shell bypass 403

GrazzMean Shell

Uname: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux
Software: Apache
PHP version: 5.6.40 [ PHP INFO ] PHP os: Linux
Server Ip: 217.160.0.194
Your Ip: 216.73.216.203
User: u72294154 (9179942) | Group: ftpusers (600)
Safe Mode: OFF
Disable Function:
NONE

name : functions.php
<?php

include_once 'env-variables.php';
ini_set('include_path', '.');

class mysql_db_connect {

    public function __construct() {
        ;
    }

    var $conn;
    var $link;
    var $table_names;
    var $queries;
    var $host;

    //var $socket;

    function start_connection() {
        $socket = explode(":", DB_host);

        if (count($socket) > 1) {
            if ($socket[1] != '') {
                $this->link = "mysql:unix_socket=" . $socket[1] . ";dbname=" . DB_name . ';host=' . $socket[0];
                $this->host = $socket[0] . ";unix_socket=" . $socket[1];
            } else {
                $this->link = 'mysql:dbname=' . db_name . ';host=' . DB_host;
                if (DB_port != "") {
                    $this->host = DB_host . ":" . DB_port;
                } else {
                    $this->host = DB_host;
                }
            }
        } else {
            $this->link = 'mysql:dbname=' . db_name . ';host=' . DB_host;
            if (DB_port != "") {
                $this->host = DB_host . ":" . DB_port;
            } else {
                $this->host = DB_host;
            }
        }

        try {
            $this->conn = new PDO($this->link, DB_user, DB_pass, array(PDO::ATTR_PERSISTENT => TRUE));
        } catch (PDOException $e) {
            echo $e;
            $this->conn = $this->conn->errorInfo();
            exit(1);
        }
    }

    function get_tables_name($table_prefix = NULL) {
        $this->start_connection();
        $sql = "Show tables from " . db_name . ";";
        $tables = array();
        foreach ($this->conn->query($sql) as $value) {
            array_push($tables, $value);
        }
        $tables2 = array();
        foreach ($tables as $value) {
            $tabel_name = explode(":", $value[0]);
            array_push($tables2, implode($tabel_name));
        }
        $this->table_names = $tables2;

        unset($tables);
        unset($tables2);
    }

    function drop_tables() {
        $this->get_tables_name(table_prefix);
        $sql = "Drop table ";

        foreach ($this->table_names as $value) {
            $this->conn->query($sql . $value . ";");
        }
    }

    function split_file($source) {
        $this->queries = explode("\n\n", file_get_contents($source));
    }

    function executeq($sql) {
        $this->start_connection();
        $error = $this->conn->query($sql);
        if ($error === false) {
            printf($error);
        }
    }

    function create_database() {
//  $util = new utility();
        foreach ($this->queries as $value) {
//    $value = $util->replace(table_prefix, "#table_prefix#", $value);
            $error = $this->executeq($value);
        }
        return $error;
    }

    function close_connection() {
        $this->conn = null;
    }

}

class user_setting {

    var $db_obj;
    var $conf;

    public function __construct() {
        $this->db_obj = new mysql_db_connect();
        $this->conf = new configuration_file();
    }

    function switch_user() {
        $rand = new RandomStringGenerator();
        $rand->setAlphabet(implode(range(0, 9)));
        $salt = $rand->generate(10);
        $hash = md5(password);
        $user = username;
        $email = email;

        if (substr($salt, 0, 1) == '0') {
            echo substr($salt, 0, 1);
            $salt = substr_replace($salt, '1', 0, 1);
            echo $salt;
        }

        $query = "UPDATE users_users SET hash='$hash', password='', login='$user', "
                . "email='$email', pass_confirm='$salt' WHERE userId = '1'";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_user_preferences` SET `user`='" . username . "', "
                . ".`prefName`='" . username . "' WHERE `value`='System Administrator';";
        $this->db_obj->executeq($query);
    }

    function new_user() {
        $rand = new RandomStringGenerator();
        $rand->setAlphabet(implode(range(0, 9)));
        $salt = $rand->generate(10);
        $hash = md5(password);
        $user = username;
        $email = email;

        if (substr($salt, 0, 1) == '0') {
            echo substr($salt, 0, 1);
            $salt = substr_replace($salt, '1', 0, 1);
            echo $salt;
        }

        $query = "UPDATE users_users SET hash='$hash', password='', login='$user', "
                . "email='$email', pass_confirm='$salt' WHERE login = 'admin'";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_user_preferences` SET `user`='" . username . "', "
                . ".`prefName`='" . username . "' WHERE `value`='System Administrator';";
        $this->db_obj->executeq($query);
    }

}

class configuration_file {

    public function __construct() {
        ;
    }

    function create_file() {

        $db_obj = new mysql_db_connect();
        $db_obj->start_connection();

        $file = fopen(webdir . "/db/local.php", "w");

        fwrite($file, "<?php" . "\n" . "\n");

        fwrite($file, '$db_tiki' . " = " . "'mysqli';" . "\n");
        fwrite($file, '$dbversion_tiki' . " = " . "'13.0';" . "\n");
        fwrite($file, '$host_tiki' . " = " . "'" . $db_obj->host . "';" . "\n");
        fwrite($file, '$user_tiki' . " = " . "'" . DB_user . "';" . "\n");
        fwrite($file, '$pass_tiki' . " = " . "'" . DB_pass . "';" . "\n");
        fwrite($file, '$dbs_tiki' . " = " . "'" . DB_name . "';" . "\n");

        fwrite($file, "\n$" . "client_charset='latin1';" . "\n");

        fclose($file);

        $db_obj->close_connection();
    }

    function site_url() {
        $site_url = substr(base_url_host, 0, 7);
        if ($site_url == "http://") {
            $site_url = base_url_host . base_url_path;
        } else {
            $site_url = "http://" . base_url_host . base_url_path;
        }

        if (substr($site_url, -1) == "/") {
            $site_url = substr($site_url, 0, -1);
        }

        return $site_url;
    }

    function switch_file() {
        $this->create_file();
    }

}

class utility {

    var $db_obj;
    var $conf_obj;
    var $user_obj;

    public function __construct() {
        $this->db_obj = new mysql_db_connect();
        $this->conf_obj = new configuration_file();
        $this->user_obj = new user_setting();
    }

    function patch() {
        exit(1);
    }

    function install() {
        $this->conf_obj->create_file();

        $f = file_get_contents(webdir . "/_htaccess");
        $f = $this->replace(base_url_path, "##BASE_URL_PATH##", $f);
        file_put_contents(webdir . "/_htaccess", $f);

        system("php5.5 " . webdir . "/console.php database:install");

        $this->user_obj->new_user();


        $query = "INSERT INTO `tiki_preferences` VALUES ('browsertitle','My Tiki'),
            ('error_reporting_adminonly','y'),('error_reporting_level','2039'),
            ('feature_search_fulltext','n'),('feature_show_stay_in_ssl_mode','y'),
            ('feature_switch_ssl_mode','y'),('language','" . $this->get_lang(lang) . "'),
            ('log_tpl','n'),('sender_email','" . email . "'),('smarty_notice_reporting','n');";

        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_preferences` SET `value`='" . sitename . "' WHERE `name`='browsertitle';";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_preferences` SET `value`='" . $this->get_lang(lang) . "' WHERE `name`='language';";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_preferences` SET `value`='" . email . "' WHERE `name`='sender_email';";
        $this->db_obj->executeq($query);

        $file = fopen(webdir . "/db/lock", "w");
        fclose($file);
    }

    function upgrade() {
        exit(1);
    }

    function switch_config() {

        $this->conf_obj->switch_file();
        $this->user_obj->switch_user();

        system("php5.5 " . webdir . "/console.php cache:clear");

        $query = "UPDATE `tiki_preferences` SET `value`='" . sitename . "' WHERE `name`='browsertitle';";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_preferences` SET `value`='" . email . "' WHERE `name`='sender_email';";
        $this->db_obj->executeq($query);

        $query = "UPDATE `tiki_preferences` SET `value`='" . $this->get_lang(lang) . "' WHERE `name`='language';";
        echo $query;
        $this->db_obj->executeq($query);
        
        $f = file_get_contents(webdir . "/.htaccess");
        $f = $this->replace(base_url_path, OLD_base_url_path, $f);
        file_put_contents(webdir . "/.htaccess", $f);
        
        system("rm -rf " . webdir . "/temp/cache/*");
    }

    function remove() {
        $this->db_obj->drop_tables();
    }

    function replace($str, $orig_str, $query) {
        $val = str_replace($orig_str, $str, $query);
        return $val;
    }

    function get_lang($lang) {
        $lang = strtolower($lang);
        $l = explode("-", $lang);

        if ($l[0] == $l[1]) {
            return $l[0];
        } else {
            return $lang;
        }

        return $lang;
    }

}

class RandomStringGenerator {

    /** @var string */
    protected $alphabet;

    /** @var int */
    protected $alphabetLength;

    /**
     * @param string $alphabet
     */
    public function __construct($alphabet = '') {
        if ('' !== $alphabet) {
            $this->setAlphabet($alphabet);
        } else {
            $this->setAlphabet(
                    implode(range('a', 'z'))
                    . implode(range('A', 'Z'))
                    . implode(range(0, 9))
            );
        }
    }

    /**
     * @param string $alphabet
     */
    public function setAlphabet($alphabet) {
        $this->alphabet = $alphabet;
        $this->alphabetLength = strlen($alphabet);
    }

    /**
     * @param int $length
     * @return string
     */
    public function generate($length) {
        $token = '';

        for ($i = 0; $i < $length; $i++) {
            $randomKey = $this->getRandomInteger(0, $this->alphabetLength);
            $token .= $this->alphabet[$randomKey];
        }

        return $token;
    }

    /**
     * @param int $min
     * @param int $max
     * @return int
     */
    protected function getRandomInteger($min, $max) {
        $range = ($max - $min);

        if ($range < 0) {
// Not so random...
            return $min;
        }

        $log = log($range, 2);

// Length in bytes.
        $bytes = (int) ($log / 8) + 1;

// Length in bits.
        $bits = (int) $log + 1;

// Set all lower bits to 1.
        $filter = (int) (1 << $bits) - 1;

        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));

// Discard irrelevant bits.
            $rnd = $rnd & $filter;
        } while ($rnd >= $range);

        return ($min + $rnd);
    }

}
© 2026 GrazzMean